AOL, Netflix and the end of open access to research data

The authors of the Netflix de-anonymization study contacted me to point out that they originally published a draft of their results a mere two weeks after Netflix released its dataset. Netflix has known about their study for over a year.

Over the past year, there have been a number of high-profile incidents in which sensitive user data was accidentally revealed to the Internet at large. As a result, I believe that high-tech companies will never again share anonymized data on their users with academic researchers, at least not without requiring contracts and nondisclosure agreements. For the users and privacy advocates, this is probably a good thing. However, for researchers, the scientific community, and Internet users who want cool new technologies, this is almost certainly a change for the worse.

In 2006, Netflix released over 100 million movie ratings made by 500,000 subscribers to their online DVD rental service. The company then offered $1 million to anyone who could improve the company’s system of DVD recommendation. In order to protect its customers’ privacy, Netflix anonymized the data set by removing any personal details.

Researchers announced this week that they were able to de-anonymize the data, by comparing the Netflix data against publicly available ratings on the Internet Movie Database (IMDB). Whoops.

{This story demonstrates the incredible ease of re-identifying anonymized data. Consider the implications for the nation’s treasure trove of health data: anonymized or de-identified health records are clearly not safe either. Electronic health records contain far more pieces of identifiable information than Netflix ratings, making them far easier to re-identify.  Netflix released over 100 million movie ratings made by 500,000 subscribers to their online DVD rental service. The researchers gave an example about what they could learn by re-identifying the data of one Netflix user: ‘First, we can immediately find his political orientation based on his strong opinions about “Power and Terror: Noam Chomsky in Our Times” and “Fahrenheit 9/11.” Strong guesses about his religious views can be made based on his ratings on “Jesus of Nazareth” and “The Gospel of John”. He did not like “Super Size Me” at all; perhaps this implies something about his physical size? Both items that we found with predominantly gay themes, “Bent” and “Queer as folk” were rated one star out of five. He is a cultish follower of “Mystery Science Theater 3000”. This is far from all we found about this one person, but having made our point, we will spare the reader further lurid details.’ See Bill Yasnoff’s blog about Netflix—-he argues that the ease of re-identification of health data is why we need health trusts. If we consent, research can be done safely inside the health trust and we don’t have to risk releasing sensitive data.~Dr. Deborah Peel, Patient Privacy Rights}

Microsoft launches HealthVault – platform for the people

Microsoft today launched a new technology platform it bills as the answer to how consumers can best get a handle on their healthcare information and share it.

Called Microsoft HealthVault, the technology not only has the support of healthcare providers, patient activists and device manufacturers, it also passes muster with one of the industry’s toughest privacy rights advocate Deborah Peel, MD, founder of the Patient Privacy Rights Foundation, one of 50 organizations that comprise the Coalition for Patient Privacy.

The company also unveiled a new search engine called Microsoft HealthVault Search.

The promise of HealthVault is that it will bring the health and technology industries together to create new applications, services and connected devices, said Peter Neupert, corporate vice president of Microsoft’s Health Solutions Group. People will be empowered to monitor anything from weight loss to diabetes, he said.

“People are concerned to find themselves at the center of the healthcare ecosystem today,” Neupert said, because they must navigate a complex web of disconnected interactions between providers, hospitals, insurance companies and even government agencies. Neupert added. “Our focus is simple: to empower people to lead healthy lives.”

Doctors Rated but Can’t Get a Second Opinion

After 26 years of a successful medical practice, Alan Berkenwald took for granted that he had a good reputation. But last month he was told he didn’t measure up — by a new computerized rating system.
A patient said an insurance company had added $10 to the cost of seeing Berkenwald instead of other physicians in his western Massachusetts town because the system had demoted him to its Tier 2 for quality.
“Who did you kill?” the man asked sardonically, Berkenwald recalled.
In the quest to control spiraling costs, insurance companies and employers are looking more closely than ever at how physicians perform, using computers, mountains of health claims and billing data and sophisticated software. Such data-driven surveillance offers the prospect of using incentives to steer patients to care that is both effective and sensibly priced.
It also raises questions about the line between responsible oversight and outright meddling in the relationship between caregivers and their patients. And it shows how people such as Berkenwald are at risk of losing control of their reputations as corporations and other organizations mine electronic data to draw conclusions about them and post them online.
{This is another example of technology causing unforeseen and harmful consequences. We would never permit a drug or medical procedure to be used unless it was first proven safe and effective for human use. Why isn’t technology tested to be sure it is safe and accurate before it can used on doctors and patients? A representative of UnitedHealth Group said that “our focus is really on transparency”. Why not require insurers to be “transparent” and publish how often they deny claims for treatment, how often they reverse denials of claims for treatment, how often they retroactively deny claims already approved and paid, and the percentage of health premiums that pay for overhead (like executive salaries and administrative expenses) instead of paying for sick people to get needed medical treatment? ~ Dr. Deborah Peel, Patient Privacy Rights}

