Education New York: Search Items

Federal Protection for Human Research Subjects: An Analysis of the Common Rule and Its Interactions with FDA Regulations and the HIPAA Privacy Rule

Date Captured	Tuesday January 20 2015, 3:08 PM

Challenges Associated With Data-Sharing HIPAA De-identification

Date Captured	Sunday December 21 2014, 6:18 AM
Daniel Barth-Jones & James Janisse

Privacy and Security Developments 2014 Issue 01

Date Captured	Monday November 24 2014, 6:23 AM
Privacy and Security Developments is a periodic briefing of new cases, statutes, articles, books, resources, and other developments. It is authored by Professors Daniel J. Solove and Paul M. Schwartz.

Proposed Changes to Common Rule (2011)

Date Captured

Saturday November 15 2014, 7:44 AM

Proposed Changes to Common Rule: The 3 most important responses related to data privacy - The proposed ban on re-identification would drive re-identification methods further into hidden, commercial activities and deprive the public, the research community and policy makers of knowledge about re-identification risks and potential harms to the public. The de-identification provisions of the HIPAA Privacy Rule do not take advantage of advances in data privacy or the nuances it provides in terms of dealing with different kinds of data and finely matching sensitivity to risk. There needs to be a channel for NCHS, NIST or a professional data privacy body to operationalize research results so that real-world data sharing decisions rely on the latest guidelines and best practices.

Building public trust in uses of Health Insurance Portability and Accountability Act de-identified data

Date Captured

Friday November 14 2014, 7:01 AM

Deven McGraw; The aim of this paper is to summarize concerns with the de-identification standard and methodologies established under the Health Insurance Portability and Accountability Act (HIPAA) regulations, and report some potential policies to address those concerns that were discussed at a recent workshop attended by industry, consumer, academic and research stakeholders. Center for Democracy & Technology, 1634 I Street, NW Suite 1100, Washington, DC 20006, USA; deven@cdt.org J Am Med Inform Assoc 2013;20:29-34 doi:10.1136/amiajnl-2012-000936

Latanya Arvette Sweeney, Ph.D.cv

Date Captured	Saturday November 08 2014, 7:37 PM
Latanya Arvette Sweeney, Ph.D. Professor of Government and Technology in Residence Department of Government Director, Data Privacy Lab dataprivacylab.org/ Harvard University 1737 Cambridge Street, CGIS K310 Cambridge, MA 02138

Latanya Sweeney, Ph.D.

Date Captured	Saturday November 08 2014, 7:31 PM
I think Latanya Sweeney may be back at Harvard

The Importance of Disaggregating Student Data

Date Captured

Saturday November 08 2014, 8:26 AM

Common characteristics used to disaggregate data include (Boeke, 2012): Race/ethnicity (country of origin); Generation status (i.e. first, second, etc. generation or recently arrived); Immigrant/ refugee status (refugee status often means people are eligible for certain services) ;Age group; Gender; Grade; Geographic (within a state there is often enough data to compare school district data versus a state comparison to a national average); Sexual orientation; Free or reduced lunch status (as a SES indicator); Insurance status

Press and Reporting Considerations for Recent Re-Identification Demonstration Attacks: Part 2 (Re-Identification Symposium)

Date Captured	Friday November 07 2014, 10:34 AM

Public Policy Considerations for Recent Re-Identification Demonstration Attacks on Genomic Data Sets: Part 1 (Re-Identification Symposium)

Date Captured	Friday November 07 2014, 10:30 AM

Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

Date Captured	Thursday November 06 2014, 3:15 PM

Does de-identification work or not?

Date Captured

Thursday November 06 2014, 9:20 AM

About the author: Daniel C. Barth-Jones, M.P.H., Ph.D., is a HIV and Infectious Disease Epidemiologist on the faculty at the Mailman School of Public Health at Columbia University. His work in the area of statistical disclosure control and implementation under the HIPAA Privacy Rule provisions for de-identification is focused on the importance of properly balancing competing goals of protecting patient privacy and preserving the accuracy of scientific research and statistical analyses conducted with de-identified data.

The 'Re-Identification' of Governor William Weld's Medical Information: A Critical Re-Examination of Health Data Identification Risks and Privacy Protections, Then and Now

Date Captured	Thursday November 06 2014, 9:00 AM
Barth-Jones, Daniel C., The 'Re-Identification' of Governor William Weld's Medical Information: A Critical Re-Examination of Health Data Identification Risks and Privacy Protections, Then and Now (June 4, 2012).

