Health IT coordinator attacks rumors that spy agencies would tap into patient information network

Dr. David Blumenthal, national coordinator for health information technology, has strongly denied any plans to develop a national network that would transmit patients’ medical information to the Justice and Homeland Security departments…

…Rather than defusing concerns, privacy advocates said Blumenthal’s remarks only heightened questions about what role NIEM standards, and the law enforcement agencies that developed them, will play in a national health information network.

Dr. Deborah Peel, founder of the Patient Privacy Rights Foundation, said she believes Blumenthal is well-intentioned in his aim to ensure patient information is not transmitted to law enforcement or intelligence agencies. But promises do not have the force of law, she noted.

NHIN won’t funnel information to CIA: Blumenthal

David Blumenthal, head of HHS’ Office of the National Coordinator for Health Information Technology, has denied allegations that a framework for selecting data transmission standards for the proposed national health information network would configure the system to afford federal control over patient data and funnel that information to federal agencies, including the CIA, Justice Department and National Security Agency.

Blumenthal’s remarks came more than three hours into the March 25 meeting of the Health IT Standards Committee. The committee is a federal panel created under the American Recovery and Reinvestment Act of 2009, also known as the stimulus law, to advise the ONC on matters concerning health IT standards.

They got it wrong… AGAIN!

See article: ‘Meaningful Use’ criteria released

Can you believe it? Doctors and hospitals that purchase electronic health records (EHRs) ‘wired’ for ‘back-door’ data mining will be paid to steal and use our sensitive health records without our permission!

The government and the massive health data mining industry won. Industry and the government’s plan to continue illegal and unethical data mining trumped Americans’ rights to health privacy.

The rules guarantee that employers, insurers, banks, and government will be able to use our sensitive health information—from prescriptions to DNA— to discriminate against us in jobs, credit, and insurance.

Instead, the new interim rules for EHRs should reward the purchase and use of ‘smart’ EHRs with consent technologies so patients control who can see and use their health records.

The stimulus billions will be wasted because doctors and hospitals will be rewarded for using obsolete, unethical EHR ‘clunkers’. Like the UK, the US will be forced to spend billions to correct a disastrously flawed national electronic health system that prevents patients from controlling their health records.

To understand the “meaningful use” criteria that SHOULD be required in EHRs, see the comments submitted to the Administration by the bipartisan Coalition for Patient Privacy, representing millions of Americans: http://www.localhost:8888/pprold/media/Coalition_to_HIT_PC_Meaningful_Use.pdf

When will the Administration and corporations get it? Privacy protections have to be tough and comprehensive if we want a national HIT system that consumers will trust and use.

To act, join www.localhost:8888/pprold to get e-alerts. Stop corporations and the government from using your sensitive health information for uses you would never agree to.

Re-Identification. From Netflix to Health Records.

Today’s NY Times story points out the FACT that it is very easy to re-identify supposedly “de-identified” information. Singer starts with how the Netflix “de-identified” database was proven to be re-identifiable and moves on to describe Latanya Sweeney’s famous re-identification of the medical records of Gov. Weld.

See the NY Times Article: When 2+2 Equals a Privacy Question

Bill O’Reilly is REALLY worried about the loss of his personal medical privacy…

So much so that he repeatedly returned to the topic while debating health care reform last night.

See Editorial with Video

68% of Americans share his fears and “Have Little Confidence that Electronic Health Records Will Remain Confidential” (see: Past Meetings: 7/21/09, slide #3 of the “Privacy and Security Work Group: Recommendations” presentation on the HIT Standards Committee website at: http://healthit.hhs.gov/portal/server.ptopen=512&objID=1271&parentname=CommunityPage&parentid=2&mode=2&in_hi_userid=10741&cached=true ).

O’Reilly debated with a doctor who doesn’t seem to know that we have no control over our personal electronic health records, the massive damage that already causes, and how much more we will all be harmed if the Administration does not stop health IT systems from violating our privacy. Patient control over personal health information must be built into every electronic system up front.

Republicans, Democrats, Libertarians, and the majority of Americans REALLY care about health privacy. The national consensus is that we should control who sees our health records, which has been our legal and ethical right since the nation’s founding. Restoring the right to control PHI in electronic health systems will quell the fears that the majority has about electronic systems.

Quotes from the story:

• O’Reilly demonstrated his primary fear – almost panic – over the assumption that his medical records may not be private any more if President Obama passes some version of his healthcare bill. But enough with the foreplay — O’Reilly dived right into his main fear. “My health records which are now in the hands of my private physician . . . they’re gonna be in Washington, right, so every malady that I have is gonna be seen by people in Washington. I don’t want that, do you want that?”

