HIPAA Might Not Protect You

I thought I’d just spread a little (hopefully) useful knowledge from my virtual reality research paper, both for you and your students. Here’s the GitHub link to my full paper.

First, if you or your students are using consumer tech that collects biometric or health data, like FitBit or Garmin (or virtual reality), then HIPAA (the Health Insurance Portability and Accountability Act) generally does not cover you. There are ongoing legal challenges to this, but as of now, these companies are allowed to do almost anything they want with data about your heart rate or sleep patterns, within the parameters of their user agreements. The Supreme Court has repeatedly upheld the “third-party doctrine,” which means that if you voluntarily give up data to a third party then you cannot expect that data to remain private. Fortunately, the third-party doctrine doesn’t apply to anyone 12 years old or younger, thanks to the Children’s Online Privacy Protection Act. Once you turn 13, though, it’s pretty much open season.

Second, data can only be anonymous up to a point. For example, the New York Times recently reported on how much personal information could be discovered from anonymous location-tracking data on smartphones. Even when your identity is “removed” from the location data, if that data shows you coming and going from your house, then it’s not tough to figure out that it’s you. This data is generally for sale to anyone with enough money.

Third, advertising and propaganda are much easier to slip into virtual reality than into two-dimensional computer screens. It’s often difficult for an ad to be smoothly displayed on a computer screen – it usually seems to be flashing annoyingly or obviously separate from the site’s content. However, if you’re in a virtual 3D environment that feels like a city street, it’s natural to have billboards or advertising posters around. If another character hands you a virtual drink, it could naturally be a particular brand. These ad spaces could easily be sold to companies.

And always remember that you might have friends on Facebook, but Facebook is not your friend.

Thanks to everyone for an interesting class! If I don’t see you again, good luck with all your future studies.