Senators introduced a bipartisan bill this week aimed at protecting the health information of people who opt in to COVID exposure notification apps. The Exposure Notification Privacy Act – introduced by Sens. Maria Cantwell, D-Washington, and Bill Cassidy, R-Louisiana – requires public health officials to be involved with any exposure notification systems, mandates user consent for their participation and allows them to request the deletion of their data at any time, and prohibits any commercial use of the data, among other specifications.
“Public health needs to be in charge of any notification system so we protect people’s privacy and help them know when there is a warning that they might have been exposed to COVID-19,” Senator Cantwell said in a statement. In an interview with Healthcare IT News, Cassidy said he sponsored the bill because, when it comes to the security of contract tracing apps, “we’re relying on Google and Apple to establish standards.” He added: “I’m not saying people don’t trust them, I’m just saying people may not.”
The bill, one of several in Congress aimed at safeguarding health data in digital monitoring technology, outlines specific data security requirements including a plan to respond to unsolicited reports of vulnerabilities. Though Cassidy didn’t speak to the technological details, he said that restricting how data is used without security around its maintenance “is like trying to keep air on one side of a screen door.” As the MIT Technology Review pointed out, the bill’s measures echo existing protections built into Google and Apple’s technology.
“The two Silicon Valley companies joined forces in April to develop and deploy an exposure notification system, which most states are planning to use as the underlying framework for their apps,” the Review explained. “Their rules mean that many of the legislative suggestions in the Senate bill are, in fact, already de facto standards.”
The legislation includes enforcement provisions from the Federal Trade Commission and state attorneys general for operators that do not comply. Cassidy said he hopes the bill will reassure potential users to opt in, due to the potential public health benefits of contact tracing. Still, researchers, professional organizations and members of the public have expressed concerns with patient privacy. A recent sample of 50 COVID-19 apps found only 16 that promised to anonymize and encrypt protected data. And last month, the American Medical Association released patient privacy principles warning that the government must not trade privacy for efficiency.
When asked whether concerns about being tracked by law enforcement might deter some users from sharing their data, particularly in the wake of large-scale protests against police violence, Cassidy said it was possible – but it would require a warrant to obtain the information. “The police currently have the ability to serve a warrant to Google or Apple; that risk is still there,” said Cassidy.The New York Times last year revealed that Google has given geofencing data from dozens to hundreds of devices in response to a single warrant. Given the bill’s bipartisan nature, Cassidy said he was hopeful it would be successfully implemented, either on its own or as part of a larger package. “Public health [means] educating people to their vulnerability,” he said.
