Public Comments

Public Comments: August 2007 - iPledge Program / FDA ..... World Privacy Forum testifies at FDA advisory committee hearing on the iPledge program; requests attention to privacy issues

Our principal concern with iPledge is that the FDA has failed to set privacy standards for the iPledge program [2] or for similar programs that mandate patient tracking. As a result, the iPledge registry has privacy shortcomings that may potentially impact the individuals who take Accutane or Isotretinoin generics.

Public Comments: July 2007 - WPF requests that the new National Disaster Medical System protect all patient information to standards at least equal to HIPAA

The World Privacy Forum has filed public comments with the Department of Health and Human Services requesting that its new National Disaster Medical System protect all patient information to at least the baseline protections that HIPAA affords, including the HIPAA security and privacy protections. Currently, the new system does not do this, even though the system is housed at HHS, the agency which promulgated the HIPAA standards. The National Disaster Medical System currently contains overbroad routine uses which could potentially result in significant privacy and even public health issues. For example, public health information will not be able to be disclosed under the National Disaster Medical System as the system is currently organized. Additionally, some of the current routine uses in the system would authorize disclosures that would be illegal under HIPAA. For example, Congressional disclosure of a HIPAA record requires a written authorization, something the new system does not require.

Public Comments: June 2007 - FDA/AHRQ Public Workshop, Implementation of Risk Minimization Action Plans to Support Quality Use of Pharmaceuticals: Opportunities and Challenges

The FDA has not paid attention to privacy standards that should be applied to RiskMAP programs. Unfortunately, this lack of FDA attention has resulted in inappropriate and unethical marketing to patients using patient information gathered for treatment purposes. If these marketing activities were being conducted by HIPAA-covered entities, the activities would be illegal. These activities may well be illegal in California, which has a strong state-level medical privacy law that goes beyond HIPAA.

Public Comments: June 2007 - To The American Health Information Community Confidentiality, Privacy, and Security (CPS) workgroup on its Working Hypothesis

The American Health Information Community Workgroup on Confidentiality, Privacy and Security requested public feedback regarding its working hypothesis. WPF responded to the request with public comments encouraging the adoption of a unified policy architecture and encouraging AHIC to focus on enforcement mechanisms that are intended to directly benefit consumers. WPF also encouraged AHIC to look comprehensively at the demands a new national electronic health exchange network will make on privacy in the health care sector.

Public Comments: May 2007 - NIH....World Privacy Forum files public comments and recommendations on pharmacogenomics privacy: all patient-specific PGx research should require certificates of confidentiality

The World Privacy Forum believes that the capability of identifying individuals from subsets of genetic information will expand greatly in the future. In public comments filed with the National Institutes of Health on pharmacogenomics (PGx) research, or research using genetic information to create highly personalized medicine, the World Privacy Forum recommended that all research activities that involve any type of patient-specific genetic information be required to have certificates of confidentiality, whether that information appears identifiable or not. The WPF also urged the NIH to require strong data use agreements to protect individuals' privacy. The WPF also urged NIH and the Department of Health and Human Services to reinstate the position of "privacy advocate" so as to provide oversight in this area. Read the comments (PDF). For more information, see the genetic section of the WPF Medical Privacy Page.

Public Comments: May 2007 - REAL ID .... Joint Comments .... World Privacy Forum and Electronic Frontier Foundation File Public Comments on REAL ID

The World Privacy Forum and the Electronic Frontier Foundation (EFF) filed joint comments with the Department of Homeland Security about the proposed national ID system, REAL ID. The comments discuss the substantial flaws in the proposed REAL ID system including concerns about the overall structure of the program, the cards, the databases attached to the cards, the lack of controls on "function creep," the possibilities for discrimination, the potential for increased risk of identity theft, issues related to potential gaps in coverage for recipients on Federal programs, among other issues. Read the comments (PDF). See the EFF REAL ID pages for background about REAL ID.

Public Comments: March 2007 Commercial drivers’ license applicants requesting exemption from the diabetes standard have their personal medical information, name, age, and more published in the Federal Register

The World Privacy Forum filed comments with the Department of Transportation today regarding the department's publication of the detailed personal medical information of individuals subject to DOT regulations in the Federal Register along with their names, ages, and other identifying information. The WPF comments argue that personal medical information combined with name, age, etc. does not belong in the Federal Register, where it can have potentially far-reaching consequences for those individuals who are named as well as their family members.

