RULES FOR SCENARIO 9

See,also, Rules in RDF

CAVEAT 1: The rules written below are those that are necessary for auditing the events of our hypothetical Scenario 9. They are not comprehensive statements of law, regulation, or policy. In essentially all cases, there are additional rules and exceptions which may apply under some circumstances.

CAVEAT 2: In some cases real rules are restated to clarify negatives. For example, a rule in the form

"you may not x, unless y"

may be stated here as

"you may x if y."

Or vice versa.

CAVEAT 3: In some cases, the rules below are entirely fictional, created solely for illustrative purposes.


US Constitution, 4th Amendment

Police may not search people or their property without a warrant.

Exception: Police may search people or their property with their consent.

Law: US Constitution, 4th Amendment


Massachusetts Constitution, Declaration of Rights, Article 14

Police may not search people or their property without a warrant.

Exception: Police may search people or their property with their consent.

Law: Massachusetts Constitution, Declaration of Rights, Article 14


US Community Caretaking

Exception: Police may search people pursuant to "community caretaking" duties.

Law: Mincey v. Arizona, 437 US 385, 392 (1978)

Quote: "We do not question the right of the police to respond to emergency situations. Numerous state and federal cases have recognized that the Fourth Amendment does not bar police officers from making warrantless entries and searches when they reasonably believe that a person within is in need of immediate aid."


Massachusetts Community Caretaking Exception

A police officer can use the "community caretaking" exception and conduct a search if all of the following 4 are true:

  1. Reasonable belief that an emergency exists presenting an imminent threat to life
  2. The officer takes immediate action
  3. The officer's actions are unrelated from detecting or investigating a crime
  4. The officer's actions must be reasonable and no broader than needed to address the emergency

Policy: "Police Powers During Public Emergencies" by Kurt N. Schwartz, Assistant Attorney General, Massachusetts, p.3 (Dec. 9, 2003)

Locator: "Four conditions must be present .... alleviate the emergency at hand."

KKW Note: 4th criterion leaves open possibility that collection of credit card information was too broad (driver's license and cell phone were sufficient to identify individual and attempt to make notification?


MA Public Records

Anyone may have access to public records in the possession of the state of Massachusetts.

Law: MGL C. 6, Section 10(a)

Locator: "Every person having custody ... examined by any person"


MA Public Records Exception Privacy

Exception: Not included within "public records" are medical files or information or any other materials or data relating to a specifically named individual, the disclosure of which may constitute an unwarranted invasion of personal privacy

Law: MGL C. 4, Section 7, Clause 26(c)

Quote: "Twenty-sixth, "Public records'' shall mean all ... documentary materials or data, ... unless such materials or data fall within the following exemptions in that they are: ... (c) ... medical files or information ... relating to a specifically named individual, the disclosure of which may constitute an unwarranted invasion of personal privacy"

[KKW Note: Quote above provided to show how lawyer parses a rule to read only that which is relevant to the question at hand.]


MA Community Caretaking Records:

Police officers may need to divulge information as part of their community caretaking function.

Rule:

URL:


MA Health Records Privacy

Patients in any hospital have the right to confidentiality in their records

Exception: to the extent permitted by law

Law: MGL C. 111, 70E

Quote 1: "As used in this section, "facility'' shall mean any hospital"

Quote 2: "The rights established under this section shall apply to every patient or resident in said facility."

Quote 3: " Every patient or resident of a facility shall have the right: ...(b) to confidentiality of all records and communications to the extent provided by law"


HIPAA Disclosure Definition 1

All health plans and health care clearinghouses, and health care providers transmitting covered data electronically, are "covered entities" and must follow this rule.

Law: 45 CFR 160.102(a)

Locator: "Except as otherwise provided, ... by this subchapter."


HIPAA Disclosure 1

A covered entity may not disclose or use protected health information without the authorization of the person who is the subject of the information or the person's representative.

