Wij willen met u aan tafel zitten en in een openhartig gesprek uitvinden welke uitdagingen en vragen er bij u spelen om zo, gezamelijk, tot een beste oplossing te komen. Oftewel, hoe kan de techniek u ondersteunen in plaats van dat u de techniek moet ondersteunen.

While a number of companies who currently offer at-home medical and health diagnostics had rushed to produce kits that would allow for self sample collection by people who passed a screening and believed they might have contracted the new coronavirus, the U.S. Food and Drug Administration (FDA) has updated its Emergency Use Authorization guidelines to private labs that specifically bar the use of at-home sample collection. This means startups including Everlywell, Carbon Health and Nurx will have to immediately discontinue their testing programs in light of the clarified rules.

The FDA issued the updated guidance on March 21, and though some of the companies had already begun to ship their sample collection kits to people, and even begun to receive samples back to their diagnostic laboratory partners, even any samples in-hand will not be tested, and will instead be destroyed in order to compel with the FDA’s request. Carbon Health is continuing testing at its physical clinics, and notified TechCrunch of this update on Sunday evening, and an individual who ordered the Carbon Health test and sent back their sample provided the following email explaining the decision and what happens next:

We have been working hard to provide our patients every opportunity for COVID-19 testing and treatment, including exploring different avenues for testing.

This evening, we were notified by our lab partner, Curative Inc, that the 3/21/2020 FDA update for COVID-19 testing clarified that at-home sample collection is not covered under the EUA (U.S. Food and Drug Administration’s Emergency Use Authorization). Carbon Health is discontinuing distribution of the at-home sample collection kits effective immediately.

Based on this update by the FDA, we sincerely regret to inform you that you will not get a test result. If you have already shipped your kit back, the specimen will be destroyed by Curative, Inc using standard biohazard disposal. If you have not received your kit yet, please discard it upon receipt.

Please schedule an in-clinic visit at a Carbon Health clinic near you, if possible, to be tested using our traditional specimen collection by a clinician. The turn-around time for results is about 3-5 days from time of specimen collection.

Our goal was to facilitate at home specimen collection in order to keep patients safely in their homes while also providing another avenue for patients to be tested. This is a very dynamic time and we are working tirelessly to work with new partners to expand COVID-19 testing for our communities, as soon as possible. We are truly sorry for the frustration and inconvenience this has caused.

All three of the companies we spoke to that were working to distribute these tests had partnered with labs that were approved under the FDA emergency guidelines to perform COVID-19 diagnostics, and it was the understanding of all parties that at-home self collection via swab kits was included in the authorization. All three also said they were offering their tests at-cost, and seeking ways to defray even that cost to consumers through potential healthcare agency partnerships. Each also offered telehealth consultations for both the sample-gathering process, as well as for delivery of the results.

The FDA’s goal with its emergency use authorization is to enable testing without sticking to its usual qualification process, but it must always balance accuracy and safety. It did grant emergency use approval to Cepheid’s rapid point-of-care test last Friday, as well, which should expand availability of tests on-site in locations like hospitals and emergency medical care clinics, but this updated rule means that at-home tests will not, in the near-term, be a path towards expanding testing coverage in the U.S.

Another startup, Scanwell, has developed an in-home test that includes the diagnostics, using a serological test that looks for the presence of antibodies in a person’s blood. This is still pending FDA approval, and the company is seeking that under the emergency use authorization, with an anticipated approval process time of around six to eight weeks.


TechCrunch

Long and short distance travel have all but stopped for many people at the moment. But looking forward to a time when that may no longer be the case, a company designing flying taxis is today announcing a large round of funding to help continue developing its product.

Lilium, a Munich-based startup that is designing and building vertical take-off and landing (VTOL) aircraft with speeds of up to 100 km/h that it plans eventually to run in its own taxi fleet, has closed a funding round of “over” $ 240 million — money that it plans to use to keep developing its aircraft, and to start building manufacturing facilities to produce more of them, for an expected launch date of 2025.