Legislation calls for healthcare IT trusts

A bill introduced in the House today would create healthcare information technology trusts. Rep. Dennis Moore, a Democrat who represents the Third District in Kansas, introduced the legislation that would establish a nationwide health information technology network. Under the Independent Health Record Trust Act, individuals would have the option of submitting their medical records to be managed electronically by health record trusts. In turn, these trusts would ensure the security, confidentiality and privacy of the medical information.
“Health information technology has the potential to dramatically improve the quality of healthcare for all Americans by significantly reducing medical errors, reducing wasteful administrative costs, and ensuring that appropriate and accurate information is available for medical decisions,” Moore said. “I believe that there is no better way to transition the medical community from paper-based medical records than by adopting independent health record trusts.”
Rep. Paul Ryan, a Republican representing the First District in Wisconsin, and 33 bipartisan colleagues joined Moore in introducing the bill in the House.
Moore said the bill has garnered the support of a large coalition of healthcare and public policy organizations, including the Progressive Policy Institute, Patient Safety Institute, Patient Privacy Rights, National Alliance of Hispanic Health and the Heritage Foundation.
“This act is truly historic,” Deborah Peel, MD, founder and chair of Patient Privacy Rights, said. “It marks the very first time that Congress has recognized the need to develop new laws to protect and strengthen Americans’ long-standing Constitutional rights and liberties in the digital age.”
{The Independent Health Record Trust Act will create the first and only data bank for medical records that cannot be data mined, because patients control all access to their records. This is historic—it is the first piece of federal legislation that establishes a safe and private patient-controlled data bank and establishes a federal right to health privacy. Unfortunately, the bipartisan legislation recently introduced in the Senate does not contain privacy protections, despite what this story reports. ~ Dr. Deborah Peel, Patient Privacy Rights

Senate Wants Med Data High-Tech, Portable

People could carry their medical records around their necks or on key chains through technology being encouraged in a bill passed Friday by the Senate.

“When they go to the doctor’s office they won’t have to take that little clipboard and figure out whatever it is that they can remember about their health,” said Sen. Mike Enzi, R-Wyo.

The Wired for Health Care Quality Act encourages the Health and Human Services Department to form a public-private partnership to identify ways to streamline the health care system’s information technology. Hospitals and other health care providers could apply for grants to help them implement new technologies.

A system that makes patient records available instantly also would reduce medical errors, said Sen. Edward Kennedy, D-Mass., one of the bill’s nearly 40 sponsors.

It would “bring a health care system really into the modern century through information and technology,” Kennedy told reporters. “This can have a profound impact in terms of saving lives.”

The bill passed the Senate on a voice vote. The House is considering two similar measures.

Dr. Deborah Peel, president of the watchdog group Patient Privacy Rights, complained that the bill doesn’t include enough protections to keep personal information out of the hands of people who shouldn’t have it — such as employers, who could use it to discriminate against employees and potential hires.

“There’s no recognition of every American’s fundamental right to make a decision as to who can see medical information about them,” she said. “The point is that patients want to be asked.”

Peel said patients should be allowed to “segment” their information — or request that some of it not be made electronic or that certain electronic files be shared only with a few people.

Kennedy and Enzi said their bill provides plenty of built-in protections.

About 10,000 Americans have already made their health records electronic and accessible anywhere via the Internet with a free online service. And 60 people have had computer chips implanted into their arms to provide access to their electronic medial records, according VeriChip Corp., a Delray Beach, Fla., company that received Food and Drug Administration approval last year to market the chips.

Doctors have been slow to join the digital revolution. A RAND Corp. study published this year found that as of 2002 only between 10 percent and 16.4 percent of the nation’s physicians had adopted electronic medical record technology.

Sens. Debbie Stabenow, D-Mich., and Olympia Snowe, R-Maine, have their own legislation that would provide $4 billion in grants and tax incentives for health care providers to invest in digitalizing health information.

“We recognized all along that once the system is recognized for its value the … funding will have to be put in place,” Enzi said. “Until you have a system that works you can’t do that.”

The bills are S. 1418 and S. 1227.

Bush says technology will improve health care at Cleveland event

It was one of those cryptic messages physician’s offices are famous for: Your blood tests have uncovered a problem; please make an appointment to see the doctor.

But it would be two weeks before Patty McGinley’s doctor_Dr. Bob Juhasz of the Cleveland Clinic’s Willoughby Hills Family Health Center_would be able to see her.

A phone call to the office revealed that her cholesterol was the problem. But how high was it? Was McGinley, as she put it, “a little unhealthy or a lot?”

Seated next to President Bush at a forum at the Cleveland Clinic Thursday, McGinley talked about her dilemma and its resolution.

“I’m a worrier,” the 48-year-old Concord Township woman said. “I felt pretty helpless and concerned.”

Then she got an e-mail message from the Cleveland Clinic that included a link to her electronic medical records. In the message were not just her test results, but charts that showed where her results fell in relation to normal ranges of cholesterol and triglycerides.

“I went from feeling helpless to being in complete control,” she said. “It really empowered me.”

That’s what Bush wanted to hear. And he hopes millions more Americans will be able to say the same thing in the coming decade, as the health-care industry embraces technology to become more efficient, bring down costs and deliver better, safer care.

“Information is a liberating tool,” he told the invited crowd of doctors and medical professionals, adding that information technology “can save money and save lives.”

Bush used Thursday’s event to push other parts of his health-care platform: medical savings accounts; tort reform; getting generic drugs to the marketplace more quickly and allowing small businesses in different states to band together to offer insurance to workers.

But the focus of the event was technology.

Dr. David Brailer, Bush’s national health information technology coordinator, said the goal in the next 10 years is to have every doctor use a computer to record and read patients’ medical records, to order tests, to write prescriptions and to view images, such as X-rays or CT scans.

The real challenge, Brailer said, is creating connections between different – sometimes rival – hospitals, so that if people find themselves in an emergency room in a different city, their medical records will be readily available to doctors who have never seen them before.

That will improve safety, said Dr. Martin Harris, the Clinic’s chief information officer.

“A patient will never have to worry about receiving the wrong dose or an inappropriate medication simply because someone couldn’t read the handwriting on a piece of paper,” Harris said.

Bush chose the Cleveland Clinic to push his technology message because of the wide range of its electronic medical records. But Akron, Ohio, hospitals are doing some of the same things.

Both Akron General Medical Center and Summa Health System have systems that allow doctors to view patients’ charts electronically.

At Akron General, doctors are beginning to carry tablet-sized computers from room to room.

