<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
><channel><title>CIPP Guide &#187; opt-out</title> <atom:link href="http://www.cippguide.org/tag/opt-out/feed/" rel="self" type="application/rss+xml" /><link>https://www.cippguide.org</link> <description>Your Guide to the CIPP</description> <lastBuildDate>Sat, 11 Feb 2012 07:47:27 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <item><title>ARRA 2009: Privacy &amp; Security Changes – Part I</title><link>https://www.cippguide.org/2012/01/26/arra-2009-privacy-security-changes-part-i/</link> <comments>https://www.cippguide.org/2012/01/26/arra-2009-privacy-security-changes-part-i/#comments</comments> <pubDate>Thu, 26 Jan 2012 12:00:28 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[access]]></category> <category><![CDATA[ARRA]]></category> <category><![CDATA[electronic health records]]></category> <category><![CDATA[Healthcare]]></category> <category><![CDATA[opt-out]]></category> <category><![CDATA[personal health records]]></category> <category><![CDATA[Privacy Rule]]></category> <category><![CDATA[Security Rule]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2814</guid> <description><![CDATA[This article takes a look at the American Recovery and Reinvestment Act (ARRA) of 2009, which created some significant changes to privacy and security regulations which were outlined in the Health Insurance Portability and Accountability Act (HIPAA) as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act. The ARRA imposes substantial modifications in four main areas: 1) HIPAA statutory requirements; 2) Increased enforcement of HIPAA; 3) Provisions to address health information held by entities not covered by HIPAA; and 4) Other changes including administrative changes, studies, reports and educational initiatives. This article takes a look at the modifications the ARRA made to HIPAA statutory requirements around privacy and [...]]]></description> <content:encoded><![CDATA[<p>The <a
href="http://ecommons.med.harvard.edu/ec_res/nt/A3B4A28D-987B-4271-B003-5A877B4F4E38/arrabookmarks.pdf">American Recovery and Reinvestment Act</a> (ARRA) of 2009 was an economic stimulus package enacted into law on February 17, 2009. For our purposes here, the ARRA amended existing privacy regulations for health care organizations and created new ones.</p><p>According to the commentary in President Obama’s <a
href="http://en.wikipedia.org/wiki/2010_United_States_federal_budget">Budget for Fiscal Year 2010</a>:</p><p>“These incentives, coupled with other activities authorized in… [ARRA], are expected to result in a dramatic increase in the percentage of health care providers using health IT within five years. Computerized health records – while protecting the privacy and security of personal health information – is expected to facilitate improvements in the quality of health care, prevention of unnecessary health care spending, and a reduction in medical errors.”</p><p>Provisions on privacy and security were found in ARRA’s Title XIII, Subtitle D and certain parts of Subtitle A. The ARRA provisions were generally effective as of February 17, 2010, but a more specific implementation timeline is available <a
href="http://geekdoctor.blogspot.com/2009/03/timeline-for-arra-privacy-provisions.html">here</a>.</p><p><strong>Four Main Areas of Change</strong></p><p>Certain aspects of the ARRA make significant changes to the types and level of privacy and security requirements that healthcare providers must follow. The ARRA imposes substantial modifications in the following four areas:</p><ol><li><a
href="http://www.cippguide.org/tag/hipaa/">HIPAA</a> (Health Insurance Portability and Accountability Act) statutory requirements</li><li>Increased enforcement of HIPAA</li><li>Provisions to address health information held by entities not covered by HIPAA</li><li>Other changes including administrative changes, studies, reports and educational initiatives</li></ol><p>The modifications in each of these four areas are discussed in separate articles in this series. This article focuses on the ARRA’s changes to HIPAA statutory requirements.</p><p><strong>Business Associates &amp; Compliance</strong></p><p>Prior to the enactment of the ARRA, HIPAA required that covered entities (e.g. hospitals, physicians and health plans) enter into contracts (called “business associate agreements”) with entities performing functions or providing services on their behalf, where those functions/services involved the exchange of health information. The business associate agreements required the business associates to use appropriate security safeguards to protect health information they received and were responsible for. It is important to note that before the enactment of the ARRA, business associates were not directly subject to governmental enforcement action; covered entities would have to sue them for breach of contract.</p><p>The ARRA requires business associates to comply directly with most of the provisions of the <a
href="https://www.cippguide.org/tag/security-rule/">HIPAA Security Rule</a>. Business associates must also comply with <a
href="https://www.cippguide.org/tag/privacy-rule/">Privacy Rule</a> provisions that are made applicable to them by their contract with the covered entity. This means that they must comply with any changes to the Privacy Rule that are part of ARRA, whether or not those provisions are included in their contracts with the covered entities.</p><p><strong>Data Breaches</strong></p><p>Originally, the HIPAA did not require covered entities to notify affected individuals in the case of breaches of their <a
href="https://www.cippguide.org/tag/phi/">protected health information</a>. Now, the ARRA requires that individuals be notified if their unsecured health information has been breached. In the case of outsourcing, business associates should notify the covered entities of any breaches and the covered entities should then notify the individuals concerned.</p><p><strong>Restricting Disclosures</strong></p><p>ARRA imposes a requirement on covered entities (and their business associates) to honor an individual’s request to restrict disclosure of protected health information to a health plan for purposes of payment or health care operations if the information pertains solely to a health care item or service that the individual has paid for in full or out-of-pocket.</p><p><strong>“Minimum necessary” Amounts</strong></p><p>The Privacy Rule outlines that only the minimum necessary amount of protected health information should be accessed, used or disclosed (except in cases of treatment and other specific circumstances). The rule also outlines that a limited data set should be used. This data set should be stripped of a number of categories of patient-identifying information and can be used pursuant to a data use agreement for research, public health and health care operations purposes. The ARRA requires the Secretary to establish guidance on what “minimum necessary” means.</p><p><strong>Disclosures of Personal Health Information</strong></p><p>The Privacy Rule initially stated that covered entities needed to provide – upon request – an accounting of disclosures of protected health information made from the individual’s medical record for the previous six years. However, a number of disclosures are exempted from this requirement, including disclosures for treatment, payment, and health care operations. The ARRA states that covered entities using electronic health care records may no longer exempt such disclosures. 
However, the accounting only needs to cover the previous three years, rather than six.</p><p><strong>No “Sale” of Protected Health Information</strong></p><p>ARRA prohibits direct or indirect remuneration in exchange for an individual’s protected health information without the individual’s authorization. This authorization must also specify whether the information can be further exchanged for remuneration by the original entity that receives the data. There are, of course, <a
href="http://healthlawoffices.com/blog/?p=43">exceptions</a> to this provision.</p><p><strong>Right of Access</strong></p><p>The HIPAA Privacy Rule always protected individuals’ right to access and obtain a copy of their health records, normally within thirty days of their request. The ARRA requires covered entities using electronic health records to provide individuals with an electronic copy of the record. The record must be transmitted directly to an entity or person specified by the individual. Fees should be kept to a minimum reasonable amount in relation to the labor costs.</p><p><strong>Marketing Communications</strong></p><p>ARRA imposes more stringent restrictions and regulations on authorization for marketing purposes. If a covered entity is paid by an outside entity to send a communication to a patient, the communication is considered “marketing.” This means that it will require prior authorization from the patient.</p><p>There are some exceptions to this regulation. For instance, protected health information is permitted to be used without authorization if it is for communications that describe a drug or biologic that is currently being prescribed/administered to the individual, as long as the payment received by the covered entity is reasonable in amount. Communications that have patients’ authorization may also be sponsored by outside entities.</p><p><strong>Opting Out of Fundraising</strong></p><p>Previously, covered entities were able to use an individual’s demographic information as well as the dates during which they received health care to send fundraising communications without pre-authorization from the individual. 
