Re: Social media and patient privacy lessons ripped from the headlines

Karen Cheung-Larivee’s recent FierceHealthcare article, “Social media and patient privacy lessons ripped from the headlines,” once again reminds us that health privacy isn’t a concern limited to how information is exchanged in and among doctors’ offices or hospitals. Even the casual ways people share parts of their personal lives with their own social networks can violate someone else’s health privacy when what they share includes sensitive details about other people’s lives.

Unfortunately, there aren’t really rules protecting people from the harms that can occur when someone else broadcasts their personal information in the wild wild west of social media. However, that doesn’t mean institutions are completely absolved of their responsibility to protect patients’ privacy, no matter the environment. As the article points out:

One of the most common situations of social media fumbles is patients posting about other patients. Although it’s not a breach of HIPAA or HITECH (because patients aren’t considered “covered entities”), the hospital still has a responsibility under state law to protect patients.

No doubt social media provides a medium that allows us to connect and reach out to others in new and powerful ways. However, as users of these tools, we must also be mindful of how the ways we connect and interact with the rest of the world can have damaging effects on ourselves and others, whether it’s in the here and now or some point down the line.

Has your health privacy ever been violated as a result of social media? Are you willing to talk about what happened so others might learn from your experience? Please use this form to share your story.

Information Technology’s Failure to Disrupt Healthcare

Nicolas Terry wrote a very interesting and informative paper about the effects IT has had on healthcare today. It is available for download in its full text version here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2118653. Below is his abstract.

Abstract: Information Technology (IT) surrounds us every day. IT products and services from smart phones and search engines to online banking and stock trading have been transformative. However, IT has made only modest and less than disruptive inroads into healthcare. This article explores the economic and technological relationships between healthcare and healthcare information technologies (HIT), asks (leveraging the work of Clayton Christensen) whether current conceptions of HIT are disruptive or merely sustaining, and canvasses various explanations for HIT’s failure to disrupt healthcare. The conclusion is that contemporary HIT is only a sustaining rather than disruptive technology. Notwithstanding that we live in a world of disruption, healthcare is more akin to the stubborn television domain, where similarly complex relationships and market concentrations have impeded the forces of disruption. There are three potential exceptions to this pessimistic conclusion. First, because advanced HIT is not a good fit for episodic healthcare delivery, we may be experiencing a holding pattern while healthcare rights itself with the introduction of process-centric care models. Second, the 2010 PCAST report was correct, the healthcare data model is broken. If Stage 3 of the MU subsidy program or some other initiative can funda

Organics industry and privacy industry face similar labeling issues

See the full article in the New York Times at Has ‘Organic’ Been Oversized?

Like the food industry’s label for “organic” foods, the health technology industry wants to label or brand its products, such as electronic records systems, data exchanges, and health “apps”, as “privacy-protective”, regardless of how far from reality that designation is.

This story shows that the federal law setting up an “organic” certification panel for food requires a far greater number of consumer and academic seats on the panel than exist on the two National Health IT Policy and Standards Committees. The organic certification panel must include “four farmers, three conservationists, three consumer representatives”: ten of its 15 seats reserved for non-industry representatives. But the federal government appointed industry people to those seats anyway. The federal government also appointed people who do not represent consumers or consumer organizations to the few consumer seats on the National Health IT Policy and Standards Committees.

But people who want health privacy are a huge percentage of the public: polls put the figure between 75 and 95 percent. This is a far greater share of the public than buys “organic” food. Health privacy is not an ‘elitist’ product, as “organic” foods are perceived to be. Everyone is affected by the lack of control over their health data, and everyone cares about it.

A few key quotes from the story:

-The fact is, organic food has become a wildly lucrative business for Big Food and a premium-price-means-premium-profit section of the grocery store. The industry’s image — contented cows grazing on the green hills of family-owned farms — is mostly pure fantasy. Or rather, pure marketing. Big Food, it turns out, has spawned what might be called Big Organic.

-“The board is stacked,” Mr. Potter says. “Either they don’t have a clue, or their interest in making money is more important than their interest in maintaining the integrity of organics.”  He calls the certified-organic label a fraud and refuses to put it on Eden’s products.

-BIG FOOD has also assumed a powerful role in setting the standards for organic foods. Major corporations have come to dominate the board that sets these standards.

-As corporate membership on the board has increased, so, too, has the number of nonorganic materials approved for organic foods on what is called the National List. Today, more than 250 nonorganic substances are on the list, up from 77 in 2002.

-This sounds like the way the National Health IT Policy And Standards Committees operate:

o   The organic certification board has 15 members, and a two-thirds majority is required to add a substance to the list. More and more, votes on adding substances break down along corporate-independent lines, with one swing vote.

o   Six board members, for instance, voted in favor of adding ammonium nonanoate, a herbicide, to the accepted organic list in December. Those votes came from General Mills, Campbell’s Soup, Organic Valley, Whole Foods Market and Earthbound Farms, which had two votes at the time.

-CORPORATE APPOINTEES FILL CONSUMER SEATS, just like on the Health IT Policy And Standards Committees:

o   The Organic Foods Act calls for a board consisting of four farmers, three conservationists, three consumer representatives, a scientist, a retailer, a certification agent and two “handlers,” or representatives of companies that process organic food.

o   Cornucopia has challenged the appointment of Ms. Beck, the national organic program manager at Driscoll’s, to a seat that is, by law, supposed to be occupied by a farmer. Officially, “farmer” means someone who “owns or operates an organic farm.” But Ms. Beck does not own or operate a farm.

§  Driscoll’s nominated Ms. Beck for one of the handler seats — but Tom Vilsack, the agriculture secretary, appointed her to one of the seats reserved for farmers.

§  In contrast, Dominic Marchese, who produces organic beef in Ohio, has tried and failed three times to win a board appointment as a farmer.

o   Similarly, the three consumer seats have never been filled by anyone from a traditional consumer advocacy group like the Organic Consumers Association or the Consumers Union. Instead, those seats have largely gone to academics with agricultural expertise and to corporate executives.

o   Katrina Heinze, a General Mills executive, was appointed to serve as a consumer representative on the board in December 2005 by Mike Johanns, the agriculture secretary at the time. The outcry over her appointment by advocates and independent organic consumers was so intense that she resigned in February 2006 — but rejoined the board late that year after Mr. Johanns appointed her to the seat designated by law for an expert in toxicology, ecology or biochemistry.

To learn more about preventing health privacy issues and protecting your privacy, please visit our Health Privacy Summit website.

Patient Privacy Rights Calls for Patient Control Over Data Exchange on the Nationwide Health Information Network (NwHIN)

In our comments about the NwHIN, Patient Privacy Rights (PPR) urged the Office of the National Coordinator for Health IT (ONC) to use this critical opportunity to address the fatal privacy and security flaws in current systems and state and federal data exchanges. “Multi-stakeholder” public-private governance at the state and federal level has failed to gain public trust.  Public-private governance assures that industry, research, and government interests trump the public’s rights to health information privacy.

To restore public trust, PPR strongly believes:

  • All state and federal data exchanges should be certified to assure that patients control the exchange of their health data. Privacy certification should be designed by a non-profit, patient-led organization with expertise in health privacy;
  • Data should only be exchanged using the Direct Project for secure email between patients, physicians, and other health professionals (with rare exceptions);
  • Patients should always give meaningful informed consent before their information is disclosed; and
  • Sensitive personal health information should only flow to those directly involved in an individual’s treatment, or to those who are conducting research in which an individual has agreed to participate.

Without a network designed to make sure individuals decide who sees their health records, Americans will grow even more wary of seeking needed treatment. We urge the ONC to act now to create a nationwide network that requires comprehensive data privacy and security measures to protect patients’ intimate personal health data. See comments here.

Experts discuss technology and privacy protections at 2nd International Summit on the Future of Health Privacy

See full story at: HIPAA remains in play as technology outpaces privacy protections

Speakers from the 2nd International Summit on the Future of Health Privacy were interviewed in this article about their views on technology outpacing privacy protections. Because technology is being invented faster than privacy laws can be written and enforced, people everywhere are at risk of having their private medical records used without their knowledge and consent. On June 6-7, over 50 speakers and 300 participants met to discuss the issues raised by these technological advances at the 2nd International Summit on the Future of Health Privacy. To learn more about the Health Privacy Summit, please visit HealthPrivacySummit.org.

“Experts assembled on June 6 in Washington for a panel discussion on electronic medical records and privacy noted that HIPAA provides only a minimum standard for safeguards, not a template for best practices. Panelists at the International Summit on the Future of Health Privacy added that the stakes are high when it comes to EMRs and privacy.

“Electronic technology is a game-changer, legally, because the damage that can be done to someone is perpetual and the damages that can be awarded are incalculable,” said James Pyles, co-founder and principal of the law firm of Powers, Pyles, Sutter & Verville….

…Joy Pritts, chief privacy officer for the Office of the National Coordinator for Health Information Technology, said the main problem is technology is moving faster than privacy laws can be written.

“I approach this in a simplistic way,” Pritts said. “I look to see, do you have a right to privacy for your health information? So far, the courts say you do. The tort laws say you do. Standards of professional ethics of nearly every segment of the medical profession say you do. The HIPAA privacy rule does not say that at all.”

Learn more about the Health Privacy Summit here.

Top Experts Discuss Privacy Risks at 2nd International Summit on the Future of Health Privacy

Patient Privacy Rights and Georgetown University Law Center’s O’Neill Institute for National and Global Health Law Host Event

Psychiatry Patient’s Story Highlights Growing Threat to Privacy

WASHINGTON–(BUSINESS WIRE)– When a lawyer named “Julie” sought psychiatric treatment in Boston, she never imagined that the notes of sessions with her therapist would be digitized and made available to thousands of doctors and nurses—even dermatologists and podiatrists with no conceivable need for such private records. But that is precisely what happened. “Personal details that took me years to disclose during therapy are being shared throughout my medical network, against my will,” Julie says. “It’s destroyed my trust with my doctors.”

Julie will tell her story for the first time at the 2nd International Summit on the Future of Health Privacy, to be held in Washington, DC, on June 6-7. Sponsored by Patient Privacy Rights, the nation’s leading health privacy watchdog, and Georgetown University Law Center’s O’Neill Institute for National and Global Health Law, the Summit will explore the often-alarming privacy implications of the nation’s race to digitize patient medical records.

“Every state requires patient permission before sensitive mental health records can be shared with other doctors. But Julie found that hundreds of pages of intimate records, some detailing her abuse as a child, were open to the entire staff of her Boston-based healthcare system,” says Dr. Deborah Peel, founder of Patient Privacy Rights. “Julie is an example of how major electronic health records systems can actually strip patients of their privacy rights. Her tragic story highlights the need for the Privacy Summit—to shine light on these abuses and find solutions to protect patient privacy.”

40 Health-Privacy Experts Drive Debate:

More than 40 health-privacy experts from around the globe will gather for the Summit, including top U.S. government officials and leading CEOs, physicians and academics, along with several hundred live and virtual attendees. Speakers will discuss new policies including a Health Privacy Bill of Rights, data exchanges, secondary uses of health data and social media platforms that threaten patient privacy. In addition, the founder of Harvard’s Data Privacy Lab will announce the launch of a yearlong project, the first of its kind, to map the hundreds of secret organizations and agencies where private medical data is sold and shared in the United States.

Summit organizers also will announce the “The Best Privacy Technologies of 2012,” and companies will demonstrate new products that enhance patient control of personal health data.

Louis D. Brandeis Privacy Award:

To kick off the Summit, Patient Privacy Rights will honor the first-ever recipients of the Louis D. Brandeis Privacy Award. The privacy watchdog group will recognize Congressman Joe Barton (R-TX) and Congressman Ed Markey (D-MA) for their roles as leading congressional privacy advocates. And Alan Westin, Columbia University’s Emeritus Professor of Public Law and Government, and Ross Anderson, the University of Cambridge’s Professor in Security Engineering, will be honored for their groundbreaking work on consumer data privacy and security.

WHAT: The 2nd International Summit on the Future of Health Privacy
WHEN: June 6-7th, 2012
WHERE: Georgetown University Law Center
600 New Jersey Avenue, NW. Hart Auditorium, McDonough Hall
Washington, DC 20001

REGISTRATION: http://www.healthprivacysummit.org/d/3cq92g/4W

AGENDA: http://www.healthprivacysummit.org/d/3cq92g/6X

SPEAKERS: http://www.healthprivacysummit.org/d/3cq92g/6K

FOLLOW US ON TWITTER: @PrivacySummit

SPONSORS/PARTNERS: Accenture, CA Technologies, Dell, e-MDs, FairWarning®, Harvard Data Privacy Lab, IDExperts, Jericho Systems, Microsoft, PwC, RTI International, Telemedicine and Advanced Technology Research Center (TATRC), The O’Neill Institute at Georgetown Law Center, The University of Cambridge Computer Laboratory, The University of Texas School of Information

ABOUT PATIENT PRIVACY RIGHTS: Patient Privacy Rights is the nation’s leading bipartisan health privacy organization and leading consumer voice for building ethical, trustworthy healthcare IT systems. For more information, visit http://patientprivacyrights.org

Contact:
Keith Blackman, 202-730-5753
keith@blackmanmediasolutions.com
or
Jim Popkin, 202-686-6699
jim.popkin@sevenoaksmedia.com

Office of the National Coordinator of Health IT, HHS, Announces PPR Summit

To learn more visit Health Privacy Summit and HealthIT.

The Second International Health Privacy Summit is quickly approaching (June 6-7). Our keynote speaker, Farzad Mostashari, MD, ScM is the National Coordinator for Health IT and will be giving a wonderful presentation on “Creating a Culture of Privacy and Security Awareness.” The Office of the National Coordinator for Health IT has given great support to this event and will be participating as well. Here’s what they have to say about the Health Privacy Summit:

June 6-7
2nd International Summit on the Future of Health Privacy

Over 40 leading health-privacy experts from around the globe will gather in Washington, DC for the 2nd International Summit on the Future of Health Privacy to discuss privacy and security issues raised by emerging health technologies. Experts from the U.S. government, the private sector and academia will explore new laws and regulations, data exchanges, secondary uses of health data and social media platforms and how they relate to the privacy and security of patient health information.

National Coordinator for Health Information Technology – Farzad Mostashari, MD, ScM – will kick off this year’s event with a keynote presentation on “Creating a Culture of Privacy and Security Awareness.”

See the full list of speakers at http://www.healthprivacysummit.org/d/3cq92g/6K .

* Agenda: http://www.healthprivacysummit.org/d/3cq92g/6X
* Registration: http://www.healthprivacysummit.org/d/3cq92g/4W FREE to attend or watch live online!

Report: HIEs failing at true interoperability

See a summary of the report by Mike Miliard at GovHealthIT: HIEs failing at true interoperability

· Healthcare organizations “must unlock the patient data in EHR silos of hospitals and affiliates to better coordinate and improve quality of care delivered. Health Information Exchange technology is the enabler.”

· Until EHR vendors incorporate a shared set of standards, HIEs will remain in a state of stunted development, said Moore: “Across the board, legacy systems fail to support true interoperability, and vendors are doing little to remedy this situation.”

· “The report will also look to the future as to how this [Health Information Exchange or HIE] market will grow and evolve over the next several years as meaningful use requirements take hold, healthcare reform brings forth changes in reimbursement models, access to health data moves to mobile platforms and the consumer takes on a larger role.”

The quotes above show that the health technology industry and the government are beginning to face key facts:

· Data silos endanger patient health and safety: obviously we need our doctors to see relevant parts of our medical records held by other doctors/hospitals.

Electronic Health Records companies, hospitals, and the many other corporations that hold our electronic health information want to continue to “own”, control, and sell our personal health data. They built this system of “silos” that prevents data exchange (also called “interoperability”). Corporations’ fiduciary duty to make profits for shareholders trumps exchanging health information to save patients’ lives and reduce costs!

· Consumers = patients. If we say so, our health records must be shared with our physicians or other health professionals. This is a matter of law.

No matter which corporations or health professionals hold our electronic health data, we are entitled to electronic copies. If you say your health data should be sent to another physician or health professional, the data holder must send it. ONLY individual patients or “consumers” have clear rights to control personal health information and have it sent to the other physicians and health professionals who are treating them.

· HIEs, data exchanges where patients have no meaningful control over who can copy and use their health information, are not the answer.

How “Direct” exchange works (via the “Direct Project”): a participant (like our physicians) can send secure, encrypted health information directly to a known, trusted recipient over the Internet. Unlike the case with HIEs, personal health information can’t be “pulled” from the 10, 20, or 100 places that hold our health records. Using the “Direct” method, someone has to decide to send one patient’s data to another person.

We ["consumers"] are the ONLY ones who can quickly, easily, and legally get and “exchange” our own health records at will. The Hippocratic Oath, the foundation of the physician-patient relationship, holds that sensitive health information should ONLY be shared with the patient’s consent.  Data exchanges like the Direct Project

The only way electronic health systems can work and earn the public’s trust is if data flows are controlled by patients, with very rare legal exceptions.
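The Direct model described above, as an added example that is not part of this post or of the Direct Project’s own code. It is a Go program using only the standard library, and it models the one property the argument rests on: a sender addresses a single named recipient and encrypts to that recipient only after the recipient’s certificate chains to an anchor in the sender’s own trust bundle, and nothing in the design offers a query or “pull” interface. The wire format (an AES-256-GCM content key wrapped with RSA-OAEP), the certificate names, the trust anchor and the sample message are all constructed for the example; real Direct uses S/MIME over SMTP with published trust bundles, which this does not reproduce.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte } // model wire format; real Direct uses S/MIME

// must panics on error: fine for constructed demo setup, not for production paths.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert issues a certificate for pub. A nil parent means self-signed, which is
// how this model makes a trust anchor (the role a Direct trust bundle entry plays).
func issueCert(cn string, pub *rsa.PublicKey, parent *x509.Certificate, signer *rsa.PrivateKey) *x509.Certificate {
	self := parent == nil
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         self, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, // S/MIME-style usage
	}
	if self {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// push encrypts msg to one named recipient, and only after that recipient's
// certificate chains to an anchor the sender trusts. There is no pull path.
func push(msg []byte, recipient *x509.Certificate, anchors *x509.CertPool) (*Envelope, error) {
	opts := x509.VerifyOptions{Roots: anchors, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := recipient.Verify(opts); err != nil {
		return nil, fmt.Errorf("refusing to send to %q: %w", recipient.Subject.CommonName, err)
	}
	pub, ok := recipient.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("recipient key is not RSA")
	}
	key, nonce := make([]byte, 32), make([]byte, 12) // AES-256 content key, 96-bit GCM nonce
	must(rand.Read(key))
	must(rand.Read(nonce))
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key)))) // cannot fail on a fresh 32-byte key
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, msg, nil)}, nil
}

// receive unwraps the content key with the recipient's private key and decrypts.
func receive(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key) // rejects a malformed wrapped key instead of panicking
	if err != nil {
		return nil, err
	}
	return must(cipher.NewGCM(block)).Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Demo runs the model on constructed keys and returns the text the trusted clinician
// recovered and whether a push to a self-signed stranger was refused.
func Demo() (string, bool) {
	newKey := func() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }
	caKey, drKey, strangerKey := newKey(), newKey(), newKey()
	ca := issueCert("Constructed Trust Anchor", &caKey.PublicKey, nil, caKey)
	dr := issueCert("dr.smith@clinic.example", &drKey.PublicKey, ca, caKey)
	stranger := issueCert("broker@datamart.example", &strangerKey.PublicKey, nil, strangerKey)
	anchors := x509.NewCertPool()
	anchors.AddCert(ca) // the sender's trust bundle: only certificates chaining here are accepted
	msg := []byte("constructed sample: lab result for patient 12345")
	got := must(receive(must(push(msg, dr, anchors)), drKey))
	_, err := push(msg, stranger, anchors) // self-asserted identity, no trusted chain: refused
	return string(got), err != nil
}

func main() {
	fmt.Println(Demo())
}
```

The refusal is the point: the stranger holds a perfectly valid key pair and a certificate with the same email-protection usage, yet the sender never encrypts to it because nothing vouches for it. In an HIE, by contrast, whoever is granted a query credential can pull records without any per-transfer decision by a sender. A real Direct deployment layers S/MIME signing, certificate discovery and trust-bundle distribution on top of this idea; the example omits all of that.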

Proposed Rules Prevent Patient Control Over Sensitive Information in Electronic Health Records (EHRs)

The proposed federal rules will require physicians and hospitals to use Electronic Health Records (EHRs) that prevent patient control over who can see and use sensitive personal health information.

This is the second time the federal government has proposed the use of technology that violates Americans’ strong rights to control the use and sale of their most sensitive personal information, from DNA to prescription records to diagnoses.

The proposed rules require EHRs to be able to show “meaningful use” (MU) and exchange of personal health data. PPR and other consumer and privacy advocacy groups submitted similar comments for the Stage 1 MU rules. These newly proposed rules are known as “Stage 2 MU” requirements for EHRs.

The most important function patients expect from electronic health systems is the power to control who can see and use their most sensitive personal information. Technologies that let patients decide who can see and use selected parts of their records have been working for over 10 years, in 8 states, for 4 million people with mental illness or addiction diagnoses. Today we do not have any way to know where our data flows, or who is using and selling it.

Even if we had a ‘chain of custody’ to prove who saw, used, or sold our personal health data—which we do not—it is still essential to restore patient control over personal health data so we can trust electronic health systems.

Technologies that require patient consent before data flows are cheap, effective, and should be required in all EHRs.

See Patient Privacy Rights’ formal comments on the Stage 2 MU proposed requirements submitted to the Centers for Medicare and Medicaid and the Office of the National Coordinator for Health IT at: http://patientprivacyrights.org/wp-content/uploads/2012/05/PPR-Comments-for-Stage-2MU-5-7-12.pdf

Health records lost, stolen or revealed online

From the Chicago Tribune Article: Health records lost, stolen or revealed online

“Almost a decade after a new law went into effect to strengthen health privacy protections, the number of breaches of patient records and databases across the U.S. suggests that personal health information is not as private or secure as many consumers might want or expect.

Since fall 2009, more than 400 large health care breaches affecting at least 500 people and more than 50,000 smaller breaches have been reported to the federal government.

One of the largest unauthorized disclosures in recent history of medical records and other private information happened in September, when computer tapes were stolen that contained data on almost 5 million people enrolled in TRICARE, the nation’s health program for military members, their families and retirees.

Some breaches have resulted in personal information being revealed online. The names and diagnosis codes of almost 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., were posted on a commercial website for nearly a year before it was discovered in September and taken down…

Dr. Deborah Peel, founder and chair of Patient Privacy Rights, a consumer group, would like to see more help for those whose information is breached and tougher punishment for those responsible. The BlueCross BlueShield of Tennessee settlement amounted to “roughly a dollar per breach record, which is nothing,” she said.