IMS Health Files for IPO – Is It Legal?

On January 2nd, IMS Health Holdings announced it will sell stock on the New York Stock Exchange. IMS joins other major NYSE-listed corporations that derive significant revenue from selling sensitive personal health data, including General Electric, IBM, United Health Group, CVS Caremark, Medco Health Solutions, Express Scripts, and Quest Diagnostics.

  • IMS buys and aggregates sensitive “prescription and promotional” records, “electronic medical records,” “claims data,” “social media” and more to create “comprehensive,” “longitudinal” health records on “400 million” patients.
  • All purchases and subsequent sales of personal health records are hidden from patients.  Patients are not asked for informed consent or given meaningful notice.
  • IMS Health Holdings sells health data to “5,000 clients,” including the US Government.
  • Despite claims that the data sold is “anonymous”, computer science has long established that re-identification is easy.
  • See brief 3-page paper by Narayanan and Shmatikov at: http://www.cs.utexas.edu/~shmat/shmat_cacm10.pdf)
  • See Prof. Sweeney’s paper on re-identifying patient data sold by states like WA at: http://thedatamap.org/risks.html
  • “Our solutions, which are designed to provide our clients access to our deep healthcare-specific subject matter expertise, take various forms, including information, tailored analytics, subscription software and expert services.” (from IMS Health Holding’s SEC filing)

 

Quotes from IMS Health Holding’s SEC filing:   “We have one of the largest and most comprehensive collections of healthcare information in the world, spanning sales, prescription and promotional data, medical claims, electronic medical records and social media. Our scaled and growing data set, containing over 10 petabytes of unique data, includes over 85% of the world’s prescriptions by sales revenue and approximately 400 million comprehensive, longitudinal, anonymous patient records.”   IMS buys “proprietary data sourced from over 100,000 data suppliers covering over 780,000 data feeds globally.”

How can this business model be legal?  How can companies decide that US citizens’ personal health data is “proprietary data,” a corporate asset, and sell it?  If personal health data ‘belongs’ to anyone, surely it belongs to the individual, not to any corporation that handles, stores, or transmits that information.

Americans’ strongest rights to control personal information are our rights to control personal health information. We have constitutional rights to health information privacy which are not trumped by the 2001 elimination of the right of consent from HIPAA (see: http://patientprivacyrights.org/truth-hipaa/ ). HIPAA is the “floor” for privacy rights, not the ceiling. Strong state and federal laws, and medical ethics require consent before patient data is used or disclosed. 10 state constitutions grant residents a right to privacy, and other states constitutions have been interpreted as giving residents a right to privacy (like TX).

Surely FTC would regard the statement filed with the SEC as evidence of unfair and deceptive trade practices. US patients’ health data is being unfairly and deceptively bought and sold.  Can the SEC deny IMS Health the opportunity to offer an IPO, since its business model is predicated on hidden purchase and sale of Americans’ personal health data?

If we can’t control the use and sale of our most sensitive personal information, data about our minds and bodies, isn’t our right to privacy worthless?

deb

To view the full article published in Modern Healthcare visit:  IMS Health Files for IPO

 

A Family Consents to a Medical Gift, 62 Years Later

Should researchers control the use of everyone’s genomes?

It’s time for a national debate about when and how our genetic information should be used.  The healthcare industry and government are planning that our genomes will soon be part of our electronic health records, so that sensitive data can be used without patient consent. The cost of sequencing a genome will soon drop below $1,000.

But the debate about who should control the use of this unique, personal information must be informed by knowing/tracking the hidden flows of genetic data.

The next phase of theDataMap should track the use, sale, and disclosure of genetic information: from hospitals, labs, and genomic sequencing companies to private biobanks, etc, etc.

We cannot weigh risks vs. benefits of open access to genetic data when the risks are unknown.

States’ Hospital Data for Sale Puts Privacy in Jeopardy

Before speaking at the 3rd Annual Summit on the Future of Health Privacy, Jordan Robertson did extensive research with Latanya Sweeney, PhD and theDataMap.org team to expose a nationwide privacy problem. MANY states are selling de-identified hospital records, which can be easily re-identified by using your local newspaper. Using other publicly available information makes re-identification even easier.

From Jordan Robertson’s article in Bloomberg News: States’ Hospital Data for Sale Puts Privacy in Jeopardy

Hospitals in the U.S. pledge to keep a patient’s health background confidential. Yet states from Washington to New York are putting privacy at risk by selling records that can be used to link a person’s identity to medical conditions using public information.

Consider Ray Boylston, who went into diabetic shock while riding his motorcycle in rural Washington in 2011. He careened off the road and was thrown into the woods, an accident that was covered only briefly, in the local newspaper. Boylston disclosed his medical condition and history to a handful of loved ones and the hospital that treated him.

After Boylston’s discharge, Washington collected the paperwork of his week-long stay from Providence Sacred Heart Medical Center in Spokane and added it to a database of 650,000 hospitalizations for 2011 available for sale to researchers, companies and other members of the public. The data was supposed to remain anonymous. Yet because of state exemption from federal regulations governing discharge information, Boylston could be identified and his medical background exposed using only publicly available information.

