1. Will patients trust physicians in the Digital Age? It depends on EHRs, HIEs, and you November 3, 2011 Deborah C. Peel, MD (c) 2011, Patient Privacy Rights. All rights reserved

2. I.Today Americans have no privacy/control over electronic health information II. History of health privacy what happened to the right of consent consequences III.Americans’ expectations/ long-standing rights IV.Key problems high value of PHI (protected health information) government/Congress not protecting citizens public/industry/govt: misaligned interests

3. I. No privacy/control over personal information (health data, Internet, pictures, location)

4. IT EverythingIT Everything A witness to history in healthcare information technology. For now, trust no one on Internet privacy By Joe Conn FCC Chair Liebowitz: “One day you might be printing out a CDC fact sheet on alcoholism to help your son with a project for health class,” he said. “Or you order a box of your mother's favorite candy to take her when you go visit. You know you are a dutiful parent, but an employer could see a boozy job applicant. You know you're a thoughtful daughter. But a health insurer could see a destined diabetic.” http://www.modernhealthcare.com/article/20111020/blogs02/310209999#

5. IT EverythingIT Everything A witness to history in healthcare information technology. Ubiquitous “leakage” of personally identifiable information (pii) from one web site to another 113 (61%) of the 250 most popular websites leak user names or user IDs ‘trivial algorithms’ can identify 70%+ of individuals with “precision” via user names from Google, eBay and public profiles FTC and FCC: consumers should be able to “opt out” of online tracking Liebowitz: “opt-out” will be difficult but necessary

6. BUSINESS Physician texting provides quick communication -- and an easy way to violate HIPAA By Pamela Lewis Dolan Posted Oct 31, 2011Pamela Lewis Dolan Many physicians don’t encrypt ignorance or recipient can’t decrypt College of Healthcare Information Management Execs: 96.7% allow texting of orders 57.6% don’t use encryption pii (sex, Dx, adm date, room#, etc) violates HIPAA http://www.ama-assn.org/amednews/2011/10/31/bica1031.htm

7. THE WALL STREET JOURNAL SEPTEMBER 26, 2011 Health-Care Industry: Heal Thyself Safeguarding patient information is especially important. And especially difficult. By M. ERIC JOHNSONM. ERIC JOHNSON Is controlling costs toughest challenge facing the U.S. health-care industry? Is safeguarding patient data harder? health-care industry lags behind corporate world in adopting integrated systems for security applications and data spread throughout departments = plenty of opportunities for leaks small, unsophisticated players handle sensitive information without tools to protect it devices such as insulin pumps can be hacked to deliver lethal doses Take inventory. Consider access. Make the technology easy to use. Educate the doctors. http://online.wsj.com/article/SB10001424053111904716604576542380296355702.html?grcc=88888&mod=WSJ_hps_sections_health

8. NHS told to abandon delayed IT project £12.7bn computer scheme to create patient record system is to be scrapped after years of delays Denis CampbellDenis Campbell, Wednesday 21 September 2011 The NHS has spent billions of pounds on a computerised patient record and booking system, which has never worked properly. The £12.7bn National Programme for IT is being ended after years of delays, technical difficulties, contractual disputes and rising costs. http://www.guardian.co.uk/society/2011/sep/22/nhs-it-project-abandoned?INTCMP=SRCH

9. Americans expect privacy and security but….

10. II. History of US health privacy

11. 2,400 years of consensus on privacy reflected in law and ethics

12. Hippocrates “Whatsoever I shall see or hear of the lives of men or women which is not fitting to be spoken, I will keep inviolably secret.”

