Privacy could ‘crash’ big data if not done right

April 15, 2014 | By Ashley Gold | FierceHealthIT

Privacy has the potential to crash big data before there’s a chance to get it right, and finding the right balance is key to future success, experts argued at a Princeton University event earlier this month.

The event, titled “Big Data and Health: Implications for New Jersey’s Health Care System,” featured four panels exploring health, privacy, cost and transparency in regard to how big data can improve care and patient outcomes, according to an article on the university’s website.

“Privacy will crash big data if we don’t get it right,” Joel Reidenberg, visiting professor of computer science at Princeton and a professor at Fordham University’s School of Law, said at the event.

To view the full article, please visit Privacy could ‘crash’ big data if not done right

Kaiser Had Malware on Server for 2.5 Years

By Joseph Goedert | April 8, 2014 | HealthData Management

The Northern California division of Kaiser Permanente is notifying about 5,100 patients that protected health information was on a server found in February 2014 to be infected with malicious software.

In a letter to patients, the organization says it believes the server was infected in October 2011. Kaiser removed the server, which was used to store research data, and confirmed that other servers were not affected and were appropriately secured. “We currently have no information that any unauthorized person accessed the information on the server,” according to the patient letter. “However, the malicious software broke down the server’s security barriers so we are investigating and responding with a very high level of caution and concern. We are very sorry that this happened.”

Information on the server included patient name, date of birth and gender, and also may have included address, race-ethnicity, medical record number, lab results associated with research, and patient responses to questions related to research studies in which they participated. Social Security numbers and data from Kaiser’s electronic health record were not held on the server.

The new breach soon will be listed on the HHS Office for Civil Rights’ website of major security breaches affecting 500 or more individuals, and it will be Kaiser’s fourth posting on the site.

In late 2013, a missing flash drive from the nuclear medicine department at Anaheim Medical Center resulted in notifications sent to about 49,000 patients. Also in 2013, Kaiser notified 647 patients after learning of unauthorized access/disclosure of the EHR. In late 2009, the organization notified about 15,500 patients following the theft of an electronic portal device.

Advances in health IT must be viewed as a whole

by Andy Oram | @praxagora | April 7, 2014

Reformers in health care claim gigantic disruption on the horizon: devices that track our movements, new treatments through massive data crunching, fluid electronic records that reflect the patient’s status wherever she goes, and even the end of the doctor’s role. But predictions in the area of health IT are singularly detached from the realities of the technical environment that are supposed to make them happen.

To help technologists, clinicians, and the rest of us judge the state of health IT, I’ve released a report titled “The Information Technology Fix for Health: Barriers and Pathways to the Use of Information Technology for Better Health Care.” It offers an overview of each area of innovation to see what’s really happening and what we need to make it progress further and faster.

To view the full article, please visit: Advances in health IT must be viewed as a whole

3 Reasons Your Medical Records Are at Risk

When hospitals find themselves in the middle of a breach, they usually prioritize improving their security to prevent further security breach incidents.

In addition to defending themselves against data breaches, health systems also need to find the right balance to adequately protect their patients’ privacy.

Since medical information is stored digitally, patients may not be fully aware how crucial it is to protect their data from being seen by unauthorized persons. Some privacy breaches may be avoidable, and learning from these mistakes is essential for health systems to maintain security of sensitive patient information. Here are three reasons why patient security may be lacking at health organizations.

Privacy Is on the Back Burner

When health IT systems are built, ensuring patient privacy is usually not on the forefront of designers’ and engineers’ minds. These IT experts usually put system functions ahead of privacy, which could result in poor privacy protection down the road. Some developers may also leave out privacy features altogether, which could put patient information at risk for being compromised.

Human Error

In a recent report, psychiatric facilities in Texas suffered a string of data breaches, but the majority of them were caused by human error, The Republic reported.

Deborah Peel, the Austin founder of watchdog group Patient Privacy Rights, said repeated data breach incidents could lead patients to question whether their information is secure, which could cultivate distrust among patients. “Our patients deserve privacy and expect that their information is kept confidential,” said Christine Mann, spokeswoman for the Texas Department of State Health Services.

