Add to collection(s) Add to saved
  1. Science
  2. Biology
  3. Biochemistry
  4. Genetics

Medical and Workplace Privacy

advertisement 
Medical and Workplace
Privacy
Michael I. Shamos, Ph.D., J.D.
Institute for Software Research International
Carnegie Mellon University
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Outline
• Medical privacy stakeholders:
– patient
– heath care provider
– insurer
– federal government
– (sometimes) employer
– What is the basis for privacy?
• Workplace privacy stakeholders:
– employee
– employer
– basis for privacy?
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
U.S. Privacy Law
• Privacy law is a patchwork of state and federal statutes
and judicial decisions
• The Federal government has limited powers to protect
privacy
– “Interstate commerce” (Federal Trade Commission)
• There are three Federally protected categories of
personal data:
– financial (Gramm-Leech-Bliley)
– educational (FERPA)
– medical (HIPAA)
• Plus some narrow protections, e.g. video rental data
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Cliff Notes Version of HIPAA
• Covered Entities (healthcare providers, health plans,
insurance companies, healthcare clearinghouses)
• May Not Use or Disclose Protected Health
Information (PHI)
• Except with the Written Consent or Authorization of
the Employee
• Or Unless Required or Permitted by Law
• or to the Minimum Extent Necessary or Allowed to
Accomplish the Purpose of Treatment
SOURCE: LITTLER, MENDELSON
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Protected Health Information (PHI)
• Information created or received by a health plan or
healthcare provider; and
• Relates to the condition or care of an individual; or
• Relates to the payment for care; and
• Permits identification of the individual (or creates a
reasonable basis upon which to identify the
individual)
45 CFR §164.501
SOURCE: LITTLER, MENDELSON
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
HIPAA: Health Insurance Portability and
Accountability Act of 1996
•
A covered entity may not use or disclose protected
health information, except as permitted or required …
–
–
–
–
pursuant to … a consent … to carry out treatment, payment,
or health care operations
pursuant to … an authorization
pursuant to … an agreement (opt-in)
[other provisions]
45 CFR §164.502
•
Health information that meets … specifications for deidentification … is considered not to be individually
identifiable health information
45 CFR §164.502(d)
Compliance deadline was April 14, 2003
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
REGULATIONS
COPYRIGHT © 2004 MICHAEL I. SHAMOS
De-Identification
•
•
•
•
•
•
•
•
•
•
•
•
A covered entity may determine that health information is not individually
identifiable only if: … the following identifiers of the individual or of relatives,
employers, or household members of the individual are removed:
Names;
All geographic subdivisions smaller than a State, including street address, city,
county, precinct, zip code, …, except for the initial three digits of a zip code if …
All elements of dates (except year) for dates directly related to an individual,
including birth date, admission date, discharge date, date of death; and all ages
over 89…
Telephone numbers; Fax numbers; email addresses; URLs; IP addresses
Social security numbers; Medical record numbers; Health plan beneficiary
numbers; Account numbers;
Certificate/license numbers; vehicle identifiers, serial numbers, plate numbers;
Device identifiers and serial numbers;
Biometric identifiers, including finger and voice prints;
Full face photographic images and any comparable images; and
Any other unique identifying number, characteristic, or code; and
The covered entity does not have actual knowledge that the information could be
used alone or in combination with other information to identify an individual who
is a subject of the information.
45 CFR §164.514
Wrongful Disclosure Under HIPAA
•
•
•
•
•
A person who knowingly … uses or causes to be used a unique
health identifier;
obtains individually identifiable health information relating to an
individual; or discloses individually identifiable health information
to another person,
shall be fined not more than $50,000, imprisoned not more than
1 year, or both;
if the offense is committed under false pretenses, be fined not
more than $100,000, imprisoned not more than 5 years, or both;
and
if the offense is committed with intent to sell, or use information
for commercial advantage, or malicious harm, be fined not more
than $250,000, imprisoned not more than 10 years, or both
42 U.S.C. §1320d-6
BUT: no private lawsuit
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Genetic Privacy
• Federal Executive Order 13145 (Clinton)
– “Nondiscrimination in Federal Employment on the Basis of
Protected Genetic Information”
• State
– Cal Gov Code § 12940 (Unlawful employment practices)
• It shall be an unlawful employment practice … for an
employer ... to subject, directly or indirectly, any
employee, applicant, or other person to a test for the
presence of a genetic characteristic.
