Re: “You for Sale, A Data Giant is mapping, and Sharing, the Consumer Genome”

Below comment in response to the New York Times article “You for Sale, A Data Giant is Mapping, and Sharing, the Consumer Genome.”

Acxiom is the poster-child for why tough new laws are needed to protect personal information on the Internet, in electronic systems, and on cell phones ASAP. No data should be collected about Americans without prior meaningful, informed consent.

Natasha Singer’s story is a must read to understand how the use of personal data threaten people’s jobs, reputations, and future opportunities. The information is analyzed and sold to those who want detailed real-time profiles of who we are, including the health of our minds and bodies. Data analytics enable Acxiom to create and sell far more intimate, detailed personality and behavioral portraits than our own mothers or analysts might know about us (and would never share).

Most people have never heard of Acxiom or other hidden data users. Today, most Americans have no idea that personal data is used by thousands of corporations and government agencies to make decisions about whether they will receive jobs or benefits.

Even though the hidden data mining industry began by using personal information to improve marketing and advertising, Acxiom proves that the kind and amounts amount of identifiable data being collected are simply unacceptable. As for the collection of health information, the data mining industry is clearly violating Americans’ very strong legal, Constitutional, and ethical rights to control and keep personal health data private. To the public, this is theft of personal health information.

On June 6th at the 2nd International Summit on the Future of Health Privacy, Professor Latanya Sweeney of the Harvard Data Privacy Lab along with Patient Privacy Rights introduced theDataMap.org. This project will enable citizens and whistleblowers to help create a detailed picture/map of where sensitive personal health information flows, from prescription records, to DNA, to diagnoses. Without a ‘chain of custody’ for our identifiable health data, it’s impossible to know who uses our data or why. A ‘chain of custody’ for personal health data could show us whether potential employers or banks had bought or received our health data, learn about the many ways the federal government uses health data as described in the Federal Health Information Technology Strategic Plans, and see the names of for-profit and public research and public health institutions that use personal health data.

Health data has long been used to discriminate against people for jobs, insurance, and credit. This fact is so well known that every year tens of millions of us refuse to get early diagnoses and treatment for cancer, depression, and sexually transmitted diseases. Hidden data flow causes bad health outcomes; treatment delays can be deadly. We need the same kind of control/consent over the use of electronic health data that we have always had for paper medical records.

US Internet and electronic systems have made us the most intimately surveilled people in the Free World. In Europe, strong laws and privacy-enhancing technologies prevent hidden data collection and data flow, so everyone benefits from technology and harms are avoided.

European standards for the collection of personal data were created after WW II, when data were used to decide who would die. Europeans consequently passed the world’s toughest data privacy laws, preventing personal data from being collected or used without consent.

Europe also established regional Data Privacy Commissioners to defend citizens’ rights to control the collection and use of personal information and ensure data accuracy. The US needs them too.

Unless we know where trillions of bytes of our personal data flow, who uses it and why, we cannot weigh the benefits and risks of using the Internet, electronic systems, or cell phones. It’s time for Congress to end the massive hidden flows of personal data.

Targeted attacks cost companies an average of $200k

See the full article at SC Magazine: Targeted attacks cost companies an average of $200k

It always costs more to repair than to prevent. The curious thing is that federal law mandated basic security protections in HIPAA, but industry never bothered because the law was never enforced.

Here we are 12 years after the HIPAA Privacy Rule was implemented:

· the Coalition for Patient Privacy got MUCH tougher security rules and enforcement into HITECH

· breaches are rampant

· 80% of hospitals still don’t encrypt data

What’s wrong with this picture? Register for the 2nd International Summit on the Future of Health Privacy June 6-7 in Washington, DC–attending or watching via live streamingvideo is free: http://tiny.cc/p4fqew Security technologies are critical for privacy—see top US computer scientists discuss “ideal” technologies for health data privacy and security.

Re: Data-Mining in Doctor’s Office Helps Solve Medical Mysteries

The story concludes that “the benefits (of research) outweigh the (privacy) concerns”. But that statement was made by a hospital administrator, not by the patients whose data were used without consent. They weren’t asked or notified.

There are several problems with the idea that the benefits of doing research without consent outweigh the risks:

·       the lack of privacy and control over health information causes bad outcomes: when people realize that they cannot control health records, millions refuse diagnosis and treatment for cancer, depression, and sexually-transmitted diseases

·       there is no need to choose between respecting patients’ rights to privacy and doing research—it’s a false choice, consent technologies can enable people to easily choose and give automatic consents for research projects they support, or be contacted case-by-case for permission

·       there was no public debate about whether every American’s electronic health information should be used for research without consent

·       current electronic systems do not allow patients to control any uses of their health data—-why continue to use such badly-designed systems?

·       there are no “dangers of over notification” with today’s systems—in fact, patients get no notice at all when personal data is used for research

Americans have not agreed to a healthcare system that turns them into electronic guinea pigs.

Why not build patient-centered systems so we can make important decisions about ourselves, instead of hospital administrators and researchers choosing for us?  “Nothing about me without me.”

