CDC COVID-19 Vaccine Tracking Privacy Concerns
Although the vaccine rollout has started slowly in the United States, millions of people are now vaccinated against COVID-19 daily. As individuals receive the vaccine, states collect personal health data in individual immunization registries. Experts say this data collection is essential for effectively tracking vaccination progress, reporting side effects, comparing vaccine effectiveness across cross-sections of the population, and knowing who needs second doses and when.
While states have traditionally been responsible for collecting immunization data without federal intervention, some argue that the global scale of the pandemic and the need to understand the progress of immunization nationally require increased federal intervention in monitoring immunization data. In December 2020, the US Centers for Disease Control and Prevention (CDC) began asking states to sign data usage and sharing agreements, which would require states to share immunization data with the federal government, with the stated purpose of “generat[ing] a comprehensive picture of COVID-19 vaccine use nationwide.” Many states signed the agreements as is, but some have negotiated with the CDC to share less data or to ensure that the data is not used for any particular purpose. Minnesota and Colorado, for example, will only submit anonymized data on vaccine doses administered in each state. California will only notify the federal government of the year of birth and gender of those vaccinated, as well as the county where the vaccine was administered.
Naturally, the collection and storage of health information at the federal level raises significant privacy concerns. Although the Health Insurance Portability and Accountability Act (HIPAA) normally protects against the disclosure of identifiable immunization data by covered entities, HIPAA contains various exceptions to ensure public health and safety. Throughout the pandemic, the US Department of Health and Human Services (HHS) has announced plans to allow HIPAA-covered entities to use technology to contain the spread of COVID-19 without fear of massive sanctions. For example, HHS exercised its discretion to announce that it will not apply sanctions in connection with the good faith use of online planning applications for COVID-19 vaccinations. HHS also clarified that the use of protected health information (PHI) to identify and contact people who have recovered from COVID-19 to facilitate plasma donation is permitted during the pandemic. In this case, to justify its request for immunization data from states, the CDC relies on the HIPAA exception that allows a covered entity to disclose that data to public health authorities, such as the CDC, when the disclosure of PHI is needed to prevent or control the disease.
Notably, even with this exception, covered entities should reasonably limit disclosure to the minimum amount necessary to achieve the public health objective. To meet this requirement, data received from states will be stored on a cloud-hosted COVID-19 Data Clearinghouse that will receive, deduplicate and de-identify the data, then populate the IZ Data Lake, a cloud-hosted repository, with limited datasets of redacted immunization data. Only authorized users who need to view the data for immunization management and administration purposes will have access to these limited and redacted data sets. This limits access to the larger pool of data received by the COVID-19 Data Clearinghouse. The repositories will also be independently audited to ensure compliance with privacy laws. In the event of a data breach, CDC sets up appropriate response teams to coordinate a response to the incident.
Certainly, even with these risk mitigation measures in place, collecting immunization data at the federal level requires the secure collection, management and dissemination of data on an unprecedented scale.
© 2021 Proskauer Rose LLP. Review of national legislation, volume XI, number 110