Re: Pres. Obama appoints Todd Park nation’s CTO

The new US Chief Technical Officer (CTO) was chosen for using “innovative technologies to modernize government, reduce waste and make government information more accessible to the public.”

What role does the CTO have in protecting individuals from technology harms? Whose role is it to protect the public from damaging technologies and “big data”?

Technology could enable break-through health research and improve the quality of healthcare. But we won’t have complete and accurate health data needed for transformative research when millions don’t trust electronic health systems. The 35-40% of the public who are “health privacy intense” realize US law doesn’t adequately protect their rights to health privacy.

The full article by Bernie Monegain in Healthcare IT News: President Obama appoints Todd Park Nation’s CTO

Re: Offense must be the new defense, RSA chief says

In response to the Government Security News (GSN.com) article: Offense must be the new defense, RSA chief says

From a major cybersecurity conference, “IT systems already are or will be compromised and security efforts must shift to detecting and mitigating compromises and protecting data in compromised systems.”

FLASH: Health data systems are just as compromised as those in every other sector of the economy and government, but it’s rarely mentioned. With the HIT and healthcare industries in denial, who will secure and protect the nation’s electronic health information?

At the same conference a solution was proposed, “the future of security and privacy in a world in which vulnerabilities and exploits are inevitable lies in protecting data through the use of metadata associated with policies that will let creators and owners control data.”

FYI: last year meta-tagging health data to protect privacy was proposed by the President’s Council of Advisors on Science and Technology (PCAST). PPR testified at the HIT Policy Committee in favor of meta-tagging health data. But the HIT and Healthcare lobbies killed it.

It’s back to business as usual: selling and using abysmal health IT systems and data exchanges without effective privacy or security protections — so healthcare corporations, hospitals, health plans, doctors, HIT companies, labs, pharmacies, etc. can all use or sell our personal health data for discrimination and other purposes we would never agree to.

It’s time for Congress to support the Administration’s new Consumer Bill of Privacy Rights and put people in control of personal data online and in data systems by requiring robust, existing privacy and consent technologies or meta-tagging. Americans’ longstanding legal and ethical rights to health privacy must be restored so people are willing to participate in electronic health systems.

Without remedies now, “trust in our digital world is at risk.”

Press Release: Registration is Open for the 2012 Health Privacy Summit

February 28th, 2012

FOR IMMEDIATE RELEASE

Contact:
Deborah C. Peel, MD

(512)732-0033 or (512)820-6415

Announcing the 2nd International
Summit on the Future of Health Privacy
Is There an American Health Privacy Crisis?

Austin, TX – Patient Privacy Rights announces registration is open for the 2nd International Summit on the Future of Health Privacy: Is There an American Health Privacy Crisis?

We invite you to register for the Summit now.

The Summit will be held on June 6th-7th, 2012 at the Georgetown University Law Center. The O’Neill Institute at Georgetown Law is an academic partner, along with the Harvard Data Privacy Lab, RTI International, The University of Cambridge Computer Laboratory, and the University of Texas School of Information.

We are pleased to announce Ross Anderson PhD, FRS, will be a keynote speaker at the Summit. Anderson is a Professor in Security Engineering at the University of Cambridge Computer Laboratory as well as a researcher, writer, and industry consultant and expert in security engineering.

The 2nd International Summit on the Future of Health Privacy is the first and only international venue for serious discussions by experts and thought leaders on the urgent privacy issues raised by health technologies and architectures (including mHealth and ‘clouds’), by law and regulations, data exchange, secondary uses of health data, and social media platforms. The summit will also explore health privacy through the lens of US and international policies about health information privacy, such as the recent Consumer Bill of Privacy Rights and the EU Draft Regulation on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.

The 1st International Summit on the Future of Health Privacy successfully created the first global public forum on the future of health privacy. The panels on urgent issues included health privacy experts from academia, industry, technology, consumer advocacy, top government officials, and international experts. Learn more about the 2011 Summit here. Videos are available.

Please register early, seating is limited. Registrants will be updated regularly on the agenda and new speakers and sessions in the coming weeks.

###

Patient Privacy Rights is the nation’s leading bipartisan health privacy organization and leading consumer voice for building ethical, trustworthy HIT systems. For more information, visit http://patientprivacyrights.org.

Re: Big Changes Coming in EU Privacy Law

Regarding the article in the Genomics Law Report: Big Changes Coming in EU Privacy Law

The new EU standards for data privacy apply to health data and require the level of personal control over health data and informed consent that Americans expect from electronic health systems, but don’t have. US companies doing business in the EU will have to comply with these tough new privacy protections in a year or face penalties. If companies can build privacy-protective systems there, why not here?

