OCR Could Include Cloud Provision in Forthcoming Omnibus HIPAA Rule

The below excerpt is from the Bloomberg BNA article OCR Could Include Provision in Forthcoming Omnibus HIPAA Rule written by Alex Ruoff. The article is available by subscription only.

“The final omnibus rule to update Health Insurance Portability and Accountability Act regulations, expected to come out sometime early this year, could provide guidance for health care providers utilizing cloud computing technology to manage their electronic health record systems, the chief privacy officer for the Office of the National Coordinator for Health Information Technology said Jan. 7 during a panel discussion on cloud computing.

The omnibus rule is expected to address the health information security and privacy requirements for business associates of covered entities, provisions that could affect how the HIPAA Privacy Rule affects service providers that contract with health care entities, Joy Pritts, chief privacy officer for ONC, said during the panel, hosted by the consumer advocacy group, Patient Privacy Rights (PPR).

PPR Dec. 19 sent a letter to Health and Human Services’ Office for Civil Rights Director Leon Rodriguez, asking the agency to issue guidance on cloud computing security. PPR leaders say they have not received a response…

…Deborah Peel, founder of Patient Privacy Rights, said few providers understand how HIPAA rules apply to cloud computing. This is a growing concern among consumer groups, she said, as small health practices are turning to cloud computing to manage their electronic health information.”

Vast cache of Kaiser patient details was kept in private home

The excerpt below is from the LA Times article Vast cashe of Kaiser patient details was kept in private home by Chad Terhune. This shows both the negligence of Kaiser in caring for their patients, but also the lack of privacy and security that is frequently found in electronic health records.

“Federal and state officials are investigating whether healthcare giant Kaiser Permanente violated patient privacy in its work with an Indio couple who stored nearly 300,000 confidential hospital records for the company.

The California Department of Public Health has already determined that Kaiser “failed to safeguard all patients’ medical records” at one Southern California hospital by giving files to Stephan and Liza Dean for about seven months without a contract. The couple’s document storage firm kept those patient records at a warehouse in Indio that they shared with another man’s party rental business and his Ford Mustang until 2010.

Until this week, the Deans also had emails from Kaiser and other files listing thousands of patients’ names, Social Security numbers, dates of birth and treatment information stored on their home computers.

The state agency said it was awaiting more information from Kaiser on its “plan of correction” before considering any penalties.

Officials at the U.S. Department of Health and Human Services began looking into Kaiser’s conduct last year after receiving a complaint from the Deans about the healthcare provider’s handling of patient data, letters from the agency show. Kaiser said it hadn’t been contacted by federal regulators, and a Health and Human Services spokesman declined to comment.”

Health Care, the Cloud, and Privacy, Jan. 7 Panel

Health Care, the Cloud, and Privacy

Phoenix Park Hotel
520 North Capitol Street, NW | Washington, DC 20001
Georgian Room
Monday, January 7, 2013 | 12:00 p.m. ET

On behalf of Patient Privacy Rights (PPR), you are invited to attend a panel discussion on health care system privacy challenges posed by cloud computing. The one-hour discussion, “Health Care, the Cloud, and Privacy,” will be held on Monday, January 7, 2013 at the Phoenix Park Hotel in Washington, D.C. Boxed lunches will be provided.

With technological innovations that promise better efficiency and lower cost, one of the most anticipated developments is how industry and regulators will respond. That question today is focused intently on cloud computing and the implications for corporations with electronic systems containing sensitive consumer health data. Who is handling patient data? How do HIPAA and other health privacy laws and rights function in the cloud? What can policymakers do to better protect our sensitive medical data?

Our distinguished panel will feature:

Joy Pritts
Chief Privacy Officer
Office of the National Coordinator for Health IT
U.S. Department of Health and Human Services

Deborah C. Peel, MD
Founder and Chair
Patient Privacy Rights (PPR)

Nicolas P. Terry
Hall Render Professor of Law
Indiana University Robert H. McKinney School of Law

Lillie Coney
Associate Director
Electronic Privacy Information Center (EPIC)

Please RSVP to Jenna Alsayegh at jalsayegh@deweysquare.com.

We hope to see you there!

And there is more:
View the Invitation as a PDF
View the Press Release

PPR also sent a letter to the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) that urges for more comprehensive guidance on securing patient data in “the cloud.” With the healthcare industry moving their records to electronic databases, PPR sees a number of issues associated with cloud computing services, including compliance with existing healthcare privacy laws like the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, stronger state and federal health information privacy laws, medical ethics, and Americans’ rights to health information privacy. View the letter here.

Patient privacy group (PPR) asks HHS for HIPAA cloud guidance

Government HealthIT recently wrote an article about Dr. Peel’s of Patient Privacy Rights’ letter to the HHS Office for Civil Rights pushing for security guidelines, standards, and enforcements for cloud technology being used in healthcare.

