Press Release for Health Privacy Summit 2011


FOR IMMEDIATE RELEASE

LBJ School of Public Affairs and Patient Privacy Rights Foundation to Co-Host
Inaugural International Summit on Health Privacy June 13 in Washington, D.C.

“Getting IT Right: Protecting Patient Privacy in a Wired World” to Look at the
Fundamental Role of a Patient’s Right to Privacy in Health Information Technology

AUSTIN, Texas, May 11, 2011 – The Lyndon B. Johnson School of Public Affairs and the Patient Privacy Rights Foundation will co-host the nation’s first public summit to discuss the future of health privacy in the digital age. “Getting IT Right: Protecting Patient Privacy in a Wired World” will be held on June 13, 2011 at the Georgetown Law Center in Washington, D.C. The event is the first in a planned series of forums on this theme and coincides with the creation of the U.S. government’s plan for a new health information technology (HIT) infrastructure, which will collect personal health information. For agenda and registration information, visit: http://www.healthprivacysummit.org/

The summit will be interactive and audience members will be expected to contribute questions to panels and participate in work groups to identify urgent health privacy needs, along with the immediate steps needed to deliver responsible and realistic solutions.

Deborah C. Peel, MD, chair of the board of directors of Patient Privacy Rights, Summit co-host, explained, “The goal of the summit is to create the world’s premier public forum on health privacy issues by uniting a ‘brain trust’ of experts – academics, advocates, government, health care, and those in the technology field – who are willing to work together to ensure health privacy is a center-piece of U.S. health care system reforms. We’re very pleased with the response to the Summit, from panelists and speakers to sponsors, which no doubt speaks to the importance and urgency of these issues today and into the future.”

Whether or not the new HIT infrastructure will afford individuals proper control over the sharing of their personal health information is the key issue that will be addressed. Benedicte Callan, Sid Richardson Fellow of health innovation and policy at the LBJ School, feels that the United States is reaching a crossroads in patient privacy with the creation of the HIT infrastructure.

“Designed well, this digital health information system could be the foundation for a more efficient 21st Century health care system,” said Callan. “It could lower costs, make care more safe and effective while leading to new treatments by benefiting research. But without proper protections built in up front, the HIT system could compromise the fundamental rights of citizens to protect their most sensitive personal health information.”

In summation, “The LBJ School has been preparing leaders for 40 years to help find innovative solutions to the most complex public policy issues and challenges of our modern world,” said Robert Hutchings, Dean of the LBJ School of Public Affairs. “Therefore, we see it as critically important to engage in this issue on every level—local, state, national, international—through research and collaborative partnerships in conferences such as this one. We are especially pleased to join with Patient Privacy Rights and with the other conference participants on working together towards solutions to one of the greatest privacy challenges of our time.”

The Lyndon B. Johnson School of Public Affairs is a graduate component of The University of Texas at Austin. The School’s mission is to develop leaders and innovative ideas that will help our state, the nation and the international community address critical public policy challenges in an ever increasingly interconnected and interdependent world.

Patient Privacy Rights is the nation’s leading health privacy watchdog and leading consumer voice for building ethical, trustworthy HIT systems. For more information, visit: http://patientprivacyrights.org/.

Major sponsors to date include: Microsoft, Jericho Systems, ID Experts, e-MDs, Inc., and Medical Research and Materiel Command, Telemedicine and Advanced Technology Research Center at the U.S. Department of Defense.

###

Interview: Protecting patient privacy rights in a wired world

In this podcast, Andy Oram interviews Dr. Deborah Peel of the Patient Privacy Rights Coalition about Getting IT Right: Protecting Patient Privacy Rights in a Wired World, a preconference to be held in conjunction with the illustrious Computers, Freedom, and Privacy conference this year.


Topics covered in the interview include:

  • The evolution of patient privacy.
  • Weaknesses in the current privacy regime for health care.
  • Goals, structure, and intended outcomes for the conference.
  • A look at featured speakers and attendees, including: Joy Pritts, ONC, Chief Privacy Officer; Jessica Rich, Deputy Director, FTC Bureau of Consumer Protection; Stephania Griffin, VHA Privacy Officer; AZ Senator Nancy Barto, Chairman of the Senate Healthcare and Medical Liability Reform Committee; Stephanie Perrin, Canadian privacy expert; Ross Anderson, Cambridge University, UK; Latanya Sweeney, Harvard, MIT, Carnegie Mellon; Helen Nissenbaum, Professor of Media, Culture and Communication, and Computer Science, New York University; Lee Tien, EFF.

Related links:

Listen to the O’Reilly Interview on Health Privacy Summit with Deborah Peel

“Getting IT Right: Protecting Patient Privacy Rights in a Wired World”

Official Pre-conference for CFP2011

June 13, 2011 Georgetown Law Center Washington, D.C.

“Getting IT Right: Protecting Patient Privacy Rights in a Wired World” is the nation’s first open and inclusive public forum to discuss the future of health privacy in a digital age. The conference will be held June 13, 2011 at the Georgetown Law Center in Washington, D.C. and is the result of a partnership between the Lyndon B. Johnson School of Public Affairs at The University of Texas at Austin and the Patient Privacy Rights Foundation, the premier health privacy advocacy organization in the United States.

