Privacy concerns remain barrier to health information exchanges

A new report on health information exchange says state public-private health information exchange organizations are making progress in some areas, but the question of privacy remains a hurdle.

The report was released Monday by the American Health Information Management Association and the Office of the National Coordinator for Health Information Technology at a joint conference.

ONC chief Robert Kolodner, MD, said one barrier to HIE growth is the lack of trust across all stakeholders. Governance must include all stakeholders or “solutions are sub-optimized,” he said. Now is “a pivotal time” for building sustainable health information exchange, he added.

Preliminary findings in the report issued by AHIMA’s Foundation of Research and Education said goals for improving quality threaten HIE development by creating competing demands among stakeholders.

Genetic testing co. spurs privacy, ethical questions

A new company that offers genetic testing presents a privacy issue, according to patients’ rights advocates.

Navigenics officially launched its company after closing on a $25 million investment from Kleiner Perkins Caufield & Byers, Sequoia Capital and Mohr Davidow Ventures. The Redwood Shores, Calif.-based biotechnology firm will conduct whole genome scanning and analysis to help customers determine genetic material that could lead to diseases later in life.

The hope is that customers will use the information to develop preventive techniques and improve their healthcare.

However, individual patient information is still vulnerable in electronic health systems, and it would be difficult for customers to determine whether any company is selling their data to third parties, said Deborah Peel, a psychiatrist and founder of the Patient Privacy Rights Foundation.

Is There a Heart Attack In Your Future?

What are the chances that you will get heart disease, or Alzheimer’s? Or that you’ll get fat? New genetic tests will soon be available to offer people answers to these questions and more, assessing their risk for a range of conditions based on a sample of saliva.
It’s one of the promises of the genetics revolution: Putting personalized medical information directly into the hands of individuals so they can make informed choices about their health. Yet despite the potential, there are several reasons people might not yet embrace such tests — including skepticism about their scientific soundness, steep prices and insurance and privacy issues.
Indeed, many genetic experts believe predictive gene-based tests aren’t ready for wide use. Besides questions about accuracy, there is also the issue of how useful the answers will be. There’s no evidence, many physicians say, that people will act on such information to lead healthier lives. Little is known about the interplay of genetic and nongenetic factors such as diet, exercise, smoking and pollution that also affect a person’s risk for disease. And few doctors are well-versed in how to interpret genetic tests or what to tell patients based on the results.
One such test is set to be announced today by Navigenics Inc. of Redwood Shores, Calif. Called Health Compass, the test will be available starting early next year and will be offered directly to consumers via the Internet — circumventing the traditional doctor-patient relationship. The company believes people will want to take the $2,500 test when they’re healthy, and then make lifestyle and other changes to avoid or delay disease. Results, which will be posted on a Web site that customers access with a password, will tell consumers their risk for more than 20 conditions, including diabetes, obesity, prostate cancer and glaucoma. Consumers would learn how their risk compares with the general population’s, and what strategies they can follow to possibly reduce their chances of developing it.
“When you’re reading your genetic risk and you realize that you might get this disease, that’s when it’s real and relevant,” says Mari Baker, chief executive of the San Francisco-based start-up. For consumers, the test will say, “What I might get and what I might start doing today so I don’t get it in the future.”
Another company, 23andme Inc. of Mountain View, Calif., is working on a similar direct-to-consumer test that outsiders say will provide gene-based ancestry and health-related information. The company isn’t providing details until it is ready to launch the product, possibly by the end of the year.
These tests are part of a larger rush to capitalize on the growing body of genetic information that has been emerging since scientists finished mapping the human genome. Silicon Valley venture-capital firms Kleiner, Perkins, Caufield & Byers and Sequoia Capital are among Navigenics’ backer, while biotech giant Genentech Inc. and Google Inc. are among those financing 23andme.
{“Don’t ever get a genetic test unless you use an alias. It is simply not safe—although state laws and medical ethics say that your test results cannot be disclosed without your consent, in reality there is no way any of us can control our personal electronic health information. The electronic healthcare system is NOT set up to ensure that we control all access to our health information. And there is no federal law to stop employers or insurers from using genetic data to discriminate against you and your children and relatives. The vast majority of electronic health systems in use today everywhere in America are set up to facilitate the data mining and theft of our health records. Even companies that offer genetic tests directly to consumers cannot be trusted. Many sell the data to other users, sometimes they say the data is aggregated, sometimes not. Aggregated data can easily be re-identified. There is NO WAY to tell which companies sell your genetic data and which do not, because using your personal health information for business purposes without your consent is legal under the gutted misnamed HIPAA Privacy Rule.” ~Dr. Deborah Peel, Patient Privacy Rights}

U.S. System of Oversight of Genetic Testing: A Response to the Charge of the Secretary of HHS

Since the launch of the Human Genome Project, genetic testing has been adopted increasingly into standard practice for diagnosing and managing disease, expanding on its roles in predicting the risk of future disease and informing decisions about life planning and behavior change.

