Genomes: Behold or Beware

Patients whose physicians “collaborate” with genetic testing corporations should beware. Today, Navigenics and all genetic testing businesses can legally sell genomic data. There is no way to know which ones sell or use data without informed consent and which don’t. Americans’ personal health information is extremely valuable to corporate America. Genomic data requires extreme privacy protection because it can be used to harm not only an individual but all his/her relatives.

According to Navigenics, the personal data shared is “aggregated” and “de-linked” from “your account information”, but Navigenics offers no proof that it cannot be re-identified.

As we learned from the NIH experience, it is very difficult to “de-identify” or “anonymize” genetic data. The NIH closed a public research data base of “de-identified” genetic data after researchers proved the data could be re-identified. Corporations that share “de-identified” or “anonymized” health data should be required to publish the algorithms that were used and prove the data cannot be re-identified.

Questions abound:
• How can anyone be sure that Navigenics protects the privacy of genomic tests without trusted external audits of their privacy practices and policies?

• Does Navigenics pay MDVIP’s doctors a “kickback” for “collaborating” each time a patient gets genomic tests? Does MDVIP inform patients that it has a contract with Navigenics and what each doctor is paid?

• Who is being paid for “collaboration”? What exactly are the financial and contractual terms of “collaboration” between MDVIP and Navigenics?

• Do MDVIP’s patients really understand the risks of using Navigenics to do the testing or the risks of letting Navigenics share their genomic data with unknown researchers and research organizations that can put their data into public data repositories and publish it in studies? Or the security risks that a particular public repository can be hacked?

• Are MDVIP’s patients coerced into taking Navigenics tests by their doctors? Most patients want to do what their doctors recommend. What is the consent process?

• Did MDVIP contractually sell or give their patients’ genomic data to Navigenics to own or sell? Should the public trust Navigenics, a for-profit corporation, when personal genomic data is a very valuable commodity?

• Should any for-profit collaboration “define the standards in which preventive genomic medicine will be integrated into patient care for decades to come”? No consumer health privacy expertise, assessment, or input was sought.

• There is not yet an operational, trusted, consumer-led privacy certification organization to audit genomic testing corporations to certify they don’t sell genomic data and that consumers control sensitive personal genomic data in their data bases. In the absence of a trusted privacy certification organization, the privacy principles developed in 2007 by the bipartisan Coalition for Patient Privacy or the Code of Fair Information Practices could be used as guides for building a genomic testing and preventive healthcare system that consumers will trust and be willing to use.

• Would MDVIP’s patients still feel “the experience (was) positive”, “empowered rather than anxious”, and “desire to change their lifestyles and more productively work with their physicians” if they knew their doctors were paid by Navigenics and their data was sold and/or put in public data repositories with unknown security and privacy protections?

This blog is in response to the article: Physician network to use genomic-based preventive healthcare

Broad coalition pushes for quick action on health IT

With Congress looking to wrap up its legislative year, industry and nonprofit groups that have pushed for passage of legislation to create a nationwide system of electronic health records are turning up the heat on Capitol Hill.

More than 175 stakeholders, including the American Cancer Society, American Heart Association, AstraZeneca, Cisco Systems, and Pfizer will send a letter to members of the House and Senate today hoping to spur action.

“Our organizations all share the downstream effects of our inefficient healthcare system, particularly rising healthcare costs,” states the letter from the Health IT Now Coalition, which will be unveiled at a morning briefing.

Lively Debate at HIPAA Summit at Harvard

“It’s working, but it’s got a ways to go,” suggests William Braithwaite, chief medical officer of San Diego-based security and identity management company Anakam. He says that current federal and state privacy rules generally do not address new technologies such as mobile Internet access and personal health records (PHR) platforms.

Deborah Peel, founder and chair of Patient Privacy Rights and the affiliated Coalition for Patient Privacy, begs to differ. She says the August 2002 amendments to the original HIPAA privacy rule effectively eliminated the patient’s right to consent to the use of protected health information by adding permission to share such data for “treatment, payment, and health care operations.”

Online medical records offer convenience, may limit privacy

“The concept is wonderful, but because we have absolutely no control over personal health information in electronic form, they’re very dangerous,” Peel says. “There’s essentially no laws to stop (companies) from data-mining that information and using it in a way that you would never want.”

