HIPAA

Health Industry Cybersecurity Practices: New consensus practices and tools from HHS

The US Department of Health and Human Services (HHS) has produced a set of cybersecurity resources for healthcare provider organizations from small to large. So far, HHS has published four documents: an overview report of cybersecurity issues and practices, two technical volumes, and a toolkit. The documents focus on what an expert multistakeholder consensus group determined to be the five most prevalent cybersecurity threats and the ten core cybersecurity practices. The practices are voluntary, and utilize the NIST cybersecurity framework. The documentation is based in reality, not conjecture, and the documents are not intended to sell any particular products for any particular vendor. This has allowed for a rich and helpful documentation of current challenges along with solutions. See our overview of the four new resources.

Did I just sign a permission slip that lets an in-school dental clinic extract my child's teeth? Navigating student and school health privacy

A Baltimore mom was surprised and unhappy recently when her son came home from school missing three teeth. The source? A mobile dental clinic at a Baltimore city public school had extracted some of her son’s teeth that day. The mother didn’t realize it, but she had already consented to the dental work through signing a permission slip/release form.

The New Healthcare Fraud Continuum: Keynote

This coming Thursday, WPF Executive Director Pam Dixon will give a keynote speech on health privacy and security, "The New Healthcare Fraud Continuum." Based on her latest research in health privacy, this talk will be Dixon's first talk about the new fraud continuum, what it is, how it operates, what ...

WPF's comments to the FDA on cybersecurity, urges increased attention to privacy

The World Privacy Forum submitted comments to the Food and Drug Administration in response to its request for public input on its draft guidance on the cybersecurity of medical devices. The privacy considerations for medical devices is significant. Because there are a large number of stakeholders in the life cycle ...

WPF files comments on US government proposal on confidentiality of drug/alcohol patient records, urges revisions

The World Privacy Forum commented on an important proposal to make changes to the existing rules regarding the confidentiality of alcohol and drug abuse patient records. The proposal is from the Substance Abuse and Mental Health Services Administration (SAMHSA), part of the US Department of Health and Human Services. These ...

WPF files comments on new FERPA student health privacy guidance

The World Privacy Forum filed comments to the US Department of Education regarding its student health privacy guidance published August 18, 2015. The World Privacy Forum supports the DoE guidance, which clarifies how universities and colleges are to handle sensitive student medical records in cases of non-medical litigation. The guidance ...

Student Privacy 101: Health Privacy in Schools --What law applies?

Schools increasingly provide students with more health services. Health clinics, counselors on site, administration of drugs, and vaccinations are among the types of healthcare offered on school campuses ranging from kindergarten through graduate school. Given that schools may have sensitive health information, what law covers health record privacy for school records? The answer is important. It is also messy, because two laws can apply to this information. In some cases, no privacy law applies to the health records.

WPF Universal Periodic Review Comments -- The Right to Health Privacy: Human Rights and the Surveillance and Interception of Medical and Health Records by Security Agencies

The World Privacy Forum provided an intervention for the Civil Society Consultation on the Universal Periodic Review of the United States recommending that health information should only be disclosed for national security purposes pursuant to a judicial warrant, and that there must be procedures under which record keepers can challenge ...

Video: Correcting and amending medical records in an HIE

HIE stands for “Health Information Exchange.” We encourage all patients to request a copy of their medical records and check for errors, whether on paper or digital. If you have received a copy of your medical record from your doctor and you find mistakes or errors, it is a good idea to correct those files as soon as possible with that health care provider. It's also important to see if incorrect information has been circulated into a Health Information Exchange, and get it corrected there as well. See more ….

WPF Report -- Paying out of Pocket to Protect Health Privacy: A New but Complicated HIPAA Option; A Report on the HIPAA Right to Restrict Disclosure

This Jan. 30, 2014 report discusses a new right to restrict disclosure of health information under the updated HIPAA health privacy rule. The new provision called “Pay Out of Pocket,” also called the “Right to Restrict Disclosure” gives patients the right to request that their health care provider not report or disclose their information to their health plans when they pay for medical services in full. Navigating the new right will take effort and planning for patients to utilize effectively. This substance of this report is about the new patient right to restrict disclosure, and how patients can use it to protect health privacy.

Complete 2013 Update to WPF's Landmark Patient's Guide to HIPAA

San Diego, CA -- The World Privacy Forum is very pleased to announce the publication of a major undertaking, the complete update and revision to our landmark Patient's Guide to HIPAA. The new guide reflects the changes in HIPAA that took effect September 23, 2013. The Patient's Guide to HIPAA is a landmark publication because it is the first and to our knowledge -- only complete guide written expressly for patients. It offers a roadmap through the thicket of dense health privacy laws and rules that many patients have questions about. The purpose of this guide is to help patients understand how to make health privacy laws work to protect their privacy. Longtime World Privacy Forum contributor Bob Gellman is primary author of the Guide, including the new version. Begin exploring the update at the HIPAA Guide Home: https://www.worldprivacyforum.org/2013/09/hipaaguidehome/ .

World Privacy Forum: California, Don’t Weaken Californian’s Health Privacy Laws

July 21, 2012 San Diego, California -- Today the World Privacy Forum filed comments on California's plan to harmonize existing California state law to federal health privacy laws. California's health privacy law, the CMIA, offers Californian's stronger privacy protections than national level health privacy laws. WPF urges California to reconsider its plan to weaken Californian's privacy. Executive director Pam Dixon said "The harmonization plan coming out of California's Department of Health and Human Services is not in harmony with California patients and their health privacy."

