Apple and Epic: A privacy disaster? — DeSalvo introduces interoperability roadmap — We stand amended

ASHLEY GOLD | POLITICO’s Morning eHealth | 06/05/14 10:01 AM EDT

APPLE + EPIC ARE PAIRING UP TO TAKE YOUR HEALTH DATA: eHealth’s David Pittman takes a look at the Apple HealthKit announcement and what it means for patient privacy in an article coming out later today. Pretty perfect timing – we’re at the Health Privacy Summit this week, where the topic of who owns patient data and how to protect it is present in everyone’s mind. “Patient privacy watchdogs raised questions regarding privacy and data collection with health apps in Apple’s new operating system, worrying it could usher in a new era of trampled privacy rights…Privacy laws that govern what doctors and hospitals can and cannot do with patient information don’t apply to mobile health apps, meaning they are largely free to sell and disseminate the information collected.” Stay tuned for the full story coming this morning for Pros.

DOES DESALVO KNOW THE WAY…TO INTEROPERABILITY? The Office of the National Coordinator for Health IT is preparing a vision paper on how it hopes to achieve the interoperability of electronic health records, the office’s head, Karen DeSalvo, said Wednesday at the Health Privacy Summit. In addition to outlining ONC’s thoughts, the paper “will be an invitation to folks to come to the table to talk through how we can get there,” DeSalvo said. An ONC spokeswoman said ONC hopes to release the paper later this week.

THIS MORNING, I’m headed to Georgetown Law Center to catch some more of the Health Privacy Summit, which @David_Pittman checked out Wednesday. I’m interested in the privacy debate “That Individuals Should Maintain Their Own Health Data” between the chief privacy officer of IMS Health and a senior associate at Consumer Action. Are people too disengaged or lazy to own their own health data? We shall see.

To view the full article, please visit Apple and Epic: A privacy disaster? — DeSalvo introduces interoperability roadmap — We stand amended

NHS England patient data ‘uploaded to Google servers’, full disclosure demanded

The UK government has been debating illegal disclosures of patient health data: “The issue of which organisations have acquired medical records has been at the centre of political debate in the past few weeks, following reports that actuaries, pharmaceutical firms, government departments and private health providers had either attempted or obtained patient data.”

The article closes with quotes from Phil Booth of medConfidential:

  • “Every day another instance of whole population level data being sold emerges which had been previously denied”.
  • “There is no way for the public to tell that this data has left the HSCIC. The government and NHS England must now come completely clean. Anything less than full disclosure would be a complete betrayal of trust.”

Far worse privacy violations are the norm in the US, yet our government won’t acknowledge that US health IT systems enable hidden sales and sharing of patients’ health data.  US patients are prevented from controlling who sees their health records and can’t obtain real-time lists of who has seen and used personal health data.

Learn how the data broker industry violates Americans’ strong rights to control the use of personal health information in IMS Health Holdings’ SEC filing for an IPO:

  • IMS buys and aggregates sensitive “prescription and promotional” records, “electronic medical records,” “claims data,” “social media” and more to create “comprehensive,” “longitudinal” health records on “400 million” patients.
  • All purchases and subsequent sales of personal health records are hidden from patients.  Patients are not asked for informed consent or given meaningful notice.
  • IMS Health Holdings sells health data to “5,000 clients,” including the US Government.
  • IMS buys “proprietary data sourced from over 100,000 data suppliers covering over 780,000 data feeds globally.”

Data brokers claim they don’t violate our rights to health information privacy because our data are “de-identified” or “anonymized”—but computer scientists have proven it’s easy to re-identify aggregated, longitudinal data sets:

deb

This blog was written in response to the following article: NHS England patient data ‘uploaded to Google servers’, Tory MP says

ONC: Looking for ‘realistic’ ways to account for disclosures

“ONC’s Health IT Policy Committee Tiger Team held a virtual hearing Sept. 30 to gather information about the rule and explore ‘realistic ways to provide patients with greater transparency about the uses and disclosures of their digitized, identifiable information,’ according to a Sept. 23 blog post by Committee Chair Devon McGraw. The Tiger Team asked for answers to specific questions, such as what patients want to know and how transparency technologies currently are being used by covered entities.”

“Deborah Peel, Founder and Chair of the Patient Privacy Rights coalition, suggested in her testimony that accounting for disclosures needs to include all of the detailed information about all uses of a patient’s electronic health information; she added that the rule could be implemented by ‘piggybacking’ onto existing initiatives, such as the Blue Button movement.”

