“Getting IT Right: Protecting Patient Privacy Rights in a Wired World”

Official Pre-conference for CFP2011

June 13, 2011 Georgetown Law Center Washington, D.C.

“Getting IT Right: Protecting Patient Privacy Rights in a Wired World” is the nation’s first open and inclusive public forum to discuss the future of health privacy in a digital age. The conference will be held June 13, 2011 at the Georgetown Law Center in Washington, D.C. and is the result of a partnership between the Lyndon B. Johnson School of Public Affairs at The University of Texas at Austin and the Patient Privacy Rights Foundation, the premier health privacy advocacy organization in the United States.

You can find the agenda, a list of speakers, and more relevant news on the summit at the official website: www.healthprivacysummit.org.

Register Now: www.healthprivacysummit.org/registration

Re: Data Privacy, Put to the Test

Great story in the NY Times on how the sale of prescription records violates patients’ right to health privacy. It quotes three of the big stars who will be speaking June 13th at the First Summit on the Future of Health Privacy: Chris Calabrese, Latanya Sweeney, and Lee Tien. See www.healthprivacysummit.org.

See the full story: Data Privacy, Put to the Test

Re: Google Defends Way It Gets Phone Data

Mobile devices are the future of healthcare and health IT. In parts of the world too poor to afford enterprise systems, “mHealth” is already how healthcare is delivered.

Please see the recent article in the Wall Street Journal: Google Defends Way It Gets Phone Data

This story should serve as a warning to patients: if your doctor uses an iPad, iPhone, or Android phone to access your electronic health information, Google and Apple may be collecting, using, or selling it.

  • QUOTE: “Amid rising scrutiny of their practices, Google Inc. defended the way it collects location data from Android phones, while Apple Inc. remained silent for a third day. The companies’ smartphones regularly transmit locations back to Google and Apple servers, respectively, according to data and documents analyzed by The Wall Street Journal. Research by a security analyst this week found that an Android phone collected location data every few seconds and sent it to Google several times an hour. Apple disclosed in a letter to Congress last year that its phones ‘intermittently’ collect location data, and the company receives it twice a day.”

Do Android phones, iPhones and iPads send health records back to Google and Apple every few seconds, the same way they send GPS data? Right now, health data on mobile devices typically isn’t even encrypted.

Do Google and Apple collect and store health data for months, like they do with location data?

Do Google and Apple “anonymize” health data the same way they “anonymize” your cell phone: by assigning a unique number that is directly traceable back to you?

The point is, whatever Apple and Google can do with GPS data, they can do with health data on mobile devices.
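The “unique number that is directly traceable back to you” deserves a concrete illustration, because a stable pseudonym is not anonymization. The script below is an added example, not code from the article or from either vendor: it builds two constructed feeds from the same devices (a location feed and a health feed keyed by a made-up phone number), replaces the phone number with a pseudonym the way a vendor might, and then shows that the two “anonymized” exports join trivially on that pseudonym. It also shows that when the identifier space is enumerable (phone numbers, IMEIs) and the vendor reuses one fixed salt, the pseudonym can be reversed outright. The salt value, the feeds and the device numbers are all assumptions made for the demo.

```python
import hashlib
import secrets
from collections import defaultdict

# Constructed sample feeds (not real data): a location feed and a health feed
# from the same two devices, keyed by the device's phone number.
LOCATION_FEED = [
    {"device": "+15125550101", "ts": 1, "lat": 30.26, "lon": -97.74},
    {"device": "+15125550101", "ts": 2, "lat": 30.28, "lon": -97.73},
    {"device": "+15125550199", "ts": 1, "lat": 38.90, "lon": -77.03},
]
HEALTH_FEED = [
    {"device": "+15125550101", "rx": "oxycodone 10mg"},
    {"device": "+15125550199", "rx": "lisinopril 20mg"},
]
VENDOR_SALT = "vendor-fixed-salt"  # hypothetical: one salt reused for every export


def stable_pseudonym(device_id: str, salt: str) -> str:
    """'Anonymize' by assigning one unique number per device: same input,
    same output, in every export the vendor ever produces."""
    return hashlib.sha256((salt + device_id).encode()).hexdigest()[:16]


def make_per_export_pseudonymizer():
    """Fresh random pseudonyms for one export only. Rows inside that export
    still link to each other; rows in a different export do not."""
    mapping = {}
    return lambda device_id: mapping.setdefault(device_id, secrets.token_hex(8))


def export(rows, pseudonymize):
    """Replace the device identifier with a pseudonym and drop the original."""
    return [
        {**{k: v for k, v in row.items() if k != "device"}, "pid": pseudonymize(row["device"])}
        for row in rows
    ]


def link(location_rows, health_rows):
    """Join two 'anonymized' exports on the pseudonym. Returns
    {pid: (prescription, [location rows])} for every prescription that
    can be attached to a movement trail."""
    trails = defaultdict(list)
    for row in location_rows:
        trails[row["pid"]].append(row)
    return {h["pid"]: (h["rx"], trails[h["pid"]]) for h in health_rows if h["pid"] in trails}


def reidentify(pid, salt, candidate_ids):
    """If the identifier space is enumerable and the salt is the vendor's fixed
    value, the pseudonym is reversed by trying every candidate."""
    for candidate in candidate_ids:
        if stable_pseudonym(candidate, salt) == pid:
            return candidate
    return None


def run_demo():
    stable = lambda device_id: stable_pseudonym(device_id, VENDOR_SALT)
    linked = link(export(LOCATION_FEED, stable), export(HEALTH_FEED, stable))
    # Separate random mappings per export: there is nothing to join on.
    unlinkable = link(export(LOCATION_FEED, make_per_export_pseudonymizer()),
                      export(HEALTH_FEED, make_per_export_pseudonymizer()))
    recovered = reidentify(stable("+15125550101"), VENDOR_SALT,
                           ["+15125550100", "+15125550101", "+15125550199"])
    return linked, unlinkable, recovered


if __name__ == "__main__":
    linked, unlinkable, recovered = run_demo()
    for pid, (rx, trail) in linked.items():
        print(f"{pid}: {rx} linked to {len(trail)} location fixes")
    print("per-export pseudonyms linkable:", bool(unlinkable))
    print("stable pseudonym recovered as:", recovered)
```

Two caveats a practitioner would add. First, per-export pseudonyms remove the join key but not the data: a trail of coordinates (home at night, clinic by day) frequently identifies a person on its own, so unlinkable identifiers are necessary, not sufficient. Second, `reidentify` is a toy linear search; against a fixed salt and a phone-number-sized space an attacker precomputes the whole table once.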

Re: Governor Scott Outlines Prescription Drug Problem In Florida

Florida dispenses MORE oxycodone than the whole rest of the nation!

See Gov Scott’s testimony before Congress here.

Bravo to Governor Scott for not being bullied into building an expensive, large database of extremely sensitive, hard-to-protect personal health information, when the REAL solution is simple and obvious: stop the 98 Florida doctors among the nation’s 100 top dispensers of Oxycodone from prescribing. No wonder Florida is the “Oxy Express”.

It’s actually stunning that no one thought of this before: go after the bad doctors.

Taking away the prescribing licenses of doctors committing unethical and criminal acts is not hard or costly. It has the great advantage of not exposing the prescriptions of patients who are legitimately taking pain meds to insider theft or hacking of a state-run database.

Quotes from the story

· more Oxycodone is dispensed in the state of Florida than in the rest of the nation

· 98 of the top 100 doctors dispensing Oxycodone nationally are in Florida – concentrated in the Miami, Tampa, and Orlando regions.

· Scott said, “we are moving legislation to limit how doctors dispense narcotics and making sure doctors divest from pharmacies.”

· Scott also said, “The role of doctors who have forsaken their commitment to people’s health in exchange for the quick buck of unethical and criminal dispensing cannot be overstated and absolutely must be put to an end.”

See more on his testimony here.

Re: Epsilon breach used four-month-old attack

In response to the article in ITnews.com by Brett Winterford: Epsilon breach used four-month-old attack

Epsilon, the world’s largest email service provider, did not respond to four-month-old warnings that its systems were vulnerable to hackers trying to access email deployment systems. Victims reported that not only email addresses but also phone numbers were stolen. Some received hundreds of phone calls.

Everyone should expect very sophisticated “spear-phishing” attacks via email, in which the attacker gets you to open a message by pretending to know you, using details gathered from social media and similar sources.

Some 2,500 global companies, Citibank among them, trusted Epsilon with sensitive details about millions of us, their customers.

Hospitals, insurers, pharmacies, and many unknown third parties, corporations and government agencies also hold databases with millions of Americans’ sensitive financial and health records. Reports of health data breaches are soaring because securing data is very difficult and expensive.

Shouldn’t we demand that Congress and the federal government require and validate that all businesses holding health data have ironclad data security protections in place BEFORE REQUIRING ever more data exchange, when we already know that healthcare systems are extremely vulnerable?

Shouldn’t health IT systems have ironclad security and require patient consent first? Shouldn’t the horse go before the cart?

Check out the latest proposed Federal Strategic Health IT Plan:
• it requires vast amounts of data-sharing NOW for a myriad of “meaningful uses” and other reporting without patient consent
• we still can’t see who accessed or used our health data because we can’t get audit trails of all disclosures yet, even though federal law (HITECH, 2009) requires that data holders give us a three-year accounting of all disclosures on request. HHS has not yet implemented this new consumer right and protection in regulations.
• See: ONC Announces open public comment period on the Federal Health IT Strategic Plan: 2011-2015
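What an “accounting of all disclosures” has to look like on the data holder’s side is worth spelling out, because the hard part is not producing the list but making it trustworthy: a holder that can quietly delete or rewrite an entry after the fact has no audit trail at all. The example below is added here and is not HHS, ONC or PPR code, and the log format is an assumption: each disclosure entry commits to the hash of the previous entry, so editing or dropping an earlier disclosure breaks every later link, and the patient-facing accounting is just a filter over that chain for the three-year look-back window the post refers to. The sample disclosures are constructed for the demo.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone


class DisclosureLog:
    """Append-only, hash-chained accounting of disclosures. Each entry commits
    to the previous entry's hash, so deleting or editing an earlier
    disclosure invalidates every later one."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, patient_id, recipient, purpose, elements, when):
        body = {
            "patient_id": patient_id,
            "recipient": recipient,
            "purpose": purpose,
            "elements": sorted(elements),
            "when": when.isoformat(),
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry = {**body, "hash": self._digest(body)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """True only if every hash matches its body and every prev pointer
        matches the entry before it."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def accounting(self, patient_id, as_of, years=3):
        """The disclosures a patient is entitled to see: their own, within the
        look-back window (years approximated as 365-day spans here)."""
        cutoff = as_of - timedelta(days=365 * years)
        return [
            e for e in self.entries
            if e["patient_id"] == patient_id
            and datetime.fromisoformat(e["when"]) >= cutoff
        ]


AS_OF = datetime(2011, 6, 1, tzinfo=timezone.utc)


def build_sample_log():
    """Constructed disclosures (not real ones) for two patients."""
    log = DisclosureLog()
    log.record("p-001", "state-pdmp", "reporting", ["rx:oxycodone"],
               datetime(2007, 12, 1, tzinfo=timezone.utc))   # older than 3 years
    log.record("p-001", "insurer-x", "payment", ["dx", "rx:oxycodone"],
               datetime(2009, 9, 15, tzinfo=timezone.utc))
    log.record("p-002", "lab-y", "treatment", ["labs"],
               datetime(2010, 3, 3, tzinfo=timezone.utc))    # someone else's record
    log.record("p-001", "data-broker-z", "marketing", ["rx:oxycodone"],
               datetime(2011, 5, 1, tzinfo=timezone.utc))
    return log


def tamper_check():
    """Rewriting a past disclosure (say, to hide who received the data)
    is detectable: returns (valid before, valid after)."""
    log = build_sample_log()
    before = log.verify()
    log.entries[1]["recipient"] = "nobody"
    return before, log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    for e in log.accounting("p-001", AS_OF):
        print(e["when"], e["recipient"], e["purpose"], e["elements"])
    print("chain intact:", log.verify(), "after tampering:", tamper_check())
```

The chain only proves that nothing was changed after it was written; an insider who simply never calls `record` leaves no trace. In a real deployment the log is written by the access-control layer that releases the data, not by the application afterwards, and the head hash is periodically published or countersigned so the holder cannot rebuild the whole chain from scratch.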

PPR will circulate comments for the Coalition for Patient Privacy to sign.

Mostashari mindful of HIT stakeholder tension

WASHINGTON – At the Health IT Policy Committee meeting Wednesday morning, Farzad Mostashari, MD, the new national coordinator for health information technology, said he will listen attentively to stakeholder interests and is aware of the tensions among them. However, his first objective will be the public interest.

In addition to his national coordinator role, Mostashari will serve as chair of the HIT Policy Committee, an advisory group to the Office of the National Coordinator for Health Information Technology (ONC), which meets once a month. Like his predecessor, David Blumenthal, MD, his leadership of this committee, in particular, will provide a catalyst for much of the activity the government plans for health IT.

“David is a tough act to follow,” Mostashari said, in some of his first public comments following his appointment last Friday. He added that Blumenthal had a broad range of support and unique skills that helped to move the federal HIT agenda to the next level.

“I’m not David Blumenthal, but I will do my best and will continue down the path he has set,” Mostashari said.

Re: They’ve got an app for that

In response to Modern Healthcare’s article: They’ve got an app for that

On Feb 15th and 16th, the President’s Council of Advisors on Science and Technology (PCAST) report was discussed in DC by the national HIT Policy Committee’s PCAST Workgroup. A key PCAST recommendation was that data be meta-tagged for many uses—one key use is so patients can add tags that say: “do not disclose this sensitive data unless I say so”. Patient Privacy Rights and the Coalition for Patient Privacy have LONG argued that all health IT systems and data exchanges MUST restore patient control over the most sensitive personal information that exists: electronic health data.

We are glad to see privacy-enhancing technologies being demonstrated and used in the nation’s largest electronic health system: the military health system covering 9 million lives.

This story shows how the VA is actually ALREADY using data meta-tags so patients can control who sees what health data—see the video that goes along with the story below at: http://www.modernhealthcare.com/article/20110224/VIDEO/302249949/-1
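To make the “do not disclose unless I say so” tag concrete, here is an added example of per-element consent tags enforced at disclosure time. It is not PCAST’s design, the VA’s code or anything from the Modern Healthcare story; the tag names (`sensitivity`, `consent_required`), the record and the consent table are all assumptions for the demo. Two choices in it are the ones a practitioner would insist on: an element that arrives with no tag at all is treated as restricted (fail closed, the most privacy-protective default), and the names of withheld elements are not sent back to the requester, because “hiv_status withheld” is itself a disclosure.

```python
# Constructed patient record with per-element privacy tags. The tag schema
# is hypothetical, not PCAST's or the VA's.
RECORD = {
    "patient_id": "p-001",
    "elements": [
        {"name": "blood_pressure", "value": "128/82",
         "tags": {"sensitivity": "general", "consent_required": False}},
        {"name": "hiv_status", "value": "negative",
         "tags": {"sensitivity": "restricted", "consent_required": True}},
        {"name": "psychotherapy_notes", "value": "[notes]",
         "tags": {"sensitivity": "restricted", "consent_required": True}},
        {"name": "legacy_field", "value": "imported without tags"},  # no metadata
    ],
}

# Patient-granted consents: (patient, requester) -> elements the patient released.
CONSENTS = {("p-001", "dr-smith"): {"hiv_status"}}


def consent_required(element):
    """Fail closed: an element with no tag, or no consent flag, is restricted."""
    return element.get("tags", {}).get("consent_required", True)


def disclose(record, requester, consents):
    """Return the elements the requester may see and a count of withheld ones.
    Withheld element names are deliberately not returned."""
    granted = consents.get((record["patient_id"], requester), set())
    released, withheld = [], 0
    for element in record["elements"]:
        if consent_required(element) and element["name"] not in granted:
            withheld += 1
        else:
            released.append({"name": element["name"], "value": element["value"]})
    return released, withheld


def grant(consents, patient_id, requester, element_name):
    """The patient's side of the tag: 'this requester may see this element'."""
    consents.setdefault((patient_id, requester), set()).add(element_name)
    return consents


if __name__ == "__main__":
    for who in ("dr-smith", "dr-jones"):
        released, withheld = disclose(RECORD, who, CONSENTS)
        print(who, [e["name"] for e in released], "withheld:", withheld)
    after = grant(dict(CONSENTS), "p-001", "dr-jones", "psychotherapy_notes")
    print("dr-jones after grant:", [e["name"] for e in disclose(RECORD, "dr-jones", after)[0]])
```

Returning even a count leaks a little (a requester learns that restricted elements exist); whether that is acceptable depends on the setting, and a stricter variant returns only the released elements. The enforcement point also has to be the system that hands out the data, not the viewer application, or the tags are advisory.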

Re: “Web’s Hot New Commodity: Privacy”

In response to the WSJ article: Web’s Hot New Commodity: Privacy

Finally the market for digital privacy is being built! This reflects GROWING public awareness of data theft and misuse.

Yes, PPR will continue to call it “theft”. Data mining corporations are like squatters who sneak onto property and then claim it because the owners didn’t know what they were doing. Data miners are thieves because they know VERY well how hard it is for people to discover what they are doing, and further, they know that there is no way anyone can stop them from stealing personal information. Watch — as ways to protect personal data are developed and laws are proposed to prohibit what they do, they will try to make sure their illegal and unethical practices are “grandfathered in.” These practices must be outlawed in the Digital Age if Americans are to retain the most precious right in a Democracy: the right of law-abiding citizens to be “let alone.”

We must fight back and press Congress to outlaw all data theft and corporate contracts that require giving up control of personal information. We must press Congress to ENFORCE the ban on the sale of health data without consent.

It is now clear to entrepreneurs that people are starting to view personal information as an EXTREMELY valuable asset that many want to have treated as personal property. The fact that the nation’s prescription records were being sold without consent is why Congress banned the sale of protected health information (PHI), OUR sensitive electronic health information, without consent in the stimulus bill.

There are many who fear that patients cannot meaningfully give consent to sell their health data; that they will easily sell it for next to nothing and not realize the consequences—such as job loss and generations of job and credit discrimination.

But the current situation is far worse and must be addressed: the huge health data mining industry operates in the shadows. AND we have NO WAY of identifying or preventing data mining corporations from stealing and selling our most sensitive data—from prescriptions to DNA. This secret industry is a behemoth, generating tens to hundreds of billions of dollars in annual revenue.

Letting secret, shadowy corporations continue to make billions/year selling the sensitive personal health data of every person in the U.S. is NOT a fair or sustainable solution to corporate and government data hunger. Why allow any industry built on theft? I can’t think of another legal industry built on theft.

Individuals should control PHI; morally and practically it is the only solution. But we need clear laws and boundaries in addition to individual control (consent), so that there are boundaries around exactly what data can be sold or used.

In Europe most uses of health data are flatly prohibited; in Germany there is no consent, but instead only a handful of uses of health data are permitted—the uses are tightly bounded. This is a very different approach than the US.

We ALSO need a framework of tightly bounded privacy protections for health data (in addition to informed electronic consents) that provides interactive education about consent decisions and sets defaults at the most privacy-protective level.

HIPAA privacy actions seen as warning

Computerworld – Two separate enforcement actions taken this week by the U.S. Department of Health and Human Services for HIPAA privacy violations should serve as a warning to all healthcare entities, say privacy analysts.

The agency announced on Thursday that it had imposed a civil monetary penalty of $4.3 million on health insurer Cignet Health for violating the Health Insurance Portability and Accountability Act’s privacy provisions.

This week’s other enforcement action involved Massachusetts General Hospital, which agreed to pay HHS a total of $1 million to settle potential HIPAA privacy violations.

The action against Cignet represented the first time since HIPAA became law that such a fine has been imposed on an organization in the healthcare field over a privacy violation.

HHS said the fine was levied on Cignet for two reasons: It did not give 41 patients access to their medical records when they asked for it, and it did not subsequently cooperate with an investigation into the matter by HHS’s Office for Civil Rights (OCR)…

…The actions could be a sign that HHS is getting serious about enforcing HIPAA’s privacy requirements more stringently, said Deborah Peel, founder and chairwoman of the Patient Privacy Rights Foundation.

These actions are among “the most significant things that the administration has done for patient privacy,” Peel said.

Both HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was passed as part of the 2009 stimulus package, contain provisions for protecting the privacy and security of patient data.

“But nobody has been paying attention to them. It’s like mass civil disobedience by industry,” Peel said. “So this is incredibly welcome for patients.”

PPR Comments on FTC Consumer Privacy Protection Report

We applaud the FTC for creating a report focused on protecting consumer privacy. The proposed framework upholds many of the practices we believe in: informed consumer consent, privacy protection and data security, and greater transparency.

View the FTC Staff Report: Protecting Consumer Privacy in an Era of Rapid Change

View PPR’s full comments