Proposed Rules Prevent Patient Control Over Sensitive Information in Electronic Health Records (EHRs)

The proposed federal rules will require physicians and hospitals to use Electronic Health Records (EHRs) that prevent patient control over who can see and use sensitive personal health information.

This is the second time the federal government has proposed the use of technology that violates Americans’ strong rights to control the use and sale of their most sensitive personal information, from DNA to prescription records to diagnoses.

The proposed rules require EHRs to be able to show “meaningful use” (MU) and exchange of personal health data. PPR and other consumer and privacy advocacy groups submitted similar comments for the Stage 1 MU rules. These newly proposed rules are known as “Stage 2 MU” requirements for EHRs.

The most important function patients expect from electronic health systems is the power to control who can see and use their most sensitive personal information. Technologies that empower patients to decide who can see and use selected parts of their records have been working for over 10 years in 8 states for 4 million people with mental illness or addiction diagnoses. Today we do not have any way to know where our data flows, or who is using and selling it.

Even if we had a ‘chain of custody’ to prove who saw, used, or sold our personal health data—which we do not—it is still essential to restore patient control over personal health data so we can trust electronic health systems.

Technologies that require patient consent before data flows are cheap, effective, and should be required in all EHRs.

See Patient Privacy Rights’ formal comments on the Stage 2 MU proposed requirements submitted to the Centers for Medicare and Medicaid and the Office of the National Coordinator for Health IT at:

PPR on article: What ‘Patient-Centered’ Should Mean…

It is extremely helpful that the nominee to head one of the largest federal agencies, the Centers for Medicare and Medicaid (CMS), stated he believes medical records should belong to patients.

You will be intrigued by Don Berwick’s terrific and very personal article titled “What ‘Patient-Centered’ Should Mean: Confessions Of An Extremist, A seasoned clinician and expert fears the loss of his humanity if he should become a patient.” He is a highly respected physician and scholar. Key quotes:

  • “Medical records would belong to patients. Clinicians, rather than patients, would need to have permission to gain access to them.”
  • “My proposed definition of “patient-centered care” is this: The experience (to the extent the informed, individual patient desires it) of transparency, individualization, recognition, respect, dignity, and choice in all matters, without exception, related to one’s person, circumstances, and relationships in health care . . .”

Discussion on Targeting in the UK using the National Health Service

UK patients are outraged over whether the government NHS (National Health Service) database was used to find individual cancer patients and pressure them to vote for the Labour party. See article here.

Even if NHS data was not used, CLEARLY there is enough commercial data for sale in both Britain and the US for cancer victims’ addresses to be found and re-identified.

Allowing the secret US data mining industries that steal, collect, aggregate, and sell all Americans’ sensitive personal health information, health-related searches, health-related posts on social websites, email about health, and health-related purchases to continue doing business-as-usual is a prescription for disaster.

It’s a key reason we are seeking 500,000 people to sign the Do Not Disclose list. If Congress gets 500,000 signatures, they will pass a law to restore our control over our digital health records and set up the list.

Don Berwick MD, President Obama’s nominee to lead the Centers for Medicare and Medicaid, agrees that health information should belong to patients—and doctors should have to ask us to see it. See his article on patient empowerment: What ‘Patient-Centered’ Should Mean.

Yes, it’s illegal for employers and banks to use health information—but if they have it, they can use it—and there is no way to stop them.

We should be able to stop anyone from getting our health information. A national Do Not Disclose list would ensure we decide who sees our health information and who doesn’t.

It’s time to prevent corporations and government from being able to get our sensitive health information without consent. Sign the Do Not Disclose list!


  • “The Conservatives and the Liberal Democrats have attacked the Labour Party for sending “alarmist” literature to cancer patients, and called for an inquiry into whether NHS databases had been used to identify recipients. The row erupted after Labour sent cancer patients mailshots saying that their lives may be at risk under a Conservative government.”
  • “Experian, the data management company, confirmed that both Labour and the Conservatives use its Mosaic database, which divides voters into 67 groups. The databases can use anonymised hospital statistics, including postcodes and the diagnoses of patients, to identify the likely addresses of those with particular illnesses.”

Economic Stimulus Package Likely To Cost $850 Billion, With Up to $90B for State Medicaid Programs

The economic stimulus package under development by President-elect Barack Obama and congressional Democrats likely will cost almost $850 billion, including up to $90 billion in additional federal funds for state Medicaid programs…

…In related news, privacy and civil liberties groups on Wednesday sent letters to Pelosi, Senate Majority Leader Harry Reid (D-Nev.), and Obama to encourage them to include privacy protections in any provisions in the economic stimulus package that seek to increase adoption of EHRs, CongressDaily reports. The groups — which included the American Civil Liberties Union, Consumer Action, the National Association of Social Workers and Patient Privacy Rights — said that such protections are needed to prevent unauthorized access to and sale of the medical information of patients. At a briefing on Wednesday, Ashley Katz, executive director of Patient Privacy Rights, said, “We all want to innovate and improve health care, but without privacy our system will crash as any system with a persistent and chronic virus will.”

Sen. Olympia Snowe (R-Maine), Rep. Edward Markey (D-Mass.) and Rep. Lloyd Doggett (D-Texas) have expressed support for such protections. Markey in a statement said, “Without robust safeguards, the health IT systems we are planning for today could turn the dream of integrated, seamless electronic health networks into a nightmare for consumers.”

