A National Registry of COVID-19 Patients: The Legal Implications

Medical data companies are reportedly volunteering to join the fight against COVID-19 by offering to broadly share confidential, HIPAA-protected patient medical information they possess, including patient demographics, symptoms, testing results, treatment and outcomes. The creation of a national repository of health-related information and a potential registry of COVID-19 patients and patient information for use by government agencies and healthcare researchers would be without precedent. The privacy issues and concerns implicated by such sharing are being considered in the greater context of a worldwide state of medical emergency and the need for medical and demographic data evaluation and research studies.

The data to be shared, almost without a doubt, would include protected health information about patients, including data that may have been collected prior to the relaxing of certain of HIPAA’s requirements. However, the Global Privacy Assembly (GPA) Executive Committee acknowledged that the challenge of slowing the outbreak "requires coordinated responses at national and global levels, including the sharing of personal information as necessary by organizations and governments, as well as across borders." Understanding the way COVID-19 is being transmitted, the symptom development over time after initial exposure, the efficacy of specific treatments utilized and efforts to contain spread of the virus, the existence of area “hot spots” and ultimately patient outcomes, can be analyzed through the use of protected medical and related data contained in provider medical records and insurance and government reimbursement documentation.

While HIPAA currently permits providers and healthcare researchers to use health data/information to assure quality of care within limited guidelines, the creation of a national bank of COVID-19-related medical data accessible to the government and healthcare scientists and researchers presents an entirely new circumstance challenging our existing laws and regulations. We are in uncharted territory for the businesses charged with holding and storing such data, the medical providers and insurance payers generating such data and the government entities, scientists and researchers looking to access and utilize such national data. And, while there is a demonstrated relaxing of federal regulatory enforcement and requirements, this does not offer protection against breach of contract actions or potential tort actions from patients or other interested parties asserting improvident use of specific health information. Business associates and covered entities who intend to rely upon the relaxed regulatory enforcement should be counseled to ensure that their compliance team considers contractual obligations, litigation risks, business issues and coordination with operations, in addition to state and federal regulatory concerns.

Other practical considerations emanate from the creation of such a national repository of COVID-19 data and include the potential use of such data in evaluating the safety of having at least a portion of our workforce return, especially when a potential requirement of “clean testing” as a predicate for worker return is being discussed. Employers hopeful of soon seeing a return of at least a portion of their workers must also seek guidance and counsel to make sure they are acting responsibly and reasonably under the circumstances. While the medical community has experience in use of data research in the world of clinical trials, such trials require the advance consent of patients, who enter the trial agreeing that the information about their progress will be studied and researched. But, can business associates, healthcare providers and insurers freely provide and exchange such patient medical information, even without some type of informed consent?

There is legal precedent for special consideration of the emergency circumstances presented by COVID-19. While securing and protecting patient medical records and sensitive health information is an elemental precept acknowledged by virtually everyone in civilized society, there is also a recognition among lawmakers, public officials, courts and healthcare leaders that existing rules and regulations need to be relaxed in times of an emergency. Even before the COVID-19 pandemic, many states had existing statutes that granted healthcare workers immunity for ordinary negligence when providing medical care in aid of disaster services or a declared public health emergency. See for example in Pennsylvania, 35 Pa. C.S. § 7101 et. seq. and in New Jersey, N.J.S.A. 26:13-19, et. seq.

The use of an “emergency” doctrine to allow a relaxing/bending of existing rules finds support in our history, and even in our current law. In the aftermath of the 9/11 attack, for example, several cleanup workers seeking redress for respiratory injuries sustained at the World Trade Center brought claims for negligence and wrongful death against the City of New York, its Port Authority and various general contractors and private entities. As noted by the court, “for when an emergent disaster threatens society as a whole, the doctrine of salus populi supreme lex (the welfare of the people is the highest law) requires the government to act, enlisting persons, firms and corporations in the private sector to eliminate the threat to society and restore society’s ability to function.” In re Wold Trade Ctr. Disaster Site Litig., 456 F. Supp. 2d 520, 550 (SDNY 2006). During the Civil War, President Abraham Lincoln suspended habeas corpus as an avenue of judicial review because of the emergency circumstances presented by the war. And the “war” analogy has been invoked with COVID-19. Additionally, when healthcare systems are unable to meet patients’ needs at the level normally expected because of a public health crisis, providers may need to transition from prioritizing optimum care to every patient, and reallocate resources with the objective of doing the most good for the most people. This latter concept, providing additional latitude in the health care decision maker, is known under the law as a “crisis standard of care.”

The use of national medical data, while essential as part of fight against COVID-19, must be done with care and sensitivity to the unprecedented nature of the circumstances and the medical emergency which continues to unfold. Reasonable efforts to protect, where possible, the privacy of the individual patient, consistent with allowing the sharing of the information in the context of a national and indeed worldwide medical emergency, is the current direction of the federal regulatory environment. Specific evaluation and reasonable efforts of front line healthcare providers, including telehealth providers, insurers and their associate businesses should ultimately find protection under the law as the government and regulators address these issues over the coming weeks.

If you have any questions or need more information, contact Andrew Susko (suskoa@whiteandwilliams.com; 215.864.6228), Daniel J. Ferhat (ferhatd@whiteandwilliams.com; 215.864.6297) or another member of the Healthcare Group.

As we continue to monitor the novel coronavirus (COVID-19), White and Williams lawyers are working collaboratively to stay current on developments and counsel clients through the various legal and business issues that may arise across a variety of sectors. Read all of the updates here.