Harvard’s Data Privacy Lab Launching HRB

We are proud that a member of the Patient Privacy Rights Board of Directors, Latanya Sweeney, PhD, is leading this major project that puts patients in control of the collection and use of sensitive personal health information in a very secure ‘health bank’. No information can be disclosed without the patient’s informed consent.

Link to Harvard’s Data Privacy Lab
Link to Article in Healthcare IT News

Health banks can enable the exchange of health information for treatment and other uses WHEN patients say so, instead of the way today’s electronic systems operate: millions of employees of “covered entities” like hospitals and hospital chains, clinics, doctor’s offices, health plans, and health clearinghouses decide when to use, sell, or disclose patients’ health information for a myriad of reasons without obtaining informed patient consent or giving advance notice.

Today, Americans have no idea which parts of their sensitive personal health data are being disclosed to whom or for what purposes. Moving to a health banking system would put patients back in charge of records, not corporate and government users, or researchers.

PPR is working with Professor Sweeney and her lab on a complementary project to map where health data flows. Patients cannot weigh the risks of using electronic health systems without knowing where their data goes and who is using it. Professor Sweeney will unveil the PPR/Harvard Data Privacy Lab Health Data Map on June 6th in DC at the 2nd International Summit on the Future of Health Privacy. Registration to attend or watch via live-streamed video is free.

Harvard’s Data Privacy Lab launching health record bank

Read the full article at: http://www.nhinwatch.com/perspective/harvard’s-data-privacy-lab-launching-health-record-bank

Some key points from the story:

“In a major new development in the world of health IT, the Data Privacy Lab in the Institute of Quantitative Social Science at Harvard University will soon unveil a health record bank (HRB) that allows anyone to own and manage a complete, secure, digital copy of their health records and wellness information with a free account. This is the first time that a prominent academic institution is hosting an HRB for use by the general public and communities nationwide.”

“This launch is important for health IT because an HRB can provide and sustain all the capabilities of a fully functional health information infrastructure (HII):
1. It allows access to comprehensive individual electronic patient records, aggregation of population information for public health and medical research, and record searching to facilitate patient-specific notifications;
2. Privacy is protected since each patient determines who can access which portions of their own health records;
3. Collecting patient information is assured – since patients request their records, all providers must supply them (under HIPAA and for Stage 2 Meaningful Use);
4. It is inexpensive to operate since it obviates the need for the complex and costly real-time record locator services necessary when each patient’s records from all sources are not centrally stored;
5. Patient consent enables innovative applications linked to HRB accounts, providing compelling value to consumers and other stakeholders (e.g., reminders and alerts), thereby ensuring more than enough revenue for financial sustainability. HRBs could even fund permanent, ongoing EHR incentives to office-based providers to help further promote widespread adoption and standards compliance. The HRB at Harvard therefore represents a feasible and readily achievable HII paradigm that can be utilized by individuals and communities nationwide.”

Patient ID information stolen at Memorial hospitals

See full story in the SunSentinel: Patient ID information stolen at Memorial hospitals

“Patients of Memorial hospitals in south Broward County had their identities stolen by employees who wanted to use the information to make money filing phony tax returns, Memorial officials said Thursday.

Two employees have been fired and are under criminal investigation by federal agents for improperly gaining access to the patients’ information, said Kerting Baldwin, a spokeswoman for tax-assisted Memorial Healthcare System, parent of five Memorial hospitals.

Memorial sent letters Thursday to about 9,500 patients whose identities may have been exposed by the two employees. Baldwin could not say how many of the 9,500 identities were stolen or whether any of them were misused to file false tax returns.”

Re: Utah’s Medical Privacy Breach – Nearing 1 Million!

The Utah Dept of Health didn’t protect close to one million patients’ sensitive health data. Utah handles health information the way 80% of the US healthcare sector does: very poorly. Weak passwords and unencrypted health information are typical. Just last November, an SAIC/Tricare data breach of 4.9 million unencrypted records was reported.

The US healthcare industry has ignored federal law requiring encryption since 2005. Encryption is well-known to be the standard for protecting health data. But why do it if there is no enforcement and the cost of a fine or settlement is so low?

Instead of expanding electronic health records systems and exchanging millions more sensitive health records, the federal government should enforce the law and require the massive security flaws in existing health data systems be fixed. And whenever there are breaches, victims should have the technology tools to verify whether future claims are genuine to prevent medical ID theft and someone else’s record from receive credit monitoring for at least 3 years.

