Re: “You for Sale, A Data Giant is Mapping, and Sharing, the Consumer Genome”

The comment below is in response to the New York Times article “You for Sale, A Data Giant is Mapping, and Sharing, the Consumer Genome.”

Acxiom is the poster-child for why tough new laws are needed to protect personal information on the Internet, in electronic systems, and on cell phones ASAP. No data should be collected about Americans without prior meaningful, informed consent.

Natasha Singer’s story is a must read to understand how the use of personal data threatens people’s jobs, reputations, and future opportunities. The information is analyzed and sold to those who want detailed real-time profiles of who we are, including the health of our minds and bodies. Data analytics enable Acxiom to create and sell far more intimate, detailed personality and behavioral portraits than our own mothers or analysts might know about us (and would never share).

Most people have never heard of Acxiom or other hidden data users. Today, most Americans have no idea that personal data is used by thousands of corporations and government agencies to make decisions about whether they will receive jobs or benefits.

Even though the hidden data mining industry began by using personal information to improve marketing and advertising, Acxiom proves that the kinds and amounts of identifiable data being collected are simply unacceptable. As for the collection of health information, the data mining industry is clearly violating Americans’ very strong legal, Constitutional, and ethical rights to control and keep personal health data private. To the public, this is theft of personal health information.

On June 6th at the 2nd International Summit on the Future of Health Privacy, Professor Latanya Sweeney of the Harvard Data Privacy Lab along with Patient Privacy Rights introduced theDataMap.org. This project will enable citizens and whistleblowers to help create a detailed picture/map of where sensitive personal health information flows, from prescription records, to DNA, to diagnoses. Without a ‘chain of custody’ for our identifiable health data, it’s impossible to know who uses our data or why. A ‘chain of custody’ for personal health data could show us whether potential employers or banks had bought or received our health data, let us learn about the many ways the federal government uses health data as described in the Federal Health Information Technology Strategic Plans, and let us see the names of for-profit and public research and public health institutions that use personal health data.

Health data has long been used to discriminate against people for jobs, insurance, and credit. This fact is so well known that every year tens of millions of us refuse to get early diagnoses and treatment for cancer, depression, and sexually transmitted diseases. Hidden data flow causes bad health outcomes; treatment delays can be deadly. We need the same kind of control/consent over the use of electronic health data that we have always had for paper medical records.

US Internet and electronic systems have made us the most intimately surveilled people in the Free World. In Europe, strong laws and privacy-enhancing technologies prevent hidden data collection and data flow, so everyone benefits from technology and harms are avoided.

European standards for the collection of personal data were created after WW II, when data were used to decide who would die. Europeans consequently passed the world’s toughest data privacy laws, preventing personal data from being collected or used without consent.

Europe also established regional Data Privacy Commissioners to defend citizens’ rights to control the collection and use of personal information and ensure data accuracy. The US needs them too.

Unless we know where trillions of bytes of our personal data flow, who uses it and why, we cannot weigh the benefits and risks of using the Internet, electronic systems, or cell phones. It’s time for Congress to end the massive hidden flows of personal data.

Re: Genetic Bar Code Search – Finding People in Huge Gene Pools

In response to the PopSci.com article: Genetic Bar Code Search Can Use RNA to Pick Out Individuals From Huge Gene Pool

Quote from the principal investigator of the Mount Sinai study: “Rather than developing ways to further protect an individual’s privacy given the ability to collect mountains of information on him or her, we would be better served by a society that accepts the fact that new types of high-dimensional data reflect deeply on who we are,” he said. “We need to accept the reality that it is difficult—if not impossible—to shield personal information from others. It is akin to trying to protect privacy regarding appearances, for example, in a public place.”

Genetic privacy may be difficult to achieve, but it remains essential for people to trust physicians, researchers, health IT, and the government.

The public will not accept the idea that genetic information “is in the public domain” anytime soon. We never agreed to have our genetic information made public, and have fought for years to preserve genetic privacy at the state and federal levels. Those who built systems to take blood and tissue and do research without consent could have easily anticipated massive public concerns about such unethical research practices–and not built systems that violate Americans’ expectations and strong rights to health privacy.

