States push back on Trump admin's request for COVID-19 vaccine patient data
Some state governments have resisted requests from the U.S. Centers for Disease Control and Prevention to sign data use agreements that would share information about individuals who had received the COVID-19 vaccine.
Leaders from several states raised privacy concerns about the idea, with The New York Times reporting that New York Gov. Andrew Cuomo worried that such a practice would dissuade undocumented people from getting inoculated. Minnesota officials, meanwhile, said they planned to submit de-identified data on a daily basis once the vaccine campaigns began. Colorado leaders also said the state planned to strip personally identifiable information from data before submission.
Trump administration officials said this week that the data was necessary to generate a comprehensive picture of the COVID-19 national uptake, as well as aiding individuals who may get one dose of the vaccine and then travel across state lines before getting the second.
WHY IT MATTERS
The U.S. Department of Health and Human Services partnered with data-mining firm Palantir earlier this fall to develop a system to track the manufacture, distribution and administration of the COVID-19 vaccine.
That platform, known as Tiberius, will integrate information related to manufacturing, supply chain, delivery and administration of the vaccine, among other data.
"HHS and CDC, working with partners, have developed a technical architecture to facilitate the transmission of jurisdictional vaccine administration data from various sources to CDC, and then to HHS’s Tiberius analytic platform, to generate a comprehensive picture of COVID-19 vaccine uptake nationally," said the Data Use and Sharing Agreement some states are resisting.
The federal government has maintained that "no personally identifiable or personal health information is contained in the Tiberius system." Deacon Maddox, who runs Operation Warp Speed's data and analysis system, said the "only number" being asked for is date of birth (rather than Social Security number or driver's license number).
Still, the New York Times reported, the administration is requiring states to submit personal information – including names, birth dates, ethnicities and addresses – of those who had obtained the COVID-19 vaccine.
The DUA says that the "record-level, identifiable" dataset, which will reside in a cloud-hosted data repository known as Data Clearinghouse and will contain identifiable elements, is being requested to verify second-dose vaccination, to assess vaccine safety and to allow for vaccine effectiveness monitoring.
The DUA also notes that the Clearinghouse can be used by local jurisdictions or healthcare providers to enable appropriate administration and dosing for those receiving vaccines.
The "record-level redacted dataset," which does not include 16 of the 18 HIPAA identifiers, is a condensed version of the identifiable dataset and will reside in the cloud-hosted data repository known as the Immunization (IZ) Data Lake. These data will also be used to monitor vaccine uptake.
"CDC and HHS will not be authorized to view identifiable portions of PHI stored in the DCH, but redacted PHI will be transferred to the IZ Data Lake. This information will be used to track and report progress of COVID-19 vaccine administration over time," read the DUA.
HHS and CDC representatives did not respond to requests for comment about who is responsible for ensuring those agencies would not have access to the DCH.
Regarding data security, HHS and CDC pledged to store and transfer data with best practices for confidentiality and "to establish appropriate administrative, technical, and physical safeguards to prevent unauthorized access to the Covered Data."
Should there be a data breach, a CDC representative will contact the jurisdiction within one hour with regard to personally identifiable or protected health information, and 24 hours for non-PII or non-PHI, to provide the response plan.
THE LARGER TREND
The specifics around vaccine distribution have remained somewhat murky, even as the FDA prepares to issue a probable Emergency Use Authorization.
"It's not tomorrow's problem, but it's not next year's either," said Chris Hale, CEO and cofounder of the global procurement company Kountable, regarding the supply chain process.
And when it comes to cybersecurity around that process, experts have also raised concerns.
"Clearly all that information [about patient distribution] is going to be recorded," said Nigel Thorpe, technical director at the enterprise security firm SecureAge. "That data is going to be stored somewhere. And any piece of data, no matter how inconsequential it might be, is a useful thing for a cybercriminal."
ON THE RECORD
"Since data may only be used in furtherance of the public health COVID-19 response, data about individual vaccine recipients may not be used to market commercial services to individual patients or nonpatients, to assist in bill collection services, or for any civil or criminal prosecution or enforcement, including, but not limited to, immigration enforcement, against such individuals whose information is shared pursuant to this DUA," reads the DUA.