WPF urges FTC Chair and Commissioners to update FTC Health Breach Notification Rule

The FTC held an historic open FTC Commission meeting on July 1, 2021, during which the Chair and Commissioners conducted their business openly and provided an opportunity for public comments. The World Privacy Forum was selected to provide a public comment, which focused on the need to update the Health Breach Notification Rule.

Our live public comments to the Commission will be made public. Here is a copy of our comments, in PDF or text, with additional background documents included.

Comments of the World Privacy Forum to FTC Chair and Commissioners, July 1, 2021 (PDF, 2 pages)

Text of Comments:

July 1, 2021
Chair Khan and Commissioners,

Thank you for the opportunity to make a public comment at this Open FTC Commission meeting.

The FTC Health Breach Notification Rule implements the American Recovery and Reinvestment Act of 2009. Congress asked the FTC to craft a rule applicable to a vendor of PHRs or to a PHR-related entity in connection with a product or service offered by that entity. The FTC crafted an excellent rule, consistent with the limits provided by Congress.

Fifteen years ago, PHR technology was clunky, and data transfers could be challenging. Today, there is significant expansion in health data ecosystems outside of HIPAA and include apps, smartwatches, mobile devices, and personal health records among other devices and mechanisms.

The health ecosystem data flows outside of HIPAA protections have escaped the boundaries of the original rule. The World Privacy Forum requests that the Commission re-examine the Health Breach Notification rule to update it. The impacts of the global pandemic have put an exclamation point on the importance of this issue.

Related documents:

Comments of the World Privacy Forum to the FTC regarding Proposed Consent Order, In the Matter of Flo Health, File No. 1923133. March 1, 2021. (PDF, 4 pages) https://www.worldprivacyforum.org/2021/03/wpf-urges-us-federal-trade-commission-to-re-examine-data-breach-notification-requirements-for-health-data-in-flo-health-proposal/
Comments of the World Privacy Forum to the Federal Trade Commission regarding Health Breach Notification Rulemaking, Project No. R91102. June 1, 2009. (PDF, 12 Pages) https://www.worldprivacyforum.org/2009/06/blog-wpf-files-comments-with-the-ftc-regarding-proposed-rules-for-health-care-related-data-breaches/

Posted July 1, 2021 in Data Breach, Digital Health Ecosystems, Federal Trade Commission (FTC), Health Privacy, HIPAA, Public Comments

New Report: Risky Analysis: Assessing and Improving AI Governance Tools

We are pleased to announce the publication of a new WPF report, “Risky Analysis: Assessing and Improving AI Governance Tools.” This report sets out a definition of AI governance tools, documents why and how these tools are critically important for trustworthy AI, and where these tools are around the world. The report also documents problems in some AI governance tools themselves, and suggests pathways to improve AI governance tools and create an evaluative environment to measure their effectiveness. AI systems should not be deployed without simultaneously evaluating the potential adverse impacts of such systems and mitigating their risks, and most of the world agrees about the need to take precautions against the threats posed. The specific tools and techniques that exist to evaluate and measure AI systems for their inclusiveness, fairness, explainability, privacy, safety and other trustworthiness issues — called in the report collectively AI governance tools – can improve such issues. While some AI governance tools provide reassurance to the public and to regulators, the tools too often lack meaningful oversight and quality assessments. Incomplete or ineffective AI governance tools can create a false sense of confidence, cause unintended problems, and generally undermine the promise of AI systems. The report contains rich background details, use cases, potential solutions to the problems discussed in the report, and a global index of AI Governance Tools.
National IDs Around the World — Interactive map

About this Data Visualization: This interactive map displays the presence...
Report: From the Filing Cabinet to the Cloud: Updating the Privacy Act of 1974

This comprehensive report and proposed bill text is focused on the Privacy Act of 1974, an important and early Federal privacy law that applies to the government sector and some contractors. The Privacy Act was written for the 1970s information era -- an era that was characterized by the use of mainframe computers and filing cabinets. Today's digital information era looks much different than the '70s: smart phones are smarter than the old mainframes, and documents are now routinely digitized and stored and perhaps even analyzed in the cloud, among many other changes. The report focuses on why the Privacy Act needs an update that will bring it into this century, and how that could look and work. This work was written by Robert Gellman, and informed by a two-year multi-stakeholder process.