Scenario 9

Diagram of the Hypothetical

Hypothetical:

Lawyers Hospital notifies the Centers for Disease Control that it has a patient in a coma who suffers from Extensively Drug-Resistant Tuberculosis (XDR-TB). This is a rare form of disease; only 17 cases were reported in the US between 2000 and 2006. Because of the speed with which the disease can spread and its resistance to both first and second line drug treatments, the CDC says it "presents a global threat and a challenge to TB-control activities in the United States." Due to the urgency of the matter, and the unavailability of the patient to answer traditional interview questions about his contacts (potential recipients of the disease), the CDC uses data mining to identify his contacts, attempting to identify any person with whom the patient had sufficient personal interaction to possibly transmit the disease. Once those people are identified, the CDC will work with other public health authorities and private health care providers to contain the spread of the disease.

(KKW Note: MA has regionally designated TB treatment facilities.. See, Regional Clinics List)


Transaction 0:

On January 6, 2007, an unconscious man was brought by the Boston Police to the emergency room of Lawyers Hospital. The policemen who brought him had searched his wallet and identified him as Alfred B. Newman. In his wallet, Mr. Newman had an MIT Employee Health Benefits Card, a drivers license, and a few credit cards. He also had a cell phone clipped to his belt. The policemen provide the information to the

Collection Rules: Apply to police taking data from patient: US Constitution, 4th Amendment; MA Constitution, Article 14; US Community Caretaking; MA Community Caretaking Exception

Use Rules: [Not in this scenario, but would apply if they went to Newman's house; looked him up in NCIC; etc.]

Dissemination Rules: Apply to police providing patient information to hospital: MAPublicRecords, MAPublicRecordsExceptionPrivacy, MACommunityCaretakingRecords

Transaction Data: Date, People, Events


Transaction 1:

Hospital personnel determined that the man had tuberculosis (TB) and was in a coma from which he was not likely to recover soon. Based upon a variety of medical tests, which take approximately six weeks to conduct, the hospital personnel diagnosed the patient with XDR-TB. On February 21, 2007, they contacted the Massachusetts Department of Public Health and provided the patient's information.

Dissemination Rules: Apply to hospital passing data to the MA Department of Public Health:

MA_Health Records_Privacy, HIPAA_Disclosure Definition1, HIPAA_Disclosure 1, HIPAA_Disclosure 2, HIPAA_Disclosure Exception 1, HIPAA_Disclosure Exception 2

Transaction Data: Date, People, Events


Transaction 2:

Due to the rarity of the disease (no cases had previously been reported in Massachusetts) and the potential high risk to public health, the Massachusetts Department of Public Health immediately shared the information with the Centers for Disease Control.

Dissemination Rules: Apply to MA Dept Publ Health passing patient data to CDC

MA_Health Records_Privacy, MA_Public Health Dissemination, MA_Private Records_Dissemination

Collection Rules:CDC accepts patient's health data from hospital

US_Privacy Act 1, HHS_Authority, HHS_Collection_and_Dissemination_Authority, US_Privacy Act 2, SORN_Epidemic_Investigations_Case_Records,

Transaction Data: Date, People, Events


Transaction 3:

CDC assigned the matter to an investigator and provided the data to him.

Dissemination Rules: Apply to an individual federal employee looking at specific data

US_Privacy Act_3, US_Privacy Act_3_Exception_1

Transaction Data:

Date, People, Events


Transaction 4:

The CDC's normal method of contact investigation begins with an extensive interview of the patient about his contacts and is followed by interviews of those individuals. Mr. Newman remains unconscious and no family members or friends have come to the hospital or responded to messages to Mr. Newman's phone or letters to his home.The investigator uses a web search engine and identifies Mr. Newman as a research affiliate at MIT, a volunteer for a Daisy Girl Scout troop, and a member of Clicker Choir.

Use Rules: Constraints on CDC's use of publicly available information.

