Uncategorized

Public Comments: August 2007 - iPledge Program / FDA ..... World Privacy Forum testifies at FDA advisory committee hearing on the iPledge program; requests attention to privacy issues

Our principal concern with iPledge is that the FDA has failed to set privacy standards for the iPledge program [2] or for similar programs that mandate patient tracking. As a result, the iPledge registry has privacy shortcomings that may potentially impact the individuals who take Accutane or Isotretinoin generics.

World Privacy Forum requests that the new National Disaster Medical System protect all patient information to standards at least equal to HIPAA

National Disaster Medical System | Privacy Act of 1974 -- The World Privacy Forum has filed public comments with the Department of Health and Human Services requesting that its new National Disaster Medical System protect all patient information to at least the baseline protections that HIPAA affords, including the HIPAA security and privacy protections. Currently, the new system does not do this, even though the system is housed at HHS, the agency which promulgated the HIPAA standards. The National Disaster Medical System currently contains overbroad routine uses which could potentially result in significant privacy and even public health issues. For example, public health information will not be able to be disclosed under the National Disaster Medical System as the system is currently organized. Additionally, some of the current routine uses in the system would authorize disclosures that would be illegal under HIPAA. For example, Congressional disclosure of a HIPAA record requires a written authorization, something the new system does not require.

World Privacy Forum's Top Ten Opt Out List

Top ten opt out list -- This is a list of what top things to opt out of, and how to opt out. Millions of people have heard about the Do Not Call list, an opt out list that gets people off of telemarketing lists. But many fewer people have heard about the other opt outs that are available, like those that can take people out of data broker lists or opt outs that can stop schools from giving out directory information like email and home addresses. Opting out can range from the not-too-difficult (the Do Not Call list is a fairly simple opt out) to the challenging. This list is meant to simplify the information about which opt out does what, to help decide if a particular opt out is the right choice, and how to go about opting out.

How to place a security freeze (credit freeze)

Security freeze | identity theft | financial privacy -- A credit freeze (sometimes called a security freeze) lets you stop the disclosure of your credit report by a credit bureau. A credit freeze can be especially helpful to individuals who are having persistent problems with identity theft. If you live in a state with a security freeze law, then you may be able to place a security freeze on your files. This World Privacy Forum resource gives general background on security freezes, lists the states with security freeze laws, and links to more information for each state.

The FDA needs to set privacy standards to protect patients in drug risk programs

FDA privacy standards - RiskMAPs - World Privacy Forum executive director Pam Dixon testified at an FDA/AHRQ joint public workshop about the need for the FDA to set robust privacy standards for drug risk minimization programs, which are put in place for drugs the FDA has determined to be high risk in some way. Drug risk minimization programs (like the iPledge program for the acne drug Accutane) are not typically covered by HIPAA, and some programs have a privacy policy that allows marketing use of patient information collected as part of the risk program. This kind of marketing activity would not be allowable if the programs fell under HIPAA, and Dixon's testimony stated that patients in these programs should have the same kinds of privacy protections as HIPAA covered programs, and that marketing activities involving patient information should not be allowable in these programs.

World Privacy Forum makes presentation at National Academy of Sciences' Institute of Medicine

Genetic privacy -- Executive director Pam Dixon presented key issues and potential solutions regarding privacy and Genome Wide Association Studies at the Institute of Medicine's Board on Health Sciences Policy meeting. Her presentation included recommendations to engage in a comprehensive study of certificates of confidentiality, to encourage standards of identifiability, to encourage study of what more uniform standards of privacy and security for researchers might look like, and a recommendation to work toward broad solutions that extend beyond GWAS activities.

World Privacy Forum Comments on AHIC Confidentiality, Privacy, Security Workgroup Hypothesis

AHIC - National Health Information Network -- The American Health Information Community Workgroup on Confidentiality, Privacy and Security requested public feedback regarding its working hypothesis. WPF responded to the request with public comments encouraging the adoption of a unified policy architecture and encouraging AHIC to focus on enforcement mechanisms that are intended to directly benefit consumers. WPF also encouraged AHIC to look comprehensively at the demands a new national electronic health exchange network will make on privacy in the health care sector.

World Privacy Forum files public comments and recommendations on pharmacogenomics privacy: all patient-specific PGx research should require certificates of confidentiality

information will expand greatly in the future. In public comments filed with the National Institutes of Health on pharmacogenomics (PGx) research, or research using genetic information to create highly personalized medicine, the World Privacy Forum recommended that all research activities that involve any type of patient-specific genetic information be required to have certificates of confidentiality, whether that information appears identifiable or not. The WPF also urged the NIH to require strong data use agreements to protect individuals' privacy. The WPF also urged NIH and the Department of Health and Human Services to reinstate the position of "privacy advocate" so as to provide oversight in this area.

