The Rising Risk of Electronic Medical Records

See the full story at SmartPlanet: The Rising Risk of Electronic Medical Records

This story quotes Lee Tien, Bob Gellman, and me about health information technology, which prevents us from controlling who can see, use, or sell our electronic health data by design—-placing everyone in the nation at risk of job and credit discrimination based on health data.  Current technologies make hidden data flow easy, with no way for patients to opt-out or prevent personal data from flowing to an unlimited number of hidden corporate, government, for-profit research and data analytics users.

“Criminals can buy social security numbers online for about $5 each, but medical profiles can fetch $50 or more because they give identity thieves a much more nuanced look into a victim’s life, said Dr. Deborah Peel, founder of the advocacy group Patient Privacy Rights, which researches data breaches and works for tighter security on people’s personal health records.”

Discrimination causes millions to avoid medical treatment every year. It’s a fact of life with paper medical records too. But electronic health systems enable thousands of strangers to simultaneously access the records of millions of patients, so the theft, sale, and misuse of health data for discrimination, fraud, ID theft, and medical ID theft has skyrocketed. In paper records systems, patient files are kept in locked rooms or filing cabinets, making it hard to use or steal more than a few at a time. Anti-discrimination laws alone aren’t effective—we also need to know who has copies of our health data and be able to control who gets them.

““If the information leaked to an employer, it would have affected their jobs or reputations. All the time I’ve been practicing, it’s been a very important and delicate issue,” Peel said. “There are prejudices associated with psychiatric diagnoses. People have powerful reactions to the names of these things.” … Once genetic profiles are routinely added to the mix, access to electronic health data may predetermine who can get jobs or serve in public office, Peel warned… “If the world looked like that,” Peel said, “Lou Gehrig would never get a contract to be a ball player if the team knew he had a disease that would degenerate his muscles, or Ronald Reagan would never get elected president if they knew dementia ran in his family.””

Strong new laws are needed to prevent our health data from being used or sold without consent.  We should also have a complete ‘chain of custody’, naming every person and organization that has seen or copied our health information. Without these new legal rights, it’s impossible to decide whether the benefits of using health IT outweigh the risks to our future jobs and opportunities, to our kids’ future jobs and opportunities, and to our grandkids’ and relatives’ future jobs and opportunities.

FYI—HIPAA has NOT protected health data privacy since 2002, it is really a ‘Disclosure’ Rule, not a ‘Privacy’ Rule. See how consent, the right to control who can see and use your health information, was eliminated: http://patientprivacyrights.org/media/The_Elimination_of_Consent.pdf

BOTTOM line: existing technology solutions that enable us to control who sees our records are not required. Instead, the stimulus billions are being used to buy ‘Model T Fords’ that prevent patient control over personal data. Government and corporations (inside and outside healthcare) don’t want to ‘ask first’ before taking our most sensitive personal information.

Help build a map to show where health data flows:  Sign up to be a data detective and contribute to mapping the hidden flows of Americans’ health data at: theDataMap.org. A map of health data flow will prove Congress should act NOW to restore personal control over health data.

Electronic Health Records: Balancing Progress and Privacy

See the full story on the Bioethics Forum Blog: Electronic Health Records: Balancing Progress and Privacy

“Regardless of the fate of the Affordable Care Act, it has set in motion a drive toward greater use of information technology, particularly with regard to electronic health records (EHRs). These technologies promise to increase the transmission, sharing, and use of health data across the health care system, thereby improving quality and reducing unnecessary costs. But they do not come without raising serious ethical questions, particularly those related to privacy. This was the topic of the 2nd International Summit on the Future of Health Privacy hosted by Patient Privacy Rights at Georgetown Law School on June 6 and 7. The two-day event brought together national and international experts on health privacy, technology, and law; patient advocates; industry experts; and top governmental officials to discuss whether there is an American health privacy crisis.”