But promises are not enough, says Deborah Peel, a physician and founder of Patient Privacy Rights, a non-profit organization that is leading a bipartisan privacy-rights coalition that includes organizations as varied as the American Civil Liberties Union and the Gun Owners of America. “We can’t take anyone’s word for it because the information is so incredibly valuable,” she says.

Patient Privacy Rights Recommends Changes on New Health IT Bill

Dr. Deborah Peel, founder and chair of Patient Privacy Rights and leader of the bipartisan Coalition for Patient Privacy testifies today before the House Energy & Commerce Committee, Subcommittee on Health, and makes privacy recommendations for the new draft Health IT bill, “HITEC.” We ask Congress to ensure both progress and privacy in revisions to the bill.
Patient Privacy Rights is urging Congress to include the definition of privacy and restore Americans’ right to consent to the use and disclosure of their personal information. The definition of privacy is “an individual’s right to control the acquisition, uses, or disclosures of his or her identifiable health data.”

Patient privacy in a digital world

People with behavioral health problems may be particularly sensitive about having their health information shared

During the past decade, behavioral healthcare has seen the advent of new technologies for capturing patient data. In fact, the conversion of paper records to electronic medical records (EMRs) has been identified as a national healthcare priority by a presidential executive order. Such changes have generated many challenges and opportunities for behavioral healthcare organizations looking to capture information about their services’ quality, ensure patient safety, and protect patient privacy in an electronic environment…

…Ensuring that advertent or inadvertent data disclosure will not occur is particularly challenging in an electronic environment, in which third-party vendors often develop and maintain provider databases. Dr. Deborah Peel, founder and chair of the nonprofit organization Patient Privacy Rights, suggests that to protect patient privacy, behavioral healthcare executives should closely examine their vendor contracts. “You should never use a vendor that ever wants to own or data mine protected health information,” she says. “But a great many of them have that in their contracts as a way of helping to pay for the infrastructure…”

…To assist healthcare organizations in choosing a well-protected system, Patient Privacy Rights recently organized a consumer-led coalition for certifying health information systems and products. Dr. Peel estimates that the certification system will be in full operation in the next two to three months. Although the group has not yet developed a Web site, http://www.localhost:8888/pprold will have information about the project in the meantime.

Dr. Peel also says that in an EMR “the consumer should be able to segment within that health record whatever they think is sensitive information.”

Privacy advocates seek to protect prescription information

The Coalition for Patient Privacy and 25 of its member organizations are asking Congress not to pass an e-prescribing mandate unless it includes provisions for protecting the privacy of prescription information.
In a letter to lawmakers, the coalition said the sale of prescription information for data-mining purposes has been a reality for more than a decade. “Mandating e-prescribing without privacy provisions endorses and encourages the current practices,” the letter states. “It sets Americans up for even greater violations of their private health records in the future.”

Groups seek to shield minors’ Web data

Child advocates seek regulatory guidelines to prevent Internet firms from gathering sensitive information.

A coalition of medical groups and child advocates called Friday for guidelines that would prevent Internet companies from tracking the behavior of minors online, contending that many adolescents are divulging more than they realize and aren’t digesting complex privacy policies.

The American Academy of Pediatrics and the American Psychological Assn. were among those asking the Federal Trade Commission to encourage the Internet industry to stop profiling young Web surfers by monitoring the sites they visit and the interests they list on social networks such as MySpace and Facebook.

Just as the government has restricted the amount and nature of television commercials aimed at children, the FTC should step in when interactive ad systems gather sensitive information from minors, the groups said in a filing Friday.

It came amid a flurry of responses to an agency proposal for voluntary guidelines on a burgeoning form of online advertising known as behavioral targeting, a market expected to be worth billions in a few years.

Other nonprofit groups expressed alarm at the rapid consolidation of the largest online ad companies and about Internet service providers beginning to share their vast amounts of data with marketers.

“New ad networks appear to be using . . . traffic data for behavioral advertising without proper safeguards or user consent,” the Center for Democracy and Technology and two other groups wrote. “No regulation or self-regulation exists to address the privacy implications of this new model.”

The medical groups said teens were among the most active Internet users and were the most sought-after by advertisers. But the groups said teens also were the least able to understand how to stop their personal activity from being tracked, used for marketing purposes and sold to others.

