Thursday, December 31, 2009

The got it wrong... AGAIN!

See article: 'Meaningful Use' criteria released

Can you believe it? Doctors and hospitals that purchase electronic health records (EHRs) 'wired' for 'back-door' data mining will be paid to steal and use our sensitive health records without our permission!

The government and the massive health data mining industry won. Industry and the government’s plan to continue illegal and unethical data mining trumped Americans’ rights to health privacy.

The rules guarantee that employers, insurers, banks, and government will be able to use our sensitive health information---from prescriptions to DNA--- to discriminate against us in jobs, credit, and insurance.

Instead, the new interim rules for EHRs should reward the purchase and use of 'smart' EHRs with consent technologies so patients control who can see and use their health records.

The stimulus billions will be wasted because doctors and hospitals will be rewarded for using obsolete, unethical EHR 'clunkers'. Like the UK, the US will be forced to spend billions to correct a disastrously flawed national electronic health system that prevents patients from controlling their health records.

To understand the "meaningful use" criteria that SHOULD be required in EHRs, see the comments submitted to the Administration by the bipartisan Coalition for Patient Privacy, representing millions of Americans: http://www.patientprivacyrights.org/site/DocServer/LCoalition_to_HIT_PC_Meaningful_Use.pdf?docID=5681

When will the Administration and corporations get it? Privacy protections have to be tough and comprehensive if we want a national HIT system that consumers will trust and use.

To act, join www.patientprivacyrights.org to get e-alerts. Stop corporations and the government from using your sensitive health information for uses you would never agree to.

Monday, December 14, 2009

Facebook setting the standards for Health Care?

No laws forced Facebook to add more consumer control to who sees what --- the public did. See story: Facebook privacy revisions 'sign post' for healthcare

This is EXACTLY what will happen to the health care system when Americans find out they have NO CONTROL over over who sees, uses, and snoops in their electronic health information.

Patient Privacy Rights' job is to make sure they learn as fast as possible.

Sign up at www.patientprivacyrights.org for our e-alerts so you can help!

Thursday, October 29, 2009

Employers after DNA: GINA does not protect like you think.

See this CBS News article: Want A Job In Akron? Hand Over Your DNA

The idea that GINA protects genetic tests from being held or used by employers and insurers is wrong. Genetic tests ordered by your doctor at any other time--when you are NOT seeking a job or insurance--can be collected and used by your employer and insurer to make decisions about you.

Lobbyists for the insurance industry and employers got this massive loophole into the bill, eliminating the intended consumer protections. Instead GINA should have forbidden employers and insurers to ever collect or access genetic tests.

This is one of the key reasons we need Congress to restore OUR rights to control our personal health information, so WE can make sure employers and insurers do not get our genetic records. Genetic information is so sensitive it should ONLY be seen by health professionals directly involved in our treatment, or if we choose to participate in research and share it.

Monday, October 19, 2009

The Word Is Out: Do You Know Who Owns Your Health Records?

This WIRED article, Medical Records: Stored in the Cloud, Sold on the Open Market, is based on yesterday’s NYTimes story that closed by quoting Patient Privacy Rights.

It points out the 2 KEY ways that electronic health systems violate patient privacy:
• Health technology vendors sell patient records without consent
• It is impossible to de-identify health information, so promises that the data can’t be re-identified must to be verified by outside audits

The chart at the top of the story is from our website—it shows the millions: businesses and government agencies---that today can do whatever they want with our health records, including selling them for profit.

The ‘fix’ is that Congress must restore patients’ rights to control personal health information------this right has been the foundation of the healthcare system for 2,400 years.

No one else should own our health records and no one should have access to them without our consent.

Saturday, October 17, 2009

Re-Identification. From Netflix to Health Records.

Today’s NY Times story points out the FACT that is very easy to re-identify supposedly “de-identified” information. Singer starts with how the Netflix “de-identified” data base was proven to be re-identifiable and moves on to describe Latanya Sweeney’s famous re-identification of the medical records of Gov Weld.

See the NY Times Article: When 2+2 Equals a Privacy Question

Friday, October 9, 2009

Open Source Research

See the Government Health IT article: NCI to open research grid to cancer patient 'army'

Women desperate to cure breast cancer are contributing their sensitive personal health information to "an army" of researchers.

But there is no reason that these altruistic women have to risk their futures and their daughters' futures to find a cure.

It's possible to do research without risking their futures and their daughters' and granddaughters' futures by using privacy-protective technologies and robust informed electronic consent. But this project does NOT protect the privacy of these generous and well-intentioned women.

The women's data can be downloaded by "thousands of users"--all of whom make copies of their extremely sensitive, IDENTIFIABLE records. The records are identifiable so that the women can be contacted by researchers.

Some of the major things wrong with this picture:
1) The NCI system allows “researchers (to) form and maintain large breast cancer disease databases.” Is there any way to tell if the security is ironclad, state-of-the-art? No.
2) How many copies will researchers make? How many times will the data be replicated and backed-up across the world? No way to know.
3) What countries will copies of the records be kept in? No way to know.
4) How many and which researchers will download and keep their data? No way to know.
5) The researchers must sign agreements to protect and not sell the data, but there are no 'data police' to enforce those agreements. If there are no 'data police' watching this data, how do the women know it's safe? No way to know.
6) What if a woman does not approve of a particular study or researcher who has their data? Can a woman prevent any researcher from using her information? No.
7) How will the data be handled after the research study is complete? How will the women know if it is destroyed? No way to know.
8) How safe is research access via a web browser? No way to know

The severe flaws in this plan are obvious. Fearful women desperate for cures are being exploited by the government and the research industry that designed these systems to serve their needs, NOT the women's rights to privacy. Putting such sensitive data out into cyberspace KNOWING it can never be retrieved or destroyed is grossly irresponsible. Like Paris Hilton's sex video, this data will live forever in cyberspace, risking future jobs and opportunities of every child of every woman desperate for a cure.

