Last Week Takeaway:
I.
Recent
Developments
Throw drown into air hover and follow you around at a
pre-set distance: this is a facial recognition technology. Follow child as walk to school safely. This
is going to make facial recognition to the masses.
FTC just announced three workshops to explore privacy and
consumer. In October a workshop involving privacy aspect of drones, then in December
a workshop for issues of consent and the sale of data for smart TV’s
Apple: It was a professional hacker that contacted the FBI
and for a fee agreed to hack the I-Phone.
ABA and FBI partnered up and when they issue a Privacy
Industry Notification the ABA will join forces and set out a warning of a
hacker for law firms.
NY law requires express consent and Consumer Reports
magazine sold all of the information of 2.8 million subscribers. Based on the information they could target
solicitations to a specific group of people.
II.
Question
of the Week
We talked about the question of the week: Should healthcare
providers be able to freely access and share electronic health records? We talked about how Angela spoke of the
benefit that sharing such information could actually save a life, as “[i]t is a
system that is designed to ensure patient safety.” One can see this is pharmaceuticals.
Utah Clinic Health Information Exchange: It is a non-profit
organization from health care providers and health insurers. It not only
aggregates information but acts as a clearing house. Moat providers participate
but not all providers contribute all of their patient information.
III.
Lecture
Stephanie Argoitia Chief Privacy Officer, University Healthcare
Stephanie Argoitia, Chief Privacy Officer, University
Healthcare spoke to us about making decisions in the best interest of the
patient. Privacy is not the main concern for safety. Notice of privacy
practices for all that walk in for treatment. They must sign an acknowledgment
form.
Denise Antolini, ABA Accreditation Team
What
are the privacy related questions that should be asking regarding Utah Health Information
Network and the clinical Health Information Exchange?
·
The CHI is a business associate for the
University of Utah and they share PHI. Under HIPAA business associates are
required to follow HIPAA. Information can be freely shared amongst providers,
the sharing of this information was a logical decision to increase the safety
of patients.
·
One question people asked was who could get
access to the CHI? Physicians can share information with other physicians.
Another question was does there have to be some kind of direct patient
relationship with a patient, or if the justification is questionable they would
do a similar review of: (1) who do you talk to (2) electronic security (3) who
can access. How do you document who has
access is dependent upon things such as the scope of practice of a doctor? For
instance, there needs to be a legitimate reason for accessing and red flags
would come up where there is a dentist looking at the OBGYN information of a
patient.
·
With regard to privacy a patient will want to
know the information that is shared from the University of Utah to CHI if it is
encrypted. And all though HIPAA doesn’t mandate encryption there is a safe
harbor for HIPAA—although not explicitly stated—but if there was a laptop that
was encrypted you don’t have to report it.
·
Who might fall within the definition of
healthcare provider? This is a broad definition: Providers are individuals that
provide care, NP, nurses, physical therapists, doctors, social workers, and
secretaries—for administrative reasons may need access.
·
Absent full consent could a dermatologist
access, if a provider is seeing a patient they could look at every aspect of a
patients record, any access that is not directly related to the current
practice should be prohibited.
·
HIPAA was aimed to let patients know how their
information will be used and what the boundaries are—what a health worker needs
to do their job.
·
One safeguard is a policy—because sharing information
with family and friends can be tricky. Proxy access from my chart if you want
to look into a spouse’s record. The reason why is because it is a violation of
the University of Utah policy and this does not allow a physician to access
from the terminal. Of course a physician or someone on the care team can access
this.
IV.
Mike’s
Post April 14th
We spoke about Mike’s post and National
DNA Identification Database Proposal
First we started out with a
background by discussing Maryland v. King.
In King, the court upheld the constitutionality
of the Maryland law where taking a cheek swab of an arrestee’s DNA that was
being arrested for a violent crime was not an unreasonable search and seizure.
·
One main reasoning was due to the fact that the
identity of the person was the reason for the search.
·
Another was that arrestees have a reduced
expectation of privacy when compared to citizens in general. Utah’s Legislative Response
·
Makes collection of DNA sample mandatory for all
persons arrested for a felony after Jan. 1, 2015
·
The sample is not processed until defendant is
bound over at preliminary hearing or indicted by grand jury.
·
Sample and profile stored in state database
·
DNA may be used only for Identification
purposes—even where a sample is contained you may only use the genetic markers
for identification purposes.
·
Sample may be destroyed by court order if
acquitted or conviction reversed, thus the person must make an affirmative
request.
·
The profile gets destroyed, the sample has a
greater risk of harm
Utah
Newborn Screening
·
Blood sample is mandatory; parent can refuse
only for religious reasons.
·
Sample of newborns by a heel stick to test for
certain disorders that can be resolved or mitigated if immediate treatment.
·
Samples are de-identified prior to disposal but
the Department of health owns them and there is no requirement for disposal.
Policy
Arguments Against National Data Base
·
Mistakes: We are human
·
Unauthorized Access/hacking
·
Non-law enforcement purposes.
·
Profiling people: there are certain genetic
markers that make up people. Ex. The warrier gene.
·
Discrimination: employer and health care cant
used genetics to base decisions on. Such predispositions
o
Hire someone else,
o
Puts a person in a group or profile.
o
Banks not giving loans red-lining.
·
Mike noted in his post that the privacy concerns
outweigh the needs of law enforcement.
·
What if we took DNA of everyone arrested? One
argument is for racial profiling.
·
Arrested so their privacy expectation is
diminished and they are now in the system and as long as probable cause then.
·
Maybe the privacy analysis would support
expanding the DNA of those, but the issues with hackers.
National
DNA Identification Database: Proposal
1. DNA
samples collected via cheek swabs only from those arrested and newborns
2. Profiles
are created; samples are destroyed and only the profiles are saved but
destroyed if acquitted
3. Warrants
required to access database; law enforcement access only
4. Database
is encrypted; other best available security safeguards are employed
5. Private
cause of action with statutory damages for breach.
o
These factors are in assistance,