EEOC is Clueless or Misleading about Protecting Individual Privacy

June 24th, 2015 by MorganDowney

Perhaps the most dangerous assumption made by the EEOC is that personal information disclosed in employer wellness programs can be protected. Such security is an illusion.

The proposed regulation provides that a wellness program that is part of a group health plan will likely satisfy the ADA confidentiality requirements by complying with HIPAA and being subject to the HIPAA privacy, security and breach notification rules. Employers and wellness programs must take steps to protect the confidentiality of employee medical information that is received in connection with an employee health program. However, it is questionable whether HIPAA covers third-party vendors which are not health plans.

The EEOC is either oblivious to the realities of modern computer security problems or misleading in its assumption that personal medical and behavioral records will be safe. Namely, there is no possible way to assure anyone that their privacy is protected. Recently, we have seen major security breaches at the National Security Agency, the Internal Revenue Service, the Department of Health and Human Services and the federal Office of Personnel Management (OPM).

The OPM breach includes the records of between 4 and 14 million current and former federal workers, friends and family members. A second breach of OPM computers was reported involving not only federal employees but also their friends, family members and associates, who could number millions more, according to a report in the New York Times, June 13, 2015. The data includes a form for national security positions which can include medical data, including information on treatment or hospitalization for “an emotional or mental health condition,” according to the story. A story in Wired indicates that the information could include polygraph information in which employees are asked about law breaking and sexual history.

Breaches of health data are pervasive and include the Centers for Medicare and Medicaid Services, the federal health care exchange, and Premera Blue Cross. Premera Blue Cross, in Seattle, Washington, reported a cyberattack that exposed personal information of 11 million customers. A breach at Anthem Insurance involved the records of 80 million customers. Other private sector breaches have included Sony Pictures, Home Depot, Target, eBay, and JP Morgan Chase.

A report in Bloomberg News notes that the recent hack of Sony Corporation included health information on more than three dozen employees. It quotes Geoff Hancock, chief executive officer at Advanced Cybersecurity Group, “who works with employers to protect their health data and other sensitive information from hackers.” He was speaking about the industry in general: “Now, it’s zeros and ones. So many more people have access and can take it and make money off it or manipulate it or use it to find out who you are and what you are about. It is one of the biggest holes in the cybersecurity infrastructure.”

The article continues: “Since 2009, there have been 1,187 incidents where health information protected by HIPAA was hacked, improperly disclosed, lost or stolen, involving more than 41 million individuals, according to reports to the US Department of Health and Human Services. Those cases only include instances where more than 500 records were involved. Matters involving fewer records don’t have to be reported.”

“Hackers can get $50 for a medical chart on the black market, compared with just a few dollars for other pieces of personal information, said Hancock of Advanced Cybersecurity. He said he’s refused to share his health information with wellness programs at past employers because he isn’t convinced the data are safe.”

“Despite the popularity of wellness programs among employers and assurances about their security and confidentiality, more than half of workers said they are hesitant about sharing their health information, and a quarter said they wouldn’t share their data under any circumstances, according to a survey by the Economist Intelligence Unit. More than one-quarter of employees said they were concerned their personal information wouldn’t remain confidential.” Companies like Honeywell take blood samples to test for nicotine, high cholesterol and irregular blood sugar, and record height and weight. CVS asked its employees whether they drink and whether they are sexually active. Johnson & Johnson’s wellness program asks about employees’ mood, stress at work and home, and eating and exercising habits. Some ask for the information from spouses as well. (“Sexually Active? How Much Do You Drink? Your Workplace Health Records May Not Be as Private as You Think,” by Shannon Pettypiece, Bloomberg News, Dec. 16, 2014.)

A Washington Post article, “Hackers increasingly target health records,” noted that, “Health care data seems to be increasingly targeted, accounting for 43% of major data breaches reported in 2013, according to the Identity Theft Resource Center.”

The EEOC must assume that privacy of personal records cannot be assured.