Privacy and Public Access

1
Privacy and Public Access

• Wednesday, October 6, 2004
• Dino Tsibouris
• dino.tsibouris_at_mt-law.com
• (614) 228-9707

2

3

• October 22, 2003
• A Tough Lesson on Medical Privacy
• BY DAVID LAZARUS
• "Your patient records are out in the open... so
  you better track that person and make him pay my
  dues."
• A woman in Pakistan doing cut-rate clerical work
  for UCSF Medical Center threatened to post
  patients' confidential files on the Internet
  unless she was paid more money.
• The violation of medical privacy - apparently
  the first of its kind - highlights the danger of
  "offshoring" work that involves sensitive
  materials.

4

• Why Have a Privacy Policy?
• The Federal Trade Commission (FTC) permits
  companies to use information obtained from
  consumers to the extent it adequately discloses
  its practices.
• FTC is particularly concerned with preventing
  unfair or deceptive acts or practices in or
  affecting commerce.

5

• Why Have a Privacy Policy?
• The FTC Proposed Legislation.
• Notice Required clear and conspicuous notice
  of the companys information practices
• Choice Required that consumers be permitted to
  choose how their personal identifying information
  is used beyond the use for which the information
  was provided
• Access Required companies to provide
  reasonable access to the information the website
  collected about them, including a reasonable
  opportunity to review information and to correct
  inaccuracies or delete information
• Security Required companies to take reasonable
  steps to protect the security of the information
  they collect from consumers.

6

• Why Have a Privacy Policy?
• Industry Proposes Self-Regulation.
• The Online Privacy Alliance
• AOL Time Warner Apple Computer ATT Boeing
  Compaq Dell DoubleClick Inc. EarthLink, Inc
  eBay, Inc EDS Equifax Ernst and Young
  Experian Guardent IBM Intuit Keylime
  Software, Inc. Microsoft PricewaterhouseCoopers
  Reed Elsevier SAS Institute Inc. Sun
  Microsystems Verizon Communications
  Websidestory, Inc. WorldCom Yahoo! American
  Advertising Federation American Institute of
  Certified Public Accountants Association for
  Competitive Technology Business Software
  Alliance Association of National Advertisers
  American Association of Advertising Agencies
  Center for Information Policy Leadership
  Electronic Retailing Association Information
  Technology Association of America Interactive
  Digital Software Association Internet Alliance
  Motion Picture Association of America Software
  Information Industry Association The United
  States Chamber of Commerce The United States
  Council for International Business.

7

• Why Have a Privacy Policy?
• Industry Proposes Self-Regulation.
• Adoption and Implementation of a Privacy Policy
• Notice and Disclosure
• Choice/Consent
• Data Security
• Data Quality and Access

8

• Privacy Expectations in the Public Sector
• Citizens expect privacy of information collected
  online
• 57 of people surveyed would sacrifice some
  online privacy to assist law enforcement Council
  for Excellence in Govt, Nov. 2001.

9

10

• Privacy Expectations in the Public Sector
• Oregon Department of Transportation Website
• Personal Information and NondisclosureMost
  information collected by state government is
  assumed to be open to the public unless
  specifically exempted. ORS Chapter 192 contains
  the Oregon Public Records Law. Under this law,
  individuals are permitted to request that public
  officials not disclose a public record that
  contains their home address and telephone number
  under certain circumstances. ORS 192.445
  specifies how to request non-disclosure.
• http//www.oregon.gov/ODOT/CS/ODOTEGOV/PrivacyandI
  nformationDisclosureNotice.shtml

11

• Privacy Expectations in the Public Sector
• Oregon Department of Transportation Website
• Public Disclosure All information collected at
  this site becomes a public record unless an
  exemption in law exists. ORS Chapter 192 contains
  the Oregon Public Records Law.
• In the State of Oregon, laws exist to ensure that
  government is open and that the public has a
  right to access appropriate records and
  information possessed by state government. At the
  same time, there are exceptions to the public's
  right to access public records that serve various
  needs including the privacy of individuals. Both
  state and federal laws provide exceptions.
• http//www.oregon.gov/ODOT/CS/ODOTEGOV/PrivacyandI
  nformationDisclosureNotice.shtml

12

• Privacy Expectations in the Public Sector
• Third party service providers and gateways
• ASP
• Payment providers

13

• Privacy Expectations in the Public Sector
• NYC.gov Third Party Links
• NYC.gov provides links to, and may be linked
  from, local, State and federal government
  agencies, and from, or to, other websites. The
  existence and/or provision of those links neither
  constitutes nor implies endorsement of the
  destination or departure website(s) or of the
  content, viewpoint, accuracy, opinions,
  policy(ies), product(s), accessibility or privacy
  policy of said destination or departure
  website(s). Nor does any link between NYC.gov and
  a third-party website imply sponsorship of such
  website, or the creator of such website.

