Medical and Workplace Privacy

Michael I. Shamos, Ph.D., J.D.
Institute for Software Research International
Carnegie Mellon University
17-801 PRIVACY POLICY, LAW & TECHNOLOGY FALL 2004 COPYRIGHT 2004 MICHAEL I. SHAMOS

Outline
- Medical privacy stakeholders:
  - patient
  - health care provider
  - insurer
  - federal government
  - (sometimes) employer
- What is the basis for privacy?
- Workplace privacy stakeholders:
  - employee
  - employer
- Basis for privacy?

U.S. Privacy Law
- Privacy law is a patchwork of state and federal statutes and judicial decisions
- The Federal government has limited powers to protect privacy
  - "Interstate commerce" (Federal Trade Commission)
- There are three Federally protected categories of personal data:
  - financial (Gramm-Leach-Bliley)
  - educational (FERPA)
  - medical (HIPAA)
- Plus some narrow protections, e.g. video rental data

Cliff Notes Version of HIPAA
- Covered Entities (healthcare providers, health plans, insurance companies, healthcare clearinghouses)
- May Not Use or Disclose Protected Health Information (PHI)
- Except with the Written Consent or Authorization of the Employee
- Or Unless Required or Permitted by Law
- Or to the Minimum Extent Necessary or Allowed to Accomplish the Purpose of Treatment
SOURCE: LITTLER, MENDELSON

Protected Health Information (PHI)
- Information created or received by a health plan or healthcare provider; and
- Relates to the condition or care of an individual; or
- Relates to the payment for care; and
- Permits identification of the individual (or creates a reasonable basis upon which to identify the individual)
- 45 CFR 164.501
SOURCE: LITTLER, MENDELSON

HIPAA: Health Insurance Portability and Accountability Act of 1996 (Regulations)
- A covered entity may not use or disclose protected health information, except as permitted or required
  - pursuant to a consent to carry out treatment, payment, or health care operations
  - pursuant to an authorization
  - pursuant to an agreement (opt-in)
  - other provisions
  - 45 CFR 164.502
- Health information that meets specifications for de-identification is considered not to be individually identifiable health information
  - 45 CFR 164.502(d)
- Compliance deadline was April 14, 2003

De-Identification
- A covered entity may determine that health information is not individually identifiable only if the following identifiers of the individual or of relatives, employers, or household members of the individual are removed:
  - Names;
  - All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, except for the initial three digits of a zip code if ...
  - All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89
  - Telephone numbers; fax numbers; email addresses; URLs; IP addresses
  - Social security numbers; medical record numbers; health plan beneficiary numbers; account numbers;
  - Certificate/license numbers; vehicle identifiers, serial numbers, plate numbers;
  - Device identifiers and serial numbers;
  - Biometric identifiers, including finger and voice prints;
  - Full face photographic images and any comparable images; and
  - Any other unique identifying number, characteristic, or code; and
- The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
- 45 CFR 164.514

Wrongful Disclosure Under HIPAA
- A person who knowingly
  - uses or causes to be used a unique health identifier;
  - obtains individually identifiable health information relating to an individual; or
  - discloses individually identifiable health information to another person
- shall be fined not more than $50,000, imprisoned not more than 1 year, or both;
- if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
- if the offense is committed with intent to sell, or use information for commercial advantage, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both
- 42 U.S.C. 1320d-6
- BUT: no private lawsuit

Genetic Privacy
- Federal: Executive Order 13145 (Clinton), "Nondiscrimination in Federal Employment on the Basis of Protected Genetic Information"
- State:
  - Cal Gov Code 12940 (Unlawful employment practices): It shall be an unlawful employment practice for an employer ... to subject, directly or indirectly, any employee, applicant, or other person to a test for the presence of a genetic characteristic.
  - Cal Gov Code 10148 (Test for genetic characteristic): No insurer shall require a test for the presence of a genetic characteristic for the purpose of determining insurability other than for those policies that are contingent on review or testing for other diseases or medical conditions
SOURCE: KARL MANHEIM, LAWRENCE SLOCUM

Employee Polygraph Protection Act
- Makes it illegal for an employer in interstate commerce
  - to require an employee or prospective employee to take a lie detector test
  - to use the results of a lie detector test
  - to use the refusal to take a test to discharge the employee
- Exceptions:
  - governments
  - employer investigations of theft where the employer has reasonable suspicions the employee was involved
  - security personnel
- 29 U.S.C. 2002

O'Connor v. Ortega, 480 U.S. 709 (1987)
- Search warrants not needed by employers
- Executive director O'Connor of a public hospital suspected Dr. Ortega of management improprieties
- Searched his office and found incriminating evidence
- Was his expectation of privacy violated?
- Reality of workplace may vitiate some expectations
- Standard of "reasonableness" is sufficient for work-related intrusions by public employers
- 5-4 decision by the Supreme Court

Skinner v. Railway Labor Executives' Assoc., 489 U.S. 602 (1989)
- Federal Railroad Administration (FRA) implemented regulations requiring mandatory blood and urine tests of employees involved in certain train accidents
- Expectations of privacy by employees engaged in an industry regulated to ensure safety are diminished
- Testing procedures pose only limited threats
- Rights of the individual are superseded by the rights of the organization to conduct business.
- Government's interest in assuring safety on the nation's railroads constitutes a "special need"
SOURCE: CAYLEN TICHENOR

U.S. v. Simons, 206 F.3d 392 (4th Cir. 2000)
- Simons was a subcontractor to the CIA.
- Agency policy stated:
  - employees could use Internet for official government business only
  - accessing unlawful material prohibited
  - Agency would conduct electronic audits to ensure compliance
- Firewall detected queries containing "sex" from Simons' computer
- Simons' office and computer were searched; child porno found; Simons tried and convicted
- Employee cannot maintain expectation of privacy when there is a monitoring policy in place.

Computer Surveillance
- In general, surveillance by the employer is legal if
  - the computer being monitored belongs to the employer; or
  - the computer is connected to the employer's network; and
  - even if communications are encrypted
- McLaren v. Microsoft Corp., No. 05-97-00824 (Tex. Ct. App. May 28, 1999).
  - Employee used private password to encrypt email messages stored on office computer.
  - Company decrypted and viewed files.
  - Email account and workstation were provided for business use, so Microsoft could legitimately access data stored there.
- Notice of Electronic Monitoring Act (CT)
  - Versions introduced in other states and Congress

Office Snooping?
- Doe v. SEPTA, 72 F.3d 1133 (3d Cir. 1995)
- Doe (not identified in the case) was awarded $125,000 when his co-employees learned from his prescription records he was being treated for AIDS
- Appeals court reversed
  - The information was learned in a routine audit of the company's health plan for fraud, drug abuse, and excessive costs
  - No prohibition against employers making use of medical records in employment decisions
  - All co-employees had a "need to know"

Phone Calls and Email
- Omnibus Crime Control Act of 1968 prohibits monitoring of employee phone calls unless
  - it occurs in the regular course of business; or
  - the employee consents to the monitoring
- 1986 Electronic Communications Privacy Act
  - Allows employers the same access to employee emails on the job
  - If employees are informed that their emails can and will be monitored there is no reasonable expectation of privacy

Tiberino v. Spokane County, 13 P.3d 1104 (2000)
- Gina Tiberino worked for Spokane County, WA
- She misused her office computer for personal email and was fired
- She threatened to sue; Spokane printed out her email (551 messages; 467 were personal)
- The media requested copies
- Tiberino sued to prevent disclosure
- Held, the emails were "public records" but the contents were exempt from disclosure. The fact of the emails, not their contents, was of public interest

Q & A

Texas Privacy Laws
- Texas Health and Safety Code 611.000
- Texas Medical Privacy Act
- Texas Labor Code
  - HIV
  - Genetic testing

Texas Medical Practices Act
- Prohibits access to computerized records of a "confidential communication" between a physician and patient
  - Without consent
  - Authorized purposes
- May be released if relevant to civil action for monetary damages

Passage of HIPAA in 1996
- At the time of the passage of HIPAA there was no federal protection for the privacy of medical records except for:
  - Privacy Act of 1974: does not cover records held by private entities
  - Americans with Disabilities Act: does not cover the nondisabled or the disabled in many situations
- Doe v. SEPTA case is a real eye-opener

Future Privacy Issues
- In the future, medical privacy is only going to get more difficult to secure
- There is a trend toward larger and larger medical databases of computerized medical records
- Computerized records radically lower the costs of acquiring, storing, and integrating medical records
- DNA testing probably has the greatest potential for treatment breakthroughs
- DNA results in the medical records could have more damaging effects on future insurability and employability

Need For Reform
- Much of HIPAA is devoted to the privacy of medical records
- Since HIPAA was passed the issue of health insurance portability has receded while concern about privacy of medical records has increased
- Federal government is dealing with privacy issues on several fronts, most notably on the Internet

HIPAA-Mandated Rule
- When HIPAA was passed it was anticipated that Congress would enact privacy legislation
- Congress was given until August 21, 1999
- That deadline came and went and HHS was required to promulgate its own regulations
- These regulations became law in April of 2001.
- Actual implementation is scheduled to take place in phases several years from now: a minimum of 2 years

HIPAA Rule: Goals of HHS
- The goals of the HHS HIPAA Regs. are an adaptation of the FTC Fair Information Principles
- Allow for free flow of medical information to promote treatment, payments, and healthcare operations
- Prohibit secondary uses of medical information unless authorized by the subject of the info
- Allow individuals access to their own records and give them an opportunity to correct errors

Goals of HIPAA Regs.
- Continuing with the goals of the HIPAA Rule:
- Allow individuals to know who is using their health information and how it is being used
- Require persons who hold identifiable health information to safeguard that information from inappropriate use or disclosure
- Hold those who store health information accountable for their handling of the information

Rules of Thumb
- HIPAA limits jurisdiction of the HHS Rule to "covered entities"
  - Healthcare providers, health plans (insurance companies are included), and healthcare clearinghouses
- HHS laments its lack of ability to totally control electronic transfer of health information
- HHS develops the "business partner" concept for those that receive medical information from a covered entity

HIPAA Rules
- Protected healthcare information could be transferred within covered entities without authorization of the patient if
  - The transfers were for the purpose of facilitating treatment, payment, or healthcare operations
- Special protections are provided for notes of psychotherapist

HIPAA Rules
- Other transfers of health information would require authorization of the patient except if:
  - The transfer of information fell into one of 12 designated categories:
  - Oversight of the healthcare system, public health, medical research, law enforcement, emergency situations, government health data systems, financial payment plans through banks that facilitate credit cards, and where state law requires disclosure

Workplace Privacy
- Governmental employer: O'Connor v. Ortega
  - Balance right of employee to privacy against employer's needs for supervision, control and the efficient operation of the workplace
- Private employer
  - Use same balancing test
  - Nardinelli et al. v. Chevron: harassing emails
  - Blakey v. Continental Airlines: bulletin board offsite
  - Michael A. Smyth v. Pillsbury Company: employee's email
  - McLaren v. Microsoft: employee's having password did not give him protection
SOURCE: WEST LEGAL STUDIES

Impact of the ECPA on Workplace Privacy
- Robert Konop v. Hawaiian Airlines
  - Posted messages on his password-protected bulletin board
  - One of his users with a password gave the password to a third party
  - Third party went online and viewed Robert's BB
  - Ct.: no violation of Title I, no interception
  - Violation of Title II, not authorized use to give password to third party
SOURCE: WEST LEGAL STUDIES

Workplace Privacy
- Needs of the business outweigh the privacy of the individual.
- Burden of proof is on employee.
  - Must prove "invasiveness."
- If there is no "reasonable expectation of privacy" there is no Fourth Amendment protection.
SOURCE: CAYLEN TICHENOR

Employer Eavesdropping
- Employers cannot eavesdrop on private phone calls.
- Federal law does allow unannounced monitoring for business related calls.
- If employer provides notice of monitoring and that communication systems shall be used for business purposes only, monitoring of voice mail and email is permissible.
SOURCE: CAYLEN TICHENOR
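The De-Identification slide above lists the identifiers that 45 CFR 164.514 requires a covered entity to strip before health information counts as not individually identifiable. As an added example (not part of the slides or of any referenced source), the following Python applies that list to a constructed patient record and then scans the fields that survive for identifier-looking strings, the kind of check a covered entity would run before concluding it has no "actual knowledge" that the record can still be re-identified. The field names, the record layout, the "90+" age bucket and the keep_zip3 switch are assumptions of this example; the slide does not reproduce the condition under which the initial three zip digits may be retained, so the example leaves that decision to the caller.

```python
import re

# Fields the De-Identification slide (45 CFR 164.514) lists for removal outright.
# Field names are assumptions of this example, not regulatory terms.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street_address", "city", "county", "precinct",
    "phone", "fax", "email", "url", "ip_address",
    "ssn", "medical_record_number", "health_plan_beneficiary_number",
    "account_number", "certificate_license_number", "vehicle_identifier",
    "device_identifier", "biometric_identifier", "full_face_photo",
})

# Date fields: the slide keeps only the year of dates directly related to an individual.
DATE_FIELDS = frozenset({"birth_date", "admission_date", "discharge_date", "date_of_death"})

ISO_DATE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")

# Patterns used only to flag identifier-looking strings left in free text.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def deidentify(record, keep_zip3=False, extra_identifier_fields=()):
    """Return a copy of `record` with the slide's identifiers removed or generalized.

    keep_zip3: retain the first three zip digits. The slide states that this
    exception exists but does not reproduce its condition, so whether it
    applies is left to the caller (assumption of this example).
    extra_identifier_fields: record-specific fields covering the slide's
    "any other unique identifying number, characteristic, or code".
    """
    drop = DIRECT_IDENTIFIER_FIELDS | frozenset(extra_identifier_fields)
    out = {}
    for field, value in record.items():
        if field in drop:
            continue
        if field in DATE_FIELDS:
            m = ISO_DATE.match(str(value))
            if m:
                out[field + "_year"] = int(m.group(1))
            # A date that cannot be parsed is dropped rather than passed through.
            continue
        if field == "zip":
            if keep_zip3:
                out["zip3"] = str(value)[:3]
            continue
        if field == "age":
            # Ages over 89 are collapsed into a single "90+" bucket (assumed representation).
            out["age"] = "90+" if int(value) > 89 else int(value)
            continue
        out[field] = value
    return out


def residual_identifiers(record):
    """Map field -> pattern names for string values that still look like identifiers."""
    hits = {}
    for field, value in record.items():
        if isinstance(value, str):
            found = [name for name, pat in RESIDUAL_PATTERNS.items() if pat.search(value)]
            if found:
                hits[field] = found
    return hits


# Constructed sample record; every value is made up for this example.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street_address": "1 Example Way",
    "city": "Pittsburgh",
    "state": "PA",
    "zip": "15213",
    "birth_date": "1912-03-04",
    "age": 92,
    "admission_date": "2004-09-01",
    "ssn": "123-45-6789",
    "phone": "412-555-0100",
    "email": "jane@example.com",
    "diagnosis": "hypertension",
    "notes": "Patient asked for a callback at 412-555-0100.",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE_RECORD)
    print(clean)
    # The notes field still carries a phone number: the record is NOT de-identified yet.
    print(residual_identifiers(clean))
```

Run as a script, the first print shows only the state, the two year fields, the "90+" age bucket, the diagnosis and the notes; the second print flags the notes field, which illustrates why a field-by-field strip is not enough on its own: free text has to be reviewed (or redacted) before the "actual knowledge" prong of the slide is satisfied.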