Congress sits on hands as health privacy wanes

By David Pittman | Politico.com | 6/12/14 5:00 AM EDT

Everyone from legal scholars to patient privacy advocates — and even the White House — is saying the country’s landmark health privacy law is antiquated and needs to be updated.

But Congress doesn’t appear to be moving any legislation on the issue.

Backers of tougher health data privacy rules argue that much has changed in how people’s health information is collected and handled since the law governing patient records was passed in 1996. Protections added in 2009 don’t fully address the problem, they say.

The Health Insurance Portability and Accountability Act — commonly called HIPAA — largely applies to use of data by health care providers and insurance companies. But they are a smaller and smaller slice of who deals with patient information today.

For example, employee wellness programs, which are increasingly popular and hold potentially private information such as pregnancy status, don’t fall under the HIPAA umbrella. Hospital discharge data is sold by 33 states, according to the Federal Trade Commission, but only three do so in a HIPAA-compliant fashion.

“I think HIPAA does a really good job where it’s relevant,” said Kirk Nahra, a privacy and information security lawyer at Wiley Rein. “What’s happened in the last 15 years is that the space where it’s not relevant has been what’s growing.”

HIPAA governs the doctor-patient and doctor-payer relationships, but it didn’t envision the rest of the universe, and that’s where there is a need for new privacy protections, Nahra said.

Health and fitness apps — of which there are nearly 100,000 available today — are probably the biggest concern. They fall outside HIPAA and are free to collect and share information on their users.

The Privacy Rights Clearinghouse concluded last year that mobile health and fitness apps “are not particularly safe” when it comes to protecting user privacy. They found 26 percent of the free apps and 40 percent of paid apps didn’t have a privacy policy. Furthermore, 39 percent of free apps and 30 percent of paid apps sent data to a third party not disclosed by the developer.

The FTC mapped where data was being sent from 14 free health and fitness apps. One transmitted data to 18 different third parties with diet, workout, personal identifiers and other information. Fourteen third parties received consumers’ names and email addresses, and 22 received gender, location and symptom-search information.

The free use of consumer information by app makers is one reason privacy advocates are concerned that Apple is entering the game. The tech giant announced last week it would make its HealthKit part of its iOS 8 operating system, set to be released later this year.

The FTC sees all of this as a problem and is looking to Congress for help.

In a recent report on data brokers, the commission recommended Congress consider legislation to force tech companies to obtain express consent from consumers before information is collected or shared.

A White House report on big data and privacy last month noted that current policy “may not be well-suited” in the future. While health data exchanges will help realize technology’s potential, the information often is shared “in ways that might not accord with consumer expectations of the privacy of their medical data.”

“Health care leaders have voiced the need for a broader trust framework to grant all health information, regardless of its source, some level of privacy protection,” the report said.

Despite the pleas for new rules on use of consumer health information, Congress appears to be sitting on its hands. Little legislation exists, and the issue has yet to gain traction.

“The only thing that is likely to get congressional interest is for there to be a major data tragedy,” said Nicolas Terry, health law professor at Indiana University law school. “It’s very hard at the moment to see much consensus out there. Everyone says they believe in privacy. Privacy is very important. Privacy is a right. But actually moving the ball forward to protect consumers, given the massive weight of the information lobby, seems very hard.”

Congress has been working on data security and breach notification issues — especially in light of recent high-profile cases involving Target and others — with a decent chance of passing something by the end of the year.

Privacy is another issue. “There’s no consensus on broader privacy issues,” Nahra said.

Lawmakers on Capitol Hill have taken some steps to improve consumer privacy protections since HIPAA was passed. Seeing the advent of electronic medical records, they included several provisions in the 2009 HITECH Act, including a ban on the sale of personal health information, breach notification requirements and penalties for privacy violators.

One possible source of inaction is the seemingly immovable lobbying force. Companies such as Microsoft, Google, Siemens, the Mayo Clinic, WebMD, IMS Health and IBM all spent money lobbying Congress last year on health privacy issues, according to disclosure forms.

Even Nike — maker of the popular fitness app Nike+ that’s implanted on all iPhones — disclosed lobbying on privacy issues in 2013.

Terry said consumers could incite change if they demanded it. Automobile makers lobbied hard against safety regulations in the 1960s and 1970s, but car safety is ubiquitous today because of pressure from car buyers, he said.

The FTC has the authority to halt companies’ deceptive practices if they fail to disclose certain data uses to consumers, notes Justin Brookman, director of consumer privacy at the Center for Democracy & Technology, which advocates stronger protections.

As long as the FTC and Congress remain inactive, and consumers remain passive, it’s up to Washington power brokers to point out HIPAA’s inadequacies.

