Report: HIEs failing at true interoperability

See a summary of the report by Mike Miliard at GovHealthIT: HIEs failing at true interoperability

· Healthcare organizations “must unlock the patient data in EHR silos of hospitals and affiliates to better coordinate and improve quality of care delivered. Health Information Exchange technology is the enabler.”

· Until EHR vendors incorporate a shared set of standards, HIEs will remain in a state of stunted development, said Moore: “Across the board, legacy systems fail to support true interoperability, and vendors are doing little to remedy this situation.”

· The report will also look to the future as to how this [Health Information Exchange or HIE] market will grow and evolve over the next several years as meaningful use requirements take hold, healthcare reform brings forth changes in reimbursement models, access to health data moves to mobile platforms and the consumer takes on a larger role.”
The quotes above show that the health technology industry and the government are beginning to face key facts:

· Data silos endanger patient health and safety: obviously we need our doctors to see relevant parts of our medical records held by other doctors/hospitals.

Electronic Health Records companies, hospitals, and the many other corporations that hold our electronic health information want to continue to “own”, control, and sell our personal health data. They built this system of “silos” that PREVENT data exchange (also called “interoperability”). Corporations’ fiduciary duties to make profits for shareholders trump exchanging health information to save patients’ lives and reduce costs!

· Consumers = patients. If we say so, our health records must be shared with our physicians or other health professionals. This is a matter of law.

No matter which corporations or health professionals hold our electronic health data, we are entitled to electronic copies. If you say your health data should be sent to another physician or health professional, the data holder must send it. ONLY individual patients or “consumers” have clear rights to control personal health information and have it sent to the other physicians and health professionals who are treating them.

· HIEs, data exchanges where patients have no meaningful control over who can copy and use their health information, are not the answer.

How “Direct” exchange works (via the “Direct Project”): a participant (like our physicians) can send secure, encrypted health information directly to a known, trusted recipient over the Internet. Unlike the case with HIEs, personal health information can’t be “pulled” from the 10, 20, or 100 places that hold our health records. Using the “Direct” method, someone has to decide to send one patient’s data to another person.

We ["consumers"] are the ONLY ones who can quickly, easily, and legally get and “exchange” our own health records at will. The Hippocratic Oath, the foundation of the physician-patient relationship, states that sensitive health information should ONLY be shared with the patient’s consent. Data exchanges like the Direct Project

The only way electronic health systems can work and earn the public’s trust is if data flows are controlled by patients, with very rare legal exceptions.

Proposed Rules Prevent Patient Control Over Sensitive Information in Electronic Health Records (EHRs)

The proposed federal rules will require physicians and hospitals to use Electronic Health Records (EHRs) that prevent patient control over who can see and use sensitive personal health information.

This is the second time the federal government has proposed the use of technology that violates Americans’ strong rights to control the use and sale of their most sensitive personal information, from DNA to prescription records to diagnoses.

The proposed rules require EHRs to be able to show “meaningful use” (MU) and exchange of personal health data. PPR and other consumer and privacy advocacy groups submitted similar comments for the Stage 1 MU rules. These newly proposed rules are known as “Stage 2 MU” requirements for EHRs.

The most important function patients expect from electronic health systems is the power to control who can see and use their most sensitive personal information. Technologies that empower patients to decide who can see and use selected parts of their records have been working for over 10 years for 4 million people with mental illness or addiction diagnoses in 8 states. Today we do not have any way to know where our data flows, or who is using and selling it.

Even if we had a ‘chain of custody’ to prove who saw, used, or sold our personal health data—which we do not—it is still essential to restore patient control over personal health data so we can trust electronic health systems.

Technologies that require patient consent before data flows are cheap, effective, and should be required in all EHRs.

See Patient Privacy Rights’ formal comments on the Stage 2 MU proposed requirements submitted to the Centers for Medicare and Medicaid and the Office of the National Coordinator for Health IT at: http://patientprivacyrights.org/wp-content/uploads/2012/05/PPR-Comments-for-Stage-2MU-5-7-12.pdf

The Depressing State of HIEs

See the full article at Hospital EMR and EHR: The Depressing State of HIEs

Yes, the state of Health Information Exchanges (HIEs) in the US is depressing, because many don’t work well for patients or doctors. They enable hundreds or thousands of strangers who work for hospitals, insurers, health IT companies, etc., to exchange, use, or sell our sensitive medical records without our consent.

The safe way to exchange health information is to use secure email and patient consent; this is called the “Direct Project”. See: http://directproject.org/. It enables us to share our health information between two health professionals and email physicians. The Direct Project enables “participants to send authenticated, encrypted health information directly to known, trusted recipients over the Internet.”

Patient Privacy Rights (PPR) endorses the “Direct Project” as the ONLY legal, ethical, and secure way for sensitive patient information to be exchanged.  The public will not trust HIEs or national data exchange models unless patients control the disclosures of their sensitive health records.

