Health Privacy

For a non-HIPAA covered PHR, the privacy policy becomes a key document, if it is available. The privacy policy of a PHR vendor may tell consumers how the vendor plans to use personal information. It is possible that a commercial or advertising-supported PHR will do a good job of protecting its clients from uninformed or casual disclosures of personal or health information. It is also possible that a cautious client will not be able to evaluate a PHR vendor’s policy or practice.

PHRs that operate outside of HIPAA can negatively affect the privacy interests of consumers in various ways. The best to hope for is that a PHR will not make privacy significantly worse. However, it is not likely that even that weak standard can be met. The existence of electronically available and centralized health information outside the traditional health care system will attract new users and create new risks. The mere adding of health records to a PHR vendor’s files may undermine existing privacy protections of old records. Security is a concern for any electronic records. A consumer’s ability to control the disclosure of PHR records can easily be compromised. The consumer’s ability to correct errors in PHR records may be problematic. Advertising support may not meet a PHR’s profit goals unless at least some consumer information is available for close targeting of ads. Promised PHR privacy protections may vanish overnight if the privacy policy is changed.

Genetic privacy | SACGHS — The World Privacy Forum filed extensive comments with the Secretary’s Advisory Committee on Genetics, Health and Society (SACGHS) regarding its draft report on genetic testing oversight, U.S. System of Oversight of Genetic Testing: A Response to the Charge of the Secretary of HHS. The World Privacy Forum requested SACGHS pay more attention in its final report to the privacy consequences of unregulated genetic testing that occurs outside the health care sector. The WPF comments note that current and proposed remedies for the misuse of genetic information tend to focus on the use of the information within the health care treatment, payment, and insurance systems. What is crucially important is to analyze how to protect genetic information in the realm of commercial collection, maintenance, use and disclosures. Another area the comments discuss is the potential for new forms of fraudulent activity related to genetic testing (Phantom genetic testing, that is, genetic tests marketed to consumers that are not even real or viable genetic tests.) The World Privacy Forum specifically recommended that the National Committee on Vital and Health Statistics be tasked with looking at this matter, that an independent pre-market assessment mechanism is created for genetic tests offered outside the clinical setting, and that privacy be expressly discussed in the overarching recommendations in the final report.

Announcement | CalPSAB — WPF executive director Pam Dixon has been appointed by California Secretary of Health and Human Services Kim Belshe to the California Security and Privacy Advisory Board. Dixon will serve as interim co-chair of the board, which is tasked with addressing health information exchange (HIE) privacy and security efforts in California. The board’s meetings will be open to the public.

Version 1: October 16, 2007   The World Privacy Forum, as part of its ongoing in-depth research into medical identity theft issues and responses, has outlined 8 best-practice responses to the crime by the health care sector. These best practices are based on interviews with victims, providers, and other stakeholders. These 8 best practices are