• After a little back and forth on the issue, O’Reilly repeated, “On a computer disk in D.C. will be what’s wrong with me . . . based on my medical history. It makes me very, very nervous.” Yes, we noticed.

• O’Reilly, again, focused worriedly on the privacy issue. “Let me ask you this,” O’Reilly posited. “It worries me that my medical history and your medical history is now gonna be on a disk in Washington, D.C., rather than the confidentiality of a doctor-patient, which we have had in this country for decades – that’s gone.”

• “The data is going to go to a bank in Washington, D.C.,” O’Reilly fretted. “ . . . I’m talking about you, Dr. Marc Lemont Hill, having a condition . . . with his program, it goes to D.C. and the bureaucracy decides how to treat you, not your physician. Doesn’t that worry you?”

• “So you don’t mind having your condition – whatever it may be – leave your doctor’s office and go to D.C. . . ,” O’Reilly said.

• O’Reilly hammered the privacy issue, once again, saying, “It’s going to a database that can be accessed . . . okay, if you don’t mind it, I do, and that’s a big concern of mine. We don’t have any privacy as it is in this country . . . .”

• Hill pointed out the bigger issue than the privacy of medical records (to most Americans, but not to O’Reilly) is 50 million uninsured Americans – and said that President Obama addressed that in the press conference.

• But the biggest question of all – what’s O’Reilly’s medical condition? The one O’Reilly is terrified might fall into the hands of the government? Is it really so awful that O’Reilly (not usually one to worry about privacy) is willing to kill health care reform just to protect it?

On HealthDataRights.org and their Declaration

HealthDataRights.org supports only ACCESS to personal health data–which is a no-brainer and a right Americans have always had. The stimulus bill makes clear that we all have the right to copies of our electronic health records because some providers have made them so hard to get.

But HealthDataRights does NOT support the most critical right of all: the right to CONTROL who can access and use our personal health data in electronic systems. They even claim “privacy” stops data flow and will stop research–which is a lie. Informed consent and control over our own data ensures it’s there when we want it and ONLY for uses or research that we agree with.

HealthDataRights.org is a faux consumer rights organization, as revealed in their FAQs:

• “The organizers of HealthDataRights.org include doctors, researchers, software developers, writers, entrepreneurs, health economists, and many others who share a common goal of greater health data availability.” TO WHOM WILL THE ENTIRE NATION’S DATA BE AVAILABLE? TO THE DATA MINING AND RESEARCH INDUSTRIES THAT WANT OPEN ACCESS TO OUR DATA FOR USES WE HAVE NO CONTROL OVER.

• “Some of us have seen clearly how restrictions on health data and medical records can lead to great pain and suffering—needlessly, in most cases.” MILLIONS OF PATIENTS EVERY YEAR SEE CLEARLY HOW DANGEROUS HEALTHCARE IS WITHOUT PRIVACY AND DELAY OR REFUSE CARE, LEADING TO DEATHS FROM CANCER, PTSD, AND DEPRESSION—COSTING FAR MORE THAN IF TIMELY OR PREVENTIVE CARE WAS PRIVATE.

• “At the same time, we know that too often “privacy” is used as an inappropriate excuse to keep people from gaining access to their own health data and information, which they have every right under HIPAA and most state laws to view and access.” CLAIMING PRIVACY AS AN EXCUSE NOT TO GIVE ACCESS TO PERSONAL HEALTH DATA IS WRONG OF COURSE, BUT WORSE AND FAR MORE DAMAGING IS EXPOSING HEALTH DATA TO THEFT, SALE, AND MISUSE BY MILLIONS OF HEALTH-RELATED BUSINESSES AND ALL GOVERNMENT AGENCIES.

• “Does this Declaration suggest people should have exclusive rights to their data?

“No, we are not suggesting that, although this is a thorny issue. Doctors need accurate information about their patients and are required by law to maintain this information. Labs are required to hold onto their test results for up to seven years. There are also health care organizations that use their patients’ or members’ data to suggest improvements to the care delivered to them, usually with a blanket permission signed by the patient at the initial visit and later forgotten. This is not necessarily a bad thing and may be very beneficial for patients, even though permission is not sought for each particular instance of that use. In addition, aggregated and anonymized, population data obviously is key to learning what is working for whom, what is cost effective for whom, and what is the best way to treat any condition for whom. We are supportive of organizations that are endeavoring to improve public health by learning from population data. An “exclusive right” could be read as contradictory to that. What we do affirm, strongly, is that people do have a right to their own data.”

PATIENTS SHOULD HAVE EXCLUSIVE RIGHTS TO THEIR HEALTH DATA—EVEN NEWT GINGRICH SAYS AMERICANS SHOULD “OWN” THEIR PERSONAL HEALTH DATA.

