COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER, THE CENTER FOR HIV LAW AND POLICY, PREP4ALL & THE POSITIVE WOMEN’S NETWORK +
Department of Health and Human Services
System of Records Notice, System No. 09-90-2101 HIV Prevention Medication Distribution Records
88 Fed. Reg. 3,999
February 22, 2023
The Office of Infectious Disease and HIV/AIDS Policy (OIDP) is proposing to establish a new database to help Gilead Pharmaceuticals verify identity and eligibility of enrollees in a joint program between Gilead and OIDP to distribute Pre-Exposure Prophylaxis (PrEP) to people at high risk of contracting HIV. The proposed database would collect and maintain a variety of personal information and healthcare records from multiple vulnerable populations.
CHLP is a national legal and policy thinktank, fighting stigma and discrimination at the intersections of HIV, race, health status, disability, class, sexuality and gender identity, and expression-with a focus on the criminal legal system and the public health system. We do this through legal advocacy, high impact policy initiatives and the creation of cross-issue partnerships, networks and resources.
Founded in March 2018, PrEP4All is an organization of community members, healthcare professionals, lawyers, and academics all dedicated to increasing access to lifesaving HIV medication. Every member of PrEP4All has been personally affected by the HIV epidemic, and most of us rely on HIV medications every day.
The Electronic Privacy Information Center (“EPIC”) is a public interest research center in Washington, D.C., established in 1994 to focus public attention on emerging civil rights and liberties issues. EPIC regularly submits regulatory comments and amicus briefs in cases involving threats to Americans’ health privacy.
Positive Women’s Network-USA (PWN) is a national organization building power by and for women, trans and gender non-binary people living with HIV, with a focus on those communities most impacted by the epidemic. PWN’s work is grounded in social justice and human rights, and we explicitly apply a racial justice and gender justice lens to address the many, intersecting barriers people living with HIV face.
The undersigned groups writing represent people in the vulnerable populations most likely to be affected by the database, HIV policy experts, and privacy experts. We urge OIDP not to implement this database and to instead follow established protocols for distributing medication without overly burdensome eligibility requirements or the threat of unnecessary surveillance primarily in order to further Gilead Sciences’ corporate interests with no public health benefit. This database creates substantial and unnecessary risks to the privacy and safety of already marginalized people vulnerable to contracting HIV. OIDP decided to implement the database without consulting the relevant HIV policy and privacy advocates. Creating high barriers to access free PrEP and tying associated PrEP distribution programs to overly broad surveillance will discourage enrollment, working against this program’s public health goals. This program could undermine larger and more impactful interventions including a nationwide PrEP program.
Despite the invention of highly effective drugs to prevent the transmission of HIV more than ten years ago, HIV continues in the United States. In 2019, the most accurate recent reference year, 36,940 people were diagnosed with HIV in the US. In total, HIV has taken more than half a million lives in the U.S. Although people across demographics contract HIV, new infections are most common among gay and bisexual men, transgender women, Black and Hispanic/Latino people, and younger people. These same populations are disproportionately marginalized due to poverty, racism, homophobia, transphobia, immigration status, unequal access to benefits, and stigma. In short, the people who need PrEP the most tend to have the least resources and bear the highest burdens in society.
In 2015, the CDC estimated that between 1.2 and 1.8 million people have indications that would warrant taking PrEP, but that year only 6% of them actually had prescriptions. By 2020, only 25% of those most in need of PrEP were estimated to have received a prescription with staggering racial and ethnic disparities; 66% of White individuals most in need of PrEP had access while only 9% of Black and 16% of Latinx individuals had received a prescription. The failure to broadly provide PrEP to individuals vulnerable to HIV has been described as “one of the greatest public health implementation failures in the history of this country.” Although generic-brand PrEP is available in many countries for as little as $6 month, in the U.S. the cash cost of PrEP (Truvada) can approach $2,000 per month. Making PrEP broadly available for vulnerable populations is an urgent part of the federal government’s End the HIV Epidemic in the US (EHE) strategy. The overarching goal of that program is to reduce new cases of HIV by 90% by 2030. Part of that strategy is implemented through the Ready, Set, PrEP (RSP) initiative.
