Contact tracing: CEOs must remain vigilant on patient privacy

Gabriel Perna | October 7, 2020

 Consumers are skeptical about the idea that their phone will be the way to stop the COVID pandemic from spreading.   

According to a survey from researchers at Cornell and MIT, only 42 percent of Americans indicate they would download and use a contact tracing app. The survey also found there was a great deal of misunderstanding from the patient population on the privacy elements of these apps. Andrew Crawford, Policy Counsel, Privacy & Data at the Center for Democracy and Technology (CDT), isn’t surprised that many are wary of tech-assisted contact tracing.

“It’s hard for the average person to anticipate how data sets about them will be used to potentially give insights into COVID—or a lot of other things related to their health for that matter. For tech-assisted contact tracing to really be of value, folks have to have trust in it,” says Crawford. “That’s something the people running these platforms need to be thinking about.”

Crawford is on the CDT’s Coronavirus: Data for Life and Liberty Task Force, a collaborative effort between various stakeholders aimed at understanding how data can be used to fight the pandemic while preserving civil liberties. He has seen numerous approaches to contact tracing apps that properly use de-identified data and generate positive outcomes. He’s also seen apps that are not as effective at protecting patient data.   

When it comes to patient privacy and contact tracing, experts like Crawford say CEOs need to be transparent with health consumers, take advantage of the privacy frameworks available and earn public trust. Moreover, in working with public health agencies and engaging in contact tracing of their own exposed employees, they also need to understand exactly what kind of information is being used in these apps, ensuring it’s de-identified and limited in scope.

“These apps should be making sure they’re only collecting the information that’s absolutely necessary for the task at hand, i.e. preventing and limiting the transmission of COVID. You don’t need to host a lot of information from a mobile device to do that. You don’t need access to someone’s photos or emails,” Crawford says.  

Trying to gain public trust in Pennsylvania  

In the Keystone State, the Pennsylvania Department of Health (DOH) recently launched COVID Alert PA, a contact tracing app which uses the Exposure Notification System (ENS), provided by Apple and Google. Meghna Patel, Deputy Secretary for Health Innovation at the Pennsylvania DOH, says the agency has seen 234,000 downloads thus far.

“We don’t have the latest census, but the most recent one had 9.5 million people in the state over the age of 18. [The 234,000 downloads] is progress in comparison to other states that have implemented their own exposure notification apps,” says Patel, acknowledging there is a way to go if the app is going to be effective. “We are living in the misinformation epidemic and public trust has always been under question, especially when it’s a government-released app. People think it’s a ‘Big Brother’ tool and we’ve seen those comments. It’s not surprising.”  

Patel says the app uses Bluetooth electronic handshake capabilities to determine if a person was in proximity to others who have the app and have tested positive for COVID. If a person was within six feet of the COVID-positive person for 15 minutes or more, they’ll receive a notification on their phone once that person gets the positive test. The app doesn’t use GPS, geo-location, or identifiable information of any kind, she adds.  

The exposure notification system, developed by Google and Apple, has earned praise from privacy experts like Crawford and Mark Eggleston, Chief Information Security and Privacy Officer, Health Partners Plans, a hospital-owned HMO in Philadelphia.  

“Some of the early apps that came out in the spring had major concerns, but the Google-Apple effort with them working together to ensure privacy is a good sign. Bluetooth is a lot better [than GPS], but there are still some concerns with Bluetooth,” says Eggleston. “There are concerns with everything though.”  

It’s up to everyone 

As Eggleston notes, for contact tracing apps to be effective, more than a majority of the population has to use them. That means public trust is paramount to success. In general, the more transparency around contact tracing the better and Google-Apple’s ENS infrastructure has been an example of that, says Crawford. The Pennsylvania DOH has worked with the University of Pennsylvania Behavioral Economics on the right messaging to address public concerns and misinformation.  

“As a public health entity, we have to balance the desire from the communities around us to want more information while protecting private health information, making sure we’re protecting that important tenet of public health,” says Lindsey Mauldin, Special Advisor for the Secretary of Health on Contact Tracing at the Pennsylvania DOH.

While major contact tracing efforts are headed by state public health agencies, health systems, employers, community health organizations and other stakeholders are all major links in the chain to limiting COVID-19’s spread. This is especially true in the U.S., where there are no national contact tracing apps and only 12 statewide apps (as of publication date). Compare this to the U.K., where a national app was downloaded six million times in its first day.

That means in the U.S., contact tracing can’t be left to the state government alone. Kevin Haynes, CISO of Nemours Children’s Health System, says that when one of their hospitals has a COVID-positive patient, they have the right to track where the patient has been and who in the organization was in contact with them. Furthermore, they had to figure out a process for contact tracing that addressed potential privacy concerns for when an employee tested positive, since Nemours is a covered entity. 

“We had to define the roles of the people who can communicate and access the information we have, provide guidance on where that contact tracing information can go and figure out if we could de-identify that information. That was a challenge with contact tracing,” Haynes says.

More legislation needed  

Experts say legislation doesn’t effectively cover patient privacy in the new age of consumer health. Jodi Daniel, partner in Crowell & Moring’s Health Care Group and founding director of the Office of Policy in the Office of the National Coordinator for Health Information Technology (ONC), says that current U.S. privacy laws don’t protect all health information wherever it resides; protection depends only on who is collecting or maintaining that information.

“[HIPAA] privacy laws cover information created or maintained by health care providers or health plans, but it doesn’t necessarily cover information maintained by employers and their role as employers, and it doesn’t necessarily cover information maintained in applications that individuals may use. While a health care provider might have limitations on how they share information on somebody’s health condition related to COVID-19, a contact tracing app may not have those same restrictions or any restrictions on how they use that data,” Daniel says.  

Crawford at the CDT says the technology has evolved over time from when HIPAA was passed in 1996. He cites the example of an Apple Watch, which holds a lot of personal health information, but it is manufactured by a non-covered entity. With the slim likelihood of any major privacy regulation passing in an election year, CDT has created a Consumer Privacy Framework for Health Data, which aims to create best practices to shore up protections for non-HIPAA covered data. 

Daniel says there are not many options to protect patient data in this new age without wholesale legislation. This was a challenge before the COVID-19 crisis and the pandemic has only exposed it further. “The question on privacy and COVID-19 contact tracing apps is highlighting the broader challenges we have,” she says.

Eggleston says that HIPAA has been positive but agrees with the notion that it lacks protections for modern health applications. He says it requires adjustments for a new age of consumer health. “HITECH, when it came out, did work to make business associates liable under the law, but it’s not hitting what we’re seeing now with these apps,” Eggleston says. He also sees a mindset shift among the general public, which may force an updated federal privacy law, even if it doesn’t happen in 2020 or 2021.

“Americans are also waking up to privacy issues, acknowledging what’s happening across the pond in Europe with the General Data Protection Regulation,” Eggleston says. “As we continue to get more awareness around that, we’re understanding that when we use social media sites, for example, we are realizing that we are the product.”  

Cover image credit: franckreporter/

About the Author

Gabriel Perna, Senior Manager, Digital Content

Gabriel Perna is the Senior Manager of Digital Content at Health Evolution. He brings 10+ years of experience in covering the intersection of health care and business. Previously, he was at Chief Executive, Physicians Practice and Healthcare Informatics. You can reach him via email at or on Twitter at @GabrielSPerna