Health Privacy

Public Comments: May 2010 - WPF comments on possible changes to HIPAA privacy rule; requests more patient access to audit logs

The World Privacy Forum filed comments with the US Department of Health and Human Services today in response to its Request for Information about possible changes to the HIPAA health privacy rule. WPF strongly supported patients' current right to request a history of disclosures of their medical files, and requested an expansion of this right. WPF noted in its comments to HHS that "An individual cannot fully protect his/her privacy interest in a health record (and most other records) unless he/she has a right of access to the record, the right to propose a correction, and the right to see who has used the record and to whom it has been disclosed. Each of these elements is essential."

WPF comments on proposed changes to HIPAA

Health privacy and HIPAA -- The World Privacy Forum filed comments with the US Department of Health and Human Services today in response to its Request for Information about possible changes to the HIPAA health privacy rule. WPF strongly supported patients' current right to request a history of disclosures of their medical files, and requested an expansion of this right. WPF noted in its comments to HHS that "An individual cannot fully protect his/her privacy interest in a health record (and most other records) unless he/she has a right of access to the record, the right to propose a correction, and the right to see who has used the record and to whom it has been disclosed. Each of these elements is essential."

Genetic regulations and privacy: Department of Labor

Genetic privacy -- The World Privacy Forum filed comments today with the Department of Labor requesting that the DOL expand its protections of how genetic information may be used by health insurance companies or group health plans. The World Privacy Forum urged the DOL to include genetic information posted on social networking sites in its consideration of the GINA regulations.

World Privacy Forum comments on genetic non-discrimination to HHS

Genetic non-discrimination regulations (GINA) -- The World Privacy Forum filed comments on proposed regulations for implementing Title I of GINA, the Genetic Non-Discrimination Act. The WPF requested a change to the proposed regulations, asking the Department of Health and Human Services require immediate posting of revised notices of privacy practices on the web sites of affected health plans. Under the proposed regulations, written notice of revised privacy practices to individuals could be delayed due to the cost of postal mailing. The WPF noted that a revised privacy notice posted on a health plan's web site would not incur postal costs, and that regulated entities should take this minimum step to inform consumers of any changes regarding privacy practices affecting genetic non-discrimination.

World Privacy Forum testifies before the House Energy and Commerce Committee

Congressional testimony -- WPF executive director Pam Dixon testified at a joint subcommittee hearing focused on privacy and the collection and use of online and offline consumer information. Dixon's testimony focused on the new "modern permanent record" and how it is used and created. Dixon said "The merging of offline and online data is creating highly personalized, granular profiles of consumers that affect consumers’ opportunities in the marketplace and in their lives. Consumers are largely unaware of these profiles and their consequences, and they have insufficient legal rights to change things even if they did know." The testimony explored concrete examples of problematic consumer profiling activities.

Medical data breach rule needs more work; World Privacy Forum files comments with HHS requesting changes

Data Breach | HHS HITECH Breach Notification -- The World Privacy Forum filed comments on the HHS data breach rulemaking and asked for substantive changes in several areas. In particular, WPF asked HHS to expressly state a requirement for a breach risk assessment in the final rule itself, and to set a requirement that the risk assessment must be conducted by an independent organization. The WPF also asked that HHS set breach risk assessment standards so that there is some uniformity and guidance as to what constitutes an appropriately rigorous risk assessment when a breach occurs. In the comments, WPF also discussed the relationship between medical identity theft and medical data breach and how this impacts patients and consumers.

WPF updates Red Flag report

WPF Red Flag Report -- The World Privacy Forum has updated its Red Flag report, Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers. The update reflects the new effective date of the Red Flag Rule, (November 1, 2009) and incorporates other minor updates in the text. This report replaces the original Red Flag report published September 2008.

Red Flag Rule: Executive Summary

Under recently issued regulations, the Federal Trade Commission requires financial institutions and creditors to develop and implement written identity theft prevention programs. The broad purpose of these Red Flag and Address Discrepancy Rules [1] is to require financial institutions and creditors to formally address the risks of identity theft and develop a mitigation plan. Health care providers can be creditors and, therefore, subject to the new rules, which were originally were scheduled to take effect on November 1, 2008. The FTC suspended enforcement until November 1, 2009. [2]

Red Flag Rule: Background

The Fair Credit Reporting Act (FCRA) as amended in 2003 requires the Federal Trade Commission and bank regulatory agencies to issue joint regulations and guidelines regarding the detection, prevention, and mitigation of identity theft. The requirement includes special regulations directing debit and credit card issuers to validate notifications of changes of address under certain circumstances. 15 U.S.C. § 1681m(e). Another FCRA amendment calls for additional joint regulations offering guidance regarding reasonable policies and procedures that a user of a consumer report (e.g., a credit grantor) should employ when the user receives a Notice of Address Discrepancy. 15 U.S.C. § 1681c(h).

Red Flag Rule: How the Red Flag Rule Affects Health Care Providers

The Red Flag Rule applies broadly to financial institutions, credit grantors, and some others, including some health care providers. A health care provider comes under the Red Flag rule if the provider: 1) meets the definition of creditor under the Fair Credit Reporting Act (15 U.S.C. 1681a(r)(5)). A health care provider comes under the Address Discrepancy Rule if they: 1) use consumer credit reports.

Red Flag Rule: What are the Obligations for a Health Care Provider Covered by the Red Flag Rule as a Creditor?

