Leaders in Congress Call Out TRICARE & SAIC

We congratulate the leaders in Congress, Reps Markey, Barton, DeGette, Stearns, and Andrews for calling TRICARE and SAIC on the carpet for not securing military families’ sensitive health data. See the letter here.

We hope this letter leads to Congressional oversight hearings into the industry-wide culture of disregard for the privacy of military personnel’s and all Americans’ sensitive electronic health information. The worst serial corporate abusers should be penalized and prevented from getting federal contracts. We need Congress to get to the roots of the industry-wide disregard for health privacy FAST, before millions more people are harmed, not just by medical identity theft, but by the use of health information to discriminate against them in employment, credit, and other key opportunities in life. Once health records are exposed, they can never be made private again.

It is well-known in the healthcare industry and by privacy advocates that about 80% of healthcare providers and the health IT corporations that manage health information have ignored federal laws requiring encryption and data security protection for years. Obviously, head-in-the-sand approaches to data security simply don’t make sense. Clearly it’s cheaper and easier for corporations to ignore the law and common sense than it is to protect our most sensitive personal information, from diagnoses to DNA.

The fact that SAIC has continued to get billions in funds from the federal government despite repeated breaches of sensitive health information shows also that the federal process of awarding, monitoring and auditing, and assuring performance of billion-dollar contracts needs investigation.

Providers, healthcare organizations, and technology companies that do not use state-of-the-art data security for health information should not be allowed to work in the healthcare field. If you are unwilling to protect patient data, you don’t belong in healthcare.

We also strongly support the proposal to make sure that victims of health data breaches receive effective state-of-the-art remediation. Victims should be able to use new technology that enables them to monitor all health insurance claims before they are submitted, so they can prevent the fraud and prevent other people’s health data from being added to their health records.

HIStalk Interviews Deborah Peel MD, Founder, Patient Privacy Rights

Give me some brief background about yourself and about Patient Privacy Rights.

I never expected to be leading this organization or ever even thought about that. In my younger days, I practiced full time as a psychiatrist and Freudian analyst for a very long time, until it became clear that things were happening in DC that would make effective mental healthcare impossible. Namely, that there were lots of different ideas being floated; for example, the Clinton healthcare initiative. There was a part of it that was going to require everyone’s data from every physician encounter be recorded in a federal database.

Fast-forward to the HIPAA privacy rule. That’s what really convinced me of the need for a voice for consumers, because there really wasn’t any. What I’m talking about there is, of course, the change in 2002 that happened under everyone’s radar except for – and this is the laugh line – when the 3,000 Freudian psychoanalysts in the nation noticed that consent was eliminated.

In 2004, I started Patient Privacy Rights because there was no effective representation for the expectations and rights that the majority of Americans have for how the healthcare system is going to work. Namely, that people don’t get to see their information without consent. Since founding PPR in 2004, we’ve still been the national leading watchdog on the issues of patient control over information and even internationally. Our power has come because when we came to DC, the other people that were working on privacy, human rights, and civil rights recognized that because of my unique position as a physician and deep understanding of how data flows, that I knew what I was talking about.

We very quickly got a pretty amazing bipartisan coalition of over 50 organizations. That enabled us to put these issues and problems on the map.

We had some incredible successes in HITECH. Virtually all of the new consumer protections came from our group, including the ban on the sale of PHI, the accounting of disclosures, segmentation, the new requirement that if you pay out of pocket for treatment you should be able to block the flow of that data to health plans and health insurers. We were the ones that worked with Congressman Ed Markey on getting encryption, required stronger security protections, and worked with Senator Snowe to get meaningful breach notice into the rules.

All of this work led to the first-ever summit on the future of health privacy this past summer in DC. The videos and the entire meeting can be seen or streamed online at www.healthprivacysummit.org.

If somebody said you had to choose between accepting healthcare IT as it is today or going back to purely paper-based systems, which would you choose?