To view the full article please visit: 3 Reasons Your Medical Records Are at Risk

Judge Rules Patients Have a Reasonable Expectation of Privacy in Rx Records

The ACLU recently challenged the Drug Enforcement Administration’s practice of obtaining Oregon patients’ confidential prescription records without a warrant. PPR’s Dr. Deborah Peel submitted a declaration in support of the ACLU’s position, which you can read here.

Good news: It’s a win for privacy! In an opinion issued today, the judge ruled that patients have a reasonable expectation of privacy in their prescription records under the Fourth Amendment, and that the DEA needs a warrant to obtain records from the Oregon Prescription Drug Management Program (PDMP).

To read the judge’s opinion, click here.

To read more from Nathan Wessler, an ACLU attorney working on the case, click here.

Revelations by AOL Boss Raise Fears Over Privacy

By Natasha Singer
NYTimes.com, February 10, 2014

Tim Armstrong, the chief executive of AOL, apologized last weekend for publicly revealing sensitive health care details about two employees to explain why the online media giant had decided to cut benefits. He even reinstated the benefits after a backlash.

But patient and work force experts say the gaffe could have a lasting impact on how comfortable — or discomfited — Americans feel about bosses’ data-mining their personal lives.

Mr. Armstrong made a seemingly offhand reference to “two AOL-ers that had distressed babies that were born that we paid a million dollars each to make sure those babies were O.K.” The comments, made in a conference call with employees, brought an immediate outcry, raising questions over corporate access to and handling of employees’ personal medical data.

“This example shows how easy it is for employers to find out if employees have a rare medical condition,” said Dr. Deborah C. Peel, founder of Patient Privacy Rights, a nonprofit group in Austin, Tex. She urged regulators to investigate Mr. Armstrong’s disclosure about the babies, saying “he completely outed these two families.”

To view the full article, please visit Revelations by AOL Boss Raise Fears Over Privacy

Petition for OSTP to Conduct Public Comment Process on Big Data and the Future of Privacy

February 10, 2013

Patient Privacy Rights, joined by EPIC, ACLU, Center for Democracy & Technology, EFF and 24 other consumer privacy and public interest organizations asked the White House’s Office of Science and Technology Policy to issue a Request for Information in order to conduct a review that incorporates the concerns and opinions of those whose data may be collected in bulk as a result of their engagement with technology.

“We believe that the public policy considerations arising from big data and privacy are issues of national concerns that ‘require the attention at the highest levels of Government.’”

The Coalition for Patient Privacy believes that the “OSTP should consider a broad range of big data privacy issues, including but not limited to:
(1) What potential harms arise from big data collection and how are these risks currently addressed?
(2) What are the legal frameworks currently governing big data, and are they adequate?
(3) How could companies and government agencies be more transparent in the use of big data, for example, by publishing algorithms?
(4) What technical measures could promote the benefits of big data while minimizing the privacy risks?
(5) What experience have other countries had trying to address the challenges of big data?
(6) What future trends concerning big data could inform the current debate?”

For more information, see EPIC, Coalition Urge White House to Listen to Public on “Big Data and Privacy”

To view a copy of the letter, please visit Petition for OSTP to Conduct Public Comment Process on Big Data and the Future of Privacy

My Baby and AOL’s Bottom Line

By Deanna Fei
Slate Magazine, February 9, 2014

That “distressed baby” who Tim Armstrong blamed for benefit cuts? She’s my daughter.

Late last week, Tim Armstrong, the chief executive officer of AOL, landed himself in a media firestorm when he held a town hall with employees to explain why he was paring their retirement benefits. After initially blaming Obamacare for driving up the company’s health care costs, he pointed the finger at an unlikely target: babies.

Specifically, my baby.

“Two things that happened in 2012,” Armstrong said. “We had two AOL-ers that had distressed babies that were born that we paid a million dollars each to make sure those babies were OK in general. And those are the things that add up into our benefits cost. So when we had the final decision about what benefits to cut because of the increased healthcare costs, we made the decision, and I made the decision, to basically change the 401(k) plan.”