The NCI could do this a better way---we can have research and privacy at the same time. But the privacy protective technologies that can enable both are not being used. Why not?????

See our testimony Sept 18th at the national HIT Policy Committee and the many letters from the Coalition for Patient Privacy to federal agencies and Congress describing how to do research while protecting privacy.

And NO--the Genetic Information Nondiscrimination Act (GINA) DOES NOT protect our genetic data. It allows insurers and employers to have our genetic data and it has no enforcement. Zero. And HIPAA has no protections for genetic data either--it allows others to control and use our data without consent.

The cost of contributing to research should not be that your female descendents are unemployable. Unless data is protected, we will have generations of people who cannot work because employers will not risk hiring anyone at risk of getting a disease.

Friday, September 25, 2009

De-identified? Yeah, right.

See these articles:
Netflix Contest Seen As Posing Privacy Risk
Netflix is about to commit a privacy Valdez with its customers' viewing data
AOL, Netflix and the end of open access to research data

Once again Netflix plans to violate the privacy of those who rate the movies they rent. Two University of Texas computer scientists demonstrated that the Netflix database of 500,000 with movie ratings could be re-identified, revealing sensitive political and sexual preferences of the actual people who rated movies. Netflix did not get the consent of renters to expose their ratings to the public or ot researchers.

Yet Netflix is moving ahead to release even MORE personal data for its next million-dollar contest. The major media (NYT's STeve Lohr for example) has NOT reported at all on how Netflix is violating movie renters' privacy, but instead trumpets the prizes paid to those who develop more accurate ways to predict which movies you will want to watch next.

The problem of re-identification is VERY serious for the healthcare system because health data is impossible to de-identify. It is so rich in detail that de-identification is almost impossible.

Today, the treasure trove of all Americans' sensitive health data is being endlessly used and disclosed without informed consent to millions of "covered entities" and "business associates" (and their millions of employees)--subjecting EVERY American to the theft, sale, and misuse of the most sensitive personal information that exists.

Who will hire you knowing all about your prescriptions, illnesses and genes?

Saturday, August 15, 2009

Healthcare moving to Cloud Computing

Joe Conn looks more deeply into the problems of 'cloud' computing for the storage, exchange, and analysis of health data. See his article in Modern Healthcare: 'Healthcare is slow to change' to cloud environment

Today there is not yet a trusted organization to certify the privacy of electronic health records systems, whether on servers or in clouds.

Until the privacy of health data can be assured first with trusted security certification and then with a separate stringent privacy certification (proving that patients control the use and disclosure of their sensitive records) Americans will not trust that their data is safe.

Proof that consumers control personal data in clouds will be essential for trust in health IT.

So far all we have are promises of security and privacy. We won't trust without verification .

Wednesday, August 12, 2009

Who is tracking YOU?

On the Internet ALL your health searches about scary and stigmatizing illnesses, all searches or purchases of books on health, and all searches or purchases of medications and devices are tracked and sold.

It is impossible to search for health information privately via Google, etc.

Health websites take massive advantage of Americans' powerful expectations that ALL healthcare providers put their interests and their privacy first---expectations which come from the traditional doctor-patient relationship and the ethics that have governed Medicine for 2,400 years (derived from the Hippocratic Oath).

Americans are not yet ready to believe that every aspect of healthcare in the US is profit-driven, rather than driven by the ethical codes all health professionals swear to at graduation: the promises to "do no harm" and to "guard their secrets".

Americans are not yet ready to believe that Wall Street has taken over Medicine---and that instead of guaranteeing the strong health privacy rights Americans have under the law, Wall Street erases our rights to ensure shareholder profits.

View this story in the NY Times: Ads Follow Web Users, and Get More Personal

Tuesday, August 4, 2009

Security and Hacking, Real Fears

See the WSJ Article: New Epidemic Fears: Hackers

Securing health records in small doctor's offices and clinics is not easy: small offices can't afford Fort-Knox style data protection measures, like hiring security experts to make sure hackers aren’t getting into their systems. Even if electronic health records software includes encryption and other security features doesn't mean those features will be turned on and used.

• Now, many privacy advocates are concerned the administration's effort could end up making health information less secure. "If there isn't a concerted effort to acknowledge that the security risks are very real and very serious then we could end up doing it wrong," says Avi Rubin, technical director of the Information Security Institute at Johns Hopkins University.

• "As more information is shared, it is subjected to the weak-link effect."

• Mr. Osteen's efforts to safeguard information won't be useful if smaller providers he shares it with haven't made the same kind of security investments."

Friday, July 24, 2009

Bill O'Reilly is REALLY worried about the loss of his personal medical privacy...

So much so that he repeatedly returned to the topic while debating health care reform last night.

See Editorial with Video

68% of Americans share his fears and "Have Little Confidence that Electronic Health Records Will Remain Confidential" (see: Past Meetings: 7/21/09, slide #3 of the "Privacy and Security Work Group: Recommendations" presentation on the HIT Standards Committee website at: http://healthit.hhs.gov/portal/server.ptopen=512&objID=1271&parentname=CommunityPage&parentid=2&mode=2&in_hi_userid=10741&cached=true

O'Reilly debated with a doctor who doesn't seem to know that we have no control over our personal electronic health records, the massive damage that already causes, and how much more we will all be harmed if the Administration does not stop health IT systems from violating our privacy. Patient control over personal health information must be built into every electronic system up front.

Republicans, Democrats, Libertarians, and the majority of Amercians REALLY care about health privacy. The national concensus is that we should control who sees our health records; which has been our legal and ethical right since the nation's founding. Restoring the right to control PHI in electronic health systems will quell fears that the majority has have about electronic systems.

Quotes from the story:

• O’Reilly demonstrated his primary fear – almost panic – over the assumption that his medical records may not be private any more if President Obama passes some version of his healthcare bill. But enough with the foreplay -- O’Reilly dived right into his main fear. “My health records which are now in the hands of my private physician . . . they’re gonna be in Washington, right, so every malady that I have is gonna be seen by people in Washington. I don’t want that, do you want that?”

