Direct url: privacy.globe1234.com
- Spies
- Auditors
- Inspectors
- Investigators
- Licensing bureaus
- Secret Service
- Targets of threats
- Organ banks
- Coroners
- Medical examiners
- Funeral directors
- Subpoena
- Summons
- Other medical staff
- Family & friends when relevant to their involvement or payments
- People at risk of communicable disease
- Public health agencies (including foreign)
- Social services agency to help victims of abuse
- Discovery requests (e.g. divorce)
- Emergency preparedness (NYTimes story)
- Military commanders (about service members)
- Prisons (about prisoners)
- Police and any other law enforcement
- Researchers on anonymous data, or onsite, or on the dead, or locally approved
- Workers' compensation purposes
- Food and drug businesses approved by FDA (to monitor side effects)
- Employer for "medical surveillance of the workplace and work-related illnesses" if employer requested any care
Rules are at 45 CFR 164 and 160.
Rules were updated in 2013: lawyer's summary, published rule and press release.
All medical records can be subpoenaed, as explained by ABA, Massachusetts Bar, Iowa Medical Society, and a liability insurer. Electronic records are cheaper to subpoena than paper records, since copying is cheaper.
Federal rules of evidence do not protect doctor-patient confidentiality in federal courts, though most state courts do. Federal prosecutors use their access to private health care data in prosecutions.
Disclosures have the same limits for 50 years after death.
Covered entities can send patient information to their fund-raising arms, which can send the information to data brokers (thereby telling the broker that the person has been treated by the covered entity) and buy information from them such as the person's income, wealth and interests. This was clarified in the 2013 rule.
The following organizations do not have to follow the Privacy and Security Rules for data they have. A good poster and study show how hundreds of data brokers buy this health information and spread it widely.
- online shopping sites (know what health items you bought)
- credit card companies
- social networks (know your messages about your and your friends' health)
- life insurers
- employers
- workers' compensation carriers
- most schools and school districts
- many state agencies like child protective service agencies
- most law enforcement agencies
- many municipal offices
- health care providers small enough that they don't electronically send health insurance claims and eligibility to insurance companies
Disclosure rules are also strict on mental illness, and the government plans to loosen them to keep mental patients from access to guns.
An article shows practical barriers to carrying out the law and suggests more access for relatives. A longer explanation of medical privacy is at the Privacy Rights Clearinghouse.
HHS lets information be released if the following are removed: patient/relatives/employers' names, ID numbers, addresses except state or 3-digit zip with 20,000+ people, IP addresses, URLs, equipment numbers, months and days of any event, and years over 90 years ago (so people 90 and older are grouped), biometric identifiers (e.g. finger/voice prints), "full-face photographs and any comparable images" and "any other unique identifying number, characteristic, or code," such as dental charts. Even these can be released if a statistical expert certifies a "very small" risk of identifying people. Lawyers say the expert approach is common, though I cannot imagine an expert saying that releasing more is safe. Even the HHS list does not protect privacy: it allows records with your age, doctor names, and diagnoses by year, which data brokers can compare to your social media postings. Movers can be identified by a series of 3-digit zip codes.
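The removals in the HHS list are mechanical enough to script. The following is an added example, not code from the factsheet or from HHS: it applies the listed rules (drop names, ID numbers, contact details, biometrics and photos; keep only the year of dates; group ages 90 and over; keep a 3-digit zip only where that area has more than 20,000 people, otherwise replace it with "000") to a constructed sample record. The field names and the zip-area population table are assumptions made for the example; real population figures would come from census data. Note that the physician name and diagnosis pass through untouched, which is exactly the gap the paragraph above describes.

```python
"""Safe Harbor style de-identification of a patient record (added example)."""
from datetime import date

# Constructed sample: population of a few 3-digit zip areas (hypothetical values).
# A zip3 is kept only when its area has more than 20,000 people.
ZIP3_POPULATION = {
    "021": 700_000,  # populous: zip3 can be kept
    "036": 12_000,   # sparse: must become "000"
}
ZIP3_THRESHOLD = 20_000

# Hypothetical field names for identifiers that are dropped outright:
# names, ID numbers, contact details, device numbers, biometrics, photos.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "relative_name", "employer_name", "ssn", "mrn", "phone", "email",
    "street", "city", "ip_address", "url", "device_serial", "fingerprint", "photo",
}
# Date fields tied to the individual, mapped to the year-only field that replaces them.
DATE_FIELDS = {
    "dob": "birth_year",
    "admission_date": "admission_year",
    "discharge_date": "discharge_year",
}


def generalize_zip(zip_code, population=ZIP3_POPULATION):
    """Keep the first three digits only if that area has more than 20,000 people."""
    zip3 = str(zip_code)[:3]
    return zip3 if population.get(zip3, 0) > ZIP3_THRESHOLD else "000"


def age_on(dob, as_of):
    """Whole years between dob and as_of, not counting a birthday not yet reached."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def generalize_age(age):
    """Ages of 90 and over are collapsed into a single '90+' bucket."""
    return "90+" if age >= 90 else age


def deidentify(record, as_of):
    """Return a new dict with the Safe Harbor identifiers removed or generalized.

    Dates are reduced to their year. When the person is 90 or older the birth
    year is dropped as well, because it would reveal an age outside the bucket.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # direct identifier: removed
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[DATE_FIELDS[key]] = value.year
        else:
            out[key] = value              # e.g. physician, diagnosis survive
    if "dob" in record:
        out["age"] = generalize_age(age_on(record["dob"], as_of))
        if out["age"] == "90+":
            out.pop("birth_year", None)
    return out


# Constructed sample record; every value is made up for the example.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "000-00-0000",
    "street": "1 Example St",
    "city": "Boston",
    "zip": "02115",
    "dob": date(1924, 5, 20),
    "admission_date": date(2015, 3, 2),
    "discharge_date": date(2015, 3, 9),
    "physician": "Dr. Sample",
    "diagnosis": "sample diagnosis code",
    "ip_address": "203.0.113.5",
    "photo": b"<constructed image bytes>",
}


def run_sample(as_of=date(2016, 1, 1)):
    """De-identify the constructed record as of a fixed date."""
    return deidentify(SAMPLE_RECORD, as_of)


if __name__ == "__main__":
    for field, value in sorted(run_sample().items()):
        print(f"{field}: {value}")
```

Running it shows a record with zip3 "021", admission and discharge years only, age "90+", no birth year, and the physician and diagnosis still present; a record in the sparse "036" area would come out with zip3 "000".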
Medicare itself releases individual patient records to researchers who get approval and sign a data use agreement. The data use agreement refers to other documents for computer security, and does not specifically cover access to or deletion of backup systems, locking of offices and cars, etc.
Records on your own phone or computer, with a password, are fairly well protected, since the rules against self-incrimination let you refuse to provide a password. However, protection by face recognition or thumbprint is not secure, since police can get a search warrant forcing you to provide your face or thumbprint (just like a breathalyzer). "The expression of the contents of an individual's mind [e.g. password] falls squarely within the protection of the Fifth Amendment... Courts are in relative accord that the Fifth Amendment doesn't protect against the production of physical features or acts."
F. Damages and Alternatives
An extensive article in Politico says hackers can sell medical records for hundreds of dollars, and people use them to get prescription drugs for resale. A 2013 article in Wired said companies with big business outside health care, like Google, were leaving the business of patient data to avoid liability when things go wrong. A 2015 article said two Google subsidiaries were producing health care inventions.
The government rarely imposes penalties for privacy breaches, and it is hard for individuals to sue for damages, though they may sue over deceptive privacy statements or on other grounds.
A legal review points out, "Trusted insiders often are granted access to an organization’s most sensitive data without a proper understanding of the information security policies and procedures that govern usage... Employees should be aware of common attack vectors specific to their industry, and they should be provided with examples of attempted or successful attacks on their company and on similar organizations... Putting employees through regular mock breach scenarios can be a good way to determine the adequacy of response times and to evaluate existing procedures."
An ID company warns you to keep your purse or wallet secure when you undress for a medical procedure, by giving it to a friend, asking for it to be locked up, or entrusting it to a staff member you trust.
In Dominica each patient carries his/her own medical record, creating an incentive to maximize involvement, availability and security.
G. Comparison of Lists of Data Breaches
- All lists omit the many breaches, large and small, which companies fail to report.
- As noted above, the federal HHS list covers medical breaches affecting 500 or more people and does not yet include cases which are still under investigation.
- Companies push back against breach reporting laws, saying they help attackers.
- National lists (pdf) of medical and non-medical breaches of any size, as soon as they are reported by government or press, are at the ID Theft Resource Center, sponsored by a company which sells services for ID theft prevention and recovery. Each year the "Breach Stats Report" is a compact list of key facts on each breach, while the "Breach Report" has more detail when available. Often the initial listing from press reports does not show the number of people affected, but the site inserts it later if the number becomes available in follow-up reports or on the HHS site. Breaches which appear on the CA Attorney General site must have affected over 500 people, but the ID Theft Resource Center site does not update with just that information.
- The CA Attorney General lists all breaches which affect 500 or more Californians, as soon as a notification letter is sent to the people affected. It includes many national breaches, since those affect 500 or more Californians. It does not always show who caused the breach: for example, when a bank tells people that a merchant lost credit card data, it shows the bank, not always the merchant.
- Massachusetts lists all breaches which affected any Massachusetts residents since Nov 2007. It shows whether the breach included social security number, driver's license, or account number, and whether the data were encrypted (almost never). Like other lists, it does not show whether the breach happened at the place which reported it or, for example, at a merchant losing credit card data. It is incomplete, because there is no enforcement.
- Washington State lists breaches which affect 500 or more Washington residents.
- Oregon lists breaches which affect 250 or more Oregon residents.