IMS Health Files for IPO – Is It Legal?

On January 2nd, IMS Health Holdings announced it will sell stock on the New York Stock Exchange. IMS joins other major NYSE-listed corporations that derive significant revenue from selling sensitive personal health data, including General Electric, IBM, United Health Group, CVS Caremark, Medco Health Solutions, Express Scripts, and Quest Diagnostics.

  • IMS buys and aggregates sensitive “prescription and promotional” records, “electronic medical records,” “claims data,” “social media” and more to create “comprehensive,” “longitudinal” health records on “400 million” patients.
  • All purchases and subsequent sales of personal health records are hidden from patients.  Patients are not asked for informed consent or given meaningful notice.
  • IMS Health Holdings sells health data to “5,000 clients,” including the US Government.
  • Despite claims that the data sold is “anonymous”, computer science has long established that re-identification is easy.
  • See brief 3-page paper by Narayanan and Shmatikov at: http://www.cs.utexas.edu/~shmat/shmat_cacm10.pdf
  • See Prof. Sweeney’s paper on re-identifying patient data sold by states like WA at: http://thedatamap.org/risks.html
  • “Our solutions, which are designed to provide our clients access to our deep healthcare-specific subject matter expertise, take various forms, including information, tailored analytics, subscription software and expert services.” (from IMS Health Holding’s SEC filing)

 

Quotes from IMS Health Holding’s SEC filing:   “We have one of the largest and most comprehensive collections of healthcare information in the world, spanning sales, prescription and promotional data, medical claims, electronic medical records and social media. Our scaled and growing data set, containing over 10 petabytes of unique data, includes over 85% of the world’s prescriptions by sales revenue and approximately 400 million comprehensive, longitudinal, anonymous patient records.”   IMS buys “proprietary data sourced from over 100,000 data suppliers covering over 780,000 data feeds globally.”

How can this business model be legal?  How can companies decide that US citizens’ personal health data is “proprietary data,” a corporate asset, and sell it?  If personal health data ‘belongs’ to anyone, surely it belongs to the individual, not to any corporation that handles, stores, or transmits that information.

Americans’ strongest rights to control personal information are our rights to control personal health information. We have constitutional rights to health information privacy which are not trumped by the 2001 elimination of the right of consent from HIPAA (see: http://patientprivacyrights.org/truth-hipaa/ ). HIPAA is the “floor” for privacy rights, not the ceiling. Strong state and federal laws, and medical ethics require consent before patient data is used or disclosed. 10 state constitutions grant residents a right to privacy, and other states’ constitutions have been interpreted as giving residents a right to privacy (like TX).

Surely the FTC would regard the statement filed with the SEC as evidence of unfair and deceptive trade practices. US patients’ health data is being unfairly and deceptively bought and sold.  Can the SEC deny IMS Health the opportunity to offer an IPO, since its business model is predicated on hidden purchase and sale of Americans’ personal health data?

If we can’t control the use and sale of our most sensitive personal information, data about our minds and bodies, isn’t our right to privacy worthless?

deb

To view the full article published in Modern Healthcare visit:  IMS Health Files for IPO

 

Privacy Group Comments on ONC’s Patient Data Matching Report

December 23, 2013 – “At an Office of the National Coordinator for Health IT meeting last week, advocacy group Patient Privacy Rights said that initial findings from an ONC report on how to match patients with their health data addressed problems with current health IT systems and data exchanges but missed an opportunity to create and leverage patient engagement in controlling their own health data, Health Data Management reports (Goedert, Health Data Management, 12/20).”

To view PPR’s comments and a copy of the full article, please visit: Privacy Group Comments on ONC’s Patient Data Matching Report

The Truth About HIPAA – It Hasn’t Changed

Everyone thinks HIPAA protects personal health data. It doesn’t.

The most valuable data collected and sold by US “data brokers” is sensitive personal health information.

US “data brokers” capture sensitive health information by tracking our searches, social media, phone apps and GPS data. The majority of US healthcare institutions, health-related state and federal government agencies, and health technology vendors are also “data brokers”.

HIPAA gave millions of hidden institutions, healthcare providers, and technology vendors the right to control, use, and sell our medical records, prescriptions, lab tests, claims data, and more. HIPAA gave them the right to be “data brokers”.

