Author: DCherubin

By: Hannah Baker

Link: http://techcrunch.com/2013/02/18/tumblr-is-not-what-you-think/

Discussion: This post by Adam Rifkin on techcrunch.com discusses Tumblr, one of the newer social networking/blogging websites. According to a quoted survey, Tumblr is now the most-used social networking site among both the 13-18 and the 19-25 age groups. While the survey’s informality and small sample size make its conclusions less than certain, there can be no denying the increasing popularity of Tumblr, especially amongst teenagers.

But, I can’t be the only one who has been frustrated by trying to read anything on Tumblr. The search is poor, the comment threads are impossible to follow, and the “reblogging” mechanism can make it difficult to figure out who originally posted any particular picture or piece of information.

What I found most intriguing about the Techcrunch.com post was its suggestion that Tumblr’s technological limitations may be a feature rather than a bug. Rifkin suggests that the problems people have in searching Tumblr is a bonus for many of its users, who want to be anonymous without necessarily gaining a large audience of unknown anonymous internet people. They want a personal page, like a Facebook page, but without Facebook’s corresponding public visibility.

Rifkin’s idea can be extended to some of Tumblr’s other seeming problems. Conversations and comment threads are difficult to follow, giving people the freedom to comment without complete accountability even to their online personas, yet without having to resort to complete anonymity.

I like the suggestion that privacy can be protected, not by deliberate privacy controls such as those offered on Facebook, nor by complete anonymity, but by less-than-perfect design. Whether or not Tumblr’s poor search system and lack of a good commenting system are deliberate, they function to protect the users’ privacy, to the point where better technology might be bad for the site.

This raises the larger question of whether better technology will always take off if it leads to a decrease in privacy. On the one hand, older, more private forms of technology seem generally to be abandoned. Few modifications to a cell phone will give a call the total privacy that comes when calling from a payphone, but payphones are now few and far between. Kindles and other e-readers are becoming increasingly popular, even though the readers’ notes and highlighting may be collected and seen in a way that is impossible with a physical book. On the other hand, Tumblr’s new popularity– despite the fact that, as Rifkin describes, it is a terrible platform by most standard metrics– may point in a new direction.

By: Katrina Henderson

President Obama’s 2009 stimulus plan set forth billions of dollars worth of incentives for medical health providers in order to urge them to begin using electronic medical records (EMR). The plan hoped to encourage health care providers to streamline medical care, due to the fact that EMR systems are both more efficient and accurate than paper records. The use of electronic records helps to reduce paperwork, eliminate handwriting errors, coordinate patient care, eliminate unnecessary tests and procedures, as well as provide direct access to health records.

Since this stimulus plan was put in place, the switch to electronic medical records has been quite large. By early 2012, the U.S. Department of Health and Human Services had already spent 25.9 billion on electronic health information systems. Recent research regarding family doctors, which are the largest group of primary care physicians, suggests that in 2011, about 68 percent of family doctors were using electronic health records. This percentage shows the use of such records has doubled between 2005 and 2011. Many health care providers still have concerns regarding these records. The first regarding EMR system is the cost of implementation and training. The second concern is patient privacy and who has access to this protected health information.

When it comes to privacy, the Health Information Portability and Accountability Act (HIPAA) attempts to mitigate any concerns by enacting rules to protect patient privacy. These rules, most recently tweaked by the HIPAA Omnibus Rule, create safeguards, which Covered Entities, and now their Business Associates, must implement in order to better protect patients’ personal health information. The over 500 pages of the Omnibus Rule are quite a lot to grasp. Included within the rules are four final rules, which (1) modify the HIPAA privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH), (2) incorporate increased penalty structure within the HIPAA Enforcement Rule, (3) replace the “harm” threshold with a more objective standard under Breach Notification for Unsecured Protected Health information, and (4) prohibit most health plans from the use or disclosure of genetic information for underwriting purposes.

The Rule became effective on March 26, 2013. Covered Entities and Business associates still have 180 days past the effective date to become compliant with the Rule’s provisions. It is too soon to tell whether or not the new rules will be effective in terms of increasing health information privacy. For now the questions many health care providers and the U.S. Department of Health and Human Services may be asking are how much will compliance with these new rules cost and will the government incentives be enough to cover those expenses. It does not seem as though expansion of the use of EMR systems will slow due to the fact that physicians will be assessed a penalty for not adopting an EMR system by 2015. However, there may be a push for more guidance and financial assistance with implementation and compliance measures, especially by the newly liable Business Associates.

