Stanford medical records posted on public website, now removed

Below is part of the story published by MercuryNews.com, quoting Dr. Deborah Peel, founder of Patient Privacy Rights.

“The electronic medical records of 20,000 Stanford Hospital emergency room patients, including names and diagnostic codes, were posted on a commercial website, the hospital disclosed Thursday.

Personal information about patients seen between March 1 and Aug. 31, 2009, has been removed from the website and an investigation is under way, according to Stanford Hospital spokesman Gary Migdol.

But the startling breach — caused by a vendor’s subcontractor, who has assumed responsibility — raises questions about the privacy of medical information as it passes through many hands.

In one instance, it revealed a psychiatric diagnosis of a Santa Clara patient.

The released information also included medical record numbers, hospital account numbers, billing charges and emergency room admission and discharge dates. Credit card and Social Security numbers were not included…

…Americans expect doctors and hospitals to use their records only with consent, said Dr. Deborah C. Peel, founder of the watchdog group Patient Privacy Rights, “not to give them to legions of contractors and strangers. Existing regulations are just not strong enough to protect Americans’ sensitive health information. Today’s electronic health systems are not safe or trustworthy.””

Stanford Hospital investigating how patient data ended up on homework help website

A key conclusion from the audience of experts at the first summit on the future of health privacy was that HIPAA has not been effective at protecting patient privacy. Jaikumar Vijayan quoted Deborah C. Peel, MD, founder and chair of Patient Privacy Rights, on the problems with HIPAA and the need to restore patient control over health information in this story. See videos of the summit at: www.healthprivacysummit.org

“Stanford University Hospital in Palo Alto, Calif. is investigating how a spreadsheet containing personal medical data on 20,000 patients that was being handled by one of its billing contractors ended up publicly available for nearly one year on a homework help site for students.

The spreadsheet first became available on the site last September as an attachment to a question supposedly posed by a student on Student of Fortune, a website that lets students solicit help with their homework for a fee. The question sought help on how the medical data in the attachment could be presented as a bar graph, The New York Times reported on Thursday.

A Stanford Hospital & Clinics representative told Computerworld in a statement that the hospital discovered the file on August 22, and took action to see it was removed within 24 hours.

“A full investigation was launched, and Stanford Hospital & Clinics has been working very aggressively with the vendor to determine how this occurred, in violation of strong contract commitments to safeguard the privacy and security of patient information,” the statement said…

The breach shows yet again how ineffective HIPAA has been in getting organizations that handle healthcare data to take better care of it, said Deborah Peel, founder and chairman of the Patient Privacy Rights Foundation.

Many of the problems stem from the indiscriminate sharing of sensitive personal information among “legions of secondary users”, she said. The average hospital has between 200 and 300 outside vendors and partners with access to patient data, Peel said.

“We do not have an effective federal health privacy law. HIPAA was gutted in 2002 when control over who can see and use patient data for all routine uses was eliminated,” she said.

The only way to really get a grip on the problem is to allow patients to exert more control over who has access to their data. “Data should be used for a single purpose after the patient gives consent such as consent to use the data to pay a claim or send to a consultant.”

“Consent should be obtained for any secondary or new uses of data,” she said. All organizations that handle health data, including third parties, should be certified to adhere to the highest standards of data security, Peel said.

Patient Data Posted Online in Major Breach of Privacy

This New York Times article by Kevin Sack outlines the key findings by experts at the Health Privacy Summit: There are SERIOUS flaws in electronic health records when it comes to privacy, and these need to be addressed NOW.

“A medical privacy breach led to the public posting on a commercial Web site of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., including names and diagnosis codes, the hospital has confirmed. The information stayed online for nearly a year.

Since discovering the breach last month, the hospital has been investigating how a detailed spreadsheet made its way from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork.

Gary Migdol, a spokesman for Stanford Hospital and Clinics, said the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.

Although medical security breaches are not uncommon, the Stanford breach was notable for the length of time that the data remained publicly available without detection.

Even as government regulators strengthen oversight by requiring public reporting of breaches and imposing heavy fines, experts on medical security said the Stanford breach spotlighted the persistent vulnerability posed by legions of outside contractors that gain access to private data.”

Open-Source Health Care Software

It’s a great read and critical viewpoint. To view the full article, please visit Open-Source Healthcare Software.

