CAVEAT 1: The rules written below are those that are necessary for auditing the events of our hypothetical Scenario 9. They are not comprehensive statements of law, regulation, or policy. In essentially all cases, there are additional rules and exceptions which may apply under some circumstances.
CAVEAT 2: In some cases real rules are restated to clarify negatives. For example, a rule in the form
"you may not x, unless y"
may be stated here as
"you may x if y."
Or vice versa.
CAVEAT 3: In some cases, the rules below are entirely fictional, created solely for illustrative purposes.
Police may not search people or their property without a warrant.
Exception: Police may search people or their property with their consent.
Law: US Constitution, 4th Amendment
Police may not search people or their property without a warrant.
Exception: Police may search people or their property with their consent.
Law: Massachusetts Constitution, Declaration of Rights, Article 14
Exception: Police may search people pursuant to "community caretaking" duties.
Law: Mincey v. Arizona, 437 US 385, 392 (1978)
Quote: "We do not question the right of the police to respond to emergency situations. Numerous state and federal cases have recognized that the Fourth Amendment does not bar police officers from making warrantless entries and searches when they reasonably believe that a person within is in need of immediate aid."
A police officer can use the "community caretaking" exception and conduct a search if all of the following 4 are true:
Locator: "Four conditions must be present .... alleviate the emergency at hand."
KKW Note: 4th criterion leaves open possibility that collection of credit card information was too broad (driver's license and cell phone were sufficient to identify individual and attempt to make notification)?
Anyone may have access to public records in the possession of the state of Massachusetts.
Locator: "Every person having custody ... examined by any person"
Exception: Not included within "public records" are medical files or information or any other materials or data relating to a specifically named individual, the disclosure of which may constitute an unwarranted invasion of personal privacy
Law: MGL C. 4, Section 7, Clause 26(c)
Quote: "Twenty-sixth, 'Public records' shall mean all ... documentary materials or data, ... unless such materials or data fall within the following exemptions in that they are: ... (c) ... medical files or information ... relating to a specifically named individual, the disclosure of which may constitute an unwarranted invasion of personal privacy"
[KKW Note: Quote above provided to show how lawyer parses a rule to read only that which is relevant to the question at hand.]
Police officers may need to divulge information as part of their community caretaking function.
Rule:
URL:
Patients in any hospital have the right to confidentiality in their records
Exception: to the extent permitted by law
Law: MGL C. 111, § 70E
Quote 1: "As used in this section, 'facility' shall mean any hospital"
Quote 2: "The rights established under this section shall apply to every patient or resident in said facility."
Quote 3: "Every patient or resident of a facility shall have the right: ... (b) to confidentiality of all records and communications to the extent provided by law"
All health plans and health care clearinghouses, and health care providers transmitting covered data electronically, are "covered entities" and must follow this rule.
Law: 45 CFR 160.102(a)
Locator: "Except as otherwise provided, ... by this subchapter."
A covered entity may not disclose or use protected health information without the authorization of the person who is the subject of the information or the person's representative.
Law: 45 CFR 164.508
Quote 1: "Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section." (§ 164.508(a))
Quote 2: "A valid authorization under this section must contain at least the following elements: ... Signature of the individual ... and ... If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual." (§ 164.508(c)(vii) & (viii))
A covered entity may not disclose or use protected health information without informing the person who is the subject of the information and that person has the ability to permit or prohibit the action.
Law: 45 CFR 164.510
Locator: "A covered entity may use ... requirements of this section." (first para.)
Exception: A covered entity may disclose protected health information without informing the subject to a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability.
Law: 45 CFR 164.512(b)(i)
Exception: A covered entity may disclose protected health information without informing the subject to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation.
The Department of Public Health may disseminate information relating to disease or epidemic investigations, as it deems proper.
Each agency shall collect only the minimum quantity of personal information necessary for the recipient to perform its functions.
Law: MA Executive Order 412 (item 3)
Each agency shall disseminate only the minimum quantity of personal information necessary for the recipient to perform its functions.
