.	WHAT'S NEW \| RESEARCH & TOPICS \| WORKPLACE\| MEDICAL \| ABOUT US \| RESOURCES \| PRIVACY POLICY

New Consumer Resource

Patient's Guide to HIPAA

The Patient's Guide to HIPAA is the first comprehensive guide to medical privacy written expressly for patients with a practical eye as to how to use the law to protect privacy. It is a major privacy resource for patients, written directly and without legalese. The Patient's Guide to HIPAA is easy to navigate and digest; the guide is in the form of Frequently Asked Questions & Answers. All of the key points in HIPAA are included, from the 7 basic patient rights to how and when to get copies of health care records. Difficult situations that patients often encounter are included in the guide. The Patient's Guide to HIPAA was written by Robert Gellman, with assistance from Pam Dixon, John Fanning, and Dr. Lewis Lorton.

Go directly to the Patient's Guide to HIPAA | Read the press release

06/01/2009 Data Breach of Health Records - FTC

World Privacy Forum files comments with the FTC regarding proposed rules for health care-related data breaches

The World Privacy Forum filed extensive comments with the Federal Trade Commission today regarding its notice of proposed rulemaking for data breaches of information containing actual health care information or health care-related information. The FTC rulemaking will apply to a variety of record holders, especially vendors of personal health records. The Forum supported much of the FTC's proposed rulemaking, finding the rulemaking generally thoughtful and careful. In some areas, the Forum urged the FTC to narrow and further define and strengthen the proposed rule. The World Privacy Forum urged the FTC to tighten language around scope, the definition of "personal health record," law enforcement delays of consumer notification, and urged the FTC to further clarify the definition of what falls under the category of "de-identified data." Citing the research of Dr. LaTanya Sweeney and others, the Forum urged the FTC to require commercial companies and others holding health care data that has been partially de-identified to still report those breaches to the FTC and the public, and to monitor for re-identification.

Read the comments | Related: Medical privacy page | PHR Page | Medical ID Theft page

05/21/2009 Health Record Data Breaches - HHS

World Privacy Forum files comments with HHS regarding data breach guidance

The World Privacy Forum filed comments with the Department of Health and Human Services today regarding the HITECH Act guidance that HHS published along with a request for comments. The Forum urged the Department to tighten its proposed guidance, and to add more protections, oversight, and rules for "limited data set" breaches.

Read the comments | Related: Patient's Guide to HIPAA | Medical Privacy Page | NHIN Page

05/08/2009 Job Search Privacy

Job Searcher's Guide to Job Search Sites

The World Privacy Forum's popular and long-standing Job Searcher's Guide has been completely updated. We have a site-by-site comparison of the privacy practices of online job search sites. This guide was originally posted in 2003, and has been updated regularly. This was a major update of this resource. The World Privacy Forum publishes extensive job search privacy resources in addition to the Guide, including a very popular guide to resume posting privacy.

Visit the Job Searcher's Guide | Related: Visit the job search privacy page or visit the resume posting privacy tips

05/07/2009 Credit Freeze

Credit Freeze Guide How-To Guide updated

We have updated the World Privacy Forum's state-by-state guide on how to place a credit, or security, freeze. Only a few states are lacking a security or credit freeze law now.

Visit the credit freeze page

05/01/2009 Genetic Privacy | GINA

World Privacy Forum files comments on proposed genetic discrimination regulations

The World Privacy Forum filed comments on the proposed regulations on the Genetic Information NonDiscrimination Act, or GINA. The comments request that the Equal Opportunity Employment Commission close down several potential loopholes in consumer protection in the proposed regulations. The Forum specifically asked the EEOC to consider curtailing the amount of commercially available information employers could access about employees, for example, through marketing databases. WPF also requested that those covered under GINA be required to maintain audit trails in certain circumstances, and urged that wellness programs be structured in such a way so as to prevent information leakage through billing and other activities.

Read the comments | Related: WPF Genetic Privacy Page

04/16/2009 Online privacy | FTC

When opting out is hard to do: World Privacy Forum sends letter to FTC about companies offering mail-based opt outs

The World Privacy Forum sent a letter to the Federal Trade Commission asking it to look into four companies offering online consumers the ability to opt out, then asking those consumers to use a variety of postal-mail-based methods to do so.

Read the letter to the FTC | Related: WPF Top Ten Opt Out page

03/27/2009 CVS Caremark | FTC proposed consent agreement

World Privacy Forum asks FTC to reconsider proposed consent agreement with CVS

The World Privacy Forum filed comments with the Federal Trade Commission in response to its proposed consent agreement with the CVS Caremark pharmacy chain. The proposed agreement is in response to a CVS data breach. The agreement does not impose a monetary penalty on CVS, and does not provide remedies for consumers affected by the data breach.

Read the WPF comments | Related: FTC consent agreement with CVS

03/27/2009 CHILI - California Health Information Identification data base

California CHILI database now online

A substantial new resource for individuals seeking to research California laws and regulations regarding health information has come online. The CHILI database is a project of the California Office of Health Information Integrity, and has interfaced with the California Privacy and Security Advisory Board, which the World Privacy Forum co-chairs. The CHILI database can be searched by HIPAA section, California Code section, California health information law keywords, or by statutory scheme.