In 2019, Gilead, the manufacturer of PrEP medications emtricitabine/tenofovir disoproxil fumarate and emtricitabine/tenofovir alafenamide agreed to donate PrEP to up to 200,000 individuals each year through a partnership with OIDP resulting in the establishment of RSP. Gilead maintains a separate program called Advancing Access which also provides some individuals with free or low-cost access to PrEP. RSP has been largely unsuccessful; despite an ambitious target of 10,000 enrollees in its first year, RSP had only provided access to PrEP for a mere 800 individuals by June 2020. Much of this failure is because RSP is largely duplicative of Advancing Access; enrollment requirements are nearly identical between the two programs, and both act exclusively as a medication distribution program and not a comprehensive access program that also addresses costs related to necessary HIV testing, quarterly and annual lab work, and provider visits.
This System of Records Notice is the latest implementation of Gilead’s partnership with HHS to donate PrEP through the Ready, Set, PrEP program. To determine initial eligibility to receive PrEP, the system will collect:
Meanwhile for continuing eligibility the system will house details of patients medical history including:
Patients will need to register when they enroll in the program. Patients and their doctors are expected to periodically submit updates to maintain eligibility. The database will not simply house patient records, but require regular updates including reporting of quarterly HIV test results. HHS anticipates having at least two separate contractors with access to the database, as well as Gilead staff and government employees.
I. The proposed database creates substantial and unnecessary privacy risks in order to further Gilead’s business interests.
Privacy is a serious concern for many people taking PrEP, particularly those from marginalized communities, because it is a prerequisite for their safety. A distribution program like this one risks doing more harm than good if it unnecessarily sacrifices patients’ privacy in the present and exposes patients to potential harms in the future. A federally run database accessible by multiple actors and holding sensitive health information creates privacy risks that cannot be mitigated. In addition, the scheme HHS and Gilead are proposing collects substantially more information than is necessary, magnifying the risks to already vulnerable populations.
a) The existence of this database is an unnecessary privacy and safety risk for marginalized people.
Data collection and storage is often a necessary part of administering a federal program or monitoring progress on key public health initiatives. However it must be logistically necessary for the administration of the program and be balanced against the substantial criminal and societal vulnerabilities experienced by marginalized communities most in need of PrEP.
The unfortunate reality created by outdated HIV criminal laws is that housing data that identifies individuals can expose them to targeted prosecution, discrimination, stigma, and interpersonal violence. Currently at least 35 states have laws that criminalize actions potentially exposing another person to HIV. These laws do not focus on a specific intent to transmit HIV or even require that HIV transmission has occurred, but instead focus on the very broad, very vague concept of exposure—even for no- to low-risk sexual activity. In this climate, community advocates are reasonably concerned that maintaining an overly broad and widely accessible database of people at high risk for contracting HIV could become a short-list for police and prosecutors looking to further criminalize this population and increase the risk of wrongful arrest. Furthering Gilead’s business interests does not constitute a reasonable circumstance to exacerbate these fears and undermine community trust.
The conditions that require careful consideration of any new database extend beyond HIV criminalization. HIV status and vulnerability to HIV acquisition is also a significant driver of employment discrimination in the U.S. The Equal Opportunity Employment Commission records dozens of violations of employment law from businesses discriminating against individuals with HIV annually and in recent years has averaged well over half a million dollars in restitution awarded. The EEOC’s investigations are on top of investigations under state and local anti-discrimination law and reflect only a fraction of all cases.
This proposal to create a database of PrEP users also intersects with how racism, namely criminalization and policing, is a huge threat to public health. We must locate the call for this database in its appropriate political context-the increased surveillance and continued policing of Black and Brown communities as a direct result of bipartisan support for heightened law enforcement budgets despite decreased safety and quality of life. OIDP must ask itself: considering the data on who is most vulnerable to HIV, how do more barriers to PrEP align with the Ending the Epidemic goals? If these public and private entities are truly invested in ending HIV, how does a forced registry encourage people to sign up for PrEP or other health care?
Based on collective histories and current realities of surveillance and policing not only from law enforcement but also from public health officials and departments, there is a well-founded lack of trust and these initiatives grow that distrust instead of repairing it. When deeply marginalized communities see an opportunity for further surveillance and criminalization, they will rightfully move away from it, even when tied to health care. Especially when there are better options available that will incentivize, not disincentivize, access to PrEP. Let’s also consider the message this sends to deeply marginalized communities, namely working class Black and Brown people.
