The Changing Landscape – The Impact to Patients’ Privacy

Both President Bush and President Obama agree that every American should have an electronic health record by 2014. Congress agrees too and has poured $27 billion into digitizing the healthcare system.  Using data instead of paper records, technology tools can analyze mountains of health information to understand what treatments work best for each of us, improve quality, facilitate research, and lower costs. Strong support for electronic health records systems and health data exchanges is bipartisan.

But the systems being funded have major, potentially fatal design flaws which are NOT being addressed by either party:

-Patients have no control over who sees or sells sensitive personal health information.

-Comprehensive, effective data security measures are not in use; 80% of health data is not even encrypted.

-Health data is held in hundreds or thousands of places we have never heard of because of hidden data flows.

-Hundreds of thousands of employees of corporations, third parties inside and outside the healthcare system, researchers, and government agencies can easily obtain and use our personal health information, from prescription records to DNA to diagnoses.

-There is no “chain of custody” for our electronic health data.

The consequences of the lack of meaningful and comprehensive privacy and security protections for sensitive health data are alarming. Over 20 million patients have been victims of health data breaches – these numbers will only increase. Millions of patients each year are victims of medical ID theft, which is much harder to discover and much more costly than ID theft. Such easy access to health data by thousands of third parties is causing an explosion of healthcare fraud (see FBI press release on $100M Armenian-American Fraud ring: http://www.fbi.gov/newyork/press-releases/2010/nyfo101310.htm). Equally alarming, this lack of privacy can cause bad health outcomes, millions of people every year avoid treatment because they know their health data is not private:

-HHS estimated that 586,000 Americans did not seek earlier cancer treatment due to privacy concerns. 65 Fed. Reg. at 82,779

-HHS estimated that 2,000,000 Americans did not seek treatment for mental illness due to privacy concerns. 65 Fed. Reg. at 82,777

-Millions of young Americans suffering from sexually transmitted diseases do not seek treatment due to privacy concerns. 65 Fed. Reg. at 82,778

-The Rand Corporation found that 150,000 soldiers suffering from PTSD do not seek treatment because of privacy concerns. “Invisible Wounds of War”, The RAND Corp., p.436 (2008). Lack of privacy contributes to the highest rate of suicide among active duty soldiers in 30 years.

Public distrust in electronic health systems and the government will only deepen unless these major design flaws are addressed.

The President’s Consumer Privacy Bill of Rights shows he knows that trust in the Internet and electronic systems must be assured. The same principles that will ensure online trust must also be built into the healthcare system — starting with Principle #1:

“Consumers have a right to exercise control over what personal data companies collect from them and how they use it.”

How a Lone Grad Student Scooped the Government and What It Means for Your Online Privacy

See the full article at ProPublica.org: How a Lone Grad Student Scooped the Government and What It Means for Your Online Privacy

Sobering.  Silicon Valley decides what privacy rights we have online, in clouds, in electronic health systems, in apps, on social media, and on mobile devices. Our fundamental Constitutional rights to privacy—to control personal information about our lives, minds, and bodies—is defended by lone grad students, European Data Commissioners, a few small privacy advocacy organizations, the FTC, and a handful of whistleblowers.

A PREDICTION: Selling intimate cyber-profiles will end when the public discovers that NOTHING about their minds and bodies is private.

The lack of control over sensitive health data will be the nation’s wake-up call to rein in Silicon Valley and restore the right to be ‘let alone’. See: Olmstead v. United States, 277 U.S. 438, 478, 48 S.Ct. 564, 572 (1928) (Brandeis J., dissenting).

  • Cyber-profiles of our minds and bodies contain far more sensitive information than mothers, lovers, friends, Rorschach tests, or psychoanalysts could ever reveal.
  • “If you are not paying for it, you’re not the customer; you’re the product being sold”, see Andrew Lewis at: http://www.metafilter.com/user/15556.
  • 35-40% of us are “Health Privacy Intense”—-a very large minority; see Westin’s keynote slides from the 1st International Summit on the Future of Health Privacy:http://tiny.cc/9alvgw

THE TIPPING POINT will be when the public discovers that electronic health systems facilitate cyber-theft, data mining, data sales, ‘research’ without consent, and allow thousands of strangers to snoop in millions of patient records (think George Clooney and more: http://www.foxnews.com/story/0,2933,348988,00.html).

Health data is the most sensitive personal information on Earth. Everything from prescription records to DNA to diagnoses are HOT BUTTONS.

Instead of enabling patients to decide which physicians or researchers they want to see their health records, corporate and government data holders decide who can use and sell Americans’ sensitive health data—-upending centuries of law and ethics based on the Hippocratic Oath, which requires physicians to ask consent before disclosing any information.

