PATIENT PRIVACY RIGHTS BLOG

PPR's Blog Relocated

2011-02-21T11:42:00.000-06:00

Hello All:

The Patient Privacy Rights/Deborah C. Peel, MD blog has been relocated to our new website:
http://patientprivacyrights.org

You can follow the links there or go directly to the blog here:
http://patientprivacyrights.org/category/blog/

We apologize for neglecting to post this sooner and hope you will continue to follow us and support health information privacy.

Thank you

The got it wrong... AGAIN!

2009-12-31T15:21:00.001-06:00

See article: 'Meaningful Use' criteria released

Can you believe it? Doctors and hospitals that purchase electronic health records (EHRs) 'wired' for 'back-door' data mining will be paid to steal and use our sensitive health records without our permission!

The government and the massive health data mining industry won. Industry and the government’s plan to continue illegal and unethical data mining trumped Americans’ rights to health privacy.

The rules guarantee that employers, insurers, banks, and government will be able to use our sensitive health information---from prescriptions to DNA--- to discriminate against us in jobs, credit, and insurance.

Instead, the new interim rules for EHRs should reward the purchase and use of 'smart' EHRs with consent technologies so patients control who can see and use their health records.

The stimulus billions will be wasted because doctors and hospitals will be rewarded for using obsolete, unethical EHR 'clunkers'. Like the UK, the US will be forced to spend billions to correct a disastrously flawed national electronic health system that prevents patients from controlling their health records.

To understand the "meaningful use" criteria that SHOULD be required in EHRs, see the comments submitted to the Administration by the bipartisan Coalition for Patient Privacy, representing millions of Americans: http://www.patientprivacyrights.org/site/DocServer/LCoalition_to_HIT_PC_Meaningful_Use.pdf?docID=5681

When will the Administration and corporations get it? Privacy protections have to be tough and comprehensive if we want a national HIT system that consumers will trust and use.

To act, join www.patientprivacyrights.org to get e-alerts. Stop corporations and the government from using your sensitive health information for uses you would never agree to.

Facebook setting the standards for Health Care?

2009-12-14T10:34:00.001-06:00

No laws forced Facebook to add more consumer control to who sees what --- the public did. See story: Facebook privacy revisions 'sign post' for healthcare

This is EXACTLY what will happen to the health care system when Americans find out they have NO CONTROL over over who sees, uses, and snoops in their electronic health information.

Patient Privacy Rights' job is to make sure they learn as fast as possible.

Sign up at www.patientprivacyrights.org for our e-alerts so you can help!

Employers after DNA: GINA does not protect like you think.

2009-10-29T10:49:00.001-06:00

See this CBS News article: Want A Job In Akron? Hand Over Your DNA

The idea that GINA protects genetic tests from being held or used by employers and insurers is wrong. Genetic tests ordered by your doctor at any other time--when you are NOT seeking a job or insurance--can be collected and used by your employer and insurer to make decisions about you.

Lobbyists for the insurance industry and employers got this massive loophole into the bill, eliminating the intended consumer protections. Instead GINA should have forbidden employers and insurers to ever collect or access genetic tests.

This is one of the key reasons we need Congress to restore OUR rights to control our personal health information, so WE can make sure employers and insurers do not get our genetic records. Genetic information is so sensitive it should ONLY be seen by health professionals directly involved in our treatment, or if we choose to participate in research and share it.

The Word Is Out: Do You Know Who Owns Your Health Records?

2009-10-19T10:59:00.003-05:00

This WIRED article, Medical Records: Stored in the Cloud, Sold on the Open Market, is based on yesterday’s NYTimes story that closed by quoting Patient Privacy Rights.

It points out the 2 KEY ways that electronic health systems violate patient privacy:
• Health technology vendors sell patient records without consent
• It is impossible to de-identify health information, so promises that the data can’t be re-identified must to be verified by outside audits

The chart at the top of the story is from our website—it shows the millions: businesses and government agencies---that today can do whatever they want with our health records, including selling them for profit.

The ‘fix’ is that Congress must restore patients’ rights to control personal health information------this right has been the foundation of the healthcare system for 2,400 years.

No one else should own our health records and no one should have access to them without our consent.

Re-Identification. From Netflix to Health Records.

2009-10-17T09:53:00.000-05:00

Today’s NY Times story points out the FACT that is very easy to re-identify supposedly “de-identified” information. Singer starts with how the Netflix “de-identified” data base was proven to be re-identifiable and moves on to describe Latanya Sweeney’s famous re-identification of the medical records of Gov Weld.

See the NY Times Article: When 2+2 Equals a Privacy Question

Open Source Research

2009-10-09T10:58:00.002-05:00

See the Government Health IT article: NCI to open research grid to cancer patient 'army'

Women desperate to cure breast cancer are contributing their sensitive personal health information to "an army" of researchers.

But there is no reason that these altruistic women have to risk their futures and their daughters' futures to find a cure.

It's possible to do research without risking their futures and their daughters' and granddaughters' futures by using privacy-protective technologies and robust informed electronic consent. But this project does NOT protect the privacy of these generous and well-intentioned women.

The women's data can be downloaded by "thousands of users"--all of whom make copies of their extremely sensitive, IDENTIFIABLE records. The records are identifiable so that the women can be contacted by researchers.

Some of the major things wrong with this picture:
1) The NCI system allows “researchers (to) form and maintain large breast cancer disease databases.” Is there any way to tell if the security is ironclad, state-of-the-art? No.
2) How many copies will researchers make? How many times will the data be replicated and backed-up across the world? No way to know.
3) What countries will copies of the records be kept in? No way to know.
4) How many and which researchers will download and keep their data? No way to know.
5) The researchers must sign agreements to protect and not sell the data, but there are no 'data police' to enforce those agreements. If there are no 'data police' watching this data, how do the women know it's safe? No way to know.
6) What if a woman does not approve of a particular study or researcher who has their data? Can a woman prevent any researcher from using her information? No.
7) How will the data be handled after the research study is complete? How will the women know if it is destroyed? No way to know.
8) How safe is research access via a web browser? No way to know

The severe flaws in this plan are obvious. Fearful women desperate for cures are being exploited by the government and the research industry that designed these systems to serve their needs, NOT the women's rights to privacy. Putting such sensitive data out into cyberspace KNOWING it can never be retrieved or destroyed is grossly irresponsible. Like Paris Hilton's sex video, this data will live forever in cyberspace, risking future jobs and opportunities of every child of every woman desperate for a cure.

The NCI could do this a better way---we can have research and privacy at the same time. But the privacy protective technologies that can enable both are not being used. Why not?????

See our testimony Sept 18th at the national HIT Policy Committee and the many letters from the Coalition for Patient Privacy to federal agencies and Congress describing how to do research while protecting privacy.

And NO--the Genetic Information Nondiscrimination Act (GINA) DOES NOT protect our genetic data. It allows insurers and employers to have our genetic data and it has no enforcement. Zero. And HIPAA has no protections for genetic data either--it allows others to control and use our data without consent.

The cost of contributing to research should not be that your female descendents are unemployable. Unless data is protected, we will have generations of people who cannot work because employers will not risk hiring anyone at risk of getting a disease.

De-identified? Yeah, right.

2009-09-25T10:01:00.000-05:00

See these articles:
Netflix Contest Seen As Posing Privacy Risk
Netflix is about to commit a privacy Valdez with its customers' viewing data
AOL, Netflix and the end of open access to research data

Once again Netflix plans to violate the privacy of those who rate the movies they rent. Two University of Texas computer scientists demonstrated that the Netflix database of 500,000 with movie ratings could be re-identified, revealing sensitive political and sexual preferences of the actual people who rated movies. Netflix did not get the consent of renters to expose their ratings to the public or ot researchers.

