Is SilverCloud privacy good enough?
February 26, 2020 6:19 AM

My employer recently offered access to Silvercloud, an online CBT program which has been recommended here before (e.g. here and here) and it seems it could be useful for my depression and anxiety. However, I'm moderately concerned about privacy, and the privacy policy doesn't ever say something as clear as "we won't let your employer know you are depressed". How worried should I be?

Here is the actual policy specific to my employer, CU Boulder.

I don't have a lot of trust in my employer but I think I could really use this service. I don't understand the privacy policy well enough to figure out if the exposure to their data collection is worth the potential gain.

I don't have any specific concerns and know that "good enough" will depend on the individual. Would you use it, or are you using it? If not, for privacy reasons, how did you make that decision?
posted by anonymous to Health & Fitness (2 answers total)
"SilverCloud Health provides its platform to many healthcare services and other organizations. In this notice we will tell you how we process your personal data on behalf of your service (that is, the healthcare team that has given you access to SilverCloud). Your service is the ‘data controller’, which means they decide how and why your data is processed, and SilverCloud is the ‘data processor’, which means we follow their instructions. Your service may also have a privacy notice that is relevant to you."

This suggests to me that your employer (the "healthcare team" providing access) is the one who controls the data and data privacy, not SilverCloud (who just processes it according to their instructions). Could you reach out to your employer and ask what their policies are? Specifically in regard to HIPAA.
posted by brook horse at 6:29 AM on February 26, 2020


"Data controller" and "data processor" are terms of art that have a specific meaning in the context of the EU's General Data Protection Regulation (GDPR). Silvercloud appears to be a UK-based company, so their privacy policy is further tailored to meet the requirements of the UK's Data Protection Act (2018), which is the UK-specific implementation of the GDPR.

Generally speaking, European privacy regulations are stronger and more subject-friendly than those in the US. Notably, they enumerate "rights of individuals," including the "right to be forgotten."

However, while Silvercloud does not appear to have a different privacy policy for their US operations (which makes sense), it's worth noting that you are not legally protected by GDPR here. The relevant legal framework in the US is called HIPAA, and it's specific to health care data whereas GDPR covers all kinds of personal data.

Disclosure rules for health care data under HIPAA rely heavily on the concepts of a "covered entity" and its "business associates". Personal health information can be legally shared between CEs and BAs in either direction without your explicit consent as long as it is necessary for "treatment, payment, or operations." Most of the data that goes back and forth under this rule is billing-related, because of our horribly complex insurance system. Sometimes this data is specific enough that it implies health information (e.g., billing codes that are specific to a certain procedure or diagnosis). But I can't think of any way that that would be the case in this particular situation.

So, depending on the contract that CU has with Silvercloud, they might be entitled to see the fact that you personally have used the Silvercloud service (more likely they only get aggregated data across the population), but I would seriously doubt that anyone at CU would ever see anything more specific about your Silvercloud records. A big exception here would be if you get medical care at CU-affiliated providers --- they might (again a big might) have access to your detailed treatment records in Silvercloud. But in most cases where an employer is also a medical service provider, those two entities are legally separate and great care is taken to prevent the "regular" personnel from seeing personal health information about patients who happen to work for the employer.

Sorry this is so long! Privacy regulations are complicated, and while I know more about them than most people, I'm not a lawyer or an expert. But in short, I personally would have no concerns about using this service under the scope that you outlined.
posted by slenderloris at 1:20 PM on February 26, 2020

