Center for Democracy and Technology
Working for Democratic Values in a Digital Age
Health Privacy

It is widely recognized that developments in health information technology (HIT) have the potential to improve health care quality, reduce costs and empower consumers to play a greater role in their own care. However, little progress has been made on resolving the privacy issues associated with the growing liquidity of personally identifiable health information.

CDT’s Health Privacy Project will take on key policy questions, including: the proper role of notice and consent, the right of patients to access their own health records in electronic formats, identification and authentication, secondary uses, and enforcement mechanisms. It will address both the traditional exchange of records among providers and payers, as well as new consumer access services and Personal Health Records.

  • CDT released a Summary of Health Privacy Provisions in the 2009 Economic Stimulus Legislation. [PDF] April 16, 2008

    The American Recovery and Reinvestment Act of 2009 (ARRA, sometimes referred to as "the stimulus") included provisions making significant improvement in the privacy and security standards for health information. The provisions on privacy and security (generally in ARRA's Title XIII, Subtitle D and some parts of Subtitle A) can be grouped into four broad categories:
    • Substantive changes to the HIPAA statute and privacy and security regulations
    • Changes in HIPAA enforcement
    • Provisions to address health information held by entities not covered by HIPAA (as either covered entities or business associates)
    • Miscellaneous: Administration/Studies/Reports/Educational Initiatives
    For each set of changes, this summary indicates when the provision goes into effect and whether the Secretary is required to promulgate regulations or guidance or adopt technical standards. Appendix A also sets forth an overall calendar with effective dates for various provisions and due dates for reports, regulations, and standards related to privacy.
  • CDT released the Policy Framework for Protecting the Privacy and Security of Electronic Health Information [PDF] calling for the adoption of a comprehensive privacy and security framework for protection of health data as information technology is increasingly used to support exchange of medical records and other health information. Privacy and security protections will build public trust, which is crucial if the benefits of health IT are to be realized. May 14, 2008
  • Beyond Consumer Consent [PDF] February 21, 2008
  • These Myths and Facts documents answer common myths about HIPAA and health privacy. These facts correct long-standing myths about the right to privacy, patient consent and rights, enforcement of HIPAA provisions, Internet-based health services, the interaction between HIPAA and state laws, information disclosures, marketing, and de-identified data.
  • Health Privacy Stories [PDF] March 5, 2007
  • Know Your Rights: Health Privacy Guide [PDF]
  • Health Privacy 101 [PDF]
  • File a Health Privacy Complaint [PDF]
  • In December of 2007, the Health Privacy Project, the California HealthCare Foundation, and a group of corporate leaders released Best Practices for Employers Offering PHRs. To learn more, read the Press Release, list of ten Best Practices, and an Overview Paper about the Best Practices. December 14, 2007

Headlines

CDT's Deven McGraw Named to Federal Advisory Health IT Policy Committee - Deven McGraw, director of the Health Privacy Project at CDT, was named today to the federal advisory Health Information Technology Policy Committee. McGraw will serve a three-year term on the Committee. The Committee will make policy recommendations for the development and adoption of a nationwide information infrastructure, including standards for the secure and private exchange of patient medical information. The Committee was established as part of the American Recovery and Reinvestment Act. May 08, 2009

HHS Issues Guidance on Security Technologies for Breach of Health Records - Under the new breach notification requirements for health records imposed by the American Recovery and Reinvestment Act of 2009 (ARRA), individuals do not have to be notified if the information that was breached was rendered "unusable, unreadable, or indecipherable" through the use of a technology or methodology specified by the Secretary of the Department of Health and Human Services (HHS). Today, HHS published those recommendations and asked for public comment. The guidance is relevant both to the breach notification rules that will be enforced by the Federal Trade Commission, which apply to vendors of personal health records and other related entities, and to the notification rules that apply to entities covered by HIPAA (the Health Insurance Portability and Accountability Act). In the same posting, HHS issued a request for information (RFI) seeking public input on how the agency should implement the new HIPAA breach notification requirements. The stated purpose of the RFI is to inform HHS' rulemaking on these provisions (which must be issued no later than August 17, 2009). FTC issued its proposed rules yesterday. Comments on the guidance and any response to the RFI are due May 21, 2009. CDT intends to submit comments on the guidance and responses to the RFI. April 17, 2009

FTC Issues Proposed Notification Rules for Breach of Health Records - The Federal Trade Commission (FTC) today posted its proposed rule implementing new breach notification requirements for health records, imposed by the American Recovery and Reinvestment Act of 2009 (ARRA). The FTC rule will apply to vendors of personal health records and related entities not covered by HIPAA (the Health Insurance Portability and Accountability Act). The Department of Health and Human Services is required to issue by August 17 proposed rules pertaining to similar breach notification provisions applicable to entities covered by HIPAA. The FTC is the first agency to publish details for implementation of the new privacy and security provisions in ARRA. CDT will be drafting comments to the FTC proposed rule. Public comments are due on June 1, 2009. April 16, 2009
