HHS Privacy Committee

• Goal
• Background
  • Committee membership and contact information
• Additional Links
  • Bibliography
  • U.S. Federal Government, including Privacy Act of 1974
  • U.S. States
  • Government Data Protection Officials
  • European Union (EU)
  • Organizations
  • International Organizations
  • Policy Documents and Inquiries
  • Communicating Privacy Policies
  • Privacy Impact Assessment Policy
  • Health
  • Human Services
  • Research
  • Statistics

Goal:

To ensure attention to privacy as a fundamental consideration in collection and use of personally-identifiable information.

Background:

In carrying out its mission, HHS collects and uses information about individuals, and funds and stimulates collection and use of such information by State and local governments, universities, health care providers, and many other public and private entities. As HHS works to make more effective use of this data, it is committed to protecting the privacy of individuals. The Privacy Committee was formed to help in carrying out the Data Council's responsibilities in the area of privacy policy.

Committee membership and contact information

Additional Links:

Disclaimer: References or links from these pages to other pages outside the U.S. Department of Health and Human Services (HHS) do not constitute any endorsement or recommendation by the Department or any of its agencies or employees. HHS is also not responsible for the contents of any pages outside our control. HHS does not endorse any product or service provided by any other organization.

Bibliography:

• Confidentiality of electronic health data : methods for protecting personally identifiable information. [448 selected citations, January 1990 through March 1996, produced by the National Library of Medicine with the direction of this committee.]
• Ethical Issues in Research Involving Human Participants - Includes section on privacy and confidentiality. [4650 selected citations, January 1989 through November 1998, produced by the National Library of Medicine.]

U.S. Federal Government, including Privacy Act of 1974:

• The Privacy Act of 1974, 5 U.S.C. § 552a, As Amended
• The Relationship between Citizen and Government: The Privacy Act of 1974. Chapter 13 of the Report of The Privacy Protection Study Commission [July 1977]
• The Privacy Act of 1974: An Assessment. Appendix 4 to the report of the U.S. Privacy Protection Study Commission. [July 1977]
• Office of Management and Budget – Information and Regulatory Policy – Privacy Guidance
• Overview of the Privacy Act of 1974 From Office of Information and Privacy, U.S. Department of Justice [May 2004]
• Privacy Act Issuances - 2001 Compilation. Agency Privacy Act system notices as of date of compilation. From National Archives and Records Administration [March 2003]
• OMB Privacy Act Guidance [July 9, 1975, PDF - 4.8MB]
• Supplementary OMB Guidance [December 4, 1975, PDF - 218K]
• Final OMB Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy Protection Act of 1988 [June 19, 1989, PDF - 1.5MB]
• OMB Circular A-130 [November 30, 2000]
• HHS Privacy Act Regulations, 45 CFR Part 5b
• HHS Privacy Act Contacts
• Centers for Medicare and Medicaid Services (CMS) Privacy Act Site
• FDA Privacy Act Regulations, 21 CFR Part 21
• National Institutes of Health (NIH) Privacy Act Site
• Indian Health Service (IHS) Privacy Act Site
• HHS Privacy Impact Assessments
• Department of Defense Privacy Office
• Social Security Administration Privacy Act System Notices
• Internal Revenue Service Privacy Advocate
• Department of Homeland Security Chief Privacy Officer
• Department of Education Privacy Act Issuances [February 2002]
• Office of Personnel Management Privacy Act Site. Includes systems of records maintained on Federal employees.
• Government Privacy Policy Setting and Management. Recommendations and findings of Computer System Security and Privacy Advisory Board (CSSPAB), on management of privacy responsibilities of Federal agencies. [September 2002]

Note: PDF (Portable Document Format) files can be read using Adobe's Acrobat(TM) Reader. This program, which you must install once on your computer, allows you to view, navigate, and print the documents as originally published. Please contact Adobe for assistance installing and using Adobe's Acrobat(TM) Reader.

U.S. States:

• California - Office of Privacy Protection
• Hawaii - Office of Information Practices

Government Data Protection Officials:

Data protection officials in many countries of the world have developed valuable reference materials on privacy. The sites listed below have at least some material in English.