We’ve never been in favor of going back to paper…

Stanford Hospital investigating how patient data ended up on homework help website

A key conclusion from the audience of experts at the first summit on the future of health privacy was that HIPAA has not been effective at protecting patient privacy. Jaikumar Vijayan quoted Deborah C. Peel, MD, founder and chair of Patient Privacy Rights, on the problems with HIPAA and the need to restore patient control over health information in this story. See videos of the summit at: www.healthprivacysummit.org

“Stanford University Hospital in Palo Alto, Calif. is investigating how a spreadsheet containing personal medical data on 20,000 patients that was being handled by one of its billing contractors ended up publicly available for nearly one year on a homework help site for students.

The spreadsheet first became available on the site last September as an attachment to a question supposedly posed by a student on Student of Fortune, a website that lets students solicit help with their homework for a fee. The question sought help on how the medical data in the attachment could be presented as a bar graph, The New York Times reported on Thursday.

A Stanford Hospital & Clinics representative told Computerworld in a statement that the hospital discovered the file on August 22, and took action to see it was removed within 24 hours.

“A full investigation was launched, and Stanford Hospital & Clinics has been working very aggressively with the vendor to determine how this occurred, in violation of strong contract commitments to safeguard the privacy and security of patient information,” the statement said…

The breach shows yet again how ineffective HIPAA has been in getting organizations that handle healthcare data to take better care of it, said Deborah Peel, founder and chairman of the Patient Privacy Rights Foundation.

Much of the problems stem from the indiscriminate sharing of sensitive personal information among “legions of secondary users”, she said. The average hospital has between 200 and 300 outside vendors and partners with access to patient data, Peel said.

“We do not have an effective federal health privacy law. HIPAA was gutted in 2002 when control over who can see and use patient data for all routine uses was eliminated,” she said.

The only way to really get a grip on the problem is to allow patients to exert more control over who has access to their data. “Data should be used for a single purpose after the patient gives consent such as consent to use the data to pay a claim or send to a consultant.”

“Consent should be obtained for any secondary or new uses of data,” she said. All organizations that handle health data, including third parties should be certified to adhere to the highest standards of data security, Peel said.

Patient Data Posted Online in Major Breach of Privacy

This New York Times article by Kevin Sack outlines the key findings by experts at the Health Privacy Summit: There are SERIOUS flaws in electronic health records when it comes to privacy, and these need to be addressed NOW.

“A medical privacy breach led to the public posting on a commercial Web site of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., including names and diagnosis codes, the hospital has confirmed. The information stayed online for nearly a year.

Since discovering the breach last month, the hospital has been investigating how a detailed spreadsheet made its way from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork.

Gary Migdol, a spokesman for Stanford Hospital and Clinics, said the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.

Although medical security breaches are not uncommon, the Stanford breach was notable for the length of time that the data remained publicly available without detection.

Even as government regulators strengthen oversight by requiring public reporting of breaches and imposing heavy fines, experts on medical security said the Stanford breach spotlighted the persistent vulnerability posed by legions of outside contractors that gain access to private data.”

Re: Top 100 – Under Their Influence

This is in response to the article in Modern Healthcare by Andis Robeznieks: “Under their influence, Washington insiders hold sway over our ‘100 Most Influential’ ranking, but real change seems to be coming from elsewhere.”

“The Politics of Privacy” is one of four key areas in Modern Healthcare’s story about the “100 Most Influential People in Healthcare” in 2011. Privacy was highlighted because the expectation to control personal health data is a truly bipartisan, trans-partisan issue.

The historic first-ever summit on the future of health privacy co-sponsored by Patient Privacy Rights (PPR) and the UT LBJ School in June was highlighted (see www.healthprivacysummit.org to watch videos of the sessions).

The story recognizes the crucial importance of PPR’s leadership on building patients’ rights to control use of the most sensitive personal information into the healthcare system up front, so patients will use and trust health IT systems and data exchanges.

Unfortunately, many of the new consumer privacy protections the Obama Administration supported in the stimulus bill (HITECH) are being implemented by federal agencies in ways that do not comply with HITECH and other existing federal regulations.

