@Info.Policy: For HUD, privacy is a menu

Robert Gellman

Last summer, the Housing and Urban Development Department issued privacy rules as part of a new homeless management information system. A major goal of the system was to meet a congressional mandate for more data about the homeless population and services available.

You need to know that I was a consultant to one of HUD's contractors on the privacy part of the project. I am not a wholly disinterested observer here. However, I think the way HUD addressed privacy in its information system is novel and may have applications elsewhere.

A major problem faced by HUD was that many different types of organizations provide services to the homeless. The capabilities of the organizations differ, and the clientele have different privacy concerns. For example, clients of a domestic-violence shelter are more worried about confidentiality than clients of a soup kitchen are.

Often, privacy rules come in only one size and everyone has to implement the same policy. HUD adopted a different approach. HUD's privacy policy begins with a baseline of protections applicable to all covered providers of homeless services. Those protections overtly implement fair information practices, a set of privacy principles that form the basis for the 1974 Privacy Act and some other U.S. and international laws.

The next step is the key. The rules describe additional privacy protections that organizations could voluntarily adopt. For example, a baseline requirement is that an organization must provide each requesting individual access to his or her record. But an organization can do more. One voluntary measure is an appeal mechanism for anyone who believes that access was improperly denied.

Detailing optional privacy protections in a set of rules is a new idea. The rules essentially provide a menu, and each organization can choose the right mix of protections from that menu. Ordering 'off the menu' is also possible. An organization with a better idea, more suitable to its circumstances, can do more.

In addition to serving different privacy needs based on organizations' missions, HUD faced a second challenge, because some homeless organizations are already subject to federal privacy rules under the 1996 Health Insurance Portability and Accountability Act. One choice would have been to ask dually covered organizations to figure out how to deal with conflicts. Another would have been to resolve differences in the privacy rules. Neither alternative was attractive.

HUD took a bolder step. Its solution exempts any homeless organization from HUD's privacy rules if the organization determines that federal health privacy rules cover a substantial portion of its records about homeless clients. Only one set of rules will apply, minimizing conflicts while ensuring some privacy rules will cover most records.

Some parts of HUD's plan remain controversial, including the decision to collect Social Security numbers. However, the department's general ap- proach to privacy received kind words from the privacy community.

It's too early to tell for sure how the rules will work in practice. Nevertheless, there may be ideas in HUD's policy that will help other agencies solve their privacy problems.

Robert Gellman is a Washington privacy and information policy consultant. E-mail him at rgellman@netacc.net.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above