Your Medical Records May Not Be Private: ABC News Investigation

ABC TV’s Jim Avila shows how easy it is to buy personal health data. He spoke with security consultant Greg Porter, who showed him how to buy personal health information online for $14-$25. ABC News learned about the lack of effective security and privacy for medical records from “Julie” at the 2nd International Summit on the Future of Health Privacy.

Here is the video (after a short advertisement):

You can also see the above ABC News video on medical records at: http://abcnews.go.com/Health/medical-records-private-abc-news-investigation/story?id=17228986#.UIQCz1H6Acs

ABC’s print story about the TV news segment tells “Julie’s” story, quotes Patient Privacy Rights (PPR), and links to our free online consumer protection forms so you can take action to better protect your health data. Use the free consent form and ask physicians and hospitals to honor longstanding state laws that require consent before they disclose your health information. According to HIPAA, providers can refuse to honor requests like this, but HIPAA also says stronger state laws and medical ethics should prevail—so ‘ask’ and tell them to honor your rights to control who sees and uses your electronic health information.

Two University of Miami Hospital Employees May Have Stolen & Sold Patient Data

To view the full Miami Herald article, please visit: Two University of Miami Hospital Employees May Have Stolen & Sold Patient Data

Two hospital employees are accused of stealing thousands of “face-sheets” from the University of Miami Hospital over a 22-month period. These “face-sheets” included information such as name, address, reason for visiting, insurance policy number (note: Medicare and Medicaid use SSNs as insurance policy numbers), date of birth and the last four digits of the social security number. The employees have admitted to their improper conduct and were terminated immediately, but the lasting damage of the stolen information is still being addressed by the hospital, and there is no information about how many of these sheets may have been taken. In a statement released by the hospital, it was revealed that there is “no indication that medical records are at risk”.

Privacy and Data Management on Mobile Devices

See this link for the entire survey of 1,954 cell phone users (see excerpt below): http://pewinternet.org/~/media//Files/Reports/2012/PIP_MobilePrivacyManagement.pdf

When the public learns about hidden data use and collection on cell phones, significant numbers of people TURN them OFF:

  • “57% of all app users have either uninstalled an app over concerns about having to share their personal information, or declined to install an app in the first place”

What will the public do when they realize they CANNOT turn off:

  • hundreds of software ‘applications’ at hospitals that collect, use, and sell their health information
  • thousands of EHRs and other health information technologies that collect, use, and sell their health information
  • health-related websites that collect, use, and sell their health information

Consumers Say No to Mobile Apps That Grab Too Much Data

To view the full article, please visit the New York Times: Consumers Say No to Mobile Apps That Grab Too Much Data

Imagine the reactions smart phone users will have when they discover the vast, hidden industry that collects, uses, and sells personal health data—from prescription records to DNA to diagnoses.

A recent Pew Research Center study found smartphone users are taking action to protect their privacy:

· 50% “decided not to install applications on their mobile phones because they demanded too much personal information”

· Nearly a third uninstalled an application after learning that it was collecting personal information “they didn’t wish to share.”

· And one in five turned off location tracking “because they were concerned that other individuals or companies could access that information.”

What will happen when smartphone users want to protect the privacy of their health information and try to turn off:

· the hundreds or thousands of hidden disclosures and uses of their sensitive health records by hospitals’ and doctors’ health IT systems

· the daily sale of their prescription records by pharmacies and lab test results by clinical laboratories

· the disclosure of personal health information via state “health information exchanges” and the Nationwide Health Information Network

If Americans can figure out and ACT to prevent cell phone apps from grabbing their contacts and location information—what will they do when they find out that electronic health systems collect, use, and sell mountains of detailed, intimate information about their minds and bodies—and they can’t turn these “apps” off?

People CAN choose to live without Angry Birds (or whatever app they decide against) but they really CAN’T choose to go without healthcare – at least not without possibly serious health repercussions. People can choose what personal info to share online (to some degree), but really can’t choose what health info is shared.

Health technology systems that eliminate patient control over who can see and use sensitive health data are causing the nation’s greatest hidden privacy disaster. It can only be fixed when the public finds out.

Aggressive New Texas Law Increases Fines, Training Rules; Could Hit CEs Nationwide

Aishealth.com explains the new Texas Medical Privacy Act that has recently been signed into law and quotes Dr. Deborah Peel of PPR in their latest report on patient privacy. The report is only available through subscription but below are a few key points and quotes from it. If you have a subscription to aishealth.com, you can view the full article at Aggressive New Texas Law Increases Fines, Training Rules; Could Hit CEs Nationwide.