Clearly it’s time for Congress to pass a federal law restoring personal ownership and control over blood and tissue that leaves our bodies, and restore the right of informed consent before any research can be done using our blood, tissue, or health information.

Re: Sizing Up the Family Gene Pool

In response to the New York Times article: Sizing Up the Family Gene Pool

This story is about the fact that genetic testing companies sell people’s test results, compromising families’ and descendants’ future jobs and opportunities. “The NYTimes Ethicist” confirmed a questioner’s fears:

“As for the privacy issue, your concern is well founded. Many of these companies do use customers’ data for medical research or commercial applications, or they sell it to third parties whose interests you might never know. Legally they can’t do that without your consent, but the fine print on those consent forms goes by so quickly that it can be hard to follow.”

Americans’ lack of control over sensitive personal health information in electronic systems is a true national disaster. Not everyone knows this yet, but President Obama does.

On Feb 22, he introduced historic new privacy principles to guide the use of personal data in the global digital economy. He recognized that the lack of privacy in current networked technologies and systems has severe economic consequences. See story on the White House Initiative: http://patientprivacyrights.org/2012/02/wh-initiative-consumer-privacy-bill-of-rights/

President Obama’s new principles address the causes of the privacy violation in the story:

  • Current federal law does not protect the right to health information privacy or the right of consent to use health data
  • Neither HIPAA nor the Genetic Information Non-Discrimination Act (GINA) prevents the systemic corporate business practice of selling Americans’ highly sensitive personal health information (like genetic test results)

He laid out an historic, tough new Consumer Privacy Bill of Rights to stop the data mining and data theft industries. The first principle is that of individual control: “Consumers have a right to exercise control over what personal data companies collect from them and how they use it.”

Key quotes from the Administration’s new “Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy”:

  • “Strong consumer data privacy protections are essential to maintaining consumers’ trust in the technologies and companies that drive the digital economy.”
  • The President concluded, “It [privacy] has been at the heart of our democracy from its inception, and we need it now more than ever.”

The only way we can trust the Internet and have a vibrant global digital economy is if individuals control personal information online and in electronic systems. The right of informed consent before personal information is collected or used must be restored.

When will the health IT industry, Congress, and lawmakers across the US act to restore the right to privacy and control over personal information?

HIStalk Interviews Deborah Peel MD, Founder, Patient Privacy Rights

Give me some brief background about yourself and about Patient Privacy Rights.

I never expected to be leading this organization or ever even thought about that. In my younger days, I practiced full time as a psychiatrist and Freudian analyst for a very long time, until it became clear that things were happening in DC that would make effective mental healthcare impossible. Namely, that there were lots of different ideas being floated; for example, the Clinton healthcare initiative. There was a part of it that was going to require everyone’s data from every physician encounter be recorded in a federal database.

Fast-forward to the HIPAA privacy rule. That’s what really convinced me of the need for a voice for consumers, because there really wasn’t any. What I’m talking about there is, of course, the change in 2002 that happened under everyone’s radar except for – and this is the laugh line – when the 3,000 Freudian psychoanalysts in the nation noticed that consent was eliminated.

In 2004, I started Patient Privacy Rights because there was no effective representation for the expectations and rights that the majority of Americans have for how the healthcare system is going to work. Namely, that people don’t get to see their information without consent. Since founding PPR in 2004, we’ve still been the national leading watchdog on the issues of patient control over information and even internationally. Our power has come because when we came to DC, the other people that were working on privacy, human rights, and civil rights recognized that because of my unique position as a physician and deep understanding of how data flows, that I knew what I was talking about.

We very quickly got a pretty amazing bipartisan coalition of over 50 organizations. That enabled us to put these issues and problems on the map.