References:

http://health.usnews.com/health-news/news/articles/2013/01/15/many-more-doctors-using-electronic-health-records

http://www.healthit.gov/patients-families/benefits-health-it

http://www.medicalrecords.com/physicians/meaningful-use-government-incentives-information

By: Carey Shenkman

In Florida it is now harder for surviving spouses to obtain health records of diseased loved ones, a victory for more uniform federal healthcare privacy. Indeed, this case is particularly significant given the historical context of HIPAA, which broke significant ground when it was passed. At the same time, the law, since passing, has raised some fears by critics about the expanded federal role in health insurance reform.

In Opis Management Resources v. SecretaryFlorida Agency for Health Care Administration case ruled that HIPAA (the Health Insurance Portability and Accountability Act of 1996) trumps a Florida statute § 400.145 governing access to health records. The bar set by HIPAA is higher than that in Florida. Under HIPAA, medical records for a diseased party may only be released to a designated “personal representative.” Under the superseded Florida law, several parties including spouses, attorneys, guardians, and other enumerated parties may make such requests.

This case was an important decision for intersecting issues of federalism and privacy. The rationale of the 11th Circuit Court of Appeals rested largely on the Supremacy Clause and express preemption language in HIPAA. HIPAA provided that the statute “shall supersede any contrary provision of State law,” providing for limited exceptions. The Court of Appeals rejected the State’s argument that the Florida law supplemented, rather than conflicted with, the federal law. The Court held that “The fatal flaw in the State Agency’s argument is that the plain language of § 400.145 does not empower or require an individual to act on behalf of a deceased resident.” Instead, the statute allows what the court called “sweeping disclosures” without requirements for authorization for the individual making the request. The Court also held that 400.145 is not limited in the same way as analogous federal law or regulation.

Particularly with the complex grid of state-level and federal regulations on privacy, this type of conflict is not an issue that will go away. We already see the potential for state-federal conflict in other privacy spheres, such as through issues of police investigations (such as through video or online surveillance) and commercial use of information. Scholar Michael Hail asserts that state courts are in a way ahead of the curve of their federal counterparts, calling them “more advanced in dealing with judicial policy.” Citing a Georgia Supreme Court decision Pavesich v. New England, Hail writes how the state was at the forefront of crafting a right to privacy. States can serve as laboratories for policy experimentation, but this inevitably leads to conflicts as Opis Management reveals.

In a sense, as journalist Michael Doyle points out, cases like these are beneficial for healthcare providers themselves who are caught in the middle of conflicting regulatory frameworks. Indeed, nursing home operators cheered the decision in Opis Management.

Sources:

http://www.mcclatchydc.com/2013/04/10/188184/florida-and-federal-court-clash.html#.UYPlvbXP168

http://cdn.intechopen.com/pdfs/13676/InTech-Federalism_privacy_rights_and_intergovernmental_management_of_surveillance_legal_and_policy_issues.pdf

http://www.ca11.uscourts.gov/opinions/ops/201212593.pdf

http://www.urban.org/UploadedPDF/NICHOLS.pdf

By: Michael Lucien

Information privacy in the healthcare context is a very tricky issue.  On one hand, individuals stand to benefit greatly from a more efficient system of storing and transmitting medical information.  On the other hand, health information is among the information that we are the most concerned about falling into the wrong hands.  As such, while many other industries have been quicker to use cloud computing for day-to-day consumer services (examples include: stock trading, online banking, email, social media, many online purchases and even online movie rentals), the healthcare industry has been particularly reluctant to follow suit.  A large part of the hesitation on the part of the healthcare industry stems from regulation-imposed liability from HIPAA.

The aversion to adopting new technology appears to be changing due to two separate happenings.  First, the American Recovery and Reinvestment Act requires that healthcare agents begin migrating patient records and other data to cloud computing by 2015.  Albeit a far off deadline, this has provided some motivation for the industry to modernize.

