Privacy and data sharing: A checklist for building privacy and data security into contact tracing programs
Checklist
1. Assess the overall process
1.a Consider conducting an initial privacy assessment by asking, for example:
who are the people/roles involved in the process,
what information will be collected,
what privacy and security policies and controls are in place,
when and how will private information be deleted or de-identified, and
what are the key data flows and data sharing use cases.
1.b With appropriate advice, consider documenting or amending existing policies in light of the program's maturity and the needs of the local jurisdiction.
2. Assess policy simplification
Consider the costs and benefits of policies that default to treating information as sensitive, even if not legally required.
Sample: Your information is confidential and will be used only for public health purposes. We will collect, use, and share the minimum necessary information appropriate for these purposes and we will not release the name of someone who tests positive to anyone with whom that person has been in contact.
3. Privacy / Communications to contacts
4. Notification
5. Data sharing plan/framework
It is important to proactively define data sharing use cases and rules. Consider, with appropriate advice, creating a data sharing plan for your state and local jurisdiction that specifically addresses what data can be shared and with whom. Consider the following questions:
What is the data that’s being considered for sharing? Define and map data flows and explain what happens to the data in the privacy notice.
How sensitive is the data? Classify data sets into categories, such as: Protected Health Information (PHI), Personally Identifiable Information (PII), Public Health data and Public data.
What is the purpose for sharing a particular data set? For example, is the data set:
for the Public Health Department’s contact tracing process?
for other public purposes?
Are data sharing agreements in place and who (what entities) are receiving data?
Determine what data sharing, confidentiality and business associate agreements (BAAs) are needed and in place. With legal assistance, proactively prepare standard contract terms.
Entities may include, for example: Public Health agencies within the jurisdiction, Public Health agencies outside the jurisdiction, clinical providers (such as labs), medical providers, medical researchers, data clearinghouses, other state and local agencies, the media and technology providers.
Is individual consent required?
Determine if individual consent is required to share sensitive data.
Assess consent issues, which are fact specific, proactively and with appropriate advice. In general, the rules reflect a balancing of patient and public interests. For example, data can be more freely shared within a public health process for surveillance or for medical treatment, potentially without individual consent or authorization. In other contexts, the data that can be shared may need to be less sensitive and/or individual consent to disclose may be required.
6. Technology
When considering technology to enhance a contact tracing process, ensure privacy and security standards, including under HIPAA, are met.
The two general categories of tracing technologies are (i) “case management” tools to automate the efficiency of case investigation, management, and communications within a human-based tracing process and (ii) “proximity tracking” (by cell phones), which can help automate the identification of, and follow-up communications with, contacts.
Consider communicating privacy policies to your technology teams to promote cross-functional discussion.
7. Assess and ensure proper data security policies, standards and controls are in place
8. Assess and document data retention, access, deletion, & de-identification policies
9. Train staff
Train employees on privacy and security policies, as well as the reasons for the policies (including to build public trust in a process that relies on voluntary community cooperation).
Consider written privacy agreements and certifications.
Enforce the policy, including with transparent investigations of data breaches and appropriate consequences for policy violations.
10. Remote working rules
11. Agility
HIPAA and privacy compliance are highly fact-specific. This checklist is not intended as, and should not be treated as, legal advice concerning any particular course of action.
Implementation tools
Criteria for evaluating contact tracing apps to ensure privacy
Data security and privacy guidelines