Many Americans have recently been introduced to new phone applications and workplace procedures that monitor and trace the spread of COVID-19 throughout the United States.
These apps and procedures perform a function known as “contact tracing,” examine COVID-19 spread through the identification, monitoring, and support of individuals that may be infected or that may have come into contact with infected individuals.
As demand has grown for comprehensive databases of COVID-19 contact points, companies have emerged to provide those services. Accordingly, the CDC has issued guidance for those individuals or companies conducting contact-tracing:
- Adequate Training. Contact tracers should have properly trained staff who are equipped to create trust in their communities; recommended skills include excellent and tactful interpersonal skills, cultural sensitivity, and language and interviewing skills.
- Identifying cases and contacts. Contact tracers must be able to identify and advise affected individuals to self-isolate immediately.
- Tracing and monitoring contacts of infected people. Contact tracers must also be able to notify contacts of their exposure, advise them to self-quarantine, and advise them to self-monitor for COVID-19 symptoms.
However, none of this can be accomplished without gathering and retaining vast amounts of data. This data will typically include personal identifying information and protected health information, which must be kept private under various state, federal, and international privacy laws. HIPAA, for example, applies to “covered entities,” which include health care providers, health plans, and health care clearinghouses; however, some companies can become “hybrid entities” when providing HIPAA covered functions such as reporting public health information.
Any company collecting, storing, or processing COVD-19-related data should be careful to limit its exposure to violations by limiting the information shared and stored. At a minimum, personal information of the infected individuals should never be provided to exposed individuals. And reporting should be anonymous. Further, retention of such data may trigger other state-specific data privacy laws, which can have their own requirements and regulations that are not considered under HIPAA.
For more information data privacy matters, please contact a Kerr Russell attorney.
Nezar G. Habhab has a broad transactional practice handling matters related to leasing and purchasing, mergers and acquisitions, entity formation, commercial contracts, as well as data privacy. He works as part of firm’s Data Privacy and Cybersecurity team to draft and review company policies, facilitate cross-border data transfer arrangements, and counsel clients on the risks associated with the control and processing of data around the globe. Additionally, Nezar is experienced in drafting and negotiating a variety of artist, influencer, branding, and licensing agreements in the experiential and marketing space for both SAG-AFTRA and non-SAG talent.
Other posts to consider: