Page 1: Privacy and Public Access Wednesday, October 6, 2004 Dino Tsibouris dino.tsibouris@mt-law.com (614) 228-9707

Privacy and Public Access

Wednesday, October 6, 2004

Dino Tsibouris

dino.tsibouris@mt-law.com

(614) 228-9707

Page 2

Page 3

October 22, 2003. A Tough Lesson on Medical Privacy. By David Lazarus

"Your patient records are out in the open... so you better track that person and make him pay my dues."

A woman in Pakistan doing cut-rate clerical work for UCSF Medical Center threatened to post patients' confidential files on the Internet unless she was paid more money.

The violation of medical privacy - apparently the first of its kind - highlights the danger of "offshoring" work that involves sensitive materials.

Page 4

Why Have a Privacy Policy?

The Federal Trade Commission (“FTC”) permits companies to use information obtained from consumers to the extent the company adequately discloses its practices.

FTC is particularly concerned with preventing unfair or deceptive acts or practices “in or affecting commerce.”

Page 5

Why Have a Privacy Policy?

The FTC Proposed Legislation.

Notice: Required clear and conspicuous notice of the company’s information practices;

Choice: Required that consumers be permitted to choose how their personal identifying information is used beyond the use for which the information was provided;

Access: Required companies to provide consumers reasonable access to the information the website collected about them, including a reasonable opportunity to review information and to correct inaccuracies or delete information;

Security: Required companies to take reasonable steps to protect the security of the information they collect from consumers.

Page 6

Why Have a Privacy Policy?

Industry Proposes Self-Regulation.

The Online Privacy Alliance: AOL Time Warner; Apple Computer; AT&T; Boeing; Compaq; Dell; DoubleClick Inc.; EarthLink, Inc; eBay, Inc; EDS; Equifax; Ernst and Young; Experian; Guardent; IBM; Intuit; Keylime Software, Inc.; Microsoft; PricewaterhouseCoopers; Reed Elsevier; SAS Institute Inc.; Sun Microsystems; Verizon Communications; Websidestory, Inc.; WorldCom; Yahoo!; American Advertising Federation; American Institute of Certified Public Accountants; Association for Competitive Technology; Business Software Alliance; Association of National Advertisers; American Association of Advertising Agencies; Center for Information Policy Leadership; Electronic Retailing Association; Information Technology Association of America; Interactive Digital Software Association; Internet Alliance; Motion Picture Association of America; Software & Information Industry Association; The United States Chamber of Commerce; The United States Council for International Business.

Page 7

Why Have a Privacy Policy?

Industry Proposes Self-Regulation.

• Adoption and Implementation of a Privacy Policy
• Notice and Disclosure
• Choice/Consent
• Data Security
• Data Quality and Access

Page 8

Privacy Expectations in the Public Sector

• Citizens expect privacy of information collected online

• 57% of people surveyed would sacrifice some online privacy to assist law enforcement (Council for Excellence in Gov’t, Nov. 2001).

Page 9

Page 10

Privacy Expectations in the Public Sector

• Oregon Department of Transportation Website

• Personal Information and Nondisclosure: Most information collected by state government is assumed to be open to the public unless specifically exempted. ORS Chapter 192 contains the Oregon Public Records Law. Under this law, individuals are permitted to request that public officials not disclose a public record that contains their home address and telephone number under certain circumstances. ORS 192.445 specifies how to request non-disclosure.

• http://www.oregon.gov/ODOT/CS/ODOTEGOV/PrivacyandInformationDisclosureNotice.shtml

Page 11

Privacy Expectations in the Public Sector

• Oregon Department of Transportation Website

• Public Disclosure: All information collected at this site becomes a public record unless an exemption in law exists. ORS Chapter 192 contains the Oregon Public Records Law.

• In the State of Oregon, laws exist to ensure that government is open and that the public has a right to access appropriate records and information possessed by state government. At the same time, there are exceptions to the public's right to access public records that serve various needs including the privacy of individuals. Both state and federal laws provide exceptions.

• http://www.oregon.gov/ODOT/CS/ODOTEGOV/PrivacyandInformationDisclosureNotice.shtml

Page 12

Privacy Expectations in the Public Sector

• Third party service providers and gateways
• ASP
• Payment providers

Page 13

Privacy Expectations in the Public Sector

• NYC.gov: Third Party Links

• NYC.gov provides links to, and may be linked from, local, State and federal government agencies, and from, or to, other websites. The existence and/or provision of those links neither constitutes nor implies endorsement of the destination or departure website(s) or of the content, viewpoint, accuracy, opinions, policy(ies), product(s), accessibility or privacy policy of said destination or departure website(s). Nor does any link between NYC.gov and a third-party website imply sponsorship of such website, or the creator of such website.