• After a little back and forth on the issue, O’Reilly repeated, “On a computer disk in D.C. will be what’s wrong with me . . . based on my medical history. It makes me very, very nervous.” Yes, we noticed.

• O’Reilly, again, focused worriedly on the privacy issue. “Let me ask you this,” O’Reilly posited. “It worries me that my medical history and your medical history is now gonna be on a disk in Washington, D.C., rather than the confidentiality of a doctor-patient, which we have had in this country for decades – that’s gone.”

• “The data is going to go to a bank in Washington, D.C.,” O’Reilly fretted. “ . . . I’m talking about you, Dr. Marc Lemont Hill, having a condition . . . with his program, it goes to D.C. and the bureaucracy decides how to treat you, not your physician. Doesn’t that worry you?”

• “So you don’t mind having your condition – whatever it may be – leave your doctor’s office and go to D.C. . . ,” O’Reilly said.

• O’Reilly hammered the privacy issue, once again, saying, “It’s going to a database that can be accessed . . . okay, if you don’t mind it, I do, and that’s a big concern of mine. We don’t have any privacy as it is in this country . . . .”

• Hill pointed out the bigger issue than the privacy of medical records (to most Americans, but not to O’Reilly) is 50 million uninsured Americans – and said that President Obama addressed that in the press conference.

• But the biggest question of all – what’s O’Reilly’s medical condition? The one O’Reilly is terrified might fall into the hands of the government? Is it really so awful that O'Reilly (not usually one to worry about privacy) is willing to kill health care reform just to protect it?

Wednesday, July 22, 2009

Genetic Privacy Debate hits Major League Baseball

The story highlights the use of DNA testing by 'employers'--Major League Baseball franchises. Baseball tests to verify the ages and identities of players from Latin America, but the test samples can also be used to detect familial genetic dieseases such as ALS (which Lou Gehrig had).

• “DNA contains a host of information about risks for future diseases that prospective employers might be interested in discovering and considering,” said Kathy Hudson, the director of the Genetics and Public Policy Center and an associate professor at Johns Hopkins University. “The point of GINA was to remove the temptation and prohibit employers from asking or receiving genetic information.”

The big problem is that the Genetic Information Non-Discrimination Act (GINA) does not stop employers or insurers from receiving or using genetic information. It isn’t enforceable.

Baseball players are not the only ones whose DNA and genetic tests can be used against them--the same thing can happen to all of us.

According to GINA, employers and insurers can't use genetic tests to discriminate against employees or enrollees in health plans, but there is no way to tell whether they do or not. Employers and insurers do not have to inform us if they have copies of our genetic or DNA records.

• Do you think an employer is going to tell you were passed over for a promotion based on your DNA?

GINA is toothless--it forbids bad behavior but there is no way to enforce it.

And Americans' genetic privacy is not protected by HIPAA. HIPAA makes it impossible for any of us to prevent OUR sensitive health information from being used by millions of 'covered entities' and 'business associates' for purposes we would never agree with--including using genetic tests to discriminate againts us.

Face Book users control who sees the personal information they post on their walls, but Americans can't control who sees their electronic health information. What's wrong with this picture?

The rules for spending $19 Billion on health IT are being written now. Now is the time we must press to restore control over OUR personal health data.

Stay tuned--sign up for our alerts and we'll tell you what you can do to save privacy.

Monday, July 6, 2009

UK Handing off their health records?

Federal Computer Week: U.K. mulls handing off national health records to Microsoft, Google

It will be interesting to see which one the UK chooses. Microsoft joined the bipartisan Coalition for Patient Privacy to urge Congress to restore consumer control over PHI in 2007. Google has not.

MS signed Coalition letters in 2007 and 2009, and agreed to support the Coalition's tough privacy principles and health privacy rights in electronic systems. HealthVault was built to adhere to the Coalition's stringent privacy principles. Open, public promises by major corporations are taken very seriously by federal regulatory agencies and consumer advocates.

The promises by the technology corporations that joined the Coalition are a rebuke to other HIT vendors and the data mining industry that will do anything to get their hands on PHI for all sorts of uses that patients would never agree to.

Today, the clearest sign of serious corporate commitment to health privacy rights is joining the Coalition for Patient Privacy and standing with consumers to build an ethical, legal HIT system---the only kind that will be trusted and succeed.

Tuesday, June 23, 2009

On HealthDataRights.org and their Declaration

HealthDataRights.org supports only ACCESS to personal health data--which is a no-brainer and a right Americans have always had. The stimulus bill makes clear that we all have the right to copies of our electronic health records because some providers have make them so hard to get.

But HealthDataRights does NOT support the most critical right of all: the right to CONTROL who can access and use our personal health data in electronic systems. They even claim "privacy" stops data flow and will stop research--which is a lie. Informed consent and control over our own data ensures it's there when we want it and ONLY for uses or research that we agree with.

HealthDataRights.org is a faux consumer rights organization, as revealed in their FAQs:

• "The organizers of HealthDataRights.org include doctors, researchers, software developers, writers, entrepreneurs, health economists, and many others who share a common goal of greater health data availability." TO WHOM WILL THE ENTIRE NATION'S DATA BE AVAILABLE? TO THE DATA MINING AND RESEARCH INDUSTRIES THAT WANT OPEN ACCESS TO OUR DATA FOR USES WE HAVE NO CONTROL OVER.

• "Some of us have seen clearly how restrictions on health data and medical records can lead to great pain and suffering—needlessly, in most cases." MILLIONS OF PATIENTS EVERY YEAR SEE CLEARLY HOW DANGEROUS HEALTHCARE IS WITHOUT PRIVACY AND DELAY OR REFUSE CARE, LEADING TO DEATHS FROM CANCER, PTSD, AND DEPRESSION---COSTING FAR MORE THAN IF TIMELY OR PREVENTIVE CARE WAS PRIVATE.