Public Comments: February 2007 - WPF comments about the ethical, legal, and social implications of using genetic health care data in electronic health records

The World Privacy Forum filed public comments with the Department of Health and Human services in response to an HHS request for information regarding the use of patients' genetic data for research, health care, and for use in electronic health records. The World Privacy Forum is requesting that HHS use all Fair Information Principles in any personalized health care projects, and is requesting that a formal ELSI (ethical, legal, and social implications) committee be set up to oversee any projects, among other requests.

Public Comments: January 2006 - President's Identity Theft Task Force: World Privacy Forum requests that medical identity theft be added to task force agenda

The World Privacy Forum filed comments and recommendations with the President's Identity Theft Task Force. The task force's draft report and recommendations did not include or contemplate medical identity theft solutions for victims; the WPF has requested and recommended that this be corrected. Medical identity theft victims need more help, more recourse, and agency attention.

Public Comments: December 2006 - Confidential Information Protection and Efficiency Act of 2002 (CIPSEA)

The World Privacy Forum submitted comments to the Office of Management and Budget regarding proposed guidance on Title V of the e-Government Act. The proposed guidance did not address the relationship between CIPSEA and the USA PATRIOT Act Section 215, and guidance regarding identifiability and the Privacy Act of 1974 needs to be further refined. WPF suggests that OMB consider developing a formal statistical confidentiality seal controlled by a federal agency. The purpose would be to provide an identifiable marker that would tell individuals if the information they provide will receive the highest degree of confidentiality protection available under law.

Public Comments: December 2006 - Medical privacy / Medicare Part D World Privacy Forum Requests That CMS Bring Its Medicare Part D Data Activities Under HIPAA and Require Certificates of Confidentiality to Protect Patient Privacy

In comments filed with the Centers for Medicare and Medicaid Services, the World Privacy Forum requested that CMS give effect to data restrictions that Congress has expressly included in the law. WPF also requested that CMS include in its standard agreements for use of CMS data a requirement that the recipient obtain a certification of confidentiality for all identifiable CMS data. WPF also requested that CMS perform a regulatory impact analysis and publish a system of records notice.

Public Comments: November 2006 - Privacy Act of 1974 Department of Justice Proposes Making Changes to Routine Uses of its Systems and Databases; World Privacy Forum Files Comments on Problematic Privacy Act Issues with the Proposed Changes

The Department of Justice published a notice proposing to update the Routine Uses of its systems and databases under the Privacy Act of 1974. The proposal was not precise enough, and was written in such a way as to allow sensitive Privacy Act systems such as the Criminal Division Witness Security File (CRM-002), the Witness Immunity Records (CRM-022), and the National Instant Criminal Background Check System (NICS, FBI-018) to be disclosed to almost anyone in certain circumstances, including to individuals working outside of law enforcement. The World Privacy Forum is requesting that the DOJ significantly tighten its language in the proposal, and to specify what individuals or entities may have access to these sensitive records, under what specific conditions. The World Privacy Forum is also requesting the DOJ republish all of its up-to-date system of records notices in their entirety immediately and at least every two years thereafter. Read the comments (PDF).

Public Comments: October 2006 Comments to National Institutes of Health regarding its Request for Information for Genome Wide Association Studies repository policy.

Genome-wide association studies present complex and challenging privacy issues. The National Institutes of Health, in a published request for information, asked for public comment on its proposed policy regarding its support and management of a central genomic repository for genome-wide association studies. In comments filed with the National Institutes of Health, the World Privacy Forum raised concerns about the proposed NIH policy in the specific areas of genetic identifiability, secondary uses of the genetic data, oversight, legal protections, and informed consent.

Comments: September 2006 - WPF Files Comments on a Proposed DHS rulemaking; asks the Department to make a Commitment to Transparency and Accountability

Privacy Act of 1974 In response to a proposed Department of Homeland Security rulemaking regarding a system of records, the World Privacy Forum filed comments requesting changes. The primary objections are that the proposed system of records commingles records and functions, the proposed exemption is inconsistent with the system notice, and DHS's proposed exemption from civil remedies was not correct, among other issues. The World Privacy Forum stated in its comments that the Department of Homeland Security should demonstrate its commitment to accountability and transparency in the rulemaking.

