Submitted by Privacy Rights Clearinghouse
July 24, 2006
Charles Havekost
Deputy Assistant Secretary for Information Technology
Department of Health and Human Services, Room 434E
200 Independence Avenue, SW
Washington, DC 20201
Attention: IMDA RFI Response Submitted electronically:
Disaster_Storage_RFI@hhs.gov
RE: Voluntary Storage of Personal Data in Preparation for Emergencies http://www.hhs.gov/emergency/rfi/
Dear Mr. Havekost:
The Privacy Rights Clearinghouse (PRC)1 submits these comments in response to the Department of Health and Human Services (HHS) Request for Information (RFI) published on May 23, 2006.2 The RFI seeks public input about the availability and feasibility of private sector services that allow individuals to voluntarily store personal data for access in times of emergency. Prompting the RFI was a recommendation made in the White House Report (WH Report) on the federal response to hurricane Katrina.3
We direct our comments as follows:
- Introduction
- Combined Storage of Financial, Medical and Other Personal Data is Risky
- Potential for Public Confusion About Electronic Medical Data
- Existing Privacy and Data Security Laws Are Inadequate
- Voluntary Storage Would Least Help Those Who Need the Most Help
- Business and Government Should Be Responsible For Emergency Storage
- Conclusion
Introduction
Hurricanes Katrina and Rita were devastating. Indeed, nearly one year later, many individuals and families have yet to put their lives back together. Some will never recover. After the immediate concern for safety, victims soon found themselves without vital medical, financial, and other data necessary to begin a move back to normal.
To its credit, the Federal government has undertaken extensive study to examine past failures in emergency preparedness, to document the hard lessons learned, and to make recommendations to better respond to inevitable future disasters. The governmentís review pointed up many areas where disaster preparedness fell short, not the least of which was the inability of citizens to regain a measure of normal life without vital personal data.
The notion of a 21st Century vault for storing personal data for emergency use has a great deal of initial appeal. However, just below the surface lurk multiple concerns about the ability of any existing system -- or even one that could be constructed -- to ensure the public has adequate data privacy and security. Unless and until the government and the marketplace are able to address and resolve inadequate protections in current data infrastructures, this WH Report recommendation should be tabled for the reasons we discuss below.
Combined Storage of Financial, Medical and Other Personal Data Is Risky
The RFI asks what types of information would be relevant for emergencies. (Question 2.a.) The RFI lists birth certificates, wills, and medical information as types of information that might be appropriate for storage. The fact is, to be fully prepared for an emergency in which everything is lost, an individual would have to store nearly every bit of personal information he or she possesses.
Virtual storage could also include bank and other financial records, tax returns, property records, marriage and divorce records, insurance policies, employment records, credit reports, education records, and so on. We do not doubt that technology currently exists to make virtual storage a reality. However, we do not believe adequate privacy and data security can be incorporated into such a system.
Compilations of personal data that could potentially be stored would be a bonanza for identity thieves and others, always on the prowl for personal data to use for illegitimate purposes. No system is fool proof. Data systems,including those maintained by government agencies and large corporations, are routinely hacked. Laptops that contain personal data are reported lost or stolen nearly every day. Passwords may be compromised. Backup tapes may be lost. Dishonest insiders who sell personal data pose another threat. News reports of compromised personal data are nearly a daily event.
In a little over a year, the PRC has documented over 89 million personal records compromised through a data security breach. There is no reason to believe that any private sector entity could promise absolute data security. And, given the potential for the compilation of data included in an emergency storage plan, absolute data security is the only option. Without this, the reasonable question is not what kinds of data could be needed in case of emergency. More appropriately, we should question the wisdom of the federal government encouraging the public to participate in such a plan if absolute data security cannot be guaranteed.
Potential for Public Confusion about Electronic Medical Data:
We note, in addition, that the move is well under way to meet the President’s objective of a National Health Information Network (NHIN). Regional networks are now operational as are some closed employer networks and networks with a common business line such as pharmacies.
In addition, many commercial vendors now market remote storage, software, and portable devices that allow consumers to store personal medical data. The features of these services vary from vendor to vendor. Some allow for data sharing or input from outside parties.
A consumer whose information is already accessible through an existing health network or one who has signed up for a personal health record service may be confused about the need to have health information stored in yet another location.
Existing Privacy and Data Security Laws Are Inadequate
Federal law and regulations establish privacy and data security standards for the most sensitive personal data. Personal financial information is protected to some extent by the federal Gramm-Leach-Bliley Act (GLB), 15 USC ß6801.
Standards for medical privacy and data security are included in regulations promulgated by HHS under the Health Insurance Portability and Accountability Act of 1996 (Pub Law 104-191). The HHS rules, commonly referred to as HIPAA, are found in 45 CFR Parts 160 and 164.