SORN_Epidemic_Investigations_Case_Records_Use_1, Creative Commons 2.5, (need use rules for PAW for Daisy Troop and Clicker choir using FOAF)

Collection Rules: CDC's collection of publicly available information.

US_Privacy Act 1, US_Privacy Act 2, HHS_Authority, HHS_Collection_and_Dissemination_Authority, SORN_Epidemic_Investigations_Case_Records

Transaction Data:

Date, People, Events

Additional Hypothetical Facts:

The investigator is concerned because very young children are at high risk for infection. Also, singing, like coughing, is likely to increase the risk of transmission. Calls to Mr. Newman's MIT lab indicate that he didn't spend time with people in his own research group, but was often observed in the company of others, believed to be MIT-affiliated individuals, whom no one could identify. The CDC invesitgators wish to give highest priority to persons with whom Mr. Newman appears to have spent quite a bit of time in the 6 months (check relevant time) before he was brought to the hospital.


Transaction 5:

The investigator requests a download of the entire MIT directory (faculty, staff, and students).

Dissemination Rules: MIT's rules regarding releasing whole directory.

MIT Privacy Policy, MIT Student Directory Dissemination Policy

Collection Rules:CDC's collection of publicly available information.

US_PrivacyAct 1, US_PrivacyAct 2, HHS_Authority, HHS_Collection_and_Dissemination_Authority, SORN_Epidemic_Investigations_Case_Records

Use Rules: MIT's Rules for use of directory data.

MIT Student Directory Use Policy

Transaction Data:

Date, People, Events

Data File:

MIT Directory Data


Transaction 6:

The investigator approaches the Daisy Girl Scout website (identifying herself to the Policy Aware Website) seeking the names and addresses of all the troop members' parents.

Dissemination Rules: Daisy Troop's rules re: access to Troop 42 child member and parent information.

Troop 42 PAW Rules , Troop 42 Dissemination Rule

Collection Rules: CDC collection of privately available information.

US_PrivacyAct 1, US_PrivacyAct 2, HHS_Authority, HHS_Collection_and_Dissemination_Authority, SORN_Epidemic_Investigations_Case_Records

Use Rules: Limitations on what government can do with data it gets from Daisy Troop.

Troop 42 Use Rule

Transaction Data: Need Date, People, Events

Data File: Troop 42 Data


Transaction 7:

The investigator approaches Clicker Choir's website, which uses Friend-of-a-Friend (FOAF) for members to identify each other.

Dissemination Rules: Choir's rule for government access to member list

Choir Dissemination Rule

Collection Rules: CDC collection of privately available information.

US_PrivacyAct 1, US_PrivacyAct 2, HHS_Authority, HHS_Collection_and_Dissemination_Authority, SORN_Epidemic_Investigations_Case_Records

Use Rules: Choir's rule for government use of member list.

Choir Use Rule

Transaction Data: Need Date, People,Events

Data File: Need ClickerChoir data with URIs, name, address, and phone


Transaction 8:

The investigator searches Dole's Directory for indviduals who live in the same condo as the patient.

Distribution Rules: Dole's rules for distributing cross-directory information.

Dole's Dissemination Rule

Collection Rules: CDC collection of privately available information.

US_PrivacyAct 1, US_PrivacyAct 2, HHS_Authority, HHS_Collection_and_Dissemination_Authority, SORN_Epidemic_Investigations_Case_Records

Transaction Data: Need Date,People,Events

Data File: Reverse Directory Data


Transaction 9:

The investigator puts all of the received data into a CDC database.

Collection Rules: CDC collection of privately available information.

US_PrivacyAct 1, US_PrivacyAct 2, HHS_Authority, HHS_Collection_and_Dissemination_Authority, SORN_Epidemic_Investigations_Case_Records

Transaction Data: Need Date,People,Events


Transaction 10:

The investigator approaches Mr. Newman's cell phone company and requests his toll records for the 6 months prior to his admission to the hospital.