14

• Privacy Expectations in the Public Sector
• NYC.gov Third Party Links
• Some content on portions of NYC.gov resides on
  servers run by third parties. Each agency
  providing content for NYC.gov is bound by
  NYC.gov's privacy policy. Any agency using a
  third-party host, ISP, ASP or other combination
  of third-party transport, storage, content or
  application provision services shall be
  responsible for such third party's compliance
  with NYC.gov's privacy policy.

15

• Gramm-Leach-Bliley Act (1999)
• Financial Institutions
• Banks
• Credit Unions
• Brokers
• State Schools that make student loans

16

• Gramm-Leach-Bliley Act (1999)
• Privacy
• Regulates collection and sharing of nonpublic
  personal information
• Consumers vs. customers
• FI cannot share PI with an unrelated company
  unless it first provides a notice allowing the
  individual to opt-out of sharing

17

• Gramm-Leach-Bliley Act (1999)
• Privacy
• Senior level policy required
• Privacy executive or committee
• Different from FCRA (credit reporting)

18

• Gramm-Leach-Bliley Act (1999)
• Privacy
• Exemptions
• Agents
• Service providers
• PI used to enforce a transaction
• Consent

19

• Gramm-Leach-Bliley Act (1999)
• Security
• Must use reasonable security measures
• Regulations governing technical measures
• Must limit access to necessary employees
• Agents must promise to keep information secure
  and confidential

20

• Gramm-Leach-Bliley Act (1999)
• Considerations from Banking
• OCC Advisory Opinion AL 2004-09
• E-sign merely creates records
• Only a starting point
• Litigation rules - Admissibility
• Audit requirements - COBIT
• Regulatory compliance

21

• Health Insurance Portability and Accountability
  Act of 1996
• Standards for electronic exchange of health
  information
• Rules to protect privacy of health information
• Rules to protect against threats, hazards or
  unauthorized access to health information

22

• HIPAA
• Protected Health Information (PHI)
• Individually Identifiable Health Information
• Electronic, paper, oral
• Created or received by a health care provider,
  health plan, employer or health care
  clearinghouse

23

• HIPAA
• Individually Identifiable Health Information
• Related to an individual the provision of health
  care to an individual or payment for health care
• and that identifies the individual

24

• HIPAA
• Patient Rights
• Request restrictions on uses and disclosures of
  health information
• Obtain documentation of disclosures
• Inspect and copy heath information
• Request amendment of health information
• File a complaint of non-compliance

25

• HIPAA
• Provide written notice of privacy policy
• Explain uses and disclosures of health
  information and give examples
• Describe the individuals rights
• Make a good faith effort to obtain a written
  acknowledgment of the patients receipt of the
  notice at the time of first service delivery

26

• HIPAA
• Must designate a privacy official
• Must establish privacy and security policies
• Must train all personnel that may contact PHI
• Must ensure staff informed when policy is changed
• Must have a process to resolve complaints

27

• HIPAA
• Must adopt written security procedures
• Maintain reasonable and appropriate
  administrative, technical, and physical
  safeguards

28

• HIPAA
• NYC.Gov
• Health Care InformationAny agency providing
  personally identifiable health care information
  via NYC.gov will be required to certify that its
  health care data handling and security procedures
  are compliant with the Health Insurance
  Portability and Accountability Act of 1996
  ("HIPAA"). If such data and security services are
  provided to such agency(ies) by a third-party
  provider, the agency(ies) shall be responsible
  for such third party's compliance with HIPAA.
• http//www.nyc.gov/portal/index.jsp?epi_menuItemID
  b52b1c491d03e607a62fa24601c789a0epi_menuID27579
  af732d48f86a62fa24601c789a0epi_baseMenuID27579af
  732d48f86a62fa24601c789a0

29

• State Law
• Online access to court and civil records
• Privacy becomes personal
• Identity theft

30

• Florida
• Online access to court records
• Triggered backlash of concern over privacy rights
  and ID theft
• Civil and criminal documents banned from online
  posting until Supreme Court committee review
• Probably will not happen for July, 2005

31

• Florida
• Proposals
• Changing the amount of information collected
• Barring access online
• Assigning users unique ID numbers
• Imposing a waiting period for access to court
  information

32

• Florida
• Driver Privacy Protection Act (DPPA)
• Limits public access to social security numbers,
  driver license or identification card numbers,
  names, addresses, telephone numbers, and medical
  or disability information contained in motor
  vehicle and driver license records.
• Personal information protected under DPPA does
  not include "vehicular crashes, driving
  violations, and driver's status."

33

• Florida
• Driver Privacy Protection Act (DPPA) permits
  access for
• Auto manufacturers conducting a recall of parts
  or vehicles
• Government agencies or credentialed private
  investigators
• A legitimate business verifying information for
  employment
• Insurance agencies
• Towing companies
• Companies obtaining information about their
  drivers
• A person or agency with written permission

34

• California
• California Online Privacy Protection Act
• Applies to website operators that collect
  personal information from California residents
• Requires the web site operator to conspicuously
  post a privacy policy
• Policy must describe method of collection and use
  of information
• Must provide method to correct information on file