Covid-19 puts data privacy on slippery slope

Gary Copelovitz / Photo: Ofir Abe

Coronavirus is associated with location monitoring and GPS tracking but health information can also be abused, argues Adv. Gary Copelovitz.

"Privacy in days of the Covid-19 pandemic" is ordinarily and typically associated with location monitoring and GPS tracking. Let us focus, however, on a different, and rather particular, feature of privacy - our health information.

The Covid-19 emergency has forced us to rethink the established balance between individual privacy interests and the public's right to health and safety. The recent trends in granting care providers, and others, special dispensation, in allowing disclosure, usage and process of health information in an unprecedented manner, are a glaring example of this shift.

In the US, for instance, the US Department of Health Services has relaxed enforcement of the Health Insurance Portability and Accountability Act ,embodied in a waiver on potential penalties for violations of privacy and security breaches by health care providers and their business associates serving patients through "everyday communications technologies" (otherwise known as "Telehealth" services) during the Covid-19; the OCR (Office for Civil Rights) later announced a similar policy in regards to first responders, "when need to provide treatment", "for public health purposes", and "when disclosure is necessary to prevent or lessen a serious and imminent threat to health or safety".

Still in the US, the Governor of California has apparently gone one step further where, in the context of an order relaxing the effects and enforcement of legislature and regulatory instruments in the course of proving telehealth services, the scope of the waiver was broadened to apply not only to government penalties, but also to damages awards, including in private class action lawsuits.

Another illustration of this principle can be found in the UK, in which the Department of Health and Social Care published a Control of Patient Information (COPI) notice requiring organizations providing health services to process and share confidential patient information amongst them, for the defined "Covid-19 Purpose", for a set period of six months. A Covid-19 purpose is broadly defined to include (without limitation) understanding Covid-19 and risks to public health, and controlling and preventing the spread of Covid-19 and such risks; identifying and understanding information about patients or potential patients with or at risk, including: locating, contacting, screening, flagging and monitoring such patients; understanding information about patient access to health services; monitoring and managing the response to Covid-19 by health and social care bodies and the Government; delivering services to patients, clinicians; and research and planning in relation to Covid-19.

Healthcare providers need access to health information to give better informed, faster, more effective and personalized treatment. Substantially improving the quality of care, however, is not an exclusive consideration; health information is equally vital for developing the next generation of medial solutions.

The Israeli Ministry of Health had attempted to join ranks with this approach in the regulation of secondary use (that is, use other than for medical treatment) of health information for research and commercial purposes under its circulars 1/2018 and 2/2018.

A key principle in these circulars is the de-identification of health information. As a default, secondary use of health information will be done only in de-identified form, i.e. information that has undergone a process of reducing the risk of identifying the applicable individual. Reducing the risk of identification shall be done, inter alia, by aggregation, reducing the accuracy of the data by using a range instead of a unique value, omitting details, coding and encryption.

However, unlike the examples mentioned above from the US and the UK, the invaluable potential of health information appears to have been overlooked by the Israeli regulator, as a relaxation of regulatory restrictions on the sharing of health information was not included among the various policy responses promoted by the Israeli Government as emergency measures in the battle with Covid-19.

Furthermore, bearing in mind the global trend on relaxing health information protocols in these pressing times, Israel is not just "late on the trend": Israeli health organizations currently collect and classify "health" information differently, and a previous Ministry of Health circular on the matters of sharing medical information, termed at the time as HIE (health information exchange) (circular 5/14) was cancelled, though not replaced; therefore, we would expect that when the Israeli regulator deems it necessary to revisit this matter, it would likely face questions that are broader and go beyond the global pandemic at hand.

Zooming out from our local regulatory regime, in era where governments and entrepreneurs alike are spending tremendous recourses on development of an effective vaccine, perhaps the time has come to revisit our perceptions on the significance of maintaining data privacy - in particular in the realm of healthcare - which arguably appear dated.

Indeed; it is submitted, that any attempt to get the balance right between privacy rights and the public's interests is likely to be riddled with controversy. However, that is not to say that this road should not be taken - regardless.

The author is a Partner in the Lipa Meir law firm and Head of the International Department who last month participated in the Futuremed2020 conference.

Published by Globes, Israel business news - en.globes.co.il - on August 2, 2020 © Copyright of Globes Publisher Itonut (1983) Ltd. 2020

Gary Copelovitz / Photo: Ofir Abe
Gary Copelovitz / Photo: Ofir Abe
Twitter Facebook Linkedin RSS Newsletters גלובס Israel Business Conference 2018