Wednesday, December 24, 2008

DoD does WHAT?

It is fascinating that the DoD clearly believes it owns and can use the personal health information of 12 million active duty military personnel for whatever purpose it decides. In this case, the DoD is paying a for-profit corporation to do research on active duty military personnel without their consent.

Maybe when you join the military you lose all privacy and Constitutional rights. I don’t know, I'm not a lawyer. If so, that is a steep price to pay to serve your country: losing all health privacy for yourself and your relatives forever. Do those who join the armed forces know they are signing up to become medical guinea pigs? Do they really understand the consequences for their futures and their families futures?

Many questions abound:

• Are the electronic records adequately secured? What a rich target: 12 million health records! What if enemies hack the privately held data base to learn about key military leaders?

• Will Phase Forward continue to use and sell the records for other purposes as HIPAA authorizes? Other data management corporations (such as Thomson Medstat) the government pays to perform fraud and waste audits obtain millions of health records that they later aggregate and sell to employers without anyone's consent.

• Furthermore--this is clearly medical research without informed consent. That is simply unethical and illegal. The US signed the Declaration of Helsinki after WW II because Nazis did human research without consent. Back then America recognized the need for informed consent before research takes place. Today, the codes of research and medical ethics still require patients to give informed consent before personal records can be used or disclosed. Why is this project not being done with informed consent when new 'smart' electronic consent tools could make it easy, cheap, and fast to obtain informed consent and explain all the risks and consequences?

Review this article from the Washington Post's Government Inc. Blog for more information:
Data Mining for DoD Health

Tuesday, December 9, 2008

Genomes: Behold or Beware

Patients whose physicians "collaborate" with genetic testing corporations should beware. Today, Navigenics and all genetic testing businesses can legally sell genomic data. There is no way to know which ones sell or use data without informed consent and which don't. Americans' personal health information is extremely valuable to corporate America. Genomic data requires extreme privacy protection because it can be used to harm not only an individual but all his/her relatives.

According to Navigenics, the personal data shared is "aggregated" and "de-linked" from "your account information", but Navigenics offers no proof that it cannot be re-identified.

As we learned from the NIH experience, it is very difficult to "de-identify" or "anonymize" genetic data. The NIH closed a public research data base of "de-identified" genetic data after researchers proved the data could be re-identified See: . Corporations that share "de-identified" or "anonymized" health data should be required to publish the algorithms that were used and prove the data cannot be re-identified.

Questions abound:
• How can anyone be sure that Navigenics protects the privacy of genomic tests without trusted external audits of their privacy practices and policies?

• Does Navigenics pay MDVIP's doctors a "kickback" for "collaborating" each time a patient gets genomic tests? Does MDVIP inform patients that it has a contract with Navigenics and what each doctor is paid?

• Who is being paid for "collaboration"? What exactly are the financial and contractual terms of "collaboration" between MDVIP and Navigenics?

• Do MDVIP's patients really understand the risks of using Navigenics to do the testing or the risks of letting Navigenics share their genomic data with unknown researchers and research organizations----that can put their data into public data respositories and publish it in studies? Or the security risks that a particular public respository can be hacked?

• Are MDVIP's patients coreced into taking Navigenics tests by their doctors? Most patients want to do what their doctors recommend. What is the consent process?

• Did MDVIP contractually sell or give their patients' genomic data or to Navigenics to own or sell? Should the public trust Navigenics, a for-profit corporation, when personal genomic data is a very valuable commodity?

• Should any for-profit collaboration "define the standards in which preventive genomic medicine will be integrated into patient care for decades to come"? No consumer health privacy expertise, assessment, or input was sought.

• There is not yet an operational, trusted, consumer-led privacy certification organization to audit genomic testing corporations to certify they don't sell genomic data and that consumers control sensitive personal genomic data in their data bases. In the absence of a trusted privacy certification organization, the privacy principles developed in 2007 by the bipartisan Coalition for Patient Privacy or the Code of Fair Information Practices could be used as guides for building a genomic testing and preventive healthcare system that consumers will trust and be willing to use.

• Would MDVIP's patients still feel "the experience (was) positive", "empowered rather than anxious", and "desire to change their lifestyles and more productively work with their physicians" if they knew their doctors were paid by Navigenics and their data was sold and/or put in public data repositories with unknown security and privacy protections?

This blog is in response to the article: Physician network to use genomic-based preventive healthcare

Wednesday, October 22, 2008

Response to: Will Technology Cure Health Care — Or Kill It?

