Data Protection Laws, an Ocean Apart

American citizens are just like EU citizens: they want the same strong rights to control personal information online, especially health information.

See the letter Patient Privacy Rights and other NGOs signed supporting the EU’s tough requirements for data protection. The letter urges US government policy makers to support the same tough data protections for US citizens, also embodied in the protections President Obama laid out in the “Consumer Privacy Bill of Rights”.

Unfortunately, the “Consumer Privacy Bill of Rights” exempts all health data, leaving in effect the flawed HIPAA Privacy Rule that eliminates our control over personal health data. The 563-page Omnibus Privacy Rule adds strong data security protections and stronger enforcement of violations for some health data holders and users, but not all. But it does not restore patients’ rights to consent before personal health information is accessed or used, even though the right to control health information has been the law of the land for centuries and is the key ethic in the Hippocratic Oath (which requires doctors to keep information private and not share it without consent).

US citizens will not trust their physicians or electronic health systems unless they control who can see and use their records, from diagnoses to DNA to prescriptions.

Article: Big brother to log your drinking habits and waist size as GPs are forced to hand over confidential records

To view the full article written by Jack Doyle, please visit: Big brother to log your drinking habits and waist size as GPs are forced to hand over confidential records

The UK government proposes to collect citizens’ health data in a “giant information bank”. “A document outlining the scheme even raises the prospect of clinical data being passed on or sold to third parties”.

Quotes:

  • Doctors will be forced to hand over sensitive information about patients as part of a new programme called Everyone Counts.
  • The files will be stored in a giant information bank that privacy campaigners say represents the ‘biggest data grab in NHS history’.
  • Ross Anderson, professor of security engineering at Cambridge University, said: ‘Under these proposals, medical confidentiality is, in effect, dead and there is currently nobody standing in the way.’

David Cameron was criticized in the Guardian in 2011 when he first announced similar plans for collecting all citizens’ health data to:

  • “encourage NHS ties with industry and fuel innovation, including £180m catalyst fund”
  • encourage “collaboration between the health service and the life sciences industry”
  • “make it easier for drug companies to run clinical trials in hospitals and to benefit from the NHS’s vast collection of patient data”.

The tens or hundreds of billions generated annually by sales of American citizens’ electronic health information are an attractive model for the UK and EU given the dire economic situation in the EU. It’s hard to know how large the market for health data is or how health data is used without a data map. See Professor Sweeney explain theDataMap research project at: http://tiny.cc/etyxrw

Americans can’t control who sees or uses their health data. Will UK citizens suffer the same fate?

Rekindling the patient ID debate

Unique patient identifiers pose enormous implications for patient control and privacy. Dr. Deborah Peel is quoted in this article explaining how detrimental UPIs will be for patient trust and safety. To view the full article, please visit Rekindling the patient ID debate.

Key Quotations:

“The idea of unique patient identifiers (UPIs) is not a concept extracted from the next dystopian novel. It could very well be reality in the not-so-distant future. The question remaining, however, is whether or not the benefits of such technology outweigh constitutional privacy and patient trust concerns.”

“Deborah Peel, MD, founder of Patient Privacy Rights, and a fierce opponent of UPIs, writes in a Jan. 23 Wall Street Journal article, ‘In the end, cutting out the patient will mean the erosion of patient trust. And the less we trust the system, the more patients will put health and life at risk to protect their privacy.’

Peel points to the present reality of patient health information – genetic tests, claims data and prescription records – already being sold and commercialized. ‘Universal healthcare IDs would only exacerbate such practices,’ she avers.”

Questions of Privacy

ModernHealthcare.com recently posted a great article about PPR’s Dr. Deborah Peel and her work.

A few key points from the article:

“In 2002, HHS redrafted the privacy rule of the Health Insurance Portability and Accountability Act, replacing its patient consent requirement for the sharing of most patient records with a new provision. The rewrite afforded ‘regulatory permission,’ according to the rule, for hospitals, physicians, insurance companies, pharmacies, claims clearinghouses and other HIPAA-covered entities to use and disclose patient data for treatment, payment and a long list of other healthcare operations without patient consent.”

“‘Let’s face it,’ Peel says, ‘HHS is the agency that eliminated patient control over electronic medical records and has remained hostile to patients’ rights ever since.’”

“‘Where I’m coming from is, I’ve spent all this time in a profession with people being hurt,’ Peel says. ‘Starting in the 1970s, when I first let out my shingle, people came to me and said, if I paid you in cash, would you keep my records private. Now, we’ve got a situation where you don’t even know where all your records are. We don’t have a chain of custody for our data, or have a data map’ to track its location.”

