Thursday, April 14, 2016

Last Weekly Takeaway

Last Week Takeaway:

I.               Recent Developments

Throw drown into air hover and follow you around at a pre-set distance: this is a facial recognition technology.  Follow child as walk to school safely. This is going to make facial recognition to the masses. 

FTC just announced three workshops to explore privacy and consumer. In October a workshop involving privacy aspect of drones, then in December a workshop for issues of consent and the sale of data for smart TV’s

Apple: It was a professional hacker that contacted the FBI and for a fee agreed to hack the I-Phone.

ABA and FBI partnered up and when they issue a Privacy Industry Notification the ABA will join forces and set out a warning of a hacker for law firms.

NY law requires express consent and Consumer Reports magazine sold all of the information of 2.8 million subscribers.  Based on the information they could target solicitations to a specific group of people.

II.              Question of the Week

We talked about the question of the week: Should healthcare providers be able to freely access and share electronic health records?  We talked about how Angela spoke of the benefit that sharing such information could actually save a life, as “[i]t is a system that is designed to ensure patient safety.”  One can see this is pharmaceuticals.

Utah Clinic Health Information Exchange: It is a non-profit organization from health care providers and health insurers. It not only aggregates information but acts as a clearing house. Moat providers participate but not all providers contribute all of their patient information.

III.            Lecture Stephanie Argoitia Chief Privacy Officer, University Healthcare

Stephanie Argoitia, Chief Privacy Officer, University Healthcare spoke to us about making decisions in the best interest of the patient. Privacy is not the main concern for safety. Notice of privacy practices for all that walk in for treatment. They must sign an acknowledgment form.
Denise Antolini, ABA Accreditation Team

What are the privacy related questions that should be asking regarding Utah Health Information Network and the clinical Health Information Exchange?

·      The CHI is a business associate for the University of Utah and they share PHI. Under HIPAA business associates are required to follow HIPAA. Information can be freely shared amongst providers, the sharing of this information was a logical decision to increase the safety of patients.

·      One question people asked was who could get access to the CHI? Physicians can share information with other physicians. Another question was does there have to be some kind of direct patient relationship with a patient, or if the justification is questionable they would do a similar review of: (1) who do you talk to (2) electronic security (3) who can access.  How do you document who has access is dependent upon things such as the scope of practice of a doctor? For instance, there needs to be a legitimate reason for accessing and red flags would come up where there is a dentist looking at the OBGYN information of a patient.

·      With regard to privacy a patient will want to know the information that is shared from the University of Utah to CHI if it is encrypted. And all though HIPAA doesn’t mandate encryption there is a safe harbor for HIPAA—although not explicitly stated—but if there was a laptop that was encrypted you don’t have to report it.

·      Who might fall within the definition of healthcare provider? This is a broad definition: Providers are individuals that provide care, NP, nurses, physical therapists, doctors, social workers, and secretaries—for administrative reasons may need access.


·      Absent full consent could a dermatologist access, if a provider is seeing a patient they could look at every aspect of a patients record, any access that is not directly related to the current practice should be prohibited.
·      HIPAA was aimed to let patients know how their information will be used and what the boundaries are—what a health worker needs to do their job.
·      One safeguard is a policy—because sharing information with family and friends can be tricky. Proxy access from my chart if you want to look into a spouse’s record. The reason why is because it is a violation of the University of Utah policy and this does not allow a physician to access from the terminal. Of course a physician or someone on the care team can access this.


IV.            Mike’s Post April 14th

We spoke about Mike’s post and National DNA Identification Database Proposal
First we started out with a background by discussing Maryland v. King. In King, the court upheld the constitutionality of the Maryland law where taking a cheek swab of an arrestee’s DNA that was being arrested for a violent crime was not an unreasonable search and seizure.
·      One main reasoning was due to the fact that the identity of the person was the reason for the search.
·      Another was that arrestees have a reduced expectation of privacy when compared to citizens in general. Utah’s Legislative Response
·      Makes collection of DNA sample mandatory for all persons arrested for a felony after Jan. 1, 2015
·      The sample is not processed until defendant is bound over at preliminary hearing or indicted by grand jury.
·      Sample and profile stored in state database
·      DNA may be used only for Identification purposes—even where a sample is contained you may only use the genetic markers for identification purposes.
·      Sample may be destroyed by court order if acquitted or conviction reversed, thus the person must make an affirmative request.
·      The profile gets destroyed, the sample has a greater risk of harm

