The Rising Risk of Electronic Medical Records

See the full story at SmartPlanet: The Rising Risk of Electronic Medical Records

This story quotes Lee Tien, Bob Gellman, and me about health information technology, which prevents us from controlling who can see, use, or sell our electronic health data by design—-placing everyone in the nation at risk of job and credit discrimination based on health data.  Current technologies make hidden data flow easy, with no way for patients to opt-out or prevent personal data from flowing to an unlimited number of hidden corporate, government, for-profit research and data analytics users.

“Criminals can buy social security numbers online for about $5 each, but medical profiles can fetch $50 or more because they give identity thieves a much more nuanced look into a victim’s life, said Dr. Deborah Peel, founder of the advocacy group Patient Privacy Rights, which researches data breaches and works for tighter security on people’s personal health records.”

Discrimination causes millions to avoid medical treatment every year. It’s a fact of life with paper medical records too. But electronic health systems enable thousands of strangers to simultaneously access the records of millions of patients, so the theft, sale, and misuse of health data for discrimination, fraud, ID theft, and medical ID theft has skyrocketed. In paper records systems, patient files are kept in locked rooms or filing cabinets, making it hard to use or steal more than a few at a time. Anti-discrimination laws alone aren’t effective—we also need to know who has copies of our health data and be able to control who gets them.

““If the information leaked to an employer, it would have affected their jobs or reputations. All the time I’ve been practicing, it’s been a very important and delicate issue,” Peel said. “There are prejudices associated with psychiatric diagnoses. People have powerful reactions to the names of these things.” … Once genetic profiles are routinely added to the mix, access to electronic health data may predetermine who can get jobs or serve in public office, Peel warned… “If the world looked like that,” Peel said, “Lou Gehrig would never get a contract to be a ball player if the team knew he had a disease that would degenerate his muscles, or Ronald Reagan would never get elected president if they knew dementia ran in his family.””

Strong new laws are needed to prevent our health data from being used or sold without consent.  We should also have a complete ‘chain of custody’, naming every person and organization that has seen or copied our health information. Without these new legal rights, it’s impossible to decide whether the benefits of using health IT outweigh the risks to our future jobs and opportunities, to our kids’ future jobs and opportunities, and to our grandkids’ and relatives’ future jobs and opportunities.

FYI—HIPAA has NOT protected health data privacy since 2002, it is really a ‘Disclosure’ Rule, not a ‘Privacy’ Rule. See how consent, the right to control who can see and use your health information, was eliminated: http://patientprivacyrights.org/media/The_Elimination_of_Consent.pdf

BOTTOM line: existing technology solutions that enable us to control who sees our records are not required. Instead, the stimulus billions are being used to buy ‘Model T Fords’ that prevent patient control over personal data. Government and corporations (inside and outside healthcare) don’t want to ‘ask first’ before taking our most sensitive personal information.

Help build a map to show where health data flows:  Sign up to be a data detective and contribute to mapping the hidden flows of Americans’ health data at: theDataMap.org. A map of health data flow will prove Congress should act NOW to restore personal control over health data.

20 Million Affected by Health Breaches

See full story at Govinfosecurity.com: 20 Million Affected by Health Breaches

“The federal tally of individuals affected by major healthcare information breaches since September 2009 now exceeds 20 million. But two recently reported major incidents, estimated to have affected a combined total of more than 675,000, have yet to make the list, which now includes 435 incidents.

As of May 23, the breach list includes 29 incidents in 2012 affecting a total of about 935,000. By far the largest of those breaches is a Utah Department of Health hacking incident affecting 780,000 individuals, including Medicaid clients, Children’s Health Insurance Plan recipients and others.”

Targeted attacks cost companies an average of $200k

See the full article at SC Magazine: Targeted attacks cost companies an average of $200k

It always costs more to repair than to prevent. The curious thing is that federal law mandated basic security protections in HIPAA, but industry never bothered because the law was never enforced.

Here we are 12 years after the HIPAA Privacy Rule was implemented:

· the Coalition for Patient Privacy got MUCH tougher security rules and enforcement into HITECH

· breaches are rampant

· 80% of hospitals still don’t encrypt data

What’s wrong with this picture? Register for the 2nd International Summit on the Future of Health Privacy June 6-7 in Washington, DC–attending or watching via live streamingvideo is free: http://tiny.cc/p4fqew Security technologies are critical for privacy—see top US computer scientists discuss “ideal” technologies for health data privacy and security.

Re: Data-Mining in Doctor’s Office Helps Solve Medical Mysteries

The story concludes that “the benefits (of research) outweigh the (privacy) concerns”. But that statement was made by a hospital administrator, not by the patients whose data were used without consent. They weren’t asked or notified.

