Re: Pres. Obama appoints Todd Park nation’s CTO

The new US Chief Technical Officer (CTO) was chosen for using “innovative technologies to modernize government, reduce waste and make government information more accessible to the public.”

What role does the CTO have in protecting individuals from technology harms? Whose role is it to protect the public from damaging technologies and “big data”?

Technology could enable break-through health research and improve the quality of healthcare. But we won’t have complete and accurate health data needed for transformative research when millions don’t trust electronic health systems. The 35-40% of the public who are “health privacy intense” realize US law doesn’t adequately protect their rights to health privacy.

The full article by Bernie Monegain in Healthcare IT News: President Obama appoints Todd Park Nation’s CTO

Re: Sizing Up the Family Gene Pool

In response to the New York Times article: Sizing Up the Family Gene Pool

This story is about the fact that genetic testing companies sell people’s test results, compromising families’ and descendants’ future jobs and opportunities. “The NYTimes Ethicist” confirmed a questioner’s fears:

“As for the privacy issue, your concern is well founded. Many of these companies do use customers’ data for medical research or commercial applications, or they sell it to third parties whose interests you might never know. Legally they can’t do that without your consent, but the fine print on those consent forms goes by so quickly that it can be hard to follow.”

Americans’ lack of control over sensitive personal health information in electronic systems is a true national disaster. Not everyone knows this yet, but President Obama does.

On Feb 22, he introduced historic new privacy principles to guide the use of personal data in the global digital economy. He recognized that the lack of privacy in current networked technologies and systems has severe economic consequences. See story on the White House Initiative: http://patientprivacyrights.org/2012/02/wh-initiative-consumer-privacy-bill-of-rights/

President Obama’s new principles address the causes of the privacy violation in the story:

  • Current federal law does not protect the right to health information privacy or the right of consent to use health data
  • Neither HIPAA nor the Genetic Information Nondiscrimination Act (GINA) prevents the systemic corporate business practice of selling Americans’ highly sensitive personal health information (like genetic test results)

He laid out an historic, tough new Consumer Privacy Bill of Rights to stop the data mining and data theft industries. The first principle is that of individual control: “Consumers have a right to exercise control over what personal data companies collect from them and how they use it.”

Key quotes from the Administration’s new “Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy”:

  • “Strong consumer data privacy protections are essential to maintaining consumers’ trust in the technologies and companies that drive the digital economy.”
  • The President concluded, “It [privacy] has been at the heart of our democracy from its inception, and we need it now more than ever.”

The only way we can trust the Internet and have a vibrant global digital economy is if individuals control personal information online and in electronic systems. The right of informed consent before personal information is collected or used must be restored.

When will the health IT industry, Congress, and lawmakers across the US act to restore the right to privacy and control over personal information?

WH Initiative: Consumer Privacy Bill Of Rights

In a press release from the White House, February 22nd, 2012:

“The Obama Administration unveiled a ‘Consumer Privacy Bill of Rights’ as part of a comprehensive blueprint to protect individual privacy rights and give users more control over how their information is handled. This initiative seeks to protect all Americans from having their information misused by giving users new legal and technical tools to safeguard their privacy. The blueprint will guide efforts to protect privacy and assure continued innovation in the Internet economy by providing flexible implementation mechanisms to ensure privacy rules keep up with ever-changing technologies. As a world leader in the Internet marketplace, the Administration believes the United States has a special responsibility to develop privacy practices that meet global standards and establish effective online consumer protection.”

To read more about the proposed bill here are some additional resources:

Read Fact Sheet

Read Full Proposal

Additional White House Press Release

View the Press Conference on CNN’s Video Library

Leaders in Congress Call Out TRICARE & SAIC

We congratulate the leaders in Congress, Reps. Markey, Barton, DeGette, Stearns, and Andrews, for calling TRICARE and SAIC on the carpet for not securing military families’ sensitive health data. See the letter here.

We hope this letter leads to Congressional oversight hearings into the industry-wide culture of disregard for the privacy of military personnel’s and all Americans’ sensitive electronic health information. The worst serial corporate abusers should be penalized and prevented from getting federal contracts. We need Congress to get to the roots of the industry-wide disregard for health privacy FAST, before millions more people are harmed, not just by medical identity theft, but by the use of health information to discriminate against them in employment, credit, and other key opportunities in life. Once health records are exposed, they can never be made private again.

It is well-known in the healthcare industry and by privacy advocates that about 80% of healthcare providers and the health IT corporations that manage health information have ignored federal laws requiring encryption and data security protection for years. Obviously, head-in-the-sand approaches to data security simply don’t make sense. Clearly it’s cheaper and easier for corporations to ignore the law and common sense than it is to protect our most sensitive personal information, from diagnoses to DNA.

The fact that SAIC has continued to get billions in funds from the federal government despite repeated breaches of sensitive health information shows also that the federal process of awarding, monitoring and auditing, and assuring performance of billion-dollar contracts needs investigation.

Providers, healthcare organizations, and technology companies that do not use state-of-the-art data security for health information should not be allowed to work in the healthcare field. If you are unwilling to protect patient data, you don’t belong in healthcare.

We also strongly support the proposal to make sure that victims of health data breaches receive effective state-of-the-art remediation. Victims should be able to use new technology that enables them to monitor all health insurance claims before they are submitted, so they can prevent the fraud and prevent other people’s health data from being added to their health records.

House to Defense Top Doc: What’s Up With TRICARE Theft?

Four members of the House Energy and Commerce Committee and one member of the House Armed Services Committee want some answers from Dr. Jonathan Woodson, the Pentagon’s top medical official, about how the Defense Department handled the September theft of computer tapes containing the records of 4.9 million TRICARE beneficiaries from the car of an SAIC employee in San Antonio, Texas. Woodson is the assistant secretary of Defense for health affairs and director of the TRICARE Management Activity, which was responsible for the data.

Woodson has been mum on this debacle since it unfolded, and in fact gave a speech in San Antonio the week after the theft was reported and, as far as I can determine, never addressed the issue…

…Last month, TRICARE directed SAIC to offer credit monitoring services to patients whose information was stored on the stolen tapes. Dr. Deborah Peel, founder of Patient Privacy Rights, an advocacy group based in Austin, Texas, says this does nothing to insure the safety of health care information on those tapes.

Peel, who sent me the Congressional letter to Woodson, said those patients should also be provided with new technology that allows them to monitor all health insurance claims before they are submitted, so they can prevent fraud as well as other people’s health data from being added to their health records.

See Patient Privacy Rights’ Press Release

Changes to EU Data Protection Directive Will Likely Impact U.S.-Based Companies

See full article at Loeb & Loeb, LLP Privacy Law Alert: Changes to EU Data Protection Directive Will Likely Impact U.S.-Based Companies

“Planned changes to the European Union’s Data Protection Directive (EU Directive), some of which are directed at non-EU companies, may significantly impact how U.S.-based entities that interact with EU consumers can collect, store and use consumer data.

The revised EU Directive will give consumers more control over their personal data, including requiring explicit user consent before companies can use data and giving consumers the right to delete data, especially data they posted themselves, otherwise known as the ‘right to be forgotten.’ The proposed changes also will likely include increased transparency for data processing – providing greater information about when and how data is collected, stored and used, and making it easier for consumers to indicate their privacy preferences.”

Re: Study shows privacy of medical records is weaker in the U.S.

A study of US and EU health data protections in the Journal of Science & Technology Law concluded Americans “have no real control over the collection of sensitive medical information if they want to be treated.”

Wow! It’s great to see legal scholars second the message that Americans’ rights to health privacy were eliminated.

You can see the article on the study in The Epoch Times here, written by Mary Silver.

For years, Patient Privacy Rights and the bipartisan Coalition for Patient Privacy were the lone voices carrying this message to Congress and the public.

Public and expert support to restore control over sensitive health data will only build. Soon, no one will buy the argument that privacy is an obstacle to electronic health systems.

Here are some other key quotes from the story:

  • “EU countries have adopted electronic health records and systems, or EHRs, and legally protected privacy at the same time.”
  • “The 1950 Council of Europe Convention identified individual privacy as a fundamental value”
  • “the good aspects of EHRs can be undermined by the bad consequences of poor privacy practices and the ugly effects of inadequate security”
  • “patient privacy is much better protected in Europe”
  • “European patients are able to encapsulate particularly sensitive medical information, and an individual has far greater access to and control over his records in Europe than in America.”

So, again why is the US government rushing to spend $29 billion on health IT systems that offer neither privacy nor security?

HIStalk Interviews Deborah Peel MD, Founder, Patient Privacy Rights

Give me some brief background about yourself and about Patient Privacy Rights.

I never expected to be leading this organization or ever even thought about that. In my younger days, I practiced full time as a psychiatrist and Freudian analyst for a very long time, until it became clear that things were happening in DC that would make effective mental healthcare impossible. Namely, that there were lots of different ideas being floated; for example, the Clinton healthcare initiative. There was a part of it that was going to require everyone’s data from every physician encounter be recorded in a federal database.

