HHS proposes stronger privacy protections under HIPAA

Proposed changes to the HIPAA privacy regulations would expand patients’ rights to access their information and restrict certain types of disclosures of protected health information to health plans, according to InformationWeek.

“We want to make sure it is possible for patients to have maximal control over PHI,” national health IT coordinator Dr. David Blumenthal said at an HHS press conference. The statement–and the proposal itself–thrilled healthcare privacy hawk Dr. Deborah Peel. Her organization, the Patient Privacy Rights Foundation, put out a statement strongly in favor of the changes, saying that the proposed rule “signaled a clear policy change in the Obama administration, strengthening consumer rights to health privacy.”

To learn more:
- read the proposed rule issued by HHS on July 8
- read this Computerworld article via Businessweek
- take a look at CMIO’s article
- read the InformationWeek story
- see this AHIMA press release
- check out this statement from the Patient Privacy Rights Foundation, which includes a video of the HHS press conference

PPR impressed with HHS’ privacy approach

The Secretary of Health and Human Services (HHS), the Director of the Office of Civil Rights (OCR), and the National Coordinator for HIT all made very strong, pro-privacy statements at the press conference today announcing the Notice of Proposed Rulemaking (NPRM) titled: 45 CFR Parts 160 and 164, RIN: 0991-AB57, Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act.

Signaling a major shift in direction for the Administration and HHS, Secretary Sebelius said, “It’s important to understand this announcement of the NPRM…. is part of an Administration-wide commitment to make sure no one has access to your personal information unless you want them to.”

Patient Privacy Rights heartily congratulates the Administration and Sec. Sebelius for this new pro-privacy, patient-centered approach to personal health information (PHI).

We applaud Secretary Sebelius’ clear acknowledgment that health IT systems should empower patients to control PHI. Putting patients in control of PHI is the only route to prevent wasting billions in stimulus funds on HIT systems that destroy privacy and to stop the theft, misuse, and sale of PHI in today’s primitive HIT systems and data exchanges.

During her remarks, OCR Director Verdugo said, “the benefits of HIT will only be fully realized if health information is kept private and secure at all times.”

And finally Dr. Blumenthal stated, “we want to make sure it is possible for patients to have maximal control over PHI.” He also referred to the Consumer Choices Technology Hearing last week, which demonstrated consent tools that enable patients to control the use and disclosure of their health information from EHRs and for HIE.

Hopefully the NPRM actually gives Americans the control over access to personal information Secretary Sebelius said the Administration is committed to. We are analyzing the 234-page Notice of Proposed Rulemaking (NPRM), and will post our comments on the NPRM as soon as we can.

Below see the Press Conference announcing the Proposed Rule.

HHS pitches new patient privacy safeguards

A new rule proposed today would add substantial protections to the Health Insurance Portability and Accountability Act (HIPAA) for individuals who want to make sure their personal health information remains private and under their control, something that’s considered vital to the eventual success of electronic health record deployments.

Health and Human Services Secretary Kathleen Sebelius acknowledged as much in announcing the rule, saying that, while health IT will help to move the American health system forward, “the privacy and security of personal health data is at the core of all of our work.”

The proposed rule, which will be open to a 60-day comment period starting July 14, takes various routes to providing patient control…

…First reactions to the proposal were generally positive. Deborah Peel, founder and chair of the Patient Privacy Rights organization and an often fierce critic of the government’s record on privacy rights, said she was impressed with Sebelius’s remarks.

“We applaud her for recognizing that HHS should build what the public expects: health IT systems that empower patient control over personal health information,” she said.

HHS’ Health Privacy Site

ONC IS MAKING HISTORY!

ATTEND THE FIRST EVER HEARING ON PRIVACY-ENHANCING TECHNOLOGIES IN THE NATION.

Register here.

The hearing, scheduled all day on June 29th, will showcase 7 innovative, existing privacy-enhancing Health IT products and systems, and future technologies. The technologies will be discussed by 4 experts and the Privacy and Security Tiger Team.

