Add to collection(s) Add to saved
  1. Social Science
  2. Law

Medical and Workplace Privacy

advertisement 
Medical and Workplace
Privacy
Michael I. Shamos, Ph.D., J.D.
Institute for Software Research International
Carnegie Mellon University
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
Outline
• Medical privacy stakeholders:
– patient
– heath care provider
– insurer
– federal government
– (sometimes) employer
– what is the basis for privacy?
• Workplace privacy stakeholders:
– employee
– employer
– what is the basis for privacy?
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
U.S. Privacy Law
• Privacy law is a patchwork of state and federal statutes
and judicial decisions. There is little consistency
• The Federal government has limited powers to protect
privacy
– “Interstate commerce” (Federal Trade Commission)
• There are three Federally protected categories of
personal data:
– financial (Gramm-Leech-Bliley)
– educational (FERPA)
– medical (HIPAA)
• Plus some narrow protections, e.g. video rental data
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
Cliff Notes Version of HIPAA
• Covered Entities (healthcare providers, health plans,
insurance companies, healthcare clearinghouses)
• May Not Use or Disclose Protected Health
Information (PHI)
• Except with the Written Consent or Authorization of
the Employee
• Or Unless Required or Permitted by Law
• or to the Minimum Extent Necessary or Allowed to
Accomplish the Purpose of Treatment
SOURCE: LITTLER, MENDELSON
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
Protected Health Information (PHI)
• Information created or received by a health plan or
healthcare provider; and
• Relates to the condition or care of an individual; or
• Relates to the payment for care; and
• Permits identification of the individual (or creates a
reasonable basis upon which to identify the
individual)
45 CFR §164.501
SOURCE: LITTLER, MENDELSON
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
HIPAA: Health Insurance Portability and
Accountability Act of 1996
•
A covered entity may not use or disclose protected
health information, except as permitted or required …
–
–
–
–
pursuant to … a consent … to carry out treatment, payment,
or health care operations
pursuant to … an authorization
pursuant to … an agreement (opt-in)
[other provisions]
45 CFR §164.502
•
Health information that meets … specifications for deidentification … is considered not to be individually
identifiable health information
45 CFR §164.502(d)
REGULATIONS
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
De-Identification
•
•
•
•
•
•
•
•
•
•
•
•
A covered entity may determine that health information is not individually
identifiable only if: … the following identifiers of the individual or of
relatives, employers, or household members of the individual are removed:
Names;
All geographic subdivisions smaller than a State, including street address,
city, county, precinct, zip code, …, except for the initial three digits of a zip
code if …
All elements of dates (except year) for dates directly related to an
individual, including birth date, admission date, discharge date, date of
death; and all ages over 89…
Telephone numbers; Fax numbers; email addresses; URLs; IP addresses
Social security numbers; Medical record numbers; Health plan beneficiary
numbers; Account numbers;
Certificate/license numbers; vehicle identifiers, serial numbers, plate
numbers;
Device identifiers and serial numbers;
Biometric identifiers, including finger and voice prints;
Full face photographic images and any comparable images; and
Any other unique identifying number, characteristic, or code; and
The covered entity does not have actual knowledge that the information
could be used alone or in combination with other information to identify an
individual who is a subject of the information.
45 CFR §164.514
Wrongful Disclosure Under HIPAA
•
•
•
•
•
A person who knowingly … uses or causes to be used a unique
health identifier;
obtains individually identifiable health information relating to an
individual; or discloses individually identifiable health information
to another person,
shall be fined not more than $50,000, imprisoned not more than
1 year, or both;
if the offense is committed under false pretenses, be fined not
more than $100,000, imprisoned not more than 5 years, or both;
and
if the offense is committed with intent to sell, or use information
for commercial advantage, or malicious harm, be fined not more
than $250,000, imprisoned not more than 10 years, or both
42 U.S.C. §1320d-6
BUT: no private lawsuit
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
Genetic Privacy
• Federal Executive Order 13145 (Clinton)
– “Nondiscrimination in Federal Employment on the Basis of
Protected Genetic Information”
• State
– Cal Gov Code § 12940 (Unlawful employment practices)
• It shall be an unlawful employment practice … for an
employer ... to subject, directly or indirectly, any
employee, applicant, or other person to a test for the
presence of a genetic characteristic.
