Uncategorized

Consensus document | Consumer rights and protections — Nine privacy and consumer groups, including the World Privacy Forum, unveiled a consensus document outlining key consumer rights and protections in the behavioral advertising sector. The document is directed toward the Federal Trade Commission, and urges the FTC to take proactive steps to adequately protect consumers as online and other forms of behavioral tracking and targeting become more ubiquitous. The consensus document was filed with the Secretary of the FTC and its commissioners. Behavioral advertising is the focus of the FTC’s eHavioral Advertising Town Hall meeting taking place November 1-2 in Washington, D.C. The network advertising sector has a self-regulatory plan, the Network Advertising Initiative, in place, and has had this plan in place since 2000. The consensus document addresses the many areas where the NAI plan has failedto protect consumers.

Medical identity theft | Best practice responses — The World Privacy Forum has outlined 8 best practice responses to medical identity theft for the health care sector. The best practice responses are based on research the Forum is conducting for its second report on medical identity theft, and is a work in progress. The 8 best practice responses were presented to AHIMA delegates October 9; the Forum is soliciting and accepting feedback on the 8 best practices.

Medical identity theft is a crime that harms people and it is a crime that hides itself. This combination makes medical identity theft an insidious crime. It can cause extraordinary damages and harms to its individual and institutional victims. And once begun, the harmful effects of this crime can linger in the lives of its victims for years or even decades.

The World Privacy Forum filed extensive pubic comments on the substantive changes to the Medicare database release policy that the Centers for Medicare and Medicaid Services (CMS) has proposed in a System of Records Notice. As it currently stands, CMS is planning to release the individually identifiable protected health information of patients in the Medicare database to third parties in some circumstances. CMS has not established strong enough checks and controls on its release policy, and it has not explained how it is able to do this under HIPAA. The comments state that CMS has an obligation to explain how each routine use in its new policy is consistent with the authority in the HIPAA privacy rule. If a routine use allows disclosures that are broader than those permitted by HIPAA, then the routine use must be narrowed so that it is consistent with HIPAA. The comments also note that nothing in the CMS notice discusses substance abuse rules and other legal restrictions of the protected health data. The World Privacy Forum asked CMS to specify that the qualifications of any data aggregators who may potentially receive the data exclude any entity that sells other consumer data for any general business, credit, identification, or marketing purpose.

NHIN update — The National Health Information Network, or NHIN, is part of a major undertaking to digitize and network the health care sector. From electronic health records to multi-state health information hubs, the U.S. government’s goal is to modernize and move health care information from paper to digital. The Department of Health and Human Services is the primary mover behind this initiative, which is complex and multi-faceted. The World Privacy Forum keeps a chronology of NHIN events as a public service. The NHIN timeline has been updated to reflect changes in AHIC, a group that is charged in part with ensuring privacy and confidentiality in the NHIN and other aspects of health care modernization. AHIC is set to transition to a “public-private partnership,” a move that will need to be watched closely to ensure robust consumer involvement.