05/08/2008 SACGHS | Oversight of genetic testing

Key genetic oversight report released; includes changes based on World Privacy Forum comments

The Secretary's Advisory Committee on Genetics, Health and Society (SACGHS) released its final report on Oversight of Genetic Testing (U.S. System of Oversight of Genetic Testing: A Response to the Charge of the Secretary of Health and Human Services, April 2008, PDF, 276 pages). This is a substantial, thoughtful report that is likely to have a long-term impact on the field. The World Privacy Forum submitted formal written comments regarding this report when it was in draft form, and also appeared before the Committee in person in February of 2008 to discuss additional information relevant to the report. The final report reflects the World Privacy Forum comments and testimony. The report now includes a discussion about Direct to Consumer advertising and marketing as well as related privacy issues. The discussion in the final report also now acknowledges the implications of Direct to Consumer marketing of genetic tests regarding online privacy. The final report also reflects generally increased attention to privacy issues.

Read the SACGHS report | Read the WPF comments on the draft SACGHS report | Related: Genetic Privacy Page | Related: WPF behavioral advertising comments

 

 

05/07/2008 FERPA

World Privacy Forum files comments on proposed changes to FERPA; requests changes to protect student and parent privacy

The U.S. Department of Education has published proposed changes to its FERPA regulations (FERPA stands for the Family Educational Rights and Privacy Act). FERPA is a significant regulation that controls how students' school records and "directory" information may be shared. The proposed regulations have one item the WPF is supporting, which is that SSNs are not considered part of the directory information. However, other aspects of the proposed regulation still need work to adequately protect students' and parents' privacy interests. The WPF commented in particular that schools should not be allowed to request and then store a full tax refund from parents in order to prove students' eligibility. The Forum also requested that students' electronic identifiers not be included in the definition of directory information. One area of substantial concern is that the Department of Education has not expressly provided that students who opt out of having their directory information shared should not be penalized for opting out. Currently, the proposed regulations may be read to suggest that schools may be able to deny benefits, services, or even required activities to students who have exercised the right to opt out of the publication of directory information. FERPA comments may be filed until close of business Eastern time May 8, 2008.

Read the WPF FERPA comments | Read the Notice of Proposed Rulemaking, FERPA

 

 

04/22/2008 Health Care Innovations workshop

World Privacy Forum to speak at Federal Trade Commission health workshop

The World Privacy Forum will be speaking at an upcoming FTC workshop on the topics of medical identity theft, personal health records, and direct-to-consumer genetic tests and marketing. The workshop is April 24, 2008. Workshop information is available at the FTC web site.

See the FTC HCI workshop web page | World Privacy Forum PHR page | WPF genetic privacy page | WPF medical identity theft page

 

 

04/11/2008 Behaviorally targeted advertising | FTC proposed rules

World Privacy Forum files comments on behaviorally targeted ads online; requests separate rulemaking for sensitive medical information

The World Privacy Forum filed comments in response to the Federal Trade Commission's proposed self-regulatory guidelines for companies targeting online advertising to consumers based on consumer behaviors. The WPF requested a separate, formal rulemaking process for determining how sensitive medical information should be handled online regarding behaviorally targeted advertisements. The WPF also discussed genetic data and requests for genetic tests, and noted that genetic information should be included in any definition of sensitive medical information. The WPF reiterated that the definition of personally identifiable information should include IP address, and encouraged the FTC to work from a rights-based approach regarding online advertising. The WPF also urged the FTC to include all fair information practices in any self-regulatory regime, and to enforce the regime directly.

Read the WPF comments on the FTC proposed self-regulatory rules (PDF) | WPF Internet privacy page

 

 

04/04/2008 Patient Safety Organizations | Proposed rulemaking

World Privacy Forum files comments on proposed rules regarding Patient Safety Organizations

The World Privacy Forum filed extensive comments today regarding privacy protections for patients whose health care information will be shared with patient safety organizations under newly proposed Department of Health and Human Services regulations. After a landmark Institute of Medicine report on the prevalence of medical errors and their harmful impact on patients (To Err is Human), the U.S. Congress eventually passed the Patient Safety Act (2005). The Patient Safety Act allows extensive health care data of patients to go to patient safety organizations. The idea is to provide a form of quality control. The Agency for Healthcare Research and Quality (AHRQ), part of HHS, has published its proposed regulations implementing the Act. The World Privacy Forum has made 14 recommendations for substantive changes in the proposed rules to protect patient privacy. The World Privacy Forum asked the Agency to expressly mandate that all patient data be de-identified or anonymized to the greatest extent possible, that the proposed rule expressly require data use agreements for any data sharing, and that the patient information be labeled as subject to the Patient Safety Act, and strongly urged that patient safety organizations be required to maintain an accounting of disclosures at least equal to HIPAA, among other recommendations. The full set of recommendations is available in the WPF comments. The proposed rulemaking will be open for public comments until April 14, 2008.