If industry and key government rule makers continue to ignore the American people’s expectations for control over the use of sensitive personal health data, the stimulus billions will be wasted on systems that can’t be trusted and the tremendous potential benefits health IT can bring to treatment and research may never be realized.

PPR Makes the List: 100 Most Influential People in Healthcare

Each year Modern Healthcare Magazine encourages the public to nominate and vote for the top “100 Most Influential People in Healthcare.” This year we are happy to announce that Dr. Peel is back on the list at #52. You can see the full list here.

She and Patient Privacy Rights are also highlighted in this article in Modern Healthcare: “Under their influence, Washington insiders hold sway over our ‘100 Most Influential’ ranking, but real change seems to be coming from elsewhere.” A subscription is required to read the entire story; however, one of four sections on the list of 100 addresses privacy, and highlights Patient Privacy Rights and Dr. Deborah Peel as leaders in this area.

Dr. Peel first appeared on the list in 2007 as #4 of the “100 Most Powerful People in Healthcare” for her work to make sure patients control access to their electronic medical records, and continued to be the only privacy advocate on the list in 2008 and 2009. She was nominated but did not make the final list in 2010. Her recognition this year shows that people are aware of privacy being a major issue in health care and that they are starting to realize we still do not have control over who sees our health records.

All Videos from the 2011 Health Privacy Summit Now Available

FOR IMMEDIATE RELEASE:

All Videos from Health Privacy Summit Now Available

**Note**: Videos can now all be found at http://www.healthprivacysummit.org.

AUSTIN, Texas, July 21, 2011 – Organizers of the June 13th, D.C. Health Privacy Summit, “Getting IT Right: Protecting Patient Privacy in a Wired World”, today announced the release of all videos from the Summit.

Videos include all of the morning panel sessions, the keynote speakers, as well as the final session: “Looking Forward – The 2012 Health Privacy Agenda.” These panels include academics, advocates, government officials, health care providers, industry executives, and technology experts, who discussed the major technical, legal, and cultural issues and solutions to privacy and patient control over personal health information in electronic health systems and data exchanges.

Video Highlights:

  • Jeff Rosen, Author and Professor of Law at George Washington University, interviewed Alan Westin, Author, Of Counsel and Senior Policy Advisor, Arnall Golden and Gregory, Atlanta and Washington DC, for the keynote session titled, “What do research and history tell us about privacy today?”
  • Anita Allen, Deputy Dean at the University of Pennsylvania Law School, moderated the first session titled: “Contrasting Beliefs about Privacy Protection in the Digital Era.” She utilized the diverse panel to spark the exciting discussions about health information privacy that continued throughout the day.
  • The third of the case study panels featured a discussion of the Sorrell vs. IMS Health case. This panel titled, “Secondary uses of personal health information in health databases” included the Assistant Attorney General from the state of Vermont and the Chief Privacy Officer from IMS Health, along with consumer, government, academic, and international experts.

For the full agenda, more information on the panels, and links to each video, see: http://www.healthprivacysummit.org/agenda.

“Getting IT Right: Protecting Patient Privacy in a Wired World”, was jointly hosted by The Lyndon B. Johnson School of Public Affairs at The University of Texas at Austin and the Patient Privacy Rights Foundation.

The summit was interactive and audience members participated in work groups to identify urgent health privacy issues, along with identifying the immediate steps needed to deliver responsible and realistic solutions, a synopsis of which will be forthcoming.

For up-to-date health privacy information, Summit materials and resources, visit: http://www.healthprivacysummit.org

###

The Lyndon B. Johnson School of Public Affairs is a graduate component of The University of Texas at Austin. The School’s mission is to develop leaders and innovative ideas that will help our state, the nation and the international community address critical public policy challenges in an ever increasingly interconnected and interdependent world.