THIS IS WHERE THEY STATE THAT THE RIGHT TO PRIVACY—THE BASIS OF THE HIPPOCRATIC OATH AND OUR STRONG EXISTING LEGAL RIGHTS TO PRIVACY—WOULD “BE CONTRADICTORY” TO PUBLIC HEALTH RESEARCH. PUBLIC HEALTH DATA IS COLLECTED BECAUSE OF LAWS THAT WERE DEBATED BEFORE BEING PASSED. BUT FUTURE “POPULATION HEALTH” RESEARCH USING ELECTRONIC HEALTH SYSTEMS WILL TAKE PLACE WITHOUT CONSENT BECAUSE EVERY ELECTRONIC HEALTH RECORD WILL BE “WIRED” FOR DATA MINING WITHOUT PATIENT KNOWLEDGE OR CONSENT. RESEARCH WITHOUT CONSENT VIOLATES MEDICAL ETHICS AND INTERNATIONAL TREATIES.

• Who is funding HealthDataRights.org?

HealthDataRights.org is entirely volunteer and has no funding. Any direct costs are being paid out of pocket by the individuals involved. THE INDIVIDUALS’ NAMES ARE NOT LISTED.

You can see the story on the HealthDataRights.org debut at: http://www.localhost:8888/pprold/site/News2?page=NewsArticle&id=9475&news_iv_ctrl=-1

From Sharing Music to Sharing Medical Records

Scientific American gets it. Do you? View story here.

Dr. Eric Johnson’s latest study is out. Our job is to inform the public and Congress, who are continually being falsely reassured that health IT systems are secure and private by spinmeisters for the insurance, hospital, drug, Health IT, and health data mining industries.

Industry’s blatant false promises of security and privacy are something we have been urging the FTC to investigate (as false and deceptive trade practices), and something the new Administration should understand, to ensure that the stimulus funds are not spent on primitive health technologies with abysmal security and no consumer control over PHI. We need ‘smart’ health IT, ‘smart’ human processes, and we need the health care industry to step up and use them, so we have trusted electronic systems and don’t waste the stimulus billions.

See Dr. Johnson’s paper here.

The research examined samples of health-care data disclosures and search activity in peer-to-peer file sharing networks of the top 10 publicly traded health care firms (using Fortune Magazine’s list) over a two-week period. More than 500 hospitals were represented in the 10 organizations. 3,328 files were collected for the study.

• “data losses in the healthcare sector continue at a dizzying pace”
• “Far worse than losing a laptop or storage device with patient data (Robenstein 2008), inadvertent disclosures on P2P networks allow many criminals access to the information, each with different levels of sophistication and ability to exploit the information.”
• “Many of the documents were leaked by patients themselves. For example we found several patient-generated spreadsheets containing details of medical treatments and costs–likely for tax purposes.”
• “we found a hospital-generated spreadsheet of personally identifiable information on recently-hired employees including social security numbers, contact information, job category, etc.”
• “For a hospital system, we found two spreadsheet databases that contained detailed information on over 20,000 patients including social security numbers, contact information, and insurance information.”
• “For a mental health center, we found patient psychiatric evaluations.”

Where is the mainstream and trade journal reporting on this???

Identity Theft Through Your Health Records

This post reflects on the article in the Denver Post: Uncovering the Identity Trade Business.

This story details identity theft by a Denver hospital employee. It is a single instance, but it shows how easy it is for any hospital employee, anywhere, to steal patients’ identities.

Hospitals will become a major source for identity theft because today’s primitive, poorly designed health IT systems allow thousands of employees access to all patient information–including what’s needed to steal identities. Not only can thousands of hospital employees see every patient’s medical records (think George Clooney and Farrah Fawcett–whose records were sold to the Enquirer), they can see and steal the demographic and financial information too.

For whatever reasons, the media has primarily reported on how wonderful electronic health systems are without explaining the severe risks they pose to privacy and the new problems they can create (errors, downtime, work flow obstacles, data sales, lack of interoperability, etc).

The health IT stimulus bill with $20B for HIT needs very strong consumer protections to ensure that the current ‘norm’ for hospital electronic health systems, i.e., badly designed, open-access systems, is replaced by systems that only allow access to the few staff members the patient has given permission to see and use his/her electronic records. The current HIT bill does not require the use of consent management technologies to restore patient control over PHI.

DNA profiles blocked from public access

The National Institutes of Health quietly blocked public access to databases of patient DNA profiles after learning of a study that found the genetic information may not be as anonymous as previously believed, The Times has learned.

Institute officials took the unusual step Monday and removed two databases on its public website. The databases contained the genetic information of more than 60,000 cooperating patients. Scientists began posting the information publicly eight months ago to help further medical research.