In the first of a two-part series on sharing health data to fight COVID-19, Samantha Gilbert analyses US and Canadian regulators’ advice and explores why compliance teams should err on the side of caution when it comes to sharing information and maintain data minimisation procedures wherever they can.

Governments and public bodies around the world are calling on data controllers, particularly in the healthcare and pharmaceuticals industries, to share health data in the interest of tackling COVID-19. Regulators have been updating their guidance on sharing health data to help organisations balance individuals’ privacy with the need to collect and process health data to develop vaccines and telehealth apps and to track infection rates. However, each country’s situation is different, from the number of COVID-19 cases to the differing levels of lockdown, so, unsurprisingly, regulatory approaches vary between jurisdictions. As a result, compliance teams face the challenge of navigating the guidance and finding ways to meet the advice of all the relevant regulators in the most efficient and effective way. Since both the US and Canada have a mixture of state (provincial in Canada) and federal laws, the situation is even more complicated for companies to navigate, so lawyers suggest compliance teams should err on the side of caution when making decisions about health data sharing.

The reality of COVID-19 is that businesses are dealing with distinct and unique circumstances, and as regulators move quickly to adapt, it can be challenging for organisations to keep up with and comply with changes and guidance, particularly when it comes to requirements around sharing sensitive data. While regulators in the US are trying to provide companies with as much guidance as possible, their statements remain broad and open to interpretation, according to Sheryl Falk, partner at Winston & Strawn LLP. Meanwhile, Canadian businesses must navigate a “patchwork of privacy laws that may apply depending on the entities involved and the circumstances of the collection,” explains Wendy Mee, partner, privacy group co-chair and national privacy officer at Blake, Cassels & Graydon LLP in Toronto, Canada.

As a result, compliance teams in North America are being advised to err on the side of caution when making decisions about sharing health data and be mindful that while rules may have changed in light of the current situation, they must continue to ensure the data is protected as much as possible. Minimisation is key to businesses keeping data secure. Deletion helps ensure that personal data collected for COVID-19 purposes is not then used or shared for other purposes, which would be unlawful. “Any collection, use and sharing of personal information is limited to what is necessary and proportionate,” Mee says.

US

On the US side, the advent of COVID-19 tracking applications such as the Bluetooth exposure-notification system designed by Apple and Google has raised data privacy questions. While there are many state laws governing the use and processing of health information that compliance teams will need to be aware of, the Health Insurance Portability and Accountability Act (HIPAA) sets out the rules for protected health information (PHI) at the federal level, which provides a good baseline for businesses operating across multiple states. The difficulty is that HIPAA relates to a very specific set of information and a specific set of regulated entities, and was created in the 1990s, which calls into question how its provisions apply to more contemporary technologies such as health apps. Jay Hodes, an expert in HIPAA compliance and president of Colington Consulting, advises companies to implement a “comprehensive HIPAA compliance programme that covers security and privacy requirements.” Having a specific HIPAA regime in place, and using common sense, will help companies judge how data sharing in or for health apps sits under a law which pre-dates their existence.

The US Department of Health and Human Services’ Office for Civil Rights (OCR) has published several press releases and guidance documents on when HIPAA permits the disclosure of PHI. Recently, the OCR confirmed it would not impose penalties against healthcare providers for non-compliance with the HIPAA privacy, security and breach notification rules in connection with the good-faith provision of telehealth services during the pandemic. The OCR’s “enforcement discretion” is designed to help healthcare providers use remote communication technologies to continue to care for patients, even though these tools may not always meet the strict privacy and security requirements of HIPAA.

The HIPAA privacy rule does include mechanisms that allow PHI to be shared to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. Under the rule, patients can authorise the disclosure of their own PHI, for example for clinical trials or life insurance coverage, or to a pharmaceutical firm for marketing purposes. Covered entities are also permitted to use and disclose PHI without an individual’s authorisation in defined circumstances, such as for public health activities related to communicable diseases.

The most useful tool for healthcare providers and their business associates to judge whether a particular disclosure is acceptable within OCR’s guidance is to refer to the recently released FAQs and updates on how to balance HIPAA compliance with the realities of combating COVID-19, according to Eric Shinabarger, attorney at US firm Winston & Strawn LLP. However, Shinabarger emphasises that data minimisation, such as de-identifying or aggregating the data and automatically deleting it after a set retention period, is key to reducing the risk of breaching data protection law. Indeed, the OCR has emphasised that data protection compliance will still be strictly supervised. “In an emergency situation, covered entities [healthcare providers and their business associates] must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures,” it said in a statement.

The OCR’s advisory statements are necessarily broad, and businesses are dealing with highly unusual circumstances, some of which the guidance is hard to apply to. When trying to interpret general guidance for specific situations, the best course for businesses is to err on the side of caution, says Winston & Strawn’s Falk. In practice this means disclosing only the PHI that is strictly necessary while observing the HIPAA privacy rule.

“To the extent possible, business associates should continue to treat and disclose PHI only in compliance with the HIPAA privacy rule as well as the relevant business associate agreement. Where information is requested by a public agency for COVID-19 treatment or prevention purposes, the disclosure should only be considered to the extent that it is made in ‘good faith’ for public health purposes and the relevant covered entity is informed in a timely manner, at least within 10 calendar days,” Falk says.

While the OCR temporarily permits certain disclosures of PHI between health organisations and business associates, compliance teams must evaluate each business relationship and arrangement against the HIPAA rules, says Hodes. If a business associate is going to create, receive, maintain or transmit any PHI on behalf of a health organisation, Hodes says, the business, and any subcontractor who will need to access the PHI, must ensure they have a business associate agreement (BAA). The BAA is a regulatory requirement and sets out the terms of access to the PHI, but ultimately businesses must remember that the PHI always belongs to the covered entity. A BAA will help demonstrate a business’s data sharing allowances and compliance considerations to the OCR in the event of a breach. “Having an executed BAA in place is something OCR always looks for in these covered entity and business associate relationships. If there is a breach of the PHI data caused by the business associate, the executed BAA may help to avoid being faced with a monetary penalty or having to enter into a settlement agreement for this violation,” Hodes explains.

The core of compliance is the security of the PHI, so that should be at the centre of any measures companies develop to share health data. “There must be an ongoing HIPAA security management process in place that includes conducting required risk assessments, updating and revising policies and procedures, and training the workforce,” Hodes says. Compliance teams should ensure they are adhering to standard data minimisation practices, staying abreast of regulatory guidance and investing in specialised external advice when needed. When PHI is being shared, it is far better to be cautious and accept the cost of external advice than to risk breaching data protection law, according to Hodes. “The cost to do so may be minimal compared to costs associated with an unauthorised or impermissible access case that will be investigated by the OCR and not to mention the potential for civil litigation,” he says.

Canada

Canada has multiple privacy laws, which apply differently across the private, public and health sectors. The Personal Information Protection and Electronic Documents Act (PIPEDA) governs, at the federal level, how private-sector organisations collect, use and disclose personal information in the course of commercial activities across Canada. Health-related privacy laws, however, are enacted by the provinces, so there can be variation. “Healthcare companies need to carefully consider what their obligations are with respect to patient data,” says Mee, because they could be subject to varying provincial health information legislation, public-sector privacy laws, professional obligations relating to patient privacy and private-sector legislation such as PIPEDA. Compliance teams in businesses operating internationally, or even across different provinces, have to review multiple laws and guidance documents to ensure they are sharing health data compliantly as they fight COVID-19. What is crucial for compliance teams, Mee says, is to ensure that “they have a lawful basis to share the information, and that any sharing is limited to what is necessary and proportionate.”

To support businesses, the Office of the Privacy Commissioner (OPC) has stated that, while it cannot extend statutory deadlines for its information requests, it will, for the moment at least, be flexible in its enforcement. In addition, the OPC has issued guidance to help organisations subject to federal privacy laws understand their privacy-related obligations during the COVID-19 outbreak, and has issued a privacy framework addressing when the notice and consent requirements for sharing personal and health data may be relaxed in the interest of public health.

While this framework is focused on the responsibilities of federal government institutions subject to the Privacy Act, it includes principles private entities struggling with PIPEDA compliance should note:

  • any proposed measures to combat COVID-19 must have a clear legal basis;
  • the measures must be necessary and proportionate, so be science-based and necessary to achieve a specific identified purpose;
  • personal information must be used to protect public health and for no other purpose;
  • use de-identified or aggregate data whenever possible to safeguard it;
  • consider the unique impacts on vulnerable groups;
  • provide clear and detailed information to Canadians about new and emerging measures, on an ongoing basis;
  • carefully weigh the benefits and risks of the release of public datasets, giving particular attention to health and location data, and impacts on vulnerable populations;
  • new laws and measures specific to the crisis should provide specific provisions for oversight and accountability;
  • privacy-invasive measures should be time-limited, with obligations to end when they are no longer required.


The key message from the OPC in both guidance documents is that “during a public health crisis, privacy laws still apply, but they are not a barrier to the appropriate collection, use or sharing of information,” says Mee.

For the private sector, this generally means obtaining meaningful consent where possible. Where an exception from the consent requirement may apply, such as where disclosure of personal information is necessary in a life-threatening emergency, or where disclosure is required by law, businesses should carefully consider whether the exception actually applies in the circumstances, and should ensure that any information sharing is limited to what is permitted under that exception. Mee says this decision and assessment should also be thoroughly documented “so that the business can demonstrate that it exercised appropriate due diligence before relying on the exception.”

While the OPC’s advice is generally helpful, “it remains a challenge for organisations to apply the advice in practice, since each situation must be assessed based on the specific facts,” says Mee, adding that “it would have been helpful for the OPC to provide specific examples of when personal information may be shared for COVID-19 related purposes, including specific examples of when exceptions from the consent requirement may apply.”

Similar to regulatory advice in the US, data minimisation is key to businesses keeping data secure. Deleting data also helps ensure that personal information collected for COVID-19 related purposes is not subsequently used or shared for other purposes, which would be unlawful.

Mee advises applying a four-part test, in line with OPC guidance, when considering whether a collection, use or disclosure of personal information is necessary and proportionate:

  • Is the collection, use or disclosure demonstrably necessary to meet a specific need?
  • Is it likely to be effective in meeting that need?
  • Is the loss of privacy proportional to the benefit gained?
  • Is there a less privacy-invasive way of achieving the same end?

Before concluding a data sharing arrangement, businesses should apply this test. Compliance teams must also develop effective policies and procedures to “enable their company to effectively and consistently assess and document the legality, necessity and proportionality of the proposed information sharing”, says Mee. Placing access restrictions on data collected for COVID-19 purposes, so that it is not accidentally shared for other reasons, and ensuring the required information is shared only with individuals who absolutely need access to it, can be an effective way of doing so.
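The controls this article keeps returning to (purpose limitation, need-to-know access, field-level minimisation, de-identified aggregates and automatic deletion after a set retention period, as raised by Shinabarger above and by Mee here) are easier to audit when they are enforced in the data store rather than left to whoever handles a request. The following is an added illustration written for this page; it is not code from the article, from any of the firms quoted, or from any regulator. The purpose tag, the two requester roles, the record fields, the 30-day retention period and the small-cell threshold of five are all assumptions chosen for the example, and the sample records are constructed, not real data.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed purpose tag: records carry it at collection time and a disclosure
# must state the same purpose, so the data cannot quietly drift into marketing
# or insurance use (the "no other purpose" principle in the OPC framework).
PURPOSE = "covid19-public-health"

# Assumed roles and the only fields each may receive. Minimisation is an
# allowlist enforced by the store, not a request the caller is trusted to make.
FIELD_ALLOWLIST = {
    "treating-clinician": {"patient_id", "test_result", "symptom_onset"},
    "public-health-agency": {"postal_prefix", "test_result", "symptom_onset"},
}

RETENTION = timedelta(days=30)  # assumed retention; expired records are deleted
SMALL_CELL = 5                  # aggregate cells below this count are suppressed
SAMPLE_NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)


class DisclosureDenied(Exception):
    """A request failed the purpose, role or retention check."""


@dataclass(frozen=True)
class Record:
    patient_id: str
    name: str
    postal_prefix: str      # coarse location, never a full address
    test_result: str        # "positive" or "negative"
    symptom_onset: str      # ISO date
    collected_at: datetime
    purpose: str = PURPOSE


class CovidDataStore:
    """Purpose-bound, need-to-know, time-limited store for COVID-19 records."""

    def __init__(self, retention: timedelta) -> None:
        self.retention = retention
        self._records: dict[str, Record] = {}
        self.audit: list[tuple[datetime, str, str, str]] = []  # who asked, for what, outcome

    def _live(self, rec: Record, now: datetime) -> bool:
        return now < rec.collected_at + self.retention

    def collect(self, now: datetime, **fields) -> str:
        rec = Record(collected_at=now, **fields)
        self._records[rec.patient_id] = rec
        return rec.patient_id

    def disclose(self, patient_id: str, requester_role: str, stated_purpose: str,
                 now: datetime) -> dict[str, str]:
        """Return only the allowlisted fields, and only for the bound purpose."""
        rec = self._records.get(patient_id)
        if rec is None or not self._live(rec, now):
            self.audit.append((now, requester_role, patient_id, "denied:no-live-record"))
            raise DisclosureDenied("no live record")
        if stated_purpose != rec.purpose:
            self.audit.append((now, requester_role, patient_id, "denied:purpose"))
            raise DisclosureDenied(f"record bound to purpose {rec.purpose!r}")
        allowed = FIELD_ALLOWLIST.get(requester_role)
        if not allowed:
            self.audit.append((now, requester_role, patient_id, "denied:role"))
            raise DisclosureDenied(f"role {requester_role!r} has no need to know")
        self.audit.append((now, requester_role, patient_id, "disclosed:" + ",".join(sorted(allowed))))
        return {f: getattr(rec, f) for f in sorted(allowed)}

    def purge_expired(self, now: datetime) -> int:
        """Automatic deletion: drop every record past its retention period."""
        expired = [pid for pid, r in self._records.items() if not self._live(r, now)]
        for pid in expired:
            del self._records[pid]
        return len(expired)

    def aggregate_positives(self, now: datetime) -> dict[str, int]:
        """De-identified aggregate: positives per postal prefix, small cells suppressed."""
        counts: dict[str, int] = {}
        for r in self._records.values():
            if self._live(r, now) and r.test_result == "positive":
                counts[r.postal_prefix] = counts.get(r.postal_prefix, 0) + 1
        return {k: v for k, v in counts.items() if v >= SMALL_CELL}


def build_sample_store(now: datetime = SAMPLE_NOW) -> CovidDataStore:
    """Seed a store with constructed sample records (not real data)."""
    store = CovidDataStore(RETENTION)
    seeds = [("M5V", "positive")] * 6 + [("K1A", "positive")] * 2 + [("M5V", "negative")]
    for i, (prefix, result) in enumerate(seeds, start=1):
        store.collect(now, patient_id=f"p{i:03d}", name=f"Patient {i}",
                      postal_prefix=prefix, test_result=result, symptom_onset="2020-05-28")
    return store


def demo() -> dict:
    """Exercise each control once and return the outcomes."""
    store = build_sample_store()
    results: dict = {}
    results["agency_view"] = store.disclose("p001", "public-health-agency", PURPOSE, SAMPLE_NOW)
    results["clinician_view"] = store.disclose("p001", "treating-clinician", PURPOSE, SAMPLE_NOW)
    for role, purpose in (("public-health-agency", "marketing"), ("insurer", PURPOSE)):
        try:
            store.disclose("p001", role, purpose, SAMPLE_NOW)
            results[f"{role}/{purpose}"] = "allowed"
        except DisclosureDenied:
            results[f"{role}/{purpose}"] = "denied"
    results["aggregate_now"] = store.aggregate_positives(SAMPLE_NOW)
    later = SAMPLE_NOW + RETENTION + timedelta(days=1)
    results["purged"] = store.purge_expired(later)
    results["aggregate_later"] = store.aggregate_positives(later)
    results["audit_entries"] = len(store.audit)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points carry the compliance argument. The public-health view never contains `name` or `patient_id`, so a request from that role cannot be answered with identifying data even if the requester asks for it, and the same record yields a different projection for a clinician; that is minimisation decided once, centrally, rather than per request. The audit list records denied requests as well as disclosures, which is the documentation Mee says a business needs to show it assessed an exception before relying on it. The small-cell suppression in the aggregate is a reminder that "aggregate" does not automatically mean "de-identified": a postal prefix with two positives can re-identify people, so the cell is dropped.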

Across North America, compliance teams have to be aware of the varying provisions in federal and subnational privacy legislation. Companies with a large footprint have to adhere to multiple, often generalised, pieces of advice from regulators. The key to managing this is to rely on data minimisation, common sense, strong documentation and justification of sharing arrangements.

The second article of the series, looking at regulators' advice in the UK and EU, is available here.
