on Privacy and Civil Liberties and the Information Sharing Environment
Criminal Justice Information Systems, 28 CFR Part 20 – This regulation is in three sections:
- Subpart A (General Provisions related to purpose and authority, and providing pertinent definitions);
- Subpart B (related to state and local criminal history information systems); and
- Subpart C (related to Federal systems and exchange of criminal history record information).
The purpose of the regulation is “to assure that criminal history record information wherever it appears is collected, stored, and disseminated in a manner to ensure the accuracy, completeness, currency, integrity, and security of such information and to protect individual privacy” as stated at § 20.1.
Confidentiality of Identifiable Research and Statistical Information, 28 CFR Part 22 – The purposes of the regulation as stated at § 22.1 include: protecting privacy of individuals by requiring that personally identifiable information (PII) obtained in a research or statistical program may only be used and revealed for the purpose for which it was obtained; restricting the use of such information without consent in judicial or administrative proceedings; defining how PII may be used or revealed in research and restricting subsequent use of the PII; and insuring the confidentiality of information provided by crime victims to crisis intervention counselors who have been funded by federal specific federal programs.
Criminal Intelligence Systems Operating Policies, 28 CFR Part 23 – establishes guidelines governing the operation of criminal intelligence systems that receive federal funding under the Omnibus Crime Control and Safe Streets Act of 1968, as amended (“Crime Control Act”). The purpose of the regulation as stated at Subsection 23.1 is to assure that federally funded criminal intelligence systems ensure the constitutional and privacy rights of individuals.
- The De Facto National Standard. The National Criminal Intelligence Sharing Plan (NCISP) (154pp | 1.35mb | PDF), recommends that agencies comply with the regulation even if they are not mandated by law to do so. Many law enforcement agencies have voluntarily adopted 28 CFR Part 23 as a guideline to demonstrate a good-faith effort toward protecting individuals’ rights. Since state and local programs contributing criminal intelligence to federally funded systems must assure their contributions conform with 28 CFR Part 23, the regulation is functionally the de facto national minimum standard for the collection, use and sharing of criminal intelligence information.
- Scope Of Regulation. 28 CFR Part 23 addresses five broad areas: guidance regarding the submission and entry of criminal intelligence information into databases; options promoting the security of such information; guidelines for making inquiries to criminal intelligence systems; restrictions regarding the use and dissemination of criminal intelligence information; and obligations to periodically review information and purge unreliable or outdated information.
28 CFR Part 23 does not provide specific direction on how the standards should be implemented by an individual agency but instead allows each agency to develop its own policies and procedures that conform with the regulation’s standards.
- Criminal Intelligence Defined. Subsection 23.3(b)(3) states that criminal intelligence information that can be put into a criminal intelligence sharing system is "information relevant to the identification of and the criminal activity engaged in by an individual who or organization which is reasonably suspected of involvement in criminal activity, and … meets criminal intelligence system submission criteria."
- “Reasonable Suspicion” Standard. Subsection 23.20(a) states that a system shall only collect information on an individual if "there is reasonable suspicion that the individual is involved in criminal conduct or activity and the information is relevant to that criminal conduct or activity." Finally, 23.20(c) indicates that “reasonable suspicion” (sometimes referred to as the “criminal predicate”) is present when information establishes sufficient facts to give a trained law enforcement or criminal investigative agency officer, investigator, or employee a basis to believe that there is a reasonable possibility that an individual or organization is involved in a definable criminal activity or enterprise.
- Protection of First Amendment Activities. Subsection 23.20(b) explicitly states that First Amendment-protected activities may not be the subject of collection unless they relate to criminal activity.
- 1998 Clarification. An important policy clarification was issued in December 30, 1998, that permits the entry of notations regarding individuals, entities and organizations, and locations that do not otherwise meet the requirements of reasonable suspicion when done solely for the purposes of criminal identification or when the information is germane to the criminal subject's criminal activity. In such cases, the information must be clearly marked “non-criminal identifying information.” For example, a “comments” section might include a note that a person reasonably suspected of criminal activity frequents a particular non-involved local restaurant. Since the restaurant or its owners are not reasonably suspected of criminal activity, the comment should clarify that there is no suspicion that the restaurant or its owners are involved in criminal activity.
