
Evaluating the Privacy of Covid-19 At-Home Tests

The tests are essential for fighting the pandemic, but poor privacy policies could discourage some people from using them.

While the distribution of the first Covid-19 vaccines is now underway, it will be some time before enough Americans have been vaccinated that life will resume as normal. In the meantime (and likely even beyond), easy and reliable testing will continue to play a critical role in stopping the spread of the disease, allowing both individuals and authorities to take appropriate measures.

The Food and Drug Administration (FDA) recently authorized the first few at-home rapid Covid-19 tests, which can process results in 30 minutes or less without the need to send a specimen to a lab. Previously, the FDA had granted emergency use authorizations for a number of at-home PCR tests, which require sending a nasal swab or saliva sample to a lab for processing.

Like so much else about the Covid-19 response, how well test providers handle the sensitive health data of their customers will impact Americans’ trust in this tool and thus its usefulness. Federal law does play a role through the Health Insurance Portability and Accountability Act (HIPAA). While this law provides some privacy protections for identifiable health information, there may be gaps in its applicability to at-home test kit providers.

Test providers must therefore take the lead in instituting adequate, transparent privacy safeguards. But they often fail to do so. Some do not even publish a privacy policy online, while others retain data for unspecified amounts of time or share personal information with third-party vendors for targeted advertising.

How Covid-19 at-home test kits work

At-home PCR tests are designed so that nasal or saliva samples can be collected by a customer outside of a medical setting and sent to a laboratory for analysis. Results are provided by phone, email, or app, and the lab is required to report positive test results to public health authorities.

At-home rapid tests do not require sending a sample to a lab. Rather, the tests are designed to analyze samples at home. Among the FDA-authorized at-home rapid test providers are Lucira and Ellume. Lucira’s test requires customers to get a prescription from their doctor, who must report positive test results to public health authorities.

As a condition of the FDA’s authorization, Lucira is required to develop a mobile app or website to further facilitate reporting of results by both healthcare providers and individuals using the test. Ellume’s test will be available over the counter, and results will be automatically reported via Ellume’s smartphone app to relevant public health authorities.

At-home test providers and the laboratories with which they partner can collect personal and health data on their customers through several channels, including through an initial online symptom survey, purchase information, customer interactions with provider websites or apps, and test results. Some companies, including Phosphorus, LetsGetChecked, and Everlywell, also collect data from third-party sites like social media platforms.

Legal protections: HIPAA and FDA authorization

The primary federal legal regime protecting health data in the United States is HIPAA, which sets national standards for the protection of some personal health information. Whether HIPAA applies to an at-home Covid-19 test depends on two factors: whether the test provider is considered a covered entity and whether the information collected falls within the scope of protected health information. Covered entities include health care providers who transmit health information electronically, while protected health information refers to individually identifiable health data.

Some Covid-19 test providers, such as Hims Inc. (the parent company to hims & hers), claim they are not covered by HIPAA, even if the labs with which they partner to process the specimens are. While these providers would likely still be subject to HIPAA restrictions as “business associates” of the labs, not being a covered entity could open the door to their using information in ways customers may not expect or explicitly agree to — for marketing, product development, or other purposes.

Even when providers are covered entities, HIPAA may not impose meaningful safeguards on the full breadth of customer information collected. For example, a customer’s social media information is likely to fall outside the scope of HIPAA’s protections for individually identifiable health information.

To the extent at-home kits are eventually used in ways more akin to a pregnancy test, meaning they are available for customers to purchase off the shelf with results never handled by the test provider, the provider would likely fall completely outside the scope of HIPAA protections.

Beyond HIPAA, while a customer may expect the FDA to consider the privacy protections of a test before granting an emergency authorization, data privacy is not listed as one of the criteria considered for authorization, meaning that FDA authorization guarantees little about a provider’s privacy practices.

Since HIPAA may not cover the breadth of data collected by at-home test kit providers and the FDA’s emergency authorization process lists no explicit privacy safeguards, customers generally must also rely on a given testing company’s own policies for privacy protections.

Privacy policies

To maximize privacy protections, test-kit policies should emphasize three main principles: transparency, minimization of data collection and retention, and limitations on data sharing beyond what is necessary to combat the pandemic. Many test providers do not, however, adhere to these principles.

Transparency

At-home test kit providers should be upfront with customers about what data they collect, how it is stored, and with whom it is shared. Most test providers publish their privacy policies online. However, they vary in accessibility, detail, and depth. Pixel by LabCorp, for example, has one of the most transparent online policies, including specific details about the company’s uses and sharing of customer data. Vault does have a privacy policy, but it is unclear whether it applies to testing data or only to customer interactions with its website. At the far end of the spectrum, P23 Labs and Lucira have no privacy policy available online, a critical shortcoming that the companies should rectify immediately.

Minimizing data collection & retention

Policies should minimize data collection and storage to what is necessary to provide health care services. In practice, few do. Some providers, such as LetsGetChecked and Everlywell, specify that they may access the public social media accounts of people who engage with their company’s social media pages. LetsGetChecked states it may link a customer’s personal information with their social media account, which is clearly not necessary to provide a Covid-19 diagnosis. It also creates serious privacy vulnerabilities by allowing the test provider to collect more information about a customer. As Everlywell explicitly states in its privacy policy, this data might include the groups the customer is associated with on social media or a list of friends who did not consent to their names being shared.

The policies of many test providers fail to include specific limitations around data retention and deletion, instead relying on vague, catchall language. For example, the Hims Inc. privacy policy states that the company may use customer data if it “believe[s] in good faith that such use is otherwise necessary or advisable.” Similarly, Everlywell’s policy states that data will be kept for as long as is “reasonably necessary to comply with our business and legal obligations.” Such policies allow companies to use and indefinitely store customer data without transparency or penalty, posing the risk that the data could be compromised or used in ways their customers would not have consented to.

Limiting data sharing beyond public health necessity

Finally, test kit providers should limit data sharing to what is necessary to combat the global pandemic. Covid-19 test results must be reported to state or local health departments, and HIPAA provides for data sharing with law enforcement and researchers in some contexts. Some companies go beyond what is mandated by law, however.

Everlywell, Vitagene, and LetsGetChecked, for example, permit the sharing of personal data with commercial third parties in some contexts. Vitagene’s privacy policy states that it will share personal data “with third parties for their own services and marketing purposes, unless you opt out of this type of sharing,” a process that requires emailing the company or submitting a form that must be accessed separately from the privacy policy.

Unlike LetsGetChecked, many companies also do not publicly disclose what types of data will be shared — for instance, whether it will include someone’s contact information or aspects of their health data. By disclosing customer data to third parties for commercial use, and providing little transparency into what data is shared and with whom, test providers make it more likely that sensitive data could be leaked, used to discriminate, or sold by data brokers without oversight or consent.

Fighting the pandemic effectively

Ultimately, at-home Covid-19 testing remains a valuable option to keep testing rates up, particularly since travel and rates of Covid-19 cases increased during the holidays and drop-in testing can take hours. But at-home test providers are caretakers of sensitive information. To ensure that they are effective and trustworthy guardians, they must publish their privacy policies and appropriately limit collection, sharing, and retention of this data.