Bloomberg Law
Free Newsletter Sign Up
Bloomberg Law
Advanced Search Go
Free Newsletter Sign Up

The Virus Shot Goes in Your Arm, but Where Does Your Data Go?

Sept. 23, 2020, 9:59 AM

Patching together state immunization databases with information held by pharmacies like CVS, Walmart, and Walgreens to track Covid-19 vaccinations opens the door for misusing patient data, lawyers warn.

The Department of Defense is working with states and private companies to allow immunization databases to share data as part of a vaccine distribution plan. The system will allow someone who gets a shot at their local health center in one state to walk into a local pharmacy in a different state and figure out when they need their next dose and which vaccine they should take, according to Department of Defense official Paul Ostrowski, who’s in charge of supply and distribution for a Covid-19 vaccine.

Keeping tabs on which vaccine someone took will help health providers remind people to get their second dose if it’s necessary and make sure they’re getting the right vaccine. However, neither the Department of Health and Human Services nor the Department of Defense has released details about the contracts outlining privacy obligations or how the private companies can use the data.

The Centers for Disease Control and Prevention released more details this week about how the government plans to track side effects of a shot in first responders, who are expected to be the first inoculated. That includes sending daily texts asking about side effects, which will have an opt-out option.

That raises red flags, lawyers and policy consultants say, because without a clear outline of how the data will be protected, companies could use immunization data for commercial purposes and consumers might not be protected equally if there is a data breach.

Patchwork Protections

“Although a very large number of states have strengthened their state breach notification laws and that sort of thing, there really is still a patchwork system in place,” Linda Malek, chair of Moses & Singer’s health-care and privacy practices, said.

States could differ on what data points are protected and when organizations have to disclose there’s been a breach, she said. Certain states, like Texas, have rules around using personal data for marketing, but other states don’t have those sorts of protections for consumers, she said.

Certain health data is protected under the Health Insurance Portability and Accountability Act. Depending on how the vaccine data contracts are worded, the law might not apply to every party utilizing the databases in every instance.

Consequently, if the federal health privacy law doesn’t cover all the data at all times and the contracts don’t include stipulations about how companies can use the data, there’s “absolutely” instances where some consumers’ privacy will be better protected than others, Malek said.

Walgreens will “continue to collaborate with the Administration, CDC and HHS on Covid-19 testing and vaccines,” spokesperson Kelli Teno said. She didn’t share additional details. CVS and Walmart didn’t respond to questions about patient privacy and how they’ll use the combined data.

What Happens After a Breach?

If something were to go wrong—like a data breach—whether the information is protected by the federal health law “really depends on how they set up the system and where the incident occurred,” Dianne Bourque, a health privacy lawyer at Mintz in Boston, said. A health-care provider such as a doctor or pharmacist could enter vaccine information into the database system, she said, but if a breach occurred when the data was in the state government’s hands, the responsibility falls on the government.

“Once it’s out of the hands of the health-care provider, it’s outside HIPAA,” she said.

The law extends to the “business associates” of health-care providers too, but it isn’t clear how that arrangement will work under this coronavirus vaccine system.

“It depends on whether there is a contractual arrangement between pharmacies and states and what each entity’s role is,” Malek said. “So how you structure the business arrangement could drive the legal regulatory ramifications of it.”

If data isn’t covered by HIPAA, it’s less clear how a breach would be handled and who will be notified.

The opaque nature of contracts between the government and private companies to respond to the coronavirus pandemic has been a concern for government watchdogs since the pandemic began. Ostrowski told reporters last week those database contracts would be “releasable to an extent” at “some point in time” but that “not everything will be released.”

Targeted Marketing

A silver lining of including private companies is their desire to protect their reputations, Bourque said. That means health-care providers will be “extraordinarily careful.”

But for former government officials like Lisa Bari, leaning so heavily on private companies during a pandemic is concerning. Bari worked on health IT and data sharing within the Centers for Medicare & Medicaid Services before creating her own health IT consulting firm, Emphasis Health.

“We have a very fragmented health-care system with for-profit entities that serve a public health function that otherwise would be taken care of by the state in other countries,” she said.

One of Bari’s biggest concerns is companies using data for commercial purposes.

“You can create a behavior profile for anything,” she said, referring to a marketing tactic used to tailor advertisements to specific people based on what a company knows about them.

“They may say they would not do it and that’s fine, but for-profit health care enterprises making volunteer attestations that they won’t violate privacy is not as good as not creating that situation in the first place,” Bari said. “Better to not give someone that temptation even if they’re not intending to harm someone’s privacy.”

To contact the reporter on this story: Jacquie Lee in Washington at

To contact the editors responsible for this story: Fawn Johnson at; Andrew Childers at