Health IT group drafts privacy recommendations

A federally chartered advisory work group charged in June with devising recommendations on privacy and security policies to support the government’s electronic health-record system subsidy program presented today its near-final list of guidelines to the Health Information Technology Policy Committee.

The work group, known as the privacy and security tiger team, met Monday and released what amounts to a consensus report on its recommendations, said Deven McGraw, co-chair of the tiger team and director of the Health Privacy Project at the Center for Democracy and Technology, a Washington think tank. The Health IT Policy Committee advises the Office of the National Coordinator for Health Information Technology at HHS…

According to the tiger team’s draft document posted on the HIT Policy Committee’s website, the team’s recommendations are based on “fair information practices,” a now globally accepted set of privacy policy guidelines that stems from a 1973 report by the U.S. Department of Health, Education and Welfare.

“All entities involved in health information exchange—including providers and third-party service providers like Health Information Organizations (HIOs) and intermediaries—follow the full complement of fair information practices when handling personally identifiable health information,” according to the tiger team proposal.

HHS proposes stronger privacy protections under HIPAA

Proposed changes to the HIPAA privacy regulations would expand patients’ rights to access their information and restrict certain types of disclosures of protected health information to health plans, according to InformationWeek.

“We want to make sure it is possible for patients to have maximal control over PHI,” national health IT coordinator Dr. David Blumenthal said at an HHS press conference. The statement–and the proposal itself–thrilled healthcare privacy hawk Dr. Deborah Peel. Her organization, the Patient Privacy Rights Foundation, put out a statement strongly in favor of the changes, saying that the proposed rule “signaled a clear policy change in the Obama administration, strengthening consumer rights to health privacy.”

To learn more:
- read the proposed rule issued by HHS on July 8
- read this Computerworld article via Businessweek
- take a look at CMIO’s article
- read the InformationWeek story
- see this AHIMA press release
- check out this statement from the Patient Privacy Rights Foundation, which includes a video of the HHS press conference

Discussion on Targeting in the UK using the National Health Service

UK patients are outraged over the possibility that the government’s NHS (National Health Service) database was used to find individual cancer patients and pressure them to vote for the Labour party. See article here.

Even if NHS data was not used, CLEARLY there is enough commercial data for sale in both Britain and the US for cancer victims’ addresses to be found and re-identified.

Allowing the secret US data mining industries that steal, collect, aggregate, and sell all Americans’ sensitive personal health information, health-related searches, health-related posts on social websites, email about health, and health-related purchases to continue doing business-as-usual is a prescription for disaster.

It’s a key reason we are seeking 500,000 people to sign the Do Not Disclose list. If Congress gets 500,000 signatures, they will pass a law to restore our control over our digital health records and set up the list.

Don Berwick MD, President Obama’s nominee to lead the Centers for Medicare and Medicaid, agrees that health information should belong to patients—and doctors should have to ask us to see it. See his article on patient empowerment: What ‘Patient-Centered’ Should Mean.

Yes, it’s illegal for employers and banks to use health information—but if they have it, they can use it—and there is no way to stop them.

We should be able to stop anyone from getting our health information. A national Do Not Disclose list would ensure we decide who sees our health information and who doesn’t.

It’s time to prevent corporations and government from being able to get our sensitive health information without consent. Sign the Do Not Disclose list!

Quotes:

  • “The Conservatives and the Liberal Democrats have attacked the Labour Party for sending “alarmist” literature to cancer patients, and called for an inquiry into whether NHS databases had been used to identify recipients. The row erupted after Labour sent cancer patients mailshots saying that their lives may be at risk under a Conservative government.”
  • “Experian, the data management company, confirmed that both Labour and the Conservatives use its Mosaic database, which divides voters into 67 groups. The databases can use anonymised hospital statistics, including postcodes and the diagnoses of patients, to identify the likely addresses of those with particular illnesses.”

PR Firm Behind Propaganda Videos Wins Stimulus Contract

President Obama’s push for electronic medical records has faced resistance from those who question whether health information technology systems can protect patient privacy…

…Consumer advocates warned that the PR contract will only heighten skepticism about the security of online health records. A poll conducted last year by NPR, the Kaiser Family Foundation and the Harvard School of Public Health found that roughly six in 10 Americans lack confidence in the privacy of online health records.

“The public has always been very suspicious over whether electronic health information will be safe,” said Dr. Deborah C. Peel, a physician and founder of the Coalition for Patient Privacy, which includes consumer, privacy and health groups. Peel called Ketchum a “very, very troubling choice because the last thing the public needs are more tricks being pulled on them.”