At Summa, doctors can check lab results and place prescription orders via a computer system that scans for allergies and drug interactions. Summa doctors soon will be able to access X-rays, CT scans and MRIs via wireless computer.

Sue Heiser, director of health information management at Akron General Medical Center, said the federal government’s role in this needs to go beyond a presidential event. The federal government must establish a standardized system that all hospitals can follow, she said, and there needs to be some government money behind it.

“These systems are not cheap,” she said.

In the budget he will send Congress next month, Bush will propose spending $125 million to test computerization of health records. That’s more than twice what is being spent in this budget year that ends Sept. 30.

Estimates have placed national costs as high as $276 billion over 10 years to equip hospitals with the necessary equipment.

Savings have been estimated at between $24 billion and $76 billion a year.

The issue of computerized medical records often leads to questions about privacy, but Harris, the Clinic information officer, said technology will actually improve privacy.

“If you left a medical record on paper in a room, how will you know who saw it? You can’t know,” he said. “When it’s in electronic form, when anyone logs on to the system, we know. We know who they are. We know where they are. We know what they were looking at and we keep a log of all that information.”

© 2005, Akron Beacon Journal (Akron, Ohio)

Distributed by Knight Ridder/Tribune Information Services.

Testimony of Dr. Alan F. Westin, Professor of Public Law & Government Emeritus, Columbia University, and Director of the Program on Information Technology, Health Records, and Privacy

INTRODUCTION

Good morning. My name is Alan Westin. I am Professor of Public Law & Government Emeritus, Columbia University, and Director of the Program on Information Technology, Health Records, and Privacy, a new activity of the non-profit Center for Social and Legal Research, which I head. I will describe the new program later in my testimony.

Issues of health care, technology, and privacy have been one focus of my research, writing, and advocacy for over forty years. A summary of my work in this area appears as Appendix One in this document.

I was asked to appear today to discuss current public attitudes toward health care and privacy, especially in the context of information technology applications and programs to develop a national Electronic Medical Record (EMR) system. I am very glad to see this topic of public attitudes included in the Advisory Committee’s two days of discussions. I am convinced that how the public sees the privacy risks and responding actions in any EMR system will be absolutely critical to this program’s success – or will be a major factor in its failure.

To address these issues, and to assist the Advisory Committee and HHS, my Program collaborated with Harris Interactive to place a set of exploratory questions on a representative national survey by telephone that Harris Interactive conducted this month, between February 8-13. The top line results and my analysis of their implications are being publicly released at this hearing, and will also be published in The Harris Poll.* In about two weeks, our Program will publish a full survey report, with demographic and factor analyses that should be quite useful.

Our telephone survey had 1,012 respondents. The national sample was weighted to be demographically representative of the public 18 years of age or older. This represents approximately 214 million adults. The sampling error is plus or minus 3%. (The questionnaire we used and the top line results we obtained appear as Appendix Two to this testimony.)

——————————————————————————-

Our Program and I are most appreciative of the contribution of David Krane of Harris Interactive to this survey and, as always, to the Harris Poll Chairman, Humphrey Taylor.

THE AMERICAN PUBLIC AND HEALTH-CARE PRIVACY: A BASELINE

SUMMARY

Our Program is aware of fourteen published national studies dealing in whole or in major parts with issues of health information privacy. We have summarized these in our Program’s first publication – How the Public Views Health Privacy: Survey Findings from 1978 to 2005. This is available free on the Program’s web site, at www.pandab.org

Before describing our February 2005 survey results relating to the Electronic Medical Records program, it is helpful to lay in the core findings of past health privacy surveys. In summary:

  • Surveys show consumers rate personal health information and financial information the two most sensitive types of consumer personal information
  • Persons with chronic and especially genetically-based health conditions express sharp concerns about circulation and use of their health status to deny them important consumer opportunities and benefits
  • Consumers also express concerns about privacy and security in the current move to greater collection and use of medical records electronically
  • While 80% of online consumers go to health sites for information, they express high concerns about privacy and security in their surfing
  • Because of their privacy concerns, many consumers using health information web sites do not share their personal data, and take full advantage of these sites
  • Consumers also express fears that their health information might be accessed or used improperly to commit identity thefts (Sources and details for these topline views are in the Program?s paper referenced above.)

With these well-established majority public views as a starting point, we turn to our new February 2005 health privacy survey.

OUR 2005 SURVEY RESULTS

How the Public Sees Handling of Personal Health Information in the Health Care System Today

We were able to use a trend question from 1993 to probe the public’s views on this issue, so that we could have a pre- and post-HIPAA reading.

In the 1993 national survey on “Health Information Privacy” that Harris and I conducted, we asked respondents whether they believed that a list of health system participants had “disclosed your personal medical information in a way that you felt was improper?”

Over a fourth of the public – 27% – then representing 50 million adults, said they elieved one or more of the listed persons or organizations had disclosed their personal medical information improperly. Specifically:

A doctor who has treated you or a family member……………………. 7%

A clinic or hospital that treated you or a family member …………… 11

Your employer or a family member’s employer ……………………….. 9

A health insurance company …………………………………………………… 15

A public health agency …………………………………………………………… 10

When we repeated this question in 2005, we asked about improperly-considered release by these same persons or organizations “in the past three years.” We recorded a dramatic drop in public perceptions of such improperly handled personal medical information.

In 2005, only 14% of the public – almost in half from 1993 – now believe their personal medical information has been released improperly. (While substantially lower than the 1993 results, it should be noted that this still represents 30 million adults in the current U.S. population).

The results in 2005 were down across each of the five categories, as follows:

A doctor who has treated you or a family member……………………. 5%

A clinic or hospital that treated you or a family member …………… 8

Your employer or a family member’s employer ……………………….. 5

A health insurance company …………………………………………………… 8

A public health agency …………………………………………………………… 5

This drop from 27% to 14% of the public may well represent effects with the public from the HIPAA Privacy Rule rollout since April 2003. We tested that in our next set of questions.