Report: HIEs failing at true interoperability

See a summary of the report by Mike Miliard at GovHeathITHIEs failing at true interoperability

· Healthcare organizations “must unlock the patient data in EHR silos of hospitals and affiliates to better coordinate and improve quality of care delivered. Health Information Exchange technology is the enabler.”

· Until EHR vendors incorporate a shared set of standards, HIEs will remain in a state of stunted development, said Moore: “Across the board, legacy systems fail to support true interoperability, and vendors are doing little to remedy this situation.”

· The report will also look to the future as to how this [Health Information Exchange or HIE] market will grow and evolve over the next several years as meaningful use requirements take hold, healthcare reform brings forth changes in reimbursement models, access to health data moves to mobile platforms and the consumer takes on a larger role.”
The quotes above show that the health technology industry and the government are beginning to face key facts:

· Data silos endanger patient health and safety: obviously we need our doctors to see relevant parts of our medical records held by other doctors/hospitals.

Electronic Health Records companies, hospitals, and the many other corporations that hold our electronic health information want to continue to “own”, control, and sell our personal health data. They built this system of “silos” that PREVENT data exchange (also called “interoperability”).  Corporations fiduciary duties to make profits for shareholders trump exchanging health information to save patients’ lives and reduce costs!

· Consumers = patients. If we say so, our health records must be shared with our physicians or other health professionals. This is matter of law.

No matter which corporations or health professionals hold our electronic health data, we are entitled to electronic copies. If you say your health data should be sent to another physician or health professional, the data holder must send it. ONLY individual patients or “consumers” have clear rights to control personal health information and have it sent to the other physicians and health professionals who are treating them.

· HIEs, data exchanges where patients have no meaningful control over who can copy and use their health information, are not the answer.

How “Direct” exchange works (via the “Direct Project”): a participant (like our physicians) can send secure, encrypted health information directly to a known, trusted recipient over the Internet. Unlike the case with HIEs, personal health information can’t be “pulled” from the 10, 20, or 100 places that hold our health records. Using the “Direct” method, someone has to decide to send one patient’s data to another person.

We [“consumers”] are the ONLY ones who can quickly, easily, and legally get and “exchange” our own health records at will. Hippocrates Oath, the foundation of the physician-patient relationship, states that sensitive health information should ONLY be shared with the patient’s consent.  Data exchanges like the Direct Project

The only way electronic health systems can work and earn the public’s trust is if data flows are controlled by patients, with very rare legal exceptions.

The Depressing State of HIEs

See the full article at Hospital EMR and EHR: The Depressing State of HIEs

Yes, the state of Health Information Exchanges (HIEs) in the US is depressing, because many don’t work well for patients or doctors. They enable hundreds or thousands of strangers who work for hospitals, insurers, health IT companies, etc to exchange, use, or sell our sensitive medical records without our consent.

The safe way to exchange health information is to use secure email and patient consent, this is called the “Direct Project”. See: http://directproject.org/ . It enables us to share our health information between two health professionals and email physicians. The Direct Project enables “participants to send authenticated, encrypted health information directly to known, trusted recipients over the Internet.”

Patient Privacy Rights (PPR) endorses the “Direct Project” as the ONLY legal, ethical, and secure way for sensitive patient information to be exchanged.  The public will not trust HIEs or national data exchange models unless patients control the disclosures of their sensitive health records.

A quote from the story below shows financial interests of Accountable Care Organizations (ACOs) can trump patients’ interests: “Some ACO providers are now blocking access to their data so competitors can’t get to it”—-that means doctors who are not part of the ACO but who treat ACO patients can’t see their test results and treatment records–even when these patients want them to have that information.

Some ACOs and other businesses view HIEs as vehicles to get more patient data, rather than as a means to serve patients’ needs for care coordination, to avoid duplicate tests, to ensure better treatment, or enable them to give consent for research use of their data.

Many corporations and businesses that HOLD patient data imagine they own it, so they use and sell it without patient consent. US law and medical ethics still require meaningful, informed patient consent before physicians or data holders can disclose anyone’s health information. “HIPAA compliance” actually does NOT get data holders off the hook for asking patients for consent before disclosing data. According to the HIPAA Privacy Rule, it’s “the floor” for data privacy protection, not the ceiling. 67 Fed. Reg. at 53,212 (August 14, 2002).  HIEs designed to further business interests over patients’ interests will continue to fail, because the public will not support them.

It turns out that the only person who can easily, cheaply, and legally make patient data flow for all the right reasons (treatment, research), to all the right all the people (a specific doctor or researcher) at the right time is YOU.

Only you can tell an ACO to send your data to an outside clinician —- and the ACO must send it, whether it gives competitors an advantage or not. Only you can make your data “fluid”, because patients are the only people with clear, longstanding Constitutional, legal, and ethical rights to disclose personal health information.

In PPR’s recent comments about building a Nationwide Health Information Network (NwHIN), we urged the Office of the National Coordinator for Health IT (ONC) to address the fatal privacy and security flaws in current systems and state and federal data exchanges. We urged ONC to certify that HIEs and data exchanges protect privacy by verifying that only patients decide when/where personal data flows.  “Multi-stakeholder” public-private governance at the state and federal level has failed to gain public trust.  Public-private governance assures that industry, research, and government interests trump the public’s rights to health information privacy. See: http://tiny.cc/e1v0gw for more information.