The second, and perhaps more important happening was the proliferation of Business Associate Agreements (BAAs) under the finalized HIPAA rules as modified by the Department of Health and Human Services.  It was discovered that in earlier versions of the rules, liability only extended to Covered Entities (usually the originators of health information).  The finalized rules make clear that liability should also extend to Business Associates, essentially anyone that in in the course of business with the Covered Entity deals with the protected information.  This development lead to the birth of the BAA.  These are agreements between the originator of the information and the Business Associate that extends liability.  In lieu of these agreements, Business Associate liability would fall to the Covered Entity.   Needing the business of the Covered Entities, Business Associates including could vendors have begun to accept BAAs is droves.  What new innovations lie ahead in the healthcare industry remains to be seen.  What is clear is that thee course for increased efficiency has been paved and consumers stand to benefit.

Sources: http://www.healthtechzone.com/topics/healthcare/articles/2013/05/02/336675-healthcare-ready-embrace-cloud.htm

http://www.forbes.com/sites/danmunro/2013/05/01/hipaa-support-widens-in-cloud-vendor-community/

By Siranya Rhuvattana

After the mass shootings in Colorado and Connecticut, President Barack Obama has attempted to curb the gun violence by, among other ways, improving the Federal government’s background check system for the sale or transfer of firearms by licensed dealers, called the National Instant Criminal Background Check System (NICS). The Department of Health and Human Services (HHS) is accordingly considering amending the Health Insurance Portability and Accountability Act (HIPAA) privacy rule to allow covered entities to disclose the identities of those deemed dangerous. (link: Link: http://www.courthousenews.com/2013/04/26/57104.htm)

NICS Index

The NICS Index is a database administered by the Federal Bureau of Investigation (FBI) established to collect and keep certain identifying information about individuals who are subject to one or more of the Federal prohibitors and thus, are ineligible to purchase firearms. In general, the Federal Firearms Licensees are required to request a background check through the NICS before selling guns to a buyer. The mental health prohibitors include those who have been involuntarily committed to a mental institution; found incompetent to stand trial or not guilty by reason of insanity; or otherwise have been determined, through a formal adjudication process, to have a severe mental condition that results in the individuals presenting a danger to themselves or others or being incapable of managing their own affairs.

The demographic information about the individual maintained in the NICS database is restricted to only the names of ineligible individuals and certain other identifying information, such as their dates of birth, and codes for the submitting entity and the prohibited category that applies to the individual. The underlying diagnoses, treatment records, and other identifiable health information is not provided to or maintained by the NICS. However, State agencies are not required to report to the NICS the identities of individuals who are prohibited from purchasing firearms. The NICS Index, thus, could not encompass the information of all mental health prohibitors.

HIPAA implications

Where the record of an involuntary commitment or mental health adjudication

originated with a HIPAA covered entity, or the HIPAA covered entity is the State

repository for such records, the records are subject to HIPAA. Nonetheless, due to the variety of State laws, there may be other parties such as State agencies, boards, commissions, or other lawful authorities outside the court system that are involved and to what extent these parties that order involuntary commitments or conduct mental health adjudications are HIPAA covered entities. Also, there may be some designated repositories by State laws that needs to be determined as to whether they are subject to HIPAA, such as State health agencies, to collect and report to the NICS the identities of individuals subject to the mental health prohibitor. Although HIPAA allows the State agency to designate itself a hybrid entity by labeling its health care components as separate from other components and documenting that designation, there may be administrative or other challenges to the creation of a hybrid entity.

As a result of unclear extent of covered entities and their obligations, many States still are not reporting essential mental health prohibitor information to the NICS. Some States may face practical difficulties in passing a State law requiring NICS disclosures, but primary concern is about the HIPAA Privacy Rule’s restrictions on covered entities’ disclosures of protected health information which may prevent certain them from reporting to the NICS the identities of individuals who are subject to the mental health prohibitor. (link: http://thehealthcareblog.com/blog/2013/04/25/what-does-hipaa-have-to-do-with-gun-control-maybe-more-than-you-think/)

In addition, the provided names will then be cross-checked against a state database of people who have registered their weapons. Law enforcement officials would then have the option of removing weapons from that individual, and suspending or revoking any gun permits they hold. Harvey Rosenthal, an executive director for the state Association of Psychiatric Rehabilitation Services (link: http://www.timesunion.com/local/article/Gun-law-vs-mental-health-4234056.php#ixzz2SA8ehuHA) was of concern that a danger that the information might fall into the wrong hands, or prejudice police or other authorities who come in contact with someone over a non-gun-related issue.

