The Law Offices of Mary N. Chaney, P.L.L.C.
The Cyber Security Law Firm of Texas

Mary's Blog

The Breach Whisperer

About Mary....

Mary N. Chaney, Esq., CISSP, CIPP/US is a former Special Agent for the FBI where she investigated cybercrime, a seasoned corporate executive that built and operated information security teams and now a cybersecurity attorney.

As a self-described “Breach Whisperer” our firm can train your company to properly prepare for your eventual breach!

The overall goal of our firm is to use our wealth of knowledge and expertise to help support, translate and advise, Boards of Directors, CIO's, CISO's and General Counsel's on how to legally protect their company from cyber related risk.

Blog Entries


 

The Battle Over Re-identified Data

Read Article Here

Every single day there is something new in my chosen career path, the intersection between cyber security and privacy is fascinating to me. The attached article is just another example of the intricacies and difficulties in these areas. The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law that protects your personal health information (PHI). HIPAA basically says a patient has to opt-in before their information can be shared with other organizations unless it is for treatment, payment or healthcare operations. One way a HIPAA covered entity (CE) or business associate (BA) can share information is if it is de-identified, which is what it sounds like, something done to remove the identifying characteristics from data. Clear enough right?

However, the attached article talks about a case in Chicago, where plaintiffs are patients that are suing the Chicago Medical Center alleging that they were sharing basically all of their electronic health care records (EHR) with Google from 2009-2016. The hospital states the records were de-identified, the patients say, “the hospital included date and time stamps and ‘copious’ free-text medical notes that, combined with Google’s other massive troves of data, could easily identify patients,” in violation of HIPAA. Wow. Can a CE and/or BA be in violation of HIPAA if the entity they shared their de-identified data with can re-identify patients? This gets my brain churning, because it is a grey area. 

However, if I had to take a side, I would be on the side of the patients. PHI and EHR are some of the most sensitive information out there about an individual and sure technically the hospital did de-identify, but they also made money from the sale of their patient data. Ergo, I would argue that there is an ethical responsibility by the hospital to ensure whomever they chose to sell their EHR to would keep the data in a de-identified state. Would it be reasonable to assume that Google would use the data to re-identify patients? Yes! Google’s entire business model is based on collecting as much information as possible and to make connections with that data, to sell again!