I'm the Google whistleblower. The medical data of millions of Americans is at risk; The Guardian, November 14, 2019

Anonymous, The Guardian; I'm the Google whistleblower. The medical data of millions of Americans is at risk

"After a while I reached a point that I suspect is familiar to most whistleblowers, where what I was witnessing was too important for me to remain silent. Two simple questions kept hounding me: did patients know about the transfer of their data to the tech giant? Should they be informed and given a chance to opt in or out?

The answer to the first question quickly became apparent: no. The answer to the second I became increasingly convinced about: yes. Put the two together, and how could I say nothing?

So much is at stake. Data security is important in any field, but when that data relates to the personal details of an individual’s health, it is of the utmost importance as this is the last frontier of data privacy.

With a deal as sensitive as the transfer of the personal data of more than 50 million Americans to Google the oversight should be extensive. Every aspect needed to be pored over to ensure that it complied with federal rules controlling the confidential handling of protected health information under the 1996 HIPAA legislation."

With fitness trackers in the workplace, bosses can monitor your every step — and possibly more; The Washington Post, February 16, 2019

Christopher Rowland, The Washington Post; With fitness trackers in the workplace, bosses can monitor your every step — and possibly more

[Kip Currier: This article--and case study about the upshots and downsides of employers' use of personal health data harvested from their employees' wearable devices--is a veritable "ripped from the headlines" gift from the Gods for an Information Ethics professor's discussion question for students this week!... 

What are the ethics issues? 

Who are the stakeholders? 

What ethical theory/theories would you apply/not apply in your analysis and decision-making?

What are the risks and benefits presented by the issues and the technology? 

What are the potential positive and negative consequences?  

What are the relevant laws and gaps in law?

Would you decide to participate in a health data program, like the one examined in the article? Why or why not?

And for all of us...spread the word that HIPAA does NOT cover personal health information that employees VOLUNTARILY give to employers. It's ultimately your decision to decide what to do, but we all need to be aware of the pertinent facts, so we can make the most informed decisions.
See the full article and the excerpt below...]   


"Many consumers are under the mistaken belief that all health data they share is required by law to be kept private under a federal law called HIPAA, the Health Insurance Portability and Accountability Act. The law prohibits doctors, hospitals and insurance companies from disclosing personal health information.

But if an employee voluntarily gives health data to an employer or a company such as Fitbit or Apple — entities that are not covered by HIPPA’s [sic] rules — those restrictions on disclosure don’t apply, said Joe Jerome, a policy lawyer at the Center for Democracy & Technology, a nonprofit in Washington. The center is urging federal policymakers to tighten up the rules.

“There’s gaps everywhere,’’ Jerome said.

Real-time information from wearable devices is crunched together with information about past doctors visits and hospitalizations to get a health snapshot of employees...

Some companies also add information from outside the health system — social predictors of health such as credit scores and whether someone lives alone — to come up with individual risk forecasts."

Facebook admits it discussed sharing user data for medical research project; The Guardian, April 5, 2018

Amanda Holpuch, The Guardian; Facebook admits it discussed sharing user data for medical research project

[Kip Currier: Timely to see this article, after discussing HIPAA and medical research data in my lecture yesterday on "Legal and Ethical Issues of Research Data Management (RDM)". And after my post here, responding to John Podhoretz's "sorry, you are a fool" New York Post opinion piece.]

"Medical institutions are held to a higher privacy standard than Facebook because of laws such as the federal Health Insurance Portability and Accountability Act, or Hipaa, which makes it illegal for health care providers and insurers to share patient data without their permission.

But it is not clear how the proposed research would have complied with this strict health privacy law.

Two people who heard Facebook’s pitch and one person familiar with it told CNBC that the proposed project would mesh data from health systems (such as diagnoses and prescribed medications) with data from Facebook (such as age, friends and likes). The idea would be to match what is known about a patient’s lifestyle with their medical needs to customize care."