Utah Newborn Screening
·      Blood sample is mandatory; parent can refuse only for religious reasons.
·      Sample of newborns by a heel stick to test for certain disorders that can be resolved or mitigated if immediate treatment.
·      Samples are de-identified prior to disposal but the Department of health owns them and there is no requirement for disposal.
Policy Arguments Against National Data Base
·      Mistakes: We are human
·      Unauthorized Access/hacking
·      Non-law enforcement purposes.
·      Profiling people: there are certain genetic markers that make up people. Ex. The warrier gene.
·      Discrimination: employer and health care cant used genetics to base decisions on. Such predispositions
o   Hire someone else,
o   Puts a person in a group or profile.
o   Banks not giving loans red-lining.
·      Mike noted in his post that the privacy concerns outweigh the needs of law enforcement.
·      What if we took DNA of everyone arrested? One argument is for racial profiling.
·      Arrested so their privacy expectation is diminished and they are now in the system and as long as probable cause then.
·      Maybe the privacy analysis would support expanding the DNA of those, but the issues with hackers.
National DNA Identification Database: Proposal
1.     DNA samples collected via cheek swabs only from those arrested and newborns
2.     Profiles are created; samples are destroyed and only the profiles are saved but destroyed if acquitted
3.     Warrants required to access database; law enforcement access only
4.     Database is encrypted; other best available security safeguards are employed
5.     Private cause of action with statutory damages for breach.

o   These factors are in assistance,

Saturday, April 9, 2016

National DNA database

The creation of a nationwide DNA database containing DNA from every citizen pursuant to a mandated collection is not sound policy.  DNA is unique in the fact that it is arguably impossible to de-identify, thus it is quite distinct from general medical records, financial records, government records, and educational records that can, and are, de-identified on a regular basis.  Thus, DNA requires additional protections.  Moreover, like the prior mentioned records, and to a greater extent, DNA or genetic information has been granted a variety of protections from congressional acts and agency rules.  This has led to an expectation that our DNA is deserving of privacy protections.  The fact that it is so valuable to research or law enforcement does not outweigh individual privacy considerations of DNA information; therefore a National DNA database is not sound policy.
           
Privacy Protections
           
            There are many laws in place to protect the information that is found in our DNA.  The following is a non-exhaustive list of laws and regulations addressing the privacy concerns surrounding DNA and Genetic information.  This blog post will not discuss at depth the implications of these laws and regulations related to a National DNA database.  The explanation of these laws is to make the point that these laws have helped to create an expectation of privacy regarding our DNA and genetic information.  Therefore, creating a DNA database is not sound policy because it would violate our reasonable expectation privacy concerning our DNA and genetic information.  Thus under the Katz test a DNA database should be a violation of our privacy. 
            Genetic Information Nondiscrimination Act (GINA) was passed by congress in 2008 to prevent genetic discrimination against individuals in employment and health insurance. 
            Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to protect medical records and other health information.  HIPAA applies to health plans, health care clearing houses, and health care providers.
            The Freedom of Information Act (FOIA) was passed in 1967 to allow citizens to access public government documents, however FOIA does not contain a specific exemption for genetic information, however it does exempt information that clearly constitutes an unwarranted invasion of personal privacy.  The National Institute of Health (NIH) is the primary agency in charge of Bio-medical and health-related research.  NIH operates a research facility and also is charged with distributing funds to other research entities like universities. NIH has promulgated a data sharing policy to address the concerns surrounding DNA and genetic information privacy. 
            As stated above this is not an exhaustive list of law and regulations that support a sense that our DNA and genetic information is private, but shows how the government has taken steps to ensure that our DNA is protected.