Early this year, Dr. Blumenthal met with the bipartisan Coalition for Patient Privacy. He told us our idea for this conference struck him as “very intriguing. Two principles should animate our policy development. Patients/consumers come first, and the process should be fair and open.” So he agreed to hold a hearing.

Register to attend the hearing at: http://www.blsmeetings.net/consumerchoicetechnologyhearing/
For agenda see: http://healthit.hhs.gov/portal/server.pt?open=512&mode=2&objID=2833&PageID=19423

This is the first hearing ONC has ever held that is focused solely on privacy rights and patients’ expectations to control sensitive health records, from prescriptions to DNA. It is VERY timely because billions in stimulus dollars are about to flow.

What kinds of systems do you want to get the stimulus billions??? Current HIT systems that facilitate the data mining, theft, and sale of personal health information or systems that put YOU in control of YOUR information?

Inside-the-beltway domination of policy and standards by major legacy health IT vendors, many major hospitals, the health data mining industries, and physicians’ organizations has made it very hard for consumer and privacy advocates to be heard, even though we represent the majority of the American public. The fear is if they have to ask first to see or use our health information, we might refuse. And we might. But it’s our right to do so.

Today’s HIT systems put our jobs and our kids’ futures at risk by exposing everything from our prescription records to our DNA to sale and theft. Once our health data is exposed, like Paris Hilton’s sex video, we can never make it private again.

Showcasing technology that empowers patients to actively share data for treatment, personal benefit, and for research, while empowering patients to protect personal information to prevent harms is critical—especially now as HHS prepares to spend billions on EHRs and models for data exchange that do not require meaningful and comprehensive privacy controls.

The video of the hearing will be a critical online resource for the public, the media, states, and the world. There is no other way to learn about robust privacy-enhancing technologies that meet patients’ expectations and rights to control use of PHI while enabling compliance with strong state and federal laws, medical ethics, and our Constitutional rights to privacy.

Latanya Sweeney’s testimony and slides show the need to choose the right HIT technologies and systems up front, rather than letting “100 weeds fester.” See her testimony at: http://patientprivacyrights.org/wp-content/uploads/2010/04/Sweeney-CongressTestimony-4-22-10.pdf
See her slides at: http://patientprivacyrights.org/wp-content/uploads/2010/06/Sweeney-TrustworthyNHINDesigns.pdf

If you cannot attend in person, PLEASE listen in and comment at the end during the comment period or submit comments online. The video link of the hearing will be posted the following day.

TAKE PART: Tell ONC to build privacy-enhancing health IT systems you can trust. Tell ONC to build privacy-enhancing EHRs and systems for data exchange; don’t blow the stimulus billions on systems that will never be trusted.

If we don’t fight for our rights to control sensitive personal health information, we will never GAIN the right to control the rest of our personal information online and in the Digital World.

Thanks for helping to save privacy!

Attention doctors and vendors: Selling patient data without informed consent is now a federal crime

This post appeared as a guest blog in EHR Watch and in Healthcare IT News.

Another misguided, uninformed EHR vendor will discount the price of EHR software for doctors willing to sell patient data! According to CEO Jonathan Bush, “Athena might be able to halve the amount that physicians pay to use its EHR.”

Great business plan: Entice doctors to violate the law and the Hippocratic Oath.

See story on Athenahealth.

How is it possible to be so unaware of what the public wants? The public doesn’t want anything new or earth-shattering, just restoration of their rights to control who can see and use their medical records in electronic systems.

Not only is the practice of selling patient data an unethical PR/“optics” nightmare, but new consumer protections in the stimulus bill require that patients give informed consent before their protected health information can be sold. Violators are breaking a federal law.

The problem is that health information is an extremely valuable commodity, so people are always trying to use it without consent. Patients’ rights never seem to interfere with these business schemes.

More quotes from the story:

  • “Athena’s EHR customers who opt to share their patients’ data with other providers would pay a discounted rate to use Athena’s health record software.”
  • “Athena would be able to make money with the patient data by charging, say, a hospital a small fee to access a patient’s insurance and medical information from Athena’s network.”
  • “Caritas Christi [Health Care] initially launched Athena’s billing software and service in October and then revealed in January that it decided to offer the company’s EHR to physicians.”

