HIT systems among top 10 health tech hazards, says ECRI

Another story about why health technology is not ready for prime time. Today untested, unsafe health technologies and applications that eliminate patient control over sensitive personal health information are mandated for use by physicians and hospitals.

Today patient health data is widely disclosed and sold through electronic systems See ABC Story about the sale of diabetic patient records for $14-$25 per patient). It will be years until patients can control sensitive information (from prescriptions to DNA to diagnoses) because systems were never designed to comply with patients’ rights to control health records. There is no data map to know where our personal health data is held or what it’s being for (see Prof Sweeney explain the need for a health data map on video).

In addition, health technology also poses serious risks to patient including:

  • -patient/data mismatches between systems (which would not happen if patients controlled the use and disclosure of their information)
  • -interoperability failures with medical devices and health IT systems
  • -Caregiver distractions from smartphones and other mobile devices

Re: Social media and patient privacy lessons ripped from the headlines

Karen Cheung-Larivee’s recent FierceHealthcare article, “Social media and patient privacy lessons ripped from the headlines” once again reminds us that health privacy isn’t a concern limited to how information is exchanged in and among doctors’ offices or hospitals. Rather, it reminds us that even the casual ways people reveal parts of their personal lives to their own social networks can sometimes mean violating someone’s health privacy when they reveal sensitive pieces of information about other people’s lives too.

Unfortunately, there aren’t really rules protecting people from the harms that can occur when someone else broadcasts their personal information in the wild wild west of social media. However, that doesn’t mean institutions are completely absolved of their responsibility to protect patients’ privacy, no matter the environment. As the article points out:

One of the most common situations of social media fumbles are patients posting about other patients. Although it’s not a breach of HIPAA or HITECH (because patients aren’t considered “covered entities”), the hospital still has a responsibility under state law to protect patients.

No doubt social media provides a medium that allows us to connect and reach out to others in new and powerful ways. However, as users of these tools, we must also be mindful of how the ways we connect and interact with the rest of the world can have damaging effects on ourselves and others, whether it’s in the here and now or some point down the line.

Has your health privacy ever been violated as a result of social media? Are you willing to talk about what happened so others might learn from your experience? Please use this form to share your story.

Insurance dependents can face special challenges on privacy

The article,  “Insurance dependents can face special challenges on privacy” by Michelle Andrews, recently posted in The Washington Post details the liabilities insurance dependents could come in contact with as a result of HIPAA regulations and insurance billing. “The privacy rule of the federal Health Insurance Portability and Accountability Act (HIPAA)… generally prohibits the unauthorized disclosure of individuals’ medical records and other health information. But there’s a catch. Health-care providers and insurers can generally use such information when trying to secure payment for treatment or other services.” This can be a big problem for dependents undergoing sensitive treatments such as substance abuse programs, care and treatment for sexually transmitted diseases, contraception, and mental health support because the bill can be submitted to the policy holder with the treatment outlined in full depending on state law.

Be informed about your state law and insurance policy and ensure your privacy!

  • “Under federal privacy regulations, patients can request that insurers not disclose confidential information or ask that they send it to an address of their choosing. Insurers are required to comply if not doing so would endanger the patient, says English — for example, if disclosure might pose a threat of domestic violence.”

Aggressive New Texas Law Increases Fines, Training Rules; Could Hit CEs Nationwide

Aishealth.com explains the new Texas Medical Privacy Act that has recently been signed into law and quotes Dr. Deborah Peel of PPR in their latest report on patient privacy. The report is only available through subscription but below are a few key points and quotes from it. If you have a subscription to aishealth.com, you can view the full article at Aggressive New Texas Law Increases Fines, Training Rules; Could Hit CEs Nationwide.

“A new Texas law governing the privacy and security of protected health information, perhaps the broadest and among the toughest of such laws in the nation, went into effect on Sept. 1. The Texas Medical Privacy Act, signed into law June 17, 2011, by Gov. Rick Perry (R), not only increases requirements beyond those in HIPAA for organizations that are already covered entities (CEs), but greatly expands the number and type of Texas-based CEs required to comply with the privacy standards in HIPAA and adds a bunch of its own requirements. It contains separate mandates for breach notification of electronic PHI and penalties for violations.

