Press Release: Registration is Open for the 2012 Health Privacy Summit

February 28th, 2012

FOR IMMEDIATE RELEASE

Contact:
Deborah C. Peel, MD
dpeelmd@localhost:8888/pprold

(512)732-0033 or (512)820-6415

Announcing the 2nd International
Summit on the Future of Health Privacy
Is There an American Health Privacy Crisis?

Austin, TX – Patient Privacy Rights announces registration is open for the 2nd International Summit on the Future of Health Privacy: Is There an American Health Privacy Crisis?

We invite you to register for the Summit now.

The Summit will be held on June 6th-7th, 2012 at the Georgetown University Law Center. The O’Neill Institute at Georgetown Law is an academic partner, along with the Harvard Data Privacy Lab, RTI International, The University of Cambridge Computer Laboratory, and the University of Texas School of Information.

We are pleased to announce Ross Anderson PhD, FRS, will be a keynote speaker at the Summit. Anderson is a Professor in Security Engineering at the University of Cambridge Computer Laboratory as well as a researcher, writer, and industry consultant and expert in security engineering.

The 2nd International Summit on the Future of Health Privacy is the first and only international venue for serious discussions by experts and thought leaders on the urgent privacy issues raised by health technologies and architectures (including mHealth and ‘clouds’), by law and regulations, data exchange, secondary uses of health data, and social media platforms. The summit will also explore health privacy through the lens of US and international policies about health information privacy, such as the recent Consumer Bill of Privacy Rights and the EU Draft Regulation on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.

The 1st International Summit on the Future of Health Privacy successfully created the first global public forum on the future of health privacy. The panels on urgent issues included health privacy experts from academia, industry, technology, consumer advocacy, top government officials, and international experts. Learn more about the 2011 Summit here. Videos are available.

Please register early; seating is limited. Registrants will be updated regularly on the agenda and new speakers and sessions in the coming weeks.

###

Patient Privacy Rights is the nation’s leading bipartisan health privacy organization and leading consumer voice for building ethical, trustworthy HIT systems. For more information, visit http://patientprivacyrights.org.

Re: Sizing Up the Family Gene Pool

In response to the New York Times article: Sizing Up the Family Gene Pool

This story is about the fact that genetic testing companies sell people’s test results, compromising families’ and descendants’ future jobs and opportunities. “The NYTimes Ethicist” confirmed a questioner’s fears:

“As for the privacy issue, your concern is well founded. Many of these companies do use customers’ data for medical research or commercial applications, or they sell it to third parties whose interests you might never know. Legally they can’t do that without your consent, but the fine print on those consent forms goes by so quickly that it can be hard to follow.”

Americans’ lack of control over sensitive personal health information in electronic systems is a true national disaster. Not everyone knows this yet, but President Obama does.

On Feb 22, he introduced historic new privacy principles to guide the use of personal data in the global digital economy. He recognized that the lack of privacy in current networked technologies and systems has severe economic consequences. See story on the White House Initiative: http://patientprivacyrights.org/2012/02/wh-initiative-consumer-privacy-bill-of-rights/

President Obama’s new principles address the causes of the privacy violation in the story:

  • Current federal law does not protect the right to health information privacy or the right of consent to use health data
  • Neither HIPAA nor the Genetic Information Non-Discrimination Act (GINA) prevents the systemic corporate business practice of selling Americans’ highly sensitive personal health information (like genetic test results)

He laid out an historic, tough new Consumer Privacy Bill of Rights to stop the data mining and data theft industries. The first principle is that of individual control: “Consumers have a right to exercise control over what personal data companies collect from them and how they use it.”

Key quotes from the Administration’s new “Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy”:

  • “Strong consumer data privacy protections are essential to maintaining consumers’ trust in the technologies and companies that drive the digital economy.”
  • The President concluded, “It [privacy] has been at the heart of our democracy from its inception, and we need it now more than ever.”

The only way we can trust the Internet and have a vibrant global digital economy is if individuals control personal information online and in electronic systems. The right of informed consent before personal information is collected or used must be restored.

When will the health IT industry, Congress, and lawmakers across the US act to restore the right to privacy and control over personal information?

911 Broadcasts: A Privacy Invasion?

See the full article on GovInfoSecurity.com: 911 Broadcasts: A Privacy Invasion?

