Promising research may protect health records privacy

To view the full article in Modern Healthcare, please visit Promising research may protect health records privacy.

A recent article in ModernHealthcare.com explains a new and promising technology developed by the Wake Forest School of Medicine’s Department of Biomedical Engineering. They have developed a “prototype health information exchange that both works for providers and restores patient control over the flow of their medical images.” The article explains how the new exchange utilizes “what’s called a Patient Controlled Access-key Registry to manage access for both patients and providers. A patient, who would allow another provider to see his or her records, releases an ‘access key’ with a digital signature at a patient portal.”

The article also quotes Dr. Peel’s views on the new system: “Psychiatrist and patient privacy advocate Dr. Deborah Peel— often a critic of health IT systems that she sees compromising privacy— says she likes what she reads about the Wake Forest pilot. ‘The majority of current HIT systems and data exchanges violate medical ethics and patients’ long-standing rights to control PHI (protected health information),’ Peel wrote in an email Wednesday. ‘Bravo to the Wake Forest research team for finally building effective electronic patient consent tools. Yes, this model solves the legal problems of data sharing. And yes, it builds patient trust in physicians because it restores the personal control over use and disclosure of protected health information that patients expect.’”

Jailed Man Narrowly Escapes Fatal Error in EHR

To view the full article, please visit Nextgov.com: Jailed Man Narrowly Escapes Fatal Error in EHR

Problems with EHRs don’t happen only in jails—and many hospitals and clinics that use EHRs are prohibited from criticizing the products in public; i.e., many health technology vendors have ‘gag’ clauses in their contracts with users. EHRs like this one can endanger patients’ lives and/or can be very difficult to use (many are NOT designed by clinicians who actually need to use them, can be very time consuming to use, make it hard to find needed information, etc.).

Attackers Demand Ransom After Encrypting Medical Center’s Server

To view the full article by John E. Dunn, please visit CIO: Attackers Demand Ransom After Encrypting Medical Center’s Server

What happens to patients when their doctors can’t get their records because thieves encrypted them? Federal law has required strong health data security protections since 2002, but 80% of hospitals and practices don’t encrypt patient data. If The Surgeons of Lake County had been following the law and encrypted their records, this attack could not have happened.

Patient Control Reduces Privacy Issues for Health Data Sharing Networks

See the full article on iHealthBeat.org: Patient Control Reduces Privacy Issues for Health Data Sharing Networks

It’s about time!!!! Congratulations to Wake Forest for building a way to move data that patients can trust. Patients have waited a long time for systems to be built that enable them to move their own information.

YES, this model solves the legal problems of data sharing—there is no need for expensive contracts between hospitals and doctors. And YES, it builds patient trust in physicians because it restores the personal control over use and disclosure of protected health information (PHI) that patients EXPECT.

The majority of current HIT systems and data exchanges violate medical ethics and patients’ long-standing rights to control PHI. This kind of electronic consent is THE ONLY way patient data should flow.

BRAVO to the Wake Forest research team for finally building effective electronic patient consent tools.

Protecting Our Civil Rights in the Era of Digital Health

See the full article by William Pewen in The Atlantic: Protecting Our Civil Rights in the Era of Digital Health

Bill Pewen has written the BEST BRIEF HISTORY OF HOW HEALTH INFORMATION PRIVACY WAS ELIMINATED I HAVE EVER SEEN, from diagnoses to prescription records to DNA. Terrific to see this in the Atlantic!

He shows how technology-based discrimination works, and makes the case that selling people’s health information/profiles is a major business model for the largest technology/Internet corporations: “Millions [of people] are beginning to recognize that they are not the customers, but the product.”
“[A]dvancing technology was opening a virtual Pandora’s Box of new civil rights challenges. At the crux of these was the fact that scientific progress has been enabling increasingly sophisticated discrimination.” … “Our experience with GINA helped to reveal the tip of an emerging threat — the use of modern data systems to create new forms of discrimination — and our concern focused on the use of personal medical data. While genetic data expresses probabilities, other parts of one’s medical record reflect established fact — an individual’s diagnoses, the medications one has used, and much more.”

“Genetic discrimination comprised just one of a number of game-changing technological challenges to civil rights. Confronting these presents new obstacles, and points to the need for a paradigm shift in our approach to prevent such inappropriate bias.”

He concluded with a call for “a 2nd civil rights bill of the 21st century”, based on key principles and tests to evaluate whether technology harms people:

Principles:
· First: “certain harmful acts must be clearly prohibited”

· Second: “the possession and use of personal medical data should be restricted without an individual’s consent”.

Harms tests:

To determine “whether an application of technology undermines existing civil rights statutes, … consider its potential to impose harm in terms of three tests.”

· First: “the immutability of a trait. Profiling based on an unchangeable [genetic] characteristic should raise questions, as the ability of an individual to impact these is absent.”

