Privacy Law and Policy Reporter
Moya Gray and John Cole
This 1999 country report on the status of privacy throughout the 50 states of the US was prepared for the Second Asia Pacific Forum on Privacy and Data Protection, held in the Hong Kong SAR, China, on September 12, 1999.
The 50 states have dealt with the issues of privacy as they pertain to both the government and private sectors on a piecemeal basis. For example, many states have made wiretapping and other forms of eavesdropping illegal unless exempted for law enforcement purposes. Many states also statutorily provide their citizens with a right of publicity, meaning their photograph or other likeness cannot be used in a commercial way without consent. There are also state laws prohibiting specific types of businesses, from bookkeeping to video rental services, from disclosing records that contain personal information without express written consent. However, no states protect privacy through a comprehensive scheme with regard to collecting and use of personal information about individuals.
The four states that are actively attempting to enact omnibus privacy legislation all have or have recently had separate governmental offices dedicated to overseeing freedom of information laws. Governmental offices of this type in the US seem to be taking the initiative in seeking the best balance between individual privacy rights and information exchange in this era of rapid technological advancement. Similarly, government regulators in the privacy area may see a trend toward melding privacy with the freedom of information jurisdiction, as may be the case in England.
In January 1999, the Hawaii Legislature considered House Bill 1232 and Senate Bill 991, companion Bills that would have created the Hawaii Information Privacy Act. The Bills were intended to effect an individual’s right to privacy under the Hawaii Constitution, while providing for the reasonable exchange of information with adequate safeguards to assure its appropriate use. The Bills would have:
Although the Bills enjoyed the general support of local and international privacy advocates, concerns were voiced, mainly by business interests, that caused both Bills to be held in committee.
However, the Legislature did pass House Concurrent Resolution 196, which requests the State Office of Information Practices (OIP) to co-ordinate a comprehensive study involving government agencies and concerned private businesses and individuals. The study will examine ways in which personal information is currently used, what protections are desirable, and proposals which address the concerns of consumers, law enforcement and businesses. The OIP is to submit a report, including proposed legislation, to the Legislature prior to the January 2000 session.
Massachusetts House Bill 4483 was introduced, on behalf of Governor Paul Cellucci, by Lieutenant Governor Jane Swift on 23 June 1999 and is currently being heard in various House committees. The Bill amends existing laws. Among other things, this Bill would:
The Bill would exempt law enforcement from most of its provisions.
Significantly, the Bill creates an arbitration board for resolving disputes between consumers, credit bureaus and ‘individual reference service providers’ and requires the Office of Consumer Affairs and Business Regulation to promulgate rules and regulations to implement many of its provisions.
Perhaps most interestingly, the Bill creates a special commission to conduct an investigation and make a recommendation on the feasibility, ramifications, benefits and disadvantages of creating a property interest in personal information. The commission is to consider whether changes are desirable in the present laws, regulations, and practices governing property rights in order to better protect the personal information of the residents of Massachusetts.
California Senate Bill 129 was introduced by State Senator Steven Peace on 22 December 1998, and is currently in the Assembly Committee on Approp-riations. As introduced, this Bill would impose restrictions on the collection and disclosure of personal information by governmental, business, or not-for-profit organisations, superceding existing laws to the extent they conflict. The Bill would:
The Bill was amended in committee and is now currently weaker than described above. However, Senator Peace and other supporters of the Bill hope to bring back most of the original language as the legislative process plays out.
Texas House Bill 611 was introduced by State Representative Kyle Janek on 16 February 1999, and was left pending in the House Committee on Business and Industry. To protect certain personal information provided by a customer to a business, this Bill would have:
An interim committee, chaired by Representative Janek, has been assigned to study privacy issues, including the effects privacy legislation would have on sharing of information between affiliates of large corporations. The interim committee is to work with all interested parties and attempt to reach a consensus on what type of privacy protections are reasonable. The committee will begin work in January 2000, and Representative Janek hopes that new privacy legislation will be introduced at the next session in January 2001.