Since the launch of the Human Genome Project, genetic testing has been adopted increasingly into standard practice for diagnosing and managing disease, expanding on its roles in predicting the risk of future disease and informing decisions about life planning and behavior change. Today, genetic tests use combinations of biochemical, cytogenetic, and molecular methods to analyze deoxyribonucleic acid (DNA), ribonucleic acid (RNA), chromosomes, proteins, and selected metabolites. Advances in genetics research are enabling improved prevention, treatment and disease management for common chronic conditions such as cancer, heart disease, and diabetes.

As genetic testing technology is integrated into health care, increasingly detailed information about individual and population genetic variations becomes available to patients and providers. More and more, health professionals are turning to genetic testing to assess the risk of disease in individuals, families, and populations and using this information to guide healthcare decisions. Yet availability of this information requires significant support for efforts to understand its validity, interpretation, and utility in clinical and personal decisionmaking. Scientific and technological advances in genetic testing present certain challenges to existing frameworks for regulation and oversight. It is critical to anticipate and adapt to the impacts of these advances on individual health care and public health.

The significance of the information that can result from genetic tests, their expanded use of genetic testing in clinical practice and public health, and the pace and extent of technological change in the ways testing is performed, have prompted efforts to examine the current systems of oversight and regulation of genetic tests and test results. The Secretary’s Advisory Committee for Genetics, Health, and Society (SACGHS) first identified oversight of genetic tests as a priority area in 2004. After several years of monitoring the issue, SACGHS began a concentrated effort in 2006 to assess the various systems of oversight that play a role in genetic testing. Like SACGT, the Committee’s overarching concern was the adequacy of the oversight system and whether there were gaps in it that could lead to harms in public health. In March 2007, HHS launched the Personalized Health Care (PHC) Initiative to advance the integration of genomic technologies that are capable of tailoring treatment and prevention strategies to each patient’s unique genetic characteristics and individual needs into general health care.

Maryland board can’t punish doctor for defending privacy of patients

A Maryland appeals court handed a victory to a physician who stood up to the state medical board in defense of his patients’ privacy rights.

Judges unanimously found that Bethesda, Md., psychiatrist Harold I. Eist, MD, did nothing wrong when he refused to immediately turn over medical records for three of his patients to the Maryland Board of Physicians because the patients objected.

The agency charged Dr. Eist with failing to cooperate with an investigation into his conduct and levied a $5,000 fine against the doctor.

Dr. Eist said he was just honoring his patients’ wishes. If they knew their confidentiality could be compromised, “it would devastate the trust people have built up over the centuries in the doctor-patient relationship going back to the Hippocratic oath,” said Dr. Eist, a former American Psychiatric Assn. president.

The Maryland Court of Special Appeals agreed and said the board cannot ignore patients’ constitutional rights to medical privacy when investigating a third-party complaint.

{Finally the courts stopped the over-reaching Maryland board. The board asserted that its rights to investigate a complaint trumped patients’ rights to the privacy of their mental health records. These patients did not want the board investigating a complaint against their doctor filed by the estranged parent to see their records. The board simply refused to consider the patients’ rights. This decision means that licensing boards have to show good reason to override patients’ Constitutional rights to privacy before they can access records. Dr. Eist was fined and reprimanded by the Maryland licensing board when he appropriately tried to uphold his patients’ legal rights to withhold consent.}