The ARRA now requires the Secretary to create a rule requiring that individuals be able to opt-out of receiving such communications in a clear and conspicuous way.</p><p><strong>Summary</strong></p><p>This article takes a look at the American Recovery and Reinvestment Act (ARRA) of 2009, which created some significant changes to privacy and security regulations which were outlined in the Health Insurance Portability and Accountability Act (HIPAA) as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act. The ARRA imposes substantial modifications in four main areas: 1) <a
href="http://www.cippguide.org/tag/hipaa/">HIPAA</a> statutory requirements; 2) Increased enforcement of HIPAA; 3) Provisions to address health information held by entities not covered by HIPAA; and 4) Other changes including administrative changes, studies, reports and educational initiatives. This article takes a look at the modifications the ARRA made to HIPAA statutory requirements around privacy and security.</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Information Privacy Professional (CIPP) exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Amendments under the American Recovery &amp; Reinvestment Act of 2009 (I.B.a.i.3.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2012/01/26/arra-2009-privacy-security-changes-part-i/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Resisting Online Tracking: New Features &amp; Tools</title><link>https://www.cippguide.org/2011/03/01/resisting-online-tracking-new-features-tools/</link> <comments>https://www.cippguide.org/2011/03/01/resisting-online-tracking-new-features-tools/#comments</comments> <pubDate>Tue, 01 Mar 2011 12:00:44 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[Choice]]></category> <category><![CDATA[consumers]]></category> <category><![CDATA[cookies]]></category> <category><![CDATA[marketing]]></category> <category><![CDATA[online privacy]]></category> <category><![CDATA[opt-in]]></category> <category><![CDATA[opt-out]]></category> <category><![CDATA[sensitive personal information]]></category> <category><![CDATA[SPI]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2449</guid> <description><![CDATA[The three major internet browser providers - Mozilla, Google and Microsoft - respond to the Federal Trade Commission's 2010 report calling for do-not-track mechanisms. The article introduces Mozilla’s Firefox do-not-track header, Google’s Chrome online tracking tool and Microsoft’s Internet Explorer Tracking Protection feature, as well as other practices users may consider in order to reduce online [...]]]></description> <content:encoded><![CDATA[<h1><span
style="font-weight: normal; font-size: 13px;">Recently, Mozilla, Google and Microsoft announced new tools and features to meet their users’ online privacy needs, as well as regulations regarding the practice of online tracking. This article takes a look at Mozilla’s Firefox do-not-track header, Google’s Chrome online tracking tool and Microsoft’s Internet Explorer Tracking Protection feature.</span></h1><h2>What is online tracking?</h2><p>Online tracking is an advertising method which develops tailored ads based on information that has been gathered about the consumer. Tracking allows advertisers to accurately match consumers to products, thus increasing the effectiveness of the ads. This means that companies can charge a premium for such precisely-targeted ads. According to <a
href="http://www.emarketer.com/">EMarketer Inc.</a>, a New York-based research company, the US market for targeted advertising may grow 21% in 2011, to $1.35 billion, from $1.12 billion in 2010.</p><p>In December 2010, the <a
href="http://www.ftc.gov/opa/2010/12/privacyreport.shtm">Federal Trade Commission (FTC) issued a report</a> endorsing “Do Not Track” initiatives that would offer users a way to opt out of personalized advertising. While advertising companies that are part of the <a
href="http://www.networkadvertising.org/">Network Advertising Initiative</a> (NAI) allow users to opt out of online tracking, once customers clear browser cookies, any settings that have been customized are lost.</p><h2>Firefox: Do-Not-Track Header</h2><p>In January 2011, Mozilla proposed a <a
href="https://wiki.mozilla.org/Privacy/Jan2011_DoNotTrack_FAQ">Do-Not-Track</a> feature in Firefox which allows users to inform websites that they would like to opt out of third-party tracking. This is done by sending a Do-Not-Track HTTP header whenever the browser requests content from the web. The header can be enabled or disabled whenever the user wishes, supposedly providing granular control over which websites are allowed to collect data. While any browser can be configured to send a Do-Not-Track header, every website must be modified in order to honor it.</p><p>Alex Fowler, Mozilla’s technology and privacy officer <a
href="http://www.ibtimes.com/articles/104300/20110124/mozilla-proposes-do-not-track-addition-to-firefox.htm">commented</a> that the challenge of the Do-Not-Track header “is that it requires both browsers and sites to implement it to be fully effective. Mozilla recognizes the chicken and egg problem and we are taking the step of proposing that this feature be considered for upcoming releases of Firefox.&#8221;</p><h2>Chrome: Online Tracking Tool</h2><p>On January 24, 2011, <a
href="http://googlepublicpolicy.blogspot.com/2011/01/keep-your-opt-outs.html">Google announced</a> the release of a new tool known as <a
href="https://chrome.google.com/webstore/detail/hhnjdplhmcnkiecampfdgfjilccfpfoe">Keep My Opt-Outs</a>, which allows users to opt out of online tracking. The Keep My Opt-Outs browser extension applies to all companies and online ad networks which offer opt-outs as a result of industry self-regulation programs. Currently, over 50 companies are members of such associations that offer opt-outs through such programs. Basically, Google’s extension determines if a cookie originates from a blacklisted targeted advertising provider and either blocks or allows it.</p><p><a
href="http://googlepublicpolicy.blogspot.com/2011/01/keep-your-opt-outs.html">Google’s product managers claim</a>, “We’ve designed the [Keep My Opt-Outs] extension so that it should not otherwise interfere with your web browsing experience or website functionality. This new feature gives you significant control without compromising the revenue that fuels the web content that we all consume every day.”</p><h2>Internet Explorer: Tracking Protection</h2><p><a
href="http://downloadsquad.switched.com/2011/01/26/do-not-track-analysis-of-google-microsoft-and-mozillas-solutions/">Some observers</a> are convinced that <a
href="http://news.cnet.com/8301-10805_3-20024864-75.html">Microsoft’s Internet Explorer Tracking Protection</a> is perhaps the most user-friendly method for preventing online tracking. This security feature is planned for the first release candidate of <a
href="http://windows.microsoft.com/ie9">Internet Explorer 9</a>, currently available in beta version. The Tracking Protection feature uses a list to determine which third-party page elements are blocked from tracking and which are allowed.</p><p>In December 2010, Dean Hachamovitch, the head of Internet Explorer development, <a
href="http://blogs.msdn.com/b/ie/archive/2010/12/07/ie9-and-privacy-introducing-tracking-protection-v8.aspx">described</a> how Tracking Protection would work:</p><p>“A Tracking Protection List (TPL) contains Web addresses (like msdn.com) that the browser will visit (or &#8220;call&#8221;) <em>only</em> if the consumer visits them directly by clicking on a link or typing their address. By limiting the calls to these Web sites and resources from other Web pages, the TPL limits the information these other sites can collect.</p><p>You can look at this as a translation of the &#8220;Do Not Call&#8221; list from the telephone to the browser and web. It complements many of the other approaches being discussed for browser controls of Do Not Track.”</p><h2>Other ways to resist online tracking…</h2><p>While the FTC assesses the efficacy and usability of tracking-minimizing tools, privacy experts have a number of other recommendations for reducing and resisting online tracking.</p><ul><li>Advertising companies use cookies to track users’ online activity. <a