“We’re working to deliver a brand new form of emissions-free transport,” said a spokesperson. “Doing something like that takes significant time and investment, but the outcome is a valuable business and a chance to have a genuinely positive impact on the way we travel.”

This latest investment was an inside round (involving existing, not new, investors) and it closed last month. It was led by Tencent, with participation from other previous backers that included Atomico, Freigeist and LGT. The valuation is not being disclosed, but the company confirms that it is significantly higher than it was in its Series B in 2017. (For some more context, PitchBook estimates that last year the company was valued at around $ 470 million.)

The news today caps off some challenging recent months for the company, even before the Coronavirus took hold of the world and cast a dark shadow on any kind of travel.

Last October, we reported that several sources said that Lilium, which employs 400 people, was looking to raise between $ 400 million and $ 500 million, a round that it had been working on for some months. In the end, the lower amount the company is putting out today is $ 160 million less than the lower end of that range, but from what we’ve been told, this is not far from what the company was actually aiming to raise. Still, that combined with the fact that there are no new investors in the raise might imply some challenges there.

(It is, nevertheless, one of the biggest fundraises to date for a startup in the “flying vehicle” space. (Volocopter, which is also designing a new kind of flying taxi-style vehicle and service, closed a $ 94 million round in February.) Lilium has now raised more than $ 340 million to date.)

“This additional funding underscores the deep confidence our investors have in both our physical product and our business case. We’re very pleased to be able to complete an internal round with them, having benefited greatly from their support and guidance over the past few years,” said Christopher Delbrück, Lilium’s CFO, in a statement. “The new funds will enable us to take big strides towards our shared goal of delivering regional air mobility as early as 2025.”

But raising money has not been the only challenge. At the beginning of this month, the older of Lilium’s two prototypes burst into flames while some maintenance was being carried out. The model was close to being retired, but testing on the second, newer model has nonetheless been paused until the company can determine the cause of the accident with the first aircraft.

“Our second demonstrator aircraft was fortunately undamaged in the fire and will begin flight testing once we’ve understood the cause of the fire in the first aircraft,” a spokesperson said.

The market for aircraft-based taxi services — be they electric, autonomous, or both — is still very nascent. There are no approved aircraft yet on the market (indeed, the regulations for what these would even look like haven’t even been created), and, as a result, there are no services yet in place, either.

But the opportunity of building fast services that could mitigate current traffic congestion, while also reducing carbon emissions, is potentially massive, and so we are seeing a lot of activity and investment from many corners as companies hope their takes on solving that challenge are the ones to hit the mark.

Lilium’s would-be rivals include not just fellow German startup Volocopter, but also Kitty HawkeHang, Joby and Uber, in addition to Blade and Skyryse, air taxi services of sorts that offer more conventional helicopters and other vessels in limited launches for those willing to spend the money.

It’s not clear how much of this will fare in the months and years ahead, in particular at a tricky time for travel and the wider economy. But for now, Lilium’s work so far — it was founded in 2015 by Daniel Wiegand (CEO), Sebastian Born, Matthias Meiner and Patrick Nathen — has been promising enough for its investors to continue backing it for the long haul.

“At Tencent we’re committed to supporting technologies that we believe have the potential to tackle the greatest challenges facing our world,” said David Wallerstein, Chief eXploration Officer at Tencent, in a statement. “Over the last few years we’ve had the opportunity to see the professionalism and dynamism with which Lilium are approaching their mission and we’re honored to be supporting them as they take the next steps on their journey.”


TechCrunch

The U.S. Food and Drug Administration (FDA) is moving much more quickly to grant special ’emergency use authorization’ to equipment and tests that could help increase testing for the novel coronavirus in the U.S., which lags behind most countries in the world when it comes to tests conducted relative to the size of its population. One type of test just approved for use could help expand the availability of frontline testing in hospitals and at clinics where patients are receiving care – without requiring round-tripping to a dedicated diagnostics lab.