Yet Netflix is moving ahead to release even MORE personal data for its next million-dollar contest. The major media (NYT's STeve Lohr for example) has NOT reported at all on how Netflix is violating movie renters' privacy, but instead trumpets the prizes paid to those who develop more accurate ways to predict which movies you will want to watch next.

The problem of re-identification is VERY serious for the healthcare system because health data is impossible to de-identify. It is so rich in detail that de-identification is almost impossible.

Today, the treasure trove of all Americans' sensitive health data is being endlessly used and disclosed without informed consent to millions of "covered entities" and "business associates" (and their millions of employees)--subjecting EVERY American to the theft, sale, and misuse of the most sensitive personal information that exists.

Who will hire you knowing all about your prescriptions, illnesses and genes?

Healthcare moving to Cloud Computing

2009-08-15T13:38:00.000-05:00

Joe Conn looks more deeply into the problems of 'cloud' computing for the storage, exchange, and analysis of health data. See his article in Modern Healthcare: 'Healthcare is slow to change' to cloud environment

Today there is not yet a trusted organization to certify the privacy of electronic health records systems, whether on servers or in clouds.

Until the privacy of health data can be assured first with trusted security certification and then with a separate stringent privacy certification (proving that patients control the use and disclosure of their sensitive records) Americans will not trust that their data is safe.

Proof that consumers control personal data in clouds will be essential for trust in health IT.

So far all we have are promises of security and privacy. We won't trust without verification .

Who is tracking YOU?

2009-08-12T11:43:00.000-05:00

On the Internet ALL your health searches about scary and stigmatizing illnesses, all searches or purchases of books on health, and all searches or purchases of medications and devices are tracked and sold.

It is impossible to search for health information privately via Google, etc.

Health websites take massive advantage of Americans' powerful expectations that ALL healthcare providers put their interests and their privacy first---expectations which come from the traditional doctor-patient relationship and the ethics that have governed Medicine for 2,400 years (derived from the Hippocratic Oath).

Americans are not yet ready to believe that every aspect of healthcare in the US is profit-driven, rather than driven by the ethical codes all health professionals swear to at graduation: the promises to "do no harm" and to "guard their secrets".

Americans are not yet ready to believe that Wall Street has taken over Medicine---and that instead of guaranteeing the strong health privacy rights Americans have under the law, Wall Street erases our rights to ensure shareholder profits.

View this story in the NY Times: Ads Follow Web Users, and Get More Personal

Security and Hacking, Real Fears

2009-08-04T14:03:00.001-05:00

See the WSJ Article: New Epidemic Fears: Hackers

Securing health records in small doctor's offices and clinics is not easy: small offices can't afford Fort-Knox style data protection measures, like hiring security experts to make sure hackers aren’t getting into their systems. Even if electronic health records software includes encryption and other security features doesn't mean those features will be turned on and used.

• Now, many privacy advocates are concerned the administration's effort could end up making health information less secure. "If there isn't a concerted effort to acknowledge that the security risks are very real and very serious then we could end up doing it wrong," says Avi Rubin, technical director of the Information Security Institute at Johns Hopkins University.

• "As more information is shared, it is subjected to the weak-link effect."

• Mr. Osteen's efforts to safeguard information won't be useful if smaller providers he shares it with haven't made the same kind of security investments."

Bill O'Reilly is REALLY worried about the loss of his personal medical privacy...

2009-07-24T15:45:00.001-05:00

So much so that he repeatedly returned to the topic while debating health care reform last night.

See Editorial with Video

68% of Americans share his fears and "Have Little Confidence that Electronic Health Records Will Remain Confidential" (see: Past Meetings: 7/21/09, slide #3 of the "Privacy and Security Work Group: Recommendations" presentation on the HIT Standards Committee website at: http://healthit.hhs.gov/portal/server.ptopen=512&objID=1271&parentname=CommunityPage&parentid=2&mode=2&in_hi_userid=10741&cached=true

O'Reilly debated with a doctor who doesn't seem to know that we have no control over our personal electronic health records, the massive damage that already causes, and how much more we will all be harmed if the Administration does not stop health IT systems from violating our privacy. Patient control over personal health information must be built into every electronic system up front.

Republicans, Democrats, Libertarians, and the majority of Amercians REALLY care about health privacy. The national concensus is that we should control who sees our health records; which has been our legal and ethical right since the nation's founding. Restoring the right to control PHI in electronic health systems will quell fears that the majority has have about electronic systems.

Quotes from the story:

• O’Reilly demonstrated his primary fear – almost panic – over the assumption that his medical records may not be private any more if President Obama passes some version of his healthcare bill. But enough with the foreplay -- O’Reilly dived right into his main fear. “My health records which are now in the hands of my private physician . . . they’re gonna be in Washington, right, so every malady that I have is gonna be seen by people in Washington. I don’t want that, do you want that?”

• After a little back and forth on the issue, O’Reilly repeated, “On a computer disk in D.C. will be what’s wrong with me . . . based on my medical history. It makes me very, very nervous.” Yes, we noticed.

• O’Reilly, again, focused worriedly on the privacy issue. “Let me ask you this,” O’Reilly posited. “It worries me that my medical history and your medical history is now gonna be on a disk in Washington, D.C., rather than the confidentiality of a doctor-patient, which we have had in this country for decades – that’s gone.”

• “The data is going to go to a bank in Washington, D.C.,” O’Reilly fretted. “ . . . I’m talking about you, Dr. Marc Lemont Hill, having a condition . . . with his program, it goes to D.C. and the bureaucracy decides how to treat you, not your physician. Doesn’t that worry you?”

• “So you don’t mind having your condition – whatever it may be – leave your doctor’s office and go to D.C. . . ,” O’Reilly said.

• O’Reilly hammered the privacy issue, once again, saying, “It’s going to a database that can be accessed . . . okay, if you don’t mind it, I do, and that’s a big concern of mine. We don’t have any privacy as it is in this country . . . .”

• Hill pointed out the bigger issue than the privacy of medical records (to most Americans, but not to O’Reilly) is 50 million uninsured Americans – and said that President Obama addressed that in the press conference.

• But the biggest question of all – what’s O’Reilly’s medical condition? The one O’Reilly is terrified might fall into the hands of the government? Is it really so awful that O'Reilly (not usually one to worry about privacy) is willing to kill health care reform just to protect it?

Genetic Privacy Debate hits Major League Baseball

2009-07-22T09:11:00.000-05:00

The story highlights the use of DNA testing by 'employers'--Major League Baseball franchises. Baseball tests to verify the ages and identities of players from Latin America, but the test samples can also be used to detect familial genetic dieseases such as ALS (which Lou Gehrig had).

• “DNA contains a host of information about risks for future diseases that prospective employers might be interested in discovering and considering,” said Kathy Hudson, the director of the Genetics and Public Policy Center and an associate professor at Johns Hopkins University. “The point of GINA was to remove the temptation and prohibit employers from asking or receiving genetic information.”

The big problem is that the Genetic Information Non-Discrimination Act (GINA) does not stop employers or insurers from receiving or using genetic information. It isn’t enforceable.

Baseball players are not the only ones whose DNA and genetic tests can be used against them--the same thing can happen to all of us.

According to GINA, employers and insurers can't use genetic tests to discriminate against employees or enrollees in health plans, but there is no way to tell whether they do or not. Employers and insurers do not have to inform us if they have copies of our genetic or DNA records.

• Do you think an employer is going to tell you were passed over for a promotion based on your DNA?

GINA is toothless--it forbids bad behavior but there is no way to enforce it.

And Americans' genetic privacy is not protected by HIPAA. HIPAA makes it impossible for any of us to prevent OUR sensitive health information from being used by millions of 'covered entities' and 'business associates' for purposes we would never agree with--including using genetic tests to discriminate againts us.

Face Book users control who sees the personal information they post on their walls, but Americans can't control who sees their electronic health information. What's wrong with this picture?

The rules for spending $19 Billion on health IT are being written now. Now is the time we must press to restore control over OUR personal health data.

