In March 2020, at the start of the COVID-19 pandemic, the Secretary of the Department of Health and Human Services (HHS), Alex Azar, used discretionary authority to suspend certain provisions of HIPAA law designed to protect the privacy of US citizens’ personal health information (PHI). As a nearly direct result of this suspension, the COVID-19 status of people living at certain addresses in certain states has been made available to first responders in advance of their arrival on the scene without having to go through a covered entity, and APIs may have played a role. This article parses through the possible implications.
In September 2020, as the US was approaching the first peek of the coronavirus pandemic, a patrol officer in Oxford, Ohio approached a midday house party.
As young people fled, one man stepped forward to take responsibility for the gathering. The officer asked for the man’s identification, then ran his ID through the police computer-aided dispatch (CAD) system mounted in the patrol car.
That moment is when the single-source federal deregulation of PHI was put on display: upon running the man’s ID through the police CAD system, the search presented the man’s COVID-19 positive status on the CAD display in the patrol car.
How the 1135 Waiver Affects PHI
Under normal circumstances in the United States, HIPAA (Health Insurance Portability and Accountability Act) would bar most of an individual’s PHI from direct routing into police databases, or even from being displayed on a first responder’s in-vehicle computer system. In the information age, a global pandemic is without precedent. In 2020, a solitary, Presidentially-nominated, Senate-approved member of the federal government was presented with an opportunity for an unprecedented nationwide rollback of certain HIPAA provisions, primarily through an erosion of the privacy rights that the original legislation was designed to protect.
The federal alteration of HIPAA protections arrived in the 1135 Waiver (the first nationwide waiver of its kind) and was sent from the desk of the former HHS Secretary Alex Azar, with retroactive effect to March 1, 2020. The same document referred to Azar’s issuance of a Declaration of a Public Health Emergency (retroactive to January 27, 2020), which also has the power to suspend or alter the regulation of PHI. The 1135 Waiver garnered no mainstream news coverage, with heavy attention paid only by outlets for legal news and healthcare news media.
The federalized boundaries enacted with HIPAA to limit access (and therefore distribution of) PHI are suspended by the 1135 Waiver. During the suspension of HIPAA laws, PHI can be moved (via API or manual processes) to new destinations where it's ultimate treatment of PHI is not guaranteed. For example, per HIPAA, a covered entity such as a hospital, may provide a list of the names and addresses of all individuals it knows to have tested positive for the coronavirus, or who have received treatment for COVID-19, to a federal 911 dispatch for use on a per-call basis. The federal 911 dispatch would then route the information to the first responder. A covered entity under this example would not be allowed to distribute compiled lists of individuals directly to EMS personnel, and instead would disclose only an individual’s information on a per-call basis.
During any formal public health emergency, from coronavirus to tuberculosis, or an opioid crisis to a hurricane, HIPAA allows for PHI to be sent to first responders, via a covered entity, on demand. In Oxford, Ohio, local police use a software system with the unique selling proposition of an integrated suite of solutions which, when deployed, share information between primary functions like police and municipal departments. Their provider, CentralSquare, is also a provider of a suite of public sector solutions that among other functions, includes CAD, 911 Dispatch, and integrated coordination of police, fire, and EMS resources.
When a software company builds platforms designed to work together seamlessly, making connections between departments becomes a much more straightforward task. Connecting one department to another, or merging one company with another with seamless exchange of information, can make a software company an industry leader. In the case of the pandemic, it sometimes allowed for the rapid flow of PHI into the databases of public servants without sufficient training for the management of sensitive information. In other cases, it allowed first responders the opportunity to prepare and protect themselves when coming onto a scene in aid of an individual who had tested positive for COVID-19.
With a company like CentralSquare, which provides software for public safety, public administration, and public healthcare, this rapid flow of information is what their software was built to do. Their software is agile and integrated, able to immediately react to sweeping changes such as those enabled by the 1135 Waiver from March 2020. The company claims to serve three in four citizens across North America, with software in public safety, including 911, dispatch, records, mobile and jail, finance, HR/payroll, utilities, citizen engagement, community development, property tax, municipal services and asset management, all of which suggests that the public sector, in general, relies on APIs to share information. However, Anthony Dwyer, a Deputy in Oxford, Ohio, confirmed that as of 2021, records of residences with positive test results were still being bulk uploaded into the CAD system. ProgrammableWeb sought comment from Central Square in February 2021, an employee said there was “no department available for that.”
Looking again at the incident with the house party in Ohio, there is a question of how a CAD system (using software created by CentralSquare) was loaded with the same bulk data as a 911 dispatch center. The data flowing to a 911 dispatch is different from a police dispatch center, most fundamentally because 911 is a federal program (though operated at the state and local level), and a police dispatch can be, at maximum, a county program. In addition to calls for police, a 911 dispatch center receives calls for fire and rescue, EMS, threats, tips and all other requests for aid, making them the logical distribution point for sensitive information.
According to the HHS Office for Civil Rights, only specific 911 dispatch centers are HIPAA-covered entities or business associates. This matters because even under the 1135 Waiver, HIPAA law only allows mass record reporting to flow into covered (federal) 911 dispatch centers, those which are considered HIPAA-covered entities or business associates. Information is allowed out of a HIPAA-covered 911 dispatch center only on a case-by-case basis to first responders. Once pushed into their system, the police dispatch systems allow data to pass through their systems and out to the CAD systems in police vehicles.
