Don’t bet on knowing your records’ whereabouts

Joseph Conn with ModernHealthcare.com wrote about the Health Privacy Summit in the IT Everything blog. You can read the full article here: Don’t bet on knowing your records’ whereabouts

“Do you know where your electronic health information is tonight?

Here’s a reader challenge: I’ll pay $10 to the first adult who has had at least five encounters with the private-sector healthcare system in the past 10 years to come up with a complete map of where all his or her electronic health records have traveled, who has seen them and where they are now.

I feel my money is safe in my pocket, and here’s why:

First, I’ve been covering health IT for nearly 11 years, and there is no system I know in this country that can completely track the whereabouts of someone’s electronic health information.

Second, there are no laws or incentives to induce complete tracking of a patient’s records.

And yet, patients ought to have access to just such a record map, according to health IT and privacy experts participating in the first Health Privacy Summit Monday in Washington. The daylong conference was put together by Patient Privacy Rights and the Lyndon B. Johnson School of Public Affairs at the University of Texas, Austin…”

Mostashari mindful of HIT stakeholder tension

WASHINGTON – At the Health IT Policy Committee meeting Wednesday morning, Farzad Mostashari, MD, the new national coordinator for health information technology, said he will listen attentively to stakeholder interests and is aware of the tensions among them. However, his first objective will be the public interest.

In addition to his national coordinator role, Mostashari will serve as chair of the HIT Policy Committee, an advisory group to the Office of the National Coordinator for Health Information Technology (ONC), which meets once a month. Like his predecessor, David Blumenthal, MD, his leadership of this committee, in particular, will provide a catalyst for much of the activity the government plans for health IT.

“David is a tough act to follow,” Mostashari said, in some of his first public comments following his appointment last Friday. He added that Blumenthal had a broad range of support and unique skills that helped to move the federal HIT agenda to the next level.

“I’m not David Blumenthal, but I will do my best and will continue down the path he has set,” Mostashari said.

HIPAA privacy actions seen as warning

Computerworld – Two separate enforcement actions taken this week by the U.S. Department of Health and Human Services for HIPAA privacy violations should serve as a warning to all healthcare entities, say privacy analysts.

The agency announced on Thursday that it had imposed a civil monetary penalty of $4.3 million on health insurer Cignet Health for violating the Health Insurance Portability and Accountability Act’s privacy provisions.

This week’s other enforcement action involved Massachusetts General Hospital, which agreed to pay HHS a total of $1 million to settle potential HIPAA privacy violations.

The action against Cignet represented the first time since HIPAA became law that such a fine has been imposed on an organization in the healthcare field over a privacy violation.

HHS said the fine was levied on Cignet for two reasons: It did not give 41 patients access to their medical records when they asked for it, and it did not subsequently cooperate with an investigation into the matter by HHS’s Office for Civil Rights (OCR)…

…The actions could be a sign that HHS is getting serious about enforcing HIPAA’s privacy requirements more stringently, said Deborah Peel, founder and chairwoman of the Patient Privacy Rights Foundation.

These actions are among “the most significant things that the administration has done for patient privacy,” Peel said.

Both HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was passed as part of the 2009 stimulus package, contain provisions for protecting the privacy and security of patient data.

“But nobody has been paying attention to them. It’s like mass civil disobedience by industry,” Peel said. “So this is incredibly welcome for patients.”

PPR Comments on the PCAST HIT Report

The President’s Council of Advisors on Science and Technology (PCAST) weighed in on the key problems with how the Administration is building health IT systems and data exchanges. They recommend that patients be able to meta-tag data to protect privacy, that interoperability requires adoption of a common “language”, and that the goal should be a “data-centric” system for research on all health records without consent. The report recommends that HHS and CMS decide when patient data can be used for “secondary” purposes without consent.

