The Reports of the Death of Privacy Were Exaggerated: California Breathes New Life into the Privacy Rights of its Residents

Vast NSA troves of phone and email data and the huge focus on HealthCare.gov’s website provoked intense public concern about hidden uses and sales of personal data…..especially personal health data.

But there is great news from California:  tough new laws to protect data privacy were enacted in September.  See: “The Reports of the Death of Privacy Were Exaggerated: California Breathes New Life into the Privacy Rights of its Residents”, Tuesday, November 19, 2013, by Sharon R. Klein and Odia Kagan

States like CA and TX (HB 300) passed new laws because state residents are demanding stronger data privacy protections, and Congress and federal agencies have failed to act.

Key new data privacy protections in CA:

“Business(es) offering software or hardware to consumers… designed to maintain medical information or to assist in the diagnosis and treatment of individuals” must:

Press your state lawmakers to pass strong new data protection laws like California’s.  People want technology that protects privacy. They won’t trust companies and government that eliminate privacy and use personal data without consent.

The Office Nurse Now Treats Diabetes, Not Headaches

In response to the escalating costs of healthcare many employers are adding on-site medical clinics to help their employees become healthier—and don’t use employees’ personal health data to penalize them or discriminate against them.

But other large employers, such as CVS, use high costs to justify replacing employees’ health insurance with health savings accounts, imposing involuntary health screenings and wellness programs, and penalizing workers who don’t respond to these simplistic solutions.

Two studies in Health Affairs show that wellness programs don’t work:

  • -“Wellness Incentives In The Workplace: Cost Savings Through Cost Shifting To Unhealthy Workers” See: http://content.healthaffairs.org/content/32/3/468.abstract
  • -“A Hospital System’s Wellness Program Linked To Health Plan Enrollment Cut Hospitalizations But Not Overall Costs”  See: http://content.healthaffairs.org/content/32/3/477.abstract
  • -Rising US healthcare costs are NOT caused by sick people who seek treatment, but by industries that decide what to charge for treatment—including the health insurance industry, the hospital industry, the drug industry, the outpatient surgical center industry, and the lobbying industry.  Industry charges have no real constraints because healthcare is not optional, sick people, employers, and/or government must pay.

Learn about why the US pays sky-high healthcare costs in Time magazine’s March 2013 issue, “Bitter Pill: Why Medical Bills Are Killing Us”

To view the full article, please visit The Office Nurse Now Treats Diabetes, Not Headaches.

Employees’ unhealthy habits have growing effect on their insurance premiums

The story below concludes that “Employees now contribute 42 percent more for health care than they did five years ago.”   Just because employees are stuck paying higher healthcare bills doesn’t necessarily mean they are causing costs to increase.

If employees were driving up healthcare costs, then using financial penalties to force them to undergo intrusive health screenings and join wellness programs might make sense.

But employees aren’t causing the high costs of healthcare in the US.  Time magazine concluded that healthcare corporations, such as hospitals and the pharmaceutical industry, outpatient procedures, and lobbying costs are the main culprits.

Time magazine’s issue titled “Bitter Pill, why medical bills are killing us” identified several factors in high US healthcare costs:

The article below quotes the National Business Group on Health (NBGH), a lobbying group with assests of $18,772,047 in 2011. The NBGH blames employees for rising healthcare costs, instead of its many healthcare corporation members.

  • -URL for NBGH members: https://www.businessgrouphealth.org/join/members.cfm
  • -Blaming employees allows the NBGH to defend using coercive, intrusive wellness programs even for employees with complex, hard-to-manage illnesses, that wellness programs don’t help:
    • -See “Wellness Incentives In The Workplace: Cost Savings Through Cost Shifting To Unhealthy Workers” By Jill R. Horwitz, Brenna D. Kelly, and John E. DiNardo. Health Affairs, 32, no.3 (2013):468-476; doi: 10.1377/hlthaff.2012.0683; http://content.healthaffairs.org/content/32/3/468.full.html

Meanwhile screening companies, labs, and wellness programs collect sensitive employee health information and control its use, disclosure, and sale.

  • -There is no ‘chain of custody’ for health data so employees have no way to know who sees their health information.
  • -The US has NO data map to track the thousands of hidden companies that collect, use, or sell Americans’ personal health information.
  • -Corporations that collect employees’ health information treat it as a corporate asset, not as sensitive personal information that patients have strong rights to control.
  • -So it’s impossible to verify whether the NBGH lobbyist’s statement that “few employers would risk intentionally misusing such information” is true or false.

Blaming people who are sick for the high costs of their medical care instead of the corporations that overcharge is a really neat trick. It also provides a rationale for coercing employees to enter wellness programs and violating their rights to health privacy.

Unfortunately, simply “blaming the victims” won’t solve escalating healthcare costs.  We have to look broadly at individuals, the entire healthcare system, the food-chain, and larger cultural factors to identify and deal with all the real causes.

athenahealth and Mashery team up for health developer-friendly API initiative

To view the full article, please visit athenahealth and Mashery team up for health developer-friendly API initiative.

