Re: Poor Prognosis for Privacy

In response to The Wall Street Journal article by Melinda Beck: Poor Prognosis for Privacy

Most healthcare institutions and John Halamka ignore the fact that for over a decade technology has empowered millions of patients to control which parts of their electronic health records are disclosed for mental health and addiction treatment. The technology for ‘segmentation’ exists.

Congress, the courts, state and federal laws, and medical ethics require that patients control who can see and use sensitive personal health data, yet federal regulators who write the rules for industry have not required electronic health systems to use either ‘segmentation’ or other technologies like meta-data tagging that could also enable selective disclosures of health information.

When the public finds out they can’t control the use or disclosure of sensitive personal health data, many millions will refuse early diagnosis and treatment for cancer, depression, and STDs every year—and millions more will hide information, refuse tests, and act in ways that put their health at risk. These are bad outcomes.

Should the public be forced to use health technology systems that cause bad outcomes? Why not require technology that IMPROVES health outcomes?

The Right to Obtain Restrictions Under the HIPAA/HITECH Rule: A Return to the Ethical Practice of Medicine

To view the full article, please visit: The Right to Obtain Restrictions Under the HIPAA/HITECH Rule: A Return to the Ethical Practice of Medicine.

Great explanation of how industry has fought to influence those in government that write the ‘rules’ for how federal law works in practice. The key industry tactic is to complain that complying with the law is too costly or impossible or would take too much time. For reasons we don’t understand, the government agency that writes the ‘rules’ takes the side of industry rather than defending patients.

GOP senators seek to ‘reboot’ federal health IT policy, unveil white paper

This article is by subscription only: GOP senators seek to ‘reboot’ federal health IT policy, unveil white paper

“Key GOP senators released a white paper Tuesday (April 16) raising concerns with federal policy on health information technology, and the lawmakers seek feedback from stakeholders — including the administration, hospitals and vendors – on how the program can be improved. The senators worry that the $35 billion allocated to health IT in the 2009 stimulus package is being spent inefficiently and suggest Congress, the administration and stakeholders work together to “reboot” the electronic health record incentive program so that it to accomplish its goals.”

Materials of interest:

More articles discussing this action:

Employees’ unhealthy habits have growing effect on their insurance premiums

The story below concludes that “Employees now contribute 42 percent more for health care than they did five years ago.”   Just because employees are stuck paying higher healthcare bills doesn’t necessarily mean they are causing costs to increase.

If employees were driving up healthcare costs, then using financial penalties to force them to undergo intrusive health screenings and join wellness programs might make sense.

But employees aren’t causing the high costs of healthcare in the US.  Time magazine concluded that healthcare corporations, such as hospitals and the pharmaceutical industry, outpatient procedures, and lobbying costs are the main culprits.

Time magazine’s issue titled “Bitter Pill, why medical bills are killing us” identified several factors in high US healthcare costs:

The article below quotes the National Business Group on Health (NBGH), a lobbying group with assests of $18,772,047 in 2011. The NBGH blames employees for rising healthcare costs, instead of its many healthcare corporation members.

  • -URL for NBGH members: https://www.businessgrouphealth.org/join/members.cfm
  • -Blaming employees allows the NBGH to defend using coercive, intrusive wellness programs even for employees with complex, hard-to-manage illnesses, that wellness programs don’t help:
    • -See “Wellness Incentives In The Workplace: Cost Savings Through Cost Shifting To Unhealthy Workers” By Jill R. Horwitz, Brenna D. Kelly, and John E. DiNardo. Health Affairs, 32, no.3 (2013):468-476; doi: 10.1377/hlthaff.2012.0683; http://content.healthaffairs.org/content/32/3/468.full.html

Meanwhile screening companies, labs, and wellness programs collect sensitive employee health information and control its use, disclosure, and sale.

  • -There is no ‘chain of custody’ for health data so employees have no way to know who sees their health information.
  • -The US has NO data map to track the thousands of hidden companies that collect, use, or sell Americans’ personal health information.
  • -Corporations that collect employees’ health information treat it as a corporate asset, not as sensitive personal information that patients have strong rights to control.
  • -So it’s impossible to verify whether the NBGH lobbyist’s statement that “few employers would risk intentionally misusing such information” is true or false.

Blaming people who are sick for the high costs of their medical care instead of the corporations that overcharge is a really neat trick. It also provides a rationale for coercing employees to enter wellness programs and violating their rights to health privacy.

Unfortunately, simply “blaming the victims” won’t solve escalating healthcare costs.  We have to look broadly at individuals, the entire healthcare system, the food-chain, and larger cultural factors to identify and deal with all the real causes.

athenahealth and Mashery team up for health developer-friendly API initiative

To view the full article, please visit athenahealth and Mashery team up for health developer-friendly API initiative.

Electronic health records (EHRs) companies allow access to patients sensitive health data and sensitive information about physicians’  practices so technology companies can develop applications.

Applications have the potential to be useful to physicians and patients but at what cost to privacy? Will EHR “apps” secretly collect and sell people’s information the way Smartphone apps collect and sell contact, GPS data and more?  We now know the business model for many technologies is selling intimate personal data.