Law: MA Executive Order 412 (item 3)
An agency of the government may only store data about US persons which is relevant and necessary to fulfill an authorized purpose assigned by statute or Executive Order.
Law: 5 USC § 552a(e)(1)
An agency of the government must publish in the Federal Register a notice when it establishes or modifies a system of records.
The notice must include the name of the system, the categories of individuals on whom records are maintained, the categories of records maintained, and the categories of sources for the records.
Law: 5 USC § 552a(e)(4)(A),(B),(C), & (I)
The Secretary of Health and Human Services (HHS) shall conduct, encourage, cooperate with, and render assistance to other appropriate public authorities, scientific institutions, and scientists in the conduct of research, investigations, experiments, demonstrations, and studies relating to the causes, diagnosis, treatment, control, and prevention of physical and mental diseases.
Law: 42 USC § 241(a)
CDC may place information about patients with potentially epidemic diseases into the Epidemic Investigations Case Records SOR.
Categories of individuals covered by the system: Adults and children with disease and other health conditions of public health significance, their contacts, others with possible exposure and appropriate controls.
Categories of records in the system: Medical histories, case reports, and related documents.
Reg: 51 FR 44249
The record system is used by professional staff at the Centers for Disease Control and Prevention (CDC) for more complete knowledge of the disease/condition in the following ways:
(1) An examination of existing files enables investigators to determine areas that have been adequately investigated and to specify those that might be pursued;
or
(2) Records may later be examined in the light of future discoveries and proven associations so that relevant data collected at the time of the outbreak may be analyzed and reassessed.
CDC may or may not request duplicate copies of these State and/or local health department records for further analysis following completion of the field investigation.
Reg: 51 FR 44249
An agency may not disclose any record contained in an SOR without the written request of, or prior consent of, the individual who is the subject of the record.
Law: 5 USC § 552a(b)
Exception: Unless the record is being disclosed to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties
Law: 5 USC § 552a(b)(1)
Rules: Creative Commons Attribution 2.5
Personal information, other than directory information about students and standard personnel information, should not be released to anyone outside MIT without the permission of the individual, except in the case of court orders and/or legal process, in cases where such release would be clearly expected (employment references, award nominations, etc.), or in extraordinary circumstances.
Rule: MIT Policy 11.2
[KKW note: Many organizations treat requests for aggregate information differently from requests for individual information.]
Xphone uses Verizon's rules for disseminating customer information.
Policy: [K hypothetical]
Verizon collects information about our customers that helps to provide them with Verizon services.
Policy: Verizon Privacy and Customer Security Policies, Principle 1
This information may also be used to protect customers, employees and property against fraud, theft or abuse; to conduct industry or consumer surveys; and to maintain good customer relations.
Policy: Verizon Privacy and Customer Security Policies, Principle 1
Verizon may ask customers questions to better serve their special needs and interests. For example, our telephone company may ask whether customers work at home, whether any members of the household have special needs, or whether teenagers reside in the household, in order to determine whether customers may be interested in additional lines, ISDN or other services.
Policy: Verizon Privacy and Customer Security Policies, Principle 1
Access to databases containing customer information is limited to employees who need it to perform their jobs -- and they follow strict rules when handling that information.
Policy: Verizon Privacy and Customer Security Policies, Principle 1
Verizon may use individual customer data internally for planning and marketing purposes
Policy: Verizon Privacy and Customer Security Policies, Principle 3
Verizon permits customers to control how and when their personal information is released
Exception: When required by law.
Policy: Verizon Privacy and Customer Security Policies, Principle 4
Exception: When served with valid legal process
Policy: Verizon Privacy and Customer Security Policies, Principle 4
Exception: To protect the health and safety of customers, employees, or property.
Policy: Verizon Privacy and Customer Security Policies, Principle 4
Verizon employees may not intrude, tamper, or disclose the existence or contents of customer communications
Exception: Required by law
Exception: To manage network
Verizon employees may only access customer information in databases if they need it to perform their jobs
All Verizon employees are responsible for safeguarding individual customer communications and information.
