What the pandemic has taught businesses about health information collection

As businesses, government agencies and nonprofits reopen and employees return to the office, many pandemic safety measures are being modified. If your company has checked the vaccine status of employees or customers or collected other coronavirus-related information, have you considered what to do with that data now? Businesses that maintain this information or develop apps or other products to facilitate its collection can send an important message to others planning to enter the emerging health app market: Sensitive health information should carry a “Warning: Handle with caution” label.

Is your business developing a vaccine verification app?
Some vaccine verification “passport” apps store a digital copy of a person’s vaccination card. Others provide users with digital records to save in other apps or mobile wallets. In addition to a person’s vaccine status and possible test results, some apps collect other information to verify the person’s identity, such as name, date of birth, zip code, email address and phone number. Some apps will even tap into state or pharmacy vaccination records. Once authenticated, apps can save the data on the phone, other apps can access the data from the cloud, and some can create digital credentials (usually QR codes) that other apps can scan. If your company creates a vaccine verification application, or you are developing other health-related applications, here are some key considerations.

• Make accurate statements. Clearly explain how people’s information will be used and shared, and then deliver on those promises. If your company deploys applications to read credentials for storefronts, make sure those businesses understand your practices and the limitations on how they can use the data you share.
• Keep your app updated and your customers informed. If your application needs to be updated to prevent new security vulnerabilities, please follow and do so. If customers need to update their profile information to continue using your app, communicate this clearly.
• Review and update your privacy statement. Companies are creating applications that may evolve over time to share new or different information, particularly related to public health developments. If your privacy statement does not keep up with changes in data practices, consumers may be misled.
• Minimize the amount of data shared. When verifying a consumer’s vaccination status, it may be sufficient to communicate that status to another entity without sharing the person’s name, date of birth, email address, vaccine type, etc. The same principle applies to other health-related apps.
• Protect the information you use for verification. If your application transmits sensitive data to verify a person’s status, use transmission encryption. People who use these apps (or other health apps) often rely on open Wi-Fi access points in coffee shops, airports, and other places where data can be easily intercepted by information thieves. If your app stores information on your phone, consider protecting or hiding the data. This helps protect users in the event of viruses (digital viruses), malware, or lost devices.
• Apply lessons from the pandemic when developing new health-related apps. Health apps are here to stay. But before your company brings a new product to market, train your team to prioritize secure development best practices. If you start with security – and keep it top of mind when designing, developing and testing – you can reduce the risk of launching a product with fatal flaws. Another great resource: NIST’s Secure Software Development Framework (SSDF). Before your product goes live, verify that it works as advertised and that security measures are effective. One step you can’t skip: Test your product to make sure it’s not vulnerable to common security vulnerabilities.
• If you are processing health data or children’s data, please understand the applicable standards and regulations. When it comes to health information and children’s information, other legal requirements may apply. Seek guidance on the Children’s Online Privacy Protection Act and COPPA Rule, the Health Insurance Portability and Accountability Act (HIPAA), the Health Breach Notification Rule, and other related laws.

Does your business, nonprofit or other group check on people’s vaccine status?
If your company is verifying the vaccine status of employees, customers or others (whether by using an app, checking a vaccine card in person, getting a scan of the card via email, etc.), here are some suggestions to keep in mind. As new health apps enter the market, these principles will remain relevant.

• Think about your goals. When checking the status of a customer or employee, are you doing so to ensure they have been vaccinated, or do you need more information to comply with legal obligations or possibly conduct contact tracing? Identifying your goals can be an important step in figuring out how best to achieve them.
• When checking someone’s vaccination status, less is usually more. Consider whether you can confirm someone has been vaccinated simply by looking at their vaccination card or digital certificate. If you don’t need more detailed information, don’t ask, and don’t collect it.You don’t have to protect data you never own
• Study the market. If you decide to use an app or other technology to assist in checking vaccination status or perform other health-related functions, please take extra care when choosing a service provider. Research the company, learn more about its software, and ask questions about its privacy. and data security practices. What information will they share with you? What information will the application collect from you, your customers, or your employees? Are the statements you make to others consistent with your service provider’s practices?
• Provide a safe environment. If you do use technology to collect personal information, do you have a secure network over which to transmit the information? If you must maintain information, can you store it securely?
• If you need to retain information about someone’s vaccine status, consider how long you need to retain that information. Once you no longer have a legitimate need for someone’s vaccine status or other health-related information, dispose of it safely.
• Use the opportunity to return to an on-site workplace or transition to a more permanent remote office to take inventory of the materials you collect and retain. If you don’t need the consumer’s date of birth on an ongoing basis to verify their status, don’t store it. Or, if you’re using an app in your store to verify a customer’s vaccination status, carefully consider how long the data associated with any one customer visit needs to be stored. But don’t stop there. Look beyond COVID-19 and reexamine your information collection and retention practices. Why collect or retain unnecessary data?