Resolution of Disapproval in Supreme Court Decision in Sorrell v. IMS Health Case

Lawmaker, author of health privacy protections in economic recovery act, declares privacy rights of doctors, patients should trump commercial interests

WASHINGTON, D.C. – On Friday July 8, 2011, Congressman Edward J. Markey (D-Mass.), co-chairman of the Congressional Bi-Partisan Privacy Caucus and senior member of the House Energy and Commerce Committee, introduced H.Res. 343, a resolution expressing disapproval of the recent Supreme Court decision in Sorrell v. IMS Health. In its decision, the Court struck down a Vermont state law that banned the sale of doctors’ drug prescriptions records if the records are used for commercial purposes without the doctors’ permission.

Rep. Markey’s resolution states that the Court erred in applying free speech protections to a Vermont law that lawfully regulated a purely commercial interest. Before the Vermont law was enacted, data-mining companies would purchase information about doctors’ prescription drug information from pharmacies and then resell the data to pharmaceutical companies. The pharmaceutical companies could use the information – without the doctors’ consent – for the commercial purpose of targeting their sales messages and marketing more expensive, brand-name drugs to physicians.

“In this case, the Supreme Court tipped the scales of justice in favor of big drug companies at the expense of patients and their doctors,” said Rep. Markey. “The privacy of the doctor-patient relationship should outweigh the ability of pharmaceutical companies to mine data simply so they can market expensive drugs to providers and reap huge profits. States should be able to regulate pharmaceutical companies in a way that protects the privacy of their residents and prevents pharmaceutical companies from having undue influence on doctors’ prescribing habits.”

Dissenting in the Supreme Court’s 6-3 decision, Justice Stephen Breyer wrote that the Vermont state law in question “adversely affects expression in one, and only one way. It deprives pharmaceutical and data-mining companies of data…that could help pharmaceutical companies create better sales messages.” The dissent, which was joined by Justices Ruth Bader Ginsburg and Elena Kagan, stated that the Vermont statute is a “lawful governmental effort to regulate a commercial enterprise…The far stricter, specially ‘heightened’ First Amendment standards that the majority would apply to this instance of commercial regulation are out of place here.”

Dr. Deborah Peel, a national health privacy expert and founder of the non-profit Patient Privacy Rights, praised the Markey resolution. “With a Supreme Court that stands up for the interests of pharmaceutical companies, it’s reassuring to know that Congressman Markey is looking out for patients and doctors who value the privacy of their prescription drug information.”

Text of the resolution can be found HERE.

“Getting IT Right: Protecting Patient Privacy Rights in a Wired World”

Official Pre-conference for CFP2011

June 13, 2011 Georgetown Law Center Washington, D.C.

“Getting IT Right: Protecting Patient Privacy Rights in a Wired World” is the nation’s first open and inclusive public forum to discuss the future of health privacy in a digital age. The conference will be held June 13, 2011 at the Georgetown Law Center in Washington, D.C. and is the result of a partnership between the Lyndon B. Johnson School of Public Affairs at The University of Texas at Austin and the Patient Privacy Rights Foundation, the premier health privacy advocacy organization in the United States.

You can find the agenda, a list of speakers, and more relevant news on the summit at the official website:www.healthprivacysummit.org.

Register Now: www.healthprivacysummit.org/registration

Re: Governor Scott Outlines Prescription Drug Problem In Florida

Florida dispenses MORE oxycodone than the whole rest of the nation!

See Gov Scott’s testimony before Congress here.

Bravo to Governor Scott for not being bullied into building an expensive, large data base of extremely sensitive, hard-to-protect personal health information, when the REAL solution is simple and obvious: stop the 98 Florida doctors among the 100 top dispensers of Oxycodone in the nation from prescribing. No wonder Florida is the “Oxy Express”.

It’s actually stunning that no one thought of this before: go after the bad doctors.

Taking away the prescribing licenses of doctors committing unethical and criminal acts is not hard or costly—and it has the great advantage of not exposing prescriptions in a state-run data base of patients who are legitimately taking pain meds to insider theft or hacking.

Quotes from the story

· more Oxycodone is dispensed in the state of Florida than in the rest of the nation

· 98 of the top 100 doctors dispensing Oxycodone nationally are in Florida – concentrated in the Miami, Tampa, and Orlando regions.

· Scott said, “we are moving legislation to limit how doctors dispense narcotics and making sure doctors divest from pharmacies.”

· Scott also said, “The role of doctors who have forsaken their commitment to people’s health in exchange for the quick buck of unethical and criminal dispensing cannot be overstated and absolutely must be put to an end.”

See more on his testimony here.

Re: “Web’s Hot New Commodity: Privacy”

In response to the WSJ article: Web’s Hot New Commodity: Privacy

Finally the market for digital privacy is being built! This reflects GROWING public awareness of data theft and misuse.