13. The ethical codes of all the health professions require informed consent before use or disclosures of personal health information. “Since the time of Hippocrates physicians have pledged to maintain the secrecy of information they learn about their patients, disclosing information only with the authorization or the patient or when necessary to protect an overriding public interest, such as public health. Comparable provisions are now contained in the codes of ethics of virtually all health professionals.” Report to HHS, NCVHS (June 22, 2006)

14. Privileges A physician-patient privilege is recognized in laws of 43 states and the District of Columbia. The State of Health Privacy, Health Privacy Project (2000) A psychotherapist-patient privilege is recognized in the laws of all 50 states and the District of Columbia. Jaffee v. Redmond, 116 S. Ct. 1923, 1929 (1996)

15. Common Law All 50 states and the District of Columbia recognize in tort law a common law or statutory right to privacy of personal information. HHS finding 65 Fed. Reg. at 82,464 Ten states have a right to privacy expressly recognized in their state constitutions.

16. Constitutional protections “In fact, the constitutionally protected right to privacy of highly personal information is so well established that no reasonable person could be unaware of it.” Sterling v. Borough of Minersville, 232 F.3d 190, 198 (3rd Cir. 2000).

17. "The right to be let alone is the most comprehensive of rights and the right most valued by civilized men. To protect that right, every unjustifiable intrusion by the government upon the privacy of the individual, whatever the means employed, must be deemed a violation of the [Constitution].” Olmstead v. United States, 277 U.S. 438, 478, 48 S.Ct. 564, 572 (1928) (Brandeis dissenting)

18. What does ‘privacy’ mean? The NCVHS defined health information privacy as “an individual’s right to control the acquisition, uses, or disclosures of his or her identifiable health data”. (June 2006, NCVHS Report to Sec. Leavitt, definition originally from the IOM)

19. privacy = control

20. security ≠ privacy

21. Security Privacy = how many keys?

22. President Bush implemented the HIPAA “Privacy Rule” which recognized the “right of consent”. HHS wrote these regulations. 65 Fed. Reg. 82,462 HHS amended the HIPAA “Privacy Rule”, eliminating the right of consent. 67 Fed. Reg. 53,183 Congress passed HIPAA, but did not pass a federal medical privacy statute, so the Dept. of Health and Human Services (HHS) was required to develop regulations that specified patients’ rights to health privacy. Public Law 104-191 1996 2001 2002 “… the Secretary of Health and Human Services shall submit to [Congress]…detailed recommendations on standards with respect to the privacy of individually identifiable health information.” “….a covered health care provider must obtain the individual’s consent, in accordance with this section, prior to using or disclosing protected health information to carry out treatment, payment, or health care operations.” “The consent provisions…are replaced with a new provision…that provides regulatory permission for covered entities to use and disclose protected health information for treatment, payment, healthcare operations.” HIPAA regs eliminate consent and privacy

24. III. Americans’ expectations/rights to health information privacy

25. 10.3 million Americans expect privacy and security The bipartisan Coalition for Patient Privacy, 2011 AIDS Action Just Health American Association of People with Disabilities Multiracial Activist American Association of Practicing Psychiatrists Microsoft Corporation Inc. American Chiropractic Association National Center for Transgender Equality American Civil Liberties Union The National Center for Mental Health Prof. & Consumers American Conservative Union National Whistleblower Center American Psychoanalytic Association National Workrights Institute Association of American Physicians and Surgeons Natural Solutions Foundation Bazelon Center for Mental Health Law New Grady Coalition Bob Barr (former Congressman R-GA) Pain Relief Network Citizens for Health Patient Privacy Rights Foundation Citizen Outreach Project Privacy Activism Clinical Social Work Association Privacy Rights Now Coalition Consumer Action Private Citizen, Inc. Consumers for Health Care Choices Republican Liberty Caucus Cyber Privacy Project Student Health Integrity Project Doctors for Open Government TexPIRG Ethics in Government Group Thoughtful House Center for Autism Fairfax County Privacy Council Tolven, Inc. Family Research Council Tradition, Family, Property, Inc. Free Congress Foundation Universata, Inc. Georgians for Open Government U.S. Bill of Rights Foundation Gun Owners of America You Take Control, Inc. Health Administration Responsibility Project, Inc.