If the President’s Consumer Privacy Bill of Rights (CPBOR) was the law of the land AND also was applied to the healthcare system, patients could control who collects and uses health data—not “data brokers”.

The CPBOR’s strong new rights to control the use of personal data could end the use of data for discrimination in every area of life, including  jobs, credit, mortgages, and opportunities.

The EU got it right:  no government agency or corporation in the EU can collect, use, or sell personal data without permission.

deb

This blog was written in response to the following article: Senators call for consumer privacy protections

 

Testimony of Deborah C. Peel, MD at the ONC’s Patient Matching Stakeholder Meeting

WASHINGTON, DC (December 16, 2013) – Patient Privacy Rights’ (PPR) founder and chair, Deborah C. Peel, MD, submitted written testimony to the U.S. Department of Health and Human Services’ Office of the National Coordinator (ONC) at today’s Patient Matching Stakeholder Meeting. The meeting discussed the initial findings from the ONC’s dedicated initiative to assess which aspects of patient identification matching are working well, where there are gaps, and where improvements are needed.

 

In her prepared testimony, Dr. Peel said that “the Initial Findings address the problems caused by current institutional health information technology (health IT) systems and data exchanges.” However, she also stated that the findings may not adequately address future needs, nor do they foresee how the meaningful use requirements for the Health Information Technology for Clinical Health (HITECH) Act can resolve many of the current problems with patient identity and patient matching.

 

Arguing that the findings present a tremendous opportunity to create and leverage genuine patient engagement, Dr. Peel said that “patients have more interest and stake in data integrity and safety than any other stakeholder.” Describing PPR’s vision of the future, Dr. Peel outlined how meaningful patient engagement will eliminate many of the complex problems caused by current patient identity systems, matching technologies, and algorithms. She also said that meaningful patient engagement means that patients can access, control, or delegate how their personal information is used and disclosed, as well as monitor all exchanges of their health data in real time.

 

Additionally, Dr. Peel discussed key elements for meaningful patient engagement based on Fair Information Practices (FIPs) and federal law. She said that all data holders and all health data aggregators should operate as HIPAA covered entities and should be known to patients. In order to provide accountability and transparency, she said that each data aggregator should provide Notice of Privacy Practices (NPPs), voluntary patient-controlled IDs, patient and physician portals, Direct Secure email between patients and physicians, Blue Button Plus (BB+), and real time accounting of disclosures.

 

In her concluding remarks, Dr. Peel stated that policies and best practices should consider how future health IT systems and data exchanges will operate, and should “anticipate meaningful patient and physician engagement, lowering costs, improving data quality, integrity and patient safety.” She urged the ONC to require, promote, and incentivize the rapid adoption of technologies that meaningfully engage patients as described in her testimony.
The complete text of this testimony is here.

Can Big Data Make Healthcare Better, Cheaper?

December 12, 2013
Medical records are being digitized on a massive scale to bring down the costs of healthcare and, maybe, to produce better outcomes. It also means a loss of patient privacy. President Obama’s Affordable Care Act promotes the digitization of millions of medical records to measure outcomes and contain costs. Big Data may also help doctors better understand many diseases, who’s most likely to get them and what the best treatments might be. It also makes the most intimate kind of personal information available to the government, insurance and drug companies — even prospective employers. Should patients be able to say “yes” or “no?”

 

Host Warren Olney of NPR affiliate KCRW interviews Dr. Deborah Peel to discuss the risks and the benefits of Big Data in the field of medicine. She is joined by fellow panelists Joel Dudley, Department of Genetics and Genomic Sciences, Mt. Sinai Medical School, Iya Khalil, Executive VP and Co-Founder, GNS Healthcare, and Nortin Hadler, Professor of Medicine and Microbiology/Immunology, University of North Carolina at Chapel Hill.

ACP Supports Creating National Rx Drug Monitoring Database

Wednesday, December 11, 2013
 
The American College of Physicians supports the development of a national prescription drug monitoring program, which would create a single database that physicians and pharmacies could electronically review before prescribing controlled substances, according to a position paper, CBS News reports. The paper was published in the Annals of Internal Medicine on Monday (Jaslow, CBS News, 12/9).

