Recently, a bipartisan group of United States Senators introduced the Exposure Notification Privacy Act (ENPA). This bill aims to regulate exposure notification and contact tracing apps that will be used to monitor and control COVID-19 spread.
What is Contact Tracing?
Contact tracing is the process of identifying people who may have come into contact with a person infected by a virus. COVID-19 contact tracing apps are being developed by companies such as Google and Apple to reduce the spread of COVID-19. A contact tracing app works using technology similar to what the “Find My iPhone” app uses. When a user downloads a contact tracing app onto his or her smartphone, the phone emits audible, short-range Bluetooth signals called “chirps.” These signals are picked up by nearby phones that are also running the app. If the user later tests positive for COVID-19, the user can upload all chirps from recent weeks into a public database. Other individuals with the app are then notified as to the time and date their phones picked up infected individuals’ chirps, thus alerting them that they may have been exposed (and when they may have been exposed).
Upon alerting the individual that he or she may have been exposed, the contact tracing app then provides the user with information from public health officials regarding appropriate actions to take, such as self-quarantining or getting tested for COVID-19.
What Privacy Risks Do Contact Tracing Apps Pose?
Use of these apps presents privacy risks. The Exposure Notification Privacy Act aims to protect privacy by requiring that the use of contact tracing and exposure notification apps be voluntary. This bill also requires app developers to implement security measures that give consumers strong controls over their data. In addition, the bill limits the types of data the apps can collect and how that data can be used. The bill proposes that personal data collected through contact tracing apps be used only for the purpose of controlling COVID-19 spread, and prohibits use of personal data for commercial purposes. The bill also places a time limit on how long personal data can be used. Finally, the bill gives Americans the right to opt out and have their personal data deleted at any time.
The bill also provides for strict enforcement measures to ensure protection of consumer rights. The ENPA requires that all affected individuals be notified in the event of a data breach. In addition, the bill contains a provision giving federal and state authorities the right to impose financial penalties in the case of noncompliance.