Health Affairs Briefing: Stimulating Health Information Technology

Deborah Peel, MD– Founder & Chair of Patient Privacy Rights– is one of the speakers at this open event, happening March 10th, 2009 in Washington, DC.

There is widespread agreement that greater investment in information technology (IT) is critical to reforming U.S. health care. The use of such technologies as electronic health record systems, personal health records, e-prescribing, and computerized physician order entry holds the potential for vastly improving care at a reasonable cost. The recently enacted economic stimulus legislation included just over $19 billion for health information technology, so major public and private investments in the sector now lie ahead.

At this crucial moment, Health Affairs devotes its forthcoming March-April 2009 issue to health IT—its transformative promise, but also the challenges to its adoption and the substantial dangers it could pose if that adoption is not done right. The issue will be released at a briefing on Tuesday, March 10, at the JW Marriott in Washington, D.C. At the briefing, speakers will discuss the public policy issues surrounding health IT, particularly those raised by the health IT provisions in the stimulus package. Speakers will also discuss pioneering health IT initiatives, the privacy concerns raised by health IT, and industry health IT innovations.

The briefing and the new Health Affairs issue are supported by grants from the Markle Foundation, the California HealthCare Foundation, and the federal Agency for Healthcare Research and Quality.

Here are the details:

WHEN: Tuesday, March 10, 2009, 9:00 a.m. 12:30 p.m.
WHERE: JW Marriott [Metro Center], 1331 Pennsylvania Ave., NW, Washington, DC, 20004
RSVP:
RSVP online for this event here. For more information call Staci Gorden at 301-652-1558.

SPEAKERS:

Carol Diamond, The Markle Foundation
Linda Dimitropoulos, RTI International
Colin Evans, Dossia Consortium
Robert Kolodner, Office of the National Coordinator for Health Information Technology*
Louise Liang, Kaiser Permanente
Deven McGraw, Center for Democracy and Technology
Farzad Mostashari, New York City Department of Health
Peter Neupert, Microsoft Health Solutions Group
Neal Patterson, Cerner Corporation*
Deborah Peel, Patient Privacy Rights Foundation
Mark Smith, California HealthCare Foundation
James Walker, Geisinger Health System
Jonathan White, Agency for Healthcare Research and Quality

* Invited Speakers

See Full Event Info

From Sharing Music to Sharing Medical Records

Scientific American gets it. Do you? View story here.

Dr. Eric Johnson’s latest study is out. Our job is to inform the public and Congress, who are continually being falsely reassured that health IT systems are secure and private by spinmeisters for the insurance, hospital, drug, Health IT, and health data mining industries.

Industry’s blatant false promises of security and privacy are something we have been urging FTC to investigate (as false and deceptive trade practices) and the new Administration should understand to ensure that the stimulus funds are not spent on primitive health technologies with abysmal security and no consumer control over PHI. We need ‘smart’ health IT, ‘smart’ human processes, and we need the health care industry to step up and use them, so we have trusted electronic systems and don’t waste the stimulus billions.

See Dr. Johnson’s paper here.

The research examined samples of health-care data disclosures and search activity in peer-to-peer file sharing networks of the top 10 publicly traded health care firms (using Fortune Magazine’s list) over a two-week period. More than 500 hospitals were represented in the 10 organizations. 3,328 files were collected for the study.

•”data losses in the healthcare sector continue at a dizzying pace”
•”Far worse than losing a laptop or storage device with patient data (Robenstein 2008), inadvertent disclosures on P2P networks allow many criminals access to the information, each with different levels of sophistication and ability to exploit the information.”
•”Many of the documents were leaked by patients themselves. For example we found several patient-generated spreadsheets containing details of medical treatments and costs–likely for tax purposes.”
•”we found a hospital-generated spreadsheet of personally identifiable information on recently-hired employees including social security numbers, contact information, job category, etc”
•”For a hospital system, we found two spreadsheet data bases that contained detailed information on over 20,000 patients including socials security numbers, contact information, and insurance information.”
•”For a mental health center, we found patient psychiatric evaluations.”

Where is the mainstream and trade journal reporting on this???