• Alberta - Office of the Information and Privacy Commissioner
• Australia - Privacy Commissioner
• Austria - Datenschutzkommission (Data Protection Commission)
• British Columbia - Office of the Information and Privacy Commissioner
• Canada - Privacy Commissioner
• Central and Eastern Europe Data Protection Authorities
• Czech Republic - Office for Personal Data Protection
• Estonia - Andmekaitse Inspektsioon (Data Protection Inspectorate)
• Finland - Office of the Data Protection Ombudsman
• France - La Commission Nationale de l'Informatique et des Libertés (CNIL) (Data Protection Authority)
• Germany - Der Bundesbeauftragte für den Datenschutz (Federal Data Protection Commissioner)
• Greece - Hellenic Data Protection Authority
• Hong Kong - Office of the Privacy Commissioner for Personal Data
• Hungary - Parliamentary Commissioner for Data Protection and Freedom of Information
• Iceland - Persónuvernd (Data Protection Authority)
• Italy - Garante per la protezione dei dati personali (Data Protection Commission)
• Ireland - Data Protection Commissioner
• Netherlands - College Bescherming persoonsgegevens (Data Protection Authority)
• New South Wales, Australia - Office of the Privacy Commissioner
• New Zealand - Office of the Privacy Commissioner
• Norway - Datatilsynets (Data Inspectorate)
• Ontario - Information and Privacy Commissioner
• Poland - Generalny Inspektor Ochrony Danych Osobowych (Inspector General for the Protection of Personal Data)
• Portugal -Comissão Nacional De Protecção De Dados (Data Protection Commission)
• Québec - Commission d'accès à la information du Québec
• Sweden - Datainspektionen (Data Inspection Board)
• Switzerland - Federal Data Protection Commissioner
• United Kingdom - Information Commissioner
• Victoria, Australia - Office of the Privacy Commissioner

18th International Conference of Privacy and Data Protection Commissioners, Ottawa, Ontario, Canada, Sept 18-20, 1996– some papers.

21st International Conference on Privacy and Personal Data Protection, Hong Kong, Sept. 13-14, 1999- Meeting of world data protection officials– papers and presentations.

22nd International Conference on Privacy and Personal Data Protection, Venice, Sept. 28-30, 2000- Meeting of world data protection officials– papers and presentations

23rd International Conference on Privacy and Personal Data Protection, Paris, France, Sept. 23-26, 2001- Meeting of the world data protection officials - papers and presentations

24th International Conference on Privacy and Personal Data Protection, Cardiff, Wales, Sept. 9-11, 2002 - papers and presentations

25th International Conference of Data Protection and Privacy Commissioners, Sydney, Australia, September 10-12, 2003 - papers and presentations

26th International Conference of Data Protection and Privacy Commissioners, Wrocaw, Poland, September 14-16, 2004

European Union (EU):

• European Union Data Protection Directive
• Internal Market Directorate General (Data Protection)
• U.S. Department of Commerce, Safe Harbor Privacy Framework

Organizations:

Many organizations are working on privacy and confidentiality issues at different levels, from policy to implementation guides. The following are some of these organizations. Inclusion of these organizations does not imply any endorsement of the organizations or the positions they propound.

• Privacy.org - Information site from Electronic Privacy Information Center and Privacy International
• American Civil Liberties Union (ACLU)
• American Health Information Management Association (AHIMA). Professional association of persons engaged in health information management.
• Center for Democracy and Technology (CDT)
• Computer Professionals for Social Responsibility (CPSR)
• Electronic Frontier Foundation (EFF)
• Electronic Privacy Information Center (EPIC)
• Health Privacy Project
• Privacy International
• Privacy Rights Clearinghouse (PRC)

International Organizations

• Organisation for Economic Co-Operation and Development (OECD), Information Security and Privacy
• Council of Europe, Personal Data Protection

Policy Documents and Inquiries:

