U.S. Department of Health and Human Services

Dec 04 2009

Public Comments: December 2009 – Genetic Information Nondiscrimination Act of 2008, GINA NPRM

The World Privacy Forum filed comments on proposed regulations for implementing Title I of GINA, the Genetic Non-Discrimination Act. The WPF requested a change to the proposed regulations, asking the Department of Health and Human Services require immediate posting of revised notices of privacy practices on the web sites of affected health plans. Under the proposed regulations, written notice of revised privacy practices to individuals could be delayed due to the cost of postal mailing. The WPF noted that a revised privacy notice posted on a health plan’s web site would not incur postal costs, and that regulated entities should take this minimum step to inform consumers of any changes regarding privacy practices affecting genetic non-discrimination.

Oct 26 2009

Medical data breach rule needs more work; World Privacy Forum files comments with HHS requesting changes

Data Breach | HHS HITECH Breach Notification — The World Privacy Forum filed comments on the HHS data breach rulemaking and asked for substantive changes in several areas. In particular, WPF asked HHS to expressly state a requirement for a breach risk assessment in the final rule itself, and to set a requirement that the risk assessment must be conducted by an independent organization. The WPF also asked that HHS set breach risk assessment standards so that there is some uniformity and guidance as to what constitutes an appropriately rigorous risk assessment when a breach occurs. In the comments, WPF also discussed the relationship between medical identity theft and medical data breach and how this impacts patients and consumers.

Oct 23 2009

Public Comments: October 2009 – WPF files comments with HHS requesting changes

The World Privacy Forum filed comments on the HHS data breach rulemaking and asked for substantive changes in several areas. In particular, WPF asked HHS to expressly state a requirement for a breach risk assessment in the final rule itself, and to set a requirement that the risk assessment must be conducted by an independent organization. The WPF also asked that HHS set breach risk assessment standards so that there is some uniformity and guidance as to what constitutes an appropriately rigorous risk assessment when a breach occurs. In the comments, WPF also discussed the relationship between medical identity theft and medical data breach and how this impacts patients and consumers.

Aug 19 2009

Health IT standards meeting

Health IT — The Health IT Standards Committee will be meeting tomorrow, August 20, from 9 a.m. to 3 p.m. in Washington DC. Those interested in this meeting can participate in person, or via the phone and web. The privacy and security workgroup will report at 1:30 pm Eastern. Location and call-in information is available at the HHS web site.

May 21 2009

Public Comments: May 2009 – WPF files comments with HHS regarding data breach guidance

The World Privacy Forum filed comments with the Department of Health and Human Services today regarding the HITECH Act guidance that HHS published along with a request for comments. The Forum urged the Department to tighten its proposed guidance, and to add more protections, oversight, and rules for “limited data set” breaches.

WPF a panelist at FTC Data Portability Workshop
22 September 2020, Washington, DC via zoom
WPF presenting on COVID-19 and identity at OECD – GPA Workshop
16 September 2020, Paris, France
ID4Africa, Spotlight on Unique Digital Identity Numbers
23 July 2020, Livecast from Paris, France

COVID-19 and HIPAA: HHS’s Troubled Approach to Waiving Privacy and Security Rules for the Pandemic

The COVID-19 pandemic strained the U.S. health ecosystem in numerous ways, including putting pressure on the HIPAA privacy and security rules. The Department of Health and Human Services adjusted the privacy and security rules for the pandemic through the use of statutory and administrative HIPAA waivers. While some of the adjustments are appropriate for the emergency circumstances, there are also some meaningful and potentially unwelcome privacy and security consequences. At an appropriate time, the use of HIPAA waivers as a response to health care emergencies needs a thorough review. This report sets out the facts, identifies the issues, and proposes a roadmap for change.
New Report – Without Consent: An analysis of student directory information practices in U.S. schools, and impacts on privacy

Without Consent is the first major benchmarking privacy report to examine school directory information practices and related privacy issues in a multi-year study across more than 5,000 schools at the primary, secondary, and postsecondary levels. The research found troubling and challenging student privacy problems that need to be urgently addressed. The report contains extensive findings and recommendations regarding student privacy, and includes best practices, sample forms, and resources for schools, parents, and students.
Patient’s Guide to HIPAA: How to Use the Law to Guard your Health Privacy

Download PDF Download ePub Donate Credits → Version 2.0...