COVID-19 Contact Tracing and HIPAA

May 28, 2020
Contact Tracing apps for Covid-19 raise questions of HIPAA compliance in addition to broader questions about the privacy of individuals.

Covid-19 Contact Tracing and HIPAA

In light of the speed with which the number of COVID-19 cases has been increasing, there has been an increased motivation to innovate techniques and technologies that could help track the spread of the virus. One of these methods that has been focused on is contact tracing which has historically been done manually. However, the spread of this virus has made manual contract tracing a challenge. However, if digital contact tracing could address the privacy concerns that it establishes, it could serve as a great help in understanding the spread of COVID-19. There has also been uncertainty regarding how and what the impact of HIPAA would have on this on this type of app. 

Related: How to Comply with HIPAA

What is Manual Contact Tracing? 

The manual version of contract tracing would occur in person with a patient who received a positive test and a healthcare worker. It does require people to remember all of the individuals that they interacted with and all the places that they have gone. After identifying the people that were potentially infected, the patient would need to provide contact information for them so that they could be made aware of their need to get tested. 

What is Digital Contact Tracing? 

Digital Contact Tracing would utilize mobile apps in addition to the human-to-human tracing of COVID-19 exposures. The idea behind this app would be to use a form of tracking to record when two individuals are close enough to each other for a long enough amount of time that the virus could have been transferred. Both people would need to have the app downloaded, but if one of the users tested positive for COVID-19, then all other users who interacted with that infected user would be notified so that they could get tested. A great advantage of the digital version of tracing is that it eliminates the human error piece of remembering each individual that you interacted with at all. Although this technology would be wildly useful in tracking community spread of COVID-19, it falls into a debatable category for its legality. 

How would this app work? 

There are a few ways that this app would seek to maximize the privacy that is offered for those with the app. The app would protect the identity of the participants by only including the necessary information in each notification. When you receive a notification that you had been in close proximity to someone who had just tested positive, you would not be told who that positive test came from or when exactly you were exposed to them. The idea behind this would be to encourage the proper people to get tested for COVID-19 as soon as possible after exposure so that they aren’t continuing to spread it. The app would do this without compromising the privacy of the person who tested positive. 

Digital Content Tracing and HIPAA

One key challenge with digital content tracing would be that many organizations that are a part of it, such as Google and Apple, do not fall into the category of covered entities and therefore do not have the same regulations to follow under HIPAA. The protections that are guaranteed by HIPAA regulations would not be guaranteed for the protected health information that is shared in these apps. It is important for people to understand that if HIPAA does not apply to these organizations and these apps, then they are not given the same level of security with that information. A digital contact tracing app would require a person to share their health information with a third party willingly and as these organizations are not liable under HIPAA, that electronic protected health information (ePHI) will not be protected to the same level. 

Related: What is considered Protected Health Information?

Who would use this app? 

In the United States, the use of a digital contract tracing app would be entirely voluntary. However, without at least half of the country’s population participating, the app would not be very effective. Widespread usage of the app would create a strong network of tracing and further increase the amount of people getting tested after potential exposure. However this type of app requires users to input some protected health information as well as regularly share their location, which makes people and organizations skeptical. 

Innovation in the United States

Just this past week, Google and Apple announced that they completed work on a joint project to create a COVID-19 exposure notification system. They did not create a digital contract tracing app but rather a “unified programming interface” that will allow healthcare departments to utilize that to create digital contract tracing apps. 

Questions and Potential Problems 
  • As we have said, this type of app needs high participation in order to be as useful as possible. The strongest problem with this is that people need to trust that their own health information will be secure before they agree to join this app. 
  • With the amount of people that are self-diagnosing or experiencing false diagnoses, there is concern over how the app would verify the positive COVID-19 tests before sending out notifications.

Despite the problems and concerns with digital contact tracing, this type of technology could make a significant difference in tracking the spread of COVID-19 and warning individuals of their need for testing. In designing this technology, the Center for Disease Control, government officials and privacy experts have all consulted as they work to address these potential problems and concerns. 

Compliance Managment Full Hexagon logo

Expert compliance support, on-demand

Accountable Compliance Success Managers are dedicated to making sure your company is fully compliant as we guide you step-by-step through the process of achieving HIPAA compliance.
Expert guidance
Build trust
Dedicated Compliance Success Managers
HIPAA Training
Decrease risk
Close more deals