Benefits of Online Medical Records Outweigh the Risks- Includes Opposing Quotes from Dr. Deborah Peel

An article written by Larry Magid in the Huffington Post quotes PPR when speaking about the issues surrounding electronic health records. You can view the full article here: Benefits of Online Medical Records Outweigh the Risks.

“There are also privacy concerns. In a 2010 Wall Street Journal op-ed, psychiatrist Deborah Peel, founder of Patient Privacy Rights, complained that ‘lab test results are disclosed to insurance companies before we even know the results.’ She added that data is being released to ‘insurers, drug companies, employers and others willing to pay for the information to use in making decisions about you, your job or your treatments, or for research.’ Her group is calling for tighter controls and recognition ‘that patients own their health data.’”

Your Medical Records May Not Be Private: ABC News Investigation

ABC TV’s Jim Avila shows how easy it is to buy personal health data. He spoke with security consultant Greg Porter, who showed him how to buy personal health information online for $14-$25. ABC News learned about the lack of effective security and privacy for medical records from “Julie” at the 2nd International Summit on the Future of Health Privacy.

You can see the ABC News video on medical records at: http://abcnews.go.com/Health/medical-records-private-abc-news-investigation/story?id=17228986#.UIQCz1H6Acs

ABC’s print story about the TV news segment tells “Julie’s” story, quotes Patient Privacy Rights (PPR), and links to our free online consumer protection forms so you can take action to better protect your health data. Use the free consent form and ask physicians and hospitals to honor longstanding state laws that require consent before they disclose your health information. According to HIPAA, providers can refuse to honor requests like this, but HIPAA also says stronger state laws and medical ethics should prevail, so ‘ask’ and tell them to honor your rights to control who sees and uses your electronic health information.

Aggressive New Texas Law Increases Fines, Training Rules; Could Hit CEs Nationwide

Aishealth.com explains the new Texas Medical Privacy Act that has recently been signed into law and quotes Dr. Deborah Peel of PPR in their latest report on patient privacy. The report is only available through subscription but below are a few key points and quotes from it. If you have a subscription to aishealth.com, you can view the full article at Aggressive New Texas Law Increases Fines, Training Rules; Could Hit CEs Nationwide.

“A new Texas law governing the privacy and security of protected health information, perhaps the broadest and among the toughest of such laws in the nation, went into effect on Sept. 1. The Texas Medical Privacy Act, signed into law June 17, 2011, by Gov. Rick Perry (R), not only increases requirements beyond those in HIPAA for organizations that are already covered entities (CEs), but greatly expands the number and type of Texas-based CEs required to comply with the privacy standards in HIPAA and adds a bunch of its own requirements. It contains separate mandates for breach notification of electronic PHI and penalties for violations.

The new law ‘is basically HIPAA, but applies to everyone who touches PHI’ and will have a ‘big impact on entities that get PHI but aren’t technically business associates – which are now effectively covered in Texas and must comply with HIPAA restrictions on use and disclosure,’ says longtime HIPAA expert and Texas attorney Jeff Drummond, a partner in the Dallas office of Jackson Walker LLP.
‘The biggest impact on CEs and BAs are the shorter timeframes for giving access to records and the training requirement,’ he says. And the new law, which amends two existing areas of Texas regulations, carries a punch: the law provides for ‘administrative, civil and criminal penalties’ that dwarf even those that were expanded under HITECH.

The law is likely to have an impact outside of Texas and spur privacy advocates to push for similar legislation in their states or at the national level. One of the most outspoken patient privacy advocates, Austin psychiatrist Deborah Peel, was among those who supported the law, testifying before elected officials during their deliberations in 2011.

‘We hope the Texas law inspires other states to write strong laws that emphatically reject hidden data flows that the data mining and data theft industry profit from at our expense,’ Peel tells RPP. ‘The states can restore and strengthen personal control over health information – it’s what the public expects from health information technology systems and it’s our right to have [such control].’ Peel adds that ‘It’s also good business to prevent thousands of people from accessing PHI, [as] fraud, identity theft and medical identity theft are exploding.’”

