Poll: Huge majorities want control over health info

AUSTIN, TX – Patient Privacy Rights, the health privacy watchdog, has enlisted the help of Zogby International to conduct an online survey of more than 2,000 adults to identify their views on privacy, access to health information, and healthcare IT. The results were overwhelmingly in favor of individual choice and control over personal health information.

View the full poll results here.

Ninety-seven percent of Americans believe that doctors, hospitals, labs and health technology systems should not be allowed to share or sell their sensitive health information without consent.

The poll also found strong opposition to insurance companies gaining access to electronic health records without permission. Ninety-eight percent of respondents opposed payers sharing or selling health information without consent.

“No matter how you look at it, Americans want to control their own private health information,” said Deborah Peel, MD, founder of Patient Privacy Rights. “We asked the question, ‘If you have health records in electronic systems, do YOU want to decide which companies and government agencies can see and use your sensitive data?’ Ninety-three percent said ‘Yes!’”…

…The group advocates a ‘one-stop shop’ website where consumers can set up consent directives or rules to guide the use and disclosure of all or part of their electronic health information; if a request to use or sell health data is not covered by privacy rules, they can be ‘pinged’ via cell phone or e-mailed for informed consent.

Patient Privacy Rights calls this solution the “Do Not Disclose” list – similar to the national “Do Not Call” list. If a patient’s name is on the list, any organization that holds his or her sensitive health information, from prescriptions to DNA, must first explain how that information will be used before being granted permission.

Consumer Advocate: Patient Consent Vital

Deborah Peel, M.D., founder of Patient Privacy Rights, on protecting the privacy of healthcare information.
Listen to the Interview Here.

Patients have inadequate control over who can access their healthcare information, but existing technologies can solve the problem, says consumer advocate Deborah Peel, M.D.

Her organization, Patient Privacy Rights, recently issued a white paper outlining an approach to giving patients opportunities to offer informed consent for accessing their records. In an interview, Peel outlined the key points in the report…

View a PDF version of the white paper: The Case for Informed Consent
Listen to the interview: Patient Consent Vital

What do we think of the new recommendations?

The Tiger team continues to make policy recommendations that clearly violate the law and the Administration’s new privacy policies. See story on release by Modern Healthcare.

Apparently they did not hear Secretary Sebelius announce a new “Administration-wide commitment to make sure no one has access to your personal information unless you want them to” on July 8th (see here).

Or hear Dr. Blumenthal say “we want to make sure it is possible for patients to have maximal control over PHI.” See: http://patientprivacyrights.org/2010/07/ppr-impressed-with-hhs-privacy-approach/

At the Consumer Choices Technologies Hearing on June 29th, one of the ‘granular consent’ technologies demonstrated has been exchanging behavioral health records on 4 million patients for over 10 years, in 9 states and 22 jurisdictions. Newer, more robust consent technologies showcased that day are also in use. See: http://nmr.rampard.com/hit/20100629/default.html

The Tiger team calls these privacy-enhancing technologies “looming” because they are not widely used. If the HIT Policy Committee recommends against technologies for robust consent and segmentation, as they did for “meaningful use” EHRs, they ensure the limited use of privacy-enhancing technologies, which can therefore continue to be described as “looming”. It’s a neat trick to recommend policy that perpetuates the status quo and violates our rights to health privacy. To create wide use of these technologies, they must be required in policy as well as the law.

HITECH in fact does require patient consent before PHI can be sold and states that private-pay patients should be able to prevent their data from flowing to insurers for payment and health care operations. And it is also a legal and ethical requirement to obtain informed consent before disclosures of sensitive health information in all 50 states. Therefore, robust electronic consents and segmentation are required by law today. Policies should match the law.

Instead, the recommendations from the Tiger team guarantee that the theft and sale of patient data will grow exponentially and data will flow unchecked by patient consent or segmentation through HIEs and the NHIN to even more thieving vendors and corporations. Americans’ jobs, credit, and reputations are being destroyed to improve corporate revenues. This sick, greedy transformation of the health care system cannot be hidden and will destroy trust in HIT, HIE, and in legitimate clinical, academic, and public health and population research.

Most HIT products and systems were not designed to comply with patients’ rights to control personal health information. And vendors won’t ever willingly update them, because selling patient data can be a far greater source of revenue than selling software or caring for sick people.