“I do believe it’s time that we look beyond [HIPAA],” Karen DeSalvo, national coordinator for health IT, said at the recent Health Privacy Summit. “As this field rapidly evolves, we need to think about what additional protections might need to be in place.”

To view online:
https://www.politicopro.com/go/?id=35019

FTC Calls for Data Broker Transparency

By Marianne Kolbasuk McGee | healthcareinfosecurity.com
May 29, 2014

The Federal Trade Commission is urging Congress to enact privacy legislation that would provide consumers with more transparency about the activities of data brokers that collect sensitive health and financial data.

Reacting to the FTC recommendation, two consumer advocates say the explosion of data broker activities in recent years, coupled with regulatory gaps, points to the need for some legislative reforms to protect consumer privacy.

A May 27 FTC report that examined nine companies describes data brokers as “companies whose primary business is collecting personal information about consumers from a variety of sources and aggregating, analyzing and sharing that information, or information derived from it, for purposes such as marketing products, verifying an individual’s identity, or detecting fraud.”

The FTC says data brokers raise privacy concerns for consumers because “significantly, data brokers typically collect, maintain, manipulate and share a wide variety of information about consumers without interacting directly with them.”

The report notes: “In light of these findings, the commission unanimously renews its call for Congress to consider enacting legislation that would enable consumers to learn of the existence and activities of data brokers and provide consumers with reasonable access to information about them held by these entities.”

Deborah Peel, M.D., founder of advocacy group Patient Privacy Rights, says federal legislators and regulators need to crack down on data brokers, especially those that deal with sensitive information, such as health data.

“This is clearly a case where the government must pass laws that require personal control over personally identifiable information to restore our rights to privacy, because we can’t possibly do it ourselves,” Peel says. “Worse, the FTC seems not to have a handle on the size of the health data broker industry. … Personal information is the ‘oil’ of the digital age – and our personal information belongs to each of us. … If the data brokers want our data, they should just ask. If we think the benefits are worth it, we will say ‘yes’.”

To view the full article, please visit FTC Calls for Data Broker Transparency

Data Mining to Recruit Sick People

Companies Use Information From Data Brokers, Pharmacies, Social Networks

Some health-care companies are pulling back the curtain on medical privacy without ever accessing personal medical records, by probing readily available information from data brokers, pharmacies and social networks that offer indirect clues to an individual’s health.

Companies specializing in patient recruitment for clinical trials use hundreds of data points—from age and race to shopping habits—to identify the sick and target them with telemarketing calls and direct-mail pitches to participate in research.

“I think patients would be shocked to find out how little privacy protection they have outside of traditional health care,” says Nicolas P. Terry, professor and co-director at the Center for Law and Health at Indiana University’s law school. He adds, “Big Data essentially can operate in a HIPAA-free zone.”

FTC Commissioner Julie Brill says she is worried that nonprotected consumer data can be used to deny employment or inadvertently reveal illnesses that people want kept secret. “As Big Data algorithms become more accurate and powerful, consumers need to know a lot more about the ways in which their data is used,” Ms. Brill says.

To view the full article, please visit: Data Mining to Recruit Sick People (article published December 17, 2013)

Consumer Watchdog and Other Privacy Groups Urge FTC to Block Pending Facebook Privacy Changes

“A coalition of six consumer privacy groups is calling on the Federal Trade Commission to enforce an earlier consent order with Facebook and block proposed changes in the social network’s Statement of Rights and Responsibilities and its Data Use Policy because the proposed changes violate the 2011 settlement with the Commission.”

“The changes will allow Facebook to routinely use the images and names of Facebook users for commercial advertising without consent,” the groups said. “The changes violate Facebook’s current policies and the 2011 Facebook settlement with the FTC. The Commission must act to enforce its order.”

Signing the letter were Consumer Watchdog, the Electronic Privacy Information Center (EPIC), the Center for Digital Democracy, Patient Privacy Rights, U.S. PIRG, and Privacy Rights Clearinghouse. Read a copy of the letter here: http://www.consumerwatchdog.org/resources/ltrfacebookftc090413.pdf

“Facebook has long played fast and loose with users’ data and relied on complex privacy settings to confuse its users, but these proposed changes go well beyond that,” said John M. Simpson, Consumer Watchdog’s Privacy director. “Facebook’s overreach violates the FTC Consent Order that was put in place after the last major privacy violation; if the Commission is to retain any of its credibility, it must act immediately to enforce that order.”