Promising research may protect health records privacy

To view the full article in Modern Healthcare, please visit Promising research may protect health records privacy.

A recent article in ModernHealthcare.com explains a new and promising technology developed by the Wake Forest School of Medicine’s Department of Biomedical Engineering. They have developed a “prototype health information exchange that both works for providers and restores patient control over the flow of their medical images.” The article explains how the new exchange utilizes “what’s called a Patient Controlled Access-key Registry to manage access for both patients and providers. A patient, who would allow another provider to see his or her records, releases an ‘access key’ with a digital signature at a patient portal.”

The article also quotes Dr. Peel’s views on the new system: “Psychiatrist and patient privacy advocate Dr. Deborah Peel—often a critic of health IT systems that she sees compromising privacy—says she likes what she reads about the Wake Forest pilot. ‘The majority of current HIT systems and data exchanges violate medical ethics and patients’ long-standing rights to control PHI (protected health information),’ Peel wrote in an email Wednesday. ‘Bravo to the Wake Forest research team for finally building effective electronic patient consent tools. Yes, this model solves the legal problems of data sharing. And yes, it builds patient trust in physicians because it restores the personal control over use and disclosure of protected health information that patients expect.’”

EHRs and Patient Privacy- An Oxymoron? Psychiatric Times Cover Story

A recent article in the Psychiatric Times based on the 2nd International Summit on the Future of Health Privacy describes the major problems with EHRs and the consequences of the misuse of this technology. The article quotes both Dr. Peel and Dr. Scott Monteith as well as “Julie” when describing the flaws of EHRs and HIEs. The article is available by subscription only through Psychiatric Times, but here are some highlights and quotes from the article:

“The escalating use of electronic health records (EHRs) and health information exchanges (HIEs) is fraught with unintended and sometimes dire consequences—including medical coding errors and breaches of psychiatric patients’ privacy and confidentiality, according to [Dr. Peel and Dr. Monteith] who scrutinize the field”

“At the recent Second Annual International Summit on the Future of Health Privacy, psychiatrist Scott Monteith, MD, Clinical Assistant Professor in the Departments of Psychiatry and Family Medicine at Michigan State University and a medical informaticist, relayed the experience of a patient who discovered that her EHR erroneously reported a history of inhalant abuse. In reality, she had a history of ‘caffeine intoxication.’ After much investigation, the problem was identified. The DSM-IV-TR code (305.90) is used for 4 different diagnoses, including caffeine intoxication and inhalant abuse, but the EHR’s printout only made the inhalant abuse diagnosis visible. Although the error was reported to the EHR vendor, the problem persists after almost 2 years.”

“‘It is impossible for consumers to weigh the risks and benefits of using health IT and data exchanges when they have no idea where their data flows, who is using it or the purpose of its use,’ wrote Peel, a psychiatrist and psychoanalyst.”

“…Peel emphasized the importance of patients being able to control access to sensitive personal health information. The open source consent technologies, she explained, have been used for more than 12 years by many state mental health departments to exchange sensitive mental health and substance abuse data on some 4 million people in more than 8 states.”

“…‘Millions of patients/year refuse to seek treatment when they know they cannot control where their data flows,’ she wrote. ‘Any HIE or EHR that cannot selectively share data with the patient’s meaningful consent, withhold data without consent, AND withhold erroneous data is a failed system or technology. The refusal of certain health IT companies to build technologies that comply with the law and what patients expect shows very poor judgment.’”

If you wish to view the full article by Arline Kaplan and are a subscriber of Psychiatric Times, it can be found at Electronic Health Records and Patient Privacy- An Oxymoron?

The Changing Landscape – The Impact to Patients’ Privacy

Both President Bush and President Obama agree that every American should have an electronic health record by 2014. Congress agrees too and has poured $27 billion into digitizing the healthcare system. Using data instead of paper records, technology tools can analyze mountains of health information to understand what treatments work best for each of us, improve quality, facilitate research, and lower costs. Strong support for electronic health records systems and health data exchanges is bipartisan.