– Cal Gov Code § 10148 (Test for genetic characteristic)
• No insurer shall require a test for the presence of a
genetic characteristic for the purpose of determining
insurability other than for those policies that are
contingent on review or testing for other diseases or
medical conditions
SOURCE: KARL MANHEIM, LAWRENCE SLOCUM
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
Employee Polygraph Protection Act
• Makes it illegal for an employer in interstate
commerce to require an employee or prospective
employee to take a lie detector test
• to use the results of a lie detector test
• to use the refusal to take a test to discharge the
employee
• Exceptions:
– governments
– employer investigations of theft where the employer has
reasonable suspicions the employee was involved
– security personnel
29 U.S.C. §2002
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
Fourth Amendment
“The right of the people to be secure in their
persons, houses, papers, and effects, against
unreasonable searches and seizures, shall not be
violated, and no Warrants shall issue, but upon
probable cause, supported by Oath or affirmation,
and particularly describing the place to be searched,
and the persons or things to be seized.”
Adopted December 15, 1791
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
O’Connor vs. Ortega
480 U.S. 709 (1987)
• Search warrants are generally not needed by
employers
– Why? What about the Fourth Amendment?
• Executive director O’Connor of a state hospital
suspected Dr. Ortega of management improprieties
• Searched his office, found incriminating evidence
• Was his expectation of privacy violated?
• Reality of workplace may vitiate some expectations
Standard of “reasonableness” is sufficient for workrelated intrusions by public employers
• 5-4 decision by the Supreme Court
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
Skinner vs. Railway Labor Executives
Assoc., 489 U.S. 602 (1989)
• Federal Railroad Administration (FRA) implemented
regulations requiring mandatory blood and urine tests
of employees involved in certain train accidents
• Expectations of privacy by employees engaged in an
industry regulated to ensure safety are diminished
• Testing procedures pose only limited threats
• Rights of the individual are superseded by the rights
of the organization to conduct business.
• Government's interest in assuring safety on the
nation's railroads constitutes a “special need”
SOURCE: CAYLEN TICHENOR
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
Computer Surveillance
• In general, surveillance by the employer is legal if
– the computer being monitored belongs to the employer; or
– the computer is connected to the employer’s network; and
– even if communications are encrypted
• McLaren v. Microsoft Corp.,
No. 05-97-00824 (Tex. Ct. App. May 28, 1999).
– Employee used private password to encrypt email messages
stored on office computer.
– Company decrypted and viewed files.
– Email account and workstation were provided for business
use, so Microsoft could legitimately access data stored there.
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
Computer Surveillance
• Even spyware installed by the employer is legal
• Notice of Electronic Monitoring Act (Connecticut and
Delaware)
– Versions introduced in other states and Congress
– None have passed
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
Connecticut Dept. of Labor Form
Office Snooping?
• Doe v. SEPTA, 72 F.3d 1133 (3d Cir. 1995)
• Doe (not identified in the case) was awarded
$125,000 when his co-employees learned from his
prescription records he has being treated for AIDS
• The appeals court reversed
• The information was learned in a routine audit of the
company’s health plan for fraud, drug abuse, and
excessive costs
• No prohibition against employers making use of
medical records in employment decisions
• All co-employees had a “need to know”
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
CMU Policy on the Privacy of Faculty Offices
• The employer may give up its rights by contract
• “No one may enter a faculty member's office, or search a faculty
member's files, or examine or remove work products or
documentary material (e.g., research data, notes on interviews,
drafts of publications or lectures, notes used in the preparation
of publications or lectures, audio and visual tapes, films,
outtakes, mental impressions, opinion and other material
intended for dissemination of information to students, colleagues
or the general public) without permission, even if the faculty
member is absent.”
• “Exceptions: employee terminated, building maintenance, space
planning, emergencies, retrieval of joint work or routine
documents where the faculty member is not readily available to
grant permission.”
• “Under any conditions of entry the occupant of the office shall
immediately afterwards be furnished a list of, and/or copies of,
the property or things copied or taken, if any.”
