Re: Web Privacy Becomes a Business Imperative

New York Times article Web Privacy Becomes a Business Imperative by Somini Sengupta discusses web privacy affecting businesses’ bottom line. As Mozilla’s Chief Privacy Officer says in the article:

“They’re asking for a different level of privacy on your service,” he said, “You have to listen to that. It’s critical to your business.”

Finally. More Internet companies are realizing the truth behind what PPR has said all along: products and services that don’t offer real privacy and security don’t fly with consumers. While some still may debate the exact meaning of “privacy,” what we consistently see is that consumers want to have control over what happens with their data. It’s about time we start listening to what the public wants and honor everyone’s right to be let alone as they see fit.

Cloud Computing: HIPAA’s Role

The excerpts below are taken from the GOVinfoSecurity.com article Cloud Computing: HIPAA’s Role, written by Marianne Kolbasuk McGee after the January 7, 2013 panel in Washington D.C.: Health Care, the Cloud, & Privacy.

“While a privacy advocate is demanding federal guidance on how to protect health information in the cloud, one federal official says the soon-to-be-modified HIPAA privacy and security rules will apply to all business associates, including cloud vendors, helping to ensure patient data is safeguarded.

Joy Pritts, chief privacy officer in the Office of the National Coordinator for Health IT, a unit of the Department of Health and Human Services, made her comments about HIPAA during a Jan. 7 panel discussion on cloud computing hosted by Patient Privacy Rights, an advocacy group…

…Deborah Peel, M.D., founder of Patient Privacy Rights, last month sent a letter to the Department of Health and Human Services’ Office for Civil Rights urging HHS to issue guidance to healthcare providers about data security and privacy in the cloud (see: Cloud Computing: Security a Hurdle).

“The letter … asks that [HHS] look at the key problems in cloud … and what practitioners should know and understand about security and privacy of health data in the cloud,” Peel said during the panel.”

OCR Could Include Cloud Provision in Forthcoming Omnibus HIPAA Rule

The excerpt below is from the Bloomberg BNA article OCR Could Include Provision in Forthcoming Omnibus HIPAA Rule, written by Alex Ruoff. The article is available by subscription only.

“The final omnibus rule to update Health Insurance Portability and Accountability Act regulations, expected to come out sometime early this year, could provide guidance for health care providers utilizing cloud computing technology to manage their electronic health record systems, the chief privacy officer for the Office of the National Coordinator for Health Information Technology said Jan. 7 during a panel discussion on cloud computing.

The omnibus rule is expected to address the health information security and privacy requirements for business associates of covered entities, provisions that could affect how the HIPAA Privacy Rule affects service providers that contract with health care entities, Joy Pritts, chief privacy officer for ONC, said during the panel, hosted by the consumer advocacy group, Patient Privacy Rights (PPR).

PPR Dec. 19 sent a letter to Health and Human Services’ Office for Civil Rights Director Leon Rodriguez, asking the agency to issue guidance on cloud computing security. PPR leaders say they have not received a response…

…Deborah Peel, founder of Patient Privacy Rights, said few providers understand how HIPAA rules apply to cloud computing. This is a growing concern among consumer groups, she said, as small health practices are turning to cloud computing to manage their electronic health information.”

Vast cache of Kaiser patient details was kept in private home

The excerpt below is from the LA Times article Vast cache of Kaiser patient details was kept in private home by Chad Terhune. It shows both Kaiser’s negligence in caring for its patients and the lack of privacy and security that is frequently found in electronic health records.

“Federal and state officials are investigating whether healthcare giant Kaiser Permanente violated patient privacy in its work with an Indio couple who stored nearly 300,000 confidential hospital records for the company.

The California Department of Public Health has already determined that Kaiser “failed to safeguard all patients’ medical records” at one Southern California hospital by giving files to Stephan and Liza Dean for about seven months without a contract. The couple’s document storage firm kept those patient records at a warehouse in Indio that they shared with another man’s party rental business and his Ford Mustang until 2010.

Until this week, the Deans also had emails from Kaiser and other files listing thousands of patients’ names, Social Security numbers, dates of birth and treatment information stored on their home computers.

The state agency said it was awaiting more information from Kaiser on its “plan of correction” before considering any penalties.

