State privacy laws of the United States

However, after the creation of a national economy as a result of the Civil War, governmental agencies were created to recommend stronger privacy protections.

This led to the creation of de facto privacy commissioners, such as the Federal Trade Commission (FTC) and the State Attorney General.

The Uniform Law Commission has proposed a model bill – the Uniform Personal Data Protection Act (“UPDPA”), which “provides a reasonable level of consumer protection without incurring the compliance and regulatory costs associated with some existing state regimes.”[2] There are several different types of privacy legislation currently in place.

Types of legislation include:

One major aspect of medical privacy is laws placed on biobanks.

Major federal laws that apply to biobanks are regulations by the Food and Drug Administration and Common Rule.

The Common Rule is a guideline in the United States for research involving human subjects.

State legislation on privacy tends to follow the same patterns and orders as federal laws in these matters.[3]

With regard to biobanks, state laws can restrict a laboratory's ability to reject a customer and can regulate what happens with data after a test.[3]

States can pass legislation that lets individuals control the tests conducted on their genes and regulates how long data is stored in biobanks.

At the national level, the Federal Trade Commission (FTC) is in charge of data security regulation.

Several aspects of the FTC regulations are outdated and are only loosely connected to data security through Section 5.

(b) The patient has the right to access information contained in his or her clinical records within a reasonable time frame.

Original medical records shall be released by the hospital only in accordance with federal or state laws, court orders, or subpoenas.

(3) A general description of the actions taken by a covered entity to restore the security and confidentiality of the personal information involved in the breach.

(1) A current or prospective employee or student to disclose his or her username and password to the current or prospective employee's or student's social media account; or (2) A current or prospective student, as a condition of acceptance in curricular or extracurricular activities, to: (A) Add an employee or volunteer of the institution of higher education, including without limitation a coach, professor, or administrator, to the list of contacts associated with his or her social media account; or (B) Change the privacy settings associated with his or her social media account.

(c) An institution of higher education shall not: (1) Take action against or threaten to discharge, discipline, prohibit from participating in curricular or extracurricular activities, or otherwise penalize a current student for exercising his or her rights under subsection (b) of this section; or (2) Fail or refuse to admit or hire a prospective employee or student for exercising his or her rights under subsection (b) of this section.

(d) Nothing in this section precludes an employer from requiring or requesting an employee to disclose a username, password, or other method for the purpose of accessing an employer-issued electronic device.

However, this section does not prohibit an employer from terminating or otherwise taking an adverse action against an employee or applicant if otherwise permitted by law.

(c) This section shall not do either of the following: (1) Affect a public or private postsecondary educational institution's existing rights and obligations to protect against and investigate alleged student misconduct or violations of applicable laws and regulations.

An insurer shall adopt and maintain procedures to ensure that all identifiable information maintained by the insurer regarding the health, diagnosis, and treatment of persons covered under a policy or contract is adequately protected and remains confidential in compliance with all federal and state laws and regulations and professional ethical standards.