Stay tuned--sign up for our alerts and we'll tell you what you can do to save privacy.

UK Handing off their health records?

2009-07-06T12:12:00.000-05:00

Federal Computer Week: U.K. mulls handing off national health records to Microsoft, Google

It will be interesting to see which one the UK chooses. Microsoft joined the bipartisan Coalition for Patient Privacy to urge Congress to restore consumer control over PHI in 2007. Google has not.

MS signed Coalition letters in 2007 and 2009, and agreed to support the Coalition's tough privacy principles and health privacy rights in electronic systems. HealthVault was built to adhere to the Coalition's stringent privacy principles. Open, public promises by major corporations are taken very seriously by federal regulatory agencies and consumer advocates.

The promises by the technology corporations that joined the Coalition are a rebuke to other HIT vendors and the data mining industry that will do anything to get their hands on PHI for all sorts of uses that patients would never agree to.

Today, the clearest sign of serious corporate commitment to health privacy rights is joining the Coalition for Patient Privacy and standing with consumers to build an ethical, legal HIT system---the only kind that will be trusted and succeed.

On HealthDataRights.org and their Declaration

2009-06-23T10:13:00.003-05:00

HealthDataRights.org supports only ACCESS to personal health data--which is a no-brainer and a right Americans have always had. The stimulus bill makes clear that we all have the right to copies of our electronic health records because some providers have make them so hard to get.

But HealthDataRights does NOT support the most critical right of all: the right to CONTROL who can access and use our personal health data in electronic systems. They even claim "privacy" stops data flow and will stop research--which is a lie. Informed consent and control over our own data ensures it's there when we want it and ONLY for uses or research that we agree with.

HealthDataRights.org is a faux consumer rights organization, as revealed in their FAQs:

• "The organizers of HealthDataRights.org include doctors, researchers, software developers, writers, entrepreneurs, health economists, and many others who share a common goal of greater health data availability." TO WHOM WILL THE ENTIRE NATION'S DATA BE AVAILABLE? TO THE DATA MINING AND RESEARCH INDUSTRIES THAT WANT OPEN ACCESS TO OUR DATA FOR USES WE HAVE NO CONTROL OVER.

• "Some of us have seen clearly how restrictions on health data and medical records can lead to great pain and suffering—needlessly, in most cases." MILLIONS OF PATIENTS EVERY YEAR SEE CLEARLY HOW DANGEROUS HEALTHCARE IS WITHOUT PRIVACY AND DELAY OR REFUSE CARE, LEADING TO DEATHS FROM CANCER, PTSD, AND DEPRESSION---COSTING FAR MORE THAN IF TIMELY OR PREVENTIVE CARE WAS PRIVATE.

• "At the same time, we know that too often “privacy” is used as an inappropriate excuse to keep people from gaining access to their own health data and information, which they have every right under HIPAA and most state laws to view and access." CLAIMING PRIVACY AS AN EXCUSE NOT TO GIVE ACCESS TO PERSONAL HEALTH DATA IS WRONG OF COURSE, BUT WORSE AND FAR MORE DAMAGING IS EXPOSING HEALTH DATA TO THEFT, SALE, AND MISUSE BY MILLIONS OF HEALTH-RELATED BUSINESSES AND ALL GOVERNMENT AGENCIES.

• "Does this Declaration suggest people should have exclusive rights to their data?

"No, we are not suggesting that, although this is a thorny issue. Doctors need accurate information about their patients and are required by law to maintain this information. Labs are required to hold onto their test results for up to seven years. There are also health care organizations that use their patients’ or members’ data to suggest improvements to the care delivered to them, usually with a blanket permission signed by the patient at the initial visit and later forgotten. This is not necessarily a bad thing and may be very beneficial for patients, even though permission is not sought for each particular instance of that use. In addition, aggregated and anonymized, population data obviously is key to learning what is working for whom, what is cost effective for whom, and what is the best way to treat any condition for whom. We are supportive of organizations that are endeavoring to improve public health by learning from population data. An “exclusive right” could be read as contradictory to that. What we do affirm, strongly, is that people do have a right to their own data."

PATIENTS SHOULD HAVE EXCLUSIVE RIGHTS TO THEIR HEALTH DATA----EVEN NEWT GINGRICH SAYS AMERICANS SHOULD "OWN" THEIR PERSONAL HEALTH DATA.

THIS IS WHERE THEY STATE THAT THE RIGHT TO PRIVACY---THE BASIS OF THE HIPPOCRATIC OATH AND OUR STRONG EXISTING LEGAL RIGHTS TO PRIVACY---WOULD "BE CONTRADICTORY" TO PUBLIC HEALTH RESEARCH. PUBLIC HEALTH DATA IS COLLECTED BECAUSE OF LAWS THAT WERE DEBATED BEFORE BEING PASSED. BUT FUTURE "POPULATION HEALTH" RESEARCH USING ELECTRONIC HEALTH SYSTEMS WILL TAKE PLACE WITHOUT CONSENT BECAUSE EVERY ELECTRONIC HEALTH RECORD WILL BE "WIRED" FOR DATA MINING WITHOUT PATIENT KNOWLEDGE OR CONSENT. RESEARCH WITHOUT CONSENT VIOLATES MEDICAL ETHICS AND INTERNATIONAL TREATIES.

• Who is funding HealthDataRights.org?

HealthDataRights.org is entirely volunteer and has no funding. Any direct costs are being paid out of pocket by the individuals involved. THE INDIVIDUALS' NAMES ARE NOT LISTED.

You can see the story on HealthDataRights.org debut at: http://www.patientprivacyrights.org/site/News2?page=NewsArticle&id=9475&news_iv_ctrl=-1

But privacy is ALREADY gone!

2009-06-22T15:50:00.000-05:00

Refer to Wall Street Journal article: Is Government Health Care Constitutional?

The authors fear that Americans' health privacy rights will be eliminated by health reform if a proposed "public plan" evolves into "single payer".

They are too late, there is no privacy (the right to control personal information) in the US electronic health system ---EXCEPT for the strong new rights Congress added to the stimulus bill: the ban on sales of PHI, the right to segment sensitive records, and the right to limit disclosure of PHI to health plans for payment or HCO if treatment is paid for out-of-pocket.

Our strong existing ethical and legal privacy rights (a powerful national consensus arrived at over 200+ years) are being totally ignored by federal and state government and industry.

The authors clearly don't know that we have no health privacy today or that privacy advocates in the bipartisan Coalition for Patient Privacy (representing 10 million Americans) work to restore those rights.

In 2002, amendments to the HIPAA regulations granted new rights to corporations and government to use ALL health data without informed consent for purposes no one would ever agree to AND eliminated Americans' rights to give consent before our data is used. See: http://www.patientprivacyrights.org/site/PageServer?pagename=HIPAA_Intent_Vs_Reality . In 1999, the HIPAA statute granted law enforcement unfettered access to all electronic health records without informed consent or any judicial process.

Both Democratic and Republican Administrations and Congress have contributed to eliminating patients' rights to control personal health information. The ONC-Coordinated Federal Health IT Strategic Plan: 2008-2012, requires all EHRs to be "wired" for data mining and requires every citizen to have an EHR by 2014.
See: http://www.patientprivacyrights.org/site/DocServer/HITStrategicPlan08.pdf?docID=5161

The Federal Strategic Plan grants "back door" access to the nation's electronic records to government agencies; to the for-profit research industry for P4P, QI, population health, genetic research (personalized medicine), etc; and to the insurance industry to detect fraud (this is one of the most offensive and discriminatory measures planned--the last people patients want to have MORE access to sensitive health records are insurers and employers).

Key Quotes:

• The Supreme Court created the right to privacy in the 1960s

• the justices posited a constitutionally mandated zone of personal privacy that must remain free of government regulation, except in the most exceptional circumstances.