Your Medical Records Aren’t Secure

Published March 24, 2010

I learned about the lack of health privacy when I hung out my shingle as a psychiatrist. Patients asked if I could keep their records private if they paid for care themselves. They had lost jobs or reputations because what they said in the doctor’s office didn’t always stay in the doctor’s office. That was 35 years ago, in the age of paper. In today’s digital world the problem has only grown worse.

A patient’s sensitive information should not be shared without his consent. But this is not the case now, as the country moves toward a system of electronic medical records.

In 2002, under President George W. Bush, the right of a patient to control his most sensitive personal data—from prescriptions to DNA—was eliminated by federal regulators implementing the Health Information Portability and Accountability Act. Those privacy notices you sign in doctors’ offices do not actually give you any control over your personal data; they merely describe how the data will be used and disclosed.

In a January 2009 speech, President Barack Obama said that his administration wants every American to have an electronic health record by 2014, and last year’s stimulus bill allocated over $36 billion to build electronic record systems. Meanwhile, the Senate health-care bill just approved by the House of Representatives on Sunday requires certain kinds of research and reporting to be done using electronic health records. Electronic records, Mr. Obama said in his 2009 speech, “will cut waste, eliminate red tape and reduce the need to repeat expensive medical tests [and] save lives by reducing the deadly but preventable medical errors that pervade our health-care system.”

But electronic medical records won’t accomplish any of these goals if patients fear sharing information with doctors because they know it isn’t private…

Read More at The Wall Street Journal

There is no need to choose between the benefits of technology and our rights to health privacy. Please support YOUR right to decide who can see your electronic health information: sign the ‘Do Not Disclose’ petition now!

Health Care’s Digital Privacy Debate

As President Obama has learned over the last year, Americans tend to get angry when you try to fix the country’s dysfunctional health care system. But even as the national debate over universal coverage drags on, there’s another sticky issue ahead for health reform: digital privacy.

In a study released Monday by the privacy-focused Ponemon Institute, Americans registered a deep distrust of anyone in either the federal government or private industry who might store digital health records like those that the Obama administration has encouraged hospitals to create. Of the 868 Americans surveyed about their views on digitizing and storing health records, only 27% said they would trust a federal agency to store or access the data–the same percentage as those who would trust a technology firm like Google, Microsoft or General Electric.

Bill O’Reilly is REALLY worried about the loss of his personal medical privacy…

So much so that he repeatedly returned to the topic while debating health care reform last night.

See Editorial with Video

68% of Americans share his fears and “Have Little Confidence that Electronic Health Records Will Remain Confidential” (see: Past Meetings: 7/21/09, slide #3 of the “Privacy and Security Work Group: Recommendations” presentation on the HIT Standards Committee website at: http://healthit.hhs.gov/portal/server.ptopen=512&objID=1271&parentname=CommunityPage&parentid=2&mode=2&in_hi_userid=10741&cached=true

O’Reilly debated with a doctor who doesn’t seem to know that we have no control over our personal electronic health records, the massive damage that already causes, and how much more we will all be harmed if the Administration does not stop health IT systems from violating our privacy. Patient control over personal health information must be built into every electronic system up front.

Republicans, Democrats, Libertarians, and the majority of Americans REALLY care about health privacy. The national consensus is that we should control who sees our health records, which has been our legal and ethical right since the nation’s founding. Restoring the right to control PHI in electronic health systems will quell fears that the majority has about electronic systems.

Quotes from the story:

• O’Reilly demonstrated his primary fear – almost panic – over the assumption that his medical records may not be private any more if President Obama passes some version of his healthcare bill. But enough with the foreplay — O’Reilly dived right into his main fear. “My health records which are now in the hands of my private physician . . . they’re gonna be in Washington, right, so every malady that I have is gonna be seen by people in Washington. I don’t want that, do you want that?”

• After a little back and forth on the issue, O’Reilly repeated, “On a computer disk in D.C. will be what’s wrong with me . . . based on my medical history. It makes me very, very nervous.” Yes, we noticed.

• O’Reilly, again, focused worriedly on the privacy issue. “Let me ask you this,” O’Reilly posited. “It worries me that my medical history and your medical history is now gonna be on a disk in Washington, D.C., rather than the confidentiality of a doctor-patient, which we have had in this country for decades – that’s gone.”

• “The data is going to go to a bank in Washington, D.C.,” O’Reilly fretted. “ . . . I’m talking about you, Dr. Marc Lemont Hill, having a condition . . . with his program, it goes to D.C. and the bureaucracy decides how to treat you, not your physician. Doesn’t that worry you?”

• “So you don’t mind having your condition – whatever it may be – leave your doctor’s office and go to D.C. . . ,” O’Reilly said.

• O’Reilly hammered the privacy issue, once again, saying, “It’s going to a database that can be accessed . . . okay, if you don’t mind it, I do, and that’s a big concern of mine. We don’t have any privacy as it is in this country . . . .”