Verizon personnel must be aware of and protect the privacy of all forms of customer communications -- whether they are voice, data or image transmissions -- as well as individual customer records.
Verizon personnel may use safeguards to increase data accuracy and to identify and authenticate the sources of customer information. Sensitive, confidential, or proprietary records must be protected and maintained in a secure environment
Policy: Verizon Privacy and Customer Security Policies, Principle 7
Verizon must disclose information, as necessary, to comply with court orders or subpoenas.
Policy: Verizon Privacy and Customer Security Policies, Disclosure of Information Outside Verizon
[Need "strict" handling rules]
“No otherwise qualified handicapped individual shall, solely by reason of his handicap, be excluded from participation in, be denied the benefits of, or be subject to discrimination under any program or activity within the Commonwealth.”
Law: Massachusetts Constitution, Article 114
(Where it has no specific rules, MA looks to federal Americans with Disabilities Act for guidance)
(need cite)
Law: 42 USC § 12102(2)
Law: 42 USC § 12113(b)
The risk must be imminent, not speculative or remote
Policy: EEOC Guidance Letter, Jan. 1998 (p. 1, para. 4)
It must not be possible to eliminate or reduce the risk below the level of "direct threat" by reasonable accommodation
Law: 42 USC § 12111(3)
Files in the General Counsel's office are attorney-client privileged.
Attorney-client privilege exists for advice given privately by an attorney to a client.
A corporation can be a client and hold an attorney-client privilege
Case law: United States v. Louisville & Nashville R. Co., 236 U.S. 318, 336 (1915)
The people who are considered the "client" for this purpose are members of the corporation's "control group" - senior managers who can make decisions for the corporation; they may receive advice on behalf of the client.
In addition, the attorney may seek information from any employee that is needed in order to provide meaningful advice; in that context, the lawyer may share sufficient information to explain the context of the request for information.
The privilege is broken (no longer exists), if information is shared with any third party (including employees not described in the prior two points)
Case Law: Upjohn Co. v. United States, 449 US 383 (1981) (Section II)
A Massachusetts district court justice or associate justice may commit a person to long-term hospitalization at a tuberculosis treatment center, if the person has an active case of tuberculosis, resides within or is present in the court's jurisdiction, and an appropriate petition has been filed.
The individual must be given notice of his right to a hearing.
The individual may have counsel and witnesses present at the hearing.
Law: MGL C. 6, Ch. 111, Section 94C
The petition for commitment must show that the person has TB, is unwilling or unable to accept proper medical treatment, and is a serious danger to public health because of this. [Inverse: A person can avoid commitment and remain at home by showing that he is willing and able to accept proper medical treatment.]
Law: MGL C. 6, Ch. 111, Section 94A
The Secretary of Health and Human Services (HHS) shall collect and make available through publications and other appropriate means, information as to research, investigations, experiments, demonstrations, and studies relating to the causes, diagnosis, treatment, control, and prevention of physical and mental diseases.
Law: 42 USC § 241(a)(1)
Certain categories of student information are designated by the Institute as directory information and may be released without the student's prior consent and without a record being made of these disclosures. This information includes: Name, Term and permanent home address, MIT office address, Term phone number, Term electronic mail address.
Students have the right to withhold directory information from disclosure, including disclosure in printed and online publications of the directory, except to Institute officials who have a need to know it.
Policy: MIT Student Directory Dissemination Privacy
Using or facilitating the use by others of the Student Directory or similar listings for non-Institute purposes is a violation of Institute policy.
Policy: MIT Student Directory Use Privacy
[Propose to add new rules:
Government officials may have access to names and contact information for parents of troop members if the government officials can show that the children members' lives are at imminent risk.
Policy: [new file needed]
[Propose to add new rules:
Government officials may only use names and contact information for parents of troop members to work to ameliorate the imminent risk to the lives of the children members.