US Department of Health and Human Services fines Arizona provider $100,000 for HIPAA violations

In a rare enforcement action of HIPAA, HHS fined an Arizona health care provider $100,000 for a variety of HIPAA violations, especially regarding electronic exchanges of protected health information. The HHS document outlining the reasons for the fine should act as a wake-up call to health care providers using public email, calendaring, and other tools for communication of ePHI. HHS specifically noted that the fined health care provider did not conduct an adequate risk assessment prior to using the email and Internet tools. The full HHS document is a must-read for health care providers. WPF has been warning about the need for full e-risk assessments since 2005 and strongly advocates for medical-identity-theft-specific risk assessments.

WPF urges HHS to do more to protect the privacy of people who are medical research subjects

Common Rule | Health Privacy -- The World Privacy Forum filed extensive comments with the US Department of Health and Human Services about its proposed changes regarding the rules governing human subject medical research. In the comments, WPF noted that the HHS approach to privacy for research subjects was incomplete and did not use all Fair Information Practices. WPF strongly urged HHS to revise its proposal on a number of issues, including consent and the use of biospecimens in research. The World Privacy Forum is urging HHS to acknowledge that the realm of health data that is truly non-identifiable has shrunken remarkably, for example, biospecimens with DNA cannot be considered non-identifiable anymore. "In our comments, we are requesting that HHS give individuals the opportunity to make choices about the use of their own health data and specimens," said Executive director Pam Dixon. WPF also stated in its comments that "A central database with identifiable information about participants in human subjects research is a terrible idea." (See p. 21 of WPF comments.)

WPF files substantive comments on HIPAA

Medical privacy and HIPAA -- The World Privacy Forum today filed its comments on the proposed changes to the HIPAA privacy rule, supporting some proposed changes and suggesting additional changes to enhance patient choice. In particular, the WPF supports the new patient right to an access report that has been added (p. 4), and has requested that Health Information Exchanges also be required to provide accountings of disclosures to patients (p. 18). The WPF generally argued that HHS needs to look forward and allow changes in information technology to fully benefit patients by providing the facility for more accounting rather than less (pp. 2-3) . If the HIPAA rule gives patients a greater ability to monitor how their information is used and disclosed, patients will pay attention and requests for accounting of disclosures will become more common.

Public Comments: August 2011 - Proposed changes to the HIPAA Privacy Rule regarding Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act

The World Privacy Forum today filed its comments on the proposed changes to the HIPAA privacy rule, supporting some proposed changes and suggesting additional changes to enhance patient choice. In particular, the WPF supports the new patient right to an access report that has been added (p. 4), and has requested that Health Information Exchanges also be required to provide accountings of disclosures to patients (p. 18). The WPF generally argued that HHS needs to look forward and allow changes in information technology to fully benefit patients by providing the facility for more accounting rather than less (pp. 2-3). If the HIPAA rule gives patients a greater ability to monitor how their information is used and disclosed, patients will pay attention and requests for accounting of disclosures will become more common.

HIPAA Countdown

HIPAA opened for comment -- The US Department of Health and Human Services has opened sections of the HIPAA rule for comments. All members of the public may comment on the proposed changes to the rule. Comments are due by August 1.

WPF comments about Personal Health Records and online advertising

Health privacy -- The World Privacy Forum filed comments today about how medical records and other health information is intersecting with online advertising and online activities. The WPF comments were filed with the Department of Health and Human Services in response to its request for comments on personal health records, privacy, and social media.

Public Comments: September 2010 - Joint comments on the Proposed Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH

In our view, the Department’s proposed changes to HIPAA regarding marketing are contrary to the law. Current law requires that paid communications for any marketing should be allowed only on an opt-in basis. We oppose the Department’s proposed regulation that would allow communications paid for by third parties who are not the entities whose product or service is being described in the communication.

WPF files two sets of key comments on HIPAA privacy rule

Health privacy and HIPAA -- The World Privacy Forum filed two sets of detailed regulatory comments on recently proposed changes to HIPAA. The first comments focused on proposed changes to HIPAA in the area of marketing patient information. The proposed changes would be harmful to patient privacy, and are contrary to the law. WPF was joined in the marketing comments by the Center for Digital Democracy, Consumer Action, Consumer Federation of America, the Electronic Frontier Foundation, Privacy Activism, Privacy Rights Clearinghouse, and Privacy Times. The second set of comments WPF filed included the comments on marketing as well as on additional provisions that would be problematic if enacted.

Public Comments: August 2010 - WPF files comments on deeply flawed SEC plan

The World Privacy Forum filed comments today criticizing the SEC proposed regulations that would release an unprecedented amount of financial details about individual borrowers through the EDGAR database. The WPF was joined by other privacy, consumer, and human rights organizations in its comments, which focused on the privacy issues with the proposed regulations. Pam Dixon, executive director of the WPF, stated in the comments that the SEC's new regulations would "Place on the public record and online the largest amount of personal financial information about borrowers ever disclosed, including information never before made public." The comments also note that the SEC's plan greatly increases the risk of identity theft for individual borrowers whose information will be released publicly.