What You Need to Know About Patient Matching and Your Privacy and What You Can Do About It

Today, ONC released a report on patient matching practices and to the casual reader it will look like a byzantine subject. It’s not.

You should care about patient matching, and you will.

It impacts your ability to coordinate care, purchase life and disability insurance, and maybe even your job. Through ID theft, it also impacts your safety and security. Patient matching’s most significant impact, however, could be to your pocketbook as it’s being used to fix prices and reduce competition in a high deductible insurance system that makes families subject to up to $12,700 of out-of-pocket expenses every year.

Patient matching is the healthcare cousin of NSA surveillance.

Health IT’s watershed is when people finally realize that hospital privacy and security practices are unfair and we begin to demand consent, data minimization and transparency for our most intimate information. The practices suggested by Patient Privacy Rights are relatively simple and obvious and will be discussed toward the end of this article.

Health IT tries to be different from other IT sectors. There are many reasons for this, but few of them are good. Health IT practices are dictated by HIPAA, whereas the rest of IT is governed by either the FTC or the Fair Credit Reporting Act. Healthcare is mostly paid for by third-party insurance, so the risks of fraud are different than in traditional markets.

Healthcare is delivered by strictly licensed professionals regulated differently than the institutions that purchase the Health IT. These are the major reasons for healthcare IT exceptionalism but they are not a good excuse for bad privacy and security practices, so this is about to change.

Health IT privacy and security are in tatters, and nowhere is it more evident than in the “patient matching” discussion. Although HIPAA has some significant security features, it also eliminated a patient’s right to consent and Fair Information Practice.

Patient matching by all sorts of health information aggregators and health information exchanges is involuntary and hidden from the patient as much as NSA surveillance is.

Patients don’t have any idea of how many databases are tracking our every healthcare action. We have no equivalent to the Fair Credit Reporting Act to cover these database operators. The databases are both public and private. The public ones are called Health Information Exchanges, All Payer Claims Databases, Prescription Drug Monitoring Programs, Mental Health Registries, Medicaid, and more.

The private ones are called “analytics” and sell billions of dollars of our aggregated data to hospitals eager to improve their margins, if not their mission.

The ONC report overlooks the obvious issue of FAIRNESS to the patient. The core principles of Fair Information Practice are Consent, Minimization and Transparency. The current report ignores all of these issues:

- Consent is not asked. By definition, patient matching is required for information sharing. Patient matching without patient consent leads to sharing of PHI without patient consent. The Consent form that is being used to authorize patient matching must list the actual parameters that will be used for the match. Today’s generic Notices of Privacy Practices are as inadequate as signing a blank check.

- Data is not minimized. Citizen matching outside of the health sector is usually based on a unique and well understood identifier such as a phone number, email, or SSN. To the extent that the report does not allow patients to specify their own matching criterion, a lot of extra private data is being shared for patient matching purposes. This violates data minimization.

- Transparency is absent. The patient is not notified when they are matched. This violates the most basic principles of error management and security. In banking or online services, it is routine to get a simple email or a call when a security-sensitive transaction is made.

This must be required of all patient matching in healthcare. In addition, patients are not given access to the matching database. This elementary degree of transparency for credit bureaus that match citizens is law under the Fair Credit Reporting Act and should be at least as strict in health care.

These elementary features of any EHR and any exchange are the watershed defining patient-centered health IT. If a sense of privacy and trust doesn’t push our service providers to treat patients as first-class users, then the global need for improved cybersecurity will have to drive the shift. Healthcare is critical infrastructure just as much as food and energy.

But what can you, as a patient, do to hasten your emancipation? I would start with this simple checklist:

Opt-out of sharing your health records unless the system offers:

  • Direct secure messaging with patients
  • Plain email or text notification of records matching
  • Patient-specified Direct email as match criterion
  • Your specific matching identifiers displayed on all consent forms
  • Online patient access to matchers and other aggregator databases

None of these five requirements are too hard. Google, Apple and your bank have done all of these things for years. The time has come for healthcare to follow suit.

Adrian Gropper, MD is Chief Technical Officer of Patient Privacy Rights and participates in Blue Button+, Direct secure messaging governance efforts and the evolution of patient-directed health information exchange.

Check out the Latest from Dr. Gropper, courtesy of The Healthcare Blog.

Providers NOT Required To Keep EHR Audit Systems Turned On

“If healthcare providers are using their electronic health records to falsify medical billing or cover their tracks after mistakes, there’s an easy way for investigators to find out: Check the audit trail.”

“Unfortunately, federal rules don’t require healthcare providers to keep their automated audit systems turned on. A study out this week from HHS’ watchdog office (PDF) finds that many healthcare providers can simply disable their logs or alter them after the fact—and experts say the problem may be far worse than what the study found.”

“HHS’ inspector general’s office this week reported the results of a voluntary survey of all 900 hospitals that had received federal subsidies to buy electronic health record systems as of March 2012. The survey, which had a 95% response rate, found that 44% of the hospitals reported having the ability to delete their EHR audit logs. Another 33% could disable the audit logs, while 11% could edit the records at will.”

