With the COVID-19 pandemic preventing large gatherings of any kind, the Senate Committee on Commerce, Science and Transportation last week was forced to hold its hearing on big data and privacy protections in response to the pandemic as a “paper hearing.” Participants submitted written testimony only. Lawmakers sent those experts questions, and the panel responded with written answers.
Despite the unusual format, the hearing was packed with insights about which tracking and tracing technologies have the best chance of being helpful in the fight against COVID-19, and which constitute too high a risk to Americans’ civil liberties.
Most witnesses were representatives from industry associations, but the list also included Ryan Calo, a professor of law at the University of Washington, and Kinsa CEO Inder Singh.
Other countries’ examples
Part of the impetus for this discussion is the relative success some other countries seem to have had with digital contact tracing – using cell phone activity, GPS and/or Bluetooth data to monitor the path of infection and quarantine people accordingly.
For instance, lawmakers pointed to Taiwan, South Korea, Singapore and Israel as countries that have managed to control the disease. But witnesses questioned whether those cases were truly illustrative, as well as whether that level of tracking could work in the United States.
“In responses like Taiwan’s, the availability of high-quality and complete data sets helped enable a policy response that effectively stopped the spread of COVID-19,” Graham Dufault, senior director for public policy at ACT | The App Association, wrote in his remarks. “However, the ready availability of an extraordinarily complete picture about individuals’ movements to a government authority is not generally a feature of American policy, which tends to avoid such invasive surveillance and enforcement without due process.”
The question at hand is whether voluntary tracking can be as effective as mandatory tracking. To that point, one of Israel’s initiatives could be a serviceable model.
“[A] program launched by the Ministry of Health has been supported by leading privacy academics in Israel,” said Stacey Gray, senior counsel for the Future of Privacy Forum. “This program involves an app, ‘HaMagen,’ which individuals may use voluntarily, and leverages GPS data, Wi-Fi data, Google Timeline history (upon separate consent) and Bluetooth data to enable alerts to users who have been in the proximity of a known infected person. Alerts trigger a recommendation for users to voluntarily self-quarantine. HaMagen is open source, voluntary and according to the Ministry of Health has been adopted by approximately 1.4 million people, or 25% of the desired population.”
University of Washington's Ryan Calo and Michelle Richardson, director of the Privacy and Data Project at the Center for Democracy and Technology, both noted that it’s impossible to know for sure whether results in other countries are replicable here.
“To the extent that technology-based contact tracing has been effective in these jurisdictions, they have not been voluntary, self-reported, or involved self-help,” Calo said. “Rather, public officials have forced compliance and dispatched investigators to interview and, if necessary, forcibly quarantine exposed individuals. I see it as an open question whether Americans would be comfortable with this level of state expenditure and intervention. At any rate, the experiences of these nations are not a ready analogy.”
“Even though location and proximity tracing apps have been deployed in other countries,” Richardson added, “their impact has not been disentangled from contemporaneous efforts like widespread testing, compulsory quarantines, public information on the movement of infected individuals and other responses.”
Calo pointed out that voluntary self-reporting apps sound good in theory from a privacy perspective, but they introduce a new danger: bad actors co-opting the platform.
“It is not hard to imagine nefarious use cases as well,” he wrote. “A foreign operative who wished to sow chaos, an unscrupulous political operative who wished to dampen political participation, or a desperate business owner who sought to shut down the competition, all could use self-reported instances of COVID-19 in an anonymous fashion to achieve their goals.”
How much are privacy and security at odds?
Many senators framed their questions to the panel in terms of the balance between privacy and security.
“I want governments and businesses to be mindful that, in a complex world where absolutes like total anonymity and privacy are rare, we have to balance the value of privacy with other core values, and that the quest for that equilibrium is a constant challenge,” Leigh Freund, president and CEO of the Network Advertising Initiative, wrote. “I am optimistic that we can, collectively, retain a strong belief in the value of data for both societal and commercial benefit, and that its use can be governed by respect, rather than fear.”
Most witnesses suggested that, with the right technology, it was possible to have both privacy and an effective response to the virus. But to do so, companies and governments will have to choose the right approaches and carry them out correctly.
“As one can see, there are a number of ways big data processing can advance the coronavirus response without unduly risking individual privacy,” Richardson said. “Some of this data does not reflect personal information at all – such as state level statistics that are aggregated and cannot be associated with specific individuals. But there are also uses of data that are riskier. For example, if heat maps or case reporting become too granular, it may be easy to associate a positive coronavirus status with identifiable people. Symptom trackers may also pose privacy risks if they collect personal information.”
In general, the conflict comes from the use of location tracking to trace the spread of the disease. In order to do so effectively, the government would have to collect an uncomfortable amount of data about individuals.
“Contact tracing apps collect and combine two highly sensitive categories of information: location and health status,” said Calo. “It seems fair to wonder whether these apps, developed by small teams, will be able to keep such sensitive information private and secure. To the extent digital contact tracing – or any private, technology-driven response to the pandemic – involves the sharing of healthcare data with private parties, there is also the specter of inadequate transparency or consent.”
Many members of the panel pointed out that “de-identifying” data is not a good solution, as location data is especially hard to de-identify and easy to re-identify. But there are other ways to anonymize data, such as processing data locally and sending only aggregate information to companies or governments.
“In an era of big data, super computers and highly sophisticated hackers, even using sophisticated anonymization techniques cannot completely prevent the possibility of anonymized data being associated with an individual,” Freund said. “For this reason, it is necessary to also incorporate technical and administrative controls that protect against this unintended outcome, like strict data usage limitations, data minimization practices, employee training and data retention restrictions.”
And privacy and safety may not be the only values being traded. Many witnesses noted that if these systems aren’t carefully designed, they can also contribute to health inequalities.
“We are alarmed by the early reports of COVID-19-related death disparities in African American communities,” said Gray. “Understanding how and why these disparities exist is only possible with the collection of sensitive data combined with health information reflecting racial demographics. For example, voluntary contact tracing apps must be adopted by sufficient numbers of app users within high-risk populations, including those who cannot afford the latest mobile technology. To the extent possible, mobile apps should be designed so they are not unduly limited to users of only the newest or more sophisticated devices that can accommodate the recent updates to iOS and Android operating systems.”
Ultimately, Calo urged the legislators to be transparent about the trade-offs they are comfortable making.
“The American people through their representatives may decide that these extraordinary times call for invasive measures in order to slow and contain the spread of coronavirus,” he said. “For example, some Americans may embrace testing and reporting requirements, mandatory quarantine, and ‘badges’ that indicate who is free of coronavirus or possess antibodies against it. I am not an elected official and so it is hard for me to speak on anyone’s behalf but my own.”
But, along with several other witnesses, he was quick to warn the government that whatever extraordinary power it chooses to use to fight the virus, it must commit now to giving that power up when the threat has passed.
“To paraphrase the late Justice Robert Jackson, a problem with emergency powers is that they tend to kindle emergencies,” Calo wrote. “My hope is that policymakers will expressly ensure that any accommodations privacy must concede to the pandemic will not outlive the crisis.”