Learn more about the lack of health data privacy and security. Register to attend or watch the 2nd International Summit on the Future of Health Privacy, “Is there an American Health Privacy Crisis” on live streaming video at: http://www.healthprivacysummit.org

Health privacy issues can be resolved without obstructing care

See the full article at FierceHealthIT.com

“At times, it seems like concerns about the security and privacy of healthcare data have catapulted into overdrive: For instance, it recently was predicted that healthcare spending on security would hit $70 billion a year by 2015–enough to cover the majority of the uninsured. Sure, there are plenty of security breaches–some of them serious enough to attract public attention. But as a few recent cases show, universal encryption of data (some forms of which may soon be required under the latest HIPAA rules) could eliminate the biggest source of security breaches. Also, with the advent of virtual desktop infrastructure, there’s no reason to store any personal health information on end-user devices…

…Another challenge in the security arena is giving consumers the ability to control who sees their records. While most physicians now have their patients sign HIPAA forms so that they can share data with other providers, the advent of electronic health information exchange (HIE) has greatly increased access to a wide range of individually identifiable data from a variety of sources. And patients may not want everyone who treats them to know, for example, that they have seen a psychiatrist.

A study recently published in Health Affairs documents the extent to which five California healthcare organizations follow principles for protection of patient information that were developed by consumer groups and other stakeholders. Although the healthcare providers took privacy and security seriously, the report said, “none of the organizations did much to educate consumers about the data available about them or to enable them to control their data.””

Re: Genetic Bar Code Search – Finding People in Huge Gene Pools

In response to the PopSci.com article: Genetic Bar Code Search Can Use RNA to Pick Out Individuals From Huge Gene Pool

Quote from the principal investigator of the Mount Sinai study: “Rather than developing ways to further protect an individual’s privacy given the ability to collect mountains of information on him or her, we would be better served by a society that accepts the fact that new types of high-dimensional data reflect deeply on who we are,” he said. “We need to accept the reality that it is difficult—if not impossible—to shield personal information from others. It is akin to trying to protect privacy regarding appearances, for example, in a public place.”

Genetic privacy may be difficult to achieve, but it remains essential for people to trust physicians, researchers, health IT, and the government.

The public will not accept the idea that genetic information “is in the public domain” anytime soon. We never agreed to have our genetic information made public, and have fought for years to preserve genetic privacy at the state and federal levels. Those who built systems to take blood and tissue and do research without consent could have easily anticipated massive public concerns about such unethical research practices–and not built systems that violate Americans’ expectations and strong rights to health privacy.

Clearly it’s time for Congress to pass a federal law restoring personal ownership and control over blood and tissue that leaves our bodies, and restore the right of informed consent before any research can be done using our blood, tissue, or health information.

Health privacy issues can be resolved without obstructing care

See full article in FierceHealthIT: Health privacy issues can be resolved without obstructing care

Ken Terry writes about the big issues with patient privacy today and possible solutions.


Featured Participants in 2012 DC Health Privacy Summit Announced

March 21, 2012

FOR IMMEDIATE RELEASE

Contact:
Deborah C. Peel, MD
media@healthprivacysummit.org
(512)732-0033

Featured Participants for 2012 Health Privacy
Summit at Georgetown University Announced
Rep. Joe Barton, R-Texas, to Receive Honor;
Farzad Mostashari, MD, ScM, to Deliver Opening Keynote;
Ross Anderson, PhD, FRS, Delivers Evening Keynote

Austin, TX – March 20, 2012 – Organizers today announced a noted honoree and two outstanding keynote speakers to be featured at the Second International Summit on the Future of Health Privacy, planned for June 6th-7th, 2012, at the Georgetown University Law Center in Washington, D.C.

U.S. Congressman Joe Barton will be honored as a “Privacy Hero” during the 2012 Summit’s “Celebration of Privacy” on the evening of June 6. The award recognizes Rep. Barton’s critical role as a top Congressional privacy advocate beginning with co-founding the Congressional Bipartisan Privacy Caucus with Rep. Edward Markey in 2000. His leadership ensured House support for the historic new consumer privacy and security protections in the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The opening keynote will be presented by Farzad Mostashari, MD, ScM, the National Coordinator for Health Information Technology at the U.S. Department of Health and Human Services. In addition, Ross Anderson, PhD, FRS, of the University of Cambridge, U.K., will deliver the evening keynote speech.

The 2012 Summit is hosted by Patient Privacy Rights and Georgetown University’s O’Neill Institute on Global and Health Law to provide an international venue for serious discussion by experts and thought leaders on timely privacy issues. Participants will consider how patients’ privacy and civil rights are impacted by current law and regulations, health technologies and architectures (including mHealth and ‘clouds’), data exchange, secondary uses of health data, and social media platforms. The theme addressed at this year’s Summit will be: Is There an American Health Privacy Crisis?

