- Diagram of
- Index case: A hospital discovers that patient has a rare form of
Tuberculosis (TB) that is resistant to known treatment.
- Since 20-30% of people with whom a patient has had close contact will
get LBTI (the latent form of TB), there is a high likelihood that the
patient has infected a significant number of other people.
- The patient is in a coma and cannot be interviewed by the CDC.
- A Google search reveals that he is a University researcher;
- His university webpage says he sings in a large choir and helps out
with his daughter's Daisy Girl Scout troop.
- Since singing provides a higher than average rate of transmission
and children under 5 fall in the high risk category, the CDC is
anxious to investigate quickly
- The CDC decides to follow a traditional forensic investigation and to
find all of the patient's repeated or high risk contacts during the
previous three months.
- Since they cannot interview the patient, their normal means of
determining contacts, the CDC decides to determine the contacts through
data mining because it should be faster and more thorough.
- To develop a list of possible contacts, the CDC identifies the people
- who live in the patient's condo (Thomas reverse-directory
- who work in his department (mit.edu search);
- are members of the choir (FOAF); and
- are related to the Daisy Girl troop (PAW site).
- To narrow the list, the CDC attempts to find the patient's most
frequent contacts by pulling and cross-matching:
- credit card transactions records
- telephone records
Details of the scenario (and links to
related rules, transaction logs, and data files).
are trying to build scenarios that have complex points of failure. We are
looking for a scenario in which
a) It is not possible to
avoid the failure by telling a single person or group, "Don't do x again."
b) The rule violation
cannot be caught simply by stoping a single transfer or group of transfers.
The rules we're looking to enforce are of the form: even though actor A is
entitled to have access to data D, it is not permissible to use D for purpose
Our optimal scenario will
require computation and analysis to determine that an appropriate rule has
not been followed, resulting in an adverse consequence to someone. We have
identified three classes of scenarios that might be appropriate and described
them below. It is worthy of note that, based upon last year's work, we
believe we know how to build the computations for the first two classes, but
that the third class would require new discoveries.
Consequences: In almost all of the proposed scenarios, if a
non-permitted distribution of information occurred, the adverse consequence
could be the loss of apartment, employment, health insurance, or other
economic benefit based upon the perception of heightened risk to self or
direct threat to the health of others. In some scenarios, if the failure to
distribute information occurred, there may be the adverse consequence of
failure to timely diagnose, leading to permanent disability or death.
We can create a variety
of scenarios in which the hospital or other health care providers are
requested to provide information to the CDC and make the wrong decision by
following the wrong privacy law. The regulations created to implement the
Health Insurance Portability and Accountability Act (HIPAA) provide the
reasoning to apply when a state law conflicts with the HIPAA Privacy Rule.
A state health privacy law will be preempted if it is "less stringent"
than the HIPAA Privacy Rule;
- We should be able to use Data Purpose Algebra (DPA) to establish
the set of permitted distributions under state law and the HIPAA rule
and then have the system calculate whether the state set is "greater
than" the HIPAA set.
- Research required: If "stringent" is defined by the number of types
of distribution sets this will be easier than if it is defined by the
number of distribution points.
Preemption Exception: There are automatic exceptions to the rule
above for particular categories of data (e.g., birth and death) and for
particular authorized purposes (i.e., to report child abuse).
- In these cases it does not matter if the state rule is less
stringent, so the calculation will need to have a logical disjunction
- The DPA for this rule will determine whether a data category or
authorized purpose is "equal to" one of the exception values.
Preemption Exception: State authorities may request exemptions
for laws that are necessary to 1) prevent fraud/abuse in health care
payments; 2) ensure regulation of insurance/health plans; 3) report on
healthcare delivery/costs; 4) serve a compelling public
health/safety/welfare need as warranted when balanced against the privacy
need; or 5) regulate controlled substances.
- Again, will not
matter if the stringency test is met and another logical disjunction
will be required.
- The calculation
will need to find a logical conjunction of exemption requested by the
state, exemption granted by Health and Human Services (HHS), and an
authorized purpose equal to one of these exception values.
required: If "necessary to" is interpreted more broadly than
"authorized purpose" this will be much more difficult.
B. Data Category
We can create scenarios
in which data begins as one data category but becomes a different data
category based upon circumstances. This creates challenges when different
rules apply to the different categories.
Transformation caused by data aggregation: Data may be collected
in an anonymized form but when aggregated with other data, it can be
de-anonymized. Both the Privacy Act and the HIPAA Privacy Rule do not
apply to the former category but to apply to the latter because they only
apply to data records in which it is possible to identify a specific
individual (whether by name or other identifier).
- At each aggregation, the system would need to determine if an
individual identifier had become part of or associated with the
Transformation caused by an external event: The Privacy Act
applies to Systems of Records (SORs) that contain data about "US
persons," defined as citizens or legal permanent residents. A SOR which
collected information only about non-immigrant foreign nationals becomes
covered by the Privacy Act when the first person in the SOR becomes a
legal permanent resident or naturalized citizen.
- Before each data transfer, the system would need the capability to
cross-match all persons in the SOR against a Department of Homeland
Security system identifying legal permanent residents and naturalized
Transformation caused by authorized purpose: Telephone companies
may only release an individual's telephone records in accordance with the
Electronic Communications Privacy Act (ECPA). But, what happens when
those records are passed to HHS for a disease investigation? We believe
they are likely treated as health information records and handled in
accordance with the HIPAA Privacy Rule. (Research required)
We can envision scenarios
in which information was not transferred but can be inferred from
circumstances. When the inference occurs, how will it be recognized and the
appropriate controlling rules attached?
- It is likely that when the CDC exercises its authority to get records
for a disease investigation, that humans will infer that the person whose
records are being sought is infected with a serious disease. We propose a
scenario in which telephone company employees refuse to make a service
call because the person's records reflect that the CDC has made an
The applicable rule here is that regulated utitlies are not permitted
to condition service on the health status of the customer.
- The CDC will enlist the local public health (LPHA) authorities in help
with this investigation. Imagine that the LPHA also operates a hot lunch
service for senior citizens and that one of the choir members is over 65
years old (as reported in her FOAF file). Based on this information, the
LPHA refused to serve this woman when she makes her daily visit to the
community center that serves meals because she might pose a health risk
to other diners.
The applicable rule is that city services may not be conditioned on
health status unless the condition has been verified by a physician's
maintained by K. Krasnow
Waterman and Lalana Kagal.
$Revision: 3260 $ of $Date: 2007-06-27$