Re: Utah’s Medical Privacy Breach – Nearing 1 Million!

The Utah Dept of Health didn’t protect close to one million patients’ sensitive health data. Utah handles health information the way 80% of the US healthcare sector does: very poorly. Weak passwords and unencrypted health information are typical. Just last November, an SAIC/Tricare data breach of 4.9 million unencrypted records was reported.

The US healthcare industry has ignored federal law requiring encryption since 2005. Encryption is well-known to be the standard for protecting health data. But why do it if there is no enforcement and the cost of a fine or settlement is so low?

Instead of expanding electronic health records systems and exchanging millions more sensitive health records, the federal government should enforce the law and require the massive security flaws in existing health data systems be fixed. And whenever there are breaches, victims should have the technology tools to verify whether future claims are genuine to prevent medical ID theft and someone else’s record from receive credit monitoring for at least 3 years.

Learn more about the lack of health data privacy and security. Register to attend or watch the 2nd International Summit on the Future of Health Privacy, “Is there an American Health Privacy Crisis” on live streaming video at: http://www.healthprivacysummit.org

Health privacy issues can be resolved without obstructing care

See full article in FierceHealthIT: Health privacy issues can be resolved without obstructing care

Ken Terry writes about the big issues with patient privacy today and possible solutions.

“At times, it seems like concerns about the security and privacy of healthcare data have catapulted into overdrive: For instance, it recently was predicted that healthcare spending on security would hit $70 billion a year by 2015–enough to cover the majority of the uninsured. Sure, there are plenty of security breaches–some of them serious enough to attract public attention. But as a few recent cases show, universal encryption of data (some forms of which may soon be required under the latest HIPAA rules) could eliminate the biggest source of security breaches. Also, with the advent of virtual desktop infrastructure, there’s no reason to store any personal health information on end-user devices.
Another challenge in the security arena is giving consumers the ability to control who sees their records. While most physicians now have their patients sign HIPAA forms so that they can share data with other providers, the advent of electronic health information exchange (HIE) has greatly increased access to a wide range of individually identifiable data from a variety of sources. And patients may not want everyone who treats them to know, for example, that they have seen a psychiatrist.”

Re: BCBS Breach in Tennessee

The Office of Civil Rights in the Dept of Health and Human Services (OCR) slapped the wrist of BCBS of Tennessee.

One million people’s protected health information was breached because Blue Cross Blue Shield (BCBS) of Tennessee violated data security laws. The settlement cost BCBS a little more than $1.00 per person—hardly a deterrent to other corporations or adequate punishment. However, that amount happens to be the same as the highest possible fine permitted by law (HITECH).

Still it appears that criminal charges could have been filed for “willful disregard” rather than OCR accepting a settlement. OCR’s finding that legally-required “adequate administrative and physical safeguards” were lacking is evidence of “willful neglect”.

Worst of all, the one million victims received NO protection against future ID theft or medical ID theft. OCR could have also required BCBS to mitigate future patient harms, but didn’t. New technologies can protect against medical ID theft by enabling patients to review all new claims, so they can detect and prevent fraudulent claims and erroneous data from being entered into their records.

Why didn’t OCR propose that BCBS adopt remedies to protect the patients whose records were breached from further misuse and theft?  Shouldn’t OCR help protect victims?

Re: Offense must be the new defense, RSA chief says

In response to the Government Security News (GSN.com) article: Offense must be the new defense, RSA chief says

From a major cybersecurity conference, “IT systems already are or will be compromised and security efforts must shift to detecting and mitigating compromises and protecting data in compromised systems.”

FLASH: Health data systems are just as compromised as those in every other sector of the economy and government, but it’s rarely mentioned. With the HIT and healthcare industries in denial, who will secure and protect the nation’s electronic health information?

At the same conference a solution was proposed, “the future of security and privacy in a world in which vulnerabilities and exploits are inevitable lies in protecting data through the use of metadata associated with policies that will let creators and owners control data.”

FYI: last year meta-tagging health data to protect privacy was proposed by the President’s Council of Advisors on Science and Technology (PCAST). PPR testified at the HIT Policy Committee in favor of meta-tagging health data. But the HIT and Healthcare lobbies killed it.

It’s back to business as usual: selling and using abysmal health IT systems and data exchanges without effective privacy or security protections — so healthcare corporations, hospitals, health plans, doctors, HIT companies, labs, pharmacies, etc can all use or sell our personal health data for discrimination and other purposes we would never agree to.

It’s time for Congress to support the Administration’s new Consumer Bill of Privacy Rights and put people in control of personal data online and in data systems by requiring robust, existing privacy and consent technologies or meta-tagging. Americans’ longstanding legal and ethical rights to health privacy must be restored so people are willing to participate in electronic health systems.

Without remedies now, “trust in our digital world is at risk.”

911 Broadcasts: A Privacy Invasion?

See the full article on GovInfoSecurity.com: 911 Broadcasts: A Privacy Invasion?

