The Law Offices of Mary N. Chaney, P.L.L.C.
The Cyber Security Law Firm of Texas

Mary's Blog

The Breach Whisperer

About Mary....

Mary N. Chaney, Esq., CISSP® is a former Special Agent for the FBI where she investigated cybercrime, a seasoned corporate executive that built and operated information security teams and now a cybersecurity attorney.

As a self-described “Breach Whisperer” our firm can train your company to properly prepare for your eventual breach!

The overall goal of our firm is to use our wealth of knowledge and expertise to help support, translate and advise, Boards of Directors, CIO's, CISO's and General Counsel's on how to legally protect their company from cyber related risk.

Blog Entries


 

Grey Areas In IoT Allowing Employers To Receive Employee Health Data

See Article Here

Wearable IoT devices and health tracking apps collect some very personal information about an individual and unfortunately the laws on the books do not specifically address the growing amount of data being sold to many companies including employers and insurance companies. This Washington Post article discusses a pregnancy app that was selling information of a particular user to her employer! What?

First let’s talk about the law. There are several laws on the books today that protect workplace privacy, Title VII of the Civil Rights Act, The Age Discrimination Act, The Americans with Disability Act, even the Pregnancy Discrimination Act to name a few. These laws make it illegal to discriminate against an individual because of race, color, religion, age, disability, pregnancy, etc. Then of course you have the HIPAA Privacy Rule which requires a patient’s express written authorization to share their PHI data to any entity that is not a part of healthcare operations, payment processing or for treatment purposes. HIPAA does not apply to other entities that sell health related data. Although it is fair to note that IoT wearables, apps, etc. were not around when HIPAA was enacted back in 1996. Do you see the gap?

When it comes to workplace privacy EMPLOYERS are not allowed to engage in these types of discriminatory behavior. With HIPAA it is the covered entity and business associate’s responsibility to comply with the privacy rule. There is nothing on the books currently that would prevent an application, i.e. third party, from collecting and selling the health data it collects about you to your employer or insurance company. Your average citizen would never know, and it is a loop hole that could allow discriminatory behavior. You see what happens when privacy is not thought of at the very beginning? Or more nefariously, when a company finds a loop hole and develops a business based on that gap for financial gain?

The Protecting Personal Health Data Act introduced by U.S. Senator Amy Klobuchar (D-MN) and Senator Lisa Murkowski (R-AK) is designed to help strengthen privacy and security protections for consumers’ personal health data. At the very least an individual should know exactly what is going to happen to the health information collected in the app and given the choice to opt-out (or opt-in) to the sale of their data. One thing for sure, it is more likely that huge gains for privacy can be made because HIPAA already exists. Still waiting for the more comprehensive law that covers all industries.