How many patients would agree to sell their health records to help their doctor’s bottom line AND at the same time put their jobs, credit, and insurability at risk?

What will Athena’s informed consent for the sale of patients’ health data look like? Will Athena lay out all the risks of harm? Will Athena lay out the fact that once the personal health data is sold, the buyer can re-sell it endlessly to even more users? Will Athena caution patients that once privacy is lost or SOLD, it can never be restored?

Many vendors do not realize that the lack of privacy and lack of trust is a major barrier to patients seeking healthcare. HHS reports 600,000 people a year refuse to get early diagnosis and treatment for cancer because they know the information won’t stay private; another 2,000,000 refuse early diagnosis and treatment for mental illness for the same reasons.

If you wonder what patients expect from electronic health systems, check out my slides (PDF) from a recent Health Innovation conference at the UT McCombs Business School.

Deborah C. Peel, MD
Founder and Chair
Patient Privacy Rights

Dr. Peel Testifies before Texas Public Health Committee

On Tuesday, May 11th, 2010, Patient Privacy Rights’ founder and chair testified before the Texas Public Health Committee on Health IT moving forward. Her presentation, “Patient Expectations for Health IT: Control over Health Records Privacy Solutions for HIE” is available here. The agenda for the hearing is below as well as a link to a video of the hearing. The video provided is in the .ram format, and will play in RealPlayer and other limited mediums.

Video of the Public Health Committee Hearing

View a PDF of our briefing
View a PDF of our presentation
View the additional slides on Data Mining

Hearing Purpose: Determine how the state can best coordinate efforts to streamline health care delivery with health information technology (HIT). Identify areas in state law that affect the adoption and use of HIT. Recommend statutory changes as necessary.

Panels:

A. Overview and Update: Forming Frameworks and Consensus

Mr. Stephen Palmer: Director, Office of e-Health Coordination, Health and Human Services Commission
Mr. Manfred Sternberg: President, Texas Health Service Authority

B. Providers and Stakeholders: Updates and Ideas

Mr. Rob Thomas: CEO of Columbus Community Hospital, TORCH
Dr. Karen Van Wagner: Executive Director, North Texas Specialty Physicians; Board Member, Sandlot, LLC
Mr. Ed Marx: CIO of Texas Health Resources
Dr. Robert W. Warren: Pediatric Rheumatologist, Texas Medical Association and the Texas Pediatric Society

C. Privacy Concerns: The Issue of Consent

Dr. Dave Wanser: Visiting Fellow at the LBJ School of Public Affairs at the University of Texas at Austin
Dr. Deborah Peel: Founder and Chair of Patient Privacy Rights

D. Workforce Planning: Future Potential Needs for Texas

Mrs. Sue Biedermann MSHP, RHIA, FAHIMA: Chair, HIM Program, Texas State University
Dr. Jack Smith: Dean of the School of Health Information Science, The University of Texas Health Science Center at Houston


E. Public Comment

Re: State agency swaps babies’ blood for supplies

This is a response to the recent article in the Austin American Statesman: State agency swaps babies’ blood for supplies

Institutional Review Boards (IRBs) are NO LONGER the best solution – or even an adequate solution – for state problems (or for research) when informed consent is needed for the use of individual health information, tissue, or bloodspots. There are now effective, affordable technology solutions that enable individual families to make their own informed choices.

The state of Texas was sued because families could not individually decide how their spots were handled – whether they should be kept and how they could be used. Technology offers great solutions for those sensitive problems.

Governance of bio-banks like the NBS Program is critical, as Dr. Callan points out, BUT governance cannot replace individuals’ existing rights to privacy and informed consent.

And there is no longer a need to use IRBs (typically stacked with members who have conflicts of interest) to replace individual families’ rights to make decisions about their child’s newborn bloodspots, now that technology offers much better solutions where each family can set their own preferences and be contacted for use/sale of their spots.

