Privacy Act of 1974

Public Comments: August 2008 – Border Crossing Information, System of Records Notice, DHS-2007-0040

The World Privacy Forum filed comments regarding DHS’s proposed Border Crossing Information system of records, finding that many of the Routine Uses proposed for the system were impermissible and illegal under the Privacy Act of 1974. The comments focus on the Routine Uses, rather than the system itself.

World Privacy Forum requests that the new National Disaster Medical System protect all patient information to standards at least equal to HIPAA

National Disaster Medical System | Privacy Act of 1974 — The World Privacy Forum has filed public comments with the Department of Health and Human Services requesting that its new National Disaster Medical System protect all patient information to at least the baseline protections that HIPAA affords, including the HIPAA security and privacy protections. Currently, the new system does not do this, even though the system is housed at HHS, the agency which promulgated the HIPAA standards. The National Disaster Medical System currently contains overbroad routine uses which could potentially result in significant privacy and even public health issues. For example, public health information will not be able to be disclosed under the National Disaster Medical System as the system is currently organized. Additionally, some of the current routine uses in the system would authorize disclosures that would be illegal under HIPAA. For example, Congressional disclosure of a HIPAA record requires a written authorization, something the new system does not require.

Public Comments: March 2007 Commercial drivers’ license applicants requesting exemption from the diabetes standard have their personal medical information, name, age, and more published in the Federal Register; World Privacy Forum urges changes to the practice

The World Privacy Forum filed comments with the Department of Transportation today regarding the department’s publication of the detailed personal medical information of individuals subject to DOT regulations in the Federal Register along with their names, ages, and other identifying information. The WPF comments argue that personal medical information combined with name, age, etc. does not belong in the Federal Register, where it can have potentially far-reaching consequences for those individuals who are named as well as their family members.

WPF comments on proposed guidance on Confidential Information Protection and Efficiency Act of 2002 (CIPSEA)

e-Government /CIPSEA — The World Privacy Forum submitted comments to the Office of Management and Budget regarding proposed guidance on Title V of the e-Government Act. The proposed guidance did not address the relationship between CIPSEA and the USA PATRIOT Act Section 215, and guidance regarding identifiability and the Privacy Act of 1974 needs to be further refined. WPF suggests that OMB consider developing a formal statistical confidentiality seal controlled by a federal agency. The purpose would be to provide an identifiable marker that would tell individuals if the information they provide will receive the highest degree of confidentiality protection available under law.

World Privacy Forum Requests That CMS Bring Its Medicare Part D Data Activities Under HIPAA and Require Certificates of Confidentiality to Protect Patient Privacy

Medical privacy | Medicare Part D — In comments filed with the Centers for Medicare and Medicaid Services, the World Privacy Forum requested that CMS give effect to data restrictions that Congress has expressly included in the law. WPF also requested that CMS include in its standard agreements for use of CMS data a requirement that the recipient obtain a certification of confidentiality for all identifiable CMS data. WPF also requested that CMS perform a regulatory impact analysis and publish a system of records notice.