De-identified? Yeah, right.

See these articles:
Netflix Contest Seen As Posing Privacy Risk
Netflix is about to commit a privacy Valdez with its customers’ viewing data
AOL, Netflix and the end of open access to research data

Once again Netflix plans to violate the privacy of those who rate the movies they rent. Two University of Texas computer scientists demonstrated that the Netflix database of 500,000 with movie ratings could be re-identified, revealing sensitive political and sexual preferences of the actual people who rated movies. Netflix did not get the consent of renters to expose their ratings to the public or to researchers.

Yet Netflix is moving ahead to release even MORE personal data for its next million-dollar contest. The major media (NYT’s Steve Lohr for example) has NOT reported at all on how Netflix is violating movie renters’ privacy, but instead trumpets the prizes paid to those who develop more accurate ways to predict which movies you will want to watch next.

The problem of re-identification is VERY serious for the healthcare system because health data is impossible to de-identify. It is so rich in detail that de-identification is almost impossible.

Today, the treasure trove of all Americans’ sensitive health data is being endlessly used and disclosed without informed consent to millions of “covered entities” and “business associates” (and their millions of employees)–subjecting EVERY American to the theft, sale, and misuse of the most sensitive personal information that exists.

Who will hire you knowing all about your prescriptions, illnesses and genes?

NebuAd Halts Plans For Web Tracking

Tech firm NebuAd has put on hold plans to widely deploy an online advertising technology that tracks consumers’ every Web click while Congress reviews privacy concerns associated with the technique.

The Silicon Valley company announced this week that founder and chief executive Bob Dykes was resigning. His departure comes as a number of Internet companies have suspended or canceled trials of NebuAd’s controversial tracking technique, known as deep-packet inspection, marketed to companies seeking to target ads to Web users.

“Our platform was architected to be a multi-channel ad system,” spokeswoman Janet McGraw wrote in an e-mail. “With the Internet service provider channel currently on hold with the events of the summer, we have broadened the focus of our business but continue to enhance our technologies for that ISP channel.”

Healthcare moving to Cloud Computing

Joe Conn looks more deeply into the problems of ‘cloud’ computing for the storage, exchange, and analysis of health data. See his article in Modern Healthcare: ‘Healthcare is slow to change’ to cloud environment

Today there is not yet a trusted organization to certify the privacy of electronic health records systems, whether on servers or in clouds.

Until the privacy of health data can be assured first with trusted security certification and then with a separate stringent privacy certification (proving that patients control the use and disclosure of their sensitive records) Americans will not trust that their data is safe.

Proof that consumers control personal data in clouds will be essential for trust in health IT.

So far all we have are promises of security and privacy. We won’t trust without verification.

Who is tracking YOU?

On the Internet ALL your health searches about scary and stigmatizing illnesses, all searches or purchases of books on health, and all searches or purchases of medications and devices are tracked and sold.

It is impossible to search for health information privately via Google, etc.

Health websites take massive advantage of Americans’ powerful expectations that ALL healthcare providers put their interests and their privacy first—expectations which come from the traditional doctor-patient relationship and the ethics that have governed Medicine for 2,400 years (derived from the Hippocratic Oath).

Americans are not yet ready to believe that every aspect of healthcare in the US is profit-driven, rather than driven by the ethical codes all health professionals swear to at graduation: the promises to “do no harm” and to “guard their secrets”.

Americans are not yet ready to believe that Wall Street has taken over Medicine—and that instead of guaranteeing the strong health privacy rights Americans have under the law, Wall Street erases our rights to ensure shareholder profits.

‘Healthcare is slow to change’ to cloud environment (Part II)

Cloud computing is not just on the healthcare horizon. Partial and pure-play cloud computing architectures are already serving healthcare information technology needs in the U.S.

