Scenario 9
Core Facts:
[Diagram of core facts]
- Index case: A hospital discovers that a patient has a rare form of Tuberculosis (TB) that is resistant to known treatment.
- Since 20-30% of people with whom a patient has had close contact will get LTBI (the latent form of TB), there is a high likelihood that the patient has infected a significant number of other people.
- The patient is in a coma and cannot be interviewed by the CDC.
- A Google search reveals that he is a university researcher.
- His university webpage says he sings in a large choir and helps out with his daughter's Daisy Girl Scout troop.
- Since singing provides a higher than average rate of transmission and children under 5 fall in the high risk category, the CDC is anxious to investigate quickly.
- The CDC decides to follow a traditional forensic investigation and to find all of the patient's repeated or high risk contacts during the previous three months.
- Since they cannot interview the patient, their normal means of determining contacts, the CDC decides to determine the contacts through data mining because it should be faster and more thorough.
- To develop a list of possible contacts, the CDC identifies the people
  - who live in the patient's condo (Thomas reverse-directory search);
  - who work in his department (mit.edu search);
  - who are members of the choir (FOAF); and
  - who are related to the Daisy Girl Scout troop (PAW site).
- To narrow the list, the CDC attempts to find the patient's most frequent contacts by pulling and cross-matching:
  - credit card transaction records
  - telephone records
Details of the scenario (and links to related rules, transaction logs, and data files).
Scenario Options:
Goal: We are trying to build scenarios that have complex points of failure. We are looking for a scenario in which
a) it is not possible to avoid the failure by telling a single person or group, "Don't do x again"; and
b) the rule violation cannot be caught simply by stopping a single transfer or group of transfers.
The rules we're looking to enforce are of the form: even though actor A is entitled to have access to data D, it is not permissible to use D for purpose P.
Our optimal scenario will require computation and analysis to determine that an appropriate rule has not been followed, resulting in an adverse consequence to someone. We have identified three classes of scenarios that might be appropriate and described them below. It is worth noting that, based upon last year's work, we believe we know how to build the computations for the first two classes, but that the third class would require new discoveries.
Adverse Consequences: In almost all of the proposed scenarios, if a non-permitted distribution of information occurred, the adverse consequence could be the loss of apartment, employment, health insurance, or other economic benefit based upon the perception of heightened risk to self or direct threat to the health of others. In some scenarios, if the failure to distribute information occurred, there may be the adverse consequence of failure to timely diagnose, leading to permanent disability or death.
A. Conflicting Rules
We can create a variety of scenarios in which the hospital or other health care providers are requested to provide information to the CDC and make the wrong decision by following the wrong privacy law. The regulations created to implement the Health Insurance Portability and Accountability Act (HIPAA) provide the reasoning to apply when a state law conflicts with the HIPAA Privacy Rule. For example:
- Preemption: A state health privacy law will be preempted if it is "less stringent" than the HIPAA Privacy Rule.
  - We should be able to use Data Purpose Algebra (DPA) to establish the set of permitted distributions under state law and the HIPAA rule and then have the system calculate whether the state set is "greater than" the HIPAA set.
  - Research required: If "stringent" is defined by the number of types of distribution sets, this will be easier than if it is defined by the number of distribution points.
- Automatic Preemption Exception: There are automatic exceptions to the rule above for particular categories of data (e.g., birth and death) and for particular authorized purposes (e.g., to report child abuse).
  - In these cases it does not matter whether the state rule is less stringent, so the calculation will need to have a logical disjunction ("or").
  - The DPA for this rule will determine whether a data category or authorized purpose is "equal to" one of the exception values.
- Triggered Preemption Exception: State authorities may request exemptions for laws that are necessary to 1) prevent fraud/abuse in health care payments; 2) ensure regulation of insurance/health plans; 3) report on healthcare delivery/costs; 4) serve a compelling public health/safety/welfare need, as warranted when balanced against the privacy need; or 5) regulate controlled substances.
  - Again, it will not matter whether the stringency test is met, and another logical disjunction will be required.
  - The calculation will need to find a logical conjunction of an exemption requested by the state, an exemption granted by Health and Human Services (HHS), and an authorized purpose equal to one of these exception values.
  - Research required: If "necessary to" is interpreted more broadly than "authorized purpose", this will be much more difficult.
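The preemption calculation sketched in section A, written out as an added example; this is not the project's DPA or any code from the original page. It assumes a distribution is a (data category, recipient, purpose) triple, that a law is the set of distributions it permits, that "less stringent" means the state law permits a distribution the HIPAA Privacy Rule does not, and that the exception values and sample laws are constructed for the TB scenario.

```python
# Toy evaluator for the HIPAA preemption logic described in section A (added
# example, not the project's DPA). Assumption: a "distribution" is a
# (data_category, recipient, purpose) triple, a law is the set of distributions
# it permits, and a state law is "less stringent" when it permits one HIPAA does not.
from typing import FrozenSet, NamedTuple, Tuple

Distribution = Tuple[str, str, str]  # (data_category, recipient, purpose)
# Constructed exception values, modelled on the categories the page names.
AUTO_EXCEPT_CATEGORIES = frozenset({"birth_record", "death_record"})
AUTO_EXCEPT_PURPOSES = frozenset({"report_child_abuse"})
TRIGGERED_PURPOSES = frozenset({
    "prevent_payment_fraud", "regulate_insurance", "report_delivery_costs",
    "compelling_public_health", "regulate_controlled_substances"})

class StateLaw(NamedTuple):
    permitted: FrozenSet[Distribution]
    exemptions_requested: FrozenSet[str] = frozenset()  # purposes the state asked for
    exemptions_granted: FrozenSet[str] = frozenset()    # purposes HHS granted

def less_stringent(state: FrozenSet[Distribution], hipaa: FrozenSet[Distribution]) -> bool:
    return bool(state - hipaa)  # the state set is "greater than" the HIPAA set

def automatic_exception(d: Distribution) -> bool:
    category, _recipient, purpose = d
    return category in AUTO_EXCEPT_CATEGORIES or purpose in AUTO_EXCEPT_PURPOSES

def triggered_exception(d: Distribution, law: StateLaw) -> bool:
    purpose = d[2]  # conjunction: requested AND granted AND an exception purpose
    return (purpose in law.exemptions_requested
            and purpose in law.exemptions_granted
            and purpose in TRIGGERED_PURPOSES)

def controlling_rule(d: Distribution, law: StateLaw, hipaa: FrozenSet[Distribution]) -> str:
    # Disjunction: the state rule survives if it is not less stringent OR an
    # automatic exception OR a triggered exception applies to this distribution.
    state_controls = (not less_stringent(law.permitted, hipaa)
                      or automatic_exception(d) or triggered_exception(d, law))
    return "state" if state_controls else "hipaa"

def is_permitted(d: Distribution, law: StateLaw, hipaa: FrozenSet[Distribution]) -> bool:
    return d in (law.permitted if controlling_rule(d, law, hipaa) == "state" else hipaa)

# Constructed sample laws for the TB scenario.
HIPAA_PERMITTED = frozenset({("tb_diagnosis", "cdc", "disease_investigation"),
                             ("tb_diagnosis", "treating_physician", "treatment")})
STATE_LAW = StateLaw(
    permitted=HIPAA_PERMITTED | {("tb_diagnosis", "employer", "workplace_safety"),
                                 ("death_record", "state_registry", "vital_statistics"),
                                 ("tb_diagnosis", "insurer", "prevent_payment_fraud")},
    exemptions_requested=frozenset({"prevent_payment_fraud"}), exemptions_granted=frozenset({"prevent_payment_fraud"}))
```

With the sample laws, the state law is less stringent, so a disclosure to an employer falls back to HIPAA and is refused, while the death-record and fraud-prevention disclosures survive through the automatic and triggered exceptions respectively.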
B. Data Category Transformation
We can create scenarios in which data begins as one data category but becomes a different data category based upon circumstances. This creates challenges when different rules apply to the different categories.
- Category Transformation caused by data aggregation: Data may be collected in an anonymized form, but when aggregated with other data it can be de-anonymized. Neither the Privacy Act nor the HIPAA Privacy Rule applies to the former category, but both apply to the latter, because they only apply to data records in which it is possible to identify a specific individual (whether by name or other identifier).
  - At each aggregation, the system would need to determine if an individual identifier had become part of or associated with the record.
- Category Transformation caused by an external event: The Privacy Act applies to Systems of Records (SORs) that contain data about "US persons," defined as citizens or legal permanent residents. A SOR which collected information only about non-immigrant foreign nationals becomes covered by the Privacy Act when the first person in the SOR becomes a legal permanent resident or naturalized citizen.
  - Before each data transfer, the system would need the capability to cross-match all persons in the SOR against a Department of Homeland Security system identifying legal permanent residents and naturalized citizens.
- Category Transformation caused by authorized purpose: Telephone companies may only release an individual's telephone records in accordance with the Electronic Communications Privacy Act (ECPA). But what happens when those records are passed to HHS for a disease investigation? We believe they are likely treated as health information records and handled in accordance with the HIPAA Privacy Rule. (Research required)
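The three category transformations of section B as checks a rule engine could run before each aggregation or transfer; this is an added example, not the project's code. It assumes a record is a dict of field names to values, a fixed list of identifier fields, rule names as plain strings, and the page's own (still unverified) hypothesis for the authorized-purpose case; the sample records are constructed.

```python
# Toy checks for the three category transformations in section B (added
# example, not the project's code). Assumptions: a record is a dict of field
# names to values, the identifier fields are a fixed list, and rules are
# plain strings attached to a record by looking at its current category.
from typing import Dict, Iterable, Set

IDENTIFIER_FIELDS = frozenset({"name", "ssn", "phone", "email"})

def category(record: Dict[str, str]) -> str:
    # A record becomes "identifiable" as soon as any identifier is part of it.
    return "anonymized" if IDENTIFIER_FIELDS.isdisjoint(record) else "identifiable"

def rules_for(record: Dict[str, str]) -> Set[str]:
    # The Privacy Act and the HIPAA Privacy Rule attach only to identifiable records.
    return {"Privacy Act", "HIPAA Privacy Rule"} if category(record) == "identifiable" else set()

def aggregate(a: Dict[str, str], b: Dict[str, str]) -> Dict[str, str]:
    # Aggregation case: join two records; the caller must re-run rules_for() on
    # the result, because the join may have carried an identifier in.
    merged = dict(a)
    merged.update(b)
    return merged

def sor_covered_by_privacy_act(sor_persons: Iterable[str], dhs_lpr_index: Set[str]) -> bool:
    # External-event case: cross-match every person in the SOR against the DHS
    # index of legal permanent residents and naturalized citizens before transfer.
    return any(person in dhs_lpr_index for person in sor_persons)

def rule_after_transfer(source_rule: str, recipient: str, purpose: str) -> str:
    # Authorized-purpose case, as the page hypothesises it (marked "research
    # required"): telephone records handed to HHS for a disease investigation
    # are handled as health records under HIPAA rather than under ECPA.
    if source_rule == "ECPA" and recipient == "HHS" and purpose == "disease_investigation":
        return "HIPAA Privacy Rule"
    return source_rule

# Constructed sample records: an anonymized case record and a credit card
# transaction record that share a join key.
ANON_CASE = {"case_id": "c-17", "diagnosis": "drug-resistant TB", "zip3": "021"}
CARD_TXN = {"case_id": "c-17", "name": "J. Doe", "merchant": "coffee shop"}
```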
C. Leakage
We can envision scenarios in which information was not transferred but can be inferred from circumstances. When the inference occurs, how will it be recognized and the appropriate controlling rules attached?
- It is likely that when the CDC exercises its authority to get records for a disease investigation, humans will infer that the person whose records are being sought is infected with a serious disease. We propose a scenario in which telephone company employees refuse to make a service call because the person's records reflect that the CDC has made an inquiry.
  The applicable rule here is that regulated utilities are not permitted to condition service on the health status of the customer.
- The CDC will enlist the local public health authorities (LPHA) to help with this investigation. Imagine that the LPHA also operates a hot lunch service for senior citizens and that one of the choir members is over 65 years old (as reported in her FOAF file). Based on this information, the LPHA refuses to serve this woman when she makes her daily visit to the community center that serves meals because she might pose a health risk to other diners.
  The applicable rule is that city services may not be conditioned on health status unless the condition has been verified by a physician's examination.
----------------------------
maintained by K. Krasnow Waterman and Lalana Kagal.
$Revision: 3260 $ of $Date: 2007-06-27$