On Monday, September 13th 2010, the Coalition for Patient Privacy sent in comments to HHS regarding Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the HITECH Act. Ensuring Americans’ control over health information is critical for quality health care and the success of health information technology (HIT). The Coalition applauds the efforts of the Department of Health and Human Services (HHS) to revise HIPAA. However, the Coalition also urges HHS to require use of robust electronic consent and segmentation tools to assure compliance with the consumer privacy and security protections in HITECH and existing rights in state and federal law and medical ethics.
Deborah Peel, M.D., founder of Patient Privacy Rights, on protecting the privacy of healthcare information.
Listen to the Interview Here.
Patients have inadequate control over who can access their healthcare information, but existing technologies can solve the problem, says consumer advocate Deborah Peel, M.D.
Her organization, Patient Privacy Rights, recently issued a white paper outlining an approach to giving patients opportunities to offer informed consent for accessing their records. In an interview, Peel outlined the key points in the report…
The Tiger team continues to make policy recommendations that clearly violate the law and the Administration’s new privacy policies. See story on release by Modern Healthcare.
Apparently they did not hear Secretary Sebelius announce a new “Administration-wide commitment to make sure no one has access to your personal information unless you want them to” on July 8th (see here).
Or hear Dr. Blumenthal say “we want to make sure it is possible for patients to have maximal control over PHI.” See: http://patientprivacyrights.org/2010/07/ppr-impressed-with-hhs-privacy-approach/
At the Consumer Choices Technologies Hearing on June 29th, one of the ‘granular consent’ technologies demonstrated has been exchanging behavioral health records on 4 million patients for over 10 years, in 9 states and 22 jurisdictions. Newer, more robust consent technologies showcased that day are also in use. See: http://nmr.rampard.com/hit/20100629/default.html
The Tiger team calls these privacy-enhancing technologies “looming” because they are not widely used. If the HIT Policy Committee recommends against technologies for robust consent and segmentation, as they did for “meaningful use” EHRs, they ensure the limited use of privacy-enhancing technologies, which can therefore continue to be described as “looming”. It’s a neat trick to recommend policy that perpetuates the status quo and violates our rights to health privacy. To create wide use of these technologies, they must be required in policy as well as the law.
HITECH in fact does require patient consent before PHI can be sold and states that private-pay patients should be able to prevent their data from flowing to insurers for payment and health care operations. And it is also a legal and ethical requirement to obtain informed consent before disclosures of sensitive health information in all 50 states. Therefore, robust electronic consents and segmentation are required by law today. Policies should match the law.
Instead, the recommendations from the Tiger team guarantee that the theft and sale of patient data will grow exponentially and data will flow unchecked by patient consent or segmentation through HIEs and the NHIN to even more thieving vendors and corporations. Americans’ jobs, credit, and reputations are being destroyed to improve corporate revenues. This sick, greedy transformation of the health care system cannot be hidden and will destroy trust in HIT, HIE, and in legitimate clinical, academic, and public health and population research.
Most HIT products and systems were not designed to comply with patients’ rights to control personal health information. And vendors won’t ever willingly update them, because selling patient data can be a far greater source of revenue than selling software or caring for sick people.
Back to the crucial question: how can the Tiger team recommend policy that violates existing law? Why don’t the Tiger Team and the HIT Policy Committee recommend that HIT vendors, CEs, and BAs COMPLY with state and federal privacy laws and protections and meet patients’ expectations?
The Tiger Team and HIT Policy Committee are both dominated by CEOs, employees, and beneficiaries of vendors or corporate for-profit “research” industries that want all OUR data without consent. Their fiduciary duties to stockholders explain their decisions to recommend policies that violate our privacy rights.
Today the health data theft/sale industry and corporate for-profit research industry are in charge of federal policy-making.
Their flawed business models, based on misleading shareholders and the public about what they really do, are fraudulent and deceptive trade practices.
The SEC brought Goldman Sachs to heel for misleading shareholders and the public about what their business model really was. The data theft and data sales industries and the corporate for-profit ‘research’ industry do exactly the same thing.
