NHS England patient data ‘uploaded to Google servers’, full disclosure demanded

The UK government has been debating illegal disclosures of patient health data: “The issue of which organisations have acquired medical records has been at the centre of political debate in the past few weeks, following reports that actuaries, pharmaceutical firms, government departments and private health providers had either attempted or obtained patient data.”

The article closes with quotes from Phil Booth of medConfidential:

  • “Every day another instance of whole population level data being sold emerges which had been previously denied”.
  • “There is no way for the public to tell that this data has left the HSCIC. The government and NHS England must now come completely clean. Anything less than full disclosure would be a complete betrayal of trust.”

Far worse privacy violations are the norm in the US, yet our government won’t acknowledge that US health IT systems enable hidden sales and sharing of patients’ health data.  US patients are prevented from controlling who sees their health records and can’t obtain real-time lists of who has seen and used personal health data.

Learn how the data broker industry violates Americans’ strong rights to control the use of personal health information in IMS Health Holdings’ SEC filing for an IPO:

  • IMS buys and aggregates sensitive “prescription and promotional” records, “electronic medical records,” “claims data,” “social media” and more to create “comprehensive,” “longitudinal” health records on “400 million” patients.
  • All purchases and subsequent sales of personal health records are hidden from patients.  Patients are not asked for informed consent or given meaningful notice.
  • IMS Health Holdings sells health data to “5,000 clients,” including the US Government.
  • IMS buys “proprietary data sourced from over 100,000 data suppliers covering over 780,000 data feeds globally.”

Data brokers claim they don’t violate our rights to health information privacy because our data are “de-identified” or “anonymized”—but computer scientists have proven it’s easy to re-identify aggregated, longitudinal data sets:

deb

This blog was written in response to the following article: NHS England patient data ‘uploaded to Google servers’, Tory MP says

NHS legally barred from selling patient data for commercial use. When will the US wake up?

When will US bar sale of patient data for commercial use?

1st: Public has to wake up.

2nd: The LIE of sale of patient data for research must be exposed.

US law permits any corporation to buy/sell/share patient data for commerce (i.e. BIG DATA analytics and proprietary products without patient consent or knowledge). This is a fact.

deb

This blog was written in response to the following article: NHS legally barred from selling patient data for commercial use

3 Reasons Your Medical Records Are at Risk

When hospitals find themselves in the middle of a breach, they usually prioritize improving their security to prevent further security breach incidents.

In addition to defending themselves against data breaches, health systems also need to find the right balance to adequately protect their patients’ privacy.

Since medical information is stored digitally, patients may not be fully aware how crucial it is to protect their data from being seen by unauthorized persons. Some privacy breaches may be avoidable, and learning from these mistakes is essential for health systems to maintain security of sensitive patient information. Here are three reasons why patient security may be lacking at health organizations.

Privacy Is on the Back Burner

When health IT systems are built, ensuring patient privacy is usually not on the forefront of designers’ and engineers’ minds. These IT experts usually put system functions ahead of privacy, which could result in poor privacy protection down the road. Some developers may also leave out privacy features altogether, which could put patient information at risk for being compromised.

Human Error

In a recent report, psychiatric facilities in Texas suffered a string of data breaches, but the majority of them were caused by human error, The Republic reported.

Deborah Peel, the Austin founder of watchdog group Patient Privacy Rights, said repeated data breach incidents could lead patients to question whether their information is secure, which could cultivate distrust among patients. “Our patients deserve privacy and expect that their information is kept confidential,” said Christine Mann, spokeswoman for the Texas Department of State Health Services.

To view the full article please visit: 3 Reasons Your Medical Records Are at Risk

Judge Rules Patients Have a Reasonable Expectation of Privacy in Rx Records

The ACLU recently challenged the Drug Enforcement Administration’s practice of obtaining Oregon patients’ confidential prescription records without a warrant. PPR’s Dr. Deborah Peel submitted a declaration in support of the ACLU’s position, which you can read here.

Good news: It’s a win for privacy! In an opinion issued today, the judge ruled that patients have a reasonable expectation of privacy in their prescription records under the Fourth Amendment, and that the DEA needs a warrant to obtain records from the Oregon Prescription Drug Management Program (PDMP).

To read the judge’s opinion, click here.

To read more from Nathan Wessler, an ACLU attorney working on the case, click here.

Did Tim Armstrong’s ‘Distressed Babies’ Comment Violate HIPAA Privacy Laws?

