COVID-19: Privacy, Security Concerns as Businesses Reopen
Privacy Attorney Iliana Peters on Data Collection Considerations
As businesses reopen, they need to carefully consider the privacy, security and legal implications of collecting COVID-19-related health information from customers, employees and other individuals, says privacy attorney Iliana Peters of the law firm Polsinelli.
For instance, in most cases, only specific types of healthcare sector entities and vendors fall under the umbrella of HIPAA privacy and security regulations for safeguarding protected health information, including COVID-19 test results, she says in an interview with Information Security Media Group.
However, non-healthcare sector businesses that request COVID-19-related information from individuals - including workers and customers - are still accountable for protecting that information under various other federal and state laws, including regulations pertaining to certain industries, she notes.
"It's really important that the company, as they collect information, take certain critical steps," she says.
Understanding the Risks
For starters, "the company should not collect information that it doesn't actually need to do some function. The more information you collect, the more risk it creates for the organization, particularly given the risk of data breaches," she notes.
Secondly, depending upon the state and sector, "consumer information may need to be kept separately from employee information. And in regards to employee information, health information about employees may need to be kept separately in their [human resources] records [away] from the rest of their HR records," Peters adds.
"You want to make sure you're maintaining that information in the appropriate way according to state or federal law - and in a secure way," she says.
That includes ensuring that the only individuals who have access to this information are those who need it to perform a specific function related to why the data was collected in the first place, she notes.
Additionally, it's important for entities collecting COVID-19 information from workers and customers to remember, "state privacy laws apply based on where the individual lives, not based on where the business is located," she says.
In the interview, Peters also discusses:
- Common myths related to the collection of health data by non-healthcare sector businesses;
- Special privacy and security considerations for the two primary types of COVID-19 testing: diagnostic tests that determine whether an individual has an active case of coronavirus, and antibody tests that help determine whether an individual had previously been exposed to or infected by the virus;
- Other top privacy and security challenges related to the COVID-19 pandemic.
Peters is a Polsinelli law firm shareholder and an attorney in its national healthcare operations practice. She previously spent more than a decade at the Department of Health and Human Services' Office for Civil Rights, including as the acting deputy director of health information privacy and as the senior adviser for HIPAA compliance and enforcement. Before joining the OCR team in Washington, Peters worked as an investigator in OCR's Dallas regional office.