Within hours, that quote was all over the Internet. On Friday, Armstrong’s logic was the subject of lengthy discussions on CNN, MSNBC, and other outlets. Mothers’ advocates scolded him for gross insensitivity. Lawyers debated whether he had violated his employees’ privacy. Health care experts noted that his accounting of these “million-dollar babies” seemed, at best, fuzzy.

Plenty of smart, witty people took to Twitter to express their outrage—or mock outrage. The phrase “distressed babies” became practically an inside joke, as in, “How many distressed babies does AOL pay this guy?” A few AOL employees made cracks like this: “I swear I didn’t have any babies in 2012. Don’t hate me for messing up your 401(k).”

To view the full article, please visit My Baby and AOL’s Bottom Line

Privacy Tools: Opting Out from Data Brokers

By Julia Angwin
ProPublica, Jan. 30, 2014

Data brokers have been around forever, selling mailing lists to companies that send junk mail. But in today’s data-saturated economy, data brokers know more information than ever about us, with sometimes disturbing results.

Earlier this month, OfficeMax sent a letter to a grieving father addressed to “daughter killed in car crash.” And in December, privacy expert Pam Dixon testified in Congress that she had found data brokers selling lists with titles such as “Rape Sufferers” and “Erectile Dysfunction sufferers.” And retailers are increasingly using this type of data to make decisions about what credit card to offer people or how much to charge individuals for a stapler.

During my book research, I sought to obtain the data that brokers held about me. At first, I was excited to be reminded of the address of my dorm room and my old phone numbers. But the thrill quickly wore off as the reports rolled in. I was equally irked by the reports that were wrong — data brokers who thought I was a single mother with no education — as I was by the ones that were correct — is it necessary for someone to track that I recently bought underwear online? So I decided to opt out from the commercial data brokers.

View the full article here, Privacy Tools: Opting Out from Data Brokers and get a list of the names of companies that track your information, links to their privacy pages, and instructions on how to opt out.

WPF Report — Paying out of Pocket to Protect Health Privacy: A New but Complicated HIPAA Option; A Report on the HIPAA Right to Restrict Disclosure

San Diego & Washington, D.C. — The World Privacy Forum published a new report today that helps patients understand and use the new HIPAA right to restrict disclosure of their medical information to health plans when treatment is paid for out of pocket in full. The report contains practical advice and tips for patients about how to navigate the new right, which went into effect last year. Paying Out of Pocket to Protect Health Privacy: A New but Complicated HIPAA Option; A Report on the HIPAA Right to Restrict Disclosure is one of the first reports on this topic written for patients.

“The new HIPAA right that lets patients restrict disclosures of their health information is actually not well known yet, and that needs to change,” said Pam Dixon, Executive Director of the World Privacy Forum. “This report has specific, concrete tips and information that will help patients use this important new right.” The report, written by Bob Gellman and Pam Dixon, is available free of charge at www.worldprivacyforum.org.

Key points:

  • A patient has the right to prevent a health care provider from reporting information to a health insurer if the patient pays in full.
  • In order to prevent disclosure of information to a health plan, patients must make a Request to Restrict Disclosure.
  • Under the new changes to HIPAA, a patient has the firm right to demand, not just request, that a provider not disclose PHI to a health plan when certain conditions are met.
  • The conditions to be met can be complex, and work best with some advance planning.

Additional tips are in the report.

The bipartisan Coalition for Patient Privacy worked to get this key consumer protection into HITECH.

Bob Gellman and Pam Dixon are available to discuss tips and advice for patients on how to use the new HIPAA right.

Links:

The report Paying Out of Pocket to Protect Health Privacy: A New but Complicated HIPAA Option; A Report on the HIPAA Right to Restrict Disclosure is available in PDF or in text.

Permalink: http://www.worldprivacyforum.org/2014/01/wpf-report-paying-out-of-pocket-to-protect-health-privacy/

Contact:

Bob Gellman 202-543-7023

Pam Dixon 760-712-4281

info@worldprivacyforum.org