Press Releases

WASHINGTON – U.S. Sens. Mark R. Warner (D-VA) and Richard Blumenthal (D-CT) along with U.S. Rep. Anna Eshoo (D-CA) today sent a letter to White House Senior Advisor Jared Kushner, raising questions about reports that the White House has assembled technology and health care firms to establish a far-reaching national coronavirus surveillance system. In the letter, the members of Congress expressed concerns that the White House has not been fully transparent about the effort, particularly in light of the significant data privacy issues associated with sharing Americans’ personal health information with corporations that have a checkered history when it comes to protecting patient and user privacy.

“While we support greater efforts to track and combat the spread of COVID-19 – and have been alarmed by the notably delayed response to the crisis by this Administration – we have serious concerns with the secrecy of these efforts and their impact on the health privacy of all Americans. Your office’s denial of the existence of this effort, despite ample corroborating reporting, only compounds concerns we have with lack of transparency,” the members of Congress wrote to Mr. Kushner. 

In the letter, the members noted that Health Insurance Portability and Accountability Act (HIPPA), which Congress passed in 1996, failed to foresee the recent boom in health technologies allowing medical data to be shared without patient or doctor consent, enabling companies that have previously been accused of privacy abuses to handle sensitive patient data without strong privacy protections. The reported establishment of far-reaching public health surveillance infrastructure in collaboration with large technology firms, against the backdrop of these failures of HIPAA, raises important privacy concerns.

“This growing health pandemic further exacerbates increasing concerns about the role large tech firms are starting to play in our health care sector. Health care entities are increasingly entering into secret data sharing partnerships with dominant technology platforms. These partnerships have bolstered the platforms’ ability to exploit consumer data and leverage their hold on data into nascent markets such as health analytics. Contrary to the fundamental, animating principle of HIPAA, this encroachment is occurring without the knowledge or consent of doctors or patients through opaque business agreements and exceptions. We fear that further empowering technology firms and providing unfettered access to sensitive health information during the COVID-19 pandemic could fatally undermine health privacy in the United States,” wrote the members of Congress. 

Added Sen. Warner, Sen. Blumenthal and Rep. Eshoo, “Similarly, we have tragically seen that COVID-19 is following and exacerbating existing health disparities and inequalities among racial, ethnic, and socioeconomic groups. A public health surveillance system should be able capture these parameters in order to ensure our response addresses the heightened risk to these communities. Yet we must be cautious about the impact and further use of this sensitive information, which also poses fraught risk for bias and civil rights violations, as we have seen when algorithmic systems used in calculating health premiums, employment determinations, and credit evaluations have led to discriminatory outcomes.” 

The members requested responses to the following questions: 

  1. Which technology companies, data providers, and other companies have you approached to participate in the public health surveillance initiative and on what basis were they chosen?
  2. What measures will the Administration put into place to ensure that federal agencies and private sector partners do not misuse or reuse health data for non-pandemic-related purposes, including for training commercial algorithmic decision-making systems, and to require the disposal of data after the sunset of the national emergency? What additional steps have you taken to protect health data from their potential misuse or mishandling?
  3. What is the program described in the press meant to accomplish? Will it be used for the allocation of resources, symptom tracking, or contact tracing? What agency will be operating the program and which agencies will have access to the data? 
  4. When will the federal government stop collecting and sharing health data with the private sector for the public health surveillance initiative? Will the Administration commit to a sunset period after the lifting of the national emergency?
  5. What measures will the Administration put into place to ensure that the public health surveillance initiative protects against misuse of sensitive information and mitigates discriminatory outcomes, such as on the basis of racial identity, sexual orientation, disability status, and income?
  6. Will the Administration commit to conducting an audit of data use, sharing, and security by federal agencies and private sector partners under any waivers or surveillance initiative within a short period after the end of the health emergency?
  7. What steps has the Administration taken under the Privacy Act, which limits the federal government's authority to collect personal data from third parties and imposes numerous other privacy safeguards?
  8. Will you commit to working with us to pass strong legal safeguards that ensure public health surveillance data can be effectively collected and used without compromising privacy?

Sen. Warner has previously raised concerns that enforcement of existing patient privacy law has not kept up with technological advancement when it comes to the use and sharing of confidential medical data and called for updating laws, including new protections to govern collection, processing, and retention of public health surveillance data. 

A copy of the letter is available here, and the full text appears below. A list of Sen. Warner’s work to protect Americans amid the COVID-19 outbreak is available here.

