Consumers Say No to Mobile Apps That Grab Too Much Data

To view the full article, please visit the New York TimesConsumers Say No to Mobile Apps That Grab Too Much Data

Imagine the reactions smart phone users will have when they discover the vast, hidden industry that collects, uses, and sells personal health data—-from prescription records to DNA to diagnoses.

A recent Pew Research Center study found smartphone users are taking action to protect their privacy:

·50% “decided not to install applications on their mobile phones because they demanded too much personal information”

·Nearly a third uninstalled an application after learning that it was collecting personal information “they didn’t wish to share.”

·And one in five turned off location tracking “because they were concerned that other individuals or companies could access that information.”

What will happen when smartphone users want to protect the privacy of their health information and try to turn off:

·the hundreds or thousands of hidden disclosures and uses of their sensitive health records by hospitals’ and doctors’ health IT systems

·the daily sale of their prescription records by pharmacies and lab test results by clinical laboratories

·the disclosure of personal health information via state “health information exchanges” and the Nationwide Health Information Network

If Americans can figure out and ACT to prevent cell phone apps from grabbing their contacts and location information—what will they do when they find out that electronic health systems collect use, and sell mountains of detailed, intimate information about their minds and bodies—and they can’t turn these “apps” off?

People CAN choose to live without Angry Birds (or whatever app they decide against) but they really CAN’T choose to go without healthcare – at least not without possibly serious health repercussions.  People can choose what personal info to share online (to some degree), but really can’t choose what health info is shared.

Health technology systems that eliminate patient control over who can see and use sensitive health data are causing the nation’s greatest hidden privacy disaster. It can only be fixed when the public finds out.

Shoppers, Meet Your Scorekeeper

See the article in the NY Times at: Secret E-Scores Chart Consumers’ Buying Power

Let’s call this business what it really is: data theft, not scorekeeping. This great story by Natasha Singer is in the vein of the WSJ series: “What They Know”. There is no way to know if our e-scores, derived from 50,000+ pieces of personal information, are used only for shopping.

  • There is no proof that eBureau does what the CEO says. Unless eBureau reveals all the buyers of the scores or lets us see all the personal data they collect/steal about us there is no way to know if the scores are used to discriminate against us in key life opportunities.

Natasha Singer writes clearly about the business model of hidden data theft and hidden data mining that is used by so many Internet-based corporations.  She profiles Gordy Meyer, CEO of eBureau, who claims his company makes entirely legal use of millions of online and other personal, electronic clues.  He imagines we freely, consciously give personal data away to corporations like his to create instant, extremely detailed, deeply intimate real-life profiles of every one of us (which he sells at 3 to 75 cents/per profile).

When we simply LOOK or CLICK AROUND a website, we are not in any meaningful way giving consent to hidden data-thieving corporations to collect or use personal information. We are victims of unfair and deceptive trade practices and data theft.

The public simply has no concept that extremely detailed digital profiles are being collected used to discriminate against them:

  • Ebureau then adds several thousand details–like age, occupation, property value, length of residence, and retail history–from its data bases to each customer profile. From those raw data points, the system extrapolates up to 50,000 additional variables per person.”

What are the “several thousand details” eBureau adds?  Could they be details like your searches for information on treatment of melanoma? or STDS?  How do we know what the details are?  eBureau will not tell us.

The story closes with a quote from Frank Pasquale:

  • “I’m troubled by the idea that some people will essentially be seeing ads for subprime loans, vocational schools and payday loans,” Professor Pasquale says, “while others might be seeing ads for regular banks and colleges, and not know why.”

One of the worst parts of this story is that eBureau’s CEO makes assertions that cannot be verified:

  • there is no way to know what data is collected or what eBureau does with it
  • there is no way to know if eBureau “meets regulatory requirements” or “has put firewalls in place to separate data bases containing federally regulated data, , like credit or debt information used for purposes like risk management, from databases about consumers used to generate scores for marketing purposes.” because there is no outside auditing.

My bet is that a HUGE part of what is collected is information about our minds and bodies. We already know that personal health information is the most valuable digital information about each of us. Will purchasers of eBureau’s scores offer a credit card to anyone with cancer or Depression? Will we be able to qualify for loans to send our kids to college if we have genetic risks for breast cancer or heart disease?