 

A new national drug data base will extend the failed “War on Drugs”, criminalize millions more, increase patients’ reluctance to use controlled substances, and NOT improve treatment for addiction. US prescriptions are already collected and sold daily by prescription data aggregators like IMS Health, Merck Medco, SureScripts, etc., etc. These businesses all sell the nation’s prescription data to any willing buyers. Meanwhile neither physicians nor patients can get electronic copies of prescription data to improve care. Who should health technology benefit? Patients or corporations?

Why not use patients’ prescription data, already being collected by the hidden data aggregation industry, to improve patient health?

Why not use technology to strengthen the patient-physician relationship and to ensure effective diagnosis and treatment?

For example, here is one way technology could be re-designed to help patients:

Anytime a patient gets a controlled substance prescription, existing systems could automatically search for any prior controlled substance prescriptions the patient received in the last month. If a second or third prescription is found, the physician(s) and patient could be automatically notified and resolve together whether it should be filled or not—and how best to treat the patient’s symptoms.

Technology should give patients and doctors the data they need for effective TREATMENT. It’s sad that such a prominent physician group supports giving law enforcement automatic access to every controlled substance prescription in the US. Law enforcement should only be able to access such sensitive patient data AFTER someone has committed a crime or with a judge’s approval.

Why open ALL prescriptions to law enforcement surveillance when the vast majority of patients taking controlled substances are not criminals?

Addiction is NOT a crime, it’s a very treatable medical illness.

deb

 

Canadian Woman Denied Entry To U.S. Because Of Her Medical History

This story deeply troubles me as a practicing psychiatrist and Freudian psychoanalyst. It’s appalling to see technology used in ways that increase the harms and stigma people with mental illness and addiction endure.
 
 
The story is about a disabled Canadian woman denied the right to travel by a U.S. Customs and Border Protection agent because of her history of hospitalization for Depression.
 
Quotes from the story about the agent who denied her US entry for the cruise:
  • He cited the U.S. Immigration and Nationality Act, Section 212, which denies entry to people who have had a physical or mental disorder that may pose a “threat to the property, safety or welfare” of themselves or others.
  • The agent gave her a signed document which stated that “system checks” had found she “had a medical episode in June 2012” and that because of the “mental illness episode” she would need a medical evaluation before being accepted.
How did the US obtain electronic health data on Canadian citizens?
How frequently is the US Government accessing the electronic health records of Canadians?
How frequently is the US Government (and state governments) accessing our electronic health records?
 
Partial answers come from a CBC News story with information from Wikileaks. Quotes:
  • According to an RCMP (Royal Canadian Mounted Police) website, the CPIC (Canadian Police Information Centre) database stores 9.6 million records in its investigative databanks.
  • The RCMP and U.S. law enforcement agencies provide reciprocal direct access to each other’s criminal databases in order to stem the flow of narcotics and criminal dealings into North America, according to the WikiLeaks cable.
  • When asked about the sharing of police information for security purposes, Kamenitz says the government is “obviously not considering what the impact of that can be and how much that can alter a person’s life.”
 
How does the US use electronic health information on American citizens or people with histories of treatment for mental illness or hospitalization?
 
This is ominous because of the proliferation of federal laws requiring that state data bases of involuntary commitments for hospitalization be reported to the National Instant Criminal Background Check System (NICS) to prevent violent mentally ill people from buying guns and the proliferation of state Prescription Drug Monitoring Programs (PDMs) for controlled substances.
  • (FYI—Currently US patients are denied their federal rights to have a list of who used their electronic health records and why—the war over the regulations to implement this critical consumer protection is intense. Industry has held this up for almost 5 years claiming it’s too hard, too expensive, no technology exists, it will burden and scare patients to see how many 1000s of accesses there are every day, etc, etc.)
There is a huge state and national push to build/use data bases about mental illness or addiction for many purposes. 

