9 minute read

PRIVACY CONCERNS

Maneuvering the complicated intersection of data privacy, health and technology

As collectors of employee data, employers should be aware of the health data privacy landscape and the concerns employees may have.

Advertisement

BY ANDIE BURJEK

People share their experiences with depression on Twitter to show support for the mental health community. They join private Facebook groups to discuss similar health issues, without realizing that a “private” online group does not actually offer privacy protections. Companies encourage employees to be open about their health in an effort to create a “culture of health.” And employees join “HIPAA-compliant” wellness programs without realizing that the health data they log in various apps may not be protected by any law if the program is voluntary.

When the Health Insurance Portability and Accountability Act was enacted in 1996, today’s vast digital space didn’t exist. Even if organizations comply with HIPAA, the Genetic Information Nondiscrimination Act and other laws that protect health-related data, that doesn’t necessarily mean the data is protected in many contexts. There are gaps that have yet to be legally addressed. Meanwhile, employees increasingly share health information on digital health apps or online.

A vast amount of employee data is not legally protected. As collectors of employee data, employers should be aware of the health data privacy landscape and the concerns employees may have.

“As much as it pains me to say, [data privacy] is probably nobody’s top priority,” said data privacy attorney Joseph Jerome. “It only becomes their priority when something goes wrong or they get concerned or they hear something in the news.”

“THESE ARE THINGS THAT PEOPLE PERCEIVE AS HEALTH DATA, BUT THEY’RE NOT COVERED BY HIPAA, AND THEY WERE NEVER DESIGNED TO BE COVERED BY HIPAA.”

— JOSEPH JEROME, DATA PRIVACY ATTORNEY

Employers in the U.S. and internationally have increasingly more data privacy regulations to pay attention to — as laws like the General Data Protection Regulation in the European Union and the California Consumer Privacy Act and Illinois Biometric Privacy Act in the U.S. move the data privacy legal environment forward. In this constantly changing world, there’s information that can help organizations navigate this complicated intersection more intelligently. Privacy Law Limitations

There is a lack of understanding of what HIPAA protections apply where, when and to what data, Jerome said. At its core, HIPAA was enacted to facilitate the portability and interoperability of health care records, not for any greater data privacy reason. “We act like this is a health data privacy law, but no. It’s designed to govern data in hospital systems,” he said.

Employers want to learn increasingly more data about their employees, he said. They have the opportunity to do so through commercial apps that capture wellness and fitness data. “These are things that people perceive as health data, but they’re not covered by HIPAA, and they were never designed to be covered by HIPAA,” he said.

HIPAA — and therefore what data is considered health information — is limited to covered entities like hospital systems and doctors’ offices. For example, within a health system, a patient’s email address is considered health information under HIPAA, but outside the health system, an email address is not considered health information and does not get HIPAA protection.

HIPAA also doesn’t apply to anonymized data — the data remaining after being stripped of personally identifiable information from data sets, so that the people whom the data describe remain anonymous.

Further, anonymous data is fair game, legally. “There is no regulation of ‘anonymized’ data. It can be sold to anyone and used for any purpose.The theory is that once the data has been scrubbed, it cannot be used to identify an individual and is therefore safe for sale, analysis and use,” noted “Re-Identification of ‘Anonymized’ Data,” a 2017 Georgetown Law Technology Review article.

A concern here is that anonymous data can be easily re-identified, and it’s tough to hold bad actors accountable for doing so, Jerome said. Further, it’s hard to do anything about it once the data is already identified and public information. Unfortunately, there are realistically not enough reinforcement resources, he added.

“That’s a real problem right now, not just in health care or employment context, but you’ve got this giant ecosystem where a lot of companies are sharing information and they’re all saying they’re good actors, they’re all saying they’re not re-identifying information, they’re all saying they’re not even using personal information,” he said. “But there’s data leakage all over the place. People are recombining profiles, and it’s very hard to attribute where the information originally came from.”

According to the Georgetown Law Technology Review article, the re-identification of anonymous data can lead to sensitive or embarrassing health information being linked to one’s employer, spouse or community. “Without regulation of re-identified anonymized data, employers, neighbors, and blackmailers have an unprecedented window into an individual’s most private information,” the article said. One of the privacy concerns some people have about their health data is that it could eventually be used against them and that they could suffer real-world implications like the loss of job opportunities, the denial of insurance or higher premiums for insurance. Wellness Program Gaps

The idea behind employee wellness programs is supposed to be a win-win, said Anya Prince, associate professor of law and member of the University of Iowa Genetics Cluster. Employees get healthier, and employers get lower health care costs and a more productive workforce.

