Google admits to reading your emails, claims you should expect it.

tomBitonti

Adventurer
It is also improbable that any human at google is actually reading any emails.

I have to ask, is who or what reads email actually relevant? Wouldn't the purpose of reading the email matter as much if not more? I'm wondering whether the distinction between a computer reading the email and a person reading the email is relevant, and is being presented perhaps as a bit of misdirection. I could be all wrong about this, but if I write a program that intercepts and scans emails looking for certain keywords, the program is an extension of me, and that I didn't actually read the emails myself doesn't matter.

Thx!

TomB
 


Dannyalcatraz

Schmoderator
Staff member
Supporter
Well, note something: they're talking about "automated processing". That's not necessarily the same as having a living person *reading* your mail.

AFAIK, the law does not make a distinction between live and automated data processing. It IS a possible distinction that could save fines and jail time, but would you really want to risk that if it were you? Live people made the decision to do this, then automate this. The idea that automation is going to insulate you from personal or corporate liability is a mighty thin aegis.

As it stands, all HIPAA talks about is getting the protected data and using it for commercial reasons before swinging its hammer. And Google does this- if they're being truthful & accurate, in part to legitimately process the data- but also to target advertising. THAT is what could get them in the worst trouble.

(Also, sorry 'bout the Zuckerberg goof- typed that before going to bed. :eek:)
 

tomBitonti

Adventurer
They're considered part of the staff and thus covered under the NDA and BLA you should have with them

That seems pretty robust!

Legally, would all of that prevent you from testifying about particular data which you (your company) processed?

My layman's understanding is that confidential discussions, for example, between a lawyer and their client, or between a doctor and their patient, and, I'm thinking, between a priest and a congregant, have specific legal protections which are hard to overcome, but, one way to overcome them is for a third party to be present (who would not be considered one of the clients; I'm presuming if a lawyer had two clients in a single case, the second person doesn't count as a third party).

That is, if a lawyer speaks to a client in a secure room (no other people present, no recording devices, no remote observation), then a third party is not present and the conversation remains protected. But, if the conversation were held in the presence of a third party, say, if the client had a friend present for support, then the protection is removed. Perhaps more likely, if a lawyer or doctor had lunch (or say, golfed) with a client, and remarked on confidential matters in the presence of third parties also at the lunch. Maybe the lawyer or doctor would know better (or should), but the client might bring something up when they oughtn't.

I'm trying to figure out when a separate person becomes a third party. I imagine (but could be rather wrong, not knowing in particular), that a person on staff in a law office would not be a third party, so long as the practice maintained security practices, and that the person on staff had a practical need to access protected materials. That is, a clerk who filed a lawyer's notes could not be forced to testify about those notes. (But, if a lawyer had a conversation with a client and a cleaning person were in the room, and was not made to leave, they might be considered a third party.)

Something that I wonder about in this context is what difference does an un-authorized intrusion make? If a lawyer and client have a conversation which is recorded unlawfully, does that break protections? That makes a difference in that if 75% of all emails are subject to routine scanning, and this became the everyday presumption, then every email would automatically have a third party involved, and would automatically lose protection.

Thx!

TomB
 

tomBitonti

Adventurer
In regard to google, I was thinking that there would be a specific policy which was agreed to by gmail users which would cover google's use of the email content.

I found this:

http://www.google.com/intl/en/policies/privacy/

But I don't see any notice that google will use email contents in this policy statement.

However, specific applications such as gmail may have additional specific terms which are in addition to or modifications of the general policy. Does anyone have a link to such? Based on this general policy, I don't see that a user will have agreed to allow interpretive access to email contents.

As a second matter, even if a user accepts a policy which allows access, what would that mean for emails from non-gmail users to gmail users? My thinking is, unfortunately for the non-gmail user, that they give up protection to the gmail recipient. Then, the issue becomes a matter of trust between the email users. As an analogue, if I exchange love letters with a partner, I'm relying on my partner to keep the letters secret. But once I've sent the letters, I can't force my partner to keep the letters private.

Thx!

TomB
 

Janx

Hero
I have to ask, is who or what reads email actually relevant? Wouldn't the purpose of reading the email matter as much if not more? I'm wondering whether the distinction between a computer reading the email and a person reading the email is relevant, and is being presented perhaps as a bit of misdirection. I could be all wrong about this, but if I write a program that intercepts and scans emails looking for certain keywords, the program is an extension of me, and that I didn't actually read the emails myself doesn't matter.

Thx!

TomB

Speaking technically, rather than legally, it's a yes and no problem.

I am, at this moment (well, a few moments ago), writing code to parse emails to extract a link to login to a portal to download a patient file and then parse that file into my system for my client to use.

During the development, I am likely to see a little PHI but am covered by NDA and need to know.

Once it is deployed, I am not seeing any PHI, nor is anybody else. It's a pipeline from Company A to Company B, even though "something" is reading the email, it is not doing so in the more sentient form of "knowing" what's in your record.

