HIPAA

WPF advises FDA and HHS on informed consent guidance for medical research

The World Privacy Forum filed detailed comments regarding draft guidance on privacy and medical research to the U.S. Department of Health and Human Services and the U.S. Food and Drug Administration. The proposed guidance, Facilitating Understanding in Informed Consent, is related to consent for human subject research (medical research) and is particularly important. Currently, models of consent are in the process of going digital, which has created a number of challenging problems to solve. In the comments, WPF had several recommendations to improve consent and privacy.

WPF comments to NIST regarding its differential privacy guidance

WPF submitted comments to the National Institute of Standards and Technology regarding its Draft Guidelines for Evaluating Differential Privacy Guarantees . The comments approach the NIST Draft Guidance from a policy perspective, and urged changes to some parts of the definitional language in the Draft Guidance. Key areas of the ...

WPF advises HHS regarding proposed changes to standards for privacy under HIPAA

WPF provided detailed comments to the US Department of Health and Human Services regarding its proposal for changes to HIPAA regarding modifications to the Privacy Rule. Specifically, HHS proposed modifications to standards for the privacy of individually identifiable health information. WPF supports many of the changes proposed in the NPRM.

Emerging Technologies, Human Subject Research, and the Common Rule: High level overview of the 2023 OHRP Research Community Forum

Earlier this month, WPF attended a joint conference focused on the shifting dynamics of how the Common Rule that governs human subject research in the US will be interpreted amidst new technological shifts such as AI. The department of Health and Human Services is seeking to define what the next steps and new policy frameworks should be to ensure the Common Rule protects individuals in current and future research environments. Details on the presentations, conversations, and key takeaways in the post.

FTC takes first enforcement action under its Health Breach Notification Rule; also takes action against misrepresentation of HIPAA compliance

The FTC announced its first enforcement action under its Health Breach Notification Rule . This rule applies to entities that are not covered under HIPAA. The announcement of the proposed order was filed by the U.S. Department of Justice on behalf of the FTC against the " ...telehealth and prescription ...

How New Procedural Controls Using the Privacy Act of 1974 Can Improve the Protections of Reproductive Health Information Held by Federal Agencies

September 2022 By Robert Gellman and Pam Dixon Download this Report Executive Summary This report suggests specific procedural and substantive ways that the Executive Branch can revise implementation of the Privacy Act of 1974 to restrict and more carefully administer some disclosures of reproductive health information by federal agencies to ...

WPF urges HHS to clarify the harms of medical identity theft for victims

WPF has urged HHS to clarify the intersection between HIPAA compliance and harms resulting from medical identity theft in its response to the Request for Information from the Office of Civil Rights of the Department of Health and Human Services regarding implementation of the HITECH Act. WPF has a long history of work on the issue of medical identity theft, which has informed its response to HHS.

WPF supports CDC guidance prohibiting use of vaccine recipients' data for commercial marketing purposes, urges that protections are extended to proof of vaccination systems

WPF's Executive Director spoke today before the US Center For Disease Control's ACIP Committee regarding privacy protections for vaccine recipients' data. WPF supported the CDC’s prohibition on the use of vaccine recipient data for commercial marketing purposes. The CDC’s Vaccination Program Provider Requirement s , published in May 18, 2021, ...

WPF urges FTC Chair and Commissioners to update FTC Health Breach Notification Rule

The FTC held an historic open FTC Commission meeting, during which the Chair and Commissioners conducted their business openly and also provided an opportunity for public comments. The World Privacy Forum was selected to provide a public comment, which focused on the need to update the Health Breach Notification Rule. 

COVID-19 and HIPAA: HHS’s Troubled Approach to Waiving Privacy and Security Rules for the Pandemic

The COVID-19 pandemic strained the U.S. health ecosystem in numerous ways, including putting pressure on the HIPAA privacy and security rules. The Department of Health and Human Services adjusted the privacy and security rules for the pandemic through the use of statutory and administrative HIPAA waivers. While some of the adjustments are appropriate for the emergency circumstances, there are also some meaningful and potentially unwelcome privacy and security consequences. At an appropriate time, the use of HIPAA waivers as a response to health care emergencies needs a thorough review. This report sets out the facts, identifies the issues, and proposes a roadmap for change.

May 19, 2020 WPF Statement regarding HHS Secretary's Section 1135 COVID-19 HIPAA Waiver

This statement discusses a 72-hour "statutory waiver" of 5 basic HIPAA rights (including the right to confidential communications). The waiver is triggered by the Secretary of HHS and applies for a 72-hour period beginning upon implementation of a hospital disaster protocol. This statement discusses this waiver, what it is, what is means, who is impacted, and our recommendations.

April 15, 2020 WPF Statement on the COVID-19 Community Based Testing Sites HIPAA Waiver

In response to the COVID-19 (coronavirus) pandemic, the U.S. Department of Health and Human Services announced a HIPAA waiver April 9, 2020 regarding Community Based Testing Sites, which waives enforcement of all HIPAA privacy and security protections and data breach rules from some health care activities affecting COVID-19 testing.  This statement from WPF includes the following information:   -What are the changes the Community Based Testing Sites HIPAA waiver creates?  -What are the privacy concerns?  -WPF recommendations to correct the privacy problems in the Community Based Testing Sites HIPAA waiver   -Background on HIPAA waivers and a list of all current waivers in force

April 6, 2020 WPF Statement on COVID-19 Business Associate HIPAA Waiver

In response to the COVID-19 (coronavirus) pandemic, the U.S. Department of Health and Human Services announced a HIPAA waiver April 2, 2020 regarding Business Associates. The April 2 waiver is consequential and poses significant privacy challenges. This statement from WPF includes the following information:   -What are the changes to HIPAA the April 2 waiver creates?  -What are the privacy concerns?  -WPF recommendations to correct the problems in the April 2, 2020 waiver  

March 18 WPF Statement on COVID-19 Telehealth HIPAA Waiver

In response to the COVID-19 (coronavirus) pandemic, the U.S. Department of Health and Human Services announced some changes in HIPAA practices. This statement from WPF includes the following information:   -What are the changes to HIPAA during the COVID-19 emergency?  -What are the privacy concerns?  -WPF recommendations to ensure patient privacy is protected  

WPF urges National Institutes of Health to expand privacy guidance for researchers

WPF is urging the National Institutes of Health to do more to properly advise the research community and to protect data subjects in its draft guidance on data management and sharing. WPF is asking for changes to the NIH guidance because in the US, much health research data in the hands of researchers is not subject to the privacy or security rules in HIPAA.

WPF to testify before NCVHS on emerging privacy concerns in health privacy — Beyond Digitization: Artificial Intelligence, APIs, and health privacy

WPF Executive Director Pam Dixon will testify before the full committee of the National Committee on Vital and Health Statistics (NCVHS) regarding emerging privacy concerns in the healthcare environment, including the role of artificial intelligence, patient authorizations, and automated access to patient health information. The NCVHS is the statutory [42 ...

WPF responds to HHS and urges it to keep privacy protections in HIPAA strong

WPF has written to the US Department of Health and Human Services advising them on their Request for Information (RFI) about possible changes to HIPAA privacy and security protections. The RFI has a number of suggestions that, should they become part of a formal proposal, would significantly weaken HIPAA privacy protections.