I. EXECUTIVE SUMMARY
The Maryland Department of Health (MDH) has the mission to promote and improve the health and safety of all Marylanders through disease prevention, access to care, quality management, and community engagement. The MD COVID Alert is a smartphone COVID-19 exposure notification system that Marylanders can choose to use to learn if they may have been exposed to COVID-19.
The Office of Enterprise Technology (OET) is responsible for administering this program.
Under Governor Larry Hogan’s direction, state agencies continue to develop comprehensive and coordinated prevention and response plans for coronavirus disease 2019 (COVID-19). The purpose of the MD COVID Alert is to allow users to send and receive notifications of a potential high-risk exposure to COVID-19, in a privacy-preserving manner. The notifications will include instructions on whom to contact and the next steps to take if potential high-risk exposure is suspected.
The exposure notifications are intended to supplement the conventional contact tracing efforts undertaken by local public health authorities involving contact by a caseworker.
III. POLICY STATEMENTS
- “Aggregate data” means information that relates to a group or category of individuals that is not linked or reasonably linkable to any individual or device that is linked or reasonably linkable to an individual.
- “Automated exposure notification system” means a website, online service, online application, mobile application, or mobile operating system that is offered in commerce in the United States and that is designed, in part or in full, specifically to be used for, or marketed for, the purpose of digitally notifying, in an automated manner, an individual who may have become exposed to an infectious disease, or the device of such individual, or a person or entity that reviews such disclosures.
- “Bluetooth” means a short-range wireless communications technology to replace the cables connecting electronic devices.
- “MD COVID Alert” means an automated exposure notification system.
- Personal information.
- “Personal information” means any information that is:
- Linked or reasonably linkable to any individual or device linked or reasonably linkable to an individual; and
- Collected, processed, or transferred in connection with an automated exposure notification service.
- “Personal information” does not include aggregate data.
- “Personal information” means any information that is:
- “Voluntary” means an affirmative express consent that shall be freely given and nonconditional.
B. GENERAL POLICY
How MD COVID Alert Works.
- As defined in the Exposure Notification Privacy Act, MD COVID Alert does not collect or exchange any personal information of the user receiving notifications.
- The mobile devices of users share anonymous tokens (randomly generated strings of numbers) via Bluetooth. The only data used are the anonymous tokens, Bluetooth signal strength (proximity), and date and duration of exposure.
- Data is not linked to a user’s identity or location. Each user’s tokens change frequently to further protect their identity.
- Data is stored only on the user’s own device and are never shared unless and until the user has a positive COVID-19 diagnosis and elects to share this information within the system.
- Data is stored for a period of 14 days and then automatically deleted. Once deleted, data cannot be restored.
- A user who tests positive for COVID-19 may choose to notify other MD COVID Alert users who have been near the user. To trigger such notification, the COVID-19 positive user must enter a valid verification code provided by a contact tracer during the case investigation process initiated by the user’s positive test result being reported to MDH.
- Several times a day, the app downloads a list of all the anonymous tokens associated with positive COVID-19 cases that have elected to share their tokens via the app.
- The user’s device checks these tokens against the list of tokens it has encountered in the past 14 days.
- If there is a match, and the date, duration, and proximity align with the public health authority’s risk model to indicate a possible exposure to the virus, the user will receive an exposure notification.
- The exposure notification will inform the user of the date of exposure and voluntary instructions on what to do next.
User Consent and Choices.
Using the system.
MD COVID Alert has the potential to help stop the spread of the infection and its use is highly encouraged, but it is completely voluntary.
The system does not collect, track or store users’ location, GPS information, or personal information.
Disabling exposure notifications.
Users may disable MD COVID Alert at any time by uninstalling the app (Android), turning off the feature (iOS), turning off the mobile device, or turning off the Bluetooth function.
Generating exposure notifications to other users.
Providing notification to other users is also completely voluntary. If a user tests positive for COVID-19, and chooses to notify others, the user has to activate notifications by entering a verification code to release the anonymous tokens stored on the mobile device. When anonymous tokens are released, the notifications that may be generated do not disclose the COVID-19 positive user’s identity, location, phone number, or any other personal information.
The exposure notification includes the date of the exposure, but the COVID-19 positive user’s identity is not shared. Sharing the exposure date is important to ensure the right precautions (such as self-quarantine) are taken for an appropriate amount of time based on the exposure date. It is possible that someone who receives an exposure notice could guess the identity of the COVID-19 positive individual if they had a limited number of contacts on a given day.
A verification code is required to share a positive test result in the system. This ensures that only verified positive test results are used to generate exposure notifications. Verification codes shall only be provided by a contact tracer during the case investigation process initiated by the user’s positive test result being reported to MDH.
Sharing of information.
The following categories of de-identified data may be processed and collected by MD COVID Alert:
- Installing of the app;
- Enabled and disabled exposure notifications;
- Receipt of an exposure notification;
- Entry of a verification code to send anonymous tokens;
- Anonymous tokens that have been voluntarily shared; and
- Deletion of the app.
The data may be used to monitor system usage, as well as for performance evaluation and statistical or scientific research purposes. The data may also be shared with local public health authorities. This information will not include any personal or location information, nor can it be used to identify any system user.
MD COVID Alert is not intended for anyone under the age of 18.
Maryland Department of Health
Office of Enterprise Technology
201 West Preston Street
Baltimore, MD 21201
- Exposure Notification Privacy Act – S.3861
- Health Insurance Portability and Accountability Act (HIPAA); Public Law §104-191
- Health Information Technology for Economic and Clinical Health Act (HITECH) as part of the American Recoveries and Reinvestment Act of 2009; Public Law 111-5
- MDH HIPAA Individual Rights Policy
- MDH HIPAA Webpage