Center for Democracy and Technology
Working for Democratic Values in a Digital Age
Health Privacy

It is widely recognized that developments in health information technology (HIT) have the potential to improve health care quality, reduce costs and empower consumers to play a greater role in their own care. However, little progress has been made on resolving the privacy issues associated with the growing liquidity of personally identifiable health information.

CDT’s Health Privacy Project will take on key policy questions, including: the proper role of notice and consent, the right of patients to access their own health records in electronic formats, identification and authentication, secondary uses, and enforcement mechanisms. It will address both the traditional exchange of records among providers and payers and new consumer access services and Personal Health Records.

  • CDT released a Summary of Health Privacy Provisions in the 2009 Economic Stimulus Legislation. [PDF] April 16, 2008

    The American Recovery and Reinvestment Act of 2009 (ARRA, sometimes referred to as "the stimulus") included provisions making significant improvements in the privacy and security standards for health information. The provisions on privacy and security (generally in ARRA's Title XIII, Subtitle D and some parts of Subtitle A) can be grouped into four broad categories:
    • Substantive changes to the HIPAA statute and privacy and security regulations
    • Changes in HIPAA enforcement
    • Provisions to address health information held by entities not covered by HIPAA (as either covered entities or business associates)
    • Miscellaneous: Administration/Studies/Reports/Educational Initiatives
    For each set of changes, this summary indicates when the provision goes into effect and whether the Secretary is required to promulgate regulations or guidance or adopt technical standards. Appendix A also sets forth an overall calendar with effective dates for various provisions and due dates for reports, regulations, and standards related to privacy.
  • CDT released the Policy Framework for Protecting the Privacy and Security of Electronic Health Information [PDF] calling for the adoption of a comprehensive privacy and security framework for protection of health data as information technology is increasingly used to support exchange of medical records and other health information. Privacy and security protections will build public trust, which is crucial if the benefits of health IT are to be realized. May 14, 2008
  • Beyond Consumer Consent [PDF] February 21, 2008
  • These Myths and Facts documents answer common myths about HIPAA and health privacy. These facts correct long-standing myths about the right to privacy, patient consent and rights, enforcement of HIPAA provisions, Internet-based health services, the interaction between HIPAA and state laws, information disclosures, marketing, and de-identified data.
  • Health Privacy Stories [PDF] March 5, 2007
  • Know Your Rights: Health Privacy Guide [PDF]
  • Health Privacy 101 [PDF]
  • File a Health Privacy Complaint [PDF]
  • In December of 2007, the Health Privacy Project, the California HealthCare Foundation, and a group of corporate leaders released Best Practices for Employers Offering PHRs. To learn more, read the Press Release, list of ten Best Practices, and an Overview Paper about the Best Practices. December 14, 2007

Headlines

Report examines Privacy Implications of Data.Gov - CDT today released a Policy Post discussing privacy implications for the federal data clearinghouse known as data.gov and de-identification considerations for the Open Government Directive. While this initiative signifies a step in the right direction towards a more open and transparent federal government, it must be done in concert with protecting the privacy of individuals. The Policy Post recommends specialized review procedures for each data set on data.gov. In addition, it says that different levels of data protections should be implemented in different contexts and that de-identification guidelines should be adaptable over time. This is essential in addressing consumer privacy risks associated with handling large data sets, as is the case with data.gov. July 13, 2009

CDT's Health Privacy Project Releases Paper on De-identification of Personal Health Data - CDT's Health Privacy Project today released a paper advocating the need for stronger standards for "de-identified" personal health information when used for medical research, to promote public health, or other specialized purposes. The paper notes that stronger standards are needed to ensure the "de-identified" data cannot be re-identified in order to maintain patient privacy and build trust in the health care system. CDT's paper makes several policy recommendations on how to strengthen current de-identification standards found in the Health Insurance Portability and Accountability Act Privacy Act and increase the use of anonymized data for many health care purposes. June 25, 2009

CDT Files Comments on Health Information Technology Extension Program - CDT filed comments with the Department of Health and Human Services (HHS) regarding the proper role of regional extension centers in supporting privacy and security protections for health data. This year's stimulus legislation called for the creation of nonprofit extension centers to disseminate best practices and offer training and technical assistance to health care providers seeking to adopt health information technology systems. In the comments, CDT urged HHS to explicitly require the extension centers to include privacy and security as components of their training and assistance services. CDT's comments also urged HHS to position extension centers as an interface between health care providers and newly-established HHS regional privacy officers. June 12, 2009