Officials at the U.S. Department of Health and Human Services began looking into Kaiser’s conduct last year after receiving a complaint from the Deans about the healthcare provider’s handling of patient data, letters from the agency show. Kaiser said it hadn’t been contacted by federal regulators, and a Health and Human Services spokesman declined to comment.”

Health Care, the Cloud, and Privacy, Jan. 7 Panel

Health Care, the Cloud, and Privacy

Phoenix Park Hotel
520 North Capitol Street, NW | Washington, DC 20001
Georgian Room
Monday, January 7, 2013 | 12:00 p.m. ET

On behalf of Patient Privacy Rights (PPR), you are invited to attend a panel discussion on health care system privacy challenges posed by cloud computing. The one-hour discussion, “Health Care, the Cloud, and Privacy,” will be held on Monday, January 7, 2013 at the Phoenix Park Hotel in Washington, D.C. Boxed lunches will be provided.

With technological innovations that promise better efficiency and lower cost, one of the most anticipated developments is how industry and regulators will respond. That question today is focused intently on cloud computing and the implications for corporations with electronic systems containing sensitive consumer health data. Who is handling patient data? How do HIPAA and other health privacy laws and rights function in the cloud? What can policymakers do to better protect our sensitive medical data?

Our distinguished panel will feature:

Joy Pritts
Chief Privacy Officer
Office of the National Coordinator for Health IT
U.S. Department of Health and Human Services

Deborah C. Peel, MD
Founder and Chair
Patient Privacy Rights (PPR)

Nicolas P. Terry
Hall Render Professor of Law
Indiana University Robert H. McKinney School of Law

Lillie Coney
Associate Director
Electronic Privacy Information Center (EPIC)

Please RSVP to Jenna Alsayegh at jalsayegh@deweysquare.com.

We hope to see you there!

And there is more:
View the Invitation as a PDF
View the Press Release

PPR also sent a letter to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) urging more comprehensive guidance on securing patient data in “the cloud.” With the healthcare industry moving its records to electronic databases, PPR sees a number of issues associated with cloud computing services, including compliance with existing healthcare privacy laws like the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, stronger state and federal health information privacy laws, medical ethics, and Americans’ rights to health information privacy. View the letter here.

Re: Open data is not a panacea

Regarding the story on MathBabe.org titled Open data is not a panacea

This story is a much-needed tonic to the heavy industry and government spin promoting ONLY the benefits of “open data” without mentioning the harms.

Quotes from the story:

  • When important data goes public, the edge goes to the most sophisticated data engineer, not the general public. The Goldman Sachs’s of the world will always know how to make use of “freely available to everyone” data before the average guy.
  • If there’s one thing I learned working in finance, it’s not to be naive about how information will be used. You’ve got to learn to think like an asshole to really see what to worry about.
  • So, if you’re giving me information on where public schools need help, I’m going to imagine using that information to cut off credit for people who live nearby. If you tell me where environmental complaints are being served, I’m going to draw a map and see where they aren’t being served so I can take my questionable business practices there.

Patient Privacy Rights’ goal is a major overhaul of U.S. health technology systems, so your health data is NOT OPEN DATA. Your health data should only be “open” and used with your knowledge and informed consent for purposes you agree with, like treatment and research. It will take a major overhaul for the public to trust health IT systems.

Why does Patient Privacy Rights advocate for personal control over health information and against “open data”? Answer:

For reasons that are NOT apparent, the healthcare industry shuns learning from computer scientists, mathematicians, and privacy experts about the harms and risks posed by today’s poorly designed “open” healthcare technology systems, the Internet, and the “surveillance economy”.

The health care industry and government shun facts like:

YOU can help build a data map so industry and government are forced to stop pretending that the health information of every person in the US is safe, secure, and private. Donate at: http://patientprivacyrights.org/donate/

Health-care sector vulnerable to hackers, researchers say

From the Wall Street Journal article by Robert O’Harrow Jr. titled Health-care sector vulnerable to hackers, researchers say

“As the health-care industry rushed onto the Internet in search of efficiencies and improved care in recent years, it has exposed a wide array of vulnerable hospital computers and medical devices to hacking, according to documents and interviews.

Security researchers warn that intruders could exploit known gaps to steal patients’ records for use in identity theft schemes and even launch disruptive attacks that could shut down critical hospital systems.

