Bloomberg Law
March 3, 2021, 10:01 AM

Tracking the Vaccinated by Name, Race Challenges Privacy Laws

Jake Holland
Jake Holland
Jacquie Lee
Jacquie Lee
Porter Wells
Porter Wells

The federal government’s unprecedented collection of personal information to track Americans getting the Covid-19 vaccine is raising privacy concerns and forcing states to balance the rights of citizens with the nation’s battle to stem the deadly pandemic.

Public health officials say they need the data to track where vaccinations are occurring and which communities are lagging. But sharing private information—including name, date of birth, gender, race and ethnicity, and home address of anyone inoculated—has encountered some pushback.

“Most people recognize the importance of sharing data, even if it’s at the expense of privacy, when necessary to keep people safe and healthy in the pandemic,” said Dianne Bourque, a health privacy lawyer at Mintz in Boston. “The balance shifts, however, when the connection between data sharing and public safety is unclear.”

The American Medical Association and two other health-care advocacy groups on Tuesday urged providers to ramp up efforts to collect race and ethnicity data, saying that information was missing in nearly half of the early vaccination records sent to the Centers for Disease Control and Prevention.

The race and ethnicity information would allow public health agencies “to equitably allocate resources across all communities, evaluate health outcomes and improve quality of care and delivery of public health services,” the AMA said.

But some immigration groups worry that the collected information could be used beyond the public health crisis for deportation purposes.

Early research indicates White Americans are getting vaccinated at higher rates than non-White Americans, who are more likely to get Covid-19 and to die from it.

More than 76 million vaccine doses have been administered in the U.S., and more Americans have now received at least one dose than have tested positive for the virus, according to the Bloomberg vaccine tracker.

Public Health Versus Privacy

The CDC says it needs personally identifiable data to monitor vaccine uptake and allow health-care providers to verify the proper administration of doses.

Health information from states—including which vaccine was administered and where it was given—populates several CDC datasets used to track and coordinate vaccinations. Much of the data is stripped of personal identifiers pursuant to federal privacy laws.

The federal Health Insurance Portability and Accountability Act provides Americans with privacy protections to ensure that health data stays confidential. But HIPAA, as well as state-level medical records laws, have carve-outs for public health entities—allowing them in many instances to share data without explicit patient permission.

Still, in some states people can choose to opt out of having their information shared, or otherwise restrict such access.

How It Works

States have signed data use and sharing agreements with the CDC to outline how information will be accessed, displayed, or shared.

The CDC’s Covid-19 Data Clearinghouse receives patient data from local jurisdictions and shields identifiable patient information before sending it on to other databases.

Only authorized users have access to the data maintained on the system, which is hosted on an Oracle cloud infrastructure, according to the data use agreement. The system will be independently audited to ensure compliance with HIPAA’s security, breach notification, and privacy rules, the agreement states.

Collection efforts also must comply with the Privacy Act of 1974 and the Freedom of Information Act, which lets agencies refuse to share information that would constitute an unwarranted invasion of personal privacy.

And the CDC is assembling “response teams” to address any unauthorized access or disclosure, which would include notifying and working with the reporting jurisdiction, according to the agreement.

Privacy in Mind

Privacy attorneys say the system is legally solid, but acknowledge that the risk of a breach is still present.

“There’s enough history to show that no entity, even the most secure, is immune from a cyberattack,” said Marcus Christian, a partner in Mayer Brown LLP’s cybersecurity and data privacy practice in Washington.

“But receiving the vaccine, and having that information sent to these national databases, isn’t going to materially increase the risk of identity theft,” he said. “There are so many other places personally identifiable information can be found, like on your employers’ systems, or on a state agency’s system.”

However, a separate federal effort to collect Covid-19 infection data has spurred at least one lawsuit from immigration and social justice groups.

“The government and private companies are collecting, storing, and accessing personal health information at a massive scale,” the groups said in a February complaint. “Multiple studies have shown that industry standards for deidentified data (e.g., sharing so-called “aggregated” mobile location data) fail to preserve anonymity and can still lead to privacy breaches.”

‘Fear Is Understandable’

Unrestricted data sharing between agencies “could seriously chill immigrant communities from participating in the Covid-19 vaccination program and seeking medical treatment,” said Julie Mao, deputy director of Just Futures Law, an immigrant rights legal group and co-plaintiff in the case.

“This fear is understandable as residential addresses and other biographical information can be used by Immigration and Customs Enforcement to locate, arrest, and deport immigrants, and HHS has a history of sharing personal data with ICE for deportation purposes,“ she said.

The HHS didn’t respond to a request for comment on those allegations.

Recent cyberattacks affecting the Washington State Auditor’s Office, a local water treatment plant in Florida, and a pair of French hospitals have only driven home the urgency for robust, aggressive cybersecurity measures.

But the federal government appears to be approaching this project in “a very smart way to make sure the privacy implications are very slight,” said Kirk Nahra, a Wilmer Cutler Pickering Hale & Dorr LLP partner in Washington who co-chairs the firm’s big data and cybersecurity and privacy practices. “Now, if someone is able to break in and change the numbers, that’s a different problem.”

State Law Patchwork

Many states have their own public dashboards showing doses administered and how much vaccine has been shipped to their state. Some states, like Michigan, report even more detailed data, including how many doses of each vaccine has been administered, and administration records by age groups or sex.

State laws generally prevent health-care providers from disclosing personal information without an individual’s consent, but most carve out exceptions for information sharing among medical entities for public health purposes.

Still, several states cited their privacy laws in seeking and receiving alternative options to submit redacted data to the CDC, according to the agency.

California, the nation’s most populous state, negotiated with the federal government to limit the data sharing to “only information that will not allow an individual to be identified,” according to a spokesperson at the state’s public health department.

And the CDC specifically agreed that New York “will not send individual data identifying a person in a way that could be used to document citizenship,” Gov. Andrew Cuomo (D) said in December.

Ultimately, the historic nature of the pandemic and the need to control it underscores the importance of data sharing despite some privacy concerns, said Shannon Hartsfield, a health attorney at Holland & Knight LLP in Tallahassee, Fla.

“If providers can’t provide information for public health purposes, it would be very difficult to get ahead of the next pandemic,” she said. “There are ways to share key data points that allow authorities to work to protect public health while still protecting privacy.”

To contact the reporters on this story: Jake Holland in Washington at; Jacquie Lee in Washington at; Porter Wells in Washington at

To contact the editors responsible for this story: Alexis Kramer at; Kibkabe Araya at; Gregory Henderson at