Chapter 5 Possible Solutions to Past and Emerging Personal Data Issues
Taking together the DPA 2018 provisions discussed in this section, the DPA 2018 can be seen as a statute that is stricter, or more detailed and specific, than the GDPR; in protecting personal data it adopts more rigorous measures than the GDPR does. Its legislative model nevertheless resembles the GDPR's: it merely adds supplementary interpretation in certain provisions, producing detailed rules suited to the United Kingdom. This thesis takes the view that any jurisdiction wishing to adopt the UK legislative model must first adopt EU law, because the foundation of the UK's DPA 2018 is the GDPR; adopting the DPA 2018 directly without first adopting the GDPR framework would create difficulties in application.
Taking the DPA 2018 as a whole, this thesis considers the aspects of UK law worth emulating in Taiwan to be the following. First, a dedicated supervisory authority with a comparatively long history, the ICO (established as early as 1984, decades before the GDPR of 2016 required every EU member state to maintain a dedicated personal data supervisory authority473), which has been able to accumulate enforcement experience and refine the personal data regime. Second, further interpretation of the GDPR's legal elements in light of the UK's own needs.
On the first point, because Taiwan still has no dedicated supervisory authority and therefore cannot yet draw on a unit as experienced as the UK's ICO, it must catch up quickly and establish a dedicated personal data authority as soon as possible, so as to consolidate personal data matters and prepare for future enforcement.
On the second point, this thesis considers that because Taiwan, unlike the UK, has no need to maintain close alignment with the EU, it cannot simply provide in its Personal Data Protection Act that the GDPR or any other country's data protection law applies mutatis mutandis; it should still enact an independent personal data statute as the legal basis. This thesis nevertheless suggests that Taiwan could use the UK framework as a reference model for the Enforcement Rules of the Personal Data Protection Act: treat the Act itself as the foundational norm, in the role the GDPR plays, and position the Enforcement Rules as the detailed rules, in the role the DPA 2018 plays, first amending the Act with reference to EU law and then amending the Enforcement Rules with reference to UK law. The Act, as the parent statute, would authorize the personal data supervisory authority to adjust the Enforcement Rules as actual needs require and to redefine the terms and standards used in the Act.
Section 3 Relevant Provisions of US Law
Subsection 1 Overview of the Current Situation in the United States
Unlike the EU and Taiwan, the United States has no unified personal data law; it follows a sectoral model, with dedicated personal data statutes for individual industries474. The statutes most relevant to the National Health Insurance database discussed in this thesis are the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). This thesis considers that establishing special rules for health data is also a feasible way to improve Taiwan's personal data practice: beyond the protection afforded by the Personal Data Protection Act, a special statute could strengthen the protection of health-related personal data, or, in view of the characteristics of health data, grant more flexible lawful grounds for its collection, processing and use. Moreover, because "information security" was one of the key grounds the court relied on in the National Health Insurance database litigation to justify the lawfulness of the collection, processing and use of the data475, this thesis considers that US law, which lays down specific rules for the security of health data, can well serve as a reference model for Taiwan. Finally, because "whether it contributes to the public interest" was also a ground the court relied on in the National Health Insurance database case to hold that the National Health Insurance Administration's collection, processing and use of personal data was lawful476, this thesis considers the US research ethics regulation, the Federal Policy for the Protection of Human Subjects (the Common Rule), also worth consulting as a criterion for determining whether a given research project serves the public interest.
This section explains the content of HIPAA and HITECH, supplemented by the Common Rule, and discusses the possibility of Taiwan adopting a special-statute model like that of the United States to regulate health data.
473 Supra note 386.
474 See note 19 above, at 46.
Subsection 2 HIPAA
HIPAA was enacted by the US Congress in 1996 as an amendment to the Internal Revenue Code of 1986. Its stated purposes are to improve the portability and continuity of health insurance coverage, to combat waste, fraud and abuse in health insurance and health care delivery, to improve access to long-term care services and coverage, and to simplify the administration of health insurance477.
When Congress passed HIPAA in 1996 it also set itself a deadline: it had to enact privacy legislation by August 21, 1999, failing which the Department of Health and Human Services (HHS) was authorized to issue regulations in its place. Congress did not meet the deadline, so HHS ultimately promulgated the Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) and the Security Standards for the Protection of Electronic Protected Health Information (the Security Rule), finalized under the George W. Bush administration in 2002 and codified at Title 45 of the Code of Federal Regulations, Parts 160 and 164478 479 480. Within Part 164, Subparts A and E constitute the Privacy Rule, with Subpart E containing the main conduct requirements, and Subpart C constitutes the Security Rule. The compliance date of the Privacy Rule was April 14, 2003; that of the Security Rule was April 20, 2005481.
475 See notes 140 and 166 above.
476 See notes 139 and 157 above.
477 U.S. Government Publishing Office, Public Law 104–191, Aug. 21, 1996, Health Insurance Portability and Accountability Act of 1996, 2 (1996).