Read more: ONC: Looking for ‘realistic’ ways to account for disclosures – FierceEMR

To read Dr. Peel’s testimony on Accounting for Disclosures click here

Health Care, the Cloud, and Privacy, Jan. 7 Panel

Health Care, the Cloud, and Privacy

Phoenix Park Hotel
520 North Capitol Street, NW | Washington, DC 20001
Georgian Room
Monday, January 7, 2013 | 12:00 p.m. ET

On behalf of Patient Privacy Rights (PPR), you are invited to attend a panel discussion on health care system privacy challenges posed by cloud computing. The one-hour discussion, “Health Care, the Cloud, and Privacy,” will be held on Monday, January 7, 2013 at the Phoenix Park Hotel in Washington, D.C. Boxed lunches will be provided.

With technological innovations that promise better efficiency and lower cost, one of the most anticipated developments is how industry and regulators will respond. That question today is focused intently on cloud computing and the implications for corporations with electronic systems containing sensitive consumer health data. Who is handling patient data? How do HIPAA and other health privacy laws and rights function in the cloud? What can policymakers do to better protect our sensitive medical data?

Our distinguished panel will feature:

Joy Pritts
Chief Privacy Officer
Office of the National Coordinator for Health IT
U.S. Department of Health and Human Services

Deborah C. Peel, MD
Founder and Chair
Patient Privacy Rights (PPR)

Nicolas P. Terry
Hall Render Professor of Law
Indiana University Robert H. McKinney School of Law

Lillie Coney
Associate Director
Electronic Privacy Information Center (EPIC)

Please RSVP to Jenna Alsayegh at jalsayegh@deweysquare.com.

We hope to see you there!

And there is more:
View the Invitation as a PDF
View the Press Release

PPR also sent a letter to the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) urging more comprehensive guidance on securing patient data in “the cloud.” With the healthcare industry moving its records to electronic databases, PPR sees a number of issues associated with cloud computing services, including compliance with existing healthcare privacy laws like the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, stronger state and federal health information privacy laws, medical ethics, and Americans’ rights to health information privacy. View the letter here.

Can Privacy & Electronic Medical Records Coexist? — Quotes PPR

An article written at Pacific Standard discusses the struggle to maintain patient privacy when electronic health records are becoming the norm. To view the full article, please visit Can Privacy & Electronic Medical Records Coexist?.

A few key quotes from the story:

“…researchers have to figure out how to digitize some of your most sensitive personal information to make it easily accessible to you and your doctors without compromising your privacy before the many other parties who might also like to peek at this data. Researchers lament that it’s currently impossible to track all of the places your digital medical information travels once you leave the doctor’s office. Certainly, pieces of it are shared with your doctor’s office, your doctor’s hospital, your insurance company, your pharmacist and the pharmaceutical company that makes your medicine. Your personal information may also be anonymized and aggregated with other patients to produce data sets used by researchers or traded on the commercial market.”

“Researchers and industry innovators gunning for that 2014 deadline have to figure out how to set all of this information free — when it comes to maximizing the benefit to you as a patient — while, on the other hand, keeping it under some kind of control. And it’s not entirely clear how that architecture might look.”

“‘My big fear is that if we don’t build these systems right, people won’t see doctors,’ said Deborah Peel, the executive director of Patient Privacy Rights and the moderator of the conference discussion.”

Proposed Rules Prevent Patient Control Over Sensitive Information in Electronic Health Records (EHRs)

The proposed federal rules will require physicians and hospitals to use Electronic Health Records (EHRs) that prevent patient control over who can see and use sensitive personal health information.

This is the second time the federal government has proposed the use of technology that violates Americans’ strong rights to control the use and sale of their most sensitive personal information, from DNA to prescription records to diagnoses.

The proposed rules require EHRs to be able to show “meaningful use” (MU) and exchange of personal health data. PPR and other consumer and privacy advocacy groups submitted similar comments for the Stage 1 MU rules. These newly proposed rules are known as “Stage 2 MU” requirements for EHRs.

The most important function patients expect from electronic health systems is the power to control who can see and use their most sensitive personal information. Technologies that empower patients to decide who can see and use selected parts of their records have been working for over 10 years in 8 states for 4 million people with mental illness or addiction diagnoses. Today we do not have any way to know where our data flows, or who is using and selling it.

Even if we had a ‘chain of custody’ to prove who saw, used, or sold our personal health data—which we do not—it is still essential to restore patient control over personal health data so we can trust electronic health systems.

Technologies that require patient consent before data flows are cheap, effective, and should be required in all EHRs.