Senate gets early start on health reform plan

Sens. Baucus and Kennedy are working with a bipartisan group on the goal of moving a consensus bill through the Senate next year.

Washington — Even before Congress had closed the book on its 2008 session, leaders in the Senate began laying the groundwork for comprehensive health system reform in 2009.

Sen. Max Baucus (D, Mont.), chair of the Senate Finance Committee, on Nov. 12 released an 89-page vision for health system reform. The proposal calls for revising Medicare’s physician payment formula, requiring everyone to have insurance and expanding eligibility for Medicaid and the State Children’s Health Insurance Program. Baucus’ “Call To Action: Health Reform 2009” is the culmination of months of committee hearings.

Sen. Edward Kennedy (D, Mass.), chair of the Senate Health, Education, Labor and Pensions Committee, is staking his own place in the debate. He announced Nov. 18 that three committee members would lead working groups on health reform to tackle the issues of prevention and public health, quality improvement and insurance coverage.

Speakers cast dim, then positive health IT outlooks

According to Wikipedia, a male African elephant can weigh up to 26,000 pounds. That gives you some idea how ponderously depressing acting CMS Administrator Kerry Weems was as the first general session speaker Tuesday morning on Day Two of the 80th American Health Information Management Association convention in Seattle. Weems’ job was to give an account of present-day conditions in the healthcare industry.

“In 21 short days there will be an election,” Weems said. “Seventy-seven days after that, a new administration will be in office.”

So far, so good. But Weems didn’t stop there. No matter who wins the White House, Weems said, “the elephant in the room is the rising cost of healthcare.”

Then he proceeded to lumber through a deflating recitation of past healthcare costs and future cost estimates:

National expenditures on healthcare in 1980 were $364 billion, representing 9% of the economy.

By 2017, healthcare costs are projected to rise to $4 trillion and consume 20% of the economy.

The next year, 2018, the Medicare trust fund is projected to go bankrupt.

Right now, state Medicaid expenditures are on par with state spending for primary and secondary education.

Medical records going online, but will information be safe?

Medicaid patients’ medical records are going online in South Carolina so that people providing treatment have easier access to the information they need to offer the best care, officials said.

… Dr. Deborah Peel, a psychiatrist and founder of the Texas-based Patient Privacy Rights Foundation, says she’s not against EHR, so long as systems are built with consumers in control, though few systems do that. Because once exposed, she says, someone’s medical records can live on the Internet forever. And the consequences can be devastating, including employment and insurance discrimination.

Georgia Patients’ Records Exposed on Web for Weeks

A company hired by the State of Georgia to administer health benefits for low-income patients is sending letters to notify tens of thousands of residents that their private records were exposed on the Internet for nearly seven weeks before the error was caught and corrected, a company spokeswoman said on Thursday.

The records of as many as 71,000 adults and children enrolled in the Medicaid or PeachCare for Kids programs were inadvertently posted on Feb. 12, said Amy Knapp, a spokeswoman for the company, WellCare Health Plans Inc., whose headquarters are in Tampa, Fla.

The company learned on March 28 that the information was publicly accessible, Ms. Knapp said, and it took five more days to remove all the data, which included names, Social Security numbers, birth dates, Medicaid or PeachCare for Kids numbers, and dates of eligibility for insurance programs.

An employee who was updating information for the Georgia Department of Community Health posted the normally secure data to an unsecured Web site by mistake, Ms. Knapp said.

Lisa Marie Shekell, the department’s communications director, said there was no evidence that any of the information had been improperly used.

WellCare Health Plans has offered to pay the patients for credit monitoring services for a year, Ms. Knapp said.

This is the second time in a year that records for Medicaid and PeachCare for Kids participants in Georgia have been compromised.

Last April, the Department of Community Health announced that a different private contractor had lost a computer disk containing data on 2.9 million people. The disk, which was apparently lost in the mail, was never recovered.

Records of up to 71,000 Georgians made available on Internet

The state Department of Community Health said it has notified state and federal agencies that a Florida company mistakenly put the private records of up to 71,000 Georgians on the Internet.
The records were made available on the Internet for several days by WellCare Health Plans Inc. of Tampa, Fla., and some may have been viewed by unauthorized people, company officials said.
The problem was caused by human error, the Department of Community Health said.
The department said Wednesday it has informed the federal Department of Health and Human Services and its Office of Civil Rights; the Centers for Medicare and Medicaid; the Governor’s Office of Consumer Affairs; and the Georgia Attorney General’s office about the data breach.
Any exposure of private health information is a potential violation of HIPAA, the Health Insurance Portability and Accountability Act.
The Department of Community Health said the families whose data may have been accessed are members of the federal Medicaid health program for the poor, and the federal-state PeachCare for Kids program for children of the working poor.

HHS urges Congress to include IT adoption in physician payment fix bill

Secretary of Health and Human Services Michael Leavitt urged Congress yesterday to include a requirement for doctors to use electronic health records as part of any proposed Medicare physician payment bill.

On Nov. 1, the Centers for Medicare and Medicaid Services issued a final rule calling for a 10.1 percent reduction in payment rates for physicians beginning Jan. 1, 2008.

Physician groups hope to have this reversed by last-minute legislation before Congress breaks for the holidays, and for the last five years, Congress has intervened to temporarily suspend requirements that would require decreases.

Despite Leavitt’s call for healthcare IT adoption, a physician payment fix bill already faces strain. Congress’ last-minute deferral of a 5 percent cut to Medicare reimbursements last year puts extra pressure on retaining the cut this year.