Read more at The Hastings Center Bioethics Forum

Get information and updates about the International Summit on the Future of Health Privacy at www.HealthPrivacySummit.org

Experts discuss technology and privacy protections at 2nd International Summit on the Future of Health Privacy

See full story at: HIPAA remains in play as technology outpaces privacy protections

Speakers from the 2nd International Summit on the Future of Health Privacy were interviewed in this article about their ideas and opinions concerning the outpacing of privacy protections by technology. Because technology is being invented quicker than privacy laws can be written and imposed, people everywhere are at risk of having their private medical records used without their knowledge and consent. On June 6-7, over 50 speakers and 300 participants met up to discuss the issues brought about by such technological advances at the 2nd International Summit on the Future of Health Privacy. To learn more about the Health Privacy Summit, please visit HealthPrivacySummit.org.

“Experts assembled on June 6 in Washington for a panel discussion on electronic medical records and privacy noted that HIPAA provides only a minimum standard for safeguards, not a template for best practices. Panelists at the International Summit on the Future of Health Privacy added that the stakes are high when it comes to EMRs and privacy.

“Electronic technology is a game-changer, legally, because the damage that can be done to someone is perpetual and the damages that can be awarded are incalculable,” said James Pyles, co-founder and principal of the law firm of Powers, Pyles, Sutter & Verville….

…Joy Pritts, chief privacy officer for the Office of the National Coordinator for Health Information Technology, said the main problem is technology is moving faster than privacy laws can be written

“I approach this in a simplistic way,” Pritts said. “I look to see, do you have a right to privacy for your health information? So far, the courts say you do. The tort laws say you do. Standards of professional ethics of nearly every segment of the medical profession say you do. The HIPAA privacy rule does not say that at all.”"

Learn more about the Health Privacy Summit here.

Top Experts Discuss Privacy Risks at 2nd International Summit on the Future of Health Privacy

Patient Privacy Rights and Georgetown University Law Center’s O’Neill Institute for National and Global Health Law Host Event

Psychiatry Patient’s Story Highlights Growing Threat to Privacy

WASHINGTON–(BUSINESS WIRE)– When a lawyer named “Julie” sought psychiatric treatment in Boston, she never imagined that the notes of sessions with her therapist would be digitized and made available to thousands of doctors and nurses—even dermatologists and podiatrists with no conceivable need for such private records. But that is precisely what happened. “Personal details that took me years to disclose during therapy are being shared throughout my medical network, against my will,” Julie says. “It’s destroyed my trust with my doctors.”

Julie will tell her story for the first time at the 2nd International Summit on the Future of Health Privacy, to be held in Washington, DC, on June 6-7. Sponsored by Patient Privacy Rights, the nation’s leading health privacy watchdog, and Georgetown University Law Center’s O’Neill Institute for National and Global Health Law, the Summit will explore the often-alarming privacy implications of the nation’s race to digitize patient medical records.

“Every state requires patient permission before sensitive mental health records can be shared with other doctors. But Julie found that hundreds of pages of intimate records, some detailing her abuse as a child, were open to the entire staff of her Boston-based healthcare system,” says Dr. Deborah Peel, founder of Patient Privacy Rights. “Julie is an example of how major electronic health records systems can actually strip patients of their privacy rights. Her tragic story highlights the need for the Privacy Summit—to shine light on these abuses and find solutions to protect patient privacy.”

40 Health-Privacy Experts Drive Debate:

More than 40 health-privacy experts from around the globe will gather for the Summit, including top U.S. government officials and leading CEOs, physicians and academics, along with several hundred live and virtual attendees. Speakers will discuss new policies including a Health Privacy Bill of Rights, data exchanges, secondary uses of health data and social media platforms that threaten patient privacy. In addition, the founder of Harvard’s Data Privacy Lab will announce the launch of a yearlong project, the first of its kind, to map the hundreds of secret organizations and agencies where private medical data is sold and shared in the United States.

Summit organizers also will announce the “The Best Privacy Technologies of 2012,” and companies will demonstrate new products that enhance patient control of personal health data.

Louis D. Brandeis Privacy Award:

To kick off the Summit, Patient Privacy Rights will honor the first-ever recipients of the Louis D. Brandeis Privacy Award. The privacy watchdog group will recognize Congressman Joe Barton (R-TX) and Congressman Ed Markey (D-MA) for their roles as leading congressional privacy advocates. And Alan Westin, Columbia University’s Emeritus Professor of Public Law and Government, and Ross Anderson, the University of Cambridge’s Professor in Security Engineering, will be honored for their groundbreaking work on consumer data privacy and security.

