Personal data privacy rules and regulations present significant challenges to all business and government operations. Solutions are needed that preserve data privacy for the Individual-I and Private Data Owner (PDO) while granting data access to the User-U and Accessor who need to access such data to perform their usual and customary business functions.
Along with the emergence of the digital revolution, a nearly ubiquitous transformation is well under way, which is redesigning the way companies interact and transact business. A direct consequence of this changing business infrastructure is a plethora of digital data records concerning individuals, which are proliferating on a vast scale. These records are maintained in various databases at various locations and across nearly every company and organization with whom an individual interacts. These digital records include private and public information about individuals whose data are needed by organizations, which are either Providers or Consumers of services in connection with a variety of industries, including Legal, Healthcare, Financial, Government and other industries which require strict adherence to rules regarding the confidentiality of a Private Data Owner's (PDO) data.
The digitization and ease of transferability-via communication media of vast quantities of Private Data associated with Consumers of healthcare, legal, financial, government and other services enable business process efficiencies and economies of scale, while significantly increasing the risk that the individual's personal data privacy will be violated. Such privacy violations may be intentional or unintentional and may often be undetectable and untraceable.
Government regulation can be expected to continually impose more and more strict requirements for the service Provider to protect confidential Consumer information and enforce stringent rules in connection with the collection, storage, usage, transferability, presentation and integration of the Consumer's Private Data. Such regulations also have the potential to hinder and interfere with the efficiency of commercial operations and result in the imposition of heavy economic burdens on the Provider who must conform to their mandate. Both Providers and Consumers may be subjected to significant legal exposures as a consequence of alleged violations of privacy laws and regulations while they incur significant expense to comply with such laws and regulations. Some of the industries that are especially burdened by privacy regulations, include (but are not limited to) industries such as insurance, legal, government and healthcare which routinely provider and/or consume:
“claim Services”;
“Legal Services”;
“Healthcare Services”;
Conflict Resolution Services;
“Risk Management Service”; and
“Transaction Management Services.”
“Transaction Management” may include any business or personal transaction, such as healthcare, real estate, insurance, intellectual property (e.g. patent filing, trademark filing, etc.), family (e.g., marriage, adoption, etc.), etc.
Many service/product Providers are often Consumers within a “supply chain” of transactions. For example, a retail store is a Consumer of products at wholesale and a Provider of products at retail. Similarly, organizations, such as insurance companies or law firms, may be both Consumers and Providers of Claims Services and/or Legal Services.
Organizations that both consume and provide Claim Services and Legal Services include property and casualty insurance carriers, life and health insurance carriers, workers compensation insurance carriers, healthcare professionals and facilities and medical malpractice insurance carriers. Government entities are a significant Consumer and Provider of claim Services and Legal Services. Courts and Administrative agencies are massive Consumers and Providers of Legal Services and Conflict Resolution Services. Just about anyone in business today is a Consumer of claim Services, Legal Services and Conflict Resolution Services.
The present problem may be exacerbated by various legislation and regulation affecting the privacy and confidentiality of Private Data. Many business operations can be adversely impacted, as burdensome legal and regulatory requirements interrupt the efficient and effective flows of data (statistical and otherwise) among various Organizations and Individuals. Further limitations and restrictions on the Provider's and Consumer's ability to access and exchange data in order to provide and consume products and services in the usual and customary (and efficient) manner, present significant economic threats to service Providers and Consumers and the vast scope of entities' interests which they represent. The failure to properly conform to legal guidelines in order to protect administrative-level efficiencies can exacerbate the legal liability of the Provider who allegedly failed to properly protect the privacy rights of an Individual.
Digital Records maintained about an individual may include “Private Data” as defined above. Private Data may include non-public data such as the individual's history of medical treatment, history of financial transactions and other confidential and potentially sensitive personal information. Private Data may also include “Public Data”, such as Litigation Records, Motor Vehicle Records and other data maintained in publicly available databases, if such “Public Data” can be used to link an individual's non-public data records to his/her public data records. For example, “Private Data” may include de-identified portions of a person's public data records (such as the person's address and gender) that could be used to reveal portions of the person's Private Data record (such as a confidential communication from public health authorities concerning an infectious disease). Information that can be used to reveal the identity of a person is called “Identifying Information” (or “identifying I or II”).
