Health Privacy
About health privacy, World Privacy Forum key health privacy resources
The World Privacy Forum is extremely active in health privacy, with a long and successful track record of work in this area. We have done groundbreaking work in the area of medical identity theft, as well as substantive analysis and education on critical privacy aspects of health data such as medical research, genomics, and many other issues.
Some of our most frequently accessed health privacy resources include:
* A Patient’s Guide to HIPAA
* Medical Identity Theft Page (resources, reports, more)
* Health privacy tagged materials
* HIPAA tagged materials
* Electronic Health Records tagged materials
* Common Rule and Human Subject Research Protection tagged materials
* Genetic privacy tagged materials
We have many more publications and resources. For a full list of topics and publications, see our key issues page.
See below for health privacy news and content by date.
Following is a reproduction of the Guidelines and Supplement to the Red Flag and Address Discrepancy Rules. The rulemakings may be found at Federal Trade Commission et al., Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, 72 Fed. Reg. (Nov. 9, 2007), .
Health data breach rulemaking — The Federal Trade Commission has issued its final Health Breach Notification Rule for vendors of Personal Health Records and related entities, as required under ARRA, The American Recovery and Reinvestment Act of 2009. The initial proposed Health Breach Notification Rule was generally thoughtful and thorough. The World Privacy Forum submitted extensive comments on the proposed rule both supporting parts of it and making some suggestions for changes. The FTC incorporated several specific WPF suggestions into the final rule. In particular, the FTC incorporated the applicability of the rule to foreign entities with U.S. customers (Final Rule p. 17), and the applicability of the rule to search engines appearing on Personal Health Record web sites (Final Rule p. 34). The new rule will be published in the Federal Register shortly; until then, it is available at the FTC web site. Also available is a form that entities covered under this rule can use to report data breaches to the FTC. The Health Breach Notification Rule will be effective 30 days after publication in the Federal Register, and full compliance with the rule will be required beginning 180 days after publication.
Self regulation — The Interactive Advertising Bureau has released its self-regulatory guidelines for online advertisers. There are some bright spots in the new guidelines. In the area of sensitive information, especially regarding health privacy, the guidelines are weak and need improvement. The IAB definition of sensitive health information is weaker than the definition of sensitive information already adopted by industry in the formal NAI agreement. Additionally, the new IAB guidelines rely on weak accountability standards. WPF urges the IAB to re-examine the sensitive health definition, provide more accountability, and to include consumer input in a meaningful way into the drafting process.
Data Breach of Health Records – FTC — The World Privacy Forum filed extensive comments with the Federal Trade Commission today regarding its notice of proposed rulemaking for data breaches of information containing actual health care information or health care-related information. The FTC rulemaking will apply to a variety of record holders, especially vendors of personal health records. The Forum supported much of the FTC’s proposed rulemaking, finding the rulemaking generally thoughtful and careful. In some areas, the Forum urged the FTC to narrow and further define and strengthen the proposed rule. The World Privacy Forum urged the FTC to tighten language around scope, the definition of “personal health record,” law enforcement delays of consumer notification, and urged the FTC to further clarify the definition of what falls under the category of “de-identified data.” Citing the research of Dr. LaTanya Sweeney and others, the Forum urged the FTC to require commercial companies and others holding health care data that has been partially de-identified to still report those breaches to the FTC and the public, and to monitor for re-identification.
Public comments re: health data breaches — The World Privacy Forum filed comments with the Department of Health and Human Services today regarding the HITECH Act guidance that HHS published along with a request for comments. The Forum urged the Department to tighten its proposed guidance, and to add more protections, oversight, and rules for “limited data set” breaches.