Read the WPF patient safety comments (PDF) | Permalink | Related: See the HHS press release on its proposed regulation

 

 

03/31/2008 Genetic privacy | medical privacy

Genetic Privacy Page

The World Privacy Forum has published a new page on genetic privacy outlining basic policy issues and collecting World Privacy Forum work in the area. The page also links to key external research being done in privacy and genetics, and also links to key organizations doing work in this area in the U.S. and the U.K.

See the Genetic Privacy page | Related: Medical privacy page

 

 

03/18 Medical ID theft

Updated Consumer Tips for Medical ID Theft

Based on interviews with numerous victims and others involved in the crime of medical identity theft, and based on our own work with victims, the World Privacy Forum has added some new information to its 2006 consumer tips for medical identity theft. We have also slightly updated some of the older tips based on new information. The Forum has also updated its medical identity theft landing page to reflect our new and ongoing work in this area.

See the updated consumer tips | See the updated medical identity theft page

 

 

02/20/2008 New publication | PHRs and privacy 

Legal and Policy Analysis: Personal Health Records: Why Many PHRs Threaten Privacy

The World Privacy Forum has published a new legal and policy analysis examining Personal Health Records -- or PHRs -- and the privacy issues associated with them. This analysis, Personal Health Records: Why Many PHRs Threaten Privacy, was prepared by Robert Gellman for the World Privacy Forum. The analysis finds that significant, serious threats to privacy exist in some PHRs.

Read the legal analysis (PDF) | Related: PHR Page | Related: PHR Consumer Advisory (PDF)

 

 

02/20/2008 Consumer advisory | PHRs and privacy

WPF Consumer Advisory: The Potential Privacy Risks in Personal Health Records Every Consumer Needs to Know About

The World Privacy Forum has issued a consumer advisory about the privacy of PHRs to help consumers understand and approach the complex privacy issues PHRs can raise. Consumers need to know that not all PHRs protect privacy in the same way, and some PHR systems can undermine consumer privacy in serious ways that consumers may not be expecting.

Read the Consumer Advisory (PDF) | Related: PHR Page | Related: PHR legal analysis (PDF)

 

 

02/13/2008 Genetic privacy | SACGHS

World Privacy Forum testifies on genetic privacy and consumer data marketing issues

The World Privacy Forum gave testimony to the Secretary's Advisory Committee on Genetics, Health and Society regarding privacy issues stemming from direct-to-consumer advertising and consumer-initiated genetic testing. The World Privacy Forum noted that a great deal of consumer health data circulates outside the protections of HIPAA, and a substantial market for this kind of consumer health data already exists. Genetic data about consumers that is acquired outside the clinical context and is not subject to the protections of HIPAA (for example, through consumer-initiated genetic testing) will likely not be any more protected than other forms of consumers' health-related information from the current demands of the market. However, leakage of genetic information about consumers into the marketing stream could have negative consequences for both those consumers and their blood relatives. The World Privacy Forum urged the committee to include specific recommendations about privacy in its upcoming report to the Secretary, and also urged the committee to work with other federal agencies to set up a pre-market oversight structure that includes significant and meaningful privacy protections for genetic testing occurring outside of the protections of HIPAA.

Read the detailed written statement to the committee (PDF) | Related: Genetic Privacy Section of WPF Medical Privacy Page

 

 

02/11/2008 Financial privacy / credit reports

World Privacy Forum, NCLC, and Consumers Union file extensive comments regarding accuracy of credit reports

The NCLC, Consumers Union, and the World Privacy Forum filed extensive joint comments today regarding the proposed rulemaking, Procedures to Enhance the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies under Section 312 of the Fair and Accurate Credit Transactions Act. The results of the proposed rulemaking will have a significant impact on how the accuracy of credit reports is defined for consumers, and will have a substantive influence over how consumers may handle credit report disputes directly with those who furnish information for the reports.

Read the joint comments (PDF) | See the original proposed rulemaking from the FTC

 

 

01/28/2008 Financial privacy / credit reports

Opportunity for public comment on the accuracy of credit reports

Consumers and organizations have an opportunity to submit public comments about the accuracy and integrity of credit reports. Until February 11, the Federal Reserve Board, the Federal Trade Commission and other banking agencies will be accepting comments on their draft rulemaking regarding how creditors and other furnishers provide information to consumer reporting agencies, and which types of direct disputes they must handle. This proposed rulemaking is a key one; it defines what accuracy and integrity of information provided to consumer reporting agencies means, how disputes may be handled directly with the furnishers, and which types of direct disputes furnishers may ignore. The NCLC, Consumers Union, and the World Privacy Forum have written a sample letter that may be downloaded and used or modified for the comments. To file your letter, submit your comments to the Board of Governors of the Federal Reserve System by emailing the comments to regs.comments@federalreserve.gov with the subject line "Docket No. R–1300."