To view the full article, please visit: http://www.marketwatch.com/story/consumer-watchdog-and-other-privacy-groups-urge-ftc-to-block-pending-facebook-privacy-changes-2013-09-05

Re: Federal Agencies Paint Regulatory Landscape with Broad Brushstrokes

The Genomics Law Report (GLR) posted an interesting blog about the emergence of mobile health (mHealth) and the role many believe it could play in improving the quality and delivery of health care. It discusses how the mHealth regulatory landscape is still in its early stages of formation and has many key players and components that will help guide its development. It then outlines many of the players, such as the FDA, FCC, FTC, and HHS, and the various ways in which each organization might help shape the future of mHealth.

The story also makes mention of the FTC’s “privacy by design” recommendation for mobile applications, which is undoubtedly a critical component to protecting patients’ privacy as more innovative technologies and apps hit the marketplace. However, aside from ensuring that strong privacy controls are built into the apps up front, it will also be important to make sure patients have other important privacy protections, like control over their sensitive health information, no matter the medium used to collect and share it.

Physician’s computers were stolen

See the full story from MySanAntonio.com: “Physician’s computers were stolen”

“Five computers containing medical and personal information of more than 3,000 patients were stolen from a Stone Oak physician’s office in October.

Dr. Sudhir Gogu of the Stone Oak Urgent Care & Family Practice said the computers were stolen after an office door had been pried open sometime during the weekend of Oct. 22-23, according to the police report.

A San Antonio Police Department spokesman said in an email Wednesday that the computers have not been recovered and there have been no arrests…

…Dr. Deborah Peel, founder and chairman of Patient Privacy Rights, an organization focused on putting people in control of their electronic health information, called medical identity theft a dangerous crime.

“It typically costs the average victim at least $20,000, and health plans typically increase your premiums … or may even cancel your coverage,” Peel said.

Peel criticized the health industry for failing to take data protection seriously.

“It’s estimated that 80 percent of hospitals don’t encrypt data,” she said. “Can you imagine if your banks didn’t encrypt and keep your financial information secure? We wouldn’t even let them be banks.””

PPR Comments on FTC Consumer Privacy Protection Report

We applaud the FTC for creating a report focused on protecting consumer privacy. The proposed framework upholds many of the practices we believe in: informed consumer consent, privacy protection and data security, and greater transparency.

View the FTC Staff Report: Protecting Consumer Privacy in an Era of Rapid Change

View PPR’s full comments

Exploring Privacy: An FTC Roundtable Discussion

The Federal Trade Commission hosted a series of day-long public roundtable discussions to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data. Such practices include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation.

Dr. Deborah Peel, founder and chair of Patient Privacy Rights, was part of the second session.

Living Online: Privacy and Security Issues in a Digital Age

Our lives are increasingly lived online. A large number of Americans routinely exchange information in cyberspace for personal, business, and other purposes. What privacy and security issues present themselves in this relatively new and increasingly ubiquitous space? What particular privacy concerns might apply when specific entities, such as the government, hold or process our information? What particular considerations might apply when the information being transmitted is particularly sensitive, such as health care information or financial information? How do privacy, security, and information ownership concerns function when information is being exchanged on social networking sites?

The November 3, 2009 event featured a lunchtime keynote address by Christopher N. Olsen, the Assistant Director in the Division of Privacy and Identity Protection at the Federal Trade Commission.

A panel discussion was held from 1 – 2:30 pm and featured:

  • Moderator, Jeffrey Rosen, Professor of Law at George Washington University and Legal Affairs Editor for The New Republic
  • Deborah C. Peel, MD, Founder and Chair, Patient Privacy Rights; Chair, Coalition for Patient Privacy
  • Lillie Coney, Associate Director, Electronic Privacy Information Center; Coordinator, Privacy Coalition
  • Alan Davidson, Director of Public Policy, Google

Tuesday, November 3, 2009
11:30 am – 2:30 pm
Center for American Progress
1333 H. Street NW, 10th Floor
Washington, DC 20005

Who is tracking YOU?

On the Internet ALL your health searches about scary and stigmatizing illnesses, all searches or purchases of books on health, and all searches or purchases of medications and devices are tracked and sold.

It is impossible to search for health information privately via Google, etc.

Health websites take massive advantage of Americans’ powerful expectations that ALL healthcare providers put their interests and their privacy first—expectations which come from the traditional doctor-patient relationship and the ethics that have governed Medicine for 2,400 years (derived from the Hippocratic Oath).

Americans are not yet ready to believe that every aspect of healthcare in the US is profit-driven, rather than driven by the ethical codes all health professionals swear to at graduation: the promises to “do no harm” and to “guard their secrets”.

Americans are not yet ready to believe that Wall Street has taken over Medicine—and that instead of guaranteeing the strong health privacy rights Americans have under the law, Wall Street erases our rights to ensure shareholder profits.