Re: The Internet is a surveillance state

In response to the CNN article by Bruce Schneier: The Internet is a surveillance state

Bruce Schneier is wrong. Privacy is not over — the public is just now learning how invasive Internet technology, tech corporations, and government really are, and that they ACT to protect and maintain the US surveillance economy. When enough citizens tell Congress and the President to stop, this privacy disaster will stop.

The public is just beginning to WAKE UP. Today is the start of privacy in the Digital Age in the US, not the end.

It’s a lie that people happily give up privacy for “targeted ads” — tech giants like Google, Facebook, etc. have PREVENTED us from having apps and tools that enable privacy (ie, our right TO control personal information online). We have NO choices because government and the data mining industry have prevented us from having meaningful choices.

Signs of intelligent life in the Universe:

  • Attend or watch the 3rd International Summit on the Future of Health Privacy (its free). The EU Data Protection Supervisor will keynote and so will the US Chief Technology Officer—-the stark differences between US and EU data protections will be discussed—register at: http://www.healthprivacysummit.org/d/vcq3vz/4W
  • SnapChat—millions of free downloads of an app that shows people want technology that gives THEM control over their data: single use of info (a picture in this case) and the ability to delete info. See: http://patientprivacyrights.org/2013/02/snapchat-and-the-erasable-future-of-social-media/
  • A recent Pew Research Center study found smartphone users are taking action to protect their privacy:
  • The default for Microsoft’s Windows 8 browser is ‘Do Not Track’
    • Microsoft’s Chief Privacy Officer Brendon Lynch said a recent company study of computer users in the United States and Europe concluded that 75 percent wanted Microsoft to turn on the Do Not Track mechanism. “Consumers want and expect strong privacy protection to be built into Microsoft products and services.”
    • See more in the New York Times article: Do Not Track? Advertisers Say ‘Don’t Tread on Us’

DONATE to help Latanya Sweeney and Patient Privacy Rights build a health data map—-we MUST prove that thousands of hidden data users are stealing, using , and selling our personal health data: http://patientprivacyrights.org/donate/

SEE Latanya describe thedataMap at: http://patientprivacyrights.org/thedatamap/
This is the beginning of privacy, the war has just begun.

HIPAA Omnibus: Gaps In Privacy? — Interview with Deborah C. Peel, MD

Although the HIPAA Omnibus Rule is a step in the right direction for protecting health information, the regulation still leaves large privacy gaps, says patient advocate Deborah Peel, M.D.

HIPAA Omnibus finally affirmed that states can pass laws that are tougher than HIPAA, and that’s really good news because HIPAA is so full of flaws and defects that we are concerned that what is being built and funded will not be trusted by the pubic,” Peel says in an interview with HealthcareInfoSecurity during the 2013 HIMSS Conference.

Listen to this interview and read the full article here.

theDataMap™

theDataMap™ is an online portal for documenting flows of personal data. The goal is to produce a detailed description of personal data flows in the United States.

A comprehensive data map will encourage new uses of personal data, help innovators find new data sources, and educate the public and inform policy makers on data sharing practices so society can act responsibly to reap benefits from sharing while addressing risks for harm. To accomplish this goal, the portal engages members of the public in a game-like environment to report and vet reports of personal data sharing. More…

Members of the public sign-up to be Data Detectives and then work with other Data Detectives to report and vet data sharing arrangements found on the Internet. Data Detectives are responsible for content on theDataMap™.

See the debut of theDataMap™ from the “Celebration of Privacy” during the 2nd International Summit on the Future of Health Privacy here:

Re: Open data is not a panacea

Regarding the story on MathBabe.org titled Open data is not a panacea

This story is a much-needed tonic to the heavy industry and government spin promoting ONLY the benefits of “open data” without mentioning the harms.

Quotes from the story:

  • When important data goes public, the edge goes to the most sophisticated data engineer, not the general public. The Goldman Sachs’s of the world will always know how to make use of “freely available to everyone” data before the average guy.
  • If there’s one thing I learned working in finance, it’s not to be naive about how information will be used. You’ve got to learn to think like an asshole to really see what to worry about.
  • So, if you’re giving me information on where public schools need help, I’m going to imagine using that information to cut off credit for people who live nearby. If you tell me where environmental complaints are being served, I’m going to draw a map and see where they aren’t being served so I can take my questionable business practices there.

Patient Privacy Rights’ goal is a major overhaul of U.S. health technology systems, so your health data is NOT OPEN DATA. Your health data should only be “open” and used with your knowledge and informed consent for purposes you agree with, like treatment and research. It will take a major overhaul for the public to trust health IT systems.

Why does Patient Privacy Rights advocate for personal control over health information and against “open data”? Answer:

For reasons that are NOT apparent, the healthcare industry shuns learning from computer scientists, mathematicians, and privacy experts about the harms and risks posed by today’s poorly designed “open” healthcare technology systems, the Internet, and the “surveillance economy”.

The health care industry and government shun facts like:

YOU can help build a data map so industry and government are forced to stop pretending that the health information of every person in the US is safe, secure, and private. Donate at: http://patientprivacyrights.org/donate/