As states ramp up manual COVID-19 contact tracing across the United States, a rapidly growing corps of citizen data collectors are discovering why data privacy rules matter. More than 100,000 contact tracers could be needed in the U.S. alone, according to guidance from the Centers for Disease Control and Prevention and a national contact-tracing plan developed by John Hopkins University and the Association of State and Territorial Health Officials. These tens of thousands of new data collectors will turn to state and local health departments, as well as the CDC, for guidance.

They’ll quickly learn that privacy is paramount, complex and often locally governed.

The privacy rules that govern contact-tracing efforts by state and local health departments stem from federal, state and local laws, policies, contracts and best practices. This piece offers a window into those protections and why they matter so much to the efficacy of contact tracing.

CDC guidance

The CDC’s May 2020 guidance on conducting contact-tracing interviews cites three critical steps a case investigator must take before initiating an interview. The first two relate to privacy. First, the interviewer must establish trust with the patient. Second, they must assure the patient of confidentiality. Only then can they turn to offering support during isolation and begin to collect necessary contact-tracing data. 

CDC guidance outlines the demographic, health and contact data that contact tracers should collect. This data is replete with information considered sensitive across jurisdictions, including the patient’s name and contact information in conjunction with race and ethnicity, COVID-19 symptoms, preexisting health conditions and intimate partners, as well as all close contacts the patient has had during the period of time they were contagious and where and when those occurred. The privacy risks abound, not to mention the risks to data validity if data protection and patient trust is in question.

What privacy protections govern this data collection in the U.S.? Perhaps as important are contact tracers and those whose sensitive data they will collect familiar with and reassured by these rules?

The CDC’s more detailed guidance for health departments developing a case investigation and contact-tracing plan lists a “keen understanding of the need for patient confidentiality” at the top of its list of knowledge and skills required of case investigation and contact-tracing staff. Understanding the importance of protecting patient data is one thing. Understanding the legal requirements that attach to that data or individuals’ privacy rights is another thing entirely, in part because those rights and requirements vary across the U.S.

HIPAA

This is all about the protection of health data, so in the U.S., the HIPAA Rule springs to mind for most privacy professionals. However, the U.S. Health Insurance Portability and Accountability Act often does not govern contact-tracing efforts conducted by state and local health departments.

HIPAA applies to health care providers, health plans and health care clearinghouses. That means state or local health departments must follow HIPAA only when they are serving one of those functions. Many certainly are. A state Medicaid program, for instance, would be classified as a health plan under HIPAA, and a health department that runs a clinic would be covered as a health care provider. However, even when departments are providing HIPAA-covered services, they can become “hybrid entities,” which means HIPAA only applies to the part of the department providing a HIPAA-covered function. In such cases, when the component of a health department running a clinic is separate from the component charged with contact tracing, HIPAA will not apply to the latter.

Where protected health information concerning a positive COVID-19 test is passed from a HIPAA-covered entity to a component of a state or local health department that isn’t HIPAA covered to enable contact tracing, protections would continue to apply to the PHI that is shared. HIPAA permits disclosures of PHI for public health activities to public health agencies that are authorized by state or federal law to collect such information, though only the minimum necessary information may be shared. However, HIPAA would not apply to the information subsequently collected during a contact-tracing interview if the entity conducting the interview is not HIPAA-covered.

So, when HIPAA doesn’t apply, what privacy laws protect information collected during contact-tracing efforts by state and local health departments? To answer that, we need to look beyond federal laws to the legal landscape across the 50 states.

The state landscape

Privacy protections differ greatly across the 50 states. According to the National Conference of State Legislatures, 11 states have constitutions that guarantee a right to privacy. While few states have comprehensive privacy laws, all have data breach notification laws, and many have narrower consumer privacy laws or health privacy laws.

A close look at the three states hit hardest by COVID-19 and now embarking on extensive contact tracing sheds light on this question and the patchwork of privacy protections that exist across the country.

