Public Policy

The National Health Information Network (NHIN) is an ambitious modernization plan proposed by the U.S. government. The idea is to move as an entire nation from paper medical files to electronic medical files that are shared. Specifically, the government goal is to digitize patients’ health records and medical files and create a national network to place the information in. The network, called the NHIN, would be a sophisticated network that hospitals, insurers, doctors, and others could potentially access. Such a network brings patient privacy, security, and confidentiality issues into sharp relief.

School privacy | FERPA — In May 2008 the World Privacy Forum submitted detailed comments on proposed changes to the Family Educational Rights and Privacy Act regulations (FERPA). The FERPA regulations are the rules that control how schools treat and release student information. The final FERPA regulations have now been published and reveal that the World Privacy Forum comments had a positive impact. The new regulations agreed with WPF’s comment that if a school requests a Federal tax return from a parent, that the parent has the right to redact all financial information from the form, and affirmed that the school does not have a requirement to ask for the tax form in the first place. The regulations also agreed with the WPF comment that the risk of re-identification of published student information is cumulative, and made recommendations that educational institutions take into account all releases of student information it has made, not just new releases.

Human Subjects Research Protection (OHRP) — The World Privacy Forum filed comments with the Office of Human Research Protection urging the office to do more to protect the privacy of people who are subjects of research. The comments urge the OHRP to focus more attention on providing privacy-specific training for boards overseeing research, which are often weak in knowledge about the breadth of privacy issues in research. The WPF also voiced its strong support for certificates of confidentiality for research involving human subjects, stating that “nearly all research that involves identifiable health data or other personal data about individuals should have a certificate of confidentiality unless a researcher can state a substantive reason why a certificate is not appropriate for the study.”

The World Privacy Forum filed comments regarding DHS’s proposed Border Crossing Information system of records, finding that many of the Routine Uses proposed for the system were impermissible and illegal under the Privacy Act of 1974. The comments focus on the Routine Uses, rather than the system itself.

FERPA comments: WPF is concerned about the U.S. Department of Education’s proposed changes to its FERPA regulations, FERPA standing for the Family Educational Rights and Privacy Act. FERPA is a significant regulation that controls how students’ school records and “directory” information may be shared. The proposed regulations have one item the WPF is supporting, which is that SSNs are not considered part of the directory information. However, other aspects of the proposed regulation still need work to adequately protect students’ and parents’ privacy interests. The WPF commented in particular that schools should not be allowed to request and then store a full tax refund from parents in order to prove students’ eligibility. The Forum also requested that students’ electronic identifiers are not included in the definition of directory information. One area of substantial concern is that the Department of Education has not expressly provided that students who opt-out of having their directory information shared should not be penalized for opting out. Currently, the proposed regulations may be read to suggest that schools may be able to deny benefits, services, or even required activities to students who have exercised the right to opt-out of the publication of directory information..