Policy: [new file needed]
[Assumes the Choir operates using FOAF and the Choirmaster only has the member URIs]
Government officials may have access to the URIs of Choir members in order to fulfill one of the legally authorized purposes of the agency.
Policy: [new file needed]
[Assumes the Choir operates using FOAF and the Choirmaster only has the member URIs]
Government officials may only use the URIs of Choir members and any information they obtain from them to fulfill the legally authorized purpose of the agency for which they obtained the information.
Policy: [new file needed]
Dole will release cross-directory information to government officials who pay Dole's fee.
Policy: [new file needed]
"'Electronic communication' means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce, but does not include—
(A) any wire or oral communication;
(B) any communication made through a tone-only paging device;
(C) any communication from a tracking device (as defined in section 3117 of this title); or
(D) electronic funds transfer information stored by a financial institution in a communications system used for the electronic storage and transfer of funds;"
Law: 18 USC § 2510(12)
A provider of remote computing service or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by paragraph (1) or (2)) to any governmental entity.
Law: 18 USC § 2702(a)(3)
Exceptions for disclosure of communications.— A provider described in subsection (a) may divulge the contents of a communication—
to a Federal, State, or local governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency.
Law: 18 USC § 2702(b)(8)
CredCa uses Mastercard's privacy rules.
Policy: [KKW Hypothetical]
MasterCard will use personal information when a cardholder has been given adequate notice of the intended use and/or as otherwise permitted by law.
Policy: Mastercard Privacy Position
Locator: First para, last sentence
All persons with access to personal data should be aware of privacy concerns and should be familiar with the laws and policies governing the collection and use of such information.
Policy: Mastercard Privacy Position
Locator: First bullet item
Only those employees with a legitimate business need and authorization should have access to the data.
Policy: Mastercard Privacy Position
Locator: Third bullet item
No Government authority may have access to or obtain copies of, or the information contained in the financial records of any customer from a financial institution.
Law: 12 USC § 3402
Nothing in this chapter shall prohibit a Government authority from obtaining financial records from a financial institution if the Government authority determines that delay in obtaining access to such records would create imminent danger of—physical injury to any person;
In the event that the Government seeks customer financial records because of the risk of physical injury, the Government shall submit to the financial institution the certificate required in section 3403 (b) of this title signed by a supervisory official of a rank designated by the head of the Government authority.
Law: 12 USC § 3414(b)(2)
A financial institution shall not release the financial records of a customer until the Government authority seeking such records certifies in writing to the financial institution that it has complied with the applicable rules under the Right to Financial Privacy Act.
Law: 12 USC § 3403(b)
Within five days of obtaining access to financial records under this subsection, the Government authority shall file with the appropriate court a signed, sworn statement of a supervisory official of a rank designated by the head of the Government authority setting forth the grounds for the emergency access. The Government authority shall thereafter comply with the notice provisions of section 3409 (c) of this title.
Law: 12 USC § 3414(b)(3)
[KKW created this fictional regulation. To create another privacy compliance failure, this reg could be changed to reflect designation of a higher level authority while leaving the transaction data reflecting that the physician investigator signed the request.]
The Secretary of HHS has delegated to all physician investigators the authority to request customer financial records from financial institutions in the event that the information is needed to preclude or contain the spread of an infectious disease that can cause physical injury.
Policy: 42 CFR 9999
[Note: 42 CFR is for Public Health regs. There is no 9999.]
If the government agency receiving customer financial records from a financial institution under RFPA wishes to share them with another agency, there are six user limitations.
Law: 12 USC § 3412
If required by law
For public health activities such as tracking diseases or medical devices
To avert serious threats to the health or safety of you or the public, but we will only share your health information with someone able to help prevent the threat
Policy: MIT Health Plan Privacy Non-Routine Uses
Locator: bullets at bottom of page 1
----------------------------
Last updated $Revision: 3149 $ of $Date: 2007-07-11$ by K. Krasnow Waterman and Chris Hanson