Cepheid’s COVID-19 test, which the agency approved this week, also has the advantage of being able to be run either with or without use of a nasal swab, which is key because supplies of nasal swabs are taxed globally in light of the need for testing. It’s also a molecular, PCR-based test, with high rates of accuracy just like the lab-based testing that’s already in place across facilities in the U.S., but it uses the company’s GeneXpert machine (basically a diagnostics kit the size of an inkjet printer cartdrige lab in a box roughly the size of an inkjet printer) to produce results on-site.

Cepheid says that around 23,000 of its GeneXpert micro-labs are already in use around the world, with around 5,000 of those located in the U.S. The company’s hardware has been running tests for the flu for years already, with high reliability rates. The new COVID-19 tests for the system will begin to be shipped out by the Sunnyvale-based molecular diagnostics company starting next week.

Testing in the U.S. has increased over the past week, thanks in large part to widespread efforts to expand availability especially in hard-hit regions like New York State. But the need for more tests is still pressing, as the limits of availability mean that essentially only the most severe cases, often requiring confirmed contact tracing or proof of elevated risk, are being tested. Solutions like Cepheid’s, as well as other potential alternative test methods than can be done entirely at home, like Scanwell’s forthcoming test that looks for antibodies in a person’s blood, are much-needed if we hope to truly expand testing to a degree that it can properly inform any coronavirus mitigation strategy.


TechCrunch

Right now the world is at war. But this is no ordinary war. It’s a fight with an organism so small we can only detect it through use of a microscope — and if we don’t stop it, it could kill millions of us in the next several decades. No, I’m not talking about COVID-19, though that organism is the one on everyone’s mind right now. I’m talking about antibiotic-resistant bacteria.

You see, more than 700,000 people died globally from bacterial infections last year — 35,000 of them in the U.S. If we do nothing, that number could grow to 10 million annually by 2050, according to a United Nations report.

The problem? Antibiotic overuse at the doctor’s office or in livestock and farming practices. We used a lot of drugs over time to kill off all the bad bacteria — but it only killed off most, not all, of the bad bacteria. And, as the famous line from Jeff Goldblum in Jurassic Park goes, “life finds a way.”

Enter Felix, a biotech startup in the latest Y Combinator batch that thinks it has a novel approach to keeping bacterial infections at bay – viruses.

Phage killing bacteria in a petri dish

It seems weird in a time of widespread concern over the corona virus to be looking at any virus in a good light but as co-founder Robert McBride explains it, Felix’s key technology allows him to target his virus to specific sites on bacteria. This not only kills off the bad bacteria but can also halt its ability to evolve and once more become resistant.

But the idea to use a virus to kill off bacteria is not necessarily new. Bacteriophages, or viruses that can “infect” bacteria, were first discovered by an English researcher in 1915 and commercialized phage therapy began in the U.S. in the 1940’s through Eli Lilly and Company. Right about then antibiotics came along and Western scientists just never seemed to explore the therapy further.

However, with too few new solutions being offered and the standard drug model not working effectively to combat the situation, McBride believes his company can put phage therapy back at the forefront.

Already Felix has tested its solution on an initial group of 10 people to demonstrate its approach.

Felix researcher helping cystic fibrosis patient Ella Balasa through phage therapy

“We can develop therapies in less time and for less money than traditional antibiotics because we are targeting orphan indications and we already know our therapy can work in humans,” McBride told TechCrunch . “We argue that our approach, which re-sensitizes bacteria to traditional antibiotics could be a first line therapy.”

Felix plans to deploy its treatment for bacterial infections in those suffering from cystic fibrosis first as these patients tend to require a near constant stream of antibiotics to combat lung infections.

The next step will be to conduct a small clinical trial involving 30 people, then, as the scientific research and development model tends to go, a larger human trial before seeking FDA approval. But McBride hopes his viral solution will prove itself out in time to help the coming onslaught of antibiotic resistance.