But the systems being funded have major, potentially fatal design flaws which are NOT being addressed by either party:

-Patients have no control over who sees or sells sensitive personal health information.

-Comprehensive, effective data security measures are not in use; 80% of health data is not even encrypted.

-Health data is held in hundreds or thousands of places we have never heard of because of hidden data flows.

-Hundreds of thousands of employees of corporations, third parties inside and outside the healthcare system, researchers, and government agencies can easily obtain and use our personal health information, from prescription records to DNA to diagnoses.

-There is no “chain of custody” for our electronic health data.

The consequences of the lack of meaningful and comprehensive privacy and security protections for sensitive health data are alarming. Over 20 million patients have been victims of health data breaches – these numbers will only increase. Millions of patients each year are victims of medical ID theft, which is much harder to discover and much more costly than ID theft. Such easy access to health data by thousands of third parties is causing an explosion of healthcare fraud (see FBI press release on $100M Armenian-American Fraud ring: http://www.fbi.gov/newyork/press-releases/2010/nyfo101310.htm). Equally alarming, this lack of privacy can cause bad health outcomes: millions of people every year avoid treatment because they know their health data is not private:

-HHS estimated that 586,000 Americans did not seek earlier cancer treatment due to privacy concerns. 65 Fed. Reg. at 82,779

-HHS estimated that 2,000,000 Americans did not seek treatment for mental illness due to privacy concerns. 65 Fed. Reg. at 82,777

-Millions of young Americans suffering from sexually transmitted diseases do not seek treatment due to privacy concerns. 65 Fed. Reg. at 82,778

-The Rand Corporation found that 150,000 soldiers suffering from PTSD do not seek treatment because of privacy concerns. “Invisible Wounds of War”, The RAND Corp., p.436 (2008). Lack of privacy contributes to the highest rate of suicide among active duty soldiers in 30 years.

Public distrust in electronic health systems and the government will only deepen unless these major design flaws are addressed.

The President’s Consumer Privacy Bill of Rights shows he knows that trust in the Internet and electronic systems must be assured. The same principles that will ensure online trust must also be built into the healthcare system — starting with Principle #1:

“Consumers have a right to exercise control over what personal data companies collect from them and how they use it.”

Patient Privacy Rights Calls for Patient Control Over Data Exchange on the Nationwide Health Information Network (NwHIN)

In our comments about the NwHIN, Patient Privacy Rights (PPR) urged the Office of the National Coordinator for Health IT (ONC) to use this critical opportunity to address the fatal privacy and security flaws in current systems and state and federal data exchanges. “Multi-stakeholder” public-private governance at the state and federal level has failed to gain public trust. Public-private governance assures that industry, research, and government interests trump the public’s rights to health information privacy.

To restore public trust, PPR strongly believes:

  • All state and federal data exchanges should be certified to assure that patients control the exchange of their health data. Privacy certification should be designed by a non-profit, patient-led organization with expertise in health privacy;
  • Data should only be exchanged using the Direct Project for secure email between patients, physicians, and other health professionals (with rare exceptions);
  • Patients should always give meaningful informed consent before their information is disclosed; and
  • Sensitive personal health information should only flow to those directly involved in an individual’s treatment, or to those who are conducting research in which an individual has agreed to participate.

Without a network designed to make sure individuals decide who sees their health records, Americans will grow even more wary of seeking needed treatment. We urge the ONC to act now to create a nationwide network that requires comprehensive data privacy and security measures to protect patients’ intimate personal health data. See comments here.

Health Care Reform: Let’s Not Forget Privacy And Data Security

See the full article at Forbes.com: Health Care Reform: Let’s Not Forget Privacy And Data Security

The Affordable Care Act poses many new threats to patient privacy because the health care system is already overloaded. The influx of new consumers into this market will put heavy stress on an already insufficient data privacy infrastructure. Bob Gregg, guest writer for Forbes.com, explains the strains and consequences caused by this new legislation.

“The Supreme Court’s decision to uphold the Affordable Care Act could guarantee health insurance coverage for the majority of the 50 million Americans who are now uninsured. While laudable in theory, this legislation doesn’t account for the strain these millions of new patients will have on an already overburdened healthcare ecosystem, especially when it comes to patient privacy and data security.”