US citizens have a fundamental Constitutional right to health information privacy—but can’t easily sue. Only federal employees can sue under the Privacy Act of 1974, as vets did when a laptop with millions of health records was stolen. Even with strong state health privacy laws and state constitutional rights to privacy in place, it’s very hard to sue because most courts demand proof of monetary harm. This new digital disaster (exposing and/or selling sensitive personal health data) can’t be stopped without stronger, clearer federal laws, or unless US citizens boycott the corporations that violate their rights to health privacy.

-Deb

This blog was written in response to the following article:

Did Tim Armstrong’s ‘Distressed Babies’ Comment Violate HIPAA Privacy Laws?
By Abby Ohlheiser
The Wire, February 10, 2014

New CLIA rule talks the talk, but it doesn’t walk the walk

Deborah Peel, MD, Founder and Chair of Patient Privacy Rights

The federal government released an update to the CLIA rule this week that will require all labs to send test results directly to patients. But the regulations fail to achieve the stated intent to help patients. The rule allows labs to delay patient access to test results up to 30 days, and the process for directly obtaining personal test results from labs is not automated.

The new rule also fails to help patients in significant ways:

  • Real-time, online test results are not required. The federal government should have required all labs to use technology that benefits patients by enabling easy, automatic access to test results via the Internet in real-time. Unless we can obtain real-time access to test results, we can’t get a timely second opinion or verify the appropriate tests were ordered at the right time for our symptoms and diseases.
  • Labs are allowed to charge fees for providing test results to patients.  If labs can charge fees, they will not automate the process for patients to obtain results. Labs that automate patient access to test results online would incur a one-time cost.  After labs automate the process, human ‘work’ or time is no longer needed to provide patients their test results, so the labs would have no ongoing costs to recoup from patients.
  • Labs should be banned from selling, sharing, or disclosing patient test results without meaningful informed consent to anyone, except the physician who ordered the tests. This unfair and deceptive trade practice should be stopped. No patient expects labs to sell or share their test results with any other person or company except the physician who ordered the test(s).

This rule raises a question: why do so many federal rules for improving the healthcare system fail to require technologies that benefit patients?

Technology could provide enormous benefits to patients, but the US government caters to the healthcare and technology industries, instead of protecting patients.

Current US health IT systems actually facilitate the exploitation of patients’ records via technology. When HHS eliminated patient control over personal health data from HIPAA in 2002, it created a massive hidden US data broker industry that sells, shares, aggregates and discloses longitudinal patient profiles (for an example, see IMS’ SEC filing with details about selling 400M longitudinal patient profiles to 5K clients, including the U.S. government).

Meanwhile, even the most mundane, annoying, repetitive tasks patients must perform today–like filling out new paper forms with personal information every time we visit a doctor–are not automated for our convenience or to improve data quality and accuracy.

Shouldn’t IT improve patients’ experiences, treatment, and restore personal control over sensitive health information?

deb

You can also view a copy of this blog post here

Report: State mental hospitals dealing with privacy breaches as patient records removed

AUSTIN, Texas — There have been five incidents in the last six months where patients’ health records have made their way out of some of Texas’ 10 public psychiatric facilities, according to a review of state records by a newspaper.

In one incident, an employee at Big Spring State Hospital in West Texas was fired after officials alleged she walked out of the facility with 50 patients’ protected health records, the Austin American-Statesman reported (http://bit.ly/1i0pZ2H) Sunday.

In the other cases, which involved a total of about a dozen patients, officials determined that the breaches were caused by mistakes.

“This can’t happen,” said Christine Mann, spokeswoman for the Texas Department of State Health Services, which oversees the hospitals. “Our patients deserve privacy and expect that their information is kept confidential. We’re doing everything we can to figure out what happened and how to address it.”

Dr. Deborah Peel, the Austin founder of Patient Privacy Rights, a national watchdog group focused on the protection of medical records, said the multiple incidents at the Texas hospitals indicate a pattern of problems that raise questions about the hospital system’s ability to keep patient records safe.

“Incidents like this broadcast loud and clear that the place I go for help might not keep my information safe,” Peel said.

To view the full article, visit Report: State mental hospitals dealing with privacy breaches as patient records removed

The Biggest Data Myths of 2013

The biggest myth about “Big Data” users of the entire nation’s health information is that personal health data was acquired legally and ethically.

Just ask anyone you know if they ever agreed to the hidden use and sale of sensitive personal information about their minds and bodies by corporations or “research” businesses for analytics, sales, research or any other use. The answer is “no.”

