Patients are not being adequately informed about electronic patient records, says BMA

Patients don’t have enough information about electronic patient records and it is too hard for them to opt-out if they want to, the BMA said today (Monday 1 March 2010).

Following limited local piloting, patients’ summary care records1 are now going to be uploaded to a central database across England. Five Strategic Health Authorities recently announced they were speeding up their plans2. Anyone who does not want to have a Summary Care Record (SCR) has to opt out3 by informing their GP or by completing a form either downloaded from the internet or requested through an ‘0845’ national call centre.4

Security and Hacking, Real Fears

See the WSJ Article: New Epidemic Fears: Hackers

Securing health records in small doctor’s offices and clinics is not easy: small offices can’t afford Fort-Knox style data protection measures, like hiring security experts to make sure hackers aren’t getting into their systems. Even if electronic health records software includes encryption and other security features doesn’t mean those features will be turned on and used.

• Now, many privacy advocates are concerned the administration’s effort could end up making health information less secure. “If there isn’t a concerted effort to acknowledge that the security risks are very real and very serious then we could end up doing it wrong,” says Avi Rubin, technical director of the Information Security Institute at Johns Hopkins University.

• “As more information is shared, it is subjected to the weak-link effect.”

• Mr. Osteen’s efforts to safeguard information won’t be useful if smaller providers he shares it with haven’t made the same kind of security investments.”

UK Handing off their health records?

Federal Computer Week: U.K. mulls handing off national health records to Microsoft, Google

It will be interesting to see which one the UK chooses. Microsoft joined the bipartisan Coalition for Patient Privacy to urge Congress to restore consumer control over PHI in 2007. Google has not.

MS signed Coalition letters in 2007 and 2009, and agreed to support the Coalition’s tough privacy principles and health privacy rights in electronic systems. HealthVault was built to adhere to the Coalition’s stringent privacy principles. Open, public promises by major corporations are taken very seriously by federal regulatory agencies and consumer advocates.

The promises by the technology corporations that joined the Coalition are a rebuke to other HIT vendors and the data mining industry that will do anything to get their hands on PHI for all sorts of uses that patients would never agree to.

Today, the clearest sign of serious corporate commitment to health privacy rights is joining the Coalition for Patient Privacy and standing with consumers to build an ethical, legal HIT system—the only kind that will be trusted and succeed.

UK Handing off their health records?

Federal Computer Week:U.K. mulls handing off national health records to Microsoft, Google

It will be interesting to see which one the UK chooses. Microsoft joined the bipartisan Coalition for Patient Privacy to urge Congress to restore consumer control over PHI in 2007. Google has not.
MS signed Coalition letters in 2007 and 2009, and agreed to support the Coalition’s tough privacy principles and health privacy rights in electronic systems. HealthVault was built to adhere to the Coalition’s stringent privacy principles. Open, public promises by major corporations are taken very seriously by federal regulatory agencies and consumer advocates.

The promises by the technology corporations that joined the Coalition are a rebuke to other HIT vendors and the data mining industry that will do anything to get their hands on PHI for all sorts of uses that patients would never agree to.

Today, the clearest sign of serious corporate commitment to health privacy rights is joining the Coalition for Patient Privacy and standing with consumers to build an ethical, legal HIT system—the only kind that will be trusted and succeed.

The true problems in HIT

The experts quoted are correct that cost, interoperability, difficulty of use, work-flow disruption, and lack of proof of safety/effectivenss are good reasons not to spend $20 billion in HIT stimulus money on bad products (the equivalent of buying SUVs instead of hybrids and electric cars).

But Kibbe and Klepper should look beyond their own perspectives to consider the wider context and the real make-or-break issue: what must EHR systems have to ensure the public’s trust and willingness to use them?

Of course, doctors must be able to afford, easily use, and know that EHR systems actually work and are effective, but systemic failure is inevitable unless patients trust electronic systems. Today’s health IT systems and products are not even close to meeting the public’s expectations for control over personal data and and ironclad security.

From the consumer perspective, the worst defects in today’s EHR systems are:

1) Patients have no control over the use or disclosure of their personal health information in these systems.

2) Doctors, hospitals, labs, pharmacies, PBMs, insurers, data miners, data aggregators, etc, etc, and software vendors control the disclosure, use, and sale of the nation’s personal health information.

3) Most of today’s EHR technology is extremely primitive (20-30 years old) and does not comply with patients’ longstanding legal and ethical privacy rights:
•most EHRs do not have the functional capacity to segment sensitive records
•human-readable audit trails of disclosures are not required, so patients have no way to know who snooped in their records or where their personal health information has been sent or sold
•the security measures are abysmal. CIO magazine story from 2006 reported that all 850 EHR systems examined could easily be hacked: http://searchcio.techtarget.com/originalContent/0,289142,sid182_gci1273006,00.html

The most important reason not to buy $20 billion dollars worth of dinosaur EHR technology is that consumers will NEVER trust electronic health systems unless they control sensitive personal data and unless the systems have state-of-the-art security to prevent the frequent breaches, losses, and thefts of millions health records.