Privacy Concerns

            The privacy concerns of a Nation wide DNA database are many.  Some likely concerns include: how will the information be collected; how long will the DNA be stored; who will have access to the database, and what can they access it for; and how will the administrators of the database ensure that the information is accurate.
            Mandated collection of DNA from every citizen is in opposition of the values expressed in the fourth amendment, namely, freedom from unreasonable searches and seizures.  The DNA collection of honest, law-abiding citizens would no doubt be an abhorrent practice to the founders of this country.  Along with the constitution, the government has taken steps to protect our privacy as evident from the sample of laws mentioned above.  The result of passing such laws gives Americans the impression that they are justified in expecting privacy when it comes to their genetic information.  Surely anyone who understands the significance of DNA and how it can be used would at least have some reservations about handing it over to anyone, including the government.   
            There is a practice that is being used by law enforcement all over the world called DNA dragnets.  DNA dragnets are when police enter an area where a crime (typically a murder or rape) has occurred and ask for volunteer DNA samples from all persons in the suspected class.  Canadian police in a remote town recently engaged in the largest DNA dragnet in Canadian history.  The practice of DNA dragneting is not technically a mandated collection of DNA but some have argued that it amounts to such because refusing to give a DNA can spark suspicion that can lead to a search warrant being issued.  This happened in a 2003 rape and murder in Louisiana where an individual refused to provide DNA and the police obtained a warrant to collect his DNA, the case went to the appellate court and the court found the warrant was not supported by probably cause.  For a summary on DNA dragnet click here.
            One of the main areas of concern regarding DNA collection practices by law enforcement centers around when the collection can take place.  Some have argued that collection upon arrest is inappropriate because of the presumption of innocence. Some have argued that it should only be done upon conviction.  However, recent court cases show a trend toward allowing DNA collection at earlier and earlier times.  For a discussion on these recent cases click here.
            Another concern about DNA databases is the retention of the information.  Most states have enacted evidence laws to specify under what circumstances DNA can be collected, how long it is preserved, and rules addressing other concerns.  These laws deal specifically with DNA collected as part of criminal investigations.  A Federal DNA database, if created, would clearly need its own set of rules addressing privacy concerns.
            One other concern about DNA collection by law enforcement is the effectiveness of mass DNA collection.  Time, money, and efficiency have all been called into question particularly with respect to DNA dragnets. 
            The access and use of a Federal DNA database is another valid concern.  DNA can be used to uncover so much information about us; this is what makes it so useful to research and yet potentially harmful to our privacy.  A perfect illustration of this occurred in the Grand Canyon, in 1998.  Seem strange?  In 1998 the Havasupai Tribe and Arizona State University undertook to link a type II diabetes epidemic within the isolated tribe to their genetic makeup.  The research did not provide any evidence of a connection between diabetes and the tribe’s genes.  However, the researchers retained the information gathered and used it for several other research endeavors that the Tribe was not aware of.  The tribe sued Arizona State University in state court under several theories arguing that ASU invaded their privacy.
            This case illustrates the very real potential for violations of privacy in the use of DNA.  While it is not likely that the researchers acted with malicious intent to harm the tribe, their actions were offensive to the tribe.  This type of invasion of individual privacy could easily happen to anyone if the government created a national DNA database,
           
Conclusion


            The risk of abuse, whether by use of DNA beyond the scope of consent, or by law enforcement in an manner that would violate our constitutional rights would be increased if the government created a national database containing the DNA from all Americans.  Along with each individual’s own sense of personal privacy, the government has passed laws protecting our genetic information that has increased our awareness of the need for privacy concerning our DNA.  A reviewing court could easily find that under Katz v United States, the creation of a nation-wide database would violate our privacy. This supports the position that the government should not create a National Database because the collection and use of our DNA would de in direct conflict with our privacy and laws designed to protect it. 

Friday, April 8, 2016

WEEK 12 TAKEAWAYS 

We spent this week discussing a student’s privacy rights as they relate to free speech rights on high school and college campuses. 

In current events, Professor Dryer informed us that although the controversy between the Department of Justice and Apple concerning access to the San Bernardino shooter's Iphone has been resolved, there are still over one-hundred pending cases where prosecuting agencies are seeking court orders that compel Apple to create "backdoors" in Iphones. 

We began the week by reviewing the Supreme Court's landmark decision in Tinker v. Des Moines Independent Community School District, 393 U.S. 503. This case affirmed a student's First Amendment right  of Free Speech within a school. Tinker, however, also acknowledged that high school's and colleges may abridge student speech within certain parameters in order for the school to fulfill its educational mission. Following Tinker, courts have acknowledged that student speech on college campuses was much more protected than student speech on high school campuses. I was interested in Vik’s comments related to this distinction. Vik noted that high school students are compelled to attend high school, whereas adults voluntarily choose to attend college. Most of us seemed to agree that this distinction meant that more tolerance is required on college campuses to ensure they remain marketplaces of ideas.

I was interest in the distinction Professor Dryer highlighted between free speech rights and privacy rights. Although he mentioned these two concepts are of-times co-extensive, he suggested that within the context of student speech, there are both distinct  privacy implications and free speech implications. We discussed student speech mostly within the context of free speech, rather than privacy. When considering anonymous speech, it is interesting to consider what defenses a student could raise that are unrelated to free speech to stop a school from identifying anonymous speech.

