PPR was deeply saddened by the loss of one of our greatest privacy heroes, Mr. Alan F. Westin, the “father of modern day privacy” and the nation’s most respected academic authority on public attitudes toward health privacy. We are grateful to have had the opportunity to honor him and his tremendous work as one of PPR’s first Louis D. Brandeis Privacy Award recipients in 2012. He truly was a remarkable man whom we will miss dearly, though we know the extraordinary contributions he made to the field of privacy law are everlasting.
Here is a recent article about SnapChat, which makes pictures and videos shared via the Internet disappear 10 seconds after they are seen. Internet technologies constantly collect and use personal data without consent. American health IT systems do the very same thing: constantly collect and use sensitive personal health data without consent. New technologies that ‘erase’ data after a single use could prevent secondary collection, disclosures, and sales of everything from our diagnoses to prescription records to DNA. We are constantly told young Americans don’t care about privacy. Would you be surprised to learn that’s wrong? The truth is the majority of people, young and old, want to control the use of personal data:
- -”88 percent of participants from ages 18 to 24 responded that there should be a law requiring websites and advertising companies to delete all stored information about an individual upon request”
- -”94 percent of people from 45 to 54 also supported the idea”
“The default setting for almost everything people share online is that it will live for eternity in the cloud” —-we are forced to surrender control of personal information just to be online. Who believes the US public agreed that total surveillance is a fair price for using the Internet?
Since we can’t STOP personal data from being collected, technologies like Snapchat and Wickr that make data “erasable” are critical tools to help restore control over personal data.
Americans want the right to be forgotten, BUT FIRST AND FOREMOST, our constitutional RIGHT TO BE LET ALONE should be restored in the digital age.
KEY QUOTES from the article about Snapchat:
- -”In the U.S., Snapchat was the second-most popular free photo and video app for the iPhone in early February, just behind YouTube and ahead of Instagram.”
- -Pew Research Center survey found that 57 percent of all app users “have either uninstalled an app over concerns about having to share their personal information, or declined to install an app in the first place for similar reasons.”
- -A January 2013 study by the Ponemon Institute… found social media to be among the least trusted industries when it comes to protecting customers’ privacy online.
- -[Snapchat's] rapid growth demonstrates a huge business opportunity—namely, services aimed at the increasing number of people worried about their social media footprints.
- -researchers at the University of California at Berkeley found that ….young Americans ….[are] as anxious as their parents about their permanent social records.
- -88 percent of participants from ages 18 to 24 responded that there should be a law requiring websites and advertising companies to delete all stored information about an individual upon request
- -94 percent of people from 45 to 54 also supported the idea
- -“The early adopters of Snapchat are teens in the U.S.”
- -“Whenever I ask someone, do they want control over the messages and media that they send to others, the answer 100 percent is yes,” says Sell. “There’s no question that this has mainstream appeal.”
- -Sell talks of private communication as “a universal human right” that largely doesn’t exist in the current digital landscape in which big data companies are continuously harvesting and mining information about our every online utterance.
Ephemeral data is the future
American citizens are like just like EU citizens: they want the same strong rights to control personal information online, especially health information.
See the letter Patient Privacy Rights and other NGOs signed supporting the EU’s tough requirements for data protection. The letter urges the US government policy makers to support the same tough data protections for US citizens, also embodied in the protections President Obama laid out in the “Consumer Privacy Bill of Rights”.
Unfortunately, the “Consumer Privacy Bill of Rights” exempts all health data, leaving the flawed HIPAA Privacy Rule that eliminates our control over personal health data in effect. The 563 page Omnibus Privacy Rules adds strong data security protections and stronger enforcement of violations for some health data holders and users, but not all. But it does not restore patients’ rights to consent before personal health information is accessed or used, even though the right to control health information has been the law of land for centuries and is the key ethic in the Hippocratic Oath (requires doctors to keep information private and not share it without consent).
US citizens will not trust their physicians or electronic health systems unless they control who can see and use their records, from diagnoses to DNA to prescriptions.
To view the full article written by Jack Doyle, please visit: Big brother to log your drinking habits and waist size as GPs are forced to hand over confidential records
The UK government proposes to collect citizens’ health data in a “giant information bank”. “A document outlining the scheme even raises the prospect of clinical data being passed on or sold to third parties”.
- -Doctors will be forced to hand over sensitive information about patients as part of a new programme called Everyone Counts.
- -The files will be stored in a giant information bank that privacy campaigners say represents the ‘biggest data grab in NHS history’.
- -Ross Anderson, professor of security engineering at Cambridge University, said: ‘Under these proposals, medical confidentiality is, in effect, dead and there is currently nobody standing in the way.’