But wellness programs are often not effective at changing employee health, she said.

“If the premise is we’re doing this to benefit employees [but] there’s not actually evidence that it’s benefiting employees, the question then becomes why are [wellness programs] continuing to happen?” she said. “The evidence

shows that what they’re doing is shifting health care costs back on to employees in various ways. That’s where the concern comes in.”

Digital health apps on employees’ phones play a part in many workplace wellness programs. But even though thirdparty health apps are common on people’s phones, the privacy landscape behind these apps is murky at best.

Prince cited Lori Andrews, professor of law at the University of Chicago and director of Illinois Tech’s Institute for Science, Law and Technology. Andrews has conducted work on the types of data that medical apps collect from users, including employees in workplace wellness programs.

“Some of the medical apps are just completely bogus and don’t give you anything helpful back,” Prince said about the general health data privacy environment. “But they are collecting data on you, not just health information but geolocation and other data that’s worth money.”

Another trend in wellness programs is employers offering employees consumer-directed genetic tests to help them understand what medical issues they may be predisposed to and what preventative measures they can take to combat them. According to the Society for Human Resource Management, 18 percent of employers provided a health-related genetic testing benefit in 2018, up from 12 percent in 2016.

Many studies have shown that people are not aware of the Genetic Information Nondiscrimination Act or what privacy protections they have through the law, Prince said. “GINA is quite protective in employment in the sense that employers are not allowed to use genetic information to discriminate, so they can’t make hiring, firing, promotion, wage, any decisions based on genetic information,” she said, adding that genetic information includes family medical history, genetic test results and more.

Still, she said, there are some exceptions with GINA, including private employers with fewer than 15 employees and any employee in a voluntary wellness program.

There is currently a legal debate on whether wellness programs are voluntary or if employees feel coerced to join them, Prince said. Some wellness programs are participatory — meaning that employees don’t need to hit a certain health outcome target to earn the incentive — but others are health contingent. Employees need to lose some amount of weight or accomplish another target measurement to get the financial benefits of the wellness program.

These programs are more participatory currently, she said. But if programs that collect genetic information become health contingent, that could bring up ethical issues and become more invasive.

“If you think of breast cancer gene] testing, which is a predisposition to breast and ovarian cancer, one of the preventive measures right now is to prophylactically remove your breast and ovaries. My dystopian future is the employer saying, ‘Have you finished having kids yet? Get on that, so that you can remove your ovaries,’” she said.

This discussion begs the question of who is ultimately the best actor to push people toward better behaviors and health outcomes, she said. Society has to ask if employment is the best place to do this.

“In a way the answer is yes because we’ve created a system where health insurance and employment are so intertwined, but maybe employment isn’t the right space to be encouraging people to make the right health choices,” she said. “Maybe that should be a public health system or your primary care physician or researchers.”

“MY DYSTOPIAN FUTURE IS THE EMPLOYER SAYING, ‘HAVE YOU FINISHED HAVING KIDS YET? GET ON THAT, SO THAT YOU CAN REMOVE YOUR OVARIES.’”

— ANYA PRINCE, ASSOCIATE PROFESSOR

The Pentagon has advised service members not to engage in 23andMe genetic tests, said Glenn Cohen, professor of law at Harvard Law School, and faculty director of the Petrie-Flom Center for Health Law Policy, Biotechnology and Bioethics.

There’s a major national security reason for this, he said, but part of the reasoning also has to do with protecting service members’ privacy. The military is exempted from GINA, which is the law prohibiting genetic discrimination by employers. Consent, Transparency and Communication

Employers could communicate with employees better, Jerome said. Privacy is more than just legal compliance, which may include a disclaimer in the company handbook or on the employees’ computers that inform them “All this can be tracked and monitored.” This can help set up the expectation for employees that they should have no expectation of privacy in anything they do at work.

While most employers have done their legal duty, they’ve yet to have a conversation with employees about what they’re actually doing with this data, Jerome said.

“I get that those conversations can be difficult and uncomfortable and frankly might get employees riled up, but I think that’s probably a good thing in the end,” he said.

Employers — who sit on large troves of employee health data — may have the legal right to share data, but that doesn’t mean employees and other parties won’t criticize them, said Cohen. “They have to be worried a little bit about how it’s going to play as a PR matter and, in an industry where they’re competing for talent, how employees feel about [it],” he said.

DATA PRIVACY continued on page 43

This article is from: