Patient Safety and Health Information Technology: Learning from Our Mistakes

MUST READ article by Ross Koppel about why and how government and industry denial of serious design flaws in electronic health systems endanger patients’ lives and safety. He uses detailed examples, citations, and the historical record to support his case. Flawed technology causes serious patient safety issues in the same way flawed technology prevents patient control over who can see, use, or sell sensitive health information.

Yet technology could vastly improve patient safety and put patients back in control over the use of their health data. Why is poor technology design entrenched and systemic? Koppel states, “The essential question is: why has the promise of health IT—now 40 years old—not been achieved despite the hundreds of billions of dollars the US government and providers have spent on it?”

He makes the case that key problems arise from industry domination over the public interest. “Marketing overdrive” has caused:
· Denial and magical thinking: we see the “systematic refusal to acknowledge health IT’s problems, and, most important, to learn from them”

· Prevention of “meaningful regulations since 1997″: ”This belief that health IT, by itself, improves care and reduces costs has not only diminished government responsibility to set data format standards, it has also caused us to set aside concerns of usability, interoperability, patient safety, and data integrity (keeping data accountable and reliable).”

· Destructive “lock-in” to flawed technology systems: A full software package from a top firm for a large hospital costs over $180 million, and can cost five times that figure for implementation, training, configuration, cross-covering of staff, and so on.(11,12) Because illness, accidents, and pregnancies cannot be scheduled around health IT training and implementation needs, the hospital must continue to operate while its core information systems are developed and installed. This investment of time and money means the hospital is committed for a decade or more. It also reduces incentives for health IT vendors to be responsive to the needs of current customers.(13,14)

We have been to this rodeo before. Koppel points out these same phenomena occur over and over in many other industries:
“we had dozens of railroad gauges, hundreds of time zones, and even areas with both left- and right-hand driving rules. In all cases, the federal government established standards, and the people, the economy, and especially the resistant industries flourished. Industry claims that such standards would restrict innovation were turned on their heads.”

The health technology industry has failed to reform itself for 40 years. Effective federal laws and regulation are the only path to ensuring innovation and interoperability, to make health IT systems safe for patients and useful to doctors, and to restore individual control over who sees the most sensitive personal information on Earth.

See the full article at Web M&M: Patient Safety and Health Information Technology: Learning from Our Mistakes

The Changing Landscape – The Impact to Patients’ Privacy

Both President Bush and President Obama agree that every American should have an electronic health record by 2014. Congress agrees too and has poured $27 billion into digitizing the healthcare system.  Using data instead of paper records, technology tools can analyze mountains of health information to understand what treatments work best for each of us, improve quality, facilitate research, and lower costs. Strong support for electronic health records systems and health data exchanges is bipartisan.

But the systems being funded have major, potentially fatal design flaws which are NOT being addressed by either party:

-Patients have no control over who sees or sells sensitive personal health information.

-Comprehensive, effective data security measures are not in use; 80% of health data is not even encrypted.

-Health data is held in hundreds or thousands of places we have never heard of because of hidden data flows.

-Hundreds of thousands of employees of corporations, third parties inside and outside the healthcare system, researchers, and government agencies can easily obtain and use our personal health information, from prescription records to DNA to diagnoses.

-There is no “chain of custody” for our electronic health data.

The consequences of the lack of meaningful and comprehensive privacy and security protections for sensitive health data are alarming. Over 20 million patients have been victims of health data breaches – these numbers will only increase. Millions of patients each year are victims of medical ID theft, which is much harder to discover and much more costly than ID theft. Such easy access to health data by thousands of third parties is causing an explosion of healthcare fraud (see FBI press release on $100M Armenian-American Fraud ring: http://www.fbi.gov/newyork/press-releases/2010/nyfo101310.htm). Equally alarming, this lack of privacy can cause bad health outcomes, millions of people every year avoid treatment because they know their health data is not private:

-HHS estimated that 586,000 Americans did not seek earlier cancer treatment due to privacy concerns. 65 Fed. Reg. at 82,779

-HHS estimated that 2,000,000 Americans did not seek treatment for mental illness due to privacy concerns. 65 Fed. Reg. at 82,777

-Millions of young Americans suffering from sexually transmitted diseases do not seek treatment due to privacy concerns. 65 Fed. Reg. at 82,778

-The Rand Corporation found that 150,000 soldiers suffering from PTSD do not seek treatment because of privacy concerns. “Invisible Wounds of War”, The RAND Corp., p.436 (2008). Lack of privacy contributes to the highest rate of suicide among active duty soldiers in 30 years.

Public distrust in electronic health systems and the government will only deepen unless these major design flaws are addressed.

The President’s Consumer Privacy Bill of Rights shows he knows that trust in the Internet and electronic systems must be assured. The same principles that will ensure online trust must also be built into the healthcare system — starting with Principle #1:

“Consumers have a right to exercise control over what personal data companies collect from them and how they use it.”

Organics industry and privacy industry face similar labeling issues

See the full article in the New York Times at Has ‘Organic’ Been Oversized?

Like the food industry’s label for “organic” foods, the health technology industry wants to label or brand its products, like electronic records systems, data exchanges, health “apps”, and etc as “privacy-protective”.  Regardless of how far from reality that designation is.

This story shows that the federal law setting up an “organic” certification panel for food requires a FAR greater number of consumer and academic seats on the panel than are on the two National Health IT Policy and Standards Committees.  The organic certification panel requires the appointment of “four farmers, three conservationists, three consumer representatives”, for a total of 15 seats for non-industry representatives. But the federal government appointed industry people to those seats anyway. The federal govt. also appointed people who do not represent consumers or consumer organizations to the few consumer seats on the National Health IT Policy and Standards Committees.

But people who want health privacy are a huge percentage of the public: polls show between 75-95% of the public. This is a far greater percentage of the public than buy “organic” food.  Health privacy is not an ‘elitist’ product, as “organic” foods are perceived to be. Everyone is affected  by the lack of control over their health data and everyone cares about it.

A few key quotes from the story:

-The fact is, organic food has become a wildly lucrative business for Big Food and a premium-price-means-premium-profit section of the grocery store. The industry’s image — contented cows grazing on the green hills of family-owned farms — is mostly pure fantasy. Or rather, pure marketing. Big Food, it turns out, has spawned what might be called Big Organic.

-“The board is stacked,” Mr. Potter says. “Either they don’t have a clue, or their interest in making money is more important than their interest in maintaining the integrity of organics.”  He calls the certified-organic label a fraud and refuses to put it on Eden’s products.

-BIG FOOD has also assumed a powerful role in setting the standards for organic foods. Major corporations have come to dominate the board that sets these standards.

-As corporate membership on the board has increased, so, too, has the number of nonorganic materials approved for organic foods on what is called the National List.Today, more than 250 nonorganic substances are on the list, up from 77 in 2002.

-This sounds like the way the National Health IT Policy And Standards Committees operate:

o   The organic certification board has 15 members, and a two-thirds majority is required to add a substance to the list. More and more, votes on adding substances break down along corporate-independent lines, with one swing vote.

o   Six board members, for instance, voted in favor of adding ammonium nonanoate, a herbicide, to the accepted organic list in December. Those votes came from General Mills, Campbell’s Soup, Organic Valley, Whole Foods Market and Earthbound Farms, which had two votes at the time.

-CORPORATE APPOINTEES FILL CONSUMER SEATS, just like on the Health IT Policy And Standards Committees:

o   The Organic Foods Act calls for a board consisting of four farmers, three conservationists, three consumer representatives, a scientist, a retailer, a certification agent and two “handlers,” or representatives of companies that process organic food.

o   Cornucopia has challenged the appointment of Ms. Beck, the national organic program manager at Driscoll’s, to a seat that is, by law, supposed to be occupied by a farmer. Officially, “farmer” means someone who “owns or operates an organic farm.”   But Ms. Beck does not own or operate a farm.

§  Driscoll’s nominated Ms. Beck for one of the handler seats — but Tom Vilsack, the agriculture secretary, appointed her to one of the seats reserved for farmers.

§  In contrast, Dominic Marchese, who produces organic beef in Ohio, has tried and failed three times to win a board appointment as a farmer.

o   Similarly, the three consumer seats have never been filled by anyone from a traditional consumer advocacy group like the Organic Consumers Association orthe Consumers Union. Instead, those seats have largely gone to academics with agricultural expertise and to corporate executives.

o   Katrina Heinze, a General Mills executive, was appointed to serve as a consumer representative on the board in December 2005 by Mike Johanns, the agriculture secretary at the time. The outcry over her appointment by advocates and independent organic consumers was so intense that she resigned inFebruary 2006 — but rejoined the board late that year after Mr. Johanns appointed her to the seat designated by law for an expert in toxicology, ecology or biochemistry.

To learn more about preventing health privacy issues and protecting your privacy, please visit our Health Privacy Summit website.

Health Care Reform: Let’s Not Forget Privacy And Data Security

See the full article at Forbes.com: Health Care Reform: Let’s Not Forget Privacy And Data Security

The Affordable Care Act poses many new threats to patient privacy due to an already over loaded health care system. The influx of new consumers in this market will cause much stress on the already insufficient data privacy infrastructure. Bob Gregg, guest writer for Forbes.com, explains the strains and consequences caused by this new legislation.

“The Supreme Court’s decision to uphold the Affordable Care Act could guarantee health insurance coverage for the majority of the 50 million Americans who are now uninsured. While laudable in theory, this legislation doesn’t account for the strain these millions of new patients will have on an already overburdened healthcare ecosystem, especially when it comes to patient privacy and data security.”

Mr. Gregg looked to Patient Privacy Rights’ own founder, Dr. Deborah Peel, to explain what kind of ramifications this act will have for patients and their data privacy.

“My friend, Dr. Deborah Peel, founder of Patient Privacy Rights, tells me that “patients have no control over who sees or sells personal health information. Our health data is held in hundreds or thousands of places we have never heard of because of hidden data flows.” Thousands of people, including researchers and government agencies, she says, have easy access to this information.”

The article goes on to list the four major issues this new burden on the health care system will cause and how it will affect consumers. The bottom line, he says, is “…The Affordable Care Act is designed to make healthcare available to the masses. But that availability comes at a price. Healthcare providers will have to shift tight budgets toward patient care and away from protecting patient privacy, leaving Americans vulnerable to the increasing frequency and cost of data breaches, medical identity theft, and fraud. Combine that with the HITECH Act, federal legislation that pushes healthcare providers into adopting EHR systems, and you have a perfect storm for unintended consequences surrounding patient privacy and data security.”

For even more information on how you can help keep patient data private visit our International Summit on the Future of Health Privacy website.

How a Lone Grad Student Scooped the Government and What It Means for Your Online Privacy

See the full article at ProPublica.org: How a Lone Grad Student Scooped the Government and What It Means for Your Online Privacy

Sobering.  Silicon Valley decides what privacy rights we have online, in clouds, in electronic health systems, in apps, on social media, and on mobile devices. Our fundamental Constitutional rights to privacy—to control personal information about our lives, minds, and bodies—is defended by lone grad students, European Data Commissioners, a few small privacy advocacy organizations, the FTC, and a handful of whistleblowers.

A PREDICTION: Selling intimate cyber-profiles will end when the public discovers that NOTHING about their minds and bodies is private.

The lack of control over sensitive health data will be the nation’s wake-up call to rein in Silicon Valley and restore the right to be ‘let alone’. See: Olmstead v. United States, 277 U.S. 438, 478, 48 S.Ct. 564, 572 (1928) (Brandeis J., dissenting).

  • Cyber-profiles of our minds and bodies contain far more sensitive information than mothers, lovers, friends, Rorschach tests, or psychoanalysts could ever reveal.
  • “If you are not paying for it, you’re not the customer; you’re the product being sold”, see Andrew Lewis at: http://www.metafilter.com/user/15556.
  • 35-40% of us are “Health Privacy Intense”—-a very large minority; see Westin’s keynote slides from the 1st International Summit on the Future of Health Privacy:http://tiny.cc/9alvgw

THE TIPPING POINT will be when the public discovers that electronic health systems facilitate cyber-theft, data mining, data sales, ‘research’ without consent, and allow thousands of strangers to snoop in millions of patient records (think George Clooney and more: http://www.foxnews.com/story/0,2933,348988,00.html).

Health data is the most sensitive personal information on Earth. Everything from prescription records to DNA to diagnoses are HOT BUTTONS.

Instead of enabling patients to decide which physicians or researchers they want to see their health records, corporate and government data holders decide who can use and sell Americans’ sensitive health data—-upending centuries of law and ethics based on the Hippocratic Oath, which requires physicians to ask consent before disclosing any information.

Top Experts Discuss Privacy Risks at 2nd International Summit on the Future of Health Privacy

Patient Privacy Rights and Georgetown University Law Center’s O’Neill Institute for National and Global Health Law Host Event

Psychiatry Patient’s Story Highlights Growing Threat to Privacy

WASHINGTON–(BUSINESS WIRE)– When a lawyer named “Julie” sought psychiatric treatment in Boston, she never imagined that the notes of sessions with her therapist would be digitized and made available to thousands of doctors and nurses—even dermatologists and podiatrists with no conceivable need for such private records. But that is precisely what happened. “Personal details that took me years to disclose during therapy are being shared throughout my medical network, against my will,” Julie says. “It’s destroyed my trust with my doctors.”

Julie will tell her story for the first time at the 2nd International Summit on the Future of Health Privacy, to be held in Washington, DC, on June 6-7. Sponsored by Patient Privacy Rights, the nation’s leading health privacy watchdog, and Georgetown University Law Center’s O’Neill Institute for National and Global Health Law, the Summit will explore the often-alarming privacy implications of the nation’s race to digitize patient medical records.

“Every state requires patient permission before sensitive mental health records can be shared with other doctors. But Julie found that hundreds of pages of intimate records, some detailing her abuse as a child, were open to the entire staff of her Boston-based healthcare system,” says Dr. Deborah Peel, founder of Patient Privacy Rights. “Julie is an example of how major electronic health records systems can actually strip patients of their privacy rights. Her tragic story highlights the need for the Privacy Summit—to shine light on these abuses and find solutions to protect patient privacy.”

40 Health-Privacy Experts Drive Debate:

More than 40 health-privacy experts from around the globe will gather for the Summit, including top U.S. government officials and leading CEOs, physicians and academics, along with several hundred live and virtual attendees. Speakers will discuss new policies including a Health Privacy Bill of Rights, data exchanges, secondary uses of health data and social media platforms that threaten patient privacy. In addition, the founder of Harvard’s Data Privacy Lab will announce the launch of a yearlong project, the first of its kind, to map the hundreds of secret organizations and agencies where private medical data is sold and shared in the United States.

Summit organizers also will announce the “The Best Privacy Technologies of 2012,” and companies will demonstrate new products that enhance patient control of personal health data.

Louis D. Brandeis Privacy Award:

To kick off the Summit, Patient Privacy Rights will honor the first-ever recipients of the Louis D. Brandeis Privacy Award. The privacy watchdog group will recognize Congressman Joe Barton (R-TX) and Congressman Ed Markey (D-MA) for their roles as leading congressional privacy advocates. And Alan Westin, Columbia University’s Emeritus Professor of Public Law and Government, and Ross Anderson, the University of Cambridge’s Professor in Security Engineering, will be honored for their groundbreaking work on consumer data privacy and security.

WHAT: The 2nd International Summit on the Future of Health Privacy
WHEN: June 6-7th, 2012
WHERE: Georgetown University Law Center
600 New Jersey Avenue, NW. Hart Auditorium, McDonough Hall
Washington, DC 20001

REGISTRATION: http://www.healthprivacysummit.org/d/3cq92g/4W

AGENDA: http://www.healthprivacysummit.org/d/3cq92g/6X

SPEAKERS: http://www.healthprivacysummit.org/d/3cq92g/6K

FOLLOW US ON TWITTER: @PrivacySummit

SPONSORS/PARTNERS: Accenture, CA Technologies, Dell, e-MDs, FairWarning®, Harvard Data Privacy Lab, IDExperts, Jericho Systems, Microsoft, PwC, RTI International, Telemedicine and Advanced Technology Research Center (TATRC), The O’Neill Institute at Georgetown Law Center, The University of Cambridge Computer Laboratory, The University of Texas School of Information

ABOUT PATIENT PRIVACY RIGHTS: Patient Privacy Rights is the nation’s leading bipartisan health privacy organization and leading consumer voice for building ethical, trustworthy healthcare IT systems. For more information, visit http://patientprivacyrights.org

Contact:
Keith Blackman, 202-730-5753
keith@blackmanmediasolutions.com
or
Jim Popkin, 202-686-6699
jim.popkin@sevenoaksmedia.com

Office of the National Coordinator of Health IT, HHS, Announces PPR Summit

To learn more visit Health Privacy Summit and HealthIT.

