New HIPAA rules need more clarification

When it comes to the new HIPAA privacy and security standards, it seems like everybody has an opinion. Quite a few organizations are spreading the word about the comments they’ve filed in response to the changes HHS proposed in July…

…On the consumer side, the Coalition for Patient Privacy, led by Dr. Deborah Peel’s Patient Privacy Rights Foundation, is lobbying hard for the final rule to restore the right to patient consent for PHI disclosure that HHS stripped from the HIPAA privacy rule in 2002.

“We strongly recommend that HHS require the use of the consent and segmentation technologies showcased June 29 at the Consumer Choices Technology hearing sponsored by HHS/ONC for all HIT systems, HIE and the NHIN,” the coalition says in its letter. “The innovative, low-cost, effective privacy‐enhancing technologies available that can empower patients to have ‘maximal control over PHI’ should be viewed as what is possible now, not 10 years from now.”

Coalition Urges HHS To Restore Patient Control Over Access to Health Data NOW

On Monday, September 13th, 2010, the Coalition for Patient Privacy sent in comments to HHS regarding Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the HITECH Act. Ensuring Americans’ control over health information is critical for quality health care and the success of health information technology (HIT). The Coalition applauds the efforts of the Department of Health and Human Services (HHS) to revise HIPAA. However, the Coalition also urges HHS to require use of robust electronic consent and segmentation tools to assure compliance with the consumer privacy and security protections in HITECH and existing rights in state and federal law and medical ethics.

View the proposed modifications to HIPAA
View the Full Comments from the Coalition for Patient Privacy
View the Press Release

What do we think of the new recommendations?

The Tiger team continues to make policy recommendations that clearly violate the law and the Administration’s new privacy policies. See story on release by Modern Healthcare.

Apparently they did not hear Secretary Sebelius announce a new “Administration-wide commitment to make sure no one has access to your personal information unless you want them to” on July 8th (see here).

Or hear Dr. Blumenthal say “we want to make sure it is possible for patients to have maximal control over PHI.” See: http://patientprivacyrights.org/2010/07/ppr-impressed-with-hhs-privacy-approach/

At the Consumer Choices Technologies Hearing on June 29th, one of the ‘granular consent’ technologies demonstrated has been exchanging behavioral health records on 4 million patients for over 10 years, in 9 states and 22 jurisdictions. Newer, more robust consent technologies showcased that day are also in use. See: http://nmr.rampard.com/hit/20100629/default.html

The Tiger team calls these privacy-enhancing technologies “looming” because they are not widely used. If the HIT Policy Committee recommends against technologies for robust consent and segmentation, as they did for “meaningful use” EHRs, they ensure the limited use of privacy-enhancing technologies, which can therefore continue to be described as “looming”. It’s a neat trick to recommend policy that perpetuates the status quo and violates our rights to health privacy. To create wide use of these technologies, they must be required in policy as well as the law.

HITECH in fact does require patient consent before PHI can be sold and states that private-pay patients should be able to prevent their data from flowing to insurers for payment and health care operations. And it is also a legal and ethical requirement to obtain informed consent before disclosures of sensitive health information in all 50 states. Therefore, robust electronic consents and segmentation are required by law today. Policies should match the law.

Instead, the recommendations from the Tiger team guarantee that the theft and sale of patient data will grow exponentially and data will flow unchecked by patient consent or segmentation through HIEs and the NHIN to even more thieving vendors and corporations. Americans’ jobs, credit, and reputations are being destroyed to improve corporate revenues. This sick, greedy transformation of the health care system cannot be hidden and will destroy trust in HIT, HIE, and in legitimate clinical, academic, and public health and population research.

Most HIT products and systems were not designed to comply with patients’ rights to control personal health information. And vendors won’t ever willingly update them, because selling patient data can be a far greater source of revenue than selling software or caring for sick people.

Back to the crucial question: how can the Tiger team recommend policy that violates existing law? Why don’t the Tiger Team and the HIT Policy Committee recommend that HIT vendors, CEs, and BAs COMPLY with state and federal privacy laws and protections and meet patients’ expectations?

The Tiger Team and HIT Policy Committee are both dominated by CEOs, employees, and beneficiaries of vendors or corporate for-profit “research” industries that want all OUR data without consent. Their fiduciary duties to stockholders explain their decisions to recommend policies that violate our privacy rights.

Today the health data theft/sale industry and corporate for-profit research industry are in charge of federal policy-making.

Their flawed business models, based on misleading shareholders and the public about what they really do, are fraudulent and deceptive trade practices.

The SEC brought Goldman Sachs to heel for misleading shareholders and the public about what their business model really was. The data theft and data sales industries and the corporate for-profit ‘research’ industry do exactly the same thing.