WHAT: The 2nd International Summit on the Future of Health Privacy
WHEN: June 6-7th, 2012
WHERE: Georgetown University Law Center
600 New Jersey Avenue, NW. Hart Auditorium, McDonough Hall
Washington, DC 20001

REGISTRATION: http://www.healthprivacysummit.org/d/3cq92g/4W

AGENDA: http://www.healthprivacysummit.org/d/3cq92g/6X

SPEAKERS: http://www.healthprivacysummit.org/d/3cq92g/6K

FOLLOW US ON TWITTER: @PrivacySummit

SPONSORS/PARTNERS: Accenture, CA Technologies, Dell, e-MDs, FairWarning®, Harvard Data Privacy Lab, IDExperts, Jericho Systems, Microsoft, PwC, RTI International, Telemedicine and Advanced Technology Research Center (TATRC), The O’Neill Institute at Georgetown Law Center, The University of Cambridge Computer Laboratory, The University of Texas School of Information

ABOUT PATIENT PRIVACY RIGHTS: Patient Privacy Rights is the nation’s leading bipartisan health privacy organization and leading consumer voice for building ethical, trustworthy healthcare IT systems. For more information, visit http://patientprivacyrights.org

Contact:
Keith Blackman, 202-730-5753
keith@blackmanmediasolutions.com
or
Jim Popkin, 202-686-6699
jim.popkin@sevenoaksmedia.com

Office of the National Coordinator of Health IT, HHS, Announces PPR Summit

To learn more visit Health Privacy Summit and HealthIT.

The Second International Health Privacy Summit is quickly approaching (June 6-7). Our keynote speaker, Farzad Mostashari, MD, ScM is the National Coordinator for Health IT and will be giving a wonderful presentation on “Creating a Culture of Privacy and Security Awareness.” The Office of the National Coordinator for Health IT has given great support to this event and will be participating as well. Here’s what they have to say about the Health Privacy Summit:

June 6-7
2nd International Summit on the Future of Health Privacy

Over 40 leading health-privacy experts from around the globe will gather in Washington, DC for the 2nd International Summit on the Future of Health Privacy to discuss privacy and security issues raised by emerging health technologies. Experts from the U.S. government, the private sector and academia will explore new laws and regulations, data exchanges, secondary uses of health data and social media platforms and how they relate to the privacy and security of patient health information.

National Coordinator for Health Information Technology – Farzad Mostashari, MD, ScM – will kick off this year’s event with a keynote presentation on “Creating a Culture of Privacy and Security Awareness.”

See the full list of speakers at http://www.healthprivacysummit.org/d/3cq92g/6K .

* Agenda: http://www.healthprivacysummit.org/d/3cq92g/6X
* Registration: http://www.healthprivacysummit.org/d/3cq92g/4W FREE to attend or watch live online!

Re: Data-Mining in Doctor’s Office Helps Solve Medical Mysteries

The story concludes that “the benefits (of research) outweigh the (privacy) concerns”. But that statement was made by a hospital administrator, not by the patients whose data were used without consent. They weren’t asked or notified.

There are several problems with the idea that the benefits of doing research without consent outweigh the risks:

·       the lack of privacy and control over health information causes bad outcomes: when people realize that they cannot control health records, millions refuse diagnosis and treatment for cancer, depression, and sexually-transmitted diseases

·       there is no need to choose between respecting patients’ rights to privacy and doing research—it’s a false choice, consent technologies can enable people to easily choose and give automatic consents for research projects they support, or be contacted case-by-case for permission

·       there was no public debate about whether every American’s electronic health information should be used for research without consent

·       current electronic systems do not allow patients to control any uses of their health data—-why continue to use such badly-designed systems?

·       there are no “dangers of over notification” with today’s systems—in fact, patients get no notice at all when personal data is used for research

Americans have not agreed to a healthcare system that turns them into electronic guinea pigs.

Why not build patient-centered systems so we can make important decisions about ourselves, instead of hospital administrators and researchers choosing for us?  “Nothing about me without me.”