Experience With HIPAA Privacy Notices

We informed respondents that “a Federal Health Privacy Regulation (called the HIPAA rule) has required all health care organizations to give patients a privacy notice explaining how the organization will collect and use the patient?s health information, how it will keep the information secure, how patients can get access to their own health records, correct any errors, and control most disclosures of their information to people outside the health care system.” We then asked: “Have you ever received one of these HIPAA health privacy notices?”

Given the ubiquity of HIPAA privacy notices – handed out by every doctor, dentist, clinic, hospital, pharmacy, health insurer, etc. – I had anticipated a yes response from well over 90% of respondents. I assumed that persons away studying in Tibet since April 2003 would be the kind of respondents who would say no.

I was wrong.

A third of the American public – 32%, representing 68 million adults – said they had never received a HIPAA privacy notice (and only 1% chose to say Not Sure). This is both a surprising and disturbing result, since it seems sure that most of these persons did have a Privacy Notice given to them since April 2003. Obviously, they do not recall the paperwork as the Privacy Notice we described.

Two-thirds of the public – 67% – recalled that they had received a HIPAA notice, representing 148 million adults.

Confidence in Medical Record Handling Post-HIPAA

We followed up by asking respondents who remembered getting a HIPAA privacy notice personally – two thirds of the public - this question:

“Based on your experiences and what you may have heard, how much has this federal privacy regulation and the Privacy Notices affected your confidence that your personal medical information is being handled today in what you feel is the proper way?”

Two-thirds of the public (67%) said their confidence had been increased. Of these, however, only 23% said their confidence had been increased “a great deal,” while a much larger 44% chose “only somewhat.” Thirteen percent said “not very much” and 18% “not at all.”

EMR ? Levels of Public Awareness

With the questions just reported as a foundation, we moved on to probe public attitudes toward the EMR program. We first described what we called Electronic Medical Records - EMR:

“The Federal Government has called for medical and health care organizations to work with technology firms to create a nationwide system of patient Electronic Medical Records over the next few years. The goal is to improve the effectiveness of patient care, lessen medical errors, and reduce the costs of paper handling. Have you read or heard anything about this program?”

Our survey was conducted after President Bush had described the EMR program in his State of the Union message in January, and had also gone out to the Midwest in early February in several public meetings outlining and promoting EMR. However, since this remains a rather specialized issue, not directly affecting consumers now, and not generating much public debate, I assumed knowledge would be low.

This time I was right.

Less than a third of the public – only 29% - said they had read or heard about a national EMR program. This represents 62 million adults, and a quick look at our demographic data showed that these were, predictably, primarily the better-educated, higher-income, technology-using members of the public.

EMR: Privacy and Security Concerns

Having laid a foundation about EMR, we posed the following multi-part question to respondents:

“Here are some things that some people have said might happen under such a patient Electronic Medical Record system. How concerned are you [about each item read] – very concerned, somewhat concerned, not very concerned, or not concerned at all?”

The following list was used in a randomized order, with these results:

Table One: The Public’s Privacy and Security Concerns in an EMR System

ITEM Concerned (very + somewhat) + Very Concerned

Sensitive personal medical-record information might be leaked because of weak data security 70% (concerned) + 38% (very concerned)

There could be more sharing of your medical information without your knowledge 69%+ 42%

Strong enough data security will not be installed in the new computer system 69% + 34%

Computerization could increase rather than decrease medical errors 65% + 29%

Some people will not disclose sensitive but necessary information to doctors and other health care providers, because of worries that it will go into computerized records 65% + 29%

The existing federal health privacy rules protecting patient information will be reduced in the name of efficiency 62%+ 28%

Some observers of our survey may feel that respondents given a list of potential concerns in any program are likely to say that they share such feelings. This is not the record in most social-issue surveys and especially in privacy surveys over the past four decades.

In other consumer, citizen, and employee privacy surveys, including health privacy surveys, the public majority has demonstrated an ability to modulate its expressed concerns depending on its perceptions of the issues. In other words, when a list of potential privacy problems is offered to survey respondents, the American public majority can usually sort them out in a pretty sophisticated way – reflecting the public’s actual mood and perceptions on social issues, and not controlled by a general pro-privacy or anti-government or anti-business orientation.

This is proved in dozens of privacy surveys where concern levels expressed by respondents run the gamut from heavy to light to non-existent, depending on the public?s sense of the services offered, the privacy or anti-discrimination interests at stake, and how respondents believe a given program or process will be conducted.

Here, a solid two-thirds of the current American public – in a range from 62-70% -say they share the concerns of “some people” about adverse privacy and data security results taking place in the operations of an Electronic Medical Record system. And, those saying they are Very Concerned ranged from 28 to 42%.

These views are obviously shaped by general public awareness about the high incidence of identity thefts, a constant media “drip-drip” of stories about leakage or disclosure of personal consumer data from organizational databases, and accounts of hackers penetrating business and government web sites to steal personally identifying consumer files.

With these larger privacy-violation and data insecurity trends in the background, I believe our six-topic list represents the core of the privacy concerns that two-thirds of the public will be looking at – and want to have successfully addressed – before most Americans will be comfortable with an EMR system.

How the Public Divides on the Benefits and Privacy Risks of an EMR System

It is commonplace in surveys of this kind, after describing a new program and then measuring various concerns about it, to pose a “tie-breaker” question. This asks, essentially, taking into account supposed benefits of some business or government program or action and also the risks to privacy or other social value you may see, where do you come out on the program’s acceptability to you?

