Americans Want to Control Their Health Information

Health privacy watchdog Patient Privacy Rights and Zogby International surveyed 2,000 people, and found that almost all object to doctors, hospitals, and insurance companies sharing or selling their information without their consent. An overwhelming majority also wants to decide not only which companies and government agencies can access their electronic health records, but which individuals.

See the Survey Results

Hospitals and doctors are currently busy implementing the first stage of requirements under the HITECH Act, which calls for providing patients within the next two years with an electronic copy of their physical, test results, and medications. Ultimately, patients should be able to access their electronic health record online.

Poll: Huge majorities want control over health info

AUSTIN, TX – Patient Privacy Rights, the health privacy watchdog, has enlisted the help of Zogby International to conduct an online survey of more than 2,000 adults to identify their views on privacy, access to health information, and healthcare IT. The results were overwhelmingly in favor of individual choice and control over personal health information.

View the full poll results here.

Ninety-seven percent of Americans believe that doctors, hospitals, labs and health technology systems should not be allowed to share or sell their sensitive health information without consent.

The poll also found strong opposition to insurance companies gaining access to electronic health records without permission. Ninety-eight percent of respondents opposed payers sharing or selling health information without consent.

“No matter how you look at it, Americans want to control their own private health information,” said Deborah Peel, MD, founder of Patient Privacy Rights. “We asked the question, ‘If you have health records in electronic systems, do YOU want to decide which companies and government agencies can see and use your sensitive data?’ Ninety-three percent said ‘Yes!'”…

…The group advocates a ‘one-stop shop’ website where consumers can set up consent directives or rules to guide the use and disclosure of all or part of their electronic health information; if a request to use or sell health data is not covered by privacy rules, they can be ‘pinged’ via cell phone or e-mailed for informed consent.

Patient Privacy Rights calls this solution the “Do Not Disclose” list – similar to the national “Do Not Call” list. If a patient’s name is on the list, any organization that holds his or her sensitive health information, from prescriptions to DNA, must first explain how that information will be used before being granted permission.

Steady Bleed: State of HealthCare Data Breaches — Comments

Comments on Information Week Article: Steady Bleed: State of HealthCare Data Breaches

This is a very ominous story. As every state rushes to connect offices and hospitals with weak security and privacy together to exchange data, the federal government is giving doctors and hospitals tens-to-hundreds of thousands of dollars to install electronic health records that also lack ironclad security and also prevent patients from controlling their records. Hooking systems of ‘weak links’ to thousands of new systems that are also ‘weak links’ is a prescription for disaster.

Like the author, Patient Privacy Rights has been pointing out the abysmal state of health data security for years. What the author does not know is Congress LISTENED TO PATIENTS. Senator Snowe deserves credit for these consumer protections because she refused to allow the meaningful breach protections she crafted to be weakened. Powerful support by the bipartisan Coalition for Patient Privacy (see our letter to Congress) helped convince Congress to put Senator Snowe’s tough breach reporting and tough penalties into the stimulus bill. Perhaps now those who hold our sensitive health data will start to take security seriously.

What is really new in this story are FairWarning’s report about the very high monthly frequency of breaches in doctor’s offices and major hospitals in the US and across the world. The statistics from FairWarning show clearly that the number of breaches officially reported to HHS are just the tip of the iceberg. See quotes:

  • 200-bed hospital with a few small clinics, Rurally based: 24 confirmed incidents [breaches] per month.
  • U.S. based physician practice with 20 clinics metro and rurally dispersed: 29 confirmed incidents [breaches] per month.
  • UK based teaching hospital in major metropolitan area as well as rurally based facilities: 130 confirmed incidents [breaches] per month
  • Top 50 U.S. Health System with multiple affiliated hospitals and clinics – Based in a major metropolitan area: 125 confirmed incidents [breaches] per month.

You can see reported breaches to HHS affecting 500 or more here: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Proposed United States medical privacy rules deemed inadequate

In Tennessee, the theft of 57 computer hard drives at a health insurance call center exposed personal information on as many as one million people. In Virginia, the hacking of a government prescription database compromised millions of records. In California and beyond, celebrity peepers have snooped on the medical particulars of stars.

This is already a digitized world, as the health system juggles vast volumes of the most deeply private information. Add to that the acceleration in US doctors’ offices of electronic record-keeping, spurred by hefty aid from a government eager to reap efficiencies in medical care.

