by Edward A. Schirick, C.P.C.U., C.I.C., C.R.M.
Privacy! We live in a country and work in a society where privacy is
highly regarded. In fact, our federal and state governments have gone
to great lengths to protect our privacy. This is one of those "good
news, bad news" experiences, especially for businesses today, because
complying with these laws and managing the privacy risk each creates
is increasingly complex.
Identifying which privacy law(s) applies to
your camp may take some time and will require some research. Identifying
risk is the first step in the risk management process.
Federal Laws
Federal
laws for the most part allow the states to pass similar legislation with
more stringent requirements. Some states have done so. Legal advisors
tell me when no state law applies or when federal law is more stringent
than a state requirement, the federal law takes precedence. So, you can
begin to appreciate how the risk identification step can be complicated.
Let's briefly examine a few federal laws which impact camp businesses.
Children's Online Privacy Protection Act of 1998 (COPPA)
This law
generally requires a Web site directed at children under age thirteen
to obtain "verifiable parental consent" before collecting
individually identifiable, personal information online from children.
COPPA defines the term "collect" to include providing a child
with the ability to have an e-mail address or the ability to post to
a chat room, bulletin board, or other online forum.
How much personal,
private information do you collect on your campers and their families
online? When is it gathered? If your Web site tracks information on any
inquiries that are made by children and it is tied to individually identifiable
information, your camp could be subject to the regulatory requirements
of COPPA.
COPPA also requires that such a Web site disclose in a notice
its online information collection and use practices with respect to children
and provide parents with the opportunity to review the personal information
collected online from their children.
Personal information includes full
name, address, e-mail address, telephone number, and any other information
that would allow someone to contact the child. The Act also applies to
information about hobbies and other interests, including information
gathered through cookies and other types of tracking mechanisms when
they are tied to individually identifiable information.
You can find
out more about COPPA and how to comply with this Act by visiting the
following section of the Federal Trade Commission Web site: www.ftc.gov/bcp/conline/pubs/buspubs/coppa.shtm.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
This legislation was established to protect the privacy
of personal health information. It was designed to improve efficiency
by standardizing electronic data interchange. This was deemed necessary
because of the gains in technology and the movement toward electronic
transactions. Another purpose was to protect the confidentiality and
security of health data by setting and enforcing standards.
The duty
of establishing these standards fell to the U.S. Department of Health
and Human Services (HHS). Among other requirements, HHS established a
Privacy Rule and a Security Rule.
The Privacy Rule applies to all forms
of a patient's protected health information whether it is electronic,
written on paper, or oral.
The Security Rule applies only to protected
patient health information that is either housed or transmitted electronically.
"Covered
entities" are those organizations required to comply with HIPAA
Privacy and Security Rules — health plans, health care providers,
and health care clearinghouses. In addition, the business associates
of the "covered entities" may also be required to comply.
These include independent contractors, such as third party administrators
(TPAs) who pay claims for health plans, researchers, life insurance companies,
and employers.
The question is: do camps qualify as "covered entities" (as
health care providers) under HIPAA because they gather individually identifiable
health information about campers?
I think the answer is "yes" with regard to the Privacy Rule,
and "maybe" with regard to the Security Rule, depending upon
how the information is stored and shared. For example, if all of the
protected information is kept in paper form and none of it is transmitted
electronically (including via e-mail), then the Security Rule probably
doesn't apply. But, if the information is stored on your camp management
system and shared with hospitals and other health care providers electronically,
then the answer is definitely "yes."
A key requirement of
HIPAA is securing a person's consent for the use and disclosure
of the individually identifiable health information. If you haven't
reviewed the impact of HIPAA on your camp business in our growing electronic
world, now is the time to do so. Learn more about HIPAA by visiting www.hhs.gov/ocr/hipaa.
Fair Credit Reporting Act
Another federal law which creates
a regulatory compliance risk is the Fair Credit Reporting Act (FCRA).
In its simplest form it is designed to regulate the collection, dissemination,
and use of consumer information. But, wait a minute, camps are not credit
reporting agencies. How does FCRA apply to camps?
FCRA sets a national
standard for employers to follow in employment screening. This includes
criminal background checks, as well as driving histories! All camp directors
should be regularly checking prospective employee and volunteer criminal
histories before offering a position and checking driving records if
the position includes any driving responsibilities.
FCRA requires that
the disclosure and written authorization from the prospective employee
or volunteer be a separate document to be signed independently of the
employment application. When was the last time you reviewed your employment
application and the authorization you use for criminal background checks?
Have you ever requested a credit history on a prospective camper family?
If you have and didn't include an FCRA written authorization, you
may have been in violation of the Act. To learn more about using consumer
reports in your camp business, go to www.ftc.gov/bcp/conline/pubs/buspubs/credempl.shtm.
Driver's Privacy Protection Act of 1994
This federal law prohibits state
department of motor vehicle offices from releasing personal information
from driver license records and motor vehicle registration records except
for specific statutory purposes.
One of these specific purposes is driver
safety and theft, which includes release of information for insurance
underwriting purposes.
These regulations have changed the way driver
histories are obtained and shared. Because of the regulations and concerns
about privacy, most insurance companies won't send a copy of the
employee or volunteer's driving history to the insurance broker
or camp director anymore.
Individuals who don't qualify for driving
responsibilities based upon information contained in the motor vehicle
report may have to secure a copy of their own driving record to clear
up any potential confusion or erroneous entries.
Insurance brokers may
be able to help you craft some documents and disclosures for driving
history checks. However you handle driving records for U.S. citizens,
please remember to require International Staff to bring copies of their
driving histories with English translations when necessary. The various
staffing agencies can provide assistance with this.
State Laws
On top
of these federal laws are various state laws which may be more restrictive
than the federal regulations. To help with the privacy risk identification
and risk management process at the state level, go to the Electronic
Privacy Information Center (EPIC) at www.epic.org/privacy/consumer/state.html.
Once you've gotten the "big picture" from these and
other resources available to you, seek advice and assistance from legal
counsel to ensure your forms and documents comply fully with the various
state and federal regulations. Exercise due diligence!
Originally published in the 2008 March/April
issue of Camping Magazine.