Tag: Privacy

The ACO Rules & Privacy

One day before the first of April, HHS published the much anticipated rules defining the creation and operations of Accountable Care Organizations (ACO), spanning 429 pages of business regulation, analysis of the various options available, proposed solutions, and ways to measure and reward (punish) success (failure) in achieving HHS's seemingly incompatible goals of providing better care for less money. I am fairly certain that health policy experts, health care economists and the multitude of industry stakeholders will be dissecting and analyzing the hefty document in great detail in the coming weeks. I started reading the document with an eye towards the ACO implications for HIT, which as expected are many, but something on page 108 made me stop in my tracks. HHS is proposing to share protected health information (PHI) contained in Medicare claims with ACO providers unless patients “opt out”.

Beginning on page 108 and through 22 pages of tortured arguments, HHS makes the case for the legality and benefits of providing ACOs with PHI contained in Medicare claims, unless the patient actively withdraws consent for this type of transaction. The argument for the legality of claims data sharing rests on the nebulous HIPAA clause which allows disclosure of PHI for “health care operations” within a web of covered entities and business associates connecting the ACO with Medicare and other providers of health care services for a particular patient. HHS is proposing to make available four types of medical information to participating ACOs:

Who Owns Patient Data?

Walgreens is being sued by customers who are not happy that their prescription information – even though it has been de-identified – is being sold by Walgreens to data-mining companies.

The data privacy and security concerns surrounding the transfer of de-identified data are significant. To “de-identify” what is otherwise protected health information under HIPAA, some outfits will simply strip the data of the 18 types of identifiers listed in the federal regulations. However, the relevant regulation (45 CFR 164.514(b)(2)(ii)) also provides that this only works if “the covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.” The problem with this approach is that, these days, nobody can disclaim knowledge of the fact that information de-identified by removing this cookbook list of 18 identifiers may be re-identified by cross-matching it with other publicly available data sources. There are a number of reported instances of this sort of thing happening. The bottom line is that our collective technical prowess has outstripped the regulatory safe harbor.

Is this the basis of the lawsuit brought against Walgreens? An objection to trafficking in health information that should remain private? No. The plaintiff group of customers is suing to share in the profits realized by Walgreens from trading in the de-identified data.
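The cross-matching the post describes above is a linkage attack, and the fields that the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)) lets a release keep, the first three ZIP digits for populous areas, the year of birth and sex, are exactly the quasi-identifiers such an attack joins on. The following is an added example, not code from the post or from Walgreens, using two small datasets constructed for illustration: a “de-identified” prescription export and a public record with names. It also adds a k-anonymity check, a practitioner's measure the post does not mention, which a data holder can run over the release alone before shipping it.

```python
"""
Added example (not from the original post): a linkage attack against data
"de-identified" under the HIPAA Safe Harbor method, plus a k-anonymity check.

Safe Harbor strips the 18 listed identifiers but permits a record to keep the
first three ZIP digits (areas with more than 20,000 people), the year of birth
and sex. Joined against another source that carries names, those retained
fields can single a person out. Both datasets below are constructed.
"""
from collections import defaultdict

# Constructed "de-identified" pharmacy export (Safe Harbor applied).
DEIDENTIFIED = [
    {"zip3": "021", "birth_year": 1971, "sex": "F", "drug": "sertraline"},
    {"zip3": "021", "birth_year": 1971, "sex": "F", "drug": "metformin"},
    {"zip3": "021", "birth_year": 1984, "sex": "M", "drug": "lisinopril"},
    {"zip3": "024", "birth_year": 1958, "sex": "M", "drug": "atorvastatin"},
    {"zip3": "024", "birth_year": 1958, "sex": "M", "drug": "warfarin"},
]

# Constructed public dataset (think voter roll or social-media profile) with names.
PUBLIC = [
    {"name": "A. Smith", "zip3": "021", "birth_year": 1971, "sex": "F"},
    {"name": "B. Jones", "zip3": "021", "birth_year": 1984, "sex": "M"},
    {"name": "C. Lee",   "zip3": "021", "birth_year": 1984, "sex": "M"},
    {"name": "D. Kim",   "zip3": "024", "birth_year": 1958, "sex": "M"},
]

# The quasi-identifiers Safe Harbor leaves in place.
QUASI = ("zip3", "birth_year", "sex")


def key(rec):
    """Quasi-identifier tuple used as the join key."""
    return tuple(rec[q] for q in QUASI)


def link(deidentified, public):
    """Return {name: [drugs]} for every released record whose quasi-identifier
    combination matches exactly one person in the public dataset.

    A record that matches several people is left alone: the attacker cannot
    tell which of them it belongs to.
    """
    candidates = defaultdict(list)
    for person in public:
        candidates[key(person)].append(person["name"])

    hits = defaultdict(list)
    for rec in deidentified:
        names = candidates.get(key(rec), [])
        if len(names) == 1:          # unique match -> re-identified
            hits[names[0]].append(rec["drug"])
    return dict(hits)


def k_anonymity(records):
    """Smallest equivalence-class size over the quasi-identifiers.

    k == 1 means at least one quasi-identifier combination is unique in the
    release, so any outside source with names and the same fields can link it.
    """
    counts = defaultdict(int)
    for rec in records:
        counts[key(rec)] += 1
    return min(counts.values())


if __name__ == "__main__":
    print("re-identified:", link(DEIDENTIFIED, PUBLIC))
    print("k-anonymity of the release:", k_anonymity(DEIDENTIFIED))
```

Two of the three people in the release are re-identified with their full medication list; the third survives only because two public records share the same ZIP3/birth-year/sex combination. The `k_anonymity` check needs no outside data at all, which is the point: the covered entity can know, before release, that a k of 1 makes the “actual knowledge” condition of the safe harbor hard to disclaim.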

FTC Proposes New Safeguards for Online Privacy

Yesterday the Federal Trade Commission proposed a broad framework for protecting consumer privacy both on the Web and offline. The framework is meant to help guide policymakers in crafting legislation to prevent the tracking and wholesale collection and sale of consumer information that is practiced by large online companies like Google, Mozilla, and Microsoft. Yesterday I wrote about health information “data mining” (see post here): the collection and sale specifically of web users' health data, including the conditions they suffer from, medications used, and identifying information like name, age, gender and even personal doctor. As the FTC notes in its proposal: “The more information that is known about a consumer, the more a company will pay to deliver a precisely-targeted advertisement to him.”

The FTC noted that current privacy efforts by most online companies were inadequate. Some did not alert consumers to the fact that data was being collected in the first place, others provided lengthy and incomprehensible warnings that most Web users ignore and others did offer the chance for individuals to block collection of their personal data, but this action has to be repeated at the beginning of every transaction.

Instead, the FTC framework proposes a “Do Not Track” option that consumers can choose to activate in their browsers. Similar to the “Do Not Call” list that prevents most (but not all) telemarketers from contacting you by phone, the “Do Not Track” option would prevent most data miners from surreptitiously collecting personal information online. The FTC says that the Do Not Call registry currently contains 200 million telephone numbers.


Privacy Paradigms: From Consent to Reciprocal Transparency

Computational innovation may improve health care by creating stores of data vastly superior to those used by traditional medical research. But before patients and providers “buy in,” they need to know that medical privacy will be respected. We’re a long way from assuring that, but new ideas about the proper distribution and control of data might help build confidence in the system.

William Pewen’s post “Breach Notice: The Struggle for Medical Records Security Continues” is an excellent rundown of recent controversies in the field of electronic medical records (EMR) and health information technology (HIT). As he notes,

Many in Washington have the view that the Health Insurance Portability and Accountability Act (HIPAA) functions as a protective regulatory mechanism in medicine, yet its implementation actually opened the door to compromising the principle of research consent, and in fact codified the use of personal medical data in a wide range of business practices under the guise of permitted “health care operations.” Many patients are not presented with a HIPAA notice but instead are asked to sign a combined notice and waiver that adds consents for a variety of business activities designed to benefit the provider, not the patient. In this climate, patients have been outraged to receive solicitations for purchases ranging from drugs to burial plots, while at the same time receiving care which is too often uncoordinated and unsafe. It is no wonder that many Americans take a circumspect view of health IT.

Privacy law’s consent paradigm means that, generally speaking, data dissemination is not deemed an invasion of privacy if it is consented to. The consent paradigm requires individuals to decide whether or not, at any given time, they wish to protect their privacy. Some of the brightest minds in cyberlaw have focused on innovation designed to enable such self-protection. For instance, interdisciplinary research groups have proposed “personal data vaults” to manage the emanations of sensor networks. Jonathan Zittrain’s article on “privication” proposed that the same technologies used by copyright holders to monitor or stop dissemination of works could be adopted by patients concerned about the unauthorized spread of health information.

Privacy and Security of Patient Records: The Lesson of the Weakest Link

The Queen of Soul famously wailed about being a link in a chain of fools. Today’s lead story in the Boston Globe tells us about another sort of link in the chain — the weakest link in the chain of custody of patient records. In brief, a pathology billing service bought out by another service apparently dumped all records more than a year old in a town dump; a Globe photographer taking out his own trash noticed that the paper records (which he was looking at because he thought they ought to be recycled rather than dumped) had identifiable patient data and represented at least four hospitals from across Eastern Massachusetts. Clearly, these records ought to have been shredded or otherwise destroyed before disposal. Assuming they had some airtight contracts in place, the hospitals involved may well be looking to the seller of the billing service in this case to reimburse them for the costs of:

  • identifying the patients involved in this data breach
  • notifying affected patients of the breach
  • providing credit monitoring services to affected patients
  • any damages incurred by patients
  • any fines incurred by the hospitals

Under the HITECH Act’s “Son of HIPAA” rules, the hospitals could be on the hook to the federales for up to $1.5 million in fines each as a result of this incident, and the state AG could get in on the action as well, filing suit on behalf of the affected Massachusetts residents and seeking to ensure that proper procedures are in place. There may be a violation of the state data security law here as well. Massachusetts has a particularly stringent data security law on the books that took effect within the past year, and not all affected businesses have come into compliance. The AG may be on the prowl for a few high-profile cases, like this one, in which to levy substantial fines and convince the laggards that compliance would be more than worth their while.

The natural question to ask, given the facts of this case, is: What Would a Meaningful User Do?


The Circle of Trust

Every day millions of Americans and billions of people around the globe routinely accept colorful pieces of paper in return for their labor and place those hard-earned possessions in modern glass buildings whose owners they do not know. It took a few hundred years to change how business transactions are conducted, but today there is very little apprehension about depositing one’s wealth in a bank. Public trust in both the government-issued paper and the financial institution’s ability to safely store the increasingly virtual representation of buying power had to be painstakingly created and watchfully maintained.

When people, for one reason or another, lose trust in government paper or banks, the entire financial system fails miserably. Public trust is a prerequisite to any national monetary system and public trust is a very delicate thing. Nations create laws and regulations around financial institutions specifically aimed at building public trust. 

People have to trust that paper and its virtual counterpart can be exchanged for goods and they need to trust that banks, while safely storing their funds, will always make them available to their rightful owner on demand. Banks have a legal and fiduciary responsibility to take good care of your possessions, thus very few folks feel the need to store their family jewels in a strong box under their floor boards.


RFID Tags for Nurses. Then Everybody?

Pasquale

The recent City of Ontario v. Quon decision has had a mixed reception among privacy advocates. Though many are disappointed that employees’ privacy rights have once again been narrowed, some have discerned helpful dicta in the case. However, I worry that, whatever the drift of thought among swing justices, economic imperatives and cultural shifts will mean a lot less privacy in the workplace of the future. Health care in particular offers a few interesting bellwethers.

As an opinion piece by Theresa Brown explains, maintaining proper staffing levels in hospitals is becoming increasingly difficult. Surveillance systems are offering one way to address the problem; work can be performed more intensively and efficiently as it is recorded and studied. But such monitoring has many troubling implications, according to Torin Monahan (in his excellent book, Surveillance in a Time of Insecurity):

The tracking of people [via Radio Frequency Identification Tags] represents a . . . mechanism of surveillance and social control in hospital settings. This includes the tagging of patients and hospital staff. . . . When administrators demand the tagging of nurses themselves, the level of surveillance can become oppressive. . . . [because nurses face] labor intensification, job insecurity, undesired scrutiny, and privacy loss. . . . To date, such efforts at top-down micromanagement of staff by means of RFID have met with resistance. . . . One desired feature for nurses and others is an ‘off’ switch on each RFID badge so that they can take breaks without subjecting themselves to remote tracking. (122)

Like the “nannycam” employed by many a wary parent, the nurse-cam may be seen as a way to protect the vulnerable. It may also increase the accuracy of evidence in malpractice cases. On the other hand, inserting a tireless electronic eye to monitor what is already an extremely stressful job may create many unintended consequences, or deter people from going into nursing altogether. Even advocates of pervasive surveillance recognize these difficulties.

Do Physicians Have a Right to Privacy?

As we move to Electronic Health Records (EHR), the debates over security and privacy are becoming more frequent and more pointed. We of course have the HIPAA laws on the books, and ONC has a Tiger Team assembled to recommend privacy and security policies to Secretary Sebelius. CIOs and entire IT departments are all focused on protecting the privacy of patients and their Protected Health Information (PHI). This is, of course, as it should be, but what about the privacy of those taking care of patients? Do physicians have a right to privacy too?

As EHRs become more prevalent and interconnected, increasing amounts of clinical and administrative data will be flowing out of doctors’ offices and into the great beyond. Most of this data is indeed patient data, but some of it could be combined, sliced and diced to derive pretty extensive information about doctors. For example, and in no particular order:

  • Prescribing patterns – Prescription data has been collected and sold to pharmaceutical companies for decades. EHRs will make this much easier to accomplish and the data will become richer and more granular, since it will contain the exact nature of the visit where a particular drug was prescribed or discontinued, including physician notes on the subject. Such information finding its way to public websites would present a novel difficulty if, say, we could look up Dr. X and see that she wrote 30 prescriptions for contraceptives last month, half of which were for girls under 16 years of age.

Healthcare’s Privacy Problem (Hint: It’s Not What You Think It Is )

I recently applied for life insurance. The broker, whom I’ve never met, asked about my health history. “So you’ve just had a baby,” he began. I asked him how he knew. “You’re on Twitter.”

In the last couple of years concerns about the privacy of online health information have grown, as health care finally catches up to other sectors in its use of information technology (IT). The Stimulus package will pump $19.2 billion into healthcare IT, especially electronic medical records for doctors.

While technology can make your medical records safer in some ways than they’d be in a paper chart (using encryption, firewalls, audit trails, etc.), the fact is, no system is totally fail-safe. And when screw-ups happen, technology tends to super-size them.