Just learned about this.
Attorneys and data privacy policy analysts at IAPP, EPIC and EFF are assessing impact and issues.
On the surface this appears to establish guidelines for data security framework.
However, as we've become all too aware of previously, virtually everything this administration does and says, is far from the truth and stated intent.
Stay tuned.
Decree....now they are saying these are law?
Up until now all medicine as been imprecise, but now that the government is running the show it is suddenly precise!
Health privacy analysis:
This privacy framework appears to be an Opposite-of-its-name Trojan Horse from the White house and good for nothing collaborating legislators.
This finding report was released a week before the 05/25/16 Whitehouse privacy framework.
Attorney’s and policy analysts are still combing thru the latest document.
Key concerns, below.
Big ones**:
“the Privacy Act’s disclosure provisions allow agencies considerable authority to disclose records subject to the Act and to define new categories of disclosures at any time through new rules.
**In particular, the Act allows many types of disclosure to foreign, national, state, and local law enforcement agencies with few procedural prerequisites. **
We do not yet know what disclosure authority will apply to PMI records or even if they are subject to the Privacy Act. (See Appendix C.)
**Patients who share their health records and biospecimens with the PMI could lose the ability to claim a physician-patient privilege in unrelated judicial proceedings.”
New WPF Report – The Precision Medicine Initiative and Privacy: Will Any Legal Protections Apply? | World Privacy Forum
World Privacy Forum
Hot Topics
Medical Identity Theft
Health Privacy
Biometrics
Mobile Privacy
Patient’s Guide to HIPAA
Congressional Testimony
New WPF Report – The Precision Medicine Initiative and Privacy: Will Any Legal Protections Apply?
PMI_cover_02_hi-res
The report, The Precision Medicine Initative and Privacy: Will Any Legal Protections Apply? was published May 18, 2016.
Report Authors: Robert Gellman and Pam Dixon.
You are at the report main page, where you can download the report in PDF format.
Report Links:
Download Full Report (PDF, 27 pages).
Read the Report Brief Summary, Findings, and Recommendations, below
—-
Brief Summary of Report
This report reviews privacy law applicable to the Precision Medicine Initiative (PMI), and the large medical information and biospecimen database at its center. Precision medicine approaches to disease seek to incorporate individual variability in genes, environment, and lifestyle in research to eventually reach the goal of maximizing treatment effectiveness for individuals. The PMI will include a robust genetic research component. The HIPAA health privacy rule and its protections for individuals will not apply to PMI research activities. Other privacy laws may apply, such as the Privacy Act of 1974, but there is uncertainty regarding if or how this and other laws apply. The PMI offers a set of privacy guidelines, but the guidelines lack detail and fail to address underlying legal requirements and protections.
The key privacy concerns raised by the PMI are the lack of applicable law to govern its collection and use of individuals’ health data, the potential waiver of the patient-physician legal privilege that can shield data from disclosure through litigation, and the possibility of law enforcement access to patient records held in the PMI. Before it launches, the PMI needs to clarify the legal and administrative privacy protections that apply to its activities. People who volunteer their medical data and biospecimens must be told what specific legal protections apply and do not apply.
About the Authors
Robert Gellman is a privacy and information policy consultant in Washington DC. (www.bobgellman.com.) He has written extensively on health, de-identification, Fair Information Practices, and other privacy topics. Pam Dixon is the founder and Executive Director of the World Privacy Forum. She is the author of eight books, hundreds of articles, and numerous privacy studies, including her landmark Medical Identity Theft study. She has testified before Congress on consumer privacy issues as well as before federal agencies. Dixon and Gellman’s writing collaborations include the seminal report on predictive algorithms, The Scoring of America, and numerous well-regarded privacy-focused research, articles, and policy analyses. They co-authored a reference book on privacy, Online Privacy: A Reference Handbook, (ABC-CLIO 2011) and most recently a chapter on privacy regulation and law in Enforcing Privacy: Regulatory, Legal, and Technological Approaches, (Springer Nature, 2016.)
About the World Privacy Forum
The World Privacy Forum is a non-profit public interest research and consumer education group that focuses on the research and analysis of privacy-related issues. Founded in 2003, the Forum publishes significant privacy research and policy studies on health privacy, privacy self-regulation, financial privacy and identity issues, biometrics, and data broker privacy practices among other issues. www.worldprivacyforum.org.
Key Findings:
Medical record data and biospecimen data that consumers donate to the PMI are not covered by the core federal health privacy law while in the hands of the PMI. The health privacy rule issued under the authority of the Health Insurance Portability and Accountability Act (HIPAA) does not apply to the PMI and will not apply to most research activities conducted using information available from the PMI.
Consumers may have no formal legal right to obtain their own information from the PMI unless a US government agency administers the PMI, something that is not expected. The Privacy Act of 1974, which provides citizens with the ability to review data collected about them by a government agency, applies only if a federal agency operates the PMI. We do not yet know with certainty if a federal agency will operate any part of the PMI. However, if a federal agency operates the PMI, the Privacy Act’s disclosure provisions allow agencies considerable authority to disclose records subject to the Act and to define new categories of disclosures at any time through new rules. In particular, the Act allows many types of disclosure to foreign, national, state, and local law enforcement agencies with few procedural prerequisites. We do not yet know what disclosure authority will apply to PMI records or even if they are subject to the Privacy Act. (See Appendix C.)