David Cameron was criticized in the Guardian in 2011 when he first announced similar plans for collecting all citizens health data to:
- -“encourage NHS ties with industry and fuel innovation, including £180m catalyst fund”
- -encourage “collaboration between the health service and the life sciences industry”
- -“make it easier for drug companies to run clinical trials in hospitals and to benefit from the NHS’s vast collection of patient data”.
The tens or hundreds of billions generated annually by sales of American citizens’ electronic health information are an attractive model for the UK and EU given the dire economic situation in the EU. It’s hard to know how large the market for health data is or how health data is used without a data map. See Professor Sweeney explain theDataMap research project at: http://tiny.cc/etyxrw
Americans can’t control who sees or uses their health data. Will UK citizens suffer the same fate?
To view the full article, please visit Nearly Half of U.S. Adults Believe They Have Little To No Control Over Personal Info Companies Gather From Them While Online.
No surprise, 80% of US adults do NOT want targeted ads. 24% think they have no control over information shared online.
How will US adults feel when they learn they have no control over sensitive electronic health information? Despite the new Omnibus Privacy Rule, there is still no way we can stop our electronic health records from being disclosed or sold. The only actions we can take are avoiding treatment altogether or seeking physicians who use paper records and paying for treatment ourselves. No one should be faced with such bad choices. There is no reason we should have to give up privacy to benefit from technology.
Today, the only way to prevent OUR health information from being disclosed or sold to hidden third parties is to avoid electronic health systems as much as possible. That puts us in a terrible situation, because technology could have been used to ensure our control over our health data. The stimulus billions can still be used to build trustworthy technology systems that ensure we control personal health information. Institutions, corporations, and government agencies should not control our records and should have to ask us for consent before using our them.
- -”45% of U.S. adults feel that they have little (33%) or no (12%) control over the personal information companies gather while they are browsing the web or using online services such as photo sharing, travel, or gaming.”
- -”many adults (24%) believe that they have little (19%) to no (5%) control over information that they intentionally share online”
- -”one-in-five (20%) said that they only minimally understand (17%), or are totally confused (3%) when it comes to personal online protection”
- -”When asked under what circumstances companies should be able to track individuals browsing the web or using online services, 60% say this should be allowed only after an individual specifically gives the company permission to do so.”
- -”Just 20% of adults say that they want to receive personalized advertising based on their web browsing or online service use, while the large majority (80%) report that they did not wish to receive such ads.”
The blog Emergent Chaos wrote an article urging for privacy in the mental health field as a means of minimizing the stigma associated with diagnosis.
Some key statistics pointed out in this post:
“First, between 13 and 17% of Americans admit in surveys to hiding health information in the current system. That’s probably a lower-bound, as we can expect some of the privacy sensitive population will decline to be surveyed, and some fraction of those who are surveyed may hide their information hiding. (It’s information-hiding all the way down.)
Secondly, 1 in 8 Americans (12.5%) put their health at risk because of privacy concerns, including avoiding their regular doctor, asking their doctor to record a different diagnosis, or avoiding tests.”
Bill Keller’s NYTimes op-ed, “Invasion of the Data Snatchers,” is a fantastic piece on the hazy lines surrounding individual privacy in our new “surveillance economy.” Looking critically at The Journal News’ decision to publish the names and addresses of handgun permit holders in two nearby counties, as well as other instances in which people’s personal information is publicly shared, he asks a critical question: “What is the boundary between a public service and an invasion of privacy?” He then goes on to discuss the erosion of privacy and the challenges we face in determining “what information is worth defending and how to defend it.”
As the article says, “You can take your pick of the ways Facebook and Google are monetizing you by serving up your personal profile and browsing habits to advertisers for profit. Some of this feels harmless, or even useful — why shouldn’t my mobile device serve me ads tailored to my interests? But some of it is flat-out creepy. One of the more obnoxious trends is the custom-targeting of that irresistibly vulnerable market, our children.” Keller makes a good point—with so many different entities vying for a piece of your data, how can you know where to begin fighting back? And, it can be so overwhelming to think about the dirty underbelly of data sharing that it’s easier to say it’s no big deal in the long run, especially if you feel like you’re benefiting from it now.
For PPR, the bottom line is this: the erosion of our individual privacy is a critical issue. While some may be quick to dismiss such concerns, we have to remember that what we do now to protect our fundamental right to privacy matters. It matters to us in the present day and it matters to the futures of our children, our grandchildren, and so on…
Yes, there can be great benefits to the unparalleled connectivity and access people have to information in the rapidly shifting landscape of the digital era. At the same time, we have to make sure we establish clear boundaries and give people a say in the ways in which their information is accessed and used, particularly when it comes to sensitive data, like our personal health information. However, as Keller points out, protection of our privacy “doesn’t happen if we don’t demand it.”
This year, PPR will address a similar topic at its 3rd International Summit on the Future of Health Privacy: The Value of Health Data vs. Privacy — How Can the Conflict Be Resolved? We urge you to join us to be a part of the important conversations that will take place as we look at how our health information is valued, who has access to it, and what we can do to protect our privacy in an increasingly connected world.
