At yesterday’s monthly meeting of the Health IT Policy Committee, a briefing provided by the leads of the Committee’s NHIN Workgroup described the need for a health information exchange (HIE) trust framework and spelled out five components the workgroup members consider essential to overcome some of the barriers to greater HIE adoption. Notable among these essential elements is “accountability and enforcement,” which to the NHIN Workgroup means “each participant must accept responsibility for its exchange activities and answer for adverse consequences.” While it may sound obvious, the inclusion of an enforcement mechanism is a significant departure — and in our opinion, a welcome and necessary one — from the trust models articulated for health IT in the past and more broadly for healthcare security and privacy requirements in general. More typical is the sort of voluntary compliance model used for HIPAA enforcement — investigations against alleged violators of the HIPAA Privacy Rule or Security Rule are launched in response to complaints filed by patients or other healthcare stakeholders, but not as the result of direct monitoring of covered entity actions. There are no proactive HIPAA audits performed by the government; while the HHS Office of Civil Rights (OCR) has the authority to conduct “compliance reviews” of covered entities at any time, as a general rule OCR initiates such reviews only after receiving complaints about an entity. This lack of direct monitoring or proactive enforcement is one key reason why there have been so few criminal prosecutions under HIPAA, and such a voluntary violation reporting model does little to instill confidence that the legal obligations and constraints HIE participants agree to when they sign data sharing agreements will be followed. 
To date, the Nationwide Health Information Exchange (NHIN) governance model has relied on a legal agreement — the Data Use and Reciprocal Support Agreement (DURSA) — that obligates its signatories to be monitored, but no regular monitoring capability is yet in place, and even when implemented, such monitoring will not extend to the individual participants’ own security and privacy practices.
Against this historical backdrop, the notion even within an as-yet conceptual framework of specifying security and privacy requirements for HIE participants coupled with enforcement is a positive step forward. It remains to be seen what form this enforcement might take, and similarly whether any sort of technical enforcement or automated compliance monitoring might be sought. The NHIN Workgroup briefing suggests that self-certification and entity self-assertion of compliance may be among the valid means of enforcement, but also implies that organizational monitoring may be employed, whether by government, other HIE participants, third-party authorities, or some combination of these. Absent such objective enforcement, it is hard to see how HIE participants can have sufficient confidence in others to live up to their legal obligations. The operational prerequisites for establishing trust frameworks among disparate entities — especially those with different goals and potentially misaligned business objectives — are a compelling subject area for further research.
The Supreme Court heard oral arguments in City of Ontario v. Quon yesterday, and initial reactions in legal circles on the way the plaintiff’s counsel argued the case and the questions raised by the justices seem to suggest a narrow ruling is likely in this case, rather than one setting a significant precedent or establishing doctrine on employee expectations of privacy in the workplace. While we suggested such an outcome in advance of the session, the transcript released by the Court shows that the justices spent relatively little time on the distinction between the City’s official written policy regarding personal use of city-owned computing resources and the oral policy in place between Quon and other members of the SWAT team and their immediate supervisor. Plaintiff’s counsel offered two arguments to the Court: first, that contrary to the 9th Circuit’s finding in the case, Quon had no reasonable expectation of privacy for the content of text messages sent using his city-owned and -issued pager; and second, that even if he had such a reasonable expectation, the city’s inspection of his text messages was a reasonable search. Both Chief Justice Roberts and Justice Ginsburg suggested that if you take as a given that the wireless provider with which the city contracted for the pager service, Arch Wireless, violated the Stored Communications Act (SCA) by turning over transcripts of the messages sent using the pager, then the SCA would help bolster Quon’s claim of a reasonable expectation of privacy and would call into question the legality of the city subsequently looking at those transcripts, even if the city was not itself in violation of the law. To his credit, plaintiff’s counsel seemed well prepared for that line of questioning, citing recent precedents where the Supreme Court has held that the fact a law was violated is insufficient to produce a reasonable expectation of privacy.
Parties arguing in defense of Quon did address the issues with the city’s official policy, suggesting that the best way for an employer to eliminate reasonable expectations of privacy among employees is to make it clear through comprehensive and explicit policies that no such expectation exists. The Court did not appear willing to accept this approach, noting the need established in O’Connor v. Ortega: “Given the great variety of work environments in the public sector, the question whether an employee has a reasonable expectation of privacy must be addressed on a case-by-case basis.” This line of thinking also echoes the reasoning of the New Jersey state Supreme Court in its recent Stengart ruling that even a carefully crafted and explicit policy cannot invalidate all potential employee claims to privacy of personal communications.
