We came across some useful information from CRC Press and the Federal Trade Commission and have combined it into the summary below on the topic of general privacy laws in the United States of America. Please refer to the original sources below for more detailed information.
Privacy laws in the United States of America cover several topics and industries related to the concept of privacy. The right to privacy, generally defined as the "right to be let alone," deals with the right to regulate the way in which sensitive information about individuals is collected by government and private agencies.
We are interested in generating some discussion on this topic in our Healthcare Privacy Community. Please visit this space to join the conversation.
Overview of Privacy Acts
- Electronic Communications Privacy Act of 1986 - 18 U.S. Code sections 2510-2522, 2701-2711, 3121, 1367.
- This law amends the federal wiretap law to cover specific types of electronic communications, such as e-mail, radio-paging devices, cell phones, private communications carriers, and computer transmissions. It also extends the ban on the interception to the communications of wire or electronic communication services and sets restrictions on access to stored wire and electronic communications and transaction records.
- Family Educational Rights and Privacy Act of 1974 (FERPA) - 20 U.S. Code section 1232g.
- This law restricts the disclosure of educational records maintained by educational agencies and institutions that receive federal funding.
- Fair Credit Reporting Act (FCRA) - 15 U.S. Code sections 1681-1681u.
- This law is designed to promote accuracy, fairness, and privacy of information in the files of the credit bureaus that gather and sell information about consumers to creditors, employers, landlords and other businesses.
- Fair Debt Collection Practices Act - 15 U.S. Code sections 1692-1692p.
- The purpose of this is “to eliminate abusive debt collection practices by debt collectors, to insure that those debt collectors who refrain from using abusive debt collection practices are not competitively disadvantaged, and to promote consistent State action to protect consumers against debt collection abuses.” For more information, see the FTC Fair Debt Collection guide.
- Financial Services Modernization Act of 1999, Gramm-Leach-Bliley (GLB), Privacy Rule - 15 U.S. Code sections 6801-6809.
- The federal GLB law permits the consolidation of financial services companies and requires financial institutions to issue privacy notices to their customers that explain their information-sharing practices and give customers the opportunity to opt-out of some sharing of personally identifiable financial information with outside companies.
- Video Privacy Protection Act of 1988 - 18 U.S.Code section 2710.
- This law was originally intended to limit the conditions under which a video rental or sales outlet may disclose personally identifiable information about consumers, including viewing history. Even though videotapes have been practically replaced by other technology, such as DVDs and streaming video, this law still applies to such “similar audio visual materials.” Consumers have the right to opt-out from disclosure of their name and address (e.g., in a mailing list), and can sue for actual and punitive damages, and attorneys’ fees and costs, if they are harmed by a violation of this law. This law was recently amended to enable sharing of viewing history, still with consumers’ written consent, on Internet sites such as Facebook and Netflix.
- HHS Privacy and Security Framework Principles
- Guide to Privacy and Security of Electronic Health Information in the United States
- Sample HIPAA Confidentiality Agreements for Medical Practice Vendors
- The Health Insurance Portability and Accountability Act (HIPAA)
The Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.
The GLBA primarily sought to "modernize" financial services, that is, to end regulations that prevented the merger of banks, stock brokerage companies, and insurance companies. The removal of these regulations, however, raised significant risks that these new financial institutions would have access to an incredible amount of personal information, with no restrictions on its use.
Prior to GLBA, the insurance company that maintained your health records was distinct from the bank that mortgaged your house and the stockbroker that traded your stocks. Once such companies merge, however, they have the ability to consolidate, analyze and sell the personal details of their customers' lives. Because of these risks, the GLBA included three simple requirements to protect the personal data of individuals:
- First, banks, brokerage companies, and insurance companies must securely store personal financial information.
- Second, they must advise you of their policies on sharing of personal financial information.
- Third, they must give consumers the option to opt-out of some sharing of personal financial information.
- Federal Identity Theft and Assumption Deterrence Act of 1998 - 18 U.S. Code section 1028.
- This law makes it a federal crime to produce or possess false or unauthorized identification documents, or to use another's identity to commit an activity that violates Federal law or that is a felony under state or local law.
- Children's Online Privacy Protection Act (COPPA) - 15 U.S. Code section 6501 and following.
- The goal of COPPA is to place parents in control over what information is collected from their young children online. With limited exceptions, COPPA and the related FTC Rule require operators of commercial web sites and online services to provide notice and get verifiable parental consent before collecting personal information from children under the age of 13.
- Computer Fraud and Abuse Act of 1984 - 18 U.S. Code section 1030.
- This law makes unauthorized access to "protected computers" illegal. Protected computers include U.S. government computers, computers used in interstate or foreign commerce or communication, and computers used by financial institutions. It also prohibits trafficking in computer passwords and damaging a protected computer.
- Computer Matching & Privacy Protection Act of 1988 & Amendments of 1990 - 5 U.S. Code section 552a (a)(8)-(13), (e)(12), (o), (p), (q), (r), & (u).
- This law amends the federal Privacy Act of 1974 and sets requirements that federal agencies must follow when performing certain automated comparisons of federal benefit program information of individuals with information held by other federal, state or local agencies.
To ensure that you are fully protecting a person's right to privacy, you must ensure that (1) any person seeking access to health information has the right to access the data; (2) the person is who he or she claims to be; and (3) the person is permitted access to the data. You must be able to provide, on request of a patient, a list of all access to that person's data and ensure that you hold anyone accountable for inappropriate access or use of the data.
While privacy and security are two different areas, there is overlap between them. To help structure the understanding of and approach to privacy policies, Kolkman and Brown devise the "5 A's of Security":
- Authentication
- Ensuring that individuals logging into a system are who they say they are.
- Authorization
- Determining that individuals are allowed to access the HIE.
- Access to data
- Determining to which data individuals have access and what actions they are allowed to take relative to that data.
- Audit policies
- Ensuring that you can consistently inspect what records have been accessed and by whom.
- Accountability
- Determining how you will hold those responsible for breaches liable.
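The 5 A's above map directly onto a small access-control layer. The following is an added example, not code from the original page or from Kolkman and Brown: a toy record store that authenticates a user, checks role and treatment relationship before releasing a patient record, restricts which fields each role can see, writes every attempt (allowed or denied) to an audit log, and can produce the per-patient access list a patient may request. The roles, field permissions, users, passwords and patient records are all constructed for the demonstration.

```python
"""Added example: minimal authentication / authorization / field-level access /
audit / accountability layer for health records. All users, roles and records
below are constructed sample data, not from any real system."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed permission matrix (assumption): actions a role may perform and
# which record fields that role may see. Clerks get no clinical data at all.
ROLE_ACTIONS = {"physician": {"read", "update"}, "nurse": {"read"}, "clerk": set()}
ROLE_FIELDS = {
    "physician": {"diagnosis", "medications", "notes"},
    "nurse": {"medications"},
    "clerk": set(),
}


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    username: str
    role: str
    salt: bytes
    pw_hash: bytes
    treating: set = field(default_factory=set)  # patient ids this user treats


@dataclass
class AuditEvent:
    when: str
    user: str
    patient_id: str
    action: str
    allowed: bool
    reason: str


class RecordStore:
    def __init__(self):
        self.users, self.records, self.audit_log = {}, {}, []

    def add_user(self, username, role, password, treating=()):
        salt, digest = hash_password(password)
        self.users[username] = User(username, role, salt, digest, set(treating))

    # A1 Authentication: is the caller who they claim to be? Constant-time compare.
    def authenticate(self, username, password) -> Optional[User]:
        user = self.users.get(username)
        if user is None:
            return None
        _, digest = hash_password(password, user.salt)
        return user if hmac.compare_digest(digest, user.pw_hash) else None

    def _log(self, user, patient_id, action, allowed, reason):
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, patient_id, action, allowed, reason))

    # A2 Authorization + A3 Access to data: role must permit the action, the user
    # must have a treatment relationship with the patient, and only the fields
    # the role is entitled to are returned. Every decision is audited (A4).
    def access(self, username, password, patient_id, action) -> Optional[dict]:
        user = self.authenticate(username, password)
        if user is None:
            self._log(username, patient_id, action, False, "authentication failed")
            return None
        if action not in ROLE_ACTIONS.get(user.role, set()):
            self._log(username, patient_id, action, False, f"role {user.role} may not {action}")
            return None
        if patient_id not in user.treating or patient_id not in self.records:
            self._log(username, patient_id, action, False, "no treatment relationship")
            return None
        self._log(username, patient_id, action, True, "ok")
        allowed_fields = ROLE_FIELDS[user.role]
        return {k: v for k, v in self.records[patient_id].items() if k in allowed_fields}

    # A4 Audit: list of all access to one patient's data, on the patient's request.
    def access_report(self, patient_id):
        return [e for e in self.audit_log if e.patient_id == patient_id]

    # A5 Accountability: denied attempts attributed to a named user.
    def denied_attempts(self, username):
        return [e for e in self.audit_log if e.user == username and not e.allowed]


def build_demo_store() -> RecordStore:
    """Constructed sample data for the demonstration."""
    store = RecordStore()
    store.records["P-001"] = {"diagnosis": "hypertension", "medications": ["lisinopril"],
                              "notes": "follow-up in 3 months"}
    store.records["P-002"] = {"diagnosis": "asthma", "medications": ["albuterol"], "notes": ""}
    store.add_user("dr_lee", "physician", "demo-pw-1", treating={"P-001"})
    store.add_user("nurse_kim", "nurse", "demo-pw-2", treating={"P-001"})
    store.add_user("clerk_jo", "clerk", "demo-pw-3")
    return store


if __name__ == "__main__":
    s = build_demo_store()
    s.access("dr_lee", "wrong", "P-001", "read")          # denied: bad password
    s.access("dr_lee", "demo-pw-1", "P-001", "read")      # allowed: full record
    s.access("nurse_kim", "demo-pw-2", "P-001", "read")   # allowed: medications only
    s.access("dr_lee", "demo-pw-1", "P-002", "read")      # denied: not treating P-002
    for e in s.access_report("P-001"):
        print(e)
```

Each denial is logged with its reason, so the report a patient receives distinguishes a failed login from an authorized clinician's legitimate read, and the denied-attempts view gives the compliance officer the evidence needed to hold a specific account holder responsible.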
Privacy laws in the United States extend widely to the right to privacy and preventing the invasion of privacy. This includes the right to privacy in such areas as finance, technology and cybersecurity, politics, education, the media, and, of course, healthcare. Healthcare information provides a special case of privacy-related policies and laws, as healthcare information must be passed between different providers and requires protection. Healthcare information laws also protect the method in which medical information may be used for research and marketing, to minimize the risk of disclosure. Read more about USA related healthcare privacy legislation here.