The entire US health care and HIT system will end up tarred and feathered and lose the public’s trust unless the health care and HIT corporations that protect privacy rights, and genuine clinical and academic researchers stand with patients to demand that patients control PHI.
Sign the ‘Do Not Disclose’ petition at http://patientprivacyrights.org/do-not-disclose/ and demand your rights to health privacy be enforced.
A federally chartered advisory work group charged in June with devising recommendations on privacy and security policies to support the government’s electronic health-record system subsidy program presented today its near-final list of guidelines to the Health Information Technology Policy Committee.
The work group, known as the privacy and security tiger team, met Monday and released what amounts to a consensus report on its recommendations, said Deven McGraw, co-chair of the tiger team and director of the Health Privacy Project at the Center for Democracy and Technology, a Washington think tank. The Health IT Policy Committee advises the Office of the National Coordinator for Health Information Technology at HHS…
“All entities involved in health information exchange—including providers and third-party service providers like Health Information Organizations (HIOs) and intermediaries—follow the full complement of fair information practices when handling personally identifiable health information,” according to the tiger team proposal.
Proposed changes to the HIPAA privacy regulations would expand patients’ rights to access their information and restrict certain types of disclosures of protected health information to health plans, according to InformationWeek.
“We want to make sure it is possible for patients to have maximal control over PHI,” national health IT coordinator Dr. David Blumenthal said at an HHS press conference. The statement–and the proposal itself–thrilled healthcare privacy hawk Dr. Deborah Peel. Her organization, the Patient Privacy Rights Foundation, put out a statement strongly in favor of the changes, saying that the proposed rule “signaled a clear policy change in the Obama administration, strengthening consumer rights to health privacy.”
To learn more:
- read the proposed rule issued by HHS on July 8
- read this Computerworld article via Businessweek
- take a look at CMIO’s article
- read the InformationWeek story
- see this AHIMA press release
- check out this statement from the Patient Privacy Rights Foundation, which includes a video of the HHS press conference
The Secretary of Health and Human Services (HHS), the Director of the Office of Civil Rights (OCR), and the National Coordinator for HIT all made very strong, pro-privacy statements at the press conference today announcing the Notice of Proposed Rulemaking (NPRM) titled: 45 CFR Parts 160 and 164, RIN: 0991-AB57, Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act.
Signaling a major shift in direction for the Administration and HHS, Secretary Sebelius said, “It’s important to understand this announcement of the NPRM…. is part of an Administration-wide commitment to make sure no one has access to your personal information unless you want them to.”
Patient Privacy Rights heartily congratulates the Administration and Sec. Sebelius for this new pro-privacy, patient-centered approach to personal health information (PHI).
We applaud Secretary Sebelius’ clear acknowledgment that health IT systems should empower patients to control PHI. Putting patients in control of PHI is the only route to prevent wasting billions in stimulus funds on HIT systems that destroy privacy and to stop the theft, misuse, and sale of PHI in today’s primitive HIT systems and data exchanges.
During her remarks, OCR Director Verdugo said, “the benefits of HIT will only be fully realized if health information is kept private and secure at all times.”
And finally Dr. Blumenthal stated, “we want to make sure it is possible for patients to have maximal control over PHI.” He also referred to the Consumer Choices Technology Hearing last week, which demonstrated consent tools that enable patients to control the use and disclosure of their health information from EHRs and for HIE.
Hopefully the NPRM actually gives Americans the control over access to personal information Secretary Sebelius said the Administration is committed to. We are analyzing the 234-page Notice of Proposed Rulemaking (NPRM), and will post our comments on the NPRM as soon as we can.
Below see the Press Conference announcing the Proposed Rule.
A new rule proposed today would add substantial protections to the Health Insurance Portability and Accountability Act (HIPAA) for individuals who want to make sure their personal health information remains private and under their control, something that’s considered vital to the eventual success of electronic health record deployments.
Health and Human Services Secretary Kathleen Sebelius acknowledged as much in announcing the rule, saying that, while health IT will help to move the American health system forward, “the privacy and security of personal health data is at the core of all of our work.”
