Data Sharing Being Emphasized in the Battle Against COVID-19
In effort to combat the COVID-19 pandemic, we are beginning to see regulatory regimes increase the focus on data sharing with public health authorities, as well as some targeted loosening of privacy protections in the hope that better information-sharing will lead to slowing the outbreak and saving lives.
Effective March 15, 2020, Health and Human Services (HHS) issued a "Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency," which waives certain provisions of the HIPAA Privacy Rule to enable better information-sharing in connection with COVID-19. Under the limited waiver, there will be no sanctions or penalties against covered entities that fail to comply with the following requirements of the HIPAA Privacy Rule:
- the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b)
- the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a)
- the requirement to distribute a notice of privacy practices. See 45 CFR 164.520
- the patient’s right to request privacy restrictions. See 45 CFR 164.522(a)
- the patient’s right to request confidential communications. See 45 CFR 164.522(b)
The waiver only applies: (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol.
Elsewhere, on March 17, 2020, the Executive Committee of the Global Privacy Assembly (GPA) issued a statement in support of the sharing of personal data by organizations and governments for the purposes of combating the COVID-19 outbreak. The GPA acknowledged that the challenge of slowing the outbreak "requires coordinated responses at national and global levels, including the sharing of personal information as necessary by organisations and governments, as well as across borders."
In light of the need of a coordinated response, the GPA stated:
We are confident that data protection requirements will not stop the critical sharing of information to support efforts to tackle this global pandemic. The universal data protection principles in all our laws will enable the use of data in the public interest and still provide the protections the public expects. Data protection authorities stand ready to help facilitate swift and safe data sharing to fight COVID-19.
Health data is considered sensitive across many jurisdictions, but work between data protection authorities and governments means we have already seen many examples of national approaches to sharing public health messages; of using the latest technology to facilitate safe and speedy consultations and diagnoses; and of creating linkages between public data systems to facilitate identification of the spread of the virus.
Indeed, several data protection regulators have released COVID-19 guidance for the sharing of information, and the GPA’s website has a data protection and COVID-19 resources page, which provides "the latest guidance and information from GPA members and observers on data protection and COVID-19," including regulators from Canada, France, Germany, Italy, the United Kingdom, and the U.S. It is encouraging that regulatory barriers are being reduced to allow coordination of data sharing efforts, and we expect this trend to rapidly continue.
As we continue to monitor the novel coronavirus (COVID-19), White and Williams lawyers are working collaboratively to stay current on developments and counsel clients through the various legal and business issues that may arise across a variety of sectors. Read all of the updates here.