The extensive news media coverage of a 911 emergency call about actress Demi Moore is calling attention to an important issue: The need to protect privacy…

…Daniel Solove, professor at the George Washington University Law School, wrote in a blog that the release of 911 calls violates the constitutional right to privacy. He also argues that although 911 call centers are not HIPAA-regulated, like a hospital or a physician, they often provide healthcare advice.

Solove writes: “If the call from Demi Moore’s home had been to a hospital or a doctor or any other type of healthcare provider, public disclosure of the call would be forbidden. Why isn’t a 911 call seen in the same light?” And that, indeed, is a good question.

Deborah Peel M.D. of Patient Privacy Rights argues that release of a 911 tape or transcript should be considered a HIPAA violation because the 911 operators “are in effect working on behalf of hospitals and emergency centers as part of the patient’s treatment team.”

Peel highlights another risk involved in publicizing 911 calls: “If the public realizes that 911 calls can be made public, then anyone with a medical emergency they don’t want the information to be seen by the local media or read by everyone in the city or state will stop calling and risk their lives.”

A HIPAA Violation?

So why are audio tapes of 911 calls broadcast so commonly on TV? Well, technically, 911 services aren’t covered entities under HIPAA because they don’t directly deliver or bill for healthcare, says attorney Robert Belfort of Manatt, Phelps & Phillips LLP.

Re: Health Industry Under-Prepared to Protect Patient Privacy, Says PwC Report

In response to the Security Week article: Health Industry Under-Prepared to Protect Patient Privacy, Says PwC Report

The US is facing an unprecedented privacy crisis. The healthcare industry is extremely negligent about protecting data security and privacy (patient consent). At the same time 3/4 of the healthcare industry further risks patient privacy by selling or intending to sell data for secondary uses. Data theft and sales are driven in large part because, “Digitized health data is becoming one of the most highly valued assets in the health industry.”

  • Sixty-one percent of pharmaceutical and life sciences companies, 40 percent of health insurers, and 38 percent or providers currently share information externally. Of those organizations that share data externally, only two in five pharmaceutical and life sciences companies (43 percent) and one in four insurers (25 percent) and providers (26 percent) have identified contractual, policy or legal restrictions on how the data can be used.
  • Most corporations using patient data lack an effective consent process, “Only 17 percent of providers, 19 percent of payers and 22 percent of pharmaceutical/life sciences companies have a process in place to manage patients’ consent for how their information can be used.”

It’s a double whammy—not only is sensitive health information at high risk of misuse, sale, and breach INSIDE healthcare organizations, it’s also sold to OUTSIDE organizations that lack effective security and privacy measures.

  • “Nearly three quarters (74 percent) of healthcare organizations surveyed said they already do or intend to seek secondary uses for health data; however, less than half have addressed or are in the process of addressing related privacy and security issues.”

PriceWaterhouseCoopers surveyed 600 executives from US hospitals and physician organizations, health insurers, and pharmaceutical and life sciences companies. Data security and privacy practices were abysmal despite new enforcement efforts by the Administration, and despite hundreds of major data breaches compromising the privacy of millions of Americans.

Why aren’t Congress and the public outraged that the privacy and security of health information is so bad? If the banking industry operated like this there would be MAJOR oversight hearings and new laws.

The idea that today’s electronic healthcare systems and data exchanges safeguard health data is simply wrong. Clearly federal and state oversight and penalties for failure to protect the most sensitive personal data on earth need to be increased.

HIStalk Interviews Deborah Peel MD, Founder, Patient Privacy Rights

Give me some brief background about yourself and about Patient Privacy Rights.

I never expected to be leading this organization or ever even thought about that. In my younger days, I practiced full time as a psychiatrist and Freudian analyst for a very long time, until it became clear that things were happening in DC that would make effective mental healthcare impossible. Namely, that there were lots of different ideas being floated; for example, the Clinton healthcare initiative. There was a part of it that was going to require everyone’s data from every physician encounter be recorded in federal database.

Fast-forward to the HIPAA privacy rule. That’s what really convinced me of the need for a voice for consumers, because there really wasn’t any. What I’m talking about there is, of course, the change in 2002 that happened under everyone’s radar except for – and this is the is the laugh line – when the 3,000 Freudian psychoanalysts in the nation noticed that consent was eliminated.

In 2004, I started Patient Privacy Rights because there was no effective representation for the expectations and rights that the majority of Americans have for how the healthcare system is going to work. Namely, that people don’t get to see their information without consent. Since founding PPR in 2004, we’ve still been the national leading watchdog on the issues of patient control over information and even internationally. Our power has come because when we came to DC, the other people that were working on privacy, human rights, and civil rights recognized that because of my unique position as a physician and deep understanding of how data flows, that I knew what I was talking about.

We very quickly got a pretty amazing bipartisan coalition of over 50 organizations. That enabled us to put these issues and problems on the map.