• Hill pointed out the bigger issue than the privacy of medical records (to most Americans, but not to O’Reilly) is 50 million uninsured Americans – and said that President Obama addressed that in the press conference.

• But the biggest question of all – what’s O’Reilly’s medical condition? The one O’Reilly is terrified might fall into the hands of the government? Is it really so awful that O’Reilly (not usually one to worry about privacy) is willing to kill health care reform just to protect it?

HIMSS & Who is Promoting HIT in Stimulus Spending?

This story tells how HIMSS and Harvard’s Blackford Middleton promoted spending billions on health IT in the stimulus bill.

HIMSS and Blackford believe that health technology will be the silver bullet that enables healthcare reform and kills/slows higher costs. That may be possible, but is highly doubtful because the billions are such a bonanza for the health IT industry.

Will this be yet another example of the stimulus billions being used to prop up large corporations, but not to save individual patients who are sick?

Not only does most of the health IT vendor industry NOT care about whether healthcare reform succeeds or not, they actively fought to weaken Americans’ rights to privacy and security. By law, industry cares about maximizing revenue, not treating the sick.

So the BIG question is: will the government require all electronic health records systems to have the tough privacy and security measures the public expects and needs to trust these systems? Will the government require electronic health systems to build in our legal and ethical rights to privacy up front?

Most of the HIT industry lobbied to sell the same old dinosaur products and against privacy. The incumbents are very powerful and not interested in change OR IN OUR PRIVACY RIGHTS.

The Machinery Behind Health-Care Reform

Robert O’Harrow tells the story of how Harvard, Harvard Partners HealthCare, Blackford Middleton, and the Health Information and Management Systems Society (HIMSS), the health IT industry’s lobby, got $27B for HIT into the stimulus bill.

HIMSS used classic industry lobbying strategy:
1. Never let a crisis go to waste (in this case the economic crisis) to drive funding for industry.
   a. They were very clever because
      i. The HIT industry was NOT failing (unlike the auto industry) and did not need a stimulus.
2. Fund a ‘think tank’ to produce ‘research’ promoting HIT as a way to lower costs, improve healthcare, etc., etc.—in this case headed by Blackford Middleton MD of Harvard.
3. Use the ‘research’ to promote HIT and lobby for stimulus funds.
   - Harvard-branded ‘research’ is very powerful:
   b. Non-profit organizations were funded “to press for electronic health records”.
   c. Blumenthal, Daschle, and the Obama Administration were ‘sold’ on the ‘research’.
   d. The ‘research’ gave Blumenthal, Daschle, and the Obama Administration a way to justify dismissing the problems OMB and other sceptics raised about the ‘research’.
      iii. Mark Frisse and Joseph Antos are sceptics quoted about the ‘research’.
   e. Congress was ‘sold’ on the ‘research’ which claims that HIT will reduce costs, etc.
4. HIMSS and the Harvard ‘think tank’ draft much of HITECH’s plan to purchase flawed HIT systems.
5. Congress passed the stimulus bill with $2B more for HIT than the $25B HIMSS recommended.
6. Industry wins.
7. Public loses.
   f. The public’s expectations and rights of control over health information are eliminated by funding flawed HIT/EHRs and data exchanges.

The result, almost 4 years later, is that we have no idea where our health data is held, who is using it or why—no health data map, no ‘chain of custody’ for where our data flows, no way to control health data in electronic systems or data exchanges, and no way to stop data sales (a recent example is Medtronic selling records from patients’ wireless heart monitors).

Soon, we will finally be able to download electronic copies of our health data, a crucial first step to restoring control over our own information. Once we have all our health information, then we can press to restore control over who can see, use or sell it.

To view the full article, please visit: The Machinery Behind Health-Care Reform

A Start to Securing PHI?

Sometimes press releases for new products tell us far more about the risk of identity theft in electronic health systems than the mainstream press or trade journals.

Check out this zinger quote: “Most organizations don’t even know where their PHI is.” Why doesn’t the mainstream press tell the public that the health care organizations (like hospitals) have no idea where all their sensitive personal health data resides?

How about this: “The software (Identity Finder) automatically finds PHI such as social security numbers, medical record numbers, dates of birth, driver licenses, personal addresses, and other private data within files, e-mails, databases, websites, and system areas. Once found, the software makes it simple for users or administrators to permanently shred, scrub, or secure the information.” Emails? Who sends drivers license numbers, SS#s, and Dates of Birth in emails? Clearly lots of healthcare organizations do.

We can only hope products like this sell.

See full article at:

http://news.prnewswire.com/DisplayReleaseContent.aspx?ACCT=104&STORY=/www/story/05-05-2009/0005019328&EDATE