– Cal Gov Code § 10148 (Test for genetic characteristic)
• No insurer shall require a test for the presence of a
genetic characteristic for the purpose of determining
insurability other than for those policies that are
contingent on review or testing for other diseases or
medical conditions
SOURCE: KARL MANHEIM, LAWRENCE SLOCUM
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Employee Polygraph Protection Act
• Make it illegal for an employer in interstate
commerce to require an employee or prospective
employee to take a lie detector test
• to use the results of a lie detector test
• to use the refusal to take a test to discharge the
employee
• Exceptions:
– governments
– employer investigations of theft where the em,oyer has
reasonable suspicions the employee was involved
– security personnel
29 U.S.C. §2002
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
O’Connor vs. Ortega, 480 U.S. 709
(1987)
• Search warrants not needed by employers
• Executive director O’Connor of a public hospital
suspected Dr. Ortega of management improprieties
• Search his office and found incriminating evidence
• Was his expectation of privacy violated?
• Reality of workplace may vitiate some expectations
Standard of “reasonableness” is sufficient for workrelated intrusions by public employers
• 5-4 decision by the Supreme Court
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Skinner vs. Railway Labor Executives
Assoc., 489 U.S. 602 (1989)
• Federal Railroad Administration (FRA) implemented
regulations requiring mandatory blood and urine tests
of employees involved in certain train accidents
• Expectations of privacy by employees engaged in an
industry regulated to ensure safety are diminished
• Testing procedures pose only limited threats
• Rights of the individual are superseded by the rights
of the organization to conduct business.
• Government's interest in assuring safety on the
nation's railroads constitutes a “special need”
SOURCE: CAYLEN TICHENOR
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
U.S. vs. Simons, 206 F.3d 392 (4th Cir. 2000)
• Simons was a subcontractor to the CIA.
• Agency policy stated:
– employees could use Internet for official government
business only
– Accessing unlawful material prohibited
– Agency would conduct electronic audits to ensure
compliance
• Firewall detected queries containing “sex” from
Simon’s computer
• Simons’ office and computer were searched; child
porno found; Simons tried and convicted
• Employee cannot maintain expectation of privacy
when there is a monitoring policy in place.
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Computer Surveillance
• In general, surveillance by the employer is legal if
– the computer being monitored belongs to the employer; or
– the computer is connected to the employer’s network; and
– even if communications are encrypted
• McLaren v. Microsoft Corp.,
No. 05-97-00824 (Tex. Ct. App. May 28, 1999).
– Employee used private password to encrypt email messages
stored on office computer.
– Company decrypted and viewed files.
– Email account and workstation were provided for business
use, so Microsoft could legitimately access data stored there.
• Notice of Electronic Monitoring Act (CT)
– Versions introduced in other states and Congress
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Office Snooping?
• Doe v. SEPTA, 72 F.3d 1133 (3d Cir. 1995)
• Doe (not identified in the case) was awarded
$125,000 when his co-employees learned from his
prescription records he has being treated for AIDS
• Appeals court reversed
• The information was learned in a routine audit of the
company’s health plan for fraud, drug abuse, and
excessive costs
• No prohibition against employers making use of
medical records in employment decisions
• All co-employees had a “need to know”
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Phone Calls and Email
• Omnibus Crime Control Act of 1968 prohibits
monitoring of employee phone calls unless
– it occurs in the regular course of business; or
– the employee consents to the monitoring
• 1986 Electronic Communications and Privacy Act
– Allows employers the same access to employee
emails on the job
– If employees are informed that their emails can
and will be monitored there is no reasonable
expectation of privacy
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Tiberino v. Spokane County
13 P.3d 1104 (2000)
• Gina Tiberino worked for Spokane County, WA
• She misused her office computer for personal email
and was fired
• She threatened to sue; Spokane printed out her email
(551 messages; 467 were personal)
• The media requested copies
• Tiberino sued to prevent disclosure
• Held, the emails were “public records” but the
contents were exempt from disclosure. The fact of
the emails, not their contents, were of public interest
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Q&A
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Texas Privacy Laws
• Texas Health and Safety
Code §611.000
• Texas Medical Privacy Act
• Texas Labor Code
– HIV
– Genetic testing
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Texas Medical Practices Act
Prohibits access to computerized
records of a “confidential
communication” between a
physician and patient
– Without consent
– Authorized purposes
– May be released if relevant to civil action for
monetary damages
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Passage of HIPAA in 1996
• At the time of the passage of HIPAA there
was no federal protection for the privacy of
medical records except for:
– Privacy Act of 1974
• Does not cover records held by private entities
– Americans with Disabilities Act
• Does not cover the nondisabled or the disabled in many
situations
• Doe v. Septa case is a real eye-opener
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Future Privacy Issues
– In the future, medical privacy is only going to get
more difficult to secure
• There is a trend toward larger and larger medical
databases of computerized medical records
– Computerized records radically lower the costs of
acquiring, storing, and integrating medical records
– DNA testing probably has the greatest potential for
treatment breakthroughs
– DNA results in the medical records could have more
damaging effects on future insurability and employability
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Need For Reform
• Much of HIPAA is devoted to the privacy of
medical records
– Since HIPAA was passed the issue of health
insurance portability has receded while concern
about privacy of medical records has increased
• Federal government is dealing with privacy
issues on several fronts, most notably, on the
Internet
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
HIPAA-Mandated Rule
• When HIPAA was passed it was anticipated
that Congress would enact privacy legislation
– Congress was given until August 21, 1999
– That deadline came and went and HHS was
required to promulgate its own regulations
– These regulations became law in April of 2001.