Quotes:

  • ·athenahealth will open “access to doctors’ appointment data, patient’s medical history (anonymized) , billing information and more”,
  • ·“the company hopes developers will be able to create an ecosystem of apps on top of athenahealth’s EMR service”
  • ·“Other EMR providers, including Allscripts and Greenway, have also opened up their APIs to developers and created app marketplaces.”

The press release on this athenahealth project stated, We’re providing the data and knowledge from our cloud-based network, a captive audience for developers to innovate for, and an online sandbox to do it all in.”

  • ·Who are the “captives”? athenahealth’s 40,000 physicians and their 100’s of thousands of patients

QUESTIONS:

  • ·When were the “captive” patients asked for consent for strangers who want to use and monetize their health records?
  • ·When were “captive” physicians asked consent for strangers to use information about their practices, what they charge, who they treat, how they treat patients, how they are paid by whom, and much more?
  • ·Why does athenahealth claim that patient data is “anonymized”—-when its impossible to prevent “anonymized” patient records from easy re-identification?

Many electronic health record (EHR) companies allow access/or sell sensitive patient data to technology developers and other companies.

BROADER QUESTIONS

  • ·When did the public learn about, debate, or agree to the use of their sensitive patient data by technology companies to build products?
  • ·Why do technology companies claim that “anonymization” and “de-identification” of health data works, when computer science has clearly proved them wrong?
  • ·How is the identifiable health data of hundreds of thousands of patients protected from any OTHER uses the technology developers decide to use it for?
  • ·How can the public weigh the risks and harms vs. benefits of using EHRs when there is no ‘chain of custody’ for our health data and no data map that tracks the thousands of HIDDEN users of our personal health information?
  • See Harvard Prof Latanya Sweeney explain the need for a data map at: http://tiny.cc/5pjqvw
    • -Attend or watch via live-streaming video the 2103 International Summit on the Future of Health Privacy in Washington DC June 5-6 to see the first data map Prof Sweeney’s team has built. Registration to attend or watch is free at: www.healthprivacytsummit.org

Mostashari, policy committee take critical look at CommonWell

To view the full article, please visit: Mostashari, policy committee take critical look at CommonWell

The ONLY way patients/the public will trust health technology systems is if THEY control ‘interoperability’—-ie if THEY control their sensitive health data. Patients have strong rights to control exactly who can collect, use, and disclose their health data. This also happens to be what the public expects and wants MOST from HIT……The public has strong legal rights to control PHI, despite our flawed HIT systems.

The story below is about an attempt by large technology vendors and the government to maintain control over the nation’s sensitive health data. Institutional/government-sanctioned models like the CommonWell Alliance violate patients’ rights to control their medical records (from diagnoses to DNA to prescription records).  Patients should be able to:

  • -choose personal email addresses as their IDs, there is no need for Institutions to choose ID’s for us—email addresses on the Internet work very well as IDs
  • -download and store their health information from electronic records systems (EHRs)–required by HIPAA since 2001, but only now becoming reality via the Blue Button+ project
  • -email their doctors using Direct secure email

Today’s systems violate 2,400 years of ethics underlying the doctor-patient relationship and the practice of Medicine: ie Hippocrates’ discovery that patients would only be able to trust physicians with deeply personal information about their bodies and minds IF the doctors never shared that information without consent. That ‘ethic’—-ie, to guard the patient’s information and act as the patient’s agent and protector is codified in the Hippocratic Oath and embodied in American law and the AMA Code of Medical Ethics. Americans have strong rights to health information privacy which HIPAA has not wiped out (HIPAA is the FLOOR, not the CEILING for our privacy rights).

The public does NOT agree that their sensitive health data should be used without consent—they expect to control health information with rare legal exceptions. See: http://patientprivacyrights.or…. HUGE majorities believe that individuals alone should decide what data they want to share with whom—not one-size-fits-all law or policies.

Nor does the public agree to use of their personal health data for “research”—whether for clinical research about diseases or by industry for commercial use of the data via the ‘research and public health loopholes’ in HIPAA. Only 1% of the public agrees to unfettered use of personal health data for research. Read more about these survey results here.

The entire healthcare system depends TOTALLY on a two-person relationship, and whether there is trust between those two people. We must look at the fact that today’s HIT systems VIOLATE that personal relationship by making it ‘public’ via the choice of health technology systems designed for data mining and surveillance. Instead we need technology designed to ensure patient control over personal health information (with rare legal exceptions). When patients cannot trust their doctors, health professionals, or the flawed technology systems they use, the consequence is many millions of patients avoid or delay of treatment and hide information. Every year many millions of Americans take actions which CAUSE BAD OUTCOMES.

Current health technologies and data exchange systems cause millions of people annually to risk their health and lives, ie the technologies we are using now cause BAD OUTCOMES.