You can find the agenda, a list of speakers, and more relevant news on the summit at the official website: www.healthprivacysummit.org.

Register Now: www.healthprivacysummit.org/registration

HIPAA privacy actions seen as warning

Computerworld – Two separate enforcement actions taken this week by the U.S. Department of Health and Human Services for HIPAA privacy violations should serve as a warning to all healthcare entities, say privacy analysts.

The agency announced on Thursday that it had imposed a civil monetary penalty of $4.3 million on health insurer Cignet Health for violating the Health Insurance Portability and Accountability Act’s privacy provisions.

This week’s other enforcement action involved Massachusetts General Hospital, which agreed to pay HHS a total of $1 million to settle potential HIPAA privacy violations.

The action against Cignet represented the first time since HIPAA became law that such a fine has been imposed on an organization in the healthcare field over a privacy violation.

HHS said the fine was levied on Cignet for two reasons: It did not give 41 patients access to their medical records when they asked for it, and it did not subsequently cooperate with an investigation into the matter by HHS’s Office for Civil Rights (OCR)…

…The actions could be a sign that HHS is getting serious about enforcing HIPAA’s privacy requirements more stringently, said Deborah Peel, founder and chairwoman of the Patient Privacy Rights Foundation.

These actions are among “the most significant things that the administration has done for patient privacy,” Peel said.

Both HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was passed as part of the 2009 stimulus package, contain provisions for protecting the privacy and security of patient data.

“But nobody has been paying attention to them. It’s like mass civil disobedience by industry,” Peel said. “So this is incredibly welcome for patients.”

Holes in the fence?

This story, by Joseph Conn with Modern Healthcare, quotes Patient Privacy Rights, Dr. Blumenthal, the National Coordinator for Health IT, and many others, all calling for meaningful consent and privacy.

See these great quotes from Alan Westin:

  • The removal of consent from HIPAA by federal rulemakers in 2002 “left us high and dry,” but with the improvements to HIPAA in the stimulus law, “I think the raw materials for excellence are there.”
  • Privacy protection will depend again on HHS rulemakers, however, he says. (A proposed privacy rule addressing HIPAA modifications from the stimulus law was released by HHS in July, but a final rule is pending.) If it’s not addressed, Westin says, don’t be surprised if there is consumer backlash.
  • “I think we’re at a pivotal moment,” Westin says, given the massive inflows of federal IT subsidies about to begin. “Just imagine a lawsuit as a class action with all the people who would otherwise be swept into a network saying, ‘I did not give my consent,’ and asking the court to intervene.”
  • He sees “a dangerous trend” developing in healthcare IT in which patients are regarded as “inert data elements, not conscious persons” who have the right to make informed choices regarding “how their health information is used beyond the direct care settings.”
  • “You have to have privacy orienting systems at the design,” he says. “If the plumbing all gets in, it’s going to be very costly to tear it down and change it.”

Below are a few sections of the article. To see the full article, follow this link to Modern Healthcare.

Is the primary federal privacy law up to the task of protecting patient information in the 21st century?

It’s a question we put to opinion leaders in the legal, research, policy, ethics, provider and technology fields within the healthcare privacy community. It comes as hospitals and office-based physicians ramp up adoption of electronic health-record systems and join information exchanges to qualify for their share of the $27 billion in federal information technology subsidy payments available under the American Recovery and Reinvestment Act of 2009, also known as the stimulus law…

…A new challenge will be to regulate against the abuse of data outside the scope of HIPAA. “You encounter personal health records, where people put their health information on a cell phone, or on Google and Microsoft, and Google and Microsoft are not covered entities. We need to figure out what the privacy framework is for personal health records and other sharing of personal information.”

Deborah Peel is the practicing psychiatrist who founded the Patient Privacy Rights Foundation in Austin, Texas. To Peel, the HIPAA paradigm is obsolete and inadequate and needs to be replaced.

“You can’t draw a fence around who has sensitive health information,” Peel says. “It might have made sense 20 years ago, but it is a model that doesn’t fit the realities of today. It’s based on an anachronistic view of the healthcare system, as if it’s totally separate from everything else in business and in life, and if technology has taught us anything, it’s that that’s not effective.”

Peel also says the 42 CFR Part 2 framework should be applied to all patient data. “Healthcare information, because of the Internet, is everywhere; therefore, the protections must follow the data,” she says. “If we don’t say a damn word about social media and websites and the rest, we lose because that information is out there in all of those places.”

Comments: ONC studying risks of de-identified patient records

It’s nice to know that the federal government will “analyze the science of de-identification and re-identification” before releasing health data. See article from Government Health IT: ONC studying risks of de-identified patient records (written by Mary Mosquera).

But instead of each patient being informed about the level of risk and then deciding if that level of risk is acceptable before agreeing to participate in research, the government will decide the “acceptable level of risk in order to be able to use the data.”