Trying to keep all of that information properly corralled is a tall order. And President Barack Obama’s administration has backtracked on a major attempt to sort out the thicket of privacy rules supporting that effort.

The Health and Human Services Department published a set of regulations governing how health care providers must respond when medical privacy is breached. The rules, although not final, had the force of law. But now the department is retracting them. “This is a complex issue,” the department said by way of understatement.

Privacy advocates and members of Congress had sharply criticized the controls as inadequate. After a period of reflection — and reportedly pressure from the White House — the department appeared to agree…

Watchdogs asserted that health professionals should not be the judge of whether a breach is significant enough to a patient’s livelihood or reputation. “That puts the foxes in charge of the hen coops,” says Dr. Deborah C. Peel, founder and chair of the Patient Privacy Rights Foundation, which presses for strict consumer safeguards. “It shows the incredible overbearing influence of industry in the crafting of regulations. The idea that someone else knows when you’re harmed better than you do, doesn’t make sense.”

New HIPAA rules need more clarification

When it comes to the new HIPAA privacy and security standards, it seems like everybody has an opinion. Quite a few organizations are spreading the word about the comments they’ve filed in response to the changes HHS proposed in July…

…On the consumer side, the Coalition for Patient Privacy, led by Dr. Deborah Peel’s Patient Privacy Rights Foundation, is lobbying hard for the final rule to restore the right to patient consent for PHI disclosure that HHS stripped from the HIPAA privacy rule in 2002.

“We strongly recommend that HHS require the use of the consent and segmentation technologies showcased June 29 at the Consumer Choices Technology hearing sponsored by HHS/ONC for all HIT systems, HIE and the NHIN,” the coalition says in its letter. “The innovative, low-cost, effective privacy‐enhancing technologies available that can empower patients to have ‘maximal control over PHI’ should be viewed as what is possible now, not 10 years from now.”

Coalition Urges HHS To Restore Patient Control Over Access to Health Data NOW

On Monday, September 13th 2010, the Coalition for Patient Privacy sent in comments to HHS regarding Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the HITECH Act. Ensuring Americans’ control over health information is critical for quality health care and the success of health information technology (HIT). The Coalition applauds the efforts of the Department of Health and Human Services (HHS) to revise HIPAA. However, the Coalition also urges HHS to require use of robust electronic consent and segmentation tools to assure compliance with the consumer privacy and security protections in HITECH and existing rights in state and federal law and medical ethics.

View the proposed modifications to HIPAA
View the Full Comments from the Coalition for Patient Privacy
View the Press Release

Consumer Advocate: Patient Consent Vital

Deborah Peel, M.D., founder of Patient Privacy Rights, on protecting the privacy of healthcare information.
Listen to the Interview Here.

Patients have inadequate control over who can access their healthcare information, but existing technologies can solve the problem, says consumer advocate Deborah Peel, M.D.

Her organization, Patient Privacy Rights, recently issued a white paper outlining an approach to giving patients opportunities to offer informed consent for accessing their records. In an interview, Peel outlined the key points in the report…

View a PDF version of the white paper: The Case for Informed Consent
Listen to the interview: Patient Consent Vital

The Case for Informed Consent

Austin, TX — Patient Privacy Rights (PPR), the nation’s leading health privacy watchdog released a white paper entitled, “The Case for Consent: Why it is Critical to Honor What Patients Expect: for Health Care, Health IT and Privacy.” The paper is designed to be a primer on health privacy and argues that the primary stakeholder in health care, the patient, must retain control over their personal health information. The white paper is available online at http://patientprivacyrights.org/wp-content/uploads/2010/08/The-Case-for-Informed-Consent.pdf.

The white paper tackles the arguments made that patient control is too technically difficult, is too expensive, or is too complex, among others. In fact, robust privacy-enhancing technologies are in use now that ensure both progress and privacy. Technology can enable control over personal health information today and likely simplify our systems and lower costs.

“Patients know what they want,” says Patient Privacy Rights’ founder, Deborah Peel, MD. “It is a mistake to design health IT in a paternalistic manner — assuming a corporation, vendor, provider or government agency knows what is best for each individual patient.”

View the white paper: The Case for Informed Consent

What do we think of the new recommendations?

The Tiger team continues to make policy recommendations that clearly violate the law and the Administration’s new privacy policies. See story on release by Modern Healthcare.