The new law ‘is basically HIPAA, but applies to everyone who touches PHI’ and will have a ‘big impact on entities that get PHI but aren’t technically business associates – which are now effectively covered in Texas and must comply with HIPAA restrictions on use and disclosure,’ says longtime HIPAA expert and Texas attorney Jeff Drummond, a partner in the Dallas office of Jackson Walker LLP.
‘The biggest impact on CEs and BAs are the shorter timeframes for giving access to records and the training requirement,’ he says. And the new law, which amends two existing areas of Texas regulations, carries a punch: the law provides for ‘administrative, civil and criminal penalties’ that dwarf even those that were expanded under HITECH.

The law is likely to have an impact outside of Texas and spur privacy advocates to push for similar legislation in their states or at the national level. One of the most outspoken patient privacy advocates, Austin psychiatrist Deborah Peel, was among those who supported the law, testifying before elected officials during their deliberations in 2011.

‘We hope the Texas law inspires other states to write strong laws that emphatically reject hidden data flows that the data mining and data theft industry profit from at our expense,’ Peel tells RPP. ‘The states can restore
and strengthen personal control over health information – it’s what the public expects from health information technology systems and it’s our right to have [such control].’ Peel adds that “It’s also good business to prevent thousands of people from accessing PHI, [as] fraud, identity theft and medical identity theft are exploding.’”

Patients must have control of their medical records

An interesting article written by Mohammad Al-Ubaydli, founder and chief executive of Patients Know Best in which he explains the benefits of using Personal Health Records over electronic ones. To view the full article, please visit Patients must have control of their medical records.

Quotes:

  • -an electronic health record is designed for employees of an institution to work together. It is logistically, technically, and legally difficult to connect such records.
  • -an electronic health record is designed for employees of an institution to work together. It is logistically, technically, and legally difficult to connect such records. The number of connections in a network necessary for integrated care goes up exponentially if the connections are institution to institution, but only linearly if they go through the patient (a hub). In other words, only the latter approach can cope with the networks of care of modern medicine.
  • -There are also formidable legal difficulties with institutions sharing data about patients. Patients, by contrast, can quickly and usefully consent for data sharing if they are in control.
  • -it is hard to see how care can truly be patient centred when patients’ records are scattered and not under their control.

Protecting Our Civil Rights in the Era of Digital Health

See the full article by William Pewen in The Atlantic: Protecting Our Civil Rights in the Era of Digital Health

Bill Pewen has written the BEST BRIEF HISTORY OF HOW HEALTH INFORMATION PRIVACY WAS ELIMINATED I HAVE EVER SEEN, from diagnoses to prescription records to DNA. Terrific to see this in the Atlantic!

He shows how technology-based discrimination works, and makes the case that selling people’s health information/profiles is a major business model for the largest technology/Internet corporations: “Millions [of people] are beginning to recognize that they are not the customers, but the product.”
“[A]dvancing technology was opening a virtual Pandora’s Box of new civil rights challenges. At the crux of these was the fact that scientific progress has been enabling increasingly sophisticated discrimination.” ………”Our experience with GINA helped to reveal the tip of an emerging threat — the use of modern data systems to create new forms of discrimination — and our concern focused on the use of personal medical data. While genetic data expresses probabilities, other parts of one’s medical record reflect established fact — an individual’s diagnoses, the medications one has used, and much more.”

“Genetic discrimination comprised just one of a number of game-changing technological challenges to civil rights. Confronting these presents new obstacles, and points to the need for a paradigm shift in our approach to prevent such inappropriate bias.”

He concluded with a call for “a 2nd civil rights bill of the 21st century”, based on key principles and tests to evaluate whether technology harms people:

Principles:
· First: “certain harmful acts must be clearly prohibited”

· Second: “the possession and use of personal medical data should be restricted without an individual’s consent”.

Harms tests:

To determine “whether an application of technology undermines existing civil rights statutes,…consider its potential to impose harm in terms of three tests.

· First: “the immutability of a trait. Profiling based on an unchangeable [genetic] characteristic should raise questions, as the ability of an individual to impact these is absent.”

·Second: “relevance…..[for example] we would not permit such irrelevant traits as race or gender to be used to discriminate in the hiring of flight crews.”

