Health Privacy

Patient Safety Organizations | Proposed rulemaking — The World Privacy Forum filed extensive comments today regarding privacy protections for patients whose health care information will be shared with patient safety safety organizations under newly proposed Department of Health and Human Services regulations. After a landmark Institute of Medicine report on the prevalence of medical errors and their harmful impact on patients (To Err is Human), the U.S. Congress eventually passed the Patient Safety Act (2005). The Patient Safety Act allows extensive health care data of patients to go to patient safety organizations. The idea is to provide a form of quality control. The Agency for Heathcare Research and Quality (AHRQ), part of HHS, has published its proposed regulations implementing the Act. The World Privacy Forum has made 14 recommendations for substantive changes in the proposed rules to protect patient privacy. The World Privacy Forum asked the Agency to expressly mandate that all patient data be de-identified or anonymized to the greatest extent possible, that the proposed rule should expressly require data use agreements for any data sharing, that the patient information be labeled as subject to the Patient Safety Act, and strongly urged that patient safety organizations be required to maintain an accounting of disclosures at least equal to HIPAA, among other recommendations.

Medical ID theft — Based on interviews with numerous victims and others involved in the crime of medical identity theft, and based on our own work with victims, the World Privacy Forum has added some new information to its 2006 consumer tips for medical identity theft. We have also slightly updated some of the older tips based on new information. The Forum has also updated its medical identity theft landing page to reflect our new and ongoing work in this area.

PHRs have been promoted in recent years as being an empowering panacea of benefits for consumers, but there has been little meaningful discussion of the complex and serious privacy issues PHRs can raise. For example, very few consumers know that not all PHRs are protected by HIPAA, the federal privacy rule that applies to medical files held at, for example, hospitals.

In PHRs, important information about privacy procedures and policies is contained in the fine print, and the fine print really matters. That’s because some PHRs are covered under HIPAA privacy protections, but many PHRs are not covered under HIPAA privacy protections. Few consumers understand that their health care files are not always protected under HIPAA when their files are in a PHR.

New publication | PHRs and privacy — The World Privacy Forum has published a new legal and policy analysis examining Personal Health Records — or PHRs — and the privacy issues associated with them. This analysis, Personal Health Records: Why Many PHRs Threaten Privacy, was prepared by Robert Gellman for the World Privacy Forum. The analysis finds that significant, serious threats to privacy exist in some PHRs.