e-Gov Privacy

Privacy and Public Access
Wednesday, October 6, 2004
Dino Tsibouris
dino.tsibouris@mt-law.com
(614) 228-9707
October 22, 2003
A Tough Lesson on Medical Privacy
BY DAVID LAZARUS
"Your patient records are out in the open... so you better track that
person and make him pay my dues."
A woman in Pakistan doing cut-rate clerical work for UCSF Medical
Center threatened to post patients' confidential files on the Internet
unless she was paid more money.
The violation of medical privacy - apparently the first of its kind - highlights the danger of "offshoring" work that involves sensitive
materials.
Why Have a Privacy Policy?
The Federal Trade Commission (“FTC”) permits
companies to use information obtained from
consumers to the extent they adequately disclose their
practices.
The FTC is particularly concerned with preventing unfair
or deceptive acts or practices “in or affecting
commerce.”
Why Have a Privacy Policy?
The FTC Proposed Legislation.
Notice: Required clear and conspicuous notice of the company’s information
practices;
Choice: Required that consumers be permitted to choose how their personal
identifying information is used beyond the use for which the information was provided;
Access: Required companies to provide reasonable access to the information the
website collected about them, including a reasonable opportunity to review
information and to correct inaccuracies or delete information;
Security: Required companies to take reasonable steps to protect the security of the
information they collect from consumers.
Why Have a Privacy Policy?
Industry Proposes Self-Regulation.
The Online Privacy Alliance
AOL Time Warner; Apple Computer; AT&T; Boeing; Compaq; Dell; DoubleClick Inc.; EarthLink, Inc; eBay, Inc;
EDS; Equifax; Ernst and Young; Experian; Guardent; IBM; Intuit; Keylime Software, Inc.; Microsoft;
PricewaterhouseCoopers; Reed Elsevier; SAS Institute Inc.; Sun Microsystems; Verizon Communications;
Websidestory, Inc.; WorldCom; Yahoo!; American Advertising Federation; American Institute of Certified Public
Accountants; Association for Competitive Technology; Business Software Alliance; Association of National
Advertisers; American Association of Advertising Agencies; Center for Information Policy Leadership;
Electronic Retailing Association; Information Technology Association of America; Interactive Digital Software
Association; Internet Alliance; Motion Picture Association of America; Software & Information Industry
Association; The United States Chamber of Commerce; The United States Council for International Business.
Why Have a Privacy Policy?
Industry Proposes Self-Regulation.
• Adoption and Implementation of a Privacy Policy
• Notice and Disclosure
• Choice/Consent
• Data Security
• Data Quality and Access
Privacy Expectations in the Public Sector
• Citizens expect privacy of information collected online
• 57% of people surveyed would sacrifice some online
privacy to assist law enforcement (Council for Excellence in
Gov’t, Nov. 2001).
Privacy Expectations in the Public Sector
• Oregon Department of Transportation Website
• Personal Information and Nondisclosure
Most information collected by state government is assumed to be
open to the public unless specifically exempted. ORS Chapter
192 contains the Oregon Public Records Law. Under this law,
individuals are permitted to request that public officials not
disclose a public record that contains their home address and
telephone number under certain circumstances. ORS 192.445
specifies how to request non-disclosure.
• http://www.oregon.gov/ODOT/CS/ODOTEGOV/PrivacyandInformationDisclosureNotice.shtml
Privacy Expectations in the Public Sector
• Oregon Department of Transportation Website
• Public Disclosure: All information collected at this site becomes
a public record unless an exemption in law exists. ORS Chapter
192 contains the Oregon Public Records Law.
• In the State of Oregon, laws exist to ensure that government is
open and that the public has a right to access appropriate records
and information possessed by state government. At the same
time, there are exceptions to the public's right to access public
records that serve various needs including the privacy of
individuals. Both state and federal laws provide exceptions.
• http://www.oregon.gov/ODOT/CS/ODOTEGOV/PrivacyandInformationDisclosureNotice.shtml
Privacy Expectations in the Public Sector
• Third party service providers and gateways
• ASP
• Payment providers
Privacy Expectations in the Public Sector
• NYC.gov: Third Party Links
• NYC.gov provides links to, and may be linked from, local, State
and federal government agencies, and from, or to, other websites.
The existence and/or provision of those links neither constitutes
nor implies endorsement of the destination or departure
website(s) or of the content, viewpoint, accuracy, opinions,
policy(ies), product(s), accessibility or privacy policy of said
destination or departure website(s). Nor does any link between
NYC.gov and a third-party website imply sponsorship of such
website, or the creator of such website.