Public Comments: August 2006 - FTC Complaint About Search AOL Data Releases

Internet privacy -- The World Privacy Forum announced today that it would be filing a complaint with the Federal Trade Commission about the posting by AOL of a portion of its users’ search data on the Internet. While the data was not expressly identified by name, the search queries themselves included in some cases personally identifiable information such as individuals’ names, Social Security Numbers, and myriad other personal information. The World Privacy Forum urges consumers to take precautions when using search engines.

Public Comments: July 2006 - WPF comments on draft report "Policy Issues Associated with Undertaking a Large U.S. Population Cohort Project on Genes, Environment, and Disease.

The collection of DNA material from 500,000 to 1,000,000 or more individuals as part of a large U.S. medical research project raises many challenging ethical, legal, and privacy issues. An advisory committee reporting to the Office of the Secretary of Health and Human Services ( the Secretary's Advisory Committee on Genetics, Health and Society) has published a detailed analysis of the issues such a project would raise in a draft report. The committee's final report and policy recommendations will be submitted to the Secretary of HHS. The World Privacy Forum has submitted public comments on the draft report; the comments include key policy recommendations. The Forum's recommendations include the need to provide protection from compelled disclosure of information, the necessity for a full-time project privacy officer with enforcement power, and the need for a far-reaching and robust privacy policy that exceeds the requirements of HIPAA, among other recommendations.

Public Comments: June 2006 - Medicaid Program and State Children's Health Insurance Program Systems Notice

The World Privacy Forum submitted comments to the Centers for Medicare & Medicaid Services requesting that it amend a Systems of Records Notice to address an oversight and address other privacy issues. The Forum requested that CMS add a reference in the system notice to Executive Order 13181 of December 20, 2000, “To Protect the Privacy of Protected Health Information in Oversight Investigations.” The Forum also requested that the routine uses be revised to reflect the HIPAA requirements as appropriate when the disclosures involve HIPAA records.

Public Comments: May 2006 - US Civil Society Organizations (CSO)

EPIC filed comments with the Department of Commerce, which the World Privacy Forum joined. The Office of Technology and Electronic Commerce solicited comments on the development and implementation on “cross-border privacy rules” in the Asia PacificEconomic Cooperation Group (APEC). Seven groups submitted the comments on behalf of civil society organizations (CSO) in the United States concerned about privacy in order to urge the strengthening of privacy rules in the Asia Pacific Economic Cooperation Group.

Public Comments: March 2006 - IRS on Tax Information Sharing

The proposed changes to the regulations represent an important effort to increase taxpayers' awareness of what is done with their personal information. However, the updated regulations fail to adequately safeguard taxpayer privacy because they neglect to protect information once it is disclosed, allow consent that is less than voluntary, and carry penalties that are not harsh enough to ensure tax return preparers obey the law.

Public Comments: January 2006 - Identity theft survey

The World Privacy Forum submitted comments in response to the Federal Trade Commission's request for feedback on its upcoming identity theft survey. The FTC identity theft survey is one of the most quoted surveys on the subject. The World Privacy Forum requested changes and clarifications to the survey, including adding questions about security breach notices and clarifying existing questions about medical identity theft, among other issues.

Public Comments: November 2005 - WPF Files Comments About Proposed Changes to HIPAA

Five groups joined the World Privacy Forum in asking for changes to be made to a proposed rule on how medical healthcare claims attachments are handled electronically. The World Privacy Forum and the EFF, EPIC, Privacy Rights Clearinghouse, Privacy Activism and U.S. Public Interest Research Group (U.S. PIRG) asked that physicians be given more control over what parts of health records they send electronically to insurance companies, that psychotherapy notes not be included when sending health records for insurance payment, and that the HIPAA Privacy Rule be rigorously applied to scanned health records.

Public Comments: November 2005 - HHS about Regulatory Reform/ HIPAA

The World Privacy Forum filed comments with Health and Human Services asking the agency to protect patient choice and privacy. The World Privacy Forum asked that patients continue to be able to receive accounting of disclosures under HIPAA, and asked that this important patient right under HIPAA not be removed or weakened. The World Privacy Forum also asked HHS to review how patients' records can be amended under HIPAA, and recommended that in light of the coming National Health Information Network, that changes to enhance patient choice may be needed in this area.