During the course of consuming or providing various services, it is often necessary to disseminate a person's Private Data and Public Data to third parties. For example, the dissemination of Private Data by Claim Service and Legal Service professionals working for law firms, insurance companies and health care providers can threaten the privacy rights of the Private Data Owner (“PDO”); i.e., the person whose Private Data is being disseminated. Such disclosure could potentially have damaging personal consequences to the PDO and subject the disclosing organization that possesses and releases the PDO's Private Data to severe legal/regulatory consequences and civil/criminal liability. For example, a medical or legal claim may involve the use of the plaintiff's medical records. Specifically, in the case of a medical malpractice claim or other litigation against a health care provider, Private Data must be disclosed to different parties such as legal representatives for each party, expert witnesses, non-party witnesses called by various parties to testify on their behalf, private investigators investigating allegations of fraud and neutrals, such as mediators, arbitrators, judges and juries.
During the course of rendering Legal Services to a physician defending a medical malpractice claim, the plaintiff's claims, legal and medical history and financial records may need to be disclosed to the defendant and the defendant's legal representatives. The health care provider's claims and legal history may need to be disclosed to the plaintiff and the plaintiff's legal representatives. In addition, if treatment and/or healthcare-related services have been rendered by a clinic, hospital or other health care entity, data regarding claims, legal and medical history and financial records may need to be disclosed to all parties and their legal representatives.
In criminal cases, particularly those of a sensitive nature (e.g., rape, incest, sexual assault, hate crimes or crimes involving threats of physical violence), as well as in other types of privacy-sensitive situations (e.g., involving victims of government power abuse, political controversy, activism or terrorism, participants in witness protection programs, etc.), it may be desirable for plaintiffs, defendants and witnesses to maintain a state of pseudonymity. Nevertheless, documents containing identifying information must be maintained and shared among the parties to the legal proceeding and their legal counsel.
Concerns about the privacy of Private Data, especially healthcare-related Private Data, have escalated over the years, giving rise to governmental regulation first initiated throughout the European Union and now in the United States. At the time the present disclosure was written, there are numerous regulations being promulgated under various statutes, such as the Healthcare Information Portability and Accountability Act (HIPAA), which govern all forms of Private Data collection, storage and access. These Statutes and Regulations may prescribe rules for securing the PDO's authorization and procedures that must be followed before Private Data can be properly disclosed by the disclosing entity to a third-party.
These regulations may require that healthcare providers and their trading partners maintain a privacy policy that prevents disclosure of Private Data to third parties, without adherence to strict data security and privacy requirements. Such requirements may include stringent compliance with rules for securing the express written consent of the PDO to the release of Private Data and rules that govern the collection, maintenance and access to healthcare-related Private Data, especially Private Data that may advertently or inadvertently reveal the identity of the PDO. Consequently, the collection, storage, use and exchange of Private Data may be severely impacted by its identification with and traceability to the PDO. There are other statutes and regulations that govern the security and privacy of financial transactions and provide rules that strictly regulate the release of Private Data within commercial sectors.
Statutory and regulatory requirements that regulate third-party access to Private Data can adversely impact the efficiency, effectiveness and economic costs of business processes, while they increase the overall risk of doing business. Many businesses now face potential liability for the unauthorized disclosure of Private Data where no such liability ever existed before. As a result of data privacy rules and regulations, the Provider may also incur increased liability by attempting to perform services without access to the full and complete data that the Provider may need to adequately perform those services. These significant risks have resulted in the development of data privacy insurance products and services.
On Apr. 4, 2002, the American Association of Health Plans (AAHP) released a report conducted by PricewaterhouseCoopers that identified the specific factors responsible for driving costs higher in the United States health care system in 2001. The report examined health care spending during 2001 and found that the average increase in health insurance premiums was 13.7 percent. PricewaterhouseCoopers attributed much of the rise in health care spending to the following factors:
Mandates and government regulation: 15 percent-$10 billion
Impact of litigation: 7 percent-$5 billion
Fraud and abuse and other cost drivers: 5 percent-$3 billion
This study, based on 2001 data, did not address the significant additional cost anticipated from compliance with HIPAA and other privacy-related regulations. More (not less) data is needed to reduce the costs associated with the reported increases in healthcare spending in 2001. Nevertheless, privacy-related regulations can severely limit the Provider's access to the data needed to better manage the costs of government regulation; litigation, fraud and abuse. Unless a robust technical approach can be introduced which enables practical methods for the Provider and Consumer to access and use the PDO's data records, it will become more and more difficult to conduct business within the environment created by legislation and regulation affecting the privacy and confidentiality of Private Data. It will be nearly impossible to manage the costs associated with government regulation, litigation and fraud. Potentially, the time and expense required to perform routine and basic business processes within the constraints imposed by more and more strict privacy rules can adversely impact both the efficiency and effectiveness of all business operations. In order for service Providers and Consumers to stay competitive or even marginally survive in business, it will be of paramount importance to design and implement proper technical infrastructures to conform to the privacy-related regulatory requirements in such a way as to maintain the efficiency and effectiveness of standard businesses processes.