26. what patients say about privacy

27. PPR Zogby poll 2000 adults’ views on privacy August 2010 http://patientprivacyrights.org/patient-privacy-poll/

33. AHRQ: 2009 20 focus groups expect control A majority want to “own” their health data, and to decide what goes into and who has access to their medical records. (AHRQ p. 6) A majority believe their medical data is “no one else’s business” and should not be shared without their permission….not about sensitive data but “a matter of principle”. (AHRQ p. 18)

34. no support for general rules that apply to all consumers consumers should exert control over their own health information individually, rather than collectively. (AHRQ p. 29) AHRQ Publication No. 09-0081-EF “Final Report: Consumer Engagement in Developing Electronic Health Information Systems” Prepared by: Westat, (July 2009) http://healthit.ahrq.gov/portal/server.pt/gateway/PTARGS_0_1248_888520_0_0_18/09-0081-EF.pdf AHRQ: 2009 20 focus groups expect control

35. U.S. divides into three groups: --The Privacy Intense ….. about 35-40% -- The Privacy Pragmatic ……………. about 50-55% -- The Privacy Unconcerned ……….. about 10-15% http://patientprivacyrights.org/wp-content/uploads/2011/06/AFW-SUMMIT-6-13-11.pdf

36. who are the Privacy Intense? distrust govt and business IT worry about 2ndary use of PHI don’t want research access without consent, strongest concern is discrimination want legal controls and strong enforcement Privacy Intense in general consumer privacy areas are about 25%, health privacy raises this to 35-40%

37. IV. Key problems/ consequences

38. patients risk health to protect privacy

39. refuse diagnosis and treatment HHS estimated that 586,000 Americans did not seek earlier cancer treatment due to privacy concerns. 65 Fed. Reg. at 82,779 HHS estimated that 2,000,000 Americans did not seek treatment for mental illness due to privacy concerns. 65 Fed. Reg. at 82,777 Millions of young Americans suffering from sexually transmitted diseases do not seek treatment due to privacy concerns. 65 Fed. Reg. at 82,778

40. The Rand Corporation found that 150,000 soldiers suffering from PTSD do not seek treatment because of privacy concerns The lack of privacy contributes to the highest rate of suicide among active duty soldiers in 30 years “Invisible Wounds of War”, the RAND Corp., p. 436, (2008) refuse diagnosis and treatment

41. The California Health Care Foundation found that 1 in 8 Americans have put their health at risk because of privacy concerns: Avoid seeing their regular doctor Ask doctor to alter diagnosis Pay for a test out-of-pocket Avoid tests http://patientprivacyrights.org/2005/11/national-consumer-health-privacy-survey-2005 / act to protect privacy

42. Americans expect privacy and control but….

43. huge market for health data + theft and sale of health data → health data mining industry

44. Where did this slide come from ? The Medical Information Bureau website. The MBI sells claims/health data to insurers and employers.

45. 35% of Fortune 500 companies admit to using medical records for hiring and promotions 65 Fed. Reg. 82,467.

46. 2011: Top Fortune 500 Companies health data mining industry 6 General Electric (GE Centricity EHR/HIT systems,General Electric sells clinical data) revenue 151B 15 McKesson (sells Rx data) revenue 108BMcKesson 18 IBM (sells health data) revenue 100B 19 Cardinal Health (drug distributor) revenue 99B 21 CVS Caremark (sells Rx data) revenue 96B up from 65B in 2010 22 United Health Group (sells data thru Ingenix, its data management and IT unit, whose revenues increased more than 25%. http://money.cnn.com/magazines/fortune/fortune500/2011/full_list/