Privacy and Health Care – Blog referencing PPR’s “The Case for Informed Consent”

The blog Emergent Chaos wrote an article urging privacy in the mental health field as a means of minimizing the stigma associated with diagnosis.

Some key statistics pointed out in this post:

“First, between 13 and 17% of Americans admit in surveys to hiding health information in the current system. That’s probably a lower-bound, as we can expect some of the privacy sensitive population will decline to be surveyed, and some fraction of those who are surveyed may hide their information hiding. (It’s information-hiding all the way down.)

Secondly, 1 in 8 Americans (12.5%) put their health at risk because of privacy concerns, including avoiding their regular doctor, asking their doctor to record a different diagnosis, or avoiding tests.”

DNA records pose new privacy risks

To view the full article, please visit: DNA Records Pose New Privacy Risks

An article in the Boston Globe highlights the ease with which DNA records can be re-identified. According to the article, “Scientists at the Whitehead Institute for Biomedical Research showed how easily this sensitive health information could be revealed and possibly fall into the wrong hands. Identifying the supposedly anonymous research participants did not require fancy tools or expensive equipment: It took a single researcher with an Internet connection about three to seven hours per person.” Even truly anonymous data was not entirely safe from being re-identified. Yaniv Erlich “…decided to extend the technique to see if it would work with truly anonymous data. He began with 10 unidentified men whose DNA sequences had been analyzed and posted online as part of the federally funded 1,000 Genomes Project. The men were also part of a separate scientific study in which their family members had provided genetic samples. The samples and the donors’ relationships to one another were listed on a website and publicly available from a tissue repository.”

These findings are incredibly relevant because it is highly possible that “something a single researcher did in three to seven hours could easily be automated and used by companies or insurers to make predictions about a person’s risk for disease. Although the federal Genetic Information Nondiscrimination Act protects DNA from being used by health insurers and employers to discriminate against people”.

Can computers predict medical problems? VA thinks maybe.

To view the full article written by Bob Brewin for Nextgov, please visit Can computers predict medical problems? VA thinks maybe.

“The Veterans Health Administration plans to test how advanced clinical reasoning and prediction systems can use massive amounts of archived patient data to help improve care, efficiency and health outcomes.”

Two veterans commented on the story below:

  • “total invasion of privacy, I have a big problem with a “vendor” going through my records let alone the VA. the VA doesn’t exactly have a good track record of protecting information”
  • “veterans are NO LONGER guinea pigs without express PRIOR written consent, that is MEDICAL DATA covered by HIPAA, and is expressly forbidden to be managed in an open fashion and is NOT for sale.”

Like 99% of Americans, these vets oppose research use of their health information without consent.

US health IT systems and the VA could offer electronic consent to participate in studies:

  • Electronic consent tools can enable each patient to set his or her own broad rules to allow research use of their health data.
  • Vets could be ‘pinged’ for consent for EACH study, set broad rules to allow use of data for all studies, or set their rules for something in between (such as: I will agree to all research use of my data on traumatic brain injury and PTSD, but contact me for consent for all other studies).

Unfortunately the new Omnibus Privacy Rule grants open access to all 300 million citizens’ sensitive health information without consent for any ‘research’ or ‘public health’ use.

The broad ‘research loophole’ in HIPAA and the new Omnibus Privacy Rule permits industry (corporations including insurers, employers, drug companies, marketers, pharmacies, labs, and others) to use and sell our personal data for “research” that we would never agree to. ‘Research’ is defined so broadly that:

  • Blue Health Intelligence (a subsidiary of Blue Cross Blue Shield) does ‘research’. It uses and sells enrollees’ health data without consent.
  • IMS Health data mines and sells the nation’s prescription records. Claiming to do ‘research’ allows IMS Health to use and sell Americans’ prescription records without consent.
  • Many electronic health record companies (Cerner, GE Centricity, Greenway, Athena Health, and Practice Fusion) are also ‘research companies’ and sell health data.
  • The ‘research’ industry sells data that is supposedly ‘de-identified’, but health data is easy to re-identify (see the paper by Narayanan and Shmatikov: http://www.cs.utexas.edu/~shmat/shmat_cacm10.pdf ). And there is no way to know when ‘de-identified’ data is re-identified. Texas law bans ‘re-identification’ of health data, but the system depends on whistleblowers to report violations.
  • Most ‘researchers’ are not physicians, scholars, and PhDs at academic centers, as the public assumes.