Patient Control Reduces Privacy Issues for Health Data Sharing Networks

See the full article on iHealthBeat.org: Patient Control Reduces Privacy Issues for Health Data Sharing Networks

It’s about time!!!! Congratulations to Wake Forest for building a way to move data that patients can trust. Patients have waited a long time for systems to be built that enable them to move their own information.

YES, this model solves the legal problems of data sharing—there is no need for expensive contracts between hospitals and doctors.  And YES, it builds patient trust in physicians because it restores the personal control over use and disclosure of protected health information (PHI) that patients EXPECT.

The majority of current HIT systems and data exchanges violate medical ethics and patients’ long-standing rights to control PHI. This kind of electronic consent is THE ONLY way patient data should flow.

BRAVO to the Wake Forest research team for finally building effective electronic patient consent tools.

EHRs and Patient Privacy- An Oxymoron? Psychiatric Times Cover Story

A recent article in the Psychiatric Times based on the 2nd International Summit on the Future of Health Privacy describes the major problems with EHRs and the consequences of the misuse of this technology. The article quotes both Dr. Peel and Dr. Scott Monteith as well as “Julie” when describing the flaws of EHRs and HIEs. The article is available by subscription only through Psychiatric Times, but here are some highlights and quotes from the article:

“The escalating use of electronic health records (EHRs) and health information exchanges (HIEs) is fraught with unintended and sometimes dire consequences—including medical coding errors and breaches of psychiatric patients’ privacy and confidentiality, according to [Dr. Peel and Dr. Monteith] who scrutinize the field”

“At the recent Second Annual International Summit on the Future of Health Privacy, psychiatrist Scott Monteith, MD, Clinical Assistant Professor in the Departments of Psychiatry and Family Medicine at Michigan State University and a medical informaticist, relayed the experience of a patient who discovered that her EHR erroneously reported a history of inhalant abuse. In reality, she had a history of  “caffeine intoxication.” After much investigation, the problem was identified. The DSM-IV-TR code (305.90) is used for 4 different diagnoses, including caffeine(Drug information on caffeine) intoxication and inhalant abuse, but the EHR’s printout only made the inhalant abuse diagnosis visible. Although the error was reported to the EHR vendor, the problem persists after almost 2 years.

“‘It is impossible for consumers to weigh the risks and benefits of using health IT and data exchanges when they have no idea where their data flows, who is using it or the purpose of its use,’ wrote Peel, a psychiatrist and psychoanalyst.”

“…Peel emphasized the importance of patients being able to control access to sensitive personal health information. The open source consent technologies, she explained, have been used for more than 12 years by many state mental health departments to exchange sensitive mental health and substance abuse data on some 4 million people in more than 8 states.”

“…’Millions of patients/year refuse to seek treatment when they know they cannot control where their data flows,” she wrote. “Any HIE or EHR that cannot selectively share data with the patient’s meaningful consent, withhold data without consent, AND withhold erroneous data is a failed system or technology. The refusal of certain health IT companies to build technologies that comply with the law and what patients expect shows very poor judgment.’”

If you wish to view the full article by Arline Kaplan and are a subscriber of Psychiatric Times, it can be found at Electronic Health Records and Patient Privacy- An Oxymoron?

Only 26 Percent of Americans Want Electronic Medical Records, Says Xerox Survey

Xerox kindly shared all three years of their annual Electronic Health Records (EHR) online surveys by Harris Interactive. The media, industry and government unrelentingly promote health technology as the latest, greatest best stuff.  But the public ain’t buying it.  They want smart phones, but they don’t  want EHRs.

Clearly the public is not very excited about EHRs; 74% don’t want them. They don’t want them because they understand the problems with EHRs so well.

