Privacy in ComputingCS 6v81.504

January 23, 2006

[Privacy] has become one of the most important human rights of the

modern age.

- PrivacyInternational.org

Privacy

• Privacy is protected in numerous international documents.– Austrian charter: “Privacy is a key value

which underpins human dignity and other key values such as freedom of association and freedom of speech... Privacy is a basic human right and the reasonable expectation of every person.”

Aspects of Privacy

• Information Privacy• Bodily Privacy

– Genetic tests, drug tests, cavity searches

• Privacy of Communications• Territorial Privacy

– Searches, surveillance, and ID checks

Models of Privacy Protection

• Comprehensive Laws• Sectoral Laws

– United States (includes HIPAA, COPPA, etc)

– The article looks down on this kind of privacy protection, allows for new sectors to form without privacy protection

• Self-Regulation– Article places this as more of a “theory”

• Technologies of Privacy

Privacy not a new issue…

• Sweden– Access to Public Records Act (1776)

• France– Prohibition of publication of private facts

(1858)

• Norway– Prohibited the publication of information

related to “personal or domestic” affairs (1889)

“No one should be subjected to arbitrary interference with his

privacy, family, home, or correspondence, nor to attacks on his honour or reputation. Everyone

has the right to the protection of the law against such interferences or

attacks.”

- Universal Declaration of Human Rights (1948)

Enforcement

• The International Covenant on Civil and Political Rights (ICCPR)

• United Nations Convention on Migrant Workers

• UN Convention on Protection of the Child

• European Convention for the Protection of Human Rights and Fundamental Freedoms

HIPAA

• Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)– Public Law 104-191 (August 21, 1996)

HIPAA’s Privacy Regulations

• HIPAA required that the Secretary of Health and Human Services (“HHS”) to issue privacy regulations if, and only if, Congress did not enact privacy legislation within three years of the passage of HIPAA.– Congress did not enact legislation

HHS’ Privacy Rule

• Three years and three months after the passage of HIPAA, HHS developed a proposed Privacy Rule and released it for public comment.– 52,000 public comments– Finalized on December 28, 2000.

HHS’ Privacy Rule Revisions

• March 2002 Revision Proposal:– 11,000 public comments– Adopted on August 14, 2002

“Summary of the Privacy Rule”

• HIPAA legislation passed by Congress contained a series of sections now known as the “Administrative Simplification provisions”– Under this provision, HHS is required to

publish documents such at the “Summary of the Privacy Rule” which we read.

Inclusion in the Privacy Rule

Health Plans

Unless:- Group plan of lessthan 50 people ranby the employer- Government fundedprograms that are“not health plans”

Inclusion in the Privacy Rule

Health PlansHealth Care Providers

Unless:- Group plan of lessthan 50 people ranby the employer- Government fundedprograms that are“not health plans”

Unless:- Provider does not have a “standard”means of transactionof health careinformation (ex: e-mail)

Inclusion in the Privacy Rule

Health PlansHealth Care ProvidersHealth Care

Clearinghouses

Unless:- Group plan of lessthan 50 people ranby the employer- Government fundedprograms that are“not health plans”

Unless:- Provider does not have a “standard”means of transactionof health careinformation (ex: e-mail)

Unless:- Clearinghouse isaction only as abusiness associatewhich doesn’t receivepersonally identifiableinformation

Scope of PHI

• An individuals past, present, or future:– Physical heath condition– Mental health condition– Payment of health care

• An individual health care provision.

…which there is a “reasonable basis to believe” the information is personally identifiable

… which isn’t an employee record held by the company of employment

Principle of Disclosure

• The Privacy Rule establishes a list of acceptable and unacceptable ways to use PHI.– Privacy Rule attempts to be a ‘catch-all’ law for

privacy

• The Privacy Rule may be waived by a signature of a patient.– Q: How many things do you sign when you go to

the doctor?– Q: Do you know what they say?– Q: Do you really have a choice to not sign then?

Principle of Disclosure(Part 2)

• The Privacy Rule does, however, ensure that individuals have access to the information stored about them.– Also allows HHS to view your medical

records when they’re “undertaking a compliance investigation”

Explicitly Acceptable Disclosures

• Disclosure to the individual (required)

• Disclosure to: (allowed without consent)– Treatment Operations– Payment Operations– Health Care Operations

Explicitly Acceptable Disclosures

• Disclosures with “Opportunity to Object”– Ex: Directory of patients– Ex: Notifications

• Family Members• Pharmacies• Law Enforcement (disaster relief, epidemic,

etc)

• Incidental disclosures– Disclosure as a result of a previous

disclosure

Explicitly Acceptable Disclosures

• Disclosure in Public Interest and Benefit Activities– Public Health (prevention or containment

of a disease)– Employees where transmission of a

dangerous disease was likely– Victims of abuse, neglect, violence, etc– Heath oversight activates and judicial

proceedings

Explicitly Acceptable Disclosures

• Disclosure in Public Interest and Benefit Activities (cont’d)– Law enforcement purposes– Decedents– Organ, eye, tissue donations– Research purposes– Serious threat to public safety– … and more…

Authorized Uses and Disclosures

• All other uses and disclosures of data but have explicit written authorization by the individual.– Q: Again, how many things do you sign

when you go into a doctor for the first time?

