Privacy
Privacy
The need for information privacy and protection has sparked some level of dedicated regulation in almost every country around the world. But rules, restrictions, and punitive measures vary from country to country. In the US, the confusion is further compounded by a growing number of state laws deriving chiefly from California SB 1386, as well as several pending federal privacy laws, each with its own definition of sensitive information. In addition, industry regulations, such as HIPAA privacy and security requirements and payment card industry (PCI) security standards put a further onus on companies to stay abreast of ever-changing and increasingly detailed requirements.
Privacy and Security Trade-offs
Privacy and security can be in conflict, requiring trade-offs between the two, or privacy can enhance security. For the collection of taxes it is in the interests of government if one's earnings and income are well known. On the other hand, that same information may be used to select someone or his family as a good target for kidnapping. In these narrow terms, one group's interest is to keep the information private. One of the goals of computer security is confidentiality. Identity theft, for example, is a security problem that is created from a lack of privacy or failure of confidentiality.
Privacy can also have free speech ramifications. In some countries privacy has been used as a tool to suppress free speech. One person's speech can sometimes be considered a violation of another's person's privacy. In various cases the US Supreme Court has ruled that the First Amendment trumps privacy. In Bartnicki v. Vopper, 532 U.S. 514 (2001) Docket Number: 99-1687, US Supreme Court ruled 6-3 that someone cannot be held liable in court for publishing or broadcasting intercepted contents of information, as long as that information is of public concern. Conversely, the Constitutional right to privacy is built in part on the First Amendment.
Census data is another area where such trade-offs become apparent. Accurate data are useful for planning future services (whether commercial or public sector), on the other hand, almost all censuses are released only in a way which does not allow identification of specific individuals. Often this is done by randomly altering the data and directly reducing accuracy.
On the other hand some trade-offs may be regarded as false by some observers. Identity card systems, which may reduce privacy, are often presented as a method of increasing security. More pragmatically, privacy sometimes is not maintained because there is a benefit provided by disclosure. For example, a potential employer is given a resume or curriculum vitae in order to evaluate someone's appropriateness for employment. Or, contact information, e-mail addresses most often, are provided in exchange for access to some useful information, like a "white paper".
Reasons for Not Maintaining Privacy
It has been reasoned that privacy discourages information sharing between individuals which in turn can lead to mistrust and intolerance among people and perpetuate false information. If information can be shared widely then facts can generally be verified through many different sources and there are less chances of inaccuracies. It has also been reasoned that privacy can perpetuate stigma and intolerance. The reasoning behind this is that restrictions on information about people can inhibit and discourage collection and finding of data that is required for an accurate analysis and discussion on the causes and root of the stigma and intolerance. Philosophers often ask how people can learn to accept each other if they cannot know about each other. Issues have also been raised that privacy can encourage criminal activity as it makes it easier for criminals to hide their unlawful activities.
GLBA Privacy Implications
HIPAA Privacy Implications
Health Insurance Portability and Accountability Act (HIPAA) regulations are divided into four Standards or Rules:
- Privacy
- Security
- Identifiers
- Transactions and Code Sets
The Privacy Rule is the most complex of the four, setting standards for how protected health information (PHI) "in any form or medium" should be controlled. (HIPAA's other rules cover only electronic information.) This Rule took effect in April 2003 for large entities, and a year later for small ones. (For details, see the HIPAA compliance calendar.)
Privacy Rule protections extend to every patient whose information is collected, used or disclosed by covered entities. It imposes responsibilities on the entire workforce of a covered entity -- including all employees and volunteers -- in order to secure those rights. It also requires contractual assurances for any business associates of health care institutions that handle health care information on a covered entity's behalf.
States have many laws and regulations that address health information. HIPAA adds its protections to those the states provide. In most cases, where state requirements are stricter they remain in force; HIPAA does not preempt them. Put differently, the Privacy Rule establishes a federal floor for health privacy, but not a ceiling.
In its most visible change, the Privacy Rule requires covered entities to provide patients with a Notice of Privacy Practices. The Notice must describe, in general terms, how organizations will protect health information, and specify the patient's right to:
gain access to and, if desired, obtain a copy of his/her own health records;
request corrections of errors that the patient finds (or include the patient's statement of disagreement if the institution believes the information is correct);
receive an accounting of how their information has been used (including a list of the persons and institutions to whom/which it has been disclosed);
request limits on access to, and additional protections for, particularly sensitive information;
request confidential communications (by alternative means or at alternative locations) of particularly sensitive information;
complain to the facility's privacy officer if there are problems; and
pursue the complaint with the US Department of Health and Human Services' Office of Civil Rights if the problems are not satisfactorily resolved.
