Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Four Tier Framework for RFID Regulation for medical information


Published on

Published in: Business, Technology
  • Be the first to comment

  • Be the first to like this

Four Tier Framework for RFID Regulation for medical information

  1. 1. “ Privacy Implications of RFID Technology in Health Care Settings” Marc Rotenberg President EPIC Dept. of Health & Human Services Washington, DC 11 January 2005
  2. 2. Health Care Applications for RFID <ul><li>Label bulk products </li></ul><ul><li>Label products for patients (amber vials) </li></ul><ul><li>Identify patients - temporary (ID cards) </li></ul><ul><li>Identify patients - permanent (implant) </li></ul>
  3. 3. Multiple Privacy Frameworks <ul><li>Fair Information Practices (FIP) </li></ul><ul><li>HIPAA Privacy Rule (2002) </li></ul><ul><li>EPIC RFID Guidelines (2004) </li></ul><ul><li>Common concern: collection and use of Personally Identifiable Information (PII) </li></ul><ul><li>(Non-PII problems arise with data but they are not typically characterized as “privacy concerns”) </li></ul>
  4. 4. Privacy Risks with PII <ul><li>Data mismanagement: inaccurate, incomplete, out of date </li></ul><ul><li>Data misuse: data used for other purposes adverse to the the interests of the data subject (employment, insurance, travel) </li></ul><ul><li>Lack of transparency, data subject control </li></ul><ul><li>Loss of freedom </li></ul>
  5. 5. HIPPA AND PII <ul><li>HIPPA Privacy Rule (2002) adopts multiple terms </li></ul><ul><ul><li>Health Information </li></ul></ul><ul><ul><li>Individually Identifiable Health Information (IIHI) </li></ul></ul><ul><ul><li>Protected Health Information (PHI) </li></ul></ul><ul><ul><li>Patient Identified Information (PII) </li></ul></ul><ul><ul><li>Deidentified Information (DI) </li></ul></ul>
  6. 6. EPIC RFID Guidelines (2004) <ul><li>RFID Users (no PII) </li></ul><ul><ul><li>Duties: Notice, disable tags, removal, accountability </li></ul></ul><ul><ul><li>Prohibitions: Tracing, recording data, coercing collection </li></ul></ul><ul><li>RFID Users (with PII) </li></ul><ul><ul><li>Duties: written consent and application of broad Fair Information Practices, including minimization </li></ul></ul><ul><li>Rights of RFID Subjects </li></ul><ul><ul><li>Access and correct data, remove tags, hold accountable </li></ul></ul>
  7. 7. Legislative Developments <ul><li>Int’l Privacy Commissioners affirm application of data protection principles and recommend deletion (2003) </li></ul><ul><li>US state bills </li></ul><ul><ul><li>Massachusetts and Maryland bills </li></ul></ul><ul><ul><li>Maryland established an RFID task force </li></ul></ul><ul><ul><li>California bill provides strong safeguards </li></ul></ul><ul><li>Hearings at the Federal Trade Commission (2004) </li></ul>
  8. 8. EPIC Recommendations on RFID for NCVHS, HHS <ul><li>Adopt Four Tier Approach to RFID Policy </li></ul><ul><li>Tier 1 (bulk distribution of products): </li></ul><ul><ul><li>No links to specific individuals </li></ul></ul><ul><ul><li>No collection of PII </li></ul></ul><ul><ul><li>No privacy risk </li></ul></ul><ul><ul><li>No privacy obligations </li></ul></ul>
  9. 9. EPIC RFID Recommendations (cont’d) <ul><li>Tier 2 (product distribution to patient): </li></ul><ul><ul><li>Privacy risk proportional to collection of PII. </li></ul></ul><ul><ul><li>Current privacy rules apply. </li></ul></ul><ul><ul><li>Additional rules will be necessary (EPIC RFID Guidelines) </li></ul></ul>
  10. 10. EPIC RFID Recommendations (cont’d) <ul><li>Tier 3 (temporary identification of patients): </li></ul><ul><ul><li>Current privacy rules apply. </li></ul></ul><ul><ul><li>Significant risk of identity theft </li></ul></ul><ul><ul><li>Security concerns become significant </li></ul></ul><ul><ul><li>Can context be limited? </li></ul></ul>
  11. 11. EPIC RFID Recommendations (cont’d) <ul><li>Tier 4 (permanent identification of patients): </li></ul><ul><ul><li>Coercive and profound. Far-reaching ethical implications </li></ul></ul><ul><ul><li>Privacy risk is greatest -- permanent loss of control over disclosure of actual identity </li></ul></ul><ul><ul><li>More than 1 m animals have been permanently tagged </li></ul></ul><ul><ul><li>HHS should prohibit this practice </li></ul></ul>
  12. 12. EPIC RFID References <ul><li>Privacy and Human Rights: An International Survey of Privacy Laws and Developments 115-123 (2004) </li></ul><ul><li>Proposed Guidelines for Use of RFID Technology (EPIC 2004) </li></ul><ul><li>“ RFID Technology: What the Future Holds for Commerce Security and the Consumer” (House Commerce Committee 2004) </li></ul><ul><li>“ RFID: Application and Implications for Consumers (FTC 2004) </li></ul><ul><li>EPIC RFID Page, </li></ul>