NHS legally barred from selling patient data for commercial use. When will the US wake up?

When will US bar sale of patient data for commercial use?

1st: Public has to wake up.

2nd: The LIE of sale of patient data for research must be exposed.

US law permits any corporation to buy/sell/sell/share patient data for commerce (i.e. BIG DATA analytics and proprietary products without patient consent or knowledge). This is a fact.

deb

This blog was written in response to the following article: NHS legally barred from selling patient data for commercial use

Judge Rules Patients Have a Reasonable Expectation of Privacy in Rx Records

The ACLU recently challenged the Drug Enforcement Administration’s practice of obtaining Oregon patients’ confidential prescription records without a warrant. PPR’s Dr. Deborah Peel submitted a declaration in support of the ACLU’s position, which you can read here.

 

Good news: It’s a win for privacy! In an opinion issued today, the judge ruled that patients have a reasonable expectation of privacy in their prescription records under the Fourth Amendment, and that the DEA needs a warrant to obtain records from the Oregon Prescription Drug Management Program (PDMP).

 

To read the judge’s opinion, click here.

 

To read more from Nathan Wessler, an ACLU attorney working on the case, click here.

 

Revelations by AOL Boss Raise Fears Over Privacy

By Natasha Singer
NYTimes.com, February 10, 2014

Tim Armstrong, the chief executive of AOL, apologized last weekend for publicly revealing sensitive health care details about two employees to explain why the online media giant had decided to cut benefits. He even reinstated the benefits after a backlash.

Tim Armstrong, the chief executive of AOL, apologized last weekend for publicly revealing sensitive health care details about two employees to explain why the online media giant had decided to cut benefits. He even reinstated the benefits after a backlash.

But patient and work force experts say the gaffe could have a lasting impact on how comfortable — or discomfited — Americans feel about bosses’ data-mining their personal lives.

Mr. Armstrong made a seemingly offhand reference to “two AOL-ers that had distressed babies that were born that we paid a million dollars each to make sure those babies were O.K.” The comments, made in a conference call with employees, brought an immediate outcry, raising questions over corporate access to and handling of employees’ personal medical data.

“This example shows how easy it is for employers to find out if employees have a rare medical condition,” said Dr. Deborah C. Peel, founder of Patient Privacy Rights, a nonprofit group in Austin, Tex. She urged regulators to investigate Mr. Armstrong’s disclosure about the babies, saying “he completely outed these two families.”

To view the full article, please visit Revelations by AOL Boss Raise Fears Over Privacy

 

New CLIA rule talks the talk, but it doesn’t walk the walk

Deborah Peel, MD, Founder and Chair of Patient Privacy Rights

The federal government released an update to the CLIA rule this week that will require all labs to send test results directly to patients. But the regulations fail to achieve the stated intent to help patients. The rule allows labs to delay patient access to test results up to 30 days, and the process for directly obtaining personal test results from labs is not automated.

The new rule also fails to help patients in significant ways:

  • Real-time, online test results are not required. The federal government should have required all labs to use technology that benefits patients by enabling easy, automatic access to test results via the Internet in real-time. Unless we can obtain real-time access to test results, we can’t get a timely second opinion or verify the appropriate tests were ordered at the right time for our symptoms and diseases.
  • Labs are allowed to charge fees for providing test results to patients.  If labs can charge fees, they will not automate the process for patients to obtain results. Labs that automate patient access to test results online would incur a one-time cost.  After labs automate the process, human ‘work’ or time is no longer needed to provide patients their test results, so the labs would have no ongoing costs to recoup from patients.
  • Labs should be banned from selling, sharing, or disclosing patient test results without meaningful informed consent to anyone, except the physician who ordered the tests. This unfair and deceptive trade practice should be stopped. No patient expects labs to sell or share their test results with any other person or company except the physician who ordered the test(s).

This rule raises a question: why do so many federal rules for improving the healthcare system fail to require technologies that benefit patients?

Technology could provide enormous benefits to patients, but the US government caters to the healthcare and technology industries, instead of protecting patients.

Current US health IT systems actually facilitate the exploitation of patients’ records via technology. When HHS eliminated patient control over personal health data from HIPAA in 2002, it created a massive hidden US data broker industry that sells, shares , aggregates and discloses longitudinal patient profiles (for an example, see IMS’ SEC filing with details about selling 400M longitudinal patient profiles to 5K clients, including the U.S. government.

Meanwhile, even the most mundane, annoying, repetitive tasks patients must perform today–like filling out new paper forms with personal information every time we visit a doctor–are not automated for our convenience or to improve data quality and accuracy.

Shouldn’t IT improve patients’ experiences, treatment, and restore personal control over sensitive health information?

deb

You can also view a copy of this blog post here

Guest Article: Can You Ever Opt Out from Data Brokers?

Check out the latest from Debra Diener, courtesy of Privacy Made Simple.