Our tie-breaker question on EMR was framed as follows:

“Supporters of the new patient Electronic Medical Record system say that strong privacy and data security regulations will be applied. Critics worry that these will not be applied or will not be sufficient. Overall, do you feel that the expected benefits to patients and society of this patient Electronic Medical Record system outweigh potential risks to privacy, or do you feel that the privacy risks outweigh the expected benefits?”

(The two alternatives were rotated in presentation to respondents to avoid presentation bias.)

And the winner was….. NO ONE.

The public divides equally on this fundamental question – 48% saying the benefits outweigh risks to privacy and 47% saying the privacy risks outweigh the expected benefits. The deciding 4% said they just weren’t sure.

What I draw from this key question is that half the American public does not feel today that an EMR program is worth the risks to privacy that they perceive as accompanying this development.

That is the reality that program advocates will need to consider, respond to, and overcome by a range of laws, rules, practices, technology arrangements, privacy promotions, and positive patient experiences – if EMRs are to win majority public support and high patient participation.

Segmenting the Public on EMR Privacy Concerns

In privacy surveys since 1991, I have created various segmentations of the public on consumer, citizen, and employee privacy issues. The goal is to ask sets of questions that tap basic orientations and preferences of respondents and, on most issues in a given area of privacy (health, financial, anti-terrorist powers, etc.) will identify High, Medium, and Low Privacy Concern segments of the public.

If the segmentation is sound, the total respondents will scale in their answers to the substantive policy issues involved in that area. The High respondents will express the sharpest privacy concerns, reject competing values, call for legal interventions, etc., while the Medium and Low respondents will each record less intense or little to no concerns.

We can then look at the demographic characteristics of each segment, and gain some insights into the underlying bases of each position.

We created our EMR Privacy Concern Segmentation from responses to the six isssues posed in the previous question discussed. Our units were:

Concern chosen in 5 or 6 statements…….High EMR Privacy Concern………………. 56%

Concern chosen in 3 or 4 statements…… Medium EMR Privacy Concern ………….16%

Concern chosen in 1 or 2 statements…… Low EMR Privacy Concern ………………..14%

Concern not chosen in any statement….. Not Concerned About EMR Privacy…….14%

The most obvious and important thing to note is that a solid majority of the American public today is in the High EMR Privacy Concern camp, representing a whopping 120 million adults. In comparison, only 35% of the public is in the High Privacy camp when it comes to overall consumer privacy issues.

Since we just received these survey data this past weekend, I am not able to present as yet the demographics on this segmentation, or on the populations represented in other questions. Our Program will prepare such a detailed report and issue it in approximately two weeks.

Empowering Patients From the Outset

We considered it important to see how the public felt about the role that patients might play directly in any EMR system, not as passive subjects but as technologicallyaided participants. Our question was:

“Since most adults now use computers, the new patient Electronic Medical Record system could arrange ways for consumers to track their own personal information in the new system and exercise the privacy rights they were promised. How important do you think it is that such individual consumer tools be incorporated in the new patient Electronic Medical Record system from the start?”

More than eight out of ten respondents – 82% - rated such consumer empowerment as important, and 45% of these considered it Very Important. Only 17% did not see this as important, with 1% not sure.

I view this result as a powerful, publicly-derived Privacy Design Specification for any national EMR system. It is a design approach that will be ignored, put off until a later time, or rejected as unworkable at the peril of any EMR system?s entire future.

CONCLUSIONS AND RECOMMENDATIONS

I start my judgments with the belief that further computerization of health information and a national program to create an electronic medical records network is both inevitable and – potentially – a very good thing for patients, the health care system, and American society.

I also believe that such a program has far greater chances to be successful in this decade than ever before. We should remember that earlier health-information computerization programs – in the 1970s, 1980s, and 1990s - failed badly or made only marginal improvements in the health care system, at enormous outlays of money and effort. This was essentially, I believe, for two reasons: (1) because large majorities of health care practitioners were not ready – or able – to embrace the technology tools offered and (2) because of weaknesses in the software and system technologies at those points in time.

It is only now, when this generation of health care practitioners is comfortable with information technology – from their cell phones and laptops to their use of databases and comfort in using medical and genetic research data – that greater computerization has the chance to succeed on the front lines of health service.

And it is only now that powerful new database and data mining technologies, along with data linkage techniques, may provide the bang for the buck that is needed to justify electronic medical records processes and networks.

Also, the EMR program is, fortunately, not one in which predominant business or government interests are in direct opposition to the main consumer and privacy advocacy communities, as is sometimes the case in privacy debates. Leaders in the health care community, health researchers, health data service providers, and government health programs have expressed concerns that strong privacy standards be installed, and are ready to help assure that patient privacy interests are protected – indeed advanced – in any EMR system. Of course, some privacy issues will divide the players in EMR debates, and finding ways to create privacy-enhancing solutions for those challenges will be critical.

Having said that, I return to the main theme from our new survey. If a national EMR program is to get anywhere with the American public – and through their views with the Congress and state legislators asked to appropriate the big bucks for EMR projects — the half of the American public that believes the privacy risks outweigh the benefits will have to be persuaded.

This will not be done by the President or HHS executives just saying that, of course, the privacy of your personal information will be protected (although such assurances are very welcome).

What is required, I submit, is an active, well-funded, and impressively staffed program to bring Privacy By Design into the EMR program NOW. This should parallel the excellent ELSI (Ethical, Legal and Social Issues) Program that Congress funded as part of the Human Genome Project, jointly administered by NIH and the Department of Energy.

