Patient Trust in Confidentiality Affects Health Decisions

To view the full article by Pablo Valerio, please visit Enterprise Efficiency: Patient Trust in Confidentiality Affects Health Decisions

This article highlights a survey sponsored by FairWarning that looks at how “patient privacy considerations impact the actual delivery of healthcare” in the UK and US.

Key quotes from the story:

-“CIOs and healthcare providers need to ensure the best security, not only because it is the law, but because data breaches actually affect how honest a patient might be with a doctor and how quickly they will seek medical attention.”

-“It is not enough to comply with government regulations about data protection. If a data breach occurs patients are not going to check if the institution was following rules, they are going to blame their executives for allowing the breach to happen, regardless of the reasons.”

The survey, “UK: How Privacy Considerations Drive Patient Decisions and Impact Patient Care Outcomes; Trust in the confidentiality of medical records influences when, where, who and what kind of medical treatment is delivered to patients” cited in the article below compares attitudes about health information privacy in the UK and US.

Some key UK findings are:

-38.3 percent stated they have or would postpone seeking care for a sensitive medical condition due to privacy concerns

-More than half of patients stated that if they had a sensitive medical condition, they would withhold information from their care provider.

-Nearly 2 out of 5 stated they would postpone seeking care out of privacy concerns.

-45.1 percent would seek care outside of their community due to privacy concerns

-37 percent would travel… 30 miles or more, to avoid being treated at a hospital they did not trust

US vs UK patients:

-UK patients are almost twice as likely to withhold information from their care provider…if they had a poor record of protecting patient privacy.

-4 out of 10 UK patients versus nearly 3 out of 10 US patients … would put off seeking care … due to privacy concerns.

-97 percent of UK and US patients stated chief executives and healthcare providers have a legal and ethical responsibility to protect patients’ medical records from being breached.

Shoppers, Meet Your Scorekeeper

See the article in the NY Times at: Secret E-Scores Chart Consumers’ Buying Power

Let’s call this business what it really is: data theft, not scorekeeping. This great story by Natasha Singer is in the vein of the WSJ series: “What They Know”. There is no way to know if our e-scores, derived from 50,000+ pieces of personal information, are used only for shopping.

  • There is no proof that eBureau does what the CEO says. Unless eBureau reveals all the buyers of the scores or lets us see all the personal data they collect/steal about us there is no way to know if the scores are used to discriminate against us in key life opportunities.

Natasha Singer writes clearly about the business model of hidden data theft and hidden data mining that is used by so many Internet-based corporations.  She profiles Gordy Meyer, CEO of eBureau, who claims his company makes entirely legal use of millions of online and other personal, electronic clues.  He imagines we freely, consciously give personal data away to corporations like his to create instant, extremely detailed, deeply intimate real-life profiles of every one of us (which he sells at 3 to 75 cents/per profile).

When we simply LOOK or CLICK AROUND a website, we are not in any meaningful way giving consent to hidden data-thieving corporations to collect or use personal information. We are victims of unfair and deceptive trade practices and data theft.

The public simply has no concept that extremely detailed digital profiles are being collected used to discriminate against them:

  • Ebureau then adds several thousand details–like age, occupation, property value, length of residence, and retail history–from its data bases to each customer profile. From those raw data points, the system extrapolates up to 50,000 additional variables per person.”

What are the “several thousand details” eBureau adds?  Could they be details like your searches for information on treatment of melanoma? or STDS?  How do we know what the details are?  eBureau will not tell us.

The story closes with a quote from Frank Pasquale:

  • “I’m troubled by the idea that some people will essentially be seeing ads for subprime loans, vocational schools and payday loans,” Professor Pasquale says, “while others might be seeing ads for regular banks and colleges, and not know why.”

One of the worst parts of this story is that eBureau’s CEO makes assertions that cannot be verified:

  • there is no way to know what data is collected or what eBureau does with it
  • there is no way to know if eBureau “meets regulatory requirements” or “has put firewalls in place to separate data bases containing federally regulated data, , like credit or debt information used for purposes like risk management, from databases about consumers used to generate scores for marketing purposes.” because there is no outside auditing.

My bet is that a HUGE part of what is collected is information about our minds and bodies. We already know that personal health information is the most valuable digital information about each of us. Will purchasers of eBureau’s scores offer a credit card to anyone with cancer or Depression? Will we be able to qualify for loans to send our kids to college if we have genetic risks for breast cancer or heart disease?