To view the article, please visit Only 26 Percent of Americans Want Electronic Medical Records, Says Xerox survey

Not only do the surveys show a low percentage of Americans want electronic health records—but it’s remained low; this year at only 26%. Overall 85% of the public has “concerns” about EHRs this year. The surveys also asked about specific ‘concerns’. They found the public is concerned that health data security is poor, data can be lost or corrupted, records can be misused, and that outages or ‘computer problems’ can take records offline and compromise care.  See results below:

To the question do you want your medical records to be digital:

  • 26% said ‘yes’ in 2010
  • 28% said ‘yes’ in 2011
  • 26% said ‘yes’ in 2012

To the question do you have concerns about digital records:

  • 82% said ‘yes’ in 2010
  • 83% said ‘yes’ in 2011
  • 85% said ‘yes’ in 2012

To the question could your information be hacked:

  • 64%  said ‘yes’ in 2010
  • 65%  said ‘yes’ in 2011
  • 63%  said ‘yes’ in 2012

To the question could your digital medical records  be lost or corrupted:

  • 55% said ‘yes’ in 2010
  • 54% said ‘yes’ in 2011
  • 50% said ‘yes’ in 2012

To the question could your personal information be misused:

  • 57% said ‘yes’ in 2010
  • 52% said ‘yes’ in 2011
  • 51% said ‘yes’ in 2012

To the question could a power outage or computer problem prevent doctors from accessing my information:

  • 52% said ‘yes’ in 2010
  • 52% said ‘yes’ in 2011
  • 50% said ‘yes’ in 2012

Information Technology’s Failure to Disrupt Healthcare

Nicolas Terry wrote a very interesting and informative paper about the effects IT has had on healthcare today. It is available for download in its full text version here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2118653. Below is his abstract.

Abstract: Information Technology (IT) surrounds us every day. IT products and services from smart phones and search engines to online banking and stock trading have been transformative. However, IT has made only modest and less than disruptive inroads into healthcare. This article explores the economic and technological relationships between healthcare and healthcare information technologies (HIT), asks (leveraging the work of Clayton Christensen) whether current conceptions of HIT are disruptive or merely sustaining, and canvasses various explanations for HIT’s failure to disrupt healthcare. The conclusion is that contemporary HIT is only a sustaining rather than disruptive technology. Notwithstanding that we live in a world of disruption, healthcare is more akin to the stubborn television domain, where similarly complex relationships and market concentrations have impeded the forces of disruption. There are three potential exceptions to this pessimistic conclusion. First, because advanced HIT is not a good fit for episodic healthcare delivery, we may be experiencing a holding pattern while healthcare rights itself with the introduction of process-centric care models. Second, the 2010 PCAST report was correct, the healthcare data model is broken. If Stage 3 of the MU subsidy program or some other initiative can funda

Abercrombie signs Hawaii patient privacy protection law

To view the full article in Bizjournals.com by Vanessa Van Voorhis, please visit Abercrombie signs Hawaii patient privacy protection law.

The people of Hawaii just lost their rights to health privacy. The Hawaiian legislature replaced all its far stronger health privacy laws with HIPAA.

Like most of the public, Hawaiian lawmakers believe HIPAA protects privacy, but it doesn’t.  It hasn’t for 10 years. The key privacy protection in HIPAA  was eliminated in 2002. The media  has never reported this.

  • President Bush put HIPAA in place when he took office. At first, HIPAA required that others had to ask for consent before using or disclosing our health information for treatment, payment, or healthcare operations.

  • “The consent provisions…are replaced with a new provision…that provides regulatory permission for covered entities to use and disclose protected health information for treatment, payment, and healthcare operations.”  67 Fed. Reg. 53,183

That means millions of people who work at hospitals, doctors offices, labs, health plans, data clearinghouse, government agencies, pharmacies and other places that hold health records (“covered entities”) decide when to use and disclose them, not us.

This new law is a privacy disaster for Hawaiians. They will suffer:

  • loss of the privacy of sensitive information about their minds, bodies, and genes
  • generations of discrimination
  • embarrassment and loss of reputation
  • job, credit, and insurance discrimination
  • ID theft
  • medical ID theft (where others use their health insurance to pay for treatment or for insurance fraud)

Patient Safety and Health Information Technology: Learning from Our Mistakes

MUST READ article by Ross Koppel about why and how government and industry denial of serious design flaws in electronic health systems endanger patients’ lives and safety. He uses detailed examples, citations, and the historical record to support his case. Flawed technology causes serious patient safety issues in the same way flawed technology prevents patient control over who can see, use, or sell sensitive health information.

Yet technology could vastly improve patient safety and put patients back in control over the use of their health data. Why is poor technology design entrenched and systemic? Koppel states, “The essential question is: why has the promise of health IT—now 40 years old—not been achieved despite the hundreds of billions of dollars the US government and providers have spent on it?”