Such a Privacy by Design Working Group for EMR should apply the tested wisdom and methodologies of privacy analysis, privacy policy-making, and privacy policy implementation and oversight that emerged in the 1970s and has had many successes since. It must pursue five main tasks:

1. Conduct Continuing EMR Privacy Risk and Threat Assessments – to identify the predictable pressures on patient privacy both from within the health care setting and from the many industries and governmental functions that claim access to identified health information for their programs. While data security is involved – representing the way that organizations keep their promises of privacy and confidentiality – it is the privacy risks that this Design Group needs to focus on. And, this assessment is not a one-time, but continuous, function to be based on case studies of operating EMR programs and reviews of each major new function being developed.

2. Design and Propose New Privacy Laws and Regulations to Accompany EMR Roll-Outs. The HIPAA Privacy Rules provide a good foundation but it will require laws and regulations tailored to the new EMR networks and systems.

3. Identify System Design Elements That Would Enhance Rather than Defeat Privacy Interests. A single integrated national patient record system, overseen by the federal government, no matter how benignly, would represent a privacy disaster. From the start, I believe, an EMR program should be designed to be decentralized but linked, with interoperable technologies, and with rigorous procedures for tracking personal information uses and movements in support of privacy rule observance.

4. Identify and test anonymization techniques to enable both advanced medical research and data-analysis services. From the start, EMR systems need to develop the identification filters and maskers that will enable researchers and data analysts to access anonymized health record sources. Surveys have shown the public to be very nervous about researcher access to their medical records, and this calls for powerful anonymizing processes to be installed, verified, and communicated to the public from the start, not retrofitted.

5. Identify and Test Procedures to Empower Individual Patients to Access the EMR Systems Directly, to Assert Their Privacy Rights and Carry Out Their Individual Privacy Choices. This will, inevitably, require techniques for secure identification of patients seeking direct access to the system, and probably a biometric ID. Properly administered, I view a patient and/or citizen biometric as inevitable by the end of this decade, since I cannot envisage empowering patients in the EMR systems without secure identification.

These activities might be initiated now, through a private non-profit association, and attached to the Regional EMR projects that have been organized. Both government and private funding should support such a Privacy by Design organization.

Finally, I believe that there needs to be an independent EMR Privacy Board, appointed soon, with a continuing problem-identification, investigative, and standards recommending assignment. If privacy is just a subset of a larger EMR Standards Body, its proposals will almost surely be vetoed more than they will be minded.

Many more issues and activities of such an EMR Privacy By Design working group could be described. But my central point has been made. Without an active, wellfunded and impressively-staffed EMR Privacy by Design function, privacy issues will be addressed too little and too late by EMR proponents – and at great risk to their important and promising idea.

OUR NEW PROGRAM ON INFORMATION TECHNOLOGY, HEALTH RECORDS, AND PRIVACY

The survey I have reported here is one of the first activities of our new Program, officially created in January, 2005. It was formed by our Center for Social and Legal Research (which was itself created as a non-profit think tank in 1985 to explore technology-society relationships) because we see the re-shaping of the nation’s health care system through advanced technology applications as one of the most important developments of the next two decades.

We outline this in a White Paper that will be available free in about two weeks at the Program’s Home Page and library, which can be found at www.pandab.org. The paper is titled Computers, Health Records, and Citizen Rights in the Twenty First Century, co-authored by myself and the Program’s Associate Director, Vivian van Gelder.

Our Program plans to conduct six main activities, all centered on the privacy aspects of these explorations:

· Conduct Continuing Public Opinion Surveys of the public and various leadership groups, with Harris Interactive as our privacy partner.

· Conduct Empirical Case Studies of the privacy experiences in emerging health information technology experiments and programs.

· Develop Legal and Policy Analyses of the privacy, confidentiality, subject access, and due process aspects of a national or decentralized-model EMR system.

· Track the privacy rules and experiences in EMR projects of other democratic nations.

· Publish White Papers and Reports, and a Quarterly Electronic Newsletter

· Organize Seminars and Conferences on Program Themes

As already noted, we have opened a Home Page and library at www.pandab.org.

We invite everyone interested in following our work and receiving our products to register at the Program site – under its strong privacy policies, of course – and to share your thoughts and reactions with us.

Our staff and contact information are on the next page.

I would welcome questions and discussions from the Committee, and appreciate the opportunity to share our survey findings with this audience.

Program on Information Technology, Health Records, and Privacy

An Activity of the Center for Social and Legal Research

Director:

Dr. Alan F. Westin, LLB, PhD

Professor of Public Law & Government Emeritus, Columbia University

Associate Director

Vivian van Gelder, LLB

Counsel

Robert R. Belair, LLB

Legal Staff

John Haley, LLB

Lyle Himmel, LLB

Kevin Coy, LLB

Program Administrator

Lorrie Sherwood

Communication Director

Irene Oujo

Research and Editorial

Natalie Kochmar

Christie Lawrence

Administrative Assistant

Julie Previzi

Webmaster

Hillary Sherwood

Survey Organization

Harris Interactive

Contacts: Mail: Suite 414, Two University Plaza, Hackensack, N.J. 07601

Tel. (201) 996-1154 Fax (201) 996-1883 email: ctrslr@aol.com

Dr. Westin’s direct email: alanrp@aol.com

__________________________________________________________________________

Appendix One

Dr. Alan F. Westin

Director, Program on Information Technology, Health Records and Privacy

Dr. Alan F. Westin is Professor of Public Law and Government Emeritus at Columbia University, where he taught for 37 years. He is the founder of the Center for Social & Legal Research and President of its Privacy & American Business activity. Dr. Westin is the author or editor of 26 books on constitutional law, civil liberties, American politics, and privacy, and has been listed in Who’s Who in America for three decades.

