Federal Vaccination Tracking Raises Privacy Concerns
Although vaccine rollout began slowly in the United States, millions of people per day are now being vaccinated against COVID-19. As individuals receive the vaccine, states have been collecting personal health data in individual immunization registries. Experts say this data collection is essential to effectively monitor vaccination progress, report adverse reactions, compare vaccine efficacy in cross sections of the population, and keep track of who needs second doses and when.
Although states have traditionally been responsible for collecting immunization data without federal intervention, some say the global scale of the pandemic and the need to understand vaccination progress nationally require greater federal intervention in tracking immunization data. In December 2020, the U.S. Centers for Disease Control and Prevention (CDC) began asking states to enter into Data Use and Sharing Agreements that would require states to share vaccination data with the federal government, with the stated goal of “generat[ing] a comprehensive picture of COVID-19 vaccine uptake nationally.” Many states have signed the agreements as is, but some have negotiated with the CDC to share less data, or to ensure that the data will not be used for particular purposes. Minnesota and Colorado, for instance, will only submit de-identified data on vaccine doses administered in each state. California will only provide the federal government with the birth year and sex of vaccinated individuals, as well as the county where the vaccine was administered.
Naturally, the collection and storage of health information at the federal level raises significant privacy concerns. Although the Health Insurance Portability and Accountability Act (HIPAA) normally protects against the disclosure of identifiable immunization data by covered entities, HIPAA contains various exceptions to ensure public health and safety. Throughout the pandemic, the U.S. Department of Health and Human Services (HHS) has announced its intention to empower HIPAA covered entities to use technology to contain the spread of COVID-19 without fear of massive penalties. For instance, HHS exercised its enforcement discretion to announce it will not enforce penalties in connection with the good faith use of online scheduling applications for COVID-19 vaccinations. HHS also clarified that using Protected Health Information (PHI) to identify and contact individuals who have recovered from COVID-19 to facilitate plasma donations is permitted during the pandemic. In this instance, to justify its request for vaccination data from states, the CDC relies on the HIPAA exception that permits a covered entity to disclose such data to public health authorities, such as the CDC, when the disclosure of PHI is necessary to prevent or control disease.
Notably, even with this exception, covered entities must reasonably limit the disclosure to the minimum amount necessary to accomplish the public health purpose. To meet this requirement, the data received from the states will be stored on a cloud-hosted “COVID-19 Data Clearinghouse” that will receive, de-duplicate, and de-identify the data, and then populate IZ Data Lake, a separate cloud-hosted repository, with limited datasets of redacted vaccination data. Only authorized users who need to see the data for vaccination management and administration purposes will be given access to these limited, redacted datasets. This limits access to the larger pool of data that is received by the COVID-19 Data Clearinghouse. The repositories will also be independently audited to ensure compliance with privacy laws. The CDC is also putting in place appropriate response teams to coordinate a response to the incident should there be a data breach.
To be sure, even with these risk mitigation measures in place, the collection of vaccination data at the federal level requires the secure collection, management, and dissemination of data at an unprecedented scale.