478 See note 19 above, at 50-51.
479 楊智傑 (2014), 〈美國醫療資訊保護法規之初探─以 HIPAA、HITECH 之隱私規則與資安規則為中心〉 [A Preliminary Study of US Medical Information Protection Law: Focusing on the Privacy Rule and Security Rule of HIPAA and HITECH], 《軍法專刊》 [Military Law Journal], vol. 60, no. 5, at 81-82.
480 葉錫誼 (2018), 〈個人健康醫療資訊之美國與歐盟法規管理方向〉 [Regulatory Directions for Personal Health and Medical Information in the United States and the European Union], 《當代醫藥法規月刊》 [Contemporary Medical Regulation Monthly], no. 92, at 8.
The Privacy Rule and the Security Rule are the most influential parts of HIPAA; their content is discussed in turn below.
Paragraph 1 The Privacy Rule
Item 1 Definition of Protected Health Information
Under Title 45 of the Code of Federal Regulations, Part 160, Subpart A, § 160.103 (45 CFR § 160.103), "health information" for the purposes of the HIPAA Privacy Rule means any information, including genetic information, whether oral or recorded in any form or medium, that (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual. Information satisfying both conditions is health information482 483.
Within health information, the subset further designated "protected health information" is individually identifiable health information that (1) is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium; but (2) excludes education records covered by the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g), records described at 20 U.S.C. § 1232g(a)(4)(B)(iv), employment records held by a covered entity in its role as employer, and information regarding a person who has been deceased for more than 50 years484.
481 See note 479 above, at 82.
482 45 CFR § 160.103 (“Health information means any information, including genetic information, whether oral or recorded in any form or medium, that:
(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.”).
483 See note 479 above, at 82-83.
484 45 CFR § 160.103 (“Protected health information means individually identifiable health information:
(1) Except as provided in paragraph (2) of this definition, that is:
(i) Transmitted by electronic media;
(ii) Maintained in electronic media; or
(iii) Transmitted or maintained in any other form or medium.
(2) Protected health information excludes individually identifiable health information:
(i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
(ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
(iii) In employment records held by a covered entity in its role as employer; and
(iv) Regarding a person who has been deceased for more than 50 years.”).
For several of the defined terms, "health care provider", "health plan" and "health care clearinghouse", the HIPAA Privacy Rule likewise gives explicit definitions in the same provision (45 CFR § 160.103)485 486 487 488.
485 45 CFR § 160.103 (“Health care provider means a provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.”).
486 45 CFR § 160.103 (“Health plan means an individual or group plan that provides, or pays the cost of, medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)).”).
487 45 CFR § 160.103 (“(2) Health plan excludes:
(i) Any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in section 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and
(ii) A government-funded program (other than one listed in paragraph (1)(i)-(xvi) of this definition):
(A) Whose principal purpose is other than providing, or paying the cost of, health care; or (B) Whose principal activity is: (1) The direct provision of health care to persons; or (2) The making of grants to fund the direct provision of health care to persons.”).
488 45 CFR § 160.103 (“Health care clearinghouse means a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value-added” networks and switches, that does either of the following functions:
(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.
(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.”).
the Privacy Rule also brings them within its scope, terming them "business associates"490 491.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.”).
490 45 CFR § 160.103 (“Business associate:
Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:
(i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.”).
491 See note 479 above, at 84.
492 Supra note 490.
493 45 CFR § 160.103 (“ A covered entity may be a business associate of another covered entity.”).
494 45 CFR § 160.103 (“Business associate includes:
(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.
(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.
(iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.”)
495 45 CFR § 160.103 (“Business associate does not include:
(i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.
(ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of § 164.504(f) of this subchapter apply and are met.
(iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.
(iv) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.”).
496 45 CFR § 164.502(e)(1)(i).
497 45 CFR § 164.502(e)(1)(ii).
set out in writing in a "business associate agreement"498. Although this provision merely requires a covered entity to enter into a contract with its business associate to ensure that protected health information is appropriately protected, and thus appears to be no more than a private-law contract between the two, the Privacy Rule in substance imposes detailed, specific requirements on the content of a business associate agreement499, and also places further statutory duties on business associates themselves, for example that they may not use or disclose protected health information beyond the scope agreed in the contract500 and that they are obliged to disclose protected health information where necessary501. Business associates are thus also among the parties the HIPAA Privacy Rule seeks to bring within its regulatory framework502.
Item 3 Requirements for Lawful Use of Regulated Information
Under 45 CFR § 164.506(b)(1) of the HIPAA Privacy Rule, a covered entity may obtain the individual's consent to use or disclose protected health information for the treatment, payment or health care operations of that individual503. In other words, the individual's consent is not required for protected health information to be used for treatment, payment or health care operations504. The permitted scope is limited to: (1) the covered entity's own treatment, payment or health care operations; (2) for the purpose of treatment, to another health care provider,