Back to the crucial question: how can the Tiger team recommend policy that violates existing law? Why don’t the Tiger Team and the HIT Policy Committee recommend that HIT vendors , CEs, and BAs COMPLY with state and federal privacy laws and protections and meet patients’ expectations?

The Tiger Team and HIT Policy Committee are both dominated by CEOs, employees, and beneficiaries of vendors or corporate for–profit “research” industries that want all OUR data without consent. Their fiduciary duties to stockholders explain their decisions to recommend policies that violate our privacy rights.

Today the health data theft/sale industry and corporate for-profit research industry are in charge of federal policy-making.

Their flawed business models, based on misleading shareholders and the public about what they really do, are fraudulent and deceptive trade practices.

The SEC brought Goldman Sachs to heel for misleading shareholders and the public about what their business model really was. The data theft and data sales industries and the corporate for-profit ‘research’ industry do exactly the same thing.

The entire US health care and HIT system will end up tarred and feathered and lose the public’s trust unless the health care and HIT corporations that protect privacy rights, and genuine clinical and academic researchers stand with patients to demand that patients control PHI.

Sign the ‘Do Not Disclose’ petition at http://patientprivacyrights.org/do-not-disclose/ and demand your rights to health privacy be enforced.

ONC IS MAKING HISTORY!

ATTEND THE FIRST EVER HEARING ON PRIVACY-ENHANCING TECHNOLOGIES IN THE NATION.

Register here.

The hearing, scheduled all day on June 29th, will showcase 7 innovative, existing privacy-enhancing Health IT products and systems, and future technologies. The technologies will be discussed by 4 experts and the Privacy and Security Tiger Team.

Early this year, Dr. Blumenthal met with the bipartisan Coalition for Patient Privacy. He told us our idea for this conference struck him as “very intriguing. Two principles should animate our policy development. Patients/consumers come first, and the process should be fair and open.” So he agreed to hold a hearing.

Register to attend the hearing at: http://www.blsmeetings.net/consumerchoicetechnologyhearing/
For agenda see: http://healthit.hhs.gov/portal/server.pt?open=512&mode=2&objID=2833&PageID=19423

This is the first hearing ONC has ever held that is focused solely on privacy rights and patients’ expectations to control sensitive health records, from prescriptions to DNA. It is VERY timely because billions in stimulus dollars are about to flow.

What kinds of systems do you want to get the stimulus billions??? Current HIT systems that facilitate the data mining, theft, and sale of personal health information or systems that put YOU in control of YOUR information?

Inside-the-beltway domination of policy and standards by major legacy health IT vendors, many major hospitals, the health data mining industries, and physicians’ organizations has made it very hard for consumer and privacy advocates to be heard, even though we represent the majority of the American public. The fear is if they have to ask first to see or use our health information, we might refuse. And we might. But it’s our right to do so.

Today’s HIT systems put our jobs and our kids’ futures at risk by exposing everything from our prescription records to our DNA to sale and theft. Once our health data is exposed, like Paris Hilton’s sex video, we can never make it private again.

Showcasing technology that empowers patients to actively share data for treatment, personal benefit, and for research, while empowering patients to protect personal information to prevent harms is critical—especially now as HHS prepares to spend billions on EHRs and models for data exchange that do not require meaningful and comprehensive privacy controls.

The video of the hearing will be a critical online resource for the public, the media, states, and the world. There is no other way to learn about robust privacy-enhancing technologies that meet patients’ expectations and rights to control use of PHI while enabling compliance with strong state and federal laws, medical ethics, and our Constitutional rights to privacy.

Latanya Sweeney’s testimony and slides show the need to choose the right HIT technologies and systems up front, rather than letting “100 weeds fester.” See her testimony at: http://patientprivacyrights.org/wp-content/uploads/2010/04/Sweeney-CongressTestimony-4-22-10.pdf
See her slides at: http://patientprivacyrights.org/wp-content/uploads/2010/06/Sweeney-TrustworthyNHINDesigns.pdf

If you cannot attend in person, PLEASE listen in and comment at the end during the comment period or submit comments online. The video link of the hearing will be posted the following day.

TAKE PART: Tell ONC to build privacy-enhancing health IT systems you can trust. Tell ONC to build privacy-enhancing EHRs and systems for data exchange, don’t blow the stimulus billions on systems that will never be trusted.

If we don’t fight for our rights to control sensitive personal health information, we will never GAIN the right to control the rest of our personal information online and in the Digital World.

Thanks for helping to save privacy!