NY

New York has been the epicenter of the U.S. COVID-19 crisis. With more than 380,000 positive cases, it is now at the forefront of efforts to deploy robust contact tracing.

Earlier this spring, Bloomberg Philanthropies and Johns Hopkins Bloomberg School of Public Health teamed up to develop a free training program for contact tracers to be hired by New York’s Department of Health. According to the news release announcing the partnership, between 6,400 and 17,000 contact tracers will be needed in the state alone, depending on the number of cases moving forward. All will be required to complete the new training course. That training recognizes the importance of privacy. One of the five major topics covered is the “ethics of contact tracing, including balancing privacy and public health considerations.” However, as a Coursera training accessible to contact trainers across the globe, it does not focus specifically on the privacy regulations in New York state.

Helpfully, New York’s legal requirements governing the collection of health-related information by its health department are clearly defined. New York’s Public Health Law sets forth “methods and controls to restrict dissemination and maintain control of confidential personal health-related information within the Department of Health.” It states that employees or agents of the department may only access personal health information when necessary as part of their official duties, with management approval and after training in the responsibilities associated with access to the information. Health department employees or agents are prohibited from disclosing such information except to someone officially authorized to access it where that person needs it to perform an official function. Supervisors are responsible for the control and security of such information until it is disposed of in a way that does not compromise confidentiality. The law requires the Department of Health and supervisors of each operational unit to develop standard confidentiality protocols to effectuate these protections and “prevent discrimination, abuse or other adverse actions directed toward persons to whom personal health related information applies.”

While the Public Health Law dates back to 1989 and is not focused on contact tracing, it provides clear rules for handling the data contact tracers will collect.

New York also has a law specifically focused on contact tracing, though it governs such tracing in relation to individuals infected with HIV or AIDS only. While the law will not provide protections related to COVID-19 contact tracing, it points to the confidentiality needed in such efforts and how targeted legislation has previously addressed the need to build public trust. New York’s HIV-specific contact-tracing law provides that “[i]n notifying any contact identified in the course of any investigation conducted pursuant to this section, the physician or public health officer shall not disclose the identity of the protected individual or the identity of any other contact.” The law further specifies that information received by the department or local health officials shall be kept confidential, except when used to carry out the provisions of the law, when used in aggregate without identifying information to improve the quality of care, when used by state and local health departments to assess specific programs, or to provide specified care. Under the law, individuals are not liable for failure to participate in contact tracing, making it voluntary.

These approaches have become generally recognized best practices for contact tracing.

NJ

New Jersey has grappled with the second-highest number of COVID-19 cases among the 50 states. There are extensive local efforts to develop contact tracing and build public trust in local data protection.

To date, more than 165,000 individuals in New Jersey have tested positive for COVID-19. In May, Gov. Phil Murphy, D-N.J., announced that there were already 800 contact tracers working for local and county health departments and that there were plans to hire several thousand. 

A New York Times article on contact tracing in Patterson, New Jersey, highlighted the local approach to this effort across the country and also raised privacy protections. It quoted a conversation between a contact tracer working for the Patterson Health Department and an individual exposed to the virus, in part:

In the context of this conversation, HIPAA could govern the information identifying the individual who tested positive, presumably collected and shared by a HIPAA-covered entity, even if it does not govern the specific contact-tracing efforts. But, what rules would govern the information the “passenger” quoted in the article above then shares with Mugulusi if contact tracing by the Patterson Health Department or other city health departments doing such work are not HIPAA-covered?

New Jersey has no comprehensive data privacy law. The state has laws governing the protection of personal information in the context of a data breach, collection and use by retail establishments, substance abuse and mental health treatment, genetic data collection and other specific areas. While these laws point to useful best practices and provide limited protections in the case of data breaches, none seems to provide concrete and actionable individual rights or protections for the protection of data collected by the contact tracers. In the absence of clear legal rules governing privacy protections for contact tracing, the onus falls on state and local health departments to develop protections and confidentiality agreements to guide their efforts.

