Group Finds Privacy Holes in Digital Health Records

A consumer watchdog group is warning that many leading electronic medical record systems don’t do enough to secure sensitive patient information.

“We’re alarmed about the growing use of personal health information without patients’ knowledge or explicit permission,” Ashley Katz, executive director of Patient Privacy Rights, told reporters on a conference call.

Katz’s group today released a report card evaluating the privacy protections embedded in several leading electronic medical record systems, finding that while results varied widely, many products come up short.

The push to digitize medical records, both as a means to reduce costs and improve patient outcomes, has emerged as a policy priority of the Obama administration, which backed a stimulus bill that included $19 billion to fund electronic personal health records (PHRs).

Patient Privacy Rights grades PHRs

Patient Privacy Rights has issued a privacy-oriented report card on some of the available PHRs (personal health records).

Inspection of the summary chart suggests that if you’re concerned about people accessing your information, be very cautious about using PHRs where “partners”, add-on programs or tool providers may not have clear policies telling you how they will or might use your data, or may not allow you to track who has accessed your information. While a platform may allow you to totally remove your data and information, its partners or add-on programs may not allow you to do so.

Patient Privacy Rights Prepares Report Card on PHRs (Personal Health Records)

This report card was based on what was determined to be privacy protection. Below I have listed the comments about using an employer or insurer PHR as stated on the report card: you may be giving up some privacy, with others gaining access through waivers or surveys that come with using the program. According to the study, No More Clipboard seems to be the only one receiving an “A”, with Microsoft HealthVault coming in second; the rest you can see in the image below. You can visit the links for each PHR and see the individual grading areas.

There’s also an FAQ section on how the results were obtained and areas of privacy to be aware of.

Facebook privacy revisions ‘sign post’ for healthcare

Facebook, the global phenomenon in Web-based social media, rolled out a massive overhaul of its privacy protection policies and technology this week–and in so doing may have drawn up a playbook for healthcare as well, industry experts say.

…”Every single Facebook user in the entire world has to redo their privacy settings,” said Pam Dixon, founder of the World Privacy Forum, a not-for-profit privacy advocacy group based in San Diego. “That’s a big deal. This is a proof of concept that we can in fact have granular control over sensitive data. This gives me great hope that we can tackle the issue of sensitive control of information in healthcare.”

…Peel said she often hears the argument from people working on healthcare IT standards that it is impossible to build a healthcare IT system that accommodates patient consent, but “PHRs are doing it right now. And now Facebook has access controls, too.”

Electronic health records could be a deadly target during a cyberwar

Most health officials worry about hackers stealing sensitive information such as an AIDS diagnosis from someone’s electronic medical record, but a technology manager for a health care system in the Pacific Northwest said it’s just as likely the digital files could be a target of terrorists or a nation state during war.

Countries have invested millions of dollars in computer systems to conduct a cyberwar against the United States “and the best way to do that is to destabilize the population,” said Chad Skidmore, director of network services for Inland Northwest Health Services, a network of 34 hospitals in Spokane, Wash. To do that, hackers could infiltrate health systems to change patient records so misinformation will lead to deadly consequences.

Skidmore, speaking on Friday before a health IT standards committee organized by the Health and Human Services Department, said what “keeps me up at night and fairly scared” is that an attacker could get into a system and, for example, change data fields that indicate patients who have an allergy to penicillin do not have an allergic reaction to the antibiotic. About 400 patients in the United States die each year from penicillin allergies, according to the Web site Wrong Diagnosis.
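The scenario Skidmore describes, an attacker altering a data field so that an allergy no longer appears, is an integrity failure, and the defender’s counterpart is making such edits detectable. The following is an added example, not code from the article or from Inland Northwest Health Services: it seals a constructed patient record with an HMAC so that any field change fails verification, and keeps a hash-chained audit log so that an edit made directly in the datastore, bypassing the application, leaves a verifiable gap. The record layout, the demo key, the patient data and every function name are assumptions made for this example.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real system the key lives in an HSM or key
# management service and is never stored beside the records it protects.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample record; the patient and identifiers are made up.
PATIENT = {
    "patient_id": "demo-0001",
    "name": "Constructed Patient",
    "allergies": ["penicillin"],
    "active_orders": [],
}

GENESIS = "0" * 64


def canonical(obj):
    """Serialize deterministically so equal content always gives equal bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record, key=DEMO_KEY):
    """Return an HMAC-SHA256 tag binding every field of the record to the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(record, tag, key=DEMO_KEY):
    """True only if the record is exactly what was sealed (constant-time compare)."""
    return hmac.compare_digest(seal_record(record, key), tag)


def changed_fields(original, current):
    """Name the fields that differ, so an incident responder sees what was altered."""
    keys = set(original) | set(current)
    return sorted(k for k in keys if original.get(k) != current.get(k))


def append_audit(chain, actor, action, record_id, tag):
    """Append a hash-chained audit entry; each entry commits to the previous one."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    entry = {"prev": prev, "actor": actor, "action": action,
             "record_id": record_id, "record_tag": tag}
    # The hash covers the body only; entry_hash itself is added afterwards.
    entry["entry_hash"] = hashlib.sha256(canonical(entry)).hexdigest()
    chain.append(entry)
    return entry


def verify_audit_chain(chain):
    """Recompute every link; an edited, inserted or removed entry breaks the chain."""
    prev = GENESIS
    for entry in chain:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev:
            return False
        if hashlib.sha256(canonical(body)).hexdigest() != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def demo():
    """Walk through the allergy-tampering scenario and return the detection results."""
    chain = []
    tag = seal_record(PATIENT)
    append_audit(chain, "dr_constructed", "create", PATIENT["patient_id"], tag)

    # Edit made directly in the datastore, bypassing the application: the
    # penicillin allergy is silently removed and no audit entry is written.
    tampered = dict(PATIENT, allergies=[])

    return {
        "original_ok": verify_record(PATIENT, tag),   # True
        "tampered_ok": verify_record(tampered, tag),  # False: tag no longer matches
        "altered": changed_fields(PATIENT, tampered),  # ["allergies"]
        "chain_ok": verify_audit_chain(chain),         # True: the log itself is intact
    }


if __name__ == "__main__":
    print(demo())
```

The check only helps if it is actually run: the application must verify the tag before displaying or acting on a record (for instance before an order-entry system clears a drug for a patient), and a failed verification or a broken audit chain should raise an alert rather than fall back to showing the stored value.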

Smartphones start doing the rounds

Pagers have for long been considered the doctor’s sidekick but in the United States, as hospitals face pressure for greater efficiency, smartphones are taking over.

However, the rise of smartphone healthcare comes amid added concern about patient privacy. Although apps such as AirStrip OB and mVisum are approved by the FDA (the Food and Drug Administration) and HIPAA (Health Insurance Portability and Accountability Act), some critics remain sceptical about data security.

“The problems are common to all mobile devices: encryption at rest on the device and in transit, and whether data on lost or stolen devices can be easily accessed,” says Deborah Peel, founder of the US watchdog organisation Patient Privacy Rights.

Living Online: Privacy and Security Issues in a Digital Age

Our lives are increasingly lived online. A large number of Americans routinely exchange information in cyberspace for personal, business, and other purposes. What privacy and security issues present themselves in this relatively new and increasingly ubiquitous space? What particular privacy concerns might apply when specific entities, such as the government, hold or process our information? What particular considerations might apply when the information being transmitted is particularly sensitive, such as health care information or financial information? How do privacy, security, and information ownership concerns function when information is being exchanged on social networking sites?

The November 3, 2009 event featured a lunchtime keynote address by Christopher N. Olsen, the Assistant Director in the Division of Privacy and Identity Protection at the Federal Trade Commission.

A panel discussion was held from 1 – 2:30 pm and featured:

  • Moderator, Jeffrey Rosen, Professor of Law at George Washington University and Legal Affairs Editor for The New Republic
  • Deborah C. Peel, MD, Founder and Chair, Patient Privacy Rights; Chair, Coalition for Patient Privacy
  • Lillie Coney, Associate Director, Electronic Privacy Information Center; Coordinator, Privacy Coalition
  • Alan Davidson, Director of Public Policy, Google

Tuesday, November 3, 2009
11:30 am – 2:30 pm
Center for American Progress
1333 H. Street NW, 10th Floor
Washington, DC 20005

Smartphones increase trust among doctors; privacy concerns for patients

“The problems are common to all mobile devices: encryption at rest on the device and in transit, and whether data on lost or stolen devices can be easily accessed,” says Deborah Peel, founder of Patient Privacy Rights.

Peel’s concerns should not be taken lightly; security and privacy cannot be an afterthought for any wireless health solution that includes personal health information. BlackBerry-maker Research In Motion’s Fraser Edwards shared similar concerns to Peel’s during an interview with MobiHealthNews earlier this year. Edwards said that BlackBerry Enterprise Server tools enable the IT group in a care facility to enforce passwords on a device, to ensure that the device’s external memory card is encrypted, and to remotely wipe a device should it be lost.

Employers after DNA: GINA does not protect like you think.

See this CBS News article: Want A Job In Akron? Hand Over Your DNA

The idea that GINA protects genetic tests from being held or used by employers and insurers is wrong. Genetic tests ordered by your doctor at any other time–when you are NOT seeking a job or insurance–can be collected and used by your employer and insurer to make decisions about you.

Lobbyists for the insurance industry and employers got this massive loophole into the bill, eliminating the intended consumer protections. Instead GINA should have forbidden employers and insurers to ever collect or access genetic tests.

This is one of the key reasons we need Congress to restore OUR rights to control our personal health information, so WE can make sure employers and insurers do not get our genetic records. Genetic information is so sensitive it should ONLY be seen by health professionals directly involved in our treatment, or if we choose to participate in research and share it.

Want A Job In Akron? Hand Over Your DNA

It’s not unusual for employers to conduct criminal background checks during the hiring process. But the University of Akron has taken this to a surprising new level. The Ohio school now reserves the right to require any prospective faculty, staff, or contractor to submit a DNA sample, which genetic-testing experts say makes it the first employer in the nation to take such an extreme and potentially intrusive step.

The new policy, which says a “DNA sample for purpose of a federal criminal background check” may be collected, took the campus by surprise after it was announced last week. An adjunct faculty member has resigned in protest and is contemplating a lawsuit, and the local chapter of the American Association of University Professors says that genetic testing violates a collective bargaining agreement.

“At any number of levels, it’s alarming,” says Stephen Aby, a professor of bibliography who is the past president of Akron’s AAUP chapter. “It’s awfully broad. It gives them the discretion to do fingerprinting or DNA testing as they see fit.”

Adopting the policy, which the university’s board of trustees did in time for the fall semester, appears to violate a federal law that takes effect on November 21 called the Genetic Information Nondiscrimination Act, better known as GINA. It also could conflict with the Americans with Disabilities Act.