• "At the same time, we know that too often “privacy” is used as an inappropriate excuse to keep people from gaining access to their own health data and information, which they have every right under HIPAA and most state laws to view and access." CLAIMING PRIVACY AS AN EXCUSE NOT TO GIVE ACCESS TO PERSONAL HEALTH DATA IS WRONG OF COURSE, BUT WORSE AND FAR MORE DAMAGING IS EXPOSING HEALTH DATA TO THEFT, SALE, AND MISUSE BY MILLIONS OF HEALTH-RELATED BUSINESSES AND ALL GOVERNMENT AGENCIES.

• "Does this Declaration suggest people should have exclusive rights to their data?

"No, we are not suggesting that, although this is a thorny issue. Doctors need accurate information about their patients and are required by law to maintain this information. Labs are required to hold onto their test results for up to seven years. There are also health care organizations that use their patients’ or members’ data to suggest improvements to the care delivered to them, usually with a blanket permission signed by the patient at the initial visit and later forgotten. This is not necessarily a bad thing and may be very beneficial for patients, even though permission is not sought for each particular instance of that use. In addition, aggregated and anonymized, population data obviously is key to learning what is working for whom, what is cost effective for whom, and what is the best way to treat any condition for whom. We are supportive of organizations that are endeavoring to improve public health by learning from population data. An “exclusive right” could be read as contradictory to that. What we do affirm, strongly, is that people do have a right to their own data."

PATIENTS SHOULD HAVE EXCLUSIVE RIGHTS TO THEIR HEALTH DATA----EVEN NEWT GINGRICH SAYS AMERICANS SHOULD "OWN" THEIR PERSONAL HEALTH DATA.

THIS IS WHERE THEY STATE THAT THE RIGHT TO PRIVACY---THE BASIS OF THE HIPPOCRATIC OATH AND OUR STRONG EXISTING LEGAL RIGHTS TO PRIVACY---WOULD "BE CONTRADICTORY" TO PUBLIC HEALTH RESEARCH. PUBLIC HEALTH DATA IS COLLECTED BECAUSE OF LAWS THAT WERE DEBATED BEFORE BEING PASSED. BUT FUTURE "POPULATION HEALTH" RESEARCH USING ELECTRONIC HEALTH SYSTEMS WILL TAKE PLACE WITHOUT CONSENT BECAUSE EVERY ELECTRONIC HEALTH RECORD WILL BE "WIRED" FOR DATA MINING WITHOUT PATIENT KNOWLEDGE OR CONSENT. RESEARCH WITHOUT CONSENT VIOLATES MEDICAL ETHICS AND INTERNATIONAL TREATIES.

• Who is funding HealthDataRights.org?

HealthDataRights.org is entirely volunteer and has no funding. Any direct costs are being paid out of pocket by the individuals involved. THE INDIVIDUALS' NAMES ARE NOT LISTED.

You can see the story on HealthDataRights.org debut at: http://www.patientprivacyrights.org/site/News2?page=NewsArticle&id=9475&news_iv_ctrl=-1

Monday, June 22, 2009

But privacy is ALREADY gone!

Refer to Wall Street Journal article: Is Government Health Care Constitutional?

The authors fear that Americans' health privacy rights will be eliminated by health reform if a proposed "public plan" evolves into "single payer".

They are too late, there is no privacy (the right to control personal information) in the US electronic health system ---EXCEPT for the strong new rights Congress added to the stimulus bill: the ban on sales of PHI, the right to segment sensitive records, and the right to limit disclosure of PHI to health plans for payment or HCO if treatment is paid for out-of-pocket.

Our strong existing ethical and legal privacy rights (a powerful national consensus arrived at over 200+ years) are being totally ignored by federal and state government and industry.

The authors clearly don't know that we have no health privacy today or that privacy advocates in the bipartisan Coalition for Patient Privacy (representing 10 million Americans) work to restore those rights.

In 2002, amendments to the HIPAA regulations granted new rights to corporations and government to use ALL health data without informed consent for purposes no one would ever agree to AND eliminated Americans' rights to give consent before our data is used. See: http://www.patientprivacyrights.org/site/PageServer?pagename=HIPAA_Intent_Vs_Reality . In 1999, the HIPAA statute granted law enforcement unfettered access to all electronic health records without informed consent or any judicial process.

Both Democratic and Republican Administrations and Congress have contributed to eliminating patients' rights to control personal health information. The ONC-Coordinated Federal Health IT Strategic Plan: 2008-2012, requires all EHRs to be "wired" for data mining and requires every citizen to have an EHR by 2014.
See: http://www.patientprivacyrights.org/site/DocServer/HITStrategicPlan08.pdf?docID=5161

The Federal Strategic Plan grants "back door" access to the nation's electronic records to government agencies; to the for-profit research industry for P4P, QI, population health, genetic research (personalized medicine), etc; and to the insurance industry to detect fraud (this is one of the most offensive and discriminatory measures planned--the last people patients want to have MORE access to sensitive health records are insurers and employers).

Key Quotes:

• The Supreme Court created the right to privacy in the 1960s

• the justices posited a constitutionally mandated zone of personal privacy that must remain free of government regulation, except in the most exceptional circumstances.

• Taking key decisions away from patient and physician, or otherwise limiting their available choices, will render any new system constitutionally vulnerable.

• if over time, as many critics fear, a "public option" health insurance plan turns into what amounts to a single-payer system, the constitutional issues regarding treatment and reimbursement decisions will be manifold. The same will be true of a quasi-private system where the government claims a large role in defining acceptable health-insurance coverage and treatments. There will be all sorts of "undue burdens" on the rights of patients to receive the care they may want. Then the litigation will begin.