He makes the case that key problems arise from industry domination over the public interest. “Marketing overdrive” has caused:
· Denial and magical thinking: we see the “systematic refusal to acknowledge health IT’s problems, and, most important, to learn from them”

· Prevention of “meaningful regulations since 1997″: ”This belief that health IT, by itself, improves care and reduces costs has not only diminished government responsibility to set data format standards, it has also caused us to set aside concerns of usability, interoperability, patient safety, and data integrity (keeping data accountable and reliable).”

· Destructive “lock-in” to flawed technology systems: A full software package from a top firm for a large hospital costs over $180 million, and can cost five times that figure for implementation, training, configuration, cross-covering of staff, and so on.(11,12) Because illness, accidents, and pregnancies cannot be scheduled around health IT training and implementation needs, the hospital must continue to operate while its core information systems are developed and installed. This investment of time and money means the hospital is committed for a decade or more. It also reduces incentives for health IT vendors to be responsive to the needs of current customers.(13,14)

We have been to this rodeo before. Koppel points out these same phenomena occur over and over in many other industries:
“we had dozens of railroad gauges, hundreds of time zones, and even areas with both left- and right-hand driving rules. In all cases, the federal government established standards, and the people, the economy, and especially the resistant industries flourished. Industry claims that such standards would restrict innovation were turned on their heads.”

The health technology industry has failed to reform itself for 40 years. Effective federal laws and regulation are the only path to ensuring innovation and interoperability, to make health IT systems safe for patients and useful to doctors, and to restore individual control over who sees the most sensitive personal information on Earth.

See the full article at Web M&M: Patient Safety and Health Information Technology: Learning from Our Mistakes

The Changing Landscape – The Impact to Patients’ Privacy

Both President Bush and President Obama agree that every American should have an electronic health record by 2014. Congress agrees too and has poured $27 billion into digitizing the healthcare system.  Using data instead of paper records, technology tools can analyze mountains of health information to understand what treatments work best for each of us, improve quality, facilitate research, and lower costs. Strong support for electronic health records systems and health data exchanges is bipartisan.

But the systems being funded have major, potentially fatal design flaws which are NOT being addressed by either party:

-Patients have no control over who sees or sells sensitive personal health information.

-Comprehensive, effective data security measures are not in use; 80% of health data is not even encrypted.

-Health data is held in hundreds or thousands of places we have never heard of because of hidden data flows.

-Hundreds of thousands of employees of corporations, third parties inside and outside the healthcare system, researchers, and government agencies can easily obtain and use our personal health information, from prescription records to DNA to diagnoses.

-There is no “chain of custody” for our electronic health data.

The consequences of the lack of meaningful and comprehensive privacy and security protections for sensitive health data are alarming. Over 20 million patients have been victims of health data breaches – these numbers will only increase. Millions of patients each year are victims of medical ID theft, which is much harder to discover and much more costly than ID theft. Such easy access to health data by thousands of third parties is causing an explosion of healthcare fraud (see FBI press release on $100M Armenian-American Fraud ring: http://www.fbi.gov/newyork/press-releases/2010/nyfo101310.htm). Equally alarming, this lack of privacy can cause bad health outcomes, millions of people every year avoid treatment because they know their health data is not private:

-HHS estimated that 586,000 Americans did not seek earlier cancer treatment due to privacy concerns. 65 Fed. Reg. at 82,779

-HHS estimated that 2,000,000 Americans did not seek treatment for mental illness due to privacy concerns. 65 Fed. Reg. at 82,777

-Millions of young Americans suffering from sexually transmitted diseases do not seek treatment due to privacy concerns. 65 Fed. Reg. at 82,778

-The Rand Corporation found that 150,000 soldiers suffering from PTSD do not seek treatment because of privacy concerns. “Invisible Wounds of War”, The RAND Corp., p.436 (2008). Lack of privacy contributes to the highest rate of suicide among active duty soldiers in 30 years.

Public distrust in electronic health systems and the government will only deepen unless these major design flaws are addressed.

