Virus vaccination records raising privacy concerns
Are legal safeguards up to the task of preventing information from leaking?
When California Gov. Gavin Newsom announced cash incentives to spur coronavirus vaccine-hesitant residents to get their shots, he emphasized everyone who received a dose was automatically entered into state databases.
“We have your information in our system,” he said, referring to the millions of vaccination records in the California Department of Public Health’s confidential, digital Immunization Information System, reassuring anyone concerned about missing their opportunity to qualify for a $1.5 million grand prize for taking a vaccine.
But not everyone is so reassured. As the state’s vaccination campaign approaches 40 million administered doses, the flood of cor-
responding medical information is sparking fresh privacy concerns about Californians’ health data.
Thousands of public agencies, health care providers, pharmacies and nonprofits are scrambling to vaccinate as many Californians as quickly as possible — all while sharing medical patient data across third-party digital platforms — leading privacy advocates to worry current legal safeguards will not prevent vaccination information from leaking or being sold into data markets.
They also worry that some confidentiality laws, such as the federal Health Insurance Portability and Accountability Act, or HIPAA, which strictly regulates what patient data health providers may share, have been weakened by emergency waivers to make protected information more available to fight the pandemic.
Finally, emerging vaccination verification systems — most of which link vaccinated patients’ health statuses and identities — are also generating fierce debates around their design, implementation and confidentiality.
Lee Tien, a senior staff attorney at the Electronic Freedom Foundation, a privacy rights organization, said he is unaware of significant medical data breaches as a result of the pandemic in the Golden State. But he said that Californians’ patient data is rife with vulnerabilities, particularly at city and county governments, which he described as potential “exit ramps” for confidential health data.
The California Information Practices Act and HIPAA impose confidentiality obligations on health care providers and state agencies like the California Department of Public Health, Tien said, but “simply don’t apply to the city of Berkeley Public Health Department, San Francisco Public Health.”
Privacy experts say California’s massive immunization program is proliferating health data among nonclinical entities, including employers, pharmacies, community-based health organizations and telehealth providers. Many of these are becoming increasingly involved in testing, vaccine distribution and state registration of vaccinated individuals.
Pam Dixon, executive director of World Privacy Forum, an Oregon-based nonprofit privacy policy research group, said that during the Trump administration the U.S. Department of Health and Human Services issued several unprecedented waivers of HIPAA protections.
For example, the federal government waived HIPAA penalties against health care providers serving patients with “everyday communications technologies” like Zoom and Skype during the pandemic. Another waiver allowed hospital contractors such as electronic health record providers, record destruction services, management and cloud services to forgo HIPAA requirements to “encrypt electronic protected health information whenever deemed appropriate.”
American Civil Liberties Union Legislative Coordinator Becca CramerMowder echoed Dixon’s concerns about patient information leaking into the private data markets at a time when federal privacy laws have been weakened.
“We certainly have seen problematic public-private partnerships, like, for example, when Verily, a sister company to Google, was providing COVID testing services,” said Cramer-Mowder, referring to a fraught $72 million nobid state contract Newsom ended earlier this year. “Verily required that for sign-ups for local COVID tests in the counties it had partnered with, everyone had to have a Google account and agree to let Verily share their data with their sister companies.”
Cramer-Mowder said she was unaware of similar third-party relationships with the state around immunization data, but warned digital vaccination verification systems currently being developed by private companies with the guidance of government officials will complicate patient confidentiality.
“If you don’t want to link your vaccination status and your identity, it definitely cannot be a digital system, because that is going to be tied to an IP address or a phone number or something that is personally identifiable information,” she said. “Even if it just reveals whether I’m vaccinated or not, (that) is potentially revealing information about me since attitudes are linked to political ideologies or it could reveal that I have a medical condition that prevents me from being vaccinated.”
Other legal experts, however, are less concerned about the consequences of public health agencies’ use of immunization data. Stanford Law School professor Michelle Mello downplayed privacy concerns since California will not establish a vaccination verification system and will have no direct involvement in furnishing companies with medical data.
“Let’s say United Airlines says I get special privileges if I am vaccinated, so I have to upload my vaccine card,” Mello said. “But I don’t see the airline talking to my doctor about it or to the clinic that doesn’t even exist anymore — set up temporarily to provide vaccinations.”
Multiple governments, companies and other entities are currently developing vaccination verification programs, said Dixon, whose World Privacy Forum is currently conducting a review of more than 70 such systems across the globe.
“The systems are being built by numerous, numerous entities, and we don’t know which will be broadly adopted and be mandatory,” she said. “We’ve got to take a look at vaccine credentialing systems and make sure that we don’t create something we regret.”