The entire US health care and HIT system will end up tarred and feathered and lose the public’s trust unless the health care and HIT corporations that protect privacy rights, and genuine clinical and academic researchers stand with patients to demand that patients control PHI.

Sign the ‘Do Not Disclose’ petition at http://patientprivacyrights.org/do-not-disclose/ and demand your rights to health privacy be enforced.

Health IT group drafts privacy recommendations

A federally chartered advisory work group charged in June with devising recommendations on privacy and security policies to support the government’s electronic health-record system subsidy program presented today its near-final list of guidelines to the Health Information Technology Policy Committee.

The work group, known as the privacy and security tiger team, met Monday and released what amounts to a consensus report on its recommendations, said Deven McGraw, co-chair of the tiger team and director of the Health Privacy Project at the Center for Democracy and Technology, a Washington think tank. The Health IT Policy Committee advises the Office of the National Coordinator for Health Information Technology at HHS…

According to the tiger team’s draft document posted on the HIT Policy Committee’s website, the team’s recommendations are based on “fair information practices,” a now globally accepted set of privacy policy guidelines that stems from a 1973 report by the U.S. Department of Health, Education and Welfare.

“All entities involved in health information exchange—including providers and third-party service providers like Health Information Organizations (HIOs) and intermediaries—follow the full complement of fair information practices when handling personally identifiable health information,” according to the tiger team proposal.

HHS quietly withdraws HIPAA breach-notification rule

Following a firestorm of criticism from privacy advocates who say federal officials gave too much leeway to healthcare organizations that inadvertently disclose protected health information, HHS has without fanfare withdrawn its HIPAA “breach notification” final rule that had been submitted to the White House for budgetary approval.

The move was “to allow for further consideration, given the department’s experience to date in administering the regulations,” the HHS Office for Civil Rights posted on its website late Wednesday. “This is a complex issue and the administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur,” OCR explained…

…The decision thrilled the Patient Privacy Rights Foundation, headed by noted privacy watchdog Dr. Deborah Peel, which had been adamantly opposed to the so-called “harm standard.”

See the PPR Press Release supporting this decision.

HHS proposes stronger privacy protections under HIPAA

Proposed changes to the HIPAA privacy regulations would expand patients’ rights to access their information and restrict certain types of disclosures of protected health information to health plans, according to InformationWeek.

“We want to make sure it is possible for patients to have maximal control over PHI,” national health IT coordinator Dr. David Blumenthal said at an HHS press conference. The statement–and the proposal itself–thrilled healthcare privacy hawk Dr. Deborah Peel. Her organization, the Patient Privacy Rights Foundation, put out a statement strongly in favor of the changes, saying that the proposed rule “signaled a clear policy change in the Obama administration, strengthening consumer rights to health privacy.”

To learn more:
- read the proposed rule issued by HHS on July 8
- read this Computerworld article via Businessweek
- take a look at CMIO’s article
- read the InformationWeek story
- see this AHIMA press release
- check out this statement from the Patient Privacy Rights Foundation, which includes a video of the HHS press conference

Attention doctors and vendors: Selling patient data without informed consent is now a federal crime

This post appeared as a guest blog in EHR Watch and in Healthcare IT News.

Another misguided, uninformed EHR vendor will discount the price of EHR software for doctors willing to sell patient data! According to CEO Jonathan Bush, “Athena might be able to halve the amount that physicians pay to use its EHR.”

Great business plan: Entice doctors to violate the law and the Hippocratic Oath.

See story on Athenahealth.

How is it possible to be so unaware of what the public wants? The public doesn’t want anything new or earth-shattering, just restoration of their rights to control who can see and use their medical records in electronic systems.

Not only is the practice of selling patient data an unethical PR/“optics” nightmare, but new consumer protections in the stimulus bill require that patients give informed consent before their protected health information can be sold. Violators are breaking a federal law.

The problem is that health information is an extremely valuable commodity, so people are always trying to use it without consent. Patients’ rights never seem to interfere with these business schemes.

More quotes from the story:

  • “Athena’s EHR customers who opt to share their patients’ data with other providers would pay a discounted rate to use Athena’s health record software.”
  • “Athena would be able to make money with the patient data by charging, say, a hospital a small fee to access a patient’s insurance and medical information from Athena’s network.”
  • “Caritas Christi [Health Care] initially launched Athena’s billing software and service in October and then revealed in January that it decided to offer the company’s EHR to physicians.”

How many patients would agree to sell their health records to help their doctor’s bottom line AND at the same time put their jobs, credit, and insurability at risk?

