Health Care Reform: Let’s Not Forget Privacy And Data Security

See the full article at Forbes.com: Health Care Reform: Let’s Not Forget Privacy And Data Security

The Affordable Care Act poses many new threats to patient privacy due to an already over loaded health care system. The influx of new consumers in this market will cause much stress on the already insufficient data privacy infrastructure. Bob Gregg, guest writer for Forbes.com, explains the strains and consequences caused by this new legislation.

“The Supreme Court’s decision to uphold the Affordable Care Act could guarantee health insurance coverage for the majority of the 50 million Americans who are now uninsured. While laudable in theory, this legislation doesn’t account for the strain these millions of new patients will have on an already overburdened healthcare ecosystem, especially when it comes to patient privacy and data security.”

Mr. Gregg looked to Patient Privacy Rights’ own founder, Dr. Deborah Peel, to explain what kind of ramifications this act will have for patients and their data privacy.

“My friend, Dr. Deborah Peel, founder of Patient Privacy Rights, tells me that “patients have no control over who sees or sells personal health information. Our health data is held in hundreds or thousands of places we have never heard of because of hidden data flows.” Thousands of people, including researchers and government agencies, she says, have easy access to this information.”

The article goes on to list the four major issues this new burden on the health care system will cause and how it will affect consumers. The bottom line, he says, is “…The Affordable Care Act is designed to make healthcare available to the masses. But that availability comes at a price. Healthcare providers will have to shift tight budgets toward patient care and away from protecting patient privacy, leaving Americans vulnerable to the increasing frequency and cost of data breaches, medical identity theft, and fraud. Combine that with the HITECH Act, federal legislation that pushes healthcare providers into adopting EHR systems, and you have a perfect storm for unintended consequences surrounding patient privacy and data security.”

For even more information on how you can help keep patient data private visit our International Summit on the Future of Health Privacy website.

Re: Data-Mining in Doctor’s Office Helps Solve Medical Mysteries

The story concludes that “the benefits (of research) outweigh the (privacy) concerns”. But that statement was made by a hospital administrator, not by the patients whose data were used without consent. They weren’t asked or notified.

There are several problems with the idea that the benefits of doing research without consent outweigh the risks:

·       the lack of privacy and control over health information causes bad outcomes: when people realize that they cannot control health records, millions refuse diagnosis and treatment for cancer, depression, and sexually-transmitted diseases

·       there is no need to choose between respecting patients’ rights to privacy and doing research—it’s a false choice, consent technologies can enable people to easily choose and give automatic consents for research projects they support, or be contacted case-by-case for permission

·       there was no public debate about whether every American’s electronic health information should be used for research without consent

·       current electronic systems do not allow patients to control any uses of their health data—-why continue to use such badly-designed systems?

·       there are no “dangers of over notification” with today’s systems—in fact, patients get no notice at all when personal data is used for research

Americans have not agreed to a healthcare system that turns them into electronic guinea pigs.

Why not build patient-centered systems so we can make important decisions about ourselves, instead of hospital administrators and researchers choosing for us?  “Nothing about me without me.”

Crunch Two Data Sets, Call Me in the Morning

See full article in Bloomberg Businessweek Article

As hospitals are acquiring more and more digital patient data, they are quickly turning to “Big Data” tech companies with expertise in data-mining, which “has already led to some measurable improvements in patient care” according to hospital administration. However, patients are rarely notified when their records are being used in this way because the data is exempt from federal privacy protection due to their necessity for “quality improvement”. “People do not like to have researchers of any stripe using their electronic health records”, says Deborah Peel, MD of Patient Privacy Rights. “As a matter of respect and autonomy and patient-centeredness, patients want to be asked. When they are asked, by and large, they support this. It’s the not-being-asked stuff that’s really bad”. A breakdown in patient-physician trust about data privacy can cause huge problems with patient care arising from patients refusing to share all necessary information with physicians as a means to avoid exposure.

Texas Error Exposed Over 13 Million Voters’ Social Security Numbers

See the full article in DataBreaches.net: Texas Error Exposed over 13 Million Voters’ SSNs

This story shows it’s easy to disclose the social security numbers of 13 million people at once. The data came from Texas’ voter registration data base, which was attached to a court report, BUT security breaches of the personal health information of millions of patients is also very common (see recent Utah and BCBS of TN breaches). Today’s electronic systems enable many new ways to breach data security and expose personal information.

