While the distribution of the first Covid-19 vaccines is now underway, it will be some time before enough Americans have been vaccinated that life will resume as normal. In the meantime (and likely even beyond), easy and reliable testing will continue to play a critical role in stopping the spread of the disease, allowing both individuals and authorities to take appropriate measures.
The Food and Drug Administration (FDA) recently authorized the first few at-home rapid Covid-19 tests, which can process results in 30 minutes or less without the need to send a specimen to a lab. Previously, the FDA had granted emergency use authorizations for a number of at-home PCR tests, which require sending a nasal swab or saliva sample to a lab for processing.
Like so much else about the Covid-19 response, how well test providers handle the sensitive health data of their customers will impact Americans’ trust in this tool and thus its usefulness. Federal law does play a role through the Health Insurance Portability and Accountability Act (HIPAA). While this law provides some privacy protections for identifiable health information, there may be gaps in its applicability to at-home test kit providers.
How Covid-19 at-home test kits work
At-home PCR tests are designed so that nasal or saliva samples can be collected by a customer outside of a medical setting and sent to a laboratory for analysis. Results are provided by phone, email, or app, and the lab is required to report positive test results to public health authorities.
At-home rapid tests do not require sending a sample to a lab. Rather, the tests are designed to analyze samples at home. Among the FDA-authorized at-home rapid test providers are Lucira and Ellume. Lucira’s test requires customers to get a prescription from their doctor, who must report positive test results to public health authorities.
As a condition of the FDA’s authorization, Lucira is required to develop a mobile app or website to further facilitate reporting of results by both healthcare providers and individuals using the test. Ellume’s test will be available over the counter, and results will be automatically reported via Ellume’s smartphone app to relevant public health authorities.
At-home test providers and the laboratories with which they partner can collect personal and health data on their customers through several channels, including through an initial online symptom survey, purchase information, customer interactions with provider websites or apps, and test results. Some companies, including Phosphorus, LetsGetChecked, and Everlywell, also collect data from third-party sites like social media platforms.
Legal protections: HIPAA and FDA authorization
The primary federal legal regime protecting health data in the United States is HIPAA, which sets national standards for the protection of some personal health information. Whether HIPAA applies to an at-home Covid-19 test depends on two factors: whether the test provider is considered a covered entity and whether the information collected falls within the scope of protected health information. Covered entities include health care providers who transmit health information electronically, while protected health information refers to individually identifiable health data.
Some Covid-19 test providers, such as Hims Inc. (the parent company to hims & hers), claim they are not covered by HIPAA, even if the labs with which they partner to process the specimens are. While these providers would likely still be subject to HIPAA restrictions as “business associates” of the labs, not being a covered entity could open the door to their using information in ways customers may not expect or explicitly agree to — for marketing, product development, or other purposes.
Even when providers are covered entities, HIPAA may not impose meaningful safeguards on the full breadth of customer information collected. For example, a customer’s social media information is likely to fall outside the scope of HIPAA’s protections for individually identifiable health information.
To the extent at-home kits are eventually used in ways more akin to a pregnancy test, meaning they are available for customers to purchase off-the-shelf with results never handled by the test provider, the provider would likely fall completely outside the scope of HIPAA protections.
Beyond HIPAA, while a customer may expect the FDA to consider the privacy protections of a test before granting an emergency authorization, data privacy is not listed as one of the criteria considered for authorization, meaning that FDA authorization guarantees little about a provider’s privacy practices.
Since HIPAA may not cover the breadth of data collected by at-home test kit providers and the FDA’s emergency authorization process lists no explicit privacy safeguards, customers generally must also rely on a given testing company’s own policies for privacy protections.
To maximize privacy protections, test-kit policies should emphasize three main principles: transparency, minimization of data collection and retention, and limitations on data sharing beyond what is necessary to combat the pandemic. Many test providers do not, however, adhere to these principles.
Minimizing data collection & retention
Limiting data sharing beyond public health necessity
Finally, test kit providers should limit data sharing to what is necessary to combat the global pandemic. Covid-19 test results must be reported to state or local health departments, and HIPAA provides for data sharing with law enforcement and researchers in some contexts. Some companies go beyond what is mandated by law, however.
Unlike LetsGetChecked, many companies also do not publicly disclose what types of data will be shared — for instance, whether it will include someone’s contact information or aspects of their health data. By disclosing customer data to third parties for commercial use, and providing little transparency into what data is shared and with whom, test providers make it more likely that sensitive data could be leaked, used to discriminate, or sold by data brokers without oversight or consent.
Fighting the pandemic effectively
Ultimately, at-home Covid-19 testing remains a valuable option to keep testing rates up, particularly since travel and rates of Covid-19 cases increased during the holidays and drop-in testing can take hours. But at-home test providers are caretakers of sensitive information. To ensure that they are effective and trustworthy guardians, they must publish their privacy policies and appropriately limit collection, sharing, and retention of this data.