See Patient Privacy Rights’ formal comments on the Stage 2 MU proposed requirements submitted to the Centers for Medicare and Medicaid and the Office of the National Coordinator for Health IT at: http://patientprivacyrights.org/wp-content/uploads/2012/05/PPR-Comments-for-Stage-2MU-5-7-12.pdf

Re: Study shows privacy of medical records is weaker in the U.S.

A study of US and EU health data protections in the Journal of Science & Technology Law concluded Americans “have no real control over the collection of sensitive medical information if they want to be treated.”

Wow! It’s great to see legal scholars second the message that Americans’ rights to health privacy were eliminated.

You can see the article on the study in The Epoch Times here, written by Mary Silver.

For years, Patient Privacy Rights and the bipartisan Coalition for Patient Privacy were the lone voices carrying this message to Congress and the public.

Public and expert support to restore control over sensitive health data will only build. Soon, no one will buy the argument that privacy is an obstacle to electronic health systems.

Here are some other key quotes from the story:

  • “EU countries have adopted electronic health records and systems, or EHRs, and legally protected privacy at the same time.”
  • “The 1950 Council of Europe Convention identified individual privacy as a fundamental value”
  • “the good aspects of EHRs can be undermined by the bad consequences of poor privacy practices and the ugly effects of inadequate security”
  • “patient privacy is much better protected in Europe”
  • “European patients are able to encapsulate particularly sensitive medical information, and an individual has far greater access to and control over his records in Europe than in America.”

So, again, why is the US government rushing to spend $29 billion on health IT systems that offer neither privacy nor security?

Re: SAIC Hit With $4.9B Lawsuit Over TRICARE Data Theft

See article for reference from NextGov, “SAIC Hit With $4.9B Lawsuit Over TRICARE Data Theft,” by Bob Brewin.

We can expect to see many more lawsuits over breaches because most US health systems have abysmal data security and by design allow thousands of employees to access the sensitive health information of millions of patients. This immense scale of damage was simply impossible with paper systems.

Ironclad security is very difficult technically (think WikiLeaks) because health systems were architected to enable ‘open access’ by hundreds or thousands of employees to millions of sensitive health records.

Today, the only ‘barrier’ to health data access in the US is ‘pop-up’ screens that ask, “Do you have a right to access this patient’s information?” This is hardly effective. Yes, of course, after-the-fact audit trails of access can be used to identify those who should not have seen a record. It is a very weak kind of data protection; in fact, today patients identify the majority of data breaches, not health IT systems.

When will the US get serious about building privacy-enhancing architectures where ONLY clinical staff or others who are directly involved in a patient’s care can access the patient’s data with informed consent? Systems that prevent access by MOST employees could prevent the vast majority of data breaches and data thefts.

Using and building systems designed for privacy would be a FAR better use of the stimulus billions than how they are currently being spent: to buy and promote the use of HIT systems that cannot possibly protect health data from misuse and theft, and in fact are designed to spread health information to many unseen and unknown secondary corporate and government users.

Baby’s death spotlights safety risks linked to computerized systems

Check out this very relevant story from the Chicago Tribune Health section, “Baby’s death spotlights safety risks linked to computerized systems,” written by Judith Graham and Cynthia Dizikes.

As a topic discussed a lot in Session 3.2 of the Health Privacy Summit, “Control of patient information – Health Information Exchanges,” this subject is the tip of the iceberg on the many risks of electronic health records that must be addressed as billions of stimulus dollars go into creating a health IT infrastructure.

Baby’s death spotlights safety risks linked to computerized systems, Chicago Tribune, by Judith Graham and Cynthia Dizikes, June 27, 2011

Experts name top 7 trends in health information privacy for 2011

A panel of healthcare experts representing privacy, trends, technology, regulatory, data breach and governance have identified the top seven trends in healthcare information privacy for 2011.

The experts suggest that as health information exchanges take form, millions of patient records – soon to be available as digital files – will lead to potential unauthorized access, violation of new data breach laws and exposure to the threat of medical and financial identity theft.

“Endemic failure to keep pace with best practices and advancing technology has resulted in antiquated data security, governance, policy plaguing in the healthcare industry,” said Larry Ponemon, chairman and founder, Ponemon Institute.

“Millions of patients are at risk for medical and financial identity fraud due to inadequate information security,” he said. “Information security in the healthcare industry is at the fulcrum of economic, technological, and regulatory influence and, to date, it has not demonstrated an ability to adapt to meet the resulting challenges – but it must. The reputation and well-being of those organizations upon which we rely to practice the healing arts depends on it,” he said…