It is widely recognized that developments in health information technology (HIT) have the potential to improve health care quality, reduce costs and empower consumers to play a greater role in their own care. However, little progress has been made on resolving the privacy issues associated with the growing liquidity of personally identifiable health information.

CDT’s Health Privacy Project will take on key policy questions, including: the proper role of notice and consent, the right of patients to access their own health records in electronic formats, identification and authentication, secondary uses, and enforcement mechanisms. It will address both the traditional exchange of records among providers and payers, as well as new consumer access services and Personal Health Records.

• CDT released a Summary of Health Privacy Provisions in the 2009 Economic Stimulus Legislation. [PDF] April 16, 2008
  
  The American Recovery and Reinvestment Act of 2009 (ARRA, sometimes referred to as "the stimulus") included provisions making significant improvement in the privacy and security standards for health information. The provisions on privacy and security (generally in ARRA's Title XIII, Subtitle D and some parts of Subtitle A) can be grouped into four broad categories:
  • Substantive changes to the HIPAA statue and privacy and security regulations
  • Changes in HIPAA enforcement
  • Provisions to address health information held by entities not covered by HIPAA (as either covered entities or business associates)
  • Miscellaneous: Administration/Studies/Reports/Educational Initiatives
  For each set of changes, this summary indicates when the provision goes into effect and whether the Secretary is required to promulgate regulations or guidance or adopt technical standards. Appendisx A also sets forth an overall calendar with effective dates for various provisions and due dates for reports, regulations, and standards related to privacy.
• CDT released the Policy Framework for Protecting the Privacy and Security of Electronic Health Information [PDF] calling for the adoption of a comprehensive privacy and security framework for protection of health data as information technology is increasingly used to support exchange of medical records and other health information. Privacy and security protections will build public trust, which is crucial if the benefits of health IT are to be realized. May 14, 2008
• Beyond Consumer Consent [PDF] February 21, 2008
• These Myths and Facts documents answer common myths about HIPAA and health privacy. These facts correct long-standing myths about the right to privacy, patient consent and rights, enforcement of HIPAA provisions, Internet- based health services, the interaction between HIPAA and state laws, information disclosures, marketing, and de-identified data.
  • Myths and Facts about HIPAA, Part 1 (2004) [PDF]
  • Myths and Facts about HIPAA, Part 2 (2009) [PDF]
  • Why the HIPAA Privacy Rules Would Not Adequately Protect Personal Health Records (September 2008) [PDF]
• Health Privacy Stories [PDF] March 5, 2007
• Know Your Rights: Health Privacy Guide [PDF]
• Health Privacy 101 [PDF]
• File a Health Privacy Complaint [PDF]
• In December of 2007, the Health Privacy Project, the California HealthCare Foundation, and a group of corporate leaders released Best Practices for Employers Offering PHRs. To learn more, read the Press Release, list of ten Best Practices, and an Overview Paper about the Best Practices. December 14, 2007

Headlines

CDT's Health Privacy Project Releases Paper on De-identification of Personal Health Data - CDT's Health Privacy Project today released a paper advocating the need for stronger standards for "de-identified" personal health information when used for medial research, to promote public health, or other specialized purposes. The paper notes that stronger standards are needed to ensure the "de-identified" data cannot be re-identified in order to maintain patient privacy and build trust in the health care system. CDT's paper makes several policy recommendations on how to strengthen current de-identification standards found in the Health Insurance Portability and Accountability Act Privacy Act and increase the use of anonymized data for many health care purposes. June 25, 2009

• Health Privacy Project De-identification Paper [PDF] June 25, 2009
• CDT De-identification Paper Press Release June 25, 2009
• Share this article

 Slashdot    del.icio.us    Digg    Technorati 
 Google    Yahoo!    Windows Live    reddit  

CDT Files Comments on Health Information Technology Extension Program - CDT filed comments with the Department of Health and Human Services (HHS) regarding the proper role of regional extension centers in supporting privacy and security protections for health data. This year's stimulus legislation called for the creation of nonprofit extension centers to disseminate best practices and offer training and technical assistance to health care providers seeking to adopt health information technology systems. In the comments, CDT urged HHS to explicitly require the extension centers to include privacy and security as components of their training and assistance services. CDT's comments also urged HHS to position extension centers as an interface between health care providers and newly-established HHS regional privacy officers. June 12, 2009

• CDT Comments to HHS Notice [PDF] June 11, 2009
• Share this article

 Slashdot    del.icio.us    Digg    Technorati 
 Google    Yahoo!    Windows Live    reddit  

CDT: Comprehensive Privacy and Security Framework Needed for Personal Health Records - CDT testified today before the National Committee on Vital and Health Statistics (NCVHS) to advocate consistent and comprehensive privacy and security protections for all personal health records (PHRs). CDT recommends that a consistent set of regulations apply to all PHRs, regardless of whether the vendor is covered under HIPAA, and warns that the HIPAA Privacy Rule is not an appropriate safeguard for PHRs because it does not adequately address the unique privacy concerns raised by these records. CDT further recommends that policymakers start with the Markle Common Framework for Networked Personal Health Information, which was endorsed by a broad range of stakeholders, in developing recommendations to safeguard PHRs. June 09, 2009

• CDT's Testimony Before NCVHS [PDF] June 09, 2009
• Share this article

 Slashdot    del.icio.us    Digg    Technorati 
 Google    Yahoo!    Windows Live    reddit  

Earlier Headlines

Previous Headlines