How States Are Legislating PHI in the Wake of the 1135 Waiver
Even with the softening of HIPAA regulations, how data about COVID-19 moves into a CAD system is circuitous. PHI is moved through a series of APIs housed in private labs as well as through government entities before it reaches a police CAD system. The latitude granted by the 1135 Waiver for interpretation of the suspension of privacy protection can be interpreted as fairly broad. How far this latitude is taken varies, with some states interpreting it as an opportunity to legislate entirely new guidelines, while other states release orders or mandates for PHI distribution.
Elected leadership from ten states (Colorado, Iowa, Louisiana, Nevada, New Hampshire, New Jersey, North Dakota, Ohio, South Dakota, and Tennessee) set their own guidelines for the management of the distribution (and in Tennessee, the purge) of PHI for COVID-19, beginning with distribution going directly to first responders without first flowing through a covered entity. (Wisconsin also did so briefly, then ceased sharing data in early May 2020.)
- In Ohio, Centerpoint Health released a public statement: “We may use and disclose your health information when needed to prevent a serious threat to your health and safety...We would only give this information to someone that can help stop the threat.”
- Williamson County Public Safety Director Bill Jorgensen from Tennessee offered a plan for handling PHI over the long term: in a phone call, he promised that the temporary record of those addresses associated with COVID-19 patients will automatically be purged 30 days after they're added.
The tally of states releasing limited PHI as well as the shortlist of ten states from above disclosing broader PHI to non-covered entities makes a telling statement about powers inherent within statehood about their power to decide how to interpret HIPAA guidelines. Just as PHI data has been more accessible to non-covered entities during the pandemic, focus may turn to questions such as what are and are not covered entities with the right to access PHI like vaccination status, as the data is accessible via all of the same APIs and platforms.
As some states make use of the 1135 Waiver’s temporary suspension of privacy protections, other administrators at the state level take long-term bureaucratic and legal paths to plow through patient privacy protection.
- Florida, Alabama, Massachusetts, and North Carolina all signed orders to share lists of home addresses of people who had tested positive for COVID-19 with first responders.
- San Diego County, California distributed lists of COVID-19 addresses directly to the police.
- In 2020, the state of New Hampshire issued a memorandum of understanding which declared that, going forward, New Hampshire would be following their own guidelines regarding PHI disclosure.
- The City of Livingston, Montana, successfully sued Park County Health Officer Dr. Laurel Desnick, the Park County Health Department and the City-County Board of Health to provide addresses of positive COVID-19 cases directly to law enforcement.
In Ohio, Erin Smiley, the Butler County Health Promotion Director, explained to ProgrammableWeb via email how PHI moves from an initial health screening, through hospital systems, third-party databases, and into the dashboard system of a first responder. Ms. Smiley outlined the usual process of disease reporting:
“In Ohio, most laboratories report all positive cases of COVID-19 and other Class A infectious diseases, like measles for example, to the Ohio Department of Health (ODH) via a disease reporting database. These entries are sorted by county, and local health departments can access their own cases. A few cases are reported directly to the local health department and are sent on to ODH.”
The ODH maintains the public health portal for the state of Ohio (an equivalent health portal is legally required in all states). Every U.S. state has a publicly searchable health portal, ranging from the basic, to the comprehensive, where users can find a broad range of data, from morbidity to mortality, to an index of diseases with report criteria. These data are made publicly available with the idea that the line between what is private and public should be definitive: sharing anonymized data is considered to be for the greater good, whereas PHI by definition is private. This is why HIPAA guidelines were created: for the careful management of PHI within closely-held centers known as covered entities.
The Role APIs Play in the Future of PHI
With states creating micro-loopholes to circumnavigate HIPAA mandates, the lack of comprehensive legal protection for personal data comes into sharper focus. The flow of PHI through a health care provider into a government system is not a guarantee for dissemination via API - yet - but the legal mandate, named the Cures Act, is underway. The HHS has defined parameters for information sharing which must be adopted by the end of 2022 - including standardizing the use of APIs for health data with enforcement of the ONC interoperability rule.
Given the permeability of HIPAA legal protections as evidenced by the response of the HHS to the COVID-19 pandemic, it is clear that declaring an official health emergency not only gives the agency the right to suspend certain provisions of the law, it grants the privilege without oversight. While such suspensions are in effect, APIs can and will be used to move PHI past what would be the normal legal barriers. Patriot Act exceptions are referred to in the waiver, and the same APIs which given access to data portability for patients through Cures Act creates has created data portability for the National Notifiable Diseases Surveillance System (NNDSS), which contributes to the existing network of open source code, data, and APIs already used by the CDC.
The last federal layer of privacy protection guarding PHI exists in HIPAA. Even with the passage of the 21st Century Cures Act (the law requiring full access and portability via API of patient records) and the activation of the 1135 Waiver, bulk PHI can only be pushed to specific, HIPAA-covered 911 dispatch centers or covered entities. When states rewrite their individual constitutions to permanently abandon federal privacy protections for a short-term problem, or, worse, allow local governments to circumvent the laws altogether, the loss of this protection is at stake. These sub-federal examples are ongoing throughout the country, and unwittingly or not, they abandon the assurance of data security which the use of APIs had provided HIPAA-covered entities.
The impact of a top-down power like the 1135 Waiver will only increase once the Cures Act is fully enforced. The 1135 Waiver has already opened Pandora’s box with regards to the flow of PHI data; as APIs become not only common but the standard in healthcare settings, the portability of PHI data along with their possible consequences will increase. The fallout for legislating mid-pandemic PHI management will be ongoing without a thoughtful walking back.