To view the full article please visit: Providers Not Required To Keep EHR Audit Systems Turned On

Testimony of Deborah C. Peel, MD at the ONC’s Patient Matching Stakeholder Meeting

WASHINGTON, DC (December 16, 2013) – Patient Privacy Rights’ (PPR) founder and chair, Deborah C. Peel, MD, submitted written testimony to the U.S. Department of Health and Human Services’ Office of the National Coordinator (ONC) at today’s Patient Matching Stakeholder Meeting. The meeting discussed the initial findings from the ONC’s dedicated initiative to assess which aspects of patient identification matching are working well, where there are gaps, and where improvements are needed.

In her prepared testimony, Dr. Peel said that “the Initial Findings address the problems caused by current institutional health information technology (health IT) systems and data exchanges.” However, she also stated that the findings may not adequately address future needs, nor do they foresee how the meaningful use requirements for the Health Information Technology for Clinical Health (HITECH) Act can resolve many of the current problems with patient identity and patient matching.

Arguing that the findings present a tremendous opportunity to create and leverage genuine patient engagement, Dr. Peel said that “patients have more interest and stake in data integrity and safety than any other stakeholder.” Describing PPR’s vision of the future, Dr. Peel outlined how meaningful patient engagement will eliminate many of the complex problems caused by current patient identity systems, matching technologies, and algorithms. She also said that meaningful patient engagement means that patients can access, control, or delegate how their personal information is used and disclosed, as well as monitor all exchanges of their health data in real time.

Additionally, Dr. Peel discussed key elements for meaningful patient engagement based on Fair Information Practices (FIPs) and federal law. She said that all data holders and all health data aggregators should operate as HIPAA covered entities and should be known to patients. In order to provide accountability and transparency, she said that each data aggregator should provide Notice of Privacy Practices (NPPs), voluntary patient-controlled IDs, patient and physician portals, Direct Secure email between patients and physicians, Blue Button Plus (BB+), and real time accounting of disclosures.

In her concluding remarks, Dr. Peel stated that policies and best practices should consider how future health IT systems and data exchanges will operate, and should “anticipate meaningful patient and physician engagement, lowering costs, improving data quality, integrity and patient safety.” She urged the ONC to require, promote, and incentivize the rapid adoption of technologies that meaningfully engage patients as described in her testimony.

The complete text of this testimony is here.

ONC: Looking for ‘realistic’ ways to account for disclosures

“ONC’s Health IT Policy Committee Tiger Team held a virtual hearing Sept. 30 to gather information about the rule and explore ‘realistic ways to provide patients with greater transparency about the uses and disclosures of their digitized, identifiable information,’ according to a Sept. 23 blog post by Committee Chair Devon McGraw. The Tiger Team asked for answers to specific questions, such as what patients want to know and how transparency technologies currently are being used by covered entities.”

“Deborah Peel, Founder and Chair of the Patient Privacy Rights coalition, suggested in her testimony that accounting for disclosures needs to include all of the detailed information about all uses of a patient’s electronic health information; she added that the rule could be implemented by ‘piggybacking’ onto existing initiatives, such as the Blue Button movement.”

Read more: ONC: Looking for ‘realistic’ ways to account for disclosures – FierceEMR

To read Dr. Peel’s testimony on Accounting for Disclosures click here

Security and Privacy of Patient Data Subject of Regulatory Hearing

Representatives of patients, providers, insurers and tech companies testified before a federal panel yesterday at the HIT Policy Privacy & Security Tiger Team Virtual Hearing on Accounting for Disclosures.

“We believe it’s the patient’s right to have digital access that is real-time and online for accounting of disclosures,” said Dr. Deborah Peel, the head of Patient Privacy Rights, a group she founded in 2004. Patients “need and want the data for our own health. We need to have independent agents as advisors, independent decision-making tools, we need independence from the institutions and data holders that currently control our information. We need to have agents that represent us, not the interests of corporations,” she said.

“I think the day will come when people will understand that their health information is the most valuable personal information about them in the digital world and that it’s an asset that should be protected in the same way that they protect and control their financial information online,” Peel said.

To view the full article click Security and Privacy of Patient Data Subject of Regulatory Hearing

To view a PDF of the hearing click HIT Policy Privacy & Security Tiger Team Virtual Hearing on Accounting for Disclosures

HIPAA Omnibus: Gaps In Privacy? — Interview with Deborah C. Peel, MD

Although the HIPAA Omnibus Rule is a step in the right direction for protecting health information, the regulation still leaves large privacy gaps, says patient advocate Deborah Peel, M.D.

“HIPAA Omnibus finally affirmed that states can pass laws that are tougher than HIPAA, and that’s really good news because HIPAA is so full of flaws and defects that we are concerned that what is being built and funded will not be trusted by the public,” Peel says in an interview with HealthcareInfoSecurity during the 2013 HIMSS Conference.

Listen to this interview and read the full article here.

Cloud Computing: HIPAA’s Role

The below excerpts are taken from the GOVinfoSecurity.com article Cloud Computing: HIPAA’s Role written by Marianne Kolbasuk McGee after the January 7, 2013 Panel in Washington D.C.: Health Care, the Cloud, & Privacy.

