Hospitals enlist vendors for data analytics help

See full article in FierceHealthIT:  Hospitals enlist vendors for data analytics help

“Providers are increasingly turning to big tech companies to help their data mining efforts, according to an article at Bloomberg Businessweek.

Vendors such as Microsoft, SAS, IBM and Oracle are giving mounds of data the once-over in an analytics industry that generated more than $30 billion last year, according to research firm IDC. That figure is expected to grow to $33.6 billion in 2012–and healthcare is a leading customer.

The practice of data-mining, however, raises concerns. Hospitals have been criticized for mining patient data as a means to market to the most lucrative patients, for example. And data mining only exacerbates the concerns of patient advocates such as Deborah Peel, founder of Patient Privacy Rights, who recently told Forbes that people will avoid seeing doctors if they feel their information isn’t secure.”

The Depressing State of HIEs

See the full article at Hospital EMR and EHR: The Depressing State of HIEs

Yes, the state of Health Information Exchanges (HIEs) in the US is depressing, because many don’t work well for patients or doctors. They enable hundreds or thousands of strangers who work for hospitals, insurers, health IT companies, etc to exchange, use, or sell our sensitive medical records without our consent.

The safe way to exchange health information is to use secure email and patient consent, this is called the “Direct Project”. See: http://directproject.org/ . It enables us to share our health information between two health professionals and email physicians. The Direct Project enables “participants to send authenticated, encrypted health information directly to known, trusted recipients over the Internet.”

Patient Privacy Rights (PPR) endorses the “Direct Project” as the ONLY legal, ethical, and secure way for sensitive patient information to be exchanged.  The public will not trust HIEs or national data exchange models unless patients control the disclosures of their sensitive health records.

A quote from the story below shows financial interests of Accountable Care Organizations (ACOs) can trump patients’ interests: “Some ACO providers are now blocking access to their data so competitors can’t get to it”—-that means doctors who are not part of the ACO but who treat ACO patients can’t see their test results and treatment records–even when these patients want them to have that information.

Some ACOs and other businesses view HIEs as vehicles to get more patient data, rather than as a means to serve patients’ needs for care coordination, to avoid duplicate tests, to ensure better treatment, or enable them to give consent for research use of their data.

Many corporations and businesses that HOLD patient data imagine they own it, so they use and sell it without patient consent. US law and medical ethics still require meaningful, informed patient consent before physicians or data holders can disclose anyone’s health information. “HIPAA compliance” actually does NOT get data holders off the hook for asking patients for consent before disclosing data. According to the HIPAA Privacy Rule, it’s “the floor” for data privacy protection, not the ceiling. 67 Fed. Reg. at 53,212 (August 14, 2002).  HIEs designed to further business interests over patients’ interests will continue to fail, because the public will not support them.

It turns out that the only person who can easily, cheaply, and legally make patient data flow for all the right reasons (treatment, research), to all the right all the people (a specific doctor or researcher) at the right time is YOU.

Only you can tell an ACO to send your data to an outside clinician —- and the ACO must send it, whether it gives competitors an advantage or not. Only you can make your data “fluid”, because patients are the only people with clear, longstanding Constitutional, legal, and ethical rights to disclose personal health information.

In PPR’s recent comments about building a Nationwide Health Information Network (NwHIN), we urged the Office of the National Coordinator for Health IT (ONC) to address the fatal privacy and security flaws in current systems and state and federal data exchanges. We urged ONC to certify that HIEs and data exchanges protect privacy by verifying that only patients decide when/where personal data flows.  “Multi-stakeholder” public-private governance at the state and federal level has failed to gain public trust.  Public-private governance assures that industry, research, and government interests trump the public’s rights to health information privacy. See: http://tiny.cc/e1v0gw for more information.

Harvard’s Data Privacy Lab launching health record bank

Read the full article at: http://www.nhinwatch.com/perspective/harvard’s-data-privacy-lab-launching-health-record-bank

Some key points from the story:

“In a major new development in the world of health IT, the Data Privacy Lab in the Institute of Quantitative Social Science at Harvard University will soon unveil a health record bank (HRB) that allows anyone to own and manage a complete, secure, digital copy of their health records and wellness information with a free account. This is the first time that a prominent academic institution is hosting an HRB for use by the general public and communities nationwide.”