Privacy Expectations in the Public Sector
• NYC.gov: Third Party Links
• Some content on portions of NYC.gov resides on
servers run by third parties. Each agency providing
content for NYC.gov is bound by NYC.gov's privacy
policy. Any agency using a third-party host, ISP, ASP or
other combination of third-party transport, storage,
content or application provision services shall be
responsible for such third party's compliance with
NYC.gov's privacy policy.
Gramm-Leach-Bliley Act (1999)
Financial Institutions
• Banks
• Credit Unions
• Brokers
• State Schools that make student loans
Gramm-Leach-Bliley Act (1999)
Privacy
• Regulates collection and sharing of nonpublic
personal information
• Consumers vs. customers
• FI cannot share PI with an unrelated company unless
it first provides a notice allowing the individual to opt out of sharing
Gramm-Leach-Bliley Act (1999)
Privacy
• Senior level policy required
• Privacy executive or committee
• Different from FCRA (credit reporting)
Gramm-Leach-Bliley Act (1999)
Privacy
Exemptions
• Agents
• Service providers
• PI used to enforce a transaction
• Consent
Gramm-Leach-Bliley Act (1999)
Security
• Must use reasonable security measures
• Regulations governing technical measures
• Must limit access to necessary employees
• Agents must promise to keep information secure and
confidential
Gramm-Leach-Bliley Act (1999)
Considerations from Banking
• OCC Advisory Opinion AL 2004-09
• E-sign merely creates records
• Only a starting point
• Litigation rules - Admissibility
• Audit requirements - COBIT
• Regulatory compliance
Health Insurance Portability and
Accountability Act of 1996
• Standards for electronic exchange of health
information
• Rules to protect privacy of health information
• Rules to protect against threats, hazards or
unauthorized access to health information
HIPAA
Protected Health Information (PHI)
• Individually Identifiable Health Information
• Electronic, paper, oral
• Created or received by a health care provider,
health plan, employer or health care clearinghouse
HIPAA
Individually Identifiable Health Information
• Related to an individual; the provision of health
care to an individual; or payment for health care
• and that identifies the individual
HIPAA
Patient Rights
• Request restrictions on uses and disclosures of
health information
• Obtain documentation of disclosures
• Inspect and copy health information
• Request amendment of health information
• File a complaint of non-compliance
HIPAA
Provide written notice of privacy policy
• Explain uses and disclosures of health information
and give examples
• Describe the individual’s rights
• Make a good faith effort to obtain a written
acknowledgment of the patient’s receipt of the
notice at the time of first service delivery
HIPAA
• Must designate a privacy official
• Must establish privacy and security policies
• Must train all personnel that may contact PHI
• Must ensure staff informed when policy is changed
• Must have a process to resolve complaints
HIPAA
• Must adopt written security procedures
• Maintain reasonable and appropriate administrative,
technical, and physical safeguards
HIPAA
• NYC.Gov
• Health Care Information
Any agency providing personally identifiable health care
information via NYC.gov will be required to certify that its health
care data handling and security procedures are compliant with
the Health Insurance Portability and Accountability Act of 1996
("HIPAA"). If such data and security services are provided to
such agency(ies) by a third-party provider, the agency(ies) shall
be responsible for such third party's compliance with HIPAA.
• http://www.nyc.gov/portal/index.jsp?epi_menuItemID=b52b1c491d03e607a62fa24601c789a0&epi_menuID=27579af732d48f86a62fa24601c789a0&epi_baseMenuID=27579af732d48f86a62fa24601c789a0
State Law
• Online access to court and civil records
• Privacy becomes personal
• Identity theft
Florida
• Online access to court records
– Triggered backlash of concern over privacy rights and
ID theft
– Civil and criminal documents banned from online
posting until Supreme Court committee review
– Probably will not happen for July, 2005
Florida
• Proposals:
– Changing the amount of information collected
– Barring access online
– Assigning users unique ID numbers
– Imposing a waiting period for access to court
information
Florida
• Driver Privacy Protection Act (“DPPA”)
– Limits public access to social security numbers,
driver license or identification card numbers,
names, addresses, telephone numbers, and
medical or disability information contained in motor
vehicle and driver license records.
– Personal information protected under DPPA does not
include "vehicular crashes, driving violations, and
driver's status."
Florida
• Driver Privacy Protection Act (“DPPA”) permits access for:
• Auto manufacturers conducting a recall of parts or vehicles
• Government agencies or credentialed private investigators
• A legitimate business verifying information for employment
• Insurance agencies
• Towing companies
• Companies obtaining information about their drivers
• A person or agency with written permission
California
• California Online Privacy Protection Act
– Applies to website operators that collect personal
information from California residents
– Requires the web site operator to “conspicuously
post” a privacy policy
– Policy must describe method of collection and use of
information
– Must provide method to correct information on file