Big Settlement in Privacy Case Involving 2 Patients, HIV Data; Gov Info Security, May 24, 2017

Marianne Kolbasuk McGee, Gov Info Security; Big Settlement in Privacy Case Involving 2 Patients, HIV Data

"Sensitive Health Information

The high settlement amount paid by St. Luke's in a case involving privacy incidents impacting only two individuals reflects the sensitive nature of information that was breached.

"There is no doubt that OCR felt compelled to act due to the sensitivity of the PHI disclosed, that the organization should have been aware of the enhanced safeguards surrounding this type of PHI and there had been repeated occurrences of similar unauthorized disclosures," says privacy attorney David Holtzman of security firm CynergisTek.

"The message here is fix your problems when they happen," notes privacy attorney Kirk Nahra of the law firm Wiley Rein. "This was obviously a particularly sensitive piece of information, and it is possible that this also implicates a request for confidential communication or request for restriction in the HIPAA individual rights. So, while the [settlement] number may seem a bit high, this is both a repeated problem, and one that was not fixed, as well as a particularly harmful step.""

Privacy Concerns in Emerging Technologies; American Bar Association Webinar: Thursday, May 25, 2017

American Bar Association Webinar: Thursday, May 25, 2017Privacy Concerns in Emerging Technologies

• 

1.50 CLE

Format:

Webinar

Date:

May 25, 2017

Time:

12:00 PM - 1:30 PM ET

Add to Calendar

Credits:

1.50 General CLE Credit Hours

Panelist(s):

Jodi Daniel

Scott Stiefel

Moderator(s):

Alya Sulaiman

Sponsor(s):

Center for Professional Development

Health Law Section

The rise in health information technology and wearable devices has brought innovative models of healthcare delivery, as well as increasing privacy risks and compliance concerns. Join our expert faculty as they discuss privacy issues confronting emerging technologies.

Topics will include:

• Applicability of HIPAA to technology companies
• Office for Civil Rights (OCR) guidance on HIPAA and cloud computing
• Increasing Focus on Patient Right of Access
• Recent enforcement settlements affecting emerging health care technologies and developers
• Privacy considerations in the era of the Internet of Things (IoT)/Wearables

Your private medical data is for sale – and it's driving a business worth billions; Guardian, 1/10/17

Sam Thielman, Guardian; 

Your private medical data is for sale – and it's driving a business worth billions:

"Your medical data is for sale – all of it. Adam Tanner, a fellow at Harvard’s institute for quantitative social science and author of a new book on the topic, Our Bodies, Our Data, said that patients generally don’t know that their most personal information – what diseases they test positive for, what surgeries they have had – is the stuff of multibillion-dollar business.

But although the data is nominally stripped of personally identifying information, data miners and brokers are working tirelessly to aggregate detailed dossiers on individual patients; the patients are merely called “24601” instead of “Jean Valjean”."

How Your Health Data Lead A Not-So-Secret Life Online; NPR, 7/30/16

Angus Chen, NPR; How Your Health Data Lead A Not-So-Secret Life Online:

"Medical information can be gleaned from all this and more, says Nathan Cortez, a professor of law at the Southern Methodist University Dedman School of Law.

A recent report from the Department of Health and Human Services showed that the vast majority of mobile health apps on the marketplace aren't covered by the Health Information Portability and Accountability Act. "HIPAA is pretty narrow as far as these things go. It applies only to traditional entities [like hospitals, doctors and health insurance providers], and it's not surprising. HIPAA was written by Congress in 1996 before we had health apps," Cortez says.

Apps or devices used in conjunction with a doctor's office or a hospital can't share or sell your information. But there's no definitive federal law governing what happens to the data that an app developer, tech company or private individual collects. Cortez and I spoke about what that means and what people can do with individuals' data."

Faculty Rallies to Support University of Oregon Archivist; Library Journal, 4/16/15

Lisa Peet, Library Journal; Faculty Rallies to Support University of Oregon Archivist:

"More than 100 faculty members at the University of Oregon (UO) have signed a letter to the university administration supporting archivist James Fox, who has been informed that his contract will not be renewed in June. Fox, along with digital archivist Kira Homo, is at the center of a controversy involving the release of some 22,000 pages of unfiltered UO presidential archives to professor of economics Bill Harbaugh in November 2014."