A year-long examination of cybersecurity by The Washington Post has found that health care is among the most vulnerable industries in the country, in part because it lags behind in addressing known problems.

“I have never seen an industry with more gaping security holes,” said Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University. “If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.””

Re: Heart Gadgets Test Privacy-Law Limits

In response to The Wall Street Journal article “Heart Gadgets Test Privacy-Law Limits”

This story shows the ethical and legal absurdity of private corporations’ claims to own and control patient records. Greedy corporations are copying their business models from Google and Facebook: sell every piece of information about every individual to any willing buyer.

Despite patients’ strong rights to obtain copies of their entire medical records, including data from devices that monitor health status, most hospitals and electronic health systems don’t yet offer patients a way to download personal health information, which is required by HIPAA and HITECH.

EVEN MORE IMPORTANTLY patients also have very strong ethical, legal, and Constitutional rights to control the disclosure and use of personal health information.

Today’s health IT systems and data exchanges were designed to prevent patient control over personal health information. Most health IT systems have abysmal data security (millions of health data breaches and thefts) and no means for patients to control who can see, use or sell their health data.

Government and Congress have poured $29 billion in stimulus funds into defective technology systems that violate the public’s rights to privacy and control over health information in electronic systems.

Medtronic and hospitals are hiding behind illegal contracts that violate patients’ rights to access and control sensitive personal health information.

We need clear new laws to ban the sale of personal health information without informed consent and RESTORE patient control over use, disclosure, and sale of health information.

-Deborah Peel

HIT systems among top 10 health tech hazards, says ECRI

Another story about why health technology is not ready for prime time. Today untested, unsafe health technologies and applications that eliminate patient control over sensitive personal health information are mandated for use by physicians and hospitals.

Today patient health data is widely disclosed and sold through electronic systems (see the ABC story about the sale of diabetic patient records for $14-$25 per patient). It will be years until patients can control sensitive information (from prescriptions to DNA to diagnoses) because systems were never designed to comply with patients’ rights to control health records. There is no data map to know where our personal health data is held or what it’s being used for (see Prof. Sweeney explain the need for a health data map on video).

In addition, health technology also poses serious risks to patients, including:

  • patient/data mismatches between systems (which would not happen if patients controlled the use and disclosure of their information)
  • interoperability failures with medical devices and health IT systems
  • caregiver distractions from smartphones and other mobile devices

A Future Perspective: Have We Seen The End Of Consumer Privacy In Health Care?

PPR Founder & Chair, Deborah C. Peel, MD, presents on a panel at the 8th Annual Open Minds Technology & Informatics Institute. View her presentation slides here.

In an era of Facebook, reality television, and the internet, it seems that as a society, we don’t view privacy in the same way that we did in the past – that is, except when it comes to health care. Yet the reality is that even that may be changing; in today’s environment, data is more easily shared with electronic health records and consumers have increased access to their own records, and therefore the ability to share information as they choose. But are consumers truly ready to give up privacy? And if they aren’t ready, is there anything we can do to protect patient privacy in our increasingly digital world? In this unique session, our panel of experts will discuss how our definition of privacy has changed over the years and answer the question – Is privacy dead in health care?

Faculty:
Deborah C. Peel, M.D., Founder & Chair, Patient Privacy Rights Foundation
Tim Timmons, CCEP, CHPC, CHP, CHSS, Corporate Integrity Officer, Greater Oregon Behavioral Health, Inc.
Julie Caliwan, Senior Associate, OPEN MINDS

Institute Overview

We know the future of health care will be shaped by technology.
Everything from the way we communicate with consumers, to how we deliver services, to the way we interact with other health care providers is under the influence of technological innovation. The relationship between consumers and provider organizations is already shifting as these innovations change our system in ways that would have been unfathomable just a decade ago – from robots and remote monitoring systems, to neurotechnology and smartphone apps.

Organizations with the best technology strategy will have the competitive edge.
The 2012 OPEN MINDS Technology & Informatics Institute is designed to provide an inside look at the ground-breaking technologies that will influence the health care market in the years to come. By gathering together the industry’s greatest technological innovators, a team of expert faculty, and the country’s top health and human service executives, this institute will not only provide you with a glimpse at the future, but also a strategic roadmap for success along the way.