FERPA and the Cloud: What FERPA Can Learn from HIPAA

Date Captured

Tuesday December 18 2012, 7:01 AM

SOLOVE: Parents need to look at what their schools are doing about student privacy and speak up, because the law isn’t protecting their children’s privacy. School officials who want to develop a more meaningful and robust protection of privacy should talk to government officials who are tasked with complying with HIPAA. They can learn a lot from studying HIPAA and following some of its requirements. Congress should remake FERPA more in the model of HIPAA. If Congress won’t act, state legislatures should pass better education privacy laws. Because FERPA does not provide adequate oversight and enforcement of cloud computing providers, schools must be especially aggressive and assume the responsibility. Otherwise, their students’ data will not be adequately protected. School officials shouldn’t assume that the law is providing regulation of cloud computing providers and that they need not worry. The law isn’t, so right now the schools need to be especially vigilant.

Student Weight Status Category Report: 2008-2010 New York State (Exclusive of New York City)

Date Captured	Thursday January 26 2012, 9:31 AM

Identifying Violence-prone Students

Date Captured	Thursday January 13 2011, 2:02 PM
The fine line higher education officials walk in dealing with troubled students is discussed.

Personal Health Information Privacy

Date Captured	Sunday January 10 2010, 4:42 PM
News about medical and electronic health privacy risk.

Washington state bill would make prescription data private

Date Captured

Tuesday January 27 2009, 10:25 AM

["The sharing of prescription information for marketing purposes without consent violates the spirit of privacy law, and destroys the confidentiality of the doctor-patient relationship," said Leigh Sims, a spokeswoman for the coalition behind the bill. HIPAA allows states to pass stronger privacy protections.] [To fight this, Rep. Jamie Pedersen (D-Seattle) and others have introduced House Bill 1493 to close the loophole. Advocates say the change would protect thousands of patients at no cost to taxpayers.]

Bill would make prescription data private

Date Captured

Tuesday January 27 2009, 10:25 AM

Health care meets social networking

Date Captured

Thursday January 22 2009, 3:59 PM

Jacksonville Business Journal - Kimberly Morrison -- [Mayo Clinic, which has a campus in Jacksonville, has come a long way in just a few years, since adding a Facebook page with more than 3,000 friends, a YouTube channel with videos of doctors talking about illness, treatments and research, a health blog for consumers and another for media to improve the process of medical reporting. It’s also creating “secret groups” on Facebook to connect patients to others with similar illnesses, an area it hopes to expand in the future. But that’s just the tip of the iceberg in the brave new world of Health 2.0.]

What Every American Needs to Know about the HIPAA Medical Privacy Rule* -- Updated November 2008

Date Captured

Sunday January 18 2009, 9:39 PM

By Sue A. Blevins, president of the Institute for Health Freedom and Robin Kaigh, Esq., an attorney dedicated to patients’ health privacy rights. [Did you know that under the federal HIPPA (Health Insurance Portability and Accountability Act of 1996) medical privacy rule, your personal health information—including past records and genetic information—can be disclosed without your consent to large organizations such as the following? Data-processing companies; Insurers; Researchers (in some instances); Hospitals; Doctors (even those not treating you); Law enforcement officials; Public health officials; Federal government.

Center for Democracy & Technology (CDT) Applauds Critical Privacy, Security Provisions in Health IT Stimulus Bill

Date Captured

Sunday January 18 2009, 5:59 PM

[The bill's privacy provisions include the following: Stronger protections against the use of personal heath information for marketing purposes; Accountability for all entities that handle personal health information; A federal, individual right to be notified in the event of a breach of identifiable health information; Prohibitions on the sale of valuable patient-identifiable data for inappropriate purposes; Development and implementation of federal privacy and security protections for personal health records; Easy access by patients to electronic copies of their records; and Strengthened enforcement of health privacy rules. The provisions in the bill are similar to those that received bipartisan approval by the House Energy & Commerce Committee in the last Congress.]

