HIPAA

World Privacy Forum requests that the new National Disaster Medical System protect all patient information to standards at least equal to HIPAA

National Disaster Medical System | Privacy Act of 1974 -- The World Privacy Forum has filed public comments with the Department of Health and Human Services requesting that its new National Disaster Medical System protect all patient information to at least the baseline protections that HIPAA affords, including the HIPAA security and privacy protections. Currently, the new system does not do this, even though the system is housed at HHS, the agency which promulgated the HIPAA standards. The National Disaster Medical System currently contains overbroad routine uses which could potentially result in significant privacy and even public health issues. For example, public health information will not be able to be disclosed under the National Disaster Medical System as the system is currently organized. Additionally, some of the current routine uses in the system would authorize disclosures that would be illegal under HIPAA. For example, Congressional disclosure of a HIPAA record requires a written authorization, something the new system does not require.

Public Comments: July 2007 - WPF requests that the new National Disaster Medical System protect all patient information to standards at least equal to HIPAA

The World Privacy Forum has filed public comments with the Department of Health and Human Services requesting that its new National Disaster Medical System protect all patient information to at least the baseline protections that HIPAA affords, including the HIPAA security and privacy protections. Currently, the new system does not do this, even though the system is housed at HHS, the agency which promulgated the HIPAA standards. The National Disaster Medical System currently contains overbroad routine uses which could potentially result in significant privacy and even public health issues. For example, public health information will not be able to be disclosed under the National Disaster Medical System as the system is currently organized. Additionally, some of the current routine uses in the system would authorize disclosures that would be illegal under HIPAA. For example, Congressional disclosure of a HIPAA record requires a written authorization, something the new system does not require.

The FDA needs to set privacy standards to protect patients in drug risk programs

FDA privacy standards - RiskMAPs - World Privacy Forum executive director Pam Dixon testified at an FDA/AHRQ joint public workshop about the need for the FDA to set robust privacy standards for drug risk minimization programs, which are put in place for drugs the FDA has determined to be high risk in some way. Drug risk minimization programs (like the iPledge program for the acne drug Accutane) are not typically covered by HIPAA, and some programs have a privacy policy that allows marketing use of patient information collected as part of the risk program. This kind of marketing activity would not be allowable if the programs fell under HIPAA, and Dixon's testimony stated that patients in these programs should have the same kinds of privacy protections as HIPAA covered programs, and that marketing activities involving patient information should not be allowable in these programs.

World Privacy Forum testifies on genetic privacy and consumer data marketing issues

Genetic privacy | SACGHS -- The World Privacy Forum gave testimony to the Secretary's Advisory Committee on Genetics Health and Society regarding privacy issues stemming from direct-to-consumer advertising and consumer-initiated genetic testing. The World Privacy Forum noted that a great deal of consumer health data circulates outside the protections of HIPAA, and a substantial market for this kind of consumer health data already exists. Genetic data about consumers that is acquired outside the clinical context and is not subject to the protections of HIPAA (for example, through consumer-initiated genetic testing) will likely not be any more protected than other forms of consumers' health-related information from the current demands of the market. However, the consequences of leakage of genetic information about consumers into the marketing stream could have potentially negative consequences for both those consumers and their blood relatives. The World Privacy Forum urged the committee to include specific recommendations about privacy in its upcoming report to the Secretary, and also urged the committee to work with other federal agencies to set up a pre-market oversight structure that includes significant and meaningful privacy protections for genetic testing occurring outside of the protections of HIPAA.

World Privacy Forum Requests That CMS Bring Its Medicare Part D Data Activities Under HIPAA and Require Certificates of Confidentiality to Protect Patient Privacy

Medical privacy | Medicare Part D -- In comments filed with the Centers for Medicare and Medicaid Services, the World Privacy Forum requested that CMS give effect to data restrictions that Congress has expressly included in the law. WPF also requested that CMS include in its standard agreements for use of CMS data a requirement that the recipient obtain a certification of confidentiality for all identifiable CMS data. WPF also requested that CMS perform a regulatory impact analysis and publish a system of records notice.

World Privacy Forum Comments on Privacy Issues Relating to a Nationwide Genetic Research Project

Genetic privacy -- The collection of DNA material from 500,000 to 1,000,000 or more individuals as part of a large U.S. medical research project raises many challenging ethical, legal, and privacy issues. An advisory committee reporting to the Office of the Secretary of Health and Human Services ( the Secretary's Advisory Committee on Genetics, Health and Society) has published a detailed analysis of the issues such a project and its associated databases and biobanks would raise in a draft report. The committee's final report and policy recommendations will be submitted to the Secretary of HHS. The World Privacy Forum has submitted public comments on the draft; the comments include key policy recommendations. The Forum's recommendations include the need to provide protection from compelled disclosure of information, the necessity for a full-time project privacy officer with enforcement power, the need to address identifiability issues, and the need for a far-reaching and robust privacy policy that exceeds the requirements of HIPAA, among other recommendations.

Public Comments: June 2006 - Medicaid Program and State Children's Health Insurance Program Systems Notice

The World Privacy Forum submitted comments to the Centers for Medicare & Medicaid Services requesting that it amend a Systems of Records Notice to address an oversight and address other privacy issues. The Forum requested that CMS add a reference in the system notice to Executive Order 13181 of December 20, 2000, “To Protect the Privacy of Protected Health Information in Oversight Investigations.” The Forum also requested that the routine uses be revised to reflect the HIPAA requirements as appropriate when the disclosures involve HIPAA records.

Public Comments: November 2005 - WPF Files Comments About Proposed Changes to HIPAA

Five groups joined the World Privacy Forum in asking for changes to be made to a proposed rule on how medical healthcare claims attachments are handled electronically. The World Privacy Forum and the EFF, EPIC, Privacy Rights Clearinghouse, Privacy Activism and U.S. Public Interest Research Group (U.S. PIRG) asked that physicians be given more control over what parts of health records they send electronically to insurance companies, that psychotherapy notes not be included when sending health records for insurance payment, and that the HIPAA Privacy Rule be rigorously applied to scanned health records.

Public Comments: November 2005 - HHS about Regulatory Reform/ HIPAA

The World Privacy Forum filed comments with Health and Human Services asking the agency to protect patient choice and privacy. The World Privacy Forum asked that patients continue to be able to receive accounting of disclosures under HIPAA, and asked that this important patient right under HIPAA not be removed or weakened. The World Privacy Forum also asked HHS to review how patients' records can be amended under HIPAA, and recommended that in light of the coming National Health Information Network, that changes to enhance patient choice may be needed in this area.

World Privacy Forum Testifies on Electronic Health Records and Privacy

Medical privacy -- The World Privacy Forum testified before the National Committee on Vital Health Statistics in August regarding the importance of patient choice in the area of Electronic Health Records. The testimony stressed the importance of building security, patient privacy, and choice into EHRs and any form of the proposed National Health Information Network (NHIN).

Testimony of Pam Dixon, before the National Committee on Vital and Health Statistics (NCVHS) Subcommittee on Privacy and Confidentiality

The World Privacy Forum has been particularly interested in developments related to EHRs and the NHIN. Given the impetus of the 2004 Executive Order [1] mandating forward movement in these areas, and the broad impact digitized medical records will potentially have on patients and on the healthcare sector, the World Privacy Forum believes that the decisions this Committee and others shaping these efforts arrive at will be of lasting importance. Given the transition of many parts of our society from analog to digital, it is crucial to ask what this digitization will look like and to carefully examine and discuss what form EHRs and related systems should take in regards to patient choice, privacy, and security.