GPS tracking need not sit out COVID-19 because of privacy laws

Photo: AntonioGuillem/iStock / Getty Images Plus/Getty Images

Commentary by Jeremy Meisinger

Jeremy Meisinger

The scale and speed of the COVID-19 crisis has left policymakers searching for new tools to address an unprecedented challenge. Everything from faster testing to new treatments to more supplies for frontline providers is needed, and smart deployment of these resources requires an ability to track infections that is not yet available for a problem of the scale of COVID-19.

The recent economic stimulus package passed by Congress — the Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”) – looks to fund this kind of tracking. Among its many priorities, the CARES Act appropriates half a billion dollars to the Centers for Disease Control and Prevention (CDC) for modernization of its public health data surveillance capabilities, and specifically directs the CDC to report to Congress on the development of a “public health surveillance and data collection system for coronavirus within 30 days.”

The legislation does not give much in the way of additional direction to the CDC, meaning that the CDC is likely to think expansively and look for proven models in other highly developed public health systems.

Disease surveillance efforts around the world have taken a variety of approaches, in many cases informed by experience in battling prior pandemics. Public health systems in places such as South Korea, Singapore and China were built on the lessons of the outbreak of Severe Acute Respiratory Syndrome (SARS) and similar conditions over the past several years.

Location-based tracking using GPS provides greater insight and precision than, for example, asking an infected patient to remember and re-trace his or her steps.

Among many other elements, these systems frequently employ GPS-enabled smartphone apps both to gather information and to target alerts to local populations. Location-based tracking using GPS provides greater insight and precision than, for example, asking an infected patient to remember and re-trace his or her steps.

As discussions of similar solutions have begun in the United States, privacy advocates have rightly pointed out the risks inherent in systems that necessarily gather and communicate health information and pair that information with location-based information provided by GPS. But both legally and practically, there need not be an exclusive choice between health information privacy and using GPS and other technology to gather and provide information about COVID-19.

On the legal front, HIPAA broadly exempts disclosures of protected health information for public health activities, allowing disclosures to public health authorities without first obtaining patient consent. Similarly, HIPAA permits data to be de-identified — subject to recognized standards laid out in regulations and guidance — and thereafter shared and used for research purposes, including public health research and similar purposes.

Legal avenues certainly exist to permit significant information sharing about COVID-19 in order to help protect public health.

Furthermore, federal authorities tasked with enforcing HIPAA have already signaled in guidance that they will take a flexible approach to enforcement in order to meet the exigencies of the crisis. Thus, while it is true that HIPAA has not been applied directly to a public health emergency on the scale of COVID-19, legal avenues certainly exist to permit significant information sharing about COVID-19 in order to help protect public health.

On the practical front, HIPAA also points the way to sensible decision-making that balances privacy interests with the needs of the crisis. First, de-identification provides a significant opportunity to share data in a way that is protective of privacy. Second, we should not assume that widespread participation — both in information gathering and information dissemination — must be involuntary in order to be widely adopted.

Smartphones users can — and should — be given a choice before enabling tracking features on their devices, just as they can and should be informed in a transparent way about what data would and would not be shared. HIPAA establishes a “minimum necessary” standard that should provide the guiding principle here: no more information should be shared than is necessary to accomplish the intended objective.

As we search quickly for tools to enable the kind of tracking that we have not undertaken before, we should be careful not to construct a false dilemma between privacy and efficacy — the two go hand in hand. Strong and transparent privacy protections are both possible and necessary to secure the public buy-in that is necessary to make public health surveillance work.

Jeremy Meisinger is a Boston-based attorney at Foley Hoag LLP.