Privacy advocates criticize GAO testimony, HHS

Author’s note: On Tuesday, in testimony before a congressional oversight committee hearing, the Government Accountability Office criticized the lack of progress by HHS and its Office of the National Coordinator for Health Information Technology in developing a federal privacy policy. In this second section of a two-part series, some privacy advocates add their criticism, but direct it at HHS and the GAO, while other healthcare commentators testified both in favor of the privacy rules written by HHS under the Health Insurance Portability and Accountability Act of 1996, and against their application by HHS and the Justice Department.

In late 2000, HHS issued an initial HIPAA privacy rule that required covered organizations to obtain consent “prior to using or disclosing protected health information to carry out treatment, payment or healthcare operations.” In 2002, HHS amended that rule, replacing the consent requirement with a new provision “that provides regulatory permission for covered entities to use and disclose protected health information for treatment, payment and healthcare operations.” Covered organizations could obtain patient consent, the HIPAA rule said, but only if they wanted to do so.

James Pyles, a lawyer with the Washington firm Powers Pyles Sutter & Verville, sued HHS on behalf of a coalition of providers and privacy advocates that included the American Association of Practicing Psychiatrists, American Mental Health Alliance, American Psychoanalytic Association and National Coalition of Mental Health Professionals and Consumers. The lawsuit was filed in April 2003 just before the revised HIPAA privacy rule went into effect. It alleged the HHS revisions would violate patients’ constitutional rights to privacy. The lawsuit failed at the trial and appellate court levels and was denied a hearing by the U.S. Supreme Court on appeal.

{The GAO gave testimony before the American Health Information Community (AHIC) on June 22 about how HHS is still not addressing the need for privacy in health IT systems. But neither the GAO nor HHS can face the obvious fact that since HHS gutted the HIPAA privacy rule, relying on it as the federal standard for privacy cannot possibly ensure privacy. This really is an emperor-has-no-clothes situation—the GAO and HHS expect Congress and the nation to go along with the pretense that HHS and HIPAA are protecting our privacy when our records are naked for covered entities to see, use and disclose for virtually any reason. ~ Dr. Deborah Peel, Patient Privacy Rights}


GAO cites HHS for not establishing IT milestones

In an update of a January report, the Government Accountability Office has again criticized HHS for failing to have an integrated approach to developing a national privacy policy for healthcare information technology. In testimony before a congressional oversight subcommittee Tuesday, the GAO also cited HHS for not establishing milestones to measure its own progress toward that end.
But the GAO itself came in line for some harsh words, this time from a pair of privacy advocates who charge that the congressional watchdog has kept its head in the sand when it comes to the current privacy environment and the lack of protection afforded by a key federal privacy rule.
Meanwhile, the head of a coalition composed mostly of healthcare systems and pharmaceutical manufacturers and resellers testified in defense of the Health Insurance Portability and Accountability Act privacy rule, while warning against adding privacy constraints to it and calling for eliminating by federal pre-emption the more stringent state privacy laws that HIPAA now allows. And a privacy expert who worked on developing HIPAA during the Clinton administration chided the Justice Department and HHS for failing to enforce the act’s existing privacy provisions.

Peel brings privacy onto the radar screen: profile

(Part two of a two-part series) Psychiatrist Deborah Peel has become an outspoken advocate for patient privacy rights, founding the Austin, Texas-based not-for-profit Patient Privacy Rights Foundation, and working to develop an effective coalition of organizations across the political spectrum to lobby Congress, but hers was not a direct path to advocacy.

Peel was born in 1951 in Pittsburgh to Kathryn and Abraham Charnes. A noted mathematics professor, Peel’s father taught at what was then the Carnegie Institute of Technology. He would move the family as he switched academic posts to West Lafayette, Ind., and Purdue University and, by the time Deborah started kindergarten at age 4, to Evanston, Ill., where he served on the faculty of Northwestern University. Charnes moved again in 1968 to Austin to take a position with the University of Texas, where, in 1975, he was named as a finalist for the Nobel Memorial Prize in Economic Sciences.