The story below is about a government employee who attached over 13 million SSNs to a report and sent it to a 3rd party without anyone else reviewing his/her actions before the data was disclosed.  Where should the bar be set for disclosing personally identifiable information in any report?  At 1 million records? At 100 million records?

Most of the US health care system lacks effective protocols and procedures to protect data security and to prevent inappropriate data release and data breaches. Health data privacy and security require comprehensive and meaningful protections. We have a long way to go. Vastly expanding health IT systems before these problems are solved is a prescription for more data

Health privacy issues can be resolved without obstructing care

See full article in FierceHealthIT: Health privacy issues can be resolved without obstructing care

Ken Terry writes about the big issues with patient privacy today and possible solutions.

“At times, it seems like concerns about the security and privacy of healthcare data have catapulted into overdrive: For instance, it recently was predicted that healthcare spending on security would hit $70 billion a year by 2015–enough to cover the majority of the uninsured. Sure, there are plenty of security breaches–some of them serious enough to attract public attention. But as a few recent cases show, universal encryption of data (some forms of which may soon be required under the latest HIPAA rules) could eliminate the biggest source of security breaches. Also, with the advent of virtual desktop infrastructure, there’s no reason to store any personal health information on end-user devices.
Another challenge in the security arena is giving consumers the ability to control who sees their records. While most physicians now have their patients sign HIPAA forms so that they can share data with other providers, the advent of electronic health information exchange (HIE) has greatly increased access to a wide range of individually identifiable data from a variety of sources. And patients may not want everyone who treats them to know, for example, that they have seen a psychiatrist.”

Re: Offense must be the new defense, RSA chief says

In response to the Government Security News (GSN.com) article: Offense must be the new defense, RSA chief says

From a major cybersecurity conference, “IT systems already are or will be compromised and security efforts must shift to detecting and mitigating compromises and protecting data in compromised systems.”

FLASH: Health data systems are just as compromised as those in every other sector of the economy and government, but it’s rarely mentioned. With the HIT and healthcare industries in denial, who will secure and protect the nation’s electronic health information?

At the same conference a solution was proposed, “the future of security and privacy in a world in which vulnerabilities and exploits are inevitable lies in protecting data through the use of metadata associated with policies that will let creators and owners control data.”

FYI: last year meta-tagging health data to protect privacy was proposed by the President’s Council of Advisors on Science and Technology (PCAST). PPR testified at the HIT Policy Committee in favor of meta-tagging health data. But the HIT and Healthcare lobbies killed it.

It’s back to business as usual: selling and using abysmal health IT systems and data exchanges without effective privacy or security protections — so healthcare corporations, hospitals, health plans, doctors, HIT companies, labs, pharmacies, etc can all use or sell our personal health data for discrimination and other purposes we would never agree to.

It’s time for Congress to support the Administration’s new Consumer Bill of Privacy Rights and put people in control of personal data online and in data systems by requiring robust, existing privacy and consent technologies or meta-tagging. Americans’ longstanding legal and ethical rights to health privacy must be restored so people are willing to participate in electronic health systems.

Without remedies now, “trust in our digital world is at risk.”

The road to electronic health records is lined with data thieves

The following is a guest post by Reuters contributor Constance Gustke. The opinions expressed are her own. See the full article at http://blogs.reuters.com/reuters-money/2011/08/05/the-road-to-electronic-health-records-is-lined-with-data-thieves/

“The future of your personal health information involves gigantic Internet-driven databases that connect you to doctors, health information and services no matter where you are and what time it is.

With a big push from President Obama, who wants secure electronic health records for every American by 2014, many health insurance companies, hospitals, private practices and pharmacies are already delivering some patient portals using these records as a backbone.

It’s the future of medicine, says Dr. Raymond Casciari, chief medical officer at St. Joseph Hospital in Orange, California, but for now, he adds, “We’re still in the dark ages.”

The portal approach is intended to be beneficial, letting you share key medical data instantly with your family and consult with specialists on another continent. It’s supposed to lower healthcare costs and provide better services. But the data being stored is sensitive and so far it isn’t very secure, say experts. So it’s important to know how your medical information is being shared and managed, especially as access explodes.