At the end of class on Thursday, we discussed a hypothetical in which a white elementary school-aged child bullied an African-American girl via a school-provided Ipad to the point where she committed suicide. Professor Dryer asked us to apportion liability based on moral considerations between the white student, the African-American girl, the white student’s parents, the victim’s parents, the school, and other students who were aware of the bullying. I thought it was interesting that most of us were willing to apportion some “moral” liability to other students who were potentially aware of the bullying. While we did not have to time to discuss our rationales in detail, I would be interested to know why we think young, immature children have a moral duty to report bullying. I don’t disagree necessarily, but I think the rational underlying this decision is worth exploring.


Most of us had never heard of Yik-Yak until this week. While none of us have Yik-Yak accounts, at least half of Professor Dryer’s undergraduate students subscribe to the service. We learned that Yik-Yak is not nearly as anonymous as people may think because Yik Yak states in its terms of service that it may identify users in connection with supporting the legal process. What troubles me about Yik Yak is that the service accesses your phone’s data to use your contact list to further solicit the service. Yik Yak has become such a hot bed for cyber bullying and other nefarious content that Yik Yak has suspended the service to nearly 90% of US High Schools. 

Thursday, April 7, 2016

Question of the Week No. 12

Healthcare providers are moving to a system of electronic health records where an individual’s entire medical history, diagnoses, treatments, medications and other health information are maintained in a digital form.  For the purposes of providing better and more timely health care to individuals, should physicians and other healthcare providers be able to freely access and share this information with each other without a patient’s consent?

Friday, April 1, 2016

Expanding the Panopticon: Monitoring Social Media

            Most of us are old enough to remember a time when our peers were bold enough to demean or threaten us to our face or at least take the time to gossip face to face. Contemporarily, the internet has qualitatively and quantitatively amplified a student’s ability to “talk trash” and even make violent threats over the internet. Technology has not only made these threats and offensive statements more ubiquitous, but has also allowed students to make these statements anonymously.

            Yik Yak is a social media platform “that helps people discover their local community, letting them share news, crack jokes, offer support, ask questions, and interact freely. Its home to the casual, relatable, heartfelt, and silly things that connect people with their community.” One unique feature of Yik Yak is that it asks for virtually no private information to sign-up except a phone number. It also has a geolocation setting that ensures any Yik Yak posts that users see are from those within a five-mile radius

            Yik Yak has 3.6 million user, 98% of are “millenials.” It has exploded since its inception, leaving a wake of bullying threat and acts of violence. For example, in 2015, a student at the University of Missouri was arrested after made a post on Yik Yak in which he threatened to shoot every African-American on the University of Missouri’s campus. Also, in 2015, a student at Emory University was arrested after she posted on Yik Yak, “ I'm shooting up the school. Tomorrow. Stay in your rooms. The ones on the quad are the ones who will go first." These are just two examples of the growing cyberbullying and cyberterrorism epidemic. A national study found school threats increased 158 percent during 2014 from 2013.
           
            In response to the rise of school shootings and cyberbullying. Local school districts and universities have begun to monitor social media activity to identify potential threats. In Delkalb County, Georgia, employees track searches made by students and faculty on the district’s wireless network to identify potential threats. Other school districts have implemented apps that allow people to make anonymous tips about threats of violence. For a steep price, universities and school districts can use Hootsuite, Social Sentinel, and GEOCOP to effectually spy on students’ social media posts to monitor potential threats. These sites monitor social network activity within discreet geographic locations [geofencing] to track actual or potential violent threats in an effort to prevent school violence.
           
            The increased frequency of school violence and the prevalence of social media have caused the principles of free speech, privacy, and safety to collide. The United States Supreme Court, in Tinker v. Des Moines, held that both high school and college student enjoy free speech rights under the First Amendment protections. The Court, however, noted that these “schools may limit or discipline student expression if school officials reasonably conclude that it will materially and substantially disrupt the work and discipline of the school.” The rationale behind Tinker’s holding is that schools should be granted broad authority to execute their educational mission and to discipline students in accordance with those goals. Following Tinker, however, courts have recognized that Tinker’s proscriptions apply differently on high school and college campuses. The Third Circuit Court of Appeals has explained that “public secondary and elementary school administrators are granted more leeway [to restrict speech] than public colleges and universities.”

