U.S. Department of Health and Human Services

WPF advises FDA and HHS on informed consent guidance for medical research

The World Privacy Forum filed detailed comments regarding draft guidance on privacy and medical research to the U.S. Department of Health and Human Services and the U.S. Food and Drug Administration. The proposed guidance, Facilitating Understanding in Informed Consent, is related to consent for human subject research (medical research) and is particularly important. Currently, models of consent are in the process of going digital, which has created a number of challenging problems to solve. In the comments, WPF had several recommendations to improve consent and privacy.

WPF advises HHS on confidentiality of patient records re: alcohol and drug treatment records

The World Privacy Forum (WPF) submitted comments on an important Notice of Proposed Rulemaking that proposes modifications of the protection requirements for substance use disorder (SUD) treatment records. Currently, health records regarding treatment for Substance Use Disorders receive special protections under what is called Part 2 regulations, or, 42 ...

WPF advises Secretary's Advisory Committee on Human Research Protection regarding its proposed AI Framework

WPF recently reviewed and provided recommendations regarding a proposed AI Framework meant to apply to medical research involving human subjects. The issue of human subject research is a critically important one. In the US, the Common Rule (45 CFR subpart A) is a key regulation that protects people from unethical medical research. As research utilizing tools such as AI and SaMD -- software as a medical device -- grows in use, there is an urgent need to determine the proper ethical, legal, and regulatory framework for the use of these tools in the human subject research context. For this reason, WPF was pleased to review and provide recommendations to the Secretary's Advisory Committee on Human Research Protections, SACHRP, on its proposed AI Framework.

WPF urges HHS to clarify the harms of medical identity theft for victims

WPF has urged HHS to clarify the intersection between HIPAA compliance and harms resulting from medical identity theft in its response to the Request for Information from the Office of Civil Rights of the Department of Health and Human Services regarding implementation of the HITECH Act. WPF has a long history of work on the issue of medical identity theft, which has informed its response to HHS.

HHS makes significant changes to COVID-19 reporting process

The Department of Health and Human Services has announced major changes for hospitals' COVID-19 data reporting processes. HHS has also made changes to the types of data that hospitals must report, expanding the data collection. This includes new information requests for disaggregated information about adult and pediatric patients, to name a few of the changes. The reporting requirements do contain patient flows, but there are still unknown aspects to the new COVID-19 reporting requirements regarding individual-level data and certain privacy considerations.

May 19, 2020 WPF Statement regarding HHS Secretary's Section 1135 COVID-19 HIPAA Waiver

This statement discusses a 72-hour "statutory waiver" of 5 basic HIPAA rights (including the right to confidential communications). The waiver is triggered by the Secretary of HHS and applies for a 72-hour period beginning upon implementation of a hospital disaster protocol. This statement discusses this waiver, what it is, what it means, who is impacted, and our recommendations.

April 15, 2020 WPF Statement on the COVID-19 Community Based Testing Sites HIPAA Waiver

In response to the COVID-19 (coronavirus) pandemic, the U.S. Department of Health and Human Services announced a HIPAA waiver April 9, 2020 regarding Community Based Testing Sites, which waives enforcement of all HIPAA privacy and security protections and data breach rules from some health care activities affecting COVID-19 testing. This statement from WPF includes the following information:

- What are the changes the Community Based Testing Sites HIPAA waiver creates?
- What are the privacy concerns?
- WPF recommendations to correct the privacy problems in the Community Based Testing Sites HIPAA waiver
- Background on HIPAA waivers and a list of all current waivers in force

April 6, 2020 WPF Statement on COVID-19 Business Associate HIPAA Waiver

In response to the COVID-19 (coronavirus) pandemic, the U.S. Department of Health and Human Services announced a HIPAA waiver April 2, 2020 regarding Business Associates. The April 2 waiver is consequential and poses significant privacy challenges. This statement from WPF includes the following information:

- What are the changes to HIPAA the April 2 waiver creates?
- What are the privacy concerns?
- WPF recommendations to correct the problems in the April 2, 2020 waiver

WPF responds to HHS and urges it to keep privacy protections in HIPAA strong

WPF has written to the US Department of Health and Human Services advising them on their Request for Information (RFI) about possible changes to HIPAA privacy and security protections. The RFI has a number of suggestions that, should they become part of a formal proposal, would significantly weaken HIPAA privacy protections.