• Taking key decisions away from patient and physician, or otherwise limiting their available choices, will render any new system constitutionally vulnerable.

• if over time, as many critics fear, a "public option" health insurance plan turns into what amounts to a single-payer system, the constitutional issues regarding treatment and reimbursement decisions will be manifold. The same will be true of a quasi-private system where the government claims a large role in defining acceptable health-insurance coverage and treatments. There will be all sorts of "undue burdens" on the rights of patients to receive the care they may want. Then the litigation will begin.

• In crafting the law, however, its White House and congressional sponsors must keep privacy -- that near absolute right to personal autonomy they have so often praised and promoted -- squarely before them. The only thing that is certain today is that the courts, and not Congress, will have the last word.

The authors tilt at the wrong windmill --not realizing they are too late: the privacy for health data in electronic systems is already GONE. We hope they will join us and work to RESTORE Americans' longstanding ethical and legal rights to health privacy--regardless of a "public plan" or whether it turns into "single payer".

Data-mining: Australia Just Calls It Something Else

2009-05-19T14:16:00.002-05:00

In Australia, the data mining industry pays doctors to sell patients' prescription records. In the US they pay pharmacies, hospitals, and PBMs. See Article.

A complaint to the Australian Privacy Commissioner was dismissed because the data miners claimed that patients and doctors were "de-identified". But it is very difficult to fully de-identify personal health data so that re-identification is impossible. If true, the industry should have offered proof that their methods actually work and that the data cannot be re-identified.

As in the US, the theft and sale of personal prescription records is rationalized with claims that it can be used to "provide valuable insight into healthcare trends-- including the spread of infectious diseases". The word that describes using data to provide "valuable insights" is "research". It happens to be both illegal and unethical to do research without informed consent.

HIMSS & Who is Promoting HIT in Stimulus Spending?

2009-05-17T11:44:00.001-05:00

This story tells how HIMSS and Harvard's Blackford Middleton promoted spending billions on health IT in the stimulus bill.

HIMSS and Blackford believe that health technology will be the silver bullet that enables healthcare reform and kills/slows higher costs. That may be possible, but is highly doubtful because the billions are such a bonanza for the health IT industry.

Will this be yet another example of the stimulus billions being used to prop up large corporations, but not to save individual patients who are sick?

Not only does most of health IT vendor industry NOT care about whether healthcare reform succeeds or not, they actively fought to weaken Americans' rights to privacy and security. By law, industry cares about maximizing revenue, not treating the sick.

So the BIG question is: will the government require all electronic health records systems to have the tough privacy and security measures the public expects and needs to trust these systems? Will the government require electonic health systems to build in our legal and ethical rights to privacy up front?

Most of the HIT industry lobbied to sell the same old dinosaur products and against privacy. The incumbents are very powerful and not interested in change OR IN OUR PRIVACY RIGHTS.

Financial System vs. Healthcare System

2009-05-12T14:25:00.000-05:00

The financial system is often lauded as being good at protecting Americans' sensitive financial and demographic data, but the evidence is not so clear. Heartland had a massive breach of credit card data in its system of sponsored banks. In addition to the $12.6 million in costs, it will also have to pay to "implement end-to-end encryption when payment data is sent from the merchant to the processor".

Will breaches of healthcare data cost any less? That is highly doubtful. The pain and exposure is far worse and there are NO remedies. The privacy of health data can never be recovered or restored. With identity theft you can eventually recover from the damage and restore your credit.

Plus its harder to protect electronic health data because there is SO MUCH MORE sensitive personal data than exists in financial systems. Payment and credit card data are just the start, everything is included in electronic health systems, from prescriptions to DNA.

And compared to the financial industry, the healthcare industry has millions more employees----of insurers, hospitals, pharmacies, data management and data warehousing corporations, HIT vendors, and even state and federal government agencies----who all have access to sensitive data.

See article "Heartland breach cost $12.6 million, CEO says"

First HIT Policy Committee Meeting on Stripping Privacy Away?

2009-05-11T15:06:00.000-05:00

No surprise the new HIT Policy committee is gearing up to eliminate privacy, i.e. patient control over personal health information, using the excuse that the entire nation's records are needed for biosurveillance and research without informed consent. See the quotes from Drs Calman and Clark. The title of the article says it all: "Committee studies public health, research".

The committee is dominated by industry appointees who will make sure the policies they come up with grant unfettered government and industry access to Americans' most sensitive personal data, from prescriptions to DNA.

What they don't get is they will lose the public's support and trust if they build a system where everyone's health records can be data mined for any research purpose. A Westin/Harris IOM poll found only 1% of the public would allow researchers unfettered access to their electronic medical records. The government and the research community are completely at odds with the public's rights to health privacy.

The reality is millions of Americans already refuse to participate in healthcare systems that harm them because they have no control over their medical records.

HHS noted in the Preamble to the HIPAA Privacy Rule that 600,000 Americans/year avoid early diagnosis and treatment for cancer because treatment records are not private private. Two million people/year with mental illness avoid diagnosis and treatment for the same reason: their records are not private. The Rand Corporation found that 150,000 Iraqi vets refuse treatment for PTSD because their treatment is not private, resulting in the highest rate of suicide in active duty military personnel in 30 years.

Can this commitee face reality when they have severe conflicts of interest and want the use of Americans' health data?

The lack of privacy drives millions away from healthcare. And the lack of privacy causes suffering and death--bad outcomes.

It looks like patients' and consumers' best hope for preserving their health privacy rights in electronic systems may be Gayle Harrell. She may be the only committee member who can face reality.

A Start to Securing PHI?

2009-05-06T11:07:00.000-05:00

Sometimes press releases for new products tell us far more about the risk of identity theft in electronic health systems than the mainstream press or trade journals.

Check out this zinger quote: "Most organizations don't even know where their PHI is." Why doesn’t the mainstream press tell the public that the health care organizations (like hospitals) have no idea where all their sensitive personal health data resides?

How about this: "The software (Identity Finder) automatically finds PHI such as social security numbers, medical record numbers, dates of birth, driver licenses, personal addresses, and other private data within files, e-mails, databases, websites, and system areas. Once found, the software makes it simple for users or administrators to permanently shred, scrub, or secure the information." Emails? Who sends drivers license numbers, SS#s, and Dates of Birth in emails? Clearly lots of healthcare organizations do.

We can only hope products like this sell.

See full article at http://news.prnewswire.com/DisplayReleaseContent.aspx?ACCT=104&STORY=/www/story/05-05-2009/0005019328&EDATE

Reducing Cost or Care? Orszag on HIT

2009-05-04T15:39:00.000-05:00

Fascinating 'insider' article on the budget process and the Orzag/Obama plan to reduce healthcare costs by building a health IT system 'wired' for data mining:
"At the core of both the stimulus bill and the Obama budget is Orszag’s belief that a government empowered with research on the most effective medical treatments can, using the proper incentives, persuade doctors to become more efficient health-care providers, thus saving billions of dollars. Obama is in effect betting his Presidency on Orszag’s thesis." (See Article)

"Orszag seems more right than wrong about how to bring down health-care costs, but the truth is that, while there is obviously a great deal of waste in the American medical system, nobody knows for certain whether Orszag’s plan—which is now Obama’s plan—will work."

The plan relies on building HIT infrastructure to obtain the data for "comparative effectiveness" research. Republicans question whether this research approach can reign in healthcare spending enough and also fear it will lead to "vast government intrusion into the doctor-patient relationship". And the plan relies on building an HIT system to data mine ALL data without informed consent.

Our problems with the plan:

1) Orzag/Obama want ALL health data without informed consent for research, which is unethical, illegal, and destroys patient trust in doctors.
2) Orzag/Obama do not seem to realize that compelling the use of all health data will INCREASE the number of Americans who avoid treatment altogether (already in the millions). Many Americans know that avoiding care is the only way to keep health data private.
3) Millions avoiding treatment means millions delay care or never get care, increasing bad outcomes, deaths, and costs.
4) But worst of all for proponents of research: they won't get the data needed to learn what works best unless they restore privacy and patient control over data. Researchers cannot get the results all of us want with missing and inaccurate data!
5) To find out what the most effective treatments are for many costly conditions we have to actually have all the data in our systems. Today millions of people with Depression and Addiction have NO data in the system because they pay for private care or attend AA or NA so NO data is ever generated.
6) It will be a tragedy never to find out what treatments are most effective---and a HUGE waste of the billions of stimulus dollars to build an HIT system without privacy.

Key Quotes from the article:

• The deficit spectre has loomed over every major debate. The most contentious issue has been health care.
• Orszag came to the debate with a third option, which combined Summers’s concern about deficits and Daschle’s insistence that Obama tackle health care this year. He argued that health-care reform is deficit reduction.
• At the core of both the stimulus bill and the Obama budget is Orszag’s belief that a government empowered with research on the most effective medical treatments can, using the proper incentives, persuade doctors to become more efficient health-care providers, thus saving billions of dollars. Obama is in effect betting his Presidency on Orszag’s thesis.
• Orszag, despite his image as a number-crunching technocrat, considers himself an activist.
• At Princeton, he wrote his senior thesis on the relationship between the Federal Reserve and Congress. One of his conclusions was that “it is clear that Congress suffers from a lack of understanding of even the most rudimentary economics.” Orszag’s paper won an award for the best thesis that year in international economics or politics.
• At the Congressional Budget Office, Orszag hired specialists in health-care economics and turned the institution into a clearinghouse of information about rising health-care costs. When I asked him whether he was an advocate for policies at a place that was supposed to be nonpartisan, he replied, “I would say I was activist.”
• Kent Conrad, the chairman of the Senate Budget Committee, has made eradicating the federal budget deficit his life’s work. He told me that he picked Orszag to run the C.B.O. in 2007, and repeatedly asked him to testify before his committee, because they shared a concern about long-term spending trends.
• If there was one aspect of the President’s budget that demonstrated Obama’s European sympathies, Ryan said, it was health care. More specifically, it was Orszag’s approach to curbing health-care costs. “He believes you need to set up this über-bureaucracy—the institute of comparative effectiveness—which we’ll put smart people in, and they will design the metrics and the processes on how medicine is to be practiced,” Ryan said. “And then the federal government will impose and enforce those processes. . . . It is precisely what they employ in England. It’s precisely what they employ in Canada.” Rather than celebrate Orszag’s attempt to rein in health-care spending, Ryan seemed horrified by it.
• Obama will spend the rest of this year fighting a war on two fronts. On one are Democrats protecting old-line economic interests: oil, gas, and coal companies; agribusiness; student-loan companies; and pharmaceutical companies and medical providers who fear that Orszag’s ideas for cutting health-care costs will hit them hard. On the other are institutional interests. Obama will be battling committee chairmen who oppose his Pell-grant reforms, and placating senators who resent his willingness to use a feature of the budget process known as “reconciliation,” which limits debate and prevents the use of a filibuster, to pass his health-care plan.
• Orszag’s job is to defend Obama’s budget on all fronts, but he will be most deeply engaged in health care. I asked him how he could be so sure that his ideas about how to reduce health-care costs would work, mentioning that I had been surprised to learn that Paul Ryan and other Republicans had seized on health-care cost controls as the issue they believed would bring down Obama’s health-care plan and, with it, they surely hoped, his Presidency. Specifically, they believed that Orszag’s obsession with “comparative effectiveness,” research about which treatment options work best for a given ailment, will lead to vast government intrusion into the doctor-patient relationship. The research, which received major funding in the stimulus legislation and which was also included in Obama’s budget, had assumed a sinister meaning on the right.
• Orszag dismissed the criticism as a caricature. “I don’t see how it interferes with the doctor-patient relationship to suggest that it would be better if your doctor had more information about what would work for you,” he said. “The best way of putting it is that your doctor shouldn’t have disincentives to give you the higher-quality care, which often happens now.” Far from a huge government bureaucracy, he proposes a simple adjustment of incentives: “You get paid more if the treatment has been shown to be effective and a little less if not.”
• Orszag seems more right than wrong about how to bring down health-care costs, but the truth is that, while there is obviously a great deal of waste in the American medical system, nobody knows for certain whether Orszag’s plan—which is now Obama’s plan—will work.
• As Orszag explained his ideas, I couldn’t help remembering an encounter I had with him one day in the hallway at O.M.B. I told him that I had read his Princeton undergraduate thesis. He looked at me and smiled a little sheepishly. He said that at some point after his arrival at graduate school, in London, he had had a sudden realization: that he had made a mistake, and the crucial formula that he had used in his thesis, the one that had won him the prize, was incorrect. “It was so innovative,” he said, “that it was wrong.”

More than just google

2009-04-29T16:05:00.001-05:00

In response to the Consumer Watch article: "U.S. Senate Records Reveal Google Inc. Lobbying Campaign On Personal Medical Records Law Despite Internet Giant's Denials"

This story is of interest because the public has no idea which corporations lobbied against their privacy rights in the stimulus bill or how much was spent overall to try to eliminate health privacy.

The focus on Google alone is misleading and actually distracts from the real work of informing the public about the major health-related industries that have long opposed Americans' privacy rights. The real question is which other industry giants that are not household names lobbied against privacy?

The total lobbying money spent by the massive secret health data mining industry, insurers, hospitals, and big Pharma to oppose Americans' rights to privacy far exceeds Google's lobbying expenses.

If we don’t know who all the culprits are, we can't stop them and restore privacy.

The most dangerous enemies of privacy are the ones we don’t know about.

Is not just celebs who need strong security and privacy for PHI

2009-04-02T08:51:00.002-06:00

'Smart' EHR software designed for security, privacy, and compliance with the law and ethics, would allow only those who have your informed consent to access your records. Staff and employees who carry out the orders of your attending physician could access your records under the informed consent you give your physician, by electronically affirming they are part of your treatment team. Instead of primitive, legacy EHR systems that allow 10,000 hospital staffers or employees access to your records, in a 'smart' EHR system only the 100 or so directly involved in your treatment could get into your PHI, preventing 9,900 snoopers' eyes from seeing anything.

Is not just celebs who need strong security and privacy for PHI--what about women whose abusers work for hospitals? What about all the minor local celebs? Do you want your nosy neighbor who is a clerk to be able to read your records?

Stepping up employee snooping via retroactive audits is EXTREMELY expensive (major hospitals have to have large technical staffs to be able to audits millions of accesses looking for those that should not have occurred). 'Smart' consent technologies exist. Retroactive audits for improper access are like looking for needles in a haystack UNLESS you are Nadya Suleman or some other celebrity whose EHR is being actively watched. Why not keep the horses from getting out of the barn in the first place?

Refer to COMPUTERWORLD story: "Kaiser fires 15 workers for snooping in octuplet mom's medical records".

RealAge sets new low...

2009-03-25T13:32:00.000-06:00

RealAge sets a new low for unscrupulous behavioral targeting to sell drugs.

Is the RealAge quiz an unfair and deceptive trade practice? Where is informed consent?

Do the 27 million who took the test to find out if they are younger or older than their "biological age" really know that they are giving detailed information so RealAge can market drugs to them?

RealAge illustrates a critical problem with almost all health-related websites: people are actually going there for help - they appear to offer services, so people expect that health websites follow medical ethics and protect their privacy. But they don't. Health websites are not altruistic and don't adhere to medical ethics or privacy rights. Health-related websites offering rating scales, searchers, or information about diseases and treatments are typically just as deceptive: they also are designed primarily to collect personal information for personally-targeted marketing or worse.

View the New York Times article Online Age Quiz Is a Window for Drug Makers.