The extensive news media coverage of a 911 emergency call about actress Demi Moore is calling attention to an important issue: The need to protect privacy…

…Daniel Solove, professor at the George Washington University Law School, wrote in a blog that the release of 911 calls violates the constitutional right to privacy. He also argues that although 911 call centers are not HIPAA-regulated, like a hospital or a physician, they often provide healthcare advice.

Solove writes: “If the call from Demi Moore’s home had been to a hospital or a doctor or any other type of healthcare provider, public disclosure of the call would be forbidden. Why isn’t a 911 call seen in the same light?” And that, indeed, is a good question.

Deborah Peel M.D. of Patient Privacy Rights argues that release of a 911 tape or transcript should be considered a HIPAA violation because the 911 operators “are in effect working on behalf of hospitals and emergency centers as part of the patient’s treatment team.”

Peel highlights another risk involved in publicizing 911 calls: “If the public realizes that 911 calls can be made public, then anyone with a medical emergency they don’t want the information to be seen by the local media or read by everyone in the city or state will stop calling and risk their lives.”

A HIPAA Violation?

So why are audio tapes of 911 calls broadcast so commonly on TV? Well, technically, 911 services aren’t covered entities under HIPAA because they don’t directly deliver or bill for healthcare, says attorney Robert Belfort of Manatt, Phelps & Phillips LLP.

Stanford Hospital investigating how patient data ended up on homework help website

A key conclusion from the audience of experts at the first summit on the future of health privacy was that HIPAA has not been effective at protecting patient privacy. Jaikumar Vijayan quoted Deborah C. Peel, MD, founder and chair of Patient Privacy Rights, on the problems with HIPAA and the need to restore patient control over health information in this story. See videos of the summit at: www.healthprivacysummit.org

“Stanford University Hospital in Palo Alto, Calif. is investigating how a spreadsheet containing personal medical data on 20,000 patients that was being handled by one of its billing contractors ended up publicly available for nearly one year on a homework help site for students.

The spreadsheet first became available on the site last September as an attachment to a question supposedly posed by a student on Student of Fortune, a website that lets students solicit help with their homework for a fee. The question sought help on how the medical data in the attachment could be presented as a bar graph, The New York Times reported on Thursday.

A Stanford Hospital & Clinics representative told Computerworld in a statement that the hospital discovered the file on August 22, and took action to see it was removed within 24 hours.

“A full investigation was launched, and Stanford Hospital & Clinics has been working very aggressively with the vendor to determine how this occurred, in violation of strong contract commitments to safeguard the privacy and security of patient information,” the statement said…

The breach shows yet again how ineffective HIPAA has been in getting organizations that handle healthcare data to take better care of it, said Deborah Peel, founder and chairman of the Patient Privacy Rights Foundation.

Many of the problems stem from the indiscriminate sharing of sensitive personal information among “legions of secondary users”, she said. The average hospital has between 200 and 300 outside vendors and partners with access to patient data, Peel said.

“We do not have an effective federal health privacy law. HIPAA was gutted in 2002 when control over who can see and use patient data for all routine uses was eliminated,” she said.

The only way to really get a grip on the problem is to allow patients to exert more control over who has access to their data. “Data should be used for a single purpose after the patient gives consent such as consent to use the data to pay a claim or send to a consultant.”

“Consent should be obtained for any secondary or new uses of data,” she said. All organizations that handle health data, including third parties should be certified to adhere to the highest standards of data security, Peel said.

Re: Top 100 – Under Their Influence

This is in response to the article in Modern Healthcare by Andis Robeznieks: “Under their influence, Washington insiders hold sway over our ‘100 Most Influential’ ranking, but real change seems to be coming from elsewhere.”

“The Politics of Privacy” is one of four key areas in Modern Healthcare’s story about the “100 Most Influential People in Healthcare” in 2011. Privacy was highlighted because the expectation to control personal health data is a truly bipartisan, trans-partisan issue.

The historic first-ever summit on the future of health privacy co-sponsored by Patient Privacy Rights (PPR) and the UT LBJ School in June was highlighted (see www.healthprivacysummit.org to watch videos of the sessions).

The story recognizes the crucial importance of PPR’s leadership on building patients’ rights to control use of the most sensitive personal information into the healthcare system up front, so patients will use and trust health IT systems and data exchanges.

