From HORSE - Holistic Operational Readiness Security Evaluation.


The need for information privacy and protection has sparked some level of dedicated regulation in almost every country around the world. But rules, restrictions, and punitive measures vary from country to country. In the US, the confusion is further compounded by a growing number of state laws deriving chiefly from California SB 1386, as well as several pending federal privacy laws, each with its own definition of sensitive information. In addition, industry regulations, such as HIPAA privacy and security requirements and payment card industry (PCI) security standards put a further onus on companies to stay abreast of ever-changing and increasingly detailed requirements.

Data Privacy Around the World

For a more in-depth view of data privacy around the world, see Data_Privacy_Laws_and_Regulations.

Privacy and Security Trade-offs

Privacy and security can be in conflict, requiring trade-offs between the two, or privacy can enhance security. For the collection of taxes it is in the interests of government if one's earnings and income are well known. On the other hand, that same information may be used to select someone or his family as a good target for kidnapping. In these narrow terms, one group's interest is to keep the information private. One of the goals of computer security is confidentiality. Identity theft, for example, is a security problem that is created from a lack of privacy or failure of confidentiality.

Privacy can also have free speech ramifications. In some countries privacy has been used as a tool to suppress free speech. One person's speech can sometimes be considered a violation of another person's privacy. In various cases the US Supreme Court has ruled that the First Amendment trumps privacy. In Bartnicki v. Vopper, 532 U.S. 514 (2001), Docket Number 99-1687, the US Supreme Court ruled 6-3 that someone cannot be held liable in court for publishing or broadcasting the intercepted contents of a communication, as long as that information is of public concern. Conversely, the Constitutional right to privacy is built in part on the First Amendment.

Census data is another area where such trade-offs become apparent. Accurate data are useful for planning future services (whether commercial or public sector); on the other hand, almost all censuses are released only in a form that does not allow identification of specific individuals. Often this is done by randomly perturbing the data, which directly reduces its accuracy.

On the other hand, some trade-offs may be regarded as false by some observers. Identity card systems, which may reduce privacy, are often presented as a method of increasing security. More pragmatically, privacy sometimes is not maintained because disclosure provides a benefit. For example, a potential employer is given a resume or curriculum vitae in order to evaluate someone's suitability for employment. Or contact information, most often an e-mail address, is provided in exchange for access to some useful information, such as a "white paper".

Reasons for Not Maintaining Privacy

It has been reasoned that privacy discourages information sharing between individuals, which in turn can lead to mistrust and intolerance among people and perpetuate false information. If information can be shared widely, then facts can generally be verified through many different sources and there are fewer chances of inaccuracy. It has also been reasoned that privacy can perpetuate stigma and intolerance. The reasoning behind this is that restrictions on information about people can inhibit and discourage the collection of data required for an accurate analysis and discussion of the root causes of the stigma and intolerance. Philosophers often ask how people can learn to accept each other if they cannot know about each other. It has also been argued that privacy can encourage criminal activity, as it makes it easier for criminals to hide their unlawful activities.

Legal Implications

GLBA Privacy Implications

GLBA compliance is mandatory; whether or not a financial institution discloses nonpublic information, there must be a policy in place to protect the information from foreseeable threats to security and data integrity. The major components put in place to govern the collection, disclosure, and protection of consumers' nonpublic personal information (personally identifiable information) are:

Financial Privacy Rule

The Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer's right to opt out of the information being shared with unaffiliated parties per the Fair Credit Reporting Act. Should the privacy policy change at any point in time, the consumer must be notified again for acceptance. Each time the privacy notice is reestablished, the consumer has the right to opt out again. The unaffiliated parties receiving the nonpublic information are held to the acceptance terms of the consumer under the original relationship agreement. In summary, the Financial Privacy Rule provides for a privacy policy agreement between the company and the consumer pertaining to the protection of the consumer's personal nonpublic information.

HIPAA Privacy Implications

The Privacy Rule is the most complex of the four, setting standards for how protected health information (PHI) "in any form or medium" should be controlled. (HIPAA's other rules cover only electronic information.) This Rule took effect in April 2003 for large entities, and a year later for small ones. (For details, see the HIPAA compliance calendar.) Privacy Rule protections extend to every patient whose information is collected, used or disclosed by covered entities. It imposes responsibilities on the entire workforce of a covered entity -- including all employees and volunteers -- in order to secure those rights. It also requires contractual assurances for any business associates of health care institutions that handle health care information on a covered entity's behalf. States have many laws and regulations that address health information. HIPAA adds its protections to those the states provide. In most cases, where state requirements are stricter they remain in force; HIPAA does not preempt them. Put differently, the Privacy Rule establishes a federal floor for health privacy, but not a ceiling.

In its most visible change, the Privacy Rule requires covered entities to provide patients with a Notice of Privacy Practices. The Notice must describe, in general terms, how organizations will protect health information, and specify the patient's right to:

  • Gain access to and, if desired, obtain a copy of his or her own health records
  • Request corrections of errors that the patient finds (or include the patient's statement of disagreement if the institution believes the information is correct)
  • Receive an accounting of how their information has been used (including a list of the persons and institutions to whom or which it has been disclosed)
  • Request limits on access to, and additional protections for, particularly sensitive information
  • Request confidential communications (by alternative means or at alternative locations) of particularly sensitive information
  • Complain to the facility's privacy officer if there are problems
  • Pursue the complaint with the US Department of Health and Human Services' Office for Civil Rights if the problems are not satisfactorily resolved

A copy of the Privacy Notice must be provided the first time a patient sees a direct treatment provider, and any time thereafter when requested. On that first visit, treatment providers must also make a good faith effort to obtain a written acknowledgment, confirming that a copy of the Notice was obtained. Health plans and insurers must also provide periodic Notices to their customers, but do not need to secure any acknowledgment.

HIPAA requires no other documentation from the patient to use or disclose information for basic functions, like treatment and payment, or for a broad range of other core health care operations. State laws may nonetheless require some kind of consent or authorization form from the patient for these purposes. (It is common for institutions to claim, incorrectly, that HIPAA does.)

By contrast, the Privacy Rule does require that patients sign a supplemental authorization before information can be used for certain "extra" purposes like research, or certain kinds of marketing and fund raising. Health care institutions cannot condition treatment or payment for health care services on receiving a patient's authorization for such supplemental uses.

The general approach of the Rule beyond that is: If a person has a right to make a health care decision, then he or she has the right to control information associated with that decision. Children and those who are incompetent may have decisions about both health care and health information made by a personal representative. (Typically, the personal representative is the parent in the case of a child.) HIPAA extends extra protections for especially sensitive information -- notably psychotherapy notes, which require a supplemental authorization for release. Genetic information issues are not yet addressed by HIPAA, nor does HIPAA extend any special protections to HIV, substance abuse or other information categories that often receive special treatment in state law.

Although the Privacy Rule is complicated (to put it mildly) it does have an overall scheme for its protections:

  • Uses for treatment, payment and a long list of other routine health care operations are covered by the "Notice" that patients acknowledge receiving
  • A few particular kinds of uses -- notably for research, marketing or fund raising -- require a specific, separate written "authorization"
  • A few others require only an opportunity to agree or object orally, but no consent or authorization -- notably, this includes listing of patients in facility directories, and disclosures to those involved in a patient's care, such as family members. (It is common to get written authorization for this too, though it is not required)

Beyond treatment, payment and health care operations, there is another broad category of uses and disclosures that are permitted without patients' permission.

This includes PHI uses and disclosures:

  • For public health activities
  • About victims of abuse, neglect or domestic violence
  • For health oversight activities
  • For judicial or administrative proceedings
  • For law enforcement
  • About deceased persons (including organ and tissue donations)
  • For research, without any authorization, where permitted by an IRB or Privacy Board waiver
  • To avert a serious, imminent threat to public safety
  • For certain specialized government functions (e.g., national security, military, corrections)
  • Anything else required by law

Individuals would be entitled to an accounting of (some of) these disclosures, though that accounting might be temporarily suspended in certain circumstances.

Over and above all the categories, HIPAA imposes a very general rule on anyone who deals with protected health information: collection, use and disclosure should be no greater than necessary to complete a work-related task. For obvious reasons, this is called the minimum necessary standard. The minimum necessary standard is partially waived for health practitioners engaged in treatment -- it still applies to treatment uses, but not to disclosures between or among practitioners. The regulations relax the requirement in part to avoid any possible interference in the daily practice of delivering health care.

Health care facilities are under an obligation to integrate a minimum necessary standard into their policies and procedures. That includes administrative rules as well as, where available, computer-enforced access controls. Every covered entity must put in place general privacy policies that reflect HIPAA's requirements and, if they are stricter, the requirements of state law. Those policies must include sanctions for employees who violate them, including termination for serious or repeated violations.
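The following is an added illustration, not code from the HORSE page, of what a computer-enforced minimum necessary control and the accounting of disclosures described above might look like: each purpose of use is mapped to the fields it needs, the practitioner-to-practitioner treatment waiver releases the full record, psychotherapy notes and research access are held back without a supplemental authorization or waiver, and every release is logged so an accounting can be produced per patient. The purposes, roles, field sets and sample record are constructed assumptions for the example, not values defined by HIPAA.

```python
from dataclasses import dataclass, field

# Constructed policy for this example: the fields each purpose legitimately
# needs. A covered entity defines its own minimum-necessary field sets.
MINIMUM_NECESSARY = {
    "payment":    {"patient_id", "dates_of_service", "procedure_codes", "insurer"},
    "scheduling": {"patient_id", "name", "phone"},
    "research":   {"age_band", "diagnosis"},   # no direct identifiers
}
PRACTITIONER_ROLES = {"physician", "nurse"}
EXTRA_PROTECTED = {"psychotherapy_notes"}      # needs a separate authorization
NEEDS_AUTHORIZATION = {"research"}             # or an IRB / Privacy Board waiver

class NotPermitted(Exception):
    """The requested use or disclosure has no policy basis."""

@dataclass
class DisclosureLog:
    """Accounting of disclosures: who received which fields, and why."""
    entries: list = field(default_factory=list)

    def accounting_for(self, patient_id):
        return [e for e in self.entries if e["patient_id"] == patient_id]

def disclose(record, requester, role, purpose, log, authorized=False):
    """Release only the minimum necessary fields and log the disclosure."""
    if purpose == "treatment" and role in PRACTITIONER_ROLES:
        # Minimum necessary does not apply to treatment disclosures between
        # practitioners, so the whole record may be shared.
        allowed = set(record)
    elif purpose in MINIMUM_NECESSARY:
        if purpose in NEEDS_AUTHORIZATION and not authorized:
            raise NotPermitted(f"{purpose} requires authorization or a waiver")
        allowed = MINIMUM_NECESSARY[purpose]
    else:
        raise NotPermitted(f"no policy covers purpose {purpose!r}")
    if not authorized:
        allowed = allowed - EXTRA_PROTECTED    # psychotherapy notes held back
    released = {k: v for k, v in record.items() if k in allowed}
    log.entries.append({"patient_id": record["patient_id"], "to": requester,
                        "purpose": purpose, "fields": sorted(released)})
    return released

# Constructed sample record (not real PHI).
SAMPLE = {"patient_id": "P-0001", "name": "A. Example", "phone": "555-0100",
          "dates_of_service": ["2023-01-05"], "procedure_codes": ["99213"],
          "insurer": "ExampleCare", "diagnosis": "J06.9", "age_band": "40-49",
          "psychotherapy_notes": "constructed note text"}
```

A payment request sees only billing fields, a physician treating the patient sees everything except the psychotherapy notes, and `log.accounting_for("P-0001")` lists each release.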

Institutions must designate a privacy officer, who will have the responsibility for enforcing the regulations, as well as supervising (or handling directly) the procedures to handle requests for information access, corrections to records, accountings of disclosures, processing complaints and so forth. Institutions must also, as noted, include privacy requirements in their contracts with business associates. All employees (and volunteers) must be educated about privacy practices in a manner "appropriate" to their job responsibilities.
