Questions of Privacy

ModernHealthcare.com recently posted a great article about PPR’s Dr. Deborah Peel and her work.

A few key points from the article:

“In 2002, HHS redrafted the privacy rule of the Health Insurance Portability and Accountability Act, replacing its patient consent requirement for the sharing of most patient records with a new provision. The rewrite afforded ‘regulatory permission,’ according to the rule, for hospitals, physicians, insurance companies, pharmacies, claims clearinghouses and other HIPAA-covered entities to use and disclose patient data for treatment, payment and a long list of other healthcare operations without patient consent.”

“’Let’s face it,’ Peel says, ‘HHS is the agency that eliminated patient control over electronic medical records and has remained hostile to patients’ rights ever since.’”

“‘Where I’m coming from is, I’ve spent all this time in a profession with people being hurt,’ Peel says. ‘Starting in the 1970s, when I first let out my shingle, people came to me and said, if I paid you in cash, would you keep my records private. Now, we’ve got a situation where you don’t even know where all your records are. We don’t have a chain of custody for our data, or have a data map’ to track its location.”

Nearly Half of U.S. Adults Believe They Have Little To No Control Over Personal Info Companies Gather From Them While Online

To view the full article, please visit Nearly Half of U.S. Adults Believe They Have Little To No Control Over Personal Info Companies Gather From Them While Online.

No surprise, 80% of US adults do NOT want targeted ads. 24% think they have no control over information shared online.

How will US adults feel when they learn they have no control over sensitive electronic health information? Despite the new Omnibus Privacy Rule,  there is still no way we can stop our electronic health records from being disclosed or sold.  The only actions we can take are avoiding treatment altogether or seeking physicians who use paper records and paying for treatment ourselves. No one should be faced with such bad choices. There is no reason we should have to give up privacy to benefit from technology.

Today, the only way to prevent OUR health information from being disclosed or sold to hidden third parties is to avoid electronic health systems as much as possible. That puts us in a terrible situation, because technology could have been used to ensure our control over our health data. The stimulus billions can still be used to build trustworthy technology systems that ensure we control personal health information. Institutions, corporations, and government agencies should not control our records and should have to ask us for consent before using our them.

Quotes:

  • -“45% of U.S. adults feel that they have little (33%) or no (12%) control over the personal information companies gather while they are browsing the web or using online services such as photo sharing, travel, or gaming.”
  • -“many adults (24%) believe that they have little (19%) to no (5%) control over information that they intentionally share online”
  • -“one-in-five (20%) said that they only minimally understand (17%), or are totally confused (3%) when it comes to personal online protection”
  • -“When asked under what circumstances companies should be able to track individuals browsing the web or using online services, 60% say this should be allowed only after an individual specifically gives the company permission to do so.”
  • -“Just 20% of adults say that they want to receive personalized advertising based on their web browsing or online service use, while the large majority (80%) report that they did not wish to receive such ads.”

DNA records pose new privacy risks

To view the full article, please visit: DNA Records Pose New Privacy Risks

An article in the Boston Globe highlights the ease with which DNA records can be re-identified. According to the article, “Scientists at the Whitehead Institute for Biomedical Research showed how easily this sensitive health information could be ­revealed and possibly fall into the wrong hands. Identifying the supposedly anonymous research participants did not require fancy tools or expensive equipment: It took a single researcher with an Internet connection about three to seven hours per person.” Even truly anonymous data was not entirely safe from being re-identified. Yaniv Erlich”…decided to extend the technique to see if it would work with truly anonymous ­data. He began with 10 unidentified men whose DNA ­sequences had been analyzed and posted online as part of the federally funded 1,000 Genomes Project. The men were also part of a separate scientific study in which their family members had provided genetic samples. The samples and the donors’ relationships to one ­another were listed on a website and publicly available from a tissue repository.”

These findings are incredibly relevant because it is highly possible that “something a single researcher did in three to seven hours could easily be automated and used by companies or insurers to make predictions about a person’s risk for disease. ­Although the federal Genetic Information Nondiscrimination Act protects DNA from ­being used by health insurers and employers to discriminate against people”.

Jodie Foster & Privacy at the Golden Globes

In her acceptance speech for the Cecil B. DeMille award at the Golden Globes, Jodie Foster spoke briefly on the value of privacy. Her poignant words are a reminder not to take privacy for granted. If we don’t stand up and fight to preserve our rights to privacy, we will lose them..

“But seriously, if you had been a public figure from the time that you were a toddler, if you’d had to fight for a life that felt real and honest and normal against all odds, then maybe you too might value privacy above all else. Privacy. Someday, in the future, people will look back and remember how beautiful it once was.”