Thus, the HHS’s advance notice of proposed rulemaking (link: https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-09602.pdf) is seeking public comment on how HIPAA is preventing states from sharing such records, and how the law would be in place without discouraging individuals from reaching out for medical cares. Wide public recommendations would, expectantly, provide a balanced strike between the privacy interest and public security.

By: Albert Lin

As part of a reaction to the mass shootings in Aurora, Colorado and particularly Sandy Hook Elementary School, there has been strong push in recent weeks for stronger and stricter gun control laws to hopefully reduce the risk of future mass shootings. Much attention during debate over the proposed gun control legislation has rightfully been focused on their relation to the Second Amendment’s right to bear arms. One of the proposed alterations to the existing framework of gun control laws involves improving the background check system nationwide and enforcing a prohibition on selling guns to individuals found to be a danger to themselves, otherwise known as “mental health prohibitors.” One unintended potential consequence of the proposed reforms may clash with the current provisions of the Health Insurance Portability and Accountability Act (HIPAA), as well as other laws related to the privacy of personal health information (PHI).

HIPAA forbids “covered entities” such as medical clinics, hospitals, physician offices, and other health care organizations, from disclosing the identities of health care information of persons whose medical records they store. Additionally, numerous states have specific statutes providing civil and criminal protection against the disclosure of medical information. Some statutes restrict disclosure of medical data by certain entities, while others restrict the disclosure of particular types of medical data, including mental health information. While it is unclear what the exact mechanism of the proposed background checks is, it is clear that they will undoubtedly be in conflict with the relatively strict nondisclosure requirements under HIPAA.

Towards the end of April, the Department of Health and Human Services began soliciting public comments on improving the background check system and for potentially amending the privacy rule to allow covered entities to disclose the identities of those deemed dangerous. The DHHS has cautioned that they would not allow the disclosure of an individual’s treatment record or any related clinical or diagnostic information. In the issued statement, the DHHS also stated they would limit the information disclosed to only the demographic information (such as date of birth), and codes identifying the reporting entity and the relevant prohibitor. Depending on the relevant state laws, however, it is possible that Congress may have to amend HIPAA entirely to allow these increased background checks to move forward. As such, the clash of this prospective expansion to the background check system with HIPAA’s privacy rule must be resolved before the expansion of background checks may be implemented.

http://www.courthousenews.com/2013/04/26/57104.htm

http://www.allgov.com/news/controversies/would-gun-background-checks-clash-with-health-privacy-laws-130429?news=849885

http://www.gpo.gov/fdsys/pkg/FR-2013-04-23/html/2013-09602.htm

Anonymous

The use of drones on American soil came to the fore in March, when Sen. Rand Paul “talking filibuster[ed]”of the confirmation of John Brennan as Director of Central Intelligence. Mindful of the killing of al-Qaeda activist and U.S. citizen Anwar al-Awlaki by weaponized drone—after an Article II-only deliberative process—in Yemen, Sen. Paul insisted on a clear statement from the Obama Administration that it did not possess “the authority to use a weaponized drone to kill an American not engaged in combat on American soil.”

Sen. Paul’s particular focus on drones was curious: one would think that the chief concerns with executive killings of this sort would relate to the lack of Article III process and use of the substantive threshold of enemy combatant status, rather than whether the instrument was a drone or a SEAL teams. But the attention that Paul nonetheless drew to the potential use of drones in America raised a public debate about the proper usage and procedures for private and public drones alike. The debate particularly illuminated the scope of surveillance potentially enabled by a world of ubiquitous flying cameras, as well as its impact on what our reasonable privacy expectations are in the 21^st century.