Now is a particularly poor time for HHS to further Gilead’s interests by creating this database. Risk of HIV status is a proxy for disproportionately targeted demographics including LGBTQ+ individuals, Black and Brown individuals, immigrants, and those most marginalized by poverty. Potential enrollees in a PrEP program will be rightly concerned that a list of individuals receiving PrEP could easily become a list of easy targets for a state or federal administration hostile to gay and trans rights, BIPOC people, and the poor. This database cannot be understood outside the context of other registries explicitly targeting LGBTQ+ people. For example, the state of Texas’ recently moved to compile a record of all transgender people who had changed their names on drivers’ licenses in the state. 2022 set a record for the most anti-transgender bills introduced in state legislatures, and this year more have been filed in the first two months than in all of last year. The decision to mandate collecting and compiling sensitive personal information for individuals to access life-saving care must be understood not in a policy vacuum, but in a landscape that is increasingly hostile to many of the people who will be in this database.
The risk of data abuse or data breach is not hypothetical, but a serious safety concern. Data breaches are both increasingly common and increasingly severe. As an example of this trend across the federal government, a 2015 data breach at the Office of Personnel Management (OPM) exposed social security numbers and other personal data from 21.5 million individuals. Around the same time, OPM reported another major data breach exposing records on about 4 million federal employees. Just a year before, a breach at the U.S. Postal Service led to the loss of personal information from more than 800,000 employees.
The greatest risks of data breaches come from the government holding large volumes of personal information that can have lasting financial and security impacts when wrongfully divulged. For example, The Federal Emergency Management Agency (FEMA) unnecessarily disclosed sensitive information from victims of the 2017 California wildfires, exposing up to 2.3 million people. FEMA shared details of victims’ financial institutions and personal lives, including EFT and bank transit numbers and complete addresses. While traditionally the focus on protecting federal agency databases has settled on improving cybersecurity practices, implementation of best practices has been uneven at best. In 2018 for example, the GAO found that over 700 of its cybersecurity recommendations since 2010 had not been implemented by federal agencies. And just this year a new GAO report revealed that more than 60 percent of the agency’s privacy recommendations have not been adopted by federal agencies. Holding sensitive personal information will inherently create risks of abuse, accidental disclosure, and data breach.
The risk of data breach can also be a barrier to providing medical care because there is an established track record of data breaches specifically impacting individuals vulnerable to HIV. On February 10, 2023, Lambda Legal announced a settlement for data breaches in the enrollment program for California’s AIDS Drug Assistance Program. In 2018, Aetna settled a lawsuit for accidentally revealing that people were taking PrEP and other HIV medications in the clear window of envelopes. And in 2019, a University of California at San Diego study on the impact of domestic violence, substance abuse and other traumatic events for women with HIV had a substantial data breach exposing extraordinarily confidential information to a broad array of unauthorized staff. These breaches show that privacy harms are increasingly possible for programs meant to benefit persons living with and vulnerable to HIV, and that there are substantial real and perceived risks to collecting and maintaining this data, particularly if it exists primarily to appease corporate interests with no compelling public or individual health benefit.
b) The details of this data collection scheme are overly invasive and do not meet privacy best practices standards.
Best practices for privacy include data minimization and limiting access to only necessary actors through purpose specification and use limitation. The proposed database fails to meet those standards by collecting more information than is necessary and inserting more actors than are necessary under other schemes.
Data minimization requires collecting only directly relevant and necessary information and deleting that information as soon as possible. This program is unnecessarily invasive because it requires overly intensive verification procedures for doctors and patients. First, the program requires semi-annual renewals instead of annual renewals. Second, the program requires detailed statements of continuing eligibility including actual documentation of negative HIV status and lack of insurance coverage. All of this granular information could be avoided with a simple certification from the prescribing doctor that patients meet the eligibility criteria.
The system also collects population data that is not necessary for verifying identity but could be misused. Alongside the personal information that OIDP will collect to verify identity, the program will also collect demographic data including “race, ethnicity, gender identity, and sex assigned at birth”. Although OIDP intends to use this data for statistical purposes only, including it is not necessary to verify patients’ identities or eligibility. This increases the risk of harm from a data breach. All of these factors may form a basis for discrimination and could be abused to target individuals with violence or wrongful prosecution. Such information should not be housed in patient records held by third parties unless necessary.