Jailed Man Narrowly Escapes Fatal Error in EHR

To view the full article, please visit Nextgov.com: Jailed Man Narrowly Escapes Fatal Error in EHR

Problems with EHRs don’t happen only in jails—and many hospitals and clinics that  use EHR are prohibited from criticizing the products in public; ie many health technology vendors have ‘gag’ clauses in their contracts with users.  EHRs like this one can endanger patients’ lives and/or can be very difficult to use (many are NOT designed by clinicians who actually need to use them, can be very time consuming to use, make it hard to find needed information, etc, etc).

Attackers Demand Ransom After Encrypting Medical Center’s Server

To view the full article by John E. Dunn, please visit CIO: Attackers Demand Ransom After Encrypting Medical Center’s Server

What happens to patients when their doctors can’t get their records because thieves encrypted them? Federal law has required strong health data security protections since 2002, but 80% of hospitals and practices don’t encrypt patient data. If The Surgeons of Lake County had been following the law and encrypted their records, this attack could not have happened.

EHRs and Patient Privacy- An Oxymoron? Psychiatric Times Cover Story

A recent article in the Psychiatric Times based on the 2nd International Summit on the Future of Health Privacy describes the major problems with EHRs and the consequences of the misuse of this technology. The article quotes both Dr. Peel and Dr. Scott Monteith as well as “Julie” when describing the flaws of EHRs and HIEs. The article is available by subscription only through Psychiatric Times, but here are some highlights and quotes from the article:

“The escalating use of electronic health records (EHRs) and health information exchanges (HIEs) is fraught with unintended and sometimes dire consequences—including medical coding errors and breaches of psychiatric patients’ privacy and confidentiality, according to [Dr. Peel and Dr. Monteith] who scrutinize the field”

“At the recent Second Annual International Summit on the Future of Health Privacy, psychiatrist Scott Monteith, MD, Clinical Assistant Professor in the Departments of Psychiatry and Family Medicine at Michigan State University and a medical informaticist, relayed the experience of a patient who discovered that her EHR erroneously reported a history of inhalant abuse. In reality, she had a history of  “caffeine intoxication.” After much investigation, the problem was identified. The DSM-IV-TR code (305.90) is used for 4 different diagnoses, including caffeine(Drug information on caffeine) intoxication and inhalant abuse, but the EHR’s printout only made the inhalant abuse diagnosis visible. Although the error was reported to the EHR vendor, the problem persists after almost 2 years.

“‘It is impossible for consumers to weigh the risks and benefits of using health IT and data exchanges when they have no idea where their data flows, who is using it or the purpose of its use,’ wrote Peel, a psychiatrist and psychoanalyst.”

“…Peel emphasized the importance of patients being able to control access to sensitive personal health information. The open source consent technologies, she explained, have been used for more than 12 years by many state mental health departments to exchange sensitive mental health and substance abuse data on some 4 million people in more than 8 states.”

“…’Millions of patients/year refuse to seek treatment when they know they cannot control where their data flows,” she wrote. “Any HIE or EHR that cannot selectively share data with the patient’s meaningful consent, withhold data without consent, AND withhold erroneous data is a failed system or technology. The refusal of certain health IT companies to build technologies that comply with the law and what patients expect shows very poor judgment.'”

If you wish to view the full article by Arline Kaplan and are a subscriber of Psychiatric Times, it can be found at Electronic Health Records and Patient Privacy- An Oxymoron?

Abercrombie signs Hawaii patient privacy protection law

To view the full article in Bizjournals.com by Vanessa Van Voorhis, please visit Abercrombie signs Hawaii patient privacy protection law.

The people of Hawaii just lost their rights to health privacy. The Hawaiian legislature replaced all its far stronger health privacy laws with HIPAA.

Like most of the public, Hawaiian lawmakers believe HIPAA protects privacy, but it doesn’t.  It hasn’t for 10 years. The key privacy protection in HIPAA  was eliminated in 2002. The media  has never reported this.

  • President Bush put HIPAA in place when he took office. At first, HIPAA required that others had to ask for consent before using or disclosing our health information for treatment, payment, or healthcare operations.

  • “The consent provisions…are replaced with a new provision…that provides regulatory permission for covered entities to use and disclose protected health information for treatment, payment, and healthcare operations.”  67 Fed. Reg. 53,183

That means millions of people who work at hospitals, doctors offices, labs, health plans, data clearinghouse, government agencies, pharmacies and other places that hold health records (“covered entities”) decide when to use and disclose them, not us.