“We know the antibiotic resistant challenge is large now and is only going to get worse,” McBride said. “We have an elegant technological solution to this challenge and we know our treatment can work. We want to contribute to a future in which these infections do not kill more than 10 million people a year, a future we can get excited about.”


TechCrunch

Netflix is picking up “The Lovebirds,” an upcoming romantic comedy starring Kumail Nanjiani and Issa Rae.

“The Lovebirds” reunites Nanjiani with director Michael Showalter. Their previous collaboration, “The Big Sick,” was distributed by Amazon Studios, who gave it a theatrical release before moving to streaming.

This is part of the ongoing fallout from the COVID-19 pandemic, which has forced Hollywood studios to scramble as theaters close amidst a broader push for social distancing. Responses have ranged from delaying major releases to releasing movies early, either as digital rentals or via subscription streaming services like Disney+.

Paramount has already delayed a number of its releases, including “The Lovebirds” (originally scheduled for April 3) and “A Quiet Place II.” This is the first time the outbreak has prompted one of the major studios to have cancel a theatrical release entirely in favor of Netflix, but Paramount had an existing deal with the streamer and previously chose to distribute “The Cloverfield Paradox” via Netflix rather than theaters.

There does not appear to be an official announcement or release date yet. Deadline and The Hollywood Reporter are both reporting on the deal.

This approach likely makes more sense for a mid-budget romantic comedy like “The Lovebirds” than it does for a big-budget blockbuster — but according to The Wrap, Warner Bros. is even considering a streaming release for this summer’s “Wonder Woman.”


TechCrunch

GM said Friday that it is working with Ventec Life Systems to help increase production of respiratory care products such as ventilators that are needed by a growing number of hospitals as the COVID-19 pandemics spreads throughout the U.S.

The partnership is part of StopTheSpread.org, a coordinated effort of private companies to respond to COVId-19, a disease caused by coronavirus.

Ventec will use GM’s logistics, purchasing and manufacturing expertise to build more ventilators. The companies did not provide further details such as when production might be able to ramp up or how many ventilators would be produced.

GM Chairman and CEO Mary Barra said in a statement that GM is working closely with Ventec to rapidly scale up production.

“We will continue to explore ways to help in this time of crisis,” Barra added.

The need for ventilators is urgent as cases of COVID-19 pop up with increasing frequency as widespread testing begins. While some people with COVID-19 reported more mild symptoms, others have experienced severe respiratory problems and need to be hospitalized.

The shortage has prompted automakers to investigate ways of ramping up ventilator production. Volkswagen and Ford have reportedly either talked to the White House or committed to looking at the problem. Volkswagen said Friday it has created a task force to look into using 3D printing to make hospital ventilators.

Elon Musk tweeted Friday that Tesla and SpaceX  employees are “working on ventilators” even though he doesn’t believe they will be needed. His confirmation on Twitter that both of the companies he leads are working on ventilators comes a day after New York City Mayor Bill de Blasio made a direct plea to Musk to help alleviate a shortage at hospitals gearing up to combat COVID-19.

Musk didn’t provide specifics what “working on ventilators” means, what Tesla factory might be used, the possible capacity or when he planned to begin production.


TechCrunch

In a public health emergency that relies on people keeping an anti-social distance from each other to avoid spreading a highly contagious virus for which humans have no pre-existing immunity governments around the world have been quick to look to technology companies for help.

Background tracking is, after all, what many Internet giants’ ad-targeting business models rely on. While, in the US, telcos were recently exposed sharing highly granular location data for commercial ends.

Some of these privacy-hostile practices face ongoing challenges under existing data protection laws in Europe — and/or have at least attracted regulator attention in the US, which lacks a comprehensive digital privacy framework — but a pandemic is clearly an exceptional circumstance. So we’re seeing governments turn to the tech sector for help.

US president Donald Trump was reported last week to have summoned a number of tech companies to the White House to discuss how mobile location data could be used for tracking citizens.

