The World Privacy Forum Medical Privacy Project

A key area of focus for the World Privacy Forum is in the area of medical privacy, or health care privacy. In our medical privacy project, we are looking at a range of issues from the networking of electronic health files to DNA to medical identity theft. The focus of this project is to explore the relationship between privacy, security, confidentiality and the digitization of health data.

Current areas of active research include:

• Medical identity theft

• PHRs

• National Health Information Network

• HIPAA

• Electronic Health Records

• Genetic Privacy, including genetic research and pharmacogenomics

World Privacy Forum research and other materials are discussed below.

Spring 2009 New Consumer Resource: A Patient's Guide to HIPAA.

The Patient's Guide to HIPAA is an important new resource for patients. It is a practical, strategic guide to help patients understand HIPAA. The Guide is in the form of Frequently Asked Questions and is easy to digest and use. Visit the Patient's Guide to HIPAA.

Medical Identity Theft

Medical Identity Theft Page (Reports, information, news)

About medical identity theft: Medical identity theft is a crime that can cause great harm to its victims. Yet despite the profound risk it carries, it is the least studied and most poorly documented of the cluster of identity theft crimes. It is also the most difficult to fix after the fact, because victims have limited rights and recourses. The World Privacy Forum published the first major report to exist on medical identity theft in 2006, and has brought the issue to national attention in subsequent years. The World Privacy Forum has been tracking medical identity theft closely since 2005. See our medical identity theft page for details of our activities in this area, and for our medical identity theft listserve resource.

About the 2006 medical identity theft report and consumer tips: The World Privacy Forum report on medical identity theft is the first known report documenting this issue. The report, Medical Identity Theft: The Information Crime that Can Kill, was published May 3, 2006. In addition to the report, we have created a set of consumer tips based on the research. These consumer tips, What to do About Medical Identity Theft, include crucial new information for victims of medical identity theft, and should be considered by anyone who wants to know what to do about medical ID theft. The report is being updated and a new version will be published in 2009.

About the medical identity theft testimony: The World Privacy Forum testified before the National Committee on Vital Health Statistics in August 2005. The testimony stressed the importance of building security, patient privacy, and choice into EHRs and any form of the proposed National Health Information Network due in part to the risks of medical identity theft, among other issues.

Research and Resources:

• Medical ID Theft Page
• Medical ID Theft Report (56 pages) May 3, 2006
• Medical ID Theft Executive Summary (15 pages) May 3, 2006

• Medical ID Theft Consumer tips (HTML) May 3, 2006
• NCVHS testimony HTML, August 16, 2005.
• Newest report: Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers , (30 pages) Sept. 24, 2008

  This report discusses the applicability of the new FTC Red Flag regulations to the health care sector along with suggestions for providers. The recently issued regulations by the FTC require financial institutions and creditors to develop and implement written identity theft prevention programs. Health care providers -- whether they are for-profit, non-profit, or governmental entities -- may have obligations under the new rules. Medical identity theft is a real concern in the health care sector, and is included expressly in the Red Flag Rules Guidelines. The new regulations take effect in 2009.

National Health Information Network (NHIN)

NHIN Page (Information, news, testimony, documents)

About the NHIN: The National Health Information Network is a project that has been undertaken by the U.S. government to network electronic health records. We maintain a regularly updated page with news about the NHIIN. We also maintain a chronology of NHIN events and milestones for historic purposes. We have submitted comments and given testimony about the NHIN, and have conducted research regarding its implications. Source materials are listed below.

About the World Privacy Forum NHIN information page: The World Privacy Forum maintains a regularly updated NHIN information page with news updates, source documents, and links to relevant material.

About the World Privacy Forum NHIN timeline: This is a visual timeline that lists key events in the history and development of the NHIN. It is updated regularly as developments occur. The idea is to provide a quick visual update and briefing on the NHIN and to make the complexity of the project simple for individuals to see and understand.

About our NHIN agency comments: The World Privacy Forum has submitted a number of agency comments -- including some joint comments with other groups -- that address issues raised by the NHIN. Specifically, the Forum has submitted comments urging the U.S. Department of Health and Human Services to consider the issues of medical identity theft, security, privacy, and patient choice, and records access issues.