Stimulating Health IT

2009-03-10T08:14:00.002-06:00

Health Affairs Briefing: Deborah Peel, MD, founder & chair of Patient Privacy Rights, represents consumers in a discussion of Health Information Technology and how to proceed with privacy. Learn more and find how you can attend.

From Sharing Music to Sharing Medical Records

2009-02-24T14:47:00.004-06:00

Scientific American gets it. Do you? View story here.

Dr. Eric Johnson's latest study is out. Our job is to inform the public and Congress, who are continually being falsely reassured that health IT systems are secure and private by spinmeisters for the insurance, hospital, drug, Health IT, and health data mining industries.

Industry's blatant false promises of security and privacy are something we have been urging FTC to investigate (as false and deceptive trade practices) and the new Administration should understand to ensure that the stimulus funds are not spent on primitive health technologies with abysmal security and no consumer control over PHI. We need 'smart' health IT, 'smart' human processes, and we need the health care industry to step up and use them, so we have trusted electronic systems and don’t waste the stimulus billions.

See Dr. Johnson's paper here.

The research examined samples of health-care data disclosures and search activity in peer-to-peer file sharing networks of the top 10 publicly traded health care firms (using Fortune Magazine's list) over a two-week period. More than 500 hospitals were represented in the 10 organizations. 3,328 files were collected for the study.

•"data losses in the healthcare sector continue at a dizzying pace"
•"Far worse than losing a laptop or storage device with patient data (Robenstein 2008), inadvertent disclosures on P2P networks allow many criminals access to the information, each with different levels of sophistication and ability to exploit the information."
•"Many of the documents were leaked by patients themselves. For example we found several patient-generated spreadsheets containing details of medical treatments and costs--likely for tax purposes."
•"we found a hospital-generated spreadsheet of personally identifiable information on recently-hired employees including social security numbers, contact information, job category, etc"
•"For a hospital system, we found two spreadsheet data bases that contained detailed information on over 20,000 patients including socials security numbers, contact information, and insurance information."
•"For a mental health center, we found patient psychiatric evaluations."

Where is the mainstream and trade journal reporting on this???

Identity Theft Through Your Health Records

2009-02-03T09:06:00.000-06:00

This post reflects on the article in the Denver Post: Uncovering the Identity Trade Business.

This story details identity theft by a Denver hospital employee. It is a single instance, but it shows how easy it is for any hospital employee, anywhere to steal patients' identities.

Hospitals will become a major source for identity theft because today's primitive, poorly designed health IT systems allow thousands of employees access to all patient information--including what's needed to steal identities. Not only can thousands of hospital employees see every patient's medical records (think George Clooney and Farah Fawcett--whose records were sold to the Enquirer), they can see and steal the demographic and financial information too.

For whatever reasons, the media has primarily reported on how wonderful electronic health systems are without explaining the severe risks they pose to privacy and the new problems they can create (errors, downtime, work flow obstacles, data sales, lack of interoperability, etc).

The health IT stimulus bill with $20B for HIT needs very strong consumer protections to ensure that the current 'norm' for hospital electronic health systems, ie badly designed, open access systems, is replaced by systems that only allow access to the few staff members the patient has given permission to see and use his/her electronic records. The current HIT bill does not require the use of consent management technologies to restore patient control over PHI.

Treasury Moves to Restrict Lobbyists From Influencing Bailout Program

2009-02-01T09:35:00.000-06:00

Will we see the same kind of problems the Treasury Dept has had when HHS allocates the 20 Billion in funds for HIT? Will HHS limit the massive health industry's lobbyists influence over how HIT funds are spent? Will HHS turn to real consumer coalitions like the Coalition for Patient Privacy for guidance instead of faux consumer, industry-funded trade organizations?

The dominant HIT industry lobby wants to ensure that Americans get primitive, legacy HIT products and systems, instead of innovative privacy-protective technologies.

If the stimulus dollars are used to purchase existing health IT products that don't restore consumers' rights to control the use and sale of personal health information, corporations will continue to "lock down" and own our personal health information. See Peter Neupert's comments:

• Peter Neupert of Microsoft recently wrote in a TechNet blog about the health IT industry: "The thing is, nobody can make good decisions without good data," Neupert wrote. "Unfortunately, too many in our industry use data 'lock-in' as a tactic to keep their customers captive. Policy makers' myopic focus on standards and certification does little but provide good air cover for this status quo. Our fundamental first step has to be to ensure data liquidity—making it easy for the data to move around and do some good for us all."

• The health IT industry's 'customers' are the large hospital chains, health plans, labs, pharmacies, PBMs, and other health-related corporations that collect, store, handle and sell Americans' personal health information from prescription records to DNA. They do not serve the public or have much regard for our legal and ethical rights to control personal health information.

The people who can't make good decisions without the data are patients and doctors! We have almost no access to our own electronic health information. That's our personal health data Neupert and Kibbe wrote about---and they make it clear that industry believes it owns our data.

The last thing Americans need is for the HIT stimulus funds be used to buy outdated, primitive technologies without meaningful or comprehensive privacy protections. That's a prescription for waste and failure. Will the initial consumer privacy protections in the stimulus be nullified by purchases of inferior, privacy-destructive technologies?

View the Washington Post Article: Treasury Moves to Restrict Lobbyists From Influencing Bailout Program

The true problems in HIT

2009-01-30T16:04:00.002-06:00

The experts quoted are correct that cost, interoperability, difficulty of use, work-flow disruption, and lack of proof of safety/effectivenss are good reasons not to spend $20 billion in HIT stimulus money on bad products (the equivalent of buying SUVs instead of hybrids and electric cars).

But Kibbe and Klepper should look beyond their own perspectives to consider the wider context and the real make-or-break issue: what must EHR systems have to ensure the public's trust and willingness to use them?

Of course, doctors must be able to afford, easily use, and know that EHR systems actually work and are effective, but systemic failure is inevitable unless patients trust electronic systems. Today's health IT systems and products are not even close to meeting the public's expectations for control over personal data and and ironclad security.

From the consumer perspective, the worst defects in today's EHR systems are:

1) Patients have no control over the use or disclosure of their personal health information in these systems.

2) Doctors, hospitals, labs, pharmacies, PBMs, insurers, data miners, data aggregators, etc, etc, and software vendors control the disclosure, use, and sale of the nation's personal health information.

3) Most of today's EHR technology is extremely primitive (20-30 years old) and does not comply with patients' longstanding legal and ethical privacy rights:
•most EHRs do not have the functional capacity to segment sensitive records
•human-readable audit trails of disclosures are not required, so patients have no way to know who snooped in their records or where their personal health information has been sent or sold
•the security measures are abysmal. CIO magazine story from 2006 reported that all 850 EHR systems examined could easily be hacked: http://searchcio.techtarget.com/originalContent/0,289142,sid182_gci1273006,00.html

The most important reason not to buy $20 billion dollars worth of dinosaur EHR technology is that consumers will NEVER trust electronic health systems unless they control sensitive personal data and unless the systems have state-of-the-art security to prevent the frequent breaches, losses, and thefts of millions health records.

Until the American public has PROOF electronic systems can be trusted, failure is inevitable. Why not build EHRs and the electronic health system right from the start, rather than spending billions later to rebuild?

Must we repeat the mistakes made in the UK? The NHS system was built without patient control over data. Billions of dollars and many years were wasted before the government realized that forcing patients into an electronic health system that shares data without consent doesn't work.

View the full story referenced

Pro-Privacy Will Continue to Grow

2009-01-27T12:03:00.000-06:00

More and more genuine consumer pro-privacy groups ---as opposed to privacy-lite, industry-supported, faux consumer organizations---are speaking out to restore privacy in electronic health systems. Support for privacy rights will build and build. There may be set-backs, but we cannot be stopped. See this recent article on Consumer Watchdog supporting patient privacy.

The real reason privacy will win is simple and practical: electronic systems will never be trusted or work unless consumers control personal health information.

