Databases

When opting out is hard to do: World Privacy Forum sends letter to FTC about data broker companies offering mail-based opt outs

Data broker opt out issue -- The World Privacy Forum sent a letter to the Federal Trade Commission asking it to look into four companies offering online consumers the ability to opt out, then asking those consumers to use a variety of postal-mail-based methods to do so.

Report Announcement: Privacy in the Clouds

WPF report announcement -- The World Privacy Forum's newest report examines the privacy and confidentiality issues of cloud computing that have been largely overlooked to date. It is a thorough analysis with policy findings. Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing was written by Robert Gellman for the World Privacy Forum. Cloud computing tips for consumers and business are also available.

Council for Responsible Genetics convenes experts and the public for database and genetics conference

Genetic privacy -- The World Privacy Forum participated in a Council for Responsible Genetics (CRG) conference on genetic databases at New York University. The groundbreaking conference focused on key issues of race and genetic databases, fairness, accuracy, and privacy. The World Privacy Forum discussed a paper by Dr. Harry G. Levine, Drug Arrests and DNA, noting that innocent victims of medical identity theft may be arrested for the "drug seeking behavior" of the criminals impersonating them.

World Privacy Forum files comments with FTC regarding credit -based insurance scoring

Financial privacy -- The World Privacy Forum filed comments with the Federal Trade Commission today about its proposed study of credit -based pricing practices for homeowners insurance. The World Privacy Forum requested that the FTC ask insurers if there are specific procedures in place for detecting, mitigating, and responding to consumers who have been victims of identity theft. The WPF noted its support for the FTC's use of the FTC Act Section 6(b) authority to acquire robust information from the insurance companies.

Legal and Policy Analysis: Personal Health Records: Why Many PHRs Threaten Privacy

New publication | PHRs and privacy -- The World Privacy Forum has published a new legal and policy analysis examining Personal Health Records -- or PHRs -- and the privacy issues associated with them. This analysis, Personal Health Records: Why Many PHRs Threaten Privacy, was prepared by Robert Gellman for the World Privacy Forum. The analysis finds that significant, serious threats to privacy exist in some PHRs.

Updates to Top Ten Opt-Out List

Opt-out | Financial privacy -- The World Privacy Forum has updated its popular Top Ten Opt Out list to reflect several new change made to the Direct Marketing Association opt outs. In the past, some of the DMA opt-outs, like the Direct Marketing Association's mailing preference lists, used to cost $1. That fee has now been removed for people opting out online. Please see item #3 on the Opt Out list for the complete update.

World Privacy Forum outlines 8 best practice responses to medical identity theft for the healthcare sector

Medical identity theft | Best practice responses -- The World Privacy Forum has outlined 8 best practice responses to medical identity theft for the health care sector. The best practice responses are based on research the Forum is conducting for its second report on medical identity theft, and is a work in progress. The 8 best practice responses were presented to AHIMA delegates October 9; the Forum is soliciting and accepting feedback on the 8 best practices.

Public Comments: World Privacy Forum files comments on CMS plan to allow release of patients' protected health information from Medicare database in some circumstances; benefits do not outweigh the risks

Medicare - CMS -- The World Privacy Forum filed extensive pubic comments on the substantive changes to the Medicare database release policy that the Centers for Medicare and Medicaid Services (CMS) has proposed in a System of Records Notice. As it currently stands, CMS is planning to release the individually identifiable protected health information of patients in the Medicare database to third parties in some circumstances. CMS has not established strong enough checks and controls on its release policy, and it has not explained how it is able to do this under HIPAA. The comments state that CMS has an obligation to explain how each routine use in its new policy is consistent with the authority in the HIPAA privacy rule. If a routine use allows disclosures that are broader than those permitted by HIPAA, then the routine use must be narrowed so that it is consistent with HIPAA. The comments also note that nothing in the CMS notice discusses substance abuse rules and other legal restrictions of the protected health data. The World Privacy Forum asked CMS to specify that the qualifications of any data aggregators who may potentially receive the data exclude any entity that sells other consumer data for any general business, credit, identification, or marketing purpose.

Update: World Privacy Forum's NHIN Timeline updated to reflect changes in AHIC

NHIN update -- The National Health Information Network, or NHIN, is part of a major undertaking to digitize and network the health care sector. From electronic health records to multi-state health information hubs, the U.S. government's goal is to modernize and move health care information from paper to digital. The Department of Health and Human Services is the primary mover behind this initiative, which is complex and multi-faceted. The World Privacy Forum keeps a chronology of NHIN events as a public service. The NHIN timeline has been updated to reflect changes in AHIC, a group that is charged in part with ensuring privacy and confidentiality in the NHIN and other aspects of health care modernization. AHIC is set to transition to a "public-private partnership," a move that will need to be watched closely to ensure robust consumer involvement.

