more on AT&T and HIPAA

[David Farber <dave () farber net>]

Begin forwarded message:

From: Bob Gellman <bob () bobgellman com>
Date: June 28, 2006 9:59:54 AM EDT
To: Latanya Sweeney <latanya () LAB privacy cs cmu edu>
Cc: David Farber <dave () farber net>
Subject: Re: Farber's List posting

Interesting.  I agree that changing business practices may undermine  
the concept of a conduit.  But I am not sure that there aren't better  
ways to deal with some of your examples.

First, the maintenance of shipping logs (let's leave aside the  
prospect for Internet data retention requirements) may not be enough  
to create a problem.  Keeping the logs is one thing.  Using them to  
derive data on consumers for some other use is something else.  I  
presume that all package delivery companies have logs, which they  
probably keep for some significant period of time.  I don't see that  
as troublesome from a health privacy perspective.  As long as the  
information is not used in some inappropriate way by the company,  
then the OCR test still works.  In any event, asking USPS or UPS to  
treat a class of packages (and their attendant records) differently  
from all other packages is likely to be impractical.  It might make  
the privacy problems worse.  Those activities tagged as HIPAA related  
will stand out.

Second, the outside address on a letter or package is not health  
information per se. It's the same distinction made between the  
content of a phone call and the pen register information used to  
route the call.  The government can access pen register information  
under a lesser standard.  Similarly with the information on the  
outside of a first class letter. Anyway, if an AIDS clinic is sending  
the item, it can use a return address that reveals nothing, and any  
problem goes away.
Third, there are some activities that may be and should be beyond  
control.  Anyone can stand outside an AIDS clinic and observe those  
who enter.  There isn't much that HIPAA can do about it.  Similarly,  
HIPAA allows an ER to announce publicly that John Doe is next.   
That's a practical concession, and it would be difficult to have a  
different approach.  (However, in my view, a public sign in list at a  
doctor's office is a violation of HIPAA because it is easy to devise  
an alternative.)  HIPAA is generally pretty good on the practical  
side of health care information use and disclosure.  That's important  
so that privacy laws don't become an obstacle to routine activities.

Fourth, HIPAA allows the disclosure of health information without  
individual notice, without the need for authorization, and over the  
objection of the patient to a MULTITUDE of institutions.  These  
include, among others, any law enforcement officer and any national  
security agency.  The procedures that apply in these cases are  
laughable.  In light of the gaping holes in confidentiality allowed  
by HIPAA, I can't get excited over the possibility of inferences from  
return addresses on envelopes.  In any event, a patient who cares  
about this can probably object under HIPAA if a hospital uses a  
tracked package delivery service.  See 164.522(b).
Finally, if package deliverers or phone companies were actually  
compiling information about recipients and using that for dossiers or  
marketing, then I agree that the conduit concept would no longer  
work.  In that case, a business associate agreement might be needed,  
but I think that this would be strongly resisted and very  
complicated.  The better approach would be to use a different service  
that doesn't create the problem.  At least, as long as that  
possibility existed.

Bob

--
+ + + + + + + + + + + + + + + + + + + + + + +
+ Robert Gellman       <bob () bobgellman com> +
+ Privacy and Information Policy Consultant +
+ 419 Fifth Street SE                       +
+ Washington, DC 20003                      +
+ 202-543-7923           www.bobgellman.com +
+ + + + + + + + + + + + + + + + + + + + + + +



Latanya Sweeney wrote:

> Hi Bob,
>
> At first glance, the wording in the FAQ may seem
> out-dated in its approach and allow all conduits
> to be free from consideration as a Business
> Associate. I'm not sure that is their intention.
> OCR may want to clarify or update
> given today's technical reality. Here's what I mean.
>
> When I think of UPS and the U.S. Postal Service
> in historical context, these "conduits" have not had
> access to the information inside the packages and
> envelopes they handle. By OCR's own
> statement, they envision "infrequent" and "random"
> access.  Therefore, it stands to reason that these
> conduit providers would not be considered
> a Business Associate. But that's at historical glance.
>
> In light of today's technology and evolving business
> practices, these providers often maintain logs of
> packages delivered when shipped via certain services.
> A typical log includes shipper address, recipient
> address, shipping date and package weight
> on each package. These logs can pose privacy problems
> that it seems a Business Associates agreement under
> HIPAA could easily correct. Even the OCR's wording
> may support a claim that these logs are covered by HIPAA
> and require a Business Associates agreement
> in some situations.
>
> An example in the spirit of those that came earlier
> is a log of recipients of packages shipped from a hospital's
> AIDs support group, which operates under separate cover
> and distinctive mailing address. If most of their packages
> are to patients, then the log may support reliable
> inferences about individuals at personal mailing addresses.
>
> If asked, OCR may liken AT&T's phone service to UPS
> and the U.S. Postal Service. But doing so across the board,
> without the covered entity assessing the inferences that can
> be drawn from the information they provide on the mailing label
> (or other "conduit information"), may be unnecessarily
> problematical. By OCR's own statement, they envision
> "infrequent" and "random" access.  These logs capture all data
> on all packages provided under these services. There is nothing
> infrequent or random about them.
>
> A simple test can be constructed as to whether ordinary
> business conduits may be collecting information that would be
> a HIPAA disclosure, and if so, the conduit could then be deemed
> a Business Associate. On the other hand, if the conduit
> information contained no such information,
> then the conduit would not be a Business Associate.
> Decisions would not be so sweeping as company x always
> is or is not a covered entity. A particular determination
> would consider the covered entity, the conduit service,
> and the conduit information.
>
> Under a Business Associates agreement, conduit providers
> would have to control further releases of logs that
> contain protected information.  Without a Business
> Associates agreement, patients are left to the individual
> and somewhat arbitrary privacy policies the companies
> declare. I think we can do better than that.
>
> --LS
> _____________________________________________________
> Latanya Sweeney, Ph.D.
> Director, Laboratory for International Data Privacy
> Associate Professor of Computer Science, Technology and Policy
> School of Computer Science
>
> Carnegie Mellon University     Voice: (412)268-4484
> 1301 Wean Hall                       Fax:    (412)268-6561
> Pittsburgh, PA 15213 USA     Email: latanya () privacy cs cmu edu
> http://privacy.cs.cmu.edu/index.html
> http://privacy.cs.cmu.edu/people/sweeney/
> _____________________________________________________