“A new Texas law governing the privacy and security of protected health information, perhaps the broadest and among the toughest of such laws in the nation, went into effect on Sept. 1. The Texas Medical Privacy Act, signed into law June 17, 2011, by Gov. Rick Perry (R), not only increases requirements beyond those in HIPAA for organizations that are already covered entities (CEs), but greatly expands the number and type of Texas-based CEs required to comply with the privacy standards in HIPAA and adds a bunch of its own requirements. It contains separate mandates for breach notification of electronic PHI and penalties for violations.

The new law ‘is basically HIPAA, but applies to everyone who touches PHI’ and will have a ‘big impact on entities that get PHI but aren’t technically business associates – which are now effectively covered in Texas and must comply with HIPAA restrictions on use and disclosure,’ says longtime HIPAA expert and Texas attorney Jeff Drummond, a partner in the Dallas office of Jackson Walker LLP.
‘The biggest impact on CEs and BAs are the shorter timeframes for giving access to records and the training requirement,’ he says. And the new law, which amends two existing areas of Texas regulations, carries a punch: the law provides for ‘administrative, civil and criminal penalties’ that dwarf even those that were expanded under HITECH.

The law is likely to have an impact outside of Texas and spur privacy advocates to push for similar legislation in their states or at the national level. One of the most outspoken patient privacy advocates, Austin psychiatrist Deborah Peel, was among those who supported the law, testifying before elected officials during their deliberations in 2011.

‘We hope the Texas law inspires other states to write strong laws that emphatically reject hidden data flows that the data mining and data theft industry profit from at our expense,’ Peel tells RPP. ‘The states can restore and strengthen personal control over health information – it’s what the public expects from health information technology systems and it’s our right to have [such control].’ Peel adds that ‘It’s also good business to prevent thousands of people from accessing PHI, [as] fraud, identity theft and medical identity theft are exploding.’”

Survey uncovers lax attitudes toward BYOD security

To view the full article by Eric Wicklund in mHIMSS, please visit Survey uncovers lax attitudes toward BYOD security.

Ask your doctor about his/her smart phone or iPad: does he/she use it for work, is your data encrypted, can the data on the device be wiped if it’s lost or stolen?

The number of people who work in healthcare using personal devices like smart phones and Apple products is exploding—but many mobile devices lack the strong data security protections required for health data, like encryption. So if the device is lost or stolen, so is the sensitive information about your mind and body.

Key quotes from the story:

* 51% say their companies don’t have the capability of remotely wiping data from a device if it is stolen or lost

* Less than half had (data security) controls in place for mobile devices

* 84% of individuals stated they use the same smartphone for personal and work issues.

* 47% reported they have no passcode on their mobile phone.

Senator Al Franken is pressing Congress and the Department of Health and Human Services (HHS) to specifically require health data to be protected on portable media. The government is pouring billions into building an electronic healthcare system but failing to require or enforce effective rules to protect our sensitive health information, from prescription records to DNA to diagnoses. Electronic health records are far easier to steal, sell, or lose than paper records because hundreds or thousands of people who work at hospitals and health plans can access our health data.

It’s crazy that health data is not protected by ironclad security protections at all times, no matter where it’s being used. You’d think that even without government regulations for data protection, anyone handling our most sensitive personal information would protect it, but many don’t.

Patient Trust in Confidentiality Affects Health Decisions

To view the full article by Pablo Valerio, please visit Enterprise Efficiency: Patient Trust in Confidentiality Affects Health Decisions

This article highlights a survey sponsored by FairWarning that looks at how “patient privacy considerations impact the actual delivery of healthcare” in the UK and US.

Key quotes from the story:

-“CIOs and healthcare providers need to ensure the best security, not only because it is the law, but because data breaches actually affect how honest a patient might be with a doctor and how quickly they will seek medical attention.”

-“It is not enough to comply with government regulations about data protection. If a data breach occurs patients are not going to check if the institution was following rules, they are going to blame their executives for allowing the breach to happen, regardless of the reasons.”

The survey, “UK: How Privacy Considerations Drive Patient Decisions and Impact Patient Care Outcomes; Trust in the confidentiality of medical records influences when, where, who and what kind of medical treatment is delivered to patients” cited in the article below compares attitudes about health information privacy in the UK and US.

Some key UK findings are:

-38.3 percent stated they have or would postpone seeking care for a sensitive medical condition due to privacy concerns

-More than half of patients stated that if they had a sensitive medical condition, they would withhold information from their care provider.

-Nearly 2 out of 5 stated they would postpone seeking care out of privacy concerns.

-45.1 percent would seek care outside of their community due to privacy concerns

-37 percent would travel… 30 miles or more, to avoid being treated at a hospital they did not trust

US vs UK patients:

-UK patients are almost twice as likely to withhold information from their care provider…if they had a poor record of protecting patient privacy.

-4 out of 10 UK patients versus nearly 3 out of 10 US patients … would put off seeking care … due to privacy concerns.