Unfortunately, many of the new consumer privacy protections the Obama Administration supported in the stimulus bill (HITECH) are being implemented by federal agencies in ways that do not comply with HITECH and other existing federal regulations.

If industry and key government rule makers continue to ignore the American people’s expectations for control over the use of sensitive personal health data, the stimulus billions will be wasted on systems that can’t be trusted and the tremendous potential benefits health IT can bring to treatment and research may never be realized.

Re: HIPAA Auditor Involved in Own Data Breach

OCR’s contractor, KPMG, breached the privacy of 4,500 patient records when an employee lost an unencrypted flash drive.

You can read the full story at Health Leaders Media, “HIPAA Auditor Involved in Own Data Breach.”

KPMG absolved itself of doing any harm:

  • “KPMG believes that it is possible that the patient data was deleted from the flash drive prior to the time when it was lost,”
  • “KPMG has also concluded that there is no reason to believe that the information on the flash drive was actually accessed by any unauthorized person.”

Then KPMG prescribed its own remedy:

  • “KPMG has told us the company is implementing measures to avoid similar incidents in the future, including additional training and the use of improved encryption for its flash drives.”

Why didn’t OCR investigate and penalize KPMG? Instead, OCR doubled down and awarded KPMG a $9.2 million contract for HITECH-required HIPAA audits.

This does little to inspire consumer confidence in OCR, which has a long history of not penalizing industry for data security breaches.

Time for Congressional oversight?

Your Health Information Isn’t Secure But Don’t Blame EHRs

There’s a lot of talk about the risks of storing health information in electronic medical records (EMRs). But, EMRs aren’t the problem. Those consent forms you sign at the doctor’s office… yeah, you should pay attention to the fine print. You may be giving permission to insurance companies, drug makers, and data aggregators to access your health information, regardless of how or where it’s stored. Sorry to get all sour grapes, but we just want to set the record straight. Here’s what you need to know about who can see your health information, how they can legally use it, and what you can do to protect yourself.

Your Doctor Isn’t the Only Person Who Knows Your Diagnosis

Have you heard of the Medical Information Bureau (MIB)? What about IntelliScript and MedPoint? These organizations, among others, build databases of Americans’ private medical information and sell it to other companies (MIB, a non-profit, only provides the information to its members). It’s perfectly legal. But, ethical? Well, you decide.

Data aggregators track down diagnoses codes, lab data, and prescriptions from databases such as those kept by pharmacy benefit managers. The data is later sold to health and life insurance companies to assess the risk of writing a policy. In other words, they can use it to determine rates, or possibly deny you service. However, we should point out that the MIB uses proprietary codes and only receives this information from member companies. The codes are “brief resumes” that act as “red flags” about a particular medical impairment or risk to a patient’s mortality or morbidity. MIB members aren’t supposed to make underwriting decisions based solely on a code.

Some of these organizations even perform analysis for insurance companies. For example, IntelliScript from Milliman provides insurers with drug profiles of patients. In each patient profile, they assign color codes to a drug – red, yellow, or green – in order to indicate its risk factor. Red means risk. It could be used to spotlight drugs for serious illnesses like cancer or AIDS.

Press Release for Health Privacy Summit 2011


FOR IMMEDIATE RELEASE

LBJ School of Public Affairs and Patient Privacy Rights Foundation to Co-Host
Inaugural International Summit on Health Privacy June 13 in Washington, D.C.

“Getting IT Right: Protecting Patient Privacy in a Wired World” to Look at the
Fundamental Role of a Patient’s Right to Privacy in Health Information Technology

AUSTIN, Texas, May 11, 2011 – The Lyndon B. Johnson School of Public Affairs and the Patient Privacy Rights Foundation will co-host the nation’s first public summit to discuss the future of health privacy in the digital age. “Getting IT Right: Protecting Patient Privacy in a Wired World” will be held on June 13, 2011 at the Georgetown Law Center in Washington, D.C. The event is the first in a planned series of forums on this theme and coincides with the creation of the U.S. government’s plan for a new health information technology (HIT) infrastructure, which will collect personal health information. For agenda and registration information, visit: http://www.healthprivacysummit.org/

The summit will be interactive and audience members will be expected to contribute questions to panels and participate in work groups to identify urgent health privacy needs, along with the immediate steps needed to deliver responsible and realistic solutions.