Yes, PPR will continue to call it “theft”. Data mining corporations are like squatters who sneak onto property and then claim it because the owners didn’t know what they were doing. Data miners are thieves because they know VERY well how hard it is for people to discover what they are doing, and further, they know that there is no way anyone can stop them from stealing personal information. Watch — as ways to protect personal data are developed and laws are proposed to prohibit what they do, they will try to make sure their illegal and unethical practices are “grandfathered in.” These practices must be outlawed in the Digital Age if Americans are to retain the most precious right in a Democracy: the right of law-abiding citizens to be “let alone.”

We must fight back and press Congress to outlaw all data theft and corporate contracts that require giving up control of personal information. We must press Congress to ENFORCE the ban on the sale of health data without consent.

It is now clear to entrepreneurs that people are starting to view personal information as an EXTREMELY valuable asset that many want to have treated as personal property. The fact that the nation’s prescription records were being sold without consent is why Congress banned the sale of protected health information (PHI)—-OUR sensitive electronic health information—without consent in the stimulus bill.

There are many who fear that patients cannot meaningfully give consent to sell their health data; that they will easily sell it for next to nothing and not realize the consequences—such as job loss and generations of job and credit discrimination.

But the current situation is far worse and must be addressed: the huge health data mining industry operates in the shadows. AND we have NO WAY of identifying or preventing data mining corporations from stealing and selling our most sensitive data—from prescriptions to DNA. This secret industry is a behemoth, generating tens to hundreds of billions of dollars in annual revenue.

Letting secret, shadowy corporations continue to make billions/year selling the sensitive personal health data of every person in the U.S. is NOT a fair or sustainable solution to corporate and government data hunger. Why allow any industry built on theft? I can’t think of another legal industry built on theft.

Individuals should control PHI; morally and practically it is the only solution. But we need clear laws and boundaries in addition to individual control (consent), so that there are boundaries around exactly what data can be sold or used.

In Europe most uses of health data are flatly prohibited; in Germany there is no consent, but instead only a handful of uses of health data are permitted—the uses are tightly bounded. This is a very different approach than the US.

We ALSO need a framework of tightly bounded privacy protections for health data (in addition to informed electronic consents) that provides interactive education about consent decisions and sets defaults at the most privacy-protective level.

Poll shows: We trust our doctors, not their systems

This computer world article by Lucas Mearian discusses a new survey from CDW, showing patients trust their doctors but not electronic health records. And Many respondents don’t even trust themselves with their own records!

See the full article: U.S. patients trust docs, but not e-health records, survey shows

Sadly, patients should not trust their doctors unless they know their doctors’ electronic health records systems do not sell their personal health information.

The public has no idea that many electronic health systems sell their data. Even doctors may not realize the EHR systems in their offices or in hospitals sell patient data. Many claim to sell “de-identified” data, but it is very easy to re-identify health data.

This practice of selling health data was banned in the stimulus bill but has not been implemented in federal regulations, so it continues unabated.

Worse, the proposed regulations are directed ONLY at the use of health data for marketing, NOT at the health data mining industry that sells real-time, sensitive, detailed patient data profiles to corporations, government, and anyone who can pay for it.

The point of the ban on sale of health data without consent was to end the daily sale of every American’s prescription records from all 54,000 pharmacies, to end the sale of health data from electronic health systems and data exchanges, and to end the sale of health data by all the other organizations that are part of the healthcare system food chain like: insurers, state governments, labs, data warehouses, data management companies, the data analytics industry, business associates, secondary and tertiary data users, etc., etc.

See a brief TV investigative story about one EHR vendor that gives the software to doctors for “free” because its business is selling the patient data: http://www.ktvu.com/news/24278317/detail.html

Experts Forecast Top Seven Trends in Healthcare Information Privacy for 2011

A panel of healthcare experts representing privacy, trends, technology, regulatory, data breach, and governance were asked to weigh in with their forecasts for 2011. These experts suggest that as health information exchanges take form, millions of patient records—soon to be available as digital files—will lead to potential unauthorized access, violation of new data breach laws and, more importantly, exposure to the threat of medical and financial identity theft.

These predictions are supported by the recent Ponemon Institute’s Benchmark Study on Patient Privacy and Data Security, published November 2010, which found that data breaches of patient information cost the healthcare industry $6 billion annually; protecting patient data is a low priority for hospitals; and the healthcare industry lags behind the recently enacted HITECH laws…

Industry-Wide Experts Share Their Opinions and Insight…

Dr. Deborah Peel, M.D., practicing physician and founder of Patient Privacy Rights; the nation’s health privacy watchdog

“2011 will be the year that Americans recognize they can’t control personal health information in health IT systems and data exchanges. Will 2011 be the year that data security and privacy are the top of the nation’s agenda? I hope so. The right to privacy is the essential right of individuals in vibrant Democracies. If we don’t do it right in healthcare, we won’t have any privacy in the Digital Age.”…

Experts name top 7 trends in health information privacy for 2011

A panel of healthcare experts representing privacy, trends, technology, regulatory, data breach and governance have identified the top seven trends in healthcare information privacy for 2011.

The experts suggest that as health information exchanges take form, millions of patient records – soon to be available as digital files – will lead to potential unauthorized access, violation of new data breach laws and exposure to the threat of medical and financial identity theft.