Dr. Deborah Peel, a psychiatrist and founder of Patient Privacy Rights, is dubious about patient medical privacy on portals. She believes that data breaches can have harmful effects, including medical discrimination. “Today, we can’t see who uses our electronic records,” she warns. “And they can be back-door mined.”…”

The Case for Informed Consent

Austin, TX — Patient Privacy Rights (PPR), the nation’s leading health privacy watchdog released a white paper entitled, “The Case for Consent: Why it is Critical to Honor What Patients Expect: for Health Care, Health IT and Privacy.” The paper is designed to be a primer on health privacy and argues that the primary stakeholder in health care, the patient, must retain control over their personal health information. The white paper is available online at http://patientprivacyrights.org/wp-content/uploads/2010/08/The-Case-for-Informed-Consent.pdf.

The white paper tackles the arguments made that patient control is too technically difficult, is too expensive, or is too complex, among others. In fact, robust privacy-enhancing technologies are in use now that ensure both progress and privacy. Technology can enable control over personal health information today and likely simplify our systems and lower costs.

“Patients know what they want,” says Patient Privacy Rights’ founder, Deborah Peel, MD. “It is a mistake to design health IT in a paternalistic manner — assuming a corporation, vendor, provider or government agency knows what is best for each individual patient.”

View the white paper: The Case for Informed Consent

WSJ Exposes Web Tracking Truths

This story should prompt a flood of investigative reporting about the secret, highly lucrative data theft and mining industries. And health information is THE most valuable personal information of all.

“Consumer tracking is the foundation of an online advertising economy that racked up $23 billion in ad spending last year.”

The story shows that the data theft and data mining industries are selling real-time access to specific people—a FAR more intrusive practice than buying a location on a webpage:

“These profiles of individuals, constantly refreshed, are bought and sold on stock-market-like exchanges that have sprung up in the past 18 months.”

“Advertisers once primarily bought ads on specific Web pages—a car ad on a car site. Now, advertisers are paying a premium to follow people around the Internet, wherever they go, with highly specific marketing messages.”

And, of course, sensitive health information is being stolen too:

“On Encyclopaedia Britannica Inc.’s dictionary website Merriam-Webster.com, one tracking file from Healthline Networks Inc., an ad network, scans the page a user is viewing and targets ads related to what it sees there. So, for example, a person looking up depression-related words could see Healthline ads for depression treatments on that page—and on subsequent pages viewed on other sites.”

“Healthline says it doesn’t let advertisers track users around the Internet who have viewed sensitive topics such as HIV/AIDS, sexually transmitted diseases, eating disorders and impotence. The company does let advertisers track people with bipolar disorder, overactive bladder and anxiety, according to its marketing materials.”

Ubiquitous surveillance and data theft is used to track and discriminate against every American in real time. Ads are NOT innocuous and helpful:

“We’re driving people down different lanes of the highway,” Mr. Cheyney says.

“Some financial companies are starting to use this formula to show entirely different pages to visitors, based on assumptions about their income and education levels.”

“Life-insurance site AccuquoteLife.com, a unit of Byron Udell & Associates Inc., last month tested a system showing visitors it determined to be suburban, college-educated baby-boomers a default policy of $2 million to $3 million, says Accuquote executive Sean Cheyney. A rural, working-class senior citizen might see a default policy for $250,000, he says.”

Only exposure and public outrage over the deeply invasive secret data theft and data mining industries will shut them down. And it’s important to know that the government is one of the biggest customers of these stolen data profiles.

See the Wall Street Journal Article: The Web’s New Gold Mine: Your Secrets

PPR on article: What ‘Patient-Centered’ Should Mean…

It is extremely helpful that the nominee to head of one of the largest federal agencies, the Centers for Medicare and Medicaid (CMS), stated he believes medical records should belong to patients.

You will be intrigued by Don Berwick’s terrific and very personal article titled “What ‘Patient-Centered’ Should Mean: Confessions Of An Extremist, A seasoned clinician and expert fears the loss of his humanity if he should become a patient.” He is a highly respected physician and scholar. Key quotes:

  • “Medical records would belong to patients. Clinicians, rather than patients, would need to have permission to gain access to them.”
  • “My proposed definition of “patient-centered care” is this: The experience (to the extent the informed, individual patient desires it) of transparency, individualization, recognition, respect, dignity, and choice in all matters, without exception, related to one’s person, circumstances, and relationships in health care . . .”