“While a privacy advocate is demanding federal guidance on how to protect health information in the cloud, one federal official says the soon-to-be-modified HIPAA privacy and security rules will apply to all business associates, including cloud vendors, helping to ensure patient data is safeguarded.

Joy Pritts, chief privacy officer in the Office of the National Coordinator for Health IT, a unit of the Department of Health and Human Services, made her comments about HIPAA during a Jan. 7 panel discussion on cloud computing hosted by Patient Privacy Rights, an advocacy group…

…Deborah Peel, M.D., founder of Patient Privacy Rights, last month sent a letter to the Department of Health and Human Services’ Office for Civil Rights urging HHS to issue guidance to healthcare providers about data security and privacy in the cloud (see: Cloud Computing: Security a Hurdle).

“The letter … asks that [HHS] look at the key problems in cloud … and what practitioners should know and understand about security and privacy of health data in the cloud,” Peel said during the panel.”

OCR Could Include Cloud Provision in Forthcoming Omnibus HIPAA Rule

The below excerpt is from the Bloomberg BNA article OCR Could Include Provision in Forthcoming Omnibus HIPAA Rule written by Alex Ruoff. The article is available by subscription only.

“The final omnibus rule to update Health Insurance Portability and Accountability Act regulations, expected to come out sometime early this year, could provide guidance for health care providers utilizing cloud computing technology to manage their electronic health record systems, the chief privacy officer for the Office of the National Coordinator for Health Information Technology said Jan. 7 during a panel discussion on cloud computing.

The omnibus rule is expected to address the health information security and privacy requirements for business associates of covered entities, provisions that could affect how the HIPAA Privacy Rule affects service providers that contract with health care entities, Joy Pritts, chief privacy officer for ONC, said during the panel, hosted by the consumer advocacy group, Patient Privacy Rights (PPR).

PPR Dec. 19 sent a letter to Health and Human Services’ Office for Civil Rights Director Leon Rodriguez, asking the agency to issue guidance on cloud computing security. PPR leaders say they have not received a response…

…Deborah Peel, founder of Patient Privacy Rights, said few providers understand how HIPAA rules apply to cloud computing. This is a growing concern among consumer groups, she said, as small health practices are turning to cloud computing to manage their electronic health information.”

Patient Privacy Rights Calls for Patient Control Over Data Exchange on the Nationwide Health Information Network (NwHIN)

In our comments about the NwHIN, Patient Privacy Rights (PPR) urged the Office of the National Coordinator for Health IT (ONC) to use this critical opportunity to address the fatal privacy and security flaws in current systems and state and federal data exchanges. “Multi-stakeholder” public-private governance at the state and federal level has failed to gain public trust. Public-private governance assures that industry, research, and government interests trump the public’s rights to health information privacy.

To restore public trust, PPR strongly believes:

  • All state and federal data exchanges should be certified to assure that patients control the exchange of their health data. Privacy certification should be designed by a non-profit, patient-led organization with expertise in health privacy;
  • Data should only be exchanged using the Direct Project for secure email between patients, physicians, and other health professionals (with rare exceptions);
  • Patients should always give meaningful informed consent before their information is disclosed; and
  • Sensitive personal health information should only flow to those directly involved in an individual’s treatment, or to those who are conducting research in which an individual has agreed to participate.

Without a network designed to make sure individuals decide who sees their health records, Americans will grow even more wary of seeking needed treatment. We urge the ONC to act now to create a nationwide network that requires comprehensive data privacy and security measures to protect patients’ intimate personal health data. See comments here.

Proposed Rules Prevent Patient Control Over Sensitive Information in Electronic Health Records (EHRs)

The proposed federal rules will require physicians and hospitals to use Electronic Health Records (EHRs) that prevent patient control over who can see and use sensitive personal health information.

This is the second time the federal government has proposed the use of technology that violates Americans’ strong rights to control the use and sale of their most sensitive personal information, from DNA to prescription records to diagnoses.

The proposed rules require EHRs to be able to show “meaningful use” (MU) and exchange of personal health data. PPR and other consumer and privacy advocacy groups submitted similar comments for the Stage 1 MU rules. These newly proposed rules are known as “Stage 2 MU” requirements for EHRs.

The most important function patients expect from electronic health systems is the power to control who can see and use their most sensitive personal information. Technologies that empower patients to decide who can see and use selected parts of their records have been working for over 10 years in 8 states for 4 million people with mental illness or addiction diagnoses. Today we do not have any way to know where our data flows, or who is using and selling it.

Even if we had a ‘chain of custody’ to prove who saw, used, or sold our personal health data—which we do not—it is still essential to restore patient control over personal health data so we can trust electronic health systems.

Technologies that require patient consent before data flows are cheap, effective, and should be required in all EHRs.

See Patient Privacy Rights’ formal comments on the Stage 2 MU proposed requirements submitted to the Centers for Medicare and Medicaid and the Office of the National Coordinator for Health IT at: http://patientprivacyrights.org/wp-content/uploads/2012/05/PPR-Comments-for-Stage-2MU-5-7-12.pdf