WPF files comments on US government proposal on confidentiality of drug/alcohol patient records, urges revisions

The World Privacy Forum commented on an important proposal to make changes to the existing rules regarding the confidentiality of alcohol and drug abuse patient records. The proposal is from the Substance Abuse and Mental Health Services Administration (SAMHSA), part of the US Department of Health and Human Services. These ...

WPF Files Comments on Federal Proposal for Human Subject Research (Common Rule)

The Nuremberg Code, an extraordinary document around ethics and research on human subjects written after the research abuses that took place during World War II, is akin to a global Emancipation Proclamation for human research subjects. The Nuremberg Code's 10 principles remain a timeless rendering of thought on what should be in place prior to any entity conducting research on human subjects, and this code forms the philosophical foundation of a regulation in the US known as the Common Rule. We have written extensive comments on the US proposal that will update the Common Rule...

US Department of Health and Human Services fines Arizona provider $100,000 for HIPAA violations

In a rare enforcement action of HIPAA, HHS fined an Arizona health care provider $100,000 for a variety of HIPAA violations, especially regarding electronic exchanges of protected health information. The HHS document outlining the reasons for the fine should act as a wake-up call to health care providers using public email, calendaring, and other tools for communication of ePHI. HHS specifically noted that the fined health care provider did not conduct an adequate risk assessment prior to using the email and Internet tools. The full HHS document is a must-read for health care providers. WPF has been warning about the need for full e-risk assessments since 2005 and strongly advocates for medical-identity-theft-specific risk assessments.

WPF urges HHS to do more to protect the privacy of people who are medical research subjects

Common Rule | Health Privacy -- The World Privacy Forum filed extensive comments with the US Department of Health and Human Services about its proposed changes regarding the rules governing human subject medical research. In the comments, WPF noted that the HHS approach to privacy for research subjects was incomplete and did not use all Fair Information Practices. WPF strongly urged HHS to revise its proposal on a number of issues, including consent and the use of biospecimens in research. The World Privacy Forum is urging HHS to acknowledge that the realm of health data that is truly non-identifiable has shrunken remarkably, for example, biospecimens with DNA cannot be considered non-identifiable anymore. "In our comments, we are requesting that HHS give individuals the opportunity to make choices about the use of their own health data and specimens," said Executive director Pam Dixon. WPF also stated in its comments that "A central database with identifiable information about participants in human subjects research is a terrible idea." (See p. 21 of WPF comments.)

Public Comments: October 2011 - WPF urges HHS to do more to protect the privacy of medical research subjects

The World Privacy Forum filed extensive comments with the US Department of Health and Human Services about its proposed changes regarding the rules governing human subject medical research. In the comments, WPF noted that the HHS approach to privacy for research subjects was incomplete and did not use all Fair Information Practices. WPF strongly urged HHS to revise its proposal on a number of issues, including consent and the use of biospecimens in research. The World Privacy Forum is urging HHS to acknowledge that the realm of health data that is truly non-identifiable has shrunken remarkably, for example, biospecimens with DNA cannot be considered non-identifiable anymore. "In our comments, we are requesting that HHS give individuals the opportunity to make choices about the use of their own health data and specimens," said Executive director Pam Dixon. WPF also stated in its comments that "A central database with identifiable information about participants in human subjects research is a terrible idea." (See p. 21 of WPF comments.)

WPF files substantive comments on HIPAA

Medical privacy and HIPAA -- The World Privacy Forum today filed its comments on the proposed changes to the HIPAA privacy rule, supporting some proposed changes and suggesting additional changes to enhance patient choice. In particular, the WPF supports the new patient right to an access report that has been added (p. 4), and has requested that Health Information Exchanges also be required to provide accountings of disclosures to patients (p. 18). The WPF generally argued that HHS needs to look forward and allow changes in information technology to fully benefit patients by providing the facility for more accounting rather than less (pp. 2-3). If the HIPAA rule gives patients a greater ability to monitor how their information is used and disclosed, patients will pay attention and requests for accounting of disclosures will become more common.