Law: 45 CFR 164.508

Quote 1: "Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section." ( 164.508(a))

Quote 2: "A valid authorization under this section must contain at least the following elements: ... Signature of the individual ... and ...

If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual."

( 164.508(c)(vii) & (viii))


HIPAA Disclosure 2

A covered entity may not disclose or use protected health information without informing the person who is the subject of the information and that person has the ability to permit or prohibit the action.

Law: 45 CFR 164.510

Locator: "A covered entity may use ... requirements of this section." (first para.)


HIPAA Disclosure Exception 1

Exception: A covered entity may disclose protected health information without informing the subject

to a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability.

Law: 45 CFR 164.512(b)(i)


HIPAA Disclosure Exception 2

Exception: A covered entity may disclose protected health information without informing the subject

to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation

Law: 45 CFR 164.512(b)(iv)


MA Public Health Dissemination

The Department of Public Health may disseminate information relating to disease or epidemic investigations, as it deems proper.

Law: MGL C. 111, Section 5


MA Private Records Collection

Each agency shall collect only the minimum quantity of personal information necessary for the recipient to perform its functions.

Law: MA Executive Order 412 (item 3)


MA Private Records Dissemination

Each agency shall disseminate only the minimum quantity of personal information necessary for the recipient to perform its functions.

Law: MA Executive Order 412 (item 3)


US Privacy Act 1

An agency of the government may only store data about US persons which is relevant and necessary to fulfill an authorized purpose assigned by statute or Executive Order.

Law: 5 USC 552a(e)(1)


US Privacy Act 2

An agency of the government must publish in the Federal Register a notice when it establishes or modifies a system of records.

The notice must include the name of the system, the categories of records on whom records are maintained, the categories of records maintained, and the categories of sources for the records.

Law: 5 USC 552a(e)(4)(A),(B),(C), & (I)


HHS Authority

The Secretary of Health and Human Services (HHS) shall conduct, encourage, cooperate with, and render assistance to other appropriate public authorities, scientific institutions, and scientists in the conduct of research, investigations, experiments, demonstrations, and studies relating to the causes, diagnosis, treatment, control, and prevention of physical and mental diseases.

Law: 42 USC 241(a)


SORN Epidemic Investigations Case Records

CDC may place information about patients with potentially epidemic diseases into the Epidemic Investigations Case Records SOR.

Categories of individuals covered by the system: Adults and children with disease and other health conditions of public health significance, their contacts, others with possible exposure and appropriate controls.

Categories of records in the system: Medical histories, case reports, and related documents.

Reg: 51 FR 44249


SORN Epidemic Investigations Case Records Use 1

The record system is used by professional staff at the Centers for Disease Control and Prevention (CDC) for more complete knowledge of the disease/condition in the following ways:

(1) An examination of existing files enables investigators to determine areas that have been adequately investigated and to specify those that might be pursued;

or

(2) Records may later be examined in the light of future discoveries and proven associations so that relevant data collected at the time of the outbreak may be analyzed and reassessed.

CDC may or may not request duplicate copies of these State and/or local health department records for further analysis following completion of the field investigation.

Reg: 51 FR 44249


US Privacy Act 3

An agency may not disclose any record contained in an SOR without the written request of, or prior cosent of, the individual who is the subject of the record.

Law: 5 USC 552a(b)


US Privacy Act 3 Exception 1

Exception: Unless the record is being disclosed to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties

Law: 5 USC 552a(b)(1)


Creative Commons 2.5

[look up and use Harvey's representation of CC rules]

Rules: Creative Commons Attribution 2.5


MIT Privacy Policy

Personal information, other than directory information about students and standard personnel information, should not be released to anyone outside MIT without the permission of the individual, except in the case of court orders and/or legal process, in cases where such release would be clearly expected (employment references, award nominations, etc.), or in extraordinary circumstances.

Rule: MIT Policy 11.2

[KKW note: Many organizations treat requests for aggregate information differently from requests for individual information.