Two major problems need to be addressed before “de-identified” public use data (PUD) is released for “research”:

1) The “research” loophole in HIPAA allows any corporation to get access to our health data without consent, at low or no cost, simply by claiming that it is doing research. This loophole needs to be closed. Most ‘research’ use of health data today is NOT what Congress intended: i.e., research to improve patient health or to prevent illness. Instead, corporations claim our data will be used for ‘research’ when in reality they sell it or use it for business analytics. Business analytics is used by industry to discriminate against people in jobs, credit, and educational opportunities. The health data mining industry is exploiting the “research loophole” to obtain Americans’ health data to improve revenues, not to improve patient treatment or health. The name for that is fraud.

2) Who decides what level of de-identification is ‘safe’ enough? Should the federal government decide for us? Or should we be able to decide what risk we are willing to accept?

Patient Privacy Rights submitted a memo to CMS highlighting the difficulties of anonymizing data for public release and advocating an “adversarial challenge” criterion for assessing the threats associated with such releases. See: NOTES ABOUT ANONYMIZING DATA FOR PUBLIC RELEASE, by Andrew J. Blumberg.

BTW, what if banks suddenly decided that account holders would now have to accept a .04% risk of electronic theft of funds, and/or that a .04% rate of errors in our deposits was ‘safe’ enough? Would you accept that low a level of risk? Is any rate of theft or error acceptable for our money?

Why should we accept anything less than a zero% risk of theft or error for our health records?

Proposed United States medical privacy rules deemed inadequate

In Tennessee, the theft of 57 computer hard drives at a health insurance call center exposed personal information on as many as one million people. In Virginia, the hacking of a government prescription database compromised millions of records. In California and beyond, celebrity peepers have snooped on the medical particulars of stars.

This is already a digitized world, as the health system juggles vast volumes of the most deeply private information. Add to that the acceleration in US doctors’ offices of electronic record-keeping, spurred by hefty aid from a government eager to reap efficiencies in medical care.

Trying to keep all of that information properly corralled is a tall order. And President Barack Obama’s administration has backtracked on a major attempt to sort out the thicket of privacy rules supporting that effort.

The Health and Human Services Department published a set of regulations governing how health care providers must respond when medical privacy is breached. The rules, although not final, had the force of law. But now the department is retracting them. “This is a complex issue,” the department said by way of understatement.

Privacy advocates and members of Congress had sharply criticized the controls as inadequate. After a period of reflection — and reportedly pressure from the White House — the department appeared to agree…

Watchdogs asserted that health professionals should not be the judge of whether a breach is significant enough to a patient’s livelihood or reputation. “That puts the foxes in charge of the hen coops,” says Dr. Deborah C. Peel, founder and chair of the Patient Privacy Rights Foundation, which presses for strict consumer safeguards. “It shows the incredible overbearing influence of industry in the crafting of regulations. The idea that someone else knows when you’re harmed better than you do, doesn’t make sense.”

New HIPAA rules need more clarification

When it comes to the new HIPAA privacy and security standards, it seems like everybody has an opinion. Quite a few organizations are spreading the word about the comments they’ve filed in response to the changes HHS proposed in July…

…On the consumer side, the Coalition for Patient Privacy, led by Dr. Deborah Peel’s Patient Privacy Rights Foundation, is lobbying hard for the final rule to restore the right to patient consent for PHI disclosure that HHS stripped from the HIPAA privacy rule in 2002.

“We strongly recommend that HHS require the use of the consent and segmentation technologies showcased June 29 at the Consumer Choices Technology hearing sponsored by HHS/ONC for all HIT systems, HIE and the NHIN,” the coalition says in its letter. “The innovative, low-cost, effective privacy‐enhancing technologies available that can empower patients to have ‘maximal control over PHI’ should be viewed as what is possible now, not 10 years from now.”

Coalition Urges HHS To Restore Patient Control Over Access to Health Data NOW

On Monday, September 13th, 2010, the Coalition for Patient Privacy sent in comments to HHS regarding Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the HITECH Act. Ensuring Americans’ control over health information is critical for quality health care and the success of health information technology (HIT). The Coalition applauds the efforts of the Department of Health and Human Services (HHS) to revise HIPAA. However, the Coalition also urges HHS to require use of robust electronic consent and segmentation tools to assure compliance with the consumer privacy and security protections in HITECH and existing rights in state and federal law and medical ethics.

View the proposed modifications to HIPAA
View the Full Comments from the Coalition for Patient Privacy
View the Press Release

Consumer Advocate: Patient Consent Vital

Deborah Peel, M.D., founder of Patient Privacy Rights, on protecting the privacy of healthcare information.
Listen to the Interview Here.

Patients have inadequate control over who can access their healthcare information, but existing technologies can solve the problem, says consumer advocate Deborah Peel, M.D.

Her organization, Patient Privacy Rights, recently issued a white paper outlining an approach to giving patients opportunities to offer informed consent for accessing their records. In an interview, Peel outlined the key points in the report…

View a PDF version of the white paper: The Case for Informed Consent
Listen to the interview: Patient Consent Vital