See the Sample Letter | See the FTC's Notice of Proposed Rulemaking

 

 

01/28/2008 Opt-out / Financial privacy

Updates to Top Ten Opt-Out List

The World Privacy Forum has updated its popular Top Ten Opt Out list to reflect several new changes made to the Direct Marketing Association opt outs. In the past, some of the DMA opt-outs, like the Direct Marketing Association's mailing preference lists, cost $1. That fee has now been removed for people opting out online. Please see item #3 on the Opt Out list for the complete update.

See updated WPF Top Ten Opt Out List

 

 

12/19/2007 Genetic privacy | SACGHS

World Privacy Forum files public comments regarding oversight of genetic testing; warns about the privacy risks related to unregulated commercial genetic tests and the need to prevent phantom genetic tests from becoming a new business model for fraudsters

The World Privacy Forum filed extensive comments with the Secretary's Advisory Committee on Genetics, Health and Society (SACGHS) regarding its draft report on genetic testing oversight, U.S. System of Oversight of Genetic Testing: A Response to the Charge of the Secretary of HHS. The World Privacy Forum requested that SACGHS pay more attention in its final report to the privacy consequences of unregulated genetic testing that occurs outside the health care sector. The WPF comments note that current and proposed remedies for the misuse of genetic information tend to focus on the use of the information within the health care treatment, payment, and insurance systems. What is crucially important is to analyze how to protect genetic information in the realm of commercial collection, maintenance, use and disclosures. Another area the comments discuss is the potential for new forms of fraudulent activity related to genetic testing (phantom genetic testing, that is, genetic tests marketed to consumers that are not even real or viable genetic tests). The World Privacy Forum specifically recommended that the National Committee on Vital and Health Statistics be tasked with looking at this matter, that an independent pre-market assessment mechanism be created for genetic tests offered outside the clinical setting, and that privacy be expressly discussed in the overarching recommendations in the final report.

See the World Privacy Forum SACGHS comments (PDF) | Permalink | Related: see the draft SACGHS report | WPF medical privacy page

 

 

12/19/2007 Fair Information Practices

Fair Information Practices (FIPs) page update

The World Privacy Forum has updated its page on Fair Information Practices to include the new work by Robert Gellman in this area. His article, Fair Information Practices: A Basic History, December 2007, is an important history of the development of Fair Information Practices. It includes information that even experts familiar with FIPs may not know.

See updated WPF Fair Information Practices page | Related: see Robert Gellman's article Fair Information Practices: A Basic History

 

 

11/29/2007 Medical identity theft update

New FTC statistics affirm World Privacy Forum's 2006 Medical Identity Theft report; give first robust medical identity theft statistics

The Federal Trade Commission released its national ID theft survey, which for the first time contains statistics specific to medical identity theft. According to the FTC report (p. 21), 3 percent of all identity theft victims in 2005 were victims of medical identity theft, which means of 8.3 million ID theft victims, approximately 250,000 people were victimized by medical identity theft in that year alone. The purpose of the World Privacy Forum 2006 report was to prove that medical identity theft existed, and was already occurring in large numbers. At the time the report was published, the crime of medical identity theft had not been specifically studied, nor was it understood to exist. The FTC statistics abundantly affirm the thesis and conclusions of the WPF report.

See the new FTC ID theft report | See the WPF 2006 Medical Identity Theft Report

 

11/05/2007 Security Freeze update | Financial privacy

Security Freeze update: as of November 1, security freeze now available to consumers in all states

As of November 1, 2007, the ability to place a security freeze is available nationwide at the three major credit reporting bureaus. To date, 39 states and the District of Columbia have some form of security freeze law. But now, even in the states that did not pass security freeze legislation, consumers will be able to place a security freeze. A security freeze lets you stop the disclosure of your credit report by a credit bureau. A security freeze can be especially helpful to individuals who are having persistent problems with identity theft. For more information:

See the updated WPF Security Freeze page | Related: Top Ten Opt-Out list

 

 

11/05/2007 Announcement | CalPSAB

World Privacy Forum appointed to California Security and Privacy Advisory Board

WPF executive director Pam Dixon has been appointed by California Secretary of Health and Human Services Kim Belshe to the California Security and Privacy Advisory Board. Dixon will serve as interim co-chair of the board, which is tasked with addressing health information exchange (HIE) privacy and security efforts in California. The board's meetings will be open to the public. For more information see: CalPSAB's web site.

