Public Policy

Medical data breach rule needs more work; World Privacy Forum files comments with HHS requesting changes

Data Breach | HHS HITECH Breach Notification — The World Privacy Forum filed comments on the HHS data breach rulemaking and asked for substantive changes in several areas. In particular, WPF asked HHS to expressly state a requirement for a breach risk assessment in the final rule itself, and to set a requirement that the risk assessment must be conducted by an independent organization. The WPF also asked that HHS set breach risk assessment standards so that there is some uniformity and guidance as to what constitutes an appropriately rigorous risk assessment when a breach occurs. In the comments, WPF also discussed the relationship between medical identity theft and medical data breach and how this impacts patients and consumers.

WPF Resource Page: State Security Freeze Laws and General Information

A credit freeze (sometimes called a security freeze) lets you stop the disclosure of your credit report by a credit bureau. Currently, the three credit bureaus are allowing all consumers nationwide to set a security freeze for a fee. Some states have specific security freeze laws; a list of states with security freeze laws may be found below. However, even if you live in a state without a security freeze law, you can still set a security freeze.

WPF asks Treasury to get consumers’ consent before checking their credit reports

Financial privacy – Privacy Act — The World Privacy Forum filed comments today urging the U.S. Treasury Department to obtain consumers’ consent before checking their credit reports. Consumers who participate in the government’s Home Affordable Modification Program (HAMP) — an Obama administration program created to help consumers renegotiate their mortgages so they can keep their homes — must allow the Federal Government to check their credit reports without first obtaining consent. This procedure sets a negative precedent, and is at odds with consumer expectations of privacy. The Treasury gave itself this power in an obscure set of “Routine Uses” in a Privacy Act notice published along with the proposed system of records for the program. The World Privacy Forum has objected to this, and has filed detailed comments with the Treasury about the lack of consumer consent. The public comment period on this program is open until September 4, 2009.

Public Comments: August 2009 – WPF asks Treasury to get consumers’ consent before checking their credit reports

The World Privacy Forum filed comments today urging the U.S. Treasury Department to obtain consumers’ consent before checking their credit reports. Consumers who participate in the government’s Home Affordable Modification Program (HAMP) — an Obama administration program created to help consumers renegotiate their mortgages so they can keep their homes — must allow the Federal Government to check their credit reports without first obtaining consent. This procedure sets a negative precedent, and is at odds with consumer expectations of privacy. The Treasury gave itself this power in an obscure set of “Routine Uses” in a Privacy Act notice published along with the proposed system of records for the program. The World Privacy Forum has objected to this, and has filed detailed comments with the Treasury about the lack of consumer consent. The public comment period on this program is open until September 4, 2009.

FTC issues final rule on health data breaches

Health data breach rulemaking — The Federal Trade Commission has issued its final Health Breach Notification Rule for vendors of Personal Health Records and related entities, as required under ARRA, The American Recovery and Reinvestment Act of 2009. The initial proposed Health Breach Notification Rule was generally thoughtful and thorough. The World Privacy Forum submitted extensive comments on the proposed rule both supporting parts of it and making some suggestions for changes. The FTC incorporated several specific WPF suggestions into the final rule. In particular, the FTC incorporated the applicability of the rule to foreign entities with U.S. customers (Final Rule p. 17), and the applicability of the rule to search engines appearing on Personal Health Record web sites (Final Rule p. 34). The new rule will be published in the Federal Register shortly; until then, it is available at the FTC web site. Also available is a form that entities covered under this rule can use to report data breaches to the FTC. The Health Breach Notification Rule will be effective 30 days after publication in the Federal Register, and full compliance with the rule will be required beginning 180 days after publication.