Senate and industry leaders push stagnant HIT bill

Senate and industry leaders met on Capitol Hill Wednesday to push a healthcare IT bill that came close to passing by special vote last December but hasn’t budged since. The Wired for Healthcare Quality Act was nearly passed in December by special measures that require no open floor debate.
Now the bill is once again in the spotlight, with strong opposition from privacy activists.
The bill, introduced in June by Sens. Edward Kennedy (D-Mass.) and Michael Enzi (R-Wyo.), would provide a foundation for spurring the adoption of a nationwide healthcare IT system.
“We can save thousands of lives and conserve billions of dollars for health care with this one stroke, and we can do it this year,” Kennedy said at a press conference co-hosted by the Business Roundtable. The roundtable is an association of CEOs from leading companies totaling $4.5 trillion in annual revenues, a third of the total value of the U.S. stock market.
Ivan Seidenberg, CEO of Verizon Communications, Inc. and chairman of the Business Roundtable on Health & Retirement Task Force, said healthcare is “stuck in time” without this bill.
Former Rep. Nancy Johnson (R-Conn), chairman of Health IT Now, said timing is critical because passage will become more difficult as the election year progresses.
That’s precisely what privacy activists are hoping. According to Deborah Peel, MD, chairman of Patient Privacy Rights, the WIRED Act lacks proper protection. Peel’s organization, as part of the Coalition for Patient Privacy and representing 7 million Americans, supports the Technologies For Restoring Users’ Security and Trust (TRUST) in Health Information Act, sponsored by Rep. Edward Markey (D-Mass.).
Peel warned against a bill that would strip patient privacy, as she said the WIRED Act does. “These consumer organizations have not told their members there is no need to give up privacy in order to have the benefits of health IT,” she said. “Privacy consumer control over personal health information is the only way Americans with expensive or stigmatized or genetic diseases will ever trust the electronic health system enough to participate in it.”

Ethics, respect key to privacy – then IT

It’s been a month abuzz with George Clooney. You know who he is: the I’m-not-a-doctor-but-I-used-to-play-one-on-TV guy. He was pre-McDreamy handsome as Dr. Doug Ross on ER. Then he went on to become a big film star, director and producer. Still handsome.

He’s such a public figure, and we (a lot of us) have followed his career as he’s ticked off one film success after another. Perhaps that’s why some members of the staff at Palisades Medical Center might have felt it was OK to check on George’s medical record. What could it hurt?

Clooney was treated at the New Jersey hospital after a minor motorcycle accident. Twenty-seven staff members have been accused of taking a peek at his records, an unauthorized peek.

The hospital’s union chief did not defend the action, but she said the hospital acted too quickly when it suspended the 27 staff members for one month without pay. Some of the people suspended may have been authorized, she said.

Well, OK. The hospital needs to sort that out. We expect it’s on the case right now checking authorizations, procedures and technology.

One reason the Clooney incident has garnered so much attention here at Healthcare IT News and around the country is that it has put the spotlight on privacy concerns.

Healthcare IT News received more letters on this issue in the past month than we have in the past year.

Some who wrote letters said the penalty was not severe enough. They would have fired the rule breakers.

Others took the opportunity to point to how vulnerable our privacy has become. If it happened to Clooney, it could happen to any one of us. Perhaps dozens of people would not be interested in our condition. But a friend, neighbor or family member might be and perhaps could rationalize taking a quick look at a record that is supposed to be accessible to the patient and those who need it to provide the patient’s care.

“The combination of technology and the right value system can’t single-handedly solve everything, but it does put a hospital on solid footing,” Robert Seliger, co-founder and CEO of Sentillion, an access management vendor, told Healthcare IT News Managing Editor Eric Wicklund. “It is very difficult to practice respectful privacy and deliver healthcare these days while using IT to do both,” he added.

Seliger is right. There are many people today working on this very issue.

Among them are Deborah Peel, MD, a psychiatrist and privacy rights activist, and the group of people who make up the Healthcare Information Technology Standards Panel (part of the American Health Information Community). The panel just released a set of standards aimed at keeping medical information secure in an electronic environment. If you think it’s simple, take a look at the so-called “constructs.”

Peel and the bi-partisan Coalition for Patient Privacy are urging Congress to build ironclad privacy protections into electronic health systems up front.

All of this work and advocacy is laudable, and it must continue. But, as we are often reminded by CIOs and IT directors across the country, technology can’t fix bad processes.

Both the processes and the technology have to be right, in sync and informed by a healthy dose of ethics, common sense and respect for the spirit as well as the letter of the law. Then George Clooney and the rest of us will have a better shot at privacy.