PowerPoint Presentation - Privacy Implications of RFID Technology ...

guineanscarletΗλεκτρονική - Συσκευές

27 Νοε 2013 (πριν από 4 χρόνια και 4 μήνες)

94 εμφανίσεις

“Privacy Implications of RFID
Technology in Health Care Settings”

Marc Rotenberg

President EPIC

Dept. of Health & Human Services

Washington, DC

11 January 2005

Health Care Applications for

Label bulk products

Label products for patients (amber vials)

Identify patients

temporary (ID cards)

Identify patients

permanent (implant)

Multiple Privacy Frameworks

Fair Information Practices (FIP)

HIPAA Privacy Rule (2002)

EPIC RFID Guidelines (2004)

Common concern: collection and use of
Personally Identifiable Information (PII)

PII problems arise with data but they
are not typically characterized as “privacy

Privacy Risks with PII

Data mismanagement: inaccurate,
incomplete, out of date

Data misuse: data used for other purposes
adverse to the the interests of the data
subject (employment, insurance, travel)

Lack of transparency, data subject control

Loss of freedom


HIPPA Privacy Rule (2002) adopts multiple

Health Information

Individually Identifiable Health Information

Protected Health Information (PHI)

Patient Identified Information (PII)

Deidentified Information (DI)

EPIC RFID Guidelines (2004)

RFID Users (no PII)

Duties: Notice, disable tags, removal, accountability

Prohibitions: Tracing, recording data, coercing

RFID Users (with PII)

Duties: written consent and application of broad Fair
Information Practices, including minimization

Rights of RFID Subjects

Access and correct data, remove tags, hold accountable

Legislative Developments

Int’l Privacy Commissioners affirm application of
data protection principles and recommend deletion

US state bills

Massachusetts and Maryland bills

Maryland established an RFID task force

California bill provides strong safeguards

Hearings at the Federal Trade Commission (2004)

EPIC Recommendations on

Adopt Four Tier Approach to RFID Policy

Tier 1 (bulk distribution of products):

No links to specific individuals

No collection of PII

No privacy risk

No privacy obligations

EPIC RFID Recommendations

Tier 2 (product distribution to patient):

Privacy risk proportional to collection of PII.

Current privacy rules apply.

Additional rules will be necessary (EPIC RFID

EPIC RFID Recommendations

Tier 3 (temporary identification of patients):

Current privacy rules apply.

Significant risk of identity theft

Security concerns become significant

Can context be limited?

EPIC RFID Recommendations

Tier 4 (permanent identification of

Coercive and profound. Far
reaching ethical

Privacy risk is greatest

permanent loss of
control over disclosure of actual identity

More than 1 m animals have been permanently

HHS should prohibit this practice

EPIC RFID References

Privacy and Human Rights: An International Survey
of Privacy Laws and Developments 115
123 (2004)

Proposed Guidelines for Use of RFID Technology
(EPIC 2004)

“RFID Technology: What the Future Holds for
Commerce Security and the Consumer” (House
Commerce Committee 2004)

“RFID: Application and Implications for Consumers
(FTC 2004)

EPIC RFID Page, http://www.epic.org/privacy/rfid