href="http://www.nytimes.com/2010/11/11/technology/personaltech/11basics-sidebar.html">Remove and block</a> these ad-related cookies.</li><li>Remove Flash cookies, which are a type of <a
href="http://www.pcmech.com/article/how-to-deal-with-supercookies/">supercookie</a> that can contain more information, web beacons and web bugs. Such cookies must be removed through Adobe’s online <a
href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html">Flash Player page</a>.</li><li>Use specialized software to remove and prevent tracking programs. Recommended titles include: <a
href="http://www.abine.com/preview/taco.php">Taco</a> by Abine; <a
href="https://addons.mozilla.org/en-US/firefox/addon/6623/">Better Privacy</a> for Firefox; <a
href="http://www.ghostery.com/">Ghostery</a> for Firefox; <a
href="http://www.piriform.com/ccleaner/features">CCleaner</a>; and <a
href="http://noscript.net/">NoScript</a> for Firefox and Chrome.</li><li><a
href="http://www.microsoft.com/windows/internet-explorer/features/safer.aspx">InPrivate Filtering</a>, a feature for Internet Explorer 8, prevents data from traveling between users’ computers and third parties who frequently request data.</li><li>Users should be cautious when giving personal information online (e.g. registration forms, social networking sites, surveys). Such information will most likely be used to customize online ads.</li><li>Users can use several search engines to conduct online searches. Users may want to consider using different companies for searching and web-based email services.</li><li>Certain search engines, such as <a
href="http://scroogle.org/">Scroogle.org</a>, enable users to search using Google without the risk of being tracked and without the inconvenience of viewing ads.</li><li>Use a dynamic IP address, or periodically reset the IP address by disconnecting and reconnecting the modem.</li></ul><h3>Summary</h3><p>This article focuses on online tracking, an advertising practice in which advertising companies use information about users to more accurately match consumers with products. In late 2010, the Federal Trade Commission released a report encouraging the development of do-not-track mechanisms. Three major internet browser providers – Mozilla, Google and Microsoft – have recently responded with their solutions to the problem of online tracking. The article introduces Mozilla’s Firefox do-not-track header, Google’s Chrome online tracking tool and Microsoft’s Internet Explorer Tracking Protection feature, as well as other practices users may consider in order to reduce online tracking.</p><h3>CIPP Exam Preparation</h3><p>In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Sensitive Personal Information (I.A.b.)</li><li>Privacy Concerns – The Consumer Perspective (II.A.a.)</li><li>Unsolicited Marketing (II.A.e.)</li><li>Privacy Protection – Notice and Choice (III.A.a.)</li><li>Web Cookies (III.B.c.i.)</li><li>Web Browser Controls (III.B.c.v.)</li><li>Explicit and Implicit Consent – Opt-In vs. 
Opt-Out (IV.B.i.1.; IV.B.i.2.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2011/03/01/resisting-online-tracking-new-features-tools/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item><title>Google Buzz</title><link>https://www.cippguide.org/2010/06/08/google-buzz/</link> <comments>https://www.cippguide.org/2010/06/08/google-buzz/#comments</comments> <pubDate>Tue, 08 Jun 2010 12:00:13 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[Beacon]]></category> <category><![CDATA[Buzz]]></category> <category><![CDATA[Canada]]></category> <category><![CDATA[CIPP/C]]></category> <category><![CDATA[Consent]]></category> <category><![CDATA[Facebook]]></category> <category><![CDATA[Fair Information Principles]]></category> <category><![CDATA[Google]]></category> <category><![CDATA[Google Maps]]></category> <category><![CDATA[Google Street View]]></category> <category><![CDATA[Harriet Jacobs]]></category> <category><![CDATA[Jennifer Stoddart]]></category> <category><![CDATA[limiting data collection]]></category> <category><![CDATA[opt-in]]></category> <category><![CDATA[opt-out]]></category> <category><![CDATA[Privacy Commissioner]]></category> <category><![CDATA[Reader]]></category> <category><![CDATA[Social Networking]]></category> <category><![CDATA[Street View]]></category><guid
isPermaLink="false">http://www.cippguide.com/?p=1870</guid> <description><![CDATA[When Google launched its social networking tool, Google Buzz in February 2010, privacy advocates around the world raised concerns regarding its features. Although Google has since made significant changes, the compromises and intrusions of privacy still remain a troubling characteristic of many Web services and online networking [...]]]></description> <content:encoded><![CDATA[<p>When <a
href="http://www.cippguide.org/tag/google/">Google</a> launched its social networking tool, <a
href="http://www.google.com/buzz">Google Buzz</a> in February 2010, privacy advocates around the world raised concerns regarding its features. Although Google has since made significant changes, the compromises and intrusions of privacy still remain a troubling characteristic of many Web services and <a
href="http://www.cippguide.org/tag/social-networking/">online networking applications</a>.</p><h2>Introducing Google Buzz</h2><p>Google launched what it expected would be the Twitter/Facebook competitor, Google Buzz, on February 9, 2010. It was advertised as “a new way to share updates, photos, videos and more, and start conversations about the things you find interesting.” Buzz was designed to integrate with Gmail – which already had over 146 million users at the time of the launch – and to share interface elements with other Google products, such as <a
href="http://www.google.com/reader/view/">Google Reader</a>.</p><p>The service can also be accessed through supported mobile devices. The mobile version of Buzz is integrated with <a
href="http://maps.google.com/">Google Maps</a>, in order to let users know their location and identify other users who are around them.</p><p>Buzz was received with great interest. In the first two days after its launch, tens of millions of users created over nine million posts and comments. On average, there were over 200 posts per minute through mobile phones worldwide.</p><h2>Responses</h2><p>However, not all responses to Buzz were positive. Immediately after its introduction, privacy-minded users noticed that Buzz automatically set them up with followers and people to follow. This group of followers is chosen based on the contacts the user emails and chats with the most.</p><p>Another issue of concern was that the people a user follows and the people that follow the user are made public to anyone viewing the user’s profile. This is the default setting, which allows anyone who views a profile to see the people who a user chats with or emails most. The implications of this setting were worrisome to some users. For instance, a boss may discover that a subordinate has frequent email contact with executives at a competing firm.</p><p>What was distressing to most critics was that Google did not openly explain how the publicly viewable follower lists were determined. Buzz’s unclear opt-out approach put many users in the position of unknowingly sharing personal information.  It is clear that Google’s choice to design the lists to show publicly by default was a strategic decision to get as many people using Buzz as quickly as possible. While it may be a helpful setting for some users, others may not feel comfortable with sharing with the world who they email or chat with most.</p><p>This glaring privacy flaw was brought to the spotlight two days after Buzz was launched, when <a
