A Brief Understanding of Health Privacy and Privacy Torts – From an IT Perspective

By Jorge Castaneda

Over the last several years, I’ve made it a point to get more educated and experienced with data privacy. I’ve read several books along the way, watched several online trainings, and done some research as well. I have also taken some law courses while pursuing my Master’s degree in Cybersecurity Law & Policy from Texas A&M School of Law.

This blog post outlines some actionable insights into privacy torts and health privacy from my perspective as an IT professional.


Disclaimer: This information is meant for educational purposes only. It is based on my own knowledge, research, and understanding and it is not intended as professional or legal advice.


Protecting personal information is critical, especially when it comes to health data. For IT professionals like myself, understanding privacy torts and health privacy laws isn’t just a matter for legal teams; it’s integral to designing ethical, compliant systems. Here’s a brief breakdown of some key torts related to privacy and how health privacy laws, like HIPAA, impact IT practices.

So what exactly are Privacy Torts?

Privacy torts provide legal recourse when someone’s privacy rights are violated. They’re derived from common law and play an essential role in holding individuals or organizations accountable for privacy breaches.

Here are some of those privacy torts:

Intrusion Upon Seclusion Tort

This tort occurs when someone intentionally invades another person’s private space or affairs in a manner that would be considered highly offensive to a reasonable person.

  • Example: Unauthorized surveillance or hacking into someone’s personal communications.
  • IT Impact/Actionable Step: Ensure systems have robust access controls and policies to prevent unauthorized monitoring or data access.

Public Disclosure of Private Facts Tort

  • Example: Publishing sensitive personal information without consent.
  • IT Impact/Actionable Step: Implement strict data handling and sharing policies. Ensure encryption and access controls are in place to protect sensitive data from leaks.

False Light Tort

  • Example: Portraying someone in a misleading way that damages their reputation.
  • IT Impact/Actionable Step: Be cautious with data presentation in public interfaces, ensuring information reflects users accurately.

Appropriation of Name or Likeness Tort

  • Example: Using someone’s name or image for commercial purposes without consent.
  • IT Impact/Actionable Step: Obtain explicit consent when using user-generated content or personal images in marketing or promotions.

These torts show the importance of embedding privacy-respecting practices into IT workflows and system designs.


Another key tort, especially relevant to health data, is Breach of Confidentiality.

  • What It Is: Unauthorized sharing or disclosure of information entrusted in confidence (e.g., medical records).
  • Example: A hospital employee leaking a patient’s diagnosis to unauthorized parties.
  • IT Impact/Actionable Step: Ensure strict data governance practices, enforce role-based access control (RBAC), and use encryption to protect patient information.

This tort ties directly to compliance with health privacy laws like the Health Insurance Portability and Accountability Act (HIPAA).


Health Privacy Laws: The Importance of HIPAA

HIPAA (Health Insurance Portability and Accountability Act of 1996) is the cornerstone of health privacy law in the United States. It establishes rules for handling Protected Health Information (PHI).

Key HIPAA Provisions for IT Professionals

Privacy Rule

  • Governs how Protected Health Information (PHI) can be used and disclosed.
  • IT Impact/Actionable Step: Limit access to PHI and ensure clear policies on data sharing.

Security Rule

  • Sets standards for protecting electronic Protected Health Information (ePHI).
  • IT Impact/Actionable Step: Implement measures like encryption, secure authentication, and audit trails.
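The Breach of Confidentiality and Security Rule steps above both call for role-based access control, a check that access is limited to what the role needs, and an audit trail of every access decision. The following is an added example of such a PHI access gate; it is not code from the original post. The roles, permissions, care-team data and the "treatment relationship" rule are all constructed for illustration, and a real deployment would load them from its policy store and patient-assignment system.

```python
"""Constructed example: a PHI access gate that enforces role-based access
control, applies a minimum-necessary style check for clinical reads, and
records every decision (granted or denied) to an audit trail."""

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

# Hypothetical role -> permission mapping; a real system loads this from policy.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "attending_physician": {"read_clinical", "write_clinical"},
    "billing_clerk": {"read_billing"},
    "front_desk": {"read_demographics"},
}

# Actions that additionally require an active treatment relationship with the
# patient, so a clinician cannot browse records of patients they do not treat.
REQUIRES_TREATMENT_RELATIONSHIP = {"read_clinical", "write_clinical"}


@dataclass(frozen=True)
class AuditEvent:
    """One audit-trail entry. It holds the patient identifier but never the
    clinical content, so the audit log itself does not become a PHI store."""
    timestamp: str
    user: str
    role: str
    action: str
    patient_id: str
    allowed: bool
    reason: str


@dataclass
class PhiAccessGate:
    # Constructed: patient_id -> users with an active treatment relationship
    care_team: Dict[str, Set[str]]
    audit_log: List[AuditEvent] = field(default_factory=list)

    def _record(self, user, role, action, patient_id, allowed, reason) -> bool:
        """Append the decision to the audit trail and return it."""
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, action=action, patient_id=patient_id,
            allowed=allowed, reason=reason,
        ))
        return allowed

    def authorize(self, user: str, role: str, action: str, patient_id: str) -> bool:
        """Deny-by-default RBAC check; every path is audited."""
        perms = ROLE_PERMISSIONS.get(role)
        if perms is None:
            return self._record(user, role, action, patient_id, False, "unknown role")
        if action not in perms:
            return self._record(user, role, action, patient_id, False, "role lacks permission")
        if (action in REQUIRES_TREATMENT_RELATIONSHIP
                and user not in self.care_team.get(patient_id, set())):
            return self._record(user, role, action, patient_id, False, "no treatment relationship")
        return self._record(user, role, action, patient_id, True, "granted")

    def denied_events(self) -> List[AuditEvent]:
        """Denied attempts are the events a security team reviews first."""
        return [e for e in self.audit_log if not e.allowed]


def demo() -> PhiAccessGate:
    """Run four constructed access attempts and return the gate with its log."""
    gate = PhiAccessGate(care_team={"P-1001": {"dr_alice"}})
    gate.authorize("dr_alice", "attending_physician", "read_clinical", "P-1001")  # granted
    gate.authorize("dr_bob", "attending_physician", "read_clinical", "P-1001")    # denied: not on care team
    gate.authorize("clerk_eve", "billing_clerk", "read_clinical", "P-1001")       # denied: role lacks permission
    gate.authorize("clerk_eve", "billing_clerk", "read_billing", "P-1001")        # granted
    return gate


if __name__ == "__main__":
    for e in demo().audit_log:
        print(f"{e.timestamp} user={e.user} role={e.role} action={e.action} "
              f"patient={e.patient_id} allowed={e.allowed} ({e.reason})")
```

Two design points carry over to real systems: the gate denies by default (an unknown role or an unlisted action is refused rather than ignored), and denials are logged with the same detail as grants, since a pattern of "no treatment relationship" denials for one user is exactly the signal an inappropriate-access investigation starts from.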

Breach Notification Rule

  • Requires entities to notify affected individuals after a data breach.
  • IT Impact/Actionable Step: Develop and test incident response plans to handle breaches promptly.

De-identification of Data

  • HIPAA allows data to be de-identified to reduce privacy risks.
  • IT Impact/Actionable Step: Use techniques like data masking and aggregation to remove identifiable elements while retaining data utility.
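To make the masking-and-aggregation step concrete, here is an added example (not code from the original post) that de-identifies a small constructed set of patient records: direct identifiers are dropped, date of birth is generalised to an age band, ZIP codes are truncated, and aggregate counts suppress small cells. The sample records, the reference date, the small-cell threshold of 3, and the random link token scheme are all assumptions made for the example; which legal standard a given transformation satisfies is a determination for the privacy and legal team, not something this code decides.

```python
"""Constructed example: de-identifying patient records by masking direct
identifiers, generalising quasi-identifiers, and aggregating with
small-cell suppression."""

import secrets
from collections import Counter
from datetime import date
from typing import Any, Dict, List, Tuple

# Constructed sample records; no real patient data.
RECORDS: List[Dict[str, str]] = [
    {"mrn": "MRN-0001", "name": "Ana Lopez", "dob": "1948-03-02", "zip": "75201", "diagnosis": "E11"},
    {"mrn": "MRN-0002", "name": "Ben Ortiz", "dob": "1991-07-19", "zip": "75204", "diagnosis": "J45"},
    {"mrn": "MRN-0003", "name": "Cara Diaz", "dob": "1958-11-30", "zip": "75208", "diagnosis": "E11"},
    {"mrn": "MRN-0004", "name": "Dev Patel", "dob": "1934-01-12", "zip": "75210", "diagnosis": "I10"},
    {"mrn": "MRN-0005", "name": "Eli Kim",   "dob": "1960-05-05", "zip": "75215", "diagnosis": "E11"},
]

DIRECT_IDENTIFIERS = {"mrn", "name"}   # removed outright from the released data
AS_OF = date(2025, 1, 1)               # fixed reference date so ages are reproducible
SMALL_CELL = 3                         # constructed threshold for aggregate suppression


def age_band(dob: str, as_of: date = AS_OF) -> str:
    """Generalise a date of birth to a 10-year age band. Ages of 90 and over
    are pooled into a single '90+' band, since very old ages are rare enough
    to single people out."""
    born = date.fromisoformat(dob)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    if age >= 90:
        return "90+"
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def truncate_zip(zip_code: str) -> str:
    """Keep only the first three digits of a ZIP code. Sparsely populated
    three-digit areas need further generalisation, which requires census data
    and is not implemented here."""
    return zip_code[:3]


def deidentify(records: List[Dict[str, str]]) -> Tuple[List[Dict[str, Any]], Dict[str, str]]:
    """Return (released_records, link_table). The link table maps a random
    token back to the MRN and must be stored separately from the release,
    under its own access controls."""
    released, link_table = [], {}
    for rec in records:
        token = secrets.token_hex(8)   # random, not derived from the record
        link_table[token] = rec["mrn"]
        out: Dict[str, Any] = {"token": token}
        for key, value in rec.items():
            if key in DIRECT_IDENTIFIERS:
                continue
            if key == "dob":
                out["age_band"] = age_band(value)
            elif key == "zip":
                out["zip3"] = truncate_zip(value)
            else:
                out[key] = value
        released.append(out)
    return released, link_table


def aggregate_by_diagnosis(released: List[Dict[str, Any]], small_cell: int = SMALL_CELL) -> Dict[str, Any]:
    """Count records per diagnosis and suppress cells below the threshold,
    so a rare diagnosis cannot be tied to the one person who has it."""
    counts = Counter(r["diagnosis"] for r in released)
    return {dx: (n if n >= small_cell else f"<{small_cell}") for dx, n in counts.items()}


if __name__ == "__main__":
    released, links = deidentify(RECORDS)
    for row in released:
        print(row)
    print(aggregate_by_diagnosis(released))
```

The point the code makes that the bullet alone does not: de-identification is several distinct transformations (removal, generalisation, truncation, suppression), each chosen per field, and the re-identification link table is an asset to be protected on its own rather than a by-product to be left beside the released data.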

Our role as IT Professionals in Health Privacy Compliance – The things we should implement:

Data Protection by Design

  • Embed privacy measures into systems handling health data from the start.
  • IT Impact/Actionable Step: Apply encryption, secure APIs, and rigorous access controls during development.

Employee Training

  • Ensure IT teams understand privacy laws and tort risks.
  • IT Impact/Actionable Step: Regularly update training materials to reflect changes in privacy regulations.

Audits and Assessments

  • Regularly assess systems for privacy vulnerabilities.
  • IT Impact/Actionable Step: Conduct Privacy Impact Assessments (PIAs) and Security Risk Assessments (SRAs).

In my opinion, privacy is a shared responsibility, and understanding privacy torts and health privacy laws can help us protect users and our organizations from costly violations. By integrating privacy best practices, we not only ensure legal compliance but also build a cornerstone of ethical technology.

I hope you found this post helpful and informative. Thanks for stopping by!
