HIPAA, HITECH & HIT Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

PRISM, Surveillance and PHI: What the NSA’s data collection means for HIPAA privacy and security compliance concerns.

Posted in Privacy & Security

Tamarra Holmes writes:

In recent weeks, people all around the world were made aware of a secret U.S. government surveillance program that essentially collects massive amounts of data from the general public through electronic communication providers, such as Facebook, Skype, and Google. The existence of the program, known as PRISM, was leaked by a former National Security Agency (NSA) contractor, Edward Snowden.

The story began breaking in early June 2013, when the U.K. news website The Guardian, working in conjunction with Mr. Snowden, released an order from the Foreign Intelligence Surveillance Court (FISC) requiring Verizon to turn over daily logs of its customers' phone calls. A number of leaked PowerPoint slides, alleged to come from the NSA and describing how and why data was collected, stated that surveillance is conducted on stored information such as email, video, chat messages, photos, and social networking data. While the NSA claims that it does not target average citizens in its surveillance, Mr. Snowden revealed that he or any other intelligence analyst could access just about any person's information with nothing more than an email address.

Initial statements by Facebook, Yahoo, Google, and Apple denied any knowledge of PRISM or participation in the program. However, just weeks later the same corporations reported they had in fact received tens of thousands of requests from the U.S. Government for user information.

Unlike the internet companies, the major telecommunication providers, AT&T, Verizon, T-Mobile and Sprint, have never denied cooperating with the NSA or participating in a secret surveillance program. The NSA's data collection program, which dates back to as early as 2006, captures information and metadata from phone calls, including the phone numbers, length, and location of every call.

The ability of Covered Entities and Business Associates to keep protected health information (PHI) secure in the wake of the NSA's capabilities is cause for concern. It is no longer safe to assume that, just because data has been encrypted, securely sent and received, and password protected, it is immune from unintended disclosure. If PHI is on the internet or being transmitted over U.S. telecommunication signals, it is subject to data collection by the NSA.

The biggest threat to PHI may not be some unknown hacker waiting to access data through an unsecured wireless network, but our very own federal government gathering personal information from Facebook, search queries from Google, an email sent to a health provider from a Yahoo account, and telephone logs from a Verizon wireless number.

(Tamarra Holmes is an associate in the Litigation Department in the Princeton, NJ office who handles a range of litigation matters related to labor and employment, consumer fraud, financial institutions liability, bankruptcy and general corporate disputes.)