We had some incredible successes in HITECH. Virtually all of the new consumer protections came from our group, including the ban on the sale of PHI, the accounting of disclosures, segmentation, the new requirement that if you pay out of pocket for treatment you should be able to block the flow of that data to health plans and health insurers. We were the ones that worked with Congressman Ed Markey on getting encryption, required stronger security protections, and worked with Senator Snow to get meaningful breach notice into the rules.

All of this work led to the first-ever summit on the future of health privacy this past summer in DC. The videos and the entire meeting can be seen or streamed online at www.healthprivacysummit.org.

If somebody said you had to choose between accepting healthcare IT as it is today or going back to purely paper-based systems, which would you choose?

We’ve never been in favor of going back to paper…

Is football worth surrendering genetic privacy for generations?

The NCAA mandated testing 170,000 athletes for the sickle cell trait because of a lawsuit following the death of a freshman in 2006. See the Washington Post article: Sickle cell testing of athletes stirs discrimination fears

The NCAA apparently did not consider the effect of testing on students’ future employment, even though carrying the sickle cell trait has long been a cause of discrimination.

Better training and monitoring of athletes could help prevent the deaths of athletes with other health problems besides the sickle cell trait, and prevent exposing athletes’ entire families to discrimination.

Quotes:

  • for decades blacks were stigmatized by sickle cell because they carried it far more commonly than whites, marking them as supposedly genetically inferior, barring them from jobs, the military, insurance and even discouraging them from marrying and having children.
  • Since 2000, as many as 10 Division I college football players who had the trait without knowing it have died suddenly following workouts.
  • “What doesn’t exist is scientific data to support the screening,” said Elliott Vichinsky, director of hematology-oncology at Children’s Hospital in Oakland and director of the Northern California Sickle Cell Center. “There are a lot of other people at risk for heat-related illness from exertion.”
  • The best solution, they argue, would be better monitoring, training and care for all athletes – a strategy that worked for the military.
  • “If you want to protect people, there’s an easy way to do that: change the training protocol for everyone,” said Lanetta Jordan, the Sickle Cell Disease Association of America’s chief medical officer.

The Case for Informed Consent

Austin, TX — Patient Privacy Rights (PPR), the nation’s leading health privacy watchdog, released a white paper entitled, “The Case for Consent: Why it is Critical to Honor What Patients Expect: for Health Care, Health IT and Privacy.” The paper is designed to be a primer on health privacy and argues that the primary stakeholder in health care, the patient, must retain control over their personal health information. The white paper is available online at http://patientprivacyrights.org/wp-content/uploads/2010/08/The-Case-for-Informed-Consent.pdf.

The white paper tackles the arguments made that patient control is too technically difficult, is too expensive, or is too complex, among others. In fact, robust privacy-enhancing technologies are in use now that ensure both progress and privacy. Technology can enable control over personal health information today and likely simplify our systems and lower costs.

“Patients know what they want,” says Patient Privacy Rights’ founder, Deborah Peel, MD. “It is a mistake to design health IT in a paternalistic manner — assuming a corporation, vendor, provider or government agency knows what is best for each individual patient.”

View the white paper: The Case for Informed Consent

Re: State agency swaps babies’ blood for supplies

This is a response to the recent article in the Austin American Statesman: State agency swaps babies’ blood for supplies

Institutional Review Boards (IRBs) are NO LONGER the best solution – or even an adequate solution – for state problems (or for research) when informed consent is needed for the use of individual health information, tissue, or bloodspots. There are now effective, affordable technology solutions that enable individual families to make their own informed choices.

The state of Texas was sued because families could not individually decide how their spots were handled – whether they should be kept and how they could be used. Technology offers great solutions for those sensitive problems.

Governance of bio-banks like the NBS Program is critical as Dr. Callan points out, BUT governance cannot replace individuals’ existing rights to privacy and informed consent.

And there is no longer a need to use IRBs (typically stacked with members who have conflicts of interest) to replace individual families’ rights to make decisions about their child’s newborn bloodspots, now that technology offers much better solutions where each family can set their own preferences and be contacted for use/sale of their spots.

