Begin forwarded message:

From: Bob Gellman <bob@xxxxxxxxxxxxxx>
Date: June 28, 2006 9:59:54 AM EDT
To: Latanya Sweeney <latanya@xxxxxxxxxxxxxxxxxxxxxx>
Cc: David Farber <dave@xxxxxxxxxx>
Subject: Re: Farber's List posting

Interesting. I agree that changing business practices may undermine the concept of a conduit. But I am not sure that there aren't better ways to deal with some of your examples.
First, the maintenance of shipping logs (let's leave aside the prospect for Internet data retention requirements) may not be enough to create a problem. Keeping the logs is one thing. Using them to derive data on consumers for some other use is something else. I presume that all package delivery companies have logs, which they probably keep for some significant period of time. I don't see that as troublesome from a health privacy perspective. As long as the information is not used in some inappropriate way by the company, then the OCR test still works. In any event, asking USPS or UPS to treat a class of packages (and their attendant records) differently from all other packages is likely to be impractical. It might make the privacy problems worse. Those activities tagged as HIPAA related will stand out.
Second, the outside address on a letter or package is not health information per se. It's the same distinction made between the content of a phone call and the pen register information used to route the call. The government can access pen register information under a lesser standard. Similarly with the information on the outside of a first class letter. Anyway, if an AIDS clinic is sending the item, it can use a return address that reveals nothing, and any problem goes away.
Third, there are some activities that may be and should be beyond control. Anyone can stand outside an AIDS clinic and observe those who enter. There isn't much that HIPAA can do about it. Similarly, HIPAA allows an ER to announce publicly that John Doe is next. That's a practical concession, and it would be difficult to have a different approach. (However, in my view, a public sign-in list at a doctor's office is a violation of HIPAA because it is easy to devise an alternative.) HIPAA is generally pretty good on the practical side of health care information use and disclosure. That's important so that privacy laws don't become an obstacle to routine activities.
Fourth, HIPAA allows the disclosure of health information without individual notice, without the need for authorization, and over the objection of the patient to a MULTITUDE of institutions. These include, among others, any law enforcement officer and any national security agency. The procedures that apply in these cases are laughable. In light of the gaping holes in confidentiality allowed by HIPAA, I can't get excited over the possibility of inferences from return addresses on envelopes. In any event, a patient who cares about this can probably object under HIPAA if a hospital uses a tracked package delivery service. See 164.522(b).
Finally, if package deliverers or phone companies were actually compiling information about recipients and using that for dossiers or marketing, then I agree that the conduit concept would no longer work. In that case, a business associate agreement might be needed, but I think that this would be strongly resisted and very complicated. The better approach would be to use a different service that doesn't create the problem. At least, as long as that possibility existed.
Bob

--
Robert Gellman <bob@xxxxxxxxxxxxxx>
Privacy and Information Policy Consultant
419 Fifth Street SE
Washington, DC 20003
202-543-7923 www.bobgellman.com

Latanya Sweeney wrote:
Hi Bob,

At first glance, the wording in the FAQ may seem out-dated in its approach and allow all conduits to be free from consideration as a Business Associate. I'm not sure that is their intention. OCR may want to clarify or update given today's technical reality. Here's what I mean.

When I think of UPS and the U.S. Postal Service in historical context, these "conduits" have not had access to the information inside the packages and envelopes they handle. By OCR's own statement, they envision "infrequent" and "random" access. Therefore, it stands to reason that these conduit providers would not be considered a Business Associate. But that's at historical glance.

In light of today's technology and evolving business practices, these providers often maintain logs of packages delivered when shipped via certain services. A typical log includes shipper address, recipient address, shipping date and package weight on each package. These logs can pose privacy problems that it seems a Business Associates agreement under HIPAA could easily correct. Even the OCR's wording may support a claim that these logs are covered by HIPAA and require a Business Associates agreement in some situations.

An example in the spirit of those that came earlier is a log of recipients of packages shipped from a hospital's AIDS support group, which operates under separate cover and distinctive mailing address. If most of their packages are to patients, then the log may support reliable inferences about individuals at personal mailing addresses.

