Experts tout Blue Button as enabling information exchange between medical provider and patient

Blue Button Plus (BB+) and direct secure email technologies could put patients in control of all use and disclosure of their electronic health records. BB+ lets us ‘view, download, and transmit’ our own health data to physicians, researchers, or anyone we choose.

But state Health Information Exchanges (HIEs) don’t allow patients to control the disclosure of personal health data. Some state HIEs don’t even ask consent; the HIE collects and shares everyone’s health records and no one can opt-out. Most state HIEs ask patients to grant thousands of strangers—employees of hospitals, doctors, pharmacies, labs, data clearinghouses, and health insurers—complete access to their electronic health records.

When corporations, government, and HIEs prevent patients from controlling who sees personal health data– from prescriptions, to DNA, to diagnoses– millions of people every year avoid or delay treatment, or hide information.

HIEs that open the door to even more hidden uses of health data will drive even more patients to avoid treatment, rather than share information that won’t be private.

Health IT systems that harm millions/year must be fixed. Technology can put us in control of our data, achieve the benefits and innovations we expect, and prevent harms.  We have to change US law to require technologies that put patients in control of their electronic health records.

Prince William’s DNA

As more individuals start posting their genomes or other genetic information online, privacy issues grow. A recent article from GenomeWeb about Prince William’s DNA highlights one of PPR’s concerns about publicly sharing such information: one person’s choice to research and reveal information about themselves reveals information about so many others who had no say in that decision.

To be clear, PPR is not opposed to genetic testing and actually believes there are many new and exciting possibilities that exist within the realm of genetic analysis. However, there are several issues that need to be addressed before people start encouraging others to publicly share their own genetic information. This excerpt from the article sums up the dilemma quite nicely:

“What is noteworthy is the ethics of publishing details of this genetic analysis at all,” Brice says, noting that “one of the major ethical concerns about genetic information and privacy” is that individual information can lead to the disclosures about family members.

The Duke’s cousins are free to have genetic tests if they want, but disclosing information about other, non-consenting individuals, is “highly questionable,” Brice says.

To read the full article, click here. (Note: Free subscription may be required).

The Individual’s Right to Restrict Disclosure of Health Information

This article gives a great explanation of how industry has fought to influence those in government that write the ‘rules’ for how federal law works in practice. The key industry tactic is to complain that complying with the law is too costly, or impossible, or would take too much time. For reasons we don’t understand, the government agency that writes the ‘rules’ takes the side of industry rather than defending patients.

From ABA Health eSource, Jim Pyles, “The Right to Obtain Restrictions Under the HIPAA/HITECH Rule:
A Return to the Ethical Practice of Medicine
.

The Individual’s Right to Restrict Disclosure of Health Information
AuthorThe HIPAA/HITECH Final Omnibus Rule issued on January 25, 2013 restores the right for Americans to retain some control over the disclosure of their health information as part of the “floor” of federal privacy protections afforded by HIPAA.(1) Under the new rule, individuals have a right to obtain restrictions on the disclosure of health information in electronic or any other form to a health plan for payment or healthcare operations with respect to specific items and services for which the individual has paid the covered entity out of pocket in full.(2) Such requests for restrictions must be granted by the covered entity unless disclosure is required by law. Covered entities must also include this right in their notices of privacy practices.(3) The guidance in the preamble states that only healthcare providers are required to include such a statement in their notices of privacy practices; however, the language of the statute and the regulation itself states that the notice requirement applies to covered entities.(4) The new rule became effective March 26, and covered entities must be in compliance by no later than September 23, 2013.(5)

————-

1 78 Fed. Reg. at 5628 (January 25, 2013).
2 45 C.F.R. § 164. 522(a)(1)(vi).
3 45 C.F.R. § 164.520(b)(1)(iv).
4 HITECH Act, section 13405(a); 45 C.F.R. § 164.522(a)(1)(vi) (as amended).
5 78 Fed. Reg. at 5566.