            The concern with monitoring social media posts within the context of preventing violent acts is not where the clash of safety, speech, and privacy is troubling. Indeed, courts seems to consistently hold that violent threats are not protected under Tinker and school administrators are permitted to enact discipline based on these threats. Rather, the tension seems to lie with a schools actual monitoring of social media posts. Moreover, this clash is also most prevalent with other forms of controversial speech and school’s decision to enact discipline based on that speech.

            The ACLU argues that a school’s decision to monitor social media fails to promote confidence and trust between the student body and school employees. These concerns, however, seem hypothetical and trivial in comparison to the real, concrete concern of school violence. Given there does not seem to be an efficient or practical way to monitor social media for violent threats without also monitoring other content, the concern for safety, from my perspective, must trump the ACLU’s ideological concerns about promoting trust. Although the actual monitoring of social media undermines a student’s privacy, both college and high school students have a diminished expectation of privacy while they attend a secondary or post-secondary public institution. Simply put, the safety concerns and social value of monitoring social media to curb violent attacks far outweighs a students’ expectation of privacy, especially when student already enter a campus with a diminished expectation of privacy. Certainly social media monitoring has the potential to chill speech that implicates the First Amendment, but it aims to chill violent speech, which enjoys no protection under the First Amendment.

            Although I am in favor a school district’s action of monitoring social media, I am in favor of California’s law related to social media monitoring. In California, a school or university must follow specific steps before implementing a social media monitoring program. These steps include providing notice to students and/or their parents or guardians, only collecting information that implicates school safety and the school must destroy the information it collects on a student within a year after that student graduates or turns 18. Similarly, Utah has enacted law that proscribes Universities from demanding that a student supply their social media credentials.

            Sites such as Yik Yak add another layer of complexity to this First Amendment calculus because even if a school is able to identify a potential threat, Yik Yak allows user to post anonymously. Thus, a more troubling and complex issue is whether schools may affirmatively take steps to identify students who make social media posts that contain discriminatory remarks based on gender and race. Under its current terms of service, Yik Yak will only disclose a person’s identifiable information if it “believe[s] it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person…” Given Yik Yak only has its users’ phone numbers, a school would have to pursue other routes to identify a student who makes discriminatory remarks.

            As a result of this limitation, it seems more practical to ask to what end is the school seeking to identify a student who makes remarks that are discriminatory. Presumably, it would be to punish that student. This is where social media monitoring enters dubious territory, where it functions as avenue to curb student speech that potentially enjoys First Amendment protection. Such monitoring invokes a slippery slope that grants schools too much power to determine what type of speech is offensive and is not. The Third Circuit considered this issue in DeJohn v. Temple University. It reviewed Temple University’s sexual harassment policy that stated in relevant part “all forms of sexual harassment are prohibited…when ...such conduct has the purpose or effect of unreasonably interfering with an individual's work, educational performance, or status; or (d) such conduct has the purpose or effect of creating an intimidating, hostile, or offensive environment.” A student challenged this rule, arguing he felt it illegally interfered with his right to express his comments about women in the military. The Court ultimately held the policy was overbroad because it limited speech the First Amendment protects. The court explained “some speech that creates a hostile or offensive environment may be protected speech under the First Amendment. It is difficult to cabin this phrase, which could encompass any speech that might simply be offensive to a listener, or a group of listeners, believing that they are being subjected to or surrounded by hostility.”


            It easy to rationalize a school’s effort to punish a student for making comments on campus that are discriminatory in nature. Such speech collides with the right of student to remain free from harassment. However, a tension arises between speech, safety, and privacy when such discriminatory speech is made anonymously and off-campus. I am not in favor of a school pursuing the identity of anonymous, discriminatory speech because its chilling effect on others. When a school is willing to use time, money, and man power to effectually hunt down those who speak anonymously, it dissuades others from expressing controversial yet protected viewpoints. This is antithetical to a college campus which is supposed to be a “marketplace of ideas” where robust debate occurs. While I recognize there is little social value in discriminatory speech, as the DeJohn court noted, there is a degree of subjectivity in determining whether speech is discriminatory based on gender or race. When a college or university commits itself to leaving the campus boundaries to quell this speech, it harms the confidence and privacy of others to express their controversial yet protected view points. To be sure, the answer to this question may be different with regard to high schools, but it seems that identifying anonymous unprotected speech through social media monitoring comes at too great a cost to be justified.