A quote from the story below shows financial interests of Accountable Care Organizations (ACOs) can trump patients’ interests: “Some ACO providers are now blocking access to their data so competitors can’t get to it”. That means doctors who are not part of the ACO but who treat ACO patients can’t see their test results and treatment records, even when these patients want them to have that information.

Some ACOs and other businesses view HIEs as vehicles to get more patient data, rather than as a means to serve patients’ needs for care coordination, to avoid duplicate tests, to ensure better treatment, or enable them to give consent for research use of their data.

Many corporations and businesses that HOLD patient data imagine they own it, so they use and sell it without patient consent. US law and medical ethics still require meaningful, informed patient consent before physicians or data holders can disclose anyone’s health information. “HIPAA compliance” actually does NOT get data holders off the hook for asking patients for consent before disclosing data. According to the HIPAA Privacy Rule, it’s “the floor” for data privacy protection, not the ceiling. 67 Fed. Reg. at 53,212 (August 14, 2002).  HIEs designed to further business interests over patients’ interests will continue to fail, because the public will not support them.

It turns out that the only person who can easily, cheaply, and legally make patient data flow for all the right reasons (treatment, research), to all the right people (a specific doctor or researcher) at the right time is YOU.

Only you can tell an ACO to send your data to an outside clinician, and the ACO must send it, whether it gives competitors an advantage or not. Only you can make your data “fluid”, because patients are the only people with clear, longstanding Constitutional, legal, and ethical rights to disclose personal health information.

In PPR’s recent comments about building a Nationwide Health Information Network (NwHIN), we urged the Office of the National Coordinator for Health IT (ONC) to address the fatal privacy and security flaws in current systems and state and federal data exchanges. We urged ONC to certify that HIEs and data exchanges protect privacy by verifying that only patients decide when/where personal data flows.  “Multi-stakeholder” public-private governance at the state and federal level has failed to gain public trust.  Public-private governance assures that industry, research, and government interests trump the public’s rights to health information privacy. See: http://tiny.cc/e1v0gw for more information.

Texas Error Exposed Over 13 Million Voters’ Social Security Numbers

See the full article in DataBreaches.net: Texas Error Exposed over 13 Million Voters’ SSNs

This story shows it’s easy to disclose the social security numbers of 13 million people at once. The data came from Texas’ voter registration database, which was attached to a court report, BUT security breaches of the personal health information of millions of patients are also very common (see recent Utah and BCBS of TN breaches). Today’s electronic systems enable many new ways to breach data security and expose personal information.

The story below is about a government employee who attached over 13 million SSNs to a report and sent it to a 3rd party without anyone else reviewing his/her actions before the data was disclosed.  Where should the bar be set for disclosing personally identifiable information in any report?  At 1 million records? At 100 million records?

Most of the US health care system lacks effective protocols and procedures to protect data security and to prevent inappropriate data release and data breaches. Health data privacy and security require comprehensive and meaningful protections. We have a long way to go. Vastly expanding health IT systems before these problems are solved is a prescription for more data

Debt Collector Is Faulted for Tough Tactics in Hospitals

See full story in the New York Times: Debt Collector Is Faulted for Tough Tactics in Hospitals

“Hospital patients waiting in an emergency room or convalescing after surgery are being confronted by an unexpected visitor: a debt collector at bedside.

This and other aggressive tactics by one of the nation’s largest collectors of medical debts, Accretive Health, were revealed on Tuesday by the Minnesota attorney general, raising concerns that such practices have become common at hospitals across the country…

To patients, the debt collectors may look indistinguishable from hospital employees, may demand they pay outstanding bills and may discourage them from seeking emergency care at all, even using scripts like those in collection boiler rooms, according to the documents and employees interviewed by The New York Times.

In some cases, the company’s workers had access to health information while persuading patients to pay overdue bills, possibly in violation of federal privacy laws, the documents indicate.”

Health records lost, stolen or revealed online

From the Chicago Tribune Article: Health records lost, stolen or revealed online

“Almost a decade after a new law went into effect to strengthen health privacy protections, the number of breaches of patient records and databases across the U.S. suggests that personal health information is not as private or secure as many consumers might want or expect.

Since fall 2009, more than 400 large health care breaches affecting at least 500 people and more than 50,000 smaller breaches have been reported to the federal government.

One of the largest unauthorized disclosures in recent history of medical records and other private information happened in September, when computer tapes were stolen that contained data on almost 5 million people enrolled in TRICARE, the nation’s health program for military members, their families and retirees.

Some breaches have resulted in personal information being revealed online. The names and diagnosis codes of almost 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., were posted on a commercial website for nearly a year before it was discovered in September and taken down…

Dr. Deborah Peel, founder and chair of Patient Privacy Rights, a consumer group, would like to see more help for those whose information is breached and tougher punishment for those responsible. The BlueCross BlueShield of Tennessee settlement amounted to “roughly a dollar per breach record, which is nothing,” she said.”

Ex-Vernal officer accused of using state database to commit burglary for prescription drugs

See full story in the Salt Lake City Deseret News.

