Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
Case Study on Personal Data: Health Moderator: Dean Annette Clark, Seattle University School of Law
Panelists:
Charlotte Garden, Seattle University School of Law
Anne Toomey McKenna, Affiliate Professor at Penn State Institute for Computational and Data Sciences
Jerry Vergeront, Director of Risk and Cybersecurity, Seattle University
Wendy Charles, PhD, CIP, CCRP, CBP, Chief Scientific Officer, Burst IQ
Additional Reading:
PACT: Privacy Sensitive Protocols and Mechanisms for Mobile Contact Tracing
States Monitoring Assisted Reproductive Technology (SMART) Collaborative: Data Collection, Linkage, Dissemination, and Use.
Gathering data for decisions: best practice use of primary care electronic records for research
Contact Tracing to BLM Monitoring: Health Data andGeolocation Data as a Surveillance Tool
How Do We Protect Vulnerable Groups?
Anne Toomey McKennaPenn State University Institute for Computational & Data Sciences
@McKennaCyberLawAnne Toomey McKenna © 2020
What do the Pandemic, Health Data, & our phoneshave to do with Black Lives Matter ?
Anne Toomey McKenna © 2020
December 2019
• December 2019:Citizens of Wuhan become ill with severe respiratory symptoms.
• December 31, 2019:Chinese authorities identify novel coronavirus, SARS-CoV-2 [2019-nCoV]
January 2020
• January 30, 2020:WHO declares SARS-CoV-2 a Public Health Emergency of International Concern
• January 31, 2020:US Secretary of Health & Human Services declares a public health emergency
• A public health emergency = increase in state authority
March 2020
• March 11, 2020: WHO declares a pandemic
• March 13, 2020:President Trump declares COVID-19 a National Emergency
• March 24, 2020: OCR Issues Guidance for First Responders and Others to Receive PHI about Individuals Exposed to COVID-19
• March 28, 2020: OCR Issues Bulletin on HIPAA Flexibilities
Anne Toomey McKenna © 2020
April 2020• April 2, 2020:
OCR Enforcement Discretion to Allow Uses & Disclosures of PHI by Business Associates for Public Health and Health Oversight Activities During COVID-19 Nationwide Public Health Emergency
• April 2, 2020:Over 100 Civil Society Organizations join Privacy International in Sounding the Alarm over Global Wave of Surveillance in Fight Against COVID-19
• April 10, 2020: Apple and Google announce contact-tracing partnership
May 2020• May 25, 2020:
Minneapolis police officers kill George Floyd; video of suffocation goes viral
• May 26, 2020: Large Scale Protests begin in Minneapolis
• May 27, 2020: Protests erupt in cities across the U.S. and globally to protest police brutality and in support of Black Lives Matter
• May 30, 2020: Media reports Minnesota officials using contact tracing to identify and track protestors
Anne Toomey McKenna © 2020
Anne Toomey McKenna © 2020
Clarifies when a covered entity may disclose PHI and identifying information about individuals, without their HIPAA authorization, including: when required by law; when first responders may be at risk for an infection; and when disclosure is necessary to prevent or lessen threats.
SUMMARY: covered entities only have to make reasonable efforts to limit the PHI used or disclosed to government officials NOT involved in healthcare to that which is the "minimum necessary“ to accomplish purpose.
Contact Tracing:What Data is Involved?
Anne Toomey McKenna © 2020
Anne Toomey McKenna © 2020
Anne Toomey McKenna © 2020
The Economist: Apple, Amazon, & Google –Your new doctor?• By SARAH GRAY June 5, 2018
• On the same day as Apple’s Worldwide Developers Conference (WWDC) Keynote, the tech conglomerate announced on its website that it opened its Health Records application programming interface (API) to developers.
• Earlier this year, Apple introduced Health Records, which in partnership with more than 500 hospitals and clinics and using Fast Healthcare Interoperability Resources, was able to bring patients encrypted health data from multiple health care providers directly to their phones.
• Sharing the Health Records API — or set of protocols that helps software communicate — will allow developers to build third-party apps that interact with Health Records.
• In turn, if users opt in, they’ll be able to sharing their health records with a trusted third-party app that may track a patient’s diabetes, medication schedule (with refill reminders), or nutrition requirements. An “ecosystem” of apps should be available in the fall, according to Apple’s announcement.
• “With the Health Records API open to our incredible community of developers and researchers, consumers can personalize their health needs with the apps they use every day,” Jeff Williams, Apple’s chief operating officer, said in a statement…
Anne Toomey McKenna © 2020
The race is on to develop “immunity passport” apps
What ethical and legal issues do these apps pose?
Civil Liberties v. Pandemic
“An increase in state digital surveillance powers, such as obtaining access to mobile phone location data, threatens privacy, freedom of expression and freedom of association, in ways that could violate rights and degrade trust in public authorities—undermining the effectiveness of any public health response.
Such measures also pose a risk of discrimination and may disproportionately harm already marginalized communities.”
