
Congress Presses Kushner on COVID-19 Health Data Surveillance Project

After reports showed White House Advisor Jared Kushner is creating a nationwide COVID-19 health data surveillance system, members of Congress are probing the effort due to privacy risks.

Several members of Congress are pressing White House Advisor Jared Kushner amid privacy concerns, after reports showed the White House has assembled technology and healthcare firms to develop an extensive COVID-19 surveillance system.

Led by Sen. Mark Warner, D-Virginia, the letter argues the White House may not have been completely transparent about its surveillance efforts. And as many of the reported participating organizations “have a checkered history when it comes to protecting patient and user privacy,” the effort raises several privacy red flags.

As noted repeatedly in the past, HIPAA was not designed to support the mass amount of digital health technologies that allow medical data to be shared without consent from patients or providers.

As the Office for Civil Rights reminded covered entities in 2019, health apps chosen by patients are not covered under the privacy regulation. As a result, many of these health apps share health data with third-party vendors without user consent.

The Department of Health and Human Services has also recently waived several HIPAA sanctions to better support the response to COVID-19, but in doing so, has waived some privacy protections for protected health information.

To these Congressional members, without a clear commitment to improving these health privacy laws, these new sweeping measures could potentially undermine the privacy and security of health information and “become the new status quo.”

HIPAA limitations are also growing increasingly apparent in several Trump Administration efforts, including the creation of a COVID-19 screening registration website and app offered by Verily, owned by Google’s parent company, Alphabet. The site is not covered by HIPAA since it is not acting as a covered entity or business associate.

A group of Senators recently sent an inquiry letter to Google asking it to explain its privacy protections of the testing site.

While warranted, to the members of Congress, an effort of “far-reaching public health surveillance infrastructure in collaboration with large technology firms, against the backdrop of these failures of HIPAA, raises important privacy concerns.”

“While we support greater efforts to track and combat the spread of COVID-19 – and have been alarmed by the notably delayed response to the crisis by this Administration – we have serious concerns with the secrecy of these efforts and their impact on the health privacy of all Americans,” the Congressional members wrote.

“Your office’s denial of the existence of this effort, despite ample corroborating reporting, only compounds concerns we have with lack of transparency,” they added. “This growing health pandemic further exacerbates increasing concerns about the role large tech firms are starting to play in our healthcare sector.”

The concern is that the pandemic is exacerbating current privacy issues brought to light by several major partnerships between major tech companies and healthcare entities, such as the collaboration between Ascension and Google.

To the Congressional members, these partnerships are providing further ways “to exploit consumer data and leverage their hold on data into nascent markets such as health analytics,” often without the individual’s knowledge or consent.

“We fear that further empowering technology firms and providing unfettered access to sensitive health information during the COVID-19 pandemic could fatally undermine health privacy in the United States,” according to the letter.

“Given reports indicating that the Administration has solicited help from companies with checkered histories in protecting user privacy, we have serious concerns that these public health surveillance systems may serve as beachheads for far-reaching health data collection efforts that go beyond responding to the current crisis,” they added.

Any public health surveillance will require governance measures that provide effective privacy protections and account for any impacts to privacy rights. As a result, the Congressional members are asking Kushner to detail any privacy efforts related to the nationwide public health surveillance project.

To start, Congressional members want to know what the program is meant to accomplish, including whether it will be used to allocate resources, track symptoms, or trace COVID-19 contact, as well as the agency that will be assigned to operate the program and who will have access to the data.

Kushner must detail the tech vendors, data providers, and other companies that have been approached to participate in the surveillance effort, as well as why those companies were selected.

Further, the Congressional members want to know what measures will be implemented to ensure health data is not misused or reused for non-pandemic-related purposes, such as training commercial algorithmic decision-making systems, along with whether these tech companies will be required to dispose of the data after the national emergency has ended.

Kushner is being asked to outline steps taken to protect health data from potential misuse, or mishandling, in addition to when the project will stop collecting and sharing data with the private sector in connection to the surveillance initiative.

The Congressional members also ask for details on protecting against misuse and mitigating discriminatory outcomes based on race, sexual orientation, disability, and income. They also ask whether the Administration and its partners will commit to an audit of data use, sharing, and security.

Lastly, they want Kushner to commit to privacy and security efforts to ensure surveillance data is effectively collected and used without compromising patient privacy.

“We have seen when algorithmic systems used in calculating health premiums, employment determinations, and credit evaluations have led to discriminatory outcomes,” the letter reads. “Our urgent and forceful response to COVID-19 can coexist with protecting and even bolstering our health privacy.”

“If not appropriately addressed, these issues could lead to a breakdown in public trust that could ultimately thwart successful public health surveillance initiatives. We encourage you to think seriously about these issues,” it continued.

The letter is just the latest Congressional effort to address privacy concerns that have come to light during the pandemic. Currently, the Senate is probing Zoom on its privacy practices after reports of several security issues and Apple on the privacy and cybersecurity policies of Apple's screening tools.

Advocacy groups are also calling on Vice President Mike Pence and the White House Coronavirus Task Force to proactively combat COVID-19 fraud attempts and other patient harms.