What will Athena’s informed consent for the sale of patients’ health data look like? Will Athena lay out all the risks of harm? Will Athena lay out the fact that once the personal health data is sold, the buyer can re-sell it endlessly to even more users? Will Athena caution patients that once privacy is lost or SOLD, it can never be restored?

Many vendors do not realize that the lack of privacy and lack of trust is a major barrier to patients seeking healthcare. HHS reports 600,000 people a year refuse to get early diagnosis and treatment for cancer because they know the information won’t stay private; another 2,000,000 refuse early diagnosis and treatment for mental illness for the same reasons.

If you wonder what patients expect from electronic health systems, check out my slides (PDF) from a recent Health Innovation conference at the UT McCombs Business School.

Deborah C. Peel, MD
Founder and Chair
Patient Privacy Rights

Dr. Peel Testifies before Texas Public Health Committee

On Tuesday, May 11th, 2010, Patient Privacy Rights’ founder and chair testified before the Texas Public Health Committee on Health IT moving forward. Her presentation, “Patient Expectations for Health IT: Control over Health Records Privacy Solutions for HIE” is available here. The agenda for the hearing is below, as well as a link to a video of the hearing. The video provided is in the .ram format, and will play in RealPlayer and other limited mediums.

Video of the Public Health Committee Hearing

View a PDF of our briefing
View a PDF of our presentation
View the additional slides on Data Mining

Hearing Purpose: Determine how the state can best coordinate efforts to streamline health care delivery with health information technology (HIT). Identify areas in state law that affect the adoption and use of HIT. Recommend statutory changes as necessary.

Panels:

A. Overview and Update: Forming Frameworks and Consensus

Mr. Stephen Palmer: Director, Office of e-Health Coordination, Health and Human Services Commission
Mr. Manfred Sternberg: President, Texas Health Service Authority

B. Providers and Stakeholders: Updates and Ideas

Mr. Rob Thomas: CEO of Columbus Community Hospital, TORCH
Dr. Karen Van Wagner: Executive Director, North Texas Specialty Physicians; Board Member, Sandlot, LLC
Mr. Ed Marx: CIO of Texas Health Resources
Dr. Robert W. Warren: Pediatric Rheumatologist, Texas Medical Association and the Texas Pediatric Society

C. Privacy Concerns: The Issue of Consent

Dr. Dave Wanser: Visiting Fellow at the LBJ School of Public Affairs at the University of Texas at Austin
Dr. Deborah Peel: Founder and Chair of Patient Privacy Rights

D. Workforce Planning: Future Potential Needs for Texas

Mrs. Sue Biedermann MSHP, RHIA, FAHIMA: Chair, HIM Program, Texas State University
Dr. Jack Smith: Dean of the School of Health Information Science, The University of Texas Health Science Center at Houston


E. Public Comment

AthenaHealth Paying Dearly to Take on Larger Rivals

Athenahealth is a high-flier in the Boston business community, led by the outspoken and forceful Jonathan Bush. Bush, however, openly admits that his Watertown, MA-based company (NASDAQ:ATHN) is relatively unknown outside of local business and technology circles—including among most U.S. physicians. Athena has been ramping up efforts to raise its profile among doctors, the target audience for its Internet-enabled billing and electronic health records services. Yet the company has been criticized for the relatively high price of the push…

…To compete with larger firms in the EHR game, Athena has been trying to allay the concerns of many physicians that they will ultimately end up losing money by deploying the records systems. Bush says that Athena might be able to halve the amount that physicians pay to use its EHR if they participate in what is now a nascent effort at the company called “AthenaCommunity.” Athena’s EHR customers who opt to share their patients’ data with other providers would pay a discounted rate to use Athena’s health record software. Athena would be able to make money with the patient data by charging, say, a hospital a small fee to access a patient’s insurance and medical information from Athena’s network. For a hospital’s part, this might be cheaper than paying its own staff to gather a patient’s information through standard intake procedures. Hallock, Athena’s spokesman, says the community is in development and is slated to launch later this year.

Health IT coordinator attacks rumors that spy agencies would tap into patient information network

Dr. David Blumenthal, national coordinator for health information technology, has strongly denied any plans to develop a national network that would transmit patients’ medical information to the Justice and Homeland Security departments…

…Rather than defusing concerns, privacy advocates said Blumenthal’s remarks only heightened questions about what role NIEM standards, and the law enforcement agencies that developed them, will play in a national health information network.

Dr. Deborah Peel, founder of the Patient Privacy Rights Foundation, said she believes Blumenthal is well-intentioned in his aim to ensure patient information is not transmitted to law enforcement or intelligence agencies. But promises do not have the force of law, she noted.