href="http://www.fugitivus.net/2010/02/11/fuck-you-google/">Harriet Jacobs</a> saw her personal information revealed to her ex-husband and his abusive friends. Unfortunately, Google automatically allowed her most frequent contacts to view her Google Reader, all the comments on her Reader, as well as her current location, workplace and other sensitive information. Her most frequent email contacts happened to be her ex-husband, his friends and other hostile blog commenters. She was unable to block these users as she never created a Google profile or Buzz profile, which left her unable to prevent them from following her.</p><h2>Making Changes</h2><p>Within three days of launching Buzz, Google issued a public apology and made some changes to the program in response to the widely-publicized consumer privacy concerns. It added a more visible opt-out selection to allow users to choose not to show their connections or followers on their profile. This was a rapid response to user concerns, especially when compared to Facebook’s <a
href="http://www.circleid.com/posts/a_look_at_the_facebook_privacy_class_action_beacon_settlement/">Beacon privacy problems</a> in 2007, which took over a month to resolve.</p><p>Although the changes were a positive step in terms of supporting user privacy rights, critics pointed out that Google did not go far enough to address immediate concerns. For instance, the selection box for sharing followers was checked by default. Since this is an option for sharing private or sensitive information, many argued that the box should be unchecked. Given its nature, it would be best to leave that as an opt-in feature.</p><p>Furthermore, the opt-out selection did not give users an adequate explanation as to what they were allowing Buzz to publish. Users were not informed that Buzz would publish the list of people they email and chat with most. Although the privacy settings could be adjusted, the problem was that most users do not know how to change these settings. The majority of users simply click “save and continue” until the application is fully set up, unfortunately reading little of the information contained in the dialog boxes. This made it clear that Google’s changes were an inadequate response to the scope and implications of users’ concerns.</p><p>In April 2010, privacy officials from Canada, Germany, France, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the UK raised privacy concerns regarding Google Buzz, as well as other Google services. The letter pointed out that even months after its launch, Buzz was still disregarding its users’ privacy rights, despite Google’s promises to the contrary.</p><h2>Opt-In vs. Opt-Out</h2><p><a
title="CIPPGuide: Opt out articles" href="./tag/opt-out/" target="_self">Opt-out mechanisms</a> give users the opportunity to express non-agreement to a specific purpose. Unless the user takes action to opt-out, the organization assumes consent and proceeds. The organization should clearly inform the users that failing to opt-out means that the user consents to the use or disclosure of information. For instance, the Google Buzz box presented users with the opt-out choice with a pre-checked box that read, “Show the list of people I’m following and the list of people following me on my public profile.”</p><p>Opt-in consent is often referred to as “express consent.” With opt-in consent, the organization presents the users with the opportunity to express positive agreement to a stated purpose. Only with the user’s action will the organization assume consent. Opt-in consent is considered the strongest form of consent. The <a
href="http://www.priv.gc.ca/index_e.cfm">Privacy Commissioner of Canada</a> encourages organizations to use this form of consent wherever it is appropriate, as it is least likely to result in misunderstandings and complaints.</p><p>In the Google Buzz case, an effective opt-in statement for new users might have been a checkbox reading “Show the list of people I’m following and the list of people following me on my public profile. Right now, the list is made up of people you email and chat with most.”</p><h2>Recommendations</h2><p>Jennifer Stoddart, the federal Privacy Commissioner of Canada expressed her unease over how such a problematic application like Buzz was launched for public use in the first place. Stoddart did not support the decision to release Buzz in its “beta” form, as it should have demonstrated compliance with <a
title="CIPPGuide: Fair Information Practice Principles" href="./2010/01/18/fair-information-practices-principles/?action=lostpassword&amp;instance=tml-1">fair information principles</a> before it was introduced. She felt it was unacceptable to launch a product that had such significant privacy issues, with the intention of addressing those problems only as they arise. This was also not the first time Google made a glaring privacy error, as <a
title="CIPPGuide: Street View" href="./tag/google/" target="_self">Google Street View</a> was launched earlier, without consideration of privacy, data protection laws or cultural norms.</p><p>Stoddart and the Privacy Commissioner’s Office sent Google a number of recommendations that would enable it to integrate fundamental privacy principles into its online services. The recommendations included:</p><ul><li>Collecting and processing only the minimum amount of personal information that is necessary for achieving the purpose of the product or service.</li><li>Providing clear, unambiguous information regarding the use of personal information.</li><li>Allowing users to provide informed consent.</li><li>Creating privacy-protective default settings.</li><li>Ensuring that privacy control settings are clear and easy to use.</li><li>Ensuring that all personal data is adequately protected.</li><li>Giving users simple procedures for account deletion.</li><li>Honoring user requests in a timely manner.</li></ul><h3>Summary</h3><p>This article examines privacy issues raised through the launch of the social networking program Google Buzz. It outlines some critical responses to the privacy settings and risks that the application exposes users to. The article also explores opt-in and opt-out consent mechanisms. Finally, the article takes a look at the Canadian Privacy Commissioner’s response and recommendations to Google Buzz.</p><h3>CIPP/C Preparation</h3><p>In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Online privacy, online data collection (V.B.c.)</li><li>End user expectations (V.C.c.a.i.)</li><li>End user preferences, opt-in vs. opt-out (V.C.c.a.ii.)</li></ul><div
id="_mcePaste" style="overflow: hidden; position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px;"></p><h1 class="western"><span
lang="en-US">Google Buzz</span></h1><p
style="margin-bottom: 0in;"><span
lang="en-US">When <a
href="http://www.cippguide.org/tag/google/">Google</a> launched its social networking tool, <a
href="http://www.google.com/buzz">Google Buzz</a> in February 2010, privacy advocates around the world raised concerns regarding its features. Although Google has since made significant changes, the compromises and intrusions of privacy still remain a troubling characteristic of many Web services and <a
href="http://www.cippguide.org/tag/social-networking/">online networking applications</a>. </span></p><h2 class="western"><span
lang="en-US">Introducing Google Buzz</span></h2><p
style="margin-bottom: 0in;"><span
lang="en-US">Google launched what it expected would be the Twitter/Facebook competitor, Google Buzz on February 9, 2010. It was advertised as “a new way to share updates, photos, videos and more, and start conversations about the things you find interesting.” Buzz was designed to integrate with Gmail – which already had over 146 million users at the time of the launch – and other interface interaction elements with other Google products, such as <a