Privacy Issue Complicates Push to Link Medical Data

Date Captured

Sunday January 18 2009, 5:39 PM

NY Times By ROBERT PEAR [“Until people are more confident about the security of electronic medical records,” Mr. Whitehouse said, “it’s vitally important that we err on the side of privacy.” The data in medical records has great potential commercial value. Several companies, for example, buy and sell huge amounts of data on the prescribing habits of doctors, and the information has proved invaluable to pharmaceutical sales representatives. “Health I.T. without privacy is an excellent way for companies to establish a gold mine of information that can be used to increase profits, promote expensive drugs, cherry-pick patients who are cheaper to insure and market directly to consumers,” said Dr. Deborah C. Peel, coordinator of the Coalition for Patient Privacy, which includes the American Civil Liberties Union among its members.]

Extortion Manhunt Highlights Need for Privacy Controls

Date Captured

Friday January 09 2009, 6:52 PM

Erik Larkin, PC World - [ Express Scripts, a large company that manages prescription-drug benefits, reported that both it and its clients had received letters threatening to reveal customer information--including Social Security numbers, addresses, dates of birth, and prescription information--if certain extortion demands were not met (for more information, visit the Express Scripts Support Site). Neither the FBI, which is investigating the matter, nor Express Scripts has released many details, but Stephen Littlejohn, Express Scripts's vice president of public affairs, says that the nature of sample records offered by the extortionists in their letters "correlates to data" held in the company's database.]

Secretary Leavitt Announces New Principles, Tools to Protect Privacy, Encourage More Effective Use of Patient Information to Improve Care

Date Captured

Thursday December 18 2008, 5:11 PM

The privacy principles articulated by Secretary Leavitt are as follows: Individual Access – Consumers should be provided with a simple and timely means to access and obtain their personal health information in a readable form and format. Correction – Consumers should be provided with a timely means to dispute the accuracy or integrity of their personal identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied. Consumers also should be able to add to and amend personal health information in products controlled by them such as personal health records (PHRs). Openness and Transparency -- Consumers should have information about the policies and practices related to the collection, use and disclosure of their personal information. This can be accomplished through an easy-to-read, standard notice about how their personal health information is protected. This notice should indicate with whom their information can or cannot be shared, under what conditions and how they can exercise choice over such collections, uses and disclosures. In addition, consumers should have reasonable opportunities to review who has accessed their personal identifiable health information and to whom it has been disclosed. Individual Choice -- Consumers should be empowered to make decisions about with whom, when, and how their personal health information is shared (or not shared). Collection, Use, and Disclosure Limitation – It is important to limit the collection, use and disclosure of personal health information to the extent necessary to accomplish a specified purpose. The ability to collect and analyze health care data as part of a public good serves the American people and it should be encouraged. But every precaution must be taken to ensure that this personal health information is secured, deidentified when appropriate, limited in scope and protected wherever possible. Data Integrity – Those who hold records must take reasonable steps to ensure that information is accurate and up-to-date and has not been altered or destroyed in an unauthorized manner. This principle is tightly linked to the correction principle. A process must exist in which, if consumers perceive a part of their record is inaccurate, they can notify their provider. Of course the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provides consumers that right, but this principle should be applied even where the information is not covered by the Rule. Safeguards – Personal identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure. Accountability – Compliance with these principles is strongly encouraged so that Americans can realize the benefit of electronic health information exchange. Those who break rules and put consumers’ personal health information at risk must not be tolerated. Consumers need to be confident that violators will be held accountable.

The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information

Date Captured

Thursday December 18 2008, 4:56 PM

The principles of the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information below establish a single, consistent approach to address the privacy and security challenges related to electronic health information exchange through a network for all persons, regardless of the legal framework that may apply to a particular organization. The goal of this effort is to establish a policy framework for electronic health information exchange that can help guide the Nation’s adoption of health information technologies and help improve the availability of health information and health care quality. The principles have been designed to establish the roles of individuals and the responsibilities of those who hold and exchange electronic individually identifiable health information through a netwo

Education Department Reworks Privacy Regulations

Date Captured

Monday December 08 2008, 8:46 PM

Wall Street Journal (WSJ) ELIZABETH BERNSTEIN -- [Ferpa has long allowed colleges to share information about a student if there is a "health or safety" emergency, but had stipulated that the definition of such an emergency must be strictly construed. The new regulations strip away this condition that the definition of the emergency must be narrow and emphasize that schools may use this health-or-safety exception as long as there is an "articulable" and significant threat to the student or other individuals. The regulations also specifically state that parents are among the appropriate parties who may be called in case of a health-or-safety emergency] [The new regulations will also tweak other parts of Ferpa, including areas dealing with electronic records, students' Social Security numbers, and outside contractors hired by educational institutions who are given access to student records to perform services for the institution. In addition, they will address the circumstances under which schools may give researchers access to aggregated student records.]

Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records (ID: CSD5578)

Date Captured

Thursday December 04 2008, 4:36 PM

The HIPAA Privacy Rule specifically excludes from its coverage those records that are protected by FERPA. At the elementary or secondary school level, students’ immunization and other health records that are maintained by a school district or individual school, including a school-operated health clinic, that receives funds under any program administered by the U.S. Department of Education are “education records” subject to FERPA, including health and medical records maintained by a school nurse who is employed by or under contract with a school or school district. Some schools may receive a grant from a foundation or government agency to hire a nurse. Notwithstanding the source of the funding, if the nurse is hired as a school official (or contractor), the records maintained by the nurse or clinic are “education records” subject to FERPA.

Medical Blogs May Threaten Patient Privacy

Date Captured

Friday August 08 2008, 4:57 PM

US News and World Report -- "In some cases, patients described in medical blogs may be able to identify themselves, the researchers said. For example, three of the blogs in the study had recognizable photos of patients, including one with an extensive description of the patient and links to photos. The researchers also found that some of the medical blogs allowed advertisements, and some promoted health -care products within the blog text. None of the bloggers who described products within the text adhered to medical ethics standards of providing information on conflicts of interest, or whether payment was received for promotion of the products. The study was published online in the Journal of General Internal Medicine." (Dr. Tara Lagu, Robert Wood Johnson Foundation Clinical Scholar, and colleagues at the University of Pennsylvania)

CDT Testimony before House Health Subcommittee, June 04, 2008

Date Captured

Wednesday June 04 2008, 4:20 PM

CDT Testimony Supports Draft Health Health Information Legislation -- We need a comprehensive privacy and security framework that is based on fair information practices (i.e., the Markle Foundation Common Framework) and sets clear guidelines for use and disclosure of electronic health information. The framework should build on HIPAA and incorporate protections for health information held by non-health care entities.CDT today testified before the House Health Subcommittee in support of draft legislation regarding health information technology and privacy legislation. CDT supports the draft language because it takes critical steps toward the goal of a comprehensive privacy and security framework, and targets many of the key issues raised by the new e-health environment. CDT urged the Subcommittee to develop this framework by building on the HIPAA Privacy and Security Rules. CDT also recommended including strong protections for health information held, or managed on behalf of consumers, by employers and companies not part of the traditional health care system

Personal Health Records: Why Many PHRs Threaten Privacy

Date Captured

Monday June 02 2008, 5:26 PM

Prepared by Robert Gellman for the World Privacy Forum - "Significant privacy consequences of PHRs not covered under HIPAA can include: • Health records in a PHR may lose their privileged status. • PHR records can be more easily subpoenaed by a third party than health records covered under HIPAA. • Identifiable health information may leak out of a PHR into the marketing system or to commercial data brokers. • In some cases, the information in a non-HIPAA covered PHR may be sold, rented, or otherwise shared. • It may be easier for consumers to accidentally or casually authorize the sharing of records in a PHR. • Consumers may think they have more control over the disclosure of PHR records than they actually do. • The linkage of PHR records from different sources may be embarrassing, cause family problems, or have other unexpected consequences. • Privacy protections offered by PHR vendors may be weaker than consumers expect and may be subject to change without notice or consumer consent."

Hospitals, patients clash on privacy rights

Date Captured	Monday June 02 2008, 3:45 PM
"California has a medical privacy act 'designed to prevent patients from being used as a marketing database,' said San Francisco attorney Khaldoun Baghdadi, who has handled claims from patients who believe their privacy has been violated. 'If that medical information was disclosed negligently, each patient can be awarded $1,000 per violation.'"

University of Hawai'i athletics to review privacy policy

Date Captured

Wednesday September 13 2006, 10:55 AM

The Honolulu Advertiser reports, "Manin [sports information director] said the department, faced with some athletes who requested privacy and some who agreed to waivers, wanted to adopt a uniform approach. She said the policy was 'implemented to protect the privacy of student-athletes in accordance with the Family Education Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA).'"


*Search*