Key Quotes:

  • “Unlike devices and services, most medical software is not regulated, placing the burden of safe and effective use on the physician.”
  • “Despite the obvious benefits, open-source software is still rare in medical practice because, as with music and other information-based products, it is easy to copy.”
  • “As medical software begins to offer decision support, risk management, performance rating, and analytic features, physicians should not accept black boxes and secret formulas that constrain sharing and intimately affect patient care and remuneration.”
  • “Software creators will not switch to producing open-source products voluntarily because they stand to lose money by doing so. Only physicians can drive this change, and this paper describes the reasons why doing so is important to our profession and our patients.”
  • “The Direct Project hosted by the Department of Health and Human Services is open-source software for secure e-mail to replace the fax as the primary means of communication between practices and even with patients. Direct Project has many unique features as a result of its noncommercial open-source design, including universal addressing that is not tied to a particular vendor or institution. Universal addressing, like modern e-mail, does not restrict communications to members of a particular exchange.”
  • “Open-source software offers the same benefits in medicine as it does in other fields. These include ethical advantages, access, innovation, cost, interoperability, integration, and safety.”
  • “As physician income becomes increasingly tied to patient outcomes and dependent on coordination of care, lack of interoperability, integration, and standardization has begun to impact clinical practice. It is hardly surprising that interoperability and integration costs related to proprietary health care software are extremely high and that the true value of health care services is difficult to measure and compare.”
  • “The broad ability of users to adopt and improve software creates diverse, global communities on the Internet with significant incentive to help each other.”
  • “Proprietary software puts the physician at the mercy of the vendor, who is often more interested in acquiring new customers than serving locked-in customers.”

Re: Top 100 – Under Their Influence

This is in response to the article in Modern Healthcare by Andis Robeznieks: “Under their influence, Washington insiders hold sway over our ‘100 Most Influential’ ranking, but real change seems to be coming from elsewhere.”

“The Politics of Privacy” is one of four key areas in Modern Healthcare’s story about the “100 Most Influential People in Healthcare” in 2011. Privacy was highlighted because the expectation to control personal health data is a truly bipartisan, trans-partisan issue.

The historic first-ever summit on the future of health privacy co-sponsored by Patient Privacy Rights (PPR) and the UT LBJ School in June was highlighted (see www.healthprivacysummit.org to watch videos of the sessions).

The story recognizes the crucial importance of PPR’s leadership on building patients’ rights to control use of the most sensitive personal information into the healthcare system up front, so patients will use and trust health IT systems and data exchanges.

Unfortunately, many of the new consumer privacy protections the Obama Administration supported in the stimulus bill (HITECH) are being implemented by federal agencies in ways that do not comply with HITECH and other existing federal regulations.

If industry and key government rule makers continue to ignore the American people’s expectations for control over the use of sensitive personal health data, the stimulus billions will be wasted on systems that can’t be trusted and the tremendous potential benefits health IT can bring to treatment and research may never be realized.

PPR Makes the List: 100 Most Influential People in Healthcare

Each year Modern Healthcare Magazine encourages the public to nominate and vote for the top “100 Most Influential People in Healthcare.” This year we are happy to announce that Dr. Peel is back on the list at #52. You can see the full list here.

She and Patient Privacy Rights are also highlighted in this article in Modern Healthcare: “Under their influence, Washington insiders hold sway over our ‘100 Most Influential’ ranking, but real change seems to be coming from elsewhere.” A subscription is required to read the entire story; however, one of the four sections on the list of 100 addresses privacy, and it highlights Patient Privacy Rights and Dr. Deborah Peel as leaders in this area.

Dr. Peel first appeared on the list in 2007 as #4 of the “100 Most Powerful People in Healthcare” for her work to make sure patients control access to their electronic medical records, and continued to be the only privacy advocate on the list in 2008 and 2009. She was nominated but did not make the final list in 2010. Her recognition this year shows that people are aware of privacy being a major issue in health care and that they are starting to realize we still do not have control over who sees our health records.

Re: HIPAA Auditor Involved in Own Data Breach

OCR’s contractor, KPMG, breached the privacy of 4,500 patient records when an employee lost an unencrypted flash drive.

You can read the full story at Health Leaders Media, “HIPAA Auditor Involved in Own Data Breach.”

KPMG absolved itself of doing any harm:

  • “KPMG believes that it is possible that the patient data was deleted from the flash drive prior to the time when it was lost,”
  • “KPMG has also concluded that there is no reason to believe that the information on the flash drive was actually accessed by any unauthorized person.”

Then KPMG prescribed its own remedy:

  • “KPMG has told us the company is implementing measures to avoid similar incidents in the future, including additional training and the use of improved encryption for its flash drives.”

Why didn’t OCR investigate and penalize KPMG? Instead, OCR doubled down and awarded KPMG a $9.2 million contract for HITECH-required HIPAA audits.

This does little to inspire consumer confidence in OCR, which has a long history of not penalizing industry for data security breaches.

Time for Congressional oversight?

The road to electronic health records is lined with data thieves

The following is a guest post by Reuters contributor Constance Gustke. The opinions expressed are her own. See the full article at http://blogs.reuters.com/reuters-money/2011/08/05/the-road-to-electronic-health-records-is-lined-with-data-thieves/

“The future of your personal health information involves gigantic Internet-driven databases that connect you to doctors, health information and services no matter where you are and what time it is.

