Proposed Rules Prevent Patient Control Over Sensitive Information in Electronic Health Records (EHRs)

The proposed federal rules will require physicians and hospitals to use Electronic Health Records (EHRs) that prevent patient control over who can see and use sensitive personal health information.

This is the second time the federal government has proposed the use of technology that violates Americans’ strong rights to control the use and sale of their most sensitive personal information, from DNA to prescription records to diagnoses.

The proposed rules require EHRs to be able to show “meaningful use” (MU) and exchange of personal health data. PPR and other consumer and privacy advocacy groups submitted similar comments for the Stage 1 MU rules. These newly proposed rules are known as “Stage 2 MU” requirements for EHRs.

The most important function patients expect from electronic health systems is the power to control who can see and use their most sensitive personal information. Technologies that empower patients to decide who can see and use selected parts of their records have been working for 4 million people for over 10 years in 8 states with mental illness or addiction diagnoses. Today we do not have any way to know where our data flows, or who is using and selling it.

Even if we had a ‘chain of custody’ to prove who saw, used, or sold our personal health data—which we do not—it is still essential to restore patient control over personal health data so we can trust electronic health systems.

Technologies that require patient consent before data flows are cheap, effective, and should be required in all EHRs.

See Patient Privacy Rights’ formal comments on the Stage 2 MU proposed requirements submitted to the Centers for Medicare and Medicaid and the Office of the National Coordinator for Health IT at: http://patientprivacyrights.org/wp-content/uploads/2012/05/PPR-Comments-for-Stage-2MU-5-7-12.pdf

Re: 2012: Time for Action on Health Privacy

Things in Washington DC must really be bad if Deven McGraw, Chair of the Privacy and Security Tiger Team and member of the national Health IT Policy Committee, is speaking out so clearly about the lack of privacy protections in federal policy. She states in the article “2012: Time for Action on Health Privacy” that it’s time for HHS/ONC to change their “pattern” of “too much talk and not enough action” to protect privacy. Is there a privacy crisis? PPR thinks it’s critical to build privacy and patient control over data in up front. Now is the time!

See full article

“Consumers and patients support the electronic sharing of health information and are eager to experience the benefits of widespread adoption and use of electronic health records. Yet a substantial majority continue to express significant concerns regarding the impact of e-health on the privacy and security of their health information. According to a recent survey by the Markle Foundation, the privacy of health information is a significant concern for the American public and doctors who serve them.

Building and maintaining public trust in health IT and health information sharing will be critical to leveraging their benefits to improve individual and population health. The rhetoric from the Office of the National Coordinator for Health IT and HHS has been consistently strong on the importance of respecting the confidentiality of health information; however, with a few exceptions, the pattern has been too much talk and not enough action.”

Don’t bet on knowing your records’ whereabouts

Joseph Conn with ModernHealthcare.com wrote about the Health Privacy Summit in the IT Everything blog. You can read the full article here: Don’t bet on knowing your records’ whereabouts

“Do you know where your electronic health information is tonight?

Here’s a reader challenge: I’ll pay $10 to the first adult who has had at least five encounters with the private-sector healthcare system in the past 10 years to come up with a complete map of where all his or her electronic health records have traveled, who has seen them and where they are now.

I feel my money is safe in my pocket, and here’s why:

First, I’ve been covering health IT for nearly 11 years, and there is no system I know in this country that can completely track the whereabouts of someone’s electronic health information.

Second, there are no laws or incentives to induce complete tracking of a patient’s records.

And yet, patients ought to have access to just such a record map, according to health IT and privacy experts participating in the first Health Privacy Summit Monday in Washington. The daylong conference was put together by Patient Privacy Rights and the Lyndon B. Johnson School of Public Affairs at the University of Texas, Austin…”

Mostashari mindful of HIT stakeholder tension

WASHINGTON – At the Health IT Policy Committee meeting Wednesday morning, Farzad Mostashari, MD, the new national coordinator for health information technology, said he will listen attentively to stakeholder interests and is aware of the tensions among them. However, his first objective will be the public interest.

In addition to his national coordinator role, Mostashari will serve as chair of the HIT Policy Committee, an advisory group to the Office of the National Coordinator for Health Information Technology (ONC), which meets once amonth. Like his predecessor, David Blumenthal, MD, his leadership of this committee, in particular, will provide a catalyst for much of the activity the government plans for health IT.

“David is a tough act to follow,” Mostashari said, in some of his first public comments following his appointment last Friday. He added that Blumenthal had a broad range of support and unique skills that helped to move the federal HIT agenda to the next level.

“I’m not David Blumenthal, but I will do my best and will continue down the path he has set,” Mostashari said.

Comments: ONC studying risks of de-identified patient records

It’s nice to know that that the federal government will “analyze the science of de-identification and re-identification” before releasing health data. See article from Government Health IT: ONC studying risks of de-identified patient records (written by Mary Mosquera).

But instead of each of patient being informed about the level of risk and then deciding if that level risk is acceptable before agreeing to participate in research, the government will decide the “acceptable level of risk in order to be able to use the data”.

Two major problems need to be addressed before “de-identified” public use data (PUD) is released for “research”:

1) The “research” loophole in HIPAA allows any corporation to get access to our health data without consent, at low or no cost, simply by claiming that it is doing research. This loophole needs to be closed. Most ‘research’ use of health data today is NOT what Congress intended: i.e., research to improve patient health or to prevent illness. Instead corporations claim our data will be sued for ‘research’ when in reality they sell it or use it for business analytics. Business analytics is used by industry to discriminate against people in jobs, credit, and educational opportunities. The health data mining industry is exploiting the “research loophole” to obtain Americans’ health data to improve revenues, not to improve patient treatment or health. The name for that is fraud.

2) Who decides what level of de-identification is ‘safe’ enough? Should the federal government decide for us? Or should we be able to decide what risk we are willing to accept?

Patient Privacy Rights submitted a memo to CMS highlighting the difficulties of anonymizing data for public release and advocating an “adversarial challenge” criterion for assessing the threats associated with such releases. See: NOTES ABOUT ANONYMIZING DATA FOR PUBLIC RELEASE, by Andrew J. Blumberg.

BTW—-what if banks suddenly decided that account holders would now have to accept a .04% risk of electronic theft of funds and/or a .04% rate of errors in our deposits was ‘safe’ enough? Would you accept that low a level of risk? Is any rate of theft or error acceptable for our money?

Why should we accept anything less than a zero% risk of theft or error for our health records?

New HIPAA rules need more clarification

When it comes to the new HIPAA privacy and security standards, it seems like everybody has an opinion. Quite a few organizations are spreading the word about the comments they’ve filed in response to the changes HHS proposed in July…

…On the consumer side, the Coalition for Patient Privacy, led by Dr. Deborah Peel’s Patient Privacy Rights Foundation, is lobbying hard for the final rule to restore the right to patient consent for PHI disclosure that HHS stripped from the HIPAA privacy rule in 2002.

“We strongly recommend that HHS require the use of the consent and segmentation technologies showcased June 29 at the Consumer Choices Technology hearing sponsored by HHS/ONC for all HIT systems, HIE and the NHIN,” the coalition says in its letter. “The innovative, low-cost, effective privacy‐enhancing technologies available that can empower patients to have ‘maximal control over PHI’ should be viewed as what is possible now, not 10 years from now.”

What do we think of the new recommendations?

The Tiger team continues to make policy recommendations that clearly violate the law and the Administration’s new privacy policies. See story on release by Modern Healthcare.

Apparently they did not hear Secretary Sebelius announce a new “Administration-wide commitment to make sure no one has access to your personal information unless you want them to” on July 8th (see here).