This new law is a privacy disaster for Hawaiians. They will suffer:

  • loss of the privacy of sensitive information about their minds, bodies, and genes
  • generations of discrimination
  • embarrassment and loss of reputation
  • job, credit, and insurance discrimination
  • ID theft
  • medical ID theft (where others use their health insurance to pay for treatment or for insurance fraud)

The Changing Landscape – The Impact to Patients’ Privacy

Both President Bush and President Obama agree that every American should have an electronic health record by 2014. Congress agrees too and has poured $27 billion into digitizing the healthcare system.  Using data instead of paper records, technology tools can analyze mountains of health information to understand what treatments work best for each of us, improve quality, facilitate research, and lower costs. Strong support for electronic health records systems and health data exchanges is bipartisan.

But the systems being funded have major, potentially fatal design flaws which are NOT being addressed by either party:

-Patients have no control over who sees or sells sensitive personal health information.

-Comprehensive, effective data security measures are not in use; 80% of health data is not even encrypted.

-Health data is held in hundreds or thousands of places we have never heard of because of hidden data flows.

-Hundreds of thousands of employees of corporations, third parties inside and outside the healthcare system, researchers, and government agencies can easily obtain and use our personal health information, from prescription records to DNA to diagnoses.

-There is no “chain of custody” for our electronic health data.

The consequences of the lack of meaningful and comprehensive privacy and security protections for sensitive health data are alarming. Over 20 million patients have been victims of health data breaches – these numbers will only increase. Millions of patients each year are victims of medical ID theft, which is much harder to discover and much more costly than ID theft. Such easy access to health data by thousands of third parties is causing an explosion of healthcare fraud (see FBI press release on $100M Armenian-American Fraud ring: http://www.fbi.gov/newyork/press-releases/2010/nyfo101310.htm). Equally alarming, this lack of privacy can cause bad health outcomes, millions of people every year avoid treatment because they know their health data is not private:

-HHS estimated that 586,000 Americans did not seek earlier cancer treatment due to privacy concerns. 65 Fed. Reg. at 82,779

-HHS estimated that 2,000,000 Americans did not seek treatment for mental illness due to privacy concerns. 65 Fed. Reg. at 82,777

-Millions of young Americans suffering from sexually transmitted diseases do not seek treatment due to privacy concerns. 65 Fed. Reg. at 82,778

-The Rand Corporation found that 150,000 soldiers suffering from PTSD do not seek treatment because of privacy concerns. “Invisible Wounds of War”, The RAND Corp., p.436 (2008). Lack of privacy contributes to the highest rate of suicide among active duty soldiers in 30 years.

Public distrust in electronic health systems and the government will only deepen unless these major design flaws are addressed.

The President’s Consumer Privacy Bill of Rights shows he knows that trust in the Internet and electronic systems must be assured. The same principles that will ensure online trust must also be built into the healthcare system — starting with Principle #1:

“Consumers have a right to exercise control over what personal data companies collect from them and how they use it.”

How a Lone Grad Student Scooped the Government and What It Means for Your Online Privacy

See the full article at ProPublica.org: How a Lone Grad Student Scooped the Government and What It Means for Your Online Privacy

Sobering.  Silicon Valley decides what privacy rights we have online, in clouds, in electronic health systems, in apps, on social media, and on mobile devices. Our fundamental Constitutional rights to privacy—to control personal information about our lives, minds, and bodies—is defended by lone grad students, European Data Commissioners, a few small privacy advocacy organizations, the FTC, and a handful of whistleblowers.

A PREDICTION: Selling intimate cyber-profiles will end when the public discovers that NOTHING about their minds and bodies is private.

The lack of control over sensitive health data will be the nation’s wake-up call to rein in Silicon Valley and restore the right to be ‘let alone’. See: Olmstead v. United States, 277 U.S. 438, 478, 48 S.Ct. 564, 572 (1928) (Brandeis J., dissenting).

  • Cyber-profiles of our minds and bodies contain far more sensitive information than mothers, lovers, friends, Rorschach tests, or psychoanalysts could ever reveal.
  • “If you are not paying for it, you’re not the customer; you’re the product being sold”, see Andrew Lewis at: http://www.metafilter.com/user/15556.
  • 35-40% of us are “Health Privacy Intense”—-a very large minority; see Westin’s keynote slides from the 1st International Summit on the Future of Health Privacy:http://tiny.cc/9alvgw

THE TIPPING POINT will be when the public discovers that electronic health systems facilitate cyber-theft, data mining, data sales, ‘research’ without consent, and allow thousands of strangers to snoop in millions of patient records (think George Clooney and more: http://www.foxnews.com/story/0,2933,348988,00.html).