· Second: “relevance … [for example] we would not permit such irrelevant traits as race or gender to be used to discriminate in the hiring of flight crews.”

· Third: “the presumption of a zone of privacy. … neither personal medical information nor its correlates should be considered in the public domain.”

Senator Snowe and her top health expert, Bill Pewen, are real privacy heroes, responsible for key new consumer privacy and security protections in the technology portion of the stimulus bill (HITECH). The bipartisan Coalition for Patient Privacy worked very closely with them to support consumer protections they championed.

EHRs and Patient Privacy- An Oxymoron? Psychiatric Times Cover Story

A recent article in the Psychiatric Times based on the 2nd International Summit on the Future of Health Privacy describes the major problems with EHRs and the consequences of the misuse of this technology. The article quotes both Dr. Peel and Dr. Scott Monteith as well as “Julie” when describing the flaws of EHRs and HIEs. The article is available by subscription only through Psychiatric Times, but here are some highlights and quotes from the article:

“The escalating use of electronic health records (EHRs) and health information exchanges (HIEs) is fraught with unintended and sometimes dire consequences—including medical coding errors and breaches of psychiatric patients’ privacy and confidentiality, according to [Dr. Peel and Dr. Monteith] who scrutinize the field”

“At the recent Second Annual International Summit on the Future of Health Privacy, psychiatrist Scott Monteith, MD, Clinical Assistant Professor in the Departments of Psychiatry and Family Medicine at Michigan State University and a medical informaticist, relayed the experience of a patient who discovered that her EHR erroneously reported a history of inhalant abuse. In reality, she had a history of “caffeine intoxication.” After much investigation, the problem was identified. The DSM-IV-TR code (305.90) is used for 4 different diagnoses, including caffeine intoxication and inhalant abuse, but the EHR’s printout only made the inhalant abuse diagnosis visible. Although the error was reported to the EHR vendor, the problem persists after almost 2 years.”

“‘It is impossible for consumers to weigh the risks and benefits of using health IT and data exchanges when they have no idea where their data flows, who is using it or the purpose of its use,’ wrote Peel, a psychiatrist and psychoanalyst.”

“…Peel emphasized the importance of patients being able to control access to sensitive personal health information. The open source consent technologies, she explained, have been used for more than 12 years by many state mental health departments to exchange sensitive mental health and substance abuse data on some 4 million people in more than 8 states.”

“…‘Millions of patients/year refuse to seek treatment when they know they cannot control where their data flows,’ she wrote. ‘Any HIE or EHR that cannot selectively share data with the patient’s meaningful consent, withhold data without consent, AND withhold erroneous data is a failed system or technology. The refusal of certain health IT companies to build technologies that comply with the law and what patients expect shows very poor judgment.’”

If you wish to view the full article by Arline Kaplan and are a subscriber of Psychiatric Times, it can be found at Electronic Health Records and Patient Privacy- An Oxymoron?

Only 26 Percent of Americans Want Electronic Medical Records, Says Xerox Survey

Xerox kindly shared all three years of their annual Electronic Health Records (EHR) online surveys by Harris Interactive. The media, industry and government unrelentingly promote health technology as the latest, greatest best stuff. But the public ain’t buying it. They want smart phones, but they don’t want EHRs.

Clearly the public is not very excited about EHRs; 74% don’t want them. They don’t want them because they understand the problems with EHRs so well.

To view the article, please visit Only 26 Percent of Americans Want Electronic Medical Records, Says Xerox survey

Not only do the surveys show a low percentage of Americans want electronic health records—but it’s remained low; this year at only 26%. Overall 85% of the public has “concerns” about EHRs this year. The surveys also asked about specific ‘concerns’. They found the public is concerned that health data security is poor, data can be lost or corrupted, records can be misused, and that outages or ‘computer problems’ can take records offline and compromise care. See results below:

To the question do you want your medical records to be digital:

  • 26% said ‘yes’ in 2010
  • 28% said ‘yes’ in 2011
  • 26% said ‘yes’ in 2012

To the question do you have concerns about digital records:

  • 82% said ‘yes’ in 2010
  • 83% said ‘yes’ in 2011
  • 85% said ‘yes’ in 2012

To the question could your information be hacked:

  • 64% said ‘yes’ in 2010
  • 65% said ‘yes’ in 2011
  • 63% said ‘yes’ in 2012

To the question could your digital medical records be lost or corrupted:

  • 55% said ‘yes’ in 2010
  • 54% said ‘yes’ in 2011
  • 50% said ‘yes’ in 2012

To the question could your personal information be misused:

  • 57% said ‘yes’ in 2010
  • 52% said ‘yes’ in 2011
  • 51% said ‘yes’ in 2012

To the question could a power outage or computer problem prevent doctors from accessing my information:

  • 52% said ‘yes’ in 2010
  • 52% said ‘yes’ in 2011
  • 50% said ‘yes’ in 2012

Information Technology’s Failure to Disrupt Healthcare

Nicolas Terry wrote a very interesting and informative paper about the effects IT has had on healthcare today. It is available for download in its full text version here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2118653. Below is his abstract.

