Privacy

Wednesday, October 14, 2009

The HITECH act and compliance trends

The Health Information Technology for Economic and Clinical Health (HITECH) Act that recently went into effect has provisions that encourage, but don't require, covered entities to encrypt PHI. The Interim Final Rule (45 CFR Parts 160 and 164) that implements part of the HITECH Act requires notification of the unauthorized use or disclosure of unencrypted PHI that "poses a significant risk of financial, reputational, or other harm" to an individual.

Some conspiracy theorists seem to believe that this wording was included to allow businesses to avoid the high costs of breach notifications by arguing that their analysis shows that their breach didn't cause a significant risk of harm. A more reasonable explanation is that similar language dates back as far as the original Privacy Act of 1974, and is already included in the existing state breach notification laws.

But if the breach notification requirements of the HITECH Act aren't there to let businesses freely violate our privacy while giving us the illusion of it being protected, why are they there?

The breach notification requirements of the HITECH Act are probably best understood as part of a trend that's slowly but surely increasing the protection that sensitive data needs to have. This trend started with laws and regulations that required organizations to protect sensitive information, although the exact way in which they protect it is typically very flexible. It then moved to requiring notification of breaches of unencrypted sensitive information. At this point, encryption still isn't required, but there's a strong incentive to use it to avoid expensive breach disclosures. The next step is to require organizations to encrypt sensitive information.

The HIPAA Privacy Rule was the first step in this process for PHI. It required health care organizations to protect PHI, although they could implement this protection in many ways. The HITECH Act is the next step. It essentially requires the notification of breaches of PHI that isn't encrypted. In the future, we will probably see a federal law that actually requires the encryption of PHI. This has already happened in some states.

In 2008, Nevada law (NRS 597.970) required the encryption of Nevada residents' sensitive information when it's transmitted outside a business' secure network. The Massachusetts encryption law (201 CMR 17.00) did the same for Massachusetts residents a short while later. Legislators are now considering similar laws in other states, and similar data encryption laws will probably become widespread over the next several years. It's now hard to avoid complying with these state laws, and it's going to get even harder in the future.

How to comply with these laws in a reasonable way is still an unsolved problem. Legislators want businesses to protect sensitive information, but not at a cost that's too high to be practical for a business that needs to be profitable to survive.

Encryption is notoriously hard and expensive to use, but a combination of newer technologies and motivated IT departments is leading to solutions that are much more practical than they were a few years ago. Technologies like identity-based encryption, for example, are at least a factor of three less expensive to own and operate than the aging PKI technology that dates back to the dot-com boom. That's often enough of a difference to make encryption practical where it once wasn't.

Once the states find what works and what doesn't, it's likely that the federal government will raise the bar and require the encryption of all PHI, and when they do this, they will probably base exactly what they require on the lessons that the states have learned. Let's hope that this happens soon.

There has been lots of media coverage of the recent data breaches that have exposed millions of credit card numbers to hackers. But while it's relatively easy to cancel a compromised credit card and get a new one, it's not really practical to cancel and get a new medical history. Once it's compromised, it's compromised forever. Because of this, PHI deserves to have strong protection, and encrypting PHI is the best way to do this. The breach notification requirements of the HITECH Act only encourage encryption, but they're a good step towards ensuring that PHI gets the protection that it deserves.

Friday, October 02, 2009

Did privacy cause identity theft?

In his article "Did Privacy Cause Identity Theft?" law professor Lynn LoPucki claims that the problem of identity theft that we have today is directly due to the increased privacy that various laws have given us in the past several years. He says that as recently as the '70s, identity theft was very hard for a criminal to pull off because there was so much public information about our identities. And because identity thieves need privacy to commit their crimes, the very privacy that we think is making things better for us has actually made it easier for identity theft to happen.

There's certainly a correlation between the proliferation of privacy laws and identity theft, but attributing the identity theft to the laws may be an example of post hoc reasoning. It seems to me that the ways in which identities were verified in the past didn't really take advantage of the additional information that was available at the time, even though it was available.

Instead of believing that our higher level of privacy has caused the higher rates of identity theft that we see today, I'd guess that it's just a case of criminals using the technology that's available to them. At the same time that stricter privacy laws made it easier for identity thieves to commit identity theft, information technology also proliferated. When this happened, there was much more information available to identity thieves, so they naturally used this information to commit identity theft. I'd guess that's why identity theft is a bigger problem today than it once was, and that the increased amount of identity theft isn't related to the stricter privacy laws at all.

On the other hand, I could be wrong. If that's the case, then I would expect LoPucki's model to predict that identity theft will decrease over the next several years as the proliferation of social networking web sites provides a handy source for lots of public information about our identities. Or I would expect his model to predict that users of social networking web sites suffer less identity theft than people who don't.

I don't believe that either of these will turn out to be true.

Thursday, October 01, 2009

The Right to Privacy

The 1890 Harvard Law Review article "The Right to Privacy" by Samuel Warren and Louis Brandeis is probably one of the most influential articles ever written on the topic of the protection of privacy. In this article, Warren and Brandeis argued that common law contained the foundation for effectively protecting privacy and that it was possible to modify and extend common law to make this happen.

From reading "The Right to Privacy," it certainly looks like Warren and Brandeis started thinking about the need to protect privacy because technological innovations were making it easier and easier to violate privacy. We have this same problem today. Cell phone carriers have databases of every call that we make as well as where we are when we make these calls, and e-commerce web sites track every click that you make and every page that you view.

Back in the 1880s, however, the problem was apparently a bit different. The example that Warren and Brandeis use again and again is that of the loss of privacy that the new technologies for photography allow. After all, if anyone can take a photograph without you knowing it, the possibilities for abuse of the technology are limited only by the imagination of the people who have cameras.

From the early twenty-first century, it almost seems hard to believe that cameras could cause so much concern. I wonder if people 100 years from now will have the same reaction to the privacy concerns that we have today. People seem to have adjusted to the widespread use of cameras fairly well, and they seem to have done this by accepting that the violation of privacy that they allow is an acceptable cost of using the technology. It may seem hard to believe now, but we might adjust to today's information technology by accepting the violations of privacy that it allows. I wouldn't be surprised if that's how things turn out in the future.

Tuesday, September 29, 2009

Records, Computers and the Rights of Citizens

Although identity theft is now getting more media coverage than it once did, the need to protect the sensitive personal information that's used to commit identity theft has been well known for many years. As far back as 1973 this was known to be a problem. That's when the report Records, Computers and the Rights of Citizens was written for Caspar Weinberger, who was then Secretary of Health, Education, and Welfare.

This report discussed the problems of privacy and recommended that the following five principles be used to create a “federal code of fair information practice” that would be enforced by one or more federal laws:

  • There must be no personal data record keeping systems whose very existence is secret.
  • There must be a way for an individual to find out what information about him is in a record and how it is used.
  • There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent.
  • There must be a way for an individual to correct or amend a record of identifiable information about him.
  • Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data.

The government has known for over 35 years that protecting sensitive personal information is a problem that needs to be addressed. Let’s hope that they can manage to do what needs to be done before we can say that they’ve known about the problem for over 40 years and still not addressed it.
