World Privacy Forum Agency Comments
The World Privacy Forum frequently submits public comments to government agencies in response to Notices of Proposed Rulemaking and other public requests for information. Comments are listed first by agency, then chronologically under each agency. Some of our agency comments have been submitted jointly with other groups. Where this is the case, it is noted.
Department of Commerce
Comments: 06/14/2006 APEC Civil Society Comments, International Trade Administration
EPIC filed comments with the Department of Commerce, which the World Privacy Forum joined. The Office of Technology and Electronic Commerce solicited comments on the development and implementation of “cross-border privacy rules” in the Asia Pacific Economic Cooperation Group (APEC). Seven groups submitted the comments on behalf of civil society organizations (CSO) in the United States concerned about privacy in order to urge the strengthening of privacy rules in the Asia Pacific Economic Cooperation Group.
Department of Health and Human Services (Includes comments to AHIC, AHRQ, CMS, FDA, HHS, NIH.)
Comments: 12/12/2008 GINA - Genetic Information Nondiscrimination Act
In response to a Request for Information (RFI) from U.S. federal agencies regarding the recently passed GINA (Genetic Information Nondiscrimination Act), the World Privacy Forum filed a detailed response with suggestions on what aspects of GINA need clarification. The comments were filed with DHHS and the US Department of Labor. The comments focus on a number of privacy issues the RFI raised, including model privacy notices and the issue of what the GINA statute calls "incidental collection" of genetic information. Currently, GINA states that some kinds of information are exempted from being considered as regulated for medical underwriting purposes. For example, medical information gleaned about patients for underwriting purposes from medical databases is regulated. But medical information gleaned about patients for underwriting purposes from, for example, marketing lists containing robust patient information may be unregulated if the law is not clarified in the regulatory process. The World Privacy Forum urged HHS and the Department of Labor to substantially clarify what constitutes "incidental collection," and urged the agencies to consider lists containing identifiable patient information to be considered in the same category as a "medical database."
Read the World Privacy Forum GINA comments
Comments: 12/19/2007 Secretary's Advisory Committee on Genetics, Health and Society (SACGHS) regarding its draft report on genetic testing oversight, U.S. System of Oversight of Genetic Testing: A Response to the Charge of the Secretary of HHS.
The World Privacy Forum filed extensive comments with the Secretary's Advisory Committee on Genetics, Health and Society (SACGHS) regarding its draft report on genetic testing oversight, U.S. System of Oversight of Genetic Testing: A Response to the Charge of the Secretary of HHS. The World Privacy Forum requested that SACGHS pay more attention in its final report to the privacy consequences of unregulated genetic testing that occurs outside the health care sector. The WPF comments note that current and proposed remedies for the misuse of genetic information tend to focus on the use of the information within the health care treatment, payment, and insurance systems. What is crucially important is to analyze how to protect genetic information in the realm of commercial collection, maintenance, use and disclosures. Another area the comments discuss is the potential for new forms of fraudulent activity related to genetic testing (phantom genetic testing, that is, genetic tests marketed to consumers that are not even real or viable genetic tests). The World Privacy Forum specifically recommended that the National Committee on Vital and Health Statistics be tasked with looking at this matter, that an independent pre-market assessment mechanism be created for genetic tests offered outside the clinical setting, and that privacy be expressly discussed in the overarching recommendations in the final report.
Comments: 10/12/2007 Centers for Medicare and Medicaid Services (CMS) System of Records Notice regarding substantive changes to the Medicare database release policy
The World Privacy Forum filed extensive public comments on the substantive changes to the Medicare database release policy that the Centers for Medicare and Medicaid Services (CMS) has proposed in a System of Records Notice. As it currently stands, CMS is planning to release the individually identifiable protected health information of patients in the Medicare database to third parties in some circumstances. CMS has not established strong enough checks and controls on its release policy, and it has not explained how it is able to do this under HIPAA. The comments state that CMS has an obligation to explain how each routine use in its new policy is consistent with the authority in the HIPAA privacy rule. If a routine use allows disclosures that are broader than those permitted by HIPAA, then the routine use must be narrowed so that it is consistent with HIPAA. The comments also note that nothing in the CMS notice discusses substance abuse rules and other legal restrictions of the protected health data. The World Privacy Forum asked CMS to specify that the qualifications of any data aggregators who may potentially receive the data exclude any entity that sells other consumer data for any general business, credit, identification, or marketing purpose.
