While the distribution of the first Covid-19 vaccines is now underway, it will be some time before enough Americans have been vaccinated that life will resume as normal. In the meantime (and likely even beyond), easy and reliable testing will continue to play a critical role in stopping the spread of the disease, allowing both individuals and authorities to take appropriate measures.
The Food and Drug Administration (FDA) recently authorized the first few at-home rapid Covid-19 tests, which can process results in 30 minutes or less without the need to send a specimen to a lab. Previously, the FDA had granted emergency use authorizations for a number of at-home PCR tests, which require sending a nasal swab or saliva sample to a lab for processing.
Like so much else about the Covid-19 response, how well test providers handle the sensitive health data of their customers will impact Americans’ trust in this tool and thus its usefulness. Federal law does play a role through the Health Insurance Portability and Accountability Act (HIPAA). While this law provides some privacy protections for identifiable health information, there may be gaps in its applicability to at-home test kit providers.
Test providers must therefore take the lead in instituting adequate, transparent privacy safeguards. But they often fail to do so. Some do not even publish a privacy policy online, while others retain data for unspecified amounts of time or share personal information with third-party vendors for targeted advertising.
How Covid-19 at-home test kits work
At-home PCR tests are designed so that nasal or saliva samples can be collected by a customer outside of a medical setting and sent to a laboratory for analysis. Results are provided by phone, email, or app, and the lab is required to report positive test results to public health authorities.
At-home rapid tests do not require sending a sample to a lab. Rather, the tests are designed to analyze samples at home. Among the FDA-authorized at-home rapid test providers are Lucira and Ellume. Lucira’s test requires customers to get a prescription from their doctor, who must report positive test results to public health authorities.
As a condition of the FDA’s authorization, Lucira is required to develop a mobile app or website to further facilitate reporting of results by both healthcare providers and individuals using the test. Ellume’s test will be available over the counter, and results will be automatically reported via Ellume’s smartphone app to relevant public health authorities.
At-home test providers and the laboratories with which they partner can collect personal and health data on their customers through several channels, including through an initial online symptom survey, purchase information, customer interactions with provider websites or apps, and test results. Some companies, including Phosphorus, LetsGetChecked, and Everlywell, also collect data from third-party sites like social media platforms.
Legal protections: HIPAA and FDA authorization
The primary federal legal regime protecting health data in the United States is HIPAA, which sets national standards for the protection of some personal health information. Whether HIPAA applies to an at-home Covid-19 test depends on two factors: whether the test provider is considered a covered entity and whether the information collected falls within the scope of protected health information. Covered entities include health care providers who transmit health information electronically, while protected health information refers to individually identifiable health data.
Some Covid-19 test providers, such as Hims Inc. (the parent company to hims & hers), claim they are not covered by HIPAA, even if the labs with which they partner to process the specimens are. While these providers would likely still be subject to HIPAA restrictions as “business associates” of the labs, not being a covered entity could open the door to their using information in ways customers may not expect or explicitly agree to — for marketing, product development, or other purposes.
Even when providers are covered entities, HIPAA may not impose meaningful safeguards on the full breadth of customer information collected. For example, a customer’s social media information is likely to fall outside the scope of HIPAA’s protections for individually identifiable health information.
To the extent at-home kits are eventually used in ways more akin to a pregnancy test, meaning they are available for customers to purchase off-the-shelf with results never handled by the test provider, the provider would likely fall completely outside the scope of HIPAA protections.
Beyond HIPAA, while a customer may expect the FDA to consider the privacy protections of a test before granting an emergency authorization, data privacy is not listed as one of the criteria considered for authorization, meaning that FDA authorization guarantees little about a provider’s privacy practices.
Since HIPAA may not cover the breadth of data collected by at-home test kit providers and the FDA’s emergency authorization process lists no explicit privacy safeguards, customers generally must also rely on a given testing company’s own policies for privacy protections.
Privacy policies
To maximize privacy protections, test-kit policies should emphasize three main principles: transparency, minimization of data collection and retention, and limitations on data sharing beyond what is necessary to combat the pandemic. Many test providers do not, however, adhere to these principles.
Transparency
At-home test kit providers should be upfront with customers about what data they collect, how it is stored, and with whom it is shared. Most test providers publish their privacy policies online. However, they vary in accessibility, detail, and depth. Pixel by LabCorp, for example, has one of the most transparent online policies, including specific details about the company’s uses and sharing of customer data. Vault does have a privacy policy, but it is unclear whether it applies to testing data or only to customer interactions with its website. At the far end of the spectrum, P23 Labs and Lucira have no privacy policy available online, a critical shortcoming that the companies should rectify immediately.
Minimizing data collection & retention
Policies should minimize data collection and storage to what is necessary to provide health care services. In practice, few do. Some providers, such as LetsGetChecked and Everlywell, specify that they may access the public social media accounts of people who engage with their company’s social media pages. LetsGetChecked states it may link a customer’s personal information with their social media account, which is clearly not necessary to provide a Covid-19 diagnosis. It also creates serious privacy vulnerabilities by allowing the test provider to collect more information about a customer. As Everlywell explicitly states in its privacy policy, this data might include the groups the customer is associated with on social media or a list of friends who did not consent to their names being shared.
The policies of many test providers fail to include specific limitations around data retention and deletion, instead relying on vague, catchall language. For example, the Hims Inc. privacy policy states that the company may use customer data if it “believe[s] in good faith that such use is otherwise necessary or advisable.” Similarly, Everlywell’s policy states that data will be kept for as long as is “reasonably necessary to comply with our business and legal obligations.” Such policies allow companies to use and indefinitely store customer data without transparency or penalty, posing the risk that the data could be compromised or used in ways their customers would not have consented to.
Limiting data sharing beyond public health necessity
Finally, test kit providers should limit data sharing to what is necessary to combat the global pandemic. Covid-19 test results must be reported to state or local health departments, and HIPAA provides for data sharing with law enforcement and researchers in some contexts. Some companies go beyond what is mandated by law, however.
Everlywell, Vitagene, and LetsGetChecked, for example, permit the sharing of personal data with commercial third parties in some contexts. Vitagene’s privacy policy states that it will share personal data “with third parties for their own services and marketing purposes, unless you opt out of this type of sharing,” a process that requires emailing the company or submitting a form that must be accessed separately from the privacy policy.
Unlike LetsGetChecked, many companies also do not publicly disclose what types of data will be shared — for instance, whether it will include someone’s contact information or aspects of their health data. By disclosing customer data to third parties for commercial use, and providing little transparency into what data is shared and with whom, test providers make it more likely that sensitive data could be leaked, used to discriminate, or sold by data brokers without oversight or consent.
Fighting the pandemic effectively
Ultimately, at-home Covid-19 testing remains a valuable option to keep testing rates up, particularly since travel and rates of Covid-19 cases increased during the holidays and drop-in testing can take hours. But at-home test providers are caretakers of sensitive information. To ensure that they are effective and trustworthy guardians, they must publish their privacy policies and appropriately limit collection, sharing, and retention of this data.