The President’s Consumer Privacy Bill of Rights shows he knows that trust in the Internet and electronic systems must be assured. The same principles that will ensure online trust must also be built into the healthcare system — starting with Principle #1:

“Consumers have a right to exercise control over what personal data companies collect from them and how they use it.”

Organics industry and privacy industry face similar labeling issues

See the full article in the New York Times at Has ‘Organic’ Been Oversized?

Like the food industry’s label for “organic” foods, the health technology industry wants to label or brand its products, like electronic records systems, data exchanges, health “apps”, and etc as “privacy-protective”.  Regardless of how far from reality that designation is.

This story shows that the federal law setting up an “organic” certification panel for food requires a FAR greater number of consumer and academic seats on the panel than are on the two National Health IT Policy and Standards Committees.  The organic certification panel requires the appointment of “four farmers, three conservationists, three consumer representatives”, for a total of 15 seats for non-industry representatives. But the federal government appointed industry people to those seats anyway. The federal govt. also appointed people who do not represent consumers or consumer organizations to the few consumer seats on the National Health IT Policy and Standards Committees.

But people who want health privacy are a huge percentage of the public: polls show between 75-95% of the public. This is a far greater percentage of the public than buy “organic” food.  Health privacy is not an ‘elitist’ product, as “organic” foods are perceived to be. Everyone is affected  by the lack of control over their health data and everyone cares about it.

A few key quotes from the story:

-The fact is, organic food has become a wildly lucrative business for Big Food and a premium-price-means-premium-profit section of the grocery store. The industry’s image — contented cows grazing on the green hills of family-owned farms — is mostly pure fantasy. Or rather, pure marketing. Big Food, it turns out, has spawned what might be called Big Organic.

-“The board is stacked,” Mr. Potter says. “Either they don’t have a clue, or their interest in making money is more important than their interest in maintaining the integrity of organics.”  He calls the certified-organic label a fraud and refuses to put it on Eden’s products.

-BIG FOOD has also assumed a powerful role in setting the standards for organic foods. Major corporations have come to dominate the board that sets these standards.

-As corporate membership on the board has increased, so, too, has the number of nonorganic materials approved for organic foods on what is called the National List.Today, more than 250 nonorganic substances are on the list, up from 77 in 2002.

-This sounds like the way the National Health IT Policy And Standards Committees operate:

o   The organic certification board has 15 members, and a two-thirds majority is required to add a substance to the list. More and more, votes on adding substances break down along corporate-independent lines, with one swing vote.

o   Six board members, for instance, voted in favor of adding ammonium nonanoate, a herbicide, to the accepted organic list in December. Those votes came from General Mills, Campbell’s Soup, Organic Valley, Whole Foods Market and Earthbound Farms, which had two votes at the time.

-CORPORATE APPOINTEES FILL CONSUMER SEATS, just like on the Health IT Policy And Standards Committees:

o   The Organic Foods Act calls for a board consisting of four farmers, three conservationists, three consumer representatives, a scientist, a retailer, a certification agent and two “handlers,” or representatives of companies that process organic food.

o   Cornucopia has challenged the appointment of Ms. Beck, the national organic program manager at Driscoll’s, to a seat that is, by law, supposed to be occupied by a farmer. Officially, “farmer” means someone who “owns or operates an organic farm.”   But Ms. Beck does not own or operate a farm.

§  Driscoll’s nominated Ms. Beck for one of the handler seats — but Tom Vilsack, the agriculture secretary, appointed her to one of the seats reserved for farmers.

§  In contrast, Dominic Marchese, who produces organic beef in Ohio, has tried and failed three times to win a board appointment as a farmer.

o   Similarly, the three consumer seats have never been filled by anyone from a traditional consumer advocacy group like the Organic Consumers Association orthe Consumers Union. Instead, those seats have largely gone to academics with agricultural expertise and to corporate executives.

o   Katrina Heinze, a General Mills executive, was appointed to serve as a consumer representative on the board in December 2005 by Mike Johanns, the agriculture secretary at the time. The outcry over her appointment by advocates and independent organic consumers was so intense that she resigned inFebruary 2006 — but rejoined the board late that year after Mr. Johanns appointed her to the seat designated by law for an expert in toxicology, ecology or biochemistry.

To learn more about preventing health privacy issues and protecting your privacy, please visit our Health Privacy Summit website.