href="http://www.google.com/reader/view/">Google Reader</a>. </span></p><p
style="margin-bottom: 0in;"><span
lang="en-US">The service can also be accessed through supported mobile devices. The mobile version of Buzz is integrated with <a
href="http://maps.google.com/">Google Maps</a>, in order to let users know their location and identify other users who are around them. </span></p><p
style="margin-bottom: 0in;"><span
lang="en-US">Buzz was received with great interest. In the first two days after its launch, tens of millions of users created over nine million posts and comments. On average, there were over 200 posts per minute through mobile phones worldwide. </span></p><h2 class="western"><span
lang="en-US">Responses</span></h2><p
style="margin-bottom: 0in;"><span
lang="en-US">However, not all responses to Buzz were positive. Immediately after its introduction, privacy-minded users noticed that Buzz automatically set them up with followers and people to follow. This group of followers is chosen based on the contacts the user emails and chats with the most. </span></p><p
style="margin-bottom: 0in;"><span
lang="en-US">Another issue of concern was that the people a user follows and the people that follow the user are made public to anyone viewing the user’s profile. This is the default setting, which allows anyone who views a profile to see the people who a user chats with or emails most. The implications of this setting were worrisome to some users. For instance, a boss may discover that a subordinate has frequent email contact with executives at a competing firm. </span></p><p
style="margin-bottom: 0in;"><span
lang="en-US">What was distressing to most critics was that Google did not openly explain how the publicly viewable follower lists were determined. Buzz’s unclear opt-out approach put many users in the position of unknowingly sharing personal information.  It is clear that Google’s choice to design the lists to show publicly by default was a strategic decision to get as many people using Buzz as quickly as possible. While it may be a helpful setting for some users, others may not feel comfortable with sharing with the world who they email or chat with most. </span></p><p
style="margin-bottom: 0in;"><span
lang="en-US">This glaring privacy flaw was brought to the spotlight two days after Buzz was launched, when <a
href="http://www.fugitivus.net/2010/02/11/fuck-you-google/">Harriet Jacobs</a> saw her personal information revealed to her ex-husband and his abusive friends. Unfortunately, Google automatically allowed her most frequent contacts to view her Google Reader, all the comments on her Reader, as well as her current location, workplace and other sensitive information. Her most frequent email contacts happened to be her ex-husband, his friends and other hostile blog commenters. She was unable to block these users as she never created a Google profile or Buzz profile, which left her unable to prevent them from following her. </span></p><h2 class="western"><span
lang="en-US">Making Changes</span></h2><p
style="margin-bottom: 0in;"><span
lang="en-US">Within three days of launching Buzz, Google issued a public apology and made some changes to the program in response to the widely-publicized consumer privacy concerns. It added a more visible opt-out selection to allow users to choose not to show their connections or followers on their profile. This was a rapid response to user concerns, especially when compared to Facebook’s <a
href="http://www.circleid.com/posts/a_look_at_the_facebook_privacy_class_action_beacon_settlement/">Beacon privacy problems</a> in 2007, which took over a month to resolve. </span></p><p
style="margin-bottom: 0in;"><span
lang="en-US">Although the changes were a positive step in terms of supporting user privacy rights, critics pointed out that Google did not go far enough to address immediate concerns. For instance, the selection box for sharing followers was checked by default. Since this is an option for sharing private or sensitive information, many argued that the box should be unchecked. Given its nature, it would be best to leave that as an opt-in feature. </span></p><p
style="margin-bottom: 0in;"><span
lang="en-US">Furthermore, the opt-out selection did not give users an adequate explanation as to what they were allowing Buzz to publish. Users were not informed that Buzz would publish the list of people they email and chat with most. Although the privacy settings could be adjusted, the problem was that most users do not know how to change these settings. The majority of users simply click “save and continue” until the application is fully set-up, unfortunately reading little of the information contained in the dialog boxes. This made it clear that Google’s changes were an inadequate response to the scope and implication of user’s concerns. </span></p><p
style="margin-bottom: 0in;"><span
lang="en-US">In April 2010, privacy officials from Canada, Germany, France, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the UK raised privacy concerns regarding Google Buzz, as well as other Google services. The letter pointed out that even months after its launch, Buzz was still disregarding its user’s privacy rights, despite Google’s promises to the contrary. </span></p><h2 class="western">Opt-In vs. Opt-Out</h2><p
style="margin-bottom: 0in;">Opt-out mechanisms give users the opportunity to express non-agreement to a specific purpose. Unless the user takes action to opt-out, the organization assumes consent and proceeds. The organization should clearly inform the users that failing to opt-out means that the user consents to the use or disclosure of information. For instance, the Google Buzz box presented users with the opt-out choice with a pre-checked box that read, “Show the list of people I’m following and the list of people following me on my public profile.”</p><p
style="margin-bottom: 0in;">Opt-in consent is often referred to as “express consent.” With opt-in consent, the organization presents the users with the opportunity to express positive agreement to a stated purpose. Only with the user’s action will the organization assume consent. Opt-in consent is considered the strongest form of consent. The <a
href="http://www.priv.gc.ca/index_e.cfm">Privacy Commissioner of Canada</a> encourages organizations to use this form of consent wherever it is appropriate, as it is least likely to result in misunderstandings and complaints.</p><p
style="margin-bottom: 0in;">In the Google Buzz case, an effective opt-in statement for new users might have been a checkbox reading “Show the list of people I’m following and the list of people following me on my public profile. Right now, the list is made up of people you email and chat with most.”</p><h2 class="western"><span
lang="en-US">Recommendations</span></h2><p
style="margin-bottom: 0in;"><span
lang="en-US">Jennifer Stoddart, the federal Privacy Commissioner of Canada expressed her unease over how such a problematic application like Buzz was launched for public use in the first place. Stoddart did not support the decision to release Buzz in its “beta” form, as it should have demonstrated compliance with <a
href="http://www.cippguide.org/2010/01/18/fair-information-practices-principles/?action=lostpassword&amp;instance=tml-1">fair information principles</a> before it was introduced. She felt it was unacceptable to launch a product that had such significant privacy issues, with the intention of addressing those problems only as they arise. This was also not the first time Google made a glaring privacy error, as Google Street View was launched earlier, without consideration of privacy, data protection laws or cultural norms. </span></p><p