• Actual implementation is scheduled to take place in
phases several years from now--a minimum of 2 years
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
HIPAA Rule: Goals of HHS
• The goals of HHS HIPAA Regs. are an
adaptation of the FTC Fair Information
Principles
– Allow for free flow of medical information to
promote treatment, payments, and healthcare
operations
– Prohibit secondary uses of medical information
unless authorized by the subject of the info
– Allow individuals access to their own records and
give them an opportunity to correct errors
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Goals of HIPPA Regs.
• Continuing with the goals of the HIPAA Rule:
– Allow individuals to know who is using their health
information and how it is being used
– Require persons who hold identifiable health
information to safeguard that information from
inappropriate use or disclosure
– Hold those who store health information
accountable for their handling of the information
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Rules of Thumb
– HIPAA limits jurisdiction of HHS Rule to “covered
entities”
• Healthcare providers, health plans (insurance companies
are included), and healthcare clearinghouses
• HHS laments its lack of ability to totally control electronic
transfer of health information
• HHS develops the “business partner” concept for those
that receive medical information from a covered entity
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
HIPAA Rules
• Protected healthcare information could be
transferred within covered entities without
authorization of the patient if
– The transfers were for the purpose of facilitating
treatment, payment, or healthcare operations
– Special protections are provided for notes of
psychotherapist
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
HIPAA Rules
– Other transfers of health information would require
authorization of the patient except if:
• The transfer of information fell into one of 12 designated
categories:
• Oversight of the healthcare system, public health,
medical research, law enforcement, emergency
situations, government health data systems, financial
payment plans through banks that facilitate credit cards,
and where state law requires disclosure
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Workplace Privacy
• Governmental employer: O’Connor v. Ortega
– Balance right of employee to privacy against employers’ needs for
supervision, control and the efficient operation of the workplace
• Private employer
– Use same balancing test
•
•
•
•
Nardinelli et al., v. Chevron: harassing emails
Blakey v. Continental Airlines: bulletin board offsite
Michael A. Smyth v. Pillsbury Company: employee’s email
McLaren v. Microsoft: employee’s having password did not give him
protection
SOURCE: WEST LEGAL STUDIES
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Impact of the ECPA on Workplace Privacy
• Robert Konop v. Hawaiian Airlines
– Posted messages on his password-protected bulletin
board
– One of his users with a password gave the password to
a third party
– Third party went online and viewed Robert’s BB
• Ct.: no violation of Title I, no interception
• Violation of Title II, not authorized use to give password to
third party
SOURCE: WEST LEGAL STUDIES
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Workplace Privacy
• Needs of the business outweigh the privacy of the
individual.
• Burden of proof is on employee.
• Must prove “invasiveness.”
• If there is no “reasonable expectation of privacy”
there is no fourth amendment protection.
SOURCE: CAYLEN TICHENOR
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Employer Eavesdropping
• Employers cannot eavesdrop on private phone calls.
• Federal law does allow unannounced monitoring for
business related calls.
• If employer provides notice of monitoring and that
communication systems shall be used for business
purposes only monitoring of voice mail and email is
permissible.
SOURCE: CAYLEN TICHENOR
17-801 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Related documents
Privacy Confidentiality Minor
Privacy Confidentiality Minor
“Contrasting the early 19th versus early 21st Centuries”
“Contrasting the early 19th versus early 21st Centuries”
Central Missouri Cardiovascular Associates P
Central Missouri Cardiovascular Associates P
ADVANCED CARE OB/GYN HIPAA PRIVACY NOTICE CONSENT
ADVANCED CARE OB/GYN HIPAA PRIVACY NOTICE CONSENT
IAPP presentation - International Association of Privacy Professionals
IAPP presentation - International Association of Privacy Professionals
Download
advertisement