HIT systems among top 10 health tech hazards, says ECRI

Another story about why health technology is not ready for prime time. Today untested, unsafe health technologies and applications that eliminate patient control over sensitive personal health information are mandated for use by physicians and hospitals.

Today patient health data is widely disclosed and sold through electronic systems (see the ABC story about the sale of diabetic patient records for $14-$25 per patient). It will be years until patients can control sensitive information (from prescriptions to DNA to diagnoses), because the systems were never designed to comply with patients’ rights to control their health records. There is no data map showing where our personal health data is held or what it is being used for (see Prof. Sweeney explain the need for a health data map on video).

In addition, health technology poses serious risks to patients, including:

  • patient/data mismatches between systems (which would not happen if patients controlled the use and disclosure of their information)
  • interoperability failures between medical devices and health IT systems
  • caregiver distractions from smartphones and other mobile devices

Re: Social media and patient privacy lessons ripped from the headlines

Karen Cheung-Larivee’s recent FierceHealthcare article, “Social media and patient privacy lessons ripped from the headlines,” once again reminds us that health privacy isn’t a concern limited to how information is exchanged in and among doctors’ offices or hospitals. Even the casual ways people reveal parts of their own lives to their social networks can violate someone else’s health privacy when they reveal sensitive details about other people’s lives too.

Unfortunately, there aren’t really rules protecting people from the harms that can occur when someone else broadcasts their personal information in the wild wild west of social media. However, that doesn’t mean institutions are completely absolved of their responsibility to protect patients’ privacy, no matter the environment. As the article points out:

One of the most common social media fumbles is patients posting about other patients. Although it’s not a breach of HIPAA or HITECH (because patients aren’t considered “covered entities”), the hospital still has a responsibility under state law to protect patients.

No doubt social media provides a medium that allows us to connect and reach out to others in new and powerful ways. However, as users of these tools, we must also be mindful of how the ways we connect and interact with the rest of the world can have damaging effects on ourselves and others, whether it’s in the here and now or some point down the line.

Has your health privacy ever been violated as a result of social media? Are you willing to talk about what happened so others might learn from your experience? Please use this form to share your story.

Aggressive New Texas Law Increases Fines, Training Rules; Could Hit CEs Nationwide

Aishealth.com explains the new Texas Medical Privacy Act that has recently been signed into law and quotes Dr. Deborah Peel of PPR in their latest report on patient privacy. The report is only available through subscription but below are a few key points and quotes from it. If you have a subscription to aishealth.com, you can view the full article at Aggressive New Texas Law Increases Fines, Training Rules; Could Hit CEs Nationwide.

“A new Texas law governing the privacy and security of protected health information, perhaps the broadest and among the toughest of such laws in the nation, went into effect on Sept. 1. The Texas Medical Privacy Act, signed into law June 17, 2011, by Gov. Rick Perry (R), not only increases requirements beyond those in HIPAA for organizations that are already covered entities (CEs), but greatly expands the number and type of Texas-based CEs required to comply with the privacy standards in HIPAA and adds a bunch of its own requirements. It contains separate mandates for breach notification of electronic PHI and penalties for violations.

The new law ‘is basically HIPAA, but applies to everyone who touches PHI’ and will have a ‘big impact on entities that get PHI but aren’t technically business associates – which are now effectively covered in Texas and must comply with HIPAA restrictions on use and disclosure,’ says longtime HIPAA expert and Texas attorney Jeff Drummond, a partner in the Dallas office of Jackson Walker LLP.
‘The biggest impact on CEs and BAs are the shorter timeframes for giving access to records and the training requirement,’ he says. And the new law, which amends two existing areas of Texas regulations, carries a punch: the law provides for ‘administrative, civil and criminal penalties’ that dwarf even those that were expanded under HITECH.

The law is likely to have an impact outside of Texas and spur privacy advocates to push for similar legislation in their states or at the national level. One of the most outspoken patient privacy advocates, Austin psychiatrist Deborah Peel, was among those who supported the law, testifying before elected officials during their deliberations in 2011.

‘We hope the Texas law inspires other states to write strong laws that emphatically reject hidden data flows that the data mining and data theft industry profit from at our expense,’ Peel tells RPP. ‘The states can restore and strengthen personal control over health information – it’s what the public expects from health information technology systems and it’s our right to have [such control].’ Peel adds that ‘It’s also good business to prevent thousands of people from accessing PHI, [as] fraud, identity theft and medical identity theft are exploding.’”

Protecting Our Civil Rights in the Era of Digital Health

See the full article by William Pewen in The Atlantic: Protecting Our Civil Rights in the Era of Digital Health

Bill Pewen has written the BEST BRIEF HISTORY OF HOW HEALTH INFORMATION PRIVACY WAS ELIMINATED I HAVE EVER SEEN, from diagnoses to prescription records to DNA. Terrific to see this in the Atlantic!

He shows how technology-based discrimination works, and makes the case that selling people’s health information/profiles is a major business model for the largest technology/Internet corporations: “Millions [of people] are beginning to recognize that they are not the customers, but the product.”
“[A]dvancing technology was opening a virtual Pandora’s Box of new civil rights challenges. At the crux of these was the fact that scientific progress has been enabling increasingly sophisticated discrimination.” … “Our experience with GINA helped to reveal the tip of an emerging threat — the use of modern data systems to create new forms of discrimination — and our concern focused on the use of personal medical data. While genetic data expresses probabilities, other parts of one’s medical record reflect established fact — an individual’s diagnoses, the medications one has used, and much more.”

“Genetic discrimination comprised just one of a number of game-changing technological challenges to civil rights. Confronting these presents new obstacles, and points to the need for a paradigm shift in our approach to prevent such inappropriate bias.”

He concluded with a call for “a 2nd civil rights bill of the 21st century”, based on key principles and tests to evaluate whether technology harms people:

Principles:

· First: “certain harmful acts must be clearly prohibited”

· Second: “the possession and use of personal medical data should be restricted without an individual’s consent”

Harms tests:

To determine “whether an application of technology undermines existing civil rights statutes, … consider its potential to impose harm in terms of three tests.”

· First: “the immutability of a trait. Profiling based on an unchangeable [genetic] characteristic should raise questions, as the ability of an individual to impact these is absent.”

· Second: “relevance … [for example] we would not permit such irrelevant traits as race or gender to be used to discriminate in the hiring of flight crews.”

· Third: “the presumption of a zone of privacy. … neither personal medical information nor its correlates should be considered in the public domain.”

Senator Snowe and her top health expert, Bill Pewen, are real privacy heroes, responsible for key new consumer privacy and security protections in the technology portion of the stimulus bill (HITECH). The bipartisan Coalition for Patient Privacy worked very closely with them to support consumer protections they championed.

EHRs and Patient Privacy- An Oxymoron? Psychiatric Times Cover Story

A recent article in the Psychiatric Times based on the 2nd International Summit on the Future of Health Privacy describes the major problems with EHRs and the consequences of the misuse of this technology. The article quotes both Dr. Peel and Dr. Scott Monteith as well as “Julie” when describing the flaws of EHRs and HIEs. The article is available by subscription only through Psychiatric Times, but here are some highlights and quotes from the article:

“The escalating use of electronic health records (EHRs) and health information exchanges (HIEs) is fraught with unintended and sometimes dire consequences—including medical coding errors and breaches of psychiatric patients’ privacy and confidentiality, according to [Dr. Peel and Dr. Monteith] who scrutinize the field”

“At the recent Second Annual International Summit on the Future of Health Privacy, psychiatrist Scott Monteith, MD, Clinical Assistant Professor in the Departments of Psychiatry and Family Medicine at Michigan State University and a medical informaticist, relayed the experience of a patient who discovered that her EHR erroneously reported a history of inhalant abuse. In reality, she had a history of “caffeine intoxication.” After much investigation, the problem was identified. The DSM-IV-TR code (305.90) is used for 4 different diagnoses, including caffeine intoxication and inhalant abuse, but the EHR’s printout only made the inhalant abuse diagnosis visible. Although the error was reported to the EHR vendor, the problem persists after almost 2 years.”

“‘It is impossible for consumers to weigh the risks and benefits of using health IT and data exchanges when they have no idea where their data flows, who is using it or the purpose of its use,’ wrote Peel, a psychiatrist and psychoanalyst.”

“…Peel emphasized the importance of patients being able to control access to sensitive personal health information. The open source consent technologies, she explained, have been used for more than 12 years by many state mental health departments to exchange sensitive mental health and substance abuse data on some 4 million people in more than 8 states.”

“…‘Millions of patients/year refuse to seek treatment when they know they cannot control where their data flows,’ she wrote. ‘Any HIE or EHR that cannot selectively share data with the patient’s meaningful consent, withhold data without consent, AND withhold erroneous data is a failed system or technology. The refusal of certain health IT companies to build technologies that comply with the law and what patients expect shows very poor judgment.’”

If you wish to view the full article by Arline Kaplan and are a subscriber of Psychiatric Times, it can be found at Electronic Health Records and Patient Privacy- An Oxymoron?
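The lossy code-to-label rendering in Dr. Monteith’s account above, and the three requirements Peel sets out for a consent-respecting HIE or EHR, as an added example that is not part of the Psychiatric Times article, the patient’s EHR, or any vendor’s system. The code table, the patient record, the recipient names and the consent settings are constructed for the example; the only fact taken from the article is that DSM-IV-TR code 305.90 covers both caffeine intoxication and inhalant abuse (the real table has four entries; only the two named are listed here).

```python
"""Added example: a miniature diagnosis renderer and consent-filtered
disclosure.  Not from the article or any vendor's code.  Every code, label,
patient entry, recipient and consent setting below is constructed, except
that DSM-IV-TR 305.90 really is shared by caffeine intoxication and
inhalant abuse, as the article states."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed code table.  305.90 is deliberately many-to-one: the two
# labels listed are the ones named in the article (the real table has four).
CODE_TABLE: Dict[str, List[str]] = {
    "305.90": ["Inhalant abuse", "Caffeine intoxication"],
    "401.9": ["Essential hypertension"],
}


@dataclass
class Diagnosis:
    code: str                      # billing/classification code as stored
    term: Optional[str] = None     # the clinician's own words, if stored at all
    sensitive: bool = False        # mental health / substance use category
    disputed: bool = False         # patient has flagged the entry as erroneous


def render_naive(dx: Diagnosis) -> str:
    """The failure mode from the article: a code-only entry is rendered by
    taking the first label that carries the code, so a caffeine intoxication
    entry stored as bare 305.90 prints as inhalant abuse."""
    return f"{dx.code} {CODE_TABLE[dx.code][0]}"


def render_safe(dx: Diagnosis) -> str:
    """Render only what the record supports: the stored clinical term when it
    agrees with the code, the sole label when the code is unambiguous, and an
    explicit marker otherwise.  Never guess among several diagnoses."""
    labels = CODE_TABLE.get(dx.code, [])
    if dx.term is not None:
        if dx.term in labels:
            return f"{dx.code} {dx.term}"
        return f"{dx.code} [CODE/TERM MISMATCH: term '{dx.term}' not valid for code]"
    if len(labels) == 1:
        return f"{dx.code} {labels[0]}"
    return f"{dx.code} [AMBIGUOUS CODE: {len(labels)} possible diagnoses, no clinical term stored]"


def disclose(record: List[Diagnosis], recipient: str,
             consents: Dict[str, bool]) -> List[str]:
    """Peel's three requirements: share selectively under the patient's
    consent, withhold sensitive data absent consent (default deny for a
    recipient the patient never addressed), and withhold disputed entries."""
    may_see_sensitive = consents.get(recipient, False)
    out: List[str] = []
    for dx in record:
        if dx.disputed:
            continue                      # never propagate data the patient has flagged
        if dx.sensitive and not may_see_sensitive:
            continue                      # no consent, no disclosure
        out.append(render_safe(dx))
    return out


# Constructed patient record mirroring the story: a code-only 305.90 entry
# that the patient has disputed, the corrected entry carrying the clinician's
# term, and an unrelated non-sensitive diagnosis.
PATIENT_RECORD = [
    Diagnosis("305.90", term=None, sensitive=True, disputed=True),
    Diagnosis("305.90", term="Caffeine intoxication", sensitive=True),
    Diagnosis("401.9", term="Essential hypertension"),
]

# Constructed per-recipient consent settings chosen by the patient.
CONSENTS = {"psychiatrist": True, "orthopedist": False}

if __name__ == "__main__":
    bare = Diagnosis("305.90", sensitive=True)
    print("naive:", render_naive(bare))       # 305.90 Inhalant abuse
    print("safe: ", render_safe(bare))        # flagged as ambiguous instead
    for who in ("psychiatrist", "orthopedist", "unknown-hie-node"):
        print(who, "->", disclose(PATIENT_RECORD, who, CONSENTS))
```

The two design points are that a classification code is not a diagnosis record (keep the clinician’s term alongside the code and refuse to render a many-to-one code without it), and that consent is evaluated per recipient with deny as the default, so an exchange node the patient never heard of sees nothing sensitive and never sees an entry the patient has disputed.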

Health privacy issues can be resolved without obstructing care

See the full article at FierceHealthIT.com

“At times, it seems like concerns about the security and privacy of healthcare data have catapulted into overdrive: For instance, it recently was predicted that healthcare spending on security would hit $70 billion a year by 2015–enough to cover the majority of the uninsured. Sure, there are plenty of security breaches–some of them serious enough to attract public attention. But as a few recent cases show, universal encryption of data (some forms of which may soon be required under the latest HIPAA rules) could eliminate the biggest source of security breaches. Also, with the advent of virtual desktop infrastructure, there’s no reason to store any personal health information on end-user devices…

…Another challenge in the security arena is giving consumers the ability to control who sees their records. While most physicians now have their patients sign HIPAA forms so that they can share data with other providers, the advent of electronic health information exchange (HIE) has greatly increased access to a wide range of individually identifiable data from a variety of sources. And patients may not want everyone who treats them to know, for example, that they have seen a psychiatrist.

A study recently published in Health Affairs documents the extent to which five California healthcare organizations follow principles for protection of patient information that were developed by consumer groups and other stakeholders. Although the healthcare providers took privacy and security seriously, the report said, “none of the organizations did much to educate consumers about the data available about them or to enable them to control their data.””

Re: BCBS Breach in Tennessee

The Office for Civil Rights in the Dept. of Health and Human Services (OCR) slapped the wrist of BCBS of Tennessee.

One million people’s protected health information was breached because Blue Cross Blue Shield (BCBS) of Tennessee violated data security laws. The settlement cost BCBS a little more than $1.00 per person, hardly a deterrent to other corporations or adequate punishment. Yet that amount happens to be the highest possible fine permitted by law (HITECH).

Still, it appears that penalties for “willful neglect” could have been pursued rather than OCR accepting a settlement. OCR’s finding that the legally required “adequate administrative and physical safeguards” were lacking is evidence of willful neglect, the tier that carries the harshest HITECH penalties.

Worst of all, the one million victims received NO protection against future ID theft or medical ID theft. OCR could have also required BCBS to mitigate future patient harms, but didn’t. New technologies can protect against medical ID theft by enabling patients to review all new claims, so they can detect and prevent fraudulent claims and erroneous data from being entered into their records.

Why didn’t OCR require BCBS to adopt remedies that protect the patients whose records were breached from further misuse and theft? Shouldn’t OCR help protect victims?

Re: Pres. Obama appoints Todd Park nation’s CTO

The new US Chief Technology Officer (CTO) was chosen for using “innovative technologies to modernize government, reduce waste and make government information more accessible to the public.”

What role does the CTO have in protecting individuals from technology harms? Whose role is it to protect the public from damaging technologies and “big data”?

Technology could enable break-through health research and improve the quality of healthcare. But we won’t have complete and accurate health data needed for transformative research when millions don’t trust electronic health systems. The 35-40% of the public who are “health privacy intense” realize US law doesn’t adequately protect their rights to health privacy.

The full article by Bernie Monegain in Healthcare IT News: President Obama appoints Todd Park Nation’s CTO

Changes to EU Data Protection Directive Will Likely Impact U.S.-Based Companies

See full article at Loeb & Loeb, LLP Privacy Law Alert: Changes to EU Data Protection Directive Will Likely Impact U.S.-Based Companies

“Planned changes to the European Union’s Data Protection Directive (EU Directive), some of which are directed at non-EU companies, may significantly impact how U.S.-based entities that interact with EU consumers can collect, store and use consumer data.

The revised EU Directive will give consumers more control over their personal data, including requiring explicit user consent before companies can use data and giving consumers the right to delete data, especially data they posted themselves, otherwise known as the “right to be forgotten.”  The proposed changes also will likely include increased transparency for data processing – providing greater information about when and how data is collected, stored and used, and making it easier for consumers to indicate their privacy preferences.”

Much Ado About Data Ownership

Abstract: Recently there have been calls to clarify ownership of data held in large health information networks. This article explores the realities of what patient data ownership would imply to explain why a clearer allocation of entitlements to raw health data would neither enhance patient privacy nor promote access to valuable data resources for public health and research. It updates the debate to account for the 2009 HITECH Act, which correctly recognized that raw patient data are not the valuable resource; these data acquire value only through the application of infrastructure services. The HITECH Act drew on a long tradition of American infrastructure regulation that offers real promise in resolving the infrastructure bottlenecks which (rather than the unresolved status of data ownership) have been the key impediment to data access. Despite this progress there are two unresolved problems, both heretofore neglected in the literature: First, the existing federal regulatory framework governing data access conceives the state’s police power to use data to promote public health much more narrowly than the police power is conceived in all other legal contexts. Second, existing regulatory provisions allowing nonconsensual access to data for research fail to incorporate any “public use” requirement to ensure that unconsented research uses of data are justified by a publicly beneficial purpose. As things stand, persons whose health data are used in research have no assurance that the use will serve any socially beneficial purpose at all. This article reframes the debate. The right question is not who owns health data. Instead, the debate should be about appropriate public uses of private data and how best to facilitate them while adequately protecting individuals’ interests.

Barbara J. Evans, Much Ado About Data Ownership, 25 Harvard Journal of Law & Technology (forthcoming 2011), available at http://ssrn.com/abstract=1857986
Barbara J. Evans: Associate Professor; Co-director, Health Law & Policy Institute, University of Houston Law Center; bjevans@central.uh.edu. J.D., Yale Law School; Ph.D., Stanford University; Post-doctoral Fellow, The University of Texas M.D. Anderson Cancer Center. This research has been supported by the Greenwall Foundation and by the University of Houston Law Foundation.