Summit sessions will also explore health privacy through the lens of U.S. and international policies about health information privacy, such as the recent Consumer Bill of Privacy Rights and the EU Draft Regulation on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.

More About U.S. Representative Joe Barton, R-Texas
Rep. Joe Barton, a 28-year veteran member of the U.S. Congress and Chairman Emeritus of the U.S. House of Representatives’ Energy and Commerce Committee, will receive a “Privacy Hero” award at the 2012 Summit.

The award recognizes Rep. Barton’s critical role as a top Congressional privacy advocate beginning with co-founding the Congressional Bipartisan Privacy Caucus with Rep. Edward Markey in 2000. His award is for his leadership in 2009, which ensured House support for the historic new consumer privacy and security protections in the Health Information Technology for Economic and Clinical Health (HITECH) Act.

More About Farzad Mostashari, MD, ScM
As National Coordinator for Health Information Technology at the U.S. Department of Health and Human Services, Farzad Mostashari, MD, ScM, is charged with promoting the development of a secure and interoperable nationwide health information technology infrastructure.

Dr. Mostashari’s position was mandated through the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and is focused on improving healthcare and clinical research, reducing its cost, and protecting patient health information. Previously, Dr. Mostashari held leadership positions at the New York City Department of Health, including establishing their Bureau of Epidemiology Services, and helped pioneer real-time electronic disease surveillance systems.

More About Ross Anderson PhD, FRS
Ross Anderson PhD, FRS, is a professor of security engineering at the University of Cambridge Computer Laboratory in the United Kingdom. Dr. Anderson is a researcher, writer, industry consultant, and expert in “building systems to remain dependable in the face of malice, error or mischance.”

More About the 2012 Summit Partners
Organizations partnering with Patient Privacy Rights to present the 2012 Health Privacy Summit include:

Registration for the 2012 Summit is free, but space is limited. Register now at http://www.healthprivacysummit.org. Last year’s First International Summit on the Future of Health Privacy successfully established a global public forum on the future of health privacy. Panel members included health privacy experts from academia, industry, technology, consumer advocacy, top government officials, and international experts. Learn more about the 2011 Summit here. Videos are available.

###

O’Neill Institute for National and Global Health Law
The O’Neill Institute for National and Global Health Law at Georgetown University was established in 2007 to respond to the need for innovative solutions to the most pressing national and international health concerns. For more information, visit http://www.law.georgetown.edu/oneillinstitute/about/index.html.

Patient Privacy Rights
Patient Privacy Rights is the nation’s leading bipartisan health privacy organization and leading consumer voice for building ethical, trustworthy healthcare IT systems. For more information, visit http://patientprivacyrights.org.

PPR Founder Interviewed – America in the Balance

03/14/2012: U.S. citizens are concerned about “ObamaCare”-style health care reform and the escalating loss of personal health information and privacy rights. Today’s guest is Dr. Deborah C. Peel, founder of Patient Privacy Rights. PPR was started in 2004 to speak and advocate for the patient’s right to health privacy. Peel has been chosen as one of Modern Healthcare’s “100 Most Influential in Healthcare” 4 times in the last 5 years, and is the leading voice for patient control over the use of sensitive health information. Join us as we discuss HIPAA, mHealth, and the upcoming 2nd Annual International Summit on the Future of Health Privacy to be held in June 2012 in D.C.

You can listen to the article by following this link and scrolling down to the 3/14/12 show.

Re: BCBS Breach in Tennessee

The Office of Civil Rights in the Dept of Health and Human Services (OCR) slapped the wrist of BCBS of Tennessee.

One million people’s protected health information was breached because Blue Cross Blue Shield (BCBS) of Tennessee violated data security laws. The settlement cost BCBS a little more than $1.00 per person—hardly a deterrent to other corporations or adequate punishment. However, that amount happens to be the same as the highest possible fine permitted by law (HITECH).

Still, it appears that criminal charges could have been filed for “willful disregard” rather than OCR accepting a settlement. OCR’s finding that legally-required “adequate administrative and physical safeguards” were lacking is evidence of “willful neglect”.

Worst of all, the one million victims received NO protection against future ID theft or medical ID theft. OCR could have also required BCBS to mitigate future patient harms, but didn’t. New technologies can protect against medical ID theft by enabling patients to review all new claims, so they can detect and prevent fraudulent claims and erroneous data from being entered into their records.

Why didn’t OCR propose that BCBS adopt remedies to protect the patients whose records were breached from further misuse and theft? Shouldn’t OCR help protect victims?