It's kind of like if the Post Office had transporters. They technically know EVERY atom and its location and thus the contents of the package you shipped. But for practical purposes, they don't actually know what's in the box, even if they scanned it for explosives as part of the process. So a module might "know" what's in the box for the sake of processing the box, but your privacy is still intact from the sense of nobody knows what the present for Timmy was when he gets it but you.

Privacy is not a giant mega-shape that can cover every bit of information about you. It's just not feasible, nor is it conducive to making things work.

there's different kinds of privacy.

Nobody needs to know your social security number
Nobody needs to know who you dated last night
Nobody needs to know about that lump you have
nobody needs to know that you are planning to fire Tom in accounting tomorrow.

These are private things, that should only be shared when you choose and as needed.

As we do know, some people do need your social security number to process your claim
And the computer does need to know your address so it can mail the bill to you
And Google does need to skim your mail for nouns so they can display advertisements about those nouns to you while you use their free service.

but does that mean they've violated those core things I identified at the top? probably not.

Technically your pharmacist knows about the lump you have, because you've got a script for cream for it. It's irrelevant to her, because everybody has a rash somewhere and it's meaningless noise. Pre-HIPAA, everybody knew your business as you stood at the pharmacy counter.

The real point of the privacy laws is to protect your assets, not your privates.

As long as google isn't collating a big database of identities to sell to the Russian hackers, or building a secret black mail profile against you, you don't have a problem.

Your core risk is not that my program is reading your information. It is whether I am opening up the database snapping off an export and selling it to the russians or contacting you on a disposable phone to get you to pay me to not tell your wife about your activities.

It all snaps back to what a human is misusing the data for. the software is often the innocent party, just processing your work, like the assistant at the front desk booking your appointment and taking your credit card to bill you.
 

Janx

Hero
That seems pretty robust!

Legally, would all of that prevent you from testifying about particular data which you (your company) processed?

My layman's understanding is that confidential discussions, for example, between a lawyer and their client, or between a doctor and their patient, and, I'm thinking, between a priest and a congregant, have specific legal protections which are hard to overcome, but, one way to overcome them is for a third party to be present (who would not be considered one of the clients; I'm presuming if a lawyer had two clients in a single case, the second person doesn't count as a third party).

That is, if a lawyer speaks to a client in a secure room (no other people present, no recording devices, no remote observation), then a third party is not present and the conversation remains protected. But, if the conversation were held in the presence of a third party, say, if the client had a friend present for support, then the protection is removed. Perhaps more likely, if a lawyer or doctor had lunch (or say, golfed) with a client, and remarked on confidential matters in the presence of third parties also at the lunch. Maybe the lawyer or doctor would know better (or should), but the client might bring something up when they oughtn't.

I'm trying to figure out when a separate person becomes a third party. I imagine (but could be rather wrong, not knowing in particular), that a person on staff in a law office would not be a third party, so long as the practice maintained security practices, and that the person on staff had a practical need to access protected materials. That is, a clerk who filed a lawyer's notes could not be forced to testify about those notes. (But, if a lawyer had a conversation with a client and a cleaning person were in the room, and was not made to leave, they might be considered a third party.)

Something that I wonder about in this context is what difference does an un-authorized intrusion make? If a lawyer and client have a conversation which is recorded unlawfully, does that break protections? That makes a difference in that if 75% of all emails are subject to routine scanning, and this became the everyday presumption, then every email would automatically have a third party involved, and would automatically lose protection.

Thx!

TomB

HIPAA is a loosey-goosey law. It basically says "you must protect" with very little definition of what standards to follow. The credit card industry follows DCI which is very specific and strict. It is a stronger standard.

On the third party present question, you do NOT conduct business with an unsecured party present. Cleaning staff don't have need to know, so you ask them to leave. Otherwise, you have a risk.

In my world, you don't just walk into a room and transform into a third party. Negotiations, contracts and audits happen before we start passing data. I would be in breach if I sent PHI to somebody we didn't have a BLA with.

What HIPAA says is "do whatever you want to protect" But if there's a breach, you are screwed. So it's more Stick, than book of tips on how to secure your business.

Some specifics are, if an unauthorized party gets PHI, I have to notify the affected people (patients) and probably pay for credit fraud protection (I've had a few of those from the financial industry losing laptops). If they crack my server and steal my database, I am protected ONLY if the database was reasonably encrypted.

So if my PHI is unreadable in my Patient table, I'm safe. If not, then I will pay large fines and fees that could destroy my business. But it is all up to me on whether to do that, and up to my client to choose to do business with me. This is where a large business expects higher security, and a small business is exempted from being expected to have huge piles of documented security practices when doing the BLA.

It's all moot until a breach, when blame flies and money has to be paid.
 

Umbran

Mod Squad
Staff member
Supporter
AFAIK, the law does not make a distinction between live and automated data processing. It IS a possible distinction that could save fines and jail time, but would you really want to risk that if it were you?

