Privacy and Public Access Wednesday, October 6, 2004 Dino Tsibouris email@example.com (614) 228-9707
October 22, 2003 A Tough Lesson on Medical Privacy BY DAVID LAZARUS "Your patient records are out in the open... so you better track that person and make him pay my dues." A woman in Pakistan doing cut-rate clerical work for UCSF Medical Center threatened to post patients' confidential files on the Internet unless she was paid more money. The violation of medical privacy - apparently the first of its kind - highlights the danger of "offshoring" work that involves sensitive materials.
Privacy Expectations in the Public Sector • Citizens expect privacy of information collected online • 57% of people surveyed would sacrifice some online privacy to assist law enforcement Council for Excellence in Gov’t, Nov. 2001.
Privacy Expectations in the Public Sector • Oregon Department of Transportation Website • Personal Information and NondisclosureMost information collected by state government is assumed to be open to the public unless specifically exempted. ORS Chapter 192 contains the Oregon Public Records Law. Under this law, individuals are permitted to request that public officials not disclose a public record that contains their home address and telephone number under certain circumstances. ORS 192.445 specifies how to request non-disclosure. • http://www.oregon.gov/ODOT/CS/ODOTEGOV/PrivacyandInformationDisclosureNotice.shtml
Privacy Expectations in the Public Sector • Oregon Department of Transportation Website • Public Disclosure All information collected at this site becomes a public record unless an exemption in law exists. ORS Chapter 192 contains the Oregon Public Records Law. • In the State of Oregon, laws exist to ensure that government is open and that the public has a right to access appropriate records and information possessed by state government. At the same time, there are exceptions to the public's right to access public records that serve various needs including the privacy of individuals. Both state and federal laws provide exceptions. • http://www.oregon.gov/ODOT/CS/ODOTEGOV/PrivacyandInformationDisclosureNotice.shtml
Privacy Expectations in the Public Sector • Third party service providers and gateways • ASP • Payment providers
Gramm-Leach-Bliley Act (1999) Financial Institutions • Banks • Credit Unions • Brokers • State Schools that make student loans
Gramm-Leach-Bliley Act (1999) Privacy • Regulates collection and sharing of nonpublic personal information • Consumers vs. customers • FI cannot share PI with an unrelated company unless it first provides a notice allowing the individual to opt-out of sharing
Gramm-Leach-Bliley Act (1999) Privacy • Senior level policy required • Privacy executive or committee • Different from FCRA (credit reporting)
Gramm-Leach-Bliley Act (1999) Privacy Exemptions • Agents • Service providers • PI used to enforce a transaction • Consent
Gramm-Leach-Bliley Act (1999) Security • Must use reasonable security measures • Regulations governing technical measures • Must limit access to necessary employees • Agents must promise to keep information secure and confidential
Gramm-Leach-Bliley Act (1999) Considerations from Banking • OCC Advisory Opinion AL 2004-09 • E-sign merely creates records • Only a starting point • Litigation rules - Admissibility • Audit requirements - COBIT • Regulatory compliance
Health Insurance Portability and Accountability Act of 1996 • Standards for electronic exchange of health information • Rules to protect privacy of health information • Rules to protect against threats, hazards or unauthorized access to health information
HIPAA Protected Health Information (PHI) • Individually Identifiable Health Information • Electronic, paper, oral • Created or received by a health care provider, health plan, employer or health care clearinghouse
HIPAA Individually Identifiable Health Information • Related to an individual; the provision of health care to an individual; or payment for health care • and that identifies the individual
HIPAA Patient Rights • Request restrictions on uses and disclosures of health information • Obtain documentation of disclosures • Inspect and copy heath information • Request amendment of health information • File a complaint of non-compliance
HIPAA • Must designate a privacy official • Must establish privacy and security policies • Must train all personnel that may contact PHI • Must ensure staff informed when policy is changed • Must have a process to resolve complaints
HIPAA • Must adopt written security procedures • Maintain reasonable and appropriate administrative, technical, and physical safeguards
HIPAA • NYC.Gov • Health Care InformationAny agency providing personally identifiable health care information via NYC.gov will be required to certify that its health care data handling and security procedures are compliant with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). If such data and security services are provided to such agency(ies) by a third-party provider, the agency(ies) shall be responsible for such third party's compliance with HIPAA. • http://www.nyc.gov/portal/index.jsp?epi_menuItemID=b52b1c491d03e607a62fa24601c789a0&epi_menuID=27579af732d48f86a62fa24601c789a0&epi_baseMenuID=27579af732d48f86a62fa24601c789a0
State Law • Online access to court and civil records • Privacy becomes personal • Identity theft
Florida • Online access to court records • Triggered backlash of concern over privacy rights and ID theft • Civil and criminal documents banned from online posting until Supreme Court committee review • Probably will not happen for July, 2005
Florida • Proposals: • Changing the amount of information collected • Barring access online • Assigning users unique ID numbers • Imposing a waiting period for access to court information
Florida • Driver Privacy Protection Act (“DPPA”) • Limits public access to social security numbers, driver license or identification card numbers, names, addresses, telephone numbers, and medical or disability information contained in motor vehicle and driver license records. • Personal information protected under DPPA does not include "vehicular crashes, driving violations, and driver's status."
Florida • Driver Privacy Protection Act (“DPPA”) permits access for: • Auto manufacturers conducting a recall of parts or vehicles • Government agencies or credentialed private investigators • A legitimate business verifying information for employment • Insurance agencies • Towing companies • Companies obtaining information about their drivers • A person or agency with written permission