• Records, Computers, and the Rights of Citizens. Report of the Secretary's Advisory Committee on Automated Personal Data Systems, U.S. Department of Health, Education and Welfare. [July 1973]
• Personal Privacy in an Information Society. The Report of the Privacy Protection Study Commission, [July, 1977] Selected Chapters.
• Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Organisation for Economic Co-operation and Development (OECD) [September 1980]
• Privacy and the National Information Infrastructure: Principles for Providing and Using Personal Information - by Privacy Working Group of the President's Information Infrastructure Task Force. [June 1995]
• Model Code for the Protection of Personal Information, Canadian Standards Association [March 1996]
• Council of Europe - Treaties
  • Convention for the protection of individuals with regard to automatic processing of personal data [January 1981]
• Council of Europe – Recommendations and Resolutions of the Committee of Ministers
  • Data collected and processed for insurance purposes [18 September 2002]
  • Protection of privacy on the Internet [23 February 1999]
  • Data collected and processed for statistical purposes [30 September 1997]
  • Protection of medical data [13 February 1997]
  • Protection of personal data for social security purposes [23 January 1986]
  • Regulations for automated medical data banks [23 January 1981]

Privacy in the Information Age - Project of the Computer Science and Telecommunications Board (CSTB) of The National Academies. "... comprehensive assessment that will evaluate causes for concern about privacy in the information age and tools and strategies for responding." [in progress, September 2001]

Who Goes There? Authentication Through the Lens of Privacy. Report of the Committee on Authentication Technologies and Their Privacy Implications of the Computer Science and Telecommunications Board of the National Academies. Explores authentication technologies (including passwords, PKI, biometrics, etc.) and their implications for the privacy of the individuals being authenticated. [April 2003]

IDs – Not That Easy: Questions About Nationwide Identity Systems. - Report of the Committee on Authentication Technologies and Their Privacy Implications of the Computer Science and Telecommunications Board of the National Academy of Sciences. Discusses policy, procedural, and technological issues presented by nationwide identity systems [April 2002]

Privacy and Data-Sharing: The Way Forward for Public Services. Report from United Kingdom Cabinet Office, Performance and Innovation Unit, on " how public services should look to balance the individual right to privacy with the wider social benefits that data-sharing can deliver." [April 2002]

Options for Promoting Privacy on the National Information Infrastructure – Draft for Public Comment. From Information Policy Committee, National Information Infrastructure Task Force [April 1997]

Communicating Privacy Policies:

• Financial institution regulatory agencies' request for public comment on ways to improve privacy notices.
• Effective communication of information on data protection and privacy practices. Resources on improving communications between organizations and individuals about data protection. From Privacy Commissioner of Australia. [September 2003]
• Plain Language Principles and Thesaurus for Making HIPAA Privacy Notices More Readable. From Health Resources and Services Administration.[May 2003]
• Get Noticed: Effective Financial Privacy Notices. Resources from workshop of Federal Trade Commission. [December 2001]
• Plain Language Tools. Material from Office of the Federal Register on drafting government documents in plain language.
• Plain Language Action & Information Network. U.S. Government plain language initiative.

Privacy Impact Assessment Policy:

• OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002. Includes Privacy Impact Assessment guidance. [September 2003]
• Internal Revenue Service, Model Information Technology, Privacy Impact Assessment - offered by the U.S. Federal Chief Information Officer's Council
• Privacy Impact Assessment Policy, Department of the Interior
• Privacy Impact Assessment Model - Alberta Information and Privacy Commissioner
• Privacy Impact Assessment Tool - British Columbia Information and Privacy Commissioner
• Privacy Impact Assessment Guidelines- Ontario Government Management Board Secretariat [June 2001]
• Privacy Impact Assessment - An Essential Tool for Data Protection. Presentation by David H. Flaherty at the 22nd Annual Meeting of Privacy and Data Protection Officials, Venice, Italy. [September 27-30, 2000]
• Working Paper, Privacy Impact Assessment for Justice Information Systems, From Office of Justice Programs, U.S. Department of Justice. [February 2001]
• Privacy Impact Assessment: Some Approaches, Issues and Examples, by Blair Stewart, Assistant Commissioner, Office of the Privacy Commissioner, New Zealand
• Privacy Impact Assessment Handbook, From Office of the Privacy Commissioner, New Zealand [March 2002].
• Privacy Impact Assessment Policy, from Chief Information Officer Branch, Treasury Board Secretariat, Government of Canada [April 2002]