Dissemination Rules: Applies to Xphone release of customer phone record information

Electronic Communication Definition, Electronic Communication Dissemination Rule 3, Electronic Communication Dissemination Rule Exception 8, XPhone Privacy Policy, Verizon Privacy Principle 4, Verizon Privacy Principle 4 Exception 1, Verizon Privacy Principle 4 Exception 2, Verizon Privacy Principle 4 Exception 3, Verizon Disclosure Policy ,

Collection Rules: CDC collection of privately available information.

US_PrivacyAct 1, US_PrivacyAct 2, HHS_Authority, HHS_Collection_and_Dissemination_Authority, SORN_Epidemic_Investigations_Case_Records

Transaction Data: Need Date,People,Events

Data File: Newman's Phone Data


Transaction 11:

The investigator approaches the major cell phone companies (AT&T, Verizon, Cingulair, T-Mobile, and Xphone) and requests that the cell phone records of all the individuals on the list be searched for Mr. Newman's number and that the names of the persons with matches be reported back.

Dissemination Rules: Applies to Xphone release of customer phone record information

Electronic Communication Definition, Electronic Communication Dissemination Rule 3, Electronic Communication Dissemination Rule Exception 8, XPhone Privacy Policy, Verizon Privacy Principle 4, Verizon Privacy Principle 4 Exception 1, Verizon Privacy Principle 4 Exception 2, Verizon Privacy Principle 4 Exception 3, Verizon Disclosure Policy ,

Collection Rules: CDC collection of privately available information.

US_PrivacyAct 1, US_PrivacyAct 2, HHS_Authority, HHS_Collection_and_Dissemination_Authority, SORN_Epidemic_Investigations_Case_Records

Transaction Data:Need Date,People,Events

Data File: Possibles Phone Data


Transaction 12:

The investigator approaches Mr. Newman's credit card companies (Mastercard, Visa and CredCa) and requests his transaction records for the 6 months prior to his admission to the hospital.

Dissemination Rules: Release of banking customer records.

CredCa Privacy Policy, Mastercard Privacy Policy, Mastercard Privacy Requirement 1, Mastercard Privacy Requirement 2, Financial Privacy, Financial Privacy Injury Exception , Financial Privacy Injury Exception Compliance 1, Financial Privacy Compliance Certificate, Financial Privacy Injury Exception Compliance 2, RFPA HHS Authority Designation

Collection Rules: CDC collection of privately available information.

US_PrivacyAct 1, US_PrivacyAct 2, HHS_Authority, HHS_Collection_and_Dissemination_Authority, SORN_Epidemic_Investigations_Case_Records

Use Rules: Use limitations of banking customer records obtained under RFPA.

Financial Privacy Use Limitations

Transaction Data: Need Date,People,Events

Data File: Newman CredCa Data


Transaction 13:

The investigator approaches the major credit card companies (Mastercard, Visa, and CredCa) and requests that the credit card transactions of all the individuals on the list be searched for matches with Mr. Newman's transactions and the names of the persons with matches be reported back.

Dissemination Rules: Release of banking customer records.

Financial Privacy, Financial Privacy Injury Exception , Financial Privacy Injury Exception Compliance 1, Financial Privacy Compliance Certificate, Financial Privacy Injury Exception Compliance 2, RFPA HHS Authority Designation

Collection Rules: CDC collection of privately available information.

US_PrivacyAct 1, US_PrivacyAct 2, HHS_Authority, HHS_Collection_and_Dissemination_Authority, SORN_Epidemic_Investigations_Case_Records

Use Rules: Use limitations of banking customer records obtained under RFPA.

Financial Privacy Use Limitations,

Transaction Data: Need Date,People,Events

Data File: Possibles CredCa Data


Transaction 14:

There are still too many matches for the investigator to handle quickly. The investigator approaches the major health care agencies and requests they search their patient records to determine if any of the matches have sought treatment for the any of the major TB symptoms.