Apparently they did not hear Secretary Sebelius announce a new “Administration-wide commitment to make sure no one has access to your personal information unless you want them to” on July 8th (see here).

Or hear Dr. Blumenthal say “we want to make sure it is possible for patients to have maximal control over PHI.” See: http://patientprivacyrights.org/2010/07/ppr-impressed-with-hhs-privacy-approach/

At the Consumer Choices Technologies Hearing on June 29th, one of the ‘granular consent’ technologies demonstrated has been exchanging behavioral health records on 4 million patients for over 10 years, in 9 states and 22 jurisdictions. Newer, more robust consent technologies showcased that day are also in use. See: http://nmr.rampard.com/hit/20100629/default.html

The Tiger team calls these privacy-enhancing technologies “looming” because they are not widely used. If the HIT Policy Committee recommends against technologies for robust consent and segmentation, as they did for “meaningful use” EHRs, they ensure the limited use of privacy-enhancing technologies, which can therefore continue to be described as “looming”. It’s a neat trick to recommend policy that perpetuates the status quo and violates our rights to health privacy. To create wide use of these technologies, they must be required in policy as well as the law.

HITECH in fact does require patient consent before PHI can be sold and states that private-pay patients should be able to prevent their data from flowing to insurers for payment and health care operations. And it is also a legal and ethical requirement to obtain informed consent before disclosures of sensitive health information in all 50 states. Therefore, robust electronic consents and segmentation are required by law today. Policies should match the law.

Instead, the recommendations from the Tiger team guarantee that the theft and sale of patient data will grow exponentially and data will flow unchecked by patient consent or segmentation through HIEs and the NHIN to even more thieving vendors and corporations. Americans’ jobs, credit, and reputations are being destroyed to improve corporate revenues. This sick, greedy transformation of the health care system cannot be hidden and will destroy trust in HIT, HIE, and in legitimate clinical, academic, and public health and population research.

Most HIT products and systems were not designed to comply with patients’ rights to control personal health information. And vendors won’t ever willingly update them, because selling patient data can be a far greater source of revenue than selling software or caring for sick people.

Back to the crucial question: how can the Tiger team recommend policy that violates existing law? Why don’t the Tiger Team and the HIT Policy Committee recommend that HIT vendors , CEs, and BAs COMPLY with state and federal privacy laws and protections and meet patients’ expectations?

The Tiger Team and HIT Policy Committee are both dominated by CEOs, employees, and beneficiaries of vendors or corporate for–profit “research” industries that want all OUR data without consent. Their fiduciary duties to stockholders explain their decisions to recommend policies that violate our privacy rights.

Today the health data theft/sale industry and corporate for-profit research industry are in charge of federal policy-making.

Their flawed business models, based on misleading shareholders and the public about what they really do, are fraudulent and deceptive trade practices.

The SEC brought Goldman Sachs to heel for misleading shareholders and the public about what their business model really was. The data theft and data sales industries and the corporate for-profit ‘research’ industry do exactly the same thing.

The entire US health care and HIT system will end up tarred and feathered and lose the public’s trust unless the health care and HIT corporations that protect privacy rights, and genuine clinical and academic researchers stand with patients to demand that patients control PHI.

Sign the ‘Do Not Disclose’ petition at http://patientprivacyrights.org/do-not-disclose/ and demand your rights to health privacy be enforced.

Health IT group drafts privacy recommendations

A federally chartered advisory work group charged in June with devising recommendations on privacy and security policies to support the government’s electronic health-record system subsidy program presented today its near-final list of guidelines to the Health Information Technology Policy Committee.

The work group, known as the privacy and security tiger team, met Monday and released what amounts to a consensus report on its recommendations, said Deven McGraw, co-chair of the tiger team and director of the Health Privacy Project at the Center for Democracy and Technology, a Washington think tank. The Health IT Policy Committee advises the Office of the National Coordinator for Health Information Technology at HHS…

According to the tiger team’s draft document posted on the HIT Policy Committee’s website, the team’s recommendations are based on “fair information practices,” a now globally accepted set of privacy policy guidelines that stems from a 1973 report by the U.S. Department of Health, Education and Welfare.

“All entities involved in health information exchange—including providers and third-party service providers like Health Information Organizations (HIOs) and intermediaries—follow the full complement of fair information practices when handling personally identifiable health information,” according to the tiger team proposal.