Health:

• Standards for Privacy of Individually Identifiable Health Information. – The Department has published , under authority in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) a privacy regulation applicable to health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses. The text of the regulation and other information can be found on web site of the Office for Civil Rights.
• Health Insurance Portability and Accountability Act of 1996. The Department is developing other regulations to implement HIPAA. The text of the act, recommendations for confidentiality legislation, proposed and final regulations, and other information can be reached through our Administrative Simplification web site.
  • Milestones in Health Information Privacy under HIPAA
• For the Record: Protecting Electronic Health Information - Produced by the Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure. National Academy Press, Washington, 1997. General overview of the nature of concerns with the privacy and confidentiality of health care information in the electronic age, as well as specific recommendations, with special attention to security.
• Substance Abuse Patient Confidentiality Requirements
  • Statute - Public Health Service Act, section 543 (42 U.S.C. 290dd-2)
  • Regulation - 42 CFR part 2
• Model State Public Health Privacy Act, prepared by Model State Public Heath Privacy Project, Georgetown University Law School [1999]
• The Domain of Health Care Information Privacy - Protecting Identifiable Health Care Informational Privacy: A Consensus Report on Eight Content Areas for Performance Measure Development. From Ethical Force Program of the American Medical Association.
• Health Records: Social Needs and Personal Privacy. Proceedings of a Conference sponsored by the U.S. Department of Health and Human Services. [February 1993]
• Protecting Privacy in Computerized Medical Information. Report of Office of Technology Assessment [September 1993]. From Woodrow Wilson School of Public and International Affairs OTA archive.
• Personal Privacy in an Information Society, Chapter 7, Record-keeping in the Medical-Care Relationship Portion of the report of the Privacy Protection Study Commission addressing health records. [July 1977]
• Protecting Patient Confidentiality: Final Report. Confidentiality and Security Advisory Group for Scotland (CSAGS), Scottish Executive Health Department [April 2002]
• Genetic Information – Privacy, Discrimination and Legal Issues. From National Human Genome Research Institute, NIH.
• Protecting Privacy When Using Telehealth Technology in Healthcare, Volume 1 & Volume 2. Reports with guidance for protecting patient information when using information and communications technologies to deliver care across a distance. From Telehealth Deployment Research Testbed (TDRT), sponsored by Office for the Advancement of Telehealth, Health Resources and Services Administration. [October 2002]
• Privacy Issues in Mental Health and Substance Abuse Treatment: Information Sharing Between Providers and Managed Care Organizations. Study of privacy issues with regard to what personal information should be shared for patients receiving mental health or substance abuse treatment. By Mathematica Policy Research, Inc., for the Office of the Assistant Secretary for Planning and Evaluation, January 17, 2003.

Human Services

• Personal Privacy in an Information Society, Chapter 11, The Citizen as Beneficiary of Government Assistance Portion of the report of the Privacy Protection Study Commission addressing records in public assistance and social services agencies.[July 1977]

Research:

• Confidentiality Certificates to Protect Personally-Identifiable Research Information:
  • Office of Extramural Research, National Institutes of Health
• Protecting Data Privacy in Health Services Research. Report of the Institute of Medicine with recommendations on protection of privacy and the role of Institutional Review Boards in health services research, funded by the Agency for Health Care Research and Quality and the Office of the Assistant Secretary for Planning and Evaluation. [August 2000]
• The National Cancer Institute conducted an inquiry into confidentiality issues surrounding research, with two documents:
  • Confidentiality, Data Security, and Cancer Research: Perspectives from the National Cancer Institute [March 23, 1999] and
  • Confidentiality, Data Security, and Cancer Research: Report of a Workshop [1999]
• Privacy and Health Research - Report to the Secretary of HHS by William W. Lowrance, Ph.D. on privacy and health research. [May 1997]
• Improving Access to and Confidentiality of Research Data: Report of a Workshop. Proceedings of workshop conducted by Committee on National Statistics, National Research Council, on effective use of microdata and preservation of confidentiality, particularly with use of longitudinal data linked to administrative records. [September 2000]
• Medical Research Council (MRC) of the United Kingdom. Includes:
  • Personal Information in Medical Research [October 2000]
  • Human Tissue and Biological Samples for Use in Research - Operational and Ethical Guidelines [April 2001]
  • MRC Interim Guidance on Ethics of Research Involving Human Material Derived from the Nervous System [June 2003]
• Canadian Institute for Health Information (CIHI). Privacy and Data Protection. Includes "Privacy and Confidentiality of Health Information at CIHI: Principles and policies for the protection of health information" [April 2002]
• Personal Privacy in an Information Society, Chapter 15, The Relationship Between Citizen and Government: The Citizen as Participant in Research and Statistical Studies. Portion of the report of the Privacy Protection Study Commission addressing research and statistical uses of personal information.[July 1977]
• Panel on Institutional Review Boards, Surveys, and Social Science Research, Committee on National Statistics. Panel is reviewing current and proposed methods of human subjects' protection in social science data collection. Protecting Participants and Facilitating Social and Behavioral Sciences Research (2003)
• Office for Human Research Protections of the Department of Health and Human Services.
• Archive of National Human Research Protections Advisory Committee (NHRPAC).
• Analyses and recommendations and draft documents of the Social and Behavioral Science Working Group of the National Human Research Protections Advisory Committee. On web site of American Sociological Association.
• National Bioethics Advisory Commission, Ethical and Policy Issues in Research Involving Human Participants, Volume II: Commissioned Papers, [August 2001]:(B-1) Privacy and Confidentiality: As Related to Human Research in Social and Behavioral Science, by Joan E. Sieber; and (C-1) Privacy and Confidentiality in Health Research, by Janlori Goldman and Angela Choy.
• Summary of Human Subjects Protection Issues Related to Large Sample Surveys, by Joan E. Sieber. Study prepared for Bureau of Justice Statistics, U. S. Department of Justice [June 2001]
• Canadian Institutes for Health Research. Includes:
  • Selected International Legal Norms on the Protection of Personal Information in Health Research [December 2001]
  • Secondary Use of Personal Information in Health Research: Case Studies [November 2002]
  • Draft Guidelines for Protecting Privacy and Confidentiality in the Design, Conduct and Evaluation of Health Research. Draft for comment [May 2004]
• Privacy Issues in Biomedical and Clinical Research. Board on Biology, National Academy of Sciences. Proceedings of a forum. Addresses genetic information issues [1998].
• Administrative Data for Policy-Relevant Research: Assessment of Current Utility and Recommendations for Development. Chapter 3 discusses safeguards to ensure that information on individuals and households contained in administrative databases and used for research remains confidential and that privacy interests of individuals are maintained. From Advisory Panel on Research Uses of Administrative Data, under auspices of the Joint Center for Poverty Research, funded by Office of Assistant Secretary for Planning and Evaluation. [January 1998].
• Learning from Experience : Privacy and the Secondary Use of Data In Health Research. Study from Nuffield Trust, by Dr. William W. Lowrance, of use of personal health information in research, in United Kingdom context [November 2002].
• Secretary's Advisory Committee on Human Research Protections (SACHRP)
• Social and Behavioral Sciences Working Group on Human Research Protections

Statistics:

• American Statistical Association's Privacy, Confidentiality, and Data Security Website
• Confidential Information Protection and Statistical Efficiency Act of 2002
• Confidentiality and Data Access Committee (CDAC) - Interest Group of Federal Committee on Statistical Methodology (FCSM)
• Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics. Produced by Panel on Confidentiality and Data Access, National Research Council and Committee on National Statistics. National Academy Press, 1983.