World Privacy Forum and EFF submit comments on AHRQ plan for national healthcare database

AHRQ / databases | medical privacy — In June, the Agency for Healthcare Research and Quality (AHRQ) published a request for information about its plan to create a “public/private” national database of healthcare information tentatively called the “National Health Data Stewardship entity.” WPF and EFF raised questions about ownership and management of the proposed database (Would this database fall under HIPAA? Would it fall under the Privacy Act of 1974?), questions about identifiability of patients in the database, and suggested that a full-time, independent privacy officer should be established for the program from the inception of the planning stages. The comments also discussed the numerous questions relating to data security (including medical identity theft) and data quality, as well as consent, access, and opt-out procedures for patients that the proposed national database raises.

Consumer Alert: Monster.com data breach impacts hundreds of thousands of job seekers; job seekers who have safety concerns may be especially at risk

Consumer Alert | Internet privacy | Job search safety and privacy — The World Privacy Forum issued a consumer alert today warning about a data breach at Monster.com. Security firms that analyzed the breach have stated the breach impacts hundreds of thousands of job seekers. The immediate information that was stolen included job seekers’ home address, phone numbers, email address, and resume IDs. Some victims may have received further phishing emails. Job seekers who have safety concerns such as law enforcement professionals, victims of domestic violence and other victims of crimes such as stalking — who typically do not make their home addresses or personal phone numbers public — have an immediate need to know if their personal information may be in the hands of criminals. The consumer alert contains tips for victims and links to resources and more information.

Public Comments: August 2007 – AHRQ Joint Comments …..World Privacy Forum and EFF submit comments on AHRQ plan for national healthcare database

In June, the Agency for Healthcare Research and Quality (AHRQ) published a request for information about its plan to create a “public/private” national database of healthcare information tentatively called the “National Health Data Stewardship entity.” WPF and EFF raised questions about ownership and management of the proposed database (Would this database fall under HIPAA? Would it fall under the Privacy Act of 1974?), questions about identifiability of patients in the database, and suggested that a full-time, independent privacy officer should be established for the program from the inception of the planning stages. The comments also discussed the numerous questions relating to data security (including medical identity theft) and data quality, as well as consent, access, and opt-out procedures for patients that the proposed national database raises. Read the joint comments (PDF)

World Privacy Forum responds to June 2007 NCVHS recommendations to the Secretary of HHS regarding health care information at non-HIPAA covered entities

Medical privacy | NCVHS | HIPAA — The World Privacy Forum has sent a letter to Dr. Simon P. Cohn, Chairman of the National Committee on Vital and Health Statistics, supporting the Committee’s formal conclusion that all entities that create, compile, store, transmit, or use personally identifiable health information should be covered by a federal privacy law. More needs to be done about health care data that is left unprotected by HIPAA. The Forum’s letter included a discussion of two HHS programs that operate outside of HIPAA: FDA RiskMAPS, and the National Institutes of Health, which is not a covered entity under HIPAA.

Public Comments: August 2007 – NCVHS letter Update to privacy laws and regulations required to accommodate NHIN data sharing practice

We particularly note the Committee’s observation that the non-covered entities “may even sell personal health information without authorization for the purpose of marketing or other purposes that consumers may find objectionable.” The World Privacy Forum agrees with the Committee, and believes that the use of identifiable patient health care information for marketing is a disturbing possibility. New institutions are being developed and implemented to exploit gaps in HIPAA that allow use of patient data for marketing purposes. Action to close those gaps is needed urgently. The Committee’s letter is a small step in that direction.