HIPAA

World Privacy Forum testifies at FDA advisory committee hearing on the iPledge program; requests attention to privacy issues

iPledge Program | FDA — The World Privacy Forum testified before the Dermatologic and Ophthalmic Drugs Advisory Committee and the Drug Safety and Risk Management Advisory Committee of the Food and Drug Administration regarding privacy issues related to iPledge, a mandatory program for patients taking the drug Accutane or isotretinoin generics. The FDA has stated that the program, which it requires four drug manufacturers to have in place, does not fall under HIPAA. The program collects substantive amounts of patient information. The Forum urged the FDA to set privacy standards for all RiskMAPs in general, and to resolve privacy issues in the iPledge program specifically. The Forum requested that all marketing provisions of the iPledge program privacy policy be removed, that patients be expressly informed the program does not fall under HIPAA, and that patients be given a printed copy of the iPledge program privacy policy, among other requests.

World Privacy Forum requests that the new National Disaster Medical System protect all patient information to standards at least equal to HIPAA

National Disaster Medical System | Privacy Act of 1974 — The World Privacy Forum has filed public comments with the Department of Health and Human Services requesting that its new National Disaster Medical System protect all patient information to at least the baseline protections that HIPAA affords, including the HIPAA security and privacy protections. Currently, the new system does not do this, even though the system is housed at HHS, the agency which promulgated the HIPAA standards. The National Disaster Medical System currently contains overbroad routine uses which could potentially result in significant privacy and even public health issues. For example, public health information will not be able to be disclosed under the National Disaster Medical System as the system is currently organized. Additionally, some of the current routine uses in the system would authorize disclosures that would be illegal under HIPAA. For example, Congressional disclosure of a HIPAA record requires a written authorization, something the new system does not require.

Public Comments: July 2007 – WPF requests that the new National Disaster Medical System protect all patient information to standards at least equal to HIPAA

The World Privacy Forum has filed public comments with the Department of Health and Human Services requesting that its new National Disaster Medical System protect all patient information to at least the baseline protections that HIPAA affords, including the HIPAA security and privacy protections. Currently, the new system does not do this, even though the system is housed at HHS, the agency which promulgated the HIPAA standards. The National Disaster Medical System currently contains overbroad routine uses which could potentially result in significant privacy and even public health issues. For example, public health information will not be able to be disclosed under the National Disaster Medical System as the system is currently organized. Additionally, some of the current routine uses in the system would authorize disclosures that would be illegal under HIPAA. For example, Congressional disclosure of a HIPAA record requires a written authorization, something the new system does not require.

The FDA needs to set privacy standards to protect patients in drug risk programs

FDA privacy standards – RiskMAPs – World Privacy Forum executive director Pam Dixon testified at an FDA/AHRQ joint public workshop about the need for the FDA to set robust privacy standards for drug risk minimization programs, which are put in place for drugs the FDA has determined to be high risk in some way. Drug risk minimization programs (like the iPledge program for the acne drug Accutane) are not typically covered by HIPAA, and some programs have a privacy policy that allows marketing use of patient information collected as part of the risk program. This kind of marketing activity would not be allowable if the programs fell under HIPAA, and Dixon’s testimony stated that patients in these programs should have the same kinds of privacy protections as HIPAA covered programs, and that marketing activities involving patient information should not be allowable in these programs.

World Privacy Forum testifies on genetic privacy and consumer data marketing issues

Genetic privacy | SACGHS — The World Privacy Forum gave testimony to the Secretary’s Advisory Committee on Genetics Health and Society regarding privacy issues stemming from direct-to-consumer advertising and consumer-initiated genetic testing. The World Privacy Forum noted that a great deal of consumer health data circulates outside the protections of HIPAA, and a substantial market for this kind of consumer health data already exists. Genetic data about consumers that is acquired outside the clinical context and is not subject to the protections of HIPAA (for example, through consumer-initiated genetic testing) will likely not be any more protected than other forms of consumers’ health-related information from the current demands of the market. However, the consequences of leakage of genetic information about consumers into the marketing stream could have potentially negative consequences for both those consumers and their blood relatives. The World Privacy Forum urged the committee to include specific recommendations about privacy in its upcoming report to the Secretary, and also urged the committee to work with other federal agencies to set up a pre-market oversight structure that includes significant and meaningful privacy protections for genetic testing occurring outside of the protections of HIPAA.