Thursday, October 29, 2009

Employers after DNA: GINA does not protect like you think.

See this CBS News article: Want A Job In Akron? Hand Over Your DNA

The idea that GINA protects genetic tests from being held or used by employers and insurers is wrong. Genetic tests ordered by your doctor at any other time--when you are NOT seeking a job or insurance--can be collected and used by your employer and insurer to make decisions about you.

Lobbyists for the insurance industry and employers got this massive loophole into the bill, eliminating the intended consumer protections. Instead GINA should have forbidden employers and insurers to ever collect or access genetic tests.

This is one of the key reasons we need Congress to restore OUR rights to control our personal health information, so WE can make sure employers and insurers do not get our genetic records. Genetic information is so sensitive it should ONLY be seen by health professionals directly involved in our treatment, or if we choose to participate in research and share it.

Monday, October 19, 2009

The Word Is Out: Do You Know Who Owns Your Health Records?

This WIRED article, Medical Records: Stored in the Cloud, Sold on the Open Market, is based on yesterday’s NYTimes story that closed by quoting Patient Privacy Rights.

It points out the 2 KEY ways that electronic health systems violate patient privacy:
• Health technology vendors sell patient records without consent
• It is impossible to de-identify health information, so promises that the data can’t be re-identified must to be verified by outside audits

The chart at the top of the story is from our website—it shows the millions: businesses and government agencies---that today can do whatever they want with our health records, including selling them for profit.

The ‘fix’ is that Congress must restore patients’ rights to control personal health information------this right has been the foundation of the healthcare system for 2,400 years.

No one else should own our health records and no one should have access to them without our consent.

Saturday, October 17, 2009

Re-Identification. From Netflix to Health Records.

Today’s NY Times story points out the FACT that is very easy to re-identify supposedly “de-identified” information. Singer starts with how the Netflix “de-identified” data base was proven to be re-identifiable and moves on to describe Latanya Sweeney’s famous re-identification of the medical records of Gov Weld.

See the NY Times Article: When 2+2 Equals a Privacy Question

Friday, October 9, 2009

Open Source Research

See the Government Health IT article: NCI to open research grid to cancer patient 'army'

Women desperate to cure breast cancer are contributing their sensitive personal health information to "an army" of researchers.

But there is no reason that these altruistic women have to risk their futures and their daughters' futures to find a cure.

It's possible to do research without risking their futures and their daughters' and granddaughters' futures by using privacy-protective technologies and robust informed electronic consent. But this project does NOT protect the privacy of these generous and well-intentioned women.

The women's data can be downloaded by "thousands of users"--all of whom make copies of their extremely sensitive, IDENTIFIABLE records. The records are identifiable so that the women can be contacted by researchers.

Some of the major things wrong with this picture:
1) The NCI system allows “researchers (to) form and maintain large breast cancer disease databases.” Is there any way to tell if the security is ironclad, state-of-the-art? No.
2) How many copies will researchers make? How many times will the data be replicated and backed-up across the world? No way to know.
3) What countries will copies of the records be kept in? No way to know.
4) How many and which researchers will download and keep their data? No way to know.
5) The researchers must sign agreements to protect and not sell the data, but there are no 'data police' to enforce those agreements. If there are no 'data police' watching this data, how do the women know it's safe? No way to know.
6) What if a woman does not approve of a particular study or researcher who has their data? Can a woman prevent any researcher from using her information? No.
7) How will the data be handled after the research study is complete? How will the women know if it is destroyed? No way to know.
8) How safe is research access via a web browser? No way to know

The severe flaws in this plan are obvious. Fearful women desperate for cures are being exploited by the government and the research industry that designed these systems to serve their needs, NOT the women's rights to privacy. Putting such sensitive data out into cyberspace KNOWING it can never be retrieved or destroyed is grossly irresponsible. Like Paris Hilton's sex video, this data will live forever in cyberspace, risking future jobs and opportunities of every child of every woman desperate for a cure.

The NCI could do this a better way---we can have research and privacy at the same time. But the privacy protective technologies that can enable both are not being used. Why not?????

See our testimony Sept 18th at the national HIT Policy Committee and the many letters from the Coalition for Patient Privacy to federal agencies and Congress describing how to do research while protecting privacy.

And NO--the Genetic Information Nondiscrimination Act (GINA) DOES NOT protect our genetic data. It allows insurers and employers to have our genetic data and it has no enforcement. Zero. And HIPAA has no protections for genetic data either--it allows others to control and use our data without consent.

The cost of contributing to research should not be that your female descendents are unemployable. Unless data is protected, we will have generations of people who cannot work because employers will not risk hiring anyone at risk of getting a disease.