Counsel for the defense (Quon) did zero in on the understanding Quon and his co-workers had with their supervisor, arguing that that alone was sufficient to constitute a reasonable expectation of privacy, even if it was contrary to the official city policy. The Court, especially Justice Breyer, pressed defendant’s counsel to explain why reading the text messages wasn’t a logical, reasonable way to satisfy the city’s desire to know how much of Quon’s pager messaging was personal and how much was work related. Chief Justice Roberts seemed amenable to some of the alternative methods the city could have used that didn’t involve actually inspecting the content of the messages, but Breyer and other justices seemed unsatisfied with defense counsel’s responses. Plaintiff’s counsel opted to reserve his last three minutes to rebut the defense, which he tried to do by suggesting that there was not in fact any difference in terms of privacy expectations between the official policy and the informal one, with the point once again being that no reasonable expectation of privacy should be afforded Quon.
Regardless of the breadth (or lack thereof) of the final ruling, it seems that the defense may have the harder case to make, inasmuch as it has to convince the Court that the expectation of privacy was reasonable and that, even if that expectation as found by the 9th Circuit is upheld, the actions by the city to look at the text messages also constituted an unreasonable search. For its part, the city may win reversal if the Court accepts its position on either the (absence of a) reasonable expectation of privacy or on the reasonableness of the search.
Congressman John Kline, a Republican from Minnesota and the ranking minority member of the House Committee on Education and Labor, publicly expressed concerns last week about potential risks to personal information on students that is collected and maintained in state-level data warehouses. Kline spoke after an April 14 hearing on data used to track performance of K-12 school children, during which the Committee heard testimony from state and local education administrators as well as the lead author of a 2009 Fordham Law School study on children’s educational records and privacy. Kline stressed the need for federal, state, and local level measures that ensure student and family privacy rights are protected. While such sentiments may seem prosaic, when focusing on state or district-level databases maintained by authorities other than educational institutions, there does seem to be a significant gap in the coverage of current federal laws on the privacy of student information. Joel Reidenberg, Director of Fordham’s Center on Law and Information Policy, reiterated in his testimony before the Committee that many state practices observed and reported in the course of the Center’s study violate provisions in relevant federal laws, but without consequence because the laws in question do not apply to state or local government actions.
The prevailing federal law on privacy of information in student records is the Family Educational Rights and Privacy Act (FERPA), which includes a variety of rights for adult students and parents of minor students as well as restrictions on the use and disclosure (without consent) of student records by educators, school administrators, and institutions in general. FERPA applies at federal, state, and local levels, but only covers schools receiving funding from a U.S. Department of Education program. Significantly, this exempts many private, parochial, and charter schools, although with respect to the state data warehouses about which Rep. Kline noted his concerns, it seems unlikely that data on non-public school students would be collected as regularly as would data on public school students. To the extent that state educational databases are maintained by state government agencies or similar authorities, rather than institutions themselves, FERPA’s rules simply do not apply.
Without specific attention to student records or education information, there are other federal laws that constrain data collection from individuals, particularly children. The most general of these is the Privacy Act (5 U.S.C. §552a), which stipulates several prerequisites and conditions that must be met before personally identifiable information can be collected from any U.S. citizen. The Privacy Act reflects the Fair Information Principles published in 1973 by the U.S. Department of Health, Education, and Welfare, notably including transparency (that is, databases should not be secret), notice of intended use, and prevention of additional uses without consent. The Fordham study suggests that many states fail to provide transparency about the data they collect and maintain, and that they impose few restrictions on purposes for use of their data, including new or additional uses distinct from the purposes for which the data was originally collected.
A much more narrowly defined set of privacy practices stems from the Children’s Online Privacy Protection Act (COPPA), which lays out a number of requirements for online entities that collect personal information from children under age 13. COPPA applies to all personal information, but focuses only on data collected online from individuals, so does not cover transfers of data between institutions, even for children under 13. The law also says nothing about data collection from minors older than 13. Despite the general lack of direct relevance to the state educational database situation, privacy advocacy organizations such as the Electronic Privacy Information Center (EPIC) have cited the Fordham study as an example of practices that violate the spirit, if not the letter, of COPPA by ignoring the sort of privacy protections codified into the law in less narrowly defined contexts.
The failure of most current federal legal requirements to apply to state or local government authorities is one possible explanation for the apparently common practice at the state level of ignoring well established privacy principles that are codified into law constraining the behavior of educational institutions like schools and school districts and of federal agencies. One possible resolution for this problem would be to extend student record privacy protections to apply not only to institutions collecting and storing information on their students, but also to public and private sector entities that receive, aggregate, or make available student records or data contained in them.
