In drafting its recommendations, the FTC looked at the Fair Information Practices Principles, or FIPPs, developed by the Department of Health, Education, and Welfare in 1973. One of the five FIPPs says: “There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent.”
The FIPPs have been one of America's most welcome exports, forming the basis for privacy policies in Canada and Europe.
A similar path was cleared for HHS by the Commerce Department in its report on commercial data privacy released Thursday. It called for a privacy policy relying on self-regulation and voluntary compliance by “stakeholders” such as the Direct Marketing Association, Network Advertising Initiative, Financial Services Forum, Intel, Google and Microsoft. The Commerce Department suggests these guidelines might be based on “revitalized” FIPPs that would “emphasize substantive privacy protection rather than simply creating procedural hurdles.”
And the department recommended these self-regulators “promote informed consent.”
Finally, last week, the President's Council of Advisors on Science and Technology said data-tagging technology should be used to enable patients' consent and control over their information.
All three bodies recommended personal control and consent. But if HHS decides to follow their advice, it will have to do some backtracking.
That's because in 2002, HHS rule-makers scrapped a patient's right of consent that had been part of an earlier privacy rule. They replaced consent with “regulatory permission” for the movement of a patient's medical records without consent for a vast array of uses. HHS has been stumbling over its pro-privacy rhetoric ever since.
In late 2008, after badgering by the General Accountability Office, HHS released its National Privacy and Security Framework. The document cited as one of its authorities—you guessed it—FIPPs.
Yet the HHS framework never mentions consent and goes on to define privacy not as a right, but merely as a patient's “interest” in controlling the disclosure of his healthcare information.
A workgroup of the federally chartered Health Information Technology Policy Committee has been drawing fire from industry quarters for having the temerity to try to re-introduce the concept of patient consent—albeit in a very limited form—in its recommendations to the government.
First the Federation of American Hospitals and then Kevin Nicholson, the vice president of government affairs for the National Association of Chain Drug Stores, expressed displeasure at the tiger team's direction.
HHS rule-makers soon have to update the language on enforcement, breach notification and the final updates to the HIPAA privacy rule in the American Recovery and Reinvestment Act of 2009.
Which path will they take?