Will Texans Own Their DNA?

Greg Abbott, candidate for Governor, thinks they should

On November 12th, Abbott released his “We the People Plan” for Texas. Clearly he’s heard from Texans who want tough new health data privacy protections.

Topping his list are four terrific privacy recommendations for health and genetic data:

  • “Recognize a property right in one’s own DNA.”
  • “Make state agencies, before selling database information, acquire the consent of any individual whose data is to be released.”
  • “Prohibit data resale and anonymous purchasing by third parties.”
  • “Prohibit the use of cross referencing techniques to identify individuals whose data is used as a larger set of information in an online data base.”

The Omnibus Privacy Rule operationalized the technology section of the stimulus bill. It also clarified that states can pass data privacy laws that are stronger than HIPAA (which is a very weak floor for data protections).

Texans would overwhelmingly support the new state data protection laws Abbott recommends. If elected, hopefully Abbott would also include strong penalties for violations. Contracts don’t enforce themselves. External auditing and proof of trustworthy practices should be required.

Is this the beginning of a national trend? I think so.

The more the public learns about today’s health IT systems, the more they will reject health surveillance technologies that steal and sell sensitive personal health data.

Abbott’s Privacy Rights Proposals Draw Attention

“Attorney General Greg Abbott’s support for more stringent privacy laws is getting some notice, as privacy rights activists say his proposals would lead to more protections for Texans. But concerns tied to the enforcement of the proposed policies are also being raised.”

To view the full article, please visit: Abbott’s Privacy Rights Proposals Draw Attention

Physician’s computers were stolen

See the full story from MySanAntonio.com: “Physician’s computers were stolen”

“Five computers containing medical and personal information of more than 3,000 patients were stolen from a Stone Oak physician’s office in October.

Dr. Sudhir Gogu of the Stone Oak Urgent Care & Family Practice said the computers were stolen after an office door had been pried open sometime during the weekend of Oct. 22-23, according to the police report.

A San Antonio Police Department spokesman said in an email Wednesday that the computers have not been recovered and there have been no arrests…

…Dr. Deborah Peel, founder and chairman of Patient Privacy Rights, an organization focused on putting people in control of their electronic health information, called medical identity theft a dangerous crime.

“It typically costs the average victim at least $20,000, and health plans typically increase your premiums … or may even cancel your coverage,” Peel said.

Peel criticized the health industry for failing to take data protection seriously.

“It’s estimated that 80 percent of hospitals don’t encrypt data,” she said. “Can you imagine if your banks didn’t encrypt and keep your financial information secure? We wouldn’t even let them be banks.””

Re: SAIC Hit With $4.9B Lawsuit Over TRICARE Data Theft

See article for reference from NextGov, “SAIC Hit With $4.9B Lawsuit Over TRICARE Data Theft,” by Bob Brewin.

We can expect to see many more lawsuits over breaches because most US health systems have abysmal data security and by design allow thousands of employees to access the sensitive health information of millions of patients. This immense scale of damage was simply impossible with paper systems.

Ironclad security is very difficult technically (think WikiLeaks) because health systems were architected to enable ‘open access’ by hundreds or thousands of employees to millions of sensitive health records.

Today, the only ‘barriers’ to health data access in the US are ‘pop-up’ screens that ask, “Do you have a right to access this patient’s information?” This is hardly effective. Yes, of course, after-the-fact audit trails of access can be used to identify those who should not have seen a record. It is a very weak kind of data protection; in fact, today patients identify the majority of data breaches, not health IT systems.

When will the US get serious about building privacy-enhancing architectures where ONLY clinical staff or others who are directly involved in a patient’s care can access the patient’s data with informed consent? Systems that prevent access by MOST employees could prevent the vast majority of data breaches and data thefts.

Using and building systems designed for privacy would be a FAR better use of the stimulus billions than how they are currently being spent: to buy and promote the use of HIT systems that cannot possibly protect health data from misuse and theft, and in fact are designed to spread health information to many unseen and unknown secondary corporate and government users.

Unsafe data in Texas

Last month, a Texas online news site, the Austin Bulldog, published a lengthy investigative report on the sale and gifting of patient-level hospital data by the Texas Department of State Health Services.

Reporter Suzanne Batchelor’s remarkable story found that if you’re a Texan, your healthcare data can be given away or sold without your consent. And the Health Insurance Portability and Accountability Act, the main federal health information privacy law, won’t—or can’t—protect you.

In Texas, the health services department gathers claims data from hospitals by law—providers can be fined as much as $10,000 if they don’t hand it over. But the department isn’t a so-called “covered entity” as defined by HIPAA. So, the state isn’t covered under the HIPAA privacy rule if it does anything that would be a violation if performed by a data-providing hospital…

…The state knows the public-use data file is vulnerable. A user’s manual (PDF) contains this caveat: “It may be possible in rare instances, through complex analysis and with outside information, to ascertain from the PUDF the identity of individual patients. Considerable harm could result if this were done.”

And TX isn’t the only state selling your information…

Texas is not the only state in the US selling or giving away sensitive hospital records to anyone who wants them; this is a devastating privacy problem every state must face.

See the Investigative Report done in Texas.

$39 billion in stimulus funds will be used to build a nationwide health IT superhighway system, exponentially expanding the theft, sale, and use of the health information of all 300 million Americans. Texas will get $38 million to exchange Texans’ health data.

How much money will your state get? BEWARE the form of consent used for Health Information Exchange (HIE) in your state.

  • Each state sets up its own consent rules for HIE and industry is pressuring states to use the worst kind of consent: “opt-out”.
  • The state of NY is going to share EVERYONE’S health data unless they “opt-out”.
  • In AZ, the use of “opt-out” for health data exchange failed.
  • TX has yet to decide what kind of consent it will use for data exchange.

It’s critical to insist that your state empowers you to SELECTIVELY disclose PARTS of your sensitive health data–NOT ALL OR NONE. No one should be forced to give up privacy to benefit from data exchange.

Great consent and segmentation technologies exist and should be required for all data exchange so we can exchange ONLY the information we want to disclose. (See video of the Consumer Choices Technology Hearing in DC where 7 consent and segmentation technologies were demonstrated LIVE: http://nmr.rampard.com/hit/20100629/default.html. See transcript of the Hearing and written testimony about the 7 privacy-enhancing technologies at: http://healthit.hhs.gov/portal/server.pt?open=512&mode=2&objID=2833&PageID=19477#062910.)

Do you know whether YOUR state is selling or giving hospital data away? (SEE story here). Quotes from the story:

Buyers may order one of two versions of the hospital-patient files:

  • Research version — contains complete personal information including date of birth, age in years, and start and end dates of hospital care. To purchase data in the research file, applicants must describe their “research project,” identify themselves as one of 10 organization types (including university; managed care insurer; governmental entity, pharmaceutical, biotechnology or medical product firm; trade group or lobby; and research organization consultant), and select each data field they want. Each application is reviewed by a DSHS committee, which must approve it before the applicant can obtain the data.
  • De-identified version — For this version DSHS has removed some but not all personal information…DSHS removes the patient’s dates of admission and discharge from the hospital, but leaves in diagnoses, surgeries, and payment information. The patient’s gender and full zip code appear in most cases.
    A five-year age range is substituted for the patient’s exact age (some children’s ages appear in shorter ranges, such as “1-4,” “15-17”) and the street address is removed. Patient county, state, race and ethnicity are listed.

Texas officials imagine that simply taking names, parts of addresses, etc off our health data means that our records cannot be traced back to us. WRONG!

It is extremely easy to re-identify what they call “de-identified” information. Making health data IMPOSSIBLE to re-identify is extremely difficult; solutions which make it impossible to re-identify data have not been proposed.
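An added example, not part of the original post or of any DSHS material: a k-anonymity check a data custodian can run before release, over the fields the story says remain in the de-identified version (gender, full ZIP code, five-year age range, county, race, ethnicity). The records are constructed sample data, and the function names and the `k_min` threshold are assumptions.

```python
from collections import Counter

# Fields the story says stay in the "de-identified" file (quasi-identifiers).
QUASI_IDENTIFIERS = ("gender", "zip", "age_range", "county", "race", "ethnicity")

# Constructed sample records, not real patient data.
_CONSTRUCTED = [
    ("F", "78701", "30-34", "Travis", "White", "Non-Hispanic"),
    ("F", "78701", "30-34", "Travis", "White", "Non-Hispanic"),
    ("F", "78702", "30-34", "Travis", "White", "Non-Hispanic"),
    ("F", "78703", "30-34", "Travis", "White", "Non-Hispanic"),
    ("M", "78704", "60-64", "Travis", "Black", "Non-Hispanic"),
    ("M", "78705", "60-64", "Travis", "Black", "Non-Hispanic"),
]
SAMPLE_ROWS = [dict(zip(QUASI_IDENTIFIERS, rec)) for rec in _CONSTRUCTED]


def class_sizes(rows, fields=QUASI_IDENTIFIERS):
    """Count records sharing each combination of quasi-identifier values."""
    return Counter(tuple(row[f] for f in fields) for row in rows)


def audit_release(rows, k_min=5, fields=QUASI_IDENTIFIERS):
    """Summarise release risk; k_min is an assumed policy threshold."""
    sizes = class_sizes(rows, fields)
    per_row = [sizes[tuple(row[f] for f in fields)] for row in rows]
    return {
        "k": min(per_row),                               # smallest group size
        "unique_records": per_row.count(1),              # one-of-a-kind rows
        "below_k_min": sum(n < k_min for n in per_row),  # rows to suppress or coarsen
    }


def coarsen_zip(rows, digits=3):
    """Generalise ZIP codes to their first `digits` digits before release."""
    return [{**row, "zip": row["zip"][:digits]} for row in rows]


if __name__ == "__main__":
    print("full ZIP   :", audit_release(SAMPLE_ROWS))
    print("3-digit ZIP:", audit_release(coarsen_zip(SAMPLE_ROWS)))
```

A higher k only bounds how small a group of look-alike records can be; diagnoses, surgeries and payment fields that stay in the file can still narrow a group further.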

Unless we build consumer control over personal health information into state and national health IT systems, we will destroy everyone’s privacy and ensure generations of discrimination.

This kind of wholesale giveaway of Americans’ sensitive health information is an extremely serious problem. States and the federal government must address this BEFORE expanding today’s privacy-destructive health IT systems and data exchanges. Once sensitive health and demographic data is exposed, it’s too late. It can never be made private again.

Federal funds for HIE should be used to buy MODERN, privacy-protective technologies in every state. Unless we act NOW, the stimulus money IN YOUR STATE will be used to exponentially facilitate health information exchange, and facilitate the systemic collection, theft, sale, and misuse of sensitive health information.