When libraries become medical screeners: User health data and library privacy

Choose Privacy Week

By: Becky Yoose

What will your public library do when you reopen your doors? Some libraries are exploring phased reopening, starting with curbside or no-contact service outside the physical building. Others are investigating what reopening the physical building to library users will look like in terms of social distancing, increased cleaning and sanitation, and limiting the number of users in the building at one time.

One library went one step further, though. Last week, The Seattle Public Library reopened five branches to provide restrooms for those who otherwise would not have regular access to clean restrooms. In a statement about the reopening, the City of Seattle’s Office of the Mayor listed the precautions library staff are taking to protect staff and library users:

To help prevent further spread of COVID-19, Library branches will employ social distancing protocols, ask patrons to complete a brief COVID-19 health screener prior to entering the building, and will limit the number of individuals permitted in the building for restroom use at a time. [emphasis mine]

While health screenings are used in other areas, such as employees returning to work, its use in a library to determine which library users can access the building brings up questions regarding user health data in the library and what libraries must think about when considering going down this path.

HIPPA, User Health Data, and Libraries

The Health Insurance Portability and Accountability Act (HIPAA) governs the handling and processing of protected health information (PHI) in the United States. HIPAA’s scope includes “covered entities” – hospitals, health insurers, health care clearinghouses – as well as “business associates” – any person or organization that works with PHI on behalf of covered entities. HIPAA’s Privacy Rule and Security Rule, along with HITECH, require covered entities and business associates to follow strict rules and procedures to protect patient PHI, including information security and data privacy safeguards.

HIPAA’s scope does not extend to the majority of libraries unless the library in question is part of a covered entity or business associate, such as a hospital library. Traditionally, the extent of medical data collected by libraries comes in the way of the user’s activity in the library, such as using health resources and attending programs about particular health topics. In addition, libraries might also retain some health-related information through certain ADA accommodations for library users. This information, while not covered under HIPAA, should be given additional protection from potential improper use or access by staff or by the public.

User Health Data Risks and Considerations

Collecting health data from all library users brings considerable risk to both the library and its users. The risks are not just around a data breach or leak, but also about equable service to all library users. Starting a library user health screening process by library staff, like the one at SPL, needs to ensure that the screening process does not target one part of the library user population more than the rest through inconsistent screening across all users.The deployment of such health screenings brings up a number of library user data privacy risks that go beyond the risks already present in the library. Using the library data lifecycle, here are some questions for libraries collecting user health data through screeners:

  • Collection
    • What user data is being collected on the screener form? Are you collecting data about a user, such as their name or library barcode? If so, what is the current business need to collect that data? Are you collecting any other data that can tie the screener data back to the user? For example, the combination of date/time, branch location, and security camera footage can connect a real-world individual to the health data, even if you don’t collect any other identifying information about the library user.
  • Storage
    • Where are you storing the screener forms? Are you entering the data from paper forms into a database or another electronic application or document? Where are the databases, documents, or applications located – local server, cloud-hosted service, shared network drive?
  • Access
    • Who has access to the data in your library? Is this access secured through secured physical storage or through user account permission levels? What access do vendor staff have to the user health data on a third-party system? What access do the vendor’s subcontractors have to that data in the system?
  • Reporting
    • What are your state and local regulations surrounding law enforcement requests for library user data? What are the regulations surrounding public disclosure requests for library user data? Do the definitions of library user data in those regulations cover all library user data, or do they only cover a specific subset of library user data?
  • Retention and Deletion
    • How long are you keeping the completed screener forms? How are you disposing the paper forms? How are you deleting the electronic library user health data?

Another consideration on top of what we already covered is the liability of a data breach if that information includes library user health data. How will your library communicate to its users that the data breach could have included health data collected by the screeners? How would your library prepare for the possible legal and reputational consequences of such a breach?

Overall, libraries deploying health screener forms to library users adds considerable risk to both libraries and users in terms of privacy, equable service, and liability. Many libraries are not bound to HIPAA regulations in protecting user data which means data privacy and security varies widely, dependent on library resources and legal regulations specific to their location. As of now many libraries are not in a position to ramp up their data security and privacy protections given limited time and resources that were spent on setting up a (hopefully secure) way for library workers to work from home as well as offer remote services to library users.

The best way to protect library user health data is to leave the health screenings to medical professionals where the data would be protected by the established strict privacy and security protocols of HIPAA.

This post does not constitute legal advice and is for informational purposes only. Please consult an attorney for legal advice.

Becky YooseBecky Yoose is the founder of and Library Data Privacy Consultant for LDH Consulting Services, a consultancy that guides libraries and vendors in protecting patron data without sacrificing operational data needs. For over a decade, Becky has wrangled library data in its various forms in academic and public libraries. Becky received her MA-LIS from University of Wisconsin – Madison in 2008, and has been a Certified Information Privacy Professional/United States (CIPP/US) with the International Association of Privacy Professionals since 2018. You can find her online at yobj.net and @yo_bj on Twitter.