2008 HIPAA Summit and Privacy Symposium: Day Two

[Image: Memorial Hall, Harvard University, Cambridge (via Wikipedia)]

(I’m attending this conference for a few days at Harvard University and will do some live blogging here as the mood or content strikes me. One of my reasons for being here is to make sure I’m up-to-date on HIPAA privacy and security requirements and to get a reality check on the emerging issues.)

7:30 am The plenary session today will start in Harvard’s Memorial Hall in about half an hour. Miles Davis’s “Kind of Blue” album is playing in the background. Not bad.

8:00 am Ten Developments Transforming the Privacy Environment (Alan Westin)

  1. The all-pervasive Internet 2.0
  2. “Identity crisis” and data breaches
  3. Social networking and video posting
  4. The Blogosphere
  5. Behavioral target marketing
  6. The mobile revolution
  7. Anti-Terrorist surveillance
  8. Monitoring and photographing public spaces
  9. Electronic patient health records
  10. In the US, a growing culture rejecting privacy constraints

8:10 am (Westin) We need a new national privacy framework? Can we create one? What is the balance that society seeks? Europe is in the same situation. Things have changed, the ground has shifted. Most of the breaches have been in the health area. Existing law and voluntary policies do not cover these developments.

8:20 am (Westin) Future effects of these developments could include:

  1. A national online privacy law and regulatory administration
  2. Privacy code for mobile communications
  3. Privacy code for electronic medical records
  4. Privacy Act covering government electronic services and dissemination of public records
  5. Federal identity management standards for the private and public sectors
  6. Revision of federal anti-terrorist surveillance systems

8:30 am (Westin) We have a basically insecure data environment marked by continuing data leaks and large-scale identity theft. A major troubling reality. We are entering a period of reflection on these issues.

8:45 am (Arthur Miller) A lot of lawyers and conservative judges are looking for things to do. Once they find out how to make money out of privacy issues they will be on your back. Now talking to audience members in a ‘Socratic Dialogue’, finding out who we are, etc. Humorous touch.

8:55 am  (Miller) Litigation and regulation will be threats to organizations that are not on their game when it comes to privacy.

9:00 am (Congressman Cliff Stearns R-FL) Talks about the striking global differences between China and the US, with the US being individualistic (rights and privacy first) and China being more collectively oriented (people in lock step with each other).

ID theft is a major problem and legislation he introduced would have addressed this problem but it never reached the floor of the House. We are going at “glacial speed” with regard to privacy, in a sector by sector approach. Consumers are more vulnerable, and business is uncertain. We need a federal approach, and a comprehensive privacy framework. We must empower consumers and business with privacy tools. Privacy in the online world can be characterized as death by a thousand cuts.

9:15 am (Stearns) Discussing Google and other companies who track consumer information. What kinds of information are being tracked? What are they doing with it? Do consumers know what they are doing? Have they been notified? Need best practices to protect consumers. There are concerns about these big companies. We must be careful, of course, in how we go about creating these standards and regulations so as not to destroy the benefits of these technologies. We asked these companies about their privacy policies and their responses are available online. We also need better cyber-security and preparedness against the kind of cyber-warfare we are witnessing now between Georgia and Russia.

9:30 am (Brian Tretick) Data is being held in a variety of objects and places controlled by a number of different people and organizations – a data diaspora. Need to discuss rights and obligations. Very difficult to answer privacy questions even for small organizations. Transformational technologies affecting privacy include:

  1. Permeation of devices (smart phones, memory sticks etc – who owns the data? – blurring of work and home – who controls? Your employer?) There is the concept of “digital manners” as an example of non-user control of these devices. What are my obligations over these devices?
  2. Devices will all have an internet address – Connected, location, time and condition aware. Who manages this? Expect more capabilities and proliferation of these devices. There will be new repositories of new information that you never had before.
  3. Everyone will have their web “thing”. Social network sites, blogs, EMRs, web 2.0 stuff. Social networks moving into business, municipal wi-fi. People are making more predictive analysis and decisions based on the data on the web. Transformation of these web-based objects moving into this data diaspora. What, again, are my (or my organization’s) obligations over these things?
  4. Utility computing – cloud computing – on-demand computing resources – it is the commodification of computing services. Who controls the info? Your organization is relying more on others. It stretches the legal aspects of these relationships. So how do I obligate my service providers? How do we address this continuity of obligations? Control and custody issues abound. What will the cloud accept? We don’t have enough vocabulary to deal with this.
  5. Outsourcing and offshoring business functions. Who is monitoring this? Third parties often overlook these transactions. Business boundaries are blurred through the use of third, fourth, fifth parties. Who has control?