·Third: “the presumption of a zone of privacy. …neither personal medical information nor its correlates should be considered in the public domain.

Senator Snowe and her top health expert, Bill Pewen, are real privacy heroes, responsible for key new consumer privacy and security protections in the technology portion of the stimulus bill (HITECH). The bipartisan Coalition for Patient Privacy worked very closely with them to support consumer protections they championed.

Only 26 Percent of Americans Want Electronic Medical Records, Says Xerox Survey

Xerox kindly shared all three years of their annual Electronic Health Records (EHR) online surveys by Harris Interactive. The media, industry and government unrelentingly promote health technology as the latest, greatest best stuff.  But the public ain’t buying it.  They want smart phones, but they don’t  want EHRs.

Clearly the public is not very excited about EHRs; 74% don’t want them. They don’t want them because they understand the problems with EHRs so well.

To view the article, please visit Only 26 Percent of Americans Want Electronic Medical Records, Says Xerox survey

Not only do the surveys show a low percentage of Americans want electronic health records—but it’s remained low; this year at only 26%. Overall 85% of the public has “concerns” about EHRs this year. The surveys also asked about specific ‘concerns’. They found the public is concerned that health data security is poor, data can be lost or corrupted, records can be misused, and that outages or ‘computer problems’ can take records offline and compromise care.  See results below:

To the question do you want your medical records to be digital:

  • 26% said ‘yes’ in 2010
  • 28% said ‘yes’ in 2011
  • 26% said ‘yes’ in 2012

To the question do you have concerns about digital records:

  • 82% said ‘yes’ in 2010
  • 83% said ‘yes’ in 2011
  • 85% said ‘yes’ in 2012

To the question could your information be hacked:

  • 64%  said ‘yes’ in 2010
  • 65%  said ‘yes’ in 2011
  • 63%  said ‘yes’ in 2012

To the question could your digital medical records  be lost or corrupted:

  • 55% said ‘yes’ in 2010
  • 54% said ‘yes’ in 2011
  • 50% said ‘yes’ in 2012

To the question could your personal information be misused:

  • 57% said ‘yes’ in 2010
  • 52% said ‘yes’ in 2011
  • 51% said ‘yes’ in 2012

To the question could a power outage or computer problem prevent doctors from accessing my information:

  • 52% said ‘yes’ in 2010
  • 52% said ‘yes’ in 2011
  • 50% said ‘yes’ in 2012

Abercrombie signs Hawaii patient privacy protection law

To view the full article in Bizjournals.com by Vanessa Van Voorhis, please visit Abercrombie signs Hawaii patient privacy protection law.

The people of Hawaii just lost their rights to health privacy. The Hawaiian legislature replaced all its far stronger health privacy laws with HIPAA.

Like most of the public, Hawaiian lawmakers believe HIPAA protects privacy, but it doesn’t.  It hasn’t for 10 years. The key privacy protection in HIPAA  was eliminated in 2002. The media  has never reported this.

  • President Bush put HIPAA in place when he took office. At first, HIPAA required that others had to ask for consent before using or disclosing our health information for treatment, payment, or healthcare operations.

  • “The consent provisions…are replaced with a new provision…that provides regulatory permission for covered entities to use and disclose protected health information for treatment, payment, and healthcare operations.”  67 Fed. Reg. 53,183

That means millions of people who work at hospitals, doctors offices, labs, health plans, data clearinghouse, government agencies, pharmacies and other places that hold health records (“covered entities”) decide when to use and disclose them, not us.

This new law is a privacy disaster for Hawaiians. They will suffer:

  • loss of the privacy of sensitive information about their minds, bodies, and genes
  • generations of discrimination
  • embarrassment and loss of reputation
  • job, credit, and insurance discrimination
  • ID theft
  • medical ID theft (where others use their health insurance to pay for treatment or for insurance fraud)

The Rising Risk of Electronic Medical Records

See the full story at SmartPlanet: The Rising Risk of Electronic Medical Records

This story quotes Lee Tien, Bob Gellman, and me about health information technology, which prevents us from controlling who can see, use, or sell our electronic health data by design—-placing everyone in the nation at risk of job and credit discrimination based on health data.  Current technologies make hidden data flow easy, with no way for patients to opt-out or prevent personal data from flowing to an unlimited number of hidden corporate, government, for-profit research and data analytics users.