Fast-forward to the HIPAA privacy rule. That’s what really convinced me of the need for a voice for consumers, because there really wasn’t any. What I’m talking about there is, of course, the change in 2002 that happened under everyone’s radar except for – and this is the laugh line – when the 3,000 Freudian psychoanalysts in the nation noticed that consent was eliminated.

In 2004, I started Patient Privacy Rights because there was no effective representation for the expectations and rights that the majority of Americans have for how the healthcare system is going to work. Namely, that people don’t get to see their information without consent. Since founding PPR in 2004, we’ve still been the national leading watchdog on the issues of patient control over information, and even internationally. Our power has come because when we came to DC, the other people that were working on privacy, human rights, and civil rights recognized that, because of my unique position as a physician and deep understanding of how data flows, I knew what I was talking about.

We very quickly got a pretty amazing bipartisan coalition of over 50 organizations. That enabled us to put these issues and problems on the map.

We had some incredible successes in HITECH. Virtually all of the new consumer protections came from our group, including the ban on the sale of PHI, the accounting of disclosures, segmentation, and the new requirement that if you pay out of pocket for treatment you should be able to block the flow of that data to health plans and health insurers. We were the ones that worked with Congressman Ed Markey on getting encryption and stronger security protections required, and worked with Senator Snowe to get meaningful breach notice into the rules.

All of this work led to the first-ever summit on the future of health privacy this past summer in DC. The videos and the entire meeting can be seen or streamed online at www.healthprivacysummit.org.

If somebody said you had to choose between accepting healthcare IT as it is today or going back to purely paper-based systems, which would you choose?

We’ve never been in favor of going back to paper…

The road to electronic health records is lined with data thieves

The following is a guest post by Reuters contributor Constance Gustke. The opinions expressed are her own. See the full article at http://blogs.reuters.com/reuters-money/2011/08/05/the-road-to-electronic-health-records-is-lined-with-data-thieves/

“The future of your personal health information involves gigantic Internet-driven databases that connect you to doctors, health information and services no matter where you are and what time it is.

With a big push from President Obama, who wants secure electronic health records for every American by 2014, many health insurance companies, hospitals, private practices and pharmacies are already delivering some patient portals using these records as a backbone.

It’s the future of medicine, says Dr. Raymond Casciari, chief medical officer at St. Joseph Hospital in Orange, California, but for now, he adds, “We’re still in the dark ages.”

The portal approach is intended to be beneficial, letting you share key medical data instantly with your family and consult with specialists on another continent. It’s supposed to lower healthcare costs and provide better services. But the data being stored is sensitive and so far it isn’t very secure, say experts. So it’s important to know how your medical information is being shared and managed, especially as access explodes.

Dr. Deborah Peel, a psychiatrist and founder of Patient Privacy Rights, is dubious about patient medical privacy on portals. She believes that data breaches can have harmful effects, including medical discrimination. “Today, we can’t see who uses our electronic records,” she warns. “And they can be back-door mined.”…”

Your Health Information Isn’t Secure But Don’t Blame EHRs

There’s a lot of talk about the risks of storing health information in electronic medical records (EMRs). But, EMRs aren’t the problem. Those consent forms you sign at the doctor’s office… yeah, you should pay attention to the fine print. You may be giving permission to insurance companies, drug makers, and data aggregators to access your health information, regardless of how or where it’s stored. Sorry to get all sour grapes, but we just want to set the record straight. Here’s what you need to know about who can see your health information, how they can legally use it, and what you can do to protect yourself.

Your Doctor Isn’t the Only Person Who Knows Your Diagnosis

Have you heard of the Medical Information Bureau (MIB)? What about IntelliScript and MedPoint? These organizations, among others, build databases of Americans’ private medical information and sell it to other companies (MIB, a non-profit, only provides the information to its members). It’s perfectly legal. But, ethical? Well, you decide.

Data aggregators track down diagnosis codes, lab data, and prescriptions from databases such as those kept by pharmacy benefit managers. The data is later sold to health and life insurance companies to assess the risk of writing a policy. In other words, they can use it to determine rates, or possibly deny you service. However, we should point out that the MIB uses proprietary codes and only receives this information from member companies. The codes are “brief resumes” that act as “red flags” about a particular medical impairment or risk to a patient’s mortality or morbidity. MIB members aren’t supposed to make underwriting decisions based solely on a code.

Some of these organizations even perform analysis for insurance companies. For example, IntelliScript from Milliman provides insurers with drug profiles of patients. In each patient profile, they assign color codes to a drug – red, yellow, or green – in order to indicate its risk factor. Red means risk. It could be used to spotlight drugs for serious illnesses like cancer or AIDS.