Here are a few key points highlighted in the article:

“Issuing guidance to strengthen and clarify cloud-based protections for data security and privacy will help assure patients (that) sensitive health data they share with their physicians and other health care professionals will be protected,” Peel said.

“Cloud-computing is proving to be valuable, Peel said, but the nation’s transition to electronic health records will be slowed ‘if patients do not have assurances that their personal medical information will always have comprehensive and meaningful security and privacy protections.’”

“Patient Privacy Rights, a group founded in 2006, is encouraging HHS to adopt guidelines that highlight ‘the lessons learned from the Phoenix Cardiac Surgery case while making it clear that HIPAA does not prevent providers from moving to the cloud as long as it is done responsibly and in compliance with the law.’”

“In general, Peel said, cloud providers and the healthcare industry at large could benefit from guidance and education on the application of federal privacy and security rules in the cloud. ‘HHS and HIPAA guidance in this area, to date, is limited,’ Peel said, recommending the National Institute of Standards and Technology’s cloud privacy guidelines as a baseline.”

Dangers of Consumer Internet Services in Health Care

Although Internet services like Gmail, Yahoo! Mail, Hotmail and Google Calendar are familiar to patients and doctors, use of such services in health care environments creates a serious privacy risk. The U.S. Department of Health & Human Services took action earlier this year when it discovered that Phoenix Cardiac Surgery, a five-physician clinic in Arizona, was posting patient appointments on the web using Google Calendar. As a result, the appointments could be found by anyone searching the Internet. Make sure your doctors and health care providers are not using consumer Internet services such as the ones identified above to store protected health information.

Health care providers should only use cloud services that are designed to comply with HIPAA and offer a HIPAA Business Associate Agreement.

You can contact PPR if you have questions or concerns about the use of consumer Internet services by health care providers and the security of your health information.

Sizing Up De-Identification Guidance, Experts Analyze HIPAA Compliance Report (quotes PPR)

To view the full article by Marianne Kolbasuk McGee, please visit: Sizing Up De-Identification Guidance, Experts Analyze HIPAA Compliance Report.

The federal Office of Civil Rights (OCR), charged with protecting the privacy of nation’s health data, released a ‘guidance’ for “de-identifying” health data. Government agencies and corporations want to “de-identify”, release and sell health data for many uses. There are no penalties for not following the ‘guidance’.

Releasing large data bases with “de-identified” health data on thousands or millions of people could enable break-through research to improve health, lower costs, and improve quality of care—-IF “de-identification” actually protected our privacy, so no one knows it’s our personal data—-but it doesn’t.

The ‘guidance’ allows easy ‘re-identification’ of health data. Publically available data bases of other personal information can be quickly compared electronically with ‘de-identified’ health data bases, so can be names re-attached, creating valuable, identifiable health data sets.

The “de-identification” methods OCR proposed are:

  • -The HIPAA “Safe-Harbor” method:  if 18 specific identifiers are removed (such as name, address, age, etc, etc), data can be released without patient consent. But .04% of the data can still be ‘re-identified’
  • -Certification by a statistical  “expert” that the re-identification risk is “small” allows release of data bases without patient consent.

o   There are no requirements to be an “expert”

o   There is no definition of “small risk”

Inadequate “de-identification” of health data makes it a big target for re-identification. Health data is so valuable because it can be used for job and credit discrimination and for targeted product marketing of drugs and expensive treatment. The collection and sale of intimately detailed profiles of every person in the US is a major model for online businesses.

The OCR guidance ignores computer science, which has demonstrated ‘de-identification’ methods can’t prevent re-identification. No single method or approach can work because more and more ‘personally identifiable information’ is becoming publically available, making it easier and easier to re-identify health data.  See: the “Myths and Fallacies of “Personally Identifiable Information” by Narayanan and Shmatikov,  June 2010 at: http://www.cs.utexas.edu/~shmat/shmat_cacm10.pdf Key quotes from the article:

  • -“Powerful re-identification algorithms demonstrate not just a flaw in a specific anonymization technique(s), but the fundamental inadequacy of the entire privacy protection paradigm based on “de-identifying” the data.”
  • -“Any information that distinguishes one person from another can be used for re-identifying data.”
  • -“Privacy protection has to be built and reasoned about on a case-by-case basis.”

OCR should have recommended what Shmatikov and Narayanan proposed:  case-by-case ‘adversarial testing’ by comparing a “de-identified” health data base to multiple publically available data bases to determine which data fields must be removed to prevent re-identification. See PPR’s paper on “adversarial testing” at: http://patientprivacyrights.org/wp-content/uploads/2010/10/ABlumberg-anonymization-memo.pdf

Simplest, cheapest, and best of all would be to use the stimulus billions to build electronic systems so patients can electronically consent to data use for research and other uses they approve of.  Complex, expensive contracts and difficult ‘work-arounds’ (like ‘adversarial testing’) are needed to protect patient privacy because institutions, not patients, control who can use health data. This is not what the public expects and prevents us from exercising our individual rights to decide who can see and use personal health information.