Texas Error Exposed Over 13 Million Voters’ Social Security Numbers

See the full article in DataBreaches.net: Texas Error Exposed over 13 Million Voters’ SSNs

This story shows it’s easy to disclose the social security numbers of 13 million people at once. The data came from Texas’ voter registration data base, which was attached to a court report, BUT security breaches of the personal health information of millions of patients is also very common (see recent Utah and BCBS of TN breaches). Today’s electronic systems enable many new ways to breach data security and expose personal information.

The story below is about a government employee who attached over 13 million SSNs to a report and sent it to a 3rd party without anyone else reviewing his/her actions before the data was disclosed.  Where should the bar be set for disclosing personally identifiable information in any report?  At 1 million records? At 100 million records?

Most of the US health care system lacks effective protocols and procedures to protect data security and to prevent inappropriate data release and data breaches. Health data privacy and security require comprehensive and meaningful protections. We have a long way to go. Vastly expanding health IT systems before these problems are solved is a prescription for more data

Debt Collector Is Faulted for Tough Tactics in Hospitals

See full story in the New York Times: Debt Collector Is Faulted for Tough Tactics in Hospitals

“Hospital patients waiting in an emergency room or convalescing after surgery are being confronted by an unexpected visitor: a debt collector at bedside.

This and other aggressive tactics by one of the nation’s largest collectors of medical debts, Accretive Health, were revealed on Tuesday by the Minnesota attorney general, raising concerns that such practices have become common at hospitals across the country…

To patients, the debt collectors may look indistinguishable from hospital employees, may demand they pay outstanding bills and may discourage them from seeking emergency care at all, even using scripts like those in collection boiler rooms, according to the documents and employees interviewed by The New York Times.

In some cases, the company’s workers had access to health information while persuading patients to pay overdue bills, possibly in violation of federal privacy laws, the documents indicate.”

Health records lost, stolen or revealed online

From the Chicago Tribune Article: Health records lost, stolen or revealed online

“Almost a decade after a new law went into effect to strengthen health privacy protections, the number of breaches of patient records and databases across the U.S. suggests that personal health information is not as private or secure as many consumers might want or expect.

Since fall 2009, more than 400 large health care breaches affecting at least 500 people and more than 50,000 smaller breaches have been reported to the federal government.

One of the largest unauthorized disclosures in recent history of medical records and other private information happened in September, when computer tapes were stolen that contained data on almost 5 million people enrolled in TRICARE, the nation’s health program for military members, their families and retirees.

Some breaches have resulted in personal information being revealed online. The names and diagnosis codes of almost 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., were posted on a commercial website for nearly a year before it was discovered in September and taken down…

Dr. Deborah Peel, founder and chair of Patient Privacy Rights, a consumer group, would like to see more help for those whose information is breached and tougher punishment for those responsible. The BlueCross BlueShield of Tennessee settlement amounted to “roughly a dollar per breach record, which is nothing,” she said.

Ex-Vernal officer accused of using state database to commit burglary for prescription drugs

See full story in the Salt Lake City Deseret News.

“VERNAL — Two Vernal residents say they intend to sue the state of Utah and the city of Vernal, claiming that a police detective improperly accessed a prescription drug database and used the information he obtained to steal painkillers from them…

That system is the Utah Controlled Substance Database, according to Walker, which was first created in 1995 and then expanded two years ago. It collects and tracks all information on prescription drugs dispensed by pharmacies in Utah. Its use is restricted to doctors, pharmacists and law enforcement officers for the purpose of identifying patients or doctors who might be overusing, over-prescribing or abusing prescription drugs.

Police can access the database by providing an active case number, and they are supposed to have probable cause before accessing an individual’s prescription information.

Former Vernal police detective Ben M. Murray ignored those requirements when he looked up Smithey and Holmes’ information and went to their home several times in 2011, Walker said.

“The officer used that system freely and was able to track these individuals and figure out when they got their prescriptions, how many pills they had,” the attorney said. “He comes in gun, badge, uniform (and) tells them he’s there for a ‘pill count’ and … while they’re talking and distracted, he’s grabbing pills and putting them in his pocket.””

Patient ID information stolen at Memorial hospitals

See full story in the SunSentinel: Patient ID information stolen at Memorial hospitals

“Patients of Memorial hospitals in south Broward County had their identities stolen by employees who wanted to use the information to make money filing phony tax returns, Memorial officials said Thursday.

Two employees have been fired and are under criminal investigation by federal agents for improperly gaining access to the patients’ information, said Kerting Baldwin, a spokeswoman for tax-assisted Memorial Healthcare System, parent of five Memorial hospitals.

Memorial sent letters Thursday to about 9,500 patients whose identities may have been exposed by the two employees. Baldwin could not say how many of the 9,500 identities were stolen or whether any of them were misused to file false tax returns.”