Deborah C. Peel, MD, chair of the board of directors of Patient Privacy Rights, Summit co-host, explained, “The goal of the summit is to create the world’s premier public forum on health privacy issues by uniting a ‘brain trust’ of experts – academics, advocates, government, health care, and those in the technology field – who are willing to work together to ensure health privacy is a center-piece of U.S. health care system reforms. We’re very pleased with the response to the Summit, from panelists and speakers to sponsors, which no doubt speaks to the importance and urgency of these issues today and into the future.”

Whether or not the new HIT infrastructure will afford individuals proper control over the sharing of their personal health information is the key issue that will be addressed. Benedicte Callan, Sid Richardson Fellow of health innovation and policy at the LBJ School, feels that the United States is reaching a crossroads in patient privacy with the creation of the HIT infrastructure.

“Designed well, this digital health information system could be the foundation for a more efficient 21st Century health care system,” said Callan. “It could lower costs, make care more safe and effective while leading to new treatments by benefiting research. But without proper protections built in up front, the HIT system could compromise the fundamental rights of citizens to protect their most sensitive personal health information.”

In summation, “The LBJ School has been preparing leaders for 40 years to help find innovative solutions to the most complex public policy issues and challenges of our modern world,” said Robert Hutchings, Dean of the LBJ School of Public Affairs. “Therefore, we see it as critically important to engage in this issue on every level—local, state, national, international—through research and collaborative partnerships in conferences such as this one. We are especially pleased to join with Patient Privacy Rights and with the other conference participants on working together towards solutions to one of the greatest privacy challenges of our time.”

The Lyndon B. Johnson School of Public Affairs is a graduate component of The University of Texas at Austin. The School’s mission is to develop leaders and innovative ideas that will help our state, the nation and the international community address critical public policy challenges in an ever increasingly interconnected and interdependent world.

Patient Privacy Rights is the nation’s leading health privacy watchdog and leading consumer voice for building ethical, trustworthy HIT systems. For more information, visit: http://patientprivacyrights.org/.

Major sponsors to date include: Microsoft, Jericho Systems, ID Experts, e-MDs, Inc., and Medical Research and Materiel Command, Telemedicine and Advanced Technology Research Center at the U.S. Department of Defense.

###

Interview: Protecting patient privacy rights in a wired world

In this podcast, Andy Oram interviews Dr. Deborah Peel of the Patient Privacy Rights Coalition about Getting IT Right: Protecting Patient Privacy Rights in a Wired World, a preconference to be held in conjunction with the illustrious Computers, Freedom, and Privacy conference this year.

Listen to the Interview here

Topics covered in the interview include:

  • The evolution of patient privacy.
  • Weaknesses in the current privacy regime for health care.
  • Goals, structure, and intended outcomes for the conference.
  • A look at featured speakers and attendees, including: Joy Pritts, ONC, Chief Privacy Officer; Jessica Rich, Deputy Director, FTC Bureau of Consumer Protection; Stephania Griffin, VHA Privacy Officer; AZ Senator Nancy Barto, Chairman of the Senate Healthcare and Medical Liability Reform Committee; Stephanie Perrin, Canadian privacy expert; Ross Anderson, Cambridge University, UK; Latanya Sweeney, Harvard, MIT, Carnegie Mellon; Helen Nissenbaum, Professor of Media, Culture and Communication, and Computer Science, New York University; Lee Tien, EFF.

Related links:

Listen to the O’Reilly Interview on Health Privacy Summit with Deborah Peel

“Getting IT Right: Protecting Patient Privacy Rights in a Wired World”

Official Pre-conference for CFP2011

June 13, 2011 Georgetown Law Center Washington, D.C.

“Getting IT Right: Protecting Patient Privacy Rights in a Wired World” is the nation’s first open and inclusive public forum to discuss the future of health privacy in a digital age. The conference will be held June 13, 2011 at the Georgetown Law Center in Washington, D.C. and is the result of a partnership between the Lyndon B. Johnson School of Public Affairs at The University of Texas at Austin and the Patient Privacy Rights Foundation, the premier health privacy advocacy organization in the United States.

You can find the agenda, a list of speakers, and more relevant news on the summit at the official website: www.healthprivacysummit.org.

Register Now: www.healthprivacysummit.org/registration