 

 

11/02/2007 Report | Internet privacy | NAI

WPF Report: The Network Advertising Initiative: Failing at Consumer Protection and at Self-Regulation

The World Privacy Forum published a new report today, The Network Advertising Initiative: Failing at Consumer Protection and at Self-Regulation. The report is an in-depth analysis of the history and current operations of the Network Advertising Initiative (NAI) self-regulatory agreement. The NAI was created to protect consumers' online privacy in the behavioral advertising arena. The report finds that the NAI has failed. The report discusses the failure of the NAI opt-out cookie, the uses of persistent consumer tracking technologies that go beyond cookies, such as Flash cookies, browser cache cookies, XML super cookies, and other issues. The report also discusses the practice of re-setting cookies after cookie deletion. The report gathers the details of the difficult membership history of the NAI, as well as the enforcement history of TRUSTe regarding NAI.

Executive director Pam Dixon will be testifying before the FTC eHavioral Town Hall meeting Nov. 2 to discuss the findings of this report, which will be submitted to the FTC.
Read the report (PDF)

 

 

10/30/2007 Consensus document | Consumer rights and protections

Privacy and consumer groups unveil consensus document recommending expanded consumer rights and protections in the behavioral advertising sector; call for a Do Not Track list, access, limits of the use of sensitive medical and financial information, expanded notice, accessibility for people with disabilities, and other rights

Ten privacy and consumer groups, including the World Privacy Forum, unveiled a consensus document outlining key consumer rights and protections in the behavioral advertising sector. The document is directed toward the Federal Trade Commission, and urges the FTC to take proactive steps to adequately protect consumers as online and other forms of behavioral tracking and targeting become more ubiquitous. The consensus document was filed with the Secretary of the FTC and its commissioners. Behavioral advertising is the focus of the FTC's eHavioral Advertising Town Hall meeting taking place November 1-2 in Washington, D.C. The network advertising sector has a self-regulatory plan, the Network Advertising Initiative, in place, and has had this plan in place since 2000. The consensus document addresses the many areas where the NAI plan has failed to protect consumers.

Read the consensus document | Permalink | Illustration of Do Not Track List

 

 

 

10/16/2007 Medical identity theft / AHIMA

World Privacy Forum gives keynote speech to AHIMA on medical identity theft; outlines 8 best-practice responses to the crime

Executive director Pam Dixon spoke to thousands of AHIMA delegates in Philadelphia, sharing the latest information on medical identity theft and outlining 8 best practice responses to the crime for the health care sector. Dixon specifically asked for the creation of national guidelines for helping medical identity theft victims, the ability for victims to set red flag alerts in their health care files, that providers train and have dedicated personnel to help medical identity theft victims, "John and Jane Doe" file extractions, a focus on addressing insider access to patient information, risk assessments specifically for medical identity theft, and educational efforts. The information in the speech was based on the latest World Privacy Forum research in the area of medical identity theft.

Read the speech Medical Identity Theft: Issues and Responses (PDF) | See the medical identity theft page | Read tips on what to do if you are a medical identity theft victim | Permalink

 

 

10/16/2007 Medical identity theft | Best practice responses

World Privacy Forum outlines 8 best practice responses to medical identity theft for the healthcare sector

The World Privacy Forum has outlined 8 best practice responses to medical identity theft for the health care sector. The best practice responses are based on research the Forum is conducting for its second report on medical identity theft, and are a work in progress. The 8 best practice responses were presented to AHIMA delegates October 9; the Forum is soliciting and accepting feedback on the 8 best practices.

Read Eight best practices for helping victims of medical identity theft | See the medical identity theft page | Tips for medical identity theft victims | Permalink

 

 

10/12/2007 Medicare / CMS

World Privacy Forum files comments on CMS plan to allow release of patients' protected health information from Medicare database in some circumstances; benefits do not outweigh the risks

The World Privacy Forum filed extensive public comments on the substantive changes to the Medicare database release policy that the Centers for Medicare and Medicaid Services (CMS) has proposed in a System of Records Notice. As it currently stands, CMS is planning to release the individually identifiable protected health information of patients in the Medicare database to third parties in some circumstances. CMS has not established strong enough checks and controls on its release policy, and it has not explained how it is able to do this under HIPAA. The comments state that CMS has an obligation to explain how each routine use in its new policy is consistent with the authority in the HIPAA privacy rule. If a routine use allows disclosures that are broader than those permitted by HIPAA, then the routine use must be narrowed so that it is consistent with HIPAA. The comments also note that nothing in the CMS notice discusses substance abuse rules and other legal restrictions of the protected health data. The World Privacy Forum asked CMS to specify that the qualifications of any data aggregators who may potentially receive the data exclude any entity that sells other consumer data for any general business, credit, identification, or marketing purpose.