“Criminals can buy social security numbers online for about $5 each, but medical profiles can fetch $50 or more because they give identity thieves a much more nuanced look into a victim’s life, said Dr. Deborah Peel, founder of the advocacy group Patient Privacy Rights, which researches data breaches and works for tighter security on people’s personal health records.”

Discrimination causes millions to avoid medical treatment every year. It’s a fact of life with paper medical records too. But electronic health systems enable thousands of strangers to simultaneously access the records of millions of patients, so the theft, sale, and misuse of health data for discrimination, fraud, ID theft, and medical ID theft has skyrocketed. In paper records systems, patient files are kept in locked rooms or filing cabinets, making it hard to use or steal more than a few at a time. Anti-discrimination laws alone aren’t effective—we also need to know who has copies of our health data and be able to control who gets them.

““If the information leaked to an employer, it would have affected their jobs or reputations. All the time I’ve been practicing, it’s been a very important and delicate issue,” Peel said. “There are prejudices associated with psychiatric diagnoses. People have powerful reactions to the names of these things.” … Once genetic profiles are routinely added to the mix, access to electronic health data may predetermine who can get jobs or serve in public office, Peel warned… “If the world looked like that,” Peel said, “Lou Gehrig would never get a contract to be a ball player if the team knew he had a disease that would degenerate his muscles, or Ronald Reagan would never get elected president if they knew dementia ran in his family.””

Strong new laws are needed to prevent our health data from being used or sold without consent.  We should also have a complete ‘chain of custody’, naming every person and organization that has seen or copied our health information. Without these new legal rights, it’s impossible to decide whether the benefits of using health IT outweigh the risks to our future jobs and opportunities, to our kids’ future jobs and opportunities, and to our grandkids’ and relatives’ future jobs and opportunities.

FYI—HIPAA has NOT protected health data privacy since 2002, it is really a ‘Disclosure’ Rule, not a ‘Privacy’ Rule. See how consent, the right to control who can see and use your health information, was eliminated: http://patientprivacyrights.org/media/The_Elimination_of_Consent.pdf

BOTTOM line: existing technology solutions that enable us to control who sees our records are not required. Instead, the stimulus billions are being used to buy ‘Model T Fords’ that prevent patient control over personal data. Government and corporations (inside and outside healthcare) don’t want to ‘ask first’ before taking our most sensitive personal information.

Help build a map to show where health data flows:  Sign up to be a data detective and contribute to mapping the hidden flows of Americans’ health data at: theDataMap.org. A map of health data flow will prove Congress should act NOW to restore personal control over health data.

Experts discuss technology and privacy protections at 2nd International Summit on the Future of Health Privacy

See full story at: HIPAA remains in play as technology outpaces privacy protections

Speakers from the 2nd International Summit on the Future of Health Privacy were interviewed in this article about their ideas and opinions concerning the outpacing of privacy protections by technology. Because technology is being invented quicker than privacy laws can be written and imposed, people everywhere are at risk of having their private medical records used without their knowledge and consent. On June 6-7, over 50 speakers and 300 participants met up to discuss the issues brought about by such technological advances at the 2nd International Summit on the Future of Health Privacy. To learn more about the Health Privacy Summit, please visit HealthPrivacySummit.org.

“Experts assembled on June 6 in Washington for a panel discussion on electronic medical records and privacy noted that HIPAA provides only a minimum standard for safeguards, not a template for best practices. Panelists at the International Summit on the Future of Health Privacy added that the stakes are high when it comes to EMRs and privacy.

“Electronic technology is a game-changer, legally, because the damage that can be done to someone is perpetual and the damages that can be awarded are incalculable,” said James Pyles, co-founder and principal of the law firm of Powers, Pyles, Sutter & Verville….

…Joy Pritts, chief privacy officer for the Office of the National Coordinator for Health Information Technology, said the main problem is technology is moving faster than privacy laws can be written

“I approach this in a simplistic way,” Pritts said. “I look to see, do you have a right to privacy for your health information? So far, the courts say you do. The tort laws say you do. Standards of professional ethics of nearly every segment of the medical profession say you do. The HIPAA privacy rule does not say that at all.””

Learn more about the Health Privacy Summit here.