Well, I am not personally a billion-dollar company that lives or dies based on advertising, so "if it were me" is perhaps not the best measure.

The law may not currently make a distinction, but that question is going to get asked eventually. The real question here is simple - is it a breach of privacy if *you* are the only one who ever sees the relevant bits? It isn't like Google is taking your information and giving it to someone else. They use the data from *your* e-mail to show things to *you*. Your information does not go to anyone else in a non-anonymized way. How is your privacy violated? Your data doesn't actually go to anyone but you!

This gets to the basic question - what is "privacy"? That has not been answered in a solid way for the digital age.
 

Dannyalcatraz

Schmoderator
Staff member
Supporter
The law may not currently make a distinction, but that question is going to get asked eventually. The real question here is simple - is it a breach of privacy if *you* are the only one who ever sees the relevant bits? It isn't like Google is taking your information and giving it to someone else. They use the data from *your* e-mail to show things to *you*. Your information does not go to anyone else in a non-anonymized way. How is your privacy violated? Your data doesn't actually go to anyone but you!

This gets to the basic question - what is "privacy"? That has not been answered in a solid way for the digital age.
Here's the potential problem:

42USC1320d-6 Wrongful disclosure of individually identifiable health information

(a) Offense

A person who knowingly and in violation of this part-

(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an individual; or
(3) discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b).

Google may be using the data it gleaned from emails to target ads to the email users. If they are, that is a potential violation of HIPAA...even if it is completely automated. In a very real & legal sense, Google IS sharing your data with someone else.

Even though it's a bunch of computer programs talking to each other, it's your personal information being used without your permission for other than its intended purpose by organizations not within the boundaries of the doctor/patient privilege. They are using the data for targeting ads to you (the patient) and to the doctors who share that data between themselves.

And legally, corporations are "people." When Google's computers talk to Glaxo Smith-Kline's to target drug ads to you and your doc based on your patient data, that means a "person" has disclosed your data to another "person" for commercial purposes.

That is almost a textbook case of violating your privileged communication. (It WILL be at some point after this all sorts out.) Pharma companies can't have reps in the room with you & your doc during an appointment to hawk their meds and procedures– that would be a clear violation. Allowing them to do essentially the same thing via targeted emails is, IMHO, every bit as violative of the privacy laws as the former. That it is automated should not be a shield from liability.

(Disclosure: even though it's not my primary field, I have done some legal work for my father's medical practice.)
 

Janx

Hero
This gets to the basic question - what is "privacy"? That has not been answered in a solid way for the digital age.

Yup.

There's the obvious things I can't have floating out there like my account numbers

There's my personal business that I don't care to share with neighbors, let alone the world

There's "harmless" data I'm dropping off without realizing that technology can now collect and make surprising deductions from.

Like DNA samples, fingerprints on discarded pop cans, cameras catching my car going to places that have always been there, but only now can something sneaky or useful come of it.

There's machine processes that do legitimate work on my and others data that then are vulnerable to criminal attack.

There's machine processes that offer genuine services for hosting my data, and are inherently reading it to do things on my behalf (like showing me targeted ads)

there's machine processes that parse my data that I willingly gave it to then perform statistics on that deduce surprising things that I hadn't thought I opted into.


Now bring in that Snowden guy, who was an IT worker, who inherently had "need to know" access on the back-end to NSA data (meaning the agents may have been locked to certain data by need, but an IT guy kind of needs access to everything, even though he's not reading it per se). There's your risk factor, somebody HAS to have access to everything to keep the server running. Now in his case, he apparently didn't like how the data was being used, and made a big deal about it (not commenting on the details of his case).

Now bring in that kid in England who got banned by the game shops. His name was out there for anybody to know what he did and who he was. He voluntarily gave away his privacy, and yet, when the news was reported, others were trying to protect his privacy by saying his name shouldn't be disclosed.

To sum up, nobody really knows what the heck privacy is. It's a magic word that means whatever you didn't want to happen after the cat was let out of the bag.
 

Dannyalcatraz

Schmoderator
Staff member
Supporter
Forgot to address this:

This gets to the basic question - what is "privacy"? That has not been answered in a solid way for the digital age.

At its most basic level, "privacy" in the sense we are discussing here is the legal right to restrict and control access to information of a particular kind. Nothing more, nothing less. Each of the recognized forms of it- Priest/penitent, Attorney/Client, Doctor/Patient, husband & wife have certain commonalities but also unique boundaries.

The privilege belongs to the person disclosing the information to the second party- only that person can legally disclose the information to a third party.

And not everything disclosed to the second party is covered- only such information as is vital for the proper functioning of the relationship is protected. So if you tell your Lawyer about your medical conditions, or your Doctor about your legal woes, those would not necessarily be privileged communications.

That we live in the digital age doesn't change any of this.
 