Professor Westin’s first major books on privacy – Privacy and Freedom, published in 1967, followed by Databanks in a Free Society 1972 (for the National Academy of Sciences) – are considered seminal works on privacy. Each correctly predicted how advances in data surveillance of the mid-1960s and new computer and telecommunication applications of the 70s would affect American organizations that keep records about consumers, employees, and citizens, from hospitals, health and life insurers, credit bureaus, banks to colleges, police, and welfare agencies. Both books called for creating new laws, new organizational policies, and continuous new technology privacy assessments in the governmental, business, and non-profit areas, if basic privacy values and rights were to be preserved in an increasingly information-technology driven world.

Dr. Westin is a leading authority on consumer-privacy public opinion surveys, and in understanding and interpreting the privacy attitudes of the American consumer. He has worked with Louis Harris & Associates (now Harris Interactive) and Opinion Research Corporation on over 50 national surveys since 1978 exploring consumer privacy issues.

He has created privacy indices, which are universally used and quoted. His reports on consumer privacy concerns and attitudes have been featured in the New York Times, Wall Street Journal, Consumer Reports, and dozens of other national publications, and he is a frequent commentator about consumer privacy on national television and radio.

Dr. Westin was the principal expert witness in the enactment of the first two national privacy laws in the United States – the Fair Credit Reporting Act of 1970, providing consumer rights in the credit-bureau industry, and the Federal Privacy Act of 1974. Over the past forty years, he has been a member of U.S. federal and state government privacy commissions; an expert witness before legislative committees and regulatory agencies; and a privacy consultant to many U.S. federal, state, and local government agencies, such as, at the federal level, the Census Bureau, Social Security Administration, General Services Agency, Department of Commerce, and Office of Technology Assessment.

Dr. Westin has also advised many consumer-product companies, including IBM, American Express, Citicorp, Bell Atlantic, Empire Blue Cross and Blue Shield, Equifax, Microsoft, Chrysler, and Prudential Insurance, on privacy governance and policies within their companies as they effect their consumer-business relationships.

Health Information Privacy Activities

Since the mid-1960s, Professor Westin has maintained a continuing special interest in medical confidentiality and health-information-systems privacy issues.

A comprehensive field study of computerization trends and health information was led by Dr. Westin for the U.S. National Bureau of Standards between 1974-76, and produced Westin?s report on Computers, Health Records, and Citizen Rights (1976). The Privacy Code this report recommended was sent by NBS to every hospital in the U.S., and served as a model for hundreds of hospital and health institutions. The NBS Report was the leading empirical study of how computer use in the late 1960′s and early 1970′s was affecting the three main zones of health information use – direct care, payment and quality-assurance, and social uses of medical data.

Between 1978 and the early 1980s, he served as Research Director of the National Commission on Confidentiality of Health Records, a national association composed of the major health-care provider, payer, and quality-care associations in the United States.

During this period, he spoke frequently on privacy and health information issues at national conventions or special meetings of the American Medical Association, Health Insurance Association, American Medical Records Association, American Orthopsychiatric Association, American Psychiatric Association, and many other health professional groups.

Dr. Westin has been a featured speaker at the U.S. Department of Health and Human Services Privacy Task Force Conference on Medical Records and Privacy (February 1993); a reviewer of reports on privacy for the National Institute of Medicine (on emerging regional health data systems), the Journal of the American Medical Association, and for the U.S. Office of Technology Assessment (on privacy and the computerized medical record).

Dr. Westin was the privacy advisor to an award-winning 1994 Public Television Special Documentary on “Privacy and Health in the American Workplace.” Dr. Westin drafted a national corporate-employee and human resources executives survey conducted by Louis Harris and Associates for use on this program, covering employee health and privacy issues in depth.

In 1993, he served as the academic advisor for a national public and leaders Harris survey on “Health Information Privacy.” Results from this survey were released at a national conference in Washington, D.C. in November 1993, at which Dr. Westin spoke, cosponsored by the U.S. Office of Consumer Affairs, the American Health Information Management Association, and Equifax Inc.

Also in 1993-95, Dr. Westin served as Principal Investigator on a 15-month project on privacy issues in the uses of genetic testing and genetic-test applications, funded by the U.S. Department of Energy for the Human Genome Project and its ELSI Program (Ethical, Legal and Social Issues). In 1997-99, he led a study of future uses of genetic testing in the Life Insurance Industry, commissioned from the Center for Social and Legal Research by State Farm Insurance Company.

Over the past three years, Dr. Westin has led discussions of the HIPAA Privacy Rules at many national conferences. He has been a privacy consultant to several major pharmaceutical companies, from Eli Lilly, Glaxo Welcome and Smith Kline to Merck.

He was also privacy consultant to Empire Blue Cross, Blue Shield; State Farm Insurance; and Mutual of Omaha. Dr. Westin also led a Global HR Privacy Policy Development project of Privacy & American Business, covering trans-border personnel data flows of multi-national firms that involved the worldwide handling of medical and health data by those companies.

In January 2005, Dr. Westin created the Program on Information Technology, Health Records and Privacy. Its first activity is the release of a new survey in February 2005,

“How the Public Sees Health Records and an Electronic Medical Record Program,” for which Dr. Westin served as Academic Advisor.

Dr. Westin views the re-shaping of the nation’s health care system through advanced technology applications as one of the most important technology-society developments of the next two decades. It will be a priority of the new Program to help insure that privacy interests and patient empowerment are embedded in any new Electronic Medical Record systems — from the start.

+++++++++++++++++++++++++++

Appendix Two

HARRIS INTERACTIVE, INC.

161 SIXTH AVENUE

NEW YORK, NEW YORK 10013

February 16, 2005

PROGRAM ON INFORMATION TECHNOLOGY, HEALTH RECORDS AND PRIVACY CENTER FOR SOCIAL & LEGAL RESEARCH

TOPLINE RESULTS

DATASHEETED QUESTIONNAIRE

Study No. 23283

Field Period: February 8 – 13, 2005

Sample: 1,012 adults aged 18 or over

Methodology

Harris Interactive conducted this survey by telephone within the United States between February 8 and 13, 2005 among a nationwide cross section of 1,012 adults (ages 18 and over). Figures for age, sex, race, education, number of adults, number of voice/telephone lines in the household, region and size of place were weighted where necessary to align them with their actual proportions in the population.

