July 01, 2020

Warren Leads Colleagues Demanding Answers From HHS About the Department's Handling of the Personal Health Information of Millions of Americans

Lawmakers Urge HHS to Ensure its COVID-19 Response Efforts Comply with Recommended Privacy Principles

Text of Letter (PDF)

Washington, DC - United States Senators Elizabeth Warren (D-Mass.) and Richard Blumenthal (D-Conn.), along with Representatives Carolyn B. Maloney (D-N.Y.), Andy Levin (D-Mich.), and Anna G. Eshoo (D-Calif.), led their colleagues in a letter to the U.S. Department of Health and Human Services (HHS), following reports that HHS plans to add Americans' personal health information (PHI) to its COVID-19 data platform, HHS Protect. In the letter, the lawmakers requested additional details on the opaque HHS Protect project. The lawmakers also urged HHS to follow key privacy principles laid out in their recently-introduced legislation, including that the data should not be used for purposes unrelated to public health.

In April, HHS awarded two contracts, worth a total of nearly $25 million, to Palantir Technologies, Inc., ("Palantir") for a massive COVID-19 data platform. The platform, called HHS Protect, "pulls data from across the federal government, state and local governments, healthcare facilities, and colleges, to help administration officials determine how to 'mitigate and prevent spread' of the coronavirus." HHS Protect reportedly houses 187 different datasets, including COVID-19 case counts, hospital capacity, and supply chain, census, testing, and emergency department data. 

HHS reportedly plans to gather the public's sensitive health information, as part of HHS Protect. 

"The inclusion of [Protected Health Information] (PHI) in this database raises serious privacy concerns," the lawmakers wrote. "Neither HHS nor Palantir has publicly detailed what it plans to do with this PHI, or what privacy safeguards have been put in place, if any. We are concerned that, without any safeguards, data in HHS Protect could be used by other federal agencies in unexpected, unregulated, and potentially harmful ways, such as in the law and immigration enforcement context." 

The lawmakers laid out in the letter a set of COVID-19 privacy principles, drawing from provisions in recent legislation that each lawmaker has either introduced or co-sponsored:

  • Data should be minimized, anonymized, and redacted.
  • Data should only be collected, used, or disclosed to the extent that it serves a public health purpose.
  • Data should not be shared within the federal government except for certain public health agencies.
  • Agencies should adopt safeguards to prevent unlawful discrimination on the basis of collected data.
  • Any public reports of data should protect the privacy of individuals.
  • Data should be deleted after the conclusion of the COVID-19 public health emergency.
  • Tribal data sovereignty must be respected.

To ensure that the public can trust that the federal government will not misuse COVID-19 related data, the lawmakers asked HHS to ensure and verify that all COVID-19-related initiatives-including HHS Protect-comply with their COVID-19 privacy principles. The lawmakers asked HHS to respond to their inquiry by no later than July 15, 2020.

Senators Michael Bennet (D-Colo.), Edward J. Markey (D-Mass.), Jeff Merkley (D-Ore.), Tina Smith (D-Minn.), and Representatives Raúl M. Grijalva (D-Ariz.), Mark Pocan (D-Wis.), Katie Porter (D-Calif.), Jamie Raskin (D-Md.), Suzan K. DelBene (D-Wash.), Brenda L. Lawrence (D-Mich.), and Jerry McNerney (D-Calif.) also signed the letter.

The letter is part of Senator Warren's ongoing efforts to protect Americans' privacy during the pandemic. Senator Warren has introduced the Coronavirus Containment Corps Act and cosponsored the Public Health Emergency Privacy Act, both of which put safeguards around sensitive information that might be collected during contact-tracing.