Begin forwarded message:
From: Bob Gellman <[EMAIL PROTECTED]>
Date: June 28, 2006 9:59:54 AM EDT
To: Latanya Sweeney <[EMAIL PROTECTED]>
Cc: David Farber <[EMAIL PROTECTED]>
Subject: Re: Farber's List posting

Interesting. I agree that changing business practices may undermine
the concept of a conduit. But I am not sure that there aren't better
ways to deal with some of your examples.

First, the maintenance of shipping logs (let's leave aside the
prospect for Internet data retention requirements) may not be enough
to create a problem. Keeping the logs is one thing. Using them to
derive data on consumers for some other use is something else. I
presume that all package delivery companies have logs, which they
probably keep for some significant period of time. I don't see that
as troublesome from a health privacy perspective. As long as the
information is not used in some inappropriate way by the company,
then the OCR test still works. In any event, asking USPS or UPS to
treat a class of packages (and their attendant records) differently
from all other packages is likely to be impractical. It might make
the privacy problems worse. Those activities tagged as HIPAA related
will stand out.

Second, the outside address on a letter or package is not health
information per se. It's the same distinction made between the
content of a phone call and the pen register information used to
route the call. The government can access pen register information
under a lesser standard. Similarly with the information on the
outside of a first class letter. Anyway, if an AIDS clinic is sending
the item, it can use a return address that reveals nothing, and any
problem goes away.

Third, there are some activities that may be and should be beyond
control. Anyone can stand outside an AIDS clinic and observe those
who enter. There isn't much that HIPAA can do about it. Similarly,
HIPAA allows an ER to announce publicly that John Doe is next.
That's a practical concession, and it would be difficult to have a
different approach. (However, in my view, a public sign-in list at a
doctor's office is a violation of HIPAA because it is easy to devise
an alternative.) HIPAA is generally pretty good on the practical
side of health care information use and disclosure. That's important
so that privacy laws don't become an obstacle to routine activities.

Fourth, HIPAA allows the disclosure of health information without
individual notice, without the need for authorization, and over the
objection of the patient to a MULTITUDE of institutions. These
include, among others, any law enforcement officer and any national
security agency. The procedures that apply in these cases are
laughable. In light of the gaping holes in confidentiality allowed
by HIPAA, I can't get excited over the possibility of inferences from
return addresses on envelopes. In any event, a patient who cares
about this can probably object under HIPAA if a hospital uses a
tracked package delivery service. See 164.522(b).

Finally, if package deliverers or phone companies were actually
compiling information about recipients and using that for dossiers or
marketing, then I agree that the conduit concept would no longer
work. In that case, a business associate agreement might be needed,
but I think that this would be strongly resisted and very
complicated. The better approach would be to use a different service
that doesn't create the problem. At least, as long as that
possibility existed.

Bob
--
+ + + + + + + + + + + + + + + + + + + + + + +
+ Robert Gellman <[EMAIL PROTECTED]> +
+ Privacy and Information Policy Consultant +
+ 419 Fifth Street SE +
+ Washington, DC 20003 +
+ 202-543-7923 www.bobgellman.com +
+ + + + + + + + + + + + + + + + + + + + + + +

Latanya Sweeney wrote:

Hi Bob,

At first glance, the wording in the FAQ may seem
out-dated in its approach and allow all conduits
to be free from consideration as a Business
Associate. I'm not sure that is their intention.
OCR may want to clarify or update
given today's technical reality. Here's what I mean.

When I think of UPS and the U.S. Postal Service
in historical context, these "conduits" have not had
access to the information inside the packages and
envelopes they handle. By OCR's own
statement, they envision "infrequent" and "random"
access. Therefore, it stands to reason that these
conduit providers would not be considered
a Business Associate. But that's at historical glance.

In light of today's technology and evolving business
practices, these providers often maintain logs of
packages delivered when shipped via certain services.
A typical log includes shipper address, recipient
address, shipping date and package weight
on each package. These logs can pose privacy problems
that it seems a Business Associates agreement under
HIPAA could easily correct. Even the OCR's wording
may support a claim that these logs are covered by HIPAA
and require a Business Associates agreement
in some situations.

