privacy in computing cs 6v81 504 january 23 2006 n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Privacy in Computing CS 6v81.504 January 23, 2006 PowerPoint Presentation
Download Presentation
Privacy in Computing CS 6v81.504 January 23, 2006

Loading in 2 Seconds...

play fullscreen
1 / 46

Privacy in Computing CS 6v81.504 January 23, 2006 - PowerPoint PPT Presentation


  • 92 Views
  • Uploaded on

Privacy in Computing CS 6v81.504 January 23, 2006. [Privacy] has become one of the most important human rights of the modern age. - PrivacyInternational.org. Privacy. Privacy is protected in numerous international documents.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

Privacy in Computing CS 6v81.504 January 23, 2006


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
privacy in computing cs 6v81 504 january 23 2006
Privacy in Computing

CS 6v81.504

January 23, 2006

privacy has become one of the most important human rights of the modern age

[Privacy] has become one of the most important human rights of the modern age.

- PrivacyInternational.org

privacy
Privacy
  • Privacy is protected in numerous international documents.
    • Austrian charter: “Privacy is a key value which underpins human dignity and other key values such as freedom of association and freedom of speech... Privacy is a basic human right and the reasonable expectation of every person.”
aspects of privacy
Aspects of Privacy
  • Information Privacy
  • Bodily Privacy
    • Genetic tests, drug tests, cavity searches
  • Privacy of Communications
  • Territorial Privacy
    • Searches, surveillance, and ID checks
models of privacy protection
Models of Privacy Protection
  • Comprehensive Laws
  • Sectoral Laws
    • United States (includes HIPAA, COPPA, etc)
    • The article looks down on this kind of privacy protection, allows for new sectors to form without privacy protection
  • Self-Regulation
    • Article places this as more of a “theory”
  • Technologies of Privacy
privacy not a new issue
Privacy not a new issue…
  • Sweden
    • Access to Public Records Act (1776)
  • France
    • Prohibition of publication of private facts (1858)
  • Norway
    • Prohibited the publication of information related to “personal or domestic” affairs (1889)
slide7

“No one should be subjected to arbitrary interference with his privacy, family, home, or correspondence, nor to attacks on his honour or reputation. Everyone has the right to the protection of the law against such interferences or attacks.”

- Universal Declaration of Human Rights (1948)

enforcement
Enforcement
  • The International Covenant on Civil and Political Rights (ICCPR)
  • United Nations Convention on Migrant Workers
  • UN Convention on Protection of the Child
  • European Convention for the Protection of Human Rights and Fundamental Freedoms
hipaa
HIPAA
  • Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
    • Public Law 104-191 (August 21, 1996)
hipaa s privacy regulations
HIPAA’s Privacy Regulations
  • HIPAA required that the Secretary of Health and Human Services (“HHS”) to issue privacy regulations if, and only if, Congress did not enact privacy legislation within three years of the passage of HIPAA.
    • Congress did not enact legislation
hhs privacy rule
HHS’ Privacy Rule
  • Three years and three months after the passage of HIPAA, HHS developed a proposed Privacy Rule and released it for public comment.
    • 52,000 public comments
    • Finalized on December 28, 2000.
hhs privacy rule revisions
HHS’ Privacy Rule Revisions
  • March 2002 Revision Proposal:
    • 11,000 public comments
    • Adopted on August 14, 2002
summary of the privacy rule
“Summary of the Privacy Rule”
  • HIPAA legislation passed by Congress contained a series of sections now known as the “Administrative Simplification provisions”
    • Under this provision, HHS is required to publish documents such at the “Summary of the Privacy Rule” which we read.
inclusion in the privacy rule
Inclusion in the Privacy Rule

Health Plans

Unless:

- Group plan of less

than 50 people ran

by the employer

- Government funded

programs that are

“not health plans”

inclusion in the privacy rule1
Inclusion in the Privacy Rule

Health Plans

Health Care Providers

Unless:

- Group plan of less

than 50 people ran

by the employer

- Government funded

programs that are

“not health plans”

Unless:

- Provider does not

have a “standard”

means of transaction

of health care

information

(ex: e-mail)

inclusion in the privacy rule2
Inclusion in the Privacy Rule

Health Plans

Health Care Providers

Health Care

Clearinghouses

Unless:

- Group plan of less

than 50 people ran

by the employer

- Government funded

programs that are

“not health plans”

Unless:

- Provider does not

have a “standard”

means of transaction

of health care

information

(ex: e-mail)

Unless:

- Clearinghouse is

action only as a

business associate

which doesn’t receive

personally identifiable

information

scope of phi
Scope of PHI
  • An individuals past, present, or future:
    • Physical heath condition
    • Mental health condition
    • Payment of health care
  • An individual health care provision.

