It is widely recognized that developments in health information technology (HIT) have the potential to improve health care quality, reduce costs and empower consumers to play a greater role in their own care. However, little progress has been made on resolving the privacy issues associated with the growing liquidity of personally identifiable health information.
CDT’s Health Privacy Project will take on key policy questions, including: the proper role of notice and consent, the right of patients to access their own health records in electronic formats, identification and authentication, secondary uses, and enforcement mechanisms. It will address both the traditional exchange of records among providers and payers and new consumer access services and Personal Health Records.
CDT's Deven McGraw Named to Federal Advisory Health IT Policy Committee - Deven McGraw, director of the Health Privacy Project at CDT, was named today to the federal advisory Health Information Technology Policy Committee. McGraw will serve a three-year term on the Committee. The Committee will make policy recommendations for the development and adoption of a nationwide information infrastructure, including standards for the secure and private exchange of patient medical information. The Committee was established as part of the American Recovery and Reinvestment Act. May 08, 2009
HHS Issues Guidance on Security Technologies for Breach of Health Records - Under the new breach notification requirements for health records imposed by the American Recovery and Reinvestment Act of 2009 (ARRA), individuals do not have to be notified if the information that was breached was rendered "unusable, unreadable, or indecipherable" through the use of a technology or methodology specified by the Secretary of the Department of Health and Human Services (HHS). Today, HHS published those recommendations and asked for public comment. The guidance is relevant both to the breach notification rules that will be enforced by the Federal Trade Commission, which apply to vendors of personal health records and other related entities, and to the notification rules that apply to entities covered by HIPAA (the Health Insurance Portability and Accountability Act). In the same posting, HHS issued a request for information (RFI) seeking public input on how the agency should implement the new HIPAA breach notification requirements. The stated purpose of the RFI is to inform HHS' rulemaking on these provisions (which must be issued no later than August 17, 2009). FTC issued its proposed rules yesterday. Comments on the guidance and any response to the RFI are due May 21, 2009. CDT intends to submit comments on the guidance and responses to the RFI. April 17, 2009
FTC Issues Proposed Notification Rules for Breach of Health Records - The Federal Trade Commission (FTC) today posted its proposed rule implementing new breach notification requirements for health records, imposed by the American Recovery and Reinvestment Act of 2009 (ARRA). The FTC rule will apply to vendors of personal health records and related entities not covered by HIPAA (the Health Insurance Portability and Accountability Act). The Department of Health and Human Services is required to issue by August 17 proposed rules pertaining to similar breach notification provisions applicable to entities covered by HIPAA. The FTC is the first agency to publish details for implementation of the new privacy and security provisions in ARRA. CDT will be drafting comments to the FTC proposed rule. Public comments are due on June 1, 2009. April 16, 2009