If asked, OCR may liken AT&T's phone service to UPS and the U.S. Postal Service. But doing so across the board, without the covered entity assessing the inferences that can be drawn from the information they provide on the mailing label (or other "conduit information"), may be unnecessarily problematical. By OCR's own statement, they envision "infrequent" and "random" access. These logs capture all data on all packages provided under these services. There is nothing infrequent or random about them.

A simple test can be constructed as to whether ordinary business conduits may be collecting information that would be a HIPAA disclosure, and if so, the conduit could then be deemed a Business Associate. On the other hand, if the conduit information contained no such information, then the conduit would not be a Business Associate. Decisions would not be so sweeping as company x always is or is not a covered entity. A particular determination would consider the covered entity, the conduit service, and the conduit information.

Under a Business Associates agreement, conduit providers would have to control further releases of logs that contain protected information. Without a Business Associates agreement, patients are left to the individual and somewhat arbitrary privacy policies the companies declare. I think we can do better than that.

--LS

_____________________________________________________
Latanya Sweeney, Ph.D.
Director, Laboratory for International Data Privacy
Associate Professor of Computer Science, Technology and Policy
School of Computer Science
Carnegie Mellon University
1301 Wean Hall
Pittsburgh, PA 15213 USA
Voice: (412)268-4484
Fax: (412)268-6561
Email: latanya@xxxxxxxxxxxxxxxxxx
http://privacy.cs.cmu.edu/index.html
http://privacy.cs.cmu.edu/people/sweeney/
_____________________________________________________
Date: Wed, 28 Jun 2006 05:42:11 -0400
To: David Farber <dave@xxxxxxxxxx>
From: Latanya Sweeney <latanya@xxxxxxxxxxxxxxxxxx>
Subject: Re: Farber's List posting
Cc: Bob Gellman <bob@xxxxxxxxxxxxxx>

Dave,

Bob Gellman is a leading legal scholar on privacy policy, and the most knowledgeable person about HIPAA that I know. Below is his response to the inquiry about AT&T and HIPAA. (Please post this message to your list.)

--LS

At 08:05 PM 6/23/2006, Bob Gellman wrote:

Someone sent me your posting from Dave Farber's list about the latest AT&T privacy policy and HIPAA. You wrote:

"On the other hand, if the AIDS support line was provided by a hospital that used it to support its patients diagnosed with HIV, then the information would be protected. However, it would be assumed that the hospital entered into a Business Associates agreement with AT&T and did not just sign-up for phone service without the additional protection. If such an agreement did exist, there may be some liability under HIPAA if AT&T shared the data further. However, even this situation is complicated by whether there was an overarching legal requirement for the information that took precedent."

I don't think that a telephone company is a business associate under HIPAA. It is just a conduit for information. Here's an answer from the OCR FAQ (answer number 245) that explains the point:

"Are the following entities considered "business associates" under the HIPAA Privacy Rule: US Postal Service, United Parcel Service, delivery truck line employees and/or their management?

No, the Privacy Rule does not require a covered entity to enter into business associate contracts with organizations, such as the US Postal Service, certain private couriers and their electronic equivalents that act merely as conduits for protected health information. A conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law. Since no disclosure is intended by the covered entity, and the probability of exposure of any particular protected health information to a conduit is very small, a conduit is not a business associate of the covered entity." (END OCR)

We can dream up circumstances in which a conduit would access information entrusted to it, and that could create interesting and complicated HIPAA questions. Much would depend on what the covered entity knew about the conduit's conduct, and what was allowed by its contract with the conduit. If a conduit regularly "opened the package" and peeked, then a business associate agreement might be required to control that conduct.

I haven't read AT&T's policy either. But its reported assertion of ownership is bad policy, bad law, and rather meaningless. With personal information, there are rights, interests, and responsibilities on all sides. A claim of ownership doesn't get anyone anywhere.

I don't have access to Farber's list, but you can post this if you choose.

Bob

--
Robert Gellman <bob@xxxxxxxxxxxxxx>
Privacy and Information Policy Consultant
419 Fifth Street SE
Washington, DC 20003
202-543-7923 www.bobgellman.com