Model Privacy Act
I just read the "Model State Public Health Privacy Act" at
http://www.critpath.org/msphpa/privacy.htm. I must say I'm impressed. It
improves substantially on past proposals.

One point continues to plague me -- that of secondary disclosure of
protected health information. Article IV says, "No person to whom protected
health information has been disclosed pursuant to this Act shall disclose
the information to another person except as authorized by this Act."

The problem is that nothing is said about the status of protected health
information received by a third person in *VIOLATION* of the Act.
Consider the newspaper that receives an anonymous package containing the
protected health information of a political candidate. May they publish it?

Also, the law should not permit stolen information to be "laundered" by
posting it on a web page, thus placing it irretrievably in the public domain.
Computers make it practical to expose hundreds of millions of records as
easily as one record. I fear that the prize of laundering the entire
nation's protected health information would be irresistibly appealing to
would-be cyber criminals. I further fear that criminal prosecution is
insufficient deterrence to groups who already render up members willing to
perform assassination for their cause. To deter them, we must do more than
imprison the thief; we must diminish the value of the prize by encumbering
the information itself.

It comes down to a First Amendment issue and the legal approach. To protect
against the scenarios I cite, the law must encumber the information itself
and restrict all holders in due course regardless of how they came by the
information. In other words, we need a prior restraint on speech. The Model
Act applies only to those who obtain the information legally.

I believe that there is a legal precedent that has passed First Amendment
muster. If I understand correctly, exactly the legal approach I advocate
for protected health information already exists for classified national
security information. It may not be perfect, as demonstrated by The
Pentagon Papers Case, but it provides some measure of protection.

Can anyone tell me if this issue was considered when making the model act
and if so why it is not reflected in article IV?
--
Dick Mills www.albany.net/~dmills dmills@albany.net