Your Medical Records Aren’t Secure

Published March 24, 2010

I learned about the lack of health privacy when I hung out my shingle as a psychiatrist. Patients asked if I could keep their records private if they paid for care themselves. They had lost jobs or reputations because what they said in the doctor’s office didn’t always stay in the doctor’s office. That was 35 years ago, in the age of paper. In today’s digital world the problem has only grown worse.

A patient’s sensitive information should not be shared without his consent. But this is not the case now, as the country moves toward a system of electronic medical records.

In 2002, under President George W. Bush, the right of a patient to control his most sensitive personal data—from prescriptions to DNA—was eliminated by federal regulators implementing the Health Information Portability and Accountability Act. Those privacy notices you sign in doctors’ offices do not actually give you any control over your personal data; they merely describe how the data will be used and disclosed.

In a January 2009 speech, President Barack Obama said that his administration wants every American to have an electronic health record by 2014, and last year’s stimulus bill allocated over $36 billion to build electronic record systems. Meanwhile, the Senate health-care bill just approved by the House of Representatives on Sunday requires certain kinds of research and reporting to be done using electronic health records. Electronic records, Mr. Obama said in his 2009 speech, “will cut waste, eliminate red tape and reduce the need to repeat expensive medical tests [and] save lives by reducing the deadly but preventable medical errors that pervade our health-care system.”

But electronic medical records won’t accomplish any of these goals if patients fear sharing information with doctors because they know it isn’t private…

Read More at The Wall Street Journal

There is no need to choose between the benefits of technology and our rights to health privacy. Please support YOUR right to decide who can see your electronic health information: sign the ‘Do Not Disclose’ petition now!

Privacy Degree Zero

We all know that reading medical books can make the world appear awash in disease. Is the same true of books on privacy? Was it because Daniel Solove’s Understanding Privacy was sitting on my desk during the winter that the news seemed awash with stories about challenges to privacy? No sooner were the private “Climategate” e-mails splashed across front pages than the Guardian published a secret climate agreement among the rich nations. Facebook, not for the first time, embarrassed itself by changing its privacy settings–perhaps better called publicity settings–with minimal notification to its members. If that weren’t enough, we learned that Yahoo was selling details of subscribers’ accounts and Sprint was releasing location data of its cellphone users. (For the latter, the police only had to ask for the data, and they did so some 8 million times.) Showing evenhandedness in whom they investigate, a police department in Southern California sought permission to read private text messages on the pagers of its officers. Meanwhile, the Department of Homeland Security was once again caught gathering and circulating information on innocuous citizens.

Exploring Privacy: An FTC Roundtable Discussion

The Federal Trade Commission will hosted a series of day-long public roundtable discussions to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data. Such practices include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation.

Dr. Deborah Peel, founder and chair of Patient Privacy Rights, was part of the second session.

Read the transcript of Dr. Peel’s session here

Watch the video of all sessions here

Privacy & Publicity

SXSW 2010 Interactive Festival: Opening Remarks: Privacy & Publicity

Danah Boyd explains in this presentation what privacy is and why it is important in all aspects, but specifically in social networking.

One of the world’s foremost authorities on social networks, Boyd works at Microsoft Research New England and also serves as a Fellow at the Harvard University Berkman Center for Internet and Society. Boyd recently completed her PhD in the School of Information at the University of California-Berkeley.

BMA calls for roll-out of electronic patient records to be suspended

The BMA has written to the government calling for a suspension of the programme to upload summaries of patients’ medical records in England to a national database.

In December, the Department of Health announced that the roll-out of the Summary Care Record would be accelerated, and the BMA has serious concerns that the process is being carried out too quickly. Patients can opt out of having a record created, and the BMA believes they are receiving insufficient information about the choices they can make.

GPs have reported that the rushed implementation of the programme means they do not have time to support patients in making an informed choice, and that in some cases records are being created without even implied consent from patients.

How to reconcile Kaiser’s statements about who can access patient data

Two reports of how Kaiser Permanente approaches security left this blogger scratching her head last week as the reports might seem to contradict each other. And because the VA Watchdog had the same questions I have, I decided to follow-up.

On February 28, and as reported by Health Data Management, Eric Liederman, M.D, director of medical informatics at Kaiser Permanente’s Northern California division, described the security approach this way during the Physicians Symposium at the HIMSS 2010 Conference & Exhibition in Atlanta:

VA investigating security breach of veterans’ medical data

The Veterans Affairs Department’s inspector general has launched a criminal investigation into a physician assistant’s alleged downloading of veterans’ clinical data at its Atlanta medical center, sources have told Nextgov…

…The breach illustrates the need for patients, not clinicians, to control their medical records, said Dr. Deborah Peel, founder of Patient Privacy Rights, a nonprofit based in Austin, Texas, that works to ensure medical information remains restricted. She said control should include a requirement to obtain a patient’s consent to send clinical information to another doctor or to use it for research. Peel added electronic consent software currently exists to automate the process.

DNA Destruction

In the weeks before state health officials destroyed more than 5 million newborn blood samples they had stored without consent, privacy advocates, parents and lawmakers reached a last-ditch accord to save them — but couldn’t convince the Department of State Health Services to sign on…

Peel said the state’s decision not to seek a non-destructive solution is a shame. She said there was national interest in “saving this treasure trove” of baby blood spots, and that she was working with researchers and lawmakers in Texas and Washington, D.C., to seek funding for a state-of-the-art research database that would allow parents to give consent electronically.

“We were going to … reach out to those 5 million families and let them know they had an alternative to having their blood spots destroyed,” Peel said.

Glitch prompts VA to shut e-health data exchange with Defense

The Veterans Affairs Department closed off access to the Defense Department’s huge electronic health record system on Monday because it found errors in some patients’ medical data clinicians downloaded from the Defense network, according to a departmental patient safety alert, which Nextgov obtained.

Although no patient was injured, the errors shed light on how software glitches could affect the accuracy of electronic medical records and a planned national system that has been backed by the Bush and Obama administrations.

Locking down privacy: Where do we draw the line?

Patient privacy dates back to ancient Greece, beginning with the physician and teacher Hippocrates, who is often called the father of Western medicine. He authored the Hippocratic Oath to establish best practices for his fellow physicians and to build trust with his own patients. It was necessary for him to keep the ailments of his contemporaries secret, lest they be subject to humiliation, personal harm or loss of opportunity.

Ironically, more than 2,400 years later, patient privacy remains a fundamental issue, and the repercussions of information leaks are just as distressing. Areas of vulnerability have now expanded beyond the doctor-patient relationship in the exam room to encompass whole healthcare systems, communities, nations and even the global marketplace. With electronic information storage and transmission coming of age, whispering behind a closed door, as Hippocrates might have done, is obviously not enough to protect privacy.

Deborah Peel, MD, is the founder of Patient Privacy Rights (PPR), a national not-for-profit watchdog coalition. As a physician, she was inspired to adopt privacy as her mission in 1993 after an unnerving proposal from President Bill Clinton called for every patient encounter in America to be recorded in an electronic data-base. She was intimately familiar with the anxiety related to privacy in her own psychiatric-services practice, but the broad reach of electronic health records posed an imminent threat she just couldn’t ignore.

“For 30 years, I’ve been in the most privacy-sensitive specialty in medicine,” Dr. Peel says. “I’ve spent 30 years listening to how people’s reputations and lives are ruined. If you were in my shoes, you’d be doing this, too.”