In the words of Justice Brandeis: "The right to be let alone is the most comprehensive of rights and the right most valued by civilized men. To protect that right, every unjustifiable intrusion by the government upon the privacy of the individual, whatever the means employed, must be deemed a violation of the [Constitution].” Justice Brandeis 1928.
Olmstead v. United States, 277 U.S. 438, 478, 48 S.Ct. 564, 572 (1928) (Brandeis J., dissenting).

Brandeis dissented from the conventional wisdom of his time. Today we are the dissenters from the CW of our time, but like Brandeis' dissent, ours will prevail.

DoD does WHAT?

2008-12-24T16:20:00.003-06:00

It is fascinating that the DoD clearly believes it owns and can use the personal health information of 12 million active duty military personnel for whatever purpose it decides. In this case, the DoD is paying a for-profit corporation to do research on active duty military personnel without their consent.

Maybe when you join the military you lose all privacy and Constitutional rights. I don’t know, I'm not a lawyer. If so, that is a steep price to pay to serve your country: losing all health privacy for yourself and your relatives forever. Do those who join the armed forces know they are signing up to become medical guinea pigs? Do they really understand the consequences for their futures and their families futures?

Many questions abound:

• Are the electronic records adequately secured? What a rich target: 12 million health records! What if enemies hack the privately held data base to learn about key military leaders?

• Will Phase Forward continue to use and sell the records for other purposes as HIPAA authorizes? Other data management corporations (such as Thomson Medstat) the government pays to perform fraud and waste audits obtain millions of health records that they later aggregate and sell to employers without anyone's consent.

• Furthermore--this is clearly medical research without informed consent. That is simply unethical and illegal. The US signed the Declaration of Helsinki after WW II because Nazis did human research without consent. Back then America recognized the need for informed consent before research takes place. Today, the codes of research and medical ethics still require patients to give informed consent before personal records can be used or disclosed. Why is this project not being done with informed consent when new 'smart' electronic consent tools could make it easy, cheap, and fast to obtain informed consent and explain all the risks and consequences?

Review this article from the Washington Post's Government Inc. Blog for more information:
Data Mining for DoD Health

Genomes: Behold or Beware

2008-12-09T13:18:00.001-06:00

Patients whose physicians "collaborate" with genetic testing corporations should beware. Today, Navigenics and all genetic testing businesses can legally sell genomic data. There is no way to know which ones sell or use data without informed consent and which don't. Americans' personal health information is extremely valuable to corporate America. Genomic data requires extreme privacy protection because it can be used to harm not only an individual but all his/her relatives.

According to Navigenics, the personal data shared is "aggregated" and "de-linked" from "your account information", but Navigenics offers no proof that it cannot be re-identified.

As we learned from the NIH experience, it is very difficult to "de-identify" or "anonymize" genetic data. The NIH closed a public research data base of "de-identified" genetic data after researchers proved the data could be re-identified See: . Corporations that share "de-identified" or "anonymized" health data should be required to publish the algorithms that were used and prove the data cannot be re-identified.

Questions abound:
• How can anyone be sure that Navigenics protects the privacy of genomic tests without trusted external audits of their privacy practices and policies?

• Does Navigenics pay MDVIP's doctors a "kickback" for "collaborating" each time a patient gets genomic tests? Does MDVIP inform patients that it has a contract with Navigenics and what each doctor is paid?

• Who is being paid for "collaboration"? What exactly are the financial and contractual terms of "collaboration" between MDVIP and Navigenics?

• Do MDVIP's patients really understand the risks of using Navigenics to do the testing or the risks of letting Navigenics share their genomic data with unknown researchers and research organizations----that can put their data into public data respositories and publish it in studies? Or the security risks that a particular public respository can be hacked?

• Are MDVIP's patients coreced into taking Navigenics tests by their doctors? Most patients want to do what their doctors recommend. What is the consent process?

• Did MDVIP contractually sell or give their patients' genomic data or to Navigenics to own or sell? Should the public trust Navigenics, a for-profit corporation, when personal genomic data is a very valuable commodity?

• Should any for-profit collaboration "define the standards in which preventive genomic medicine will be integrated into patient care for decades to come"? No consumer health privacy expertise, assessment, or input was sought.

• There is not yet an operational, trusted, consumer-led privacy certification organization to audit genomic testing corporations to certify they don't sell genomic data and that consumers control sensitive personal genomic data in their data bases. In the absence of a trusted privacy certification organization, the privacy principles developed in 2007 by the bipartisan Coalition for Patient Privacy or the Code of Fair Information Practices could be used as guides for building a genomic testing and preventive healthcare system that consumers will trust and be willing to use.

• Would MDVIP's patients still feel "the experience (was) positive", "empowered rather than anxious", and "desire to change their lifestyles and more productively work with their physicians" if they knew their doctors were paid by Navigenics and their data was sold and/or put in public data repositories with unknown security and privacy protections?

This blog is in response to the article: Physician network to use genomic-based preventive healthcare

Response to: Will Technology Cure Health Care — Or Kill It?

2008-10-22T13:28:00.001-05:00

Giving your genome to a for-profit corporation for testing today is a very dangerous act for the following reasons:

1) Americans NO longer have the right to health privacy! Today, your rights to health privacy in electronic health systems are nil. You have no control over personal electronic health information. Federal bureaucrats eliminated our rights to control the use and disclosures of personal health information in electronic systems in 2002. The media has not reported on this drastic elimination of every Americans’ privacy rights. See HIPAA's Intent v. Reality.

2) Once you reveal your genome, you will never be able to delete it from the private corporation’s data bases or make it private again. Why on earth would you pay someone to take and use the most personal health data that exists about you and your family for whatever purposes they choose? Think about Paris Hilton’s sex video, once it was out in cyberspace, it can never be private again. It will live for millenia on the Internet.

3) Why pay a private corporation like 23andMe or any other for-profit genetic testing lab to take your extremely valuable and sensitive personal health data and give it to them as a CORPORATE asset—to sell, to disclose to researchers for studies you might not want to be part of, to sell as an asset to employers or insurers or financial institutions, or even to sell to the US Government as part of the data profiles they are building on every American in Fusion Centers.

4) The legal duties of coporations are to stockholders, not to patients or people who buy genetic tests. Genetic testing labs like 23andMe can be bought by Google or the Bank of America or to a business that sells employers genetic snapshots of future employees’ potential illnesses. Even if you trust a genetic lab—-you have no control over whether that corporation is sold to another corporation that you would never want to own your DNA.

5) Today’s health IT systems are notoriously insecure and hackable. An industry study of 850 electronic health records systems found ALL of them could easily be hacked. See Article.

What assurances do you have that the lab’s database is secure enough to prevent your genome or genetic tests from being stolen?

6) It is crtical to understand that giving ownerhsip of a personal asset like your DNA or genome to a corporation is a very bad idea. Not only do you put your future opportunities at risk, you endanger your entire family’s futures at the same time.

As a practicing physician who has spent over 30 years listening to patients whose sensitve medical records were used against them by employers or used to humiliate them or harm them in public, I am very well aware of how personal health information is used to harm people and ruin lives. I founded Patient Privacy Rights because health information should never be used except to help you get well or for research WITH your informed consent. No one should be denied a job or a promotion because of fears about their future health.

Because of the lack of privacy, 600,000 people refuse to seek treatment or early diagnosis for cancer and 2,000,000 refuse treatment for mental illness. 150,000 Iraqi vets refuse treatment for PTSD because they fear their treatment will not be private. The result is the highest rate of suicide among active duty military in 30 years. The lack of health privacy kills.

Current law is just not enough to protect health privacy. GINA is not enough. We need Congress to restore our longstanding Constitutional, legal, and ethical rights to control personal health information. Without that right firmly re-established in Federal law, giving ANYONE your sensitive genomic or health information is a very bad idea.