Read the comments (PDF) | Permalink

 

 

09/17/2007 NHIN update

Update: World Privacy Forum's NHIN Timeline updated to reflect changes in AHIC

The National Health Information Network, or NHIN, is part of a major undertaking to digitize and network the health care sector. From electronic health records to multi-state health information hubs, the U.S. government's goal is to modernize and move health care information from paper to digital. The Department of Health and Human Services is the primary mover behind this initiative, which is complex and multi-faceted. The World Privacy Forum keeps a chronology of NHIN events as a public service. The NHIN timeline has been updated to reflect changes in AHIC, a group that is charged in part with ensuring privacy and confidentiality in the NHIN and other aspects of health care modernization. AHIC is set to transition to a "public-private partnership," a move that will need to be watched closely to ensure robust consumer involvement.

See the NHIN timeline | Also: See the NHIN page for background on NHIN | Related: Read more on AHIC transition plans

 

 

09/07/2007 AHIC successor / health care privacy

World Privacy Forum requests adoption of a "no stakeholders left behind" policy in AHIC successor plans

The World Privacy Forum offered public comments on HHS' American Health Information Community (AHIC) successor plans, urging that HHS adopt a "no stakeholders left behind" policy as it forms the new public/private AHIC. The Forum's analysis of the AHIC Successor White Paper concluded that the current succession plans lack processes and checks that would ensure meaningful consumer participation, and that the AHIC successor plans as they currently stand do not bode well for a robust role for privacy or consumer groups in the new AHIC. Specific issues the World Privacy Forum discussed in its comments included fee structures, membership, handling conflicts of interest, stakeholder issues, privacy and identifiability issues, and the need for the new AHIC to achieve credibility.

Read the WPF AHIC Successor comments (PDF) | Permalink | Related: World Privacy Forum's NHIN page | More on the AHIC Successor at HHS.gov

 

 

08/30/2007 Consumer alert update

Update: Monster.com saying data breach may impact all users of Monster.com, official Federal job site USAJobs.com impacted

Monster.com posted a warning on its site stating that all users of Monster.com may have been impacted by the data breach of its systems by hackers. All job seekers need to be aware of potential phishing attacks that are sophisticated and highly targeted, and job seekers with safety considerations need to be aware that their information has likely been compromised. The U.S. Office of Personnel Management has announced that the Federal job site USAJobs (which is outsourced to Monster.com) has also been impacted by the breach. The World Privacy Forum has updated its job seeking tips, and its consumer alert.

View the Monster.com consumer alert | Read the updated WPF job seeker's tips

 

 

08/24/2007 Data breach / GAO data breach study

GAO's data breach list from its June 2007 report

The World Privacy Forum made an information request to the GAO asking for a copy of the single, non-duplicative list of data breaches that its June 2007 data breach report (GAO-07-737) refers to and was based on. The list was not included in the GAO report. The GAO used a figure in its report of "more than 570 data breaches" from January 2005 to December 2006 based on this non-duplicative breach list. The GAO breach list is straightforward; it tallies data breaches chronologically from January 1, 2005 to December 31, 2006 from three organizations that maintain data breach lists. If the breach appeared on at least one of the three lists, it was apparently included in the final tally. The GAO states that the list was based on a February 15, 2007 download of the lists. Note: the WPF scan of the GAO list includes the first page twice. The front page of the scan is of the GAO list as it looks in the original document, and then the list was scanned for maximum readability into PDF format.

View the GAO breach list | Related: GAO data breach report June 2007 | Permalink

 

 

08/23/2007 AHRQ / databases / medical privacy

World Privacy Forum and EFF submit comments on AHRQ plan for national healthcare database

In June, the Agency for Healthcare Research and Quality (AHRQ) published a request for information about its plan to create a "public/private" national database of healthcare information tentatively called the "National Health Data Stewardship entity." WPF and EFF raised questions about ownership and management of the proposed database (Would this database fall under HIPAA? Would it fall under the Privacy Act of 1974?), questions about identifiability of patients in the database, and suggested that a full-time, independent privacy officer should be established for the program from the inception of the planning stages. The comments also discussed the numerous questions relating to data security (including medical identity theft) and data quality, as well as consent, access, and opt-out procedures for patients that the proposed national database raises.

