Your Medical Records May Not Be Private: ABC News Investigation

ABC TV’s Jim Avila shows how easy it is to buy personal health data. He spoke with security consultant Greg Porter, who showed him how to buy personal health information online for $14-$25. ABC News learned about the lack of effective security and privacy for medical records from “Julie” at the 2nd International Summit on the Future of Health Privacy.

You can see the ABC News video on medical records (after a short advertisement) at: http://abcnews.go.com/Health/medical-records-private-abc-news-investigation/story?id=17228986#.UIQCz1H6Acs

ABC’s print story about the TV news segment tells “Julie’s” story, quotes Patient Privacy Rights (PPR), and links to our free online consumer protection forms so you can take action to better protect your health data. Use the free consent form and ask physicians and hospitals to honor longstanding state laws that require consent before they disclose your health information. According to HIPAA, providers can refuse to honor requests like this, but HIPAA also says stronger state laws and medical ethics should prevail—so ‘ask’ and tell them to honor your rights to control who sees and uses your electronic health information.

Promising research may protect health records privacy

To view the full article in Modern Healthcare, please visit Promising research may protect health records privacy.

A recent article in ModernHealthcare.com explains a new and promising technology developed by the Wake Forest School of Medicine’s Department of Biomedical Engineering. They have developed a “prototype health information exchange that both works for providers and restores patient control over the flow of their medical images.” The article explains how the new exchange utilizes “what’s called a Patient Controlled Access-key Registry to manage access for both patients and providers. A patient, who would allow another provider to see his or her records, releases an ‘access key’ with a digital signature at a patient portal.”

The article also quotes Dr. Peel’s views on the new system: “Psychiatrist and patient privacy advocate Dr. Deborah Peel—often a critic of health IT systems that she sees compromising privacy—says she likes what she reads about the Wake Forest pilot. ‘The majority of current HIT systems and data exchanges violate medical ethics and patients’ long-standing rights to control PHI (protected health information),’ Peel wrote in an email Wednesday. ‘Bravo to the Wake Forest research team for finally building effective electronic patient consent tools. Yes, this model solves the legal problems of data sharing. And yes, it builds patient trust in physicians because it restores the personal control over use and disclosure of protected health information that patients expect.’”

Patient Control Reduces Privacy Issues for Health Data Sharing Networks

See the full article on iHealthBeat.org: Patient Control Reduces Privacy Issues for Health Data Sharing Networks

It’s about time!!!! Congratulations to Wake Forest for building a way to move data that patients can trust. Patients have waited a long time for systems to be built that enable them to move their own information.

YES, this model solves the legal problems of data sharing—there is no need for expensive contracts between hospitals and doctors. And YES, it builds patient trust in physicians because it restores the personal control over use and disclosure of protected health information (PHI) that patients EXPECT.

The majority of current HIT systems and data exchanges violate medical ethics and patients’ long-standing rights to control PHI. This kind of electronic consent is THE ONLY way patient data should flow.

BRAVO to the Wake Forest research team for finally building effective electronic patient consent tools.

Protecting Our Civil Rights in the Era of Digital Health

See the full article by William Pewen in The Atlantic: Protecting Our Civil Rights in the Era of Digital Health

Bill Pewen has written the BEST BRIEF HISTORY OF HOW HEALTH INFORMATION PRIVACY WAS ELIMINATED I HAVE EVER SEEN, from diagnoses to prescription records to DNA. Terrific to see this in the Atlantic!

He shows how technology-based discrimination works, and makes the case that selling people’s health information/profiles is a major business model for the largest technology/Internet corporations: “Millions [of people] are beginning to recognize that they are not the customers, but the product.”

“[A]dvancing technology was opening a virtual Pandora’s Box of new civil rights challenges. At the crux of these was the fact that scientific progress has been enabling increasingly sophisticated discrimination.” … “Our experience with GINA helped to reveal the tip of an emerging threat — the use of modern data systems to create new forms of discrimination — and our concern focused on the use of personal medical data. While genetic data expresses probabilities, other parts of one’s medical record reflect established fact — an individual’s diagnoses, the medications one has used, and much more.”

“Genetic discrimination comprised just one of a number of game-changing technological challenges to civil rights. Confronting these presents new obstacles, and points to the need for a paradigm shift in our approach to prevent such inappropriate bias.”

He concluded with a call for “a 2nd civil rights bill of the 21st century”, based on key principles and tests to evaluate whether technology harms people:

Principles:

· First: “certain harmful acts must be clearly prohibited”.

· Second: “the possession and use of personal medical data should be restricted without an individual’s consent”.

