HIPAA and IoT


I read this article and the CSO website post that it references. It's not clear to me how employers collecting...


Posted by Alan Davis, PMP, GSLC (Discussions: 1, Comments: 1)
Replied on April 10, 2017 12:00 am
In my opinion this would fall under PII, not HIPAA, but what if the employer is also a healthcare provider? Things don't seem as black and white when that's thrown into the situation.
Posted by Kevin Medeiros (Discussions: 0, Comments: 6)
Replied on April 10, 2017 8:00 pm
The CSO article had a number of good points about general security, but the paragraph re: data seemed out of place: "Companies that collect but don't carefully anonymize health-related data have effectively acquired what's known as electronic Protected Health Information (ePHI), 'which puts you squarely in the HIPAA world,' warns Eric Hodge, director of consulting at CyberScout, a data risk management and identity protection firm. And then, you must 'worry about complying with all kinds of HIPAA requirements just as a hospital would,' he says. Plus, you're exposed to the same fines, which lately have been between $150,000 and $6 million, if you don't comply with HIPAA requirements. As a precaution, be sure to dissociate information about health and fitness from the individual, he adds." I looked up CyberScout and didn't see any mention of HIPAA expertise...
Posted by Allison Dolan (Discussions: 2, Comments: 58)
Replied on April 10, 2017 8:00 pm
Thanks Kevin and Allison. Looks like I wasn't the only one to see this article with a little "stink eye". Kevin is right that if the employer also provides healthcare then the information could be PHI, and it definitely is if it is stored alongside the company's ePHI.
Posted by Alan Davis, PMP, GSLC (Discussions: 1, Comments: 1)
Replied on April 10, 2017 8:00 pm
This is pure myth. Wearables, despite the fact that many collect patient health data, do NOT implicate PHI in the HIPAA sense of the word BECAUSE the patient has always been free to do whatever they want with their own data. Unless the "wearable" is collecting data on behalf of a CE or BA it's not going to be PHI. Kevin is absolutely correct; it still qualifies as PII as enforced by the FTC, but that's as far as it goes.
Posted by Carlos Leyva (Discussions: 1, Comments: 144)
Replied on April 10, 2017 8:00 pm
Lots of people make this fundamental error regarding HIPAA - which is - HIPAA does NOT regulate data - it regulates persons. Thus, if the PERSON/ENTITY is a CE, then (potentially, anyway), the data in their possession could be PHI. If the PERSON/ENTITY is NOT a CE, then you cannot make the data PHI, no matter how hard you try.
Posted by Bruce Borkosky (Discussions: 1, Comments: 25)
Replied on April 11, 2017 8:00 pm
The only situation where wearable vendors would be considered business associates would be if the wearable vendor is on contract with a covered entity (or upstream business associate) to collect health data that will be used for treatment, payment and healthcare operations. As an example, Fitbit announced, I believe last year, that in some instances they were willing to sign a BAA. Companies collecting employee health information for purposes other than treatment, payment and healthcare operations, such as for wellness programs or FMLA, are not doing "covered activities". This is true even if it's the covered entity collecting health information about its employees, such as for FMLA.
Posted by Chris Apgar, CISSP (Discussions: 1, Comments: 1)
Replied on April 12, 2017 8:00 pm