Patient Privacy Rights is the nation’s leading health privacy watchdog and leading consumer voice for building ethical, trustworthy HIT systems. For more information, visit: http://patientprivacyrights.org

Resolution of Disapproval in Supreme Court Decision in Sorrell v. IMS Health Case

Lawmaker, author of health privacy protections in economic recovery act, declares privacy rights of doctors, patients should trump commercial interests

WASHINGTON, D.C. – On Friday July 8, 2011, Congressman Edward J. Markey (D-Mass.), co-chairman of the Congressional Bi-Partisan Privacy Caucus and senior member of the House Energy and Commerce Committee, introduced H.Res. 343, a resolution expressing disapproval of the recent Supreme Court decision in Sorrell v. IMS Health. In its decision, the Court struck down a Vermont state law that banned the sale of doctors’ drug prescriptions records if the records are used for commercial purposes without the doctors’ permission.

Rep. Markey’s resolution states that the Court erred in applying free speech protections to a Vermont law that lawfully regulated a purely commercial interest. Before the Vermont law was enacted, data-mining companies would purchase information about doctors’ prescription drug information from pharmacies and then resell the data to pharmaceutical companies. The pharmaceutical companies could use the information – without the doctors’ consent – for the commercial purpose of targeting their sales messages and marketing more expensive, brand-name drugs to physicians.

“In this case, the Supreme Court tipped the scales of justice in favor of big drug companies at the expense of patients and their doctors,” said Rep. Markey. “The privacy of the doctor-patient relationship should outweigh the ability of pharmaceutical companies to mine data simply so they can market expensive drugs to providers and reap huge profits. States should be able to regulate pharmaceutical companies in a way that protects the privacy of their residents and prevents pharmaceutical companies from having undue influence on doctors’ prescribing habits.”

Dissenting in the Supreme Court’s 6-3 decision, Justice Stephen Breyer wrote that the Vermont state law in question “adversely affects expression in one, and only one way. It deprives pharmaceutical and data-mining companies of data…that could help pharmaceutical companies create better sales messages.” The dissent, which was joined by Justices Ruth Bader Ginsburg and Elena Kagan, stated that the Vermont statute is a “lawful governmental effort to regulate a commercial enterprise…The far stricter, specially ‘heightened’ First Amendment standards that the majority would apply to this instance of commercial regulation are out of place here.”

Dr. Deborah Peel, a national health privacy expert and founder of the non-profit Patient Privacy Rights, praised the Markey resolution. “With a Supreme Court that stands up for the interests of pharmaceutical companies, it’s reassuring to know that Congressman Markey is looking out for patients and doctors who value the privacy of their prescription drug information.”

Text of the resolution can be found HERE.

Baby’s death spotlights safety risks linked to computerized systems

Check out this very relevant story from the Chicago Tribune Health section, “Baby’s death spotlights safety risks linked to computerized systems,” written by Judith Graham and Cynthia Dizikes.

As a topic discussed a lot in Session 3.2 of the Health Privacy Summit, “Control of patient information – Health Information Exchanges,” this subject is the tip of the iceberg on the many risks of electronic health records that must be addressed as billions of stimulus dollars go into creating a health IT infrastructure.

Baby’s death spotlights safety risks linked to computerized systems, Chicago Tribune, by Judith Graham and Cynthia Dizikes, June 27, 2011

Hospitals Wary of Hackers Seek Insurance from AIG

Bloomberg News aired a segment on the rising threat of electronic health information systems to patient privacy and tapped Jim Pyles, an expert from the first health privacy summit, to speak. He pointed to the lack of adequate health data security, the ability to breach thousands or millions of records simultaneously, and the value of health data on the black market as key causes of the growing number of reported health data breaches.

View the video here.

Synopsis: Doctors and hospitals adopting electronic patient records under a U.S. government program are exploring insurance policies to help cover the costs of medical-data breaches. Data breaches cost U.S. hospitals $12 billion over the past two years, according to a study by the Ponemon Institute. Bloomberg’s Megan Hughes reports on “InBusiness with Margaret Brennan.”