Phone Calls and Email
• Omnibus Crime Control Act of 1968 prohibits
monitoring of employee phone calls unless
– it occurs in the regular course of business; or
– the employee consents to the monitoring
• 1986 Electronic Communications and Privacy Act
– Allows employers the same access to employee
emails on the job
– IF employees are informed that their emails can
and will be monitored, there is no reasonable
expectation of privacy
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
Ontario v. Quon
(U.S. Supreme Court, June 17, 2010)
• Jeff Quon was a policeman in Ontario, California
• The city provided Quon with a pager for text
messages
• Arch Wireless, the pager service company, imposed
a monthly character limit on each pager
• Quon exceeded the maximum for several months
• The city asked Arch Wireless for transcripts of Quon’s
text messaged. Arch provided them
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
Ontario v. Quon
(U.S. Supreme Court, June 17, 2010)
• Many of Quon’s messages were not work-related,
even though sent during work hours, and were
sexually explicit, in violation of police policy
• In fact, only a few of his messages overall were workrelated
• Quon was disciplined by Internal Affairs
• Quon sued Arch and the city for violating the Stored
Communications Act
• Quon also sued the city for violating his civil rights
under the Fourth Amendment (that the search was no
reasonable)
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
Stored Communications Act (SCA)
• The provider of an electronic communication service
may not
• knowingly divulge to any person or entity the
contents of a communication while in electronic
storage by that service
• knowingly divulge a record or other information
pertaining to a subscriber to or customer of such
service to any governmental entity. 18 U.S.C. §2701
• Many exceptions, e.g. to a recipient, with consent, to
provide or maintain service, protect the property
(such as the network) of the provider, child abuse,
inadvertently obtained material can be given to law
enforcement …
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
City of Ontario
“Computer Usage, Internet and E-Mail Policy”
• The City “reserves the right to monitor and log all
network activity including e-mail and Internet use,
with or without notice. Users should have no
expectation of privacy or confidentiality when using
these resources.”
• In 2000, Quon signed a statement acknowledging
that he had read and understood the policy.
• However, pagers are not mentioned
• The City told police officers that messages sent on
the pagers are considered e-mail messages and are
subject to audit
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
Ontario v. Quon
• When Quon exceeded usage the first time, he was
told about the overage and reminded that messages
could be audited
• No audit occurred, and Quon wrote a check to pay for
the overage
• He has overages for severel months, and paid the
City each time
• Quon’s boss got tired of being a “bill collector” and
decided to do an audit
• Of 456 messages in August 2002, only 57 were workrelated
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
Ontario v. Quon
• The jury found the search reasonable
• The 9th Circuit Court of Appeals reversed:
– Quon had a reasonable expectation of privacy in
his text messages
– The search was not reasonable even though it
was conducted on a legitimate, work-related
rationale.
– The were many less intrusive ways to learn of
Quon’s usage than transcripts
– Arch Wireless violated the SCA by giving the City
the transcript.
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
Ontario v. Quon
• The Supreme Court reversed:
• The 4th Amendment guarantees a person’s privacy,
dignity, and security against arbitrary and invasive
governmental acts
• A court must consider the operational realities of the
workplace to determine if an employee’s
constitutional rights are being violated
• An employer’s intrusion on a legitimate privacy
expectation for noninvestigatory, work-related
purposes, as well as for investigations of work-related
misconduct, should be judged by the standard of
reasonableness under all the circumstances.
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
Ontario v. Quon
• The search was reasonable
• The Supreme Court declined to resolve the parties’
disagreement over expectation of privacy:
• “Prudence counsels caution before the facts in this
case are used to establish far-reaching premises that
define the existence, and extent, of privacy
expectations of employees using employer-provided
communication devices. Rapid changes in the
dynamics of communication and information
transmission are evident not just in the technology
itself but in what society accepts as proper behavior.
At present, it is uncertain how workplace norms, and
the law’s treatment of them, will evolve.
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
Q&A
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
Tiberino v. Spokane County
13 P.3d 1104 (2000)
• Gina Tiberino worked for Spokane County, WA
• She misused her office computer for personal email
and was fired
• She threatened to sue; Spokane printed out her email
(551 messages; 467 were personal)
• The media requested copies
• Tiberino sued to prevent disclosure
• Held, the emails were “public records” but the
contents were exempt from disclosure. The fact of
the emails, not their contents, were of public interest
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
U.S. vs. Simons, 206 F.3d 392 (4th Cir. 2000)
• Simons was a subcontractor to the CIA.
• Agency policy stated:
– employees could use Internet for official government
business only
– Accessing unlawful material prohibited
– Agency would conduct electronic audits to ensure
compliance
• Firewall detected queries containing “sex” from
Simon’s computer
• Simons’ office and computer were searched; child
porno found; Simons tried and convicted
• Employee cannot maintain expectation of privacy
when there is a monitoring policy in place.
08-733 PRIVACY POLICY, LAW & TECHNOLOGY
FALL 2010
COPYRIGHT © 2010 MICHAEL I. SHAMOS
Related documents
Discussion 1 Computer Organization 1. 2.
Discussion 1 Computer Organization 1. 2.
PART 1 (OPEN TO THE PUBLIC) ITEM NO.
PART 1 (OPEN TO THE PUBLIC) ITEM NO.
Download
advertisement