style="margin-bottom: 0in;"><span
lang="en-US">Stoddart and the Privacy Commissioner’s Office sent Google a number of recommendations that would enable it to integrate fundamental privacy principles into its online services. The recommendations included:</span></p><ul><li><p
style="margin-bottom: 0in;"><span
lang="en-US">Collecting and 	processing only the minimum amount of personal information that is 	necessary for achieving the purpose of the product or service. </span></p></li><li><p
style="margin-bottom: 0in;"><span
lang="en-US">Providing 	clear, unambiguous information regarding the use of personal 	information. </span></p></li><li><p
style="margin-bottom: 0in;"><span
lang="en-US">Allowing users 	to provide informed consent. </span></p></li><li><p
style="margin-bottom: 0in;"><span
lang="en-US">Creating 	privacy-protective default settings. </span></p></li><li><p
style="margin-bottom: 0in;"><span
lang="en-US">Ensuring that 	privacy control settings are clear and easy to use. </span></p></li><li><p
style="margin-bottom: 0in;"><span
lang="en-US">Ensuring that 	all personal data is adequately protected. </span></p></li><li><p
style="margin-bottom: 0in;"><span
lang="en-US">Giving users 	simple procedures for account deletion. </span></p></li><li><p
style="margin-bottom: 0in;"><span
lang="en-US">Honoring user 	requests in a timely manner. </span></p></li></ul><h3 class="western"><span
lang="en-US">Summary</span></h3><p
style="margin-bottom: 0in;"><span
lang="en-US">This article examines privacy issues raised through the launch of the social networking program Google Buzz. It outlines some critical responses to the privacy settings and risks that the application exposes users to. The article also explores opt-in and opt-out consent mechanisms. Finally, the article takes a look at the Canadian Privacy Commissioner’s response and recommendations to Google Buzz. </span></p><h3 class="western"><span
lang="en-US">CIPP/C Preparation</span></h3><p
style="margin-bottom: 0in;"><a
name="_GoBack"></a><span
lang="en-US">In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:</span></p><ul><li><p
style="margin-bottom: 0in;"><span
lang="en-US">Online privacy, 	online data collection (V.B.c.)</span></p></li><li><p
style="margin-bottom: 0in;"><span
lang="en-US">End user 	expectations (V.C.c.a.i.)</span></p></li><li><p
style="margin-bottom: 0in;"><span
lang="en-US">End user 	preferences, opt-in vs. opt-out (V.C.c.a.ii.)</span></p></li></ul></div> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/06/08/google-buzz/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Fair Information Practice Principles</title><link>https://www.cippguide.org/2010/01/18/fair-information-practices-principles/</link> <comments>https://www.cippguide.org/2010/01/18/fair-information-practices-principles/#comments</comments> <pubDate>Mon, 18 Jan 2010 12:00:43 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[Awareness]]></category> <category><![CDATA[Choice]]></category> <category><![CDATA[Consent]]></category> <category><![CDATA[data subject access]]></category> <category><![CDATA[fair information practice principles]]></category> <category><![CDATA[Notice]]></category> <category><![CDATA[opt-in]]></category> <category><![CDATA[opt-out]]></category> <category><![CDATA[redress]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=1200</guid> <description><![CDATA[The Fair Information Practices Principles form the backbone of privacy law in the United States and the concepts they include have played a significant role in the development of data protection laws around the globe. Understanding the Fair Information Practice Principles and how they should be implemented is critical to comply with the various privacy laws that protect personal [...]]]></description> <content:encoded><![CDATA[<p>The Fair Information Practices Principles form the backbone of privacy law in the United States and the concepts they include have played a significant role in the development of data protection laws around the globe. Understanding the Fair Information Practice Principles and how they should be implemented is critical to comply with the various privacy laws that protect personal information.</p><p><strong>The Fair Information Practice Principles</strong></p><p><em>Notice/Awareness</em></p><p>Individuals should receive notice of an entity’s privacy practices <em>prior</em> to the collection of personally identifiable information. Notice allows individuals to make informed choices regarding the use of the personal information. A privacy notice must include:</p><ul><li> A legitimate name and physical address of the entity collecting the data</li><li>The type of data collected</li><li>How collected data will be used</li><li>Any potential third party disclosure of personal information</li><li>Any potential secondary use of personal information</li></ul><p><em> </em></p><p><em><a
href="../../../../../2009/12/21/choice-and-consent/">Choice/Consent</a></em><em> </em></p><p>Individuals must be able to consent to or reject certain uses of their personal information, particularly with regard to secondary uses and marketing purposes. Two main mechanisms are used to provide consumers with consent options:</p><ul><li><a
href="../../../../../2009/12/21/choice-and-consent/">Opt in</a>: Require affirmative consent from the individual. In other words, action must be taken by the individual to START the processing of personal information for secondary uses or disclosures. This may include signing up to receive marketing newsletters, special offers and similar types of communications.</li><li><a
href="../../../../../2009/12/21/choice-and-consent/">Opt Out:</a> Requires the implicit consent of the individual. Here consent is assumed because the individual has not stated a desire otherwise. In other words, action must be taken by the individual to STOP the processing of personal information for secondary uses or disclosures. This may include <a
href="../../../../../2009/11/16/cookies-tracking-your-internet-experience/">opting out of third party advertising</a></li></ul><p>An individual must be able to view their consent options and change them at any time. Changes should be honored within a reasonable length of time.</p><p><em> </em></p><p><em>Access/Participation</em></p><p>An individual must be able to view the data an entity has on record. They must also be allowed to correct any incomplete or false information contained in their file. Access to data must be granted within a reasonable time frame and at a minimal cost.</p><p><em> </em></p><p><em>Integrity/Security</em></p><p>Data must be accurate, up-to-date, complete and not stored longer than necessary. Security of data must be maintained using physical, technical and administrative safeguards to protect against unauthorized access, use, disclosure and destruction. Safeguards should be implemented in proportion to the security risk or threat, with greater risks or threats warranting greater resources and stronger protections.</p><p><em> </em></p><p><em>Enforcement/Redress</em></p><p>An individual must be able to file complaints with the entity and have their issues addressed. Furthermore, there should be a mechanism in place to ensure compliance with the above standards, either through self-regulation or government regulation.</p><p><strong>Enforcement of Privacy Practices</strong></p><p>The Fair Information Practice Principles are suggestions to guide the use of personal information in connection with business activities and transactions. They are not in themselves a law that must be followed, and as such are not enforceable. However, there are many privacy laws (see below) which make use of the Fair Information Practices to protect personal information.</p><p>The United States supports the use of self-regulation to enforce Fair Information Practices. 
