An American Quilt of Privacy Laws, Incomplete

The MOST “incomplete” US privacy law is HIPAA, which eliminated Americans’ rights to control the collection, use, disclosure and sale of their health data in 2001.

The new Omnibus Privacy Rule did not fix this disaster. It made things worse by explicitly permitting health data sales for virtually any purpose without patients’ consent or knowledge. These new regulations violate Congress’ intent to ban the sale of health data in the 2009 stimulus bill.

In addition to not being able to control personal health information Americans have no ‘chain of custody’ for their health data, so there is no way to know who is using or selling our health data.

We need a data map to track all the hidden users and sellers of our personal health information, from our DNA, to our diagnoses, to our prescription records:

  • -Watch Professor Sweeney describe the Harvard Data Privacy Lab/Patient Privacy Rights research project to track hidden users of our health data at: http://patientprivacyrights.org/thedatamap/
  • -WE NEED A DATA MAP TO SHOW THE GOVERNMENT IT’S TIME TO FIX THIS PRIVACY DISASTER!

Attend or watch the next health privacy summit June 5-6 in Washington, DC to learn about these urgent health data problems and potential solutions:

HIStalk News 3/22/13 – Quotes Dr. Deborah Peel on new CVS policy

To view the full article, please visit HIStalk News 3/22/13.

Key quote from the article:

“Patient Privacy Rights Founder Deborah Peel, MD calls a new CVS employee policy that charges employees who decline obesity checks $50 per month “incredibly coercive and invasive.” CVS covers the cost of an assessment of height, weight, body fat, blood pressure, and serum glucose and lipid levels, but also reserves the right to send the results to a health management firm even though CVS management won’t have access to the results directly. Peel says a lack of chain of custody requirements means that CVS could review the information and use it to make personnel decisions.”

Re: The Internet is a surveillance state

In response to the CNN article by Bruce Schneier: The Internet is a surveillance state

Bruce Schneier is wrong. Privacy is not over — the public is just now learning how invasive Internet technology, tech corporations, and government really are, and that they ACT to protect and maintain the US surveillance economy. When enough citizens tell Congress and the President to stop, this privacy disaster will stop.

The public is just beginning to WAKE UP. Today is the start of privacy in the Digital Age in the US, not the end.

It’s a lie that people happily give up privacy for “targeted ads” — tech giants like Google, Facebook, etc. have PREVENTED us from having apps and tools that enable privacy (ie, our right TO control personal information online). We have NO choices because government and the data mining industry have prevented us from having meaningful choices.

Signs of intelligent life in the Universe:

  • Attend or watch the 3rd International Summit on the Future of Health Privacy (its free). The EU Data Protection Supervisor will keynote and so will the US Chief Technology Officer—-the stark differences between US and EU data protections will be discussed—register at: http://www.healthprivacysummit.org/d/vcq3vz/4W
  • SnapChat—millions of free downloads of an app that shows people want technology that gives THEM control over their data: single use of info (a picture in this case) and the ability to delete info. See: http://patientprivacyrights.org/2013/02/snapchat-and-the-erasable-future-of-social-media/
  • A recent Pew Research Center study found smartphone users are taking action to protect their privacy:
  • The default for Microsoft’s Windows 8 browser is ‘Do Not Track’
    • Microsoft’s Chief Privacy Officer Brendon Lynch said a recent company study of computer users in the United States and Europe concluded that 75 percent wanted Microsoft to turn on the Do Not Track mechanism. “Consumers want and expect strong privacy protection to be built into Microsoft products and services.”
    • See more in the New York Times article: Do Not Track? Advertisers Say ‘Don’t Tread on Us’

DONATE to help Latanya Sweeney and Patient Privacy Rights build a health data map—-we MUST prove that thousands of hidden data users are stealing, using , and selling our personal health data: http://patientprivacyrights.org/donate/

SEE Latanya describe thedataMap at: http://patientprivacyrights.org/thedatamap/
This is the beginning of privacy, the war has just begun.

Health IT Gurus predict the Next Big App

To view the full article, please visit Health IT Gurus predict the Next Big App.

“Mobile healthcare apps are multiplying fast and putting a vast array of new tools in the hands of patients and the providers who deliver their care. The pace and scope of innovation makes it hard to imagine what app developers will create next. So we put the question to some of the thinkers in the best position to know what’s needed and what’s possible.”

Here are a few key quotes from the article:

Dr. Deborah Peel, founder of Patient Privacy Rights Foundation, a privacy advocacy organization:

“People want control of their information. They want to be able to decide who sees it and make it go away. And so I think that the next big thing in healthcare is going to be that kind of control for patients over their information.”