“VERNAL — Two Vernal residents say they intend to sue the state of Utah and the city of Vernal, claiming that a police detective improperly accessed a prescription drug database and used the information he obtained to steal painkillers from them…

That system is the Utah Controlled Substance Database, according to Walker, which was first created in 1995 and then expanded two years ago. It collects and tracks all information on prescription drugs dispensed by pharmacies in Utah. Its use is restricted to doctors, pharmacists and law enforcement officers for the purpose of identifying patients or doctors who might be overusing, over-prescribing or abusing prescription drugs.

Police can access the database by providing an active case number, and they are supposed to have probable cause before accessing an individual’s prescription information.

Former Vernal police detective Ben M. Murray ignored those requirements when he looked up Smithey and Holmes’ information and went to their home several times in 2011, Walker said.

“The officer used that system freely and was able to track these individuals and figure out when they got their prescriptions, how many pills they had,” the attorney said. “He comes in gun, badge, uniform (and) tells them he’s there for a ‘pill count’ and … while they’re talking and distracted, he’s grabbing pills and putting them in his pocket.””

PPR at RSI 2012 Conference in Montreal

Deborah C. Peel, Founder and Chair of PPR, will present at the upcoming RSI 2012 conference in Montreal, discussing the health care system in the United States related to HIT and Data Exchanges.

When: May 3rd, 2012, 1:30pm – 2:20pm
Where: Hyatt Regency Montréal, 1255, rue Jeanne-Mance, Montreal (Québec)

Title: Not even a Fig Leaf for Privacy: American’s Health IT Systems and Data Exchanges

Complexity, legacy architectures divorced from privacy rights, a powerful health data mining industry, government interest in health data, and $27 billion in federal funding have created a health IT environment based on open access to 300 million people’s most sensitive  personal information and the elimination of individual privacy rights. Patient Privacy Rights’ role is to be the voice of the public, to educate decision makers, and to create a movement to build innovative health IT systems worthy of trust.

PPR at ICASM Symposium at Hofstra U.

The Ethical Use of Internet Cloud Based Apps and Social Media (ICASM) in Health Care
Tuesday, April 24, 2012

Deborah C. Peel, MD will be participating on a panel at Hofstra University for their ICASM Symposium

Panel Title: The Ethics of ICASM in Healthcare: Social Policy, Legal Responses, and Medical Strategy
Moderator: Corinne Kyriacou, Ph.D., Hofstra University School of Education, HHS
Panelists:
* Deborah Peel, M.D., Patient Privacy Rights
* Brian Mulligan, North Shore-LIJ Health System
* Michele Mathes, J.D., American College of Physicians
* Scott Gottlieb, M.D., New York University Medical Center

More details are below and on the Symposium Site

“Welcome to Hofstra University and The Ethical Use of Internet Cloud Based Apps and Social Media (ICASM) in Health Care conference. This conference is the first major event of the Hofstra Bioethics Center. The Center, sponsored by the University, the Maurice A. Deane School of Law at Hofstra and the Hofstra North Shore-LIJ School of Medicine, represents an interdisciplinary effort to advance the study of bioethics and to bring the fruits of that study to the worlds of healthcare and biomedical research.

Today we will explore the benefits and the risks of ICASM in healthcare and medical research. Reliance on cloud-based apps by health care professionals, scientists, lawyers, IT personnel, and health educators brings efficiency and promises better healthcare to patients. But this development comes with risks to security and privacy. Similarly, social media gives individual patients and patient groups a means of sharing healthcare information quickly and widely. Social media’s online communities can provide useful information to biomedical researchers, physicians and patients and can foster a productive sharing of information among these players. Yet, social media also comes with ethical risks.

Each of four conference panels will consider the benefits that ICASM offers to healthcare professionals, hospitals, other healthcare facilities, medical researchers and patients, and each of the panels will consider the ethical obligations such modes of instantaneous information sharing should impose on each stakeholder. To encourage wide participation, dialogue and cooperation, conference panels will be plenary, with adequate time provided for panel discussions and for question and answer sessions.”

View more and register at: http://www.hofstra.edu/Community/culctr/culctr_events_ICASM.html

PPR at Atlantic Health Care Forum

Today, April 19th, 2012, Deborah C. Peel, MD will speak on a panel at the Atlantic Healthcare Forum in Washington, DC.  See the agenda here.

View the Forum via a Live Streaming Webcast!

“Join industry experts, policymakers, and business leaders to discuss the latest innovations, trends, and concerns in an industry critical to our lives. The Forum will explore the future of wireless health, the potential of data innovation to improve care, and how to finance health care in the current economy through keynotes, panel discussions, and demonstrations.”

12:30 pm EST
Panel Discussion III. Health Care 2015: Can Big Data Be the Cure-All?
Moderator: Steve Clemons

Panelists:
* Robert Litan, Vice President for Research and Policy, Ewing Marion Kauffman Foundation
* Susan Love, President, The Dr. Susan Love Research Foundation
* Deborah Peel, Founder, Patient Privacy Rights
* John Wilbanks, Founder, Consent to Research

See more at the Atlantic Healthcare Forum Site

Registration is officially closed, however you can view the full day via live streaming webcast.