Peel says she acquired a passion for reading early in life and has what she calls “the testing gene.” She left Evanston Township High School after her junior year, having tested, at age 16, into the University of Texas, then tested out of the last two years of college to enter medical school—at age 18—at the University of Texas Medical Branch at Galveston.

In 1974, the 22-year-old finished her basic medical training and began her residency in psychiatry at Galveston. In 1977, her residency completed, she entered into solo private practice. She concluded her training in psychoanalysis from the Dallas Psychoanalytic Institute in 1999. It included undergoing psychoanalysis herself for 6? years. Peel served as chief of psychiatry at 365-bed Brackenridge Hospital in Austin from 1979 to 1990, when she was asked to help the Texas Society of Psychiatric Physicians with lobbying the Texas Legislature.

Letter: Ban data mining and sale of prescription records

Maine wants to ban the data mining and sale of identifiable prescription records to drug companies. It’s about time. But marketing to doctors is not the only unwanted and illegal use of your personal prescription records.

Identifiable prescription records have been data mined daily from every pharmacy in the U.S. for over a decade and sold to insurers for underwriting and to large employers. These secret uses result in discrimination, job loss, and increased insurance rates or even insurance denial. Losing your job is far worse than having drug companies pressure doctors and pharmacists to change your prescriptions.

Patient Privacy Rights leads a broad bipartisan coalition of national consumer groups working to save medical privacy. We are urging Congress to ban the illegal and unethical uses of everyone’s highly sensitive medical and prescription records. In 2006, our coalition letters to the House stopped a bill to build a national electronic health system without consumer control of electronic medical records.

The nation’s electronic health care system is hemorrhaging personal health information. Our medical and financial records are being used and sold for purposes that no one would want.

No one should have to choose between health care and privacy. We should decide who sees our medical records, not over 600,000 health-related businesses and government agencies.

Stop the illegal data mining of prescriptions in Maine — but tell Congress to also restore your rights to medical privacy and control of your health records.

Dr. Deborah C. Peel
Chair, Patient Privacy Rights Foundation

{The state of Maine is considering a law to ban the use of prescription data for marketing, which is not nearly enough. See Mining our own business in the Kennebec Journal. The author of the story and the people of Maine do not know that their prescription records are also being sold to insurers and employers for underwriting and employment decisions. Those harmful uses should also be banned. ~ Dr. Deborah Peel, Patient Privacy Rights}


Genetic conflict

Advocates, legislators gear up for battle in the fight to keep genetic information, testing secure from employers, insurers.
Carolina Hinestrosa was 35 when she beat breast cancer. She was 40 when she beat it a second time. Her younger sister also battled breast cancer twice, and over the past few years, two of her cousins and an aunt were diagnosed with the disease.
Of course, Hinestrosa, an executive vice president with the National Breast Cancer Coalition, strongly suspects that a genetic mutation for breast cancer runs in her family. Knowing for sure could help her and her relatives take steps to possibly avoid or better manage the disease. But she said she has chosen not to seek confirmation through a genetic test for fear of the potential consequences it may have on her 15-year-old daughter.
Hinestrosa worries that if she tests positive for the “breast cancer gene,” her daughter might be obligated to disclose having a hereditary predisposition to the disease—personal information that could be misused to deny her health insurance or even employment in the future.

AMA supports health IT adoption in doctor’s offices; calls for increased security of patient data and funding assistance