Office of the National Coordinator of Health IT, HHS, Announces PPR Summit

To learn more visit Health Privacy Summit and HealthIT.

The Second International Health Privacy Summit is quickly approaching (June 6-7). Our keynote speaker, Farzad Mostashari, MD, ScM is the National Coordinator for Health IT and will be giving a wonderful presentation on “Creating a Culture of Privacy and Security Awareness.” The Office of the National Coordinator for Health IT has given great support to this event and will be participating as well. Here’s what they have to say about the Health Privacy Summit:

June 6-7
2nd International Summit on the Future of Health Privacy

Over 40 leading health-privacy experts from around the globe will gather in Washington, DC for the 2nd International Summit on the Future of Health Privacy to discuss privacy and security issues raised by emerging health technologies. Experts from the U.S. government, the private sector and academia will explore new laws and regulations, data exchanges, secondary uses of health data and social media platforms and how they relate to the privacy and security of patient health information.

National Coordinator for Health Information Technology – Farzad Mostashari, MD, ScM – will kick off this year’s event with a keynote presentation on “Creating a Culture of Privacy and Security Awareness.”

See the full list of speakers at http://www.healthprivacysummit.org/d/3cq92g/6K .

* Agenda: http://www.healthprivacysummit.org/d/3cq92g/6X
* Registration: http://www.healthprivacysummit.org/d/3cq92g/4W FREE to attend or watch live online!

Harvard’s Data Privacy Lab launching health record bank

Read the full article at: http://www.nhinwatch.com/perspective/harvard’s-data-privacy-lab-launching-health-record-bank

Some key points from the story:

“In a major new development in the world of health IT, the Data Privacy Lab in the Institute of Quantitative Social Science at Harvard University will soon unveil a health record bank (HRB) that allows anyone to own and manage a complete, secure, digital copy of their health records and wellness information with a free account. This is the first time that a prominent academic institution is hosting an HRB for use by the general public and communities nationwide.”

“This launch is important for health IT because an HRB can provide and sustain all the capabilities of a fully functional health information infrastructure (HII):
1. It allows access to comprehensive individual electronic patient records, aggregation of population information for public health and medical research, and record searching to facilitate patient-specific notifications;
2. Privacy is protected since each patient determines who can access which portions of their own health records;
3. Collecting patient information is assured – since patients request their records, all providers must supply them (under HIPAA and for Stage 2 Meaningful Use);
4. It is inexpensive to operate since it obviates the need for the complex and costly real-time record locator services necessary when each patient’s records from all sources are not centrally stored;
5. Patient consent enables innovative applications linked to HRB accounts, providing compelling value to consumers and other stakeholders (e.g., reminders and alerts), thereby ensuring more than enough revenue for financial sustainability. HRBs could even fund permanent, ongoing EHR incentives to office-based providers to help further promote widespread adoption and standards compliance. The HRB at Harvard therefore represents a feasible and readily achievable HII paradigm that can be utilized by individuals and communities nationwide.”

WH Initiative: Consumer Privacy Bill Of Rights

In a press release from the White House, February 22nd, 2012:

“The Obama Administration unveiled a “Consumer Privacy Bill of Rights” as part of a comprehensive blueprint to protect individual privacy rights and give users more control over how their information is handled. This initiative seeks to protect all Americans from having their information misused by giving users new legal and technical tools to safeguard their privacy. The blueprint will guide efforts to protect privacy and assure continued innovation in the Internet economy by providing flexible implementation mechanisms to ensure privacy rules keep up with ever-changing technologies. As a world leader in the Internet marketplace, the Administration believes the United States has a special responsibility to develop privacy practices that meet global standards and establish effective online consumer protection. ”

To read more about the proposed bill here are some additional resources:

Read Fact Sheet

Read Full Proposal

Additional White House Press Release

View the Press Conference on CNN’s Video Library

National experts to meet at HIMSS to promote health record banks

See the full article at: http://www.nhinwatch.com/perspective/national-experts-meet-himss-promote-health-record-banks

Experts are planning to meet at HIMSS to discuss “strategies to promote and accelerate development and adoption of HRBs – community-based personally controlled repositories of electronic health records.”

Some key points:

  • -“HRBs can provide effective and efficient health information infrastructure (HII) in communities by simultaneously addressing the interdependent requirements of privacy, stakeholder participation and financial sustainability.”
  • -“HRB allows patients to readily and conveniently manage their access permissions in one place. In addition to being an effective approach to privacy, patient control also ensures that stakeholders make information available.”

The article goes on to list the cost and efficiency revenue advantages of HRBs as well as the privacy implications.

