Two Tiers of Privacy: A Novel Approach
You need to know that I played a significant role in the development of the homeless privacy rule that I describe here. I was a consultant to the firm that helped the federal Department of Housing and Urban Development write the rule. I am not a disinterested observer.
The homeless privacy rule came about as a byproduct of an effort to collect better information on the homeless. While HUD plans no central database of homeless individuals, a better count of the homeless requires collection of personal data at the local level and integration of that data to avoid duplication. The initiative is called the Homeless Management Information Systems. The ultimate goal is to have information needed to make policy and to provide better services to those in need.
There were three main privacy challenges, and they will sound familiar. First, many diverse organizations are subject to the rule, and they do not have the same programmatic and organizational needs. Your organization may have the same challenge. The privacy needs for one line of business may not be the same as the privacy needs for another.
The solution here started from the realization that one size would not fit all. For example, a privacy rule would have to take into account the differing needs and resources of a soup kitchen and a domestic violence shelter. However, those differences do not detract from the privacy interests of the data subjects. To meet those interests, the rule established a baseline of privacy protections applicable to all covered providers of homeless services.
The rule went further. It also described additional privacy protections that organizations could voluntarily adopt. For example, one part of the rule requires that organizations provide each requesting individual with access to his or her record. That's the baseline. One of the voluntary privacy protections is an appeal mechanism for anyone who believes that access was improperly denied.
What is novel is the detailing in the rule of additional privacy protections. The additional protections serve as a menu, and that menu is not exclusive. Organizations can add other protections if they wish, but they can also select none, one, or more of the options presented. Organizations can design privacy protections to meet their own circumstances and the specific needs of their clientele.
The second challenge resulted because some organizations are already subject to a federal privacy rule for health information. Addressing conflicting rules would be a major problem for covered organizations, just like it is for private sector organizations subject to multiple federal laws or to overlapping state and federal privacy laws. The solution here was to exempt any HMIS organization from the HMIS privacy rule if the organization determines that the federal health privacy rule covers a substantial portion of its records about homeless clients.
The HMIS rule saved enormous headaches by making sure that organizations covered by both rules wouldn't have a conflict. If your company is subject to more than one privacy law, you will look longingly at this conflict avoidance method, which is unfortunately not available to you.
The third challenge for HMIS was defining the content of information privacy. What are the elements of privacy that would meet the needs and interests of the homeless? The answer to this question was relatively easy. The solution to most information privacy problems can be found in the principles of Fair Information Practices.
The HMIS rule established policies for openness, accountability, collection limitation; purpose and use limitation; access and correction; data quality; and security. The traditional FIPs framework works just as well for the homeless as for any other constituency of individuals. The specific applications required some adjustments for the circumstances, but this is normal. The basic principles themselves did not require any significant adjustment.
I do not know yet how the HMIS privacy rule will be received by the homeless providers that are subject to it or by the homeless clientele who are the intended beneficiaries. It may be some time before the providers understand the rule and complete implementation. I anticipate the usual confusion that comes with any new privacy rule. In a year or two, a fair evaluation of the privacy rule may be possible.
The lesson for others is that privacy rules and policies do not have to be inflexible mandates handed down from on high. Within the well-accepted international framework of Fair Information Practices, many different paths allow record keepers to address privacy obligations.
The two-tiered privacy system in the HMIS rule may suggest an approach that can work in your company.