The American Medical Association (AMA) today expressed support for advancing health information technology (HIT) in physician offices, while urging Congress to make privacy and security of patient information a top priority and calling for funding assistance to implement HIT in physician practices. The AMA submitted its stance in a statement to the House Committee on Small Business Subcommittee on Regulations, Healthcare and Trade.
“We share the widespread optimism over the promise that HIT holds for transforming patient care if properly developed and carefully integrated into the existing health care delivery system,” said William G. Plested, MD, AMA President. “If carefully structured, HIT has the potential to raise the overall quality and safety of patient care.”
Protecting patients’ privacy and security is a top concern of physicians, and the AMA encourages Congress to make those issues a top priority when creating an HIT infrastructure.
“Safeguarding the privacy and confidentiality of patient information is a professional responsibility that physicians take very seriously,” said Dr. Plested. “When a patient’s private and sensitive health care information can be made public with the touch of a button, it is imperative that adequate privacy and security standards and protections be developed.”
A common barrier to HIT implementation in physician practices, especially smaller practices, is the significant cost. The AMA strongly urges Congress to consider direct means to assist physicians, such as grants, low-interest loans, increased reimbursement for the use of HIT, accelerated depreciation for HIT investments, tax credits, and other economic incentives. A study by Robert H. Miller found that initial electronic health record costs were approximately $44,000 per physician with ongoing costs of about $8,500 annually. A report by the Congressional Research Service estimates similar per physician cost, with HIT start-up costs ranging from $16,000 to $36,000.
{This strong public statement to Congress by the nation’s leading professional organization of physicians is very welcome support for consumers’ medical privacy rights. Patient Privacy Rights has been keeping the AMA’s legal and legislative team informed about the need for privacy in the electronic health systems and the great importance of privacy to consumers (i.e. “privacy” means patient control of access to personal health information). The AMA is aware that the California Medical Association and the American Association of Physicians and Surgeons signed our Coalition letters to Congress last year urging that basic privacy protections be added to the health information technology bills. ~ Dr. Deborah Peel, Patient Privacy Rights}

HHS Secretary Leavitt Announces Steps Toward A Future of “Personalized Health Care”

HHS Secretary Mike Leavitt today outlined a course for achieving gene-based medical care combined with health information technology, which he called “Personalized Health Care.” He said the initiative has the potential to transform the quality, safety and value of health care for patients in the future.
“Personalized health care will combine the basic scientific breakthroughs of the human genome with computer-age ability to exchange and manage data,” Secretary Leavitt said. “Increasingly it will give us the ability to deliver the right treatment to the right patient at the right time — every time.”
In a speech before the annual meetings of the Personalized Medicine Coalition, at the National Press Club, the Secretary outlined steps already under way to develop the needed information, as well as new steps he is undertaking to build the foundation for personalized health care and ensure that gene-based medical data and health information technology are used appropriately.
“Every one of us is biologically unique. We’ve always known that, but we haven’t had the knowledge or the tools to deliver health care at that kind of individual level. That’s what’s changing,” Secretary Leavitt said.
Gene-based medicine can help individuals identify their particular susceptibilities to disease while they are well and take effective preventive steps. In the future, it will help detect the onset of disease much earlier, enabling treatment to prevent disease progression, and can help bring about medical products that are tailored more precisely to the needs of each individual.
{The Department of Health and Human Services (HHS) once again is putting the privacy rights of American citizens dead last in its rush to ensure the profits and viability of healthcare corporations involved in the field of genetics and data mining. In setting his course for “achieving gene-based medical care combined with health information technology,” which he called ‘Personalized Health Care,’ Secretary Leavitt flaunts long-established legal rights to medical privacy and 2,400 years of medical ethics that require patient consent BEFORE access to any sensitive medical and genetic information is allowed. His goals are to ‘ensure open information access to researchers,’ ‘create a new electronic network that would draw together the nation’s major health data repositories,’ and use the American Health Information Community (AHIC) to ‘develop recommendations to identify standards for including genetic test information on electronic health records.’ The public does not want ‘open access’ to genetic records by researchers without consent, does not want the nation’s health data repositories to be connected for data sharing without explicit consent, and does not want the industry appointees and unelected federal officials on AHIC to determine the fundamental privacy rights Americans will have for their genomes and genetic information. We all want the enormous benefits that genetic research can bring, but the benefits will never occur unless Congress gives Americans control over who has access to their genetic records. There is a strong and clear public consensus for the right to genetic privacy. ~ Dr. Deborah Peel, Patient Privacy Rights}

Peel: Electronic prescribing is no panacea

When a coalition of technology companies, insurers and health care providers launched a $100 million project last month to provide free electronic prescribing software to every physician in the United States, it was greeted with cheers. The presence of brand name vendors was supposed to ensure that sensitive prescription records would be private and secure.