Quote:

  • Companies doing business in the EU must prove “every subject has given consent for the processing of their data for specified purposes. Consent is defined as “any freely given specific, informed and explicit [emphasis added] indication of will,” and can be withdrawn at any time. The subject will also have a controversial “right to be forgotten and to erasure.” This means that when the subject withdraws consent or “the data are no longer necessary” for the purposes for which they were collected, the company must render the data inaccessible, including on the Internet.”

Americans feel the exact same way the European public feels; they too want ethics-based systems that comply with longstanding rights to health privacy.

Since US companies will have to comply with strong patient privacy rights in the EU, they could obviously do the same in the US. Unless the US builds in the same strong patient protections, research comparing electronic health records in the US and EU will be impossible.

The Administration should use the EU example to move forward and require US electronic systems and data exchanges be built to comply with Americans’ longstanding rights to control the use of personal health information.

Re: Health Industry Under-Prepared to Protect Patient Privacy, Says PwC Report

In response to the Security Week article: Health Industry Under-Prepared to Protect Patient Privacy, Says PwC Report

The US is facing an unprecedented privacy crisis. The healthcare industry is extremely negligent about protecting data security and privacy (patient consent). At the same time 3/4 of the healthcare industry further risks patient privacy by selling or intending to sell data for secondary uses. Data theft and sales are driven in large part because, “Digitized health data is becoming one of the most highly valued assets in the health industry.”

  • Sixty-one percent of pharmaceutical and life sciences companies, 40 percent of health insurers, and 38 percent of providers currently share information externally. Of those organizations that share data externally, only two in five pharmaceutical and life sciences companies (43 percent) and one in four insurers (25 percent) and providers (26 percent) have identified contractual, policy or legal restrictions on how the data can be used.
  • Most corporations using patient data lack an effective consent process, “Only 17 percent of providers, 19 percent of payers and 22 percent of pharmaceutical/life sciences companies have a process in place to manage patients’ consent for how their information can be used.”

It’s a double whammy—not only is sensitive health information at high risk of misuse, sale, and breach INSIDE healthcare organizations, it’s also sold to OUTSIDE organizations that lack effective security and privacy measures.

  • “Nearly three quarters (74 percent) of healthcare organizations surveyed said they already do or intend to seek secondary uses for health data; however, less than half have addressed or are in the process of addressing related privacy and security issues.”

PriceWaterhouseCoopers surveyed 600 executives from US hospitals and physician organizations, health insurers, and pharmaceutical and life sciences companies. Data security and privacy practices were abysmal despite new enforcement efforts by the Administration, and despite hundreds of major data breaches compromising the privacy of millions of Americans.

Why aren’t Congress and the public outraged that the privacy and security of health information is so bad? If the banking industry operated like this there would be MAJOR oversight hearings and new laws.

The idea that today’s electronic healthcare systems and data exchanges safeguard health data is simply wrong. Clearly federal and state oversight and penalties for failure to protect the most sensitive personal data on earth need to be increased.

Re: 2012: Time for Action on Health Privacy

Things in Washington DC must really be bad if Deven McGraw, Chair of the Privacy and Security Tiger Team and member of the national Health IT Policy Committee, is speaking out so clearly about the lack of privacy protections in federal policy. She states in the article “2012: Time for Action on Health Privacy” that it’s time for HHS/ONC to change their “pattern” of “too much talk and not enough action” to protect privacy. Is there a privacy crisis? PPR thinks it’s critical to build privacy and patient control over data in up front. Now is the time!

See full article

“Consumers and patients support the electronic sharing of health information and are eager to experience the benefits of widespread adoption and use of electronic health records. Yet a substantial majority continue to express significant concerns regarding the impact of e-health on the privacy and security of their health information. According to a recent survey by the Markle Foundation, the privacy of health information is a significant concern for the American public and doctors who serve them.

Building and maintaining public trust in health IT and health information sharing will be critical to leveraging their benefits to improve individual and population health. The rhetoric from the Office of the National Coordinator for Health IT and HHS has been consistently strong on the importance of respecting the confidentiality of health information; however, with a few exceptions, the pattern has been too much talk and not enough action.”

Re: David Cameron ready to put chunks of NHS up for sale, says Labour

The British Prime Minister proposes opening up and selling the health information of British citizens, i.e. copying the US model of data sales, because he sees it’s worth tens to hundreds of billions in annual revenue to those in the US selling data. For at least the past decade, US industry has been violating Americans’ expectations and strong rights to health privacy by selling and using sensitive patient health information without consent and without public awareness, much less debate.

