Now that you have a solid background on key concepts, let's explore the legal and ethical issues raised by contact tracing through a case study. We'll do so by following the journey of Connie Contacter, a contact tracer working with the local public health department. Connie has been assigned to reach out to Patrick Patient, an individual who recently tested positive for SARS-CoV-2. Connie calls Patrick on the phone, but when she begins discussing what he thought was private medical information and asking for additional personal information, she encounters some resistance. Patrick wonders whether this conversation is illegal and violates his right to privacy. To determine whether Connie's conduct is illegal, we have to look at both federal privacy laws and state privacy laws. Let's start with a well known federal health privacy law called HIPAA. There's a lot of confusion about HIPAA. And fears about violating HIPAA can lead to people being afraid to ask for individuals' medical information or being less willing to share their personal medical information with outsiders. But often these fears are based on a missed understanding about what HIPAA does and does not allow. In general, HIPAA restricts the use and disclosure of health information that identifies a patient, unless the patient expressly authorizes the use or disclosure. However, there are some important exceptions to this rule, some of which apply to public health activities. For example, healthcare providers can disclose patient information to public health authorities, like the CDC or state and local health department, when the law authorizes the governmental agency to collect or receive information for the purpose of preventing or controlling disease, injury, or disability. In other words, public health authorities can collect information about a patient if necessary to conduct a public health intervention or investigation. Another HIPAA exception applies when the healthcare provider has a mandatory reporting obligation. For example, this can mean that doctors don't have to get the patient's authorization before disclosing information to a health department about an individual who has an infectious disease as long as the law either requires the report or authorizes the agency to collect this information. So perhaps in Patrick's case, his primary care doctor or a hospital alerted the local health department of Patrick's Coronavirus diagnosis because state law required them to report cases of patients with the disease. Also, it's important to understand that HIPAA does not apply to all situations that involve a patient's medical information. Only so-called covered entities and their business associates are required to comply with HIPAA. So what are covered entities and business associates? Covered entities refer to healthcare providers, health plans, and healthcare clearinghouses such as billing service companies. Business associates are individuals or entities that perform services on behalf of covered entities that involve patient information like accounting firms and hospital consultants. However, local health departments that perform health functions, like disease surveillance, are not healthcare providers, health plans, or healthcare clearinghouses, nor are they business associates of covered entities. Now, some of you may be thinking that many local health departments operate community clinics, so perhaps that should make them a healthcare provider. Well, when a local health department is part health provider and part public health authority, HIPAA gives the local department the option to draw a dividing line between these two functions. If it elects to do so, and most local health departments have made this election, the components of the local health department that provide medical care to patients, such as community clinics, are considered to be healthcare providers and must comply with HIPAA. But the other components of the local health department, so the people who are doing public health surveillance or preventing or controlling diseases or injuries, are not considered covered entities. This means HIPAA does not apply to those components of the local health department that are not involved in treating patients. And this includes the people within the local health department that are doing contact tracing. Similarly, when the contact tracer is a nurse or doctor, HIPAA does not apply to them when they're wearing their public health hat, such as when they're performing public health activities for the local health department. It only applies when they are wearing their healthcare provider hat, like when they're treating patients. In other words, HIPAA does not apply to contact tracers, even if the local health department operates a separate community clinic. And even if the contact tracer is a doctor or nurse or other healthcare professional. And this means that HIPAA does not prevent Connie from asking Patrick for his medical information or other personal information. Now what about state laws? Typically, state laws also do not prevent contact tracers like Connie from collecting personal information about patients with Coronavirus as long as the information is relevant for the contact tracing functions. In Texas for example, state law permits Connie to ask Patrick for personal information, such as where he lives or who he has recently come into contact with. But state laws may vary, and it's important to check out whether your state's law impose restrictions on what information contact tracers can and cannot collect. Ethically however, respecting an individual's privacy and confidentiality means that the contact tracer should only ask for personal information that is relevant to contact tracing. So Connie should not ask Patrick for personal information that is unrelated to her contact tracing activities, such as Patrick's Social Security number. We now have another opportunity to reinforce your understanding of how federal and state privacy laws apply to public health activities like contact tracing. The first will provide information about HIPAA in the context of public health. The second considers similar issues with added attention to Texas law. Using the information we've just reviewed, Connie provides some clarification about Patrick's privacy rights. Patrick understands but still seems reluctant to share his personal and medical information. Using her active listening skills, Connie senses this reluctance. And she asks Patrick if there's any other information she could provide to him to help him feel more comfortable about the process. Patrick says two things are weighing on his mind. First, that the information he provides will be disclosed to other people. Second, that the information he shares will be used against him, and he'll be punished. As we've learned, Connie is not a covered entity or business associate under HIPAA. But that doesn't mean she has no legal