The proposed rule, which will be open to a 60-day comment period starting July 14, takes various routes to providing patient control…
…First reactions to the proposal were generally positive. Deborah Peel, founder and chair of the Patient Privacy Rights organization and an often fierce critic of the government’s record on privacy rights, said she was impressed with Sebelius’s remarks.
“We applaud her for recognizing that HHS should build what the public expects: health IT systems that empower patient control over personal health information,” she said.
Published March 24, 2010
I learned about the lack of health privacy when I hung out my shingle as a psychiatrist. Patients asked if I could keep their records private if they paid for care themselves. They had lost jobs or reputations because what they said in the doctor’s office didn’t always stay in the doctor’s office. That was 35 years ago, in the age of paper. In today’s digital world the problem has only grown worse.
A patient’s sensitive information should not be shared without his consent. But this is not the case now, as the country moves toward a system of electronic medical records.
In 2002, under President George W. Bush, the right of a patient to control his most sensitive personal data—from prescriptions to DNA—was eliminated by federal regulators implementing the Health Information Portability and Accountability Act. Those privacy notices you sign in doctors’ offices do not actually give you any control over your personal data; they merely describe how the data will be used and disclosed.
In a January 2009 speech, President Barack Obama said that his administration wants every American to have an electronic health record by 2014, and last year’s stimulus bill allocated over $36 billion to build electronic record systems. Meanwhile, the Senate health-care bill just approved by the House of Representatives on Sunday requires certain kinds of research and reporting to be done using electronic health records. Electronic records, Mr. Obama said in his 2009 speech, “will cut waste, eliminate red tape and reduce the need to repeat expensive medical tests [and] save lives by reducing the deadly but preventable medical errors that pervade our health-care system.”
But electronic medical records won’t accomplish any of these goals if patients fear sharing information with doctors because they know it isn’t private…
Read More at The Wall Street Journal
There is no need to choose between the benefits of technology and our rights to health privacy. Please support YOUR right to decide who can see your electronic health information: sign the ‘Do Not Disclose’ petition now!
Patient privacy dates back to ancient Greece, beginning with the physician and teacher Hippocrates, who is often called the father of Western medicine. He authored the Hippocratic Oath to establish best practices for his fellow physicians and to build trust with his own patients. It was necessary for him to keep the ailments of his contemporaries secret, lest they be subject to humiliation, personal harm or loss of opportunity.
Ironically, more than 2,400 years later, patient privacy remains a fundamental issue, and the repercussions of information leaks are just as distressing. Areas of vulnerability have now expanded beyond the doctor-patient relationship in the exam room to encompass whole healthcare systems, communities, nations and even the global marketplace. With electronic information storage and transmission coming of age, whispering behind a closed door, as Hippocrates might have done, is obviously not enough to protect privacy.
Deborah Peel, MD, is the founder of Patient Privacy Rights (PPR), a national not-for-profit watchdog coalition. As a physician, she was inspired to adopt privacy as her mission in 1993 after an unnerving proposal from President Bill Clinton called for every patient encounter in America to be recorded in an electronic database. She was intimately familiar with the anxiety related to privacy in her own psychiatric-services practice, but the broad reach of electronic health records posed an imminent threat she just couldn’t ignore.
“For 30 years, I’ve been in the most privacy-sensitive specialty in medicine,” Dr. Peel says. “I’ve spent 30 years listening to how people’s reputations and lives are ruined. If you were in my shoes, you’d be doing this, too.”
What’s driving people craziest about the big national push to convert to EMRs? Maybe it’s the technology that some people don’t like. Maybe it’s resistance to change. Perhaps it’s the short timeline to implement before the stimulus program starts–Oct. 1 for hospitals, Jan. 1 for physician practices. There’s a lot of uncertainty, too, since the rules for “meaningful use” of EMRs aren’t final yet and are very much subject to change.
All of those are legitimate concerns, but they pale in comparison to the privacy issue.
The American Recovery and Reinvestment Act tightens HIPAA privacy and security rules, though just like the 1996 HIPAA legislation, it leaves many of the details up to the regulators at HHS. The 2002 “treatment, payment and healthcare operations” exception to the privacy rule is disappearing, meaning that healthcare organizations will have to obtain consent before disclosing personally identifiable health data to third parties.