What’s the news: Technology behemoths Google and Apple have joined forces to create functionalities for their popular smartphone operating systems that automatically notify users of potential exposures to people with COVID-19.
In the Google-Apple announcement, the companies say their systems won’t track users’ location, that users control whether they receive exposure notifications, that only public health authorities can use the system, and that neither Google, Apple, nor other users can see a user’s identity. Both Google’s Android operating system and Apple’s iOS require users to opt in to the functionality.
Why it’s important: Without a proven SARS-CoV-2 vaccine or breakthrough treatment, public health experts agree that quickly tracking new COVID-19 infections and tracing those patients’ contacts is essential to limiting spread of the deadly respiratory illness. “A well-resourced public health system for surveillance and contact tracing” is one of the four signposts for safely reopening America that have been laid out by the AMA.
Yet, with a recent KPMG survey finding that nine in 10 Americans view data privacy as a human right, Google and Apple’s exposure-notification technology raises anew the profound concerns that patients have about the sensitive information gathered by for-profit companies, and how it is used.
The “AMA Privacy Principles” support an individual’s right to control, access and delete personal data collected about them. Using the privacy principles, the AMA is actively engaging the Trump administration, Congress and industry stakeholders in discussions on the future direction of legal guardrails that are needed to restore public confidence in data-privacy protections.
In the meantime, here are six steps—drawing on the AMA privacy principles—that Google and Apple must take to help reassure patients with privacy concerns regarding use of their COVID-19 exposure-notifications system.
When it comes to individual users, the companies must:
- Let them know exactly what data of theirs is being accessed, used, disclosed and processed—and for what purpose—at or before the point of collection.
- Tell them whether their data will be used to develop and/or train machines or algorithms.
- Assure them that their data will not be used for discrimination, stigmatization, discriminatory profiling and exploitation by any of the entities receiving access to the data—including downstream recipients.
More generally speaking, Apple and Google must:
- State that they have an obligation, or “duty of loyalty,” to the individual, including the duty to maintain the confidentiality of their information.
- Work with public health agencies to only collect the information necessary for the stated public health purpose.
- Assure individuals that data collected will not be used in any way other than for the stated purpose.
Learn more: A new draft health data privacy framework to which the AMA contributed is now available for public comment. The framework, part of a project funded by the Robert Wood Johnson Foundation and led by the eHealth Initiative and the Center for Democracy and Technology, is meant to serve as a stepping-stone to federal privacy legislation, rather than as a replacement for it or an attempt to avoid it. Several of the AMA’s privacy principles are reflected in the framework, which seeks to move beyond outdated notice-and-consent models and cover a wide range of health information.
For more than a decade the AMA has advocated for the fundamental right of patients to access their complete medical record and promoted the use of health data to enhance patient experience, improve population health, cut costs, and improve the work life of physicians and other health professionals.
The AMA Patient Access Playbook, for example, helps guide physicians and their staff on best practices for providing patients their medical records.