WPF provided detailed comments to the US Department of Health and Human Services regarding its proposal for changes to HIPAA regarding modifications to the Privacy Rule. Specifically, HHS proposed modifications to standards for the privacy of individually identifiable health information. WPF supports many of the changes proposed in the NPRM.
WPF is urging the National Institutes of Health to do more to properly advise the research community and to protect data subjects in its draft guidance on data management and sharing. WPF is asking for changes to the NIH guidance because in the US, much health research data in the hands of researchers is not subject to the privacy or security rules in HIPAA.
The World Privacy Forum submitted comments to the Food and Drug Administration in response to its request for public input on its draft guidance on the cybersecurity of medical devices. The privacy considerations for medical devices is significant. Because there are a large number of stakeholders in the life cycle ...
This video is part 8 of a 14-part video series on health privacy and health information exchanges Video: I just read the privacy policy at the doctor's office, and it said that I would have to opt out of an HIE. What does that mean exactly? Opt in and opt ...
The World Privacy Forum will be speaking about medical and health privacy rights in the Universal Periodic Review as part of the Civil Society Consultation for the United States. The UPR is an important cyclical process run under the auspices of the UN Human Rights Council. The last UPR was ...
WPF's new interactive map identifies Health Information Exchanges in California. A Health Information Exchange, or HIE, is technology that enables the electronic movement of health-related information among health care providers and others. HIEs are an increasingly popular way for hospitals, pharmacies, labs, and emergency room physicians to share patient information. HIEs can exchange records across one hospital, across multiple hospitals in a region, or across a whole state. If your health information is being shared through an HIE, your lab test results, medications, medical history, or other clinical information related to your health care may be included in the sharing. See more about HIEs and our California HIE Map here.
July 15, 2013 New Consumer Tipsheets, FAQ, and Glossary about Health Information Exchanges Patients have a new resource that simplifies the clutter and confusion around Health Information Exchanges. WPF has published a new HIE Tipsheet and FAQ. These resources are written for consumers, and delivers bite-sized, digestible information about the ...
Data breach -- The state of California issues a first-ever statewide data breach report. In 2012, 2.5 million Californians had their data breached. Of those breached, the study found that The report found that "1.4 million Californians would have been protected if companies had encrypted data when moving or sending the data out of the company’s network."
Arizona School of Law -- Pam Dixon participated as a discussant and contributor to the Arizona School of Law's private workshop on the topic of the future of privacy. Key areas of discussion included the European Union's Right to be Forgotten proposal, consent and health privacy, and Do Not Track.
July 21, 2012 San Diego, California -- Today the World Privacy Forum filed comments on California's plan to harmonize existing California state law to federal health privacy laws. California's health privacy law, the CMIA, offers Californian's stronger privacy protections than national level health privacy laws. WPF urges California to reconsider its plan to weaken Californian's privacy. Executive director Pam Dixon said "The harmonization plan coming out of California's Department of Health and Human Services is not in harmony with California patients and their health privacy."
HIE interactive map -- WPF has posted a new interactive map of health information organizations and exchanges in California. This is a map-in-progress, and we will be adding data to the map in stages.
World Privacy Forum information and materials on medical identity theft.
World Privacy Forum information and materials on medical privacy topics.
Consumers can learn about Medical Identity Theft, what how to avoid it, and what actions to take if you are a victim.
In a rare enforcement action of HIPAA, HHS fined an Arizona health care provider $100,000 for a variety of HIPAA violations, especially regarding electronic exchanges of protected health information. The HHS document outlining the reasons for the fine should act as a wake-up call to health care providers using public email, calendaring, and other tools for communication of ePHI. HHS specifically noted that the fined health care provider did not conduct an adequate risk assessment prior to using the email and Internet tools. The full HHS document is a must-read for health care providers. WPF has been warning about the need for full e-risk assessments since 2005 and strongly advocates for medical-identity-theft-specific risk assessments.
In our view, the Department’s proposed changes to HIPAA regarding marketing are contrary to the law. Current law requires that paid communications for any marketing should be allowed only on an opt-in basis. We oppose the Department’s proposed regulation that would allow communications paid for by third parties who are not the entities whose product or service is being described in the communication.
The World Privacy Forum filed comments with the US Department of Health and Human Services today in response to its Request for Information about possible changes to the HIPAA health privacy rule. WPF strongly supported patients' current right to request a history of disclosures of their medical files, and requested an expansion of this right. WPF noted in its comments to HHS that "An individual cannot fully protect his/her privacy interest in a health record (and most other records) unless he/she has a right of access to the record, the right to propose a correction, and the right to see who has used the record and to whom it has been disclosed. Each of these elements is essential."
Health privacy and HIPAA -- The World Privacy Forum filed comments with the US Department of Health and Human Services today in response to its Request for Information about possible changes to the HIPAA health privacy rule. WPF strongly supported patients' current right to request a history of disclosures of their medical files, and requested an expansion of this right. WPF noted in its comments to HHS that "An individual cannot fully protect his/her privacy interest in a health record (and most other records) unless he/she has a right of access to the record, the right to propose a correction, and the right to see who has used the record and to whom it has been disclosed. Each of these elements is essential."
Data Breach | HHS HITECH Breach Notification -- The World Privacy Forum filed comments on the HHS data breach rulemaking and asked for substantive changes in several areas. In particular, WPF asked HHS to expressly state a requirement for a breach risk assessment in the final rule itself, and to set a requirement that the risk assessment must be conducted by an independent organization. The WPF also asked that HHS set breach risk assessment standards so that there is some uniformity and guidance as to what constitutes an appropriately rigorous risk assessment when a breach occurs. In the comments, WPF also discussed the relationship between medical identity theft and medical data breach and how this impacts patients and consumers.
Public comments re: health data breaches -- The World Privacy Forum filed comments with the Department of Health and Human Services today regarding the HITECH Act guidance that HHS published along with a request for comments. The Forum urged the Department to tighten its proposed guidance, and to add more protections, oversight, and rules for "limited data set" breaches.
New Health Privacy Resource -- The Patient's Guide to HIPAA is the first comprehensive guide to medical privacy written expressly for patients with a practical eye as to how to use the law to protect privacy. It is a major privacy resource for patients, written directly and without legalese. The ...
“This guide is not just a retread of what HIPAA is and does,” said Pam Dixon, executive director of the World Privacy Forum. “Our guide gives patients practical details and strategies on how they can use the law to protect their privacy and navigate the medical system. Best of all, it is easy to use.”
PHRs have been promoted in recent years as being an empowering panacea of benefits for consumers, but there has been little meaningful discussion of the complex and serious privacy issues PHRs can raise. For example, very few consumers know that not all PHRs are protected by HIPAA, the federal privacy rule that applies to medical files held at, for example, hospitals.
New publication | PHRs and privacy -- The World Privacy Forum has published a new legal and policy analysis examining Personal Health Records -- or PHRs -- and the privacy issues associated with them. This analysis, Personal Health Records: Why Many PHRs Threaten Privacy, was prepared by Robert Gellman for the World Privacy Forum. The analysis finds that significant, serious threats to privacy exist in some PHRs.
Version 1: October 16, 2007 The World Privacy Forum, as part of its ongoing in-depth research into medical identity theft issues and responses, has outlined 8 best-practice responses to the crime by the health care sector. These best practices are based on interviews with victims, providers, and other stakeholders. These ...