Comments: 09/07/2007 WPF comments on AHIC successor plans; World Privacy Forum requests adoption of a "no stakeholders left behind" policy
The World Privacy Forum offered public comments on HHS' American Health Information Community (AHIC) successor plans, urging that HHS adopt a "no stakeholders left behind" policy as it forms the new public/private AHIC. The Forum's analysis of the AHIC Successor White Paper concluded that the current succession plans lack processes and checks that would ensure meaningful consumer participation, and that the AHIC successor plans as they currently stand do not bode well for a robust role for privacy or consumer groups in the new AHIC. Specific issues the World Privacy Forum discussed in its comments included fee structures, membership, handling conflicts of interest, stakeholder issues, privacy and identifiability issues, and the need for the new AHIC to achieve credibility.
Comments: 08/23/2007 AHRQ Joint Comments: World Privacy Forum and EFF submit comments on AHRQ plan for national healthcare database
In June, the Agency for Healthcare Research and Quality (AHRQ) published a request for information about its plan to create a "public/private" national database of healthcare information tentatively called the "National Health Data Stewardship entity." WPF and EFF raised questions about ownership and management of the proposed database (Would this database fall under HIPAA? Would it fall under the Privacy Act of 1974?), questions about identifiability of patients in the database, and suggested that a full-time, independent privacy officer should be established for the program from the inception of the planning stages. The comments also discussed the numerous questions relating to data security (including medical identity theft) and data quality, as well as consent, access, and opt-out procedures for patients that the proposed national database raises.
Comments: 08/01/2007 iPledge Program / FDA: World Privacy Forum testifies at FDA advisory committee hearing on the iPledge program; requests attention to privacy issues
Comments: 07/26/2007 National Disaster Medical System / Privacy Act of 1974: World Privacy Forum requests that the new National Disaster Medical System protect all patient information to standards at least equal to HIPAA
The World Privacy Forum has filed public comments with the Department of Health and Human Services requesting that its new National Disaster Medical System protect all patient information to at least the baseline protections that HIPAA affords, including the HIPAA security and privacy protections. Currently, the new system does not do this, even though the system is housed at HHS, the agency which promulgated the HIPAA standards. The National Disaster Medical System currently contains overbroad routine uses which could potentially result in significant privacy and even public health issues. For example, public health information will not be able to be disclosed under the National Disaster Medical System as the system is currently organized. Additionally, some of the current routine uses in the system would authorize disclosures that would be illegal under HIPAA. For example, Congressional disclosure of a HIPAA record requires a written authorization, something the new system does not require. Read the comments (PDF).
Comments: 07/10/2007 FDA privacy standards - RiskMAPs, Testimony: The FDA needs to set privacy standards to protect patients in drug risk programs
Comments: 06/04/2007 AHIC - National Health Information Network World Privacy Forum Comments on AHIC Confidentiality, Privacy, Security Workgroup Hypothesis
The American Health Information Community Workgroup on Confidentiality, Privacy and Security requested public feedback regarding its working hypothesis. WPF responded to the request with public comments encouraging the adoption of a unified policy architecture and encouraging AHIC to focus on enforcement mechanisms that are intended to directly benefit consumers. WPF also encouraged AHIC to look comprehensively at the demands a new national electronic health exchange network will make on privacy in the health care sector. Read the comments (PDF). See also the National Health Information Network Page
Comments: 05/24/2007 NIH: World Privacy Forum files public comments and recommendations on pharmacogenomics privacy: all patient-specific PGx research should require certificates of confidentiality
The World Privacy Forum believes that the capability of identifying individuals from subsets of genetic information will expand greatly in the future. In public comments filed with the National Institutes of Health on pharmacogenomics (PGx) research, or research using genetic information to create highly personalized medicine, the World Privacy Forum recommended that all research activities that involve any type of patient-specific genetic information be required to have certificates of confidentiality, whether that information appears identifiable or not. The WPF also urged the NIH to require strong data use agreements to protect individuals' privacy. The WPF also urged NIH and the Department of Health and Human Services to reinstate the position of "privacy advocate" so as to provide oversight in this area. Read the comments (PDF). For more information, see the genetic section of the WPF Medical Privacy Page.
Comments: 12/14/2006 Medical privacy / Medicare Part D World Privacy Forum Requests That CMS Bring Its Medicare Part D Data Activities Under HIPAA and Require Certificates of Confidentiality to Protect Patient Privacy
In comments filed with the Centers for Medicare and Medicaid Services, the World Privacy Forum requested that CMS give effect to data restrictions that Congress has expressly included in the law. WPF also requested that CMS include in its standard agreements for use of CMS data a requirement that the recipient obtain a certification of confidentiality for all identifiable CMS data. WPF also requested that CMS perform a regulatory impact analysis and publish a system of records notice. Read the comments (PDF).