Theoretically, informed consumers will choose to use businesses that implement the Fair Information Practices and ensure the protection of their information, forcing those businesses that do not guarantee such protections out of business. Services such as the Better Business Bureau and online assurance programs build trust between businesses and consumers by providing consumers with a directory of businesses whose privacy practices have been assessed and found to provide adequate protection.</p><p>The Fair Information Practice Principles have been criticized because they do not require the creation of a general privacy authority and rely largely on self-regulation, which at times falls short of adequately regulating consumer protection. At the same time, many businesses believe implementing stronger guidelines or regulations would be too costly and detrimental to the growth of business. For now, the United States continues to use a sectoral approach, developing privacy laws as needed.</p><p><strong>Laws Using the Fair Information Practice Principles to regulate Privacy</strong></p><ul><li><a
href="http://epic.org/privacy/fcra/">Fair Credit Reporting Act</a> – Regulated by the Federal Trade Commission, the Fair Credit Reporting Act regulates the use of consumer reports. It requires notice of disclosure and adverse action, as well as the ability for a consumer to access and rectify inaccuracies in their consumer reports.</li><li><a
href="http://www.accessreports.com/statutes/RFPA.htm">Right to Financial Privacy Act</a>– Protects the privacy of customers using financial institutions from government searches (with exceptions.) RFPA restricts government access to financial records without the individual’s consent or meeting one of the specified exemptions from the rule.</li><li><a
href="http://www.coppa.org/">Children’s Online Privacy and Protection Act</a> – Protects against the collection, use and disclosure of the personal information of children under 13 without parental notice and consent.</li></ul><p><strong>Summary:</strong></p><p>The Fair Information Practice Principles form the backbone of privacy laws in the United States. Though the principles put forth by the FTC are only considered guidelines, there are some laws that have turned the guidelines into law and even more businesses which choose to build trust with consumers by ensuring their privacy through self-regulation of the Fair Information Practice Principles. Understanding the principles and their implementation is one of the core concepts all privacy professionals need to know.</p><p><em>CIPP/G Candidate Preparation</em></p><p>In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:</p><ul><li>Privacy Principles and Definitions including Fair Information Principles (I.B.a.i.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/01/18/fair-information-practices-principles/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Finding and fixing mistakes &#8211; Data Subject Access &amp; Redress</title><link>https://www.cippguide.org/2009/07/03/fixing-mistakes-data-subject-access-redress/</link> <comments>https://www.cippguide.org/2009/07/03/fixing-mistakes-data-subject-access-redress/#comments</comments> <pubDate>Fri, 03 Jul 2009 10:17:09 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[credit reporting]]></category> <category><![CDATA[data subject access]]></category> <category><![CDATA[ehr]]></category> <category><![CDATA[ele]]></category> 
<category><![CDATA[electronic health records]]></category> <category><![CDATA[FACT Act]]></category> <category><![CDATA[FACTA]]></category> <category><![CDATA[FCRA]]></category> <category><![CDATA[Google Health]]></category> <category><![CDATA[HIPAA]]></category> <category><![CDATA[NHS]]></category> <category><![CDATA[opt-out]]></category> <category><![CDATA[redress]]></category> <category><![CDATA[UK]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=694</guid> <description><![CDATA[What happens when a company collects incorrect data?  How can a consumer even discover the inconsistencies?  What course of action does a consumer take, and what should a corporation do to respect the rights of their [...]]]></description> <content:encoded><![CDATA[<p>There are numerous guidelines, best practices and regulations for collecting information on customers, patients or other data subjects (for this article, let&#8217;s generally call them consumers) in the United States.  The most regularly visited is probably HIPAA, where nearly everyone signs some sort of disclosure notification that a primary care physician, pharmacy, lab, hospital or some other medical office will share your Personal Health Records with third parties that handle administrative tasks for the provider.  There&#8217;s a decent sized list of who constitutes a health care provider, a third party and what information between all parties involved may be exchanged for transactions such as an insurance claim.  The financial sector also regularly distributes privacy policy notifications, although most times inaccurate information doesn&#8217;t affect anyone outside the credit reporting industry.  What happens when the collected data aren&#8217;t right?  How can a consumer even discover the inconsistencies?  What course of action does a consumer take, and what should a corporation do to respect the rights of their customers?</p><h2>Historical Perspective</h2><p>This is not a new issue, and has been tackled in multiple symposia and expanded several times over the past decades.  In 1973, the US Department of Health and Human Services introduced the Code of Fair Information Practices.  The 1981 Organization for Economic Cooperation and Development (OECD) guidelines and the comprehensive 1995 European Union Data Protection Directive 95/46/EC both deal with this issue.  They define two topics &#8211; &#8220;Individual Participation&#8221; and &#8220;Data Quality&#8221;.  Individual participation centers on consumer access, or the right to view any collected information and the ability to correct errors.  
The EU expounds upon individual participation, where access must be at reasonable intervals and rectification without excessive delay or expense.  The Federal Trade Commission <a
title="FTC advisory concerning providing online consumers reasonable access to personal information collected from and about them by domestic commercial Web sites" href="http://www.ftc.gov/acoas/papers/acoasdraft1.htm" target="_blank">(FTC) released an advisory on online access and security in 2000.</a> The CIPP defines these scenarios as customer access and redress.</p><h2>Problems in credit reporting</h2><p>Let&#8217;s first examine the US credit reporting world.  Information collected by the credit bureaus is used by banks and other money lenders to determine an applicant&#8217;s credit worthiness, or more important to the lender, their risk of default.  The credit bureaus have reason to keep the information collected as unavailable as possible &#8211; between the three main companies they had a monopoly on the compiled credit history the lenders need and each one tries to glean every ounce of data on an individual to justify ordering their credit report product.  The bureaus were charging consumers for every access to their credit reports, by what some would consider an inordinate amount.  A <a
title="1998 PIRG Survey shows significant problems with the credit reporting procedures in the US" href="http://www.floridapirg.org/home/reports/report-archives/financial-privacy--security/financial-privacy--security/mistakes-do-happen-credit-report-errors-mean-consumers-lose" target="_blank">1998 survey by the Public Interest Research Group</a> underscored the customer redress situation:<span
id="more-694"></span></p><blockquote><ul><li>Of the consumers that did obtain their credit reports, at least 14% of them were forced to call back 3 or more times after receiving busy signals or had to write a letter in order to receive their report;</li><li>And 12% of the consumers waited two weeks or longer to receive their report once they finished requesting it. It took more than a month for one California man to receive his report.</li><li>Overall, 15% of consumers who attempted to participate in the survey either made at least 3 phone calls and never got through or requested their reports but never received them.</li></ul></blockquote><p>This treatment went against the privacy principles laid out in the OECD and Fair Information Practices.  <a
title="2004 US Public Interest Research Group Survey finds discrepancies on 79% of all credit reports" href="http://calpirg.org/CA.asp?id2=14889&amp;id3=CA&amp;" target="_blank">Plus, mistakes were reportedly found on 79% of consumer credit reports</a>.  Without more readily available customer access, the system was in jeopardy.  To compound these problems, there was simultaneously a rise in identity theft.</p><h2>Congress steps in</h2><p>In response, the US Congress passed the Fair and Accurate Credit Transactions Act (FACT Act or FACTA) in 2003.  The FACTA amended the 1970 Fair Credit Reporting Act (FCRA), and gave rise to a free annual credit report requirement from each of the major bureaus&#8230; and the <a
