Re: “Web’s Hot New Commodity: Privacy”

In response to the WSJ article: Web’s Hot New Commodity: Privacy

Finally the market for digital privacy is being built! This reflects GROWING public awareness of data theft and misuse.

Yes, PPR will continue to call it “theft”. Data mining corporations are like squatters who sneak onto property and then claim it because the owners didn’t know what they were doing. Data miners are thieves because they know VERY well how hard it is for people to discover what they are doing, and further, they know that there is no way anyone can stop them from stealing personal information. Watch — as ways to protect personal data are developed and laws are proposed to prohibit what they do, they will try to make sure their illegal and unethical practices are “grandfathered in.” These practices must be outlawed in the Digital Age if Americans are to retain the most precious right in a Democracy: the right of law-abiding citizens to be “let alone.”

We must fight back and press Congress to outlaw all data theft and corporate contracts that require giving up control of personal information. We must press Congress to ENFORCE the ban on the sale of health data without consent.

It is now clear to entrepreneurs that people are starting to view personal information as an EXTREMELY valuable asset that many want to have treated as personal property. The fact that the nation’s prescription records were being sold without consent is why Congress banned the sale of protected health information (PHI)—OUR sensitive electronic health information—without consent in the stimulus bill.

There are many who fear that patients cannot meaningfully give consent to sell their health data; that they will easily sell it for next to nothing and not realize the consequences—such as job loss and generations of job and credit discrimination.

But the current situation is far worse and must be addressed: the huge health data mining industry operates in the shadows. AND we have NO WAY of identifying or preventing data mining corporations from stealing and selling our most sensitive data—from prescriptions to DNA. This secret industry is a behemoth, generating tens to hundreds of billions of dollars in annual revenue.

Letting secret, shadowy corporations continue to make billions/year selling the sensitive personal health data of every person in the U.S. is NOT a fair or sustainable solution to corporate and government data hunger. Why allow any industry built on theft? I can’t think of another legal industry built on theft.

Individuals should control PHI; morally and practically it is the only solution. But we need clear laws and boundaries in addition to individual control (consent), so that there are boundaries around exactly what data can be sold or used.

In Europe most uses of health data are flatly prohibited; in Germany there is no consent, but instead only a handful of uses of health data are permitted—the uses are tightly bounded. This is a very different approach than the US.

We ALSO need a framework of tightly bounded privacy protections for health data (in addition to informed electronic consents) that provides interactive education about consent decisions and sets defaults at the most privacy-protective level.

Holes in the fence?

This story, by Joseph Conn with Modern Healthcare, quotes Patient Privacy Rights, Dr. Blumenthal, the National Coordinator for Health IT, and many others, all calling for meaningful consent and privacy.

See these great quotes from Alan Westin:

  • the removal of consent from HIPAA by federal rulemakers in 2002 “left us high and dry,” but with the improvements to HIPAA in the stimulus law, “I think the raw materials for excellence are there.”
  • Privacy protection will depend again on HHS rulemakers, however, he says. (A proposed privacy rule addressing HIPAA modifications from the stimulus law was released by HHS in July, but a final rule is pending.) If it’s not addressed, Westin says, don’t be surprised if there is consumer backlash.
  • “I think we’re at a pivotal moment,” Westin says, given the massive inflows of federal IT subsidies about to begin. “Just imagine a lawsuit as a class action with all the people who would otherwise be swept into a network saying, ‘I did not give my consent,’ and asking the court to intervene.”
  • he sees “a dangerous trend” developing in healthcare IT in which patients are regarded as “inert data elements, not conscious persons” who have the right to make informed choices regarding “how their health information is used beyond the direct care settings.”
  • “You have to have privacy orienting systems at the design,” he says. “If the plumbing all gets in, it’s going to be very costly to tear it down and change it.”

Below are a few sections of the article. To see the full article, follow this link to Modern Healthcare.

Is the primary federal privacy law up to the task of protecting patient information in the 21st century?

It’s a question we put to opinion leaders in the legal, research, policy, ethics, provider and technology fields within the healthcare privacy community. It comes as hospitals and office-based physicians ramp up adoption of electronic health-record systems and join information exchanges to qualify for their share of the $27 billion in federal information technology subsidy payments available under the American Recovery and Reinvestment Act of 2009, also known as the stimulus law…

…A new challenge will be to regulate against the abuse of data outside the scope of HIPAA. “You encounter personal health records, where people put their health information on a cell phone, or on Google and Microsoft, and Google and Microsoft are not covered entities. We need to figure out what the privacy framework is for personal health records and other sharing of personal information.”