Comments: 10/29/2006 Comments to National Institutes of Health regarding its Request for Information for Genome Wide Association Studies repository policy.
Genome-wide association studies present complex and challenging privacy issues. The National Institutes of Health, in a published request for information, asked for public comment on its proposed policy regarding its support and management of a central genomic repository for genome-wide association studies. In comments filed with the National Institutes of Health, the World Privacy Forum raised concerns about the proposed NIH policy in the specific areas of genetic identifiability, secondary uses of the genetic data, oversight, legal protections, and informed consent.
Comments: 07/20/2006 Comments on draft report "Policy Issues Associated with Undertaking a Large U.S. Population Cohort Project on Genes, Environment, and Disease."
Comments: 06/15/2006 Medicaid Program and State Children's Health Insurance Program Systems Notice
The World Privacy Forum submitted comments to the Centers for Medicare & Medicaid Services requesting that it amend a Systems of Records Notice to address an oversight and address other privacy issues in the notice. The Forum requested that the system of records reference Executive Order 13181 of December 20, 2000, “To Protect the Privacy of Protected Health Information in Oversight Investigations.” The Forum also requested that the routine uses for this system of records be revised to reflect the HIPAA requirements as appropriate when the disclosures involve HIPAA records.
Comments: 02/08/2006 Health Care Claims Attachments
Five groups joined the World Privacy Forum in asking for changes to be made to a proposed rule on how medical healthcare claims attachments are handled electronically. The World Privacy Forum and the EFF, EPIC, Privacy Rights Clearinghouse, Privacy Activism and U.S. Public Interest Research Group (U.S. PIRG) asked that physicians be given more control over what parts of health records they send electronically to insurance companies, that psychotherapy notes not be included when sending health records for insurance payment, and that the HIPAA Privacy Rule be rigorously applied to scanned health records.
Comments: 2/15/2005 NHIN Request for Information
The World Privacy Forum and the Electronic Frontier Foundation submitted comments in response to the U.S. government's "Request for Information" about its plan to digitize all patient medical records and create an electronic "National Health Information Network" or NHIN. The comments urge caution in designing the NHIN and call for the government to build privacy, security, and open source technologies into the system from the beginning of the project.
Comments: 11/04/2005 HHS Regulatory Reform
The World Privacy Forum filed comments with Health and Human Services asking the agency to protect patient choice and privacy. The World Privacy Forum asked that patients continue to be able to receive accounting of disclosures under HIPAA, and asked that this important patient right under HIPAA not be removed or weakened. The World Privacy Forum also asked HHS to review how patients' records can be amended under HIPAA, and recommended that, in light of the coming National Health Information Network, changes to enhance patient choice may be needed in this area.
Department of Homeland Security
Comments: 08/21/2008 Border Crossing Information, System of Records Notice, DHS-2007-0040
The World Privacy Forum filed comments regarding DHS's proposed Border Crossing Information system of records, finding that many of the Routine Uses proposed for the system were impermissible and illegal under the Privacy Act of 1974. The comments focus on the Routine Uses, rather than the system itself. Read the comments (PDF).
Comments: 05/08/2007 REAL ID, Joint Comments: World Privacy Forum and Electronic Frontier Foundation File Public Comments on REAL ID
The World Privacy Forum and the Electronic Frontier Foundation (EFF) filed joint comments with the Department of Homeland Security about the proposed national ID system, REAL ID. The comments discuss the substantial flaws in the proposed REAL ID system including concerns about the overall structure of the program, the cards, the databases attached to the cards, the lack of controls on "function creep," the possibilities for discrimination, the potential for increased risk of identity theft, issues related to potential gaps in coverage for recipients on Federal programs, among other issues. Read the comments (PDF). See the EFF REAL ID pages for background about REAL ID.
Comments: 09/27/2006 DHS System of Records Notice
In response to a proposed Department of Homeland Security rulemaking regarding a system of records, the World Privacy Forum filed comments requesting changes. The primary objections are that the proposed system of records commingles records and functions, the proposed exemption is inconsistent with the system notice, and DHS's proposed exemption from civil remedies was not correct, among other issues. The World Privacy Forum stated in its comments that the Department of Homeland Security should demonstrate its commitment to accountability and transparency in the rulemaking.