Harms tests:

To determine “whether an application of technology undermines existing civil rights statutes, … consider its potential to impose harm in terms of three tests.”

· First: “the immutability of a trait. Profiling based on an unchangeable [genetic] characteristic should raise questions, as the ability of an individual to impact these is absent.”

· Second: “relevance … [for example] we would not permit such irrelevant traits as race or gender to be used to discriminate in the hiring of flight crews.”

· Third: “the presumption of a zone of privacy. … neither personal medical information nor its correlates should be considered in the public domain.”

Senator Snowe and her top health expert, Bill Pewen, are real privacy heroes, responsible for key new consumer privacy and security protections in the technology portion of the stimulus bill (HITECH). The bipartisan Coalition for Patient Privacy worked very closely with them to support consumer protections they championed.

EHRs and Patient Privacy- An Oxymoron? Psychiatric Times Cover Story

A recent article in the Psychiatric Times based on the 2nd International Summit on the Future of Health Privacy describes the major problems with EHRs and the consequences of the misuse of this technology. The article quotes both Dr. Peel and Dr. Scott Monteith as well as “Julie” when describing the flaws of EHRs and HIEs. The article is available by subscription only through Psychiatric Times, but here are some highlights and quotes from the article:

“The escalating use of electronic health records (EHRs) and health information exchanges (HIEs) is fraught with unintended and sometimes dire consequences—including medical coding errors and breaches of psychiatric patients’ privacy and confidentiality, according to [Dr. Peel and Dr. Monteith] who scrutinize the field.”

“At the recent Second Annual International Summit on the Future of Health Privacy, psychiatrist Scott Monteith, MD, Clinical Assistant Professor in the Departments of Psychiatry and Family Medicine at Michigan State University and a medical informaticist, relayed the experience of a patient who discovered that her EHR erroneously reported a history of inhalant abuse. In reality, she had a history of ‘caffeine intoxication.’ After much investigation, the problem was identified. The DSM-IV-TR code (305.90) is used for 4 different diagnoses, including caffeine intoxication and inhalant abuse, but the EHR’s printout only made the inhalant abuse diagnosis visible. Although the error was reported to the EHR vendor, the problem persists after almost 2 years.”

“‘It is impossible for consumers to weigh the risks and benefits of using health IT and data exchanges when they have no idea where their data flows, who is using it or the purpose of its use,’ wrote Peel, a psychiatrist and psychoanalyst.”

“…Peel emphasized the importance of patients being able to control access to sensitive personal health information. The open source consent technologies, she explained, have been used for more than 12 years by many state mental health departments to exchange sensitive mental health and substance abuse data on some 4 million people in more than 8 states.”

“…‘Millions of patients/year refuse to seek treatment when they know they cannot control where their data flows,’ she wrote. ‘Any HIE or EHR that cannot selectively share data with the patient’s meaningful consent, withhold data without consent, AND withhold erroneous data is a failed system or technology. The refusal of certain health IT companies to build technologies that comply with the law and what patients expect shows very poor judgment.’”

If you wish to view the full article by Arline Kaplan and are a subscriber of Psychiatric Times, it can be found at Electronic Health Records and Patient Privacy- An Oxymoron?

Patient Safety and Health Information Technology: Learning from Our Mistakes

MUST READ article by Ross Koppel about why and how government and industry denial of serious design flaws in electronic health systems endangers patients’ lives and safety. He uses detailed examples, citations, and the historical record to support his case. Flawed technology causes serious patient safety issues in the same way flawed technology prevents patient control over who can see, use, or sell sensitive health information.

Yet technology could vastly improve patient safety and put patients back in control over the use of their health data. Why is poor technology design entrenched and systemic? Koppel states, “The essential question is: why has the promise of health IT—now 40 years old—not been achieved despite the hundreds of billions of dollars the US government and providers have spent on it?”

He makes the case that key problems arise from industry domination over the public interest. “Marketing overdrive” has caused:
· Denial and magical thinking: we see the “systematic refusal to acknowledge health IT’s problems, and, most important, to learn from them”

· Prevention of “meaningful regulations since 1997”: “This belief that health IT, by itself, improves care and reduces costs has not only diminished government responsibility to set data format standards, it has also caused us to set aside concerns of usability, interoperability, patient safety, and data integrity (keeping data accountable and reliable).”