There are several problems with the idea that the benefits of doing research without consent outweigh the risks:

·       the lack of privacy and control over health information causes bad outcomes: when people realize that they cannot control health records, millions refuse diagnosis and treatment for cancer, depression, and sexually-transmitted diseases

·       there is no need to choose between respecting patients’ rights to privacy and doing research—it’s a false choice, consent technologies can enable people to easily choose and give automatic consents for research projects they support, or be contacted case-by-case for permission

·       there was no public debate about whether every American’s electronic health information should be used for research without consent

·       current electronic systems do not allow patients to control any uses of their health data—-why continue to use such badly-designed systems?

·       there are no “dangers of over notification” with today’s systems—in fact, patients get no notice at all when personal data is used for research

Americans have not agreed to a healthcare system that turns them into electronic guinea pigs.

Why not build patient-centered systems so we can make important decisions about ourselves, instead of hospital administrators and researchers choosing for us?  “Nothing about me without me.”

Crunch Two Data Sets, Call Me in the Morning

See full article in Bloomberg Businessweek Article

As hospitals are acquiring more and more digital patient data, they are quickly turning to “Big Data” tech companies with expertise in data-mining, which “has already led to some measurable improvements in patient care” according to hospital administration. However, patients are rarely notified when their records are being used in this way because the data is exempt from federal privacy protection due to their necessity for “quality improvement”. “People do not like to have researchers of any stripe using their electronic health records”, says Deborah Peel, MD of Patient Privacy Rights. “As a matter of respect and autonomy and patient-centeredness, patients want to be asked. When they are asked, by and large, they support this. It’s the not-being-asked stuff that’s really bad”. A breakdown in patient-physician trust about data privacy can cause huge problems with patient care arising from patients refusing to share all necessary information with physicians as a means to avoid exposure.

Report: HIEs failing at true interoperability

See a summary of the report by Mike Miliard at GovHeathITHIEs failing at true interoperability

· Healthcare organizations “must unlock the patient data in EHR silos of hospitals and affiliates to better coordinate and improve quality of care delivered. Health Information Exchange technology is the enabler.”

· Until EHR vendors incorporate a shared set of standards, HIEs will remain in a state of stunted development, said Moore: “Across the board, legacy systems fail to support true interoperability, and vendors are doing little to remedy this situation.”

· The report will also look to the future as to how this [Health Information Exchange or HIE] market will grow and evolve over the next several years as meaningful use requirements take hold, healthcare reform brings forth changes in reimbursement models, access to health data moves to mobile platforms and the consumer takes on a larger role.”
The quotes above show that the health technology industry and the government are beginning to face key facts:

· Data silos endanger patient health and safety: obviously we need our doctors to see relevant parts of our medical records held by other doctors/hospitals.

Electronic Health Records companies, hospitals, and the many other corporations that hold our electronic health information want to continue to “own”, control, and sell our personal health data. They built this system of “silos” that PREVENT data exchange (also called “interoperability”).  Corporations fiduciary duties to make profits for shareholders trump exchanging health information to save patients’ lives and reduce costs!

· Consumers = patients. If we say so, our health records must be shared with our physicians or other health professionals. This is matter of law.

No matter which corporations or health professionals hold our electronic health data, we are entitled to electronic copies. If you say your health data should be sent to another physician or health professional, the data holder must send it. ONLY individual patients or “consumers” have clear rights to control personal health information and have it sent to the other physicians and health professionals who are treating them.

· HIEs, data exchanges where patients have no meaningful control over who can copy and use their health information, are not the answer.

How “Direct” exchange works (via the “Direct Project”): a participant (like our physicians) can send secure, encrypted health information directly to a known, trusted recipient over the Internet. Unlike the case with HIEs, personal health information can’t be “pulled” from the 10, 20, or 100 places that hold our health records. Using the “Direct” method, someone has to decide to send one patient’s data to another person.

We [“consumers”] are the ONLY ones who can quickly, easily, and legally get and “exchange” our own health records at will. Hippocrates Oath, the foundation of the physician-patient relationship, states that sensitive health information should ONLY be shared with the patient’s consent.  Data exchanges like the Direct Project

The only way electronic health systems can work and earn the public’s trust is if data flows are controlled by patients, with very rare legal exceptions.

The Depressing State of HIEs

See the full article at Hospital EMR and EHR: The Depressing State of HIEs

Yes, the state of Health Information Exchanges (HIEs) in the US is depressing, because many don’t work well for patients or doctors. They enable hundreds or thousands of strangers who work for hospitals, insurers, health IT companies, etc to exchange, use, or sell our sensitive medical records without our consent.

The safe way to exchange health information is to use secure email and patient consent, this is called the “Direct Project”. See: http://directproject.org/ . It enables us to share our health information between two health professionals and email physicians. The Direct Project enables “participants to send authenticated, encrypted health information directly to known, trusted recipients over the Internet.”

Patient Privacy Rights (PPR) endorses the “Direct Project” as the ONLY legal, ethical, and secure way for sensitive patient information to be exchanged.  The public will not trust HIEs or national data exchange models unless patients control the disclosures of their sensitive health records.

