Holes in the fence?

This story, by Joseph Conn with Modern Healthcare, quotes Patient Privacy Rights, Dr. Blumenthal the National Coordinator for Health IT, and many others, all calling for meaningful consent and privacy.

See these great quotes from Alan Westin:

  • the removal of consent from HIPAA by federal rulemakers in 2002 “left us high and dry,” but with the improvements to HIPAA in the stimulus law, “I think the raw materials for excellence are there.”
  • Privacy protection will depend again on HHS rulemakers, however, he says. (A proposed privacy rule addressing HIPAA modifications from the stimulus law was released by HHS in July, but a final rule is pending.) If it’s not addressed, Westin says, don’t be surprised if there is consumer backlash.
  • “I think we’re at a pivotal moment,” Westin says, given the massive inflows of federal IT subsidies about to begin. “Just imagine a lawsuit as a class action with all the people who would otherwise be swept into a network saying, ‘I did not give my consent,’ and asking the court to intervene.”
  • he sees “a dangerous trend” developing in healthcare IT in which patients are regarded as “inert data elements, not conscious persons” who have the right to make informed choices regarding “how their health information is used beyond the direct care settings.”
  • “You have to have privacy orienting systems at the design,” he says. “If the plumbing all gets in, it’s going to be very costly to tear it down and change it.”

Below are a few sections of the article. To see the full article, follow this link to Modern Healthcare.

Is the primary federal privacy law up to the task of protecting patient information in the 21st century?

It’s a question we put to opinion leaders in the legal, research, policy, ethics, provider and technology fields within the healthcare privacy community. It comes as hospitals and office-based physicians ramp up adoption of electronic health-record systems and join information exchanges to qualify for their share of the $27 billion in federal information technology subsidy payments available under the American Recovery and Reinvestment Act of 2009, also known as the stimulus law…

…A new challenge will be to regulate against the abuse of data outside the scope of HIPAA. “You encounter personal health records, where people put their health information on a cell phone, or on Google and Microsoft, and Google and Microsoft are not covered entities. We need to figure out what the privacy framework is for personal health records and other sharing of personal information.”

Deborah Peel is the practicing psychiatrist who founded the Patient Privacy Rights Foundation in Austin, Texas. To Peel, the HIPAA paradigm is obsolete and inadequate and needs to be replaced.

“You can’t draw a fence around who has sensitive health information,” Peel says. “It might have made sense 20 years ago, but it is a model that doesn’t fit the realities of today. It’s based on an anachronistic view of the healthcare system, as if it’s totally separate from everything else in business and in life, and if technology has taught us anything, it’s that that’s not effective.”

Peel also says the 42 CFR Part 2 framework should be applied to all patient data. “Healthcare information, because of the Internet, is everywhere; therefore, the protections must follow the data,” she says. “If we don’t say a damn word about social media and websites and the rest, we lose because that information is out there in all of those places.”

Unsafe data in Texas

Last month, a Texas online news site, the Austin Bulldog, published a lengthy investigative report on the sale and gifting of patient-level hospital data by the Texas Department of State Health Services.

Reporter Suzanne Batchelor’s remarkable story found that if you’re a Texan, your healthcare data can be given away or sold without your consent. And the Health Insurance Portability and Accountability Act, the main federal health information privacy law, won’t—or can’t—protect you.

In Texas, the health services department gathers claims data from hospitals by law—providers can be fined as much as $10,000 if they don’t hand it over. But the department isn’t a so-called “covered entity” as defined by HIPAA. So, the state isn’t covered under the HIPAA privacy rule if it does anything that would be a violation if performed by a data-providing hospital…

…The state knows the public-use data file is vulnerable. A user’s manual (PDF) contains this caveat: “It may be possible in rare instances, through complex analysis and with outside information, to ascertain from the PUDF the identity of individual patients. Considerable harm could result if this were done.”

And TX isn’t the only state selling your information…

Texas is not the only state in the US selling or giving away sensitive hospital records to anyone who wants them; this is a devastating privacy problem every state must face.

See the Investigative Report done in Texas.

$39 billion dollars in stimulus funds will be used to build a nationwide health IT superhighway system, exponentially expanding the theft, sale, and use of the health information of all 300 million Americans. Texas will get $38 million to exchange Texans’ health data.

How much money will your state get? BEWARE the form of consent used for Health Information Exchange (HIE) in your state.

  • Each state sets up its own consent rules for HIE and industry is pressuring states to use the worst kind of consent: “opt-out”.
  • The state of NY is going to share EVERYONE’S health data unless they “opt-out”.
  • In AZ, the use of “opt-out” for health data exchange failed.
  • TX has yet to decide what kind of consent it will use for data exchange.

Its critical to insist that your state empowers you to SELECTIVELY disclose PARTS of your sensitive health data–NOT ALL OR NONE. No one should be forced to give up privacy to benefit from data exchange.

Great consent and segmentation technologies exist and should be required for all data exchange so we can exchange ONLY the information we want to disclose. (See video of the Consumer Choices Technology Hearing in DC where 7 consent and segmentation technologies were demonstrated LIVE: http://nmr.rampard.com/hit/20100629/default.html. See transcript of the Hearing and written testimony about the 7 privacy-enhancing technologies at: http://healthit.hhs.gov/portal/server.pt?open=512&mode=2&objID=2833&PageID=19477#062910

Do you know whether YOUR state is selling or giving hospital data away? (SEE story here). Quotes from the story:

Buyers may order one of two versions of the hospital-patient files:

  • Research version — contains complete personal information including date of birth, age in years, and start and end dates of hospital care. To purchase data in the research file, applicants must describe their “research project,” identify themselves as one of 10 organization types (including university; managed care insurer; governmental entity, pharmaceutical, biotechnology or medical product firm; trade group or lobby; and research organization consultant), and select each data field they want. Each application is reviewed by a DSHS committee, which must approve it before the applicant can obtain the data.
  • De-identified version — For this version DSHS has removed some but not all personal information…DSHS removes the patient’s dates of admission and discharge from the hospital, but leaves in diagnoses, surgeries, and payment information. The patient’s gender and full zip code appear in most cases.
    A five-year age range is substituted for the patient’s exact age (some children’s ages appear in shorter ranges, such as “1-4,” “15-17″) and the street address is removed. Patient county, state, race and ethnicity are listed.

Texas officials imagine that simply taking names, parts of addresses, etc off our health data means that our records cannot be traced back to us. WRONG!

It is extremely easy it is to re-identify what they call “de-identified” information. Making health data IMPOSSIBLE to re-identify is extremely difficult; solutions which make it impossible to re-identify data have not been proposed.

Unless we build consumer control over personal health information into state and national health IT systems, we will destroy everyone’s privacy and ensure generations of discrimination.

This kind of wholesale giveaway of Americans’ sensitive health information is an extremely serious problem. States and the federal government must address this BEFORE expanding today’s privacy-destructive health IT systems and data exchanges. Once sensitive health and demographic data is exposed, it’s too late. It can never be made private again.

Federal funds for HIE should be used to buy MODERN, privacy-protective technologies in every state. Unless we act NOW, the stimulus money IN YOUR STATE will be used to exponentially facilitate health information exchange, and facilitate the systemic collection, theft, sale, and misuse of sensitive health information.