Article: Big brother to log your drinking habits and waist size as GPs are forced to hand over confidential records

To view the full article written by Jack Doyle, please visit: Big brother to log your drinking habits and waist size as GPs are forced to hand over confidential records

The UK government proposes to collect citizens’ health data in a “giant information bank”.  “A document outlining the scheme even raises the prospect of clinical data being passed on or sold to third parties”.

Quotes:

  • -Doctors will be forced to hand over sensitive information about patients as part of a new programme called Everyone Counts.
  • -The files will be stored in a giant information bank that privacy campaigners say represents the  ‘biggest data grab in NHS history’.
  • -Ross Anderson, professor of security engineering at Cambridge University, said: ‘Under these proposals, medical confidentiality is, in effect, dead and there is currently nobody standing in the way.’

David Cameron was criticized in the Guardian in 2011 when he first announced similar plans for collecting all citizens health data to:

  • -“encourage NHS ties with industry and fuel innovation, including £180m catalyst fund”
  • -encourage “collaboration between the health service and the life sciences industry”
  • -“make it easier for drug companies to run clinical trials in hospitals and to benefit from the NHS’s vast collection of patient data”.

The tens or hundreds of billions generated annually by sales of American citizens’ electronic health information are an attractive model for the UK and EU given the dire economic situation in the EU. It’s hard to know how large the market for health data is or how health data is used without a data map. See Professor Sweeney explain theDataMap research project at: http://tiny.cc/etyxrw

Americans can’t control who sees or uses their health data. Will UK citizens suffer the same fate?

Questions of Privacy

ModernHealthcare.com recently posted a great article about PPR’s Dr. Deborah Peel and her work.

A few key points from the article:

“In 2002, HHS redrafted the privacy rule of the Health Insurance Portability and Accountability Act, replacing its patient consent requirement for the sharing of most patient records with a new provision. The rewrite afforded ‘regulatory permission,’ according to the rule, for hospitals, physicians, insurance companies, pharmacies, claims clearinghouses and other HIPAA-covered entities to use and disclose patient data for treatment, payment and a long list of other healthcare operations without patient consent.”

“’Let’s face it,’ Peel says, ‘HHS is the agency that eliminated patient control over electronic medical records and has remained hostile to patients’ rights ever since.’”

“‘Where I’m coming from is, I’ve spent all this time in a profession with people being hurt,’ Peel says. ‘Starting in the 1970s, when I first let out my shingle, people came to me and said, if I paid you in cash, would you keep my records private. Now, we’ve got a situation where you don’t even know where all your records are. We don’t have a chain of custody for our data, or have a data map’ to track its location.”

Privacy and Health Care – Blog referencing PPR’s “The Case for Informed Consent”

The blog Emergent Chaos wrote an article urging for privacy in the mental health field as a means of minimizing the stigma associated with diagnosis.

Some key statistics pointed out in this post:

“First, between 13 and 17% of Americans admit in surveys to hiding health information in the current system. That’s probably a lower-bound, as we can expect some of the privacy sensitive population will decline to be surveyed, and some fraction of those who are surveyed may hide their information hiding. (It’s information-hiding all the way down.)

Secondly, 1 in 8 Americans (12.5%) put their health at risk because of privacy concerns, including avoiding their regular doctor, asking their doctor to record a different diagnosis, or avoiding tests.”

DNA records pose new privacy risks

To view the full article, please visit: DNA Records Pose New Privacy Risks

An article in the Boston Globe highlights the ease with which DNA records can be re-identified. According to the article, “Scientists at the Whitehead Institute for Biomedical Research showed how easily this sensitive health information could be ­revealed and possibly fall into the wrong hands. Identifying the supposedly anonymous research participants did not require fancy tools or expensive equipment: It took a single researcher with an Internet connection about three to seven hours per person.” Even truly anonymous data was not entirely safe from being re-identified. Yaniv Erlich”…decided to extend the technique to see if it would work with truly anonymous ­data. He began with 10 unidentified men whose DNA ­sequences had been analyzed and posted online as part of the federally funded 1,000 Genomes Project. The men were also part of a separate scientific study in which their family members had provided genetic samples. The samples and the donors’ relationships to one ­another were listed on a website and publicly available from a tissue repository.”

These findings are incredibly relevant because it is highly possible that “something a single researcher did in three to seven hours could easily be automated and used by companies or insurers to make predictions about a person’s risk for disease. ­Although the federal Genetic Information Nondiscrimination Act protects DNA from ­being used by health insurers and employers to discriminate against people”.