However, protections for personal data extend only to information held by a “financial institution” as defined by GLB and agency regulations or a “covered entity” as defined by HIPAA. The private sector storage service described by the RFI would seem to be neither a “financial institution” under GLB nor a HIPAA “covered entity.” Thus, the principle federal laws that provide individuals with privacy and data security protections would not be applicable to an emergency self-storage facility.
Add to this the fact that the recommendation envisions voluntary submission of data. Because information is provided voluntarily, it seems individuals could forego all rights to privacy granted by existing federal law. For example, if a patient gives copies of his or her medical records to a third party, the patient could not reasonably claim that HIPAA restricts that party’s use of the medical data.
Of course, the service could establish a privacy policy and be held accountable under laws such as the Federal Trade Commission Act. However, this is far less desirable than a specific privacy and security law such as GLB or HIPAA. At a time when Congress seems reluctant to effectively address data privacy and security issues involving data brokers, it questionable that Congress would adopt effective safeguards for a voluntary emergency storage service.
The question of data ownership raises additional questions about privacy and the feasibility of private emergency storage services. Under both GLB and HIPAA, the financial institution and covered entity are considered the “owners” of customer or patient data.
HIPAA, for example, only entitles patients to receive copies of medical records. If this same principle is extended to a private emergency storage service — one not subject to any existing privacy law -- the service would be free to adopt its own privacy and data security plans and change those plans at will. What’s more, without strong legal controls, the temptation for secondary uses of data might be too great to pass up.
Voluntary Storage Would Least Help Those Who Need the Most Help
Effective use of a remote emergency storage system assumes a degree of sophistication and knowledge of technology. As a minimum, the service would require some basic computer skills and understanding of network systems. From all news reports, the people hardest hit by last year's hurricane strikes were the very poor, the elderly and the disabled, individuals who would not be likely to have the equipment and skills necessary to participate in a voluntary storage system.
Participation in a system one does not understand would inevitably lead to some participating under pressure of third parties who may not have the subject's best interests at heart. In a worst case scenario, individuals without the aid of concerned family and friends could become the victim of hucksters offering a superior or cheaper storage option. Indeed, there are numerous pitfalls imaginable when people are encouraged to participate in a plan they do not have the ability to understand.
Another, troubling prospect is that a government encouraged storage facility could become the "gold standard" through which disaster victims receive emergency relief. While this may seem, at first, to contradict the voluntary element of the plan, this is certainly possible if the plan ever takes effect and a majority of citizens participate. It is not too far-fetched to imagine that disaster victims who are "in the system" would be first in line for assistance.
Business and Government Should Be Responsible for Emergency Storage
Vital information that individuals most need after a disaster is already stored with, among others, financial institutions, government agencies, courthouses and academic institutions. Unlike many individuals, institutions do have the knowledge and sophistication to adopt emergency data storage facilities. As discussed previously, it is generally accepted that the institution that houses personal information is the owner of the information.
A better plan for emergency preparedness would be for each institution that holds personal data to adopt identity and access procedures. That way, individuals would not give up all existing privacy rights by voluntarily submitting information to a third party that is not legally bound by privacy and data security restrictions.
Again, we fully appreciate the initial appeal of having vital documents stored for emergency situations. We do not suggest by our comments that the government should remain silent. Indeed, the government should encourage and educate the public about ways to prepare for emergencies, including ways to have vital documents safely stored, electronically or in paper. However, a national, private sector service constructed to store vast amounts of personal data could ultimately cause more public harm than good.
Absent drastic changes in the legal environment, we do not believe it is feasible to provide adequate privacy and data security protections for a private sector emergency storage system. We encourage the HHS to abandon this pursuit until the Federal government itself can answer many of the questions posed in the RFI.
Sincerely,
Beth Givens, Director
Tena Friery, Research Director
Privacy Rights Clearinghouse
3100 5th Ave., Suite B
San Diego, CA 92103
www.privacyrights.org
1The Privacy Rights Clearinghouse is a nonprofit consumer education and advocacy organization based in San Diego, CA, and established in 1992. The PRC advises consumers on a variety of informational privacy issues, including financial privacy, medical privacy and identity theft, through a series of fact sheets as well as individual counseling available via telephone and e-mail. It represents consumersí interests in legislative and regulatory proceedings on the state and federal levels. www.privacyrights.org
271 Federal Register 29642 (May 23, 2006)
3The White House Report recommends that the Federal government encourage private sector development of virtual storage, the 21st century version of a bank vault, where individuals could voluntarily store medical, financial, and other personal data for access if disaster strikes. http://www.whitehouse.gov/infocus/hurricane/