• In crafting the law, however, its White House and congressional sponsors must keep privacy -- that near absolute right to personal autonomy they have so often praised and promoted -- squarely before them. The only thing that is certain today is that the courts, and not Congress, will have the last word.

The authors tilt at the wrong windmill --not realizing they are too late: the privacy for health data in electronic systems is already GONE. We hope they will join us and work to RESTORE Americans' longstanding ethical and legal rights to health privacy--regardless of a "public plan" or whether it turns into "single payer".

Tuesday, May 19, 2009

Data-mining: Australia Just Calls It Something Else

In Australia, the data mining industry pays doctors to sell patients' prescription records. In the US they pay pharmacies, hospitals, and PBMs. See Article.

A complaint to the Australian Privacy Commissioner was dismissed because the data miners claimed that patients and doctors were "de-identified". But it is very difficult to fully de-identify personal health data so that re-identification is impossible. If true, the industry should have offered proof that their methods actually work and that the data cannot be re-identified.

As in the US, the theft and sale of personal prescription records is rationalized with claims that it can be used to "provide valuable insight into healthcare trends-- including the spread of infectious diseases". The word that describes using data to provide "valuable insights" is "research". It happens to be both illegal and unethical to do research without informed consent.

Sunday, May 17, 2009

HIMSS & Who is Promoting HIT in Stimulus Spending?

This story tells how HIMSS and Harvard's Blackford Middleton promoted spending billions on health IT in the stimulus bill.

HIMSS and Blackford believe that health technology will be the silver bullet that enables healthcare reform and kills/slows higher costs. That may be possible, but is highly doubtful because the billions are such a bonanza for the health IT industry.

Will this be yet another example of the stimulus billions being used to prop up large corporations, but not to save individual patients who are sick?

Not only does most of health IT vendor industry NOT care about whether healthcare reform succeeds or not, they actively fought to weaken Americans' rights to privacy and security. By law, industry cares about maximizing revenue, not treating the sick.

So the BIG question is: will the government require all electronic health records systems to have the tough privacy and security measures the public expects and needs to trust these systems? Will the government require electonic health systems to build in our legal and ethical rights to privacy up front?

Most of the HIT industry lobbied to sell the same old dinosaur products and against privacy. The incumbents are very powerful and not interested in change OR IN OUR PRIVACY RIGHTS.

Tuesday, May 12, 2009

Financial System vs. Healthcare System

The financial system is often lauded as being good at protecting Americans' sensitive financial and demographic data, but the evidence is not so clear. Heartland had a massive breach of credit card data in its system of sponsored banks. In addition to the $12.6 million in costs, it will also have to pay to "implement end-to-end encryption when payment data is sent from the merchant to the processor".

Will breaches of healthcare data cost any less? That is highly doubtful. The pain and exposure is far worse and there are NO remedies. The privacy of health data can never be recovered or restored. With identity theft you can eventually recover from the damage and restore your credit.

Plus its harder to protect electronic health data because there is SO MUCH MORE sensitive personal data than exists in financial systems. Payment and credit card data are just the start, everything is included in electronic health systems, from prescriptions to DNA.

And compared to the financial industry, the healthcare industry has millions more employees----of insurers, hospitals, pharmacies, data management and data warehousing corporations, HIT vendors, and even state and federal government agencies----who all have access to sensitive data.

See article "Heartland breach cost $12.6 million, CEO says"

Monday, May 11, 2009

First HIT Policy Committee Meeting on Stripping Privacy Away?

No surprise the new HIT Policy committee is gearing up to eliminate privacy, i.e. patient control over personal health information, using the excuse that the entire nation's records are needed for biosurveillance and research without informed consent. See the quotes from Drs Calman and Clark. The title of the article says it all: "Committee studies public health, research".

The committee is dominated by industry appointees who will make sure the policies they come up with grant unfettered government and industry access to Americans' most sensitive personal data, from prescriptions to DNA.

What they don't get is they will lose the public's support and trust if they build a system where everyone's health records can be data mined for any research purpose. A Westin/Harris IOM poll found only 1% of the public would allow researchers unfettered access to their electronic medical records. The government and the research community are completely at odds with the public's rights to health privacy.

The reality is millions of Americans already refuse to participate in healthcare systems that harm them because they have no control over their medical records.

HHS noted in the Preamble to the HIPAA Privacy Rule that 600,000 Americans/year avoid early diagnosis and treatment for cancer because treatment records are not private private. Two million people/year with mental illness avoid diagnosis and treatment for the same reason: their records are not private. The Rand Corporation found that 150,000 Iraqi vets refuse treatment for PTSD because their treatment is not private, resulting in the highest rate of suicide in active duty military personnel in 30 years.

Can this commitee face reality when they have severe conflicts of interest and want the use of Americans' health data?

The lack of privacy drives millions away from healthcare. And the lack of privacy causes suffering and death--bad outcomes.

It looks like patients' and consumers' best hope for preserving their health privacy rights in electronic systems may be Gayle Harrell. She may be the only committee member who can face reality.

Wednesday, May 6, 2009

A Start to Securing PHI?

Sometimes press releases for new products tell us far more about the risk of identity theft in electronic health systems than the mainstream press or trade journals.

Check out this zinger quote: "Most organizations don't even know where their PHI is." Why doesn’t the mainstream press tell the public that the health care organizations (like hospitals) have no idea where all their sensitive personal health data resides?

How about this: "The software (Identity Finder) automatically finds PHI such as social security numbers, medical record numbers, dates of birth, driver licenses, personal addresses, and other private data within files, e-mails, databases, websites, and system areas. Once found, the software makes it simple for users or administrators to permanently shred, scrub, or secure the information." Emails? Who sends drivers license numbers, SS#s, and Dates of Birth in emails? Clearly lots of healthcare organizations do.

We can only hope products like this sell.