A health care provider that qualifies as a creditor that offers or maintains covered accounts must develop and implement a written Identity Theft Prevention Program. The purpose of the program is to detect, prevent, and mitigate identity theft in connection with new or existing covered accounts. The Program must be appropriate to the size and complexity of the creditor and the nature and scope of its activities. A large hospital will need a more robust program than a two-doctor office.

Red Flag Rule: What are the Address Discrepancy Obligations for a Health Care Provider That Uses Credit Reports?

The Address Discrepancy rule requires a user of a consumer report (credit report) to develop and implement reasonable policies and procedures to enable the user to deal with an address discrepancy. These requirements are narrower than the Red Flag rule for creditors. However, applicability of the address discrepancy requirement may affect a broader class of health care provider (and health insurers) than the Red Flag rule.

Red Flag Rule: Appendix 1 - Reproduction of the Red Flag and Address Discrepancy Guidelines and Supplement

Following is a reproduction of the Guidelines and Supplement to the Red Flag and Address Discrepancy Rules. The rulemakings may be found at Federal Trade Commission et al., Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, 72 Fed. Reg. (Nov. 9, 2007), <http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf>.

FTC issues final rule on health data breaches

Health data breach rulemaking -- The Federal Trade Commission has issued its final Health Breach Notification Rule for vendors of Personal Health Records and related entities, as required under ARRA, The American Recovery and Reinvestment Act of 2009. The initial proposed Health Breach Notification Rule was generally thoughtful and thorough. The World Privacy Forum submitted extensive comments on the proposed rule both supporting parts of it and making some suggestions for changes. The FTC incorporated several specific WPF suggestions into the final rule. In particular, the FTC incorporated the applicability of the rule to foreign entities with U.S. customers (Final Rule p. 17), and the applicability of the rule to search engines appearing on Personal Health Record web sites (Final Rule p. 34). The new rule will be published in the Federal Register shortly; until then, it is available at the FTC web site. Also available is a form that entities covered under this rule can use to report data breaches to the FTC. The Health Breach Notification Rule will be effective 30 days after publication in the Federal Register, and full compliance with the rule will be required beginning 180 days after publication.

IAB releases guidelines for controlling behavioral advertising practices

Self regulation -- The Interactive Advertising Bureau has released its self-regulatory guidelines for online advertisers. There are some bright spots in the new guidelines. In the area of sensitive information, especially regarding health privacy, the guidelines are weak and need improvement. The IAB definition of sensitive health information is weaker than the definition of sensitive information already adopted by industry in the formal NAI agreement. Additionally, the new IAB guidelines rely on weak accountability standards. WPF urges the IAB to re-examine the sensitive health definition, provide more accountability, and to include consumer input in a meaningful way into the drafting process.

World Privacy Forum files comments with the FTC regarding proposed rules for health care-related data breaches

Data Breach of Health Records - FTC -- The World Privacy Forum filed extensive comments with the Federal Trade Commission today regarding its notice of proposed rulemaking for data breaches of information containing actual health care information or health care-related information. The FTC rulemaking will apply to a variety of record holders, especially vendors of personal health records. The Forum supported much of the FTC's proposed rulemaking, finding the rulemaking generally thoughtful and careful. In some areas, the Forum urged the FTC to narrow and further define and strengthen the proposed rule. The World Privacy Forum urged the FTC to tighten language around scope, the definition of "personal health record," law enforcement delays of consumer notification, and urged the FTC to further clarify the definition of what falls under the category of "de-identified data." Citing the research of Dr. LaTanya Sweeney and others, the Forum urged the FTC to require commercial companies and others holding health care data that has been partially de-identified to still report those breaches to the FTC and the public, and to monitor for re-identification.

World Privacy Forum files comments with HHS regarding data breach guidance

Public comments re: health data breaches -- The World Privacy Forum filed comments with the Department of Health and Human Services today regarding the HITECH Act guidance that HHS published along with a request for comments. The Forum urged the Department to tighten its proposed guidance, and to add more protections, oversight, and rules for "limited data set" breaches.

World Privacy Forum Publishes A Patient’s Guide to HIPAA, First Comprehensive HIPAA Privacy Guide Written Expressly For Patients

“This guide is not just a retread of what HIPAA is and does,” said Pam Dixon, executive director of the World Privacy Forum. “Our guide gives patients practical details and strategies on how they can use the law to protect their privacy and navigate the medical system. Best of all, it is easy to use.”

World Privacy Forum asks FTC to reconsider proposed consent agreement with CVS

CVS Caremark | FTC proposed consent agreement -- The World Privacy Forum filed comments with the Federal Trade Commission in response to its proposed consent agreement with the CVS Caremark pharmacy chain. The proposed agreement is in resonse to a CVS data breach. The agreement does not impose a monetary penalty on CVS, and does not provide remedies for consumers affected by the data breach.

California Health Information Identification data base California CHILI database now online

Resource -- A substantial new resource for individuals seeking to research California laws and regulations regarding health information has come online. The CHILI database is a project of the California Office of Health Information Integrity, and has interfaced with the California Privacy and Security Advisory Board, which the World Privacy Forum co-chairs. The CHILI database can be searched by HIPAA section, California Code section, California health information law keywords, or by statutory scheme.

Public Comments: March 2009 - Comments on the Proposed Consent Agreement with CVS / Caremark

The World Privacy Forum filed comments with the Federal Trade Commission in response to its proposed consent agreement with the CVS Caremark pharmacy chain. The proposed agreement is in resonse to a CVS data breach. The agreement does not impose a monetary penalty on CVS, and does not provide remedies for consumers affected by the data breach. The World Privacy Forum urged the FTC to reconsider the agreement.