- Online Training Resources. The Institute for Intergovernmental Research (IIR) has developed training materials related to 28 CFR Part 23, including a “Frequently Asked Questions” webpage and online 28 CFR Part 23 training sessions.
- Revisions Proposed But Not Adopted. On July 31, 2008, proposed changes to 28 CFR Part 23 were published. Numerous comments were filed in response to the proposal, but as of December, 2011, the changes have not been adopted.
Standards for Privacy of Individually Identifiable Health Information
The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) (Pub.L. 104-191) (169 pp | 720kb | PDF). HIPAA created nationwide standards relating to the security of an individual’s health information.
- HIPAA Privacy Rule Applies To “Covered Entities” And Their “Business Associates.” The Privacy Rule standards address the use and disclosure of individuals’ health information by organizations subject to HIPAA — called “covered entities,” as well as standards for individuals' privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.
Contrary to commonly held assumptions, HIPAA restrictions do not apply to all medical information held by any public or private entity. It applies to a “Covered entity,” which is specifically defined to mean:
“(1) A health plan.
“(2) A health care clearinghouse.
“(3) A health care provider who transmits any health information in electronic form in connection with a transaction [covered by this subchapter].”
- Privacy Rule Covers “Protected Health Information” (PHI). The HIPAA Privacy Rule protects all "individually identifiable health information" held or transmitted by a “covered entity” or its “business associate,” in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)." All these terms are specifically defined at 45 CFR 160.103 (5 pp | 160kb | PDF).
The regulations do not apply to PHI that is held by entities that are not within the scope of the definition of a “covered entity.” For example, a law enforcement agency would not normally be a “covered entity” other than in the context of PHI developed while engaged in medical activities such as operating a clinic or other medical facility within the agency or a jail managed by the agency.
When dealing with PHI in the possession of covered entities, the HIPAA “Privacy Rule” and “Security Rule” will apply.
- Law Enforcement Access To PHI. If law enforcement is dealing with a “covered entity,” with regard to PHI, 45 CFR 164.512(f) (10 pp | 174kb | PDF) authorizes disclosure of PHI under six specific circumstances (subject to specified conditions) without the individual’s authorization or an opportunity to agree or object:
- As required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests;
- To identify or locate a suspect, fugitive, material witness, or missing person;
- In response to a law enforcement official’s request for information about a victim or suspected victim of a crime;
- To alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death;
- When a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and
- By a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.
There are other national priority purposes than law enforcement that allowed access to PHI: if disclosure is required by law; public health activities; victims of abuse, neglect, or domestic violence; health oversight activities; judicial and administrative proceedings; decedents; cadaveric organ, eye, or tissue donation; research; serious threat to health or safety; essential government functions; workers’ compensation. A summary review of the lengthy HIPAA related rules is found in the United States Department of Health and Human Service’s (HHS) “Summary of the HIPAA Privacy Rule” (25 pp | 372kb | PDF). The HHS Summary of the HIPAA Security Rule provides guidance for dealing with that rule’s restrictions. For more information on instances when law enforcement may receive PHI from covered entities, see HHS's Guide for Law Enforcement (2 pp | 177kb | PDF) on HIPAA.
- 2009 Revisions. As part of the American Recovery and Reinvestment Act (ARRA) of 2009, changes have been made to privacy and security requirements applicable to protected HIPAA health information (PHI). Business associates are now required to follow the Security Rule provisions that previously applied only to “covered entities.” Civil penalties for violations were increased. New restrictions on how PHI may be disposed by those falling under the rules were implemented. For example, notification of a breach may be delayed now for law enforcement purposes. HHS implemented these changes in the HIPAA Omnibus Rule.