Newark Mayor Ras Baraka has been clear about their use of confidentiality agreements and the significant financial penalties the city will enforce for breaches of such confidentiality. Other state authorities, including those in Washington and Kentucky, have also publicly referenced their use of confidentiality agreements for contact tracing. While such approaches can be quite effective and help build community trust, it increases the burdens on health departments at a challenging time and can lead to divergent protections across and between states.  

Calif.

As a large and populous state, California has seen a significant number of COVID-19 cases. While the state is known as a leader in data protection, it too has worked hard to reassure individuals that data collected during contact-tracing efforts will be kept confidential.

Approximately 140,000 Californians have tested positive for COVID-19. To stem the tide of future cases, California launched a comprehensive contact-tracing program in collaboration with its Department of Public Health, local public health departments and the University of California, which developed online training for the 10,000 contact tracers the state plans to hire.

California’s contact-tracing program addresses privacy upfront. One of the questions asked and answered on its homepage is "Is the information I provide confidential? The answer is an emphatic yes, but with reference to the multiple laws rather than a single governing law."

The answer above highlights the significant privacy concerns at stake, referencing immigration status, financial information, and the fact that information will only be used by local and state health departments.

California is among the 11 states with a constitutional right to privacy. It also has a privacy law — the Information Practices Act — delineating data collection and use limitations for state agencies. While it excludes local agencies, which California’s contact-tracing program indicates are the ones leading this effort, many of those local agencies have privacy and confidentiality agreements with the state, as well as their own privacy policies. The state also has a Confidentiality of Medical Information Act, which supplements HIPAA. Local health department websites typically reference their commitment to and provision of HIPAA and CMIA protections.

While California has helped lead the charge in adopting privacy legislation, even there, it can be challenging to determine exactly which rules and recourse mechanisms apply in which situations.  

Next steps

It is clear that state and local health departments have gone to great lengths to assure the public that personal information shared as part of contact-tracing efforts be well protected. Yet, the rules, regulations and recourse that apply remain complex, varied and opaque. That doesn’t mean protections are lax. Health departments seem to be supplementing gaps with internal policies and enforceable confidentiality agreements. They recognize that privacy is pivotal to trust, and trust is central to the success of contact-tracing efforts. But, the distributed and complex nature of these laws increases the burden on local departments at a time when their plates are quite full. And, it makes it difficult for public leaders to explain the privacy protections across the U.S. in a way that would strengthen individual trust. 

The national contact-tracing plan published by John Hopkins and ASTHO acknowledges this challenge in the context of contact-tracing technologies. It states:

"Privacy and responsible data management must be considered when thinking about contact-tracing technologies for several reasons. First, without the ability to reassure concerned citizens and privacy activist groups that sensitive information will be respected and safeguarded, there may be significant opposition to a systematic contact-tracing program being initiated, and individuals may be unwilling to participate. Second, mishandling of sensitive information may cause public blow-back after such a program is in place, sabotaging its effectiveness. Third, official contact may be mistaken for spam or scams by cases or contacts, and strategies are needed to ensure the public can tell the difference. To increase the chances that these efforts will be effective, trusted, and legal, use of technology in the contact-tracing space should be conceived of and planned with extensive safeguards to protect private information from the beginning."

Legislators in Washington, D.C., have recognized this challenge and proposed COVID-19-specific privacy legislation to help build the public trust necessary for data sharing to combat the pandemic. IAPP Senior Westin Research Fellow Müge Fazlıoğlu, CIPP/E, CIPP/US, recently analyzed these proposals. While it is unclear whether any of these bills will be adopted, the privacy issues raised by the pandemic and the complex and growing web of state-level protections clearly create a further impetus for broad-based federal privacy legislation in the U.S.  

In the interim, those undertaking this critical contact-tracing work will likely turn to CDC best practices and privacy professionals around the country to build the trust on which these efforts hinge. Let’s hope they succeed.

Photo by Timon Studler on Unsplash