Security and privacy after September 11: the health care example

IF 3 3区 社会学 Q1 LAW Minnesota Law Review Pub Date : 2002-04-16 DOI:10.1145/543482.543493
Peter P. Swire, Lauren Steinfeld
{"title":"Security and privacy after September 11: the health care example","authors":"Peter P. Swire, Lauren Steinfeld","doi":"10.1145/543482.543493","DOIUrl":null,"url":null,"abstract":"This article examines the interaction between data privacy, which was a highly salient political issue before the events of September 11, and cyber-security and homeland security, which became much more salient after those events. The article illustrates the shift in salience by examining the USA-PATRIOT Act, which was passed quickly in the fall of 2001 despite containing a number of surveillance provisions that had been explicitly rejected by Congress in 2000. To understand the interaction between privacy and security, the article examines the medical privacy rule issued in 2000 under the Health Insurance Portability and Accountability Act (HIPAA). (In the interests of full disclosure, the authors were the lead White House officials in coordinating the privacy rule.) The analysis here shows that the HIPAA rule stands up well to the concerns of the post-September 11 era. Concerns about public safety are met by existing provisions that permit disclosures to protect national security, to react to emergency circumstances, and to respond to law enforcement inquiries. The article explores in particular detail the proposed Model State Emergency Health Powers Act, drafted in the wake of the 2001 anthrax attacks. Professors Lawrence Gostin and James Hodge have argued that this Act is justified by a new \"model of information sharing\" for medical information. Our article concludes that public health concerns are appropriately addressed by the current HIPAA rule, and that a \"model of information sharing\" sends precisely the wrong signal about how the health system will handle issues of data privacy and security. More generally, the article analyzes situations of \"security vs. privacy\", where the two values are antagonistic, and situations of \"security and privacy\", where the two values work together. Security in some instances means greater surveillance, information gathering, and information sharing. For instance, law enforcement can monitor the online movements of hackers or hospitals can more quickly report cases of anthrax infection. These situations of \"security vs. privacy\" are defined as instances where security is promoted by getting information to the proper decisionmakers. As these information flows increase, privacy decreases. By contrast, security measures often promote privacy. Good security is one of the standard privacy fair information practices, because otherwise any hacker can get into a sensitive database. Good security, moreover, creates audit trails about which authorized users have accessed particular systems or data. Such auditing mechanisms promote the fair information practice of accountability, by deterring wrongdoing and making enforcement more effective. Finally, the authors explain how the most cost-effective and thorough implementation of privacy occurs at the time of a computer system overhaul. This approach is fundamental to HIPAA, which provided that privacy and security protections should be built at the same time as the shift to electronic health records. The new emphasis on security after September 11, in short, is a major strategic opportunity to improve data handling practices in general, for both security and privacy.","PeriodicalId":47393,"journal":{"name":"Minnesota Law Review","volume":"86 6 1","pages":"1515-40"},"PeriodicalIF":3.0000,"publicationDate":"2002-04-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://sci-hub-pdf.com/10.1145/543482.543493","citationCount":"29","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Minnesota Law Review","FirstCategoryId":"90","ListUrlMain":"https://doi.org/10.1145/543482.543493","RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"LAW","Score":null,"Total":0}
引用次数: 29

