Data Security and Privacy Protection Agencies React to Coronavirus
Before the Coronavirus, privacy and data security laws rapidly developed across the globe, generally giving consumers better access to and control of their personal identifying information. In the U.S., individual states such as California, Illinois, Washington, and New York passed sweeping privacy and data security legislation; most recently Washington state passed a March 12, 2020 law restricting its governmental entities’ ability to use biometric information (facial recognition) to protect civil liberties.
However, a global pandemic is definitely a game-changer. Although agencies maintain the importance of individual privacy and protection, several issued guidance to help businesses and citizens that collect, process, and analyze personal identifying information balance the demands of the crisis against regulatory requirements.
USA/U.S. Dept. of Health and Human Services
A February 2020 bulletin from the Office for Civil Rights for DHHS provided guidance for entities subject to the HIPAA Privacy Rule regarding proper sharing of patient information. The February bulletin stated “that the protections of the Privacy Rule are not set aside during an emergency[,]” reiterating the Privacy Rule’s application to “covered entities” and their business associates under 45 CFR §160.103.
Days later, in response to POTUS’s declaration of national emergency and effective March 15, 2020, DHHS Secretary Alex M. Azar issued an updated March 2020 bulletin, waiving sanctions and penalties against hospitals that are unable to comply with the following rules: (1) the requirement to obtain a patient's agreement to speak with family members or friends involved in the patient’s care; (2) the requirement to honor a request to opt out of the facility directory; (3) the requirement to distribute a notice of privacy practices; (4) the patient's right to request privacy restrictions; and (5) the patient's right to request confidential communications.
These waivers only apply: (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol.
Additional reminders under the Privacy Rule issued by DHHS were as follows: (1) Covered entities may disclose, without a patient’s authorization, protected health information about the patient as necessary to treat the patient or to treat a different patient (including coordination, consultation, and management of care between providers); (2) Public Health Authorities (such as the CDC or a state hospital) may disclose health information and statistics without individual authorization, for the purpose of preventing or controlling the spread of disease, disability, or injury, to another public health authority, at the direction of another public health authority to a cooperative foreign government agency, or to a person at risk of contracting or spreading the disease or illness; (3) A covered entity may share protected health information with a patient’s family members, relatives, or those identified by the patient as involved in the patient’s care, including information required to identify, locate, and notify family members, the police, the press, or the public at large (must attempt to receive verbal permission or acknowledgment from patient unless subject to the waiver described above); and (4) Health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – subject to professional ethics and state laws. A list of prohibited activities is also included in both the March and February bulletins.
United Kingdom/Information Commissioner’s Office (“ICO”)
On March 12, 2020, ICO released a statement providing, in pertinent part, that “[d]ata protection and electronic communication laws do not stop Government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email as these messages are not direct marketing.” Still, proclaiming itself “a reasonable and pragmatic regulator,” and “one that does not operate in isolation from matters of serious public concern[,]” ICO promised to consider “compelling public interest in the current health emergency” in reviewing compliance, especially as people are forced to telecommute.
Global Privacy Assembly (“GPA”)
This collection of 80+ countries and 130+ data protection regulators issued a March 17, 2020 statement that, despite its confidence “that data protection requirements will not stop the critical sharing of information to support efforts to tackle this global pandemic[,]” the GPA desired “to set out our support for public bodies and health practitioners to be able to communicate directly with people, and scientific and government bodies to coordinate nationally and globally, to tackle the current COVID-19 pandemic.”
France/National Commission on Informatics and Liberty (“CNIL”)
According to a March 6, 2020 statement, employers remain subject to strict GDPR and French Public Health Code regulations (the statement is available only in a very limited English translation).
European Data Protection Board (“EDPB”)
In a March 16, 2020 statement and a March 19, 2020 update, the EDPB reminded data controllers and processors to ensure the protection of personal data. That said, “The GDPR is a broad piece of legislation and provides for rules that also apply to the processing of personal data in a context such as the one relating to COVID-19. The GDPR allows competent public health authorities and employers to process personal data in the context of an epidemic, in accordance with national law and within the conditions set therein. For example, when processing is necessary for reasons of substantial public interest in the area of public health. Under those circumstances, there is no need to rely on consent of individuals.”
For hospitals, covered entities, and business associates of health care providers, the responsibility to protect personal information remains. That said, and depending upon the jurisdiction, preventing imminent harm and supporting communication between health care professionals and the public should be respected, provided that the use of personal information is kept to a minimum.