Update: Monster.com saying data breach may impact all users of Monster.com, official Federal job site USAJobs.com impacted

Consumer alert update -- Monster.com posted a warning on its site stating that all users of Monster.com may have been impacted by the data breach of its systems by hackers. All job seekers need to be aware of potential phishing attacks that are sophisticated and highly targeted, and job seekers with safety considerations need to be aware that their information has likely been compromised. The U.S. Office of Personnel Management has announced that the Federal job site USAJobs (which is outsourced to Monster.com) has also been impacted by the breach. The World Privacy Forum has updated its job seeking tips, and its consumer alert.

Consumer Alert: Monster.com data breach impacts hundreds of thousands of job seekers; job seekers who have safety concerns may be especially at risk

Consumer Alert | Internet privacy | Job search safety and privacy -- The World Privacy Forum issued a consumer alert today warning about a data breach at Monster.com. Security firms that analyzed the breach have stated the breach impacts hundreds of thousands of job seekers. The immediate information that was stolen included job seekers' home address, phone numbers, email address, and resume IDs. Some victims may have received further phishing emails. Job seekers who have safety concerns such as law enforcement professionals, victims of domestic violence and other victims of crimes such as stalking -- who typically do not make their home addresses or personal phone numbers public -- have an immediate need to know if their personal information may be in the hands of criminals. The consumer alert contains tips for victims and links to resources and more information.

World Privacy Forum responds to June 2007 NCVHS recommendations to the Secretary of HHS regarding health care information at non-HIPAA covered entities

Medical privacy | NCVHS | HIPAA -- The World Privacy Forum has sent a letter to Dr. Simon P. Cohn, Chairman of the National Committee on Vital and Health Statistics, supporting the Committee's formal conclusion that all entities that create, compile, store, transmit, or use personally identifiable health information should be covered by a federal privacy law. More needs to be done about health care data that is left unprotected by HIPAA. The Forum's letter included a discussion of two HHS programs that operate outside of HIPAA: FDA RiskMAPS, and the National Institutes of Health, which is not a covered entity under HIPAA.

World Privacy Forum requests that the new National Disaster Medical System protect all patient information to standards at least equal to HIPAA

National Disaster Medical System | Privacy Act of 1974 -- The World Privacy Forum has filed public comments with the Department of Health and Human Services requesting that its new National Disaster Medical System protect all patient information to at least the baseline protections that HIPAA affords, including the HIPAA security and privacy protections. Currently, the new system does not do this, even though the system is housed at HHS, the agency which promulgated the HIPAA standards. The National Disaster Medical System currently contains overbroad routine uses which could potentially result in significant privacy and even public health issues. For example, public health information will not be able to be disclosed under the National Disaster Medical System as the system is currently organized. Additionally, some of the current routine uses in the system would authorize disclosures that would be illegal under HIPAA. For example, Congressional disclosure of a HIPAA record requires a written authorization, something the new system does not require.

World Privacy Forum makes presentation at National Academy of Sciences' Institute of Medicine

Genetic privacy -- Executive director Pam Dixon presented key issues and potential solutions regarding privacy and Genome Wide Association Studies at the Institute of Medicine's Board on Health Sciences Policy meeting. Her presentation included recommendations to engage in a comprehensive study of certificates of confidentiality, to encourage standards of identifiability, to encourage study of what more uniform standards of privacy and security for researchers might look like, and a recommendation to work toward broad solutions that extend beyond GWAS activities.

World Privacy Forum files public comments and recommendations on pharmacogenomics privacy: all patient-specific PGx research should require certificates of confidentiality

information will expand greatly in the future. In public comments filed with the National Institutes of Health on pharmacogenomics (PGx) research, or research using genetic information to create highly personalized medicine, the World Privacy Forum recommended that all research activities that involve any type of patient-specific genetic information be required to have certificates of confidentiality, whether that information appears identifiable or not. The WPF also urged the NIH to require strong data use agreements to protect individuals' privacy. The WPF also urged NIH and the Department of Health and Human Services to reinstate the position of "privacy advocate" so as to provide oversight in this area.

