The World Privacy Forum commented on an important proposal to make changes to the existing rules regarding the confidentiality of alcohol and drug abuse patient records. The proposal is from the Substance Abuse and Mental Health Services Administration (SAMHSA), part of the US Department of Health and Human Services. These ...
The Nuremberg Code, an extraordinary document around ethics and research on human subjects written after the research abuses that took place during World War II, is akin to a global Emancipation Proclamation for human research subjects. The Nuremberg Code's 10 principles remain a timeless rendering of thought on what should be in place prior to any entity conducting research on human subjects, and this code forms the philosophical foundation of a regulation in the US known as the Common Rule. We have written extensive comments on the US proposal that will update the Common Rule...
In our view, the Department’s proposed changes to HIPAA regarding marketing are contrary to the law. Current law requires that paid communications for any marketing should be allowed only on an opt-in basis. We oppose the Department’s proposed regulation that would allow communications paid for by third parties who are not the entities whose product or service is being described in the communication.
Health privacy and HIPAA -- The World Privacy Forum filed two sets of detailed regulatory comments on recently proposed changes to HIPAA. The first comments focused on proposed changes to HIPAA in the area of marketing patient information. The proposed changes would be harmful to patient privacy, and are contrary to the law. WPF was joined in the marketing comments by the Center for Digital Democracy, Consumer Action, Consumer Federation of America, the Electronic Frontier Foundation, Privacy Activism, Privacy Rights Clearinghouse, and Privacy Times. The second set of comments WPF filed included the comments on marketing as well as on additional provisions that would be problematic if enacted.
Financial privacy and SEC -- The World Privacy Forum filed comments today criticizing the SEC proposed regulations that would release an unprecedented amount of financial details about individual borrowers through the EDGAR database. The WPF was joined by other privacy, consumer, and human rights organizations in its comments, which focused on the privacy issues with the proposed regulations. Pam Dixon, executive director of the WPF, stated in the comments that the SEC's new regulations would "Place on the public record and online the largest amount of personal financial information about borrowers ever disclosed, including information never before made public." The comments also note that the SEC's plan greatly increases the risk of identity theft for individual borrowers whose information will be released publicly.
Genetic non-discrimination regulations (GINA) -- The World Privacy Forum filed comments on proposed regulations for implementing Title I of GINA, the Genetic Non-Discrimination Act. The WPF requested a change to the proposed regulations, asking the Department of Health and Human Services require immediate posting of revised notices of privacy practices on the web sites of affected health plans. Under the proposed regulations, written notice of revised privacy practices to individuals could be delayed due to the cost of postal mailing. The WPF noted that a revised privacy notice posted on a health plan's web site would not incur postal costs, and that regulated entities should take this minimum step to inform consumers of any changes regarding privacy practices affecting genetic non-discrimination.
Data Breach | HHS HITECH Breach Notification -- The World Privacy Forum filed comments on the HHS data breach rulemaking and asked for substantive changes in several areas. In particular, WPF asked HHS to expressly state a requirement for a breach risk assessment in the final rule itself, and to set a requirement that the risk assessment must be conducted by an independent organization. The WPF also asked that HHS set breach risk assessment standards so that there is some uniformity and guidance as to what constitutes an appropriately rigorous risk assessment when a breach occurs. In the comments, WPF also discussed the relationship between medical identity theft and medical data breach and how this impacts patients and consumers.
Genetic Privacy | GINA -- The World Privacy Forum filed comments on the proposed regulations on the Genetic Information NonDiscrimination Act, or GINA. The comments request that the Equal Opportunity Employment Commission close down several potential loopholes in consumer protection in the proposed regulations. The Forum specifically asked the EEOC to consider curtailing the amount of commercially available information employers could access about employees, for example, through marketing databases. WPF also requested that those covered under GINA be required to maintain audit trails in certain circumstances, and urged that wellness programs be structured in such a way so as to prevent information leakage through billing and other activities.
Patient Safety Organizations | Proposed rulemaking -- The World Privacy Forum filed extensive comments today regarding privacy protections for patients whose health care information will be shared with patient safety safety organizations under newly proposed Department of Health and Human Services regulations. After a landmark Institute of Medicine report on the prevalence of medical errors and their harmful impact on patients (To Err is Human), the U.S. Congress eventually passed the Patient Safety Act (2005). The Patient Safety Act allows extensive health care data of patients to go to patient safety organizations. The idea is to provide a form of quality control. The Agency for Heathcare Research and Quality (AHRQ), part of HHS, has published its proposed regulations implementing the Act. The World Privacy Forum has made 14 recommendations for substantive changes in the proposed rules to protect patient privacy. The World Privacy Forum asked the Agency to expressly mandate that all patient data be de-identified or anonymized to the greatest extent possible, that the proposed rule should expressly require data use agreements for any data sharing, that the patient information be labeled as subject to the Patient Safety Act, and strongly urged that patient safety organizations be required to maintain an accounting of disclosures at least equal to HIPAA, among other recommendations.
Financial privacy / credit reports -- The NCLC, Consumer's Union, and the World Privacy Forum filed extensive joint comments today regarding the proposed rulemaking, Procedures to Enhance the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies under Section 312 of the Fair and Accurate Credit Transactions Act. The results of the proposed rulemaking will have a significant impact on how the accuracy of credit reports is defined for consumers, and will have a substantive influence over how consumers may handle credit report disputes directly with those who furnish information for the reports.
Financial privacy | credit reports -- Consumers and organizations have an opportunity to submit public comments about the accuracy and integrity of credit reports. Until February 11, the Federal Reserve Board, the Federal Trade Commission and other banking agencies will be accepting comments on their draft rulemaking regarding how creditors and other furnishers provide information to consumer reporting agencies, and which types of direct disputes they must handle. This proposed rulemaking is a key one; it defines what accuracy and integrity of information provided to consumer reporting agencies means, how disputes may be handled directly with the furnishers, and which types of direct disputes furnishers may ignore. The NCLC, Consumer's Union, and the World Privacy Forum have written a sample letter that may be downloaded and used or modified for the comments. To file your letter, submit your comments to the Board of Governors of the Federal Reserve System by mailing the comments to regs.comments@federalreserve.gov with the subject line "Docket No. R–1300."
Medical privacy | HIPAA -- Five groups joined the World Privacy Forum in asking for changes to be made to a proposed rule on how medical healthcare claims attachments are handled electronically. The World Privacy Forum and the EFF, EPIC, Privacy Rights Clearinghouse, Privacy Activism and U.S. Public Interest Research Group (U.S. PIRG) asked that physicians be given more control over what parts of health records they send electronically to insurance companies, that psychotherapy notes not be included when sending health records for insurance payment, and that the HIPAA Privacy Rule be rigorously applied to scanned health records.
Extensive, joint comments with EFF and other groups regarding difficulties and issues with RFID in U.S. passports.