Much Ado About Data Ownership

Abstract: Recently there have been calls to clarify ownership of data held in large health information networks. This article explores the realities of what patient data ownership would imply to explain why a clearer allocation of entitlements to raw health data would neither enhance patient privacy nor promote access to valuable data resources for public health and research. It updates the debate to account for the 2009 HITECH Act, which correctly recognized that raw patient data are not the valuable resource; these data acquire value only through the application of infrastructure services. The HITECH Act drew on a long tradition of American infrastructure regulation that offers real promise in resolving the infrastructure bottlenecks which (rather than the unresolved status of data ownership) have been the key impediment to data access. Despite this progress there are two unresolved problems, both heretofore neglected in the literature: First, the existing federal regulatory framework governing data access conceives the state’s police power to use data to promote public health much more narrowly than the police power is conceived in all other legal contexts. Second, existing regulatory provisions allowing nonconsensual access to data for research fail to incorporate any “public use” requirement to ensure that unconsented research uses of data are justified by a publicly beneficial purpose. As things stand, persons whose health data are used in research have no assurance that the use will serve any socially beneficial purpose at all. This article reframes the debate. The right question is not who owns health data. Instead, the debate should be about appropriate public uses of private data and how best to facilitate them while adequately protecting individuals’ interests.

Barbara J. Evans: Associate Professor; Co-director, Health Law & Policy Institute, University of Houston Law Center, : Barbara J. Evans, Much Ado About Data Ownership, 25 HARVARD JOURNAL OF LAW & TECHNOLOGY (forthcoming 2011), available at: http://ssrn.com/abstract=1857986
bjevans@central.uh.edu. J.D., Yale Law School; Ph.D., Stanford University; Post-doctoral Fellow, The University of Texas M.D. Anderson Cancer Center. This research has been supported by the Greenwall Foundation and by the University of Houston Law Foundation.

Open-Source Health Care Software

It’s a great read and critical viewpoint. To view the full article, please visit Open-Source Healthcare Software.

Key Quotes:

  • -“Unlike devices and services, most medical software is not regulated, placing the burden of safe and effective use on the physician.”
  • -“Despite the obvious benefits, open-source software is still rare in medical practice because, as with music and other information-based products, it is easy to copy.”
  • -“As medical software begins to offer decision support, risk management, performance rating, and analytic features, physicians should not accept black boxes and secret formulas that constrain sharing and intimately affect patient care and remuneration.”
  • -“Software creators will not switch to producing open-source products voluntarily because they stand to lose money by doing so. Only physicians can drive this change, and this paper describes the reasons why doing so is important to our profession and our patients.”
  • -“The Direct Project hosted by the Department of Health and Human Services is open-source software for secure e-mail to replace the fax as the primary means of communication between practices and even with patients. Direct Project has many unique features as a result of its noncommercial open-source design, including universal addressing that is not tied to a particular vendor or institution. Universal addressing, like modern e-mail, does not restrict communications to members of a particular exchange.”
  • -“Open-source software offers the same benefits in medicine as it does in other fields. These include ethical advantages, access, innovation, cost, interoperability, integration, and safety.”
  • -“As physician income becomes increasingly tied to patient outcomes and dependent on coordination of care, lack of interoperability, integration, and standardization has begun to impact clinical practice. It is hardly surprising that interoperability and integration costs related to proprietary health care software are extremely high and that the true value of health care services is difficult to measure and compare.”
  • -“The broad ability of users to adopt and improve software creates diverse, global communities on the Internet with significant incentive to help each other.”
  • -“Proprietary software puts the physician at the mercy of the vendor, who is often more interested in acquiring new customers than serving locked-in customers”

Hospitals Wary of Hackers Seek Insurance from AIG

Bloomberg News aired a segment on the rising threat of electronic health information systems to patient privacy and tapped Jim Pyles, an expert from the first health privacy summit to speak.  He pointed out that the lack of adequate health data security, the ability to breach thousands or millions of records simultaneously, and the value of health data on black market as key causes of the growing number of reported health data breaches.

View the video here.

Synopsis: Doctors and hospitals adopting electronic patient records under a U.S. government program are exploring insurance policies to help cover the costs of medical-data breaches. Data breaches cost U.S. hospitals $12 billion over the past two years, according to a study by the Poneman Institute. Bloomberg’s Megan Hughes reports on “InBusiness with Margaret Brennan.”

Consumer Advocate: Patient Consent Vital

Deborah Peel, M.D., founder of Patient Privacy Rights, on protecting the privacy of healthcare information.
Listen to the Interview Here.

Patients have inadequate control over who can access their healthcare information, but existing technologies can solve the problem, says consumer advocate Deborah Peel, M.D.

Her organization, Patient Privacy Rights, recently issued a white paper outlining an approach to giving patients opportunities to offer informed consent for accessing their records. In an interview, Peel outlined the key points in the report…

View a PDF version of the white paper: The Case for Informed Consent
Listen to the interview: Patient Consent Vital