Statement of Pam Dixon at the FTC Open Commission Meeting regarding health privacy statements and consumer confusion

This statement was delivered orally to the FTC in its Open Commission Meeting, held on 19 January 2023

——————

Statement of Pam Dixon, Executive Director, World Privacy Forum to the FTC at its Open Commission Meeting

Regarding the need for websites to post clear statements about their regulatory status under HIPAA

19 January 2023

Thank you Chair and Commissioners. The profusion of health apps, websites and digital tools that provide consumers with assistance and insights about their health is a positive development. However, it has come at the cost of increasing privacy risks.

One of these risks is that consumers are confused about when and where federal health privacy protections apply to their health information. Many health-related websites and tools have not been clear about their HIPAA status. Some apps may infer HIPAA coverage in privacy policies with terms such as “we are HIPAA-compliant,” even when they are not regulated under HIPAA. Other times, websites or apps will simply omit disclosing they are not regulated under HIPAA.

As the Commission knows, HIPAA does not generally regulate all health data everywhere; HIPAA generally regulates specific entities such as health care providers which are then obliged to apply HIPAA protections to the data they hold. Many fitness and health-related websites and apps are not regulated under HIPAA; this is true even if they hold an entire medical file a customer has shared with them.

Consumers need to know plainly and simply whether a website or digital service or app is regulated under HIPAA, or not. There needs to be a clear and prominent statement in the privacy policy that says: “We are not regulated under HIPAA. If you share your information with us, it will not have HIPAA protections when we hold it.”

The World Privacy Forum urges the Commission to take action to protect consumers by insisting on a prominent, clear, simple statement regarding the status of whether or not a particular digital tool or service is regulated under HIPAA or not.

Thank you. We look forward to working with you on this important issue.

Respectfully submitted,

Pam Dixon

Posted January 19, 2023 in Consumer Privacy, Digital Privacy, Federal Trade Commission (FTC), FTC filing, Health Privacy

New Report: Risky Analysis: Assessing and Improving AI Governance Tools

We are pleased to announce the publication of a new WPF report, “Risky Analysis: Assessing and Improving AI Governance Tools.” This report sets out a definition of AI governance tools, documents why and how these tools are critically important for trustworthy AI, and where these tools are around the world. The report also documents problems in some AI governance tools themselves, and suggests pathways to improve AI governance tools and create an evaluative environment to measure their effectiveness. AI systems should not be deployed without simultaneously evaluating the potential adverse impacts of such systems and mitigating their risks, and most of the world agrees about the need to take precautions against the threats posed. The specific tools and techniques that exist to evaluate and measure AI systems for their inclusiveness, fairness, explainability, privacy, safety and other trustworthiness issues — called in the report collectively AI governance tools – can improve such issues. While some AI governance tools provide reassurance to the public and to regulators, the tools too often lack meaningful oversight and quality assessments. Incomplete or ineffective AI governance tools can create a false sense of confidence, cause unintended problems, and generally undermine the promise of AI systems. The report contains rich background details, use cases, potential solutions to the problems discussed in the report, and a global index of AI Governance Tools.
National IDs Around the World — Interactive map

About this Data Visualization: This interactive map displays the presence...
Report: From the Filing Cabinet to the Cloud: Updating the Privacy Act of 1974

This comprehensive report and proposed bill text is focused on the Privacy Act of 1974, an important and early Federal privacy law that applies to the government sector and some contractors. The Privacy Act was written for the 1970s information era -- an era that was characterized by the use of mainframe computers and filing cabinets. Today's digital information era looks much different than the '70s: smart phones are smarter than the old mainframes, and documents are now routinely digitized and stored and perhaps even analyzed in the cloud, among many other changes. The report focuses on why the Privacy Act needs an update that will bring it into this century, and how that could look and work. This work was written by Robert Gellman, and informed by a two-year multi-stakeholder process.