See full article at http://news.prnewswire.com/DisplayReleaseContent.aspx?ACCT=104&STORY=/www/story/05-05-2009/0005019328&EDATE

Monday, May 4, 2009

Reducing Cost or Care? Orszag on HIT

Fascinating 'insider' article on the budget process and the Orzag/Obama plan to reduce healthcare costs by building a health IT system 'wired' for data mining:
"At the core of both the stimulus bill and the Obama budget is Orszag’s belief that a government empowered with research on the most effective medical treatments can, using the proper incentives, persuade doctors to become more efficient health-care providers, thus saving billions of dollars. Obama is in effect betting his Presidency on Orszag’s thesis." (See Article)

"Orszag seems more right than wrong about how to bring down health-care costs, but the truth is that, while there is obviously a great deal of waste in the American medical system, nobody knows for certain whether Orszag’s plan—which is now Obama’s plan—will work."

The plan relies on building HIT infrastructure to obtain the data for "comparative effectiveness" research. Republicans question whether this research approach can reign in healthcare spending enough and also fear it will lead to "vast government intrusion into the doctor-patient relationship". And the plan relies on building an HIT system to data mine ALL data without informed consent.

Our problems with the plan:

1) Orzag/Obama want ALL health data without informed consent for research, which is unethical, illegal, and destroys patient trust in doctors.
2) Orzag/Obama do not seem to realize that compelling the use of all health data will INCREASE the number of Americans who avoid treatment altogether (already in the millions). Many Americans know that avoiding care is the only way to keep health data private.
3) Millions avoiding treatment means millions delay care or never get care, increasing bad outcomes, deaths, and costs.
4) But worst of all for proponents of research: they won't get the data needed to learn what works best unless they restore privacy and patient control over data. Researchers cannot get the results all of us want with missing and inaccurate data!
5) To find out what the most effective treatments are for many costly conditions we have to actually have all the data in our systems. Today millions of people with Depression and Addiction have NO data in the system because they pay for private care or attend AA or NA so NO data is ever generated.
6) It will be a tragedy never to find out what treatments are most effective---and a HUGE waste of the billions of stimulus dollars to build an HIT system without privacy.

Key Quotes from the article:

• The deficit spectre has loomed over every major debate. The most contentious issue has been health care.
• Orszag came to the debate with a third option, which combined Summers’s concern about deficits and Daschle’s insistence that Obama tackle health care this year. He argued that health-care reform is deficit reduction.
• At the core of both the stimulus bill and the Obama budget is Orszag’s belief that a government empowered with research on the most effective medical treatments can, using the proper incentives, persuade doctors to become more efficient health-care providers, thus saving billions of dollars. Obama is in effect betting his Presidency on Orszag’s thesis.
• Orszag, despite his image as a number-crunching technocrat, considers himself an activist.
• At Princeton, he wrote his senior thesis on the relationship between the Federal Reserve and Congress. One of his conclusions was that “it is clear that Congress suffers from a lack of understanding of even the most rudimentary economics.” Orszag’s paper won an award for the best thesis that year in international economics or politics.
• At the Congressional Budget Office, Orszag hired specialists in health-care economics and turned the institution into a clearinghouse of information about rising health-care costs. When I asked him whether he was an advocate for policies at a place that was supposed to be nonpartisan, he replied, “I would say I was activist.”
• Kent Conrad, the chairman of the Senate Budget Committee, has made eradicating the federal budget deficit his life’s work. He told me that he picked Orszag to run the C.B.O. in 2007, and repeatedly asked him to testify before his committee, because they shared a concern about long-term spending trends.
• If there was one aspect of the President’s budget that demonstrated Obama’s European sympathies, Ryan said, it was health care. More specifically, it was Orszag’s approach to curbing health-care costs. “He believes you need to set up this über-bureaucracy—the institute of comparative effectiveness—which we’ll put smart people in, and they will design the metrics and the processes on how medicine is to be practiced,” Ryan said. “And then the federal government will impose and enforce those processes. . . . It is precisely what they employ in England. It’s precisely what they employ in Canada.” Rather than celebrate Orszag’s attempt to rein in health-care spending, Ryan seemed horrified by it.
• Obama will spend the rest of this year fighting a war on two fronts. On one are Democrats protecting old-line economic interests: oil, gas, and coal companies; agribusiness; student-loan companies; and pharmaceutical companies and medical providers who fear that Orszag’s ideas for cutting health-care costs will hit them hard. On the other are institutional interests. Obama will be battling committee chairmen who oppose his Pell-grant reforms, and placating senators who resent his willingness to use a feature of the budget process known as “reconciliation,” which limits debate and prevents the use of a filibuster, to pass his health-care plan.
• Orszag’s job is to defend Obama’s budget on all fronts, but he will be most deeply engaged in health care. I asked him how he could be so sure that his ideas about how to reduce health-care costs would work, mentioning that I had been surprised to learn that Paul Ryan and other Republicans had seized on health-care cost controls as the issue they believed would bring down Obama’s health-care plan and, with it, they surely hoped, his Presidency. Specifically, they believed that Orszag’s obsession with “comparative effectiveness,” research about which treatment options work best for a given ailment, will lead to vast government intrusion into the doctor-patient relationship. The research, which received major funding in the stimulus legislation and which was also included in Obama’s budget, had assumed a sinister meaning on the right.
• Orszag dismissed the criticism as a caricature. “I don’t see how it interferes with the doctor-patient relationship to suggest that it would be better if your doctor had more information about what would work for you,” he said. “The best way of putting it is that your doctor shouldn’t have disincentives to give you the higher-quality care, which often happens now.” Far from a huge government bureaucracy, he proposes a simple adjustment of incentives: “You get paid more if the treatment has been shown to be effective and a little less if not.”
• Orszag seems more right than wrong about how to bring down health-care costs, but the truth is that, while there is obviously a great deal of waste in the American medical system, nobody knows for certain whether Orszag’s plan—which is now Obama’s plan—will work.
• As Orszag explained his ideas, I couldn’t help remembering an encounter I had with him one day in the hallway at O.M.B. I told him that I had read his Princeton undergraduate thesis. He looked at me and smiled a little sheepishly. He said that at some point after his arrival at graduate school, in London, he had had a sudden realization: that he had made a mistake, and the crucial formula that he had used in his thesis, the one that had won him the prize, was incorrect. “It was so innovative,” he said, “that it was wrong.”