Hospital Workers Sharing Music? They May Also Be Sharing Your Medical Records

Health care workers using Gnutella or other peer-to-peer (P2P) networks to share music and video, may be putting you at risk for medical identity theft, Dartmouth researchers find.
If Pres. Obama has his way, the medical records of every American will be digitized by 2014. The stimulus package (read the text here) includes $19 billion in funding to pay for the effort and calls for the appointment of a chief privacy officer to advise the U.S. Department of Health and Human Services on how best to protect this sensitive information. If a new study of how easily your medical records can be found online by others is any indication, the new chief privacy officer (to be appointed over the next 12 months) will have his work cut out for him because an increase in digital medical records would likely mean an increase in medical identity theft.
Using software written specifically for scanning Internet-based peer-to-peer (P2P) file sharing networks, Eric Johnson, an operations management professor at Dartmouth College’s Tuck School of Business in Hanover, N.H., and colleagues recently found confidential medical files, involving thousands of people, including patient billing records and insurance claims containing Social Security numbers, birth dates, medical diagnoses and psychiatric evaluations. (The same type of information could have been found without the special search software, although not as quickly because the researchers would have had to search individual computers on each of the P2P networks they visited.)

Identity Theft Through Your Health Records

This post reflects on the article in the Denver Post: Uncovering the Identity Trade Business.

This story details identity theft by a Denver hospital employee. It is a single instance, but it shows how easy it is for any hospital employee, anywhere to steal patients’ identities.

Hospitals will become a major source for identity theft because today’s primitive, poorly designed health IT systems allow thousands of employees access to all patient information–including what’s needed to steal identities. Not only can thousands of hospital employees see every patient’s medical records (think George Clooney and Farah Fawcett–whose records were sold to the Enquirer), they can see and steal the demographic and financial information too.

For whatever reasons, the media has primarily reported on how wonderful electronic health systems are without explaining the severe risks they pose to privacy and the new problems they can create (errors, downtime, work flow obstacles, data sales, lack of interoperability, etc).

The health IT stimulus bill with $20B for HIT needs very strong consumer protections to ensure that the current ‘norm’ for hospital electronic health systems, ie badly designed, open access systems, is replaced by systems that only allow access to the few staff members the patient has given permission to see and use his/her electronic records. The current HIT bill does not require the use of consent management technologies to restore patient control over PHI.

Uncovering the identity trade business

When Brandon Michael rolled up a storage-unit door in Denver on New Year’s Day to sort through the contents he had just purchased at an auction, the young man expected to find the usual items he could later sell on Craigslist or eBay: tools, laptops and furniture. Instead, Michael discovered boxes, filing cabinets and trash bags full of hundreds of U.S. passports, birth certificates, driver’s licenses, Social Security cards and other documents — most stolen within the past two years.

He found St. Anthony Central Hospital records containing dates of birth, Social Security numbers and copies of the driver’s licenses of 150 patients who had been admitted into the emergency room or general surgery.

He found drug paraphernalia, pills and the printer used to make counterfeit documents.

“That’s not right that somebody has all this stuff,” Michael said.

“It’s the mother lode of identity theft,” said Sgt. Ryan McGinty of the Denver police check fraud and forgery unit.

Michael’s discovery has prompted investigations by Denver police, Centura Health and the U.S. Department of Health and Human Services’ Office for Civil Rights.

HIT experts warn about EHR investment in open letter to Obama

Two healthcare information technology experts have penned an open letter to President Obama, warning him against investing too many federal dollars in existing electronic health records systems.

Existing EHR systems are too expensive, difficult to implement, disruptive to practice workflows, not proven to improve patient care, and don’t do a good job of sharing information with each other, wrote David Kibbe, MD, a technology adviser to the American Academy of Family Physicians, and Brian Klepper, PhD, founder of consulting firm Health 2.0 Advisors.

“If America’s physician practices suddenly rushed to install the systems of their choice, it would only dramatically intensify the Babel that already exists,” Kibbe and Klepper wrote.

Read their letter

The true problems in HIT

The experts quoted are correct that cost, interoperability, difficulty of use, work-flow disruption, and lack of proof of safety/effectivenss are good reasons not to spend $20 billion in HIT stimulus money on bad products (the equivalent of buying SUVs instead of hybrids and electric cars).

But Kibbe and Klepper should look beyond their own perspectives to consider the wider context and the real make-or-break issue: what must EHR systems have to ensure the public’s trust and willingness to use them?

Of course, doctors must be able to afford, easily use, and know that EHR systems actually work and are effective, but systemic failure is inevitable unless patients trust electronic systems. Today’s health IT systems and products are not even close to meeting the public’s expectations for control over personal data and and ironclad security.

