By Jeff Benson
First of two parts.
You wake one Friday with a cough — a dry cough that’s gotten worse after a restless night in bed.
Your breaths come as short, jagged pulls — and you don’t know whether that’s because you’ve contracted coronavirus or you’re paranoid.
You find a clinic where you can get tested, and the nurse advises to assume you have it — to go home and to avoid other people.
That shouldn’t be too hard: You’ve been a recluse for the past month. Well, mostly.
Four days later, you’re at home coughing in rhythm to “Here Kitty Kitty” by Tiger King when the telephone rings. It’s the clinic letting you know you weren’t paranoid: You’ve tested positive for COVID-19.
You think that’s it — but a few hours later, the phone rings again. The clinic has shared your status with the local public-health department. You see, not all of your medical data is private — and especially not during a public-health crisis.
Just the Beginning
Your health district is calling because they want some information — about not just you but also everyone you’ve been in close contact with. Its aim is to first notify those people that they’ve potentially been exposed, and then encourage them to be tested, to monitor their symptoms and to quarantine.
This process — “contact-tracing” — is used by health departments to combat COVID-19 and a whole slew of “notifiable diseases,” such as HIV and measles, as determined by the Centers for Disease Control and Prevention (CDC) and state epidemiologists.
Any time someone contracts a notifiable disease, state laws generally require the provider or laboratory to inform state or local health departments. State health departments then relay that information to the CDC (by general agreement, not federal law).
The required reporting format varies by state, but a standard report might feature your name, address, date of birth, Social Security number, phone number and email address. It may also include employer names and work addresses, previous medical afflictions and pregnancy status.
Lest you think the Health Insurance Portability and Accountability Act (HIPAA) prohibits health-care providers from sharing information without patient authorization. It doesn’t.
Public-health departments are just one of multiple groups for which HIPAA’s privacy aspects don’t apply. Not without reason: Public-health departments are on the front lines of every outbreak.
States looking for ways out of lockdown, then, have ample information to start with as they ramp up their contact-tracing efforts for COVID-19.
What’s Law Got to Do With It?
There’s no one nationwide system in place for contact-tracing — or one explanation of how your personal information will be treated if you test positive for COVID-19.
“Most states have particular answers for particular diseases, but not COVID,” Stacey Tovino, a law professor and founding director of the University of Nevada, Las Vegas, Health Law Program, told Digital Privacy News.
Texas, for instance, legally mandates an HIV partner-notification program. Officials inform any known sexual contacts an infected person voluntarily shares, but they may not share the infected person’s name or the time period in which they were exposed.
The opposite is true if you’re a health-care worker at University of California, San Francisco, Medical Center and test positive for COVID-19.
According to a UCSF Health policy document: “As is typically done in infectious diseases contact-tracing, your name as the index case will be shared with each contact during a phone interview conducted by the (Occupational Health Services) nurse, to determine if they were exposed to you.”
UCSF’s document contradicts the most recent CDC principles document.
“To protect patient privacy, contacts are only informed that they may have been exposed to a patient with the infection,” the webpage reads. “They are not told the identity of the patient who may have exposed them.”

— Stacey Tovino, University of Nevada, Las Vegas.
Ambiguity Abounds
Thus, much is ambiguous about how patient-contact information is used regarding contact-tracing.
“I think in some states, in terms of what COVID would fall under, there’s a general permission given to state public-health departments to do contact-tracing, but the statute doesn’t get so specific as to say ‘can a person’s name be disclosed or not?'” Tovino said.
Moreover, “It seems like some state laws just defer to whatever the current public-health authority says is the right process,” she added.
And those processes remain up in the air, even as states look to transition from broad lockdowns to increased testing and tracing. As recently as late last month, when the CDC last reviewed its contact-tracing page, it stated that it was merely providing “basic principles of contact-tracing to stop COVID-19 transmission; detailed guidance for health departments and potential contact-tracers is forthcoming.”
Regardless of the principles the CDC lays out, the federal agency isn’t the last say. States are.
Tovino told Digital Privacy News: “Because the HIPAA privacy rule does not preempt state laws and procedures governing public-health surveillance, investigation and intervention — including contact-tracing — protecting the privacy of patients who have tested positive for COVID is very difficult.”
Thursday: Technology enters the picture.
Jeff Benson is a Nevada writer.
Image: Bill of Rights overlaid with electron microscope image of an isolate from the first U.S. case of COVID-19. Credit DPN.
Sources:
- CDC contact tracing principles:
Contact Tracing : Part of a Multipronged Approach to Fight the COVID-19 Pandemic - Dimagi/CommCare: https://dimagi.com
- HIPAA coronavirus FAQ:
February 2020 Bulletin: HIPAA Privacy and Novel Coronavirus - Law.MIT.edu:
COVID-19 Contact Tracing Privacy Principles - National Notifiable Disease Surveillance System:
NNDSS | Centers for Disease Control and Prevention