Read the joint comments (PDF) | Permalink

 

 

08/22/2007 Consumer Alert / Internet privacy / Job search safety and privacy

Consumer Alert: Monster.com data breach impacts hundreds of thousands of job seekers; job seekers who have safety concerns may be especially at risk

The World Privacy Forum issued a consumer alert today warning about a data breach at Monster.com. Security firms that analyzed the breach have stated the breach impacts hundreds of thousands of job seekers. The immediate information that was stolen included job seekers' home address, phone numbers, email address, and resume IDs. Some victims may have received further phishing emails. Job seekers who have safety concerns such as law enforcement professionals, victims of domestic violence and other victims of crimes such as stalking -- who typically do not make their home addresses or personal phone numbers public -- have an immediate need to know if their personal information may be in the hands of criminals. The consumer alert contains tips for victims and links to resources and more information.

See: Consumer Alert web page

Related: World Privacy Forum tips for using resume databases

 

 

08/08/2007 Medical privacy / NCVHS / HIPAA

World Privacy Forum responds to June 2007 NCVHS recommendations to the Secretary of HHS regarding health care information at non-HIPAA covered entities

The World Privacy Forum has sent a letter to Dr. Simon P. Cohn, Chairman of the National Committee on Vital and Health Statistics, supporting the Committee's formal conclusion that all entities that create, compile, store, transmit, or use personally identifiable health information should be covered by a federal privacy law. More needs to be done about health care data that is left unprotected by HIPAA. The Forum's letter included a discussion of two HHS programs that operate outside of HIPAA: FDA RiskMAPS, and the National Institutes of Health, which is not a covered entity under HIPAA. Read the World Privacy Forum letter to NCVHS here (PDF). The NCVHS letter to the Secretary on HIPAA and non-covered entities is available here (PDF, at the NCVHS web site). For more about RiskMAPs, see WPF testimony from August 1, 2007 (PDF) and June 26, 2007 (PDF).

 

 

08/01/2007 iPledge Program / FDA

World Privacy Forum testifies at FDA advisory committee hearing on the iPledge program; requests attention to privacy issues

The World Privacy Forum testified before the Dermatologic and Ophthalmic Drugs Advisory Committee and the Drug Safety and Risk Management Advisory Committee of the Food and Drug Administration regarding privacy issues related to iPledge, a mandatory program for patients taking the drug Accutane or isotretinoin generics. The FDA has stated that the program, which it requires four drug manufacturers to have in place, does not fall under HIPAA. The program collects substantive amounts of patient information. The Forum urged the FDA to set privacy standards for all RiskMAPs in general, and to resolve privacy issues in the iPledge program specifically. The Forum requested that all marketing provisions of the iPledge program privacy policy be removed, that patients be expressly informed the program does not fall under HIPAA, and that patients be given a printed copy of the iPledge program privacy policy, among other requests. Read the written testimony (PDF). Related: earlier WPF testimony to FDA/AHRQ regarding RiskMAPs.

 

 

07/26/2007 National Disaster Medical System / Privacy Act of 1974

World Privacy Forum requests that the new National Disaster Medical System protect all patient information to standards at least equal to HIPAA

The World Privacy Forum has filed public comments with the Department of Health and Human Services requesting that its new National Disaster Medical System protect all patient information to at least the baseline protections that HIPAA affords, including the HIPAA security and privacy protections. Currently, the new system does not do this, even though the system is housed at HHS, the agency which promulgated the HIPAA standards. The National Disaster Medical System currently contains overbroad routine uses which could potentially result in significant privacy and even public health issues. For example, public health information will not be able to be disclosed under the National Disaster Medical System as the system is currently organized. Additionally, some of the current routine uses in the system would authorize disclosures that would be illegal under HIPAA. For example, Congressional disclosure of a HIPAA record requires a written authorization, something the new system does not require. Read the comments (PDF).

 

07/22/2007 Top ten opt out list

World Privacy Forum's Top Ten Opt Out List

This is a list of the top things to opt out of, and how to opt out. Millions of people have heard about the Do Not Call list, an opt out list that gets people off of telemarketing lists. But far fewer people have heard about the other opt outs that are available, like those that can take people off data broker lists or those that can stop schools from giving out directory information like email and home addresses. Opting out can range from the not-too-difficult (the Do Not Call list is a fairly simple opt out) to the challenging. This list is meant to simplify the information about which opt out does what, to help decide if a particular opt out is the right choice, and to explain how to go about opting out. See the WPF Top Ten Opt Out List.

 

07/22/2006 Security freeze / identity theft / financial privacy

How to place a security freeze (credit freeze)

A credit freeze (sometimes called a security freeze) lets you stop the disclosure of your credit report by a credit bureau. A credit freeze can be especially helpful to individuals who are having persistent problems with identity theft. If you live in a state with a security freeze law, then you may be able to place a security freeze on your files. This World Privacy Forum resource gives general background on security freezes, lists the states with security freeze laws, and links to more information for each state. See the Security Freeze page.