Mr. Gregg looked to Patient Privacy Rights’ own founder, Dr. Deborah Peel, to explain what kind of ramifications this act will have for patients and their data privacy.

“My friend, Dr. Deborah Peel, founder of Patient Privacy Rights, tells me that ‘patients have no control over who sees or sells personal health information. Our health data is held in hundreds or thousands of places we have never heard of because of hidden data flows.’ Thousands of people, including researchers and government agencies, she says, have easy access to this information.”

The article goes on to list the four major issues this new burden on the health care system will cause and how it will affect consumers. The bottom line, he says, is “…The Affordable Care Act is designed to make healthcare available to the masses. But that availability comes at a price. Healthcare providers will have to shift tight budgets toward patient care and away from protecting patient privacy, leaving Americans vulnerable to the increasing frequency and cost of data breaches, medical identity theft, and fraud. Combine that with the HITECH Act, federal legislation that pushes healthcare providers into adopting EHR systems, and you have a perfect storm for unintended consequences surrounding patient privacy and data security.”

For even more information on how you can help keep patient data private visit our International Summit on the Future of Health Privacy website.

2-part story on “Julie” who spoke at the 2nd International Summit on the Future of Health Privacy

See the stories written by Joe Conn at ModernHealthcare.com: ‘Julie’ learns that privacy is more illusion than reality & How ‘Julie’ got a big surprise about medical records privacy

These stories matter for many reasons, not the least of which is that Partners is switching to Epic EHRs and Epic’s CEO has openly opposed data segmentation for years. She claims it’s impossible, too expensive, can’t be done, etc. Partners is about to spend hundreds of millions of dollars on a failed electronic health records system.

The claim that data segmentation cannot be done is incorrect. One example is the open source consent technologies used for over 12 years by many state mental health departments to exchange sensitive mental health and substance abuse data on over 4 million people in over 8 states (the states belong to the NDIIC). Further, the state of MA has very strong laws that require consent for the disclosure of mental health information (actually all 50 states do too).

Why would Partners choose a product that fails to protect patient privacy in such a major way? This will prevent trust in doctors, hospitals, and worst—in ALL electronic systems. Millions of patients/year refuse to seek treatment when they know they cannot control where their data flows. Any HIE or EHR that cannot selectively share data with the patient’s meaningful consent, withhold data without consent, AND withhold erroneous data is a failed system or technology. The refusal of certain health IT companies to build technologies that comply with the law and what patients expect shows very poor judgment.

Who Should Have Access to Mental Health Records?

See the full story in The Globe: Who Should Have Access to Mental Health Records?

“Under federal health privacy laws, patients must sign a standard permission form for providers to share their medical information for purposes of treatment and billing. Policies on sharing psychiatric notes vary.

At Beth Israel Deaconess Medical Center, for example, psychiatrists decide whether to put notes in a locked area of the record, which other doctors can see only if they provide written justification.

At Partners, patients can ask that notes be restricted, but the organization evaluates the requests on a case-by-case basis. In the case of Julie — who does not want her full name published because she’s worried about being stigmatized — Partners eventually agreed to restrict access to the therapy notes written between 2002 and 2009. But the provider network would not automatically sequester future notes.

Julie told her story during the International Summit on the Future of Health Privacy, held in Washington, D.C. earlier this month and sponsored by advocacy group Patient Privacy Rights and Georgetown University Law Center’s O’Neill Institute for National and Global Health Law.

There is a push in health care policy toward more integration of mental and medical health services to better serve patient needs in all settings. Dr. Thomas Lee, head of the Partners’ physician organization, points to it in this story.

‘Schizophrenia and Parkinson’s disease are both biochemical disorders of the brain,’ he told Kowalczyk. ‘Why is one considered mental health and the other medical?’

The catch is that privacy — trust, really — is paramount in serving people with sensitive mental health concerns. So, what’s the solution? How should records be handled to protect patients and provide the best possible care?”