Privacy Provisions Pushed for COVID-19 Relief BillDemocratic Senators Urge Inclusion of Health Data Safeguards
A group of Democratic senators is urging Senate leaders to include in the next round of coronavirus economic relief legislation provisions for protecting the privacy of COVID-19 health data.
In a letter sent to leaders Tuesday, the senators urged the inclusion of the Public Health Emergency Privacy Act - which was introduced in May - in the next coronavirus relief package being negotiated in the Senate.
The letter was signed by 12 Democratic senators along with independent Angus King.
'Common Sense Protections'
The senators say in a joint statement that inclusion of "common-sense privacy protections" for COVID-19 health data in the next coronavirus relief package "will help strengthen the public's trust to participate in critical screening and contact-tracing efforts to aid in the fight against COVID-19."
"With research consistently showing that Americans are reluctant to adopt COVID screening and tracing apps due to privacy concerns, the lack of health privacy protections could significantly undermine efforts to contain this virus and begin to safely re-open - particularly with many screening tools requiring a critical mass in order to provide meaningful benefits," the senators wrote.
The Senators say Congress should "establish common-sense targeted rules to ensure the collection, retention and use of data by COVID screening tools are focused on combatting COVID and not for extraneous, invasive or discriminatory purposes."
A lack of privacy protections could lead to a breakdown in public trust that could thwart successful public health surveillance initiatives, the senators wrote.
"As a litany of investigative reports, Congressional hearings and studies have increasingly demonstrated, the widespread secondary use of Americans' data - including sensitive health and geolocation data - has become a significant public concern," the senators say. "Efforts by public health agencies to combat COVID-19, such as manual contract-tracing, health screenings, interviews and case investigations, are not restricted by our bill."
The Public Health Emergency Privacy Act would allow for the collection, use and sharing of data for public health research purposes and would not restrict use of health information for public health or other scientific research associated with a public health emergency.
The senators say the legislation would:
- Ensure that data collected is strictly limited for use in public health;
- Guard against the misuse of health data by government agencies with no role in public health;
- Explicitly prohibit the use of health data for discriminatory, unrelated or "intrusive" purposes, including commercial advertising, e-commerce as well as obtaining employment, financing, insurance housing or education;
- Prohibit conditioning the right to vote based on a medical condition or use of contact-tracing apps;
- Require data security and data integrity protections, including data minimization and accuracy, and mandate deletion of data by tech firms after the public health emergency ends;
- Mandate that individuals must opt-in to consent to participate in COVID-19 related contact-tracing and data collection efforts.
Other privacy-related legislation also is pending.
Democratic senators proposing the COVID-19 privacy provisions have told Republicans leading that effort in the Senate that they are open to finding a way to reconcile these various privacy proposals, a spokeswoman for Sen. Mark Warner, D-Va., one of the Public Health Emergency Privacy Act sponsors, tells Information Security Media Group.
Meanwhile, Senate Republicans are proposing to allocate about $53 million to the U.S. Cybersecurity and Infrastructure Security Agency to help combat hackers that are targeting research into possible virus vaccines.
'Relevant and Strategic'
"Because the next stimulus package ... may contain provisions encouraging contact-tracing and COVID-19 screening activities, adding the privacy protections to it is relevant and strategic," says regulatory attorney Nancy Perkins of the law firm Arnold & Porter.
"Given that the COVID-19-related privacy bills that have been introduced have not advanced independently, their chances of enactment may not be high if they are not attached to this or a later stimulus bill or other key, broader COVID-19-related legislation," she adds.
If Congress does not move forward with legislation to protect COVID-19 health data, the risks to the public depend largely on the type of data collected and the uses and disclosures of that data, Perkins says.
"If data on exposure to and infection with COVID-19 is used responsibly for public health purposes - which appears to have been the case to date - the risks to consumers/patients should be low compared to risks associated with other types of data, such as personal financial information, genetic information and biometric information," she says.