DES MOINES, Iowa – On Tuesday, State Auditor Rob Sand announced that his office joined a coalition of 14 other state auditors for a bipartisan project to audit how states are reporting and monitoring COVID-19 cases.
Sand said the project intends to improve understanding of the pandemic’s progression and better guide public health actions in the future.
“I’m excited to be able to work with a bi-partisan group of auditors on projects like we did with our initial Test Iowa audit, as well as monitoring our state’s response to this global pandemic,” he said in a released statement. “The goal of this project can be summed up as good government. Working with other auditors to ensure our states are being transparent, responsible, and accountable is extremely important, and may help illuminate helpful experiments in this laboratory of democracy we call the USA.”
What information will the state auditor’s office need to conduct this audit?
Sand’s spokesperson, Andrew Turner, told Caffeinated Thoughts that they only want the information provided to the private companies involved in the Test Iowa initiative.
“Privacy will be protected… Privacy will be protected in the same way that we protect everything. Our office has strict confidentiality rules and laws that we follow with everything that we do,” he said.
“Governor Reynolds, when she signed the Test Iowa contract with the two Utah companies, she agreed to give them all the testing data, and it goes to those two Utah companies before then comes back to us. So we’ll just be getting the same data that they’re getting, which is like a 65-year-old man in Dubuque County tested positive on this date,” Turner explained.
Sand’s formal request, however, asked for more information than that.
In Sand’s formal request to the Iowa Department of Public Health (IDPH), he asked, “In order to audit the State’s testing response to the COVID-19 pandemic, we are requesting access to the Iowa Disease Surveillance System (IDSS) for COVID-19 and not other communicable diseases. Access should include, but is not limited to, all fields defined under Chapter 139A.3(1)a-k of the Code of Iowa, and all data available to Local County Boards of Health, Hospitals, and all other entities who may access or use the data.”
The fields included under Iowa Code 139A.3(1)a-k contains personally identifiable information (PII) such as:
- The patient’s name.
- The patient’s address
- The patient’s date of birth.
- The sex of the patient.
- The race and ethnicity of the patient.
- The patient’s marital status.
- The patient’s telephone number.
- The name and address of the laboratory.
- The date the test was found to be positive and the collection date.
- The name of the health care provider who performed the test
- If the patient is female, whether the female is pregnant
This is information that healthcare providers or hospitals provide the IDPH upon someone testing positive for an infectious disease. It is also beyond the scope of Test Iowa’s vendors can freely access.
Pat Garrett, the spokesperson for Gov. Kim Reynolds, told Caffeinated Thoughts that Qualtrics and Domo, the Test Iowa vendors, could only look up protected information such as a name and test results “at our request or with the consent of a patient who is trying to access a test result.”
He said the information could only be accessed with “the sole purpose of informing the state’s response to the pandemic.”
The interim director of IDPH, Kelly Garcia, denied that specific request in a response sent on July 24, 2020.
“IDPH is unable to grant access to IDSS for COVID-19 cases only, as the system does not have that functionality. Any individual granted access to IDSS as a state user would be able to see patient demographics and disease information on every case in IDSS and there is no way to limit access to COVID cases only. IDSS includes information on sexually transmitted infections which are confidential in accordance with Iowa Code section 139A.30 and other reportable diseases which are confidential in accord with Iowa Code section 139A.3,” she wrote.
Garcia said IDPH could provide COVID-19 specific data to the state auditor’s office with PII redacted.
During an interview with Simon Conway on WHO Radio, Sand said that his office is an entity covered by HIPPA that can receive private health information.
Conway expressed concern about the state auditor’s office having medical information.
“It would be your testing information, not your entire medical record. And the degree to which we need that, you know, remains to be seen. Do we need to have people’s names attached to it? We don’t need it. But legally speaking, would it be okay, if we had it? Again, the law carves us into that piece of confidentiality,” Sand answered.
In the past, the state auditor’s office, under State Auditor David Vaudt, has argued they are a “health oversight agency” to address HIPPA restrictions since they are not considered a “covered entity” or the “business associate” of a provider.
The definition under federal law for “health oversight agency” states, “Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.”
Whether the state auditor’s office is included in the definition is debatable as the Iowa Department of Public Health is the state’s agency with that grant of authority.
Sand assured Conway that his office is not seeking medical records, but testing data.
“(What) we’re going to be looking at is testing data. So it’d be a medical record, a test, we would be able to potentially see just who got that test. But there’s a piece of this that comes down to, again, the audit function, we want to have reliability of data. I don’t think this is happening. But hypothetical. Why should someone in an auditor’s position have access to this? Well, hypothetically, you’d want to know that the testing data that’s getting reported is for actual people, right? That are alive and that are getting tested. So that you know that there aren’t some fake tests getting reported as they’re being done so that we can pump up the numbers of tests that are being conducted and say, ‘Oh, look at all these tests we’re doing well, we’re doing them.’ Okay, let’s check. Yep, that’s a real person,” he said.
Conway asked Sand how he would make sure, if he received a test, was actually tested. “Would you speak to my primary care physician?” he asked.
“Well (it would) depend on the parameters that we lay down, those parameters haven’t been laid down. And again, I’m not suggesting that that’s necessarily one of the things that we’re looking at. But you’re asking the question, so I’m answering. There’s a number of ways you could do it. I mean, number one, we could simply look at birth records in the state of Iowa. Look, and make sure that your person with an accurate name room know you exist,” Sand said.
Turner told Caffeinated Thoughts that any data provided to the state auditor’s office by IDPH would not be shared with the coalition because it would be a violation of their confidentiality policy.