or ethical obligation to protect Patrick's information from needless disclosure to others. Legally, Connie's duties are governed by state law. For example, in Texas, information about a known case of certain types of infectious diseases can only be released to specific people identified in Texas statutes, like state and federal agencies, and then only the minimum information necessary to complete the intended purpose. For example, confirmed and suspected cases of serious diseases posing major public health threats, like anthrax and smallpox, must be reported to the state immediately. But that doesn't mean the patient's entire medical record will be shared along with it. The laws governing how and when public health departments must protect Patrick's information vary by state, and in some cases, they may be subject to very few legal restrictions. Ethically, Connie must respect Patrick's privacy and endeavor to keep his information confidential. That means she should only use Patrick's information for the purpose or purposes it was collected, including contact tracing. But perhaps other public health activities, like continued surveillance and required reporting. But sharing with some entities doesn't mean that she can share with all of them. Respecting Patrick's privacy means that, for example, Connie should not gossip with her neighbor about Patrick or disclose Patrick's identity to the media. Patrick is also concerned that the information he shares may be used against him. Perhaps he's worried that he'll be punished for violating local shelter in place or mask orders if he's honest with Connie. Or he's worried that the government will force him to isolate himself. In some states, it is possible to force individuals to comply with public health efforts. For example, in Texas, if an individual refuses to isolate, it is possible to use the courts to enforce an order to do so. Or even to send the individual to a designated facility, sometimes, and under certain circumstances, it is even legal to force treatment. However, just because public health authorities may have this legal authority, ethically it is still preferable that an individual act voluntarily. Public health should always start from the point of cooperation and persuasion with coercion as a last resort. This is important for developing and fostering public trust in government authorities, which is essential to public health efforts. Instead, Connie should encourage Patrick to isolate himself from others until he is no longer contagious. However, if he refuses to do so, it is also okay for Connie to acknowledge that these behaviors may be mandated by the public health department and the courts. We now have an opportunity to reinforce some of these concepts through optional external readings. First, take a look at information about data protection. This issue brief will give a thorough overview of different legal authorities governing the collection, use, and sharing of identifiable information. It's all interesting, but we specifically recommend you focus on section four, which explains the legal authority for information sharing and public health activities. Second, take a look at how Texas handles court-ordered management of an individual with a communicable disease. This explains what can happen if people do not comply voluntarily. Using information about law and ethics to address Patrick's fears, Connie is able to obtain information about Patrick's contacts. It is now time to continue her investigation. Patrick told Connie that he spent a lot of time with his best friend, Peggy, over the last several days. Connie calls Peggy to let her know she has a close contact who tested positive for the novel Coronavirus. Peggy's angry and scared, and she demands to know who put her in danger. As with all issues we've discussed today, there are legal and ethical reasons why Connie cannot and should not identify Patrick. If you'll recall from our review of law and ethics, whether Connie can identify Patrick, and whether she should identify him, require different frameworks. However, in this case, the conclusion is the same. Connie should not identify Patrick. In some cases, a state law or local health department protocol may specifically prevent Connie from identifying Patrick. Ethically, a contact tracer should not identify a known case. It is possible that Peggy will be able to figure out Patrick's identity through context clues. For example, maybe Patrick is the only person Peggy has seen in two weeks. However, Connie should not confirm Peggy's suspicions. As we have discussed, protecting Patrick's privacy is important to protect individuals like Patrick from embarrassment, discrimination, and stigma. If people believe contact tracers will identify them to contacts, it will undermine their trust in the process and reduce their willingness to participate in public health control measures. We now have a final opportunity to reinforce these concepts. As we've noted before, protecting privacy is a key element of developing and fostering trust. Trust is a crucial component of successful public health initiatives. Because individuals who trust the government are more likely to comply with disease control measures. If you want to learn more, please read this blog post about a study conducted in Liberia and perhaps the full study, if you're interested. While you read, consider what makes a person or an institution trustworthy. We've covered a lot of information in this module, but it only scratches the surface of the complex legal and ethical issues in contact tracing. For example, you may have read about the use of smartphone applications to augment human contact tracing efforts. This has been successfully implemented in some countries but faces considerable push back in the United States. In some ways, apps could help alleviate some of the challenges with SARS-CoV-2 contact tracing, like identifying strangers who may have been exposed to the known case but for whom the case has no way of knowing their identity. However, it cannot fully replace the human aspect of contact tracing, like the ability to provide education, information, and support to help people who may have been exposed. And then recommend the steps they should take to help stop the spread of disease. As many of these activities rely on the trusting relationships built during person to person interaction. If you'd like to learn more about some of the proposed ideas, please follow this link. You may also have heard about employers developing disease tracking initiatives as a condition for employees returning to work. This raises interesting legal and ethical questions that are also beyond the scope of this presentation. If you would like to learn more, please follow the link to an issue brief. Thank you for joining us. We hope you've enjoyed this brief introduction to the ethical, legal, and regulatory issues in contact tracing.