Health data is the most sensitive personal information on Earth. Everything from prescription records to DNA to diagnoses are HOT BUTTONS.

Instead of enabling patients to decide which physicians or researchers they want to see their health records, corporate and government data holders decide who can use and sell Americans’ sensitive health data—-upending centuries of law and ethics based on the Hippocratic Oath, which requires physicians to ask consent before disclosing any information.

ACC privacy breach victim ‘felt suicidal’

See the full article at Radio New Zealand: ACC privacy breach victim ‘felt suicidal’

This story is about a the effects of a data breach on New Zealand woman with very sensitive information in her electronic health records.

Like “Julie” who told the story of how her mental health records were exposed throughout Partners Healthcare system, the New Zealand woman is also a victim of sexual abuse. The New Zealand corporation holding her data sent it to someone else along with information on thousands of other people.

Similar to the experiences reported by US victims of health data breaches, the response to her data breach was underwhelming and irrelevant to the resulting damages: ie, emotional damage, loss of trust in the data holder, and no compensation for future ID theft or medical ID theft. No assurances or remediation were offered against future use or sale of her information, even though it often takes years to discover ID theft and medical ID theft. She was offered $250 as compensation, and the data holding corporation stated the amount was  “based on the extent of the breach and the level of harm or potential harm associated with it, as well as the client’s individual circumstances.” Clearly an inadequate, insensitive response.

Apparently inadequate, ineffective, insensitive responses to data breaches occur across the globe.

In the US, there is no “chain of custody” for any sensitive personal information and no way to control who gets it.  There is no way to track or prevent the flow of health information to hidden data users and thieves. BUT, you can help by adding to the map of hidden flows at theDataMap.org. US patients can’t weigh the risks vs. benefits of using electronic health systems without knowing who has copies of personal health records, from prescription records to DNA to diagnoses. WE don’t know if it is sold as intimate health profiles, used for ‘research’ or ‘data analytics’, for fraud, for extortion, or for ID or medical ID theft, etc, etc.

In the US, few Congressional leaders fight to restore patient control over health data and to ensure data security. Most in Congress votes for the hidden data mining industry against the public interest and against patients’ rights to health information privacy. Two leaders, the co-chairs of the House Privacy Caucus, Representatives Barton and Markey, received “Louis D. Brandeis Privacy Awards” at the 2nd International Summit on the Future of Health Privacy in Washington, DC on June 6th. See: www.healthprivacysummit.org or http://tiny.cc/nrhkgw for the agenda. The video of the Celebration of Privacy will soon be posted there.

Electronic health information is THE most valuable personal information on Earth—and US corporations and government see and use it without our knowledge or consent to make decisions about us. Tell Congress to put you in control over who can see your sensitive electronic health information—-to protect your job, reputation, and your children’s futures.

2-part story on “Julie” who spoke at the 2nd International Summit on the Future of Health Privacy

See the stories written by Joe Conn at ModernHealthcare.com: ‘Julie’ learns that privacy is more illusion than reality & How ‘Julie’ got a big surprise about medical records privacy

These stories matter for many reasons, not the least of which is that Partners is switching to Epic EHRs and Epic’s CEO has openly opposed data segmentation for years. She claims it’s impossible, too expensive, can’t be done, etc. Partners is about to spend hundreds of millions of dollars on a failed electronic health records system.

The claim that data segmentation cannot be done is incorrect. One example is the open source consent technologies used for over 12 years by many state mental health departments to exchange sensitive mental health and substance abuse data on over 4 million people in over 8 states (the states belong to the NDIIC). Further, the state of MA has very strong laws that require consent for the disclosure of mental health information (actually all 50 states do too).

Why would Partners’ choose a product that fails to protect patient privacy in a such a major way? This will prevent trust in doctors, hospitals, and worst—in ALL electronic systems. Millions of patients/year refuse to seek treatment when they know they cannot control where their data flows. Any HIE or EHR that cannot selectively share data with the patient’s meaningful consent, withhold data without consent, AND withhold erroneous data is a failed system or technology. The refusal of certain health IT companies to build technologies that comply with the law and what patients expect shows very poor judgment.