See the full PCAST report: http://www.whitehouse.gov/blog/2010/12/08/pcast-releases-health-it-report

Patient Privacy Rights letter of comments to HHS emphasized:

  • Privacy is essential to build in up front.
  • We should not rush to deploy systems and spend billions on electronic systems and data exchanges until we know the privacy technologies PCAST recommends are adequate.
  • The recommendations for de-identifying health data were insufficient. Extensive work needs to be done to ensure that standards for de-identification actually work.

See PPR’s full comments here: http://patientprivacyrights.org/wp-content/uploads/2011/01/PCAST-comments-PPR-Final.pdf

See PPR’s written testimony here: http://patientprivacyrights.org/wp-content/uploads/2011/05/Patient-Privacy-Rights-Testimony-PCAST-WG-Feb-15-2011.pdf

New HIPAA rules need more clarification

When it comes to the new HIPAA privacy and security standards, it seems like everybody has an opinion. Quite a few organizations are spreading the word about the comments they’ve filed in response to the changes HHS proposed in July…

…On the consumer side, the Coalition for Patient Privacy, led by Dr. Deborah Peel’s Patient Privacy Rights Foundation, is lobbying hard for the final rule to restore the right to patient consent for PHI disclosure that HHS stripped from the HIPAA privacy rule in 2002.

“We strongly recommend that HHS require the use of the consent and segmentation technologies showcased June 29 at the Consumer Choices Technology hearing sponsored by HHS/ONC for all HIT systems, HIE and the NHIN,” the coalition says in its letter. “The innovative, low-cost, effective privacy‐enhancing technologies available that can empower patients to have ‘maximal control over PHI’ should be viewed as what is possible now, not 10 years from now.”

Coalition Urges HHS To Restore Patient Control Over Access to Health Data NOW

On Monday, September 13th 2010, the Coalition for Patient Privacy sent in comments to HHS regarding Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the HITECH Act. Ensuring Americans’ control over health information is critical for quality health care and the success of health information technology (HIT). The Coalition applauds the efforts of the Department of Health and Human Services (HHS) to revise HIPAA. However, the Coalition also urges HHS to require use of robust electronic consent and segmentation tools to assure compliance with the consumer privacy and security protections in HITECH and existing rights in state and federal law and medical ethics.

View the proposed modifications to HIPAA
View the Full Comments from the Coalition for Patient Privacy
View the Press Release

What do we think of the new recommendations?

The Tiger team continues to make policy recommendations that clearly violate the law and the Administration’s new privacy policies. See story on release by Modern Healthcare.

Apparently they did not hear Secretary Sebelius announce a new “Administration-wide commitment to make sure no one has access to your personal information unless you want them to” on July 8th (see here).

Or hear Dr. Blumenthal say “we want to make sure it is possible for patients to have maximal control over PHI.” See: http://patientprivacyrights.org/2010/07/ppr-impressed-with-hhs-privacy-approach/

At the Consumer Choices Technologies Hearing on June 29th, one of the ‘granular consent’ technologies demonstrated has been exchanging behavioral health records on 4 million patients for over 10 years, in 9 states and 22 jurisdictions. Newer, more robust consent technologies showcased that day are also in use. See: http://nmr.rampard.com/hit/20100629/default.html

The Tiger team calls these privacy-enhancing technologies “looming” because they are not widely used. If the HIT Policy Committee recommends against technologies for robust consent and segmentation, as they did for “meaningful use” EHRs, they ensure the limited use of privacy-enhancing technologies, which can therefore continue to be described as “looming”. It’s a neat trick to recommend policy that perpetuates the status quo and violates our rights to health privacy. To create wide use of these technologies, they must be required in policy as well as the law.

HITECH in fact does require patient consent before PHI can be sold and states that private-pay patients should be able to prevent their data from flowing to insurers for payment and health care operations. And it is also a legal and ethical requirement to obtain informed consent before disclosures of sensitive health information in all 50 states. Therefore, robust electronic consents and segmentation are required by law today. Policies should match the law.