An example in the spirit of those that came earlier
is a log of recipients of packages shipped from a hospital's
AIDS support group, which operates under separate cover
and distinctive mailing address. If most of their packages
are to patients, then the log may support reliable
inferences about individuals at personal mailing addresses.

If asked, OCR may liken AT&T's phone service to UPS
and the U.S. Postal Service. But doing so across the board,
without the covered entity assessing the inferences that can
be drawn from the information they provide on the mailing label
(or other "conduit information"), may be unnecessarily
problematical. By OCR's own statement, they envision
"infrequent" and "random" access. These logs capture all data
on all packages provided under these services. There is nothing
infrequent or random about them.

A simple test can be constructed as to whether ordinary
business conduits may be collecting information that would be
a HIPAA disclosure, and if so, the conduit could then be deemed
a Business Associate. On the other hand, if the conduit
information contained no such information,
then the conduit would not be a Business Associate.
Decisions would not be so sweeping as company x always
is or is not a covered entity. A particular determination
would consider the covered entity, the conduit service,
and the conduit information.

Under a Business Associates agreement, conduit providers
would have to control further releases of logs that
contain protected information. Without a Business
Associates agreement, patients are left to the individual
and somewhat arbitrary privacy policies the companies
declare. I think we can do better than that.

--LS
_____________________________________________________
Latanya Sweeney, Ph.D.
Director, Laboratory for International Data Privacy
Associate Professor of Computer Science, Technology and Policy
School of Computer Science
Carnegie Mellon University Voice: (412)268-4484
1301 Wean Hall Fax: (412)268-6561
Pittsburgh, PA 15213 USA Email: [EMAIL PROTECTED]
http://privacy.cs.cmu.edu/index.html
http://privacy.cs.cmu.edu/people/sweeney/
_____________________________________________________

Date: Wed, 28 Jun 2006 05:42:11 -0400
To: David Farber <[EMAIL PROTECTED]>
From: Latanya Sweeney <[EMAIL PROTECTED]>
Subject: Re: Farber's List posting
Cc: Bob Gellman <[EMAIL PROTECTED]>

Dave,

Bob Gellman is a leading legal scholar on privacy
policy, and the most knowledgeable person about HIPAA
that I know. Below is his response to the inquiry about AT&T
and HIPAA. (Please post this message to your list.)

--LS

At 08:05 PM 6/23/2006, Bob Gellman wrote:

Someone sent me your posting from Dave Farber's list about the
latest AT&T privacy policy and HIPAA. You wrote:

"On the other hand, if the AIDS support line was provided by a
hospital that used it to support
its patients diagnosed with HIV, then the information would be
protected. However, it would be assumed
that the hospital entered into a Business Associates agreement
with AT&T and did not just sign-up for phone service without the
additional protection. If such an agreement did exist, there may
be some liability under HIPAA
if AT&T shared the data further. However, even this situation is
complicated by whether there
was an overarching legal requirement for the information that
took precedence."

I don't think that a telephone company is a business associate
under HIPAA. It is just a conduit for information. Here's an
answer from the OCR FAQ (answer number 245) that explains the point:

"Are the following entities considered "business associates"
under the HIPAA Privacy Rule: US Postal Service, United Parcel
Service, delivery truck line employees and/or their management?

No, the Privacy Rule does not require a covered entity to enter
into business associate contracts with organizations, such as the
US Postal Service, certain private couriers and their electronic
equivalents that act merely as conduits for protected health
information. A conduit transports information but does not access
it other than on a random or infrequent basis as necessary for
the performance of the transportation service or as required by
law. Since no disclosure is intended by the covered entity, and
the probability of exposure of any particular protected health
information to a conduit is very small, a conduit is not a
business associate of the covered entity." (END OCR)

We can dream up circumstances in which a conduit would access
information entrusted to it, and that could create interesting
and complicated HIPAA questions. Much would depend on what the
covered entity knew about the conduit's conduct, and what was
allowed by its contract with the conduit. If a conduit regularly
"opened the package" and peeked, then a business associate
agreement might be required to control that conduct.

I haven't read AT&T's policy either. But its reported assertion
of ownership is bad policy, bad law, and rather meaningless.
With personal information, there are rights, interests, and
responsibilities on all sides. A claim of ownership doesn't get
anyone anywhere.

I don't have access to Farber's list, but you can post this if
you choose.

Bob