47. 2011: Top Fortune 500 Health Care: Pharmacy and Other Services (health data mining industry) Health Care: Pharmacy and Other Services Rank Company/500 rank Revenues($ billions) 1 Medco Health Solutions #34 66 (sells Rx data)Medco Health Solutions 2 Express Scripts #55 (up from 96) 25 (sells Rx data)Express Scripts 3 Quest Diagnostics #320 7.3 (sells lab data)Quest Diagnostics “transforms millions of test results into valuable information products” http://www.questdiagnostics.com/brand/careers/index.html#services 4 Omnicare #371 6.1 (sells data???)Omnicare (leading Rx provider for seniors)“we capture a tremendous amount of data”..combines data with outcomes algorithm technology 5 Lab Corp. of America #447 4.7 (sells lab data??)Lab Corp. of America http://money.cnn.com/magazines/fortune/fortune500/2011/industries/224/index.html

48. research loophole allows sale of data from EHRs, PHRs, claims data, lab data, prescriptions, health searches, state data, newborn bloodspots, etc, etc

49. Clinical Data Services The CDS Advantage Disease Counts in Database Hypertension 2,284,249 Hyperlipidemia 2,212,629 Depression 1,185,828 Cardiovascular Disease 1,004,214 GERD 984,864 Diabetes 922,169 Asthma 750,963 Osteoarthritis 602,043 COPD 319,310 ADD/ADHD/HKD 188,424 Rheumatoid Arthritis 85,757 Alzheimer's 35,790 Parkinson's 22,017 Note: Data reported as of February 28th, 2010 Codified Medical Problems Prescriptions/Historical Meds Patient Allergies, Medical Orders and Events Vital Signs and Physical Findings Lab Values https://www2.gehealthcare.com/portal/site/usen/menuitem.b399d8492e44a6765c09cbd5 8c829330/?vgnextoid=ae0f4fb9efff5210VgnVCM100000382b3903RCRD&fromChannel= 7e0f4fb9efff5210VgnVCM100000382b3903____

51. Kansas City Business Journal Cerner finds a treasure in data mining by Mike Sherry Staff WriterMike Sherry The North Kansas City-based health care information technology company, known mostly for the health-record software sold to hospitals and clinics, is leveraging the billions of anonymous patient records it has at its disposal as marketable information to pharmaceutical companies and researchers. Included in Cerner’s data warehouse are 1.2 billion lab results. It also has smaller numbers of medication orders and other data. The company collects the information through data-sharing agreements with roughly 125 of its software clients. Cerner is not violating the ban on sales because of the “research” exception http://www.bizjournals.com/kansascity/stories/2009/06/01/story5.html?b=1243828800^1835382

52. EMR vendor to share patient data with genetics research firm 3/20/2008 by Richard Pizzi “Perlegen Sciences, Inc., a company exploring the clinical application of genetic research, plans to collaborate with an undisclosed electronic medical records vendor to identify and develop genetic markers that predict how patients are likely to respond to specific medical treatments. Under the terms of the agreement, Perlegen, based in Mountain View, Calif., will have exclusive access to the EMR vendor's database of U.S. records for the purpose of assessing and selecting patients from whom appropriate genetic samples could be collected.”

53. claims data is sold

54. What is BHI® (Blue Health Intelligence)? shares critical health information with employers premier health intelligence resource BHI sets the new standard for healthcare data aggregation, reporting and analysis Size and Value of data for sale 1) longitudinal data on 54 million BCBS members [without consent] 2) reporting not only by MSA, industry and product type, but by Diagnosis Related Groups (DRGs) code, age group and gender [allows re-identification] How does BHI ensure the privacy and security of members’ healthcare information? 1) adheres to HIPAA regs = no consent for use and sale of data 2) Use a system-generated identifier, allowing longitudinal analysis [allows re-identification] 3) fully de-identified in accordance with HIPAA [17 identifiers removed, still allows re- identification of.04%] http://www.bcbs.com/innovations/bhi/bhi-faqs-1-12-09.pdf

55. Health Research Data for the Real World: the MarketScan Data Bases David M. Adamson, PhD Stella Chang, MPH Leigh G. Hanson, MS, MBA Research and Pharmaceutical Division Thomson Medstat, now THOMSON REUTERS January 2006 KEY QUOTE: “Data from individual patients are integrated from all providers of care, maintaining all healthcare utilization and cost record connections at the patient level.