XPhone Privacy Policy

Xphone uses Verizon's rules for disseminating customer information.

Policy: [K hypothetical]


Verizon Privacy Principle 1

Verizon obtains and uses individual customer information for business purposes only.

Verizon collections information about our customers that helps to provide them with Verizon services.

Policy: Verizon Privacy and Customer Security Policies, Principle 1


Verizon Privacy Principle 1 Use 1

This information may also be used to protect customers, employees and property against fraud, theft or abuse; to conduct industry or consumer surveys; and to maintain good customer relations.

Policy: Verizon Privacy and Customer Security Policies, Principle 1


Verizon Privacy Principle 1 Collection 1

Verizon may ask customers questions to better serve their special needs and interests. For example, our telephone company may ask whether customers work at home, whether any members of the household have special needs, or whether teenagers reside in the household, in order to determine whether customers may be interested in additional lines, ISDN or other services.

Policy: Verizon Privacy and Customer Security Policies, Principle 1


Verizon Privacy Principle 1 Use 2

Access to databases containing customer information is limited to employees who need it to perform their jobs -- and they follow strict rules when handling that information.

Policy: Verizon Privacy and Customer Security Policies, Principle 1


Verizon Privacy Principle 3

Verizon may use individual customer data internally for planning and marketing purposes

Policy: Verizon Privacy and Customer Security Policies, Principle 3


Verizon Privacy Principle 4

Verizon permits customers to control how and when their personal information is released


Verizon Privacy Principle 4 Exception 1

Exception: When required by law.

Policy: Verizon Privacy and Customer Security Policies, Principle 4


Verizon Privacy Principle 4 Exception 2

Exception: When served with valid legal process

Policy: Verizon Privacy and Customer Security Policies, Principle 4


Verizon Privacy Principle 4 Exception 3

Exception: To protect the health and safety of customers, employees, or property.

Policy: Verizon Privacy and Customer Security Policies, Principle 4


Verizon Privacy Principle 7

Verizon employees may not intrude, tamper, or disclose the existence or contents of customer communications

Exception: Required by law

Exception: To manage network

Verizon employees may only access customer information in databases if they need it to perform their jobs

All Verizon employees are responsible for safeguarding individual customer communications and information.

Verizon personnel must be aware of and protect the privacy of all forms of customer communications -- whether they are voice, data or image transmissions -- as well as individual customer records.

Verizon personnel may use safeguards to increase data accuracy and to identify and authenticate the sources of customer information. Sensitive, confidential, or proprietary records must be protected and maintained in a secure environment

Policy: Verizon Privacy and Customer Security Policies, Principle 7


Verizon Disclosure Policy

Verizon must disclose information, as necessary, to comply with court orders or subpoenas.

Policy: Verizon Privacy and Customer Security Policies, Disclosure of Information Outside Verizon


Xphone Handling Rules

[Need "strict" handling rules]


MA_Disability_Discrimination

“No otherwise qualified handicapped individual shall, solely by reason of his handicap, be excluded from participation in, be denied the benefits of, or be subject to discrimination under any program or activity within the Commonwealth.”

Law: Massachusetts Constitutions, Article 114


MA Disability Discrimination Looks to US ADA

(Where it has no specific rules, MA looks to federal Americans with Disabilities Act for guidance)

(need cite)


US Disability Qualified Individual

To be considered a "qualified handicapped individual" a person must: have a physical or mental impairment that substantially limits one or more major life activities; have a record of such an impairment; or be regarded as having such an impairment.

Law: 42 USC 12102(2)


US Disability Direct Threat

Exception: If there is a "direct threat" - significant risk of substantial harm to the heatlh or safety of the individual or others

Law: 42 USC 12113(b)


US Disability Imminent Risk

The risk must be imminent, not speculative or remote

Policy: EEOC Guidance Letter, Jan. 1998 (p. 1, para. 4)


US Disability Threat Accomodation

It must not be possible to eliminate or reduce the risk below the level of "direct threat" by reasonable accomodation

Law: 42 USC 12111(3)


Attorney-Client Privilege Corporate Counsel

Files in the General Counsel's office are attorney-client privileged.