Why wouldn’t every corporation that touches health data declare itself a ‘research institution’ so it can collect, use, and sell Americans’ health data? Personal health information is THE MOST valuable data of all, but we have no way to control which corporations collect and use health data.

How large a part of the surveillance economy is personal health data?

Clouds in healthcare should be viewed as ominous: Quotes from Dr. Deborah Peel

A recent article in FierceEMR written by Marla Durben Hirsch quotes Dr. Peel about the dangers of cloud technology being used in healthcare. Dr. Peel tells FierceEMR that “There’s a lot of ignorance regarding safety and privacy of these [cloud] technologies”.

Here are a few key quotes from the story:

“It’s surely no safe haven for patient information; to the contrary it is especially vulnerable to security breaches. A lot of EHR vendors that offer cloud-based EHR systems don’t take measures to keep patient data safe. Many of them don’t think they have to comply with HIPAA’s privacy and security rules, and many of their provider clients aren’t requiring their vendors to do so.” (Hirsch)

“Many providers have no idea where the vendor is hosting the providers’ patient data. It could be housed in a different state; or even outside of the country, leaving it even more vulnerable. ‘If the cloud vendor won’t tell you where the information is, walk out the door,’ Peel says.”

“Then there’s the problem of what happens to your data when your contract with the cloud vendor ends. Providers don’t pay attention to that when they sign their EHR contract, Peel warns.”

“‘The cloud can be a good place for health information if you have iron clad privacy and security protections,’ Peel says. ‘[But] people shouldn’t have to worry about their data wherever it’s held.’”

Cloud Computing: HIPAA’s Role

The excerpts below are taken from the GOVinfoSecurity.com article Cloud Computing: HIPAA’s Role, written by Marianne Kolbasuk McGee after the January 7, 2013 panel in Washington D.C.: Health Care, the Cloud, & Privacy.

“While a privacy advocate is demanding federal guidance on how to protect health information in the cloud, one federal official says the soon-to-be-modified HIPAA privacy and security rules will apply to all business associates, including cloud vendors, helping to ensure patient data is safeguarded.

Joy Pritts, chief privacy officer in the Office of the National Coordinator for Health IT, a unit of the Department of Health and Human Services, made her comments about HIPAA during a Jan. 7 panel discussion on cloud computing hosted by Patient Privacy Rights, an advocacy group…

…Deborah Peel, M.D., founder of Patient Privacy Rights, last month sent a letter to the Department of Health and Human Services’ Office for Civil Rights urging HHS to issue guidance to healthcare providers about data security and privacy in the cloud (see: Cloud Computing: Security a Hurdle).

“The letter … asks that [HHS] look at the key problems in cloud … and what practitioners should know and understand about security and privacy of health data in the cloud,” Peel said during the panel.”

OCR Could Include Cloud Provision in Forthcoming Omnibus HIPAA Rule

The quotes below are from an article written by Alex Ruoff in the Bloomberg Health IT Law and Industry Report.

“Deborah Peel, founder of Patient Privacy Rights, said few providers understand how HIPAA rules apply to cloud computing. This is a growing concern among consumer groups, she said, as small health practices are turning to cloud computing to manage their electronic health information. Cloud computing solutions are seen as ideal for small health practices as they do not require additional staff to manage information systems, Peel said.

Cloud computing for health care requires the storage of protected health information in the cloud—a shared electronic environment—typically managed outside the health care organization accessing or generating the data (see previous article).

Little is known about the security of data managed by cloud service providers, Nicolas Terry, co-director of the Hall Center for Law and Health at Indiana University, said. Many privacy advocates are concerned that cloud storage, because it often stores information on the internet, is not properly secured, Terry said. He pointed to the April 17 agreement between Phoenix Cardiac Surgery and HHS in which the surgery practice agreed to pay $100,000 to settle allegations it violated HIPAA Security Rules (see previous article).

Phoenix was using a cloud-based application to maintain protected health information that was available on the internet and had no privacy and security controls.

Demands for Guidance

Peel’s group, in the Dec. 19 letter, called for guidance “that highlights the lessons learned from the Phoenix Cardiac Surgery case while making clear that HIPAA does not prevent providers from moving to the cloud.”

Peel’s letter asked for:
• technical safeguards for cloud computing solutions, such as risk assessments of and auditing controls for cloud-based health information technologies;
• security standards that establish the use and disclosure of individually identifiable information stored on clouds; and
• requirements for cloud solution providers and covered entities to enter into a business associate agreement outlining the terms of use for health information managed by the cloud provider.”