The Second International Health Privacy Summit is quickly approaching (June 6-7). Our keynote speaker, Farzad Mostashari, MD, ScM is the National Coordinator for Health IT and will be giving a wonderful presentation on “Creating a Culture of Privacy and Security Awareness.” The Office of the National Coordinator for Health IT has given great support to this event and will be participating as well. Here’s what they have to say about the Health Privacy Summit:

June 6-7
2nd International Summit on the Future of Health Privacy

Over 40 leading health-privacy experts from around the globe will gather in Washington, DC for the 2nd International Summit on the Future of Health Privacy to discuss privacy and security issues raised by emerging health technologies. Experts from the U.S. government, the private sector and academia will explore new laws and regulations, data exchanges, secondary uses of health data and social media platforms and how they relate to the privacy and security of patient health information.

National Coordinator for Health Information Technology – Farzad Mostashari, MD, ScM – will kick off this year’s event with a keynote presentation on “Creating a Culture of Privacy and Security Awareness.”

See the full list of speakers at http://www.healthprivacysummit.org/d/3cq92g/6K .

* Agenda: http://www.healthprivacysummit.org/d/3cq92g/6X
* Registration: http://www.healthprivacysummit.org/d/3cq92g/4W FREE to attend or watch live online!

20 Million Affected by Health Breaches

See full story at Govinfosecurity.com: 20 Million Affected by Health Breaches

“The federal tally of individuals affected by major healthcare information breaches since September 2009 now exceeds 20 million. But two recently reported major incidents, estimated to have affected a combined total of more than 675,000, have yet to make the list, which now includes 435 incidents.

As of May 23, the breach list includes 29 incidents in 2012 affecting a total of about 935,000. By far the largest of those breaches is a Utah Department of Health hacking incident affecting 780,000 individuals, including Medicaid clients, Children’s Health Insurance Plan recipients and others.”

Targeted attacks cost companies an average of $200k

See the full article at SC Magazine: Targeted attacks cost companies an average of $200k

It always costs more to repair than to prevent. The curious thing is that federal law mandated basic security protections in HIPAA, but industry never bothered because the law was never enforced.

Here we are 12 years after the HIPAA Privacy Rule was implemented:

· the Coalition for Patient Privacy got MUCH tougher security rules and enforcement into HITECH

· breaches are rampant

· 80% of hospitals still don’t encrypt data

What’s wrong with this picture? Register for the 2nd International Summit on the Future of Health Privacy June 6-7 in Washington, DC–attending or watching via live streamingvideo is free: http://tiny.cc/p4fqew Security technologies are critical for privacy—see top US computer scientists discuss “ideal” technologies for health data privacy and security.

Re: Data-Mining in Doctor’s Office Helps Solve Medical Mysteries

The story concludes that “the benefits (of research) outweigh the (privacy) concerns”. But that statement was made by a hospital administrator, not by the patients whose data were used without consent. They weren’t asked or notified.

There are several problems with the idea that the benefits of doing research without consent outweigh the risks:

·       the lack of privacy and control over health information causes bad outcomes: when people realize that they cannot control health records, millions refuse diagnosis and treatment for cancer, depression, and sexually-transmitted diseases

·       there is no need to choose between respecting patients’ rights to privacy and doing research—it’s a false choice, consent technologies can enable people to easily choose and give automatic consents for research projects they support, or be contacted case-by-case for permission

·       there was no public debate about whether every American’s electronic health information should be used for research without consent

·       current electronic systems do not allow patients to control any uses of their health data—-why continue to use such badly-designed systems?

·       there are no “dangers of over notification” with today’s systems—in fact, patients get no notice at all when personal data is used for research

Americans have not agreed to a healthcare system that turns them into electronic guinea pigs.

Why not build patient-centered systems so we can make important decisions about ourselves, instead of hospital administrators and researchers choosing for us?  “Nothing about me without me.”