A Start to Securing PHI?

Sometimes press releases for new products tell us far more about the risk of identity theft in electronic health systems than the mainstream press or trade journals.

Check out this zinger quote: “Most organizations don’t even know where their PHI is.” Why doesn’t the mainstream press tell the public that the health care organizations (like hospitals) have no idea where all their sensitive personal health data resides?

How about this: “The software (Identity Finder) automatically finds PHI such as social security numbers, medical record numbers, dates of birth, driver licenses, personal addresses, and other private data within files, e-mails, databases, websites, and system areas. Once found, the software makes it simple for users or administrators to permanently shred, scrub, or secure the information.” Emails? Who sends drivers license numbers, SS#s, and Dates of Birth in emails? Clearly lots of healthcare organizations do.

We can only hope products like this sell.

See full article at:

http://news.prnewswire.com/DisplayReleaseContent.aspx?ACCT=104&STORY=/www/story/05-05-2009/0005019328&EDATE

Is not just celebs who need strong security and privacy for PHI

‘Smart’ EHR software designed for security, privacy, and compliance with the law and ethics, would allow only those who have your informed consent to access your records. Staff and employees who carry out the orders of your attending physician could access your records under the informed consent you give your physician, by electronically affirming they are part of your treatment team. Instead of primitive, legacy EHR systems that allow 10,000 hospital staffers or employees access to your records, in a ‘smart’ EHR system only the 100 or so directly involved in your treatment could get into your PHI, preventing 9,900 snoopers’ eyes from seeing anything.

Is not just celebs who need strong security and privacy for PHI–what about women whose abusers work for hospitals? What about all the minor local celebs? Do you want your nosy neighbor who is a clerk to be able to read your records?

Stepping up employee snooping via retroactive audits is EXTREMELY expensive (major hospitals have to have large technical staffs to be able to audits millions of accesses looking for those that should not have occurred). ‘Smart’ consent technologies exist. Retroactive audits for improper access are like looking for needles in a haystack UNLESS you are Nadya Suleman or some other celebrity whose EHR is being actively watched. Why not keep the horses from getting out of the barn in the first place?

Refer to COMPUTERWORLD story: “Kaiser fires 15 workers for snooping in octuplet mom’s medical records“.

DoD does WHAT?

It is fascinating that the DoD clearly believes it owns and can use the personal health information of 12 million active duty military personnel for whatever purpose it decides. In this case, the DoD is paying a for-profit corporation to do research on active duty military personnel without their consent.

Maybe when you join the military you lose all privacy and Constitutional rights. I don’t know, I’m not a lawyer. If so, that is a steep price to pay to serve your country: losing all health privacy for yourself and your relatives forever. Do those who join the armed forces know they are signing up to become medical guinea pigs? Do they really understand the consequences for their futures and their families futures?

Many questions abound:

• Are the electronic records adequately secured? What a rich target: 12 million health records! What if enemies hack the privately held data base to learn about key military leaders?

• Will Phase Forward continue to use and sell the records for other purposes as HIPAA authorizes? Other data management corporations (such as Thomson Medstat) the government pays to perform fraud and waste audits obtain millions of health records that they later aggregate and sell to employers without anyone’s consent.

• Furthermore–this is clearly medical research without informed consent. That is simply unethical and illegal. The US signed the Declaration of Helsinki after WW II because Nazis did human research without consent. Back then America recognized the need for informed consent before research takes place. Today, the codes of research and medical ethics still require patients to give informed consent before personal records can be used or disclosed. Why is this project not being done with informed consent when new ‘smart’ electronic consent tools could make it easy, cheap, and fast to obtain informed consent and explain all the risks and consequences?

Review this article from the Washington Post’s Government Inc. Blog for more information:
Data Mining for DoD Health

Military health forum envisions clinical analytics — by Peter Buxbaum

David Winn is right, when you sign up for the military, you have to do whatever they say.

The problem is that the Administration and the federal government has the same thing in mind for every American–no control over access to PHI.

The payers think they own our PHI and should be able to do whatever they want with it–even though it’s both illegal and unethical. That is why industry is pressing Congress to pass an HIT bill without consumer control over access to PHI. BUT—people will lie or not participate in electronic health systems if their data is used without consent—which means we will never get the kind of research we want because the data analyzed will be incomplete and flawed.

Americans just want to be asked for consent for research and be sure that HIT systems are safe and secure.

View Full Article