Joint Civil Society Statement (Apr. 2, 2020)
Anne Toomey McKenna © 2020
Anne Toomey McKenna © 2020
Geofences and geofencingUsed regularly by advertisers, a geofence is a virtual perimeter for a real-world geographic area. A geo-fence could be dynamically generated—as in a radius around a point location, or a geo-fence can be a predefined set of boundaries.Geofence technology locates any cellphones that cross into the area via the phone’s geolocation systems
The geofence can record social media posts and other data from the phones.
Anne Toomey McKenna © 2020
Google’s SensorvaultGoogle employees tell New York Times:
• Google database Sensorvault holds detailed location records of “hundreds of millions of devices worldwide”
• Sensorvault records date back a decade
Law Enforcement use of Sensorvault Data:
• According to Times, Google receives as many as 180 requests for location data per week
Sensorvault Data Combined with Geofencing Tools:
• Police say this tool helps break cases open
• But it sweeps hundreds to thousands of innocent people into a criminal investigation
• Individuals are pulled simply for walking or driving through a given location at a given time Anne Toomey McKenna © 2020
Anne Toomey McKenna © 2020
Anne Toomey McKenna © 2020
Who is being monitored, and who will be arrested?
The impact is racially disparateAnne Toomey McKenna © 2020
Anne Toomey McKenna © 2020
Business Insider:Police use Big Tech to monitor activists and protesters the moment they walk out their door.
Making “full use of high-tech surveillance to monitor protestors
Contact Tracing, Geofencing, and other Surveillance Tools to Identify Protestors
The problem is not just with monitoring of
Black Lives Matter Protestors
Discrimination is built into techAnne Toomey McKenna © 2020
Anne Toomey McKenna © 2020
What are WE- Educators, Lawyers Technologists, &
Business Professionals -
doing about it?
Anne Toomey McKenna © 2020
OUR CHALLENGE IS TO:
• Build Tech• Use Data• Develop Law & Policies• Promote Diversity
So we disrupt the status quo in a world where data sharing, data use, and location tracking are pervasive and impact individuals differently based upon the color of their skin.
Anne Toomey McKenna © 2020
To recognize and protect #DataPrivacy
as a Fundamental Human Right
We & Our StudentsMust Learn, Teach, and
Understand Data & PrivacyAnne Toomey McKenna © 2020
Presented by:
Jerry D. Vergeront, JD, CISSP, CISA Vergeront Law, PLLCFounder and Attorney of Vergeront Law
Director, Risk and Cybersecurity at Seattle University
Contact Tracing
Issues Faced by Higher Education
1
Introduction – Issues for Higher Education
State requirements for reporting
Different ways to contact tracing Apps
Self-reported health checks
Issues relevant to contact tracing Functionality Issues
Privacy Issues
Policy Issues
2
Reporting Requirements
Federal / CDC: Who must report
Authority: Public Law 116-136, § 18115(a), the Coronavirus Aid, Relief, and Economic Security (CARES)Act
All COVID-19 diagnostic and screening testing sites must report to CDC
Provides guidelines for Institutes of Higher Education (IHE), not requirements.
State Requirements Each state has different requirements Washington Authority: Gubernatorial Proclamation 20-25
Washington Department of Health provided guidance to meet the Gubernatorial mandates
IHE must report suspected COVID-positive faculty, staff, and students to Local Health Department
3
4
Contact Tracing
Many different apps: COVIDWISE - Google+Apple
GuideSafe – Alabama Department of Public Health + University of Alabama Birmingham
Care19 – North Dakota (based on Google+Apple APIs)
Homegrown University Apps
Self-reported Health Checks Online or paper
Set of questions to determine risk of infection
Those with high risk of infection are reported to local health department
5
University Considerations - Applications
Effectiveness Issues All personnel must have smartphone with app loaded and running
Issue: Creates an economic barrier for those who can’t afford a smartphone
Possible claims of discrimination
Overcome by providing phones/service, but requires capital investment
Some faculty/staff/students do not wish to have application loaded
Phones must be on and carried on the person
Bluetooth technology Many forms of Bluetooth interference
Wi-Fi Coexistence, Microwave ovens, Cross-body Interference, Office Lighting
Interference could affect proximity/power calculations
6
University Considerations - Applications
Different applications Which specific application will be used?
Some states and foreign countries require different applications
Important when considering foreign students on campus
How will cross-state data collecting and reporting work? Centralized or decentralized collection and reporting?
How will the University actually be notified? Most apps are personal applications, rather than university monitored
Can a user opt-out? Google+Apple product allows user to “decide whether to contribute to exposure notification”
7
University Considerations - Applications
Saturation “Oxford University researchers have said 60% of a country’s population would have to download a tracing
app in order for it to be effective.” MIT showed that even lower numbers could may not be AS effective, but can still provide significant
slow-downs in infection rates What is the saturation goal of the campus? What about visitors to campus?
Privacy Extreme privacy issues if using location-based contact tracing application What data is stored and where is it stored?
Is it anonymized?
Who may request access to data? Will data be available for law enforcement?
Who owns the data?