Public Comments: August 2011 - Proposed changes to the HIPAA Privacy Rule regarding Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act

The World Privacy Forum today filed its comments on the proposed changes to the HIPAA privacy rule, supporting some proposed changes and suggesting additional changes to enhance patient choice. In particular, the WPF supports the new patient right to an access report that has been added (p. 4), and has requested that Health Information Exchanges also be required to provide accountings of disclosures to patients (p. 18). The WPF generally argued that HHS needs to look forward and allow changes in information technology to fully benefit patients by providing the facility for more accounting rather than less (pp. 2-3). If the HIPAA rule gives patients a greater ability to monitor how their information is used and disclosed, patients will pay attention and requests for accounting of disclosures will become more common.

Public Comments: December 2010 Personal Health Records and online advertising

The World Privacy Forum filed comments today about how medical records and other health information are intersecting with online advertising and online activities. The WPF comments were filed with the Department of Health and Human Services in response to its request for comments on personal health records, privacy, and social media.

WPF comments about Personal Health Records and online advertising

Health privacy -- The World Privacy Forum filed comments today about how medical records and other health information are intersecting with online advertising and online activities. The WPF comments were filed with the Department of Health and Human Services in response to its request for comments on personal health records, privacy, and social media.

Public Comments: September 2010 - Joint comments on the Proposed Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH

In our view, the Department’s proposed changes to HIPAA regarding marketing are contrary to the law. Current law requires that paid communications for any marketing should be allowed only on an opt-in basis. We oppose the Department’s proposed regulation that would allow communications paid for by third parties who are not the entities whose product or service is being described in the communication.

Public Comments: September 2010 Proposed Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH (long version)

The World Privacy Forum filed two sets of detailed regulatory comments on recently proposed changes to HIPAA. The first comments focused on proposed changes to HIPAA in the area of marketing patient information. The proposed changes would be harmful to patient privacy, and are contrary to the law. WPF was joined in the marketing comments by the Center for Digital Democracy, Consumer Action, Consumer Federation of America, the Electronic Frontier Foundation, Privacy Activism, Privacy Rights Clearinghouse, and Privacy Times. The second set of comments WPF filed included the comments on marketing as well as on additional provisions that would be problematic if enacted.

WPF files two sets of key comments on HIPAA privacy rule

Health privacy and HIPAA -- The World Privacy Forum filed two sets of detailed regulatory comments on recently proposed changes to HIPAA. The first comments focused on proposed changes to HIPAA in the area of marketing patient information. The proposed changes would be harmful to patient privacy, and are contrary to the law. WPF was joined in the marketing comments by the Center for Digital Democracy, Consumer Action, Consumer Federation of America, the Electronic Frontier Foundation, Privacy Activism, Privacy Rights Clearinghouse, and Privacy Times. The second set of comments WPF filed included the comments on marketing as well as on additional provisions that would be problematic if enacted.

Public Comments: May 2010 - WPF comments on possible changes to HIPAA privacy rule; requests more patient access to audit logs

The World Privacy Forum filed comments with the US Department of Health and Human Services today in response to its Request for Information about possible changes to the HIPAA health privacy rule. WPF strongly supported patients' current right to request a history of disclosures of their medical files, and requested an expansion of this right. WPF noted in its comments to HHS that "An individual cannot fully protect his/her privacy interest in a health record (and most other records) unless he/she has a right of access to the record, the right to propose a correction, and the right to see who has used the record and to whom it has been disclosed. Each of these elements is essential."

WPF comments on proposed changes to HIPAA

Health privacy and HIPAA -- The World Privacy Forum filed comments with the US Department of Health and Human Services today in response to its Request for Information about possible changes to the HIPAA health privacy rule. WPF strongly supported patients' current right to request a history of disclosures of their medical files, and requested an expansion of this right. WPF noted in its comments to HHS that "An individual cannot fully protect his/her privacy interest in a health record (and most other records) unless he/she has a right of access to the record, the right to propose a correction, and the right to see who has used the record and to whom it has been disclosed. Each of these elements is essential."

Public Comments: December 2009 - Genetic Information Nondiscrimination Act of 2008, GINA NPRM

The World Privacy Forum filed comments on proposed regulations for implementing Title I of GINA, the Genetic Non-Discrimination Act. The WPF requested a change to the proposed regulations, asking that the Department of Health and Human Services require immediate posting of revised notices of privacy practices on the web sites of affected health plans. Under the proposed regulations, written notice of revised privacy practices to individuals could be delayed due to the cost of postal mailing. The WPF noted that a revised privacy notice posted on a health plan's web site would not incur postal costs, and that regulated entities should take this minimum step to inform consumers of any changes regarding privacy practices affecting genetic non-discrimination.