The design of this system also exposes data to at least two private contractors, the relevant staff at OIDP, and staff at Gilead, essentially inserting HHS as an intermediary and giving extra parties access to the system. This scheme creates unnecessary risks of breach by expanding who has access to the system and creating the possibility of housing the information on multiple systems. The more locations data is stored, and the more people who have access to it, the greater the risk that something goes wrong and sensitive personal information is exposed.
II. This database was imposed without consulting impacted persons or expert advocates and runs contrary to public policy.
The proposed database has been developed without the knowledge and input of impacted persons and unbiased experts. This is unfortunately obvious given the system of records notice (SORN), which leans into instead of avoiding some of the most common pitfalls in administering public health programs for low-income, LGBTQ+ and BIPOC groups vulnerable to acquiring HIV. Quick outreach to other leading national HIV/AIDS organizations appears to confirm this; it seems that no leaders in PrEP access and HIV privacy concerns had heard of the proposed database. More engagement with impacted communities and experts up-front could have resulted in a SORN that needed to be amended; this one will have to be largely scrapped if its public health goals are to be achieved.
Fear of surveillance, avoidance of stigma, and frustration with cumbersome eligibility processes have all been shown to decrease the likelihood that a vulnerable person will seek out PrEP. Studies also show that complex application and eligibility processes like the ones anticipated in this SORN undercut program adoption and adherence. As one uninsured consumer reported in a 2021 focus group, “I stopped using [PrEP] because it became too much of a hassle to keep verifying my information every month. That I didn’t have a job, that I didn’t have income. And it started making me feel bad.” But this program only feeds into those fears and insecurities by establishing a system of relatively invasive and cumbersome eligibility checks and databases.
As an example, the proposed database may disincentivize program adoption because putative members will justifiably fear surveillance and exposure to law enforcement, particularly given the extensive network of entities that will have access including the Department of Justice. LGBTQ men, especially Black gay, bisexual and men who have sex with men, are at increased risk of having negative encounters with law enforcement officers. This has sparked a culture of fear and psychological distress that has already dampened Black minority men’s likelihood of obtaining PrEP. For this reason, experts recommend that public health HIV prevention projects avoid involving law enforcement officers and techniques. But this program involves invasive surveillance of putative program members and explicitly states it will share information with the Department of Justice. Although the current provisions for DOJ access are limited, authorizing any law enforcement access creates a potential for abuse and leaves the door open to amend the routine uses to expand that access in the future.
III. There are established practices for medication distribution programs that are safer.
A community-driven eligibility model is a safer and better fit for this program. One such model was proposed as part of a national PrEP program last year. A community-based approach would improve access while reducing privacy risks.
Any registry for PrEP access should be limited to necessary information and only accessible by healthcare providers and pharmacies. Patient providers should be responsible for checking eligibility and adding people to a registry for PrEP access. Identity can be tied to a drivers’ license or other de-duplicated credential. Patients should receive a pseudorandom number identifier that pharmacies can check against the registry to determine eligibility. Such a registry should not be housed by or accessible to HHS. Ultimately, Gilead does not need access to the database either. Gilead’s only claimed need is to verify that patients are not “double dipping” in Ready, Set, PrEP and the company’s Advancing Access program. But this is a problem of Gilead’s own making and the onus should not rest on patients to give up privacy rights to satisfy fraud concerns. A limited sample could be provided to an independent auditor to determine the presence and prevalence of fraud, but access beyond that is unnecessary.
Patients should also have rights to transparency and data removal. Patients should be regularly informed if their information has been accessed. Patient identity should also be blinded or removed from the database when patients unenroll in the program. A provider-maintained database as described would present fewer privacy risks without compromising functionality.
IV. The Ready, Set, PrEP program should not take any steps that would impair the effectiveness of a national PrEP access program.
This would be a particularly inopportune time for HHS to undermine community trust given the current momentum for a National PrEP Program. As part of his FY23 Budget Request, President Biden included a vision for comprehensive national PrEP access, calling for a $9.8B investment over 10 years. Community advocates and other stakeholders have been galvanized by this proposal, generating thousands of individual and organizational signatures in support. As part of the final FY23 budget, Congress included a call for the Centers for Disease Control and Prevention to address equitable PrEP access.