“Endemic failure to keep pace with best practices and advancing technology has resulted in antiquated data security, governance, policy plaguing in the healthcare industry,” said Larry Ponemon, chairman and founder, Ponemon Institute.

“Millions of patients are at risk for medical and financial identity fraud due to inadequate information security,” he said. “Information security in the healthcare industry is at the fulcrum of economic, technological, and regulatory influence and, to date, it has not demonstrated an ability to adapt to meet the resulting challenges – but it must. The reputation and well-being of those organizations upon which we rely to practice the healing arts depends on it,” he said…

Holes in the fence?

This story, by Joseph Conn with Modern Healthcare, quotes Patient Privacy Rights, Dr. Blumenthal the National Coordinator for Health IT, and many others, all calling for meaningful consent and privacy.

See these great quotes from Alan Westin:

  • the removal of consent from HIPAA by federal rulemakers in 2002 “left us high and dry,” but with the improvements to HIPAA in the stimulus law, “I think the raw materials for excellence are there.”
  • Privacy protection will depend again on HHS rulemakers, however, he says. (A proposed privacy rule addressing HIPAA modifications from the stimulus law was released by HHS in July, but a final rule is pending.) If it’s not addressed, Westin says, don’t be surprised if there is consumer backlash.
  • “I think we’re at a pivotal moment,” Westin says, given the massive inflows of federal IT subsidies about to begin. “Just imagine a lawsuit as a class action with all the people who would otherwise be swept into a network saying, ‘I did not give my consent,’ and asking the court to intervene.”
  • he sees “a dangerous trend” developing in healthcare IT in which patients are regarded as “inert data elements, not conscious persons” who have the right to make informed choices regarding “how their health information is used beyond the direct care settings.”
  • “You have to have privacy orienting systems at the design,” he says. “If the plumbing all gets in, it’s going to be very costly to tear it down and change it.”

Below are a few sections of the article. To see the full article, follow this link to Modern Healthcare.

Is the primary federal privacy law up to the task of protecting patient information in the 21st century?

It’s a question we put to opinion leaders in the legal, research, policy, ethics, provider and technology fields within the healthcare privacy community. It comes as hospitals and office-based physicians ramp up adoption of electronic health-record systems and join information exchanges to qualify for their share of the $27 billion in federal information technology subsidy payments available under the American Recovery and Reinvestment Act of 2009, also known as the stimulus law…

…A new challenge will be to regulate against the abuse of data outside the scope of HIPAA. “You encounter personal health records, where people put their health information on a cell phone, or on Google and Microsoft, and Google and Microsoft are not covered entities. We need to figure out what the privacy framework is for personal health records and other sharing of personal information.”

Deborah Peel is the practicing psychiatrist who founded the Patient Privacy Rights Foundation in Austin, Texas. To Peel, the HIPAA paradigm is obsolete and inadequate and needs to be replaced.

“You can’t draw a fence around who has sensitive health information,” Peel says. “It might have made sense 20 years ago, but it is a model that doesn’t fit the realities of today. It’s based on an anachronistic view of the healthcare system, as if it’s totally separate from everything else in business and in life, and if technology has taught us anything, it’s that that’s not effective.”

Peel also says the 42 CFR Part 2 framework should be applied to all patient data. “Healthcare information, because of the Internet, is everywhere; therefore, the protections must follow the data,” she says. “If we don’t say a damn word about social media and websites and the rest, we lose because that information is out there in all of those places.”

Privacy desires ignored

For psychiatrist Deborah Peel, maybe patient privacy and patient consent aren’t identical twins, but they’re sure close relatives.

Not surprisingly, a recent Zogby International poll commissioned by Peel’s not-for-profit Patient Privacy Rights Foundation, Austin, Texas, focuses on patient consent and its relationship to privacy—a unity the federal government has chosen to either ignore or deny.

The 2,000 adult poll respondents reached by Zogby via the Internet put great store in their right to privacy. They cling to the quaint notion that they should be asked before their electronic health records are sent skittering off to unknown users for unknown purposes. See full poll results here.

Silly them.

HHS rulemakers wrote away a key right to privacy eight years ago.

An HHS revision to the Health Insurance Portability and Accountability Act privacy rule in 2002 stripped away one of the broader authorities giving patients the right to control the flow of their medical information. HHS rulemakers did it by eliminating the right of consent. They took a stringent privacy protection rule and transformed it into a disclosure rule.

There are a lot of bright folks who have warned HHS that this privacy issue broadly—and this HIPAA privacy rule revision, specifically—are going to explode on the healthcare industry. One of the more insistent voices has been Peel’s, but she by no means alone.

Majority of Americans want personal control of health information

It’s hard to get Americans to agree on much these days, but overwhelming majorities seem to want control over their own electronic health information.

A poll from Dr. Deborah Peel’s Patient Privacy Rights Foundation and Zogby International found that 97 percent of the more than 2,000 U.S. adults surveyed believe that hospitals, physicians, laboratories and IT vendors should not be allowed to sell or share “sensitive health information” without consent. Ninety-eight percent are opposed to health insurance companies marketing personal health information, according to the survey.

See full poll results here.