In the last entry, I posed the question: if an individual provides what should be protected personal information to a bank but never becomes a “customer,” is the bank obliged to protect that information? The letter of the law is ambiguous, but common sense dictates that the data should be protected. More on this later; for now, let’s look at a different set of rules for protected information: HIPAA, for the healthcare industry.
Under this law, as implemented in the Code of Federal Regulations (see 45 C.F.R. §164.514(b)(2)(i)), a healthcare organization is obliged to protect an individual’s protected health information (PHI), and the regulation enumerates the identifiers (of the individual, and of the individual’s relatives, employers, or household members) that tie health data to a person, specifically:
- Names;
- All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code), except the initial three digits of a ZIP code where the area covered by those three digits contains more than 20,000 people;
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints;
- Full face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code
Actually, the directive is less about “protection” and more about “de-identification”: the healthcare organization may not release data that allows someone to connect health information to a specific, identified individual, and the list above is the set of identifiers that must be stripped before data counts as de-identified. That type of “data protection” is slightly different from the protection implied by the Gramm-Leach-Bliley Act (GLB). For one thing, the rule governing PHI introduces constraints that are not part of GLB. For example, GLB allows a financial institution to share data derived from public sources, such as mailing lists or phone directories. The PHI privacy rule, by contrast, restricts exposure of any potentially identifying information, which raises the question of whether a letter from a healthcare provider with the provider’s specialty printed on the envelope constitutes a risk of exposure, since it links a protected data element (name and address) to personal health information (the specialty).
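To make the de-identification rule concrete, here is an added example (my own illustration, not code from the original post or from HHS) that applies the Safe Harbor transformations above to a constructed patient record: direct identifiers are dropped, dates are reduced to the year, ages over 89 collapse to “90 or older” with the birth year removed, ZIP codes are truncated to three digits, and identifiers that leak into free-text notes are scrubbed with regular expressions. The field names, the sample record, and the `low_population_zip3` set are assumptions for the example; the real set of three-digit ZIP prefixes covering 20,000 or fewer people comes from Census data and must be supplied by the caller.

```python
import re
from datetime import date

# Fields holding direct identifiers from the Safe Harbor list; these are removed outright.
# (Field names are assumed for this example.)
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "plan_id", "account",
    "license", "vin", "plate", "device_serial", "url", "ip",
    "street", "city", "county",
}

# Date fields: only the year survives (and not even that, for patients over 89).
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Identifiers that tend to leak into free-text notes. Order matters: the SSN
# pattern runs before the phone pattern so ddd-dd-dddd is not mislabeled.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\bhttps?://\S+", re.IGNORECASE), "[URL]"),
]


def scrub_free_text(text):
    """Replace identifier-shaped substrings in free text with a placeholder."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def age_on(birth, as_of):
    """Whole years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def generalize_zip(zip_code, low_population_zip3=frozenset()):
    """Keep the first three ZIP digits; use 000 for sparsely populated prefixes."""
    prefix = str(zip_code)[:3]
    return "000" if prefix in low_population_zip3 else prefix


def deidentify(record, as_of, low_population_zip3=frozenset()):
    """Return a Safe Harbor de-identified copy of a flat patient record."""
    birth = date.fromisoformat(record["birth_date"]) if "birth_date" in record else None
    age = age_on(birth, as_of) if birth else None
    over_89 = age is not None and age > 89

    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                  # removed outright
        if key in DATE_FIELDS:
            if key == "birth_date" and over_89:
                continue                              # year alone would reveal age > 89
            out[key.replace("_date", "_year")] = date.fromisoformat(value).year
        elif key == "zip":
            out["zip3"] = generalize_zip(value, low_population_zip3)
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)         # catch identifiers in notes
        else:
            out[key] = value
    if age is not None:
        out["age"] = "90 or older" if over_89 else age
    return out


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Q. Public",
    "birth_date": "1931-04-17",
    "admission_date": "2019-11-02",
    "discharge_date": "2019-11-05",
    "street": "1 Main St",
    "city": "Cambridge",
    "state": "MA",
    "zip": "02139",
    "phone": "617-555-0142",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "mrn": "MRN-00012345",
    "ip": "192.0.2.44",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Patient reached at 617-555-0142; follow up via jane@example.com",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, as_of=date(2024, 1, 1)))
```

The free-text scrubbing is the weak link in practice: the regulation's last item (“any other unique identifying number, characteristic, or code”) cannot be captured by a handful of regexes, which is why organizations releasing clinical notes usually pair Safe Harbor with a human review or the rule's alternative “expert determination” path.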
Reviewing other privacy and data protection laws shows further variations in strictness and constraints. These compliance risks, however, are precariously balanced against another growing risk: data exposure resulting from security breaches. In that context, you could raise more questions about the imposition of privacy protection rules and how they are observed in practice; more in the next post.