Attorney-client privilege exists for advice given privately by an attorney to a client.

A corporation can be a client and hold an attorney-client privilege

Case law: United States v. Louisville & Nashville R. Co., 236 U.S. 318, 336 (1915)


Attorney-Client Privilege Corporate Control Group

The people who are considered the "client" for this purpose are members of the corporation's "control group" - senior managers who can make decisions for the corporation; they may receive advice on behalf of the client.

In addition, the attorney may seek information from any employee that is needed in order to provide meaningful advice; in that context, the lawyer may share sufficient information to explain the context of the request for information.

The privilege is broken (no longer exists), if information is shared with any third party (including employees not described in the prior two points)

Case Law: Upjohn Co. v. United States, 449 US 383 (1981) (Section II)


MA TB Commitment 1

A Massachusetts district court justice or associate justice may commit a person to long-term hospitalization at a tuberculosis treatment center, if the person has an active case of tuberculosis, resides within or is present in the court's jurisdiction, and an appropriate petition has been filed.

The individual must be given notice of his right to a hearing.

The individual may have counsel and witnesses present at the hearing.

Law: MGL C. 6, Ch. 111, Section 94C


MA TB Commitment 2

The petition for commitment must show that the person has TB, is unwilling or unable to accept proper medical treatment, and is a serious danger to public health because of this. [Inverse: A person can avoid commitment and remain at home by showing that he is willing and able to accept proper medical treatment.]

Law: MGL C. 6, Ch. 111, Section 94A


HHS Collection and Dissemination Authority

The Secretary of Health and Human Services (HHS) shall collect and make available through publications and other appropriate means, information as to research, investigations, experiments, demonstrations, and studies relating to the causes, diagnosis, treatment, control, and prevention of physical and mental diseases.

Law: 42 USC 241(a)(1)


MIT Student Directory Dissemination Policy

Certain categories of student information are designated by the Institute as directory information and may be released without the student's prior consent and without a record being made of these disclosures. This information includes: Name, Term and permanent home address, MIT office address, Term phone number,Term electronic mail address.

Students have the right to withhold directory information from disclosure, including disclosure in printed and online publications of the directory, except to Institute officials who have a need to know it.

Policy: MIT Student Directory Dissemination Privacy


MIT Student Directory Use Policy

Using or facilitating the use by others of the Student Directory or similar listings for non-Institute purposes is a violation of Institute policy.

Policy: MIT Student Directory Use Privacy


Troop 42 Dissemination Rule

[Propose to add new rules:

Government officials may have access to names and contact information for parents of troop members if the government officials can show that the the children members' lives are at imminent risk.

Policy: [new file needed]


Troop 42 Use Rule

[Propose to add new rules:

Government officials may only use names and contact information for parents of troop members to work to ameliorate the imminent risk to the lives of the children members.

Policy: [new file needed]


Choir Dissemination Rule

[Assumes the Choir operates using FOAF and the Choirmaster only has the member URIs]

Government officials may have access to the URIs of Choir members in order to fulfill one of the legally authorized purposes of the agency.

Policy: [new file needed]


Choir Use Rule

[Assumes the Choir operates using FOAF and the Choirmaster only has the member URIs]

Government officials may only use the URIs of Choir members and any information they obtain from them to fulfill the legally authorized purpose of the agency for which they obtained the information.

Policy: [new file needed]


Dole's Dissemination Rule

Dole will release cross-directory information to government officials who pay Dole's fee.