We had some incredible successes in HITECH. Virtually all of the new consumer protections came from our group, including the ban on the sale of PHI, the accounting of disclosures, segmentation, the new requirement that if you pay out of pocket for treatment you should be able to block the flow of that data to health plans and health insurers. We were the ones that worked with Congressman Ed Markey on getting encryption, required stronger security protections, and worked with Senator Snow to get meaningful breach notice into the rules.

All of this work lead to the first-ever summit on the future of health privacy this past summer in DC. The videos and the entire meeting can be seen or streamed online at www.healthprivacysummit.org.

If somebody said you had to choose between accepting healthcare IT as it is today or going back to purely paper-based systems, which would you choose?

We’ve never been in favor of going back to paper…

Stanford medical records posted on public website, now removed

Below is part of the story published by MercuryNews.com, quoting Dr. Deborah Peel, founder of Patient Privacy Rights.

“The electronic medical records of 20,000 Stanford Hospital emergency room patients, including names and diagnostic codes, were posted on a commercial website, the hospital disclosed Thursday.

Personal information about patients seen between March 1 and Aug. 31, 2009, has been removed from the website and an investigation is under way, according to Stanford Hospital spokesman Gary Migdol.

But the startling breach — caused by a vendor’s subcontractor, who has assumed responsibility — raises questions about the privacy of medical information as it passes through many hands.

In one instance, it revealed a psychiatric diagnosis of a Santa Clara patient.

The released information also included medical record numbers, hospital account numbers, billing charges and emergency room admission and discharge dates. Credit card and Social Security numbers were not included…

…Americans expect doctors and hospitals to use their records only with consent, said Dr. Deborah C. Peel, founder of the watchdog group Patient Privacy Rights, “not to give them to legions of contractors and strangers. Existing regulations are just not strong enough to protect Americans’ sensitive health information. Today’s electronic health systems are not safe or trustworthy.””

Stanford Hospital investigating how patient data ended up on homework help website

A key conclusion from the audience of experts at the first summit on the future of health privacy was HIPAA has not been effective at protecting patient privacy. Jaikumar Vijayan quoted Deborah C. Peel, MD, founder and chair of Patient Privacy Rights, on the problems with HIPAA and the need to restore patient control over health information in this story. See videos of the summit at: www.healthprivacysummit.org

“Stanford University Hospital in Palo Alto, Calif. is investigating how a spreadsheet containing personal medical data on 20,000 patients that was being handled by one of its billing contractors ended up publicly available for nearly one year on a homework help site for students.

The spreadsheet first became available on the site last September as an attachment to a question supposedly posed by a student on Student of Fortune, a website that lets students solicit help with their homework for a fee. The question sought help on how the medical data in the attachment could be presented as a bar graph, The New York Times reported on Thursday.

A Stanford Hospital & Clinics representative told Computerworld in a statement that the hospital discovered the file on August 22, and took action to see it was removed within 24 hours.

“A full investigation was launched, and Stanford Hospital & Clinics has been working very aggressively with the vendor to determine how this occurred, in violation of strong contract commitments to safeguard the privacy and security of patient information,” the statement said…

The breach shows yet again how ineffective HIPAA has been in getting organizations that handle healthcare data, to take better care of it, said Deborah Peel founder and chairman of the Patient Privacy Rights Foundation .

Much of the problems stem from the indiscriminate sharing of sensitive personal information among “legions of secondary users”, she said. The average hospital has between 200 and 300 outside vendors and partners with access to patient data, Peel said.

“We do not have an effective federal health privacy law. HIPAA was gutted in 2002 when control over who can see and use patient data for all routine uses was eliminated,” she said.

The only way to really get a grip on the problem is to allow patients to exert more control over who has access to their data. “Data should be used for a single purpose after the patient gives consent such as consent to use the data to pay a claim or send to a consultant.”

“Consent should be obtained for any secondary or new uses of data,” she said. All organizations that handle health data, including third parties should be certified to adhere to the highest standards of data security, Peel said.

Patient Data Posted Online in Major Breach of Privacy

This New York Times article by Kevin Sack outlines the key findings by experts at the Health Privacy Sumit: There are SERIOUS flaws in electronic health records when it comes to privacy, and these need to be addressed NOW.

“A medical privacy breach led to the public posting on a commercial Web site of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., including names and diagnosis codes, the hospital has confirmed. The information stayed online for nearly a year.

Since discovering the breach last month, the hospital has been investigating how a detailed spreadsheet made its way from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork.

Gary Migdol, a spokesman for Stanford Hospital and Clinics, said the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.

Although medical security breaches are not uncommon, the Stanford breach was notable for the length of time that the data remained publicly available without detection.

Even as government regulators strengthen oversight by requiring public reporting of breaches and imposing heavy fines, experts on medical security said the Stanford breach spotlighted the persistent vulnerability posed by legions of outside contractors that gain access to private data.”