Tag: Privacy

HEALTH 2.0: Getting the PHR, Privacy and Deborah Peel issue off my chest

I’m a card carrying member of the ACLU. I oppose the Patriot Act. And I absolutely oppose the current Administration’s decision to ignore the FISA law that already bends over backwards to help the government spy on Americans whom it suspects of criminal activity. I’m also appalled when I read stories like this one—in which the FBI has been illegally abusing its power by issuing “National Security letters” willy nilly.

I say all this because it’s now a couple of weeks since Google announced its health initiative and during that time we held the second Health 2.0 conference. And all the mainstream press can write about is the potential for privacy violations in online health sites, and PHRs, whether it’s been in the San Diego Union Tribune, ZDNET, USA Today or Modern Healthcare.

So even this balanced article in the Washington Post leads with Deborah Peel from Patient Privacy Rights and you have to wade through her incendiary rhetoric before you get to some sense from John Rother, while David Kibbe’s rational applauding of electronic health records only appears towards the end. Here’s what Peel says:

Many online PHR firms share information with data-mining companies, which then sell it to insurers and other interested parties, Peel said.

Well I’m still waiting to see the proof about this. Essentially she’s saying that consumers’ identifiable data is being sold and used against them, and so PHRs are bad.

Much data is of course sold in health care, but as far as I’m aware it’s all de-identified. Whether PHR companies are systematically selling data is unclear. Whether they are selling identifiable data (the thing HIPAA bans and everyone agrees is a bad idea) I severely doubt.

And the problem is that this type of allegation gets the conversation completely off track. The biggest problem with the US health care system and its use of technology is not privacy violations. It’s inefficient use of data causing harm (and costs and poor quality care).

I am getting more than a little annoyed with this focus on the wrong thing. As my commenter JD paraphrased in my earlier piece on the topic (5th comment down here), do the Deborah Peels of the world not use bank accounts or credit cards? Do they not buy houses or have credit scores? Do they not know about what is already known about them in the real world? People understand this data flow and they accept it because it brings them a return that they value. And the same will be true for health information—if health information technology produces valuable results.

So what are the nay-sayers going on about? Well I actually suffered and read the World Privacy Forum report on PHRs by Robert Gellman. It’s a hash of conjecture with its main complaint being that HIPAA doesn’t explicitly cover PHRs. Well, no shit Sherlock. HIPAA passed in 1996. It was actually prepared years earlier and it’s about the automated transactions that existed then. No one had heard of a PHR in 1995, so why should the law cover them? What will happen is that PHRs will start being provided by covered entities and will be under the aegis of HIPAA (in this country at least—it’s called the “World” privacy forum but in reading the report Gellman only has heard of one country apparently).

But even if PHRs are not covered by HIPAA, what are the terrible consequences? Well let’s see. I’ve taken a few excerpts from the report. In the first Gellman says:

Regardless of the PHR’s policy on marketing disclosures, advertising can provide a method for a consumer’s health information to escape into marketing files. Marketers already have millions of names of consumers categorized by specific diseases and diagnoses. Most of the information comes from consumers who provided it in response to “consumer surveys” or through other stealthy methods for collecting health information for marketing use. Health records maintained by health care providers have been unavailable to marketers directly, but commercial PHRs operated outside of HIPAA offer marketers the promise of more and better health information from consumers.

So the problem is not PHRs. It’s consumer surveys taken over the years by marketers. But let’s blame PHRs because they might potentially be used for the same thing.

But hang on, if I’m a transparent PHR vendor won’t I drive out the scummy guys who are secretly selling data which will be used to harm their customers? And aren’t Microsoft and Google and many others being transparent about that? Yes they are, and why won’t consumers vote with their data?


More on Google and the Cleveland Clinic

For a start, as I said in my last post and many times, and at least one of these commenters has written at length, the benefits of sharing health data in clinical situations massively outweigh the risk. So that should be the focus of the discussion.

I am NOT saying that there shouldn’t be privacy protections and there is no reason in my mind why, for all HIPAA’s flaws, it cannot be extended to PHR providers as covered entities.

However, as far as I can tell nothing that is happening here violates HIPAA. Showing you keyword based advertising may not be to everyone’s taste, but it does not mean your private health data is being transferred to anyone. And presumably your data will only end up in these services if you give them permission to accept it, which will include consent to provide whatever services and advertising you’ll see.

And that’s assuming that either company does advertising based on records rather than search terms (which is how Google makes that 98% of their money).

But exactly where are Microsoft and Google suggesting that they’re going to be selling private identified data? Nowhere. Microsoft has bent over backwards to demonstrate that they have no intention of allowing themselves or anyone else to access your health records without permission. And Google will likely do the same when it announces its plans officially.


Google, the Cleveland Clinic and the Privacy Zealots

So Modern Healthcare’s Joseph Conn has a whole page to write about the Cleveland Clinic and he writes just about HIPAA and the fact that this pilot is not going to be covered by it. Writing in the San Francisco Chronicle Victoria Colliver talks about not a lot more, but at least she has someone stating the bleedingly bloody obvious—

"If it’s made convenient enough and easy enough, people will be no more concerned about privacy with these systems than they are with their financial information," he said. "Far more people die because health information is not released or difficult to get … than anybody’s ever been harmed because the information has been inadvertently released."

OK so it was me she quoted, but someone needs to give Deborah Peel and whoever the hell the World Privacy Forum is a big shake. I say this as a card-carrying member of the ACLU and Amnesty International who is deeply concerned about anyone’s private information and what use is made of it.

And the shake is, if a government overhears your private information illegally (or quasi-legally) it can use that information to take away your freedom and worse. So the standard for their ability to access that information should be an awful lot higher than it is in virtually every country—including this one.

If a private corporation unwittingly lets slip your private health data, or even uses some aspect of it knowingly to target you for marketing, the chances of you suffering much from it are very, very low.

These are vastly different things, and conflating the two does not help in the least.
