Information Asymmetry – The Politics of Health IT Policy

Let’s recognize Healthcare.gov as the dawn of mass patient engagement – and applaud it. Before this website, patients were along for the ride. Employers choose most of the insurance benefits, hospital web portals are an afterthought, and getting anything done with an insurance company, for both doctors and patients, means a phone call and paper. Can you imagine going online to find out the actual cost and buy anything? All that changed with Healthcare.gov.

Information is valuable and not evenly distributed. The haves are immensely valuable corporations. The have nots are patients and doctors. Welcome to the world of health IT politics where the rich get richer ($20 Billion of “incentives” have caused massive health IT consolidation and a hidden health surveillance state) and the poor get frustrated (talk to an independent physician about their EHR or to a patient trying to access her own health records).

Information asymmetry drives $1 Trillion in waste out of our $2.7 Trillion health care cost. That waste is about $3,000 per year per citizen.

The politics of health IT policy are not left vs. right but institution vs. individual. Politicians and regulators alike are now scrambling to understand the role of health IT policy in that $3,000 annual waste per citizen.

The asymmetry that drives health IT policy is easy to understand when you consider that health IT is sold to corporations. As physicians and patients, we do not prescribe or buy information technology and we are paying the price through a total lack of price and quality transparency.

Incumbent “stakeholders” and multi-$Billion not-for-profit “delivery networks” stand to lose half their revenue if our cost structure aligned with the rest of the developed world. Information asymmetry drives our health IT policy as we implement the Affordable Care Act and the HITECH information technology mandates. From the earliest days, the strategy of costly health IT “certification” seems designed to drive small vendors and open source software out of the market. In the middle ages of post ACA health IT policy, circa 2012, our federal health architecture EHR procurement (the VA and Department of Defense, among others) began wild gyrations that have muted one of the few potential sources of rational, citizen-funded open source health information technology. We are now in the predictive analytics era, as our healthcare “providers” figure out how to manage the physician-patient relationship to their economic advantage. They call it Population Health Management.

Population Health Management doesn’t have to increase information asymmetry. Patient engagement and Fair Information Practice principles are not controversial. Combined with patient-directed automation via Blue Button Plus and NSTIC-style voluntary identities, we can have Big Data analytics to drive health reform policy and population health management. All it takes is democratizing access to our own information and reasserting the primacy of the physician-patient relationship. To get there, our federal and state policymakers will need to use the reduction of information asymmetry as a guiding principle.

The opportunities for policymakers to reduce information asymmetry and engage patients abound:

  • Confirm the patient’s right to access all information using Blue Button Plus so we can delegate that access to the physicians and analytics services we trust.

  • Confirm the patient’s right to specify a voluntary identity for patient matching when we participate in health information exchange.

  • Confirm the patient’s right to a real-time online Accounting of Disclosures so that we can know who is getting our information and see what they’re getting.

  • Confirm the physician’s right to communicate with anyone using Direct secure messages without interference from their employer or a state health information bureaucracy.

We already have these rights under existing law. What we don’t have is regulators and public procurement processes that put consumer protection ahead of politics. It’s time for them to step up. Start by fixing Healthcare.gov with privacy-preserving, voluntary sign-in credentials that we can use with Blue Button Plus to access our hospitals, insurers and state databases without risk of identity theft. There’s $3,000 in it for each of us.

Adrian Gropper, MD is Chief Technical Officer of Patient Privacy Rights and participates in Blue Button+, Direct secure messaging governance efforts and the evolution of patient-directed health information exchange.

Check out the Latest from Dr. Gropper, courtesy of The Healthcare Blog.

A Fraying of the Public/Private Surveillance Partnership

To view the full article, please visit: A Fraying of the Public/Private Surveillance Partnership

The lack of data security and privacy on ‘HealthCare.gov’ triggered national outrage. For the first time, patient privacy is a national issue.

Healthcare.gov’s serious technology flaws sparked huge privacy fears even though ONLY one piece of health data is collected, “Do you smoke?”.

The public now fears that the US government and the health IT industry don’t protect sensitive personal health data. Rightly so. See:

 

But current US health IT systems also enable hidden armies of corporations and government agencies to use sensitive personal health data without patient consent.

