
Ask HN: Is this legal? Employer requires saved submission of health data daily - priv_con
Is this legal? Employer requires saved submission of health data daily for covid-19 prevention.

I work for a University that requires you to talk about your personal health with a chatbot. That data is then stored in a SQL database without knowing who has access to it, where it is, or how long it will exist.

Employer is in NY state.
======
davismwfl
IANAL but I do work in a healthcare company and have worked in healthcare off
and on for my career.

HIPAA does not prevent your employer from collecting this data; it only states
(to a certain degree) how that data can be used and shared, and what company
policies & procedures are needed, etc. In general right now though, the FDA,
CMS and other enforcement agencies have suspended many of the penalties/rules
around data collection, sharing, device usage etc. I am not aware of any laws
that would prevent your employer from asking these questions or storing the
data, but I would say it will make them subject to the rules of medical record
storage as technically that data can identify you and is related to your
health. If they shared this data without getting a release from you or had a
database compromised then they could be subject to fines and other penalties,
but I doubt any of that would be enforced over the next 6 months or so.

Many states are requiring employers to monitor/check employees that are on-
site, but most are not storing the data as far as I know, so I doubt they are
doing anything illegal or improper, maybe creepy but nothing technically
wrong.

~~~
jrowley
HIPAA also only applies to covered entities and their business associates, of
which the university most likely is not, or at least not in its capacity as
OP's employer.

~~~
davismwfl
Mainly correct: HIPAA applies to carriers, health providers and healthcare
vendors (even an ISP that stores data for a healthcare company) in general.
However, there are exceptions where it applies to other organizations not
directly in the care line.

In the OP's case it isn't so clear HIPAA doesn't apply, and IMO likely it may,
because he works at a university and not a traditional private employer. If
that university has a medical school or provides clinics to students/employees
under the university's name (even contracted through a third party), then most
legal advisors would say HIPAA rules must be followed. Also many states
regulate the collection of health data by private employers, and with this
being NYC who knows what is on the books.

I totally support a company wanting to do fever checks daily to prevent
someone sick from entering the building while all this craziness is going on.
But it gets creepy & frankly useless if they are relying on self-reporting and
logging that to a database somewhere.

------
Spooky23
It’s legal and required by one of the New York EO 202 revisions. The emergency
powers granted to the governor essentially mean that executive orders can
supersede or replace existing state law for the duration of the emergency.

Employers aren’t generally in the scope of HIPAA, only medical providers and
related business entities.

You’re not going to win this one, unless you can semipermanently work
remotely.

------
duxup
Outside of detailed personal history I think given the COVID context asking
about flu like symptoms would not be out of line / illegal.

I am amused by the chatbot idea here. Kinda Ad Astra like:

[https://www.youtube.com/watch?v=FKpq4vFxDqQ](https://www.youtube.com/watch?v=FKpq4vFxDqQ)

~~~
kian
I don't see why the COVID context should remove the need to properly handle
health information, nor should it remove the burden of compliance with HIPAA.

~~~
duxup
Would "have cough" qualify?

I suppose HIPAA might be broad enough to cover that but I think there are a
lot more questions to answer if we're talking about something that is really
covered by HIPAA or not.

Personally I wouldn't assume that anything health related is automatically
HIPAA.

------
LinuxBender
Disclaimer: I am not a lawyer and this is not legal advice. What health
details is it asking for? If I were the DBA, what data would I see? Does this
university have a medical facility, and is this database managed in the group
that also manages patient data? If so, has the legal team reviewed this
chatbot usage?

I would probably match the categories against HIPAA [0] as a starting point
and then ask the university legal team if this was reviewed by them. If not,
consider letting them handle it so that there is no retaliation against you if
that project is neutralized.

[0] - [https://www.hipaajournal.com/what-is-considered-protected-health-information-under-hipaa/](https://www.hipaajournal.com/what-is-considered-protected-health-information-under-hipaa/)

~~~
priv_con
I have not interacted with the chatbot, but I have read the code (it's open
source). The health data they are collecting relates to: Fever, Breathing,
Coughing, Sore Throat, Body Aches, Smell.

We were not given details on who has access to the data, including any DBAs.
Yes, this University owns a Medical Center, and the data is being collected on
the Medical Center website. The code was produced by the University's Tech
Transfer team. We do not know who manages the data, if it's the same as the
people who manage patient data. I do not know if the legal team has reviewed
the chatbot usage.

I've started off with some simple questions: Who has access to the data, where
is the data saved, and how long will the data persist. Thank you for your
additional questions, as I will use them to go forward.

~~~
trcollinson
So, I am also not a lawyer, and also not giving you legal advice. I do have
some legal background and some HIPAA background.

This tool would fall under HIPAA compliance. In that, it doesn't matter if you
know who has access to the data. The only thing that matters is that the
holder of the data knows who has access to the data and whether those with
access have proper training, metrics, and monitoring for the data. There are a
lot of If's in this area.

If the data is anonymized, then there are a number of requirements that
disappear.

If the data is not anonymized, then it must be kept for a certain period of
time.

If the data is saved, it must be encrypted on ingress, egress, and at rest
according to the HIPAA plan of the provider.

If... if... if...

There are a lot of considerations here. However, you don't actually get to
know any of those things. The only part you get to know is whether they say
"We are HIPAA Compliant". And if they say that and you disagree, you can make
a complaint with the US Department of Health and Human Services.

Don't expect to get very many answers.

~~~
Spooky23
No, it does not. HIPAA applies to health providers and related entities, not
employers. If you disclose your general medical condition to your employer, it
is not HIPAA protected.

------
mrfusion
This just seems wrong. Why not give employees sick days and say don’t come in
if you don’t feel well? Why go so crazy like this?

Or even taking your temperature makes more sense than this.

------
himinlomax
A chatbot? What kind of chat does it do?

~~~
sfgweilr4f
Cynical me thinks it's just buzzword compliance. This could be much easier
overall with just a simple web form.

