Health Privacy
About health privacy, World Privacy Forum key health privacy resources
The World Privacy Forum is extremely active in health privacy, with a long and successful track record of work in this area. We have done groundbreaking work in the area of medical identity theft, as well as substantive analysis and education on critical privacy aspects of health data such as medical research, genomics, and many other issues.
Some of our most frequently accessed health privacy resources include:
* A Patient’s Guide to HIPAA
* Medical Identity Theft Page (resources, reports, more)
* Health privacy tagged materials
* HIPAA tagged materials
* Electronic Health Records tagged materials
* Common Rule and Human Subject Research Protection tagged materials
* Genetic privacy tagged materials
We have many more publications and resources. For a full list of topics and publications, see our key issues page.
See below for health privacy news and content by date.
One basic privacy right is the right to seek correction of personal information that is incorrect or incomplete. This is a difficult area for health records because health care providers do not like to change records, and they strongly resist removing information from a record. Often, the resistance is reasonable. For example, a preliminary diagnosis may turn out to be wrong, but the record of the diagnosis must remain in the record to explain a particular test or treatment.
Under HIPAA, if a consumer wants to authorize a covered entity to disclose her records, she will usually be obliged to sign an authorization form. The HIPAA rule prescribes the content of the authorization form and its scope. That rule provides some protections because it makes it harder for a consumer to unknowingly sign a form authorizing the disclosure of health records. For example, if a consumer signs a one-sentence form authorizing anyone with records about the consumer to disclose the records to the bearer of the form, it is unlikely that any doctor or hospital would or should honor that form.
For a non-HIPAA covered PHR, the privacy policy becomes a key document, if it is available. The privacy policy of a PHR vendor may tell consumers how the vendor plans to use personal information. It is possible that a commercial or advertising-supported PHR will do a good job of protecting its clients from uninformed or casual disclosures of personal or health information. It is also possible that a cautious client will not be able to evaluate a PHR vendor’s policy or practice.
PHRs that operate outside of HIPAA can negatively affect the privacy interests of consumers in various ways. The best to hope for is that a PHR will not make privacy significantly worse. However, it is not likely that even that weak standard can be met. The existence of electronically available and centralized health information outside the traditional health care system will attract new users and create new risks. The mere adding of health records to a PHR vendor’s files may undermine existing privacy protections of old records. Security is a concern for any electronic records. A consumer’s ability to control the disclosure of PHR records can easily be compromised. The consumer’s ability to correct errors in PHR records may be problematic. Advertising support may not meet a PHR’s profit goals unless at least some consumer information is available for close targeting of ads. Promised PHR privacy protections may vanish overnight if the privacy policy is changed.
Genetic privacy | SACGHS — The World Privacy Forum filed extensive comments with the Secretary’s Advisory Committee on Genetics, Health and Society (SACGHS) regarding its draft report on genetic testing oversight, U.S. System of Oversight of Genetic Testing: A Response to the Charge of the Secretary of HHS. The World Privacy Forum requested SACGHS pay more attention in its final report to the privacy consequences of unregulated genetic testing that occurs outside the health care sector. The WPF comments note that current and proposed remedies for the misuse of genetic information tend to focus on the use of the information within the health care treatment, payment, and insurance systems. What is crucially important is to analyze how to protect genetic information in the realm of commercial collection, maintenance, use and disclosures. Another area the comments discuss is the potential for new forms of fraudulent activity related to genetic testing (Phantom genetic testing, that is, genetic tests marketed to consumers that are not even real or viable genetic tests.) The World Privacy Forum specifically recommended that the National Committee on Vital and Health Statistics be tasked with looking at this matter, that an independent pre-market assessment mechanism is created for genetic tests offered outside the clinical setting, and that privacy be expressly discussed in the overarching recommendations in the final report.