HIPAA privacy actions seen as warning

Computerworld – Two separate enforcement actions taken this week by the U.S. Department of Health and Human Services for HIPAA privacy violations should serve as a warning to all healthcare entities, say privacy analysts.

The agency announced on Thursday that it had imposed a civil monetary penalty of $4.3 million on health insurer Cignet Health for violating the Health Insurance Portability and Accountability Act’s privacy provisions.

This week’s other enforcement action involved Massachusetts General Hospital, which agreed to pay HHS a total of $1 million to settle potential HIPAA privacy violations.

The action against Cignet represented the first time since HIPAA became law that such a fine has been imposed on an organization in the healthcare field over a privacy violation.

HHS said the fine was levied on Cignet for two reasons: It did not give 41 patients access to their medical records when they asked for it, and it did not subsequently cooperate with an investigation into the matter by HHS’s Office for Civil Rights (OCR)…

…The actions could be a sign that HHS is getting serious about enforcing HIPAA’s privacy requirements more stringently, said Deborah Peel, founder and chairwoman of the Patient Privacy Rights Foundation.

These actions are among “the most significant things that the administration has done for patient privacy,” Peel said.

Both HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was passed as part of the 2009 stimulus package, contain provisions for protecting the privacy and security of patient data.

“But nobody has been paying attention to them. It’s like mass civil disobedience by industry,” Peel said. “So this is incredibly welcome for patients.”

Holes in the fence?

This story, by Joseph Conn with Modern Healthcare, quotes Patient Privacy Rights, Dr. Blumenthal the National Coordinator for Health IT, and many others, all calling for meaningful consent and privacy.

See these great quotes from Alan Westin:

  • the removal of consent from HIPAA by federal rulemakers in 2002 “left us high and dry,” but with the improvements to HIPAA in the stimulus law, “I think the raw materials for excellence are there.”
  • Privacy protection will depend again on HHS rulemakers, however, he says. (A proposed privacy rule addressing HIPAA modifications from the stimulus law was released by HHS in July, but a final rule is pending.) If it’s not addressed, Westin says, don’t be surprised if there is consumer backlash.
  • “I think we’re at a pivotal moment,” Westin says, given the massive inflows of federal IT subsidies about to begin. “Just imagine a lawsuit as a class action with all the people who would otherwise be swept into a network saying, ‘I did not give my consent,’ and asking the court to intervene.”
  • he sees “a dangerous trend” developing in healthcare IT in which patients are regarded as “inert data elements, not conscious persons” who have the right to make informed choices regarding “how their health information is used beyond the direct care settings.”
  • “You have to have privacy orienting systems at the design,” he says. “If the plumbing all gets in, it’s going to be very costly to tear it down and change it.”

Below are a few sections of the article. To see the full article, follow this link to Modern Healthcare.

Is the primary federal privacy law up to the task of protecting patient information in the 21st century?

It’s a question we put to opinion leaders in the legal, research, policy, ethics, provider and technology fields within the healthcare privacy community. It comes as hospitals and office-based physicians ramp up adoption of electronic health-record systems and join information exchanges to qualify for their share of the $27 billion in federal information technology subsidy payments available under the American Recovery and Reinvestment Act of 2009, also known as the stimulus law…

…A new challenge will be to regulate against the abuse of data outside the scope of HIPAA. “You encounter personal health records, where people put their health information on a cell phone, or on Google and Microsoft, and Google and Microsoft are not covered entities. We need to figure out what the privacy framework is for personal health records and other sharing of personal information.”

Deborah Peel is the practicing psychiatrist who founded the Patient Privacy Rights Foundation in Austin, Texas. To Peel, the HIPAA paradigm is obsolete and inadequate and needs to be replaced.

“You can’t draw a fence around who has sensitive health information,” Peel says. “It might have made sense 20 years ago, but it is a model that doesn’t fit the realities of today. It’s based on an anachronistic view of the healthcare system, as if it’s totally separate from everything else in business and in life, and if technology has taught us anything, it’s that that’s not effective.”

Peel also says the 42 CFR Part 2 framework should be applied to all patient data. “Healthcare information, because of the Internet, is everywhere; therefore, the protections must follow the data,” she says. “If we don’t say a damn word about social media and websites and the rest, we lose because that information is out there in all of those places.”

Comments: ONC studying risks of de-identified patient records

It’s nice to know that that the federal government will “analyze the science of de-identification and re-identification” before releasing health data. See article from Government Health IT: ONC studying risks of de-identified patient records (written by Mary Mosquera).

But instead of each of patient being informed about the level of risk and then deciding if that level risk is acceptable before agreeing to participate in research, the government will decide the “acceptable level of risk in order to be able to use the data”.

Two major problems need to be addressed before “de-identified” public use data (PUD) is released for “research”:

1) The “research” loophole in HIPAA allows any corporation to get access to our health data without consent, at low or no cost, simply by claiming that it is doing research. This loophole needs to be closed. Most ‘research’ use of health data today is NOT what Congress intended: i.e., research to improve patient health or to prevent illness. Instead corporations claim our data will be sued for ‘research’ when in reality they sell it or use it for business analytics. Business analytics is used by industry to discriminate against people in jobs, credit, and educational opportunities. The health data mining industry is exploiting the “research loophole” to obtain Americans’ health data to improve revenues, not to improve patient treatment or health. The name for that is fraud.