Authorized Uses and Disclosures

• Given examples:– Psychotherapy notes– Marketing– etc

“Minimum Necessary” Clause

• One of the central aspects of the entire Privacy Rule is that only the minimally necessary amount of PHI is disclosed.

“Minimum Necessary” Clause

• However, the minimum necessary clause does not cover:– Health care providers for treatment– Individuals who is the subject of the

information– Disclosures made pursuant to an

authorization– Disclosure to HHS or required by law– Disclosure for HIPAA compliance reviews

Other Privacy Rule Conditions

• Privacy Practice Notices– Provides the “privacy policy” of the

health care institution– Must be easily accessible and a receipt

(signature) must be on file from every patient that they had the chance to review the notice

• Patient’s right to knowledge of disclosure, with cetain limitations.

Other Privacy Rule Conditions

• Confidential Communications– An individual may request

communications be made only at a specific telephone number or a specific address.

– Furthermore, they may request that information is sent in sealed envelopes rather than postcards or other unsecured mail

Penalties

• HHS may impose monetary civil penalties for violations of the Privacy Rule:– $100 per failure to comply with a Privacy

Rule requirement (up to $25,000/yr/company for violations of the same Privacy Rule requirement)

Penalties

• Criminal Penalties– Any person (a physical person or an

incorporated company) who knowingly obtains or discloses PHI is in violation of HIPAA and faces:

• Up to a $50,000 fine• Up to a one-year prison term

– An intention to sell, transfer, or use PHI increase both the fine and the prison term

Rational for Adopting Comprehensive Privacy Laws…

• To remedy past injustices• To promote electronic commerce

– “These countries recognize that consumers are uneasy with the increased availability of their personal data, particularly with new means of identification and forms of transactions.”

• To ensure laws are consistent with Pan-European laws

Oversight of Privacy

• EU Solution:– Leave it to the individual countries to

have an independent enforcement body.– Often falls under the department which

handles “freedom of information” in countries which do not adopt comprehensive laws

Oversight isn’t easy…

• Small budget• Budget cuts• Too few staffers• Too many complaints

“Data Havens”

• Idea: If privacy laws prevents a person from storing the information they gather, why not ship it overseas?– Privacy laws now control the exporting

of data.– Europe Directive (next slide)

“Data Havens”

• Europe Directive:– “The Member States shall provide that

the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if the third country in question ensures an adequate level of protection.”

– Q: Who defines adequate?– Q: What should that standard be?

Safe Harbor Agreement

• Negotiations between the US and the EU to ensure that the United States has “adequate” privacy safegaurds.– Requires all signatory organizations

“clear and conspicuous” notices of the kinds of information they collect, the purpose of what it’s used, and any third parties of whom the information might be disclosed to.

– If information will be disclosed to a third party, an individual must be able to opt-out of that information collection.

Safe Harbor Agreement

• … even more provisions …– “Sensitive” information requires that an

individual opts-in to the collection and distribution to a third party.

– And in any case, the third party must be a signatory of the Safe Harbor Agreement.

– Originations must take measures to protect safety of the data, ability individuals must be able to to correct, amend, and delete inaccurate information.

Problems with Safe Harbor…

• Self-regulator• Non-transparent• EU Commission in 2002 looked into

its success– Found that it helped protect privacy, but

found numerous problems– Full report was due out in 2003

• Shamed the United States• Didn’t reach far enough to end the Safe

Harbor Agreement

“There are three elements in privacy: secrecy, anonymity and solitude. It is

a state which can be lost, whether through the choice of the person in that state or through the action of

another person”

- Ruth Gavison (Israel Democracy Institute)

Article 2: Who wrote it?

• Privacy International– Privacy International (PI) is a human

rights group formed in 1990 as a watchdog on surveillance and privacy invasions by governments and corporations. PI is based in London, England, and has an office in Washington, D.C. PI has conducted campaigns and research throughout the world on issues ranging from wiretapping and national security, to ID cards, video surveillance, data matching, medical privacy, and freedom of information and expression.

Article 1: What’s in HIPAA that’s not in the Privacy Rule?

• Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.– Source: Centers for Medicare and

Medicaid Services' (CMS)

Article 1: What’s in HIPAA that’s not in the Privacy Rule?

• Title II requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.

HIPAA

• “As a matter of linguistic-political criticism, many have noted that the Act did little to actually make health insurance more "portable" in the sense of preserving access to health care when an individual changes employers. Also, despite its many new rules on the sharing of medical information, the Act did not significantly increase health insurers' "accountability" for wrongdoing.”– WikiPedia

HIPAA

• New York Times (April 21, 2005)– Author writes and asks the reader to

imagine a hospital stay today and a hospital stay a year and a half from now.

– Claims that the hospital stay today would be like the stay a year and a half from now if HIPAA wasn’t “forced” upon the “already overburdened” healthcare industry

HIPAA

• The article we read came from the government, covers only the Privacy Rule, and doesn’t look at enforcement issues or its actual application to society.