Apple senior government affairs director Timothy Powderly also tells the Senate that its tools aren’t covered by the health privacy law HIPAA. HIPAA governs when a company can disclose data to a third party, and Apple says there aren’t any third parties involved in collecting the information, since “data are entered into the website and app directly by users.” The screening tool doesn’t ask for a user’s name, but it requests information about their age, travel history, possible exposure to infected people, and other details that could determine whether they should be tested for the novel coronavirus. Apple says it “collects only the information necessary” to run the app, including analytics like crash reports, and if it decides to store and share more data in the future, it would get user consent.
These tools are separate from — and far less complex than — the COVID-19 contact tracing system that Apple is developing alongside Google. That tool is set to launch in mid-May and raises its own set of privacy questions — although they’re ones that both companies have put a lot of work into addressing. In a statement to The Verge, Menendez said that he appreciated the replies. “Apple’s response reflects a commitment to data privacy and the importance of taking proactive steps to protect it. I expect them to live up to this commitment and I will be there to hold them accountable if they fail,” he said. “I would hope that the Department of Health and Human Services — and the Trump Administration as a whole — follow similar steps to be more transparent and, for example, publish the full agreements they have signed with tech companies such as Apple.”