See more here: David Cameron ready to put chunks of NHS up for sale, says Labour

Key quotes:

  • Prime Minister “[Cameron] sees no limit on the involvement of the private sector and says he wants it to be a ‘fantastic business’. In his desperation to develop a credible industrial strategy, he seems willing to put large chunks of our NHS up for sale.”
  • Roger Gross, from the pressure group Patient Concern, said that allowing private firms access to NHS data would mean “the death of patient confidentiality”.
  • “We understand GP surgeries will have the right to refuse to release their patients’ records, but whether patients will ever be told what is happening, let alone have the choice to protect their privacy, is still unclear,” Gross said.

Leaders in Congress Call Out TRICARE & SAIC

We congratulate the leaders in Congress, Reps. Markey, Barton, DeGette, Stearns, and Andrews, for calling TRICARE and SAIC on the carpet for not securing military families’ sensitive health data. See the letter here.

We hope this letter leads to Congressional oversight hearings into the industry-wide culture of disregard for the privacy of military personnel’s and all Americans’ sensitive electronic health information. The worst serial corporate abusers should be penalized and prevented from getting federal contracts. We need Congress to get to the roots of the industry-wide disregard for health privacy FAST, before millions more people are harmed, not just by medical identity theft, but by the use of health information to discriminate against them in employment, credit, and other key opportunities in life. Once health records are exposed, they can never be made private again.

It is well-known in the healthcare industry and by privacy advocates that about 80% of healthcare providers and the health IT corporations that manage health information have ignored federal laws requiring encryption and data security protection for years. Obviously, head-in-the-sand approaches to data security simply don’t make sense. Clearly it’s cheaper and easier for corporations to ignore the law and common sense than it is to protect our most sensitive personal information, from diagnoses to DNA.

The fact that SAIC has continued to get billions in funds from the federal government despite repeated breaches of sensitive health information shows also that the federal process of awarding, monitoring and auditing, and assuring performance of billion-dollar contracts needs investigation.

Providers, healthcare organizations, and technology companies that do not use state-of-the-art data security for health information should not be allowed to work in the healthcare field. If you are unwilling to protect patient data, you don’t belong in healthcare.

We also strongly support the proposal to make sure that victims of health data breaches receive effective state-of-the-art remediation. Victims should be able to use new technology that enables them to monitor all health insurance claims before they are submitted, so they can prevent the fraud and prevent other people’s health data from being added to their health records.

House to Defense Top Doc: What’s Up With TRICARE Theft?

Four members of the House Energy and Commerce Committee and one member of the House Armed Services Committee want some answers from Dr. Jonathan Woodson, the Pentagon’s top medical official, about how the Defense Department handled the September theft of computer tapes containing the records of 4.9 million TRICARE beneficiaries from the car of an SAIC employee in San Antonio, Texas. Woodson is the assistant secretary of Defense for health affairs and director of the TRICARE Management Activity, which was responsible for the data.

Woodson has been mum on this debacle since it unfolded, and in fact gave a speech in San Antonio the week after the theft was reported and, as far as I can determine, never addressed the issue…

…Last month, TRICARE directed SAIC to offer credit monitoring services to patients whose information was stored on the stolen tapes. Dr. Deborah Peel, founder of Patient Privacy Rights, an advocacy group based in Austin, Texas, says this does nothing to ensure the safety of health care information on those tapes.

Peel, who sent me the Congressional letter to Woodson, said those patients should also be provided with new technology that allows them to monitor all health insurance claims before they are submitted, so they can prevent fraud as well as other people’s health data from being added to their health records.

See Patient Privacy Rights’ Press Release

Changes to EU Data Protection Directive Will Likely Impact U.S.-Based Companies

See full article at Loeb & Loeb, LLP Privacy Law Alert: Changes to EU Data Protection Directive Will Likely Impact U.S.-Based Companies

“Planned changes to the European Union’s Data Protection Directive (EU Directive), some of which are directed at non-EU companies, may significantly impact how U.S.-based entities that interact with EU consumers can collect, store and use consumer data.

The revised EU Directive will give consumers more control over their personal data, including requiring explicit user consent before companies can use data and giving consumers the right to delete data, especially data they posted themselves, otherwise known as the “right to be forgotten.” The proposed changes also will likely include increased transparency for data processing – providing greater information about when and how data is collected, stored and used, and making it easier for consumers to indicate their privacy preferences.”