title="YouTube video of freecreditreport.com commercials" href="http://www.google.com/url?sa=t&amp;source=web&amp;oi=video_result&amp;ct=res&amp;cd=1&amp;url=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D7dFbNw3bpKE&amp;ei=HYNKSq3hIISktgez2fzUBQ&amp;usg=AFQjCNHsvOf0iMh4NwCGaY0ZmkiaXhk_bA" target="_blank">slew of funny commercials about guys in pirate hats</a>. Congress decided the credit bureaus&#8217; reporting was simply too important to the US financial system, stating its rationale for the legislation:</p><blockquote><p>(a)<em>Accuracy and fairness of credit reporting.</em> The Congress makes the following findings:</p><ol><li>The banking system is dependent upon fair and accurate credit reporting. Inaccurate credit reports directly impair the efficiency of the banking system, and unfair credit reporting methods undermine the public confidence which is essential to the continued functioning of the banking system.</li><li>An elaborate mechanism has been developed for investigating and evaluating the credit worthiness, credit standing, credit capacity, character, and general reputation of consumers.</li><li>Consumer reporting agencies have assumed a vital role in assembling and evaluating consumer credit and other information on consumers.</li><li>There is a need to insure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer&#8217;s right to privacy.</li></ol><p>(b)<em>Reasonable procedures.</em> It is the purpose of this title to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information in accordance with the requirements of this title.</p></blockquote><h3>Unintended Consequences</h3><p>It is interesting to note that in 
response to the FACTA, &#8220;imposter&#8221; domains sprang up, with a World Privacy Forum study calling out 96 specific known sites.  The web site touted in the pirate hat commercials is not the free annual credit report required by Congress, but actually one of the imposter domains belonging to Experian.  <span>The World Privacy Forum study, &#8220;<a
title="World Privacy Rights study documents misdirection on the part of the credit bureaus in the FACTA mandated free credit report execution" href="http://www.privacyrights.org/ar/CallDontClick.htm" target="_blank">Call Don&#8217;t Click: Why It&#8217;s Smarter to Order a Federally Mandated Credit Report via Phone Instead of the Internet,</a>&#8221; found:</span></p><blockquote><ul><li><span>28 of the imposter domains belong to Experian, a credit bureau.</span></li><li><span>68 of the imposter domains belong to or are hosted at &#8220;pay per click&#8221; companies.</span></li><li><span>50 of the &#8220;pay per click&#8221; domains are live, and some are luring consumers to inappropriate and risky Web sites. Some of the &#8220;pay per click&#8221; sites lead consumers to Experian and other credit companies&#8217; commercial sites in order to cash in on the credit bureaus&#8217; affiliate marketing programs.</span></li></ul></blockquote><h2>Electronic Health Records &amp; HIPAA</h2><p>Consumer access is probably not as obvious a problem in the health care community.  Most of the work currently happens on the back end, where insurance companies and health care provider&#8217;s offices wrangle over receiving the right amount of money for procedures.  As an uninsured American, you may have to pick up the torch of dealing with doctor&#8217;s office blunders, but in those cases, you&#8217;re likely handling them at the time of service and won&#8217;t pay until they get it right.  Most people simply don&#8217;t see the man behind the curtain.</p><p>The scary part will surround electronic health records (EHR) and the push to incorporate them through ARRA.  As digital bits, EHR integrity could become more questionable.  It will also uncover a slew of inconsistencies that have yet to reach the light of day &#8211; the proverbial Garbage In, Garbage Out.  A <a
title="After transferring his Electronic Health Records from his hospital, an early Google Health adopter found numerous mistakes with nothing but convoluted methods to fix them" href="http://e-patients.net/archives/2009/04/imagine-if-someone-had-been-managing-your-data-and-then-you-looked.html" target="_blank">recent adopter of Google Health recounts his experience utilizing his hospital&#8217;s auto-migrate feature</a>.  Some of his revelations:</p><blockquote><ul><li>[T]he docs in the back room&#8230; quickly figured out what was going on&#8230; the system transmitted insurance billing codes to Google Health, not doctors’ diagnoses<strong>.</strong> [I]nsurance billing codes bear no resemblance to reality&#8230; <span>if a doc needs to bill insurance for something and the list of billing codes doesn’t happen to include exactly what your condition is, they cram it into something else so the stupid system will accept it.</span></li><li>EMR pontificators are saying “Online data in the hospital won’t do any good at the scene of a car crash.” Well, GOOD: you think I’d want the EMTs to think I have an aneurysm, anxiety, migraines and brain mets?? Yet if I hadn’t punched that button, I never would have known my data in the system was erroneous.</li><li>[M]y 12/6/2003 x-ray identified me as a 53 year old woman&#8230; it took me months to get that error corrected, because nobody’s in the habit of actually fixing errors&#8230;<strong> </strong></li></ul></blockquote><p>This was a contemporary hospital.  Their CIO touted the EHR revolution and already took steps embracing customer advocacy.  There will undoubtedly be push back with older hospitals or stodgier doctors.  The documented excavations are inevitable, especially with so many people involved in providing healthcare.  An <a
href="http://www.fastcompany.com/magazine/129/the-cure.html?page=0%2C1" target="_blank">article in </a><em><a
href="http://www.fastcompany.com/magazine/129/the-cure.html?page=0%2C1" target="_blank">Fast Company</a> </em>chronicled the clinical staff access associated with the writer&#8217;s medical care:</p><blockquote><p>… a list of everybody that accessed the medical record from the time he was seen in the clinic to two weeks post-op.’ There were 113 people listed — and every one had an appropriate reason to be in that chart. It shocked all of us. We all knew this was a team sport, but to recognize it was that big a team, every one of whom is empowered to screw it up — that makes me toss and turn in my sleep.”</p></blockquote><p>To top it all off, there are already <a
title="How will issues with Electronic Health Records be different from paper records?" href="http://www.cippguide.org/2009/04/09/abandoned-medical-records-happen-will-abandoned-ehr-happen-more/" target="_blank">questions as to how older, paper records might be brought into the digital realm</a>.  Who&#8217;s to handle the scanning?  What&#8217;s to be had of the old records?  Will the security provisions be in place to prevent EHR compromise?  It&#8217;s already time consuming to update a digitized hospital&#8217;s records &#8211; how about those of a newly computer literate doctor&#8217;s office?</p><h2>International Example</h2><p>The US doesn&#8217;t have a lock on the access and redress problem.  Even with the heavy emphasis placed on privacy in the EU and a separate Information Commissioner&#8217;s Office (ICO) responsible for privacy, the United Kingdom has had it&#8217;s share of reporting and correction problems, <a
title="The UK's National Healthcare System's electronic health database now allows customer record deletion" href="http://www.theregister.co.uk/2009/05/26/e_record_deletion/" target="_blank">most recently with their national health database</a>.  Until late May, citizens had only the option of opting out of the National Healthcare System (NHS) electronic health database or masking their data in the system.  With the socialized health care in the UK, there were instances where opting out had serious consequences.  In British health care, a summary care record (SCR) includes information such as allergy information, current medications, medical conditions and resuscitation preferences.  There is obviously personal information included in the SCRs, and the security of the communications medium between the hospitals (called the Spine) has been called into question.  Additionally, access controls on the system allow any authorized user to view any patient&#8217;s information, not just those currently being treated.</p><p>The NHS agency Connecting for Health (CfH) runs the records system.  An ICO spokeswoman confirmed medical record deletion would now be possible after discussions with the ICO privacy watchdogs and CfH managers.</p><blockquote><p>People want the assurance that they can restrict who can access their personal details in NHS electronic records.  We met recently with Connecting for Health (CfH) to discuss the permanent deletion of summary care records once a patient requests their summary record no longer appears on the database.  
We are pleased that as a result of these discussions CfH have found a way to ensure that these records are permanently removed from the database when appropriate and we are continuing to talk to them about how this is put into practice.</p></blockquote><h2>Summary</h2><p>When drafting corporate or group policies, general best practices dictate that data subjects should have the ability to review all information an organization holds on them and the right to correct any errors.  Those changes must be reconciled across the organization, either pushed upward from third party partners or downward from the main collecting organization.  By adhering to this standard, nearly every organization will be kept in lockstep with multi-national laws with regard to data subject access and redress.</p><h3><strong><em>CIPP Candidate Preparation</em></strong></h3><p>In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with several topics found in this post, including:</p><ul><li>Privacy Regulations (Foundations: I.F.b, CIPP: I.B) and Compliance Requirements (Foundations: II.B)</li><li>Data Subject Access &amp; Redress (Foundations: III.B.d)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2009/07/03/fixing-mistakes-data-subject-access-redress/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> </channel> </rss>