In another development this month he announced Google was working on a nationwide coronavirus screening site — in fact it’s Verily, a different division of Alphabet. But concerns were quickly raised that the site requires users to sign in with a Google account, suggesting users’ health-related queries could be linked to other online activity the tech giant monetizes via ads. (Verily has said the data is stored separately and not linked to other Google products, although the privacy policy does allow data to be shared with third parties including Salesforce for customer service purposes.)

In the UK the government has also been reported to be in discussions with telcos about mapping mobile users’ movements during the crisis — though not at an individual level. It was reported to have held an early meeting with tech companies to ask what resources they could contribute to the fight against COVID-19.

Elsewhere in Europe, Italy — which remains the European nation worst hit by the virus — has reportedly sought anonymized data from Facebook and local telcos that aggregates users’ movement to help with contact tracing or other forms of monitoring.

While there are clear public health imperatives to ensure populations are following instructions to reduce social contact, the prospect of Western democracies making like China and actively monitoring citizens’ movements raises uneasy questions about the long term impact of such measures on civil liberties.

Plus, if governments seek to expand state surveillance powers by directly leaning on the private sector to keep tabs on citizens it risks cementing a commercial exploitation of privacy — at a time when there’s been substantial push-back over the background profiling of web users for behavioral ads.

“Unprecedented levels of surveillance, data exploitation, and misinformation are being tested across the world,” warns civil rights campaign group Privacy International, which is tracking what it dubs the “extraordinary measures” being taken during the pandemic.

A couple of examples include telcos in Israel sharing location data with state agencies for COVID-19 contact tracing and the UK government tabling emergency legislation that relaxes the rules around intercept warrants.

“Many of those measures are based on extraordinary powers, only to be used temporarily in emergencies. Others use exemptions in data protection laws to share data. Some may be effective and based on advice from epidemiologists, others will not be. But all of them must be temporary, necessary, and proportionate,” it adds. “It is essential to keep track of them. When the pandemic is over, such extraordinary measures must be put to an end and held to account.”

At the same time employers may feel under pressure to be monitoring their own staff to try to reduce COVID-19 risks right now — which raises questions about how they can contribute to a vital public health cause without overstepping any legal bounds.

We talked to two lawyers from Linklaters to get their perspective on the rules that wrap extraordinary steps such as tracking citizens’ movements and their health data, and how European and US data regulators are responding so far to the coronavirus crisis.

Bear in mind it’s a fast-moving situation — with some governments (including the UK and Israel) legislating to extend state surveillance powers during the pandemic.

The interviews below have been lighted edited for length and clarity

Europe and the UK

Dr Daniel Pauly, technology, media & telecommunications partner at Linklaters in Frankfurt 

Data protection law has not been suspended. At least when it comes to Europe. So data protection law still applies — without any restrictions. This is the baseline on which we need to work and for which we need to start. Then we need to differentiate between what the government can do and what employers can do in particular.

It’s very important to understand that when we look at governments they do have the means to allow themselves a certain use of data. Because there are opening clauses, flexibility clauses, in particular in the GDPR, when it comes to public health concerns, cross-border threats.

By using the legislation process they may introduce further powers. To give you one example what the Germany government did to respond is they created a special law — the coronavirus notification regulation — we already have in place a law governing the use of personal data in respect of certain serious infections. And what they did is they simply added the coronavirus infection to that list, which now means that hospitals and doctors must notify the competent authority of any COVID-19 infection.

This is pretty far reaching. They need to transmit names, contact details, sex, date of birth and many other details to allow the competent authority to gather that data and to analyze that data.

Another important topic in that field is the use of telecommunications data — in particular mobile phone data. Efficient use of that data might be one of the reasons why they obviously were quite successful in China with reducing the threat from the virus.