Wednesday, April 29, 2009

More than just google

In response to the Consumer Watch article: "U.S. Senate Records Reveal Google Inc. Lobbying Campaign On Personal Medical Records Law Despite Internet Giant's Denials"

This story is of interest because the public has no idea which corporations lobbied against their privacy rights in the stimulus bill or how much was spent overall to try to eliminate health privacy.

The focus on Google alone is misleading and actually distracts from the real work of informing the public about the major health-related industries that have long opposed Americans' privacy rights. The real question is which other industry giants that are not household names lobbied against privacy?

The total lobbying money spent by the massive secret health data mining industry, insurers, hospitals, and big Pharma to oppose Americans' rights to privacy far exceeds Google's lobbying expenses.

If we don’t know who all the culprits are, we can't stop them and restore privacy.

The most dangerous enemies of privacy are the ones we don’t know about.

Thursday, April 2, 2009

Is not just celebs who need strong security and privacy for PHI

'Smart' EHR software designed for security, privacy, and compliance with the law and ethics, would allow only those who have your informed consent to access your records. Staff and employees who carry out the orders of your attending physician could access your records under the informed consent you give your physician, by electronically affirming they are part of your treatment team. Instead of primitive, legacy EHR systems that allow 10,000 hospital staffers or employees access to your records, in a 'smart' EHR system only the 100 or so directly involved in your treatment could get into your PHI, preventing 9,900 snoopers' eyes from seeing anything.

Is not just celebs who need strong security and privacy for PHI--what about women whose abusers work for hospitals? What about all the minor local celebs? Do you want your nosy neighbor who is a clerk to be able to read your records?

Stepping up employee snooping via retroactive audits is EXTREMELY expensive (major hospitals have to have large technical staffs to be able to audits millions of accesses looking for those that should not have occurred). 'Smart' consent technologies exist. Retroactive audits for improper access are like looking for needles in a haystack UNLESS you are Nadya Suleman or some other celebrity whose EHR is being actively watched. Why not keep the horses from getting out of the barn in the first place?

Refer to COMPUTERWORLD story: "Kaiser fires 15 workers for snooping in octuplet mom's medical records".

Wednesday, March 25, 2009

RealAge sets new low...

RealAge sets a new low for unscrupulous behavioral targeting to sell drugs.

Is the RealAge quiz an unfair and deceptive trade practice? Where is informed consent?

Do the 27 million who took the test to find out if they are younger or older than their "biological age" really know that they are giving detailed information so RealAge can market drugs to them?

RealAge illustrates a critical problem with almost all health-related websites: people are actually going there for help - they appear to offer services, so people expect that health websites follow medical ethics and protect their privacy. But they don't. Health websites are not altruistic and don't adhere to medical ethics or privacy rights. Health-related websites offering rating scales, searchers, or information about diseases and treatments are typically just as deceptive: they also are designed primarily to collect personal information for personally-targeted marketing or worse.

View the New York Times article Online Age Quiz Is a Window for Drug Makers.

Tuesday, March 10, 2009

Stimulating Health IT

Health Affairs Briefing: Deborah Peel, MD, founder & chair of Patient Privacy Rights, represents consumers in a discussion of Health Information Technology and how to proceed with privacy. Learn more and find how you can attend.

Tuesday, February 24, 2009

From Sharing Music to Sharing Medical Records

Scientific American gets it. Do you? View story here.

Dr. Eric Johnson's latest study is out. Our job is to inform the public and Congress, who are continually being falsely reassured that health IT systems are secure and private by spinmeisters for the insurance, hospital, drug, Health IT, and health data mining industries.

Industry's blatant false promises of security and privacy are something we have been urging FTC to investigate (as false and deceptive trade practices) and the new Administration should understand to ensure that the stimulus funds are not spent on primitive health technologies with abysmal security and no consumer control over PHI. We need 'smart' health IT, 'smart' human processes, and we need the health care industry to step up and use them, so we have trusted electronic systems and don’t waste the stimulus billions.

See Dr. Johnson's paper here.

The research examined samples of health-care data disclosures and search activity in peer-to-peer file sharing networks of the top 10 publicly traded health care firms (using Fortune Magazine's list) over a two-week period. More than 500 hospitals were represented in the 10 organizations. 3,328 files were collected for the study.

•"data losses in the healthcare sector continue at a dizzying pace"
•"Far worse than losing a laptop or storage device with patient data (Robenstein 2008), inadvertent disclosures on P2P networks allow many criminals access to the information, each with different levels of sophistication and ability to exploit the information."
•"Many of the documents were leaked by patients themselves. For example we found several patient-generated spreadsheets containing details of medical treatments and costs--likely for tax purposes."
•"we found a hospital-generated spreadsheet of personally identifiable information on recently-hired employees including social security numbers, contact information, job category, etc"
•"For a hospital system, we found two spreadsheet data bases that contained detailed information on over 20,000 patients including socials security numbers, contact information, and insurance information."
•"For a mental health center, we found patient psychiatric evaluations."

Where is the mainstream and trade journal reporting on this???

Tuesday, February 3, 2009

Identity Theft Through Your Health Records

This post reflects on the article in the Denver Post: Uncovering the Identity Trade Business.

This story details identity theft by a Denver hospital employee. It is a single instance, but it shows how easy it is for any hospital employee, anywhere to steal patients' identities.

Hospitals will become a major source for identity theft because today's primitive, poorly designed health IT systems allow thousands of employees access to all patient information--including what's needed to steal identities. Not only can thousands of hospital employees see every patient's medical records (think George Clooney and Farah Fawcett--whose records were sold to the Enquirer), they can see and steal the demographic and financial information too.