-97 percent of UK and US patients stated chief executives and healthcare providers have a legal and ethical responsibility to protect patients’ medical records from being breached.

Patients must have control of their medical records

An interesting article written by Mohammad Al-Ubaydli, founder and chief executive of Patients Know Best in which he explains the benefits of using Personal Health Records over electronic ones. To view the full article, please visit Patients must have control of their medical records.

Quotes:

  • an electronic health record is designed for employees of an institution to work together. It is logistically, technically, and legally difficult to connect such records. The number of connections in a network necessary for integrated care goes up exponentially if the connections are institution to institution, but only linearly if they go through the patient (a hub). In other words, only the latter approach can cope with the networks of care of modern medicine.
  • There are also formidable legal difficulties with institutions sharing data about patients. Patients, by contrast, can quickly and usefully consent for data sharing if they are in control.
  • it is hard to see how care can truly be patient centred when patients’ records are scattered and not under their control.

Patients worried about medical records going digital

To view the full article, please visit American Medical News: Patients worried about medical records going digital

This article recently posted in American Medical News puts forth some important numbers from Xerox’s Third Annual Electronic Health Records Survey pertaining to the public’s view of EHRs. It also addresses that “Many patient concerns stem from the fact that the value of EHRs has not been made clear to [them].” The article advises that physicians “…really have to figure out how we make the EHR a focal point of collaboration between patients and members of multidisciplinary care teams rather than just a thing that’s in the room that we have to use to document so we can bill”.

Here are a few key points from the story:

“A survey of more than 2,100 patients by Xerox found that only 26% want their medical records to be digital, down two percentage points from a year ago. Only 40% believe EHRs will result in better, more efficient care. And 85% expressed concern about digital records. Their main worries: privacy and security of their information.”

63%: With EHRs my information could be stolen by a hacker.
51%: My personal information could be misused.
50%: Digital medical records could be lost, damaged or corrupted.
40%: Digital records mean better, more efficient care.
31%: I feel I am adequately informed about when and how my medical records are used.
26%: I want my records to be digital.
26%: EHRs have improved my interactions with my physician office.
24%: My doctor involved me in the conversion from paper to electronic.
21%: I expect EHRs to improve the quality of service I receive.
14%: I think my health care provider is technically savvy enough to use EHRs.

Shoppers, Meet Your Scorekeeper

See the article in the NY Times at: Secret E-Scores Chart Consumers’ Buying Power

Let’s call this business what it really is: data theft, not scorekeeping. This great story by Natasha Singer is in the vein of the WSJ series: “What They Know”. There is no way to know if our e-scores, derived from 50,000+ pieces of personal information, are used only for shopping.

  • There is no proof that eBureau does what the CEO says. Unless eBureau reveals all the buyers of the scores or lets us see all the personal data they collect/steal about us there is no way to know if the scores are used to discriminate against us in key life opportunities.

Natasha Singer writes clearly about the business model of hidden data theft and hidden data mining that is used by so many Internet-based corporations. She profiles Gordy Meyer, CEO of eBureau, who claims his company makes entirely legal use of millions of online and other personal, electronic clues. He imagines we freely, consciously give personal data away to corporations like his to create instant, extremely detailed, deeply intimate real-life profiles of every one of us (which he sells at 3 to 75 cents per profile).

When we simply LOOK or CLICK AROUND a website, we are not in any meaningful way giving consent to hidden data-thieving corporations to collect or use personal information. We are victims of unfair and deceptive trade practices and data theft.

The public simply has no concept that extremely detailed digital profiles are being collected and used to discriminate against them:

  • “eBureau then adds several thousand details–like age, occupation, property value, length of residence, and retail history–from its data bases to each customer profile. From those raw data points, the system extrapolates up to 50,000 additional variables per person.”

What are the “several thousand details” eBureau adds? Could they be details like your searches for information on treatment of melanoma or STDs? How do we know what the details are? eBureau will not tell us.

The story closes with a quote from Frank Pasquale:

  • “I’m troubled by the idea that some people will essentially be seeing ads for subprime loans, vocational schools and payday loans,” Professor Pasquale says, “while others might be seeing ads for regular banks and colleges, and not know why.”

One of the worst parts of this story is that eBureau’s CEO makes assertions that cannot be verified:

  • there is no way to know what data is collected or what eBureau does with it
  • there is no way to know if eBureau “meets regulatory requirements” or “has put firewalls in place to separate data bases containing federally regulated data, like credit or debt information used for purposes like risk management, from databases about consumers used to generate scores for marketing purposes” because there is no outside auditing.

My bet is that a HUGE part of what is collected is information about our minds and bodies. We already know that personal health information is the most valuable digital information about each of us. Will purchasers of eBureau’s scores offer a credit card to anyone with cancer or depression? Will we be able to qualify for loans to send our kids to college if we have genetic risks for breast cancer or heart disease?