If our health data was actually private, how could it be sold on the Internet? Three short videos:

 

We have no map of all the hidden flows of our health data. See examples mapping the hidden flows of US health data:

  • states sell health data: http://thedatamap.org/states.html

  • top buyers of health data: http://thedatamap.org/buyers.html

  • data breaches reveal who purchased health data: http://thedatamap.org/history.html

  • health data is easy to re-identify: http://thedatamap.org/risks.html

The consequence of the lack of patient privacy (control over personal health data) is that millions of people act to keep health data private:

  • Today 40-50 million people/year act to try to keep health data private:

      ◦ 37.5 million people every year hide information to try to keep it private

          ▪ November, 2005. National Consumer Health Privacy Survey, California Healthcare Foundation: http://www.chcf.org/publications/2005/11/national-consumer-health-privacy-survey-2005

      ◦ Over 5 million every year avoid or delay early diagnosis for cancer, mental illness, or sexually-transmitted diseases

          ▪ 65 Fed. Reg. at 82,779, 65 Fed. Reg. at 82,777, 65 Fed. Reg. at 82,778

          ▪ Or see page 7: http://patientprivacyrights.org/wp-content/uploads/2010/08/The-Case-for-Informed-Consent.pdf

Technology can ensure all the benefits and prevent harms. The idea that we must surrender privacy forever to ‘wire’ the healthcare system is false.

Technology should “do no harm” to patients. The cure is to use tough privacy-enhancing technologies.

Healthcare.gov sends user information to third parties, violating its own privacy policy

You might be interested in this story “Healthcare.gov sends user information to third parties, violating its own privacy policy.” 

The site sends user information to third parties like Pingdom and DoubleClick that are hidden data collectors.  Here you can find a screenshot in which Ghostery is used to show 7 hidden trackers: Healthcare.gov trackers

 

Update on Adobe Attack: Millions More Victims

Check out the latest from Debra Diener, courtesy of Privacy Made Simple.

 

Back on October 4th and 7th, I wrote about the hackers who had gotten into the customer Adobe files (see, “Top 5 Things to Know About Abobe Hacking” and “Alert! Adobe Hacking Update”).

 

When the breach was first reported, Brad Arkin, Adobe’s Chief Security Officer, estimated there were around 2.9 million Adobe customers whose Adobe IDs, names, encrypted passwords, encrypted credit and/or debit card numbers (and expiration dates) along with order details had been hacked.  That now seems like a vastly underestimated number.

 

Anna Brading just reported that the final number is 38 million active Adobe customers (see, nakedsecurity.sophos.com; “Adobe breach THIRTEEN times worse than thought”).  Ms. Brading’s report is based on an announcement by Heather Edell, an Adobe spokesperson.   In her announcement, Ms. Edell says that Adobe has finished its investigation during which it identified the 38 million Adobe customers with active accounts who were affected.  Ms. Edell says those customers have already been contacted and that Adobe is now investigating whether any inactive Adobe customer accounts were hacked.

 

This is a “heads up” to Adobe customers — keep an eye on your credit and debit card bills and other financial account statements.  Remember to change passwords and don’t use the same one for multiple accounts.  Do check the Adobe website for further updates.


Shine a Light on Online Tracking

Check out the latest from Debra Diener, courtesy of Privacy Made Simple.

 

Many consumers know that advertisers and companies are tracking their online footprints.  People might not like it but they accept it as part of using the Internet regularly.

Mozilla understands that consumers might want to know who’s tracking them. To do so, Mozilla created Lightbeam, a new app that allows consumers to do just that.  It’s an add-on that can be downloaded onto the Firefox browser.  Lightbeam is an updated version of Collusion, which is an earlier Firefox add-on.

How does Lightbeam work?  Nick Heath has an excellent article that also has a screen shot showing how Lightbeam works (www.zdnet.com; “Want to know who’s spying on you online? There’s an app for that”; October 25).   In a nutshell, per Mr. Heath, each time a consumer visits a website Lightbeam will log “….every web address that is connecting to your machine, revealing how visiting a single website can result in your computer to (sic) connecting to many different web servers. Each of these servers may be controlled by different companies, and send and collect different information —for example, serving up images and adverts on the site or placing tracking cookies on your computer.”

Mr. Heath’s screen shot is a visual depiction of what a consumer will be able to see about the tracking.

I went to the Mozilla site to read more about Lightbeam (https://addons.mozilla.org; “Lightbeam for Firefox 1.0.2”).  The Mozilla site has more details about Lightbeam and the fact that it will enable consumers who download it to see both first and third party sites with which the consumer is interacting.  Consumers will, per the Mozilla article, be able to save a copy of the “connection history” which is the place where a consumer “…can see the specific data collected by the add-on.”

Consumers might want to take a look at Lightbeam, if for no other reason, to understand more about the different methods being used for online tracking.

What a Small Moment in the Obamacare Debate Says About Ideological Media

Politics aside, a huge majority of the public agrees that ALL personal information should be protected online, not just when they apply for Obamacare, use electronic health systems, or search online about health.  The right to control the use of personal health data is strongly supported by 95% of Americans.