 

07/10/2007 FDA privacy standards - RiskMAPs

The FDA needs to set privacy standards to protect patients in drug risk programs

World Privacy Forum executive director Pam Dixon testified at an FDA/AHRQ joint public workshop about the need for the FDA to set robust privacy standards for drug risk minimization programs, which are put in place for drugs the FDA has determined to be high risk in some way. Drug risk minimization programs (like the iPledge program for the acne drug Accutane) are not typically covered by HIPAA, and some programs have a privacy policy that allows marketing use of patient information collected as part of the risk program. This kind of marketing activity would not be allowable if the programs fell under HIPAA, and Dixon's testimony stated that patients in these programs should have the same kinds of privacy protections as HIPAA covered programs, and that marketing activities involving patient information should not be allowable in these programs. Read the testimony (PDF).

 

06/07/2007 Genetic privacy

World Privacy Forum makes presentation at National Academy of Sciences' Institute of Medicine

Executive director Pam Dixon presented key issues and potential solutions regarding privacy and Genome Wide Association Studies at the Institute of Medicine's Board on Health Sciences Policy meeting. Her presentation included recommendations to engage in a comprehensive study of certificates of confidentiality, to encourage standards of identifiability, to encourage study of what more uniform standards of privacy and security for researchers might look like, and a recommendation to work toward broad solutions that extend beyond GWAS activities. Related: Read WPF public comments on GWAS here (PDF).

 

06/04/2007 AHIC - National Health Information Network

World Privacy Forum Comments on AHIC Confidentiality, Privacy, Security Workgroup Hypothesis

The American Health Information Community Workgroup on Confidentiality, Privacy and Security requested public feedback regarding its working hypothesis. WPF responded to the request with public comments encouraging the adoption of a unified policy architecture and encouraging AHIC to focus on enforcement mechanisms that are intended to directly benefit consumers. WPF also encouraged AHIC to look comprehensively at the demands a new national electronic health exchange network will make on privacy in the health care sector. Read the comments (PDF). See also the National Health Information Network Page for more about the NHIN, and the WPF medical privacy page.

 

05/24/2007 Genetic privacy / PGx

World Privacy Forum files public comments and recommendations on pharmacogenomics privacy: all patient-specific PGx research should require certificates of confidentiality

The World Privacy Forum believes that the capability of identifying individuals from subsets of genetic information will expand greatly in the future. In public comments filed with the National Institutes of Health on pharmacogenomics (PGx) research, or research using genetic information to create highly personalized medicine, the World Privacy Forum recommended that all research activities that involve any type of patient-specific genetic information be required to have certificates of confidentiality, whether that information appears identifiable or not. The WPF also urged the NIH to require strong data use agreements to protect individuals' privacy. The WPF also urged NIH and the Department of Health and Human Services to reinstate the position of "privacy advocate" so as to provide oversight in this area. Read the comments (PDF). For more information, see the genetic section of the WPF Medical Privacy Page. Related note: Executive director Pam Dixon will be speaking about genetic research and privacy at the Institute of Medicine on June 7.

 

05/08/2007 REAL ID / National ID

World Privacy Forum and Electronic Frontier Foundation File Public Comments on REAL ID

The World Privacy Forum and the Electronic Frontier Foundation (EFF) filed joint comments with the Department of Homeland Security about the proposed national ID system, REAL ID. The comments discuss the substantial flaws in the proposed REAL ID system including concerns about the overall structure of the program, the cards, the databases attached to the cards, the lack of controls on "function creep," the possibilities for discrimination, the potential for increased risk of identity theft, issues related to potential gaps in coverage for recipients on Federal programs, among other issues. Read the comments (PDF). See the EFF REAL ID pages for background about REAL ID.

 

05/04/2007 REAL ID

Stop REAL ID

REAL ID is a national ID card program. Currently, the Department of Homeland Security is accepting public comments on the REAL ID plan. Comments will be accepted until Tuesday, May 8. The World Privacy Forum has joined with a large coalition of groups to solicit public comments on REAL ID; to file comments, please visit the Speak Out Against REAL ID coalition page for more information. http://www.privacycoalition.org/stoprealid/

 

04/20/2007 Discussion Forum: Consent and Privacy

Launch of the WPF Discussion Forum: The Paradox of Consent, analysis by Bob Gellman

World Privacy Forum launches its Discussion Forum with an inaugural paper by Robert Gellman on the complexities of consent in the privacy sphere. Gellman's analysis focuses on the core privacy issues underlying "The Maine Incident," that is, Maine's historic 1998 passage of medical privacy legislation, and the subsequent repealing of key aspects of that legislation two weeks after it was enacted. Issues related to consent were key factors in the Maine events. Read Gellman's paper in the WPF discussion forum, or jump directly to Gellman's paper: Consent for Disclosures of Health Records: Lessons from the Past (PDF).