Consumers may wonder how it is that they get ads, emails and other information from companies with whom they have had no interaction on or off-line.  Maybe they’re particularly confused if they’ve set their privacy settings to block cookies and other tracking devices.

The reality is that data brokers gather, compile and then sell lists of personal information to companies.  So what can consumers do if they want to try and protect their information from being compiled and sold by data brokers?  The answer is “it’s not easy” especially given the numbers of data brokers and the range of information they collect.

Julia Angwin has written a newly published book, Dragnet Nation, that focuses, in part, on her efforts to identify data brokers and then get the information that brokers have about her.  I plan on reading her book as I heard her discuss it recently and have just read her January 30th article, “Privacy Tools: Opting Out from Data Brokers” posted on ProPublica (www.propublica.org).

Her ProPublica article summarizes the steps required by some of the data brokers in order for her to opt-out of information collection.  As Ms. Angwin writes, there’s no law requiring data brokers to offer consumers that option.  She very helpfully attaches two spreadsheets to her article with the names of companies tracking information along with links to their privacy pages and, for those data brokers offering an opt-out, the instructions for doing so.  As she writes, many of the data brokers require consumers who want to opt-out to provide personal  information and identification (e.g., driver’s license).

Ms. Angwin’s spreadsheets of 212 data brokers provides consumers with a very useful resource.  She is also very candid in describing the difficulties in finding her own information and what she calls “some minor successes” in finding data brokers who had her information and opting-out.

Should You Lose Your Gun Rights If You Visit a Shrink?

From Michael E. Hammond in the Washington Times: Obama’s gun-control dictate on ‘mental health’ threatens veterans’ rights

 

In a preternatural example of tone-deafness, an administration under fire for snooping into Americans’ privacy is now proposing to waive federal privacy laws so psychiatrists can report their gun-owning patients to the government.

The Department of Health and Human Service’s “notice of proposed rule-making,” floated by the White House in a Friday media dump, would waive portions of the federal Health Insurance Portability and Accountability Act (HIPAA) to allow psychiatrists to report their patients to the FBI’s gun-ban blacklist (the NICS system) on the basis of confidential communications.

The 1968 Gun Control Act bans guns for anyone who is “adjudicated as a mental defective or … committed to a mental institution.”

Unfortunately, under 2008 NICS Improvement Act, drafted by Sen. Charles E. Schumer, New York Democrat, and its regulations, that “adjudication” can be made by any “other lawful authority.” This means a diagnosis by a single psychiatrist in connection with a government program.

To read the full article, please click here.

Transparency: Brand Reputation and Patient Trust

Agreed: transparency is critical for patient trust. With so few HIT corporations putting patients in charge of personal health information (PHI), it is rare good news to see a companies like Jericho working on consent directives.

From the Article:

 
Keeping a solid brand in healthcare requires trust. Trust is important no matter the industry. However, in healthcare, trust is more personal. When it comes to patient care, much private, personal information is given by individuals and also received through physician engagement and various clinical tests. Patient information needs to be safeguarded, just as a patient intends it to be.

Recently, The University of Texas at Austin Health Information Technology Program, Jericho Systems Corporation, and Conemaugh Health System undertook a pilot to test if protected health information (PHI) can adhere to consent directives. The good news is they proved the integrity of a patient’s consent directive through the health information exchange. With this test, greater confidence in patient data security and privacy is gained. The work doesn’t stop here, as there are many practices necessary to support patient privacy and security as networks expand and exchanges broaden.

Equally important are practices to support data transparency in healthcare. Transparency should mean that patients know what data is being collected and who their data is being shared with.

The points are straightforward here, too.

  • Trustworthy brands in healthcare embrace transparency. Open communication about what information is being collected and shared rises to the same standard of protecting the privacy of designated PHI.
  • Brands build relationships, and relationships are built on trust. Transparency builds trust, as does consistently delivering on your promises made.

To read the full article, please visit: Transparency: Brand Reputation and Patient Trust

The Biggest Data Myths of 2013

The biggest myth about “Big Data” users of the entire nation’s health information is that personal health data was acquired legally and ethically.

Just ask anyone you know if they ever agreed to the hidden use and sale of sensitive personal information about their minds and bodies by corporations or “research” businesses for analytics, sales, research or any other use. The answer is “no.”

Americans have very strong individual rights to health information privacy, i.e., to control the use of their most sensitive personal information. If US citizens have any “right to privacy,” that right has always applied to sensitive personal health information. This was very clear for our paper medical records and is embodied in the Hippocratic Oath as the requirement to obtain informed consent before disclosing patient information (with rare exceptions).

The IPO filing by IMS Health Holdings at the SEC exposed the vast number of hidden health data sellers and buyers. Buying, aggregating, and selling the nation’s health data is an “unfair and deceptive” trade practice. (Read more of Dr. Peel’s comments on the IMS filing here.)