For whatever reasons, the media has primarily reported on how wonderful electronic health systems are without explaining the severe risks they pose to privacy and the new problems they can create (errors, downtime, work flow obstacles, data sales, lack of interoperability, etc).

The health IT stimulus bill with $20B for HIT needs very strong consumer protections to ensure that the current 'norm' for hospital electronic health systems, ie badly designed, open access systems, is replaced by systems that only allow access to the few staff members the patient has given permission to see and use his/her electronic records. The current HIT bill does not require the use of consent management technologies to restore patient control over PHI.

Sunday, February 1, 2009

Treasury Moves to Restrict Lobbyists From Influencing Bailout Program

Will we see the same kind of problems the Treasury Dept has had when HHS allocates the 20 Billion in funds for HIT? Will HHS limit the massive health industry's lobbyists influence over how HIT funds are spent? Will HHS turn to real consumer coalitions like the Coalition for Patient Privacy for guidance instead of faux consumer, industry-funded trade organizations?

The dominant HIT industry lobby wants to ensure that Americans get primitive, legacy HIT products and systems, instead of innovative privacy-protective technologies.

If the stimulus dollars are used to purchase existing health IT products that don't restore consumers' rights to control the use and sale of personal health information, corporations will continue to "lock down" and own our personal health information. See Peter Neupert's comments:

Peter Neupert of Microsoft recently wrote in a TechNet blog about the health IT industry: "The thing is, nobody can make good decisions without good data," Neupert wrote. "Unfortunately, too many in our industry use data 'lock-in' as a tactic to keep their customers captive. Policy makers' myopic focus on standards and certification does little but provide good air cover for this status quo. Our fundamental first step has to be to ensure data liquidity—making it easy for the data to move around and do some good for us all."

• The health IT industry's 'customers' are the large hospital chains, health plans, labs, pharmacies, PBMs, and other health-related corporations that collect, store, handle and sell Americans' personal health information from prescription records to DNA. They do not serve the public or have much regard for our legal and ethical rights to control personal health information.

The people who can't make good decisions without the data are patients and doctors! We have almost no access to our own electronic health information. That's our personal health data Neupert and Kibbe wrote about---and they make it clear that industry believes it owns our data.

The last thing Americans need is for the HIT stimulus funds be used to buy outdated, primitive technologies without meaningful or comprehensive privacy protections. That's a prescription for waste and failure. Will the initial consumer privacy protections in the stimulus be nullified by purchases of inferior, privacy-destructive technologies?

View the Washington Post Article: Treasury Moves to Restrict Lobbyists From Influencing Bailout Program

Friday, January 30, 2009

The true problems in HIT

The experts quoted are correct that cost, interoperability, difficulty of use, work-flow disruption, and lack of proof of safety/effectivenss are good reasons not to spend $20 billion in HIT stimulus money on bad products (the equivalent of buying SUVs instead of hybrids and electric cars).

But Kibbe and Klepper should look beyond their own perspectives to consider the wider context and the real make-or-break issue: what must EHR systems have to ensure the public's trust and willingness to use them?

Of course, doctors must be able to afford, easily use, and know that EHR systems actually work and are effective, but systemic failure is inevitable unless patients trust electronic systems. Today's health IT systems and products are not even close to meeting the public's expectations for control over personal data and and ironclad security.

From the consumer perspective, the worst defects in today's EHR systems are:

1) Patients have no control over the use or disclosure of their personal health information in these systems.

2) Doctors, hospitals, labs, pharmacies, PBMs, insurers, data miners, data aggregators, etc, etc, and software vendors control the disclosure, use, and sale of the nation's personal health information.

3) Most of today's EHR technology is extremely primitive (20-30 years old) and does not comply with patients' longstanding legal and ethical privacy rights:
•most EHRs do not have the functional capacity to segment sensitive records
•human-readable audit trails of disclosures are not required, so patients have no way to know who snooped in their records or where their personal health information has been sent or sold
•the security measures are abysmal. CIO magazine story from 2006 reported that all 850 EHR systems examined could easily be hacked: http://searchcio.techtarget.com/originalContent/0,289142,sid182_gci1273006,00.html

The most important reason not to buy $20 billion dollars worth of dinosaur EHR technology is that consumers will NEVER trust electronic health systems unless they control sensitive personal data and unless the systems have state-of-the-art security to prevent the frequent breaches, losses, and thefts of millions health records.

Until the American public has PROOF electronic systems can be trusted, failure is inevitable. Why not build EHRs and the electronic health system right from the start, rather than spending billions later to rebuild?

Must we repeat the mistakes made in the UK? The NHS system was built without patient control over data. Billions of dollars and many years were wasted before the government realized that forcing patients into an electronic health system that shares data without consent doesn't work.

View the full story referenced

Tuesday, January 27, 2009

Pro-Privacy Will Continue to Grow

More and more genuine consumer pro-privacy groups ---as opposed to privacy-lite, industry-supported, faux consumer organizations---are speaking out to restore privacy in electronic health systems. Support for privacy rights will build and build. There may be set-backs, but we cannot be stopped. See this recent article on Consumer Watchdog supporting patient privacy.

The real reason privacy will win is simple and practical: electronic systems will never be trusted or work unless consumers control personal health information.

In the words of Justice Brandeis: "The right to be let alone is the most comprehensive of rights and the right most valued by civilized men. To protect that right, every unjustifiable intrusion by the government upon the privacy of the individual, whatever the means employed, must be deemed a violation of the [Constitution].” Justice Brandeis 1928.
Olmstead v. United States, 277 U.S. 438, 478, 48 S.Ct. 564, 572 (1928) (Brandeis J., dissenting).

Brandeis dissented from the conventional wisdom of his time. Today we are the dissenters from the CW of our time, but like Brandeis' dissent, ours will prevail.