Eric Johnson


In 2009, the HITECH Act prompted hospitals and medical centers across the country to move patient information from paper health records to electronic versions. Electronic health records (EHRs) introduced a wave of new possibilities—like searching for information instantly, analyzing large trends and preventing data loss.

They also created a need for rigorous standards of privacy and security.

Historically, very few groups outside of health care have had a good reason to collect information about personal health—but the coronavirus changed that.

Suddenly, organizations all over the world are incentivized to understand this virus better, and many are going so far as to do their own research. Local governments are tracing symptoms, offices are asking their employees for temperature checks and companies are checking on customers.

As a survey company, SurveyMonkey has a front-row seat to what might be the second wave of change in the way we think about health care data.

The coronavirus has prompted a flood of demand for data insights

As businesses start to reopen, everyone from retail stores to big corporate offices need to understand whether they can safely go back to their offices and how their community is impacted. They too have started asking questions.

The result is a flood of new data points coming into all kinds of organizations—from health care to government to small businesses to international corporations.

Here are some examples of the types of data that I’m talking about.

Governments, NGOs and companies across the world are doing similar research, and many workplaces will start taking the temperature of every person who enters the building. There are far more health care data points in circulation than before, both publicly and privately.

So what are the implications of this?

First, the clear line between individual protected health information (PHI) and businesses that have nothing to do with health care could get blurrier. Second, we could unlock incredible new breakthroughs.

The importance of prioritizing privacy during the coronavirus

PHI is protected under HIPAA—which means that covered entities and business associates who collect it are liable if they fail to keep the information private and secure. Even if an organization’s intentions are noble, mishandling PHI would be an incredible breach of the trust of its employees or customers.

Violating HIPAA can result in significant fines and criminal penalties and could cost businesses their customers, their employees and their good reputation.

That isn’t to say that these organizations shouldn’t be asking questions or gathering other PHI (like taking temperatures)—in many cases, that may be the responsible thing to do. It just means that teams collecting it need to be careful.

In many cases, businesses already have resources to help people stay compliant from a behavior perspective, including legal teams and security and compliance groups. So whoever is thinking about collecting information that could fall under PHI—marketers, customer support, HR, etc.—will need to consult with those internal experts before they do so and keep them in the loop at every stage.

An area to be especially conscious of is information storage. Groups that collect PHI are also responsible for saving information in a secure place—including digitally—controlling the people who have access to it, and disposing of it securely when it’s no longer needed. HIPAA compliance obligations can often extend to vendors, integrations, and partners.

The urgency of the coronavirus might tempt businesses and other groups to move fast, but it’s equally important to be careful. If organizations plan to collect PHI to protect a community’s best interest, they need to extend that concern to the processes, staff and security of that data and protecting that data appropriately.

The potential benefits of the second wave of health care data

But the flood of new information could also lead to unprecedented insights.

Health care institutions are usually extremely cautious with medical data, including in research, which means less sharing. Many medical studies are restricted to the pool of volunteers within a certain institution or program, which ensures that the data collected is comprehensive and sound, but limits the scale.

This second wave of data involves much more information, coming from all kinds of different sources. Each of these also has its own pre-existing unique data sets. If organizations across regions and industries start collecting and sharing information about coronavirus symptoms and trends, what insights could that unlock?

Some of these changes may even outlast the coronavirus. It’s reasonable to assume that some might pay closer attention to health or continue to collect health-related information in the future. If that’s the case, then organizations should be planning for long-term security policies and sustainable solutions with the interests of their community (customers, employees, partners) front and center.

The world is experiencing a flood of new health information, and there are risks, responsibilities, and opportunities that come with that.