…which there is a “reasonable basis to believe” the information is personally identifiable

… which isn’t an employee record held by the company of employment

principle of disclosure
Principle of Disclosure
  • The Privacy Rule establishes a list of acceptable and unacceptable ways to use PHI.
    • Privacy Rule attempts to be a ‘catch-all’ law for privacy
  • The Privacy Rule may be waived by a signature of a patient.
    • Q: How many things do you sign when you go to the doctor?
    • Q: Do you know what they say?
    • Q: Do you really have a choice to not sign then?
principle of disclosure part 2
Principle of Disclosure(Part 2)
  • The Privacy Rule does, however, ensure that individuals have access to the information stored about them.
    • Also allows HHS to view your medical records when they’re “undertaking a compliance investigation”
explicitly acceptable disclosures
Explicitly Acceptable Disclosures
  • Disclosure to the individual (required)
  • Disclosure to: (allowed without consent)
    • Treatment Operations
    • Payment Operations
    • Health Care Operations
explicitly acceptable disclosures1
Explicitly Acceptable Disclosures
  • Disclosures with “Opportunity to Object”
    • Ex: Directory of patients
    • Ex: Notifications
      • Family Members
      • Pharmacies
      • Law Enforcement (disaster relief, epidemic, etc)
  • Incidental disclosures
    • Disclosure as a result of a previous disclosure
explicitly acceptable disclosures2
Explicitly Acceptable Disclosures
  • Disclosure in Public Interest and Benefit Activities
    • Public Health (prevention or containment of a disease)
    • Employees where transmission of a dangerous disease was likely
    • Victims of abuse, neglect, violence, etc
    • Heath oversight activates and judicial proceedings
explicitly acceptable disclosures3
Explicitly Acceptable Disclosures
  • Disclosure in Public Interest and Benefit Activities (cont’d)
    • Law enforcement purposes
    • Decedents
    • Organ, eye, tissue donations
    • Research purposes
    • Serious threat to public safety
    • … and more…
authorized uses and disclosures
Authorized Uses and Disclosures
  • All other uses and disclosures of data but have explicit written authorization by the individual.
    • Q: Again, how many things do you sign when you go into a doctor for the first time?
authorized uses and disclosures1
Authorized Uses and Disclosures
  • Given examples:
    • Psychotherapy notes
    • Marketing
    • etc
minimum necessary clause
“Minimum Necessary” Clause
  • One of the central aspects of the entire Privacy Rule is that only the minimally necessary amount of PHI is disclosed.
minimum necessary clause1
“Minimum Necessary” Clause
  • However, the minimum necessary clause does not cover:
    • Health care providers for treatment
    • Individuals who is the subject of the information
    • Disclosures made pursuant to an authorization
    • Disclosure to HHS or required by law
    • Disclosure for HIPAA compliance reviews
other privacy rule conditions
Other Privacy Rule Conditions
  • Privacy Practice Notices
    • Provides the “privacy policy” of the health care institution
    • Must be easily accessible and a receipt (signature) must be on file from every patient that they had the chance to review the notice
  • Patient’s right to knowledge of disclosure, with cetain limitations.
other privacy rule conditions1
Other Privacy Rule Conditions
  • Confidential Communications
    • An individual may request communications be made only at a specific telephone number or a specific address.
    • Furthermore, they may request that information is sent in sealed envelopes rather than postcards or other unsecured mail
penalties
Penalties
  • HHS may impose monetary civil penalties for violations of the Privacy Rule:
    • $100 per failure to comply with a Privacy Rule requirement (up to $25,000/yr/company for violations of the same Privacy Rule requirement)
penalties1
Penalties
  • Criminal Penalties
    • Any person (a physical person or an incorporated company) who knowingly obtains or discloses PHI is in violation of HIPAA and faces:
      • Up to a $50,000 fine
      • Up to a one-year prison term
    • An intention to sell, transfer, or use PHI increase both the fine and the prison term
rational for adopting comprehensive privacy laws
Rational for Adopting Comprehensive Privacy Laws…
  • To remedy past injustices
  • To promote electronic commerce
    • “These countries recognize that consumers are uneasy with the increased availability of their personal data, particularly with new means of identification and forms of transactions.”
  • To ensure laws are consistent with Pan-European laws
oversight of privacy
Oversight of Privacy
  • EU Solution:
    • Leave it to the individual countries to have an independent enforcement body.
    • Often falls under the department which handles “freedom of information” in countries which do not adopt comprehensive laws
oversight isn t easy
Oversight isn’t easy…
  • Small budget
  • Budget cuts
  • Too few staffers
  • Too many complaints
data havens
“Data Havens”
  • Idea: If privacy laws prevents a person from storing the information they gather, why not ship it overseas?
    • Privacy laws now control the exporting of data.
    • Europe Directive (next slide)
data havens1
“Data Havens”
  • Europe Directive:
    • “The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if the third country in question ensures an adequate level of protection.”
    • Q: Who defines adequate?
    • Q: What should that standard be?
safe harbor agreement
Safe Harbor Agreement
  • Negotiations between the US and the EU to ensure that the United States has “adequate” privacy safegaurds.
    • Requires all signatory organizations “clear and conspicuous” notices of the kinds of information they collect, the purpose of what it’s used, and any third parties of whom the information might be disclosed to.
    • If information will be disclosed to a third party, an individual must be able to opt-out of that information collection.
safe harbor agreement1
Safe Harbor Agreement
  • … even more provisions …
    • “Sensitive” information requires that an individual opts-in to the collection and distribution to a third party.
    • And in any case, the third party must be a signatory of the Safe Harbor Agreement.
    • Originations must take measures to protect safety of the data, ability individuals must be able to to correct, amend, and delete inaccurate information.
problems with safe harbor
Problems with Safe Harbor…
  • Self-regulator
  • Non-transparent
  • EU Commission in 2002 looked into its success
    • Found that it helped protect privacy, but found numerous problems
    • Full report was due out in 2003
      • Shamed the United States
      • Didn’t reach far enough to end the Safe Harbor Agreement
slide40