Electronic health records (EHRs) companies allow access to patients sensitive health data and sensitive information about physicians’  practices so technology companies can develop applications.

Applications have the potential to be useful to physicians and patients but at what cost to privacy? Will EHR “apps” secretly collect and sell people’s information the way Smartphone apps collect and sell contact, GPS data and more?  We now know the business model for many technologies is selling intimate personal data.

Quotes:

  • ·athenahealth will open “access to doctors’ appointment data, patient’s medical history (anonymized) , billing information and more”,
  • ·“the company hopes developers will be able to create an ecosystem of apps on top of athenahealth’s EMR service”
  • ·“Other EMR providers, including Allscripts and Greenway, have also opened up their APIs to developers and created app marketplaces.”

The press release on this athenahealth project stated, We’re providing the data and knowledge from our cloud-based network, a captive audience for developers to innovate for, and an online sandbox to do it all in.”

  • ·Who are the “captives”? athenahealth’s 40,000 physicians and their 100’s of thousands of patients

QUESTIONS:

  • ·When were the “captive” patients asked for consent for strangers who want to use and monetize their health records?
  • ·When were “captive” physicians asked consent for strangers to use information about their practices, what they charge, who they treat, how they treat patients, how they are paid by whom, and much more?
  • ·Why does athenahealth claim that patient data is “anonymized”—-when its impossible to prevent “anonymized” patient records from easy re-identification?

Many electronic health record (EHR) companies allow access/or sell sensitive patient data to technology developers and other companies.

BROADER QUESTIONS

  • ·When did the public learn about, debate, or agree to the use of their sensitive patient data by technology companies to build products?
  • ·Why do technology companies claim that “anonymization” and “de-identification” of health data works, when computer science has clearly proved them wrong?
  • ·How is the identifiable health data of hundreds of thousands of patients protected from any OTHER uses the technology developers decide to use it for?
  • ·How can the public weigh the risks and harms vs. benefits of using EHRs when there is no ‘chain of custody’ for our health data and no data map that tracks the thousands of HIDDEN users of our personal health information?
  • See Harvard Prof Latanya Sweeney explain the need for a data map at: http://tiny.cc/5pjqvw
    • -Attend or watch via live-streaming video the 2103 International Summit on the Future of Health Privacy in Washington DC June 5-6 to see the first data map Prof Sweeney’s team has built. Registration to attend or watch is free at: www.healthprivacytsummit.org

HIStalk News 3/22/13 – Quotes Dr. Deborah Peel on new CVS policy

To view the full article, please visit HIStalk News 3/22/13.

Key quote from the article:

“Patient Privacy Rights Founder Deborah Peel, MD calls a new CVS employee policy that charges employees who decline obesity checks $50 per month “incredibly coercive and invasive.” CVS covers the cost of an assessment of height, weight, body fat, blood pressure, and serum glucose and lipid levels, but also reserves the right to send the results to a health management firm even though CVS management won’t have access to the results directly. Peel says a lack of chain of custody requirements means that CVS could review the information and use it to make personnel decisions.”

Debt Collector Is Faulted for Tough Tactics in Hospitals

See full story in the New York Times: Debt Collector Is Faulted for Tough Tactics in Hospitals

“Hospital patients waiting in an emergency room or convalescing after surgery are being confronted by an unexpected visitor: a debt collector at bedside.

This and other aggressive tactics by one of the nation’s largest collectors of medical debts, Accretive Health, were revealed on Tuesday by the Minnesota attorney general, raising concerns that such practices have become common at hospitals across the country…

To patients, the debt collectors may look indistinguishable from hospital employees, may demand they pay outstanding bills and may discourage them from seeking emergency care at all, even using scripts like those in collection boiler rooms, according to the documents and employees interviewed by The New York Times.

In some cases, the company’s workers had access to health information while persuading patients to pay overdue bills, possibly in violation of federal privacy laws, the documents indicate.”

Your Health Information Isn’t Secure But Don’t Blame EHRs

There’s a lot of talk about the risks of storing health information in electronic medical records (EMRs). But, EMRs aren’t the problem. Those consent forms you sign at the doctor’s office… yeah, you should pay attention to the fine print. You may be giving permission to insurance companies, drug makers, and data aggregators to access your health information, regardless of how or where it’s stored. Sorry to get all sour grapes, but we just want to set the record straight. Here’s what you need to know about who can see your health information, how they can legally use it, and what you can do to protect yourself.

Your Doctor Isn’t the Only Person Who Knows Your Diagnosis

Have you heard of the Medical Information Bureau (MIB)? What about IntelliScript and MedPoint? These organizations, among others, build databases of Americans’ private medical information and sell it to other companies (MIB, a non-profit, only provides the information to its members). It’s perfectly legal. But, ethical? Well, you decide.