A quote from the story below shows financial interests of Accountable Care Organizations (ACOs) can trump patients’ interests: “Some ACO providers are now blocking access to their data so competitors can’t get to it”—-that means doctors who are not part of the ACO but who treat ACO patients can’t see their test results and treatment records–even when these patients want them to have that information.

Some ACOs and other businesses view HIEs as vehicles to get more patient data, rather than as a means to serve patients’ needs for care coordination, to avoid duplicate tests, to ensure better treatment, or enable them to give consent for research use of their data.

Many corporations and businesses that HOLD patient data imagine they own it, so they use and sell it without patient consent. US law and medical ethics still require meaningful, informed patient consent before physicians or data holders can disclose anyone’s health information. “HIPAA compliance” actually does NOT get data holders off the hook for asking patients for consent before disclosing data. According to the HIPAA Privacy Rule, it’s “the floor” for data privacy protection, not the ceiling. 67 Fed. Reg. at 53,212 (August 14, 2002).  HIEs designed to further business interests over patients’ interests will continue to fail, because the public will not support them.

It turns out that the only person who can easily, cheaply, and legally make patient data flow for all the right reasons (treatment, research), to all the right all the people (a specific doctor or researcher) at the right time is YOU.

Only you can tell an ACO to send your data to an outside clinician —- and the ACO must send it, whether it gives competitors an advantage or not. Only you can make your data “fluid”, because patients are the only people with clear, longstanding Constitutional, legal, and ethical rights to disclose personal health information.

In PPR’s recent comments about building a Nationwide Health Information Network (NwHIN), we urged the Office of the National Coordinator for Health IT (ONC) to address the fatal privacy and security flaws in current systems and state and federal data exchanges. We urged ONC to certify that HIEs and data exchanges protect privacy by verifying that only patients decide when/where personal data flows.  “Multi-stakeholder” public-private governance at the state and federal level has failed to gain public trust.  Public-private governance assures that industry, research, and government interests trump the public’s rights to health information privacy. See: http://tiny.cc/e1v0gw for more information.

Texas Error Exposed Over 13 Million Voters’ Social Security Numbers

See the full article in DataBreaches.net: Texas Error Exposed over 13 Million Voters’ SSNs

This story shows it’s easy to disclose the social security numbers of 13 million people at once. The data came from Texas’ voter registration data base, which was attached to a court report, BUT security breaches of the personal health information of millions of patients is also very common (see recent Utah and BCBS of TN breaches). Today’s electronic systems enable many new ways to breach data security and expose personal information.

The story below is about a government employee who attached over 13 million SSNs to a report and sent it to a 3rd party without anyone else reviewing his/her actions before the data was disclosed.  Where should the bar be set for disclosing personally identifiable information in any report?  At 1 million records? At 100 million records?

Most of the US health care system lacks effective protocols and procedures to protect data security and to prevent inappropriate data release and data breaches. Health data privacy and security require comprehensive and meaningful protections. We have a long way to go. Vastly expanding health IT systems before these problems are solved is a prescription for more data

Ex-Vernal officer accused of using state database to commit burglary for prescription drugs

See full story in the Salt Lake City Deseret News.

“VERNAL — Two Vernal residents say they intend to sue the state of Utah and the city of Vernal, claiming that a police detective improperly accessed a prescription drug database and used the information he obtained to steal painkillers from them…

That system is the Utah Controlled Substance Database, according to Walker, which was first created in 1995 and then expanded two years ago. It collects and tracks all information on prescription drugs dispensed by pharmacies in Utah. Its use is restricted to doctors, pharmacists and law enforcement officers for the purpose of identifying patients or doctors who might be overusing, over-prescribing or abusing prescription drugs.

Police can access the database by providing an active case number, and they are supposed to have probable cause before accessing an individual’s prescription information.

Former Vernal police detective Ben M. Murray ignored those requirements when he looked up Smithey and Holmes’ information and went to their home several times in 2011, Walker said.

“The officer used that system freely and was able to track these individuals and figure out when they got their prescriptions, how many pills they had,” the attorney said. “He comes in gun, badge, uniform (and) tells them he’s there for a ‘pill count’ and … while they’re talking and distracted, he’s grabbing pills and putting them in his pocket.””

Patient ID information stolen at Memorial hospitals

See full story in the SunSentinel: Patient ID information stolen at Memorial hospitals

“Patients of Memorial hospitals in south Broward County had their identities stolen by employees who wanted to use the information to make money filing phony tax returns, Memorial officials said Thursday.

Two employees have been fired and are under criminal investigation by federal agents for improperly gaining access to the patients’ information, said Kerting Baldwin, a spokeswoman for tax-assisted Memorial Healthcare System, parent of five Memorial hospitals.

Memorial sent letters Thursday to about 9,500 patients whose identities may have been exposed by the two employees. Baldwin could not say how many of the 9,500 identities were stolen or whether any of them were misused to file false tax returns.”