Deborah Peel is the practicing psychiatrist who founded the Patient Privacy Rights Foundation in Austin, Texas. To Peel, the HIPAA paradigm is obsolete and inadequate and needs to be replaced.

“You can’t draw a fence around who has sensitive health information,” Peel says. “It might have made sense 20 years ago, but it is a model that doesn’t fit the realities of today. It’s based on an anachronistic view of the healthcare system, as if it’s totally separate from everything else in business and in life, and if technology has taught us anything, it’s that that’s not effective.”

Peel also says the 42 CFR Part 2 framework should be applied to all patient data. “Healthcare information, because of the Internet, is everywhere; therefore, the protections must follow the data,” she says. “If we don’t say a damn word about social media and websites and the rest, we lose because that information is out there in all of those places.”

Attention doctors and vendors: Selling patient data without informed consent is now a federal crime

This post appeared as a guest blog in EHR Watch and in Healthcare IT News.

Another misguided, uninformed EHR vendor will discount the price of EHR software for doctors willing to sell patient data! According to CEO Jonathan Bush, “Athena might be able to halve the amount that physicians pay to use its EHR.”

Great business plan: Entice doctors to violate the law and the Hippocratic Oath.

See story on Athenahealth.

How is it possible to be so unaware of what the public wants? The public doesn’t want anything new or earth-shattering, just restoration of their rights to control who can see and use their medical records in electronic systems.

Not only is the practice of selling patient data an unethical PR/”optics” nightmare, but new consumer protections in the stimulus bill require that patients give informed consent before their protected health information can be sold. Violators are breaking a federal law.

The problem is that health information is an extremely valuable commodity, so people are always trying to use it without consent. Patients’ rights never seem to interfere with these business schemes.

More quotes from the story:

  • “Athena’s EHR customers who opt to share their patients’ data with other providers would pay a discounted rate to use Athena’s health record software.”
  • “Athena would be able to make money with the patient data by charging, say, a hospital a small fee to access a patient’s insurance and medical information from Athena’s network.”
  • “Caritas Christi [Health Care] initially launched Athena’s billing software and service in October and then revealed in January that it decided to offer the company’s EHR to physicians.”

How many patients would agree to sell their health records to help their doctor’s bottom line AND at the same time put their jobs, credit, and insurability at risk?

What will Athena’s informed consent for the sale of patients’ health data look like? Will Athena lay out all the risks of harm? Will Athena lay out the fact that once the personal health data is sold, the buyer can re-sell it endlessly to even more users? Will Athena caution patients that once privacy is lost or SOLD, it can never be restored?

Many vendors do not realize that the lack of privacy and lack of trust is a major barrier to patients seeking healthcare. HHS reports 600,000 people a year refuse to get early diagnosis and treatment for cancer because they know the information won’t stay private, another 2,000,000 refuse early diagnosis and treatment for mental illness for the same reasons.

If you wonder what patients expect from electronic health systems, check out my slides (PDF) from a recent Health Innovation conference at the UT McCombs Business School.

Deborah C. Peel, MD
Founder and Chair
Patient Privacy Rights

New privacy rules, old technology creating a lot of headaches

What’s driving people craziest about the big national push to convert to EMRs? Maybe it’s the technology that some people don’t like. Maybe it’s resistance to change. Perhaps it’s the short timeline to implement before the stimulus program starts–Oct. 1 for hospitals, Jan. 1 for physician practices. There’s a lot of uncertainty, too, since the rules for “meaningful use” of EMRs aren’t final yet and are very much subject to change.

All of those are legitimate concerns, but they pale in comparison to the privacy issue.

The American Recovery and Reinvestment Act tightens HIPAA privacy and security rules, though just like the 1996 HIPAA legislation, it leaves many of the details up to the regulators at HHS. The 2002 “treatment, payment and healthcare operations” exception to the privacy rule is disappearing, meaning that healthcare organizations will have to obtain consent before disclosing personally identifiable health data to third parties.

Paperless Medicine?

Electronic medical records that follow patients from doctor to doctor. Hospitals with instantaneous online access to lab results and health histories. Disease researchers with a state’s worth of field data at their fingertips. It all hinges on a single question: Can Texas physicians go paperless?

…But even the most ardent supporters acknowledge they face an uphill battle. Consumer rights advocates fear e-records could jeopardize patient privacy. Some health care providers aren’t convinced e-records benefit their practice — or their bottom line. And until recently, the only software on the market was clunky and complicated, fueling doctors’ skepticism.

…“The health and financial information that goes along with being treated in a hospital or a doctor’s office is incredibly valuable,” says Deborah Peel, founder and chair of the Austin-based nonprofit Patient Privacy Rights. “Once your sensitive health information is sold or lost, you can’t ever make that information private again.”