World Privacy Forum and Electronic Frontier Foundation File Public Comments on REAL ID

REAL ID | National ID -- The World Privacy Forum and the Electronic Frontier Foundation (EFF) filed joint comments with the Department of Homeland Security about the proposed national ID system, REAL ID. The comments discuss the substantial flaws in the proposed REAL ID system including concerns about the overall structure of the program, the cards, the databases attached to the cards, the lack of controls on "function creep," the possibilities for discrimination, the potential for increased risk of identity theft, issues related to potential gaps in coverage for recipients on Federal programs, among other issues.

Stop REAL ID

REAL ID -- REAL ID is a national ID card program. Currently, the Department of Homeland Security is accepting public comments on the REAL ID plan. Comments will be accepted until Tuesday, May 8. The World Privacy Forum has joined with a large coalition of groups to solicit public comments on REAL ID; to file comments, please visit the Speak Out Against REAL ID coalition page for more information. http://www.privacycoalition.org/stoprealid/

Launch of the WPF Discussion Forum: The Paradox of Consent, analysis by Bob Gellman

Discussion Forum: Consent and Privacy -- World Privacy Forum launches its Discussion Forum with an inaugural paper by Robert Gellman on the complexities of consent in the privacy sphere. Gellman's analysis focuses on the core privacy issues underlying "The Maine Incident," that is, Maine's historic 1998 passage of medical privacy legislation, and the subsequent repealing of key aspects of that legislation two weeks after it was enacted. Issues related to consent were key factors in the Maine events.

Update: World Privacy Forum's National Health Information Network Timeline

National Health Information Network -- Recently, the first live prototypes of the NHIN were demonstrated in Washington, D.C. This was a milestone event in the development of the planned network. The National Health Information Network is an ambitious project the U.S. government undertook in 2004 to digitize and network patient health records across the nation. This project raises challenging confidentiality, privacy, and security issues.

Genetic Privacy Page

Genetic privacy | medical privacy -- The World Privacy Forum has published a new page on genetic privacy outlining basic policy issues and collecting World Privacy Forum work in the area. The page also links to key external research being done in privacy and genetics, and also links to key organizations doing work in this area in the U.S. and the U.K.

Commercial drivers' license applicants requesting exemption from the diabetes standard have their personal medical information, name, age, and more published in the Federal Register; World Privacy Forum urges changes to the practice

Medical privacy | Department of Transportation -- The World Privacy Forum filed comments with the Department of Transportation today regarding the department's publicationof the detailed personal medical information of individuals subject to DOT regulations in the Federal Register along with their names, ages, and other identifying information. The WPF comments argue that personal medical information combined with name, age, etc. does not belong in the Federal Register, where it can have potentially far-reaching consequences for those individuals who are named as well as their family members. The comment period closes April 2.

World Privacy Forum testifies on genetic privacy and consumer data marketing issues

Genetic privacy | SACGHS -- The World Privacy Forum gave testimony to the Secretary's Advisory Committee on Genetics Health and Society regarding privacy issues stemming from direct-to-consumer advertising and consumer-initiated genetic testing. The World Privacy Forum noted that a great deal of consumer health data circulates outside the protections of HIPAA, and a substantial market for this kind of consumer health data already exists. Genetic data about consumers that is acquired outside the clinical context and is not subject to the protections of HIPAA (for example, through consumer-initiated genetic testing) will likely not be any more protected than other forms of consumers' health-related information from the current demands of the market. However, the consequences of leakage of genetic information about consumers into the marketing stream could have potentially negative consequences for both those consumers and their blood relatives. The World Privacy Forum urged the committee to include specific recommendations about privacy in its upcoming report to the Secretary, and also urged the committee to work with other federal agencies to set up a pre-market oversight structure that includes significant and meaningful privacy protections for genetic testing occurring outside of the protections of HIPAA.

World Privacy Forum comments about the ethical, legal, and social implications of using genetic health care data in electronic health records

Genetic Privacy -- The World Privacy Forum filed public comments with the Department of Health and Human services in response to an HHS request for information regarding the use of patients' genetic data for research, health care, and for use in electronic health records. The World Privacy Forum is requesting that HHS use all Fair Information Principles in any personalized health care projects, and is requesting that a formal ELSI (ethical, legal, and social implications) committee be set up to oversee any projects, among other requests.