Abstract

This article examines the interaction between data privacy, which was a highly salient political issue before the events of September 11, and cyber-security and homeland security, which became much more salient after those events. The article illustrates the shift in salience by examining the USA-PATRIOT Act, which was passed quickly in the fall of 2001 despite containing a number of surveillance provisions that had been explicitly rejected by Congress in 2000. To understand the interaction between privacy and security, the article examines the medical privacy rule issued in 2000 under the Health Insurance Portability and Accountability Act (HIPAA). (In the interests of full disclosure, the authors were the lead White House officials in coordinating the privacy rule.) The analysis here shows that the HIPAA rule stands up well to the concerns of the post-September 11 era. Concerns about public safety are met by existing provisions that permit disclosures to protect national security, to react to emergency circumstances, and to respond to law enforcement inquiries. The article explores in particular detail the proposed Model State Emergency Health Powers Act, drafted in the wake of the 2001 anthrax attacks. Professors Lawrence Gostin and James Hodge have argued that this Act is justified by a new "model of information sharing" for medical information. Our article concludes that public health concerns are appropriately addressed by the current HIPAA rule, and that a "model of information sharing" sends precisely the wrong signal about how the health system will handle issues of data privacy and security. More generally, the article analyzes situations of "security vs. privacy", where the two values are antagonistic, and situations of "security and privacy", where the two values work together. Security in some instances means greater surveillance, information gathering, and information sharing. For instance, law enforcement can monitor the online movements of hackers or hospitals can more quickly report cases of anthrax infection. These situations of "security vs. privacy" are defined as instances where security is promoted by getting information to the proper decisionmakers. As these information flows increase, privacy decreases. By contrast, security measures often promote privacy. Good security is one of the standard privacy fair information practices, because otherwise any hacker can get into a sensitive database. Good security, moreover, creates audit trails about which authorized users have accessed particular systems or data. Such auditing mechanisms promote the fair information practice of accountability, by deterring wrongdoing and making enforcement more effective. Finally, the authors explain how the most cost-effective and thorough implementation of privacy occurs at the time of a computer system overhaul. This approach is fundamental to HIPAA, which provided that privacy and security protections should be built at the same time as the shift to electronic health records. The new emphasis on security after September 11, in short, is a major strategic opportunity to improve data handling practices in general, for both security and privacy.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
911事件后的安全和隐私:以医疗保健为例
本文考察了数据隐私与网络安全和国土安全之间的相互作用。数据隐私在9 / 11事件之前是一个非常突出的政治问题,而网络安全和国土安全在这些事件之后变得更加突出。这篇文章通过对《美国爱国者法案》(USA-PATRIOT Act)的考察,说明了这种显著的转变。该法案在2001年秋天迅速获得通过,尽管其中包含了一些在2000年被国会明确否决的监控条款。为了理解隐私和安全之间的相互作用,本文考察了2000年根据《健康保险可携带性和责任法案》(HIPAA)颁布的医疗隐私规则。(为了充分披露,这些文件的作者是负责协调隐私规定的白宫官员。)这里的分析表明,HIPAA规则能够很好地应对后9 / 11时代的担忧。现有规定允许为保护国家安全、应对紧急情况和回应执法调查而披露信息,从而满足了对公共安全的关切。这篇文章特别详细地探讨了在2001年炭疽袭击之后起草的《示范国家紧急卫生权力法》。Lawrence Gostin教授和James Hodge教授认为,该法案被一种新的医疗信息“信息共享模式”所证明是合理的。我们的文章得出结论,现行的HIPAA规则适当地解决了公共卫生问题,而“信息共享模型”恰恰发出了关于卫生系统如何处理数据隐私和安全问题的错误信号。更概括地说,本文分析了“安全与隐私”这两种价值观对立的情况,以及“安全和隐私”这两种价值观协同工作的情况。在某些情况下,安全意味着更多的监视、信息收集和信息共享。例如,执法部门可以监控黑客的在线活动,医院可以更快地报告炭疽感染病例。这些“安全性与隐私”的情况被定义为通过向适当的决策者获取信息来提升安全性的实例。随着这些信息流的增加,隐私也在减少。相比之下,安全措施通常会促进隐私。良好的安全性是标准的隐私公平信息实践之一,否则任何黑客都可以进入敏感的数据库。此外,良好的安全性可以创建关于哪些授权用户访问了特定系统或数据的审计跟踪。这种审计机制通过阻止不法行为和使执法更有效,促进公平的信息问责做法。最后,作者解释了最具成本效益和最彻底的隐私实施是如何在计算机系统大修时发生的。这种方法是HIPAA的基础,它规定在转向电子健康记录的同时应该建立隐私和安全保护。简而言之,911事件后对安全的新强调,是一个重大的战略机遇,可以从总体上改善数据处理实践,无论是在安全和隐私方面。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
CiteScore
1.40
自引率
0.00%
发文量
1
期刊介绍: In January 1917, Professor Henry J. Fletcher launched the Minnesota Law Review with lofty aspirations: “A well-conducted law review . . . ought to do something to develop the spirit of statesmanship as distinguished from a dry professionalism. It ought at the same time contribute a little something to the systematic growth of the whole law.” For the next forty years, in conjunction with the Minnesota State Bar Association, the faculty of the University of Minnesota Law School directed the work of student editors of the Law Review. Despite their initial oversight and vision, however, the faculty gradually handed the editorial mantle over to law students.
期刊最新文献
The Sound and Fury of Patent Activity Congress's Agency Coordination Strengthening Cybersecurity with Cyber Insurance Markets and Better Risk Assessment A Close-Up, Modern Look at First Amendment Academic Freedom Rights of Public College Students and Faculty Civil Rules Interpretive Theory
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1