2) Who decides what level of de-identification is ‘safe’ enough? Should the federal government decide for us? Or should we be able to decide what risk we are willing to accept?

Patient Privacy Rights submitted a memo to CMS highlighting the difficulties of anonymizing data for public release and advocating an “adversarial challenge” criterion for assessing the threats associated with such releases. See: NOTES ABOUT ANONYMIZING DATA FOR PUBLIC RELEASE, by Andrew J. Blumberg.

BTW—-what if banks suddenly decided that account holders would now have to accept a .04% risk of electronic theft of funds and/or a .04% rate of errors in our deposits was ‘safe’ enough? Would you accept that low a level of risk? Is any rate of theft or error acceptable for our money?

Why should we accept anything less than a zero% risk of theft or error for our health records?

Proposed United States medical privacy rules deemed inadequate

In Tennessee, the theft of 57 computer hard drives at a health insurance call center exposed personal information on as many as one million people. In Virginia, the hacking of a government prescription database compromised millions of records. In California and beyond, celebrity peepers have snooped on the medical particulars of stars.

This is already a digitized world, as the health system juggles vast volumes of the most deeply private information. Add to that the acceleration in US doctors’ offices of electronic record-keeping, spurred by hefty aid from a government eager to reap efficiencies in medical care.

Trying to keep all of that information properly corralled is a tall order. And President Barack Obama’s administration has backtracked on a major attempt to sort out the thicket of privacy rules supporting that effort.

The Health and Human Services Department published a set of regulations governing how health care providers must respond when medical privacy is breached. The rules, although not final, had the force of law. But now the department is retracting them. “This is a complex issue,” the department said by way of understatement.

Privacy advocates and members of Congress had sharply criticized the controls as inadequate. After a period of reflection — and reportedly pressure from the White House — the department appeared to agree…

Watchdogs asserted that health professionals should not be the judge of whether a breach is significant enough to a patient’s livelihood or reputation. “That puts the foxes in charge of the hen coops,” says Dr. Deborah C. Peel, founder and chair of the Patient Privacy Rights Foundation, which presses for strict consumer safeguards. “It shows the incredible overbearing influence of industry in the crafting of regulations. The idea that someone else knows when you’re harmed better than you do, doesn’t make sense.”

New HIPAA rules need more clarification

When it comes to the new HIPAA privacy and security standards, it seems like everybody has an opinion. Quite a few organizations are spreading the word about the comments they’ve filed in response to the changes HHS proposed in July…

…On the consumer side, the Coalition for Patient Privacy, led by Dr. Deborah Peel’s Patient Privacy Rights Foundation, is lobbying hard for the final rule to restore the right to patient consent for PHI disclosure that HHS stripped from the HIPAA privacy rule in 2002.

“We strongly recommend that HHS require the use of the consent and segmentation technologies showcased June 29 at the Consumer Choices Technology hearing sponsored by HHS/ONC for all HIT systems, HIE and the NHIN,” the coalition says in its letter. “The innovative, low-cost, effective privacy‐enhancing technologies available that can empower patients to have ‘maximal control over PHI’ should be viewed as what is possible now, not 10 years from now.”

Coalition Urges HHS To Restore Patient Control Over Access to Health Data NOW

On Monday, September 13th 2010, the Coalition for Patient Privacy sent in comments to HHS regarding Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the HITECH Act. Ensuring Americans’ control over health information is critical for quality health care and the success of health information technology (HIT). The Coalition applauds the efforts of the Department of Health and Human Services (HHS) to revise HIPAA. However, the Coalition also urges HHS to require use of robust electronic consent and segmentation tools to assure compliance with the consumer privacy and security protections in HITECH and existing rights in state and federal law and medical ethics.

View the proposed modifications to HIPAA
View the Full Comments from the Coalition for Patient Privacy
View the Press Release

Consumer Advocate: Patient Consent Vital

Deborah Peel, M.D., founder of Patient Privacy Rights, on protecting the privacy of healthcare information.
Listen to the Interview Here.

Patients have inadequate control over who can access their healthcare information, but existing technologies can solve the problem, says consumer advocate Deborah Peel, M.D.

Her organization, Patient Privacy Rights, recently issued a white paper outlining an approach to giving patients opportunities to offer informed consent for accessing their records. In an interview, Peel outlined the key points in the report…

View a PDF version of the white paper: The Case for Informed Consent
Listen to the interview: Patient Consent Vital

What do we think of the new recommendations?

The Tiger team continues to make policy recommendations that clearly violate the law and the Administration’s new privacy policies. See story on release by Modern Healthcare.

Apparently they did not hear Secretary Sebelius announce a new “Administration-wide commitment to make sure no one has access to your personal information unless you want them to” on July 8th (see here).