But like the public, the author doesn’t know that government and corporations already have access to every citizen’s personal health information. See: http://patientprivacyrights.org/truth-hipaa/  HIPAA has not protected our rights to health ‘privacy’ since 2002.

Key conclusions:

  • “The Bush and Obama Administrations both showed with perfect clarity that they don’t give a damn about the privacy rights of Americans; federal bureaucrats serving in both eras have broken the law to hoover up our private information; and every trend points to a federal government intent on expanding its ability to collect information on Americans and share it among agencies. The U.S. has also shown an inability to protect data it stores from being hacked or stolen. Given all that, it isn’t paranoid to imagine that any health information handed over to the federal government won’t remain private for long. A betting man would be wise to conclude that somehow or other, it will at least be seen more widely than Obama Administration officials are promising—especially if additional steps aren’t taken to make the information better protected.”
  • “Outsmarting the most hackish Republicans isn’t enough to fix the flaws in legislation that you championed and passed, substantial warts and all.”

Congress must pass a strong new law soon giving patients a clear, strong right to control personal health information.  We should decide who can see and use our most sensitive personal information. The nation’s trust in government will only worsen if we cannot protect even our MOST sensitive personal data, from prescription records, to DNA to diagnoses.

deb

This blog was written in response to the following article: What a Small Moment in the Obamacare Debate Says About Ideological Media

Scammers Using Police Caller ID Numbers: Alert!

Check out the latest from Debra Diener, courtesy of Privacy Made Simple.

 

The Better Business Bureau (BBB) has just issued an alert about the latest scam being used by thieves to steal money and/or personal information (see, scam alert@council.bbb.org, “Scammers Impersonate Police with Spoofed Caller ID”).  Consumers need to be very alert to this ploy. BBB says the scam’s being used all around the country.

The scammers have gotten hold of a computer program that lets them change phone numbers that can be displayed on Caller ID — the spoofing part of this scam.  The scammers are using this technology to send calls with the right phone numbers of the local sheriff or police offices appearing when the recipients hit Caller ID.

The intended victims see the legitimate phone number, answer the call and are then told by the scammers (posing as the local sheriff or police) that there’s an arrest warrant out for them.  BBB reports that some of the scammers have been using the real names of local sheriffs or police officers in the calls — thus making the threat seem more legitimate.

The scammer tells the intended victim that he can avoid the criminal charge by paying a fine.  Here’s the next part of the scam: the scammer says the fine can only be paid by a money order or pre-paid debit card.

Now many people will see through this scam but others will be scared into doing so — maybe because the scammer uses a real name of a local police officer; or because they might not know what fines could exist for them; or because the scammer already has some personal information about the intended victim.  BBB cited the case of a Detroit-area woman who became a victim because the scammer specifically mentioned a loan she’d taken out (that alone raises more problems about how the scammers got that information).

Consumers should remember these “Do’s” and “Don’ts” to avoid becoming a victim:

  • Don’t wire money: legitimate police forces don’t operate by calling people and asking for money over the phone;
  • Do hang up ASAP: don’t call back as doing so might give the scammers more personal information they can later use for other criminal ends;
  • Do call the real local police or sheriff’s office: let them know about the call so they can alert others in the area; and
  • Don’t give out personal information: scams come in different formats and approaches but they all want the same thing — consumers’ money and/or personal information.

Facebook Eases Privacy Rules for Teenagers

Vindu Goel ties all the critical factors together in Facebook’s ongoing decisions that eliminate teens’ privacy on Facebook: the history of social media and children, teen psychology and bullying, the EU’s response, and how exposing teens online is driven by Zuckerberg’s quest for ever greater profits.

To view the full article, please visit: Facebook Eases Privacy Rules for Teenagers

Everyone expects information they share to be used only once, for one purpose.

This expectation is not a surprise. This ethical principle is called  ‘single use’ of data.

Humans expect to set and regulate personal boundaries in relationships with others.  We only trust people and institutions that don’t share sensitive personal information without asking us first.

People don’t trust governments or corporations that violate their expectations and rights to privacy, i.e., rights to control the use of personal data.

When the US public realizes their rights to health information privacy are violated by hidden government  and corporate use and sale of their most intimate, sensitive information: health data, from prescriptions to diagnoses to DNA—the fallout will be far more devastating than the NSA revelations.

After all, Americans expect some level of government surveillance to protect us from terrorism, but the hidden collection and sale of health data by industry and government is very different: it completely shatters trust in the patient-physician relationship. The lack of trust in electronic health systems already causes 40-50 million people to delay or avoid treatment for serious illnesses, or to hide health information. Current technology causes bad health outcomes.

The Internet and US health technology systems are currently designed to violate human and civil rights to privacy.  The Internet and technology must be rebuilt to restore trust and restore our rights to control personal information.

Deb