by Jeremy Griffith
Apart from our Freedom of Speech or Expression, or the Right to Worship as we please, the Right to Privacy is probably the most sacred of our individual liberties. So what happens if that right is violated by a trusted health care worker, student affairs administrator, or a journalist?
Well, the reader should know that we did extensive research on this topic and found that a private citizen has certain rights guaranteed to secure the privacy of their financial records at institutions of higher learning and of their personal medical records at their doctor’s office. Unfortunately, that doesn’t mean breaches don’t occur; they certainly do. But persons inside or outside an institution can face criminal and civil penalties for breaching the public trust where private records are concerned.
We spoke to an old friend who is both a licensed clinical social worker and an employee in the financial aid office at a major Minnesota university. He wouldn’t go on record for this article, but he was willing to give background information. He confirmed in our background interview that universities and colleges are covered under HIPAA and FERPA privacy rules and that individuals working for the institution who violate the trust of students and parents are subject to termination from their jobs AS A MINIMUM. Severe breaches of trust, where an individual divulges information to an outside source, can expose the institution or the individual involved to criminal prosecution and lawsuits.
Our friend also confirmed for us that licensed social workers who violate the trust of their clients and divulge information to outside sources can be sanctioned by the authorities who license them, and that their licenses can be limited or revoked depending on the nature of the offense.
Let’s take a step backwards for a moment and define terms. HIPAA is an acronym that stands for the Health Insurance Portability and Accountability Act of 1996; the Privacy Rule issued under it by the Department of Health and Human Services covers privacy issues where they touch on medical records. It should be noted that the Privacy Rule was not legislated by Congress but was a regulation issued by HHS. Nevertheless, it provides the teeth under which all privacy violations involving medical records are controlled. Definitions and detailed information on HIPAA are available at the HHS website here.
FERPA stands for the Family Educational Rights and Privacy Act and is the HIPAA equivalent for institutions of higher learning where it touches on the individual financial or educational records of a student. A definitive summary of the act is available at the Department of Education’s website here.
Bottom line for both of these rules is this: the private individual who is the subject of the record can choose whether or not to divulge the record, and any outside party who wants to gain access to a record must have the express permission of the individual who is the subject of the record.
So if you are a record keeper of private records at a college or university, or a unit secretary, and you are approached by an outside party with a question about an individual record, you are required to decline the request unless you have the express written consent of the individual who is the subject of the record.
Colleges and universities are covered under both rules because they can find themselves in possession of both medical records and academic or financial records within their financial aid offices. For example, a student who takes a leave of absence from the university must provide the university a doctor’s letter, for its records, showing why he is taking leave, and that letter, with the doctor’s diagnosis, is protected information that the institution cannot divulge without consent.
The right to privacy under both of these rules is not absolute, however. There are certain cases where the possessor of the record may, or must, divulge the record to another party. For example, according to the HHS website, the rule provides the following exemptions: disclosure to the individual who is the subject of the record; for treatment, payment and health care operations; where the individual has an opportunity to agree or object; and limited data sets, in which the individual is not expressly identified, for the purpose of research.
Clear as mud, right? Bottom line is that the institution can use the data and share it with those who need to know, like consulting doctors and nurses, but has the obligation to protect the data from outside entities that don’t have a right or need to know.
Similarly, educational records are protected. An outside institution can ask whether you have a degree or whether you are participating in a program, which the institution can acknowledge without consent; however, it may not give out what classes you took or your grade point average to that outside party without your express written permission.
There are limits to the kinds of information social workers can divulge as well, and they have some leeway as to what can be divulged. For example, a licensed social worker is a mandatory reporter when the client expresses a threat to any person or to himself. That means that if a client is suicidal or is threatening harm to others, the social worker is required by law to report that information to law enforcement AND to the persons who are the subject of the threat. Likewise, social workers and other health care workers are mandatory reporters when it comes to neglect or abuse of vulnerable persons, especially children. That’s good to know, right?
How important is all of this? We consulted attorney James D. Skyles of Skyles Law Group, LLC., founder of the website AskACyberLawyer.com. This is what he told us about what consumers should know about privacy issues and the Internet.
“In short, privacy laws, particularly the 1974 Privacy Act, provide protections for consumers by prohibiting companies from selling information to consumers, unless the individual consents, or under a few other circumstances as required by law, such as government reporting. If they do disclose the information, there could be fines by the government.”
Another grave concern for consumers is hacking, where an outside source illegally accesses private information electronically from outside an institution. This is what Skyles said about that issue.
“Now when it comes to online data privacy that a company does not actively disclose, if a database is hacked, the liability of the business varies greatly. Currently the law governing this area is a patchwork of various federal and state laws, which are in no way uniform. In general and in most jurisdictions, businesses have an affirmative responsibility to prevent the information hacking, and can face liability from both the government and from individuals if someone stole private information and used it to the detriment of the victims whose information was stolen.”
Skyles continues his analysis with this warning to consumers:
“In my opinion, this is not the worst problem. The biggest problem with data privacy is the extent to which individuals consent to allowing companies to use and sell their information. When you click “I Agree” on a pop up end user licensing agreement (EULA), you are often consenting to the company to do any number of things with your information.”
Bottom line is this: be careful with your personal information and who you give it to. Be wary of online access points like online bill pay. It can be convenient to do business that way, but be careful that you don’t overdo it and that you don’t give out personal information online to a source that doesn’t have reputable online security controls. It never hurts to ask your college or medical center whether or not they have online controls that protect your virtual identity.
It should be noted that health care staff have recently been fired from their institutions for egregious privacy law violations. That doesn’t prevent your private data from getting out there, but it does show that if there is a breach, institutions are doing what they can. Some organizations even punish employees who snoop through records even if there isn’t a public disclosure of those records.
Mayo Clinic, for example, has over 100 policies covering privacy issues, according to its website. Employees of all Mayo sites are trained regularly on their responsibilities to protect patient confidentiality. The Post Bulletin of Rochester reports that health care staff have been removed from their jobs for snooping through records where the provider or clinical worker did not have a need to access a personal record.
It should be noted that some institutions produce so-called honey-traps to catch abusers. This is a controversial practice for IT workers and can only take place with the express authorization of the institutional leadership. Honey-traps are instances where IT workers produce a fake record for a famous or well-known person and monitor it to see if unauthorized persons try to access the record. In this way they can catch abusers in the act and take remedial action against the employee. This may or may not be ruled entrapment in a legal setting, but it could result in the termination of the employee.
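As an added illustration of the monitoring described above, and not the tooling of Mayo Clinic or any other institution, the following Python example scans a few constructed audit-log lines for two signals: any access to a planted decoy record, and any access to a real record by staff with no documented care relationship to the patient (the "need to know" that the treatment exemption covers). The log format, record numbers, user names and care-team roster are all assumptions made up for the example; emergency ("break-glass") access is treated as permitted but queued for review rather than reported as snooping.

```python
from dataclasses import dataclass

# Constructed decoy ("honey-trap") record IDs. A decoy contains no real
# person's data; it exists only to be watched. As the article notes,
# planting one needs express authorization from institutional leadership.
DECOY_RECORD_IDS = {"MRN-900001"}

# Constructed care-team roster: record -> staff with a treatment
# relationship, i.e. the people who legitimately need to open the record.
CARE_TEAM = {
    "MRN-100001": {"dr.smith", "rn.jones"},
    "MRN-100002": {"dr.patel"},
}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    record: str
    reason: str


def parse_event(line):
    """Parse one constructed audit line of the form
    '<ISO timestamp> user=<id> record=<MRN> action=<view|edit|emergency>'."""
    timestamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["timestamp"] = timestamp
    return event


def detect_snooping(lines):
    """Return an Alert for every decoy hit and every access outside the
    care team. Emergency access to a real record is allowed but still
    flagged so a privacy officer can review it after the fact."""
    alerts = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        event = parse_event(line)
        user = event["user"]
        record = event["record"]
        action = event.get("action", "view")
        if record in DECOY_RECORD_IDS:
            # Nobody has a legitimate reason to open a decoy, emergency or not.
            alerts.append(Alert(event["timestamp"], user, record,
                                "decoy record accessed"))
        elif user not in CARE_TEAM.get(record, set()):
            if action == "emergency":
                reason = "emergency access, review required"
            else:
                reason = "no care relationship"
            alerts.append(Alert(event["timestamp"], user, record, reason))
    return alerts


# Constructed sample log: two routine accesses, one snoop, one decoy hit,
# one break-glass access by a clinician outside the care team.
SAMPLE_LOG = """\
2024-03-01T08:05:00Z user=dr.smith record=MRN-100001 action=view
2024-03-01T08:07:30Z user=rn.jones record=MRN-100002 action=view
2024-03-01T08:09:10Z user=clerk.lee record=MRN-900001 action=view
2024-03-01T08:12:45Z user=dr.patel record=MRN-100002 action=edit
2024-03-01T08:20:00Z user=dr.ortiz record=MRN-100001 action=emergency
""".splitlines()

if __name__ == "__main__":
    for alert in detect_snooping(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.user} -> {alert.record}: {alert.reason}")
```

The two checks are deliberately separate: a decoy hit is unambiguous and can go straight to HR or the privacy officer, while a care-team mismatch on a real record is only a lead that still needs a human to confirm there was no covering order, consult or emergency before any sanction is applied.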
While health care workers and record keepers can get into trouble for obtaining records illegally, so too can journalists. In Great Britain, for example, journalists are facing criminal charges for hacking into private cell phone conversations. The result of this trial will be interesting, as it affects News Of The World, a subsidiary of NewsCorp, which owns Fox News here in the United States. The results of that case can have broad implications for journalists who access records or tap phones illegally.
Ultimately you are responsible for your reputation and personal data. Take care of it and it should be secure, and take comfort that most of the time your data is being secured by the institutions you trust.