“Privacy Implications of RFID Technology in Health Care Settings”
Marc Rotenberg, President, EPIC
Dept. of Health & Human Services, Washington, DC
11 January 2005

Health Care Applications for RFID
• Label bulk products
• Label products for patients (amber vials)
• Identify patients - temporary (ID cards)
• Identify patients - permanent (implant)

Multiple Privacy Frameworks
• Fair Information Practices (FIP)
• HIPAA Privacy Rule (2002)
• EPIC RFID Guidelines (2004)
• Common concern: collection and use of Personally Identifiable Information (PII)
• (Non-PII problems arise with data, but they are not typically characterized as “privacy concerns”)
Privacy Risks with PII
• Data mismanagement: inaccurate, incomplete, out of date
• Data misuse: data used for other purposes adverse to the interests of the data subject (employment, insurance, travel)
• Lack of transparency and of data subject control
• Loss of freedom

HIPAA and PII
• HIPAA Privacy Rule (2002) adopts multiple terms:
  • Health Information
  • Individually Identifiable Health Information (IIHI)
  • Protected Health Information (PHI)
  • Patient Identified Information (PII)
  • Deidentified Information (DI)
EPIC RFID Guidelines (2004)
• RFID Users (no PII)
  • Duties: notice, disable tags, removal, accountability
  • Prohibitions: tracing, recording data, coercing collection
• RFID Users (with PII)
  • Duties: written consent and application of broad Fair Information Practices, including minimization
• Rights of RFID Subjects
  • Access and correct data, remove tags, hold users accountable

Legislative Developments
• Int’l Privacy Commissioners affirm application of data protection principles and recommend deletion (2003)
• US state bills
  • Massachusetts and Maryland bills
  • Maryland established an RFID task force
  • California bill provides strong safeguards
• Hearings at the Federal Trade Commission (2004)

EPIC Recommendations on RFID for NCVHS, HHS
• Adopt Four Tier Approach to RFID Policy
• Tier 1 (bulk distribution of products):
  • No links to specific individuals
  • No collection of PII
  • No privacy risk
  • No privacy obligations

EPIC RFID Recommendations (cont’d)
• Tier 2 (product distribution to patient):
  • Privacy risk proportional to collection of PII
  • Current privacy rules apply
  • Additional rules will be necessary (EPIC RFID Guidelines)

EPIC RFID Recommendations (cont’d)
• Tier 3 (temporary identification of patients):
  • Current privacy rules apply
  • Significant risk of identity theft
  • Security concerns become significant
  • Can context be limited?
EPIC RFID Recommendations (cont’d)
• Tier 4 (permanent identification of patients):
  • Coercive and profound, with far-reaching ethical implications
  • Privacy risk is greatest: permanent loss of control over disclosure of actual identity
  • More than 1 million animals have been permanently tagged
  • HHS should prohibit this practice

EPIC RFID References
• Privacy and Human Rights: An International Survey of Privacy Laws and Developments 115-123 (2004)
• Proposed Guidelines for Use of RFID Technology (EPIC 2004)
• “RFID Technology: What the Future Holds for Commerce, Security and the Consumer” (House Commerce Committee 2004)
• “RFID: Application and Implications for Consumers” (FTC 2004)
• EPIC RFID Page, http://www.epic.org/privacy/rfid