 

April 10, 2020

 

Jared Kushner

Senior Advisor to the President

The White House

1600 Pennsylvania Ave NW

Washington, DC  20500

 

Dear Mr. Kushner: 

 

We write you in the wake of reports that you have assembled a range of technology firms and health care providers to establish a far-reaching public health surveillance system in response to the COVID-19 pandemic. While we support greater efforts to track and combat the spread of COVID-19 – and have been alarmed by the notably delayed response to the crisis by this Administration – we have serious concerns with the secrecy of these efforts and their impact on the health privacy of all Americans. Your office’s denial of the existence of this effort, despite ample corroborating reporting, only compounds concerns we have with lack of transparency.

In response to the spread of COVID-19, the Department of Health and Human Services (HHS) has promulgated a number of guidance documents that attenuate or waive privacy protections normally attached to protected health information. Many of these measures, such as disclosure of a patient’s COVID-19 diagnosis to protect first responders, are warranted during this health emergency. However, we fear that – absent a clear commitment and improvements to our health privacy laws – these extraordinary measures could undermine the confidentiality and security of our health information and become the new status quo.

It is increasingly apparent that Health Insurance Portability and Accountability Act’s (HIPPA) Privacy and Security rules have not aged well. We have seen numerous examples of the limits of HIPAA undermining the strong protections we have come to expect of our sensitive health information. For example, there are rumors in the press that Administration is promoting a COVID-19 screening registration tool offered by Verily, which is owned by Google’s parent company Alphabet. That site is inexplicably not covered under HIPAA. 

This growing health pandemic further exacerbates increasing concerns about the role large tech firms are starting to play in our health care sector. Health care entities are increasingly entering into secret data sharing partnerships with dominant technology platforms. These partnerships have bolstered the platforms’ ability to exploit consumer data and leverage their hold on data into nascent markets such as health analytics. Contrary to the fundamental, animating principle of HIPAA, this encroachment is occurring without the knowledge or consent of doctors or patients through opaque business agreements and exceptions. We fear that further empowering technology firms and providing unfettered access to sensitive health information during the COVID-19 pandemic could fatally undermine health privacy in the United States.

Given reports indicating that the Administration has solicited help from companies with checkered histories in protecting user privacy, we have serious concerns that these public health surveillance systems may serve as beachheads for far-reaching health data collection efforts that go beyond responding to the current crisis. Public health surveillance efforts must be accompanied by governance measures that provide durable privacy protections and account for any impacts on our rights. For instance, secondary uses of public health surveillance data beyond coordinating our public health response should be strictly restricted. Any secondary usage for commercial purposes should be explicitly prohibited unless authorized on a limited basis with appropriate administrative process and public input. 

Similarly, we have tragically seen that COVID-19 is following and exacerbating existing health disparities and inequalities among racial, ethnic, and socioeconomic groups. A public health surveillance system should be able capture these parameters in order to ensure our response addresses the heightened risk to these communities. Yet we must be cautious about the impact and further use of this sensitive information, which also poses fraught risk for bias and civil rights violations, as we have seen when algorithmic systems used in calculating health premiums, employment determinations, and credit evaluations have led to discriminatory outcomes.

Our urgent and forceful response to COVID-19 can coexist with protecting and even bolstering our health privacy. If not appropriately addressed, these issues could lead to a breakdown in public trust that could ultimately thwart successful public health surveillance initiatives. We encourage you to think seriously about these issues. To that end, we request that you respond to the following questions we have on your current effort:

  1. Which technology companies, data providers, and other companies have you approached to participate in the public health surveillance initiative and on what basis were they chosen?
  2. What measures will the Administration put into place to ensure that federal agencies and private sector partners do not misuse or reuse health data for non-pandemic-related purposes, including for training commercial algorithmic decision-making systems, and to require the disposal of data after the sunset of the national emergency? What additional steps have you taken to protect health data from their potential misuse or mishandling?
  3. What is the program described in the press meant to accomplish? Will it be used for the allocation of resources, symptom tracking, or contact tracing? What agency will be operating the program and which agencies will have access to the data? 
  4. When will the federal government stop collecting and sharing health data with the private sector for the public health surveillance initiative? Will the Administration commit to a sunset period after the lifting of the national emergency?
  5. What measures will the Administration put into place to ensure that the public health surveillance initiative protects against misuse of sensitive information and mitigates discriminatory outcomes, such as on the basis of racial identity, sexual orientation, disability status, and income?
  6. Will the Administration commit to conducting an audit of data use, sharing, and security by federal agencies and private sector partners under any waivers or surveillance initiative within a short period after the end of the health emergency?
  7. What steps has the Administration taken under the Privacy Act, which limits the federal government's authority to collect personal data from third parties and imposes numerous other privacy safeguards?
  8. Will you commit to working with us to pass strong legal safeguards that ensure public health surveillance data can be effectively collected and used without compromising privacy?  

Thank you for your prompt attention and responses to these important questions.

 

Sincerely, 

 

###