In Europe the government may not simply use mobile phone data and movement data — they have to anonymize it first and this is what, in Germany and other European jurisdictions, happened — including the UK — that anonymized mobile phone data has been handed over to organizations who start analyzing that data to get a better view of how the people behave, how the people move and what they need to do in order to restrict further movement. Or to restrict public life. This is the view on the government at least in Europe and the UK.

Transparency obligations [related to government use of personal data] are stemming from the GDPR [General Data Protection Regulation]. When they would like to make use of mobile phone data this is the ePrivacy directive. This is not as transparent as the GDPR is and they did not succeed in replacing that piece of legislation by new regulation. So the ePrivacy directive gives again the various Member States, including the UK, the possibility to introduce further and more restrictive laws [for public health reasons].

[If Internet companies such as Google were to be asked by European governments to pass data on users for a coronavirus tracking purpose] it has to be taken into consideration that they have not included this in their records of processing activities — in their data protection notifications and information.

So it would be at least from a pure legal perspective it would be a huge step — and I’m wondering whether it would be feasible without the governments introducing special laws for that.

If [EU] governments would make use of private companies to provide them with data which has not been collected for such purposes — so that would be a huge step from the perspective of the GDPR at least. I’m not aware of something like this. I’ve certainly read there are discussions ongoing with Netflix to reduce the net traffic but I haven’t heard anything about making use of the data Google has.

I wouldn’t expect it in Europe — and particularly in Germany. Tracking people, tracking and monitoring what they are doing this is almost last resort — so I wouldn’t expect that in the next couple of weeks. And I hope then it’s over.

[So far], from my perspective, the European regulators have responded [to the coronavirus crisis] in a pretty reasonable manner by saying that, in particular, any response to the virus must be proportionate.

We still have that law in place and we need to consider that the data we’re talking about is health data — it’s the most protected data of all. Having said that there are some ways at least the GDPR is allowing the government and allowing employers to make use of that data. In particular when it comes to processing for substantial public interest. Or if it’s required for the purposes of preventive medicine or necessary for reasons of public interest.

So the legislator was wise enough to include clauses allowing the use of such data under certain circumstances and there are a number of supervisory authorities who already made public guidelines how to make use of these statutory permissions. And what they basically said was it always needs to be figured out on a case by case basis whether the data is really required in the specific case.

To give you an example, it was made clear that an employer may not ask an employee where he has been during his vacation — but he may ask have you been in any of the risk areas? And then the sufficient answer is yes or no. They do not need any further data. So it’s always [about approaching this] a smart way — by being smart you get the information you need; it’s not the flood gate suddenly opened.

You really need to look at the specific case and see how to get the data you need. Usually it’s a yes or no which is sufficient in the particular case.

The US

Caitlin Potratz Metcalf, senior U.S. associate at Linklaters and a Certified Information Privacy Professional (CIPP/US)

Even though you don’t have a structured privacy framework in the US — or one specific regulator that covers privacy — you’ve got some of the same issues. The FCC [Federal Communications Commission] will go after companies that take any action that is inconsistent with their privacy policies. And that would be misleading to consumers. Their initial focus is on consumer protection, not privacy, but in the last couple of years they’ve been wearing two hats. So there is a focus on privacy even though we don’t have a national privacy law [equivalent in scope to the EU’s GDPR] but it’s coming from a consumer protection point of view.

So, for example, the FCC back in February actually announced potential sanctions against four major telecoms companies int he US with respect to sharing data related to cell phone tracking — it wasn’t the geolocation in an app but actually pinging off cell towers — and sharing that data to third parties without proper safeguards. Because that wasn’t disclosed in their privacy policies.

They haven’t actually issued those fines but it was announced that they may pursue a $ 208M fine total against these four companies: AT&T, Verizon*, T-Mobile, Sprint… So they do take it very seriously about how that data is safeguarded, how it’s being shared. And the fact that we have a state of emergency doesn’t change that emphasis on consumer protection.

You’ll see the same is true for the Department of Health and Human Services (HHS) — that’s responsible for any medical or health data.

