Blog Post

GSK Breach Letter

Consumers receive breach letters — Pharmaceutical manufacturer GSK, maker of the drugs Paxil, Boniva, Advair, and many others, sent a letter to consumers who had registered on one or more of its product websites. Due to the Epsilon data breach, registrants’ names, email, and the product they registered for were breached. Information people give to a company via a pharmaceutical product web site such as this is not usually covered under HIPAA. See our Patient’s Guide to HIPAA for more on what is covered under HIPAA and what is not. WPF recommends that consumers use a “throwaway” or temporary email address if deciding to register at a pharmaceutical product web site.

Major Changes Weaken FERPA

Educational Privacy — The Family Educational Rights and Privacy Act of 1974, FERPA, has been amended substantially. The proposed amendments have been published and are open for comment until May 23, 2011. The current changes impact students’ medical, educational, and informational privacy interests. WPF will be filing detailed comments on FERPA, including how the proposal interacts with California privacy laws. We will be posting additional materials on commenting soon.

WPF Comments on Health Information Exchanges in California

Joint Comments on HIEs — California has proposed regulations for health information exchange projects in the state. WPF has submitted comments encouraging more privacy protections, and we are joined in our comments by Privacy Activism and the Center for Digital Democracy. One key request in the comments is that California not allow patient consent to be waived in HIE projects. We are also requesting that California create a unified web listing of its HIE projects for increased transparency and to facilitate patient access to HIE information and policies.

Privacy News: WPF Complaint to FTC Results in Online Data Broker Settlements

Data Broker Settlement — In April 2009, the World Privacy Forum sent the FTC a complaint regarding a lack of online opt-outs for consumers at some online data broker web sites. Our complaint focused on the difficulties online consumers would have opting out of certain web sites. In our complaint, we noted that online consumers were having difficulties with the opt outs. Today the FTC issued a final decision in this matter, and specifically improved online opt outs for consumers at US Search.

WPF Urges Fair Privacy Stakeholder Process

NTIA Multistakeholder Process — The US Department of Commerce has announced that it is supporting privacy legislation and a “stakeholder process” to determine self-regulatory rules for Internet privacy. WPF wrote about what a fair stakeholder process needs to include in our comments to the US Department of Commerce. We urge that, at a minimum, the stakeholder process include these items:

1) Consumer and business representation be equal in any multi-stakeholder process.
2) Approval of consumer representatives must be a necessary element in any formal decisions, just as the approval of business will be necessary.
3) Consumers must select their own representatives through a process yet to be determined, and consumer representatives may not be designated or limited by business or government.
4) Consumer organizations that require financial assistance to participate in the multi-stakeholder process should receive support for travel and other expenses (but not for staff support).
5) Government agencies may participate in the process, but no agency may have a vote.
6) Participants in the process must choose their own rules and presiding officer.
7) Certifiers of accountability with codes of conduct should be not-for-profit organizations that are wholly independent of business, consumers, and government.