> > Date: Wed, 28 Jun 2006 05:42:11 -0400
> > To: David Farber <dave () farber net>
> > From: Latanya Sweeney <latanya () privacy cs cmu edu>
> > Subject: Re: Farber's List posting
> > Cc: Bob Gellman <bob () bobgellman com>
> >
> >
> > Dave,
> >
> > Bob Gelman is a leading legal scholar on privacy
> > policy, and the most knowledgeable person about HIPAA
> > that I know.  Below is his response to the inquiry about AT&T
> > and HIPAA. (Please post this message to your list.)
> >
> > --LS
> >
> > At 08:05 PM 6/23/2006, Bob Gellman wrote:
> >
> > > Someone sent me your posting from Dave Farber's list about the  
> > > latest AT&T privacy policy and HIPAA.  You wrote:
> > >
> > > "On the other hand, if the AIDS support line was provided by a  
> > > hospital that used it to support
> > > its patients diagnosed with HIV, then the information would be  
> > > protected. However, it would be assumed
> > > that the hospital entered into a Business Associates agreement  
> > > with AT&T and did not just sign-up for phone service without the  
> > > additional protection. If such an agreement did exist, there may  
> > > be some liability under HIPAA
> > > if AT&T shared the data further.  However, even this situation is  
> > > complicated by whether there
> > > was an overarching legal requirement for the information that  
> > > took precedent. "
> > >
> > > I don't think that a telephone company is a business associate  
> > > under HIPAA.  It is just a conduit for information.  Here's an  
> > > answer from the OCR FAQ (answer number 245) that explains the point:
> > >
> > > "Are the following entities considered "business associates"  
> > > under the HIPAA Privacy Rule: US Postal Service, United Parcel  
> > > Service, delivery truck line employees and/or their management?
> > >
> > > No, the Privacy Rule does not require a covered entity to enter  
> > > into business associate contracts with organizations, such as the  
> > > US Postal Service, certain private couriers and their electronic  
> > > equivalents that act merely as conduits for protected health  
> > > information. A conduit transports information but does not access  
> > > it other than on a random or infrequent basis as necessary for  
> > > the performance of the transportation service or as required by  
> > > law. Since no disclosure is intended by the covered entity, and  
> > > the probability of exposure of any particular protected health  
> > > information to a conduit is very small, a conduit is not a  
> > > business associate of the covered entity. "  (END OCR)
> > >
> > > We can dream up circumstances in which a conduit would access  
> > > information entrusted to it, and that could create interesting  
> > > and complicated HIPAA questions.  Much would depend on what the  
> > > covered entity knew about the conduit's conduct, and what was  
> > > allowed by its contract with the conduit.  If a conduit regularly  
> > > "opened the package" and peeked, then a business associate  
> > > agreement might be required to control that conduct.
> > >
> > > I haven't read AT&T's policy either.  But its reported assertion  
> > > of ownership is bad policy, bad law, and rather meaningless.   
> > > With personal information, there are rights, interests, and  
> > > responsibilities on all sides.  A claim of ownership doesn't get  
> > > anyone anywhere.
> > >
> > > I don't have access to Farber's list, but you can post this if  
> > > you choose.
> > >
> > > Bob
> > >
> > > --
> > > + + + + + + + + + + + + + + + + + + + + + + +
> > > + Robert Gellman       <bob () bobgellman com> +
> > > + Privacy and Information Policy Consultant +
> > > + 419 Fifth Street SE                       +
> > > + Washington, DC 20003                      +
> > > + 202-543-7923           www.bobgellman.com +
> > > + + + + + + + + + + + + + + + + + + + + + + +






-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/