Pokemon Go & business privacy risks

Davis Dwight & Tremaine LLP
Oregon business law firm

By Rebecca L. Williams

Pikachu, Alakazam, Bulbasaur, Charmander, and Squirtle can teach us a few things about HIPAA privacy. Pokémon GO is a recent craze encouraging people to try to catch ’em all. As a result, employees, clients, and patients are scrambling around the halls of covered entities and business associates in search of elusive Pokémon, hoping to snap a picture of their catch and possibly post a photo of their trophy on social media.

The risks presented by Pokémon GO are not new; they’re just a Zebstrika of a different stripe. The key is to stay alert and to keep one step ahead of those HIPAA compliance pocket monsters. Some covered entities and business associates are banning the beasts, while others are setting lures to attract even more Pokémon. Whatever the approach, covered entities and business associates should consider:

  • Revisiting policies on photography within – and outside – the facility. Photography and filming can identify a patient and capture an array of other protected health information (“PHI”) and personally identifiable information. We have seen at least one HIPAA settlement relating to unauthorized filming of individuals.
  • Reviewing social media policies. Social media presents challenges in balancing employees’ rights with maintaining the privacy and security of PHI. Even if a patient, a plan participant, or a customer initiates the contact through social media, the entity could wind up with an impermissible disclosure of PHI. Now is a good time to develop or revisit a social media policy.
  • Addressing portable devices. Portable devices, such as smart phones and laptops, present massive privacy and security risks. Many, many HIPAA enforcement actions — and reportable breaches — have arisen from the loss or theft of an unencrypted portable device carrying PHI.

  • Updating the risk analysis. Again, now is the time to verify that the covered entity’s or business associate’s risk analysis addresses portable devices as well as photography and social media. Entities should then verify that appropriate safeguards, policies, and procedures are in place to bring these risks to a reasonable level.
  • Training. Training and security reminders are an ongoing part of all effective compliance programs. Use the quest for Pokémon to remind the workforce to stay ever-vigilant in safeguarding PHI.