Does the public know or expect that IMS (and the 100’s of thousands of other hidden health data mining companies) buys and aggregates sensitive “prescription and promotional” records, “electronic medical records,” “claims data,” and “social media” to create “comprehensive,” “longitudinal” health records on “400 million” patients? Or that IMS buys “proprietary data sourced from over 100,000 data suppliers covering over 780,000 data feeds globally”? Again, the answer is “no.”

Given the massive hidden theft, sale, and misuse of the nation’s health information how can any physician, hospital, or health data holder represent that our personal health data is private, secure, or confidential?

deb

IMS Health Files for IPO – Is It Legal?

On January 2nd, IMS Health Holdings announced it will sell stock on the New York Stock Exchange. IMS joins other major NYSE-listed corporations that derive significant revenue from selling sensitive personal health data, including General Electric, IBM, United Health Group, CVS Caremark, Medco Health Solutions, Express Scripts, and Quest Diagnostics.

  • IMS buys and aggregates sensitive “prescription and promotional” records, “electronic medical records,” “claims data,” “social media” and more to create “comprehensive,” “longitudinal” health records on “400 million” patients.
  • All purchases and subsequent sales of personal health records are hidden from patients.  Patients are not asked for informed consent or given meaningful notice.
  • IMS Health Holdings sells health data to “5,000 clients,” including the US Government.
  • Despite claims that the data sold is “anonymous”, computer science has long established that re-identification is easy.
  • See brief 3-page paper by Narayanan and Shmatikov at: http://www.cs.utexas.edu/~shmat/shmat_cacm10.pdf)
  • See Prof. Sweeney’s paper on re-identifying patient data sold by states like WA at: http://thedatamap.org/risks.html
  • “Our solutions, which are designed to provide our clients access to our deep healthcare-specific subject matter expertise, take various forms, including information, tailored analytics, subscription software and expert services.” (from IMS Health Holding’s SEC filing)

 

Quotes from IMS Health Holding’s SEC filing:   “We have one of the largest and most comprehensive collections of healthcare information in the world, spanning sales, prescription and promotional data, medical claims, electronic medical records and social media. Our scaled and growing data set, containing over 10 petabytes of unique data, includes over 85% of the world’s prescriptions by sales revenue and approximately 400 million comprehensive, longitudinal, anonymous patient records.”   IMS buys “proprietary data sourced from over 100,000 data suppliers covering over 780,000 data feeds globally.”

How can this business model be legal?  How can companies decide that US citizens’ personal health data is “proprietary data,” a corporate asset, and sell it?  If personal health data ‘belongs’ to anyone, surely it belongs to the individual, not to any corporation that handles, stores, or transmits that information.

Americans’ strongest rights to control personal information are our rights to control personal health information. We have constitutional rights to health information privacy which are not trumped by the 2001 elimination of the right of consent from HIPAA (see: http://patientprivacyrights.org/truth-hipaa/ ). HIPAA is the “floor” for privacy rights, not the ceiling. Strong state and federal laws, and medical ethics require consent before patient data is used or disclosed. 10 state constitutions grant residents a right to privacy, and other states constitutions have been interpreted as giving residents a right to privacy (like TX).

Surely FTC would regard the statement filed with the SEC as evidence of unfair and deceptive trade practices. US patients’ health data is being unfairly and deceptively bought and sold.  Can the SEC deny IMS Health the opportunity to offer an IPO, since its business model is predicated on hidden purchase and sale of Americans’ personal health data?

If we can’t control the use and sale of our most sensitive personal information, data about our minds and bodies, isn’t our right to privacy worthless?

deb

To view the full article published in Modern Healthcare visit:  IMS Health Files for IPO

 

Data Mining to Recruit Sick People

Companies Use Information From Data Brokers, Pharmacies, Social Networks

Some health-care companies are pulling back the curtain on medical privacy without ever accessing personal medical records, by probing readily available information from data brokers, pharmacies and social networks that offer indirect clues to an individual’s health.

Companies specializing in patient recruitment for clinical trials use hundreds of data points—from age and race to shopping habits—to identify the sick and target them with telemarketing calls and direct-mail pitches to participate in research.

“I think patients would be shocked to find out how little privacy protection they have outside of traditional health care,” says Nicolas P. Terry, professor and co-director at the Center for Law and Health at Indiana University’s law school. He adds, “Big Data essentially can operate in a HIPAA-free zone.”

FTC Commissioner Julie Brill says she is worried that the use of nonprotected consumer data can be used to deny employment or inadvertently reveal illnesses that people want kept secret. “As Big Data algorithms become more accurate and powerful, consumers need to know a lot more about the ways in which their data is used,” Ms. Brill says.

To view the full article, please visit: Data Mining to Recruit Sick People (article published December 17, 2013)