“This launch is important for health IT because an HRB can provide and sustain all the capabilities of a fully functional health information infrastructure (HII):
1. It allows access to comprehensive individual electronic patient records, aggregation of population information for public health and medical research, and record searching to facilitate patient-specific notifications;
2. Privacy is protected since each patient determines who can access which portions of their own health records;
3. Collecting patient information is assured – since patients request their records, all providers must supply them (under HIPAA and for Stage 2 Meaningful Use);
4. It is inexpensive to operate since it obviates the need for the complex and costly real-time record locator services necessary when each patient’s records from all sources are not centrally stored;
5. Patient consent enables innovative applications linked to HRB accounts, providing compelling value to consumers and other stakeholders (e.g., reminders and alerts), thereby ensuring more than enough revenue for financial sustainability. HRBs could even fund permanent, ongoing EHR incentives to office-based providers to help further promote widespread adoption and standards compliance. The HRB at Harvard therefore represents a feasible and readily achievable HII paradigm that can be utilized by individuals and communities nationwide.”

Health privacy issues can be resolved without obstructing care

See full article in FierceHealthIT: Health privacy issues can be resolved without obstructing care

Ken Terry writes about the big issues with patient privacy today and possible solutions.

“At times, it seems like concerns about the security and privacy of healthcare data have catapulted into overdrive: For instance, it recently was predicted that healthcare spending on security would hit $70 billion a year by 2015–enough to cover the majority of the uninsured. Sure, there are plenty of security breaches–some of them serious enough to attract public attention. But as a few recent cases show, universal encryption of data (some forms of which may soon be required under the latest HIPAA rules) could eliminate the biggest source of security breaches. Also, with the advent of virtual desktop infrastructure, there’s no reason to store any personal health information on end-user devices.
Another challenge in the security arena is giving consumers the ability to control who sees their records. While most physicians now have their patients sign HIPAA forms so that they can share data with other providers, the advent of electronic health information exchange (HIE) has greatly increased access to a wide range of individually identifiable data from a variety of sources. And patients may not want everyone who treats them to know, for example, that they have seen a psychiatrist.”

Re: BCBS Breach in Tennessee

The Office of Civil Rights in the Dept of Health and Human Services (OCR) slapped the wrist of BCBS of Tennessee.

One million people’s protected health information was breached because Blue Cross Blue Shield (BCBS) of Tennessee violated data security laws. The settlement cost BCBS a little more than $1.00 per person—hardly a deterrent to other corporations or adequate punishment. However, that amount happens to be the same as the highest possible fine permitted by law (HITECH).

Still it appears that criminal charges could have been filed for “willful disregard” rather than OCR accepting a settlement. OCR’s finding that legally-required “adequate administrative and physical safeguards” were lacking is evidence of “willful neglect”.

Worst of all, the one million victims received NO protection against future ID theft or medical ID theft. OCR could have also required BCBS to mitigate future patient harms, but didn’t. New technologies can protect against medical ID theft by enabling patients to review all new claims, so they can detect and prevent fraudulent claims and erroneous data from being entered into their records.

Why didn’t OCR propose that BCBS adopt remedies to protect the patients whose records were breached from further misuse and theft?  Shouldn’t OCR help protect victims?

HHS quietly withdraws HIPAA breach-notification rule

Following a firestorm of criticism from privacy advocates who say federal officials gave too much leeway to healthcare organizations that inadvertently disclose protected health information, HHS has without fanfare withdrawn its HIPAA “breach notification” final rule that had been submitted to the White House for budgetary approval.

The move was “to allow for further consideration, given the department’s experience to date in administering the regulations,” the HHS Office for Civil Rights posted on its website late Wednesday. “This is a complex issue and the administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur,” OCR explained…

…The decision thrilled the Patient Privacy Rights Foundation, headed by noted privacy watchdog Dr. Deborah Peel, which had been adamantly opposed to the so-called “harm standard.”

See the PPR Press Release supporting this decision.

Problems with IBM’s new “massive” research study

Healthcare IT News released an article about IBMs new research project: IBM launches massive health data research project

IBM plans to bring together personal data on individuals far beyond what is available in the health care system – including environmental and financial data on individuals — to “pinpoint incentives governments and businesses might offer” to patients to improve health. The plan is to first study childhood obesity.

The problem is IBM’s research project does not appear to start with obtaining informed consent from the individuals (or their parents) whose data will be collected and studied.

There is no mention of the legal or ethical authority or basis that permits IBM corporation to collect, analyze, and do research on so much sensitive personal information on individual children, in order to decide which “actions” to incentivize to improve a particular child’s health.