Until the American public has PROOF electronic systems can be trusted, failure is inevitable. Why not build EHRs and the electronic health system right from the start, rather than spending billions later to rebuild?

Must we repeat the mistakes made in the UK? The NHS system was built without patient control over data. Billions of dollars and many years were wasted before the government realized that forcing patients into an electronic health system that shares data without consent doesn’t work.

View the full story referenced

DoD does WHAT?

It is fascinating that the DoD clearly believes it owns and can use the personal health information of 12 million active duty military personnel for whatever purpose it decides. In this case, the DoD is paying a for-profit corporation to do research on active duty military personnel without their consent.

Maybe when you join the military you lose all privacy and Constitutional rights. I don’t know, I’m not a lawyer. If so, that is a steep price to pay to serve your country: losing all health privacy for yourself and your relatives forever. Do those who join the armed forces know they are signing up to become medical guinea pigs? Do they really understand the consequences for their futures and their families futures?

Many questions abound:

• Are the electronic records adequately secured? What a rich target: 12 million health records! What if enemies hack the privately held data base to learn about key military leaders?

• Will Phase Forward continue to use and sell the records for other purposes as HIPAA authorizes? Other data management corporations (such as Thomson Medstat) the government pays to perform fraud and waste audits obtain millions of health records that they later aggregate and sell to employers without anyone’s consent.

• Furthermore–this is clearly medical research without informed consent. That is simply unethical and illegal. The US signed the Declaration of Helsinki after WW II because Nazis did human research without consent. Back then America recognized the need for informed consent before research takes place. Today, the codes of research and medical ethics still require patients to give informed consent before personal records can be used or disclosed. Why is this project not being done with informed consent when new ‘smart’ electronic consent tools could make it easy, cheap, and fast to obtain informed consent and explain all the risks and consequences?

Review this article from the Washington Post’s Government Inc. Blog for more information:
Data Mining for DoD Health

Electronic Health Records wired for abuse

“Oops! They did it to Britney again.” No, it’s not a song parody, but a reflection of the poor state of American health privacy – something Bay Staters should think about as their Legislature considers a bill to mandate Electronic Health Records (EHRs).

Staff members at UCLA’s Medical Center are under investigation over allegations staffers accessed Britney Spears’ medical records earlier this year. Sadly, this is not the first time individuals other than the paparazzi violated Spears’ privacy; staffers also took inappropriate peeks when her first child was born.

Most Americans think the Health Insurance Portability and Accountability Act (HIPAA) protects their privacy and that the HIPAA notice they sign at the doctor’s office lists all of their rights to privacy. In fact, that HIPAA notice lists the vast number of ways their private health information can be used, without asking and over objections.

HIPAA was originally intended to protect privacy. Regulators earlier in this decade rewrote the rule to sanction disclosure of medical information for treatment, payment or health care operations.

“Particularly troubling about HIPAA’s Privacy Rule is the governmental authorization for covered entities to use patients’ confidential information without their consent for health care operations that are unrelated to “payment or treatment,” writes Dr. Richard Sobel, senior research associate in the Program in Psychiatry and the Law at Harvard Medical School. Sobel explains that “health-care operations” can include using information for marketing purposes, which normally would require written consent.

Data-mining firms were given a gift by the rewriting of the HIPAA Privacy Rule. Data-mining firms can obtain information about your prescriptions, treatment for mental health and genetic predisposition to illnesses. That information can be passed on to credit firms, marketing firms and even prospective employers.


Patients need progress and privacy in this digital era. The only way to ensure we get both, and avoid the negative “celebrity treatment” Spears received, is to ensure the health IT bill signed by the governor fully recognizes the right of patient consent.

View the Full Story

The Health Record Paparazzi is Above the Law and In Bed With Congress

We learned today that all of us are a bit like George Clooney: the Health Record Paparazzi loves a celebrity, but it loves the average American just as well. Instead of intrusive cameras flashing and TMZ taping our every move, we have insurers, employers, hospitals, doctors, pharmacies, drug companies, marketers, creditors and banks digging around for our most personal, intimate information.

HIPAA protects no one, including movie stars. The HIPAA regulations were changed by a Bush appointee that defy the ancient doctor-patient promise that when a patient goes to their doctor, whatever they share will be kept private. No one can make that guarantee anymore. To see the fine print visit Patient Privacy Rights.

Over 4 million individuals and businesses can see and use our health records, without consent and over objections. HIPAA is so broad it is hard to imagine who doesn’t have a legal right to your most personal details.

The Health Record Paparazzi can be stopped — but only by an act of Congress. Right now, Congress is working on legislation that will open up your health records even more. Everyone will have control over your health information except the patient.

We must have federal legislation that guarantees our right to control our most personal information and requires meaningful, enforceable penalties for everyone who shares our information without consent.