We have to face facts and design systems that can be trusted. Patient Privacy Rights’ Trust Framework details in 75 auditable criteria what it takes to be a trusted technology or systems. See:http://patientprivacyrights.or… or download the paper at:
http://ssrn.com/abstract=22316…

Sensitive data still pose special challenges

At a recent meeting of the National Health IT Policy Committee, the CEO of a large electronic health records (EHR) corporation said technology for “data segmentation”—which ensures patients control who sees and uses sensitive data—is something “vendors don’t know how to do.”  But that simply isn’t true. Vendors do know how to build that kind of technology, in fact it already exists.

At the same meeting, the National Coordinator for Health IT recognized the Department of Veterans Affairs and the Substance Abuse and Mental Health Services Administration for their “demonstration of technology developed for data segmentation and tagging for patient consent management”, but he seemed to forget that millions of people receiving mental health and addiction treatment have been using EHRS with consent and data segmentation technologies for over 12 years. Again, the technology already exists.

Facts:

  • -Technology is NOT the problem—it’s not too hard or too expensive to build or use consent and data segmentation technologies.
  • -Data segmentation and consent technologies exist:  the oldest example is EHRs used for millions of mental health and addiction treatment records for the past 12 years.
  • -All EHRs must be able to “segment” erroneous data to keep it from being disclosed and harming patients—that same technology can be used to “segment” sensitive health data.
  • -Data segmentation and consent technologies were demonstrated ‘live’ at the Consumer Choices Technology Hearing in 2010. See a video: http://nmr.rampard.com/hit/20100629/default.html
  • -Starting in 2001, HIPAA required data segmentation and consent technology for EHRs that keep “psychotherapy notes” separated from other health data.  “Psychotherapy notes” can ONLY be disclosed with patient permission.
  • -The 2013 amendments to HIPAA require EHRs to enable other situations where data must be segmented and consent is required. For example:
  • -If you pay out-of-pocket for treatment or for a prescription in order to keep your sensitive information private, technology systems must prevent your data from being disclosed to other parties.
  • -After the first time you are contacted by hospital fundraisers who saw your health data, you can opt-out and block the fundraisers from future access to your EHR.

The real problem is current  technology systems and data exchanges are not built to work the way the public expects them to—they violate Americans’ ethical and legal rights to health information privacy.

The public will discover that today’s health technologies and systems have fatal privacy flaws. The unintended consequence of using flawed technology is millions of people will avoid or delay treatment and hide information to keep their health information private and suffer from bad health outcomes.

US health technology should improve health and outcomes, not cause the health of millions to worsen.

How can the US fix the privacy flaws in health technology systems so EHRs and other health technologies can be trusted?

Groups develop privacy framework for health IT

To view the full article, please visit Groups develop privacy framework for health IT.

An article written at ModernHealthcare.com about our new Privacy Trust Framework explains how the framework came into being and what it’s major principles are.

Key quote from the article:

“‘This comes from what the American public wants and was devised by Microsoft and PricewaterhouseCoopers,’ Peel said. ‘Some of the bigger corporations see the future as the public controlling things. Microsoft wanted to distinguish itself from Google Health (its one-time rival as a developer of PHR platforms) and wanted HealthVault to be the privacy place and wanted to compete in that way.’ PricewaterhouseCoopers saw a future auditing opportunity, she said. ‘We’re now moving with the Blue Button where patients can access their information and control it. The ultimate consumer is the patient.'”

The Privacy Trust Framework can be found here.

The Immortal Life of Henrietta Lacks, the Sequel

This is an amazing article written by Rebekah Skloot, author of ‘The Immortal Life of Henrietta Lacks’, demanding consent and trust.

Rebecca is right—-the only way Americans will trust researchers is when they are treated with respect and their rights of consent for use of genomes and genetic information is restored.

The public does not yet realize that they have no control over ALL sensitive health information in electronic systems. We have NO idea how many hundreds of data mining and research corporations are collecting and using our blood and body parts. We ALSO have no control over our sensitive health information in electronic systems violating hundreds of years of privacy rights.

This week the many stories about CVS showed employers can force employees to take blood tests, health screenings, and be forced into “wellness” programs–all of which REQUIRE collection of sensitive health information—which employees cannot control.

We have NO map of who collects and uses personal health data—Henrietta Lacks family was NEVER asked for consent to use her genome.

Contribute to build a map to track the thousands of hidden users of health data at: www.localhost:8888/pprold

Attend or watch the 3rd International summit on the Future of Health Privacy (free). Register at: www.healthprivacysummit.org

HIStalk News 3/22/13 – Quotes Dr. Deborah Peel on new CVS policy

To view the full article, please visit HIStalk News 3/22/13.

Key quote from the article:

“Patient Privacy Rights Founder Deborah Peel, MD calls a new CVS employee policy that charges employees who decline obesity checks $50 per month “incredibly coercive and invasive.” CVS covers the cost of an assessment of height, weight, body fat, blood pressure, and serum glucose and lipid levels, but also reserves the right to send the results to a health management firm even though CVS management won’t have access to the results directly. Peel says a lack of chain of custody requirements means that CVS could review the information and use it to make personnel decisions.”