Instead, the recommendations from the Tiger team guarantee that the theft and sale of patient data will grow exponentially and data will flow unchecked by patient consent or segmentation through HIEs and the NHIN to even more thieving vendors and corporations. Americans’ jobs, credit, and reputations are being destroyed to improve corporate revenues. This sick, greedy transformation of the health care system cannot be hidden and will destroy trust in HIT, HIE, and in legitimate clinical, academic, and public health and population research.

Most HIT products and systems were not designed to comply with patients’ rights to control personal health information. And vendors won’t ever willingly update them, because selling patient data can be a far greater source of revenue than selling software or caring for sick people.

Back to the crucial question: how can the Tiger team recommend policy that violates existing law? Why don’t the Tiger Team and the HIT Policy Committee recommend that HIT vendors, CEs, and BAs COMPLY with state and federal privacy laws and protections and meet patients’ expectations?

The Tiger Team and HIT Policy Committee are both dominated by CEOs, employees, and beneficiaries of vendors or corporate for-profit “research” industries that want all OUR data without consent. Their fiduciary duties to stockholders explain their decisions to recommend policies that violate our privacy rights.

Today the health data theft/sale industry and corporate for-profit research industry are in charge of federal policy-making.

Their flawed business models, based on misleading shareholders and the public about what they really do, are fraudulent and deceptive trade practices.

The SEC brought Goldman Sachs to heel for misleading shareholders and the public about what their business model really was. The data theft and data sales industries and the corporate for-profit ‘research’ industry do exactly the same thing.

The entire US health care and HIT system will end up tarred and feathered and lose the public’s trust unless the health care and HIT corporations that protect privacy rights, and genuine clinical and academic researchers stand with patients to demand that patients control PHI.

Sign the ‘Do Not Disclose’ petition at http://patientprivacyrights.org/do-not-disclose/ and demand your rights to health privacy be enforced.

Health IT group drafts privacy recommendations

A federally chartered advisory work group charged in June with devising recommendations on privacy and security policies to support the government’s electronic health-record system subsidy program presented today its near-final list of guidelines to the Health Information Technology Policy Committee.

The work group, known as the privacy and security tiger team, met Monday and released what amounts to a consensus report on its recommendations, said Deven McGraw, co-chair of the tiger team and director of the Health Privacy Project at the Center for Democracy and Technology, a Washington think tank. The Health IT Policy Committee advises the Office of the National Coordinator for Health Information Technology at HHS…

According to the tiger team’s draft document posted on the HIT Policy Committee’s website, the team’s recommendations are based on “fair information practices,” a now globally accepted set of privacy policy guidelines that stems from a 1973 report by the U.S. Department of Health, Education and Welfare.

“All entities involved in health information exchange—including providers and third-party service providers like Health Information Organizations (HIOs) and intermediaries—follow the full complement of fair information practices when handling personally identifiable health information,” according to the tiger team proposal.

HHS Withdraws Controversial Breach Notification Rule under HITECH

A recent HHS decision to withdraw the HIPAA final “breach notification” rule drew praise from patient privacy advocates, who cited the need for stronger privacy protections…

The Patient Privacy Rights Foundation, a privacy watchdog organization, called the move “a huge step in the right direction,” and reiterated its objections to the “harm standard.”

HHS quietly withdraws HIPAA breach-notification rule

Following a firestorm of criticism from privacy advocates who say federal officials gave too much leeway to healthcare organizations that inadvertently disclose protected health information, HHS has without fanfare withdrawn its HIPAA “breach notification” final rule that had been submitted to the White House for budgetary approval.

The move was “to allow for further consideration, given the department’s experience to date in administering the regulations,” the HHS Office for Civil Rights posted on its website late Wednesday. “This is a complex issue and the administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur,” OCR explained…

…The decision thrilled the Patient Privacy Rights Foundation, headed by noted privacy watchdog Dr. Deborah Peel, which had been adamantly opposed to the so-called “harm standard.”

See the PPR Press Release supporting this decision.