On top of everything else, the Sony data breach revealed employees’ sensitive health information: Top Sony executives saw lists of named employees who had costly medical treatments and saw detailed psychiatric treatment records of one employee’s son.
Like last year’s revelation by AOL’s CEO, it shows US corporations look at employees’ health information and costs. By ‘outing’ the fact that 2 of AOL’s 5,000 employees had premature infants whose treatment cost over $1 million each, the CEO violated the employees’ rights to health information privacy.
Trusted relationships simply cannot exist if individuals have no right to decide who to let in and who to keep out of pii. Current US technology systems make it impossible for us to control personal health data, inside or outside of the healthcare system.
Do you trust your employer not to snoop in your personal health information? How can you trust your employer without a ‘chain of custody’ for your health data? There is no transparency or accountability for the sale or use of our health data, even though Congress gave us the right to obtain an “Accounting for Disclosures (A4D)” for disclosures of protected health data from EHRs in the 2009 stimulus bill (the regulations have yet to be written). And we have no complete map that tracks the millions of places US citizens’ health data flows. See: TheDataMap.
Long time (well very long time) readers of THCB will remember my extreme frustration with Patients Privacy Rights founder Deborah Peel who as far as I can tell spent the entire 2000s opposing electronic health data in general and commercial EMR vendors in particular. I even wrote a very critical piece about her and the people from the World Privacy Forum who I felt were fellow travelers back in 2008. And perhaps nothing annoyed me more than her consistently claiming that data exchange was illegal and that vendors were selling personally identified health data for marketing and related purposes to non-covered entities (which is illegal under HIPAA).
However, in recent years Deborah has teamed up with Adrian Gropper, whom I respect and seemed to change her tune from “all electronic data violates privacy and is therefore bad”, to “we can do health data in a way that safeguards privacy but achieves the efficiencies of care improvement via electronic data exchange”. But she never really came clean on all those claims about vendors selling personally identified health data, and in a semi-related thread on THCB last week, it all came back. Including some outrageous statements on the extent of, value of, and implications of selling personally identified health data. So I’ve decided to move all the relevant comments to this blog post and let the disagreement continue.
What started the conversation was a throwaway paragraph at the end of a comment I left in which I basically told Adrian to rewrite what he was saying in such a way that normal people could understand it. Here’s my last paragraph
As it is, this is not a helpful open letter, and it makes a bunch of aggressive claims against mostly teeny vendors who have historically been on the patients’ side in terms of accessing data. So Adrian, Deborah & PPR need to do a lot better. Or else they risk being excluded back to the fringes like they were in the days when Deborah & her allies at the World Privacy Forum were making ridiculous statements about the concept of data exchange.
The essence of controlling Ebola is surveillance. To accept surveillance, the population must trust the system responsible for surveillance. That simple fact is as true in Liberia as it is in the US. The problem is that health care surveillance has been privatized and interoperability is at the mercy of commerce.
Today I listened to the JASON Task Force meeting. The two hours were dedicated to a review of their report to be presented next week at a joint HIT Committee Meeting.
The draft report is well worth reading. Today’s discussion was almost exclusively on Recommendations 1 and 6. I can paraphrase the main theme of the discussion as “Interoperability moves at the speed of commerce and the commercial interests are not in any particular hurry – what can we do about it?”
Health information technology in the US is all about commerce. In a market that is wasting $1 Trillion per year in unwarranted and overpriced services, interoperability and transparency are a risk. Public health does not pay the bills for EHR vendors or their hospital customers.
Thanks to the flood of new data expected to enter the health field from all angles–patient sensors, public health requirements in Meaningful Use, records on providers released by the US government, previously suppressed clinical research to be published by pharmaceutical companies–the health field faces a fork in the road, one direction headed toward chaos and the other toward order.
The road toward chaos is forged by the providers’ and insurers’ appetites for categorizing us, marketing to us, and controlling our use of the health care system, abetted by lax regulation. The alternative road is toward a healthy data order where privacy is protected, records contain more reliable information, and research is supported or even initiated by cooperating patients.
This was my main take-away from a day of meetings and a panel held recently by Patient Privacy Rights, a non-profit for whom I have volunteered during the past three years. The organization itself has evolved greatly during that time, tempering much of the negativity in which it began and producing a stream of productive proposals for improving the collection and reuse of health data. One recent contribution consists of measuring and grading how closely technology systems, websites, and applications meet patients’ expectations to control and understand personal health data flows.
With sponsorship by Microsoft at their Innovation and Policy Center in Washington, DC, PPR offered a public panel on privacy–which was attended by 25 guests, a very good turnout for something publicized very modestly–to capitalize on current public discussions about government data collection, and (without taking a stand on what the NSA does) to alert people to the many “little NSAs” trying to get their hands on our personal health data.
It was a privilege and an eye-opener to be part of Friday’s panel, which was moderated by noted privacy expert Daniel Weitzner and included Dr. Deborah Peel (founder of PPR), Dr. Adrian Gropper (CTO of PPR), Latanya Sweeney of Harvard and MIT, journalist Sydney Brownstone of Fast Company, and me. Although this article incorporates much that I heard from the participants, it consists largely of my own opinions and observations.
Health reform activists and privacy mavens have been at loggerheads for years. Those touting health reform complain that an oversensitivity to privacy risks would hold back progress in treatments. Running in parallel but in the opposite direction, the privacy side argues that current policies are endangering patients and that the current rush to electronic records and health information exchange can make things worse.
It’s time to get past these arguments and find a common ground on which to institute policies that benefit patients. Luckily, the moment is here where we can do so. The common concern these two camps have for giving patients power and control can drive technological and policy solutions.
PPR has also held three Health Privacy Summits in Washington, DC, at the Georgetown Law Center, just a few blocks from the Capitol building. Although Congressional aides haven’t found their way to these conferences as we hoped (I am on the conference’s planning committee), they do draw a wide range of state and federal administrators along with technologists, lawyers, academics, patient advocates, and health care industry analysts. The most recent summit, held on June 5 and 6, found some ways to move forward on the data sharing vs. privacy stand-off in such areas as patient repositories, consent, anonymization, and data segmentation. It also highlighted how difficult these tasks are.
The small news is that I formally joined Patient Privacy Rightsas chief technology officer. I have been an extreme advocate for open data for years. For example, I’m a card-carrying member of the Personal Genome Project where I volunteer to post both my genome and most of my medical record. PPR, on the other hand, is well known for publicizing the harms of personal data releases. These two seemingly contradictory perspectives represent the matter-antimatter pair that can power the long march to health reform.
The value of personal medical data is what drives the world of healthcare and the key to health reform. The World Economic Forum says: “Personal data is becoming a new economic “asset class”, a valuable resource for the 21st century that will touch all aspects of society.” This “asset” is sought and cherished by institutions of all sorts. Massive health care organizations, research universities, pharmaceutical companies, and both state and federal regulators are eager to accumulate as much personal medical data as they can get and to invest their asset for maximum financial return. Are patient privacy rights just sand in the gears of progress?