What to ask your employer about your COVID-19 symptom tracking app
Kyle Tretina, Ph.D.,
Genomics Application Scientist
Posted on July 7th, 2020
Tracking a pandemic of apps
There are new COVID-19 symptom tracking apps coming out on a regular basis now, and it can be difficult to know if you can trust them with your medical data. The information going into these apps can be very sensitive, including symptom recording, location tracking, COVID-19 test results and more. Whether these apps are effective as an integrated public health approach or not, many people clearly care about where this information is going and who is going to have access to it.
Is your app “HIPAA compliant”?
HIPAA is an acronym that stands for the Health Insurance Portability and Accountability Act passed by Congress in 1996. This act covers a variety of topics related to health insurance, but in this context it is important because it was made to ensure that employers keep protected personal health information (PHI) confidential and secure when it is used in essentially any way or form (digital, paper, oral, etc.). It also makes sure that only the minimum PHI is collected as necessary. The government has a large system that makes sure that employers are compliant with this act (see Office of HIPAA Compliance in the Department of Health Care Services’ office for more information), and there can be very harsh penalties if an employer violates this act, including fines of over a million dollars per year. Asking and confirming that your COVID-19 symptom tracking app is HIPAA compliant is therefore extremely important for both you and your employer. This question covers some of the upcoming questions as well, but it’s best to ask your employer about them individually to make sure.
“Your personal health data is your data. You should own it and you should be able to control it and take it with you.” — Stephan Smith, CTO at Meenta, Inc.
Will anyone other than my doctor and me be able to see my personal health information?
A key part of your health privacy rights (1) under HIPAA is to be able to access your PHI, check it, and know everyone who has had access to it. While certain information is required to be collected and sent to the Department of Health and Human Services (2), depending on the app, your PHI could be passed to a variety of physicians, pharmacies, laboratories, hospitals, insurance companies, programmers and others. Your rights under HIPAA should give you the chance to learn how your health information is being shared, give you the chance to let your insurance companies know if there is information that you do not want to share, and be able to request that you want to be contacted somehow other than at your home. Some apps give the ability to enter your PHI (such as symptoms) in your place as a surrogate, but your COVID-19 testing status, symptom status, and other PHI should be under your control in these ways, so you confirm with your employer that the app facilitates that control.
Figure 1. An example of a symptom tracker user interface by Meenta, Inc.
Is the app secure?
You don’t need to be a computer programmer or web developer to ask some basic questions about app security. The app should only contain the data that it needs to complete its function, meaning that each piece of data in the app should have a clear purpose. Each user should have a way to uniquely authenticate their access when logging in. PHI should never be sent in a text message (it’s not safe). Sessions should be able to timeout if left unattended. The app should not send push notifications. The security of the app should be validated by security testing. All stored data should be deleted after it is needed. There are a variety of ways that data can be accessed and stored, including the use of QR codes, blockchain, employer dashboards, a key fob, or a user COVID-19 profile / passport. Are the developers aware of the ways in which the data is encrypted, transmitted, verified and stored should be HIPAA compliant? For the more advanced users, there are many online resources available (3) on this topic.
Is the use of this app voluntary?
The Equal Employment Opportunity Commission (EEOC) provides guidance regarding whether employers may screen employees for COVID-19 (4). Since these guidelines can change often and may or may not relate to a symptom checking app, you should ask whether the use of this app is required by your employer in the first place in case you are not comfortable with sharing your PHI with the app for any reason. Then you should ask your employer whether they are requiring that you use the app.
Will the app track my location?
Some COVID-19 symptom tracking apps will actually use location data from your phone for contact tracing, which is the investigative work of discovering people who have been in contact with COVID-19 patients and finding more information about them. Several governments (5) are making apps available for this purpose with the hope that it could inform public health decisions and control of the pandemic. However, automated tracking raises privacy concerns (6) and many people are questioning if the gain in public health information is worth the loss of privacy (7). Recent mathematical modeling (8) suggests that this kind of contact tracing could be effective, but sharing anonymized location data with the government is not simple, as Google and Facebook (9) are finding out now. Data from traditional contact tracing in China (10) and South Korea (11) suggests that contact tracing could provide some efficacy against the pandemic, so you might think that the loss of privacy is worth it, but you know up front whether your symptom tracking app is tracking your location.
Which symptoms does the app track?
Despite a core set of symptoms that are listed by the Center for Disease Control (CDC) as COVID-19 symptoms (12) which can appear 2–14 days after exposure to the virus (Figure 1), not all symptom checking apps check the same set of symptoms. This might not be surprising, since these symptoms can appear in many combinations (13), and there are many unlisted symptoms that are generally more rare. Generally, fatigue, cough and tend to be the most common symptoms (13), with loss of taste or smell as the most informative (14), so you should at least check to see if your app is checking for those symptoms and making sure that it is only checking for symptoms that are relevant to COVID-19 infection.
How will the data I put into the app affect my ability to go to work?
Perhaps most importantly, if an employer is going to track the symptoms of their employees, they need to have an effective plan if an employee shows possible symptoms for COVID-19. For example, if you start getting a cough, will you be allowed to return to work? Who is responsible for coordinating and enforcing the response to possible COVID-19 symptoms? Will you then get tested? Will the test occur at home, work, or another location? Which medical personnel should you contact and will any of them be checking in on you as you are in self-isolation?
Compliance as a symptom of trust
Most technologies that have the power to improve lives can also ruin them, and apps that contain PHI are no exception (15). This makes it even more important that as we integrate technology into our lives to fight emergent diseases, we understand the risks that we take in adopting them. Symptom checking as part of a larger disease prevention and control strategy can be an effective way to reduce the risk of an outbreak within your company, but no public health strategy is effective without the trust of the people involved. By asking your employer these questions and asking to share the answers with your coworkers, you can begin the journey of building the kind of trust that is necessary for your company to become more resilient, even against pandemics.
Kyle has extensive research expertise and interest in the area of genomics, microbiology and immunology. He received his Ph.D. from the University of Maryland, Baltimore working at the Institute for Genome Sciences and came to Meenta from a postdoc at Yale University.