Privacy Hawk: Put Patients at Center of Health Information Exchange (Quotes Dr. Peel)

“If healthcare organizations truly want to protect patient privacy and earn public trust regarding electronic health records (EHRs), they need to let go of the notion that institutions control individual data and look for technology that lets patients take charge of information flow…”

Key quotes from the article:

  • -”Many commercial EHRs started as systems to improve the operational side of healthcare and increase reimbursement, not to improve clinical care”
  • -”‘We’re stuck with these frankly primitive and privacy-disruptive systems that need to be fixed,’ Peel said at WTN Media’s 11th annual Digital Health Conference.”
  • -To Peel, last week’s revelations that the National Security Agency has been tracking phone calls and e-mails of virtually every American for at least six years shined a light on an issue that long has been prevalent in the healthcare industry.
  • -”‘In healthcare we actually have a total surveillance economy, too,’ said Peel, an Austin, Texas, psychiatrist.”
  • “‘We don’t actually know where our health data goes. We have no chain of custody, much less control over our health information,’ she said. Having personal information get out could lead to ‘health discrimination’ in employment or insurance coverage for patients with mental health disorders, sexually transmitted diseases or cancer, Peel added, and the threat of a breach often leads to care avoidance.”

The Verizon order, the NSA, and what call records might reveal about psychiatric patients

The NSA knows we are sick because we phone doctors’ offices.

As a mental health professional, Dissent Doe explains in her blog (below) how revealing phone call metadata is:

“Because my phone is used mainly for calls to and from patients and clients, can the NSA figure out who my patients are?  And could they, with just a query or bit of analysis, figure out when my patients were going into crisis or periods of symptom worsening?  I suspect that they can. And because I am nationally and internationally known as an expert on a particular disorder, could the government also deduce the diagnosis or diagnoses of my patients or their family members? Probably.”

There is a huge national media response to the NSA spying on Americans’ cell phone calls, but the media does NOT report on the far worse systemic corporate and government spying on the nation’s electronic health records.

The US healthcare system is engineered for hidden corporate and government surveillance of personal data about the minds and bodies of all 300 million Americans –from prescriptions to diagnoses to DNA—it’s all collected and sold.

The US media simply repeats industry and government talking points about the benefits of electronic health systems without reporting on the massive harms:

  • -Millions of patients/year avoid early diagnosis and treatment of cancer, depression, and sexually transmitted diseases because they know that information will not be private (see citations and statistics in:http://patientprivacyrights.org/wp-content/uploads/2010/08/The-Case-for-Informed-Consent.pdf)
  • -1/8 people hide health information because they know that information will not be private
  • -Should we use technology that causes millions to suffer bad outcomes?

2013 is a critical year: every state will share your health data with hundreds-thousands more hidden users via Health Information Exchanges (HIEs).

  • -Many states to not allow you to ‘opt-out’ of HIEs that exchange your health data.
  • -Most states do not allow you to prevent your most sensitive health information from being exchanged.
  • -So far, not one state gives patients control over data exchange.

SIGN PPR’s petition and say “no” to data exchange without your consent at: http://patientprivacyrights.org/2013/06/sign-the-petition-for-patient-controlled-exchange-of-health-information/

We need trustworthy technologies that put patients back in control of the use, disclosure, and sale of their sensitive health data.

  • -Patients have always controlled who could see and use paper medical records.
  • -Now institutions (corporations and government) control who can see and use the nation’s electronic health records.

Great existing technologies can fix badly designed electronic health systems, but we need new laws that require privacy-protective technologies are built into all electronic systems that handle health data.

Panel: Cloud’s role in healthcare still up in the air

As hospitals and healthcare facilities continue to adopt electronic tools to store and share patient data, some are turning to cloud-based tools to meet their needs. What that means for privacy and protection still is up for debate, as evidenced in the tone of a discussion panel at last week’s Health Privacy Summit in Washington, D.C.

