
Nov 27, 2013

“Privacy Implications of RFID Technology in Health Care Settings”

Marc Rotenberg
President, EPIC

Dept. of Health & Human Services
Washington, DC
11 January 2005

Health Care Applications for RFID

1) Label bulk products
2) Label products for patients (amber vials)
3) Identify patients - temporary (ID cards)
4) Identify patients - permanent (implant)

Multiple Privacy Frameworks

- Fair Information Practices (FIP)
- HIPAA Privacy Rule (2002)
- EPIC RFID Guidelines (2004)
- Common concern: collection and use of Personally Identifiable Information (PII)
- (Non-PII problems arise with data, but they are not typically characterized as “privacy concerns”)

Privacy Risks with PII

- Data mismanagement: inaccurate, incomplete, out of date
- Data misuse: data used for other purposes adverse to the interests of the data subject (employment, insurance, travel)
- Lack of transparency and of data subject control
- Loss of freedom

HIPAA and PII

- HIPAA Privacy Rule (2002) adopts multiple terms:
  - Health Information
  - Individually Identifiable Health Information (IIHI)
  - Protected Health Information (PHI)
  - Patient Identified Information (PII)
  - Deidentified Information (DI)

EPIC RFID Guidelines (2004)

- RFID Users (no PII)
  - Duties: notice, disable tags, removal, accountability
  - Prohibitions: tracing, recording data, coercing collection
- RFID Users (with PII)
  - Duties: written consent and application of broad Fair Information Practices, including minimization
- Rights of RFID Subjects
  - Access and correct data, remove tags, hold accountable


Legislative Developments

- Int’l Privacy Commissioners affirm application of data protection principles and recommend deletion (2003)
- US state bills
  - Massachusetts and Maryland bills
  - Maryland established an RFID task force
  - California bill provides strong safeguards
- Hearings at the Federal Trade Commission (2004)


EPIC Recommendations on RFID for NCVHS, HHS

- Adopt Four Tier Approach to RFID Policy
- Tier 1 (bulk distribution of products):
  - No links to specific individuals
  - No collection of PII
  - No privacy risk
  - No privacy obligations

EPIC RFID Recommendations (cont’d)

- Tier 2 (product distribution to patient):
  - Privacy risk proportional to collection of PII
  - Current privacy rules apply
  - Additional rules will be necessary (EPIC RFID Guidelines)

EPIC RFID Recommendations (cont’d)

- Tier 3 (temporary identification of patients):
  - Current privacy rules apply
  - Significant risk of identity theft
  - Security concerns become significant
  - Can context be limited?

EPIC RFID Recommendations (cont’d)

- Tier 4 (permanent identification of patients):
  - Coercive and profound; far-reaching ethical implications
  - Privacy risk is greatest: permanent loss of control over disclosure of actual identity
  - More than 1 million animals have been permanently tagged
  - HHS should prohibit this practice

EPIC RFID References

- Privacy and Human Rights: An International Survey of Privacy Laws and Developments 115-123 (2004)
- Proposed Guidelines for Use of RFID Technology (EPIC 2004)
- “RFID Technology: What the Future Holds for Commerce Security and the Consumer” (House Commerce Committee 2004)
- “RFID: Application and Implications for Consumers” (FTC 2004)
- EPIC RFID Page, http://www.epic.org/privacy/rfid