10:30 am (Deborah Peel) “HIPAA is an anti-privacy law.” Four million covered entities can share your information with each other AND their business associates without your permission. Privacy is not working. The route to progress is consumer consent. Americans want control. Her position is not radical, she says. What is radical is that the control over our medical information has been taken away from us. (She causes a little stir at the conference.)

11:15 am (Panel – Privacy prospects in the new online personal health record (PHR) world) Strong belief by the public in the value of electronic health records. Key issue in PHR adoption is consumer confidence. Policies and practices should be transparent to consumers. Consumers should be in control of their PHR information. We need companies to share their PHR privacy policies, and to have the technological infrastructure to support these policies. Companies need to foster consumer trust in these new online tools. Many of these companies do not come under HIPAA. But there are other laws that go to the protection of this information. Need things like periodic privacy reports on your PHR. New federal legislation should not unduly restrict the adoption of PHRs. Mandated government solutions tend to inhibit technological innovation and make those solutions unwieldy. 50 different sets of privacy laws do not seem workable. 43 states now have breach-of-privacy laws. Some sensible federal preemption of state laws, and balance, is necessary.

(The morning sessions were terrific focusing on the ‘edge issues’ I wanted to get to regarding the emerging “new environment” for the privacy and security of electronic health information.)

1:45 pm (Lawrence Ponemon) Talking about the ‘Privacy Breach Index’ (PBI), a benchmarking tool measuring an organization’s response to an actual privacy breach. Compare and contrast your results with those of other organizations. In a separate survey they found that most respondents give their organizations good marks for privacy, but outsourcing negligence is rising. Organizations are not as proactive as they should be. Ponemon will be putting out a white paper on the findings from the PBI tool: organizations that had a data breach in the last 24 months and what they did. A ‘Privacy Trust Index’ is developed from the benchmarking tool. The PBI tool can be useful. It can be filled out online and they will score it.

2:15 pm (Daniel Solove) Talking about a new framework for understanding privacy. He has a new book in which he argues that the term privacy has lost its meaning. Why, in fact or theory, is a privacy problem harmful? This aspect of privacy is not always readily articulated. This makes privacy difficult to balance against other interests. How to conceptualize privacy? All attempts try to locate a common denominator, an “essence” of privacy. But these conceptions end up being either too vague and broad, or the opposite, too narrow. He thinks there are a lot of problems here. So we need a different way to think about privacy. He now begins quoting and using the philosophy of Ludwig Wittgenstein. Privacy problems, he says, resemble each other, but do not have ONE thing in common. Instead they share clusters of things, more like a ‘family resemblance.’ Also privacy notions have changed over time, such as notions of bodily privacy or that of the ‘home’.

Solove concludes that ‘nothing is ESSENTIALLY private’. (Ahh, we see the postmodern viewpoint emerging here – my comment)

We then can turn to, say, social expectations or the specific information that is considered private, both of which are inherently bogged down with conceptual, legal and theoretical problems. So why not ask people? Well people will say that privacy is important, but will trade it away for minor conveniences. So let’s study their behavior, but that will only show that they give up their privacy. But what were their choices? It will give us a very skewed view.

Communications, for example, became private because we desired it. Solove asks, what do we desire in privacy? What do we want the laws to do? We can agree that we don’t want a dystopia. So why don’t we focus on actual problems or harms? He outlines his model, examining and defining a number of “harms” to the “data subject” that can happen when their privacy is violated. Solove sums up by saying we need to look at privacy in a more complete way if we are to create the balance with other societal interests that we are searching for.

3:30 pm (Panel on Privacy and Behavioral Marketing – Fran Maier) Consumers do not understand what is going on in this area. There is a lot of personalization that is valued. But how much is too much? Most consumers (survey cited) find it annoying and intrusive when it is not relevant to them. But consumers could accept a certain amount of advertising under certain conditions. Industry groups, consumers and legislators are starting to get together. We are working on coming up with rules on the tracking of our internet information and behavioral targeting, such as ensuring the ability to ‘opt out’, for example.

2 Responses to “2008 HIPAA Summit and Privacy Symposium: Day Two”

  1. 2008 HIPAA Summit and Privacy Symposium: Day Three « ajfortin.com Says:

    [...] session fulfilled most of my expectations of what a great conference can bring to exploring ideas and [...]

  2. Digital Bill of Rights - Continuing the Conversation « ajfortin.com Says:

    [...] gets us moving on a digital rights conversation with his annotated list below. See my notes (here, and here) on the recent Privacy Symposium as a contrasting backdrop. The Right to Use and Reuse [...]