“When data is managed or stored in-house [by a provider], there’s a very clear responsibility of one company” to protect that data, Adrian Gropper, chief technology officer for Patient Privacy Rights, the non-porofit organization that hoted the event, said. “The cloud blurs that distinction–sometimes intentionally.”

Why privacy should be among the first considerations of a health care app developer

Given all the complexities app developers need to worry about already–user experience, piquing doctors’ and patients’ interest, performance, accommodation of multiple devices–do they have time to worry about patient privacy too? The Health Privacy Summit on June 5 and 6 in Washington, DC explained why they should–in fact, that a respect for privacy may do more to promote an app than any other feature.

The headlines over the past week should be enough to persuade you that you don’t want to be seen as one of the creeps. It’s takes more time and digging around, though, to learn what patients really want and how to write an app that fulfills their expectations.

Certainly, Fair Information Practices and proper security are a place to start, and below I’ll list a few things developers need to keep in mind. But overriding all these technical details are questions of business model. Can you make money without treating patients as so many assets to sell?

What Do Patients Really Think?

Health reform activists and privacy mavens have been at loggerheads for years. Those touting health reform complain that an oversensitivity to privacy risks would hold back progress in treatments. Running in parallel but in the opposite direction, the privacy side argues that current policies are endangering patients and that the current rush to electronic records and health information exchange can make things worse.

It’s time to get past these arguments and find a common ground on which to institute policies that benefit patients. Luckily, the moment is here where we can do so. The common concern these two camps have for giving patients power and control can drive technological and policy solutions.

Deborah Peel, a psychiatrist who founded Patient Privacy Rights, has been excoriated by data use advocates for ill-considered claims and statements in the past. But her engagement with technology experts has grown over the years, and given the appointment of a Chief Technology Officer, Adrian Gropper, who is a leading blogger on this site, PPR is making real contributions to the discussion of appropriate technologies.

PPR has also held three Health Privacy Summits in Washington, DC, at the Georgetown Law Center, just a few blocks from the Capitol building. Although Congressional aides haven’t found their way to these conferences as we hoped (I am on the conference’s planning committee), they do draw a wide range of state and federal administrators along with technologists, lawyers, academics, patient advocates, and health care industry analysts. The most recent summit, held on June 5 and 6, found some ways to move forward on the data sharing vs. privacy stand-off in such areas as patient repositories, consent, anonymization, and data segmentation. It also highlighted how difficult these tasks are.

Georgetown Law Hosts Health Privacy Summit

In 2007, an American woman who had once participated in a study sponsored by the National Institutes of Health stumbled upon her name, address, birth date, medical procedures and diagnosis stored on a German Internet site for video game enthusiasts.

“I expected complete privacy,” said the patient, who told her story via live video feed during a two-day Health Privacy Summit at Georgetown Law on June 5 and 6, co-hosted by the Law Center’s O’Neill Institute for National and Global Health Law and the Patient Privacy Rights coalition. “I expected the same kind of privacy that we all expect [when] we see our physicians and medical providers.”

Ways to put the patient first when collecting health data

The timing was superb for last week’s Health Privacy Summit, held on June 5 and 6 in Washington, DC. First, it immediately followed the 2000-strong Health Data Forum (Health Datapalooza), where concern for patients rights came up repeatedly. Secondly, scandals about US government spying were breaking out and providing a good backdrop for talking about protection our most sensitive personal information–our health data.

The health privacy summit, now in its third year, provides a crucial spotlight on the worries patients and their doctors have about their data. Did you know that two out of three doctors (and probably more–this statistic cites just the ones who admit to it on a survey) have left data out of a patient’s record upon the patient’s request? I have found that the summit reveals the most sophisticated and realistic assessment of data protection in health care available, which is why I look forward to it each year. (I’m also on the planning committee for the summit.) For instance, it took a harder look than most observers at how health care would be affected by patient access to data, and the practice of sharing selected subsets of data, called segmentation.