IRBs and privacy boards were needed in the past when the time and cost of contacting hundreds and thousands of people to ask consent for the use of their records was prohibitive, but that is no longer true thanks to technology. Millions can be contacted by email or text mail on cell phones instantly, at virtually no cost. And their responses can be addressed automatically via technology—think of online response cards when you donate money: you get an email confirming what you did. Technology can enable each family to make their own informed decisions.

There are many problems with using IRBs to replace individual informed consents. IRBs tend to be dominated by researchers and data users — people who want to use patient records or bio-specimens, rather than consumers and privacy advocates. IRBs have not focused on protecting medical record privacy — the focus has been on clinical research on the use and effectiveness of new drugs and devices that can directly harm people’s minds and bodies, weighing the safety of the study vs. the risk of side-effects and even death. IRBs were designed to protect people who participate in research from harm and death. So IRBs view research in patients’ records and bio-specimens as safe—as if no serious harms or risks result from these kinds of research. But research using bio-specimens or sensitive personal health information poses great risks to privacy. Personal health information, from prescriptions to DNA, is a very valuable commodity that is sold and used to discriminate against patients and their children and grandchildren. Bio-specimens contain genetic information, which can be re-identified, and put families at risk for generations of discrimination.

In addition, the public does not agree that researchers should have unfettered access to their medical records. Open access to the nation’s sensitive health information is not seen as a desired public good. In fact Alan Westin’s survey for the Institute of Medicine on this subject showed that only 1% of Americans would agree to let researchers freely use their health records for any purpose. See: http://patientprivacyrights.org/media/WestinIOMSrvyRept.pdf?docID=2501

Also, the story did not highlight how deceptive ‘opt-out’ consents are. ‘Opt-out’ consent has been utterly rejected in the UK as the method of consent for transferring people’s health records to the NHS—the program had to be stopped when the public found out. ‘Opt-out’ consent was perceived by the public as deceptive, unfair, and difficult to understand and enact. See: http://patientprivacyrights.org/2010/04/controversial-medical-records-database-suspended/

The proposal from the ‘Save the Spots’ team, including Patient Privacy Rights, the Genetic Alliance, the UT LBJ School, and innovative technology corporations, would have offered an online consent tool where Texas families could choose to:

  • destroy the spot
  • store and do nothing
  • store and allow use for research, etc.
  • store and contact us for each use
  • send a copy of the test results to us for use with our doctor and our health planning

The story missed the key point about how technology can improve the informed consent process and create trust. Think about this example: you can set your preferences for how your bank pays your bills. Online banking allows you to set preferences for how something of yours ($ instead of spots or information) is shared with whom, for what purpose. You can set up the bank to pay some bills automatically every month; others are one-time occurrences, ALL at your direction. And you can change your preferences at any time. We need dynamic, real-time patient-centric technology like that in the health care system—technology has NOT been used to assure patients’ rights, expectations, or convenience. I just saw a system for consent Friday where you can receive requests to use your health information on your cell phone, with the doctor’s name, and how long access is needed.

ALSO—the details about what we offered were not correct in the story—naturally we did not have the funding in hand when we went to the state. How would that be possible? We formally asked the state to agree with the plaintiffs for a delay for 90 days (easy to get from the judge, when both parties agree) so that we could seek the funding from federal and other state and national funders. Funders would not even look at our proposal UNLESS the state had agreed to work with us; i.e., without the state’s agreement we could NOT DO IT. The state would not agree.

We could not have come to the state with funds for our proposal in hand—that’s why we needed the state’s formal agreement to the delay and approval to let us seek the funds to execute our proposal.

Unfortunately the story also did not explain why electronic consents can solve seemingly difficult problems, or why IRBs should no longer be used to replace individuals’ rights of consent when technology enables individuals to make their own informed choices about research.

The issue of what kind of consents we will have for the state of Texas as we move toward requiring and exchanging electronic health information is VERY CRITICAL—it is critical for lawmakers and the public to realize that innovative consent and privacy-enhancing technologies can be used to protect their rights in electronic health systems, not destroy them.