…When it passed the stimulus act, Congress included several more stringent privacy provisions, including several taking direct aim at vendors of PHR systems, cloud-based or not. The new law sought to place PHR vendors under the same privacy and security rules as hospitals and office-based physicians and other so-called “covered entities” pursuant to the Health Insurance Portability and Accountability Act of 1996. Google and Microsoft Corp. have expressed varying degrees of reluctance toward acknowledging their PHR operations have HIPAA obligations…

Privacy advocate Deborah Peel said renting servers and storing healthcare information in large “ultra-secure facilities,” typical of cloud computing operations, “has always made sense to me. Servers in closets are going to go the way of dinosaurs. They just have to.”

But to allow a company to move healthcare data around a cloud “anywhere in the world is going to be a nightmare,” said Peel, a psychiatrist and the founder of the Austin, Texas-based Patient Privacy Rights Foundation.

“Where are the servers? If data is moved among various facilities, who certifies security among them? You get into the weakest link problem,” which, she said, might also include legal issues if the data is stored in a country with weaker privacy standards than the U.S. Not that the U.S. is a global paragon for privacy rights, according to Peel. “It’s kind of ironic to say they ought to be in the U.S., because the U.S. may not be the best place in the world, but it has to start somewhere,” she said.

And You Thought a Prescription Was Private

Randee Lonergan says a pharmacy sold her prescription history to a local Target without her knowledge.

MORE than 10 years after she tried without success to have a baby, Marcy Campbell Krinsk is still receiving painful reminders in her mail. The ads and promotions started after she bought fertility drugs at a pharmacy in San Diego.

Marketers got hold of her name, and she found coupons and samples in her mail that shadowed the growth of an imaginary child — at first, for Pampers and baby formula, then for discounts on family photos, and all the way through the years to gifts suitable for an elementary school graduate.

Deborah Peel, a psychiatrist in Austin, Tex., who lobbies for privacy rights, said she predicts “a looming battle between the data thieves and those that believe in constructing a digital universe with even stronger protections for the privacy of personal information than we have in the world of medical records on paper.”


New Epidemic Fears: Hackers

The government is committing billions of dollars for technology systems that help healthcare providers share information. But making patient data more accessible has the unpleasant side effect of it potentially falling into the wrong hands.

Under the Obama administration’s stimulus bill and other proposals, portions of a $29 billion fund are available to reimburse hospitals and doctors’ offices that invest in electronic records systems and other software that might improve care and lower health-care costs. The government has stressed the need for increased security as part of this digitization initiative, but hasn’t yet proposed mechanisms for how the data will be protected.

Now, many privacy advocates are concerned the administration’s effort could end up making health information less secure. “If there isn’t a concerted effort to acknowledge that the security risks are very real and very serious then we could end up doing it wrong,” says Avi Rubin, technical director of the Information Security Institute at Johns Hopkins University.

Security and Hacking, Real Fears

See the WSJ Article: New Epidemic Fears: Hackers

Securing health records in small doctors’ offices and clinics is not easy: small offices can’t afford Fort Knox-style data protection measures, like hiring security experts to make sure hackers aren’t getting into their systems. Even if electronic health records software includes encryption and other security features, that doesn’t mean those features will be turned on and used.

• Now, many privacy advocates are concerned the administration’s effort could end up making health information less secure. “If there isn’t a concerted effort to acknowledge that the security risks are very real and very serious then we could end up doing it wrong,” says Avi Rubin, technical director of the Information Security Institute at Johns Hopkins University.

• “As more information is shared, it is subjected to the weak-link effect.”

• Mr. Osteen’s efforts to safeguard information won’t be useful if smaller providers he shares it with haven’t made the same kind of security investments.

Job 1 for the AHIC successor? — by Nancy Ferris

Notice how the for-profit research industry wants access “baked” into all EHRs up front for research uses, to avoid getting individuals’ consents.

They call this a “value case” for the nation’s electronic health system. What great Lakoffian re-framing and propaganda. How do you argue against “value”?

It’s a “value” alright, just not a “value” for patients, because it sets up a system that is both unethical (no consent) and illegal (violates Americans’ longstanding rights to privacy).