Department of Justice
Comments: 11/27/2006 Privacy Act of 1974 Department of Justice Proposes Making Changes to Routine Uses of its Systems and Databases; World Privacy Forum Files Comments on Problematic Privacy Act Issues with the Proposed Changes
The Department of Justice published a notice proposing to update the Routine Uses of its systems and databases under the Privacy Act of 1974. The proposal was not precise enough, and was written in such a way as to allow sensitive Privacy Act systems such as the Criminal Division Witness Security File (CRM-002), the Witness Immunity Records (CRM-022), and the National Instant Criminal Background Check System (NICS, FBI-018) to be disclosed to almost anyone in certain circumstances, including to individuals working outside of law enforcement. The World Privacy Forum is requesting that the DOJ significantly tighten its language in the proposal and specify what individuals or entities may have access to these sensitive records, and under what specific conditions. The World Privacy Forum is also requesting that the DOJ republish all of its up-to-date system of records notices in their entirety immediately and at least every two years thereafter. Read the comments (PDF).
Department of Transportation
Comments: 03/21/2007 FMCSA notice of applications for exemption from the diabetes standard (publication of personal medical information in the Federal Register)
The World Privacy Forum filed comments with the Department of Transportation regarding the department's publication of the detailed personal medical information of individuals subject to DOT regulations in the Federal Register along with their names, ages, and other identifying information. The WPF comments argue that personal medical information combined with name, age, etc. does not belong in the Federal Register, where it can have potentially far-reaching consequences for those individuals who are named as well as their family members.
Federal Communications Commission
Comments: 08/04/2005 Telemarketing
In official comments filed with the Federal Communications Commission, the World Privacy Forum urged the Commission to maintain state telemarketing regulations.
Federal Trade Commission
Comments: 03/27/2009 Comments on the Proposed Consent Agreement with CVS/Caremark
Comments: 11/02/2007 Comments for the eHavioral FTC workshop
The World Privacy Forum published a new report today, The Network Advertising Initiative: Failing at Consumer Protection and at Self-Regulation. The report is an in-depth analysis of the history and current operations of the Network Advertising Initiative (NAI) self-regulatory agreement. The NAI was created to protect consumers' online privacy in the behavioral advertising arena. The report finds that the NAI has failed. The report discusses the failure of the NAI opt-out cookie, the uses of persistent consumer tracking technologies that go beyond cookies, such as Flash cookies, browser cache cookies, XML super cookies, and other issues. The report also discusses the practice of re-setting cookies after cookie deletion. The report gathers the details of the difficult membership history of the NAI, as well as the enforcement history of TRUSTe regarding NAI.
Executive director Pam Dixon will be testifying before the FTC eHavioral Town Hall meeting Nov. 2 to discuss the findings of this report, which will be submitted to the FTC.
Comments: 10/30/2007 Consensus Document, Do Not Track Proposal
Ten privacy and consumer groups, including the World Privacy Forum, unveiled a consensus document outlining key consumer rights and protections in the behavioral advertising sector. The document is directed toward the Federal Trade Commission, and urges the FTC to take proactive steps to adequately protect consumers as online and other forms of behavioral tracking and targeting become more ubiquitous. The consensus document was filed with the Secretary of the FTC and its commissioners. Behavioral advertising is the focus of the FTC's eHavioral Advertising Town Hall meeting taking place November 1-2 in Washington, D.C. The network advertising sector has a self-regulatory plan, the Network Advertising Initiative, in place, and has had this plan in place since 2000. The consensus document addresses the many areas where the NAI plan has failed to protect consumers.
Comments: 09/18/2006 Red Flag draft rule
The World Privacy Forum filed comments with the Federal Trade Commission, the Treasury, and other federal agencies regarding the draft rule on "Red Flags" for identity theft. In its comments, the Forum requested that medical identity theft be added to several aspects and portions of the proposed joint rule. Adding medical identity theft to the proposed rule is essential to help close gaps in agency protection for consumers.
Comments: 01/04/2006 Identity theft survey
The World Privacy Forum submitted comments in response to the Federal Trade Commission's request for feedback on its upcoming identity theft survey. The FTC identity theft survey is one of the most quoted surveys on the subject. The World Privacy Forum requested changes and clarifications to the survey, including adding questions about security breach notices and clarifying existing questions about medical identity theft, among other issues.
Internal Revenue Service
Comments: 03/08/2006 Tax information sharing
Joint comments on tax information sharing filed by EPIC, Privacy Rights Clearinghouse, and World Privacy Forum. Comments are available at the EPIC site.
National Institute of Standards and Technology
Comments: 12/23/2004 Contactless ID cards for federal employees
WPF, EFF, Privacy Rights Clearinghouse, and PrivacyActivism called for greater attention to privacy provisions of the proposed new Federal ID card, which will be "contactless."
Comments: 04/04/2005 RFID in passports
Joint comments with EFF and other groups regarding difficulties and issues with RFID in U.S. passports.