Clouds in healthcare should be viewed as ominous- Quotes from Dr. Deborah Peel

A recent article in FierceEMR written by Marla Durben Hirsch quotes Dr. Peel about the dangers of cloud technology being used in healthcare. Dr. Peel tells FierceEMR that “There’s a lot of ignorance regarding safety and privacy of these [cloud] technologies”.

Here are a few key quotes from the story:

“It’s surely no safe haven for patient information; to the contrary it is especially vulnerable to security breaches. A lot of EHR vendors that offer cloud-based EHR systems don’t take measures to keep patient data safe. Many of them don’t think they have to comply with HIPAA’s privacy and security rules, and many of their provider clients aren’t requiring their vendors to do so.” (Hirsch)

“Many providers have no idea where the vendor is hosting the providers’ patient data. It could be housed in a different state; or even outside of the country, leaving it even more vulnerable. ‘If the cloud vendor won’t tell you where the information is, walk out the door,’ Peel says.”

“Then there’s the problem of what happens to your data when your contract with the cloud vendor ends. Providers don’t pay attention to that when they sign their EHR contract, Peel warns.”

“‘The cloud can be a good place for health information if you have iron clad privacy and security protections,’ Peel says. ‘[But] people shouldn’t have to worry about their data wherever it’s held.'”

OCR Could Include Cloud Provision in Forthcoming Omnibus HIPAA Rule

The quotes below are from an article written by Alex Ruoff in the Bloomberg Health IT Law and Industry Report.

“Deborah Peel, founder of Patient Privacy Rights, said few providers understand how HIPAA rules apply to cloud computing. This is a growing concern among consumer groups, she said, as small health practices are turning to cloud computing to manage their electronic health information. Cloud computing solutions are seen as ideal for small health practices as they do not require additional staff to manage information systems, Peel said.
Cloud computing for health care requires the storage of protected health information in the cloud—a shared electronic environment—typically managed outside the health care organization accessing or generating the data (see previous article).
Little is known about the security of data managed by cloud service providers, Nicolas Terry, co-director of the Hall Center for Law and Health at Indiana University, said. Many privacy advocates are concerned that cloud storage, because it often stores information on the internet, is not properly secured, Terry said. He pointed to the April 17 agreement between Phoenix Cardiac Surgery and HHS in which the surgery practice agreed to pay $100,000 to settle allegations it violated HIPAA Security Rules (see previous article).
Phoenix was using a cloud-based application to maintain protected health information that was available on the internet and had no privacy and security controls.

Demands for Guidance

Peel’s group, in the Dec. 19 letter, called for guidance “that highlights the lessons learned from the Phoenix Cardiac Surgery case while making clear that HIPAA does not prevent providers from moving to the cloud.”

Peel’s letter asked for:
• technical safeguards for cloud computing solutions, such as risk assessments of and auditing controls for cloud-based health information technologies;
• security standards that establish the use and disclosure of individually identifiable information stored on clouds; and
• requirements for cloud solution providers and covered entities to enter into a business associate agreement outlining the terms of use for health information managed by the cloud provider.”

Vast cache of Kaiser patient details was kept in private home

The excerpt below is from the LA Times article Vast cashe of Kaiser patient details was kept in private home by Chad Terhune. This shows both the negligence of Kaiser in caring for their patients, but also the lack of privacy and security that is frequently found in electronic health records.

“Federal and state officials are investigating whether healthcare giant Kaiser Permanente violated patient privacy in its work with an Indio couple who stored nearly 300,000 confidential hospital records for the company.

The California Department of Public Health has already determined that Kaiser “failed to safeguard all patients’ medical records” at one Southern California hospital by giving files to Stephan and Liza Dean for about seven months without a contract. The couple’s document storage firm kept those patient records at a warehouse in Indio that they shared with another man’s party rental business and his Ford Mustang until 2010.

Until this week, the Deans also had emails from Kaiser and other files listing thousands of patients’ names, Social Security numbers, dates of birth and treatment information stored on their home computers.

The state agency said it was awaiting more information from Kaiser on its “plan of correction” before considering any penalties.

Officials at the U.S. Department of Health and Human Services began looking into Kaiser’s conduct last year after receiving a complaint from the Deans about the healthcare provider’s handling of patient data, letters from the agency show. Kaiser said it hadn’t been contacted by federal regulators, and a Health and Human Services spokesman declined to comment.”

