New Patient Privacy Poll

Should anyone other than you control your personal health information in electronic health systems? Across the board, Americans resoundingly say “NO.”

Patient Privacy Rights worked with Zogby International to conduct an online survey of over 2000 adults to identify their views on privacy, access to health information, and health information technology (health IT). The results were overwhelmingly in favor of individual choice and control over personal health information.

View the Privacy Poll Results
View the Press Release
Listen to the Press Teleconference here

News Coverage
Healthcare IT News: Poll: Huge majorities want control over health info
Forbes: Americans Want to Control Their Health Information
Fierce Health IT: Majority of Americans want personal control of health information
Modern Healthcare: Privacy desires ignored

Americans are not just concerned about corporations snooping in their medicine cabinets, but also about researchers, nosy employees, and people with malicious intent, such as an ex-spouse or abusive partner.

Over ninety percent of Americans want to be able to decide which individual people can see and use their health information. This reflects a strong desire for very specific, detailed control.

Note: A sampling of Zogby International’s online panel, which is representative of the adult population of the US, was invited to participate. Slight weights were added to region, party, age, race, religion, gender, and education to more accurately reflect the population. The margin of error is +/- 2.2 percentage points.

Holes in the fence?

This story, by Joseph Conn of Modern Healthcare, quotes Patient Privacy Rights, Dr. Blumenthal, the National Coordinator for Health IT, and many others, all calling for meaningful consent and privacy.

See these great quotes from Alan Westin:

  • The removal of consent from HIPAA by federal rulemakers in 2002 “left us high and dry,” but with the improvements to HIPAA in the stimulus law, “I think the raw materials for excellence are there.”
  • Privacy protection will depend again on HHS rulemakers, however, he says. (A proposed privacy rule addressing HIPAA modifications from the stimulus law was released by HHS in July, but a final rule is pending.) If it’s not addressed, Westin says, don’t be surprised if there is consumer backlash.
  • “I think we’re at a pivotal moment,” Westin says, given the massive inflows of federal IT subsidies about to begin. “Just imagine a lawsuit as a class action with all the people who would otherwise be swept into a network saying, ‘I did not give my consent,’ and asking the court to intervene.”
  • He sees “a dangerous trend” developing in healthcare IT in which patients are regarded as “inert data elements, not conscious persons” who have the right to make informed choices regarding “how their health information is used beyond the direct care settings.”
  • “You have to have privacy orienting systems at the design,” he says. “If the plumbing all gets in, it’s going to be very costly to tear it down and change it.”

Below are a few sections of the article. To see the full article, follow this link to Modern Healthcare.

Is the primary federal privacy law up to the task of protecting patient information in the 21st century?

It’s a question we put to opinion leaders in the legal, research, policy, ethics, provider and technology fields within the healthcare privacy community. It comes as hospitals and office-based physicians ramp up adoption of electronic health-record systems and join information exchanges to qualify for their share of the $27 billion in federal information technology subsidy payments available under the American Recovery and Reinvestment Act of 2009, also known as the stimulus law…

…A new challenge will be to regulate against the abuse of data outside the scope of HIPAA. “You encounter personal health records, where people put their health information on a cell phone, or on Google and Microsoft, and Google and Microsoft are not covered entities. We need to figure out what the privacy framework is for personal health records and other sharing of personal information.”

Deborah Peel is the practicing psychiatrist who founded the Patient Privacy Rights Foundation in Austin, Texas. To Peel, the HIPAA paradigm is obsolete and inadequate and needs to be replaced.

“You can’t draw a fence around who has sensitive health information,” Peel says. “It might have made sense 20 years ago, but it is a model that doesn’t fit the realities of today. It’s based on an anachronistic view of the healthcare system, as if it’s totally separate from everything else in business and in life, and if technology has taught us anything, it’s that that’s not effective.”

Peel also says the 42 CFR Part 2 framework should be applied to all patient data. “Healthcare information, because of the Internet, is everywhere; therefore, the protections must follow the data,” she says. “If we don’t say a damn word about social media and websites and the rest, we lose because that information is out there in all of those places.”

Privacy desires ignored

For psychiatrist Deborah Peel, maybe patient privacy and patient consent aren’t identical twins, but they’re sure close relatives.

Not surprisingly, a recent Zogby International poll commissioned by Peel’s not-for-profit Patient Privacy Rights Foundation, Austin, Texas, focuses on patient consent and its relationship to privacy—a unity the federal government has chosen to either ignore or deny.

The 2,000 adult poll respondents reached by Zogby via the Internet put great store in their right to privacy. They cling to the quaint notion that they should be asked before their electronic health records are sent skittering off to unknown users for unknown purposes. See full poll results here.

Silly them.

HHS rulemakers wrote away a key right to privacy eight years ago.

An HHS revision to the Health Insurance Portability and Accountability Act privacy rule in 2002 stripped away one of the broader authorities giving patients the right to control the flow of their medical information. HHS rulemakers did it by eliminating the right of consent. They took a stringent privacy protection rule and transformed it into a disclosure rule.

There are a lot of bright folks who have warned HHS that this privacy issue broadly—and this HIPAA privacy rule revision, specifically—are going to explode on the healthcare industry. One of the more insistent voices has been Peel’s, but she is by no means alone.

Majority of Americans want personal control of health information

It’s hard to get Americans to agree on much these days, but overwhelming majorities seem to want control over their own electronic health information.

A poll from Dr. Deborah Peel’s Patient Privacy Rights Foundation and Zogby International found that 97 percent of the more than 2,000 U.S. adults surveyed believe that hospitals, physicians, laboratories and IT vendors should not be allowed to sell or share “sensitive health information” without consent. Ninety-eight percent are opposed to health insurance companies marketing personal health information, according to the survey.

See full poll results here.

Americans Want to Control Their Health Information

Health privacy watchdog Patient Privacy Rights and Zogby International surveyed 2,000 people, and found that almost all object to doctors, hospitals, and insurance companies sharing or selling their information without their consent. An overwhelming majority also wants to decide not only which companies and government agencies can access their electronic health records, but which individuals.

See the Survey Results

Hospitals and doctors are currently busy implementing the first stage of requirements under the HITECH Act, which calls for providing patients within the next two years with an electronic copy of their physical, test results, and medications. Ultimately, patients should be able to access their electronic health record online.

Poll: Huge majorities want control over health info

AUSTIN, TX – Patient Privacy Rights, the health privacy watchdog, has enlisted the help of Zogby International to conduct an online survey of more than 2,000 adults to identify their views on privacy, access to health information, and healthcare IT. The results were overwhelmingly in favor of individual choice and control over personal health information.

View the full poll results here.

Ninety-seven percent of Americans believe that doctors, hospitals, labs and health technology systems should not be allowed to share or sell their sensitive health information without consent.

The poll also found strong opposition to insurance companies gaining access to electronic health records without permission. Ninety-eight percent of respondents opposed payers sharing or selling health information without consent.

“No matter how you look at it, Americans want to control their own private health information,” said Deborah Peel, MD, founder of Patient Privacy Rights. “We asked the question, ‘If you have health records in electronic systems, do YOU want to decide which companies and government agencies can see and use your sensitive data?’ Ninety-three percent said ‘Yes!’”…

…The group advocates a ‘one-stop shop’ website where consumers can set up consent directives or rules to guide the use and disclosure of all or part of their electronic health information; if a request to use or sell health data is not covered by privacy rules, they can be ‘pinged’ via cell phone or e-mailed for informed consent.

Patient Privacy Rights calls this solution the “Do Not Disclose” list – similar to the national “Do Not Call” list. If a patient’s name is on the list, any organization that holds his or her sensitive health information, from prescriptions to DNA, must first explain how that information will be used before being granted permission.

Re: Release of Ponemon “Benchmark Study on Patient Privacy and Data Security” on Nov 9th

Today’s new Ponemon study catalogs the health care industry’s massive indifference to keeping patients’ health data secure.

View the Ponemon Study Press Release

This is not a new problem. The lack of ironclad data protection and security has been a setup for catastrophe from the beginning. If banks handled the security of financial records as badly as hospitals handle health records, they would have been shut down.

Why is abysmal security for health data tolerated, when it is far more sensitive than financial records and also contains financial and demographic information?

The study details the lack of comprehensive technical protections, the lack of adequate staff, the lack of adequate funding, and the lack of encryption. It even found that 53% of health care organizations are “not confident” they know where patient data is actually located.

It’s painful to read such graphic detail about the breathtaking, systemic disregard for patient data protections. Page after page of awful statistics should make the public and government pause before spending $39 billion of stimulus funds on such fatally flawed systems.

Relentless industry promotion of health IT seems to override the lack of adequate data protection and common sense.

Here are a few statistics from the study:

  • The total economic burden on US hospitals of data breaches is $12 billion per year.
  • 69% of health care organizations can’t prevent or detect data breaches
  • 71% of health care organizations have inadequate resources to deal with data breaches or improve their systems and technology
  • 70% of hospitals said that data protection is not a priority
  • Strikingly, 41% said that data breaches were discovered by patients, and that figure is probably an undercount: another 19% of breaches were discovered because of legal complaints and 8% by law enforcement, and both of those channels are most likely set in motion by patients who discovered a breach and sought help. That puts the share of patient-discovered breaches closer to 68% than 41%.

If patients were the ones who discovered 41-68% of breaches, they must have found out by suffering direct harms, such as data exposure leading to humiliation/embarrassment, identity theft, or medical identity theft.

Shouldn’t the government spend the stimulus billions on systems that DO ensure data security and EMPOWER patients to selectively disclose sensitive health information only to those they trust?

Privacy advocates fear massive fed health database

Please see the article “Privacy advocates fear massive fed health database” in Computer World, by Jaikumar Vijayan.

Many state and federal agencies either release or will soon release massive free or low-cost “public use data files” without testing whether our sensitive personal health information can be re-identified, and without obtaining our consent to use it.

Describing data bases as “anonymized” or “de-identified” lulls the public into thinking that their health records are safe and cannot be re-identified. But that isn’t true. Every method to prevent data from being re-identified should first be tested and proven.

Patient Privacy Rights recommends that any health data set should be subject to “adversarial challenge criteria” to assess the actual threats/risks of re-identification of the data before release. See “Notes About Anonymizing Data For Public Release” by Andrew Blumberg PhD at: http://patientprivacyrights.org/wp-content/uploads/2010/10/ABlumberg-anonymization-memo.pdf

After the challenge criteria are used to test the data, patients should be informed of the risk of re-identification and asked for consent to include their data.

Even the NIH had to close down a database of genetic information that was supposedly de-identified after the 141st researcher to download the database reported that they could re-identify actual patients.

It’s extremely hard to create health data sets that cannot be re-identified. Given that fact, patient consent should be required for the use of health data and patients should be informed of the risks of re-identification BEFORE their data is included in public use data sets.

Without basic protections, i.e., requiring informed consent and adversarial challenges, our health data will be used to create valuable, detailed profiles of each of us—and our own health records will be sold and used to discriminate against us in employment, credit, and other opportunities in life–not for research to improve our health and improve treatment.
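What an “adversarial challenge” of a public use data file looks like in practice, as an added example for this post (it is not Patient Privacy Rights’ code and not the method in Blumberg’s memo): take the file exactly as an agency would release it, with names stripped but quasi-identifiers such as ZIP code, birth date and sex kept, measure how many records are unique on those columns (k-anonymity), and then actually join the file against an outside dataset that carries the same columns. The hospital records, the voter roll they are linked to, and the choice of quasi-identifier columns are all constructed here for illustration; a real challenge would use the real outside datasets available to an attacker (voter rolls, marketing lists, social media).

```python
"""Pre-release re-identification check for a "de-identified" hospital data file.

Added example for this post; it is not Patient Privacy Rights' code nor the
method in Andrew Blumberg's memo. Every record below is constructed.

A file with names removed still carries quasi-identifiers (QIs): columns such as
ZIP code, birth date and sex that outside datasets (a voter roll, for instance)
also carry. Two checks to run before publishing:
  1. k-anonymity of the QI columns: the smallest number of records sharing one
     QI combination. k == 1 means a record is unique and therefore linkable.
  2. An actual linkage attack against an outside dataset: how many records
     resolve to exactly one named person.
The same checks are rerun after generalising the QIs (3-digit ZIP, decade of
birth) and suppressing any class smaller than k_min.
"""
from collections import Counter, defaultdict
from typing import Callable, Dict, List, Tuple

Record = Dict[str, str]
Key = Callable[[Record], Tuple[str, str, str]]  # returns (zip, dob, sex)

# Constructed "de-identified" discharge records: names removed, QIs kept.
PUDF: List[Record] = [
    {"zip": "78701", "dob": "1961-07-31", "sex": "F", "diagnosis": "major depressive disorder"},
    {"zip": "78701", "dob": "1985-02-14", "sex": "M", "diagnosis": "HIV"},
    {"zip": "78702", "dob": "1972-11-03", "sex": "F", "diagnosis": "breast biopsy"},
    {"zip": "78702", "dob": "1979-01-09", "sex": "F", "diagnosis": "wrist fracture"},
    {"zip": "78704", "dob": "1990-05-20", "sex": "M", "diagnosis": "substance use disorder"},
    {"zip": "78745", "dob": "1988-09-02", "sex": "M", "diagnosis": "appendicitis"},
]

# Constructed outside dataset: a voter roll carries name, ZIP, birth date, sex.
VOTER_ROLL: List[Record] = [
    {"name": "A. Doe", "zip": "78701", "dob": "1961-07-31", "sex": "F"},
    {"name": "B. Roe", "zip": "78701", "dob": "1985-02-14", "sex": "M"},
    {"name": "C. Poe", "zip": "78702", "dob": "1972-11-03", "sex": "F"},
    {"name": "D. Loe", "zip": "78702", "dob": "1979-01-09", "sex": "F"},
    {"name": "E. Moe", "zip": "78704", "dob": "1990-05-20", "sex": "M"},
    {"name": "I. Soe", "zip": "78704", "dob": "1990-05-20", "sex": "M"},  # same QIs as E. Moe
    {"name": "F. Noe", "zip": "78745", "dob": "1988-09-02", "sex": "M"},
    {"name": "G. Joe", "zip": "78746", "dob": "1983-12-30", "sex": "M"},
    {"name": "H. Koe", "zip": "78703", "dob": "1975-04-18", "sex": "F"},
]


def qi_raw(rec: Record) -> Tuple[str, str, str]:
    """QIs exactly as they appear in the file."""
    return (rec["zip"], rec["dob"], rec["sex"])


def qi_generalised(rec: Record) -> Tuple[str, str, str]:
    """ZIP truncated to 3 digits, birth date coarsened to its decade."""
    return (rec["zip"][:3], rec["dob"][:3] + "0s", rec["sex"])


def k_anonymity(records: List[Record], key: Key) -> int:
    """Smallest equivalence-class size over the QI combination; 0 if no records."""
    counts = Counter(key(r) for r in records)
    return min(counts.values()) if counts else 0


def link_attack(records: List[Record], outside: List[Record], key: Key) -> Dict[int, str]:
    """Map record index -> name for every record whose QIs match exactly one
    person in the outside dataset, i.e. a confident re-identification."""
    by_qi: Dict[Tuple[str, str, str], List[str]] = defaultdict(list)
    for person in outside:
        by_qi[key(person)].append(person["name"])
    hits: Dict[int, str] = {}
    for i, rec in enumerate(records):
        candidates = by_qi.get(key(rec), [])
        if len(candidates) == 1:
            hits[i] = candidates[0]
    return hits


def release(records: List[Record], key: Key, k_min: int) -> List[Record]:
    """Rewrite the QI columns to the values `key` produces and drop (suppress)
    records whose class is smaller than k_min, so the published file has k >= k_min."""
    counts = Counter(key(r) for r in records)
    out: List[Record] = []
    for r in records:
        zip_, dob, sex = key(r)
        if counts[(zip_, dob, sex)] >= k_min:
            out.append({**r, "zip": zip_, "dob": dob, "sex": sex})
    return out


def report() -> Dict[str, int]:
    """Summary numbers an adversarial-challenge memo would cite."""
    published = release(PUDF, qi_generalised, k_min=2)
    return {
        "raw_k": k_anonymity(PUDF, qi_raw),
        "raw_reidentified": len(link_attack(PUDF, VOTER_ROLL, qi_raw)),
        "generalised_k_before_suppression": k_anonymity(PUDF, qi_generalised),
        "published_records": len(published),
        "published_k": k_anonymity(published, qi_generalised),
        "published_reidentified": len(link_attack(published, VOTER_ROLL, qi_generalised)),
    }


if __name__ == "__main__":
    for i, who in link_attack(PUDF, VOTER_ROLL, qi_raw).items():
        print(f"record {i} -> {who}: {PUDF[i]['diagnosis']}")
    print(report())
```

On the constructed data the raw file has k = 1 and five of six records fall to a single exact join, each one handing a named person’s diagnosis to whoever holds the voter roll; that is what the word “de-identified” on the cover sheet hides. Note that generalising ZIP and birth date alone still leaves k = 1 here, because two records sit in classes of their own; only after suppressing those classes does the published file reach k = 2 and the join stop resolving to individuals. A real challenge should also try inexact matching (typos, moved addresses) and the other columns in the file (admission dates, diagnosis codes), which an exact three-column join does not exercise.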

Insurers: Records weren’t lost at health fair

See Story: Insurers: Records weren’t lost at health fair

This story just gets worse, highlighting the poor judgment of the insurance companies. Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan never even considered how sensitive patients are about the privacy of personal health information, from their prescription records to DNA.

Now Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan claim that taking the health records of 285,691 people to community health fairs is a way to “save lives”. That particular argument is often used to make people believe that a decision was made for important and worthwhile, even essential reasons. So let’s take a look and see if the decision to take health records to community health fairs is a good decision or makes sense.

The insurers want their employees to check people’s medical records and decide if a test is needed, like a mammogram, and schedule it—at a health fair. But as a matter of law, ONLY physicians can order tests like mammograms—not insurance company employees. Their employees cannot schedule doctor’s appointments, much less medical tests. Besides, most people are very uncomfortable with strangers who are not the health professionals treating them looking at their medical records.

Most people would never want their sensitive health records taken to health fairs in the first place. Obviously, Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan did not ask those enrolled for consent to take their records to health fairs, or anywhere outside of their offices, where personal records are supposed to be used ONLY to pay claims.

Most people strongly object to health insurers even having, keeping, or using their sensitive health records. Patients want insurers to have the bare minimum information about them to pay claims. Patients typically do not turn to insurers for advice about their health, about treatment, or to recommend tests.

And the insurers say conflicting things about what kinds of information and how much was on the flash drive. If only recent screenings were on a flash drive, a woman’s last mammogram might not be there. No physician would order a test like a mammogram without knowing the exact date of the last one and the details of her history, like what risks she has for breast cancer. Unnecessary mammograms expose women to radiation.

It appears that this example of helping women at health fairs to get needed mammograms doesn’t make any sense, because the employees of insurance companies cannot order or schedule mammograms—or doctor’s appointments.

The example of saving women from breast cancer at community health fairs is so far-fetched that it may have been fabricated to try to make it seem that the insurers had good reasons to take sensitive health records out of their offices. But it’s hard to judge their reasons and intentions without full disclosure, so we are left with the few things they said and did. They exposed 285,691 people’s sensitive demographic and health information to loss, sale, identity theft, and medical identity theft for reasons that don’t make sense.

Is it responsible to allow insurance employees access to people’s sensitive health records at health fairs and risk the loss or theft of that sensitive data?

If the insurers actually put complete or very detailed health information on enrolled patients on a flash drive, enough for a health professional to decide whether certain tests should be ordered, and the stated goal is to increase screening for needed tests, then there are far more effective and privacy-protective ways to do that. They do not have health professionals staffing their booths at health fairs. Insurers could contact patients directly by mail, email, or phone IF the patient had opted in to receiving advice or reminders from them. Or insurers could contact doctors if they think a test is needed, so doctors can evaluate full records and decide whether tests should be ordered.

Risking the privacy of 285,691 people at a health fair to improve screening for breast cancer or other unnamed conditions is a bad decision—whether they encrypt the data or not. Encrypting the data would have lowered the risk of loss, theft, or sale of the information, but would not solve the problem of using patients’ sensitive health information in ways that they would never want or agree to.

Unsafe data in Texas

Last month, a Texas online news site, the Austin Bulldog, published a lengthy investigative report on the sale and gifting of patient-level hospital data by the Texas Department of State Health Services.

Reporter Suzanne Batchelor’s remarkable story found that if you’re a Texan, your healthcare data can be given away or sold without your consent. And the Health Insurance Portability and Accountability Act, the main federal health information privacy law, won’t—or can’t—protect you.

In Texas, the health services department gathers claims data from hospitals by law—providers can be fined as much as $10,000 if they don’t hand it over. But the department isn’t a so-called “covered entity” as defined by HIPAA. So, the state isn’t covered under the HIPAA privacy rule if it does anything that would be a violation if performed by a data-providing hospital…

…The state knows the public-use data file is vulnerable. A user’s manual (PDF) contains this caveat: “It may be possible in rare instances, through complex analysis and with outside information, to ascertain from the PUDF the identity of individual patients. Considerable harm could result if this were done.”