With a big push from President Obama, who wants secure electronic health records for every American by 2014, many health insurance companies, hospitals, private practices and pharmacies are already delivering some patient portals using these records as a backbone.

It’s the future of medicine, says Dr. Raymond Casciari, chief medical officer at St. Joseph Hospital in Orange, California, but for now, he adds, “We’re still in the dark ages.”

The portal approach is intended to be beneficial, letting you share key medical data instantly with your family and consult with specialists on another continent. It’s supposed to lower healthcare costs and provide better services. But the data being stored is sensitive and so far it isn’t very secure, say experts. So it’s important to know how your medical information is being shared and managed, especially as access explodes.

Dr. Deborah Peel, a psychiatrist and founder of Patient Privacy Rights, is dubious about patient medical privacy on portals. She believes that data breaches can have harmful effects, including medical discrimination. “Today, we can’t see who uses our electronic records,” she warns. “And they can be back-door mined.”…”

Putting Data In The Cloud? Retain Control

At the beginning of Stanley Kubrick’s epic, “2001: A Space Odyssey,” apes benefit from the use of technology, in the form of a club. By the end of the movie, however, humans are threatened by the technology used to help them survive in the stars, the artificial intelligence HAL.

In some ways, this technological arc — from tool to master — is an apt allegory for companies entering the cloud, Davi Ottenheimer, president of security consultancy Flying Penguin, plans to argue in his presentation at the B-Sides Security conference in Las Vegas next week. Firms seeking greater efficiency and more features may rely on the technology of a cloud provider, leaving themselves vulnerable to a single security incident.

In his presentation, Ottenheimer plans to illustrate the need for a more secure approach to clouds using the themes from “2001: A Space Odyssey.”

“The central question for companies is, ‘Do you have control?’” Ottenheimer says. “The fight between the humans and HAL in a nutshell is the fight between the customers and the cloud provider. Humans’ reliance on the tools to survive in space is almost their undoing, and reliance on cloud services can similarly be a firm’s undoing.”

All Videos from the 2011 Health Privacy Summit Now Available

FOR IMMEDIATE RELEASE:

All Videos from Health Privacy Summit Now Available

**Note**: Videos can now all be found at http://www.healthprivacysummit.org.

AUSTIN, Texas, July 21, 2011 – Organizers of the June 13th, D.C. Health Privacy Summit, “Getting IT Right: Protecting Patient Privacy in a Wired World”, today announced the release of all videos from the Summit.

Videos include all of the morning panel sessions, the keynote speakers, as well as the final session: “Looking Forward – The 2012 Health Privacy Agenda.” These panels include academics, advocates, government officials, health care providers, industry executives, and technology experts, who discussed the major technical, legal, and cultural issues and solutions to privacy and patient control over personal health information in electronic health systems and data exchanges.

Video Highlights:

  • Jeff Rosen, Author and Professor of Law at George Washington University, interviewed Alan Westin, Author, Of Counsel and Senior Policy Advisor, Arnall Golden and Gregory, Atlanta and Washington DC, for the keynote session titled, “What do research and history tell us about privacy today?”
  • Anita Allen, Deputy Dean at the University of Pennsylvania Law School, moderated the first session titled: “Contrasting Beliefs about Privacy Protection in the Digital Era.” She utilized the diverse panel to spark the exciting discussions about health information privacy that continued throughout the day.
  • The third of the case study panels featured a discussion of the Sorrell vs. IMS Health case. This panel, titled “Secondary uses of personal health information in health databases”, included the Assistant Attorney General from the state of Vermont and the Chief Privacy Officer from IMS Health, along with consumer, government, academic, and international experts.

For the full agenda, more information on the panels, and links to each video, see: http://www.healthprivacysummit.org/agenda.

“Getting IT Right: Protecting Patient Privacy in a Wired World”, was jointly hosted by The Lyndon B. Johnson School of Public Affairs at The University of Texas at Austin and the Patient Privacy Rights Foundation.

The summit was interactive and audience members participated in work groups to identify urgent health privacy issues, along with identifying the immediate steps needed to deliver responsible and realistic solutions, a synopsis of which will be forthcoming.

For up-to-date health privacy information, Summit materials and resources, visit: http://www.healthprivacysummit.org

###

The Lyndon B. Johnson School of Public Affairs is a graduate component of The University of Texas at Austin. The School’s mission is to develop leaders and innovative ideas that will help our state, the nation and the international community address critical public policy challenges in an increasingly interconnected and interdependent world.

Patient Privacy Rights is the nation’s leading health privacy watchdog and leading consumer voice for building ethical, trustworthy HIT systems. For more information, visit: http://patientprivacyrights.org