Re: Heart Gadgets Test Privacy-Law Limits

In response to The Wall Street Journal article “Heart Gadgets Test Privacy-Law Limits

This story shows the ethical and legal absurdity of private corporations’ claims to own and control patient records. Greedy corporations are copying their business models from Google and Facebook: sell every piece of information about every individual to any willing buyer.

Despite patients’ strong rights to obtain copies of their entire medical records, including data from devices that monitor health status, most hospitals and electronic health systems don’t yet offer patients a way to download personal health information, which is required by HIPAA and HITECH.

EVEN MORE IMPORTANTLY patients also have very strong ethical, legal, and Constitutional rights to control the disclosure and use of personal health information.

Today’s health IT systems and data exchanges were designed to prevent patient control over personal health information. Most health IT systems have abysmal data security (millions of health data breaches and thefts) and no means for patients to control who can see, use or sell their health data.

Government and Congress have poured $29 billion in stimulus funds into defective technology systems that violate the public’s rights to privacy and control over health information in electronic systems.

Medtronic and hospitals are hiding behind illegal contracts that violate patients’ rights to access and control sensitive personal health information.

We need clear new laws to ban the sale of personal health information without informed consent and RESTORE patient control over use, disclosure, and sale of health information.

-Deborah Peel

HIT systems among top 10 health tech hazards, says ECRI

Another story about why health technology is not ready for prime time. Today untested, unsafe health technologies and applications that eliminate patient control over sensitive personal health information are mandated for use by physicians and hospitals.

Today patient health data is widely disclosed and sold through electronic systems See ABC Story about the sale of diabetic patient records for $14-$25 per patient). It will be years until patients can control sensitive information (from prescriptions to DNA to diagnoses) because systems were never designed to comply with patients’ rights to control health records. There is no data map to know where our personal health data is held or what it’s being for (see Prof Sweeney explain the need for a health data map on video).

In addition, health technology also poses serious risks to patient including:

  • -patient/data mismatches between systems (which would not happen if patients controlled the use and disclosure of their information)
  • -interoperability failures with medical devices and health IT systems
  • -Caregiver distractions from smartphones and other mobile devices

Re: Social media and patient privacy lessons ripped from the headlines

Karen Cheung-Larivee’s recent FierceHealthcare article, “Social media and patient privacy lessons ripped from the headlines” once again reminds us that health privacy isn’t a concern limited to how information is exchanged in and among doctors’ offices or hospitals. Rather, it reminds us that even the casual ways people reveal parts of their personal lives to their own social networks can sometimes mean violating someone’s health privacy when they reveal sensitive pieces of information about other people’s lives too.

Unfortunately, there aren’t really rules protecting people from the harms that can occur when someone else broadcasts their personal information in the wild wild west of social media. However, that doesn’t mean institutions are completely absolved of their responsibility to protect patients’ privacy, no matter the environment. As the article points out:

One of the most common situations of social media fumbles are patients posting about other patients. Although it’s not a breach of HIPAA or HITECH (because patients aren’t considered “covered entities”), the hospital still has a responsibility under state law to protect patients.

No doubt social media provides a medium that allows us to connect and reach out to others in new and powerful ways. However, as users of these tools, we must also be mindful of how the ways we connect and interact with the rest of the world can have damaging effects on ourselves and others, whether it’s in the here and now or some point down the line.

Has your health privacy ever been violated as a result of social media? Are you willing to talk about what happened so others might learn from your experience? Please use this form to share your story.

Insurance dependents can face special challenges on privacy

The article,  ”Insurance dependents can face special challenges on privacy” by Michelle Andrews, recently posted in The Washington Post details the liabilities insurance dependents could come in contact with as a result of HIPAA regulations and insurance billing. “The privacy rule of the federal Health Insurance Portability and Accountability Act (HIPAA)… generally prohibits the unauthorized disclosure of individuals’ medical records and other health information. But there’s a catch. Health-care providers and insurers can generally use such information when trying to secure payment for treatment or other services.” This can be a big problem for dependents undergoing sensitive treatments such as substance abuse programs, care and treatment for sexually transmitted diseases, contraception, and mental health support because the bill can be submitted to the policy holder with the treatment outlined in full depending on state law.

Be informed about your state law and insurance policy and ensure your privacy!

  • “Under federal privacy regulations, patients can request that insurers not disclose confidential information or ask that they send it to an address of their choosing. Insurers are required to comply if not doing so would endanger the patient, says English — for example, if disclosure might pose a threat of domestic violence.”