From the consumer perspective, the worst defects in today’s EHR systems are:

1) Patients have no control over the use or disclosure of their personal health information in these systems.

2) Doctors, hospitals, labs, pharmacies, PBMs, insurers, data miners, data aggregators, etc, etc, and software vendors control the disclosure, use, and sale of the nation’s personal health information.

3) Most of today’s EHR technology is extremely primitive (20-30 years old) and does not comply with patients’ longstanding legal and ethical privacy rights:
•most EHRs do not have the functional capacity to segment sensitive records
•human-readable audit trails of disclosures are not required, so patients have no way to know who snooped in their records or where their personal health information has been sent or sold
•the security measures are abysmal. CIO magazine story from 2006 reported that all 850 EHR systems examined could easily be hacked: http://searchcio.techtarget.com/originalContent/0,289142,sid182_gci1273006,00.html

The most important reason not to buy $20 billion dollars worth of dinosaur EHR technology is that consumers will NEVER trust electronic health systems unless they control sensitive personal data and unless the systems have state-of-the-art security to prevent the frequent breaches, losses, and thefts of millions health records.

Until the American public has PROOF electronic systems can be trusted, failure is inevitable. Why not build EHRs and the electronic health system right from the start, rather than spending billions later to rebuild?

Must we repeat the mistakes made in the UK? The NHS system was built without patient control over data. Billions of dollars and many years were wasted before the government realized that forcing patients into an electronic health system that shares data without consent doesn’t work.

View the full story referenced

Treasury Moves to Restrict Lobbyists From Influencing Bailout Program

Treasury Secretary Timothy F. Geithner issued new guidelines yesterday aimed at eliminating the influence of lobbyists on the $700 billion financial bailout program by restricting their contact with officials who are reviewing applications for money and deciding how to disburse it.
Treasury officials also will seek to limit political influence over the funds, saying they will use similar restrictions that forbid such influence in tax matters as a model. The department’s Office of Financial Stability will be required to certify to Congress that each government investment is based solely on objective criteria. As part of that effort, only banks recommended by their primary regulator will be eligible for capital investments.
“American taxpayers deserve to know that their money is spent in the most effective way to stabilize the financial system,” Geithner said in a statement yesterday. “Today’s actions reaffirm our commitment toward that goal.”

Treasury Moves to Restrict Lobbyists From Influencing Bailout Program

Will we see the same kind of problems the Treasury Dept has had when HHS allocates the 20 Billion in funds for HIT? Will HHS limit the massive health industry’s lobbyists influence over how HIT funds are spent? Will HHS turn to real consumer coalitions like the Coalition for Patient Privacy for guidance instead of faux consumer, industry-funded trade organizations?

The dominant HIT industry lobby wants to ensure that Americans get primitive, legacy HIT products and systems, instead of innovative privacy-protective technologies.

If the stimulus dollars are used to purchase existing health IT products that don’t restore consumers’ rights to control the use and sale of personal health information, corporations will continue to “lock down” and own our personal health information. See Peter Neupert’s comments:

• Peter Neupert of Microsoft recently wrote in a TechNet blog about the health IT industry: “The thing is, nobody can make good decisions without good data,” Neupert wrote. “Unfortunately, too many in our industry use data ‘lock-in’ as a tactic to keep their customers captive. Policy makers’ myopic focus on standards and certification does little but provide good air cover for this status quo. Our fundamental first step has to be to ensure data liquidity—making it easy for the data to move around and do some good for us all.”

• The health IT industry’s ‘customers’ are the large hospital chains, health plans, labs, pharmacies, PBMs, and other health-related corporations that collect, store, handle and sell Americans’ personal health information from prescription records to DNA. They do not serve the public or have much regard for our legal and ethical rights to control personal health information.

The people who can’t make good decisions without the data are patients and doctors! We have almost no access to our own electronic health information. That’s our personal health data Neupert and Kibbe wrote about—and they make it clear that industry believes it owns our data.

The last thing Americans need is for the HIT stimulus funds be used to buy outdated, primitive technologies without meaningful or comprehensive privacy protections. That’s a prescription for waste and failure. Will the initial consumer privacy protections in the stimulus be nullified by purchases of inferior, privacy-destructive technologies?

View the Washington Post Article: Treasury Moves to Restrict Lobbyists From Influencing Bailout Program