Data Classification Culture Shock (re-Blogged)

One of the biggest “culture shocks” I had when I started working for the State of Minnesota was around data classification.


Up to that time, my work experience was completely in the private sector.


Recently a friend sent me an email with a concern that there was both information on minors and Health Insurance Portability and Accountability Act (HIPAA) data available through the web site of the State’s courts. My friend, also being an information security professional, would understandably see this as a potential security or, at least, privacy concern.


 
NOTE: As background information, HIPAA is a federal regulation that (among other things) holds HIPAA covered entities responsible for protecting health records. If you are so inclined, you can find more information at http://hhs.gov/ocr/hipaa and http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act.

Now, while this could be (and probably is) a privacy concern for individuals that the information is about, it does not necessarily violate the regulations. I will address the HIPAA issue first, as it will help build to the information on minors.


First, the local, state, and federal courts are not “covered entities” as defined by HIPAA. A covered entity has to fall into one of these categories: “Health Plan”, “Health Care Clearinghouse”, “Health Care Provider”, or “Health Care”. The “clearinghouse” classification is for organizations that process health information for a covered entity. The last one, which sounds the most “generic”, includes organizations like pharmacies (pun intended).


There is one more classification, the broadest of them, called “Hybrid Entity”. However, the activities of the courts themselves would fall outside of any “covered” activities performed by the Judicial branch. For example, if the Judicial branch were providing some health care management to the employees of the Judicial branch (e.g., self-insured), only those activities related to employee health information would be covered, not court records.


Second, most court records become public once closed. So, for example, if health information on an individual becomes evidence (or is even just talked about on the witness stand), it can become public data as part of the court records.


Third, the biggest eye opener for me when I started work at the State was that, unlike at a private sector company, all data generated or collected by government entities of the State is public by default. The exception is data that is classified otherwise, and that can happen only under the provisions of State statute (MN Chapter 13) or another regulation, like the Fed’s requirements (e.g., IRS tax data from the Fed).


For the information on minors, some of the same things apply as above: the court records can become public (e.g., if they are tried as an adult [“emancipated”], the minor’s conviction is part of another case, etc.).


However, there are other factors that could cause a minor’s information to be classified as public data, like the level of the sentence (felony, gross misdemeanor, misdemeanor, or petty misdemeanor). The more serious the crime and the older the minor is, the more likely the information could become public. An example of this would be a class action lawsuit. Child protection matters are also public records, with Runaway and Truancy cases being the exception. A lot of what makes a court record involving a minor “public” is up to the judge at the time of hearing the case.


So, just because someone can find information about a minor in the court’s publicly accessible records system does not mean it should not be there. I mean, how many times do we hear on the news that some 12-year-old brought a gun to school and shot a fellow student by accident? Once something like that hits the media, courts will often open up the trial and records of the case to the public due to public interest (i.e., it’s already out there, so let the transparency of the court activities bring some closure for the public).

 

Now, with all that said about the juvenile records stuff, someone could make a mistake and allow a “not-public” record to be publicly available. It happens, I am sure.

 

The point of this diatribe is that it just is not as black and white as some people think, and the public is not necessarily aware that the information they give the State, while it may be personal to the citizen, more likely than not becomes public data.


Think about the information someone has to give for their beautician’s license. All the information necessary to validate that they qualify for a license becomes public information (i.e., citizens have the right to look up their hair stylist to find out if they are licensed or not). I know I do.