Health Care, the Cloud, and Privacy, Jan. 7 Panel

Health Care, the Cloud, and Privacy

Phoenix Park Hotel
520 North Capitol Street, NW | Washington, DC 20001
Georgian Room
Monday, January 7, 2013 | 12:00 p.m. ET

On behalf of Patient Privacy Rights (PPR), you are invited to attend a panel discussion on health care system privacy challenges posed by cloud computing. The one-hour discussion, “Health Care, the Cloud, and Privacy,” will be held on Monday, January 7, 2013 at the Phoenix Park Hotel in Washington, D.C. Boxed lunches will be provided.

With technological innovations that promise better efficiency and lower cost, one of the most anticipated developments is how industry and regulators will respond. That question today is focused intently on cloud computing and the implications for corporations with electronic systems containing sensitive consumer health data. Who is handling patient data? How do HIPAA and other health privacy laws and rights function in the cloud? What can policymakers do to better protect our sensitive medical data?

Our distinguished panel will feature:

Joy Pritts
Chief Privacy Officer
Office of the National Coordinator for Health IT
U.S. Department of Health and Human Services

Deborah C. Peel, MD
Founder and Chair
Patient Privacy Rights (PPR)

Nicolas P. Terry
Hall Render Professor of Law
Indiana University Robert H. McKinney School of Law

Lillie Coney
Associate Director
Electronic Privacy Information Center (EPIC)

Please RSVP to Jenna Alsayegh at jalsayegh@deweysquare.com.

We hope to see you there!

And there is more:
View the Invitation as a PDF
View the Press Release

PPR also sent a letter to the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) that urges for more comprehensive guidance on securing patient data in “the cloud.” With the healthcare industry moving their records to electronic databases, PPR sees a number of issues associated with cloud computing services, including compliance with existing healthcare privacy laws like the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, stronger state and federal health information privacy laws, medical ethics, and Americans’ rights to health information privacy. View the letter here.

Dr. Deborah Peel chosen as one of the ‘Top 10 Influencers of Health InfoSec’

Patient Privacy Rights’ very own Dr. Deborah Peel was chosen as one of the ‘Top 10 Influencers of Health InfoSec”. This honor is given by HealthcareInfoSecurity “to acknowledge leaders who are playing a critical role in shaping the way healthcare organizations approach information security and privacy”.

Dr. Deborah Peel was deemed an “outspoken champion of national patient privacy concerns since 1993. As leader of the advocacy group Patient Privacy Rights, Peel often takes controversial positions on key issues, but she has proven successful in drawing attention to important patient privacy matters. She has testified before Congressional committees on genetic data privacy and medical record privacy.”

From Top 10 Influencers of Health InfoSec:

“Each of these top 10 Influencers makes a substantial impact. Their influence ranges from shaping national health data security and privacy regulations to providing real-life breach prevention insights and leading grass-root efforts to help patients deal with data privacy threats.

Our selections include some of the nation’s most recognized leaders in health information technology. But they also include a few individuals who aren’t in the national spotlight, yet are influential nonetheless.

As electronic health records become ubiquitous, and more information is shared via health information exchanges, the nation needs leaders who are willing to take bold action to ensure patient information is protected.

Our editors chose these individuals for the influence they’ve had over the last year, as well as the impact we expect them to have in 2013 and beyond.”

Patient privacy group (PPR) asks HHS for HIPAA cloud guidance

Government HealthIT recently wrote an article about Dr. Peel’s of Patient Privacy Rights’ letter to the HHS Office for Civil Rights pushing for security guidelines, standards, and enforcements for cloud technology being used in healthcare.

Here are a few key points highlighted in the article:

“Issuing guidance to strengthen and clarify cloud-based protections for data security and privacy will help assure patients (that) sensitive health data they share with their physicians and other health care professionals will be protected,” Peel said.

“Cloud-computing is proving to be valuable, Peel said, but the nation’s transition to electronic health records will be slowed ‘if patients do not have assurances that their personal medical information will always have comprehensive and meaningful security and privacy protections.’”

“Patient Privacy Rights, a group founded in 2006, is encouraging HHS to adopt guidelines that highlight ‘the lessons learned from the Phoenix Cardiac Surgery case while making it clear that HIPAA does not prevent providers from moving to the cloud as long as it is done responsibly and in compliance with the law.'”

“In general, Peel said, cloud providers and the healthcare industry at large could benefit from guidance and education on the application of federal privacy and security rules in the cloud. ‘HHS and HIPAA guidance in this area, to date, is limited,’ Peel said, recommending the National Institute of Standards and Technology’s cloud privacy guidelines as a baseline.”