Policy: [new file needed]


Electronic Communication Definition

"Electronic communication” means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole

or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce, but does not include—

(A) any wire or oral communication;

(B) any communication made through a tone-only paging device;

(C) any communication from a tracking device (as defined in section 3117 of this title); or

(D) electronic funds transfer information stored by a financial institution in a communications system used for the electronic storage and transfer of funds;"

Law: 18 USC 2510(12)


Electronic Communication Dissemination Rule 3

A provider of remote computing service or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by paragraph (1) or (2)) to any governmental entity.

Law: 18 USC 2702(a)(3)


Electronic Communication Dissemination Rule Exception 8

Exceptions for disclosure of communications.— A provider described in subsection (a) may divulge the contents of a communication—

to a Federal, State, or local governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency.

Law: 18 USC 2702(b)(8)


CredCa Privacy Policy

CredCa uses Mastercard's privacy rules.

Policy: [KKW Hypothetical]


Mastercard Privacy Policy

MasterCard will use personal information when a cardholder has been given adequate notice of the intended use and/or as otherwise permitted by law.

Policy: Mastercard Privacy Position

Locator: First para, last sentence


Mastercard Privacy Requirement 1

All persons with access to personal data should be aware of privacy concerns and should be familiar with the laws and policies governing the collection and use of such information.

Policy: Mastercard Privacy Position

Locator: First bullet item


Mastercard Privacy Requirement 2

Only those employees with a legitimate business need and authorization should have access to the data.

Policy: Mastercard Privacy Position

Locator: Third bullet item


Financial Privacy

No Government authority may have access to or obtain copies of, or the information contained in the financial records of any customer from

a financial institution.

Law: 12 USC 3402


Financial Privacy Injury Exception

Nothing in this chapter shall prohibit a Government authority from obtaining financial records from a financial institution if the Government authority determines that delay in obtaining access to such records would create imminent danger of—physical injury to any person;

Law: 12 USC 3414(b)(1)(A)


Financial Privacy Injury Exception Compliance 1

In the event that the Government seeks customer financial records because of the risk of physical injury, the Government shall submit to the financial institution the certificate required in section 3403 (b) of this title signed by a supervisory official of a rank designated by the head of the Government authority.

Law: 12 USC 3414(b)(2)


Financial Privacy Compliance Certificate

A financial institution shall not release the financial records of a customer until the Government authority seeking such records certifies in writing to the financial institution that it has complied with the applicable rules under the RIght to Financial Privacy Act.

Law: 12 USC 3403(b)


Financial Privacy Injury Exception Compliance 2

Within five days of obtaining access to financial records under this subsection, the Government authority shall file with the appropriate court a signed, sworn statement of a supervisory official of a rank designated by the head of the Government authority setting forth the grounds for the emergency access. The Government authority shall thereafter comply with the notice provisions of section 3409 (c) of this title.

Law: 12 USC 3414(b)(3)


RFPA HHS Authority Designation

[KKW created this fictional regulation. To create another privacy compliance failure, this reg could be changed to reflect designation of a higher level authority while leaving the transaction data reflecting that the physician investigator signed the request. ]

The Secretary of HHS has delegated to all physician investigators the authority to request customer financial records from financial institutions in the event that the information is needed to preclude or contain the spread of an infectious disease that can cause physical injury.

Policy: 42 CFR 9999

[Note: 42 CFR is for Public Health regs. There is no 9999.]


Financial Privacy Use Limitations

If the government agency receiving customer financial records from a financial institution under RFPA wishes to share them with another agency, there are six user limitations.

Law: 12 USC 3412


MIT Health Plan Privacy Non-Routine Uses

The MIT Health Plan will disclose health information without plan member permission:

If required by law

For public health activities such as tracking diseases or medical devices

To avert serious threats to the health or safety of you or the public, but we will only share your health information with someone able to help prevent the threat

Policy: MIT Health Plan Privacy Non-Routine Uses

Locator: bullets at bottom of page 1


----------------------------

Last updated $Revision: 3149 $ of $Date: 2007-07-11$ by K. Krasnow Waterman and Chris Hanson