That is really limited towards entities that are covered entities under HIPAA [Health Insurance Portability and Accountability Act] or their business associates. So it doesn’t apply to everybody across the board. But if you are a hospital health plan provider, whether you’re an employer and you have a group health plan, an insurer, or a business associate supporting one of those covered entities then you have to comply with HIPAA to the extent you’re handling protected health information. And that’s a bit narrower than the definition of personal data that you’d have under GDPR.

So you’re really looking at identifying information for that patient: Their medical status, their birth date, address, things like that that might be very identifiable and related to the person. But you could share things that are more general. For example you have a middle aged man from this county who’s tested positive for COVID and is at XYZ facility being treated and his condition is stable. Or his condition is critical. So you could share that kind of level of detail — but not further.

And so HHS in February had issued a bullet stressing that you can’t set aside the privacy and security safeguards under HIPAA during an emergency. They stressed to all covered entities that you have to still comply with the law — sanctions are still in place. And to the extent that you do have to disclose some of the protected health information it has to be to the minimum extent necessary. And that can be disclosed either to other hospitals, to a regulator in order to help stem the spread of COVID and also in order to provide treatment to a patient. So they listed a couple of different exceptions how you can share that information but really stressing the minimum necessary.

The same would be true for an employer — like of a group health plan — if they’re trying to share information about employees but it’s going to be very narrow in what they can actually share. And they can’t just cite as an exception that it’s for the public health interest.. You don’t necessarily have to disclose what country they’ve been to it’s just have they been to a region that’s on a restricted list for travel. So it’s finding creative ways to relay the necessary information you need and if there’s anything less intrusive you’re required to go that route.

That said, just last week HHS also issued another bullet saying that they would waive HIPAA sanctions and penalties during the nationwide public health emergency. But it was only directed to hospitals — so it doesn’t apply to all covered entities.

They also issued another bulletin saying that they would lax restrictions on basically sharing data on using electronic means. So there’s very heightened restrictions on how you can share data electronically when it relates to medical and health information. And so this was allowing doctors to communicate by FaceTime or video chat and other methods that may not be encrypted or secure. Or communicate with patients etc. So they’re giving a waiver or just softening some of the restrictions related to transferring health data electronically.

So you can see it’s an evolving situation but they’ve still taken a very reserved and kind of conservative approach — really emphasizing that you do need to comply with your obligation to protect health data. So that’s where you see the strongest implementations. And then the FCC coming at it from a consumer protection point of view.

Going back to the point you made earlier about Google sharing data [with governments] — you could get there, it just depends on how their privacy policies are structured.

In terms of tracking individuals we don’t have a national statute like GDPR that would prevent that but it would also be very difficult to anonymize that data because it’s so tied to individuals — it’s like your DNA; you can map a person leaving home, going to work or school, going to a doctor’s office, coming back home — and it really does have very sensitive information and because of all the specific data points it means it’s very difficult to anonymize it and provide it in a format that wouldn’t violate someone’s privacy without their consent. And so while you may not need full consent in the US you would still need to have notice and transparency about the policies.

Then it would be slightly different if you’re a California resident — the degree that you need under the new California law [CCPA] to provide disclosures and give individuals the opportunity to opt out if you were to share their information. So in that case, where the telecoms companies are potentially going to be sued by the FCC for sharing data with third parties, that in particular would also violate the new California law if consumers weren’t given the opportunity to opt out of having their information sold.

So there’s a lot of different puzzle pieces that fit together since we have a patchwork quilt of data protection — depending on the different state and federal laws.

The government, I guess, could issue other mandates or regulations [to requisition telco tracking data for a COVID-related public health purpose] — I don’t know that they will. I would envisage more of a call to arms requesting support and assistance from the private sector. Not a mandate that you must share your data, given the way our government is structured. Unless things get incredibly dire I don’t really see a mandate to companies that they have to share certain data in order to be able to track patients.

[If Google makes use of health-related searches/queries to enrich user profiles it uses for commercial purposes] that in and of itself wouldn’t be protected health information.