Or hear Dr. Blumenthal say “we want to make sure it is possible for patients to have maximal control over PHI.” See: http://patientprivacyrights.org/2010/07/ppr-impressed-with-hhs-privacy-approach/

At the Consumer Choices Technologies Hearing on June 29th, one of the ‘granular consent’ technologies demonstrated has been exchanging behavioral health records on 4 million patients for over 10 years, in 9 states and 22 jurisdictions. Newer, more robust consent technologies showcased that day are also in use. See: http://nmr.rampard.com/hit/20100629/default.html

The Tiger team calls these privacy-enhancing technologies “looming” because they are not widely used. If the HIT Policy Committee recommends against technologies for robust consent and segmentation, as they did for “meaningful use” EHRs, they ensure the limited use of privacy-enhancing technologies, which can therefore continue to be described as “looming”. It’s a neat trick to recommend policy that perpetuates the status quo and violates our rights to health privacy. To create wide use of these technologies, they must be required in policy as well as the law.

HITECH in fact does require patient consent before PHI can be sold and states that private-pay patients should be able to prevent their data from flowing to insurers for payment and health care operations. And it is also a legal and ethical requirement to obtain informed consent before disclosures of sensitive health information in all 50 states. Therefore, robust electronic consents and segmentation are required by law today. Policies should match the law.

Instead, the recommendations from the Tiger team guarantee that the theft and sale of patient data will grow exponentially and data will flow unchecked by patient consent or segmentation through HIEs and the NHIN to even more thieving vendors and corporations. Americans’ jobs, credit, and reputations are being destroyed to improve corporate revenues. This sick, greedy transformation of the health care system cannot be hidden and will destroy trust in HIT, HIE, and in legitimate clinical, academic, and public health and population research.

Most HIT products and systems were not designed to comply with patients’ rights to control personal health information. And vendors won’t ever willingly update them, because selling patient data can be a far greater source of revenue than selling software or caring for sick people.

Back to the crucial question: how can the Tiger team recommend policy that violates existing law? Why don’t the Tiger Team and the HIT Policy Committee recommend that HIT vendors , CEs, and BAs COMPLY with state and federal privacy laws and protections and meet patients’ expectations?

The Tiger Team and HIT Policy Committee are both dominated by CEOs, employees, and beneficiaries of vendors or corporate for–profit “research” industries that want all OUR data without consent. Their fiduciary duties to stockholders explain their decisions to recommend policies that violate our privacy rights.

Today the health data theft/sale industry and corporate for-profit research industry are in charge of federal policy-making.

Their flawed business models, based on misleading shareholders and the public about what they really do, are fraudulent and deceptive trade practices.

The SEC brought Goldman Sachs to heel for misleading shareholders and the public about what their business model really was. The data theft and data sales industries and the corporate for-profit ‘research’ industry do exactly the same thing.

The entire US health care and HIT system will end up tarred and feathered and lose the public’s trust unless the health care and HIT corporations that protect privacy rights, and genuine clinical and academic researchers stand with patients to demand that patients control PHI.

Sign the ‘Do Not Disclose’ petition at http://patientprivacyrights.org/do-not-disclose/ and demand your rights to health privacy be enforced.

Health IT group drafts privacy recommendations

A federally chartered advisory work group charged in June with devising recommendations on privacy and security policies to support the government’s electronic health-record system subsidy program presented today its near-final list of guidelines to the Health Information Technology Policy Committee.

The work group, known as the privacy and security tiger team, met Monday and released what amounts to a consensus report on its recommendations, said Deven McGraw, co-chair of the tiger team and director of the Health Privacy Project at the Center for Democracy and Technology, a Washington think tank. The Health IT Policy Committee advises the Office of the National Coordinator for Health Information Technology at HHS…

According to the tiger team’s draft document posted on the HIT Policy Committee’s website, the team’s recommendations are based on “fair information practices,” a now globally accepted set of privacy policy guidelines that stems from a 1973 report by the U.S. Department of Health, Education and Welfare.

“All entities involved in health information exchange—including providers and third-party service providers like Health Information Organizations (HIOs) and intermediaries—follow the full complement of fair information practices when handling personally identifiable health information,” according to the tiger team proposal.