Americans have very strong individual rights to health information privacy, i.e., to control the use of their most sensitive personal information. If US citizens have any “right to privacy,” that right has always applied to sensitive personal health information. This was very clear for our paper medical records and is embodied in the Hippocratic Oath as the requirement to obtain informed consent before disclosing patient information (with rare exceptions).

The IPO filing by IMS Health Holdings at the SEC exposed the vast number of hidden health data sellers and buyers. Buying, aggregating, and selling the nation’s health data is an “unfair and deceptive” trade practice. (Read more of Dr. Peel’s comments on the IMS filing here.)

Does the public know or expect that IMS (and the 100’s of thousands of other hidden health data mining companies) buys and aggregates sensitive “prescription and promotional” records, “electronic medical records,” “claims data,” and “social media” to create “comprehensive,” “longitudinal” health records on “400 million” patients? Or that IMS buys “proprietary data sourced from over 100,000 data suppliers covering over 780,000 data feeds globally”? Again, the answer is “no.”

Given the massive hidden theft, sale, and misuse of the nation’s health information how can any physician, hospital, or health data holder represent that our personal health data is private, secure, or confidential?

deb

Here’s Scary: Your Social Security Number Is Just a Click Away

From Nancy Smith of the Sunshine State News:

Snafus involving the mandated switch from paper to electronic medical records have been happening for the last few years as the Affordable Care Act geared up. Horror stories — like the one about a California orthopedic surgeon whose medical-records software provider sold his patients’ records to anybody who wanted them — are more common than most people realize. Read the incredible story.

“This is a nightmare. It’s nothing we’ve ever seen before in medicine,” said patient privacy-rights advocate Dr. Deborah Peel.

Peel said many patients and doctors don’t know the federal government quietly eliminated patients’ privacy rights for electronic records. “It’s a free-for-all,” she said. “It’s the Wild West. Today there are over 4 million different kinds of organizations and companies that can see and use our medical records without our knowledge, without our permission and we can’t refuse.”

Peel said we can actually thank Healthcare.gov, the Obamacare sign-up website, for waking us up and making us think about what happens to our personal health information on a big bureaucratic website.

All of a sudden, Americans get it, she said — and the Obama administration isn’t pleased at having to deal with another strain of negativity in the rollout of its health plan. The government, remember, spent some $2 billion just to encourage the adoption of electronic health records.

Peel, a physician and probably the most renowned national speaker on health privacy, believes Healthcare.gov will amount to government surveillance of all health information unless some mobile “app” is developed so patients can access and control the dispersal of their own data, with Social Security numbers at the top of the list.

“Health information is the most valuable personal data about you, bar none,” Peel said. “We (at Patientprivacyrights.org) tremendously support technology, but technology that’s smart, that serves you and does what you expect — that doesn’t serve hidden industries that steal data or (is subject to) government surveillance. Government technology could put us in much better control of our information.

“We need to develop a mobile ‘app’ that would let you find out what happens to your information. We need new technology and privacy protections to be put in place.” See Peel’s remarks on Patientprivacyrights.org.

Please click here to read the full article.

Company That Knows What Drugs Everyone Takes Going Public

Nearly every time you fill out a prescription, your pharmacy sells details of the transaction to outside companies which compile and analyze the information to resell to others. The data includes age and gender of the patient, the name, address and contact details of their doctor, and details about the prescription.

A 60-year-old company little known by the public, IMS Health, is leading the way in gathering this data. They say they have assembled “85% of the world’s prescriptions by sales revenue and approximately 400 million comprehensive, longitudinal, anonymous patient records.”

IMS Health sells data and reports to all the top 100 worldwide global pharmaceutical and biotechnology companies, as well as consulting firms, advertising agencies, government bodies and financial firms. In a January 2nd filing to the Securities and Exchange Commission announcing an upcoming IPO, IMS said it processes data from more than 45 billion healthcare transactions annually (more than six for each human on earth on average) and collects information from more than 780,000 different streams of data worldwide.

Deborah Peel, a Freudian psychoanalyst who founded Patient Privacy Rights in Austin, Texas, has long been concerned about corporate gathering of medical records.

“I’ve spent 35 years or more listening to how people have been harmed because their records went somewhere they didn’t expect,” she says. “It got to employers who either fired them or demoted them or used the information to destroy their reputation.”

“It’s just not right. I saw massive discrimination in the paper age. Exponential isn’t even a big enough word for how far and how much the data is going to be used in the information age,” she continued. “If personal health data ‘belongs’ to anyone, surely it belongs to the individual, not to any corporation that handles, stores, or transmits that information.”

To view the full article please visit: Company That Knows What Drugs Everyone Takes Going Public