Other than Hawaii, Rhode Island, and Wisconsin, there are no states which have a comprehensive statute dealing with medical records privacy. Many states have many laws in the area, but they deal with the issue on a piecemeal basis. For example, they may have a statute that makes HIV information private, another that deals with immunisation records, and another general law requiring maintenance of confidentiality of medical records by physicians. Some of the most notable statutes are discussed below.
In 1998 the Office of Information Practices (OIP) was asked to facilitate a group of representatives from the health industry, which included both private sector and government members. The goal of the task force was to reach consensus on contentious issues and to draft comprehensive legislation to protect medical records. Both goals were accomplished and House Bill 351 was introduced in the 1999 legislative session. After intense discussions by members of the public in committee hearings, the legislature passed out a compromise Bill and on 23 June 1999, the Bill was signed into law as Act 87. The Act will go into effect on 1 July 2000. The law:
Rhode Island General Laws Chapter 5-37.3 provides that a patient’s confidential health information shall not be released or transferred without the written consent of the patient. The law exempts transfers of information by some parties in certain instances, including law enforcement and public health authorities. It also exempts transfers to ‘qualified personnel’ for the purpose of conducting research, management or financial audits, insurance underwriting, or similar studies, provided that no individual patient can be identified directly or indirectly in any report of the research or evaluation. The law also provides that anyone who knowingly violates its provisions and is convicted shall be fined up to $1000 and imprisoned for up to six months.
Wisconsin Statutes Chapter 146 provides that patient health care records may be released only to persons designated in the statute or to other persons with the informed consent of the patient or of a person authorised by the patient. Those permitted to receive records without the consent of the patient include law enforcement authorities, certain governmental agencies for statistical and public health purposes, and to researchers affiliated with a health care provider, provided the final product of the research will not reveal information that may serve to identify the patient whose records are being released without the informed consent of the patient. The law also provides for civil damages and criminal penalties up to $1000 fine or six months imprisonment or both.
New Hampshire Revised Statutes Title 30 Chapter 332I:1 prohibits patient-identifiable medical information from being released for sales or marketing purposes without written authorisation.
The Idaho Code Title 54 Chapter 45 allows patients to make more informed health care decisions when selecting a provider by requiring patient access to provider profile information.
In addition to these existing statutes, California’s State Senate has passed a medical privacy Bill — Senate Bill 19, introduced by Senator Liz Figueroa — intended to prevent health care plans and their contractors from disclosing medical records without patient permission. Most of the debate was in favor of the Bill, but critics argued that fines for violations are too large.
The increasing incidence of identity theft crime has spurred several states to enact laws that specifically address the problem. Typically, these laws make it a misdemeanor or a felony for a person to willfully misappropriate and use personal identifying information of another to obtain or attempt to obtain credit, goods, services, or other information. Among the states that have enacted such laws are California, Georgia, Mississippi, West Virginia and Wisconsin.
Hawaii’s Uniform Information Practices Act (UIPA) provides a balancing mechanism to determine when the public’s interest overrides a person’s privacy interest in information held by government. In addition, the UIPA applies fair information practices to government records, giving the OIP authority over all government records except for the non-administrative records of the judiciary.
A Virginia law prohibits a merchant, without giving notice to the purchaser, from selling to any third person information which concerns the purchaser and which is gathered in conjunction with the sale, rental or exchange of tangible personal property to the purchaser. A recent amendment to the same chapter prohibits electronic mail or message service providers from selling or otherwise releasing the names or email addresses of any subscriber without prior consent. The chapter makes violators liable for damages in the amount of $100 to the person whose information was released, as well as reasonable attorney fees and costs; Va Code Ann §§ 59.1-442, 59.1-442.1 and 59.1-444.
The California and Wisconsin legislatures are considering measures that would prohibit their departments of motor vehicles from selling photos or physical descriptions of drivers to vendors without consent. This follows an incident in which one state sold thousands of drivers licence photos to a private company for use in a fraud deterrent database that would have been available to retailers to verify the identity of customers.
Many states, including California and Washington, have statutes requiring that marketing businesses provide a way for consumers to opt-out of their inclusion on mailing lists and similar mass marketing databases.
Moya T Davenport Gray, is Director, and John E. Cole, Staff Attorney, in the OIP of the State of Hawaii.