See the CHILI database home page

02/23/2009 New Report

Privacy in the Clouds

The World Privacy Forum's newest report examines the privacy and confidentiality issues of cloud computing that have been largely overlooked to date. It is a thorough analysis with policy findings. Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing was written by Robert Gellman for the World Privacy Forum. Cloud computing tips for consumers and business are also available.

Go directly to the report (PDF) | See the report and the consumer tips on the World Privacy Forum Cloud Privacy Page | Read the press release

02/18/2009 Medical privacy | HIPAA | FTC

CVS Caremark pharmacy chain agrees to pay $2.25 million to settle charges of HIPAA violations; also settles with the FTC

According to a legal complaint, CVS pharmacies -- the largest pharmacy chain in the United States -- did not take appropriate steps to protect its customers' and employees' sensitive information when it improperly disposed of documents, labels, prescription bottles, and other items with clearly identifiable and highly sensitive personal information such as SSNs, prescription information, driver's license numbers, and other information still on those materials. CVS agreed to pay $2.25 million to settle its violations of HIPAA as part of a Resolution Agreement with the Department of Health and Human Services. CVS has also signed a consent agreement with the FTC; the public can comment on this agreement until March 20, 2009. The World Privacy Forum will be filing comments with the FTC on the consent agreement with CVS, which we will post here.

Read the FTC complaint against CVS | Read the FTC consent agreement with CVS | Read the HHS Resolution Agreement with CVS

02/12/2009 Internet privacy

FTC releases its online advertising principles; Commissioner Harbour urges FTC to go beyond self-regulation

The Federal Trade Commission released its self-regulatory principles for behaviorally-targeted advertising today. The World Privacy Forum will be holding a press conference responding to the principles at 12:30 p.m. Eastern.

Read the text of the FTC statements | See the WPF Behavioral Advertising Page for our resources and documents on behavioral advertising

2/05/2009 Biometrics

World Privacy Forum opposes California DMV plan

The California DMV (Division of Motor Vehicles) has proposed, through an expedited 30- day process, that it begin taking detailed facial scans of drivers and storing the scans in a state-wide database. This change, among other proposed DMV changes, represents a substantial policy shift for the state of California. The World Privacy Forum has urged that this process goes through normal legislative procedures so that there is adequate time for public input and for formal hearings.

Read the backgrounder

01/28/2009 International Privacy Day

World Privacy Forum celebrates International Privacy Day

The World Privacy Forum celebrated International Privacy Day by joining other privacy and civil liberties organizations in encouraging the U.S. Senate to adopt the Council of Europe Privacy Convention. The U.S. has already ratified the Council of Europe Convention on Cybercrime. International Privacy Day was founded three years ago by the Council of Europe, and is celebrated by privacy, civil liberties, and consumer groups in Europe, North America and elsewhere.

See the proposed U.S. Senate resolution | Read more about the Council of Europe Privacy Convention | Related: WPF's Fair Information Practices page

01/27/2009 Monster.com | Consumer Alert | Job search privacy

Consumer Alert: Monster.com announces another big data breach

According to the job site Monster.com, its users' IDs and passwords, email addresses, names, phone numbers, and some "basic demographic data" were compromised in a data breach. Monster notified victims of the security breach through its web site on Friday, January 23, 2009. It is unclear how many people this notice impacts, as Monster.com did not give an estimate. In press reports, however, Monster has admitted that the breach is global, with Asia Pacific and Eastern Europe being spared. Job seekers' information can be used like a road map for criminal ventures, including identity theft, phishing and spamming. User passwords, which Monster.com says were compromised in this breach, are especially valuable as they can potentially be used to access other sites or email accounts, especially if a person regularly uses the same passwords. The World Privacy Forum has published a consumer alert about this data breach with tips for victims. This data breach also impacts USAjobs.com, the government job search site affiliated wiith Monster.com.

See the new Consumer Alert with safety tips | See more job search privacy resources

01/05/2009 School privacy | FERPA

New privacy rules for schools released; World Privacy Forum comments had positive impact for student and parent privacy

In May 2008 the World Privacy Forum submitted detailed comments on proposed changes to the Family Educational Rights and Privacy Act regulations (FERPA). The FERPA regulations are the rules that control how schools treat and release student information. The final FERPA regulations have now been published and reveal that the World Privacy Forum comments had a positive impact. The new regulations agreed with WPF's comment that if a school requests a Federal tax return from a parent, that the parent has the right to redact all financial information from the form, and affirmed that the school does not have a requirement to ask for the tax form in the first place. The regulations also agreed with the WPF comment that the risk of re-identification of published student information is cumulative, and made recommendations that educational institutions take into account all releases of student information it has made, not just new releases.

Read the new FERPA regulations (PDF) | See the World Privacy Forum FERPA comments