Healthcare Record Terms of Access

Privacy Protection by Contract

Electronic Medical Record

Some fear the law will not accord adequate privacy to healthcare records managed by non-healthcare companies like Google. I have argued that legal terms posted by a patient in (or in relation to) the patient's healthcare record can enhance legal privacy.

For the sake of public discussion, here is a humble example of what the terms might provide:

---
IMPORTANT

Healthcare Record Terms of Access

Declared and Agreed by Patient


1. I, the patient, have granted one or more third parties (the "Record Manager") power over this record. I have done so because I believe it is beneficial to me relative to my health.

2. These Terms of Access are communicated to anyone, including the Record Manager, accessing or possessing power to access my information in this record.

3. This record may contain my personal healthcare information.

4. These Terms of Access apply to you ("You") unless you are a "covered entity" under the Health Insurance Portability and Accountability Act (HIPAA). You could include the Record Manager.

5. You agree to these Terms of Access, and You agree to abide by them, by doing either of the following:

(a) accessing this record, or

(b) availing Yourself of the conveniences afforded by the Record Manager’s power over this record.

6. I am entitled to privacy for my information in or discerned from this record ("My Information").

7. You agree to keep My Information private and confidential, consistent with norms for covered entities under HIPAA.

8. You agree to give me at least 6 months' advance notice (delivered via first-class mail, postage prepaid) before You change Your privacy policy relative to My Information.

9. You agree to give me notice (delivered via priority US mail, postage prepaid) before You comply with a subpoena (or similar order) seeking access to My Information.

10. The fact that the Record Manager possesses power over this record does not undermine the legal privileges accorded communications between me and my healthcare providers.

11. You may deviate from these Terms of Access only if:

(a) I agree in a document – printed on paper – and signed by me in ink or by voice signature;

(b) The document clearly explains the deviation to me in plain English; and

(c) From all the circumstances, including the signed document, compelling evidence exists that I knowledgeably and voluntarily approved the deviation.


---

Again, I post this form language just for the purpose of public discussion. These terms are not necessarily complete. Before relying on terms like the above, you may want to seek legal advice. What I say here is not a substitute for legal advice. If you need advice, you should consult a lawyer.

As I learn more about this topic, and hear comments, I may revise what I've posted above. So check back.

--Benjamin Wright

Contracts for Patient Privacy

Healthcare e-Records Law


Privacy Policy Contract Terms


As Google jumps into the competition to provide electronic health records, the World Privacy Forum frets that the management of health records by non-healthcare companies will undermine the legal privacy accorded to the records. The WPF warns that because HIPAA protection may not apply to Google-managed records, patient privacy will suffer.

To help mitigate this problem, here is an idea. Patients could mark their records with legal terms of use. Or they could otherwise post terms of use so the vendor managing their records (and anyone seeking access to the records) could be on notice of the terms.

Terms of use for a patient's records might be analogous to the end user license agreement or EULA that comes with software or corporate web sites. Well-crafted terms of use could legally limit or regulate how the vendor (or anyone else) uses the records, discloses them to others or alters its privacy practices pertaining to the records.

For example, the terms of use on a patient's record might say:

* By accessing the record (or by availing oneself of the conveniences afforded by the vendor’s management of the record), the person accessing it agrees by contract to abide by the terms.

* Vendor agrees to give patient 6 months' advance notice (delivered via first-class mail) before the vendor changes its privacy policy.

* Vendor agrees to notify patient before vendor complies with a subpoena (or similar order) seeking patient’s records.

* Vendor agrees to refrain from disclosing patient's record to third parties for commercial or marketing purposes.

* The fact the record is in the hands of the vendor does not undermine the legal privileges accorded communications between patient and physician.

* And so on.

Case Law

Case law provides growing support for the legal enforcement of electronically-published contract terms, whether published on software, a website or a record. For example, Greer v. 1-800-FLOWERS.COM held that the terms of service a flower merchant posted on its web site were enforceable against a customer who placed an order by telephone.

The Greer case illuminates the power of contract law in this electronic age. This power is just as much available to individuals as it is to corporations.

Is this contract-law power perfect for protecting patient privacy? No. But it is substantial. And it can be supported in court by good public policy arguments. Further, many parties will honor terms of access for non-legal reasons, such as ethics, politics or public reputation.

The law of healthcare privacy is very complex. HIPAA does provide certain protection, but HIPAA is subject to many exceptions and nuances. The array of protections that apply to records managed by HIPAA-regulated healthcare providers is far from ideal.

Many patients may be attracted to records services from vendors like Google. As patients embrace these vendors, contract law affords patients power to take proactive steps to enhance their privacy.

Example

I have written an example of Healthcare Terms of Access that a patient could post on his health record.

See my further discussion of privacy contract terms with Google and my further discussion of privacy contracts formed with automated systems.

--Benjamin Wright, Senior Instructor on Computer Privacy Law at the SANS Institute.

[The foregoing is not legal advice for anyone, but it is something to think about.]

Encryption Privacy Legislation Goes Overboard

Data Security for Payment Card & Social Security Numbers?


Bills pending in the Michigan and Washington state legislatures would mandate that personal information stored in business computers be “encrypted.” Legislatures are unwise to engage in such micro-management.

Pending Michigan Senate Bill (SB) 1022 would forbid a business from storing personally identifiable information in a database unless the information is encrypted. Similarly, in Washington State, pending House Bill (HB) 2574 would mandate that a business employ encryption when storing personal information on an Internet-connected computer server.

Distinguish Goals from Technologies for Reaching Goals


When a legislature specifies a technology like "encryption," it goes beyond stating a goal and requiring that the goal be met. The legislature selects the precise technical means for reaching the goal. In other words, when a legislature dictates technical measures like "encryption," it assumes the role of a professional engineer. But state legislatures are not qualified to provide professional engineering services!

Encryption is a powerful data security tool. But it is not necessarily always the best way to achieve a data security goal. The successful implementation of encryption in a specific setting involves many issues and tradeoffs.

For example, a panel of security experts recently pointed out that the encryption of data in storage (as opposed to data in transit) raises vexing questions about the key infrastructure that underpins the encryption. When an enterprise encrypts a large share of its stored data, an attacker has an incentive to target the encryption scheme's key infrastructure rather than the data itself. If the attacker can defeat the key infrastructure, she can deny the enterprise access to its own data. That means the attacker can put the enterprise out of business, or blackmail it. Thus, the indiscriminate use of encryption may increase the overall social risk associated with stored private data.

The lesson is: Data security is a complex field of engineering. State legislatures should steer clear of it.

Utah Law Is Model for Bad Legislation


In 1995 the Utah legislature adopted pioneering legislation to stimulate growth of public key infrastructure (PKI). The legislature received lots of detailed advice from experts. The legislature crafted legislation that was very technically specific. At the time, and for several years thereafter, some experts hailed the Utah legislation as a model and as a great catalyst for e-commerce. However, it is safe to say today that the Utah Digital Signature Act was an absolute bust. It achieved none of its goals. It was far too technically specific to be of any value to industry.

The Michigan and Washington legislatures should remember the Utah experience as they draft legislation. A wise legislature might require, for example, that businesses use "reasonable security procedures" (a general goal) rather than that they use "encryption" (a specific technology).

Update: Here's a simple example of why legislatures have no business legislating words like "encryption." In Indiana newly-enacted House Bill (HB) 1197 (aka Public Law 136) tries to define "Breach of the security of a system". One of the ways HB 1197 achieves its definition is by telling us what a breach of security is not. It says security has not been breached if data have been encrypted and the "encryption key" has not been compromised. Hmmm. Doesn't that sorta make sense? . . . But wait. Does it always make sense? What about a public key cryptosystem? Public key cryptosystems can be used effectively to encrypt data and keep it private. Sometimes in a public key system, it is not the protection of the encryption key that protects data privacy. Sometimes it is protection of the decryption key that protects privacy! For purposes of certain legitimate applications of a public key cryptosystem, the drafter of HB 1197 seems to have missed the boat completely.
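To make the public-key point concrete, here is a small Python sketch (added for illustration; it is not part of the post above and not any statute's test). It uses constructed textbook RSA parameters to show that the encryption key in a public-key system is public by design, so its disclosure reveals nothing, while disclosure of the decryption key exposes every record encrypted to it. The helper names (`generate_keypair`, `data_exposed`, and so on) are this example's own.

```python
"""Toy RSA illustration of which key actually protects stored data.

In a public-key cryptosystem the ENCRYPTION key is published on purpose,
so "the encryption key was not compromised" says nothing about whether
encrypted data remain private. Confidentiality rests on the DECRYPTION
(private) key. Constructed example: textbook-sized primes, no padding;
real systems use 2048-bit or larger moduli and a padding scheme such as OAEP.
"""


def generate_keypair(p, q, e):
    """Return ((e, n), (d, n)): the public encryption key and the private decryption key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e mod phi (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key, m):
    """Encrypt integer m (0 <= m < n) with the public key."""
    e, n = public_key
    return pow(m, e, n)


def decrypt(private_key, c):
    """Recover the plaintext integer with the private key."""
    d, n = private_key
    return pow(c, d, n)


def apply_public_key_to_ciphertext(public_key, c):
    """What an intruder holding only the public key can do with the ciphertext:
    re-apply the public exponent. This does not yield the plaintext."""
    e, n = public_key
    return pow(c, e, n)


def data_exposed(ciphertext, compromised_keys):
    """Breach-assessment model: given the key material an intruder obtained,
    return the plaintext if the stored data are now readable, else None.

    compromised_keys is a dict that may contain 'encryption_key' and/or
    'decryption_key'. Only the decryption key unlocks the data.
    """
    if "decryption_key" in compromised_keys:
        return decrypt(compromised_keys["decryption_key"], ciphertext)
    # Only the public encryption key was taken: the intruder can encrypt new
    # messages to the owner but cannot read existing ciphertext.
    return None


def demo():
    """Encrypt one record and compare the two compromise scenarios."""
    pub, priv = generate_keypair(61, 53, 17)  # constructed textbook parameters
    record = 65  # a single stored value, encoded as an integer
    c = encrypt(pub, record)
    lost_encryption_key = data_exposed(c, {"encryption_key": pub})
    lost_decryption_key = data_exposed(c, {"decryption_key": priv})
    return c, lost_encryption_key, lost_decryption_key


if __name__ == "__main__":
    c, enc_case, dec_case = demo()
    print("ciphertext:", c)
    print("intruder holds only the encryption key -> data exposed:", enc_case)
    print("intruder holds the decryption key      -> data exposed:", dec_case)
```

Running the sketch shows the ciphertext 2790 staying unreadable when only the encryption key (17, 3233) leaks, and decrypting to 65 as soon as the decryption key leaks. A statutory safe harbor keyed to the "encryption key" therefore asks the wrong question for this class of system; the key whose compromise matters is the one that decrypts.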

--By

Attorney Wright teaches the law of data security and investigations at the SANS Institute.

Update: See my analysis of a breach notification where data on a stolen laptop are encrypted.

Related: Data breach investigation -- legal expectations.

[Footnote: In this post I mentioned the laws (or proposed laws) of some states. Please understand that when I blog about the law of a state like Indiana, I have not necessarily researched all the relevant regulations and rulings in that state. And whatever I say here could easily be out of date. So if you need a reliable legal opinion about the law of any state, you need to go some place else to get it. Also, the fact that this post does not mention any other state -- Florida, California, New Jersey, Illinois, Missouri, whatever -- means nothing. Other states may have encryption laws that I've not mentioned.]

WorkGroup Software: e-Discovery and Record Retention

Will Destruction of Collaboration Archives be Treated as Spoliation?



Subpoena for Records of Business Social Networking


Office collaboration software such as Zimbra, Zoho and Google Docs enables people to work jointly on the creation of documents, and talk (e.g., via comments and instant messages) as they work.

Similarly, social networking sites such as Ning allow teams to condense the time needed to complete a project. An engineer told me that a corporate customer recently insisted that his company collaborate by way of a private social networking site because it would be so much faster than e-mail.


E-Discovery
As professionals make greater use of collaborative tools or social sites to negotiate business and legal transactions, there will be lawsuits. Lawsuits are an inevitable byproduct of business interaction. A lawsuit is a kind of investigation. The investigation wants to learn who said what and when did they say it. To that end, a lawsuit always seeks to uncover all the records, including especially electronic records.

A new source of records will be all those related to the different stages of collaborative interaction as messages, documents and transactions were assembled. A coming topic of e-discovery in court will be access to the records (archives) stored in connection with Zimbra and similar products. Instinctively, lawyers will advise corporate clients to destroy the archives of a collaborative project when the project is complete.

Destroy the Records ASAP?
That type of advice has precedent. When lawyers first encountered e-mail, they advised their clients to destroy e-mail records as soon as possible. However, the instinctual advice makes me uncomfortable. The legal system has been punishing enterprises for destroying their e-mail too early. I foresee the legal system meting out the same punishment when enterprises are too quick to delete archives of the interaction during a collaborative project.

Subpoena?
A side issue with collaboration records is whether they will reside in-house with the record owner, or be hosted by a third party (the "cloud"), such as acrobat.com. If the final records of a business negotiation are in the hands of a third party, an adversary can try to subpoena them directly from the third party (or obtain them with a more aggressive search warrant if the adversary is law enforcement).

In a dispute, the owner of records prefers to manage and control directly the release of records to the adversary, rather than to see them released by a third party. Third-party service providers have been known to be too quick and generous in their release of electronic records. See Theofel v. Farey-Jones, 341 F.3d 978 (9th Cir. 2003), where an Internet Service Provider (ISP) complied with a subpoena (issued by the civil-lawsuit adversary of its business customer) by turning over an excessive number of its customer's e-mail records.

--Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

P.S. Will CPAs perform unethically if they put account records in the cloud?