Can computers predict medical problems? VA thinks maybe.

To view the full article written by Bob Brewin for Nextgov, please visit Can computers predict medical problems? VA thinks maybe.

“The Veterans Health Administration plans to test how advanced clinical reasoning and prediction systems can use massive amounts of archived patient data to help improve care, efficiency and health outcomes.”

Two veterans commented on the story below:

  • -“total invasion of privacy, I have a big problem with a “vendor” going through my records let alone the VA. the VA doesnt exactly have a good track record of protecting information”
  • -“veterans are NO LONGER guinea pigs without express PRIOR written consent, that is MEDICAL DATA covered by HIPAA, and is expressly forbidden to be managed in an open fashion and is NOT for sale.”

Like 99% of Americans, these vets oppose research use of their health information without consent:

US health IT systems and the VA could offer electronic consent to participate in studies:

  • -Electronic consent tools can enable each patient to set his or her own broad rules to allow research use of their health data.
  • -Vets could be ‘pinged’ for consent for EACH study, set broad rules to allow use of data for all studies, or set their rules for something in between (such as: I will agree to all research use of my data on traumatic brain injury and PTSD, but contact me for consent for all other studies).

Unfortunately the new Omnibus Privacy Rule grants open access to all 300 million citizens’ sensitive health information without consent for any ‘research’ or ‘public health’ use.
The broad ‘research loophole’ in HIPAA and the new Omnibus Privacy Rule permits industry (corporations including insurers, employers, drug companies, marketers, pharmacies, labs, and others) to use and sell our personal data for “research” that we would never agree with. ‘Research’ is defined so broadly that:

  • -Blue Health Intelligence (a subsidiary of Blue Cross Blue Shield) does ‘research’. It uses and sells enrollees’ health data without consent.
  • -IMS Health data mines and sells the nation’s prescription records. Claiming to do ‘research’ allows IMS Health to use and sell Americans’ prescription records without consent.
  • -Many electronic health record companies (Cerner, GE Centricity, Greenway, Athena Health, and Practice Fusion) are also ‘research companies’ and sell health data.
  • -The ‘research’ industry sells data that is supposedly ‘de-identified’, but health data is easy to re-identify (See paper by Narayanan and Shmatikov:
  • http://www.cs.utexas.edu/~shmat/shmat_cacm10.pdf ). And there is no way to know when ‘de-identified’ data is re-identified. Texas law bans re-identification’ of health data, but the system depends on whistleblowers to report violations.
  • -Most ‘researchers’ are not physicians, scholars, and PhDs at academic centers, as the public assumes.

Why wouldn’t every corporation that touches health data declare itself a ‘research institution’ so it can collect, use, and sell Americans’ health data? Personal health information is THE MOST valuable data of all, but we have no way to control which corporations collect and use health data.
How large a part of the surveillance economy is personal health data?

Cloud Computing: HIPAA’s Role

The below excerpts are taken from the GOVinfoSecurity.com article Cloud Computing: HIPAA’s Role written by Marianne Kolbasuk McGee after the January 7, 2013 Panel in Washington D.C.: Health Care, the Cloud, & Privacy.

“While a privacy advocate is demanding federal guidance on how to protect health information in the cloud, one federal official says the soon-to-be-modified HIPAA privacy and security rules will apply to all business associates, including cloud vendors, helping to ensure patient data is safeguarded.

Joy Pritts, chief privacy officer in the Office of the National Coordinator for Health IT, a unit of the Department of Health and Human Services, made her comments about HIPAA during a Jan. 7 panel discussion on cloud computing hosted by Patient Privacy Rights, an advocacy group…

…Deborah Peel, M.D., founder of Patient Privacy Rights, last month sent a letter to the Department of Health and Human Services’ Office for Civil Rights urging HHS to issue guidance to healthcare providers about data security and privacy in the cloud (see: Cloud Computing: Security a Hurdle).

“The letter … asks that [HHS] look at the key problems in cloud … and what practitioners should know and understand about security and privacy of health data in the cloud,” Peel said during the panel.”

Health Care, the Cloud, and Privacy, Jan. 7 Panel

Health Care, the Cloud, and Privacy

Phoenix Park Hotel
520 North Capitol Street, NW | Washington, DC 20001
Georgian Room
Monday, January 7, 2013 | 12:00 p.m. ET

On behalf of Patient Privacy Rights (PPR), you are invited to attend a panel discussion on health care system privacy challenges posed by cloud computing. The one-hour discussion, “Health Care, the Cloud, and Privacy,” will be held on Monday, January 7, 2013 at the Phoenix Park Hotel in Washington, D.C. Boxed lunches will be provided.