A copy of the Privacy Notice must be provided the first time a patient sees a direct treatment provider, and any time thereafter when requested. On that first visit, treatment providers must also make a good faith effort to obtain a written acknowledgement, confirming that a copy of the Notice was obtained. Health plans and insurers must also provide periodic Notices to their customers, but do not need to secure any acknowledgement.
HIPAA requires no other documentation from the patient to use or disclose information for basic functions, like treatment and payment, or for a broad range of other core health care operations. State laws may nonetheless require some kind of consent/authorization form from the patient for these purposes. (It is common for institutions to claim, incorrectly, that HIPAA does.)
By contrast, the Privacy Rule does require that patients sign a supplemental authorization before information can be used for certain "extra" purposes like research, or certain kinds of marketing and fundraising. Health care institutions cannot condition treatment or payment for health care services on receiving a patient's authorization for such supplemental uses.
The general approach of the Rule beyond that is: If a person has a right to make a health care decision, then he/she has the right to control information associated with that decision. Children and those who are incompetent may have decisions about both health care and health information made by a personal representative. (Typically, the personal representative is the parent in the case of a child.)
HIPAA extends extra protections for especially sensitive information -- notably psychotherapy notes, which require a supplemental authorization for release. Genetic information issues are not yet addressed by HIPAA, nor does HIPAA extend any special protections to HIV, substance abuse or other information categories that often receive special treatment in state law.
Although the Privacy Rule is complicated (to put it mildly) it does have an overall scheme for its protections:
Uses for treatment, payment and a long list of other routine health care operations are covered by the "Notice" that patients acknowledge receiving;
A few particular kinds of uses -- notably for research, marketing or fundraising -- require a specific, separate written "authorization";
A few others require only an opportunity to agree or object orally, but no consent or authorization -- notably, this includes listing of patients in facility directories, and disclosures to those involved in a patient's care, such as family members. (It is common to get written authorization for this too, though it is not required.)
Beyond treatment, payment and health care operations, there is another broad category of uses and disclosures that are permitted without patients' permission.
This includes PHI uses and disclosures:
for public health activities;
about victims of abuse, neglect or domestic violence;
for health oversight activities;
for judicial or administrative proceedings;
for law enforcement;
about deceased persons (including organ and tissue donations);
for research, without any authorization, where permitted by an IRB or Privacy Board waiver;
to avert a serious, imminent threat to public safety;
certain specialized government functions (e.g., national security, military, corrections); or
anything else required by law.
Individuals would be entitled to an accounting of (some of) these disclosures, though that accounting might be temporarily suspended in certain circumstances.
Over and above all the categories, HIPAA imposes a very general rule on anyone who deals with protected health information: collection, use and disclosure should be no greater than necessary to complete a work-related task. For obvious reasons, this is called the minimum necessary standard.
The minimum necessary standard is partially waived for health practitioners engaged in treatment -- it still applies to treatment uses, but not to disclosures between/among practitioners. The regulations relax the requirement in part to avoid any possible interference in the daily practice of delivering health care.
Health care facilities are under an obligation to integrate a minimum necessary standard into their policies and procedures. That includes administrative rules as well as, where available, computer-enforced access controls.
Every covered entity must put in place general privacy policies that reflect HIPAA's requirements, and, if they are stricter, the requirements of state law. Those policies must include sanctions for employees that violate them, including termination for serious or repeated violations.
Institutions must designate a privacy officer, who will have the responsibility for enforcing the regulations, as well as supervising (or handling directly) the procedures to handle requests for information access, corrections to records, accountings of disclosures, processing complaints and so forth.
Institutions must also, as noted, include privacy requirements in their contracts with business associates. All employees (and volunteers) must be educated about privacy practices in a manner "appropriate" to their job responsibilities.
HIPAA includes substantial civil and criminal penalties for violations of its provisions, ranging from $100 per violation up to $250,000 and 10 years in prison. The harshest penalties attend deliberate misuse, particularly for sale or use of information for personal gain, commercial advantage or malicious harm.