56. Medicare and Medicaid data for sale “at the patient level”

57. Personal health information is for sale Thomson Medstat

58. prescription records are sold

59. Businessweek July 23, 2008: “They Know What's in Your Medicine Cabinet, How insurance companies dig up applicants' prescriptions—and use them to deny coverage" http://www.businessweek.com/magazine/content/08_31/b4094000643943.htm?chan=magazine+channel_in+depth http://www.businessweek.com/magazine/content/08_31/b4094000643943.htm?chan=magazine+channel_in+depth

60. states sell DNA and hospital records

61. DNA Deception by Emily Ramshaw February 22, 2010Emily Ramshaw “nine years' worth of e-mails and internal documents on the Department of State Health Services’ newborn blood screening program reveals the transfer of hundreds of infant blood spots to an Armed Forces lab to build a national and, someday, international mitochondrial DNA (mtDNA) registry”--- it turns out newborn bloodspots were being sold by DSHS and TX A&M for researchDepartment of State Health Services

62. Austin Bulldog Hospital Patient Privacy Sacrificed as State Agency Sells or Gives Away Data Technology Used by For-Profit Companies Strips Away Inadequate Layers of Security by Suzanne Batchelor http://www.theaustinbulldog.org/index.php/Main -Articles/Main- Articles/department-of-state-health-services.html DSHS collects, sells, and gives away inpatient hospital data without consent for: public-health, medical research, trade groups, lobbyists, businesses, anonymous downloaders

63. physicians allow use of PHI for comparative effectiveness research without consent

64. Distributed Ambulatory Research in Therapeutics Network extracts “de-identified” Critical Care Record (CCR) from EHRs of 400K patients treated by 500 primary care docs patient consent not obtained –research uses physician consent instead physicians prompted to obtain specific information during patient visits 2 nd study on Depression needs 2.4 M patients, will add a RHIO 8 DARTNet orgs/EHR vendor Medical Clinic of North Texas NextGen® WellMed Medical Group (TX) SmartClinic® Tiena Health (TX) Allscripts Professional® Wilmington Health Asso. Allscripts Professional® University of Colorado Allscripts Enterprise® University of Minnesota Allscripts Enterprise® Cranford Family Medicine (AK) e-MDs® Family Health Center of Joplin e-MDs® http://www.effectivehealthcare.ahrq.gov/index.cfm/search-for- guides-reviews-andreports/ ?pageaction= Displayproduct&productID=151 Patient info available via DARTNet but not through claims data Medication allergies Reason for appointment Family history Findings (BP, weight, height, etc.) Social history (alcohol and tobacco use, etc.) Laboratory orders and results Prescribed medications Past medical history Date of onset of disease Referrals Provider-level data Practice-level data Data collected/prompted for collection at point of care DARTNet

65. weak security breaches, data theft & data sales

66. Steady Bleed: State of HealthCare Data Breaches Study reveals patient data breaches continue - month after month - at an alarming rate. 200-bed hospital 24/mo 20-clinic physician practice 29/mo UK major teaching hospital 129/mo Top 50 U.S. Health System 125/mo http://www.informationweek.com/blog/main/archives/2010/09/steady_bleed_st.html Sep 19, 2010

67. Department of Justice Press Release For Immediate Release United States Attorney's Office October 13, 2010 Manhattan U.S. Attorney Charges 44 Members and Associates of an Armenian-American Organized Crime Enterprise with $100 Million Medicare Fraud

68. Cybercrime—data purchasers seeks data to file false medical claims: RSA White Paper: Cybercrime and the Healthcare Industry

69. Cybercrime—data sellers post seeks buyers for > 6,500 medical records RSA White Paper: Cybercrime and the Healthcare Industry