Such progress would be needlessly threatened were HHS to move forward with a database with seemingly no public health benefit. That such a sacrifice of privacy and trust should come in order to maintain RSP– a duplicative and failed medication distribution mechanism– at a time when a more effective and comprehensive national PrEP access initiative is on the verge of becoming a reality, would be all the more unfortunate.
We urge HHS not to go forward with developing and implementing this database. Impacted persons, policy experts, HIV rights advocates, and privacy experts were not consulted on this proposal and suggest alternative measures. Ultimately, this database should be understood in the context of increasing repression for marginalized populations and policy efforts should be closely scrutinized so as not to impair the effectiveness of larger programs in the future.
/s/ Jake Wiener
/s/ Tom McBrien
EPIC Law Fellow
ELECTRONIC PRIVACY INFORMATION CENTER (EPIC)
1519 New Hampshire Ave. NW
Washington, DC 20036
/s/ S. Mandisa Moore-O’Neal
S. Mandisa Moore-O’Neal
Executive Director at The Center for HIV Law and Policy (CHLP)
/s/ Amir Sadeghi
National Partner and Policy Strategist
The Center for HIV Law and Policy
147 Prince Street
Brooklyn, NY 11201
/s/ Kelly Flannery
Policy Director at Positive Women’s Network-USA
POSITIVE WOMEN’S NETWORK-USA (PWN)
436 14th St., Suite 425
Oakland, CA 94612
/s/ Jeremiah Johnson
Acting Executive Director
[email protected] (email)
185 Hall Street, #105
Brooklyn, NY 11205
/s/ Adrian Gropper
Adrian Gropper, MD
Patient Privacy Rights Foundation
1006 Mopac Circle
Austin, TX 78746
 88 Fed. Reg. 3,999.
 Centers for Disease Control and Prevention, HIV Surveillance Report (2020), https://www.cdc.gov/hiv/library/reports/hiv-surveillance.html.
 Centers for Disease Control and Prevention National Center for Health Statistics, HIV in the U.S. by the Numbers, cdc.gov (Aug. 26, 2022), https://www.cdc.gov/nchhstp/newsroom/fact-sheets/hiv/hiv-in-the-us-by-the-numbers.html.
 Centers for Disease Control and Prevention, HIV Surveillance Report (2021).
 Dawn K. Smith et al., Vital Signs: Estimated Percentages and Numbers of Adults with Indications for Preexposure Prophylaxis to Prevent HIV Acquisition — United States, 2015, 65 Morbidity & Mortality Weekly Rep. 1291, 1291–95 (2015).
 See Centers for Disease Control and Prevention, PrEP for HIV Prevention in the US (2022), available at <https://www.cdc.gov/nchhstp/newsroom/fact-sheets/hiv/prep-for-hiv-prevention-in-the-us-factsheet.html>.
 The PrEP4All Collaborations, A National Action Plan for Universal Access to HIV Pre-Exposure Prophylaxis (PrEP) in the United States, 22nd Int’l AIDS Conference (Jul. 2018), https://static1.squarespace.com/static/5e937afbfd7a75746167b39c/t/5ea5ff68ccd2820f98798d1f/1587937130060/A+National+Action+Plan+for+Universal+Access+to+HIV+Pre-Exposure+Prophylaxis+%28PrEP%29.pdf.
 Id. at 21; Kristen Gerencher, 5 Ways to Save on PrEP Costs (With or Without Insurance), GoodRx (Aug. 25, 2022), https://www.goodrx.com/truvada/truvada-hiv-prep-cost-generic-how-to-save (based on recent GoodRx market research).
 88 Fed. Reg. 3,999.
 See Presidential Advisory Council on HIV/AIDS (PACHA) 65th Meeting at 4 (Oct. 21-22, 2019), available at https://files.hiv.gov/s3fs-public/PACHA-65th-Full-Council-Meeting-Summary.pdf.
 Straube, supra note 38; Chris Sloan et al., PACHA Highlights Need to Address HIV PrEP Coverage Disparities, Avalere (Apr. 7, 2021), https://avalere.com/insights/pacha-highlights-need-to-address-hiv-prep-coverage-disparities.