Abstract: Information Technology (IT) surrounds us every day. IT products and services from smart phones and search engines to online banking and stock trading have been transformative. However, IT has made only modest and less than disruptive inroads into healthcare. This article explores the economic and technological relationships between healthcare and healthcare information technologies (HIT), asks (leveraging the work of Clayton Christensen) whether current conceptions of HIT are disruptive or merely sustaining, and canvasses various explanations for HIT’s failure to disrupt healthcare. The conclusion is that contemporary HIT is only a sustaining rather than disruptive technology. Notwithstanding that we live in a world of disruption, healthcare is more akin to the stubborn television domain, where similarly complex relationships and market concentrations have impeded the forces of disruption. There are three potential exceptions to this pessimistic conclusion. First, because advanced HIT is not a good fit for episodic healthcare delivery, we may be experiencing a holding pattern while healthcare rights itself with the introduction of process-centric care models. Second, the 2010 PCAST report was correct, the healthcare data model is broken. If Stage 3 of the MU subsidy program or some other initiative can funda

Abercrombie signs Hawaii patient privacy protection law

To view the full article in Bizjournals.com by Vanessa Van Voorhis, please visit Abercrombie signs Hawaii patient privacy protection law.

The people of Hawaii just lost their rights to health privacy. The Hawaiian legislature replaced all its far stronger health privacy laws with HIPAA.

Like most of the public, Hawaiian lawmakers believe HIPAA protects privacy, but it doesn’t. It hasn’t for 10 years. The key privacy protection in HIPAA was eliminated in 2002. The media has never reported this.

  • President Bush put HIPAA in place when he took office. At first, HIPAA required that others had to ask for consent before using or disclosing our health information for treatment, payment, or healthcare operations.

  • “The consent provisions…are replaced with a new provision…that provides regulatory permission for covered entities to use and disclose protected health information for treatment, payment, and healthcare operations.”  67 Fed. Reg. 53,183

That means millions of people who work at hospitals, doctors’ offices, labs, health plans, data clearinghouses, government agencies, pharmacies and other places that hold health records (“covered entities”) decide when to use and disclose them, not us.

This new law is a privacy disaster for Hawaiians. They will suffer:

  • loss of the privacy of sensitive information about their minds, bodies, and genes
  • generations of discrimination
  • embarrassment and loss of reputation
  • job, credit, and insurance discrimination
  • ID theft
  • medical ID theft (where others use their health insurance to pay for treatment or for insurance fraud)

Patient Safety and Health Information Technology: Learning from Our Mistakes

MUST READ article by Ross Koppel about why and how government and industry denial of serious design flaws in electronic health systems endangers patients’ lives and safety. He uses detailed examples, citations, and the historical record to support his case. Flawed technology causes serious patient safety issues in the same way flawed technology prevents patient control over who can see, use, or sell sensitive health information.

Yet technology could vastly improve patient safety and put patients back in control over the use of their health data. Why is poor technology design entrenched and systemic? Koppel states, “The essential question is: why has the promise of health IT—now 40 years old—not been achieved despite the hundreds of billions of dollars the US government and providers have spent on it?”

He makes the case that key problems arise from industry domination over the public interest. “Marketing overdrive” has caused:
· Denial and magical thinking: we see the “systematic refusal to acknowledge health IT’s problems, and, most important, to learn from them”

· Prevention of “meaningful regulations since 1997”: “This belief that health IT, by itself, improves care and reduces costs has not only diminished government responsibility to set data format standards, it has also caused us to set aside concerns of usability, interoperability, patient safety, and data integrity (keeping data accountable and reliable).”

· Destructive “lock-in” to flawed technology systems: A full software package from a top firm for a large hospital costs over $180 million, and can cost five times that figure for implementation, training, configuration, cross-covering of staff, and so on.(11,12) Because illness, accidents, and pregnancies cannot be scheduled around health IT training and implementation needs, the hospital must continue to operate while its core information systems are developed and installed. This investment of time and money means the hospital is committed for a decade or more. It also reduces incentives for health IT vendors to be responsive to the needs of current customers.(13,14)

We have been to this rodeo before. Koppel points out these same phenomena occur over and over in many other industries:
“we had dozens of railroad gauges, hundreds of time zones, and even areas with both left- and right-hand driving rules. In all cases, the federal government established standards, and the people, the economy, and especially the resistant industries flourished. Industry claims that such standards would restrict innovation were turned on their heads.”

The health technology industry has failed to reform itself for 40 years. Effective federal laws and regulation are the only path to ensuring innovation and interoperability, to make health IT systems safe for patients and useful to doctors, and to restore individual control over who sees the most sensitive personal information on Earth.

See the full article at Web M&M: Patient Safety and Health Information Technology: Learning from Our Mistakes