Giving your genome to a for-profit corporation for testing today is a very dangerous act for the following reasons:

1) Americans NO longer have the right to health privacy! Today, your rights to health privacy in electronic health systems are nil. You have no control over personal electronic health information. Federal bureaucrats eliminated our rights to control the use and disclosures of personal health information in electronic systems in 2002. The media has not reported on this drastic elimination of every Americans’ privacy rights. See HIPAA's Intent v. Reality.

2) Once you reveal your genome, you will never be able to delete it from the private corporation’s data bases or make it private again. Why on earth would you pay someone to take and use the most personal health data that exists about you and your family for whatever purposes they choose? Think about Paris Hilton’s sex video, once it was out in cyberspace, it can never be private again. It will live for millenia on the Internet.

3) Why pay a private corporation like 23andMe or any other for-profit genetic testing lab to take your extremely valuable and sensitive personal health data and give it to them as a CORPORATE asset—to sell, to disclose to researchers for studies you might not want to be part of, to sell as an asset to employers or insurers or financial institutions, or even to sell to the US Government as part of the data profiles they are building on every American in Fusion Centers.

4) The legal duties of coporations are to stockholders, not to patients or people who buy genetic tests. Genetic testing labs like 23andMe can be bought by Google or the Bank of America or to a business that sells employers genetic snapshots of future employees’ potential illnesses. Even if you trust a genetic lab—-you have no control over whether that corporation is sold to another corporation that you would never want to own your DNA.

5) Today’s health IT systems are notoriously insecure and hackable. An industry study of 850 electronic health records systems found ALL of them could easily be hacked. See Article.

What assurances do you have that the lab’s database is secure enough to prevent your genome or genetic tests from being stolen?

6) It is crtical to understand that giving ownerhsip of a personal asset like your DNA or genome to a corporation is a very bad idea. Not only do you put your future opportunities at risk, you endanger your entire family’s futures at the same time.

As a practicing physician who has spent over 30 years listening to patients whose sensitve medical records were used against them by employers or used to humiliate them or harm them in public, I am very well aware of how personal health information is used to harm people and ruin lives. I founded Patient Privacy Rights because health information should never be used except to help you get well or for research WITH your informed consent. No one should be denied a job or a promotion because of fears about their future health.

Because of the lack of privacy, 600,000 people refuse to seek treatment or early diagnosis for cancer and 2,000,000 refuse treatment for mental illness. 150,000 Iraqi vets refuse treatment for PTSD because they fear their treatment will not be private. The result is the highest rate of suicide among active duty military in 30 years. The lack of health privacy kills.

Current law is just not enough to protect health privacy. GINA is not enough. We need Congress to restore our longstanding Constitutional, legal, and ethical rights to control personal health information. Without that right firmly re-established in Federal law, giving ANYONE your sensitive genomic or health information is a very bad idea.

Check out our website. You can sign up for e-alerts about health privacy in the Digital Age. If we are able to restore control over our personal digital health information, then we have a powerful model for building personal control over ALL our personal electronic data (financial, email, phone records, purchases, etc). If you do not fight for your privacy rights, who will?

If EVERYTHING about you is for sale and can be seen by everyone, will you continue to have your precious liberties and freedoms?

See Original Article

Wednesday, August 6, 2008

Missing Laptop Keeps Firm From Registering New Fliers -- by Joseph Galante

Verified Identity Pass (Clear), a firm that specializes in keeping fliers sensitive personal information secure, doesn't encrypt data and had a laptop stolen. Do you think your sensitive health information is any safer in the healthcare system? ….Remember the stolen NIH laptop that had unencrypted data? What about your local hospital? Will your local hospital do a better job than UCLA Medical Center in keeping snoops out of your records?

Here's what Verified Identity Pass says about security and privacy. They had an audit by Ernst and Young, but apparently it didn’t mean much:

Clear's Commitment to Privacy

"Since our founding in 2003, we have been committed to the privacy and security rights of our members. We have created an exhaustive privacy and data security program and we will always clearly communicate any changes to that program with members.

We are committed to the transparency of our privacy practices and that's why we have instituted open, independent checks on our privacy promises, including an independent and public security and privacy audit, the appointment of an independent privacy ombudsman, and an unprecedented Clear Identity Theft Warranty.

In June, 2007, Ernst & Young LLP concluded a comprehensive, independent audit of our privacy policies and practices. This was the first ever independent privacy audit conducted for a national registered traveler program."

View Full Article

Equipment losses still plague VA: GAO report -- by Joseph Conn

This is powerful story because the expert quoted points out that most organizations do not bother to account for lost or stolen equipment that costs less than $2,000. That means laptops and PDAs. Worse---these organizations have NO IDEA whose data was even on the mobile devices, so they cannot notify anyone! Makes you feel REALLY safe.

This should be highly relevant to Congress--as it drafts requirements for encrypting data and breach notification.