Again, you can see the Article referenced here at this link: http://patientprivacyrights.org/2010/05/state-agency-swaps-babies-blood-for-supplies/

Problems with IBM’s new “massive” research study

Healthcare IT News released an article about IBM’s new research project: IBM launches massive health data research project

IBM plans to bring together personal data on individuals far beyond what is available in the health care system – including environmental and financial data on individuals — to “pinpoint incentives governments and businesses might offer” to patients to improve health. The plan is to first study childhood obesity.

The problem is IBM’s research project does not appear to start with obtaining informed consent from the individuals (or their parents) whose data will be collected and studied.

There is no mention of the legal or ethical authority or basis that permits IBM corporation to collect, analyze, and do research on so much sensitive personal information on individual children, in order to decide which “actions” to incentivize to improve a particular child’s health.

Yet, IBM’s research aims to help doctors treating specific individual patients: “all these complex issues need to meld into a single thread of conversation as I talk to my patient.”

The story mentions numerous groups IBM is working with, but it appears that no consumer, patient, child, or privacy advocacy organizations are “partners” in this massive research project.

More Quotes:
• project will combine and analyze massive data sources that have never before been integrated to simulate the cause-and-effect relationships between agriculture, transportation, city planning, eating and exercise habits, socio-economic status, family life, and more
• project could help pinpoint incentives governments and businesses might offer or what types of investments might be needed and how to prioritize them
• it’s been impossible to understand and to quantify precisely how each factor in our environment plays a role
• IBM researchers said they will partner with public policy and food experts, medical clinicians, economists, simulation experts, industry leaders, universities and others in this collaborative endeavor
• “In many cases, the data and models exist. They just need to be put together in a consumable way that shows the wider connections and potential actions that can enhance individual and community health,” said Paul Maglio, an IBM researcher.

State agency swaps babies’ blood for supplies

When a California company asked Texas for blood samples from newborns in 2008, the state charged $1,600 for 400 blood spots. A North Carolina company swapped 16 HIV testing kits for 5,400 blood spots from the Department of State Health Services in 2006 and 2007. And another company has a five-year contract to get 3,800 blood spots a month in exchange for $456,000 worth of lab supplies.

Blood taken from Texas newborns in a state-mandated program to screen for defects and potentially deadly disorders has proved to be a valuable commodity — not just for researchers who might discover causes and treatments for diseases, but for companies developing, manufacturing and selling lab tests around the world. The blood samples — which were stored indefinitely starting in July 2002 without parents’ knowledge until recently — help companies evaluate and bring disease screening tests to market. In exchange, the health department gets needed supplies to conduct lab tests on newborns and other patients…

…In March 2009, the Texas Civil Rights Project sued the state over the storage program, claiming the state was violating constitutional protections against unlawful searches and seizures as well as state privacy laws. It wanted the state to stop storing blood without parental consent — state law doesn’t require consent — and asked that samples be destroyed unless consent was obtained.

The issue struck a chord nationally as parents learned other states had similar programs and feared the potential for misusing private genetic information.

“Newborn screening programs are under attack nationally, and they hope this will just go away, but it won’t,” said Dr. Deborah Peel, founder and chairwoman of Patient Privacy Rights, a national organization that advocates for patient privacy. “The public is terrified of the state owning their DNA.”

The Texas suit was settled in December when the state agreed to destroy 5.3 million blood spots stored since 2002, despite last-minute efforts led by Peel and others to try to save the spots by creating an informed consent process. New state laws passed last year put controls on the samples, and now the department must inform parents of possible uses and allow them to opt out of having their baby’s blood stored for up to 25 years.

IBM launches massive health data research project

SAN JOSE, CA – IBM has announced it has launched a multi-year research project to connect and analyze enormous collections of data from a wide variety of sources to find ways to improve health. The project will initially focus on childhood obesity.

The IBM Research project will combine and analyze massive data sources that have never before been integrated to simulate the cause-and-effect relationships between agriculture, transportation, city planning, eating and exercise habits, socio-economic status, family life, and more, researchers said.