Or hear Dr. Blumenthal say “we want to make sure it is possible for patients to have maximal control over PHI.” See: http://patientprivacyrights.org/2010/07/ppr-impressed-with-hhs-privacy-approach/

At the Consumer Choices Technologies Hearing on June 29th, one of the ‘granular consent’ technologies demonstrated has been exchanging behavioral health records on 4 million patients for over 10 years, in 9 states and 22 jurisdictions. Newer, more robust consent technologies showcased that day are also in use. See: http://nmr.rampard.com/hit/20100629/default.html

The Tiger team calls these privacy-enhancing technologies “looming” because they are not widely used. If the HIT Policy Committee recommends against technologies for robust consent and segmentation, as they did for “meaningful use” EHRs, they ensure the limited use of privacy-enhancing technologies, which can therefore continue to be described as “looming”. It’s a neat trick to recommend policy that perpetuates the status quo and violates our rights to health privacy. To create wide use of these technologies, they must be required in policy as well as the law.

HITECH in fact does require patient consent before PHI can be sold and states that private-pay patients should be able to prevent their data from flowing to insurers for payment and health care operations. And it is also a legal and ethical requirement to obtain informed consent before disclosures of sensitive health information in all 50 states. Therefore, robust electronic consents and segmentation are required by law today. Policies should match the law.

Instead, the recommendations from the Tiger team guarantee that the theft and sale of patient data will grow exponentially and data will flow unchecked by patient consent or segmentation through HIEs and the NHIN to even more thieving vendors and corporations. Americans’ jobs, credit, and reputations are being destroyed to improve corporate revenues. This sick, greedy transformation of the health care system cannot be hidden and will destroy trust in HIT, HIE, and in legitimate clinical, academic, and public health and population research.

Most HIT products and systems were not designed to comply with patients’ rights to control personal health information. And vendors won’t ever willingly update them, because selling patient data can be a far greater source of revenue than selling software or caring for sick people.

Back to the crucial question: how can the Tiger team recommend policy that violates existing law? Why don’t the Tiger Team and the HIT Policy Committee recommend that HIT vendors , CEs, and BAs COMPLY with state and federal privacy laws and protections and meet patients’ expectations?

The Tiger Team and HIT Policy Committee are both dominated by CEOs, employees, and beneficiaries of vendors or corporate for–profit “research” industries that want all OUR data without consent. Their fiduciary duties to stockholders explain their decisions to recommend policies that violate our privacy rights.

Today the health data theft/sale industry and corporate for-profit research industry are in charge of federal policy-making.

Their flawed business models, based on misleading shareholders and the public about what they really do, are fraudulent and deceptive trade practices.

The SEC brought Goldman Sachs to heel for misleading shareholders and the public about what their business model really was. The data theft and data sales industries and the corporate for-profit ‘research’ industry do exactly the same thing.

The entire US health care and HIT system will end up tarred and feathered and lose the public’s trust unless the health care and HIT corporations that protect privacy rights, and genuine clinical and academic researchers stand with patients to demand that patients control PHI.

Sign the ‘Do Not Disclose’ petition at http://patientprivacyrights.org/do-not-disclose/ and demand your rights to health privacy be enforced.

Health IT group drafts privacy recommendations

A federally chartered advisory work group charged in June with devising recommendations on privacy and security policies to support the government’s electronic health-record system subsidy program presented today its near-final list of guidelines to the Health Information Technology Policy Committee.

The work group, known as the privacy and security tiger team, met Monday and released what amounts to a consensus report on its recommendations, said Deven McGraw, co-chair of the tiger team and director of the Health Privacy Project at the Center for Democracy and Technology, a Washington think tank. The Health IT Policy Committee advises the Office of the National Coordinator for Health Information Technology at HHS…

According to the tiger team’s draft document posted on the HIT Policy Committee’s website, the team’s recommendations are based on “fair information practices,” a now globally accepted set of privacy policy guidelines that stems from a 1973 report by the U.S. Department of Health, Education and Welfare.

“All entities involved in health information exchange—including providers and third-party service providers like Health Information Organizations (HIOs) and intermediaries—follow the full complement of fair information practices when handling personally identifiable health information,” according to the tiger team proposal.

HHS proposes stronger privacy protections under HIPAA

Proposed changes to the HIPAA privacy regulations would expand patients’ rights to access their information and restrict certain types of disclosures of protected health information to health plans, according to InformationWeek.

“We want to make sure it is possible for patients to have maximal control over PHI,” national health IT coordinator Dr. David Blumenthal said at an HHS press conference. The statement–and the proposal itself–thrilled healthcare privacy hawk Dr. Deborah Peel. Her organization, the Patient Privacy Rights Foundation, put out a statement strongly in favor of the changes, saying that the proposed rule “signaled a clear policy change in the Obama administration, strengthening consumer rights to health privacy.”

To learn more:
- read the proposed rule issued by HHS on July 8
- read this Computerworld article via Businessweek
- take a look at CMIO’s article
- read the InformationWeek story
- see this AHIMA press release
- check out this statement from the Patient Privacy Rights Foundation, which includes a video of the HHS press conference