Crunch Two Data Sets, Call Me in the Morning

See full article in Bloomberg Businessweek Article

As hospitals are acquiring more and more digital patient data, they are quickly turning to “Big Data” tech companies with expertise in data-mining, which “has already led to some measurable improvements in patient care” according to hospital administration. However, patients are rarely notified when their records are being used in this way because the data is exempt from federal privacy protection due to their necessity for “quality improvement”. “People do not like to have researchers of any stripe using their electronic health records”, says Deborah Peel, MD of Patient Privacy Rights. “As a matter of respect and autonomy and patient-centeredness, patients want to be asked. When they are asked, by and large, they support this. It’s the not-being-asked stuff that’s really bad”. A breakdown in patient-physician trust about data privacy can cause huge problems with patient care arising from patients refusing to share all necessary information with physicians as a means to avoid exposure.

Proposed Rules Prevent Patient Control Over Sensitive Information in Electronic Health Records (EHRs)

The proposed federal rules will require physicians and hospitals to use Electronic Health Records (EHRs) that prevent patient control over who can see and use sensitive personal health information.

This is the second time the federal government has proposed the use of technology that violates Americans’ strong rights to control the use and sale of their most sensitive personal information, from DNA to prescription records to diagnoses.

The proposed rules require EHRs to be able to show “meaningful use” (MU) and exchange of personal health data. PPR and other consumer and privacy advocacy groups submitted similar comments for the Stage 1 MU rules. These newly proposed rules are known as “Stage 2 MU” requirements for EHRs.

The most important function patients expect from electronic health systems is the power to control who can see and use their most sensitive personal information. Technologies that empower patients to decide who can see and use selected parts of their records have been working for 4 million people for over 10 years in 8 states with mental illness or addiction diagnoses. Today we do not have any way to know where our data flows, or who is using and selling it.

Even if we had a ‘chain of custody’ to prove who saw, used, or sold our personal health data—which we do not—it is still essential to restore patient control over personal health data so we can trust electronic health systems.

Technologies that require patient consent before data flows are cheap, effective, and should be required in all EHRs.

See Patient Privacy Rights’ formal comments on the Stage 2 MU proposed requirements submitted to the Centers for Medicare and Medicaid and the Office of the National Coordinator for Health IT at: http://patientprivacyrights.org/wp-content/uploads/2012/05/PPR-Comments-for-Stage-2MU-5-7-12.pdf

Health records lost, stolen or revealed online

From the Chicago Tribune Article: Health records lost, stolen or revealed online

“Almost a decade after a new law went into effect to strengthen health privacy protections, the number of breaches of patient records and databases across the U.S. suggests that personal health information is not as private or secure as many consumers might want or expect.

Since fall 2009, more than 400 large health care breaches affecting at least 500 people and more than 50,000 smaller breaches have been reported to the federal government.

One of the largest unauthorized disclosures in recent history of medical records and other private information happened in September, when computer tapes were stolen that contained data on almost 5 million people enrolled in TRICARE, the nation’s health program for military members, their families and retirees.

Some breaches have resulted in personal information being revealed online. The names and diagnosis codes of almost 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., were posted on a commercial website for nearly a year before it was discovered in September and taken down…

Dr. Deborah Peel, founder and chair of Patient Privacy Rights, a consumer group, would like to see more help for those whose information is breached and tougher punishment for those responsible. The BlueCross BlueShield of Tennessee settlement amounted to “roughly a dollar per breach record, which is nothing,” she said.

PPR at RSI 2012 Conference in Montreal

Deborah C. Peel, Founder and Chair of PPR, will present at the upcoming RSI 2012 conference in Montreal, discussing the health care system in the United States related to HIT and Data Exchanges.

When: May 3rd, 2012, 1:30pm – 2:20pm
Where: Hyatt Regency Montréal , 1255, rue Jeanne-Mance, Montreal (Québec)·mai 3, 2012

Title: Not even a Fig Leaf for Privacy: American’s Health IT Systems and Data Exchanges

Complexity, legacy architectures divorced from privacy rights, a powerful health data mining industry, government interest in health data, and $27 billion in federal funding have created a health IT environment based on open access to 300 million people’s most sensitive  personal information and the elimination of individual privacy rights. Patient Privacy Rights’ role is to be the voice of the public, to educate decision makers, and to create a movement to build innovative health IT systems worthy of trust.