[arin-ppml] Policy Proposal: Customer Confidentiality

Tom Vest tvest at pch.net
Wed Jun 10 14:54:50 EDT 2009 

Hi Milton,

At last we agree on something :-)
My point in offering this reference was not to advocate any new  
requirements, confusing, deluge-like, or otherwise. Our method for  
handling authorization and accountability-related information is  
already fully operationalized, is generally well understood by most if  
not all stakeholders, and works pretty well. Moreover, the system of  
"unified identifiers" that facilitate the management of authorization  
and accountability-related records in this industry is identical to,  
and shares fate with, the unique identifiers that are the subjects of  
the records themselves. I believe that that's an administrative  
advantage that we'd all very much like to preserve.

I don't understand how the goal of permitting insurance portability  
was rendered (any more) meaninglessness by the fact of additional  
paperwork. If health insurance is still not as portable as it might be  
under current circumstances, I seriously doubt that HIPAA could be  
blamed. To be portable, something must exist first -- but let's not go  
down that road here.

Cheers,

TV

On Jun 10, 2009, at 12:08 PM, Milton L Mueller wrote:

> Tom
> The parallels with HIPAA are indeed there with respect to policy  
> objectives.
> But I hope we don't use HIPAA notification and consent as a model  
> for anything. Anyone confronted with the confusing deluge of consent  
> forms at a doctor's office during the early stages of its  
> implementation knows how meaningless the policy objectives became  
> once they were operationalized. Also, note what happened to their  
> attempt to create a unified identifier...


> On Jun 10, 2009, at 11:41 AM, Kevin Kargel wrote:
>
>>
>>> -----Original Message-----
>>> From: arin-ppml-bounces at arin.net [mailto:arin-ppml- 
>>> bounces at arin.net] On
>>> Behalf Of William Herrin
>>> Sent: Tuesday, June 09, 2009 11:25 PM
>>> To: Aaron Wendel
>>>
>>> IP addresses are like public right of ways. As an ISP you get to  
>>> hold
>>> lots of them in trust, but they aren't yours. They're ours, the
>>> general public's, and while you hold them in trust you are  
>>> accountable
>>> for their use... not to ARIN but to the general public whose commons
>>> you are so graciously being allowed to use at an almost negligible
>>> cost.
>>
>> Ah, but things have changed, you can now buy, sell and trade IP's  
>> thanks to
>> powers vested by 2009-1.  I know that 2009-1 has words saying that  
>> the
>> intention is not to create property, but if it walks like a duck  
>> and quacks
>> like a duck...
>
> Hi Kevin,
>
> While your views about IP number resource privatization may (or may  
> not) be borne out by changing circumstances, I think that the  
> article that I quoted previously is relevant either way.  Recall  
> that HIPAA = Health Information *Portability and Accountability*   
> Act. The overall goal of the legislation was to strike a practical  
> balance between privacy and disclosure so that the option of  
> insurance portability (individual autonomy, freedom of choice,  
> competition, etc.) could be extended broadly *without* sacrificing  
> "accountability," including the accountability of individuals and  
> health service providers for the potential impacts that increasing  
> patient/provider churn might have on the health of other individuals  
> and society in general.
>
> I think the parallels to our current circumstances and policy  
> debates are pretty self-evident, but perhaps that's just me...
>
> TV



> On Jun 10, 2009, at 10:12 AM, Milton L Mueller wrote:
>
>>> -----Original Message-----
>>> From: arin-ppml-bounces at arin.net [mailto:arin-ppml- 
>>> bounces at arin.net] On
>>> Public actions have public accountability.  If you don't want your  
>>> picture
>>> taken going in to a strip club then don't go to a strip club.
>>>
>>
>> This doctrine bears no relationship to actual law regarding privacy  
>> and freedom of association. Sorry, guys, but there's more at stake  
>> here than your convenience as network admins, and even as network  
>> admins there are appropriate limits to place on indiscriminate  
>> public access to sensitive information, especially when  
>> contractually agreed between provider and customer. When you get  
>> elected as a legislator, Kevin, then you and 250 other elected reps  
>> can change that under due process if you wish; until then, don't  
>> try to make law via ARIN.
>>
>> --MM
>
>
> Neither does "actual law" impose a strict, uniform interpretation on  
> how information collected and maintained for *authorization and  
> accountability purposes* can and cannot be used in all situations.  
> An arguably relevant, if US-centric, illustration:
>
> "HIPAA requires healthcare providers to obtain patients'  
> authorization before disclosing their information to third parties  
> for marketing purposes. However, healthcare providers do not need  
> authorization to disclose information for marketing their own health- 
> related services. HIPAA also allows disclosure of health-related  
> information for a variety of social purposes such as public health  
> activities, suspicion of abuse or neglect, health oversight  
> activities, and for law enforcement purposes, along with a court  
> order, subpoena, or "administrative request." HIPAA does not include  
> a requirement to provide notice toconsumers in the event of a data  
> breach. Finally, lawsuits to enforce HIPAA requirements can only be  
> brought by the secretary of the Department of Health and Human  
> Services and not by individuals."*
>
> So, in some contexts at least, one man's "indiscriminate public  
> access" may be another man's access/disclosure to fulfill a  
> "legitimate social purpose."
>
> If that doesn't suit you, you can always take your own advice and  
> try to author some new "actual laws" that more closely fit your own  
> views.
>
> TV
>
> *George H. Pike, "HIPAA Gets New Privacy Rules" (Information Today,  
> April 1, 2009), p. 13.
>
> An online version is available at:
> http://goliath.ecnext.com/coms2/gi_0199-10387318/HIPAA-gets-new-privacy-rules.html

More information about the ARIN-PPML mailing list