Yet, IBM’s research aims to help doctors treating specific individual patients: “all these complex issues need to meld into a single thread of conversation as I talk to my patient.”

The story mentions numerous groups IBM is working with, but it appears that no consumer, patient, child, or privacy advocacy organizations are “partners” in this massive research project.

More Quotes:
• project will combine and analyze massive data sources that have never before been integrated to simulate the cause-and-effect relationships between agriculture, transportation, city planning, eating and exercise habits, socio-economic status, family life, and more
• project could help pinpoint incentives governments and businesses might offer or what types of investments might be needed and how to prioritize them • it’s been impossible to understand and to quantify precisely how each factor in our environment plays a role
• IBM researchers said they will partner with public policy and food experts, medical clinicians, economists, simulation experts, industry leaders, universities and others in this collaborative endeavor
• In many cases, the data and models exist. They just need to be put together in a consumable way that shows the wider connections and potential actions that can enhance individual and community health,” said Paul Maglio, an IBM researcher.

IBM launches massive health data research project

SAN JOSE, CA – IBM has announced it has launched a multi-year research project to connect and analyze enormous collections of data from a wide variety of sources to find ways to improve health. The project will initially focus on childhood obesity.

The IBM Research project will combine and analyze massive data sources that have never before been integrated to simulate the cause-and-effect relationships between agriculture, transportation, city planning, eating and exercise habits, socio-economic status, family life, and more, researchers said.

Re-Identification. From Netflix to Health Records.

Today’s NY Times story points out the FACT that is very easy to re-identify supposedly “de-identified” information. Singer starts with how the Netflix “de-identified” data base was proven to be re-identifiable and moves on to describe Latanya Sweeney’s famous re-identification of the medical records of Gov Weld.

See the NY Times Article: When 2+2 Equals a Privacy Question

Open Source Research

See the Government Health IT article: NCI to open research grid to cancer patient ‘army’

Women desperate to cure breast cancer are contributing their sensitive personal health information to “an army” of researchers.

But there is no reason that these altruistic women have to risk their futures and their daughters’ futures to find a cure.

It’s possible to do research without risking their futures and their daughters’ and granddaughters’ futures by using privacy-protective technologies and robust informed electronic consent. But this project does NOT protect the privacy of these generous and well-intentioned women.

The women’s data can be downloaded by “thousands of users”–all of whom make copies of their extremely sensitive, IDENTIFIABLE records. The records are identifiable so that the women can be contacted by researchers.

Some of the major things wrong with this picture:
1) The NCI system allows “researchers (to) form and maintain large breast cancer disease databases.” Is there any way to tell if the security is ironclad, state-of-the-art? No.
2) How many copies will researchers make? How many times will the data be replicated and backed-up across the world? No way to know.
3) What countries will copies of the records be kept in? No way to know.
4) How many and which researchers will download and keep their data? No way to know.
5) The researchers must sign agreements to protect and not sell the data, but there are no ‘data police’ to enforce those agreements. If there are no ‘data police’ watching this data, how do the women know it’s safe? No way to know.
6) What if a woman does not approve of a particular study or researcher who has their data? Can a woman prevent any researcher from using her information? No.
7) How will the data be handled after the research study is complete? How will the women know if it is destroyed? No way to know.
8) How safe is research access via a web browser? No way to know

The severe flaws in this plan are obvious. Fearful women desperate for cures are being exploited by the government and the research industry that designed these systems to serve their needs, NOT the women’s rights to privacy. Putting such sensitive data out into cyberspace KNOWING it can never be retrieved or destroyed is grossly irresponsible. Like Paris Hilton’s sex video, this data will live forever in cyberspace, risking future jobs and opportunities of every child of every woman desperate for a cure.

The NCI could do this a better way—we can have research and privacy at the same time. But the privacy protective technologies that can enable both are not being used. Why not?????

See our testimony Sept 18th at the national HIT Policy Committee and the many letters from the Coalition for Patient Privacy to federal agencies and Congress describing how to do research while protecting privacy.

And NO–the Genetic Information Nondiscrimination Act (GINA) DOES NOT protect our genetic data. It allows insurers and employers to have our genetic data and it has no enforcement. Zero. And HIPAA has no protections for genetic data either–it allows others to control and use our data without consent.

The cost of contributing to research should not be that your female descendents are unemployable. Unless data is protected, we will have generations of people who cannot work because employers will not risk hiring anyone at risk of getting a disease.