Organizations
- American Civil Liberties Union (ACLU)
- Electronic Frontier Foundation (EFF)
- Electronic Privacy Information Center (EPIC)
- Privacy International
References
- Dennis Bailey, Open Society Paradox: Why The Twenty-first Century Calls For More Openness--not Less, Brasseys Inc (November, 2004), hardcover, 224 pages, ISBN 1-57488-916-8
- Judith Wagner DeCew, 1997, In Pursuit of Privacy: Law, Ethics, and the Rise of Technology, Ithaca: Cornell University Press
- Whitefield Diffie and Susan Landau, 2007, Privacy on the Line: The Politics of Wiretapping and Encryption, The MIT Press, ISBN 978-0-262-04240-6
- Ruth Gavison, "Privacy and the Limits of the Law," in Michael J. Gorr and Sterling Harwood, eds., Crime and Punishment: Philosophic Explorations (Belmont, CA: Wadsworth Publishing Co., 2000, formerly Jones and Bartlett Publishers, 1996), paperback, 552 pages, pp. 46-68
- Raymond Geuss, 2003, "Public Goods, Private Goods," Princeton: Princeton University Press
- Sven Ove Hansson and Elin Palm, eds., The Ethics of Workplace Privacy (SALTSA Reports, Work and Society Series nr 50), (Brussels: P.I.E.-Peter Lang), 2005, paperback, 186 pages, ISBN 90-5201-293-8
- Robert O Harrow, No Place To Hide: Behind The Scenes Of Our Emerging Surveillance Society, Free Press or Simon and Schuster (January, 2005), hardcover, 304 pages, ISBN 0-7432-5480-5
- Adam D. Moore, 2003, “Privacy: Its Meaning and Value” American Philosophical Quarterly 40: 215-227
- William Parent, 1983, “Privacy, Morality and the Law”, Philosophy and Public Affairs 12: 269-88
- K. A. Taipale, "Technology, Security and Privacy: The Fear of Frankenstein, the Mythology of Privacy, and the Lessons of King Ludd," 7 Yale J. L. & Tech. 123 ; 9 Intl. J. Comm. L. & Pol'y 8 (Dec. 2004) (arguing for incorporating privacy protecting features in the construction of information systems through value sensitive design)
- Judith Jarvis Thomson, "The Right to Privacy," in Michael J. Gorr and Sterling Harwood, eds., Crime and Punishment: Philosophic Explorations (Belmont, CA: Wadsworth Publishing Co., 2000, formerly Jones and Bartlett Publishers, 1995), 552 pages, pp. 34-46
- Perry Metzger (1993) A Parable. http://cypherpunks.venona.com/date/1993/04/msg00559.html
- David H. Holtzman, Privacy Lost: How Technology Is Endangering Your Privacy, Jossey-Bass (September, 2006), hardcover, 278 pages, ISBN 0-7879-8511-2
- A. Westin, 1967, Privacy and Freedom, New York: Atheneum
- Adams, Helen. "Privacy in the 21st Century". Libraries Unlimited, 2005
External References
- Tracks current news regarding developments as we speed towards a Big Brother society
- Green Hell - The Freedom and Survival blog/privacy
- Generally Accepted Privacy Principles
- Privacy Commission Privacy Watch Review (and other resources)
- Electronic Frontier Foundation digital rights NGO
- Electronic Privacy Information Center a public interest research center
- Privacy International UK-based International privacy NGO
- Privacy Spot privacy law blog
- The Privacy Place Research Center
- World Privacy Forum U.S. consumer education group
- Read Congressional Research Service (CRS) Reports regarding Privacy
- "The Right to Privacy" (Warren and Brandeis) the seminal law review article for U.S. privacy law
- OECD Guidelines on the Protection of Privacy describe principles behind many contemporary privacy laws
- Stanford Encyclopedia of Philosophy entry
- European Privacy Protection for Wikipedia Users on the blog of Jean-Baptiste Soufron
- Data Protection in the European Union, from the Directorate-General for Justice, Freedom and Security
- Genetic privacy and the law
- The condition of privacy in Italy
- European data protection and privacy law
- EU-IST news - IT security and privacy regulation - what is happening in Europe?
- Congress Erodes Privacy by Rep. Ron Paul, Ph.D.
- The Eternal Value of Privacy by Bruce Schneier from Wired magazine
- GlobalPOV Privacy and technology blog
- Proposal for a Privacy Protection Guideline on Secret Personal Data Gathering and Transborder Flows of Such Data in the Fight against Terrorism and Serious Crime by Marcel Stuessi
- Opt-Out of Personally Identifiable Information Sharing Sample letter from a non-profit consumer group to opt-out of information sharing by financial institutions under the Financial Services Modernization Act.
- MySecureCyberspace: a resource for home users created by Carnegie Mellon CyLab