@Info.Policy: For HUD, privacy is a menu
- By Robert Gellman
- Nov 17, 2004
Last summer, the Housing and Urban Development Department issued privacy rules as part of a new homeless management information system. A major goal of the system was to meet a congressional mandate for more data about the homeless population and services available.
You need to know that I was a consultant to one of HUD's contractors on the privacy part of the project. I am not a wholly disinterested observer here. However, I think the way HUD addressed privacy in its information system is novel and may have applications elsewhere.
A major problem faced by HUD was that many different types of organizations provide services to the homeless. The capabilities of the organizations differ, and the clientele have different privacy concerns. For example, clients of a domestic-violence shelter are more worried about confidentiality than clients of a soup kitchen are.
The next step is the key. The rules describe additional privacy protections that organizations could voluntarily adopt. For example, a baseline requirement is that an organization must provide each requesting individual access to his or her record. But an organization can do more. One voluntary measure is an appeal mechanism for anyone who believes that access was improperly denied.
Detailing optional privacy protections in a set of rules is a new idea. The rules essentially provide a menu, and each organization can choose the right mix of protections from that menu. Ordering 'off the menu' is also possible. An organization with a better idea, more suitable to its circumstances, can do more.
In addition to serving different privacy needs based on organizations' missions, HUD faced a second challenge, because some homeless organizations are already subject to federal privacy rules under the 1996 Health Insurance Portability and Accountability Act. One choice would have been to ask dually covered organizations to figure out how to deal with conflicts. Another would have been to resolve differences in the privacy rules. Neither alternative was attractive.
HUD took a bolder step. Its solution exempts any homeless organization from HUD's privacy rules if the organization determines that federal health privacy rules cover a substantial portion of its records about homeless clients. Only one set of rules will apply, minimizing conflicts while ensuring some privacy rules will cover most records.
Some parts of HUD's plan remain controversial, including the decision to collect Social Security numbers. However, the department's general ap- proach to privacy received kind words from the privacy community.
It's too early to tell for sure how the rules will work in practice. Nevertheless, there may be ideas in HUD's policy that will help other agencies solve their privacy problems. Robert Gellman is a Washington privacy and information policy consultant. E-mail him at firstname.lastname@example.org.