· Destructive “lock-in” to flawed technology systems: A full software package from a top firm for a large hospital costs over $180 million, and can cost five times that figure for implementation, training, configuration, cross-covering of staff, and so on.(11,12) Because illness, accidents, and pregnancies cannot be scheduled around health IT training and implementation needs, the hospital must continue to operate while its core information systems are developed and installed. This investment of time and money means the hospital is committed for a decade or more. It also reduces incentives for health IT vendors to be responsive to the needs of current customers.(13,14)

We have been to this rodeo before. Koppel points out these same phenomena occur over and over in many other industries:
“we had dozens of railroad gauges, hundreds of time zones, and even areas with both left- and right-hand driving rules. In all cases, the federal government established standards, and the people, the economy, and especially the resistant industries flourished. Industry claims that such standards would restrict innovation were turned on their heads.”

The health technology industry has failed to reform itself for 40 years. Effective federal laws and regulation are the only path to ensuring innovation and interoperability, to make health IT systems safe for patients and useful to doctors, and to restore individual control over who sees the most sensitive personal information on Earth.

See the full article at Web M&M: Patient Safety and Health Information Technology: Learning from Our Mistakes

The Changing Landscape – The Impact to Patients’ Privacy

Both President Bush and President Obama agree that every American should have an electronic health record by 2014. Congress agrees too and has poured $27 billion into digitizing the healthcare system. Using data instead of paper records, technology tools can analyze mountains of health information to understand what treatments work best for each of us, improve quality, facilitate research, and lower costs. Strong support for electronic health records systems and health data exchanges is bipartisan.

But the systems being funded have major, potentially fatal design flaws which are NOT being addressed by either party:

-Patients have no control over who sees or sells sensitive personal health information.

-Comprehensive, effective data security measures are not in use; 80% of health data is not even encrypted.

-Health data is held in hundreds or thousands of places we have never heard of because of hidden data flows.

-Hundreds of thousands of employees of corporations, third parties inside and outside the healthcare system, researchers, and government agencies can easily obtain and use our personal health information, from prescription records to DNA to diagnoses.

-There is no “chain of custody” for our electronic health data.

The consequences of the lack of meaningful and comprehensive privacy and security protections for sensitive health data are alarming. Over 20 million patients have been victims of health data breaches – these numbers will only increase. Millions of patients each year are victims of medical ID theft, which is much harder to discover and much more costly than ID theft. Such easy access to health data by thousands of third parties is causing an explosion of healthcare fraud (see FBI press release on $100M Armenian-American Fraud ring: http://www.fbi.gov/newyork/press-releases/2010/nyfo101310.htm). Equally alarming, this lack of privacy can cause bad health outcomes. Millions of people every year avoid treatment because they know their health data is not private:

-HHS estimated that 586,000 Americans did not seek earlier cancer treatment due to privacy concerns. 65 Fed. Reg. at 82,779

-HHS estimated that 2,000,000 Americans did not seek treatment for mental illness due to privacy concerns. 65 Fed. Reg. at 82,777

-Millions of young Americans suffering from sexually transmitted diseases do not seek treatment due to privacy concerns. 65 Fed. Reg. at 82,778

-The Rand Corporation found that 150,000 soldiers suffering from PTSD do not seek treatment because of privacy concerns. “Invisible Wounds of War”, The RAND Corp., p.436 (2008). Lack of privacy contributes to the highest rate of suicide among active duty soldiers in 30 years.

Public distrust in electronic health systems and the government will only deepen unless these major design flaws are addressed.

The President’s Consumer Privacy Bill of Rights shows he knows that trust in the Internet and electronic systems must be assured. The same principles that will ensure online trust must also be built into the healthcare system — starting with Principle #1:

“Consumers have a right to exercise control over what personal data companies collect from them and how they use it.”

Patient Privacy Rights Calls for Patient Control Over Data Exchange on the Nationwide Health Information Network (NwHIN)

In our comments about the NwHIN, Patient Privacy Rights (PPR) urged the Office of the National Coordinator for Health IT (ONC) to use this critical opportunity to address the fatal privacy and security flaws in current systems and state and federal data exchanges. “Multi-stakeholder” public-private governance at the state and federal level has failed to gain public trust. Public-private governance assures that industry, research, and government interests trump the public’s rights to health information privacy.

To restore public trust, PPR strongly believes:

  • All state and federal data exchanges should be certified to assure that patients control the exchange of their health data. Privacy certification should be designed by a non-profit, patient-led organization with expertise in health privacy;
  • Data should only be exchanged using the Direct Project for secure email between patients, physicians, and other health professionals (with rare exceptions);
  • Patients should always give meaningful informed consent before their information is disclosed; and
  • Sensitive personal health information should only flow to those directly involved in an individual’s treatment, or to those who are conducting research in which an individual has agreed to participate.