“There are three elements in privacy: secrecy, anonymity and solitude. It is a state which can be lost, whether through the choice of the person in that state or through the action of another person”

- Ruth Gavison (Israel Democracy Institute)

article 2 who wrote it
Article 2: Who wrote it?
  • Privacy International
    • Privacy International (PI) is a human rights group formed in 1990 as a watchdog on surveillance and privacy invasions by governments and corporations. PI is based in London, England, and has an office in Washington, D.C. PI has conducted campaigns and research throughout the world on issues ranging from wiretapping and national security, to ID cards, video surveillance, data matching, medical privacy, and freedom of information and expression.
article 1 what s in hipaa that s not in the privacy rule
Article 1: What’s in HIPAA that’s not in the Privacy Rule?
  • Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.
    • Source: Centers for Medicare and Medicaid Services' (CMS)
article 1 what s in hipaa that s not in the privacy rule1
Article 1: What’s in HIPAA that’s not in the Privacy Rule?
  • Title II requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
hipaa1
HIPAA
  • “As a matter of linguistic-political criticism, many have noted that the Act did little to actually make health insurance more "portable" in the sense of preserving access to health care when an individual changes employers. Also, despite its many new rules on the sharing of medical information, the Act did not significantly increase health insurers' "accountability" for wrongdoing.”
    • WikiPedia
hipaa2
HIPAA
  • New York Times (April 21, 2005)
    • Author writes and asks the reader to imagine a hospital stay today and a hospital stay a year and a half from now.
    • Claims that the hospital stay today would be like the stay a year and a half from now if HIPAA wasn’t “forced” upon the “already overburdened” healthcare industry
hipaa3
HIPAA
  • The article we read came from the government, covers only the Privacy Rule, and doesn’t look at enforcement issues or its actual application to society.