<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CIPP Guide &#187; HIPAA</title>
	<atom:link href="http://www.cippguide.org/tag/hipaa/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.cippguide.org</link>
	<description>Your Guide to the CIPP</description>
	<lastBuildDate>Tue, 27 Jul 2010 12:00:26 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>HIPAA Enforcement: CVS Case Example</title>
		<link>http://www.cippguide.org/2010/06/15/hipaa-enforcement-cvs-case-example/</link>
		<comments>http://www.cippguide.org/2010/06/15/hipaa-enforcement-cvs-case-example/#comments</comments>
		<pubDate>Tue, 15 Jun 2010 12:00:55 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Compliance & Regulations]]></category>
		<category><![CDATA[CAP]]></category>
		<category><![CDATA[Corrective Action Plan]]></category>
		<category><![CDATA[CVS]]></category>
		<category><![CDATA[data destruction]]></category>
		<category><![CDATA[Department of Health and Human Services]]></category>
		<category><![CDATA[Disposal]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Office of Civil Rights]]></category>
		<category><![CDATA[PHI]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=1703</guid>
		<description><![CDATA[<p>While understanding privacy law and how it should be implemented is important, it is equally important to know how such laws are enforced and investigated by the U.S. Government. The following case explains the corrective action the Office of Civil Rights under the Department of Health and Human Services was forced to take to ensure compliance of a covered entity that had significantly and repeatedly violated the Privacy Rule of HIPAA.</p>
<p>Following reports of improper disposal of personal health information (PHI), the OCR launched an investigation into the information practices of CVS Entities in September 2007. Their review found the following:</p>

Between [...]]]></description>
			<content:encoded><![CDATA[<p>While understanding privacy law and how it should be implemented is important, it is equally important to know how such laws are enforced and investigated by the U.S. Government. The following case explains the corrective action the Office of Civil Rights under the Department of Health and Human Services was forced to take to ensure compliance of a covered entity that had significantly and repeatedly violated the <a href="../../../../../2010/01/25/health-information-portability-and-accountability-act-hipaa/">Privacy Rule of HIPAA</a>.</p>
<p>Following reports of improper disposal of personal health information (PHI), the OCR <a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresolutionagreement.html">launched an investigation into the information practices of CVS Entities</a> in September 2007. Their review found the following:</p>
<ul>
<li>Between July 2006 and May 2007 some retail CVS stores placed paper records containing personal health information in open dumpsters where they could be accessed by unauthorized individuals.</li>
<li>The policies and procedures of CVS Entities prior to November 2006 were not adequate to ensure the security of PHI</li>
<li>CVS did not have the appropriate administrative safeguards in place, such as disciplinary action or sanctions policies for members violating privacy and security policies</li>
<li>Between April 2003 and November 2006, the training given to employees regarding compliance with the Privacy Rule of HIPAA was insufficient to ensure proper destruction of PHI</li>
</ul>
<p>In January 2009 a resolution agreement was reached with the following terms:</p>
<ul>
<li>Each CVS entity must designate a Compliance Representative who is familiar with the Privacy Rule in order to ensure compliance with HIPAA and the Corrective Action Plan required by the agreement. The Compliance Representative is in charge of designing or improving policies, procedures, training and internal controls.</li>
<li>CVS must pay the Department of Health and Human Services $2,250,000 in penalties</li>
<li>CVS Entities must agree to implement the Corrective Action Plan outlined in the Resolution Agreement</li>
</ul>
<p>The Corrective Action Plan (CAP) for CVS entities involved a number of changes in oversight, policy and training to ensure the adequate protection of PHI. Oversight of implementation of the CAP lasts three years from the effective date of the agreement.</p>
<p>The CAP required the following:</p>
<p><em>Policies</em></p>
<ul>
<li>Development, improvement and maintenance of privacy policies and procedures that comply with the Privacy Rule of HIPAA and any other relevant privacy regulations</li>
<li>CVS Entities must submit revised policies within 90 days of the agreement and implement the policies within 60 days of OCR approval</li>
<li>Policies and procedures must be reviewed annually by the Compliance Representative</li>
<li>Physical and Administrative safeguards to allow the proper disposal of PHI must be implemented</li>
</ul>
<p><em>Employee Policies and Training</em></p>
<ul>
<li>All employees accessing personal health information must receive a copy of the new policies and sign a written agreement saying they understand and agree to abide by the Privacy Rule</li>
<li>Employees that fail to comply with the Privacy Rule must receive disciplinary action</li>
<li>Employees that have access to PHI must receive training appropriate to their level of access regarding proper handling of PHI, including its disposal, as well as the sanctions policies for non-compliance. Training should take place within 30 days of employment. Employees are prohibited from handling PHI before completing their privacy training</li>
<li>A written or electronic account of employee training must be made available to the Office of Civil Rights for inspection</li>
<li>Employees must verify in writing that they have received training and certification must be submitted to the relevant CVS entity within 10 days of certification</li>
<li>Training material must be reviewed annually by the Compliance Representative</li>
</ul>
<p><em>Enforcement</em></p>
<ul>
<li>CVS Entities must develop procedures for internal monitoring of compliance to be approved by the OCR</li>
<li>CVS Entities will use a third party assessor to conduct evaluations of compliance with the Privacy Rule and the CAP. The Assessor must file reports with the OCR and Compliance Representative periodically</li>
<li>The Assessor, Compliance Representative and all CVS Entities must maintain all papers related to the Assessor’s reports for inspection upon request by the OCR</li>
<li>CVS entities must develop an internal reporting procedure, for approval by the OCR, which requires employees to report violations of the CAP to the Compliance Representative as soon as they become aware of the problem</li>
<li>Upon receiving an internal report, the Compliance Representative must investigate the problem immediately</li>
<li>If the investigation determines that a violation has occurred a written report describing the violation and the actions taken by the CVS entity must be submitted to the Assessor and the OCR</li>
</ul>
<p><em>Reporting</em></p>
<p>Within 150 days of OCR approval of the policies and procedures, the Compliance Representative will file an Implementation Report that includes the following information:</p>
<ul>
<li>A written attestation from the Compliance Representative stating that CVS is in full compliance with the Privacy Rule and the CAP to the best of their knowledge</li>
<li>A written attestation from the Compliance Representative stating that the workforce with access to PHI have received their initial privacy training certification</li>
<li>A copy of all training materials and a summary of the training program including length, topics and schedules</li>
<li>A written attestation from the Compliance Representative with the contact information for all locations and retail pharmacies stating that all locations are compliant with the CAP within the best of their knowledge</li>
<li>A written attestation from the Compliance Representative stating they have reviewed the Implementation Report and believe the evaluation to be accurate</li>
</ul>
<p>Periodic reports must also be filed once a year to allow ongoing oversight. The periodic reports require similar information regarding training materials and compliance officer attestations. They also require a summary of all engagement between CVS Entities and the Assessor (i.e. financial audits, compliance program engagements) and a summary of any compliance violations committed by a workforce employee. Furthermore, CVS is responsible for maintaining all documents related to the CAP for six years.</p>
<p><strong>Significance of the CVS Enforcement Case</strong></p>
<p>The CVS enforcement case reinforced several important privacy issues:</p>
<ul>
<li>All employees handling PHI must receive the proper training in their privacy obligations under HIPAA and other privacy laws. Furthermore, they must be held accountable for any violations that occur</li>
<li>Data destruction requires as much attention to privacy concerns as data in other parts of the data life cycle.</li>
<li>Though most individuals’ PHI was not compromised through CVS’s improper disposal of data, it is the potential for such unauthorized use, access, or disclosure which is the real problem being addressed in the Corrective Action Plan.</li>
</ul>
<p><strong>In Conclusion:</strong></p>
<p>The U.S. Government is serious about HIPAA enforcement. Entities handling PII must take the necessary steps to ensure compliance or be faced with much stronger requirements, oversight and costs.</p>
<p><em>CIPP/G Candidate Preparation</em></p>
<p>In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:</p>
<ul>
<li>HIPAA (I.B.a.i)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/06/15/hipaa-enforcement-cvs-case-example/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Enforcement Process</title>
		<link>http://www.cippguide.org/2010/05/25/hipaa-enforcement-process/</link>
		<comments>http://www.cippguide.org/2010/05/25/hipaa-enforcement-process/#comments</comments>
		<pubDate>Tue, 25 May 2010 12:00:10 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Compliance & Regulations]]></category>
		<category><![CDATA[Department of Health and Human Services]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Office of Civil Rights]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[Privacy Rule]]></category>
		<category><![CDATA[Security Rule]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=1701</guid>
		<description><![CDATA[The Health Insurance Portability and Privacy Act was passed in 2003. Since then HIPAA has become one of the most consistently enforced privacy laws to date. Enforcement falls largely to the Department of Health and Human Service’s Office of Civil [...]]]></description>
			<content:encoded><![CDATA[<p>The <a href="../../../../../2010/01/25/health-information-portability-and-accountability-act-hipaa/">Health Insurance Portability and Privacy Act</a> was passed in 2003. Since then HIPAA has become one of the most consistently enforced privacy laws to date. Enforcement falls largely to the Department of Health and Human Service’s Office of Civil Rights.</p>
<p>HIPAA legislation is divided between two rules: the Privacy Rule and the Security Rule. The Privacy Rule of HIPAA involves the privacy of protected health information (PHI). Among the protections it provides are the right to access and amend medical records, the right to consent to PHI disclosure, the right to notice of a covered entity’s privacy practices, as well as the safeguarding and limited disclosure of PHI. Enforcement of the Privacy Rule ensures that such rights are protected.</p>
<p><strong><a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/howocrenforces.html">How Does the OCR Enforce the Privacy Rule?</a></strong></p>
<p>The Office of Civil Rights enforces the Privacy Rule through several methods:</p>
<ul>
<li>Investigating complaints filed with the OCR</li>
<li>Conducting compliance reviews of covered entities</li>
<li>Creating programs for education and outreach</li>
</ul>
<p>The most common method of enforcement is the investigation of complaints.</p>
<p><strong><a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/index.html">How Does the OCR Investigate Complaints?</a></strong></p>
<p>All complaints filed with the OCR go through an Intake and Review process. If the complaint meets the following criteria, the complaint moves on to the investigation stage:</p>
<ul>
<li>The alleged violation occurred after the effective dates of the Privacy or Security Rule.</li>
<li>The entity against whom the complaint is filed must be considered a <a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html">covered entity</a></li>
<li>The alleged complaint must be an activity that would violate the Privacy or Security Rule.</li>
<li>The complaint must be filed within 180 days of when the person submitting the complaint became aware of the violation.</li>
</ul>
<p>If the complaint does not meet all of the above criteria, then no violation of HIPAA is considered to have occurred. If the complaint does meet all of the above criteria, an investigation is launched to determine the veracity of the complaint.</p>
<p>If the complaint involves a possible criminal violation, the investigation is handled by the Department of Justice. If the complaint only involves Privacy or Security Rule violations, it is investigated by the OCR. Depending on the results of the OCR investigation:</p>
<ul>
<li>No violation may be found</li>
<li>A violation may be found and voluntary compliance, or corrective action is taken</li>
<li>A formal finding of violation from the OCR is issued</li>
</ul>
<p><strong><a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.htm">Enforcement Statistics</a></strong></p>
<p>The number of HIPAA complaints has increased each year since its institution. In 2008, the OCR received almost 10,000 complaints. On average, around <a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/data/historicalnumbers.html">two-thirds of alleged complaints</a> are determined to be violations and resolution action is taken. One-third of alleged complaints either do not meet the criteria to warrant an investigation or the investigation determined that no violation had occurred.</p>
<p>On average the top five complaints filed every year involve:</p>
<ol>
<li>Impermissible uses and disclosures</li>
<li>Safeguards</li>
<li>Access</li>
<li>More PHI is collected or used than the minimum necessary</li>
<li>Improper authorization for disclosure</li>
</ol>
<p>On average, the top five covered entities that have been found to be in violation of the Privacy Rule include:</p>
<ol>
<li>Private Practices</li>
<li>General Hospitals</li>
<li>Outpatient Facilities</li>
<li>Health Plans</li>
<li>Pharmacies</li>
</ol>
<p><strong>Summary:</strong></p>
<p>The OCR is committed to HIPAA enforcement. All complaints filed with the OCR are reviewed and may be subject to investigation if a violation is suspected. Depending on the severity of the violation, the OCR may need to take enforcement action against an entity to ensure compliance. Such enforcement is costly to the entity, the U.S. Government and its citizens, so covered entities should review their practices and policies to correct any potential compliance violations.</p>
<p><em>CIPP/G Candidate Preparation</em></p>
<p>In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:</p>
<ul>
<li>HIPAA (I.B.a.i)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/05/25/hipaa-enforcement-process/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA: Health Information Portability and Accountability Act</title>
		<link>http://www.cippguide.org/2010/01/25/health-information-portability-and-accountability-act-hipaa/</link>
		<comments>http://www.cippguide.org/2010/01/25/health-information-portability-and-accountability-act-hipaa/#comments</comments>
		<pubDate>Mon, 25 Jan 2010 12:00:03 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Compliance & Regulations]]></category>
		<category><![CDATA[CIPP/G]]></category>
		<category><![CDATA[Healthcare]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[Privacy Rule]]></category>
		<category><![CDATA[Security Rule]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=1198</guid>
		<description><![CDATA[HIPAA is a sectoral law that was first developed in 1996, to enact several changes in the healthcare industry. Among these changes are a security rule and privacy rule which protect personal health [...]]]></description>
			<content:encoded><![CDATA[<p>HIPAA is a sectoral law that was first developed in 1996, to enact several changes in the healthcare industry. Among these changes are a security rule and privacy rule which protect personal health information.</p>
<p><strong><a href="http://privacyruleandresearch.nih.gov/pr_07.asp">What is Protected Health Information?</a></strong></p>
<p>Protected Health Information is any personally identifiable health information communicated in any form–oral, paper or electronic–that is maintained by a covered entity as defined by HIPAA (see below). Personally identifiable health information may include a person’s age, gender and other demographic information as well as information about their diagnosis; prognosis; their past, present or future medical health or conditions; and payment for the provision of past, present or future medical care. Any information that may potentially identify an individual personally is considered to be protected health information (PHI).</p>
<p><strong><a href="http://privacyruleandresearch.nih.gov/pr_06.asp">Who Must Comply With HIPAA?</a></strong></p>
<p>In general, any entity that handles protected health information must comply with HIPAA regulations. However, the law specifically mentions the following, all of which are considered “covered entities”:</p>
<ul>
<li>Health Care Providers – All hospitals, doctors, nurses, health care workers and any other healthcare service providers</li>
<li>Health Plans – Medicare and Medicaid; private insurance companies; group health plans</li>
<li>Business Associates – Any third party that may handle protected health information as a service, such as billing, data analysis, data aggregation, etc.</li>
</ul>
<p><a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html"><strong>The Privacy Rule</strong></a></p>
<p>The HIPAA Privacy Rule attempts to strike a balance between the need for disclosure among health care professionals to ensure quality care, payment and public security, and the need to protect the identity and personal health information of the patient.</p>
<p>Under the Privacy Rule a patient has the right to:</p>
<ul>
<li><em>Notice of a covered entity’s privacy practices</em> which include the type of information collected and its intended use.</li>
<li><em>Consent or object to the disclosure of protected health information to third parties</em> other than those disclosures granted to business associates for the rendering of treatment or services. The Privacy Rule requires that a signed authorization from the individual be placed on record for each specific third party with which the patient wishes to share their information.</li>
<li><em>Access and amend their protected health information</em> that an entity has on record about them. A minimal charge may be assessed to cover expenses associated with providing access or changes to their records.</li>
<li><em>Limited disclosure of protected health information.</em> Disclosure must be limited to that which is minimally necessary. When a health care provider or plan shares personal health information with a business associate for the purposes of rendering a service (e.g. billing, data analysis, research), the covered entity must ensure that the business associate or third party will maintain the same standards of privacy.</li>
<li><em>Safeguarding of their protected health information</em>. All entities handling personal health information must maintain the necessary physical, technical and administrative safeguards to protect the confidentiality, integrity and security of the patient’s information.</li>
</ul>
<p><em><a href="http://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm">Exceptions to the Privacy Rule</a></em></p>
<p>The Privacy Rule makes provisions for the disclosure of protected health information without the limitations outlined above for the following situations:</p>
<ul>
<li>Information needed for public health activities and safety</li>
<li>In coordination with law enforcement or judicial activities and proceedings</li>
<li>Certain research purposes</li>
<li>Special Government functions</li>
</ul>
<p><strong><em><a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html">The Security Rule</a></em></strong></p>
<p>HIPAA’s Security Rule deals specifically with the protection of personal health information in its electronic form, which includes data stored on computer hard drives and magnetic or digital storage devices.</p>
<p>The Security Rule requires that covered entities take reasonable measures to:</p>
<ul>
<li>Ensure the confidentiality, integrity, and availability of electronic health information</li>
<li>Protect against the unauthorized access, use or disclosure of protected health information.</li>
<li>Enforce HIPAA compliance in the work force.</li>
</ul>
<p>Furthermore, the Security Rule requires:</p>
<ul>
<li>The creation of an individual entity to be responsible for implementing and enforcing the Security Rule</li>
<li>Initial and periodic risk assessments to determine the efficacy of current safeguards, evaluate new threats and implement the necessary protections to maintain the confidentiality and integrity of the data.</li>
<li>The creation of an ongoing training program to educate the workforce on complying with the Security Rule</li>
<li>The covered entity to incorporate the Security Rule into <em><a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html">Business Associate Contracts</a></em> to ensure that all business associates maintain an equivalent level of protection.</li>
</ul>
<p><strong>Summary:</strong></p>
<p>The Health Care Portability and Accountability Act plays a significant role in the protection of the privacy of health information. HIPAA is a complex and far-reaching law which pertains to all professionals involved in the health care field. Education in HIPAA compliance must be ongoing, and compliance closely monitored, to ensure the protection of health information.</p>
<p><em>CIPP/G Candidate Preparation</em></p>
<p>In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:</p>
<ul>
<li>U.S. Public and Private Sector General Laws including HIPAA (I.A.b.i.)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/01/25/health-information-portability-and-accountability-act-hipaa/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Online Assurance Programs</title>
		<link>http://www.cippguide.org/2009/12/28/online-assurance-programs/</link>
		<comments>http://www.cippguide.org/2009/12/28/online-assurance-programs/#comments</comments>
		<pubDate>Mon, 28 Dec 2009 12:00:54 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[BBBonline]]></category>
		<category><![CDATA[Behavioral]]></category>
		<category><![CDATA[DMAchoice]]></category>
		<category><![CDATA[European Privacy Seal]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[HITRUST]]></category>
		<category><![CDATA[Japanese Information Processing Development Cooperation]]></category>
		<category><![CDATA[JIPDEC]]></category>
		<category><![CDATA[Network Advertising Initiative]]></category>
		<category><![CDATA[Privacy Mark System]]></category>
		<category><![CDATA[TRUSTe]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=1168</guid>
		<description><![CDATA[Online assurance programs were created to independently regulate information privacy and build consumer trust, especially with regard to Internet transactions. These programs play a big role in countries, like the United States, which rely on industry self-regulation, rather than strong government oversight to ensure the protection of consumer [...]]]></description>
			<content:encoded><![CDATA[<p>Online assurance programs were created to independently regulate information privacy and build consumer trust, especially with regard to Internet transactions. These programs play a big role in countries, like the United States, which rely on industry self-regulation, rather than strong government oversight to ensure the protection of consumer data.</p>
<p><strong>What are Online Assurance Programs?</strong></p>
<p>“Online assurance programs” is a broad term for a number of organizations and associations that have created a set of privacy standards that all of their members or clients have agreed to abide by. These programs allow self-regulation of privacy. By becoming a member of a consumer protection association or participating in a trust seal program, businesses build consumer confidence and increase consumer traffic, theoretically pushing companies without privacy guarantees out of business.</p>
<p>Online assurance programs often also provide dispute resolution services to businesses participating in their program. Should a customer file a privacy complaint against them, a business is required by law to investigate the complaint. Dispute resolution services provide consumers with an impartial third party to investigate privacy disputes, and provide businesses that otherwise might not have the means with a way to investigate disputes using privacy professionals.</p>
<p><strong>Examples of Online Assurance Programs Around the World</strong></p>
<p><a href="http://www.truste.com/index.html">TRUSTe</a></p>
<p>TRUSTe was the first and continues to be the largest web privacy seal organization. It provides assurance seals for web privacy, email privacy, <a href="../../../../../2009/11/30/safe-harbor-compliance/">EU Safe Harbor compliance</a> and <a href="http://www.cippguide.org/2010/01/11/coppa-the-childrens-online-privacy-protection-act/">COPPA</a> compliance. All participants are required to follow <a href="http://www.truste.com/privacy_seals_and_services/consumer_privacy/privacy-programs-requirements.html">TRUSTe’s privacy standards</a>. To participate, businesses sign a contract with TRUSTe, which then conducts an investigation into the website’s privacy policies and technology. TRUSTe makes recommendations and, once the suggestions are implemented, the company receives the TRUSTe seal. Participants continue to be monitored through dispute resolution and periodic scanning. TRUSTe also maintains a <a href="http://www.truste.com/trusted_sites/index.html">directory of trusted sites</a> for consumer access and use.</p>
<p><a href="http://www.bbb.org/online/">BBBonline</a></p>
<p>BBBonline is an extension of the <a href="http://www.bbb.org/us/">Better Business Bureau Organization</a>, which was founded in 1912 to promote fair marketing practices and build trust among buyers and sellers. In addition to safeguarding privacy, businesses accredited with BBBonline must follow a <a href="http://livepage.apple.com/">code of business practices</a>. These include promises to build trust, advertise honestly, tell the truth, honor promises, be responsive and transparent, and embody integrity.</p>
<p><a href="http://www.networkadvertising.org/">Network Advertising Initiative</a></p>
<p>NAI is a cooperative agreement between online marketing and analytics companies to build consumer awareness and implement and abide by effective privacy practices. One of the most significant features of the NAI is their <a href="http://www.networkadvertising.org/managing/opt_out.asp">Opt Out of Behavioral Advertising tool</a> which tells a user which of its members have placed <a href="../../../../../2009/11/16/cookies-tracking-your-internet-experience/">cookie files</a> on their hard drive and allows them to change their consent options according to their preferences. Users will still see online advertising on websites, but by opting out, the companies involved in the Network Advertising Initiative will no longer collect information about a user’s web activity to create tailored advertising.</p>
<p><a href="http://www.the-dma.org/index.php">US Direct Marketing Association</a></p>
<p>The Direct Marketing Association is a group of trade organizations which promote direct marketing to consumers. Though the DMA’s purpose is to increase the use and efficacy of direct marketing, which includes the use of spam and unsolicited marketing messages, the DMA also promotes fair marketing practices and consumer awareness programs including consumer preference services such as <a href="https://www.dmachoice.org/dma/member/home.action;jsessionid=A79CDD713ED8E0F6D2BF4A26F4385436.tomcat2">DMAchoice,</a> telephone and fax preference services, which provide consumers with consent options with regard to marketing messages.</p>
<p><a href="http://www.jipdec.or.jp/eng/">The Japanese Information Processing Development Cooperation</a></p>
<p>JIPDEC was created to develop IT technologies and policies. Recently it has been a major contributor to the development of Japan’s information privacy law and the development of the <a href="http://privacymark.org/index.html">Privacy Mark System</a>, which functions similarly to a privacy seal program. In the Privacy Mark System, third parties evaluate a business’s compliance with Japan’s data protection laws and any problems are rectified before a business may display the PrivacyMark.</p>
<p><a href="http://www.hitrustalliance.net/">Health Information Trust Alliance</a></p>
<p>HITRUST is a collaboration between healthcare, business and technology organizations to help manage personal health information and use IT effectively to comply with <a href="http://www.hhs.gov/ocr/privacy/">HIPAA</a> and <a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/guidance_breachnotice.html">HITECH</a> regulations. HITRUST created a <a href="http://www.hitrustalliance.net/csf/">common security framework</a> which helps organizations implement information security according to the information they handle and the regulations that apply to it. The common security framework is free to use. Unlike other organizations, HITRUST does not require compliance with a set of practices or codes, but it does promote protection of information by helping companies understand privacy law and develop effective, relevant information security and privacy practices.</p>
<p><a href="https://www.european-privacy-seal.eu/">European Privacy Seal</a></p>
<p>EuroPriSe is a European trust seal program. It was developed out of a desire to have independent evaluation of data protection<em> in addition</em> to government regulation. <a href="https://www.european-privacy-seal.eu/about-europrise">To obtain a privacy seal</a>, independent privacy experts evaluate the product or service and write a report. A government-accredited certification body then checks the report for compliance with the <a href="http://aspe.hhs.gov/DATACNCL/eudirect.htm">Data Protection Directive</a> and other European privacy laws. If found compliant, the IT product or service is awarded the European Privacy Seal. EuroPriSe does not provide dispute resolution services, since data protection complaints are handled under the Data Protection Directive.</p>
<p><strong>Summary</strong></p>
<p>The number one objective of online assurance programs is to build trust with consumers. Whether an organization oversees compliance through the use of privacy seals or uses cooperative agreements to comply with a set of standards, businesses are making privacy an important feature in building strong, effective, long-standing relationships with customers.</p>
<p><em>CIPP Candidate Preparation</em></p>
<p>In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:</p>
<ul>
<li>Online Assurance including trust seal, dispute resolution programs and self regulatory frameworks. (III.B.l.i-iii.)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2009/12/28/online-assurance-programs/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Destruction and Privacy</title>
		<link>http://www.cippguide.org/2009/11/23/data-destruction-and-privacy/</link>
		<comments>http://www.cippguide.org/2009/11/23/data-destruction-and-privacy/#comments</comments>
		<pubDate>Mon, 23 Nov 2009 12:00:27 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Compliance & Regulations]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Cloud computing]]></category>
		<category><![CDATA[data destruction]]></category>
		<category><![CDATA[dumpster diving]]></category>
		<category><![CDATA[FACTA]]></category>
		<category><![CDATA[Fair Credit Reporting Act]]></category>
		<category><![CDATA[fair information practice principles]]></category>
		<category><![CDATA[FCRA]]></category>
		<category><![CDATA[FISMA]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[Gramm Leach Bliley]]></category>
		<category><![CDATA[HIPAA]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=1112</guid>
		<description><![CDATA[If asked to identify the point in the information lifecycle in which data is often most vulnerable, most people would not say “Destruction.” Destruction itself is a simple concept. After personal data or technology storing personal data is no longer useful it is discarded.  However, completely erasing data from existence is not that easy. Computer files are particularly difficult to destroy. Furthermore, with the increasing use of cloud computing services, more and more personal data is being stored on third party servers, where the information controller has to trust their provider to remove the information when requested. Control over the deletion and destruction of data is taken out of the data controller and the data subject’s hands. The problems associated with proper disposal, make it so that the destruction of data is one of the times personal information is most likely to be at risk for unauthorized access. Because of this, data destruction remains an important privacy issue discussed among professionals in the industry [...]]]></description>
<content:encoded><![CDATA[
<p>If asked to identify the point in the information lifecycle in which data is often most vulnerable, most people would not say “Destruction.” Destruction itself is a simple concept. After personal data or technology storing personal data is no longer useful it is discarded.  However, completely erasing data from existence is not that easy. <a href="http://en.wikipedia.org/wiki/Data_remanence">Computer files are particularly difficult to destroy.</a> Furthermore, with the increasing use of <a href="http://en.wikipedia.org/wiki/Cloud_computing">cloud computing services</a>, more and more personal data is being stored on third party servers, where the information controller has to trust their provider to remove the information when requested. Control over the deletion and destruction of data is taken out of the data controller and the data subject’s hands.</p>
<p>Because proper disposal is hard to get right, the destruction phase is one of the points in the lifecycle at which personal information is most exposed to unauthorized access. Data destruction therefore remains an important privacy issue discussed among professionals in the industry today.</p>
<p><strong>Why is Data Destroyed?</strong></p>
<p>Data destruction is a necessary and important part of the information life cycle. Deleting data from a server frees space on the hard drive for other data that may be more pertinent to business operations. Destroying data that is no longer needed also limits the scope of a breach should unauthorized access occur: information that no longer exists cannot be stolen.</p>
<p>The <a href="http://www.ftc.gov/reports/privacy3/fairinfo.shtm">Fair Information Practice Principles</a> set out principles on the limits and uses of collected data. Once data is collected, the <a href="http://www.opt-4.co.uk/dictionary/DataController.asp">data controller</a> is restricted to using it for purposes related to the reasons for which it was originally collected. Data that is outdated or no longer useful is destroyed. Data destruction may also occur after transferring data to new technologies and discarding the old ones. Data, especially data that has been hosted with a cloud computing service, may also be deleted at the request of the <a href="http://www.opt-4.co.uk/dictionary/DataSubject.asp">data subject</a> or the data controller.</p>
<p><strong>How Do Data Breaches from Improper Destruction Occur?</strong></p>
<p>Today, data usually takes two forms: electronic and paper. Paper files containing personal information are a frequent cause of data breaches due to <a href="../2009/05/19/hey-stupid-dont-just-throw-that-out-corporate-disposal-policies-keep-your-organization-out-of-the-headlines/">carelessness</a>. Unclaimed copies, faxes and other paper files are often thrown into recycling bins or the trash with little thought as to the personal information they may contain. This leaves personal information vulnerable to <a href="http://idtheft.about.com/od/identitytheft101/a/Dumpster_Diving.htm">dumpster divers</a> who sort through trash looking for information that may allow them to commit fraud.</p>
<p>Another common way that deleted data may be accessed is through the improper disposal of computers and other electronic equipment with the ability to store data. <a href="http://en.wikipedia.org/wiki/Data_remanence">Sending files to the recycle bin or hitting the delete key does not actually erase a file from existence</a>. What it does is remove the file’s directory entry and mark the blocks it occupied as free; the contents remain on the medium until those blocks happen to be reused by other files. Some operating systems support software which allows <a href="http://en.wikipedia.org/wiki/Undeletion">undeletion</a>, so that files that have previously been deleted can be restored. Computer hard drives, USB drives, cell phones and other related products are all susceptible to data breaches if they are recovered by dumpster divers or through computer recycling programs and their storage has not been overwritten, encrypted or physically destroyed.</p>
<p>Cloud computing has improved the interactivity and productivity of businesses and individuals, but it has also increased the potential for unauthorized access to information. When a company or individual stores personal information with a cloud computing service, be it a <a href="http://en.wikipedia.org/wiki/Payroll_service_bureau">payroll service bureau</a> or Facebook, they are trusting that provider to protect their information and eventually delete it when requested. <a href="http://arstechnica.com/web/news/2009/07/are-those-photos-really-deleted-from-facebook-think-twice.ars">However, it may be days, weeks or even months before that information is deleted</a>. Furthermore, placing information in the cloud gives more individuals who are <a href="http://www.schneier.com/essay-289.html">not under the control</a> or supervision of the data subject or the data controller access to personal information, laying the ground for misuse.</p>
<p>Data breaches are serious and happen regularly because of carelessness and general ignorance of the danger that improperly disposed data poses.</p>
<p><strong>How Should Data Be Disposed?</strong></p>
<p>While different regulations may call for various means of protecting data, there are a number of commonly accepted ways for individuals and businesses to properly dispose of data in both paper and <a href="http://www.csoonline.com/article/220713/How_to_Get_Rid_of_Old_Computers">electronic forms</a>.</p>
<p><em>Physical Destruction:</em></p>
<ol>
<li><a href="http://idtheft.about.com/od/preventionpractices/tp/Shredding-Mail.htm">Shredding</a>- the most commonly used form of destruction in homes and small businesses, in which paper is cut into small pieces to make the information harder to reassemble. <a href="http://idtheft.about.com/od/identitytheft101/a/Dumpster_Diving.htm">Cross-cut shredders</a> are more effective than strip-cut shredders, whose output can be reassembled into usable data with a modest amount of work.</li>
<li><a href="http://en.wikipedia.org/wiki/Incineration">Incineration</a>- Paper and/or electronic equipment may be burned to make it unreadable. While the destruction is effective, there is a large debate concerning its impact on the environment.</li>
<li><a href="http://en.wikipedia.org/wiki/Pulverizer">Pulverization</a>- Uses high pressure to crush objects into unusable forms. Like incineration it is effective in protecting data, but it poses environmental problems as the chemicals and materials used in computers and paper degrade in landfills.</li>
</ol>
<p><em>Electronic Destruction:</em></p>
<ol>
<li><a href="http://en.wikipedia.org/wiki/Data_erasure">Overwriting</a>- Writing new data (zeros, random bytes or a fixed pattern) over every block a file or a whole drive occupied. Multiple passes were long recommended, but NIST SP 800-88 treats a single pass as sufficient for modern magnetic disks. Overwriting cannot reach blocks the drive or filesystem has remapped (reallocated bad sectors, SSD wear-levelling, journaled and copy-on-write filesystems), so it is not 100% effective, but tools for it ship with every operating system.</li>
<li><a href="http://en.wikipedia.org/wiki/Encryption">Encryption</a>- Transforms data with a cipher and a key so that only holders of the key can read it. If data is only ever stored in encrypted form, securely destroying the key (cryptographic erasure) makes every copy of the ciphertext unreadable at once, including backups and copies held by a cloud provider, without having to locate and overwrite each one. <a href="http://benefitslink.com/articles/guests/washbull090427.html">HHS guidance issued under the HITECH Act recognizes encryption, alongside destruction, as a method of rendering protected health information unusable, unreadable or indecipherable to unauthorized persons.</a></li>
<li><a href="http://en.wikipedia.org/wiki/Degaussing%23Degaussing_magnetic_data_storage_media">Degaussing</a>- Exposes magnetic media such as hard drives and tapes to a strong field that scrambles the stored magnetic domains. It has no effect on flash memory or SSDs, and it leaves a modern hard drive unusable, because the factory-written servo tracks are erased along with the data.</li>
</ol>
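<p>As an added example that is not part of the original post, the Go program below puts the last few paragraphs into working code: because deleting a file only unlinks it, <code>overwriteInPlace</code> rewrites the file’s blocks before <code>overwriteAndRemove</code> unlinks it, and a record that exists only as AES-256-GCM ciphertext is destroyed by zeroing its key (<code>cryptoErase</code>), after which <code>open</code> fails for every copy of the ciphertext wherever it lives. The function and type names, the sample record and the temporary file are constructed for this illustration; the single-pass rule and the SSD caveat follow NIST SP 800-88, and the key-zeroing step is best effort in a garbage-collected runtime.</p>

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
)

// overwriteInPlace writes random bytes over the file's whole current length and
// syncs them to the device, returning the byte count. A delete only drops the
// directory entry; this replaces the contents first. NIST SP 800-88 treats one
// pass as sufficient for magnetic disks; on SSDs and journaling or copy-on-write
// filesystems the new bytes may land in other physical blocks (best effort only).
func overwriteInPlace(path string) (int64, error) {
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return 0, err
	}
	n, err := io.CopyN(f, rand.Reader, info.Size())
	if err != nil {
		return n, err
	}
	return n, f.Sync() // flush past the page cache before the unlink
}

func overwriteAndRemove(path string) error {
	if _, err := overwriteInPlace(path); err != nil {
		return err
	}
	return os.Remove(path)
}

// Record keeps personal data only as AES-256-GCM ciphertext; the key is held
// apart from it (in production: an HSM or key-management service).
type Record struct {
	key, nonce, ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(plaintext []byte) (*Record, error) {
	key, nonce := make([]byte, 32), make([]byte, 12) // fresh 256-bit key, 96-bit GCM nonce
	for _, b := range [][]byte{key, nonce} {
		if _, err := rand.Read(b); err != nil {
			return nil, err
		}
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return &Record{key: key, nonce: nonce, ciphertext: aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// open recovers the plaintext; it fails once the key has been destroyed.
func (r *Record) open() ([]byte, error) {
	if r.key == nil {
		return nil, errors.New("key destroyed: record is cryptographically erased")
	}
	aead, err := newGCM(r.key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, r.nonce, r.ciphertext, nil)
}

// cryptoErase zeroes the key and drops the reference, so every copy of the
// ciphertext (disk, backup, cloud) becomes unreadable at once; zeroing is best
// effort in a garbage-collected runtime that may have copied the slice.
func (r *Record) cryptoErase() {
	for i := range r.key {
		r.key[i] = 0
	}
	r.key = nil
}

func main() {
	rec, err := seal([]byte("patient 4711: diagnosis E11.9")) // constructed sample
	if err == nil {
		rec.cryptoErase()
		_, err = rec.open()
	}
	fmt.Println("open after key destruction:", err)
}
```

<p>Run it with <code>go run</code>. The overwrite path applies to any file the process can open for writing, but note the asymmetry: whether the rewritten bytes reached the same physical cells depends on the drive and filesystem, whereas cryptographic erasure does not care where the ciphertext physically landed, which is why encrypting personal data at rest from the day it is collected makes its eventual destruction tractable.</p>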
<p><strong>What are the U.S. Federal Regulations Regarding Data Disposal?</strong></p>
<p>There are a number of different regulations in place in the United States that deal with the proper disposal of personal information. These are often incorporated into the various laws regulating privacy in different sectors and industries.</p>
<p><em><a href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_public_laws&amp;docid=f:publ159.108">The Fair and Accurate Credit Transactions Act</a></em></p>
<p>In 2003, the Fair and Accurate Credit Transactions Act was passed as an amendment to the <a href="http://en.wikipedia.org/wiki/Fair_Credit_Reporting_Act">Fair Credit Reporting Act</a>, both of which deal with the protection of personal information in consumer reports. FACTA includes a <a href="http://www.ftc.gov/opa/2005/06/disposal.shtm">disposal rule</a> for the protection of information derived from consumer reports, binding on <a href="http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt152.shtm">any entity which uses such information for business purposes.</a> Such entities include landlords, employers, automobile dealers, debt collectors and financial institutions. The rule requires them to take reasonable measures to destroy consumer report information, such as shredding or burning paper and erasing or destroying electronic media so that the information cannot practicably be read or reconstructed, and, where disposal is outsourced, to exercise due diligence over the contractor, for example by reviewing an independent audit of its operations.</p>
<p><em>The Gramm-Leach-Bliley Act</em></p>
<p>In 1999, the Gramm-Leach-Bliley Act was passed to protect personally identifiable information used by financial institutions. It includes a <a href="http://knol.google.com/k/rob-scott/complying-with-the-glba-safeguards-rule/1llgytainraw9/1%23">Safeguards Rule</a> which requires financial institutions to designate a coordinator of their information security program. It also requires extensive routine risk assessments of the physical, technical and administrative safeguards to determine the threat of internal or external abuse of personal information. The proper disposal of data is included in such risk assessments.</p>
<p>The law provides for the protection of data against security risks, but like many information privacy laws in the U.S., it is criticized for being largely unenforceable due to the variations in technology, methodology and use of information from business to business. The GLBA does set heavy penalties for businesses that do not complete risk assessments and develop security plans to handle potential threats.</p>
<p><em><a href="http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act">The Health Insurance Portability and Accountability Act</a></em></p>
<p>HIPAA is a broad law dealing with issues within the health industry. It contains a <a href="http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act%23Privacy_Rule">Privacy Rule</a> and a <a href="http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act%23Security_Rule">Security Rule</a> for the protection of protected health information. The Security Rule’s device and media controls standard includes a required disposal specification (45 CFR 164.310(d)(2)(i)): covered entities must implement policies for the final disposition of electronic PHI and of the hardware and media on which it is stored, though the rule does not prescribe a particular method beyond what is reasonable and appropriate for the entity. <a href="http://privacy.med.miami.edu/glossary/xd_disposal_of_records.htm">Historically, improper disposal has been one of the leading ways protected health information has been exposed to unauthorized access.</a></p>
<p><em><a href="http://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002">The Federal Information Security Management Act</a></em></p>
<p>In 2002, FISMA was passed to regulate information security within the Federal Government. Similar to the Gramm-Leach-Bliley Act, FISMA requires periodic risk assessments to determine the threat and magnitude of harm due to unauthorized access, use, modification, disclosure or destruction of sensitive information throughout its life cycle. The act calls for detailed plans and security measures to be implemented in order to protect against potential threats. The concrete procedures live in NIST’s <a href="http://www1.techwayservices.com/storage/NISTSP800-88_rev1.pdf">Special Publication 800-88, Guidelines for Media Sanitization</a> (pdf), written under the standards mandate FISMA gives NIST: it grades sanitization as clear, purge or destroy and maps each media type to the methods that reach each level, and private-sector disposal policies commonly borrow from it.</p>
<p>Data destruction has been recognized as an important security risk in U.S. regulations; however, many of the aforementioned regulations do not set clear or standardized guidelines for the correct disposal of information. Data destruction remains a confusing and complicated topic. Most regulations use language such as “reasonable measures” to acknowledge the fact that data is extraordinarily difficult and expensive to destroy. However, “reasonable measures” also creates a lot of room for interpretation, and so data destruction throughout the United States and its industries remains largely self-regulated.</p>
<p><strong>What About Data Destruction Services?</strong></p>
<p>As awareness has grown about the dangers posed by improperly disposed data, a number of independent data destruction services have appeared to be part of the solution. Many of these companies offer certificates of destruction assuring their customers that their data is well protected and properly destroyed. While many of these companies may properly dispose of data, potential customers should be aware that the industry is completely self-regulated. <a href="http://www.eweek.com/c/a/Security/ECyclers-Embrace-Data-Destruction/">There is no government authority that certifies data destruction services</a> in the United States, and so the certificates they issue are only as good as the reputation and accountability of the company that issues them.</p>
<p><strong>In Conclusion</strong></p>
<p>Data destruction is an often overlooked part of information security which is essential to individuals and businesses alike. Maintaining the security of personal information is one of the key elements of information privacy, and no data is fully secure until it is completely and properly destroyed. Both individuals and businesses need to be aware of the potential consequences of improper disposal of data, recognize their accountability in ensuring its destruction, and do thorough due diligence when choosing services such as cloud computing and/or data destruction services which may be given control over the process.</p>
<h3><strong><em>CIPP Candidate Preparation</em></strong></h3>
<p>In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:</p>
<ul>
<li>Introduction to Privacy:  “Information lifecycle principles” (Foundations: I.E.vi)</li>
<li>Information Security: &#8220;Cryptography&#8221; (Foundations: II.C.a.iii), &#8220;Implementing information security controls &#8211; Asset management&#8221; (Foundations: II.C.b.iii) and &#8220;Physical and environmental security&#8221; (Foundations: II.C.b.v)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2009/11/23/data-destruction-and-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Finding and fixing mistakes &#8211; Data Subject Access &amp; Redress</title>
		<link>http://www.cippguide.org/2009/07/03/fixing-mistakes-data-subject-access-redress/</link>
		<comments>http://www.cippguide.org/2009/07/03/fixing-mistakes-data-subject-access-redress/#comments</comments>
		<pubDate>Fri, 03 Jul 2009 10:17:09 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Compliance & Regulations]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[credit reporting]]></category>
		<category><![CDATA[data subject access]]></category>
		<category><![CDATA[ehr]]></category>
		<category><![CDATA[ele]]></category>
		<category><![CDATA[electronic health records]]></category>
		<category><![CDATA[FACT Act]]></category>
		<category><![CDATA[FACTA]]></category>
		<category><![CDATA[FCRA]]></category>
		<category><![CDATA[Google Health]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[NHS]]></category>
		<category><![CDATA[opt-out]]></category>
		<category><![CDATA[redress]]></category>
		<category><![CDATA[UK]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=694</guid>
		<description><![CDATA[What happens when a company collects incorrect data?  How can a consumer even discover the inconsistencies?  What course of action does a consumer take, and what should a corporation do to respect the rights of their [...]]]></description>
<content:encoded><![CDATA[
<p>There are numerous guidelines, best practices and regulations for collecting information on customers, patients or other data subjects (for this article, let&#8217;s generally call them consumers) in the United States.  The most regularly visited is probably HIPAA, where nearly everyone signs some sort of disclosure notification that a primary care physician, pharmacy, lab, hospital or some other medical office will share your Personal Health Records with third parties that handle administrative tasks for the provider.  There&#8217;s a decent-sized list of who constitutes a health care provider, a third party and what information between all parties involved may be exchanged for transactions such as an insurance claim.  The financial sector also regularly distributes privacy policy notifications, although most times inaccurate information doesn&#8217;t affect anyone outside the credit reporting industry.  What happens when the collected data aren&#8217;t right?  How can a consumer even discover the inconsistencies?  What course of action does a consumer take, and what should a corporation do to respect the rights of their customers?</p>
<h2>Historical Perspective</h2>
<p>This is not a new issue, and has been tackled in multiple symposia and expanded several times over the past decades.  In 1973, the US Department of Health, Education and Welfare (the predecessor of today&#8217;s HHS) introduced the Code of Fair Information Practices.  The 1980 Organization for Economic Cooperation and Development (OECD) guidelines and the comprehensive 1995 European Union Data Protection Directive 95/46/EC both deal with this issue.  They define two topics &#8211; &#8220;Individual Participation&#8221; and &#8220;Data Quality&#8221;.  Individual participation centers on consumer access, or the right to view any collected information and the ability to correct errors.  The EU expounds upon individual participation, where access must be at reasonable intervals and rectification without excessive delay or expense.  The Federal Trade Commission <a title="FTC advisory concerning providing online consumers reasonable access to personal information collected from and about them by domestic commercial Web sites" href="http://www.ftc.gov/acoas/papers/acoasdraft1.htm" target="_blank">(FTC) released an advisory on online access and security in 2000.</a> The CIPP defines these scenarios as customer access and redress.</p>
<h2>Problems in credit reporting</h2>
<p>Let&#8217;s first examine the US credit reporting world.  Information collected by the credit bureaus is used by banks and other money lenders to determine an applicant&#8217;s credit worthiness, or more important to the lender, their risk of default.  The credit bureaus have reason to keep the information collected as unavailable as possible &#8211; between the three main companies they had a monopoly on the compiled credit history the lenders need and each one tries to glean every ounce of data on an individual to justify ordering their credit report product.  The bureaus were charging consumers for every access to their credit reports, by what some would consider an inordinate amount.  A <a title="1998 PIRG Survey shows significant problems with the credit reporting procedures in the US" href="http://www.floridapirg.org/home/reports/report-archives/financial-privacy--security/financial-privacy--security/mistakes-do-happen-credit-report-errors-mean-consumers-lose" target="_blank">1998 survey by the Public Interest Research Group</a> underscored the customer redress situation:<span id="more-694"></span></p>
<blockquote>
<ul>
<li>Of the consumers that did obtain their credit reports, at least 14% of them were forced to call back 3 or more times after receiving busy signals or had to write a letter in order to receive their report;</li>
<li>And 12% of the consumers waited two weeks or longer to receive their report once they finished requesting it. It took more than a month for one California man to receive his report.</li>
<li>Overall, 15% of consumers who attempted to participate in the survey either made at least 3 phone calls and never got through or requested their reports but never received them.</li>
</ul>
</blockquote>
<p>This treatment went against the privacy principles laid out in the OECD and Fair Information Practices.  <a title="2004 US Public Interest Research Group Survey finds discrepancies on 79% of all credit reports" href="http://calpirg.org/CA.asp?id2=14889&amp;id3=CA&amp;" target="_blank">Plus, mistakes were reportedly found on 79% of consumer credit reports</a>.  Without more readily available customer access, the system was in jeopardy.  To compound these problems, there was simultaneously a rise in identity theft.</p>
<h2>Congress steps in</h2>
<p>In response, the US Congress passed the Fair and Accurate Credit Transactions Act (FACT Act or FACTA) in 2003.  The FACTA amended the 1970 Fair Credit Reporting Act (FCRA), and gave rise to a free annual credit report requirement from each of the major bureaus&#8230; and the <a title="YouTube video of freecreditreport.com commercials" href="http://www.youtube.com/watch?v=7dFbNw3bpKE" target="_blank">slew of funny commercials about guys in pirate hats</a>. Congress decided the credit bureaus&#8217; reporting was simply too important to the US financial system, stating their rationale for the legislation:</p>
<blockquote><p>(a)<em>Accuracy and fairness of credit reporting.</em> The Congress makes the following findings:</p>
<ol>
<li>The banking system is dependent upon fair and accurate credit reporting. Inaccurate credit reports directly impair the efficiency of the banking system, and unfair credit reporting methods undermine the public confidence which is essential to the continued functioning of the banking system.</li>
<li>An elaborate mechanism has been developed for investigating and evaluating the credit worthiness, credit standing, credit capacity, character, and general reputation of consumers.</li>
<li>Consumer reporting agencies have assumed a vital role in assembling and evaluating consumer credit and other information on consumers.</li>
<li>There is a need to insure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer&#8217;s right to privacy.</li>
</ol>
<p>(b)<em>Reasonable procedures.</em> It is the purpose of this title to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information in accordance with the requirements of this title.</p></blockquote>
<h3>Unintended Consequences</h3>
<p>It is interesting to note that in response to the FACTA, &#8220;imposter&#8221; domains sprang up, with a World Privacy Forum study calling out 96 specific known sites.  The web site touted in the pirate hat commercials is not the free annual credit report required by Congress, but actually one of the imposter domains belonging to Experian.  The World Privacy Forum study, &#8220;<a title="World Privacy Rights study documents misdirection on the part of the credit bureaus in the FACTA mandated free credit report execution" href="http://www.privacyrights.org/ar/CallDontClick.htm" target="_blank">Call Don&#8217;t Click: Why It&#8217;s Smarter to Order a Federally Mandated Credit Report via Phone Instead of the Internet,</a>&#8221; found:</p>
<blockquote>
<ul>
<li>28 of the imposter domains belong to Experian, a credit bureau.</li>
<li>68 of the imposter domains belong to or are hosted at &#8220;pay per click&#8221; companies.</li>
<li>50 of the &#8220;pay per click&#8221; domains are live, and some are luring consumers to inappropriate and risky Web sites. Some of the &#8220;pay per click&#8221; sites lead consumers to Experian and other credit companies&#8217; commercial sites in order to cash in on the credit bureaus&#8217; affiliate marketing programs.</li>
</ul>
</blockquote>
<h2>Electronic Health Records &amp; HIPAA</h2>
<p>Consumer access is probably not as obvious of a problem with the health care community.  Most of the work currently happens on the back end, where insurance companies and health care providers&#8217; offices wrangle over receiving the right amount of money for procedures.  As an uninsured American, you may have to pick up the torch of dealing with doctor&#8217;s office blunders, but in those cases, you&#8217;re likely handling them at the time of service and won&#8217;t pay until they get it right.  Most people simply don&#8217;t see the man behind the curtain.</p>
<p>The scary part will surround electronic health records (EHR) and the push to incorporate them through ARRA.  As digital bits, EHR integrity could become more questionable.  It will also uncover a slew of inconsistencies that have yet to reach the light of day &#8211; the proverbial Garbage In, Garbage Out.  A <a title="After transferring his Electronic Health Records from his hospital, an early Google Health adopter found numerous mistakes with nothing but convoluted methods to fix them" href="http://e-patients.net/archives/2009/04/imagine-if-someone-had-been-managing-your-data-and-then-you-looked.html" target="_blank">recent adopter of Google Health recounts his experience utilizing his hospital&#8217;s auto-migrate feature</a>.  Some of his revelations:</p>
<blockquote>
<ul>
<li>[T]he docs in the back room&#8230; quickly figured out what was going on&#8230; the system transmitted insurance billing codes to Google Health, not doctors’ diagnoses<strong>.</strong> [I]nsurance billing codes bear no resemblance to reality&#8230; <span>if a doc needs to bill insurance for something and the list of billing codes doesn’t happen to include exactly what your condition is, they cram it into something else so the stupid system will accept it.</span></li>
<li>EMR pontificators are saying “Online data in the hospital won’t do any good at the scene of a car crash.” Well, GOOD: you think I’d want the EMTs to think I have an aneurysm, anxiety, migraines and brain mets?? Yet if I hadn’t punched that button, I never would have known my data in the system was erroneous.</li>
<li>[M]y 12/6/2003 x-ray identified me as a 53 year old woman&#8230; it took me months to get that error corrected, because nobody&#8217;s in the habit of actually fixing errors&#8230;</li>
</ul>
</blockquote>
<p>This was a contemporary hospital.  Its CIO touted the EHR revolution and had already taken steps to embrace customer advocacy.  There will undoubtedly be push back from older hospitals or stodgier doctors.  Discoveries like these are inevitable, especially with so many people involved in providing healthcare.  An <a href="http://www.fastcompany.com/magazine/129/the-cure.html?page=0%2C1" target="_blank">article in <em>Fast Company</em></a> chronicled the clinical staff access associated with the writer&#8217;s medical care:</p>
<blockquote><p>… a list of everybody that accessed the medical record from the time he was seen in the clinic to two weeks post-op. &#8216;There were 113 people listed — and every one had an appropriate reason to be in that chart. It shocked all of us. We all knew this was a team sport, but to recognize it was that big a team, every one of whom is empowered to screw it up — that makes me toss and turn in my sleep.&#8217;</p></blockquote>
<p>To top it all off, there are already <a title="How will issues with Electronic Health Records be different from paper records?" href="http://www.cippguide.org/2009/04/09/abandoned-medical-records-happen-will-abandoned-ehr-happen-more/" target="_blank">questions as to how older, paper records might be brought into the digital realm</a>.  Who is to handle the scanning?  What becomes of the old paper records once they are scanned?  Will the security provisions be in place to prevent EHR compromise?  It&#8217;s already time-consuming to update a digitized hospital&#8217;s records &#8211; how about those of a newly computer-literate doctor&#8217;s office?</p>
<h2>International Example</h2>
<p>The US doesn&#8217;t have a lock on the access and redress problem.  Even with the heavy emphasis placed on privacy in the EU and a separate Information Commissioner&#8217;s Office (ICO) responsible for privacy, the United Kingdom has had its share of reporting and correction problems, <a title="The UK's National Healthcare System's electronic health database now allows customer record deletion" href="http://www.theregister.co.uk/2009/05/26/e_record_deletion/" target="_blank">most recently with their national health database</a>.  Until late May, citizens only had the option of opting out of the National Healthcare System (NHS) electronic health database or masking their data in the system.  Under the UK&#8217;s socialized health care system, there were instances where opting out had serious consequences.  In British health care, a summary care record (SCR) includes information such as allergies, current medications, medical conditions and resuscitation preferences.  SCRs obviously contain personal information, and the security of the communications medium between the hospitals (called the Spine) has been called into question.  Additionally, the system&#8217;s access controls allow any authorized user to view any patient&#8217;s information, not just that of patients currently being treated.</p>
<p>The NHS agency Connecting for Health (CfH) runs the records system.  An ICO spokeswoman confirmed that, following discussions between the ICO privacy watchdogs and CfH managers, medical record deletion would now be possible.</p>
<blockquote><p>People want the assurance that they can restrict who can access their personal details in NHS electronic records.  We met recently with Connecting for Health (CfH) to discuss the permanent deletion of summary care records once a patient requests their summary record no longer appears on the database.  We are pleased that as a result of these discussions CfH have found a way to ensure that these records are permanently removed from the database when appropriate and we are continuing to talk to them about how this is put into practice.</p></blockquote>
<h2>Summary</h2>
<p>When drafting corporate or group policies, general best practice dictates that data subjects should have the ability to review all information an organization holds on them and the right to correct any errors.  Those corrections must be reconciled across the organization, either pushed upward from third-party partners or downward from the main collecting organization.  By adhering to this standard, nearly every organization will be kept in lock step with multinational laws with regard to data subject access and redress.</p>
<h3><strong><em>CIPP Candidate Preparation</em></strong></h3>
<p>In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with several topics found in this post including:</p>
<ul>
<li>Privacy Regulations (Foundations:I.F.b, CIPP: I.B) and Compliance Requirements (Foundations:II.B)</li>
<li>Data Subject Access &amp; Redress (Foundations: III.B.d)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2009/07/03/fixing-mistakes-data-subject-access-redress/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