Without a network designed to make sure individuals decide who sees their health records, Americans will grow even more wary of seeking needed treatment. We urge the ONC to act now to create a nationwide network that requires comprehensive data privacy and security measures to protect patients’ intimate personal health data. See comments here.

Health Care Reform: Let’s Not Forget Privacy And Data Security

See the full article at Forbes.com: Health Care Reform: Let’s Not Forget Privacy And Data Security

The Affordable Care Act poses many new threats to patient privacy because the health care system is already overloaded. The influx of new consumers into this market will put great stress on an already insufficient data privacy infrastructure. Bob Gregg, guest writer for Forbes.com, explains the strains and consequences caused by this new legislation.

“The Supreme Court’s decision to uphold the Affordable Care Act could guarantee health insurance coverage for the majority of the 50 million Americans who are now uninsured. While laudable in theory, this legislation doesn’t account for the strain these millions of new patients will have on an already overburdened healthcare ecosystem, especially when it comes to patient privacy and data security.”

Mr. Gregg looked to Patient Privacy Rights’ own founder, Dr. Deborah Peel, to explain what kind of ramifications this act will have for patients and their data privacy.

“My friend, Dr. Deborah Peel, founder of Patient Privacy Rights, tells me that ‘patients have no control over who sees or sells personal health information. Our health data is held in hundreds or thousands of places we have never heard of because of hidden data flows.’ Thousands of people, including researchers and government agencies, she says, have easy access to this information.”

The article goes on to list the four major issues this new burden on the health care system will cause and how it will affect consumers. The bottom line, he says, is “…The Affordable Care Act is designed to make healthcare available to the masses. But that availability comes at a price. Healthcare providers will have to shift tight budgets toward patient care and away from protecting patient privacy, leaving Americans vulnerable to the increasing frequency and cost of data breaches, medical identity theft, and fraud. Combine that with the HITECH Act, federal legislation that pushes healthcare providers into adopting EHR systems, and you have a perfect storm for unintended consequences surrounding patient privacy and data security.”

For even more information on how you can help keep patient data private visit our International Summit on the Future of Health Privacy website.

ACC privacy breach victim ‘felt suicidal’

See the full article at Radio New Zealand: ACC privacy breach victim ‘felt suicidal’

This story is about the effects of a data breach on a New Zealand woman with very sensitive information in her electronic health records.

Like “Julie” who told the story of how her mental health records were exposed throughout Partners Healthcare system, the New Zealand woman is also a victim of sexual abuse. The New Zealand corporation holding her data sent it to someone else along with information on thousands of other people.

Similar to the experiences reported by US victims of health data breaches, the response to her data breach was underwhelming and irrelevant to the resulting damages: i.e., emotional damage, loss of trust in the data holder, and no compensation for future ID theft or medical ID theft. No assurances or remediation were offered against future use or sale of her information, even though it often takes years to discover ID theft and medical ID theft. She was offered $250 as compensation, and the data holding corporation stated the amount was “based on the extent of the breach and the level of harm or potential harm associated with it, as well as the client’s individual circumstances.” Clearly an inadequate, insensitive response.

Apparently inadequate, ineffective, insensitive responses to data breaches occur across the globe.

In the US, there is no “chain of custody” for any sensitive personal information and no way to control who gets it. There is no way to track or prevent the flow of health information to hidden data users and thieves. BUT, you can help by adding to the map of hidden flows at theDataMap.org. US patients can’t weigh the risks vs. benefits of using electronic health systems without knowing who has copies of personal health records, from prescription records to DNA to diagnoses. WE don’t know if it is sold as intimate health profiles, used for ‘research’ or ‘data analytics’, for fraud, for extortion, or for ID or medical ID theft, etc.

In the US, few Congressional leaders fight to restore patient control over health data and to ensure data security. Most in Congress vote for the hidden data mining industry against the public interest and against patients’ rights to health information privacy. Two leaders, the co-chairs of the House Privacy Caucus, Representatives Barton and Markey, received “Louis D. Brandeis Privacy Awards” at the 2nd International Summit on the Future of Health Privacy in Washington, DC on June 6th. See: www.healthprivacysummit.org or http://tiny.cc/nrhkgw for the agenda. The video of the Celebration of Privacy will soon be posted there.

Electronic health information is THE most valuable personal information on Earth—and US corporations and government see and use it without our knowledge or consent to make decisions about us. Tell Congress to put you in control over who can see your sensitive electronic health information—to protect your job, reputation, and your children’s futures.