But those who believe there is anything private about e-prescribing under the National ePrescribing Patient Safety Initiative (NEPSI) — or any other e-prescription system — are simply incorrect.

Security makes little difference because every identifiable prescription in the country is data mined and sold daily. Nobody needs to break into pharmacies to steal our prescriptions; they are for sale. For example, market intelligence firm IMS Health reported revenues of $1.75 billion in 2005 solely from the sale of prescription records, primarily to drug companies.

Privacy is the right to control who sees your sensitive health records and the right to decide if those records are even entered into electronic systems. But it is impossible for anyone to have a private prescription — meaning that it is never disclosed without a patient’s consent — because data mining has eliminated that right.

Furthermore, many people refuse to take psychiatric medication or other medications in an attempt to prevent the pharmacy benefits management industry from reporting to employers that they are on antidepressants or other medications.

Knowing that prescriptions are not private also keeps people with other sensitive illnesses from taking medications. And that exerts pressure on doctors to avoid prescribing pain medications — out of concern that the Drug Enforcement Administration is tracking their prescribing patterns. The lack of prescription privacy is a problem that endangers people’s lives and quality of life.

Advantage: Dems

Health IT remains a bipartisan issue, but with Democrats now in charge on Capitol Hill, the rush for national health IT legislation is on.

In the past year, lawmakers have struggled in their efforts to pass health information technology legislation. The Senate and House each passed a bill that they sent to conference committee by early fall, but the prospects for creating a framework for a National Health Information Network died without ever being presented for a full vote in either chamber.

“We all worked so hard, so we were extremely disappointed that Congress threw away all the progress that had been made over the past two years — when there was real opportunity to pass a good bill,” said David Merritt, a project director at the Center for Health Transformation, a health policy think tank that former House Speaker Newt Gingrich founded. “It’s not like this was Social Security or Medicare reform. This was a bipartisan issue.”

Now it’s the Democrats’ turn, and the new majority party appears to be committed to tackling health care. Health IT advocates are optimistic the new leadership will make health IT a priority, build on the progress of the past two years and create a better, more comprehensive legislative framework.

{The Democrats are committed to adding basic privacy rights to health IT this year, as they were last year during the hearings and votes on health IT legislation. In 2006, they tried to add a strong privacy amendment based on the principles the Coalition for Patient Privacy urged them to add to the legislation HR 4157, but the amendment was defeated by the then Republican majority. But the insurance, pharmaceutical, IT, hospital, and data aggregating industries will oppose privacy again this year. An involved public is the only force that can prevail against such powerful corporate interests. ~ Dr. Deborah Peel, Patient Privacy Rights}

I.B.M. to Put Genetic Data of Workers Off Limits

As concerns grow that genetic information could become a modern tool of discrimination, I.B.M. plans to announce a new work force privacy policy today.

I.B.M., the world’s largest technology company by revenue, is promising not to use genetic information in hiring or in determining eligibility for its health care or benefits plans. Genetics policy specialists and privacy rights groups say that the I.B.M. pledge to its more than 300,000 employees worldwide appears to be the first such move by a major corporation.

The new policy, which comes as Congress is considering legislation on genetic privacy, is a response to the growing trend in medical research to focus on a person’s genetic propensity for disease in hopes of tailoring treatments to specific medical needs.

Gene tests are not yet widespread, but start-up companies are already intent on developing a market for genetic testing and counseling. I.B.M. has a business stake in promoting genetic data gathering and processing, as a leading information technology company with a growing presence in the medical industry.

Research on genetics is already beginning to lead to improvements in health care. But polls have shown that Americans worry that gene tests and genetic profiling could be used to keep people deemed at genetic risk of certain diseases or conditions from getting jobs and health insurance. And there have already been instances of employers trying to use genetic data to workers’ detriment.

“What I.B.M. is doing is significant because you have a big, leadership company that is saying to its workers, ‘We aren’t going to use genetic testing against you,’ ” said Arthur L. Caplan, director of the Center for Bioethics at the University of Pennsylvania medical school.

