As colleges and universities reopened campuses to students last fall, a number of schools across the United States turned towards the use of location tracking apps, wearable technology, and other surveillance tools in the hope that they would facilitate contact tracing and potentially mitigate the spread of COVID-19 in residence halls and in-person classes. These efforts to monitor student health and track student activity have been met with skepticism from students and privacy advocates, who cite concerns about the invasive nature of such tools and the risk that the data they generate may be misused by unauthorized parties.
In Michigan, Oakland University had announced earlier in August that it would require students living in residence halls to wear a BioButton, a coin-sized device that would monitor physiological data, such as skin temperature and heart rate as well and physical proximity to others wearing BioButtons. Administrators had hoped that this would allow the university to pinpoint early-stage cases among the student body. The university soon withdrew the policy, however, after receiving significant backlash from students, who, citing privacy and transparency issues, petitioned the school to make usage optional.
Albion College, a private liberal arts college in Michigan, had issued a similar requirement for students to install the Aura app on their phones before they could come on campus. As a contact-tracing app, Aura would record students’ real-time location using phone GPS services and alert students when they had been in close proximity with someone who had tested positive for the virus. Albion had intended for the Aura app to work in tandem with what some considered to be a draconian policy that prevented students from leaving campus, under threat of suspension. After the app was rolled out, however, a student found vulnerabilities in Aura’s source code that gave access to the app’s backend servers, and by extension, access to “patient data, including COVID-19 test results with names, addresses, and dates of birth,” and an investigation conducted by TechCrunch found another bug in the app that allow one to infer a student’s COVID-19 test results.
While these vulnerabilities were eventually patched, the issues with the Aura app and Oakland University’s impeded rollout of BioButtons point to lingering concerns about the often-piecemeal strategies that have been implemented by colleges and universities over the past few months. Many of these plans raise questions regarding the efficacy of unproven technologies and their ability to maintain the privacy of student health information.
Where Privacy Law Comes into Play:
Typically, colleges and universities are not entities covered under the Health Insurance Portability and Accountability Act (HIPAA), which applies to health care plans, health care clearinghouses, and health care providers. Rather, postsecondary educational institutions generally fall under the ambit of the Family Educational Rights and Privacy Act (FERPA). FERPA protects the privacy of student “education records”, which, with certain exceptions, are broadly defined as any materials which contain information directly related to a student and are maintained by an educational institution or an agent acting on its behalf. For example, a student’s health records, including immunization records, maintained by a university would generally constitute education records subject to FERPA. With respect to postsecondary educational institutions, FERPA generally prohibits disclosures of a student’s personally identifiable information (PII) from education records without the consent of that student.
There are exceptions to this general rule. Educational institutions can often address threats to the health and safety of students without identifying particular students, but there are certain exceptions for health or safety emergencies. FERPA permits educational institutions to disclose, without prior written consent, PII from student education records to appropriate parties (such as law enforcement, public health officials, and medical professionals) in connection with an emergency, if knowledge of that information is necessary to protect the health or safety of a student or other individuals. This exception is narrowly tailored, as it is limited in time to the period of the emergency and generally does not allow for a blanket release of PII. Additionally, schools can disclose PII from a student’s education records, including health and medical information, to teachers and other school officials within the institution, without prior written consent, if these school officials have been determined to have “legitimate educational interests” in the education records, pursuant to criteria set forth in the school’s annual notification of FERPA rights.
Thus, for purposes of federal law, colleges and universities must be careful in determining how they use and disseminate information about COVID-19 cases on campus, particularly when student PII is involved. Under FERPA, schools are generally permitted to release statistical information if it has been sufficiently stripped of any personally identifiable information or language. Additionally, colleges may inform faculty if a student in an in-person class has tested positive since the “school official” exception applies. The exception permits disclosures to instructors, who have a legitimate interest in their safety and for that of other students in the classroom. Whether a contact-tracing or monitoring app passes muster is highly context-specific, but educational institutions should prepare consent forms for students to sign so that health information can be shared to appropriate parties. At the same time, however, colleges must also consider the applicable state medical confidentiality laws before they publish information on student COVID-19 cases, since such laws may be more restrictive than FERPA.
Issues with Contact-Tracing Strategies at Colleges:
At the start of the fall semester, colleges had looked optimistically towards contact-tracing phone apps and other technologies as part of a comprehensive plan to detect cases and ensure student safety. To that end, the results have been underwhelming. Both Oakland University and Albion College ended in-person classes earlier than anticipated in November, due to rising case numbers on their campuses. Monitoring devices, such as the BioButton, only track changes in body temperature and measurable symptoms of COVID-19, allowing asymptomatic cases to slip through. The main issue affecting the usefulness of contact-tracing apps, however, is that they are characterized by strong network effects. The value of these apps depends on how many other people use the app and regularly self-report test results. Without widespread adoption by students, these apps will be less effective in tracking the spread of COVID. Additionally, the purpose of these apps is frustrated when there is a lack of widespread rapid testing programs at colleges, or even simply access to testing within a reasonable distance of campuses. To complicate the matter, universities are often integrated into surrounding college towns, and contact-tracing apps that are limited to usage by students and faculty may fail to capture their interactions with the wider community.
The Next Steps
COVID-19 cases are again on the rise. As the winter brings in colder weather, people will spend more time indoors, where the virus is potentially more transmissible. We are likely still months away from the widespread distribution of a vaccine, and even afterwards, some precautions against the spread of coronavirus in public spaces will probably still be necessary. Even if colleges begin to send on-campus residents home for the fall, many students living in off-campus apartments and Greek life houses are still likely to stay. Is there any role for contact-tracing apps to play at colleges, despite all the difficulties they have encountered in the past?
Colleges face numerous hurdles in that regard. Above all, contact-tracing plans require cooperation from students, who may be distrustful or unwilling to use apps that continuously monitor geolocation data. To assuage concerns that these apps harvest students’ location data, colleges could adopt proximity-sensing apps that use Bluetooth rather than location-tracking services to compile encounters with other users. This may have its own drawbacks, as these apps focus on notifying users of potential exposure rather than determining specific locations of spread. Several states, including Virginia and Michigan, have already introduced their own apps that use Bluetooth to alert people of potential COVID-19 exposure. In general, colleges should be more transparent about what information is collected through COVID-tracking apps, how it is used, and what measures to protect privacy are in place in order to reassure students that the data they provide will not be misused. More importantly, access to regular, rapid testing for even those without symptoms is necessary for contact-tracing at colleges to be effective.
* Marvin Shih is an Associate Editor on the Michigan Technology Law Review.