 88 Fed. Reg. 4000.
 CDC, HIV and STD Criminalization Laws (Oct. 24, 2022), https://www.cdc.gov/hiv/policies/law/states/exposure.html(noting “After more than 40 years of HIV research and significant biomedical advancements to treat and prevent HIV transmission, many state laws are now outdated and do not reflect our current understanding of HIV.”)
 Equal Employment Opportunity Commission, ADA Charge Data – Monetary Benefits (Charges filed with EEOC) FY 1997 – FY 2021, https://www.eeoc.gov/data/ada-charge-data-monetary-benefits-charges-filed-eeoc-fy-1997-fy-2021.
 OIDP, What Is Ending the HIV Epidemic in the U.S.? (Jul. 1, 2022), https://www.hiv.gov/federal-response/ending-the-hiv-epidemic/overview.
 Kylie Cheung, Texas Creates Chilling Registry of 16,000 People Who Changed Genders on Their Driver’s Licenses, Yahoo! News (Dec. 15, 2022), https://news.yahoo.com/texas-creates-chilling-registry-16-181000674.html.
 James Factora, Over 300 Anti-LGBTQ+ Bills Have Already Been Filed in 2023, Teen Vogue (Feb. 13, 2023), https://www.teenvogue.com/story/anti-lgbtq-bills-filed-2023.
 U.S. Gov’t Accountability Office, DHS Needs to Enhance Capabilities, Improve Planning, and Support Greater Adoption of Its National Cybersecurity Protection System (Jan. 2016) at 8, https://www.gao.gov/assets/680/674829.pdf.
 Cybersecurity and Infrastructure Security Agency, Federal Agency Compromised by Malicious Cyber Actor, AR20-268A, Dep’t. of Homeland Sec. (Sept. 24, 2020), https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a; Duncan Riley, DHS discloses data breach of US agency but doesn’t name which was hacked, SiliconAngle (Sept. 24, 2020), https://siliconangle.com/2020/09/24/dhs-discloses-data-breach-us-agency-doesnt-name-hacked/.
 Christopher Mele, Personal Data of 2.3 Million Disaster Victims Was Released by FEMA, Report Says, N.Y. Times (Mar. 22, 2019), https://www.nytimes.com/2019/03/22/us/fema-data-breach.html; John V. Kelly, Management Alert – FEMA Did Not Safeguard Disaster Survivors’ Sensitive Personally Identifiable Information, OIG-19-32, Dep’t of Homeland Sec. Off. of Inspector Gen. (Mar. 15, 2019), https://www.oig.dhs.gov/sites/default/files/assets/2019-03/OIG-19-32-Mar19.pdf.
 U.S. Gov’t Accountability Office, GAO-19-105 Information Security: Agencies Need to Improve Implementation of Federal Approach to Securing Systems and Protecting Against Intrusions (Dec. 18, 2018), https://www.gao.gov/assets/700/696105.pdf.
 Elana Gordon, Aetna Agrees To Pay $17 Million In HIV Privacy Breach, NPR (Jan. 17, 2018), https://www.npr.org/sections/health-shots/2018/01/17/572312972/aetna-agrees-to-pay-17-million-in-hiv-privacy-breach.
 Jill Castellano & Brad Racino, UCSD Has Not Told Women with HIV of Data Breach, Despite Researchers’ Pleas, inewsource (May 14, 2019), https://inewsource.org/2019/05/14/ucsd-data-breach-hiv-women-study/.
 88 Fed. Reg. 4,000.
 Amy Killelea et al., Financing and Delivering Pre-Exposure Prophylaxis (PrEP) to End the HIV Epidemic, 50 J. L., Med. & Ethics 8, 13 (2022).
 Center for American Progress & Movement Advancement Project, Unjust: How the Broken Criminal Justice System Fails LGBT People 3, 37 (2016).
 See Devin English et al., Intersectional Social Control: The Roles of Incarceration and Police Discrimination in Psychological and HIV-Related Outcomes for Black Sexual Minority Men, 258 Soc. Sci. & Med. 1, 6 (2020).
 See 88 Fed. Reg. 4001.
 See Killelea et al., supra note 22, at 8–23.