Amidst increase awareness of the implications for privacy law raised by the drone future, several members of Congress have introduced legislation to regulate domestic drone use. The Center for Democracy and Technology has helpfully summarized bills targeting privacy issues raised by non-weaponized drones introduced by Reps. Ed Markey and Joe Barton, and Reps. Poe and Lofgren. Both bills would increase oversight of use of drones by law enforcement agencies and constrict the scope of private actors’ permissible use of drones. While both bills (and others) are still pending, they mark some of the first attempts by legislators considering drones’ potential to challenge bounds of privacy in the physical space just as the internet has challenged bounds of privacy in the communicative space.

For the Center for Democracy and Technology summary: https://www.cdt.org/blogs/gs-hans/0804drone-privacy-bills-attempt-protect-americans-governmental-commercial-surveillance

By Scott B.

Trying to make employees work more efficiently isn’t a new project – from Taylorism to 360-degree reviews, an entire industry has emerged to analyze and optimize workforce productivity. However, never before has the sheer amount of data, and immense processing power, been available in a way that allow companies to analyze employee performance in real-time, and without human intervention.

The New York Times reported last week about the growing trend of “employee informatics”, where companies are using employee data and the tools of big data to measure employee habits. “Today,” the Times reports, “every e-mail, instant message, phone call, line of written code and mouse-click leaves a digital signal. These patterns can now be inexpensively collected and mined for insights into how people work and communicate, potentially opening doors to more efficiency and innovation within companies.” These are the same types of tools that advertising companies use for behavioral ad targeting, but since the data available on employees is so much richer, the privacy risks are also greatly increased. Furthermore, the employee-employer relationship gives rise to a far greater risk of privacy harm.

IBM’s 1.3 billion dollar acquisition of Kenexa in August, 2012 appears to be a sign of things to come. According to Forbes.com, “Kenexa is a consulting, content, and technology company which plays in many different parts of the talent management market.” Through the purchase, IBM will be able to integrate its data processing power and know-how with the abundant data and HR industry connections that Kenexa has established. The Times article also reports that companies like Google, and organizations like the NYU Langone Medical Center, have utilized “constant measurement” to test employee traits.

How do the Fair Information Practices (FIPs) fare when corporations are tracking every move their employees make in the workplace? To prevent employee abuse, meaningful notice and consent should be important components of extensive workplace data collection and analysis. Employees should also be able to view and correct any data collected about them. It would also be beneficial to require that any measurement methodology used be disclosed to employees so that they can see why their work is being praised or criticized. Particularly when employee informatics leads to demotion or firing, reckless reliance on inaccurate employee analytics is deeply problematic. Furthermore, data security is a big concern, particularly when confidential employee data is shared with third parties such as IBM.
Employee creativity is also at risk when work is so closely monitored, and companies might find these monitoring strategies to be counterproductive when employees try to beat the system rather than produce their best work. Even the most mundane jobs include elements of creativity, such as process optimization. Will the chilling effect of constant workplace surveillance serve to chill employee creativity in the same way that public surveillance chills free speech and expression? While the workplace is not considered a particularly private environment, the extension of surveillance to the workplace represents another space where persistent surveillance is becoming the norm. As these surveillance programs become increasingly common, it would be useful for a government agency (presumably the Department of Labor) to oversee the regulation of these tools to ensure they are responsibly implemented.

By: Felipe Burgos

On April 9, 2013, the United States Court of Appeals for the Eleventh Circuit upheld the district court decision that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) preempted a Florida law regarding the disclosure of patient records by nursing homes.

The nursing facilities were penalized by the Florida Agency for Health Care Administration (“AHCA”) for refusing to provide medical records to deceased residents’ spouse, guardian, surrogate, proxy, or attorney in fact, according with a 1987 state law allowing to provide that personal health information.

Florida’s nursing facilities filed the case against the AHCA in May 2012.

The plaintiffs argued if they followed the Florida law requiring them to provide medical records to these parties, they would violate HIPAA. Under HIPAA, nursing homes can only provide personal health information to officially designated “personal representatives”, which could include the executor, administrator or other person acting on behalf of an individual or his or her estate. Providers also may furnish medical records to deceased residents’ family members who helped pay for the resident’s care, but only if the records are pertinent to the requestor’s financial involvement.

The Court maintained the decision from the lower court that the Florida statute was too broad and it did not meet the stricter HIPAA definition of personal representative, but “authorizes sweeping disclosures, making a deceased resident’s protected health information available to a spouse or other enumerated party upon request, without any need for authorization, for any conceivable reason, and without regard to the authority of the individual making the request to act in a deceased resident’s stead”.

