Dr. Peel at Authors’ Roundtable at HIMSS 2013

Dr. Deborah Peel, PPR Founder & Chair, will join her co-authors to talk about pressing privacy issues raised in HIMSS’s just-released book, Information Privacy in the Evolving Healthcare Environment. Dr. Peel’s chapter discusses patients’ rights to privacy and consent and outlines the auditable criteria of PPR’s Trust Framework, which includes 15 clear principles to ensure meaningful consent within all electronic systems.

Purchase the book here.

Restoring patient control over PHI will be a key topic discussed, with additional focus on the technologies and laws needed to address the gaps and flaws in the Omnibus Privacy Rule.

Date: Tuesday, March 5, 2013
Time: 11:00 AM CT
Where:
HIMSS 2013 Annual Conference and Exhibition
Room 213
New Orleans Ernest N. Morial Convention Center
900 Convention Center Boulevard
New Orleans, Louisiana

An advocate for patients’ rights to health privacy since 2004, when she formed PPR, Dr. Peel has led the charge for more stringent data privacy and security protections, as well as tough new enforcement and penalties for violations that were included in the January 2013 release of the Omnibus Privacy Rule.

Re: HIPAA Auditor Involved in Own Data Breach

OCR’s contractor, KPMG, breached the privacy of 4,500 patient records when an employee lost an unencrypted flash drive.

You can read the full story at Health Leaders Media, “HIPAA Auditor Involved in Own Data Breach.”

KPMG absolved itself of doing any harm:

  • “KPMG believes that it is possible that the patient data was deleted from the flash drive prior to the time when it was lost,”
  • “KPMG has also concluded that there is no reason to believe that the information on the flash drive was actually accessed by any unauthorized person.”

Then KPMG prescribed its own remedy:

  • “KPMG has told us the company is implementing measures to avoid similar incidents in the future, including additional training and the use of improved encryption for its flash drives.”

Why didn’t OCR investigate and penalize KPMG? Instead, OCR doubled down and awarded KPMG a $9.2 million contract for HITECH-required HIPAA audits.

This does little to inspire consumer confidence in OCR, which has a long history of not penalizing industry for data security breaches.

Time for Congressional oversight?

Your Health Information Isn’t Secure But Don’t Blame EHRs

There’s a lot of talk about the risks of storing health information in electronic medical records (EMRs). But, EMRs aren’t the problem. Those consent forms you sign at the doctor’s office… yeah, you should pay attention to the fine print. You may be giving permission to insurance companies, drug makers, and data aggregators to access your health information, regardless of how or where it’s stored. Sorry to get all sour grapes, but we just want to set the record straight. Here’s what you need to know about who can see your health information, how they can legally use it, and what you can do to protect yourself.

Your Doctor Isn’t the Only Person Who Knows Your Diagnosis

Have you heard of the Medical Information Bureau (MIB)? What about IntelliScript and MedPoint? These organizations, among others, build databases of Americans’ private medical information and sell it to other companies (MIB, a non-profit, only provides the information to its members). It’s perfectly legal. But, ethical? Well, you decide.

Data aggregators track down diagnosis codes, lab data, and prescriptions from databases such as those kept by pharmacy benefit managers. The data is later sold to health and life insurance companies to assess the risk of writing a policy. In other words, they can use it to determine rates, or possibly deny you service. However, we should point out that the MIB uses proprietary codes and only receives this information from member companies. The codes are “brief resumes” that act as “red flags” about a particular medical impairment or risk to a patient’s mortality or morbidity. MIB members aren’t supposed to make underwriting decisions based solely on a code.

Some of these organizations even perform analysis for insurance companies. For example, IntelliScript from Milliman provides insurers with drug profiles of patients. In each patient profile, they assign color codes to a drug – red, yellow, or green – in order to indicate its risk factor. Red means risk. It could be used to spotlight drugs for serious illnesses like cancer or AIDS.

Missing Laptop Keeps Firm From Registering New Fliers — by Joseph Galante

Verified Identity Pass (Clear), a firm that specializes in keeping fliers’ sensitive personal information secure, doesn’t encrypt data and had a laptop stolen. Do you think your sensitive health information is any safer in the healthcare system? Remember the stolen NIH laptop that had unencrypted data? What about your local hospital? Will your local hospital do a better job than UCLA Medical Center in keeping snoops out of your records?

Here’s what Verified Identity Pass says about security and privacy. They had an audit by Ernst and Young, but apparently it didn’t mean much:

Clear’s Commitment to Privacy

“Since our founding in 2003, we have been committed to the privacy and security rights of our members. We have created an exhaustive privacy and data security program and we will always clearly communicate any changes to that program with members.

We are committed to the transparency of our privacy practices and that’s why we have instituted open, independent checks on our privacy promises, including an independent and public security and privacy audit, the appointment of an independent privacy ombudsman, and an unprecedented Clear Identity Theft Warranty.

In June, 2007, Ernst & Young LLP concluded a comprehensive, independent audit of our privacy policies and practices. This was the first ever independent privacy audit conducted for a national registered traveler program.”