 

04/03/2007 National Health Information Network

Update: World Privacy Forum's National Health Information Network Timeline

Recently, the first live prototypes of the NHIN were demonstrated in Washington, D.C. This was a milestone event in the development of the planned network. The National Health Information Network is an ambitious project the U.S. government undertook in 2004 to digitize and network patient health records across the nation. This project raises challenging confidentiality, privacy, and security issues. See the World Privacy Forum's updated NHIN page and NHIN Timeline for more information. Also see the Forum's Medical ID theft report for an analysis of the potential impact of an NHIN on medical ID theft issues.

 

03/21/2007 Medical privacy / Department of Transportation

Commercial drivers' license applicants requesting exemption from the diabetes standard have their personal medical information, name, age, and more published in the Federal Register; World Privacy Forum urges changes to the practice

The World Privacy Forum filed comments with the Department of Transportation today regarding the department's publication of the detailed personal medical information of individuals subject to DOT regulations in the Federal Register along with their names, ages, and other identifying information. The WPF comments argue that personal medical information combined with name, age, etc. does not belong in the Federal Register, where it can have potentially far-reaching consequences for those individuals who are named as well as their family members. The comment period closes April 2. Read the WPF comments (PDF).

 

02/05/2007 Genetic privacy

World Privacy Forum comments about the ethical, legal, and social implications of using genetic health care data in electronic health records

The World Privacy Forum filed public comments with the Department of Health and Human Services in response to an HHS request for information regarding the use of patients' genetic data for research, health care, and for use in electronic health records. The World Privacy Forum is requesting that HHS use all Fair Information Principles in any personalized health care projects, and is requesting that a formal ELSI (ethical, legal, and social implications) committee be set up to oversee any projects, among other requests. Read the comments (PDF). Also see: WPF Fair Information Practices page.

 

 

 

EVENTS

 

 

World Congress leadership summit, July 22-23, Boston.

 

FTC HCI workshop, April 24, 2008, Washington DC. Web site.

 

CalPSAB, April 16, Oakland.

 

California Information Management Conference, April 9-10, Los Angeles.

 

Cyber Security Summit, March 4-5, Los Angeles. Web site.

 

University of San Diego, Feb. 25, Ethics at the Frontiers of Science, Kroc Institute for Peace & Justice, lecture on genetic information, privacy, and ethics, 2:30 p.m.

 

CHIA Feb. 21 Audio seminar

 

Secretary's Advisory Committee on Genetics, Health and Society, Feb. 13, Washington D.C.

 

CalPSAB, Feb. 7, Los Angeles.

 

CalPSAB, Dec. 4, San Francisco.

 

FTC Town Hall Workshop, Nov. 1-2, Washington D.C.

 

AHIMA National Convention, Plenary presentation on medical identity theft (morning), workshop on medical identity theft prevention (afternoon), October 9, 2007, Philadelphia. Web site.

 

FDA testimony, iPledge program, August 1, 2007, Washington D.C.

 

FDA Public Workshop, Public testimony on RiskMAPs and privacy implications, June 25-26 2007, Washington, D.C.

 

California Health Information Association State Convention, Presentation on solutions for medical identity theft, June 13, 2007, La Quinta, CA. Web site.

 

Institute of Medicine, Board on Health Sciences Policy, Presentation on privacy and Genome Wide Association Studies, June 7, 2007, Washington D.C.

 

Lecture, Ethics at the Frontiers of Science, University of San Diego Kroc Institute for Peace & Justice, April 23, 2:30 p.m. Web site.

 

Regional Meeting, HISPC, Nov. 6, 2006, Seattle. Presentation, Medical Identity Theft: Issues and Solutions.

 

Regional Meeting, HISPC, Nov. 3, 2006, Indianapolis. Presentation, Medical Identity Theft: Issues and Solutions.

 

Network Security Workshop, October 5 2006, Echigo Yuzawa, Japan. Keynote presentation. See the Workshop web site for more.

 

Internal Auditor's Association, October 4, 2006, Tokyo, Japan. Lecture, Global Perspectives on Privacy.

 

The Institute of Information Security, October 4 2006, Tokyo, Japan. Special lecture. See IISEC web site for more.

 

ISACA Tokyo Chapter, October 3 2006, Tokyo, Japan, "Identity Theft, Computer Fraud, and Privacy." See ISACA Tokyo web site for more.

 

 

 