Page 14

Privacy Expectations in the Public Sector

• NYC.gov: Third Party Links

• Some content on portions of NYC.gov resides on servers run by third parties. Each agency providing content for NYC.gov is bound by NYC.gov's privacy policy. Any agency using a third-party host, ISP, ASP or other combination of third-party transport, storage, content or application provision services shall be responsible for such third party's compliance with NYC.gov's privacy policy.

Page 15

Gramm-Leach-Bliley Act (1999): Financial Institutions

• Banks
• Credit Unions
• Brokers
• State Schools that make student loans

Page 16

Gramm-Leach-Bliley Act (1999): Privacy

• Regulates collection and sharing of nonpublic personal information

• Consumers vs. customers
• FI cannot share PI with an unrelated company unless it first provides a notice allowing the individual to opt-out of sharing

Page 17

Gramm-Leach-Bliley Act (1999): Privacy

• Senior level policy required
• Privacy executive or committee
• Different from FCRA (credit reporting)

Page 18

Gramm-Leach-Bliley Act (1999): Privacy

Exemptions
• Agents
• Service providers
• PI used to enforce a transaction
• Consent

Page 19

Gramm-Leach-Bliley Act (1999): Security

• Must use reasonable security measures
• Regulations governing technical measures
• Must limit access to necessary employees
• Agents must promise to keep information secure and confidential

Page 20

Gramm-Leach-Bliley Act (1999): Considerations from Banking

• OCC Advisory Opinion AL 2004-09
• E-sign merely creates records
• Only a starting point

• Litigation rules - Admissibility
• Audit requirements - COBIT
• Regulatory compliance

Page 21

Health Insurance Portability and Accountability Act of 1996

• Standards for electronic exchange of health information
• Rules to protect privacy of health information
• Rules to protect against threats, hazards or unauthorized access to health information

Page 22

HIPAA

Protected Health Information (PHI)
• Individually Identifiable Health Information
• Electronic, paper, oral
• Created or received by a health care provider, health plan, employer or health care clearinghouse

Page 23

HIPAA

Individually Identifiable Health Information
• Related to an individual; the provision of health care to an individual; or payment for health care
• and that identifies the individual

Page 24

HIPAA

Patient Rights
• Request restrictions on uses and disclosures of health information
• Obtain documentation of disclosures
• Inspect and copy health information
• Request amendment of health information
• File a complaint of non-compliance

Page 25

HIPAA

Provide written notice of privacy policy
• Explain uses and disclosures of health information and give examples
• Describe the individual’s rights
• Make a good faith effort to obtain a written acknowledgment of the patient’s receipt of the notice at the time of first service delivery

Page 26

HIPAA

• Must designate a privacy official
• Must establish privacy and security policies
• Must train all personnel that may contact PHI
• Must ensure staff informed when policy is changed
• Must have a process to resolve complaints

Page 27

HIPAA

• Must adopt written security procedures
• Maintain reasonable and appropriate administrative, technical, and physical safeguards

Page 28

HIPAA

• NYC.Gov
• Health Care Information

Any agency providing personally identifiable health care information via NYC.gov will be required to certify that its health care data handling and security procedures are compliant with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). If such data and security services are provided to such agency(ies) by a third-party provider, the agency(ies) shall be responsible for such third party's compliance with HIPAA.

• http://www.nyc.gov/portal/index.jsp?epi_menuItemID=b52b1c491d03e607a62fa24601c789a0&epi_menuID=27579af732d48f86a62fa24601c789a0&epi_baseMenuID=27579af732d48f86a62fa24601c789a0

Page 29

State Law

• Online access to court and civil records
• Privacy becomes personal
• Identity theft

Page 30

Florida

• Online access to court records
– Triggered backlash of concern over privacy rights and ID theft
– Civil and criminal documents banned from online posting until Supreme Court committee review
– Probably will not happen for July, 2005

Page 31

Florida

• Proposals:
– Changing the amount of information collected
– Barring access online
– Assigning users unique ID numbers
– Imposing a waiting period for access to court information

Page 32

Florida

• Driver Privacy Protection Act (“DPPA”)
– Limits public access to social security numbers, driver license or identification card numbers, names, addresses, telephone numbers, and medical or disability information contained in motor vehicle and driver license records.
– Personal information protected under DPPA does not include "vehicular crashes, driving violations, and driver's status."

Page 33

Florida

• Driver Privacy Protection Act (“DPPA”) permits access for:
• Auto manufacturers conducting a recall of parts or vehicles
• Government agencies or credentialed private investigators
• A legitimate business verifying information for employment
• Insurance agencies
• Towing companies
• Companies obtaining information about their drivers
• A person or agency with written permission

Page 34

California

• California Online Privacy Protection Act
– Applies to website operators that collect personal information from California residents
– Requires the web site operator to “conspicuously post” a privacy policy
– Policy must describe method of collection and use of information
– Must provide method to correct information on file