Dr. Farzad Mostashari, head of the Office of the National Coordinator for Health Information Technology at HHS:

“We are going to be in an era where everyone is going to be looking to improve health and healthcare at lower cost. And we are going to be looking at every underutilized resource in healthcare. And the greatest, the most underutilized resource in healthcare is the patient and their family members…”

Should the U.S. Adopt European-Style Data-Privacy Protections?

You can read more of the Wall Street Journal debate between Joel R. Reidenberg (Yes) & Thomas H. Davenport (No) here: Should the U.S. Adopt European-Style Data-Privacy Protections?

This urgent issue will be debated at the 3rd International Summit on the Future of Health Privacy in Washington, DC on June 5-6, 2013 at Georgetown Law Center.

The opening keynote will be Peter Hustinx, the EU Data Protection Supervisor: A health check on data privacy”

Register to attend at www.healthprivacysummit.org .

UPMC, Oracle to help with ID management

To view the article, please visit UPMC, Oracle to help with ID management.

UPMC revealed plans on Thursday to collaborate with Oracle in the development of cloud-based identity management technology to be utilized by small to mid-sized healthcare providers.

According to the article, “CloudConnect Health IT will enable healthcare users to easily manage computer accounts, including adding, modifying and terminating a user’s computer access, officials say. They’ll also help providers manage access based on the user’s job responsibility and provide self-service tools for retrieving forgotten passwords and unlocking accounts, as well as offer comprehensive management reporting.”

This poses a problem because, as Adrian Gropper, MD, points out “Proprietary identity systems risk being coercive of the patient to the extent that they allow aggregation of a patient’s records across multiple institutions without informed patient consent. Voluntary ID systems can be created that are not coercive while still offering the value of global uniqueness.”

Should the U.S. Adopt European-Style Data-Privacy Protections?

View the full article at Should the U.S. Adopt European-Style Data-Privacy Protections?

This urgent issue will be debated at the 3rd International Summit on the Future of Health Privacy in Washington, DC on June 5-6, 2013 at Georgetown Law Center.

The opening keynote will be Peter Hustinx, the EU Data Protection Supervisor. He will speak on “A health check on data privacy?”

Register to attend at www.healthprivacysummit.org . Later we will post a link to watch via live-streaming video.

HIPAA Omnibus: Gaps In Privacy? — Interview with Deborah C. Peel, MD

Although the HIPAA Omnibus Rule is a step in the right direction for protecting health information, the regulation still leaves large privacy gaps, says patient advocate Deborah Peel, M.D.

HIPAA Omnibus finally affirmed that states can pass laws that are tougher than HIPAA, and that’s really good news because HIPAA is so full of flaws and defects that we are concerned that what is being built and funded will not be trusted by the pubic,” Peel says in an interview with HealthcareInfoSecurity during the 2013 HIMSS Conference.

Listen to this interview and read the full article here.

theDataMap™

theDataMap™ is an online portal for documenting flows of personal data. The goal is to produce a detailed description of personal data flows in the United States.

A comprehensive data map will encourage new uses of personal data, help innovators find new data sources, and educate the public and inform policy makers on data sharing practices so society can act responsibly to reap benefits from sharing while addressing risks for harm. To accomplish this goal, the portal engages members of the public in a game-like environment to report and vet reports of personal data sharing. More…

Members of the public sign-up to be Data Detectives and then work with other Data Detectives to report and vet data sharing arrangements found on the Internet. Data Detectives are responsible for content on theDataMap™.

See the debut of theDataMap™ from the “Celebration of Privacy” during the 2nd International Summit on the Future of Health Privacy here:

Data Protection Laws, an Ocean Apart

American citizens are like just like EU citizens: they want the same strong rights to control personal information online, especially health information.

See the letter Patient Privacy Rights and other NGOs signed supporting the EU’s tough requirements for data protection.  The letter urges the US government policy makers to support the same tough data protections for US citizens, also embodied in the protections President Obama laid out in the “Consumer Privacy Bill of Rights”.

Unfortunately, the “Consumer Privacy Bill of Rights” exempts all health data, leaving the flawed HIPAA Privacy Rule that eliminates our control over personal health data in effect. The 563 page Omnibus Privacy Rules adds strong data security protections and stronger enforcement of violations for some health data holders and users, but not all. But it does not restore patients’ rights to consent before personal health information is accessed or used, even though the right to control health information has been the law of land for centuries and is the key ethic in the Hippocratic Oath (requires doctors to keep information private and not share it without consent).

US citizens will not trust their physicians or electronic health systems unless they control who can see and use their records, from diagnoses to DNA to prescriptions.