President's Identity Theft Task Force: World Privacy Forum requests that medical identity theft be added to task force agenda

Identity Theft -- The World Privacy Forum filed comments and recommendations with the President's Identity Theft Task Force. The task force's draft report and recommendations did not include or contemplate medical identity theft solutions for victims; the WPF has requested and recommended that this be corrected. Medical identity theft victims need more help, more recourse, and agency attention.

Public Comments: January 2006 - President's Identity Theft Task Force: World Privacy Forum requests that medical identity theft be added to task force agenda

The World Privacy Forum filed comments and recommendations with the President's Identity Theft Task Force. The task force's draft report and recommendations did not include or contemplate medical identity theft solutions for victims; the WPF has requested and recommended that this be corrected. Medical identity theft victims need more help, more recourse, and agency attention.

WPF comments on proposed guidance on Confidential Information Protection and Efficiency Act of 2002 (CIPSEA)

e-Government /CIPSEA -- The World Privacy Forum submitted comments to the Office of Management and Budget regarding proposed guidance on Title V of the e-Government Act. The proposed guidance did not address the relationship between CIPSEA and the USA PATRIOT Act Section 215, and guidance regarding identifiability and the Privacy Act of 1974 needs to be further refined. WPF suggests that OMB consider developing a formal statistical confidentiality seal controlled by a federal agency. The purpose would be to provide an identifiable marker that would tell individuals if the information they provide will receive the highest degree of confidentiality protection available under law.

World Privacy Forum Requests That CMS Bring Its Medicare Part D Data Activities Under HIPAA and Require Certificates of Confidentiality to Protect Patient Privacy

Medical privacy | Medicare Part D -- In comments filed with the Centers for Medicare and Medicaid Services, the World Privacy Forum requested that CMS give effect to data restrictions that Congress has expressly included in the law. WPF also requested that CMS include in its standard agreements for use of CMS data a requirement that the recipient obtain a certification of confidentiality for all identifiable CMS data. WPF also requested that CMS perform a regulatory impact analysis and publish a system of records notice.

Identity Theft Victims of Choicepoint Data Breach May Now File Reimbursement Claims

Identity theft | Consumer Alert -- The Federal Trade Commission has set up a new web site and phone number for identity theft victims of the Choicepoint data breach. The new site and phone number gives victims information on how to file claims for monetary reimbursement if out- of- pocket losses accrued as a result of the ID theft. A fund of $5 million is available to victims, the deadline for filing is February 4, 2007.

Department of Justice Proposes Making Changes to Routine Uses of its Systems and Databases; World Privacy Forum Files Comments on Problematic Privacy Act Issues with the Proposed Changes

Privacy Act of 1974 -- The Department of Justice published a notice proposing to update the Routine Uses of its systems and databases under the Privacy Act of 1974. The proposal was not precise enough, and was written in such a way as to allow sensitive Privacy Act systems such as the Criminal Division Witness Security File (CRM-002), the Witness Immunity Records (CRM-022), and the National Instant Criminal Background Check System (NICS, FBI-018) to be disclosed to almost anyone in certain circumstances, including to individuals working outside of law enforcement. The World Privacy Forum is requesting that the DOJ significantly tighten its language in the proposal, and to specify what individuals or entities may have access to these sensitive records, under what specific conditions. The World Privacy Forum is also requesting the DOJ republish all of its up-to-date system of records notices in their entirety immediately and at least every two years thereafter.

World Privacy Forum Comments on Proposed Policy for Genetic Database

Genetic privacy -- Genome-wide association studies present complex and challenging privacy issues. The National Institutes of Health, in a published request for information, asked for public comment on its proposed policy regarding its support and management of a central genomic repository for genome-wide association studies. In comments filed with the National Institutes of Health, the World Privacy Forum raised concerns about the proposed NIH policy in the specific areas of genetic identifiability, secondary uses of the genetic data, oversight, legal protections, and informed consent.

World Privacy Forum Files Comments on a Proposed DHS rulemaking; asks the Department to make a Commitment to Transparency and Accountability

Privacy Act of 1974 -- In response to a proposed Department of Homeland Security rulemaking regarding a system of records, the World Privacy Forum filed comments requesting changes. The primary objections are that the proposed system of records commingles records and functions, the proposed exemption is inconsistent with the system notice, and DHS's proposed exemption from civil remedies was not correct, among other issues. The World Privacy Forum stated in its comments that the Department of Homeland Security should demonstrate its commitment to accountability and transparency in the rulemaking.