Online privacy policies need work, advocates say

Online privacy policies need to be easier to understand and more conspicuous because few people now actually read them, said panelists at a U.S. Federal Trade Commission workshop on targeted online advertising.
While privacy policies can help users understand what personal information is being collected, they often need “college-level reading skills” to understand them, said Lorrie Faith Cranor, a Carnegie Mellon University computer science professor who’s done research on privacy policies.
Cranor suggested FTC action may be necessary to help standardize privacy notices online. “We should look at the whole picture and think, ‘Do we need nutrition labels for privacy?’” she said during the second day of an FTC workshop examining concerns about targeted online advertising.
Representatives of Microsoft, Google and Yahoo told audience members they’re working to make privacy policies easier to understand and notices about data collection more immediate.
Representatives of eBay and Yahoo said their companies are experimenting with small question-mark shaped links on targeted ads that explain why a customer was shown the ad.
Microsoft tries to provide frequent links to its privacy policy, and makes it available every time customers sign up for a service, said Peter Cullen, chief privacy strategist at Microsoft. “Now, do we make sure they have to scroll through the short-form [privacy] notice?” he said. “No, because in all honesty, our customers have said that’s overdoing it.”
But Esther Dyson, Internet policy commentator and founder of, called on online advertising companies to use the same “brilliance” they have for delivering targeted ads to deliver targeted privacy policies and data-collection warnings to individual Web users.
{~“Online privacy policies are often impossible to read. But if you do actually read them, they typically inform you that you have no control over your personal information the website collects. The problem is that the value of personal information is so great, that corporations steal it by burying what they are doing in the terms of use agreement on the website. Then they sell it. Americans MUST demand REAL control over all personal digital information, not just sensitive health data. We don’t need more readable policies, we need Congress to restore our rights to privacy and stop the theft of our data.” Dr.Deborah Peel, Patient Privacy Rights}

The new urgency to fix online privacy

A decade ago, I started writing about online privacy issues. At the time, legal colleagues told me that while they found the topic interesting from an academic standpoint, it had no real world applications. They encouraged me instead to focus on “real” upcoming problems, like Y2K.
Undeterred, I explained that there would come a time when good privacy translated into good business, and bad privacy meant horrible business. That time has arrived.  Y2K came and went without much lasting effect. But privacy protection  has become a real world industry of its own. Unfortunately, privacy and security breaches regularly occur these days. Indeed, the recently concluded meeting of the International Association of Privacy Professionals in San Francisco bore witness to just how important privacy issues have become to businesses, government, educational institutions, and of course, individuals
With hundreds of privacy and security professionals in attendance, the sponsor list included the expected roster of companies from the technology sector. But you also found companies from outside the tech world, like Chevron, and Deloitte, Ernst & Young, and PriceWaterhouseCoopers. The common theme: it’s high time to find privacy solutions that really work.
Privacy is like oxygen. You don’t normally pay attention but when it is gone, the problem is immediate and real. So it was that the conference hosted numerous breakout sessions over the course of three days, ranging across issues that arise in financial services, marketing, health care, retail, government, human resources, children, higher education, international, and technology.
{The greatest need for privacy protections and individual control of personal data is for the nation’s electronic health information. The conference the author mentions did not even discuss the total absence of health information privacy—probably because no one familiar with electronic data systems knows that Americans’ electronic health records and data are the least protected and most stolen electronic data of all. ~ Dr. Deborah Peel, Patient Privacy Rights}

Ethics, respect key to privacy – then IT

It’s been a month abuzz with George Clooney. You know who he is the I’m-not-a doctor-but-I-used-to-play-one-on-TV guy. He was pre-McDreamy handsome as Dr. Doug Ross on ER. Then he went on to become a big film star, director and producer. Still handsome.

He’s such a public figure, and we (a lot of us) have followed his career as he’s ticked off one film success after another. Perhaps that’s why some members of the staff at Palisades Medical Center might have felt it was OK to check on George’s medical record. What could it hurt?

Clooney was treated at the New Jersey hospital after a minor motorcycle accident. Twenty-seven staff members have been accused of taking a peek at his records an unauthorized peek.

The hospital’s union chief did not defend the action, but she said the hospital acted too quickly when it suspended the 27 staff members for one month without pay. Some of the people suspended may have been authorized, she said.

Well, OK. The hospital needs to sort that out. We expect it’s on the case right now checking authorizations, procedures and technology.

One reason the Clooney incident has garnered so much attention here at Healthcare IT News and around the country is that it has put the spotlight on privacy concerns.

Healthcare IT News received more letters on this issue in the past month than we have in the past year.

Some who wrote letters said the penalty was not severe enough. They would have fired the rule breakers.

Others took the opportunity to point to how vulnerable our privacy has become. If it happened to Clooney, it could happen to any one of us. Perhaps dozens of people would not be interested in our condition. But a friend, neighbor or family member might be and perhaps could rationalize taking a quick look at a record that is supposed to be accessible to the patient and those who need it to provide the patient’s care.

“The combination of technology and the right value system can’t single-handedly solve everything, but it does put a hospital on solid footing,” Robert Seliger, co-founder and CEO of Sentillion, an access management vendor, told Healthcare IT News Managing Editor Eric Wicklund. “It is very difficult to practice respectful privacy and deliver healthcare these days while using IT to do both,” he added.