“If you want a genomic revolution,” Mr. Caplan added, “then you better have policies, practices and safeguards that give people comfort and trust.”

In a handful of publicly disclosed cases, genetic data has been used without workers’ knowledge. Perhaps the best known involved a $2.2 million settlement in 2002 that the United States Equal Employment Opportunity Commission reached with the Burlington Northern and Santa Fe Railway Company. The government had sued, saying the railroad tested, or sought to test, 36 of its employees, using blood samples, without their knowledge or consent. According to testimony, the company performed the tests in the hopes of claiming that the workers’ arm injuries stemmed from a rare genetic condition instead of from work-related stress on muscles and nerves. The railroad denied that it violated the law, but agreed not to use genetic tests in future medical examinations.

The Genetic Alliance, a Washington coalition of patient advocacy groups, receives a few inquiries a week, said Sharon F. Terry, president and chief executive of the alliance. Some are complaints from people who have had trouble getting health insurance after they disclosed a genetic condition, while others come from people concerned about how employers might use any genetic information they might reveal in health forms.

“It is a problem already, and the prospect is that the problem will only grow,” Ms. Terry said. “That is why we need rules and practices from government and the private sector to prevent abuses.”

Congress has certainly taken notice of the issue. This year, the Senate passed a genetic information nondiscrimination bill, by a vote of 98 to 0, and the House is now considering similar legislation. Two years ago, after the Senate passed a genetic privacy act, the House never voted on the legislation. But House sponsors are more optimistic this time. Also, about 40 states have laws that address some aspect of genetic privacy and discrimination.

To some extent, the privacy provisions in existing statutes like the Health Insurance Portability and Accountability Act and disability and civil rights laws already address the issue. They include prohibitions against using personal medical information to discriminate against people in hiring and in providing health insurance. But the current laws tend to deal with the diseases or disabilities that people already have.

Some critics say the genetic privacy bill would deny insurers a means of measuring risk that would be available to the people they insure, allowing some people to take advantage of that information. For example, there is a strong genetic marker for the early onset of Alzheimer’s disease. A person could test for it privately, and then take out long-term care insurance.

Health insurers have expressed skepticism about the need for federal legislation to protect genetic privacy. They say that current federal and state laws are adequate, and that a new law could have the unintended effect of, say, preventing insurers from providing disease management programs to people who have tested positive for a genetic risk. But the industry’s big trade association, America’s Health Insurance Plans, has not lobbied against the Senate bill, according to Congressional staff members.

I.B.M. has become a big player in what is called information-based medicine, which relies on genetic information. The company’s involvement goes beyond the hardware and software often employed in such work. I.B.M. scientists and technology consultants are engaged in projects including research at the Mayo Clinic and a venture with the National Geographic Society to trace the genealogy of the world’s population.

The trends in scientific research and medicine, along with the questions I.B.M. has heard from outsiders and some of its employees about its handling of genetic information, all contributed to the decision to adopt a formal genetic privacy policy.

“The time is right,” explained Harriet Pearson, I.B.M.’s chief privacy officer. “The market and medical practice is moving in this direction – to gather and use genetic information.”

In an e-mail message to be sent to all I.B.M. employees today, Samuel J. Palmisano, I.B.M.’s chief executive, writes that the spread of gene-testing and genomic research is “enormously promising – but it also raises very significant issues, especially in the areas of privacy and security.”

Opinion polls have repeatedly shown that workers are leery of companies using genetic test information against them. For example, a poll in 2000 by the National Center for Genome Resources, a research group, found that 63 percent of workers would not take genetic tests if employers could get access to the results.

Genetic specialists regard I.B.M.’s move as a positive step and one that could help prod policy forward. But many also insist that a federal law would be the best protection.

In an article last month in The Journal of the American Medical Association, Dr. Francis S. Collins, director of the National Human Genome Research Institute, and Dr. Alan E. Guttmacher, the deputy director, wrote that “potential discrimination in health insurance or employment based on the results of genetic testing has been apparent for years and requires a national legislative solution.”