Patients who share their health records and biospecimens with the PMI could lose the ability to claim a physician-patient privilege in unrelated judicial proceedings.
A limited amount of patient records shared with PMI may be protected from subsequent disclosure if 42 C.F.R. Part 2 (rules governing substance abuse records) applied to the records at their original source. If so, records disclosed to the PMI from health care providers subject to the substance abuse privacy rules would retain their confidentiality if disclosed to the PMI. This may be the only existing privacy law applicable to the PMI, although it would cover few of the health records in the PMI.
Certificates of confidentiality for research activities available through the Department of Health and Human Services may offer some legal protections for research records, but there are many uncertainties about the scope and value of the certificates. There are known limitations about the protections this would offer.
When volunteers enroll in the PMI, they donate a great deal of personal information in the form of medical records and biospecimens. However, cell phone data monitoring, social media monitoring, sensor monitoring and other real-time monitoring are under discussion. How the privacy of the real time systems will be handled is an unknown. Further administrative records about volunteers – as opposed to health information – may be extensive and presents their own privacy concerns. Administrative records may include contact information, identification numbers, employment and educational history, location data, and more.
Key Recommendations:
The PMI needs to detail its structure and organization with clarity so that the privacy protections or lack of privacy protections for its records can be assessed. The public needs to know what institutions will maintain information in the PMI and where they are located. The PMI must explain how privacy laws, if any, will apply to it. The privacy and security standards issued so far do not answer the questions about what legal protections will apply.
The PMI should not begin soliciting information or biospecimens from or about individuals until it clearly describes the applicable privacy protections. The description should include potential uses and disclosures of PMI information for law enforcement and national security purposes. The description of applicable privacy rules should cover health records, administrative records, and any real-time monitoring from mobile or other devices. Volunteers should be told expressly if HIPAA does not apply to the PMI.
The E-Government Act of 2002 requires federal agencies to conduct a Privacy Impact Assessment before they develop or procure information technology systems or projects that collect, maintain or disseminate information in identifiable form from or about members of the public.[1] We have not seen a PIA for the PMI. There is an immediate need for a PIA that includes an opportunity for public comment and debate.
If the Privacy Act of 1974 applies to PMI or any significant part of it, then the National Institutes of Health should publish a system of records notice and allow adequate time for public comment.
If the Privacy Act of 1974 does not apply to the PMI, then it is possible that no health privacy or other privacy law will apply to most data and biospecimens. As a result, patient data could be vulnerable to a host of unrelated public and private demands and activities. If so, then PMI may need its own privacy law in place before it starts.
Obama invents the lock for the file cabinet.
MSM is astonished no one ever thought of this....
This Whitehouse release only addresses data security*, Not data privacy.
Judging from the OPM military personnel data breach, and State Dept oversight of national security emails on Hillary’s private email server, we can all breath a sigh of relief. The gov’t has your back and assures our security.
Not.
The World Privacy Forum finding criticism still stands.
The way the PMI is written, every US gov’t agency as well as US and foreign law enforcement agencies will have access to your health data, and bio-medical genetic information.
You also lose expectations of physician-patient privacy.
Your personal Healthcare information is already bought, sold and shared among 8000+ Healthcare related organizations for “research” purposes.
Look at Harvard Medical’s: thedatamap.org to see the extent of who shares what about you in what’s become a Two Billion dollar healthcare data broker business.
BTW: you have No guarantee that your Healthcare data is anonymized.
Furthermore, Obola’s 09/15/2015 Behavioral Health Executive Order has created an interagency behavioral health database for all citizens.
Happy goldfish bowl.
I fear this is just part 1 of a large number of memorial weekend news dumps....
Politically self-serving boilerplate.
Reads like a Soviet proclamation.
Key factors
1) Government bureaucracy is slow. Technology is fast. Government bureaucracy will never be able to do anything but follow the leader and nip at its heels. .... Unless government goes for a police state on the tech side.
2) Government bureaucracy wants access to the personal data (PHI, PII) that security is intended to protect. Government bureaucracy does not see it as a double standard that they can view PHI, PII that they don’t think others should view.
3) As the government bureaucracy grows, the inefficiency of the IT shops that interface with the government grows. UHC, IBM, HP, etal will increase their costs and pass them along to CMS and other government agencies, including the many states that contract with state government for Medicaid, etc.
4) As Federal bureaucracy grows, State bureaucracy and overhead costs for Medicaid will grow.
Replace Obama’s name with Kim Il What’s his face and this announcement, heaping praise on Dear Leader and all, could have come out of the DPRK.
How soon we forget that OPM was hacked just last year and every goobermint employees “private” information was stolen.
Even the fingerprints.
PING!!!
Article, comments, esp #1, #5, #7, #9, #16
Thanks MarchonDC09122009
I just finished the process of updating my will and directives. I was schooled on this by my legal counsel before I signed anything.
Believe me, you will be appalled at the powers that are being given to the government to make decisions about your healthcare, especially if you’re elderly. This directive makes it too, too easy for life altering decisions to be taken out of the hands of family members and given to government agencies, even for minor children.
How on earth has America allowed this to happen and why? We’re going down the Communist/Marxist hole and no one seems to be able to call a halt.