IRBs and privacy boards were needed in the past when the time and cost of contacting hundreds and thousands of people to ask consent for the use of their records was prohibitive, but that is no longer true thanks to technology. Millions can be contacted by email or text mail on cell phones instantly, at virtually no cost. And their responses can be addressed automatically via technology—think of online response cards when you donate money, you get an email confirming what you did. Technology can enable each family to make their own informed decisions.

There are many problems with using IRBs to replace individual informed consents. IRBs tend to be dominated by researchers and data users — people who want to use patient records or bio-specimens, rather than consumers and privacy advocates. IRBs have not focused on protecting medical record privacy — the focus has been on clinical research on the use and effectiveness of new drugs and devices that can directly harm people’s minds and bodies, weighing the safety of the study vs. the risk of side-effects and even death. IRBs were designed to protect people who participate in research from harm and death. So IRBs view research in patients’ records and bio-specimens as safe—as if no serious harms or risks result from these kinds of research. But research using bio-specimens or sensitive personal health information poses great risks to privacy. Personal health information, from prescriptions to DNA, is a very valuable commodity that is sold and used to discriminate against patients and their children and grandchildren. Bio-specimens contain genetic information, which can be re-identified, and put families at risk for generations of discrimination.

In addition, the public does not agree that researchers should have unfettered access to their medical records. Open access to the nation’s sensitive health information is not seen as a desired public good. In fact Alan Westin’s survey for the Institute of Medicine on this subject showed that only 1% of Americans would agree to let researchers freely use their health records for any purpose. See: http://patientprivacyrights.org/media/WestinIOMSrvyRept.pdf?docID=2501

Also, the story did not highlight how deceptive ‘opt-out’ consents are. ‘Opt-out’ consent has been utterly rejected in the UK as the method of consent for transferring people’s health records to the NHS—the program had to be stopped when the public found out. ‘Opt-out’ consent was perceived by the public as deceptive, unfair, difficult to understand and enact. See: http://patientprivacyrights.org/2010/04/controversial-medical-records-database-suspended/

The proposal from the ‘Save the Spots’ team, including Patient Privacy Rights, the Genetic Alliance, the UT LBJ School, and innovative technology corporations, would have offered an online consent tool where Texas families could choose to:

  • Destroy the spot
  • Store and do nothing
  • Store and allow use for research, etc.
  • Store and contact us for each use
  • Send a copy of the test results to us for use with our doctor and our health planning

The story missed the key point about how technology can improve the informed consent process and create trust. Think about this example: you can set your preferences for how your bank pays your bills. Online banking allows you to set preferences for how something of yours ($ instead of spots or information) is shared with whom, for what purpose. You can set up the bank to pay some bills automatically every month, others are one-time occurrences—ALL at your direction. And you can change your preferences at any time. We need dynamic, real-time patient-centric technology like that in the health care system—technology has NOT been used to assure patients’ rights, expectations, or convenience. I just saw a system for consent Friday where you can receive requests to use your health information on your cell phone, with the doctor’s name, and how long access is needed.

ALSO—the details about what we offered were not correct in the story—naturally we did not have the funding in hand when we went to the state. How would that be possible? We formally asked the state to agree with the plaintiffs for a delay for 90 days (easy to get from the judge, when both parties agree) so that we could seek the funding from federal and other state and national funders. Funders would not even look at our proposal UNLESS the state had agreed to work with us; i.e., without the state’s agreement we could NOT DO IT. The state would not agree.

We could not have come to the state with funds for our proposal in hand—that’s why we needed the state’s formal agreement to the delay and approval to let us seek the funds to execute our proposal.

Unfortunately the story also did not explain why electronic consents can solve seemingly difficult problems, or why IRBs should no longer be used to replace individuals’ rights of consent when technology enables individuals to make their own informed choices about research.

The issue of what kind of consents we will have for the state of Texas as we move toward requiring and exchanging electronic health information is VERY CRITICAL—it is critical for lawmakers and the public to realize that innovative consent and privacy-enhancing technologies can be used to protect their rights in electronic health systems, not destroy them.