Google is not a [HIPAA] covered entity. And depending on what type of support it’s providing for covered entities it may be in limited circumstances could be considered a business associate that could be subject to HIPAA but in the context of just collecting data on consumers it wouldn’t be governed by that.

So as long as it’s not doing anything outside the scope of what’s already in its privacy policies then it’s fine — so the fact that it’s collecting data based on searches that you run on Google that should be in the privacy policy anyway. It doesn’t need to be specific to the type of search that you’re running. So the fact that it’s looking up how to get COVID testing or treatment or what are the symptoms for COVID, things like that, that can all be tied to the data [it holds on users] and enriched. And that can also be shared and sold to third parties — unless you’re a California resident. They have a separate privacy policy for California residents… They just have to consistent with their privacy policy.

The interesting thing to me is maybe the approach that Asia has taken — where they have a lot more influence over the commercial sector and data tracking–  and so you actually have the regulator stepping in and doing more tracking, not just private companies. But private companies are able to provide tracking information.

You see it actually with Uber. They’ve issued additional privacy notices to consumers — saying that to the extent we become aware of a passenger that has had COVID or a driver, we will notify people who have come into contact with that Uber over a given time period. They’re trying to take the initiative to do their own tracking to protect workers and consumers.

And they can do that — they just have to be careful about how much detail they share about personal information. Not naming names of who was impacted [but rather saying something like] ‘in the last 24 hours you may have ridden in an Uber that was impacted or known to have an infected individual in the Uber’.

[When it comes to telehealth platforms and privacy protections] it depends if they’re considered a business associate of a covered entity. So they may not be a covered entity themselves but if they are a business associate supporting a covered entity — for example a hospital or a clinic or insurers sharing that data and relying on a telehealth platform. In that context they would be governed by some of the same privacy and security regulations under HIPAA.

Some of them are slightly different for a business associate compared to a covered entity but generally you step in the shoes of the covered entity if you’re handling the covered entity’s data and have the same restrictions apply to you.

Aggregate data wouldn’t be considered protected health information — so they could [for example] share a symptom heat map that doesn’t identify specific individuals or patients and their health data.

[But] standalone telehealth apps that are collecting data directly from the consumer are not covered by HIPAA.

That’s actually a big loophole in terms of consumer protection, privacy protections related to health data. You have the same issue for all the health fitness apps — whether it’s your fitbit or other health apps or if you’re pregnant and you have an app that tracks your maternity or your period or things like that. Any of that data that’s collected is not protected.

The only protections you have are whatever disclosures are in the privacy policies. And in them having to be transparent and act within that privacy policy. If they don’t they can face an enforcement action by the FCC but that is not regulated by the Department of Health and Human Services under HIPAA.

So it’s a very different approach than under GDPR which is much more comprehensive.

That’s not to say in the future we might see a tightening of restrictions on that but individuals are freely giving that information — and in theory should read the privacy policy that’s provided when you log into the app. But most users probably don’t read that and then that data can be shared with other third parties.

They could share it with a regulator, they could sell it to other third parties so long as they have the proper disclosure that they may sell your personal information or share it with third parties. It depends on how they’re privacy policy is crafted. So long as it covers those specific actions. And for California residents it’s a more specific test — there are more disclosures that are required.

For example the type of data that you’re collecting, the purpose that you’re collecting it for, how you intend to process that data, who you intend to share it with and why. So it’s tightened for California residents but for the rest of the US you just have to be consistent with your privacy policy and you aren’t required to have the same level of disclosures.

More sophisticated, larger companies, though, definitely are already complying with GDPR — or endeavouring to comply with the California law — and so they have more sophisticated, detailed privacy notices than are maybe required by law in the US. But they’re kind of operating on a global platform and trying to have a global privacy policy.

*Disclosure: Verizon is TechCrunch’s parent company


TechCrunch

Created by R the Company. Powered by SiteMuze.