In her acceptance speech for the Cecil B. DeMille award at the Golden Globes, Jodie Foster spoke briefly on the value of privacy. Her poignant words are a reminder not to take privacy for granted. If we don’t stand up and fight to preserve our rights to privacy, we will lose them..
“But seriously, if you had been a public figure from the time that you were a toddler, if you’d had to fight for a life that felt real and honest and normal against all odds, then maybe you too might value privacy above all else. Privacy. Someday, in the future, people will look back and remember how beautiful it once was.”
To view the full article written by Bob Brewin for Nextgov, please visit Can computers predict medical problems? VA thinks maybe.
“The Veterans Health Administration plans to test how advanced clinical reasoning and prediction systems can use massive amounts of archived patient data to help improve care, efficiency and health outcomes.”
Two veterans commented on the story below:
- -“total invasion of privacy, I have a big problem with a “vendor” going through my records let alone the VA. the VA doesnt exactly have a good track record of protecting information”
- -“veterans are NO LONGER guinea pigs without express PRIOR written consent, that is MEDICAL DATA covered by HIPAA, and is expressly forbidden to be managed in an open fashion and is NOT for sale.”
Like 99% of Americans, these vets oppose research use of their health information without consent:
- -See Alan Westin’s study of Americans’ attitudes toward research use of health data for the Institute of Medicine (IOM): http://patientprivacyrights.org/media/WestinIOMSrvyRept.pdf?docID=2501. Only 1% of Americans would agree to unfettered access to their electronic health records for research.
US health IT systems and the VA could offer electronic consent to participate in studies:
- -Electronic consent tools can enable each patient to set his or her own broad rules to allow research use of their health data.
- -Vets could be ‘pinged’ for consent for EACH study, set broad rules to allow use of data for all studies, or set their rules for something in between (such as: I will agree to all research use of my data on traumatic brain injury and PTSD, but contact me for consent for all other studies).
Unfortunately the new Omnibus Privacy Rule grants open access to all 300 million citizens’ sensitive health information without consent for any ‘research’ or ‘public health’ use. The broad ‘research loophole’ in HIPAA and the new Omnibus Privacy Rule permits industry (corporations including insurers, employers, drug companies, marketers, pharmacies, labs, and others) to use and sell our personal data for “research” that we would never agree with. ‘Research’ is defined so broadly that:
- -Blue Health Intelligence (a subsidiary of Blue Cross Blue Shield) does ‘research’. It uses and sells enrollees’ health data without consent.
- -IMS Health data mines and sells the nation’s prescription records. Claiming to do ‘research’ allows IMS Health to use and sell Americans’ prescription records without consent.
- -Many electronic health record companies (Cerner, GE Centricity, Greenway, Athena Health, and Practice Fusion) are also ‘research companies’ and sell health data.
- -The ‘research’ industry sells data that is supposedly ‘de-identified’, but health data is easy to re-identify (See paper by Narayanan and Shmatikov:
- http://www.cs.utexas.edu/~shmat/shmat_cacm10.pdf ). And there is no way to know when ‘de-identified’ data is re-identified. Texas law bans re-identification’ of health data, but the system depends on whistleblowers to report violations.
- -Most ‘researchers’ are not physicians, scholars, and PhDs at academic centers, as the public assumes.
Why wouldn’t every corporation that touches health data declare itself a ‘research institution’ so it can collect, use, and sell Americans’ health data? Personal health information is THE MOST valuable data of all, but we have no way to control which corporations collect and use health data. How large a part of the surveillance economy is personal health data?
The below excerpts are taken from the GOVinfoSecurity.com article Cloud Computing: HIPAA’s Role written by Marianne Kolbasuk McGee after the January 7, 2013 Panel in Washington D.C.: Health Care, the Cloud, & Privacy.
“While a privacy advocate is demanding federal guidance on how to protect health information in the cloud, one federal official says the soon-to-be-modified HIPAA privacy and security rules will apply to all business associates, including cloud vendors, helping to ensure patient data is safeguarded.
Joy Pritts, chief privacy officer in the Office of the National Coordinator for Health IT, a unit of the Department of Health and Human Services, made her comments about HIPAA during a Jan. 7 panel discussion on cloud computing hosted by Patient Privacy Rights, an advocacy group…
…Deborah Peel, M.D., founder of Patient Privacy Rights, last month sent a letter to the Department of Health and Human Services’ Office for Civil Rights urging HHS to issue guidance to healthcare providers about data security and privacy in the cloud (see: Cloud Computing: Security a Hurdle).
“The letter … asks that [HHS] look at the key problems in cloud … and what practitioners should know and understand about security and privacy of health data in the cloud,” Peel said during the panel.”