The story says the research industry wants open access to “de-identified” data, but that is NOT what they tell Congress or the regulators. They say they must have access to longitudinal data, which CANNOT be de-identified, because most research cannot be conducted using de-identified data.

The new AHIC 2 will be industry-driven and industry-paid for, with so-called “standards” being devised to meet the needs of corporations, not to adhere to the laws and ethics that governed healthcare until the ’90s and the advent of electronic systems for health data.

Today there are ‘smart’ technology solutions to make consent easy, cheap, understandable, and instantaneous (see the consents on HealthVault by application partners for a preview of how simple and clear and specific consents can be). Electronic consents can be interactive and actually explain things, rather than be densely written in legalese so no one understands them.

Why continue to use the kind of privacy-violating blanket coerced consents that were necessary in the paper health system? ‘Smart’ technologies can do a far better job. Using robust consent management tools, we can obtain valid and easy-to-understand specific, time-limited, and cheap consents from millions instantaneously.


Bill O’Reilly is REALLY worried about the loss of his personal medical privacy…

So much so that he repeatedly returned to the topic while debating health care reform last night.

See Editorial with Video

68% of Americans share his fears and “Have Little Confidence that Electronic Health Records Will Remain Confidential” (see: Past Meetings: 7/21/09, slide #3 of the “Privacy and Security Work Group: Recommendations” presentation on the HIT Standards Committee website at:

O’Reilly debated with a doctor who doesn’t seem to know that we have no control over our personal electronic health records, the massive damage that already causes, and how much more we will all be harmed if the Administration does not stop health IT systems from violating our privacy. Patient control over personal health information must be built into every electronic system up front.

Republicans, Democrats, Libertarians, and the majority of Americans REALLY care about health privacy. The national consensus is that we should control who sees our health records, which has been our legal and ethical right since the nation’s founding. Restoring the right to control PHI in electronic health systems will quell fears that the majority have about electronic systems.

Quotes from the story:

• O’Reilly demonstrated his primary fear – almost panic – over the assumption that his medical records may not be private any more if President Obama passes some version of his healthcare bill. But enough with the foreplay — O’Reilly dived right into his main fear. “My health records which are now in the hands of my private physician . . . they’re gonna be in Washington, right, so every malady that I have is gonna be seen by people in Washington. I don’t want that, do you want that?”

• After a little back and forth on the issue, O’Reilly repeated, “On a computer disk in D.C. will be what’s wrong with me . . . based on my medical history. It makes me very, very nervous.” Yes, we noticed.

• O’Reilly, again, focused worriedly on the privacy issue. “Let me ask you this,” O’Reilly posited. “It worries me that my medical history and your medical history is now gonna be on a disk in Washington, D.C., rather than the confidentiality of a doctor-patient, which we have had in this country for decades – that’s gone.”

• “The data is going to go to a bank in Washington, D.C.,” O’Reilly fretted. “ . . . I’m talking about you, Dr. Marc Lemont Hill, having a condition . . . with his program, it goes to D.C. and the bureaucracy decides how to treat you, not your physician. Doesn’t that worry you?”

• “So you don’t mind having your condition – whatever it may be – leave your doctor’s office and go to D.C. . . ,” O’Reilly said.

• O’Reilly hammered the privacy issue, once again, saying, “It’s going to a database that can be accessed . . . okay, if you don’t mind it, I do, and that’s a big concern of mine. We don’t have any privacy as it is in this country . . . .”

• Hill pointed out the bigger issue than the privacy of medical records (to most Americans, but not to O’Reilly) is 50 million uninsured Americans – and said that President Obama addressed that in the press conference.

• But the biggest question of all – what’s O’Reilly’s medical condition? The one O’Reilly is terrified might fall into the hands of the government? Is it really so awful that O’Reilly (not usually one to worry about privacy) is willing to kill health care reform just to protect it?