In two separate developments this week we see efforts from both the executive and legislative branches intended to make it easier for financial institutions to comply with regulations on privacy practices required under the Gramm-Leach-Bliley Act (GLBA). For its part, today the Federal Trade Commission (FTC) announced the availability of an online form builder to help financial institutions draft the privacy notices that the institutions are required to provide to their customers. By following a simple (one page) set of instructions, users seeking to create privacy notices are directed to one of four PDF templates, each of which is two pages long and has a set of highlighted areas where institutions can insert their own content to explain what they do with customer personal information. The four versions of the template correspond to the possible combinations of two attributes: whether or not an opt-out provision exists and whether or not affiliate marketing is included. More detailed guidance on content required to be included in each section of the form was published in the Federal Register on December 1, 2009. The provision to create and make available such an optional model form was included in GLBA (15 U.S.C. §6803(e)).
On the legislative side, yesterday the House of Representatives passed the Eliminate Privacy Notice Confusion Act (H.R. 3506), which if enacted into law would amend GLBA (15 U.S.C. §6803) to add an exception to the current requirement that privacy notices be provided annually to customers, if the institution’s information disclosure policies and practices haven’t changed since the previous notice was provided, and if the provisions under which the institution discloses non-public personal information fall entirely within the statutory exceptions to prohibited disclosure already in the statute. The bill is notable in another respect tangential to its content: it was passed as a “stand-alone” bill for a single purpose, rather than as part of some larger, more complex piece of legislation. It is the second such bill sponsored by Rep. Erik Paulsen, a freshman Republican Congressman from Minnesota.
As noted in a post here about a week and a half ago, the Supreme Court will hear arguments on April 19 in City of Ontario v. Quon, which is an appeal by the city of a 9th Circuit Court decision in the case, which was then known as Quon v. Arch Wireless, and which went in Quon’s favor, finding the city had violated his 4th Amendment rights by examining the contents of personal text messages Quon had sent using a city-issued pager. There is a lot of attention focused on this case and the possible implications a ruling either way might have for employee expectations of privacy in the workplace, or outside the workplace when communicating with employer-owned devices. Public sector organizations in particular are concerned that if the 9th Circuit decision is affirmed, these organizations would be severely constrained in their ability to monitor electronic communications among law enforcement personnel, between teachers and students, or among employees in general.
Given the Court’s past tendency to avoid establishing sweeping precedents extrapolating from the specific circumstances of a case before them, our expectation is for a ruling more narrowly focused to the atypical facts in this case. The Ontario police department (Quon’s employer) had an explicit policy in place that clearly gave employees no expectation of privacy when using city-issued computers or resources, although to be fair there was no specific policy that addressed text messaging uses of pagers. Nonetheless, the official policy is not a point of contention; what is relevant is that Quon’s immediate supervisor made a separate arrangement with Quon and some of his fellow officers that was in conflict with the city policy. It’s not at all clear that Quon would have prevailed in his appeal had the conflict between formal and informal policies not been involved. While other courts have found that even unambiguous employer policies may not be able to override employee expectations of privacy for some types of content (such as communications between an employee and an attorney), there doesn’t seem to be anything in the nature of the personal text messages in the Quon case that would demand special protection.
In advance of Monday’s argument, the plaintiff’s reply brief has yielded some observations by legal experts on the line of reasoning the city will use to plead its case. Orin Kerr noted his surprise at the attention focused on the Stored Communications Act (SCA) and Quon’s former (successful) argument that the provisions of the SCA create a reasonable expectation of privacy, which was violated by the city when it read his personal text messages. Presumably to challenge the reasonable expectation of privacy argument under the 4th Amendment, the city feels it needs to challenge the 9th Circuit’s interpretation of the SCA as well. This is an interesting tactic given that the Supreme Court granted cert. only on the 4th Amendment appeal by the city, but denied cert. on Arch Wireless’s appeal (Arch Wireless is not a party to the case before the Supreme Court) of the ruling that it violated the SCA. The primary challenge for the city in overturning Quon is convincing the Court that Quon’s expectation of privacy was not reasonable, and that appears to be a tall order given the facts of the case that aren’t in dispute. However, an affirmation of Quon could hardly be construed as an unequivocal victory for employee expectations of privacy. Instead, such a ruling would highlight the critical importance of writing explicit policies covering acceptable uses of employer-owned resources and, if personal use is to be allowed, of avoiding vague or subjective terms like “limited” or “occasional” and instead being clear on exactly what will be permitted and under what terms.