With technological innovations that promise better efficiency and lower cost, one of the most anticipated developments is how industry and regulators will respond. That question today is focused intently on cloud computing and the implications for corporations with electronic systems containing sensitive consumer health data. Who is handling patient data? How do HIPAA and other health privacy laws and rights function in the cloud? What can policymakers do to better protect our sensitive medical data?

Our distinguished panel will feature:

Joy Pritts
Chief Privacy Officer
Office of the National Coordinator for Health IT
U.S. Department of Health and Human Services

Deborah C. Peel, MD
Founder and Chair
Patient Privacy Rights (PPR)

Nicolas P. Terry
Hall Render Professor of Law
Indiana University Robert H. McKinney School of Law

Lillie Coney
Associate Director
Electronic Privacy Information Center (EPIC)

Please RSVP to Jenna Alsayegh at jalsayegh@deweysquare.com.

We hope to see you there!

And there is more:
View the Invitation as a PDF
View the Press Release

PPR also sent a letter to the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) that urges for more comprehensive guidance on securing patient data in “the cloud.” With the healthcare industry moving their records to electronic databases, PPR sees a number of issues associated with cloud computing services, including compliance with existing healthcare privacy laws like the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, stronger state and federal health information privacy laws, medical ethics, and Americans’ rights to health information privacy. View the letter here.

Patient privacy group (PPR) asks HHS for HIPAA cloud guidance

Government HealthIT recently wrote an article about Dr. Peel’s of Patient Privacy Rights’ letter to the HHS Office for Civil Rights pushing for security guidelines, standards, and enforcements for cloud technology being used in healthcare.

Here are a few key points highlighted in the article:

“Issuing guidance to strengthen and clarify cloud-based protections for data security and privacy will help assure patients (that) sensitive health data they share with their physicians and other health care professionals will be protected,” Peel said.

“Cloud-computing is proving to be valuable, Peel said, but the nation’s transition to electronic health records will be slowed ‘if patients do not have assurances that their personal medical information will always have comprehensive and meaningful security and privacy protections.’”

“Patient Privacy Rights, a group founded in 2006, is encouraging HHS to adopt guidelines that highlight ‘the lessons learned from the Phoenix Cardiac Surgery case while making it clear that HIPAA does not prevent providers from moving to the cloud as long as it is done responsibly and in compliance with the law.’”

“In general, Peel said, cloud providers and the healthcare industry at large could benefit from guidance and education on the application of federal privacy and security rules in the cloud. ‘HHS and HIPAA guidance in this area, to date, is limited,’ Peel said, recommending the National Institute of Standards and Technology’s cloud privacy guidelines as a baseline.”

Health-care sector vulnerable to hackers, researchers say

From the Wall Street Journal article by Robert O’Harrow Jr. titled Health-care sector vulnerable to hackers, researchers say

“As the health-care industry rushed onto the Internet in search of efficiencies and improved care in recent years, it has exposed a wide array of vulnerable hospital computers and medical devices to hacking, according to documents and interviews.

Security researchers warn that intruders could exploit known gaps to steal patients’ records for use in identity theft schemes and even launch disruptive attacks that could shut down critical hospital systems.

A year-long examination of cybersecurity by The Washington Post has found that health care is among the most vulnerable industries in the country, in part because it lags behind in addressing known problems.

“I have never seen an industry with more gaping security holes,” said Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University. “If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.””

Re: Federal Agencies Paint Regulatory Landscape with Broad Brushstrokes

The Genomics Law Report (GLR) posted an interesting blog about the emergence of mobile health (mHealth) and the role many believe it could play in improving the quality and delivery of health care. It discusses how the mHealth regulatory landscape is still in its early stages of formation and has many key players and components that will help guide its development. It then outlines many of the players, such as the FDA, FCC, FTC, and HHS, and the various ways in which each organization might help shape the future of mHealth.

The story also makes mention of the FTC’s “privacy by design” recommendation for mobile applications, which is undoubtedly a critical component to protecting patients’ privacy as more innovative technologies and apps hit the marketplace. However, aside from ensuring that strong privacy controls are built into the apps up front, it will also be important to make sure patients have other important privacy protections, like control over their sensitive health information, no matter the medium used to collect and share it.

To read the full blog from GLR, click here.