World Privacy Forum and Electronic Frontier Foundation File Public Comments on REAL ID

REAL ID | National ID -- The World Privacy Forum and the Electronic Frontier Foundation (EFF) filed joint comments with the Department of Homeland Security about the proposed national ID system, REAL ID. The comments discuss the substantial flaws in the proposed REAL ID system including concerns about the overall structure of the program, the cards, the databases attached to the cards, the lack of controls on "function creep," the possibilities for discrimination, the potential for increased risk of identity theft, issues related to potential gaps in coverage for recipients on Federal programs, among other issues.

Stop REAL ID

REAL ID -- REAL ID is a national ID card program. Currently, the Department of Homeland Security is accepting public comments on the REAL ID plan. Comments will be accepted until Tuesday, May 8. The World Privacy Forum has joined with a large coalition of groups to solicit public comments on REAL ID; to file comments, please visit the Speak Out Against REAL ID coalition page for more information. http://www.privacycoalition.org/stoprealid/

World Privacy Forum testifies on genetic privacy and consumer data marketing issues

Genetic privacy | SACGHS -- The World Privacy Forum gave testimony to the Secretary's Advisory Committee on Genetics Health and Society regarding privacy issues stemming from direct-to-consumer advertising and consumer-initiated genetic testing. The World Privacy Forum noted that a great deal of consumer health data circulates outside the protections of HIPAA, and a substantial market for this kind of consumer health data already exists. Genetic data about consumers that is acquired outside the clinical context and is not subject to the protections of HIPAA (for example, through consumer-initiated genetic testing) will likely not be any more protected than other forms of consumers' health-related information from the current demands of the market. However, the consequences of leakage of genetic information about consumers into the marketing stream could have potentially negative consequences for both those consumers and their blood relatives. The World Privacy Forum urged the committee to include specific recommendations about privacy in its upcoming report to the Secretary, and also urged the committee to work with other federal agencies to set up a pre-market oversight structure that includes significant and meaningful privacy protections for genetic testing occurring outside of the protections of HIPAA.

World Privacy Forum comments about the ethical, legal, and social implications of using genetic health care data in electronic health records

Genetic Privacy -- The World Privacy Forum filed public comments with the Department of Health and Human services in response to an HHS request for information regarding the use of patients' genetic data for research, health care, and for use in electronic health records. The World Privacy Forum is requesting that HHS use all Fair Information Principles in any personalized health care projects, and is requesting that a formal ELSI (ethical, legal, and social implications) committee be set up to oversee any projects, among other requests.

World Privacy Forum Requests That CMS Bring Its Medicare Part D Data Activities Under HIPAA and Require Certificates of Confidentiality to Protect Patient Privacy

Medical privacy | Medicare Part D -- In comments filed with the Centers for Medicare and Medicaid Services, the World Privacy Forum requested that CMS give effect to data restrictions that Congress has expressly included in the law. WPF also requested that CMS include in its standard agreements for use of CMS data a requirement that the recipient obtain a certification of confidentiality for all identifiable CMS data. WPF also requested that CMS perform a regulatory impact analysis and publish a system of records notice.

Department of Justice Proposes Making Changes to Routine Uses of its Systems and Databases; World Privacy Forum Files Comments on Problematic Privacy Act Issues with the Proposed Changes

Privacy Act of 1974 -- The Department of Justice published a notice proposing to update the Routine Uses of its systems and databases under the Privacy Act of 1974. The proposal was not precise enough, and was written in such a way as to allow sensitive Privacy Act systems such as the Criminal Division Witness Security File (CRM-002), the Witness Immunity Records (CRM-022), and the National Instant Criminal Background Check System (NICS, FBI-018) to be disclosed to almost anyone in certain circumstances, including to individuals working outside of law enforcement. The World Privacy Forum is requesting that the DOJ significantly tighten its language in the proposal, and to specify what individuals or entities may have access to these sensitive records, under what specific conditions. The World Privacy Forum is also requesting the DOJ republish all of its up-to-date system of records notices in their entirety immediately and at least every two years thereafter.

World Privacy Forum Comments on Proposed Policy for Genetic Database

Genetic privacy -- Genome-wide association studies present complex and challenging privacy issues. The National Institutes of Health, in a published request for information, asked for public comment on its proposed policy regarding its support and management of a central genomic repository for genome-wide association studies. In comments filed with the National Institutes of Health, the World Privacy Forum raised concerns about the proposed NIH policy in the specific areas of genetic identifiability, secondary uses of the genetic data, oversight, legal protections, and informed consent.