Check out our website. You can sign up for e-alerts about health privacy in the Digital Age. If we are able to restore control over our personal digital health information, then we have a powerful model for building personal control over ALL our personal electronic data (financial, email, phone records, purchases, etc). If you do not fight for your privacy rights, who will?

If EVERYTHING about you is for sale and can be seen by everyone, will you continue to have your precious liberties and freedoms?

See Original Article

Missing Laptop Keeps Firm From Registering New Fliers -- by Joseph Galante

2008-08-06T11:59:00.001-05:00

Verified Identity Pass (Clear), a firm that specializes in keeping fliers sensitive personal information secure, doesn't encrypt data and had a laptop stolen. Do you think your sensitive health information is any safer in the healthcare system? ….Remember the stolen NIH laptop that had unencrypted data? What about your local hospital? Will your local hospital do a better job than UCLA Medical Center in keeping snoops out of your records?

Here's what Verified Identity Pass says about security and privacy. They had an audit by Ernst and Young, but apparently it didn’t mean much:

Clear's Commitment to Privacy

"Since our founding in 2003, we have been committed to the privacy and security rights of our members. We have created an exhaustive privacy and data security program and we will always clearly communicate any changes to that program with members.

We are committed to the transparency of our privacy practices and that's why we have instituted open, independent checks on our privacy promises, including an independent and public security and privacy audit, the appointment of an independent privacy ombudsman, and an unprecedented Clear Identity Theft Warranty.

In June, 2007, Ernst & Young LLP concluded a comprehensive, independent audit of our privacy policies and practices. This was the first ever independent privacy audit conducted for a national registered traveler program."

View Full Article

Equipment losses still plague VA: GAO report -- by Joseph Conn

2008-08-06T11:53:00.002-05:00

This is powerful story because the expert quoted points out that most organizations do not bother to account for lost or stolen equipment that costs less than $2,000. That means laptops and PDAs. Worse---these organizations have NO IDEA whose data was even on the mobile devices, so they cannot notify anyone! Makes you feel REALLY safe.

This should be highly relevant to Congress--as it drafts requirements for encrypting data and breach notification.

View Full Article

Job 1 for the AHIC successor? -- by Nancy Ferris

2008-07-30T11:55:00.000-05:00

Notice how the for-profit research industry wants access "baked" into all EHRs up front for research uses, to avoid getting individuals' consents.

They call this a "value case" for the nation's electronic health system. What great Lakoffian re-framing and propaganda. How do you argue against "value"?

It’s a "value" alright, just not a "value" for patients, because it sets up a system that is both unethical (no consent) and illegal (violates Amercians' longstanding rights to privacy).

The story says the research industry wants open access to "de-identified" data, but that is NOT what they tell Congress or the regulators. They say they must have access to longitudinal data, which CANNOT be de-identified, because most research cannot be conducted using de-identified data.

The new AHIC 2 will be industry-driven and industry-paid for, with so-called "standards" being devised to meet the needs of corporations, not to adhere to the laws and ethics that governed the healthcare until the '90's and the advent of electronic systems for health data.

Today there are 'smart' technology solutions to make consent easy, cheap, understandable, and instantaneous (see the consents on HealthVault by application partners for a preview of how simple and clear and specific consents can be). Electronic consents can be interactive and actually explain things, rather than be densely written in legalese so no one understands them.

Why continue to use the kind of privacy-violating blanket coerced consents that were necessary in the paper health system? 'Smart' technologies can do a far better job. Using robust consent management tools, we can obtain valid and easy-to-understand specific, time-limited, and cheap consents from millions instantaneously.

View Full Article

Military health forum envisions clinical analytics -- by Peter Buxbaum

2008-04-02T11:57:00.001-06:00

David Winn is right, when you sign up for the military, you have to do whatever they say.

The problem is that the Administration and the federal government has the same thing in mind for every American--no control over access to PHI.

The payers think they own our PHI and should be able to do whatever they want with it--even though it's both illegal and unethical. That is why industry is pressing Congress to pass an HIT bill without consumer control over access to PHI. BUT---people will lie or not participate in electronic health systems if their data is used without consent---which means we will never get the kind of research we want because the data analyzed will be incomplete and flawed.

Americans just want to be asked for consent for research and be sure that HIT systems are safe and secure.

View Full Article

Electronic Health Records wired for abuse

2008-03-29T12:47:00.001-06:00

“Oops! They did it to Britney again.” No, it’s not a song parody, but a reflection of the poor state of American health privacy - something Bay Staters should think about as their Legislature considers a bill to mandate Electronic Health Records (EHRs).

Staff members at UCLA’s Medical Center are under investigation over allegations staffers accessed Britney Spears’ medical records earlier this year. Sadly, this is not the first time individuals other than the paparazzi violated Spears’ privacy; staffers also took inappropriate peeks when her first child was born.

...

Most Americans think the Health Insurance Portability and Accountability Act (HIPAA) protects their privacy and that the HIPAA notice they sign at the doctor’s office lists all of their rights to privacy. In fact, that HIPAA notice lists the vast number of ways their private health information can be used, without asking and over objections.

HIPAA was originally intended to protect privacy. Regulators earlier in this decade rewrote the rule to sanction disclosure of medical information for treatment, payment or health care operations.

“Particularly troubling about HIPAA’s Privacy Rule is the governmental authorization for covered entities to use patients’ confidential information without their consent for health care operations that are unrelated to “payment or treatment,” writes Dr. Richard Sobel, senior research associate in the Program in Psychiatry and the Law at Harvard Medical School. Sobel explains that “health-care operations” can include using information for marketing purposes, which normally would require written consent.

Data-mining firms were given a gift by the rewriting of the HIPAA Privacy Rule. Data-mining firms can obtain information about your prescriptions, treatment for mental health and genetic predisposition to illnesses. That information can be passed on to credit firms, marketing firms and even prospective employers.

...

Patients need progress and privacy in this digital era. The only way to ensure we get both, and avoid the negative “celebrity treatment” Spears received, is to ensure the health IT bill signed by the governor fully recognizes the right of patient consent.

View the Full Story

Privacy concerns mount amid the 'microchipping of America': Businesses seek patents on more applications for RFID

2008-02-11T13:35:00.000-06:00

RFID chips are being used more and more in health care. Today the main use proposed is to track whether you receive "authentic" or "fake" medications. The US pharmaceutical industry wants to track whether or not we take and refill brand-name medications. But this is a huge intrusion into the relationship we have with our doctors. If you don't want to take a medication for whatever reason: side-effects, costs, fears, feeling it does not work, etc------the person to discuss this with is your doctor, not a drug company! There are many valid reasons to change or stop medications. The only people qualified to decide whether you should stay on a particular medication or not are you and your doctor.

View Article

The Health Record Paparazzi is Above the Law and In Bed With Congress

2007-10-11T13:37:00.001-05:00

We learned today that all of us are a bit like George Clooney: the Health Record Paparazzi loves a celebrity, but it loves the average American just as well. Instead of intrusive cameras flashing and TMZ taping our every move, we have insurers, employers, hospitals, doctors, pharmacies, drug companies, marketers, creditors and banks digging around for our most personal, intimate information.

HIPAA protects no one, including movie stars. The HIPAA regulations were changed by a Bush appointee that defy the ancient doctor-patient promise that when a patient goes to their doctor, whatever they share will be kept private. No one can make that guarantee anymore. To see the fine print visit Patient Privacy Rights.

Over 4 million individuals and businesses can see and use our health records, without consent and over objections. HIPAA is so broad it is hard to imagine who doesn’t have a legal right to your most personal details.

The Health Record Paparazzi can be stopped -- but only by an act of Congress. Right now, Congress is working on legislation that will open up your health records even more. Everyone will have control over your health information except the patient.

We must have federal legislation that guarantees our right to control our most personal information and requires meaningful, enforceable penalties for everyone who shares our information without consent.