What the pandemic has taught companies about collecting health information

As businesses, government agencies and nonprofits reopen and employees return to in-person offices, many pandemic safety measures are being modified. If your business has checked the vaccination status of its employees or customers or collected other COVID-related information, have you thought about what to do with that data now? Companies that hold this information, or that built apps or other products to collect it, can pass on an important lesson to others considering entering the growing health app market: sensitive health information comes with a label that reads "Caution: handle with care".

Does your company develop vaccine verification apps?
Some vaccine verification "passport" apps store a digital copy of a person's vaccination card. Others give the user a digital record to save in another app or a mobile wallet. In addition to a person's vaccination status and possibly their test results, some apps collect other information to verify the person's identity, such as name, date of birth, zip code, email address and phone number. Some apps even pull from state or pharmacy immunization records. Once a person is verified, some apps keep the data on the phone, others store it in the cloud, and still others generate a digital credential (often a QR code) that other apps can scan. If your company is building vaccine verification apps or developing other health-related apps, here are some key considerations.

  • Make accurate representations. Be clear about how people's information will be used and shared, and then deliver on those promises. If you provide your app to businesses that scan credentials at their storefronts, make sure those businesses understand your practices and the limits on how they may use the data you share with them.
  • Keep your app up to date and your customers informed. If your app needs an update to protect against newly discovered security vulnerabilities, track those vulnerabilities and ship the update. And if a customer needs to update saved information to continue using your app, communicate that clearly.
  • Review and update your privacy claims. Companies are creating apps that can evolve over time to share new or different information, especially around developments in public health. If your privacy statements don’t keep pace with changes to your data practices, consumers could be misled.
  • Minimize shared data. When verifying a consumer's vaccination status, it is often enough to communicate the status itself to the other party without sharing the person's name, date of birth, email address, type of vaccine and so on. The same principle applies to other health-related applications.
  • Protect the data you use for verification. If your application transmits sensitive data to verify someone's status, encrypt it in transit. People who use these apps (or other health apps) often do so over open Wi-Fi hotspots in cafes, airports and other places where it is easy for an attacker to intercept unencrypted traffic. If your app stores information on the phone, encrypt it at rest and keep it out of world-readable locations. That protects users if the device is infected with malware or is lost or stolen.
  • Apply the lessons of the pandemic when developing new health-related apps. Health apps are here to stay. But before your company rushes to market with a new product, train your team to prioritize secure development practices. If you start with security, and keep it as task #1 while you design, develop and test, you reduce the risk of shipping a product with a fatal flaw. Another useful resource is NIST's Secure Software Development Framework (SSDF). Before your product goes live, check that it works as advertised and that the security measures are actually in place. An essential step: test the product to make sure it is not susceptible to common security vulnerabilities.
  • If you process health data or children’s data, understand the applicable standards and regulations. Additional legal provisions may apply where health information and children’s information are involved. Seek guidance on the Children’s Online Privacy Protection Act and the COPPA Rule, the Health Insurance Portability and Accountability Act (HIPAA), the Health Breach Notification Rule, and other relevant laws.
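The "Minimize shared data" and "Protect the data you use for verification" points above can be put into code. The following is an added illustration, not code from the post or from any real passport app: the issuer holds a full record (name, date of birth, vaccine type), but the credential it hands out, the kind of thing a storefront scanner would read from a QR code, carries only a status and an expiry, protected by an HMAC so a verifier can detect tampering. The issuer key, the record fields and the function names are all assumptions made for the example; a production issuer would keep the key in an HSM or KMS, and most real schemes use public-key signatures so that verifiers never hold the issuer's secret.

```python
"""Status-only verification credential: an added example of data minimization
plus integrity protection. Not from the original post or any real product."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key (assumption). A real issuer would keep its signing key
# in an HSM/KMS and, ideally, use an asymmetric signature instead of HMAC.
ISSUER_KEY = b"demo-issuer-key-do-not-use-in-production"


def _b64url(data: bytes) -> str:
    """URL-safe base64 without padding, so the token fits cleanly in a QR code."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_credential(full_record: dict, ttl_seconds: int,
                     now: Optional[float] = None, key: bytes = ISSUER_KEY) -> str:
    """Issuer side. `full_record` may contain name, DOB, vaccine type, etc.,
    but only a yes/no status and an expiry are placed in the credential."""
    now = time.time() if now is None else now
    claims = {
        "status": "vaccinated" if full_record["vaccinated"] else "not_vaccinated",
        "exp": int(now + ttl_seconds),
    }
    # Canonical JSON so the same claims always produce the same bytes/MAC.
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64url(tag)}"


def verify_credential(token: str, now: Optional[float] = None,
                      key: bytes = ISSUER_KEY) -> Optional[dict]:
    """Verifier side (e.g. a storefront scanner). Returns the claims if the MAC
    is valid and the credential is unexpired; otherwise None. The verifier
    never sees, and never needs, the person's identity details."""
    now = time.time() if now is None else now
    try:
        payload, tag_text = token.split(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison: avoids leaking how many MAC bytes matched.
        if not hmac.compare_digest(expected, _unb64url(tag_text)):
            return None
        claims = json.loads(_unb64url(payload))
    except ValueError:  # malformed base64, bad JSON or missing separator
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) < now:
        return None
    return claims


def claims_in_token(token: str) -> dict:
    """What a bystander who photographs the QR code can read: the payload is
    only encoded, not encrypted, so it must contain nothing sensitive."""
    return json.loads(_unb64url(token.split(".", 1)[0]))


if __name__ == "__main__":
    # Constructed sample record; nothing here is real.
    record = {"name": "A. Example", "dob": "1980-01-01",
              "vaccine": "ExampleVax", "vaccinated": True}
    token = issue_credential(record, ttl_seconds=3600)
    print("credential:", token)
    print("scanner sees:", claims_in_token(token))
    print("verified:", verify_credential(token))
```

The scanner can decide "admit / do not admit" from the `status` claim alone. If a deployment does need the name or date of birth (for example to match the credential to a photo ID), that is the point at which to decide deliberately to add a field, rather than exporting the whole record by default.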

Does your business, nonprofit, or other group check people’s immunization status?
If your business checks the vaccination status of employees, customers or others – whether that’s using an app, checking vaccination cards in person, getting card scans via email, etc. – here are some tips to keep in mind. These principles will remain relevant as new health applications enter the market.

  • Consider your goal. When you check the status of customers or employees, do you do it to make sure they are vaccinated or do you need more information to comply with legal obligations or possibly conduct contact tracing? Identifying your goal can be an important step in determining the best way to achieve it.
  • When checking a person's vaccination status, less is usually more. Ask yourself whether you can simply confirm that a person is vaccinated by looking at their vaccination card or a digital credential. If you don't need more detailed information, don't ask for it or collect it in the first place. You don't have to protect data you never had.
  • Research the market. If you decide to use an app or other technology to help you check immunization status or perform other health-related functions, exercise great care when selecting service providers. Investigate the companies, learn about their software, and ask questions about their privacy and data security practices. What information will they share with you? What information will the application collect from you, your customers or your employees? Are the representations you make to others consistent with your service provider's practices?
  • Provide a secure environment. If you use technology to collect personal information, do you have a secure network through which the information is transmitted? And if you need to retain information, can you store it securely?
  • If you need to keep information about a person's vaccination status, decide how long you actually need to keep it. Once you no longer have a legitimate need for someone's vaccination status or other health information, dispose of it securely.
  • Use the return to in-person work – or the transition to a more permanent remote office – as an opportunity to take stock of the data you collect and maintain. If you don’t permanently need a consumer’s date of birth to verify their status, don’t store it. Or if you’re using an app in a storefront to check the immunization status of customers, think critically about how long to store data related to a customer visit. But don’t stop there. Look beyond COVID-related circumstances to take a fresh look at your information collection and retention practices. Why collect or store data you don’t need?