Again, you can see the Article referenced here at this link: http://patientprivacyrights.org/2010/05/state-agency-swaps-babies-blood-for-supplies/

State agency swaps babies’ blood for supplies

When a California company asked Texas for blood samples from newborns in 2008, the state charged $1,600 for 400 blood spots. A North Carolina company swapped 16 HIV testing kits for 5,400 blood spots from the Department of State Health Services in 2006 and 2007. And another company has a five-year contract to get 3,800 blood spots a month in exchange for $456,000 worth of lab supplies.

Blood taken from Texas newborns in a state-mandated program to screen for defects and potentially deadly disorders has proved to be a valuable commodity — not just for researchers who might discover causes and treatments for diseases, but for companies developing, manufacturing and selling lab tests around the world. The blood samples — which were stored indefinitely starting in July 2002 without parents’ knowledge until recently — help companies evaluate and bring disease screening tests to market. In exchange, the health department gets needed supplies to conduct lab tests on newborns and other patients…

…In March 2009, the Texas Civil Rights Project sued the state over the storage program, claiming the state was violating constitutional protections against unlawful searches and seizures as well as state privacy laws. It wanted the state to stop storing blood without parental consent — state law doesn’t require consent — and asked that samples be destroyed unless consent was obtained.

The issue struck a chord nationally as parents learned other states had similar programs and feared the potential for misusing private genetic information.

“Newborn screening programs are under attack nationally, and they hope this will just go away, but it won’t,” said Dr. Deborah Peel, founder and chairwoman of Patient Privacy Rights, a national organization that advocates for patient privacy. “The public is terrified of the state owning their DNA.”

The Texas suit was settled in December when the state agreed to destroy 5.3 million blood spots stored since 2002, despite last-minute efforts led by Peel and others to try to save the spots by creating an informed consent process. New state laws passed last year put controls on the samples, and now the department must inform parents of possible uses and allow them to opt out of having their baby’s blood stored for up to 25 years.

Indian Tribe Wins Fight to Limit Research of Its DNA

This article from the New York Times, Indian Tribe Wins Fight to Limit Research of Its DNA, shows how patients are willing to opt in to certain research, but are outraged when their information is used for research and other purposes they are unaware of.

“SUPAI, Ariz. — Seven years ago, the Havasupai Indians, who live amid the turquoise waterfalls and red cliffs miles deep in the Grand Canyon, issued a “banishment order” to keep Arizona State University employees from setting foot on their reservation — an ancient punishment for what they regarded as a genetic-era betrayal.

Members of the tiny, isolated tribe had given DNA samples to university researchers starting in 1990, in the hope that they might provide genetic clues to the tribe’s devastating rate of diabetes. But they learned that their blood samples had been used to study many other things, including mental illness and theories of the tribe’s geographical origins that contradict their traditional stories.

The geneticist responsible for the research has said that she had obtained permission for wider-ranging genetic studies.

Acknowledging a desire to “remedy the wrong that was done,” the university’s Board of Regents on Tuesday agreed to pay $700,000 to 41 of the tribe’s members, return the blood samples and provide other forms of assistance to the impoverished Havasupai — a settlement that legal experts said was significant because it implied that the rights of research subjects can be violated when they are not fully informed about how their DNA might be used…”

DNA Destruction

In the weeks before state health officials destroyed more than 5 million newborn blood samples they had stored without consent, privacy advocates, parents and lawmakers reached a last-ditch accord to save them — but couldn’t convince the Department of State Health Services to sign on…

Peel said the state’s decision not to seek a non-destructive solution is a shame. She said there was national interest in “saving this treasure trove” of baby blood spots, and that she was working with researchers and lawmakers in Texas and Washington, D.C., to seek funding for a state-of-the-art research database that would allow parents to give consent electronically.

“We were going to … reach out to those 5 million families and let them know they had an alternative to having their blood spots destroyed,” Peel said.