Dissemination Rules: MIT Health Plan's rules for releasing patient information.

MIT Health Plan Privacy Non-Routine Uses, HIPAA_Disclosure Definition1, HIPAA_Disclosure 1, HIPAA_Disclosure 2, HIPAA_Disclosure Exception 1, HIPAA_Disclosure Exception 2

Collection Rules: CDC collection of privately available information.

US_PrivacyAct 1, US_PrivacyAct 2, HHS_Authority, HHS_Collection_and_Dissemination_Authority, SORN_Epidemic_Investigations_Case_Records

Use Rules: Transaction Data: Need Date,People,Events

Data File: Need File with Multiple Possibles from Health Insurer


Transaction 15:

Bob Same calls Xphone and requests installation of a home telephone at his home on the corner of Drucker & 3rd. Betty Jo Bialoski, the service operator taking the call, requests and receives Mr. Same's cell phone number to use as a credit reference. [Insert a variation.] Ms. Bialoski refuses to schedule a repairman for Mr. Same.

Collection Rules: Apply to getting Mr. Same's cell phone number?

XPhonePrivacy Policy, Verizon Privacy Principle 1, Verizon Privacy Principle 1 Collection 1

Use Rules: Apply to what Xphone employees can do with customer data

Verizon Privacy Principle 1 Use 1, Verizon Privacy Principle 1 Use 2, VerizonPrivacy Principle 3,Verizon Privacy Principle 7, XPhone Handling Rules

Use Rules: Apply to using knowledge of CDC investigation (or court order) in denying service.

MA_Disability_Discrimination , MA Disability Discrimination Looks to US, US_Disability_Qualified_Individual, US_Disability_Direct_Threat, US Disability Imminent Risk , US Disability Threat Accomodation

Variation 1 (real world): When Ms. Bialoski pulls up that record, she sees an odd notation. Unsure of what it is, she calls her brother-in-law, Nick Danjer, in the computer department, who uses his system administrator id to see what it references. He tells her that the computer department was asked by the Legal Department to match Mr. Same's records to some other records for a CDC investigation into a bad TB epidemic.

Variation 2 (future world): When Ms. Bialoski pulls up that record, she sees an odd notation. She looks it up (because everyone has access to all records) and discovers that the computer department was asked by the Legal Department to match Mr. Same's records to some other records for a CDC investigation into a bad TB epidemic. Ms. Bialoski refuses to schedule a repairman for Mr. Same.

Variation 3 (liability avoidance): When Ms. Bialoski pulls up that record, she sees an odd notation; there is a reference to the General Counsel's office with no further information. She contacts Richard Duck, who pulls the file. He tells her that Mr. Same's records were requested as part of a CDC investigation into a bad TB epidemic and that he advised senior management that they should consider potential liability related to sending any employee to service the people on the CDC's list.. Ms. Bialoski refuses to schedule a repairman for Mr. Same

Use Rules: Use of General Counsel files

Attorney-Client Privilege Corporate Counsel, Attorney-Client Privilege Corporate Control Group

Variation 4 (random chance): Ms. Bialoski is aware that Mr. Same suffers from TB. She lives in the same condo building as Mr. Same. When Mr. Same was the subject of a petition for commitment and had prevailed in court, obtaining permission to stay at home, there were public notices posted and informational meetings held at the condo by the Department of Public Health.

Use Rules: Use of TB-related information about a person by the courts of Massachusetts

MA TB Commitment 1, MA TB Commitment 2

Transaction Data: Date, People, Events

Complaint: Mr. Same's lawyer, Clarence Narrow, files a lawsuit in Massachusetts court asserting that Xphone has violated the law by denying a utility service to Mr. Same based upon the perception that he has a disability. Mr. Narrow specifically asserts that Xphone has violated Article 114 of the Massachusetts Constitution (known here as the Rule: MA_Disability_Discrimination).



maintained by K. Krasnow Waterman
$Revision: 3526 $ of $Date: 2007-07-22$