ONC IS MAKING HISTORY!

ATTEND THE FIRST EVER HEARING ON PRIVACY-ENHANCING TECHNOLOGIES IN THE NATION.

Register here.

The hearing, scheduled all day on June 29th, will showcase 7 innovative, existing privacy-enhancing Health IT products and systems, and future technologies. The technologies will be discussed by 4 experts and the Privacy and Security Tiger Team.

Early this year, Dr. Blumenthal met with the bipartisan Coalition for Patient Privacy. He told us our idea for this conference struck him as “very intriguing. Two principles should animate our policy development. Patients/consumers come first, and the process should be fair and open.” So he agreed to hold a hearing.

Register to attend the hearing at: http://www.blsmeetings.net/consumerchoicetechnologyhearing/
For agenda see: http://healthit.hhs.gov/portal/server.pt?open=512&mode=2&objID=2833&PageID=19423

This is the first hearing ONC has ever held that is focused solely on privacy rights and patients’ expectations to control sensitive health records, from prescriptions to DNA. It is VERY timely because billions in stimulus dollars are about to flow.

What kinds of systems do you want to get the stimulus billions??? Current HIT systems that facilitate the data mining, theft, and sale of personal health information or systems that put YOU in control of YOUR information?

Inside-the-beltway domination of policy and standards by major legacy health IT vendors, many major hospitals, the health data mining industries, and physicians’ organizations has made it very hard for consumer and privacy advocates to be heard, even though we represent the majority of the American public. The fear is if they have to ask first to see or use our health information, we might refuse. And we might. But it’s our right to do so.

Today’s HIT systems put our jobs and our kids’ futures at risk by exposing everything from our prescription records to our DNA to sale and theft. Once our health data is exposed, like Paris Hilton’s sex video, we can never make it private again.

Showcasing technology that empowers patients to actively share data for treatment, personal benefit, and for research, while empowering patients to protect personal information to prevent harms is critical—especially now as HHS prepares to spend billions on EHRs and models for data exchange that do not require meaningful and comprehensive privacy controls.

The video of the hearing will be a critical online resource for the public, the media, states, and the world. There is no other way to learn about robust privacy-enhancing technologies that meet patients’ expectations and rights to control use of PHI while enabling compliance with strong state and federal laws, medical ethics, and our Constitutional rights to privacy.

Latanya Sweeney’s testimony and slides show the need to choose the right HIT technologies and systems up front, rather than letting “100 weeds fester.” See her testimony at: http://patientprivacyrights.org/wp-content/uploads/2010/04/Sweeney-CongressTestimony-4-22-10.pdf
See her slides at: http://patientprivacyrights.org/wp-content/uploads/2010/06/Sweeney-TrustworthyNHINDesigns.pdf

If you cannot attend in person, PLEASE listen in and comment at the end during the comment period or submit comments online. The video link of the hearing will be posted the following day.

TAKE PART: Tell ONC to build privacy-enhancing health IT systems you can trust. Tell ONC to build privacy-enhancing EHRs and systems for data exchange, don’t blow the stimulus billions on systems that will never be trusted.

If we don’t fight for our rights to control sensitive personal health information, we will never GAIN the right to control the rest of our personal information online and in the Digital World.

Thanks for helping to save privacy!

Health IT coordinator attacks rumors that spy agencies would tap into patient information network

Dr. David Blumenthal, national coordinator for health information technology, has strongly denied any plans to develop a national network that would transmit patients’ medical information to the Justice and Homeland Security departments…

…Rather than defusing concerns, privacy advocates said Blumenthal’s remarks only heightened questions about what role NIEM standards, and the law enforcement agencies that developed them, will play in a national health information network.

Dr. Deborah Peel, founder of the Patient Privacy Rights Foundation, said she believes Blumenthal is well-intentioned in his aim to ensure patient information is not transmitted to law enforcement or intelligence agencies. But promises do not have the force of law, she noted.