70. Americans expect privacy and control but….

71. Health IT systems/data exchanges “Wild West”—physicians may share PHI only for treatment, BUT receivers sell and disclose PHI 2 ndary use of sensitive health information is the norm no data map: data flows inside and outside US HIPAA “research” and “public health” loopholes allow wide use of PHI/data mining for “research”, profit and discrimination no transparency/accountability complex HIT systems – One hospital = 200+ HIT systems/software/vendors abysmal security

72. govt, research & industry – want access to data and oppose consent – oppose privacy-enhancing technologies – huge investments in legacy systems legal gaps/weaknesses in privacy protections no Congressional oversight limited federal agency oversight, except FTC & HHS (now auditing/penalizing) Key problems for the public

73. PHI = most valuable pii HIT gold rush: $27-29B for HIT vendors patients/physicians are misinformed/hold conflicting beliefs: – assume data privacy despite breaches – believe doctors can protect data YET huge majorities distrust HIT – told privacy is the key obstacle to “data liquidity”---YET consent = instant data flow Key problems for public

74. DANGEROUS TIMES govt and industry now use the words ‘privacy’ and ‘trust’ BUT are not implementing meaningful and comprehensive policies and privacy-enhancing HIT public can’t easily participate at federal level ie, privacy experts, academics, advocates Today’s policies and HIT violates existing law & public expectations

75. conclusion: current law and HIPAA are inadequate to protect privacy

76. Americans’ strongest individual rights to control personal information are for health information--- if we lose privacy rights in healthcare will we ever gain information privacy in the online commercial environment?

77. solutions

78. Patient-centered HIT systems 1. universal online consent tools--benefits dynamic, not static fine-grained decisions, like online banking "Bill Pay" -automatic rules (like monthly payments), or case-by-case ability to share selectively (in accord with laws, rights, expectations) no need to update consents in many locations no need for MPI or single patient ID independent audit trails of all uses and disclosures via use of authentication and authorization systems (employees have unique access codes and can see selected data)

79. (c) 2007-2010, Private Access, Inc. All rights reserved. (Reprinted with permission).

80. Patient-centered HIT system 2. health banks--benefits ironclad security and architecture today there is no place w/ a complete and accurate copy of our health records patients control access and use of PHI only patients can collect complete and accurate PHI ‘safe’ research without risk of exposing data like census bureau: run research queries on individual data unlike census bureau, no research without consent sensitive data is NOT released no need for MPI or UPIN (single ID)---patients have separate ID at each location = better privacy protections (stolen data has less value)

81. Clinical Encounter Health Record Bank Clinician EHR System Encounter Data Entered in EHR Encounter data sent to Health Record Bank Patient Permission? NO DATA NOT SENT YES Optional payment Clinician’s Bank Secure patient health data files Health Record Bank Patient data delivered to Clinician Clinician Inquiry

82. Patient-centered HIT systems 3. other systems--benefits decentralized consents with centralized control. In this situation, patients can make local data sharing decisions at the time and place of service, but have a universal portal to update or change consents as needed an NHIN that works likes a patient file cabinet. In this situation, all patient information goes to a common location for the patient, and the patient can make decisions about sharing at that storage location

83. in the meantime……

84. what you can do now use EHRs with segmentation (e-MDs) press vendors for consent & segmentation press hospitals for privacy & security give “Miranda” warnings stand with patients sign “Do Not Disclose” petition volunteer/support PPR

85. Deborah C. Peel, MD Founder and Chair (O) 512-732-0033 dpeelmd@patientprivacyrights.org www.patientprivacyrights.org dpeelmd@patientprivacyrights.org www.patientprivacyrights.org (c) 2011, Patient Privacy Rights. All rights reserved

86. HIPAA “Research loophole” The term “research” is defined at 45 C.F.R. 164.501 as “systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” Information is not PHI and not subject to the HIPAA Privacy Rule if it id “de-identified” as provided in 45 C.F.R. 164.514(b). An organization can use a “limited data set” for research if they strip out certain identifiers and enter into a “data use agreement” under 164.514(e). But stronger laws and ethics trump HIPAA