Data aggregators track down diagnoses codes, lab data, and prescriptions from databases such as those kept by pharmacy benefit managers. The data is later sold to health and life insurance companies to assess the risk of writing a policy. In other words, they can use it to determine rates, or possibly deny you service. However, we should point out that the MIB uses proprietary codes and only receives this information from member companies. The codes are “brief resumes” that act as “red flags” about a particular medical impairment or risk to a patient’s mortality or morbidity. MIB members aren’t supposed to make underwriting decisions based solely on a code.

Some of these organizations even perform analysis for insurance companies. For example, IntelliScript from Milliman provides insurers with drug profiles of patients. In each patient profile, they assign color codes to a drug – red, yellow, or green – in order to indicate its risk factor. Red means risk. It could be used to spotlight drugs for serious illnesses like cancer or AIDS.

Insurers: Records weren’t lost at health fair

See Story: Insurers: Records weren’t lost at health fair

This story just gets worse, highlighting the poor judgment of the insurance companies. Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan never even considered how sensitive patients are about the privacy of personal health information, from their prescription records to DNA.

Now Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan claim that taking the health records of 285,691 people to community health fairs is a way to “save lives”. That particular argument is often used to make people believe that a decision was made for important and worthwhile, even essential reasons. So let’s take a look and see if the decision to take health records to community health fairs is a good decision or makes sense.

The insurers want their employees to check people’s medical records and decide if a test is needed, like a mammogram, and schedule it—at a health fair. But as a matter of law, ONLY physicians can order tests like mammograms—not insurance company employees. Their employees cannot schedule doctor’s appointments, much less medical tests. Besides, most people are very uncomfortable with strangers, who are not health professionals that treat them, looking at their medical records.

Most people would never want their sensitive health records taken to health fairs in the first place. Obviously, Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan did not ask those enrolled for consent to take their records to health fairs, or anywhere outside of their offices where personal records are supposed to be used to ONLY to pay claims.

Most people strongly object to health insurers even having, keeping, or using their sensitive health records. Patients want insurers to have the bare minimum information about them to pay claims. Patients typically do not turn to insurers for advice about their health, about treatment, or to recommend tests.

And the insurers say conflicting things about what kinds of information and how much was on the flash drive. If only recent screenings were on a flash drive, a woman’s last mammogram might not be there. No physician would order a test like a mammogram without knowing the exact date of the last one and the details of her history, like what risks she has for breast cancer. Unnecessary mammograms expose women to radiation.

It appears that this example of helping women at health fairs to get needed mammograms doesn’t make any sense, because the employees of insurance companies cannot order or schedule mammograms—or doctor’s appointments.

The example of saving women from breast cancer at community health fairs is so far-fetched that it may have been fabricated to try and make it seem that the insurers had good reasons to take sensitive health records out of their offices. But it’s hard to judge their reasons and intentions without full disclosure, so we are left with the few things they said and did. They exposed 285,691 people’s sensitive demographic and health information to loss, sale, identity theft, and medical identity theft for reasons that don’t make sense.

Is it responsible to allow insurance employees access to people’s sensitive health records at health fairs and risk the loss or theft of that sensitive data?

If the insurers actually put complete or very detailed health information on enrolled patients on a flash drive that would enable a health professional to know enough to order certain tests, and the stated goal is to increase screening for needed tests, and there are far more effective and privacy-protective ways to do that. They do not have health professional staffing their booths at health fairs. Insurers could contact patients directly by mail or email or phone IF the patient had opted in to receiving advice or reminders from them. Or insurers could contact doctors if they think a test is needed, so doctors can evaluate full records and decide whether tests should be ordered.

Risking the privacy of 285,691 people at a health fair to improve screening for breast cancer or other unnamed conditions is a bad decision—whether they encrypt the data or not. Encrypting the data would have lowered the risk of loss, theft, or sale of the information, but would not solve the problem of using patients’ sensitive health information in ways that they would never want or agree to.

Privacy Risk Calculator

Is your sensitive health information at risk of being exposed and sold?

Take the following quick quiz to see if your health privacy is at risk.

Please Note:
Keep track of the total points earned by each answer
to calculate your health information’s privacy risk.

BEGIN THE PRIVACY QUIZ RISK CALCULATOR

More than just google

In response to the Consumer Watch article: “U.S. Senate Records Reveal Google Inc. Lobbying Campaign On Personal Medical Records Law Despite Internet Giant’s Denials

This story is of interest because the public has no idea which corporations lobbied against their privacy rights in the stimulus bill or how much was spent overall to try to eliminate health privacy.

The focus on Google alone is misleading and actually distracts from the real work of informing the public about the major health-related industries that have long opposed Americans’ privacy rights. The real question is which other industry giants that are not household names lobbied against privacy?

The total lobbying money spent by the massive secret health data mining industry, insurers, hospitals, and big Pharma to oppose Americans’ rights to privacy far exceeds Google’s lobbying expenses.

If we don’t know who all the culprits are, we can’t stop them and restore privacy.

The most dangerous enemies of privacy are the ones we don’t know about.