Research and Resources:

• NHIN Page
• NHIN timeline

• WPF comments to HHS about the creation of the NHIN.  February 15, 2005

• WPF comments to HHS about HIPAA and the NHIN.  November 4, 2005
• WPF letter to NCVHS regarding secondary uses of health care information and NHIN. August, 2007.
• Or see the Agency Comments Page for a complete listing of HHS comments.

HIPAA

The primary work the World Privacy Forum has accomplished in the area of HIPAA is research on HIPAA and medical identity theft. We have also submitted comments on proposed changes to HIPAA, and we have pointed out flaws in consumer protection with HIPAA. In winter 2007 the World Privacy Forum will be publishing a substantial report relating to HIPAA.

Research and Resources:

• Comments to HHS on Proposed Changes to HIPAA re: Electronic Healthcare Claims Attachments. 02/08/ 2006
• Comments to HHS about Regulatory Reform/ HIPAA. November 4, 2005
• Medical ID theft report, in particular the section "Medical ID Theft and HIPAA" beginning at page 42.

Electronic Health Records

About EHRs: The transition from paper records to electronic health records raises many privacy and confidentiality issues that do not necessarily have resolutions or answers. Our discussion of this issue may be found in these materials:

Research and Resources:

• Testimony on the Privacy and Security of Electronic Health Records and the NHIN (Before the National Committee on Vital and Health Statistics). August 16, 2005.
• See also the Comments to HHS on Electronic Healthcare Claims Attachments February 2006
• See also the Medical Identity Theft Report, EHR discussion is throughout this report. May 2006
• See also Agency comments page for numerous agency comments about EHR and e-Health. Check under HHS, CMS, and AHIC.
• See also Genetic privacy section on this page.
• Letter to NCVHS on secondary uses of data in the electronic environment. August 2007.
• Testimony to the FDA on RiskMAPS and the iPledge electronic system. June and August 2007.

Genetic Privacy (research, pharmacogenomics, personalized medicine, electronic health records).

Genetic privacy is an area rich with policy issues related to privacy and human rights. A few of the key policy areas include, (among many others):

Genetic Privacy Page (Information, news, testimony, documents)

• Use of genetic material to discriminate against individuals (for example, for employment),
• Storage issues related to genetic material after sample collection (for example, how long are samples kept and why, how securely are the samples kept, how are the samples destroyed, and so on)
• Access and purpose specification issues (who has access to genetic material that has been collected, and is that access in tandem with the original purpose for which the DNA was collected. For example, are newborn screening samples also used for law enforcement purposes, etc.)
• Identifiability issues -- can "anonymous" research be re-linked with a person. The answer is increasingly yes. The World Privacy Forum believes that the capability of identifying individuals from subsets of genetic information will expand greatly in the future.
• Consent issues, especially related to the genetic ripple effect, that is, the ability to tie other members of a family to a single source of genetic material. While robust consent may have been obtained for a single original use, if the DNA is used for secondary purposes to identify or describe a relative that has not given consent, challenging ethical questions arise. The issue of compelled consent also raises numerous ethical and legal issues.

Research and Resources:

The World Privacy Forum's work in this area has focused on the use of genetic information in research, for pharmacogenomics and personalized medicine, and in electronic health records.

• Comments of the World Privacy Forum to the Secretary’s Advisory Committee on Genetics, Health, and Society regarding the draft report on genetic testing oversight, U.S. System of Oversight of Genetic Testing: A Response to the Charge of the Secretary of HHS. The WPF comments note that current and proposed remedies for the misuse of genetic information tend to focus on the use of the information within the health care treatment, payment, and insurance systems. What is crucially important is to analyze how to protect genetic information in the realm of commercial collection, maintenance, use and disclosures. Read the comments (PDF).

• Comments of the World Privacy Forum on the Draft Report of the Secretary’s Advisory Committee on Genetics, Health, and Society, Realizing the Promise of Pharmacogenomics: Opportunities and Challenges. These comments include WPF recommendations for protecting privacy in pharmacogenomics research, an area of increasingly crucial importance.

  Read the comments (PDF).

• Comments of the World Privacy Forum on the Draft Report on Policy Issues Associated with Undertaking a Large U.S. Population Cohort Project on Genetics, Environment, and Disease.

  Read the comments on the Web or PDF.

• Comments of the World Privacy Forum to the U.S. Department of Health and Human Service on its Request For Information regarding Improving Health and Accelerating Personalized Health Care Through Health Information Technology and Genomic Information inPopulation- and Community-Based Health Care Delivery Systems

  Read the comments (PDF).