 

It’s the same phenomenon we saw in 2009 when the technology industry got $29B in subsidies for health IT written into the stimulus bill—despite the absence of interest or support of the majority of patients and physicians. See story by Robert O’Harrow on “The Machinery Behind Healthcare Reform”: http://www.washingtonpost.com/wp-dyn/content/article/2009/05/15/AR2009051503667.html
Every family and every person is close to someone suffering from Depression, addiction, or another mental illness. The lack of privacy already drives over 2 million people a year away from treatment for Depression and major mental illness.
 
This is truly a national tragedy. Knowing the US government accesses the nation’s electronic health records will discourage even more people from seeking treatment for serious mental illnesses that are VERY treatable.  
 
Best,
Deborah

What a Small Moment in the Obamacare Debate Says About Ideological Media

Politics aside, a huge majority of the public agrees that ALL personal information should be protected online, not just when they apply for Obamacare, use electronic health systems, or search online about health.  The right to control the use of personal health data is strongly supported by 95% of Americans.

But like the public, the author doesn’t know that government and corporations already have access to every citizen’s personal health information. See: http://patientprivacyrights.org/truth-hipaa/  HIPAA has not protected our rights to health ‘privacy’ since 2002.

Key conclusions:

  • “The Bush and Obama Administrations both showed with perfect clarity that they don’t give a damn about the privacy rights of Americans; federal bureaucrats serving in both eras have broken the law to hoover up our private information; and every trend points to a federal government intent on expanding its ability to collect information on Americans and share it among agencies. The U.S. has also shown an inability to protect data it stores from being hacked or stolen. Given all that, it isn’t paranoid to imagine that any health information handed over to the federal government won’t remain private for long. A betting man would be wise to conclude that somehow or other, it will at least be seen more widely than Obama Administration officials are promising—especially if additional steps aren’t taken to make the information better protected.”
  • “Outsmarting the most hackish Republicans isn’t enough to fix the flaws in legislation that you championed and passed, substantial warts and all.”

Congress must pass a strong new law soon to give patients a clear, strong right to control personal health information.  We should decide who can see and use our most sensitive personal information. The nation’s trust in government will only worsen if we cannot protect even our MOST sensitive personal data, from prescription records, to DNA to diagnoses.

deb

This blog was written in response to the following article: What a Small Moment in the Obamacare Debate Says About Ideological Media

Google to Sell Users’ Endorsements

The New York Times posted an article reminding us about the permanence of our digital footprints.  Those old posts are never forgotten and can now be used by Google to make a profit.

“Those long-forgotten posts on social networks, from the pasta someone photographed to the rant about her dentist, are forgotten no more. Social networks want to make them easier to find, and in some cases, to show them in ads.  Google on Friday announced that it would soon be able to show users’ names, photos, ratings and comments in ads across the Web, endorsing marketers’ products. Facebook already runs similar endorsement ads.”

“’People expect when they give information, it’s for a single use, the obvious one,’ said Dr. Deborah C. Peel, a psychoanalyst and founder of Patient Privacy Rights, an advocacy group. ‘That’s why the widening of something you place online makes people unhappy. It feels to them like a breach, a boundary violation.’”

“’We set our own boundaries,’ she added. ‘We don’t want them set by the government or Google or Facebook.’”

“Dr. Peel said the rise of new services like Snapchat, which features person-to-person messages that disappear after they are opened, showed how much people wanted more control over how their information was shared.”

To view the full article click here

ONC: Looking for ‘realistic’ ways to account for disclosures

“ONC’s Health IT Policy Committee Tiger Team held a virtual hearing Sept. 30 to gather information about the rule and explore ‘realistic ways to provide patients with greater transparency about the uses and disclosures of their digitized, identifiable information,’ according to a Sept. 23 blog post by Committee Chair Devon McGraw. The Tiger Team asked for answers to specific questions, such as what patients want to know and how transparency technologies currently are being used by covered entities.”

“Deborah Peel, Founder and Chair of the Patient Privacy Rights coalition, suggested in her testimony that accounting for disclosures needs to include all of the detailed information about all uses of a patient’s electronic health information; she added that the rule could be implemented by ‘piggybacking’ onto existing initiatives, such as the Blue Button movement.”

Read more: ONC: Looking for ‘realistic’ ways to account for disclosures – FierceEMR

To read Dr. Peel’s testimony on Accounting for Disclosures click here