Seliger is right. There are many people today working on this very issue.

Among them are Deborah Peel, MD, a psychiatrist and privacy rights activist, and the group of people who make up the Healthcare Information Technology Standards Panel (part of the American Health Information Community). The panel just released a set of standards aimed at keeping medical information secure in an electronic environment. If you think it’s simple, take a look at the so-called “constructs.”

Peel and the bi-partisan Coalition for Patient Privacy are  urging Congress to build ironclad privacy protections into electronic health systems up front.

All of this work and advocacy is laudable, and it must continue. But, as we are often reminded by CIOs and IT directors across the country, technology can’t fix bad processes.

Both the processes and the technology have to be right, in sync and informed by a healthy dose of ethics, common sense and respect for the spirit as well as the letter of the law. Then George Clooney and the rest of us will have a better shot at privacy.

Privacy goes Public

When it comes to advancing healthcare IT you’re more likely to hear about standards, interoperability, sustainability and affordability before you’ll hear about privacy. Most smart legislators and federal officials know to mention it in their second breath or in the fine print, but not front and center.

I’d venture to guess that recent turn of events are going to change all that.

Deborah Peel, MD, staunch activist for privacy, practicing psychiatrist and founder of the Patient Privacy Rights Foundation, won some major ground last month in her effort to capture attention everyone’s attention on the issue of privacy and medical records.

First, Microsoft, Inc. launched a platform Oct. 4 for personal health records that will strictly abide by privacy standards that Peel and a coalition of activists agree will keep control in the patient’s hands.

Now suddenly the radar is bleeping with activity. This has private industry’s attention. Will everyone in the healthcare IT business have to decide to abide by the privacy principles Microsoft has embraced or be left behind? Peel thinks so.

To back that up, Peel and the Coalition for Patient Privacycame to Capitol Hill Oct. 18 to formally urge Congress to pass basic privacy protections this year. “Setting national privacy standards is a job for Congress, not unelected agency appointees, who for the most part represent industry,” they said.

Presidential hopeful Hillary Clinton (D-N.Y.) gave an address at the Kaiser Family Foundation in Washington, D. C. on the same day, endorsing healthcare IT as a cornerstone of improving America’s floundering healthcare system. She proposed a healthcare IT bill this summer with what some would call strong privacy language.

But not strong enough for Peel, who says she has yet to see a bill coming out of Washington with the kind of protection Americans need to ensure their lives are not destroyed by rampant exposure of private health and genetic information that could bring about prejudice in the workplace, at a very minimum.

As if on cue, a bevy of curious healthcare workers took a peek at George Clooney’s medical records last month, causing swift disciplinary action by Palisades Medical Center, where Clooney was being treated. A media blitz ensued, rounding off a month unlike any we have seen when it comes to shedding light on the issue of privacy.

Online Marketers Joining Internet Privacy Efforts

Most consumers are familiar with do-not-call lists, which are meant to keep telemarketers from phoning them. Soon people will be able to sign up for do-not-track lists, which will help shield their Web surfing habits from the prying eyes of marketers.

Such lists will not reduce the number of ads that people see online, but they will prevent advertisers from using their online meanderings to deliver specific ad pitches to them.

Today the AOL division of Time Warner will announce a service of this type, which will be up and running by the end of the year. Other programs are likely to be articulated soon, as online advertisers prepare for a two-day forum on privacy to be held by the Federal Trade Commission.

AOL says it is setting up a new Web site that will link consumers directly to opt-out lists run by the largest advertising networks. The site’s technology will ensure that people’s preferences are not erased later.

{It is very welcome news that AOL and other commercial websites will soon let consumers opt-out of online advertising and data collection by advertisers. This service is desperately needed for health-related websites that track and sell personal data on our interest in specific diseases, medications, and treatments. Today nothing—no law or regulation—prevents any website from using and selling information about our health searches. Microsoft’s HealthVault is the first health website we know of that explicitly states that search data will not be sold or shared, and that search data will be totally deleted in 90 days. The egregious industry-wide practice of stealing personal data about health interests and searches is very exploitive. People who are scared about being sick themselves or want to learn about an illness or treatment options for someone close are being taken advantage of when they are vulnerable. When health information is collected and linked with all other financial and commercial information being collected about us, we have NO privacy. Private corporations, employers, government agencies, and even political parties can and will use health records and health searches to discriminate against us or target us. ~ Dr. Deborah Peel}