According to the Court, HIPAA and the Florida law “could not be reconciled” because the Florida law was “an obstacle to the accomplishment and execution of the full purposes and objectives of HIPAA in keeping an individual’s protected health information strictly confidential.” The court emphasized that HIPAA ensures the privacy protection of deceased individuals’ health information by generally prohibiting its use and disclosure except in certain circumstances or with authorization. In contrast, the court explained, the Florida law allowed for “sweeping disclosures, making a deceased resident’s protected health information available to a spouse or other enumerated party upon request, without any need for authorization, for any conceivable reason, and without regard to the authority of the individual making the request to act in a deceased resident’s stead.”

Based on this argument, the court concluded HIPAA preempted the Florida law.

Because HIPAA preempts any contradictory state laws, the Florida legislature must revise the statute at issue or it will not be enforceable, Judge Susan H. Black said.

Link: http://www.govhealthit.com/news/appeals-court-affirms-hipaa-preemption

The FISA Amendments Act (FAA) enacted in 2008 and extended in 2012, has been the subject of much controversy as of late. The Act authorizes the Attorney General or the Director of National Intelligence to gather intelligence information on individuals who are “reasonably believed to be out of the United States.”[1] Of course, the Act places several restrictions on the government in order to prevent the warrantless seizure of information on U.S. citizens.  Beyond these restrictions that mainly prohibit intentional misuse of the Act in order to collect information from people in the United States or U.S. people abroad, the FAA also provides for judicial review of the targeting procedures that the government uses to gather information. However, one large concern of opponents of the Act is that the information gathered and the judicial review process are largely confidential.

The Federal Intelligence Surveillance Court (FISC) handles judicial review of the FAA cases. These courts writes full, binding opinions on the permissibility of certain targeting and surveillance practices of the federal government. Proponents of the Act support the privacy interests of those conducting foreign intelligence gathering to keep us safe– keeping this information confidential is essential to protecting their efforts to thwart potential foreign attacks. Many citizens, including several senators, however, were not keen on extending the life of the Act without increasing transparency on an otherwise opaque process.

One major concern over transparency is that while the government may not be intending to collect information on people in the United States or our citizens abroad, we have no idea how much inadvertent surveillance of American citizens the government has conducted. We also don’t know how FISCs are interpreting the statute and whether or not their interpretation is markedly different from the Congress’s intent. Organizations like the ACLU believe that the American people have a right to know how effective current procedures are in keeping American citizens and those in the US from mistakenly having their privacy interests infringed upon.[2]  At the same time, Congress has no way of knowing if they should look into changing the wording of the Act to ensure that the court interprets the statute as intended. Two proposed amendments to the FAA arose out of this concern.

In 2012 when the Senate voted on extending the deadline for the FAA, Senator Jeff Merkley (D-OR) introduced S. 3515[3] and “put the Senate to a vote on whether the administration should be forced to release the court opinions, supply unclassified summaries of them, or explain why they should be kept secret.”[4] Finding that “Secret law is inconsistent with democratic governance. In order for the rule of law to prevail, the requirements of the law must be publicly discoverable,” Merkley’s proposed Amendment would require that the Attorney General disclose each decision, order, or opinion of a FISC that includes significant interpretations of FISA. If declassification of the full text would compromise national security, then the AG should provide summaries of the opinions. If even that will compromise national security, the Amendment asks the AG to provide a report on where they are in the process of declassifying these materials.

Those who opposed this Amendment worried about the potential dangers of requiring the administrators to broadcast classified information to the world, putting all Americans at grave risk. Further, they believed the Amendment unrealistic to accomplish – these opinions contain facts about current surveillance techniques and targeted subjects that they cannot separate out. Finally, though Senator Merkley’s Amendment allows for summaries and updates that might avoid some of these national security issues, a major concern for the Senate and Congress was the timing. Indeed, the Senate discussed this proposed amendment on December 27, 2012, just 4 days before the President had to sign the bill.[5]

What do you think? Was this proposed amendment worth holding up a bill that helps monitor potential foreign threats? Should we be concerned about “secret legal opinions”? Is this just the price we pay for a safer America?