8
University Considerations – Self-Reported Health Checks
How will this be completed? On-line via web page?
Paper forms upon campus entry?
How will it be stored? MUCH harder to anonymize
Must be well-protected from unauthorized access
How may this data be used? Who may make requests of the data?
Ensure that a careful terms of use is created
Ensure “interviewer” has an approved script of questions to ask
9
University Considerations – Final Issues
Liability Issues Selecting a solution that may be discriminatory against some members
Foreign students, economically disadvantaged, etc…
Privacy
False sense of safety When selecting a solution, one must be able to convey that tracking does not guarantee
complete:
Safety (barring COVID-positive people from entering campus); or
Effectiveness (not all individuals using apps; truthfulness when self-reporting)
10
University Considerations – Policy
No matter the type of contact tracing an Institute of Higher Education chooses, understand the policies of using the data.
Determine the data owner
Determine reporting requirements
Document privacy expectations
Determine how to address “walk-ons”
Consider trespassing requirements if you plan on barring those who do not comply from entering campus
Determine enforcement procedures
Build data request policies
11
Questions?
Please feel free to ask questions.
If you have a question outside of this presentation, please visit the Vergeront Law website to contact me at your leisure:
www.vergerontlaw.com
425.328.8736
12
21 AUGUST 2020
CONNECT TO IMPOSSIBLE
W E N D Y C H A R L E SPhD, CIP, CCRP, CBPChief Scientific Officer
The views expressed in this presentation are the views of the presenter and do not necessarily reflect the views or policies of BurstIQ.
I work for a blockchain company that partners with health care and life science organizations. Descriptions of my work are used only to illustrate educational concepts.
D I S C L A I M E R S
• Blockchain has grown rapidly from an “audit trail” to a data engine with advanced capabilities that traditional data systems cannot offer
• 70% of life sciencesorganizations plan to implement 1 or moreblockchain projects by 2020
B L O C K C H A I N F R A M E O F R E F E R E N C E
Research & Innovation Challenges
Data Sharing
Supply Chain Coordination
HealthPassport
Telemedicine
Contact Mapping
Self Sovereign Health & ID Profiles
Clinical Trials
B L O C K C H A I N : C O N N E C T E D D A T A E C O S Y S T E M
P O P U L A T I O N H E A L T H D A T A P R O T E C T I O N S
BLOCKCHAIN
SECURITYBIG DATA
AuditabilityTamper-resistanceHIPAA, GDPR, NIST
Cryptographic ownership & dynamic consentOn-chain data & longitudinal profiles
Population healthComplex queries
B L O C K C H A I N U S E S F O R C O V I D - 1 9 D A T A
• Public health data management
• Contact tracing• Storing/sharing COVID-19
infection results• Storing/sharing COVID-19
antibody results
(Next)
• Immunity status information is secured, trusted, and easily shared using blockchain
• Zero knowledge proofsminimize sharing ofsensitive data
C O V I D - 1 9 I M M U N I T Y P A S S P O R T
R E S E A R C H F O U N D R Y
Humanitarian initiative: Developer, researcher, & support community to accelerate public health research using blockchain
joined Research Foundry and provides legal information to the community
C O N D U C T C O V I D - 1 9 R E S E A R C H
https://www.herox.com/americanheartassociationcovid19
B L O C K
Individual or Organization
Consent Contract(from any person or
Organization)
ADD PERMISSIONS FOR RECIP IENT
Da tesNameRo le
Va r i ab l es (PH I )Da ta Se t
Me thod o f Ac c es sT ime pe r i od
(Any pa rame te r )
Q u e r y D a t a
M A N A G E D Y N A M I C C O N S E N T
C O N N E C T A N D A N A L Y Z E D A T A
Conduct simple or complex analyses
B L O C K
B L O C K
B L O C K
B L O C K
Single source of truth
Query
Return
Return
Query
Regulatory AgencySponsorResearch SiteEMR
Subject ID, procedure codes
verified & recorded
Verification Triggers Consent Contract
Co-ownership Executed & Recorded
Subject
Verified Results
Fictional example: Health information in a clinical trial
A U T O M A T E D A T A E X C H A N G E
D A T A I N T E G R I T Y R E G U L A T I O N S
P R I V A C Y & S E C U R I T Y R E G U L A T I O N S
R E G U L A T O R Y R E Q U I R E M E N T S
B L O C K C H A I N : D I F F E R E N T S E C U R I T Y R I S K S
Dasgupta D, Shrein JM, Gupta KD. A survey of blockchain from security perspective. J Bank Financ Technol. 2019;3:1-17. doi: 10.1007/s42786-018-00002-6.
• Increasingly used in health care and life sciences
• Capabilities offer new methods for health research
• Platform design and documentation must meet all statutes and regulations for its intended use (with awareness of unique risks)
K E Y T A K E A W A Y S A B O U T B L O C K C H A I N
“COLLABORATION is the most powerful way to expand
human knowledge. In fact, it might be the only way.”
-Frank Ricotta, BurstIQ CEO
Wendy Charles, [email protected]