Guest Article: The Causes of Digital Patient Privacy Loss in EHRs and Other Health IT Systems

Check out the latest from Shahid Shah, courtesy of The Healthcare IT Guy.

This past Friday I was invited by the Patient Privacy Rights (PPR) Foundation to lead a discussion about privacy and EHRs. The discussion, entitled “Fact vs. Fiction: Best Privacy Practices for EHRs in the Cloud,” addressed patient privacy concerns and potential solutions for doctors working with EHRs.

While we are all somewhat disturbed by the slow erosion of privacy in all aspects of our digital lives, the rather rapid loss of patient privacy around health data is especially unnerving because healthcare is so near and dear to us all. In order to make sure we provided some actionable intelligence during the PPR discussion, I started the talk off giving some of the reasons why we’re losing patient privacy in the hopes that it might foster innovators to think about ways of slowing down inevitable losses.

Here are some of the causes I mentioned on Friday, not in any particular order:

  • Most patients, even technically astute ones, don’t really understand the concept of digital privacy. Digital is a “cyber world” and not easy to picture so patients believe their data and privacy is protected when it may not be. I usually explain patient privacy in the digital world to non-techies using the analogy of curtains, doors, and windows. The digital health IT world of today is like walking into a patient’s room in a hospital in which it’s a large shared space with no curtains, no walls, no doors, etc. (even for bathrooms or showers!). In this imaginary world, every private conversation occurs so that others can hear it, all procedures are performed in front of others, etc. without the patient’s consent and their objections don’t even matter. If they can imagine that scenario, then patients will probably have a good idea about how digital privacy is conducted today — a big shared room where everyone sees and hears everything even over patients’ objections.
  • It’s faster and easier to create non-privacy-aware IT solutions than privacy-aware ones. Having built dozens of HIPAA-compliant and highly secure enterprise health IT systems for decades, my anecdotal experience is that when it comes to features and functions vs. privacy, features win. Product designers, architects, and engineers talk the talk but given the difficulties of creating viable systems in a coordinated, integrated digital ecosystem it’s really hard to walk the privacy walk. Because digital privacy is so hard to describe even in simple single enterprise systems, the difficulty of describing and defining it across multiple integrated systems is often the reason for poor privacy features in modern systems.
  • It’s less expensive to create non-privacy-aware IT solutions. Because designing privacy into the software from the beginning is hard and requires expensive security resources to do so, we often see developers wait until the end of the process to consider privacy. Privacy can no more be added on top of an existing system than security can — either it’s built into the functionality or it’s just going to be missing. Because it’s cheaper to leave it out, it’s often left out.
  • The government is incentivizing and certifying functionality over privacy and security. All the meaningful use certification and testing steps are focused too much on prescribed functionality and not enough on data-centric privacy capabilities such as notifications, disclosure tracking, and compartmentalization. If privacy were important in EHRs then the NIST test plans would cover that. Privacy is difficult to define and even more difficult to implement so the testing process doesn’t focus on it at this time.
  • Business models that favor privacy loss tend to be more profitable. Data aggregation and homogenization, resale, secondary use, and related business models tend to be quite profitable. The only way they will remain profitable is to have easy and unfettered (low friction) ways of sharing and aggregating data. Because enhanced privacy through opt-in processes, disclosures, and notifications would end up reducing data sharing and potentially reducing revenues and profit, we see that privacy loss is going to happen with the inevitable rise of EHRs.
  • Patients don’t really demand privacy from their providers or IT solutions in the same way they demand other things. We like to think that all patients demand digital privacy for their data. However, it’s rare for patients to choose physicians, health systems, or other care providers based on their privacy views. Even when privacy violations are found and punished, it’s uncommon for patients to switch to other providers.
  • Regulations like HIPAA have made it easy for privacy loss to occur. HIPAA has probably done more to harm privacy over the past decade than any other government regulation. More on this in a later post.

The only way to improve privacy across the digital spectrum is to realize that health providers need to conduct business in a tricky intermediary-driven health system with sometimes conflicting business goals like reduction of medical errors or lower cost (which can only come with more data sharing, not less). Digital patient privacy is important but there are many valid reasons why privacy is either hard or impossible to achieve in today’s environment. Unless we intelligently and honestly understand why we lose patient privacy we can’t really create novel and unique solutions to help curb the loss.

What do you think? What other causes of digital patient privacy loss would you add to my list above?

Courtesy of The Healthcare IT Guy.

The Biggest Data Myths of 2013

The biggest myth about “Big Data” users of the entire nation’s health information is that personal health data was acquired legally and ethically.

Just ask anyone you know if they ever agreed to the hidden use and sale of sensitive personal information about their minds and bodies by corporations or “research” businesses for analytics, sales, research or any other use. The answer is “no.”

Americans have very strong individual rights to health information privacy, i.e., to control the use of their most sensitive personal information. If US citizens have any “right to privacy,” that right has always applied to sensitive personal health information. This was very clear for our paper medical records and is embodied in the Hippocratic Oath as the requirement to obtain informed consent before disclosing patient information (with rare exceptions).

The IPO filing by IMS Health Holdings at the SEC exposed the vast number of hidden health data sellers and buyers. Buying, aggregating, and selling the nation’s health data is an “unfair and deceptive” trade practice. (Read more of Dr. Peel’s comments on the IMS filing here.)

Does the public know or expect that IMS (and the hundreds of thousands of other hidden health data mining companies) buys and aggregates sensitive “prescription and promotional” records, “electronic medical records,” “claims data,” and “social media” to create “comprehensive,” “longitudinal” health records on “400 million” patients? Or that IMS buys “proprietary data sourced from over 100,000 data suppliers covering over 780,000 data feeds globally”? Again, the answer is “no.”

Given the massive hidden theft, sale, and misuse of the nation’s health information how can any physician, hospital, or health data holder represent that our personal health data is private, secure, or confidential?

deb

IMS Health Files for IPO – Is It Legal?

On January 2nd, IMS Health Holdings announced it will sell stock on the New York Stock Exchange. IMS joins other major NYSE-listed corporations that derive significant revenue from selling sensitive personal health data, including General Electric, IBM, United Health Group, CVS Caremark, Medco Health Solutions, Express Scripts, and Quest Diagnostics.

  • IMS buys and aggregates sensitive “prescription and promotional” records, “electronic medical records,” “claims data,” “social media” and more to create “comprehensive,” “longitudinal” health records on “400 million” patients.
  • All purchases and subsequent sales of personal health records are hidden from patients.  Patients are not asked for informed consent or given meaningful notice.
  • IMS Health Holdings sells health data to “5,000 clients,” including the US Government.
  • Despite claims that the data sold is “anonymous”, computer science has long established that re-identification is easy.
  • See brief 3-page paper by Narayanan and Shmatikov at: http://www.cs.utexas.edu/~shmat/shmat_cacm10.pdf
  • See Prof. Sweeney’s paper on re-identifying patient data sold by states like WA at: http://thedatamap.org/risks.html
  • “Our solutions, which are designed to provide our clients access to our deep healthcare-specific subject matter expertise, take various forms, including information, tailored analytics, subscription software and expert services.” (from IMS Health Holdings’ SEC filing)

Quotes from IMS Health Holdings’ SEC filing:

“We have one of the largest and most comprehensive collections of healthcare information in the world, spanning sales, prescription and promotional data, medical claims, electronic medical records and social media. Our scaled and growing data set, containing over 10 petabytes of unique data, includes over 85% of the world’s prescriptions by sales revenue and approximately 400 million comprehensive, longitudinal, anonymous patient records.”

IMS buys “proprietary data sourced from over 100,000 data suppliers covering over 780,000 data feeds globally.”

How can this business model be legal? How can companies decide that US citizens’ personal health data is “proprietary data,” a corporate asset, and sell it? If personal health data ‘belongs’ to anyone, surely it belongs to the individual, not to any corporation that handles, stores, or transmits that information.

Americans’ strongest rights to control personal information are our rights to control personal health information. We have constitutional rights to health information privacy which are not trumped by the 2001 elimination of the right of consent from HIPAA (see: http://patientprivacyrights.org/truth-hipaa/ ). HIPAA is the “floor” for privacy rights, not the ceiling. Strong state and federal laws, and medical ethics require consent before patient data is used or disclosed. 10 state constitutions grant residents a right to privacy, and other states’ constitutions have been interpreted as giving residents a right to privacy (like TX).

Surely the FTC would regard the statement filed with the SEC as evidence of unfair and deceptive trade practices. US patients’ health data is being unfairly and deceptively bought and sold. Can the SEC deny IMS Health the opportunity to offer an IPO, since its business model is predicated on hidden purchase and sale of Americans’ personal health data?

If we can’t control the use and sale of our most sensitive personal information, data about our minds and bodies, isn’t our right to privacy worthless?

deb

To view the full article published in Modern Healthcare visit: IMS Health Files for IPO
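The re-identification point made in the post above (the linkage attack described by Sweeney and by Narayanan and Shmatikov) is easy to show concretely. The following Python is an added example written for this page; it is not code from PPR, IMS or the cited papers. Both tables are constructed: an “anonymous” health release that keeps ZIP code, date of birth and sex, and a public name-bearing table (a voter list is the usual source) with the same three columns. The choice of those three quasi-identifiers follows Sweeney’s well-known result; joining on them recovers a name for every row that is unique on them, and the k-anonymity of the release tells you in advance how many rows that will be.

```python
"""
Linkage (re-identification) attack on a "de-identified" health data set.

Constructed example: a released table strips names but keeps ZIP code,
date of birth and sex. A second, public table (voter-roll style) carries
names for the same quasi-identifiers. Joining on the quasi-identifiers
re-identifies every record that is unique on them.
"""
from collections import Counter, defaultdict

QUASI_IDS = ("zip", "dob", "sex")

# Constructed "anonymous" release: no names, but quasi-identifiers intact.
HEALTH_RELEASE = [
    {"zip": "78701", "dob": "1965-03-12", "sex": "F", "diagnosis": "depression"},
    {"zip": "78701", "dob": "1971-09-30", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "78704", "dob": "1980-01-05", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "78704", "dob": "1980-01-05", "sex": "M", "diagnosis": "asthma"},  # shares QIDs with the row above
    {"zip": "78745", "dob": "1955-07-22", "sex": "F", "diagnosis": "HIV"},
]

# Constructed public record (e.g. a voter list): names plus the same quasi-identifiers.
PUBLIC_RECORD = [
    {"name": "Alice Example", "zip": "78701", "dob": "1965-03-12", "sex": "F"},
    {"name": "Bob Sample",    "zip": "78701", "dob": "1971-09-30", "sex": "M"},
    {"name": "Carl Doe",      "zip": "78704", "dob": "1980-01-05", "sex": "M"},
    {"name": "Dan Roe",       "zip": "78704", "dob": "1980-01-05", "sex": "M"},
    {"name": "Eve Test",      "zip": "78745", "dob": "1955-07-22", "sex": "F"},
    {"name": "Frank Other",   "zip": "78745", "dob": "1990-11-11", "sex": "M"},
]


def qid_key(row):
    """The tuple of quasi-identifier values the join is performed on."""
    return tuple(row[k] for k in QUASI_IDS)


def k_anonymity(rows):
    """Smallest equivalence-class size over the quasi-identifiers.
    k == 1 means at least one record is unique and therefore linkable."""
    counts = Counter(qid_key(r) for r in rows)
    return min(counts.values())


def link(release, public):
    """Join the two tables on the quasi-identifiers.
    Returns {release-row-index: [candidate names]}. One candidate is a
    confident re-identification; several still narrow the person to that set."""
    index = defaultdict(list)
    for p in public:
        index[qid_key(p)].append(p["name"])
    return {i: index.get(qid_key(r), []) for i, r in enumerate(release)}


def reidentified(release, public):
    """Release rows that link to exactly one named person."""
    return {i: names[0] for i, names in link(release, public).items() if len(names) == 1}


def generalize(rows):
    """Cheap mitigation: coarsen DOB to birth year and ZIP to its first 3 digits.
    Recompute k afterwards; on a small or sparse population it may not rise."""
    out = []
    for r in rows:
        g = dict(r)
        g["dob"] = r["dob"][:4]
        g["zip"] = r["zip"][:3]
        out.append(g)
    return out


if __name__ == "__main__":
    print("k-anonymity of release:", k_anonymity(HEALTH_RELEASE))
    for i, name in reidentified(HEALTH_RELEASE, PUBLIC_RECORD).items():
        print(f"record {i} ({HEALTH_RELEASE[i]['diagnosis']}) -> {name}")
    print("k after generalization:", k_anonymity(generalize(HEALTH_RELEASE)))
```

Run it and the three rows that are unique on (zip, dob, sex) come back with a name and a diagnosis attached; the two men who share all three values narrow to a pair rather than a person. Note that the cheap fix of coarsening date of birth and ZIP does not raise k on this data at all: whether a generalization actually protects anyone has to be measured against the release, not assumed from the fact that the names were removed.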

 

The Truth About HIPAA – It Hasn’t Changed

Everyone thinks HIPAA protects personal health data. It doesn’t.

The most valuable data collected and sold by US “data brokers” is sensitive personal health information.

US “data brokers” capture sensitive health information by tracking our searches, social media, phone apps and GPS data. The majority of US healthcare institutions, health-related state and federal government agencies, and health technology vendors are also “data brokers”.

HIPAA gave millions of hidden institutions, healthcare providers, and technology vendors the right to control, use, and sell our medical records, prescriptions, lab tests, claims data, and more. HIPAA gave them the right to be “data brokers”.

If the President’s Consumer Privacy Bill of Rights (CPBOR) were the law of the land AND also were applied to the healthcare system, patients could control who collects and uses health data—not “data brokers”.

The CPBOR’s strong new rights to control the use of personal data could end the use of data for discrimination in every area of life, including jobs, credit, mortgages, and opportunities.

The EU got it right: no government agency or corporation in the EU can collect, use, or sell personal data without permission.

deb

This blog was written in response to the following article: Senators call for consumer privacy protections

 

ACP Supports Creating National Rx Drug Monitoring Database

Wednesday, December 11, 2013

The American College of Physicians supports the development of a national prescription drug monitoring program, which would create a single database that physicians and pharmacies could electronically review before prescribing controlled substances, according to a position paper, CBS News reports. The paper was published in the Annals of Internal Medicine on Monday (Jaslow, CBS News, 12/9).


A new national drug database will extend the failed “War on Drugs”, criminalize millions more, increase patients’ reluctance to use controlled substances, and NOT improve treatment for addiction. US prescriptions are already collected and sold daily by prescription data aggregators like IMS Health, Merck Medco, SureScripts, etc. These businesses all sell the nation’s prescription data to any willing buyers. Meanwhile neither physicians nor patients can get electronic copies of prescription data to improve care. Who should health technology benefit? Patients or corporations?

Why not use patients’ prescription data, already being collected by the hidden data aggregation industry, to improve patient health?

Why not use technology to strengthen the patient-physician relationship and to ensure effective diagnosis and treatment?

For example, here is one way technology could be re-designed to help patients:

Anytime a patient gets a controlled substance prescription, existing systems could automatically search for any prior controlled substance prescriptions the patient received in the last month. If a second or third prescription is found, the physician(s) and patient could be automatically notified and resolve together whether it should be filled or not—and how best to treat the patient’s symptoms.

Technology should give patients and doctors the data they need for effective TREATMENT. It’s sad that such a prominent physician group supports giving law enforcement automatic access to every controlled substance prescription in the US. Law enforcement should only be able to access such sensitive patient data AFTER someone has committed a crime or with a judge’s approval.

Why open ALL prescriptions to law enforcement surveillance when the vast majority of patients taking controlled substances are not criminals?

Addiction is NOT a crime, it’s a very treatable medical illness.

deb
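As an added illustration of the check proposed in the post above (written for this page; not PPR’s or the ACP’s code and not an existing product), here is a Python sketch of the point-of-prescribing lookup: given a new controlled-substance prescription, find earlier controlled-substance prescriptions for the same patient inside a look-back window, and return the parties to notify, the patient and every prescriber involved, rather than raising a law-enforcement flag. Each lookup also appends an entry to a per-patient access ledger, the “who looked at my record and why” list the page argues patients are owed. The prescription records, clinician identifiers, the 30-day window and the schedule-number convention (0 = not controlled) are all constructed assumptions.

```python
"""
Point-of-prescribing check for recent controlled-substance prescriptions,
with an access ledger so the patient can later see who looked and why.

Constructed example: the history, the clinicians, the 30-day window and the
"schedule 0 = not controlled" convention are assumptions made for this sketch.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Prescription:
    patient_id: str
    drug: str
    schedule: int      # DEA schedule number; 0 means not a controlled substance (assumed convention)
    prescriber: str
    written: date


@dataclass(frozen=True)
class AccessEntry:
    when: date
    who: str
    patient_id: str
    purpose: str
    records_seen: int


class AccessLedger:
    """Append-only record of every lookup. The patient is its audience."""

    def __init__(self):
        self.entries = []

    def record(self, **fields):
        self.entries.append(AccessEntry(**fields))

    def for_patient(self, patient_id):
        return [e for e in self.entries if e.patient_id == patient_id]


def prior_controlled(history, new_rx, window_days=30):
    """Earlier controlled-substance prescriptions for the same patient
    written within window_days before the new one (strictly earlier)."""
    start = new_rx.written - timedelta(days=window_days)
    return [
        rx for rx in history
        if rx.patient_id == new_rx.patient_id
        and rx.schedule > 0
        and start <= rx.written < new_rx.written
    ]


def check_new_prescription(history, new_rx, ledger, window_days=30):
    """Returns (should_hold, notify).

    should_hold is True when a prior controlled prescription exists in the
    window; notify then lists the patient and every prescriber involved so
    they resolve it together. Non-controlled prescriptions trigger neither a
    lookup nor a ledger entry."""
    if new_rx.schedule == 0:
        return False, []
    prior = prior_controlled(history, new_rx, window_days)
    # The lookup itself is a use of the patient's record: log it regardless of outcome.
    ledger.record(when=new_rx.written, who=new_rx.prescriber,
                  patient_id=new_rx.patient_id,
                  purpose="controlled-substance duplicate check",
                  records_seen=len(prior))
    if not prior:
        return False, []
    prescribers = sorted({rx.prescriber for rx in prior} | {new_rx.prescriber})
    return True, [new_rx.patient_id] + prescribers


# Constructed prescription history.
HISTORY = [
    Prescription("pt-001", "oxycodone",   2, "dr-alvarez", date(2013, 11, 20)),
    Prescription("pt-001", "lisinopril",  0, "dr-alvarez", date(2013, 11, 25)),  # not controlled
    Prescription("pt-001", "alprazolam",  4, "dr-brown",   date(2013, 9, 1)),    # outside the window
    Prescription("pt-002", "hydrocodone", 2, "dr-brown",   date(2013, 12, 1)),   # different patient
]
NEW_RX = Prescription("pt-001", "hydrocodone", 2, "dr-chen", date(2013, 12, 10))
NEW_NON_CONTROLLED = Prescription("pt-001", "metformin", 0, "dr-chen", date(2013, 12, 10))


if __name__ == "__main__":
    ledger = AccessLedger()
    hold, notify = check_new_prescription(HISTORY, NEW_RX, ledger)
    print("hold for review:", hold, "notify:", notify)
    for e in ledger.for_patient("pt-001"):
        print(f"{e.when} {e.who} saw {e.records_seen} record(s): {e.purpose}")
```

On the constructed history the hydrocodone prescription from dr-chen is held because dr-alvarez wrote oxycodone twenty days earlier; the alprazolam from September falls outside the window and the lisinopril is not controlled, so neither counts. The ledger entry is written whether or not anything is found, because the point of the list is to show the patient every use of the record, not only the interesting ones.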

 

Can we at least try not to kill 440,000 patients per year?

Check out the latest from Doc Searls, courtesy of Doc Searls Weblog.

Obamacare matters. But the debate about it also misdirects attention away from massive collateral damage to patients. How massive? Dig To Make Hospitals Less Deadly, a Dose of Data, by Tina Rosenberg in The New York Times. She writes,

Until very recently, health care experts believed that preventable hospital error caused some 98,000 deaths a year in the United States — a figure based on 1984 data. But a new report from the Journal of Patient Safety using updated data holds such error responsible for many more deaths — probably around some 440,000 per year. That’s one-sixth of all deaths nationally, making preventable hospital error the third leading cause of death in the United States. And 10 to 20 times that many people suffer nonlethal but serious harm as a result of hospital mistakes.

The bold-facing is mine. In 2003, one of those statistics was my mother. I too came close in 2008, though the mistake in that case wasn’t a hospital’s, but rather a consequence of incompatibility between different silo’d systems for viewing MRIs, and an ill-informed rush into a diagnostic procedure that proved unnecessary and caused pancreatitis (which happens in 5% of those performed — I happened to be that one in twenty). That event, my doctors told me, increased my long-term risk of pancreatic cancer.

Risk is the game we’re playing here: the weighing of costs and benefits, based on available information. Thus health care is primarily the risk-weighing business we call insurance. For generations, the primary customers of health care — the ones who pay for the services — have been insurance companies. Their business is selling bets on outcomes to us, to our employers, or both. They play that game, to a large extent, by knowing more than we do. Asymmetrical knowledge R them.

Now think about the data involved. Insurance companies live in a world of data. That world is getting bigger and bigger. And yet, McKinsey tells us, it’s not big enough. In The big-data revolution in US health care: Accelerating value and innovation (subtitle: Big data could transform the health-care sector, but the industry must undergo fundamental changes before stakeholders can capture its full value), McKinsey writes,

Fiscal concerns, perhaps more than any other factor, are driving the demand for big-data applications. After more than 20 years of steady increases, health-care expenses now represent 17.6 percent of GDP—nearly $600 billion more than the expected benchmark for a nation of the United States’s size and wealth.1 To discourage overutilization, many payors have shifted from fee-for-service compensation, which rewards physicians for treatment volume, to risk-sharing arrangements that prioritize outcomes. Under the new schemes, when treatments deliver the desired results, provider compensation may be less than before. Payors are also entering similar agreements with pharmaceutical companies and basing reimbursement on a drug’s ability to improve patient health. In this new environment, health-care stakeholders have greater incentives to compile and exchange information.

While health-care costs may be paramount in big data’s rise, clinical trends also play a role. Physicians have traditionally used their judgment when making treatment decisions, but in the last few years there has been a move toward evidence-based medicine, which involves systematically reviewing clinical data and making treatment decisions based on the best available information. Aggregating individual data sets into big-data algorithms often provides the most robust evidence, since nuances in subpopulations (such as the presence of patients with gluten allergies) may be so rare that they are not readily apparent in small samples.

Although the health-care industry has lagged behind sectors like retail and banking in the use of big data—partly because of concerns about patient confidentiality—it could soon catch up. First movers in the data sphere are already achieving positive results, which is prompting other stakeholders to take action, lest they be left behind. These developments are encouraging, but they also raise an important question: is the health-care industry prepared to capture big data’s full potential, or are there roadblocks that will hamper its use?

The word “patient” appears nowhere in that long passage. The word “stakeholder” appears twice, plus eight more times in the whole piece. Still, McKinsey brooks some respect for the patient, though more as a metric zone than as a holder of a stake in outcomes:

Health-care stakeholders are well versed in capturing value and have developed many levers to assist with this goal. But traditional tools do not always take complete advantage of the insights that big data can provide. Unit-price discounts, for instance, are based primarily on contracting and negotiating leverage. And like most other well-established health-care value levers, they focus solely on reducing costs rather than improving patient outcomes. Although these tools will continue to play an important role, stakeholders will only benefit from big data if they take a more holistic, patient-centered approach to value, one that focuses equally on health-care spending and treatment outcomes.

McKinsey’s customers are not you and me. They are business executives, many of whom work in health care. As players in their game, we have zero influence. As voters in the democracy game, however, we have a bit more. That’s one reason we elected Barack Obama.

So, viewed from the level at which it plays out, the debate over health care, at least in the U.S., is between those who believe in addressing problems with business (especially the big kind) and those who believe in addressing problems with policy (especially the big kind, such as Obamacare).

Big business has been winning, mostly. This is why Obamacare turned out to be a set of policy tweaks on a business that was already highly regulated, mostly by captive lawmakers and regulators.

Meanwhile we have this irony to contemplate: while dying of bad data at a rate rivaling war and plague, our physical bodies are being doubled into digital ones. It is now possible to know one’s entire genome, including clear markers of risks such as cancer and dementia. That’s in addition to being able to know one’s quantified self (QS), plus one’s health care history.

Yet all of that data is scattered and silo’d. This is why it is hard to integrate all our available QS data, and nearly impossible to integrate all our health care history. After I left the Harvard University Health Services (HUHS) system in 2010, my doctor at the time (Richard Donohue, MD, whom I recommend highly) obtained and handed over to me the entirety of my records from HUHS. It’s not data, however. It’s a pile of paper, as thick as the Manhattan phone book. Its utility to other doctors verges on nil. Such is the nature of the bizarre information asymmetry (and burial) in the current system.

On top of that, our health care system incentivizes us to conceal our history, especially if any of that history puts us in a higher risk category, sure to pay more in health insurance premiums.

But what happens when we solve these problems, and our digital selves become fully knowable — by both our selves and our health care providers? What happens to the risk calculation business we have today, which rationalizes more than 400,000 snuffed souls per annum as collateral damage? Do we go to single-payer then, for the simple reason that the best risk calculations are based on the nation’s entire population?

I don’t know.

I do know the current system doesn’t want to go there, on either the business or the policy side. But it will. Inevitably.

At the end of whatever day this is, our physical selves will know our data selves better than any system built to hoard and manage our personal data for their interests more than for ours. When that happens the current system will break, and another one will take its place.

How many more of us will die needlessly in the meantime? And does knowing (or guessing at) that number make any difference? It hasn’t so far.

But that shouldn’t stop us. Hats off to leadership in the direction of actually solving these problems, starting with Adrian Gropper, ePatient Dave, Patient Privacy Rights, Brian Behlendorf, Esther Dyson, John Wilbanks, Tom Munnecke and countless other good people and organizations who have been pushing this rock up a hill for a long time, and aren’t about to stop. (Send Doc more names or add comments directly to this blog here.)

Courtesy of Doc Searls Weblog

What Makes 23andMe “Terrifying”?

In a recent “warning letter” to 23andMe, the FDA informed the genetic testing company that they are marketing their Saliva Collection Kit and Personal Genome Service (PGS) to the public without the proper marketing clearance or approval from the FDA. The FDA then went on to say that 23andMe needs to discontinue marketing the PGS kit until the company has received FDA approval to do so. The Genomics Law Report outlines some background and details of the cease and desist letter in two posts, here and here. If you’re interested in more of the legalities and potential implications of the FDA v. 23andMe battle, the posts are a great read.

However, what really resonated with PPR was this Scientific American article by Charles Seife, also prompted by the recent FDA/23andMe kerfuffle: 23andMe is Terrifying, But Not for the Reasons the FDA Thinks. Seife also touches on the regulatory issue with the FDA, but really captures what we see to be the bigger problem with 23andMe with this:

But as the FDA frets about the accuracy of 23andMe’s tests, it is missing their true function, and consequently the agency has no clue about the real dangers they pose. The Personal Genome Service isn’t primarily intended to be a medical device. It is a mechanism meant to be a front end for a massive information-gathering operation against an unwitting public.

As Seife also reports, the company wants to become the “Google of personalized health care.” Well, yikes.

For now, 23andMe says they won’t sell your information without your explicit consent, but we’ve seen enough policies and rules change over time (e.g., Google’s constantly changing policies, HIPAA and the elimination of consent, etc.) to know that “guarantee” isn’t written in stone. Sure, it’s possible that the company wants to use the data it collects for research that proves beneficial to the public, but…it doesn’t seem like a huge leap to say that 23andMe isn’t gathering all that data for altruistic purposes.

Ultimately, as Seife says, the real issue here is what 23andMe (and any other company or organization that collects personal health information) should be allowed to do with the data it collects. There are a number of privacy problems that must be considered when answering that question, which Seife also outlines quite well in the article. Of course, the debate over how we can best manage privacy concerns vs. public benefit and other interests is complex and varied. But at the very least, PPR believes you should be in charge of how your personal information is used. And, you should be able to see who has access to it, when someone has accessed it, and why.

 
Side Note: As always, we want to point out that we’re not trying to stand in the way of the very cool things happening with research and technology. In fact, we are very excited about the possibilities offered by advancements in these fields. We like you, research and technology, we really like you. But we like research and technology that does what the public expects and truly protects your privacy; that doesn’t allow your personal information to be used or shared in hidden ways; that allows you to be in charge and aware of what’s happening with your personal information at all times; that you can trust to honor your wishes regarding how your sensitive health information is used.

Canadian Woman Denied Entry To U.S. Because Of Her Medical History

This story deeply troubles me as a practicing psychiatrist and Freudian psychoanalyst. It’s appalling to see technology used in ways that increase the harms and stigma people with mental illness and addiction endure.
 
 
The story is about a disabled Canadian woman denied the right to travel by a U.S. Customs and Border Protection agent because of her history of hospitalization for Depression.
 
Quotes from the story about the agent who denied her US entry for the cruise:
  • He cited the U.S. Immigration and Nationality Act, Section 212, which denies entry to people who have had a physical or mental disorder that may pose a “threat to the property, safety or welfare’’ of themselves or others.
  • The agent gave her a signed document which stated that “system checks’’ had found she “had a medical episode in June 2012’’ and that because of the “mental illness episode’’ she would need a medical evaluation before being accepted.
How did the US obtain electronic health data on Canadian citizens?
How frequently is the US Government accessing the electronic health records of Canadians?
How frequently is the US Government (and state governments) accessing our electronic health records?
 
Partial answers come from a CBC News story with information from Wikileaks. Quotes:
  • According to an RCMP (Royal Canadian Mounted Police) website, the CPIC (Canadian Police Information Centre) database stores 9.6 million records in its investigative databanks.
  • The RCMP and U.S. law enforcement agencies provide reciprocal direct access to each other’s criminal databases in order to stem the flow of narcotics and criminal dealings into North America, according to the WikiLeaks cable.
  • When asked about the sharing of police information for security purposes, Kamenitz says the government is “obviously not considering what the impact of that can be and how much that can alter a person’s life.”
 
How does the US use electronic health information on American citizens or people with histories of treatment for mental illness or hospitalization?
 
This is ominous because of the proliferation of federal laws requiring that state databases of involuntary commitments for hospitalization be reported to the National Instant Criminal Background Check System (NICS) to prevent violent mentally ill people from buying guns, and the proliferation of state Prescription Drug Monitoring Programs (PDMPs) for controlled substances.
  • (FYI: currently US patients are denied their federal rights to have a list of who used their electronic health records and why. The war over the regulations to implement this critical consumer protection is intense. Industry has held this up for almost 5 years claiming it’s too hard, too expensive, no technology exists, it will burden and scare patients to see how many thousands of accesses there are every day, etc.)
There is a huge state and national push to build/use data bases about mental illness or addiction for many purposes. 

 

It’s the same phenomenon we saw in 2009 when the technology industry got $29B in subsidies for health IT written into the stimulus bill—despite the absence of interest or support of the majority of patients and physicians. See story by Robert O’Harrow on “The Machinery Behind Healthcare Reform”: http://www.washingtonpost.com/wp-dyn/content/article/2009/05/15/AR2009051503667.html
Every family and every person is close to someone suffering from Depression, addiction, or another mental illness. The lack of privacy already drives over 2 million people a year away from treatment for Depression and major mental illness.
 
This is truly a national tragedy. Knowing the US government accesses the nation’s electronic health records will discourage even more people from seeking treatment for serious mental illnesses that are VERY treatable.
 
Best,
Deborah

Will Texans Own Their DNA?


Greg Abbott, candidate for Governor, thinks they should

 

On November 12th, Abbott released his “We the People Plan” for Texas. Clearly he’s heard from Texans who want tough new health data privacy protections.

 

Topping his list are four terrific privacy recommendations for health and genetic data:

  • “Recognize a property right in one’s own DNA.”
  • “Make state agencies, before selling database information, acquire the consent of any individual whose data is to be released.”
  • “Prohibit data resale and anonymous purchasing by third parties.”
  • “Prohibit the use of cross referencing techniques to identify individuals whose data is used as a larger set of information in an online data base.”

 

The Omnibus Privacy Rule operationalized the technology section of the stimulus bill. It also clarified that states can pass data privacy laws that are stronger than HIPAA (which is a very weak floor for data protections).

 

Texans would overwhelmingly support the new state data protection laws Abbott recommends. If elected, hopefully Abbott would also include strong penalties for violations. Contracts don’t enforce themselves. External auditing and proof of trustworthy practices should be required.

 

Is this the beginning of a national trend? I think so.

 

The more the public learns about today’s health IT systems, the more they will reject health surveillance technologies that steal and sell sensitive personal health data.

Myth: The Benefits of Electronic Health Records Outweigh the Privacy Risks


Fact: It’s impossible to weigh the ‘benefits’ of EHRs vs. the ‘risks’ when we have no way of knowing what all the ‘risks’ are. Current health IT systems and data exchanges enable unlimited hidden use and sale of personal health data.

There is no map that tracks hidden disclosures of health data to secondary, tertiary, quaternary, etc, etc users. It’s crazy, but we have no ‘chain of custody’ for our most sensitive personal information, health data.

How can we make informed decisions about using EHRs when there is no map to track the hundreds, thousands, or millions of places our personal health information, from prescriptions to DNA to diagnoses, ends up?

Take a look at this website: http://www.theDataMap.org

  • Harvard Professor Latanya Sweeney leads this project to map the hidden flows of health data.
  • Patient Privacy Rights is a sponsor.
  • Not only is it impossible for individuals to make an informed decision about the risks and benefits of EHRs, but it’s ALSO impossible for Congress to create sane health reform and healthcare laws, or to formulate appropriate health and privacy policies that provide ironclad data privacy and security protections, when we have no idea where PHI goes, who uses and sells it, or what it’s used for.
  • One example of not knowing where/how our personal health data ends up: Identifiable diabetic patient records are sold online for $14-$25 each. See: http://abcnews.go.com/Health/medical-records-private-abc-news-investigation/story?id=17228986&singlePage=true#.UFKTXVHUF-Y

If you think about privacy-destructive health IT,  it is the exact opposite of what patients expect. And it violates patients’ strong existing rights to health information privacy and control over personal health data:

  • One example: Patients give pharmacies a prescription for only one purpose: to fill their prescription. They don’t expect all 55,000 US pharmacies to sell every prescription, every night. The prescription data mining industry sells our easily identifiable prescription records and collects tens to hundreds of billions in revenue every year.
  • Another example: Patients expect physicians to keep their records private. They don’t expect physicians or EHRs to sell their sensitive data, treating patient data as another way to make money. But selling patient data is the business model of almost all EHRs, including Practice Fusion, Greenway, Cerner, Athena, GE Centricity, etc. Patients give doctors information for one purpose only: to treat them. They don’t expect it to be used and sold by Business Associates, subcontractors, and subcontractors of the subcontractors for other purposes. Again, in the US patients have had a very long history of rights to health information privacy in law and ethics (the Hippocratic Oath).

 

Fact: the public will only trust health technology if they control their health data and can have real-time lists of those who use their health data. Hidden use of personal health data must stop. Users should ask our consent first. We need control, accountability and transparency to trust health technology.