In theory, with a probability sample of this size, one can say with 95 percent certainty that the results for the total sample have a sampling error precision of plus or minus 3 percentage points of what they would be if the entire U.S. adult population had been polled with complete accuracy. Statistical precision for the smaller samples is plus or minus 5 percentage points.

Unfortunately, there are several other possible sources of error in all polls or surveys that are probably more serious than theoretical calculations of sampling error. They include refusals to be interviewed (nonresponse), question wording and question order, interviewer bias, weighting by demographic control data and screening (e.g., for likely voters). It is impossible to quantify the errors that may result from these factors.

Notes on reading the results

The percentage of respondents has been included for each item. An asterisk (*) signifies a value of less than one-half percent. A dash represents a value of zero. Percentages may not always add up to 100% because of computer rounding or the acceptance of multiple answers from respondents answering that question.

© 2005 Harris Interactive, Inc.

SECTION 650: HEALTH PRIVACY QUESTIONS [WESTIN]

BASE: ALL RESPONDENTS

Q650 [1] In the past three years, do you believe that [Insert each item] has disclosed your personal medical information in a way that you felt was improper, or not? [RANDOMIZE]

Q651 1 2 8 9

Yes, No, Not Sure (v), Decline to Answer (v)

1 A doctor who has treated you or a family member 5 94 1 *

2 A clinic or hospital that treated you or a family member 8 91 1 *

3 Your employer or a family member?s employer 5 94 1 *

4 A health insurance company 8 90 1 *

5 A public health agency 5 93 2 *

NET 14%

BASE: ALL RESPONDENTS

Q655 [2] Since 2000, a Federal Health Privacy Regulation (called the HIPAA Rule) has required all health care organizations to give patients a privacy notice explaining how the organization will collect and use the patient’s health information, how it will keep the information secure, how patients can get access to their own health records, correct any errors, and control most disclosures of their information to people outside the health care system. Have you ever received one of these HIPAA health privacy notices?

1 Yes 67%

2 No 32%

8 Not sure (v) 1%

9 Decline to answer (v) -

BASE: HAVE RECEIVED HIPAA PRIVACY NOTICES (Q655/1)

Q670 [3] Based on your experiences and what you may have heard, how much has this federal privacy regulation and the Privacy Notices affected your confidence that your personal medical information is being handled today in what you feel is a proper way? Has it increased your confidence???

1 A Great Deal 23%

2 Somewhat 44%

3 Not Very Much 13%

4 Not At All 18%

8 Not sure (v) 1%

9 Decline to answer (v) *

BASE: ALL RESPONDENTS

Q675 [4] The Federal Government has called for medical and health-care organizations to work with technology firms to create a nationwide system of patient Electronic Medical Records over the next few years. The goal is to improve the effectiveness of patient care, lessen medical errors, and reduce the high costs of paper handling. Have you read or heard anything about this program?

1 Yes 29%

2 No 71%

8 Not sure (v) -

9 Decline to answer (v) -

BASE: ALL RESPONDENTS

Q685 [6] Here are some things that some people have said might happen under such a patient Electronic Medical Record system. How concerned are you that (READ EACH ITEM) ? very concerned, somewhat concerned, not very concerned, or not concerned at all?

Q686 1 2 3 4 8 9 [RANDOMIZE] Very Concerned, Not Very Concerned, Somewhat Concerned, Not Concerned at all, Not Sure, Decline

% % % % %

1 Computerization could increase rather than decrease medical errors 29 36 22 13 1 -

2 Sensitive personal medical-record information might be leaked because of weak data security 38 32 16 13 1 -

3 There could be more sharing of your medical information without your knowledge 42 27 18 13 * -

4 Some people will not disclose sensitive but necessary information doctors and other health care providers, because of worries that it will go into computerized records 29 36 20 13 1 -

5 Strong enough data security will not be installed in the new computer system 34 35 18 12 1 *

6 The existing federal health privacy rules protecting patient information will be reduced in the name of efficiency 28 34 23 14 1 *

Privacy Concerns Segmentation

High 56%

Moderate 16%

Low 14%

Very Low 14%

BASE: ALL RESPONDENTS

Q690 [7] Supporters of the new patient Electronic Medical Record system say that strong privacy and data security regulations will be applied. Critics worry that these will not be applied or will not be sufficient.

Overall, do you feel that the expected benefits TO PATIENTS AND SOCIETY of this patient Electronic Medical Record system outweigh potential risks to privacy, or do you feel that the privacy risks outweigh the expected benefits? [PROGRAMMER NOTE: ROTATE THE EXPECTED BENEFITS OUTWEIGH

POTENTIAL RISKS AND PRIVACY RISKS OUTWEIGH EXPECTED BENEFITS]

1 Benefits outweigh risks to privacy 48%

2 Privacy risks outweigh the expected benefits 47%

8 Not sure (v) 4%

9 Decline to answer (v) 1%

BASE: ALL RESPONDENTS

Q695 [8] Since most adults now use computers, the new patient Electronic Medical Record system could arrange ways for consumers to track their own personal information in the new system and exercise the privacy rights they were promised. How important do you think it is that such individual consumer tools be incorporated in the new patient Electronic Medical Record System from the start? Is it…?

1 Very Important 45%

2 Somewhat Important 37%

3 Not Very Important 11%

4 Not Important at all 6%

8 Not sure (v) 1%

9 Decline to answer (v) *