View Full Article

Wednesday, July 30, 2008

Job 1 for the AHIC successor? -- by Nancy Ferris

Notice how the for-profit research industry wants access "baked" into all EHRs up front for research uses, to avoid getting individuals' consents.

They call this a "value case" for the nation's electronic health system. What great Lakoffian re-framing and propaganda. How do you argue against "value"?

It’s a "value" alright, just not a "value" for patients, because it sets up a system that is both unethical (no consent) and illegal (violates Amercians' longstanding rights to privacy).

The story says the research industry wants open access to "de-identified" data, but that is NOT what they tell Congress or the regulators. They say they must have access to longitudinal data, which CANNOT be de-identified, because most research cannot be conducted using de-identified data.

The new AHIC 2 will be industry-driven and industry-paid for, with so-called "standards" being devised to meet the needs of corporations, not to adhere to the laws and ethics that governed the healthcare until the '90's and the advent of electronic systems for health data.

Today there are 'smart' technology solutions to make consent easy, cheap, understandable, and instantaneous (see the consents on HealthVault by application partners for a preview of how simple and clear and specific consents can be). Electronic consents can be interactive and actually explain things, rather than be densely written in legalese so no one understands them.

Why continue to use the kind of privacy-violating blanket coerced consents that were necessary in the paper health system? 'Smart' technologies can do a far better job. Using robust consent management tools, we can obtain valid and easy-to-understand specific, time-limited, and cheap consents from millions instantaneously.

View Full Article

Wednesday, April 2, 2008

Military health forum envisions clinical analytics -- by Peter Buxbaum

David Winn is right, when you sign up for the military, you have to do whatever they say.

The problem is that the Administration and the federal government has the same thing in mind for every American--no control over access to PHI.

The payers think they own our PHI and should be able to do whatever they want with it--even though it's both illegal and unethical. That is why industry is pressing Congress to pass an HIT bill without consumer control over access to PHI. BUT---people will lie or not participate in electronic health systems if their data is used without consent---which means we will never get the kind of research we want because the data analyzed will be incomplete and flawed.

Americans just want to be asked for consent for research and be sure that HIT systems are safe and secure.

View Full Article

Saturday, March 29, 2008

Electronic Health Records wired for abuse

“Oops! They did it to Britney again.” No, it’s not a song parody, but a reflection of the poor state of American health privacy - something Bay Staters should think about as their Legislature considers a bill to mandate Electronic Health Records (EHRs).

Staff members at UCLA’s Medical Center are under investigation over allegations staffers accessed Britney Spears’ medical records earlier this year. Sadly, this is not the first time individuals other than the paparazzi violated Spears’ privacy; staffers also took inappropriate peeks when her first child was born.

...

Most Americans think the Health Insurance Portability and Accountability Act (HIPAA) protects their privacy and that the HIPAA notice they sign at the doctor’s office lists all of their rights to privacy. In fact, that HIPAA notice lists the vast number of ways their private health information can be used, without asking and over objections.

HIPAA was originally intended to protect privacy. Regulators earlier in this decade rewrote the rule to sanction disclosure of medical information for treatment, payment or health care operations.

“Particularly troubling about HIPAA’s Privacy Rule is the governmental authorization for covered entities to use patients’ confidential information without their consent for health care operations that are unrelated to “payment or treatment,” writes Dr. Richard Sobel, senior research associate in the Program in Psychiatry and the Law at Harvard Medical School. Sobel explains that “health-care operations” can include using information for marketing purposes, which normally would require written consent.

Data-mining firms were given a gift by the rewriting of the HIPAA Privacy Rule. Data-mining firms can obtain information about your prescriptions, treatment for mental health and genetic predisposition to illnesses. That information can be passed on to credit firms, marketing firms and even prospective employers.

...

Patients need progress and privacy in this digital era. The only way to ensure we get both, and avoid the negative “celebrity treatment” Spears received, is to ensure the health IT bill signed by the governor fully recognizes the right of patient consent.

View the Full Story

Monday, February 11, 2008

Privacy concerns mount amid the 'microchipping of America': Businesses seek patents on more applications for RFID

RFID chips are being used more and more in health care. Today the main use proposed is to track whether you receive "authentic" or "fake" medications. The US pharmaceutical industry wants to track whether or not we take and refill brand-name medications. But this is a huge intrusion into the relationship we have with our doctors. If you don't want to take a medication for whatever reason: side-effects, costs, fears, feeling it does not work, etc------the person to discuss this with is your doctor, not a drug company! There are many valid reasons to change or stop medications. The only people qualified to decide whether you should stay on a particular medication or not are you and your doctor.

View Article