A Consumer Perspective on Healthcare Privacy

Linda Ackerman
PrivacyActivism Staff Counsel
[email protected]
www.privacyactivism.org

Wanted: Digital Ralph

“Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.”
--Bruce Schneier, “The Eternal Value of Privacy”
http://www.wired.com/politics/security/commentary/securitymatters/2006/05/70886

Jeremy Bentham’s Panopticon

HIPAA. . .
PRIVACY RULE or DISCLOSURE RULE?

Final Privacy Rule--2002

“The consent provisions…are replaced with a new provision…that provides regulatory permission for covered entities to use and disclose protected health information for treatment, payment, healthcare operations.”

--67 Federal Register 53211

GAO Report, “Health Information Technology: Early Efforts Initiated But Comprehensive Privacy Approach Needed for National Strategy” --February 1, 2007

“Without a clearly defined approach that establishes milestones for integrating its efforts and fully addresses key privacy principles and these challenges, it is likely that HHS’s goal to safeguard personal health information as part of its national strategy for health IT will not be met.”

NCVHS Privacy and Security Recommendations—June 2006

Health information privacy is the right to control the acquisition, uses, or disclosures of identifiable health data.

Informational privacy is a core value of American society.

Trust in professional ethics and established health privacy and confidentiality rules encourages individuals to share information they would not want publicly known.

Retain HIPAA’s “minimum necessary” standard for information access, based on the role and status of the requester.

The NHIN should incorporate Fair Information Practices regarding collection, use, notice and access to information.

HHS should support legislative or regulatory measures to eliminate or reduce the potential harmful discriminatory effects of personal health information disclosure.

Engage the public in the design, functioning, and oversight of the NHIN by appointing meaningful numbers of consumers to all national, regional, and local boards governing the NHIN.

2005 Westin Survey: “How the Public Health Views Health Care, Privacy and Information”

65% of those surveyed would not disclose information to their provider because they worried it would go into computerized records.

2000 California HealthCare Foundation Survey: “Ethics Survey of Consumer Attitudes about Health Web Sites”

75% of Americans are concerned about the loss of medical privacy due to the use of an electronic health and information system.

2005 Harris Survey: “How the Public Sees Health Records and an EMR Program”

70% concerned or very concerned about medical information leaks due to weak security
69% believed more information would be shared without their knowledge
65% wouldn’t disclose information because of worries about computerized records
62% believe existing privacy rules would be curtailed in the name of efficiency
Respondents evenly split on whether benefits outweigh the risks (48%) or risks outweigh the benefits (47%)

Latest HHS/NHIN RFP seeks technology to:

Provide consumers with capabilities to help manage the flow of their information
Allow consumers to identify and manage locations for storage of their PHRs
Manage consumer-controlled providers of care and access permission information

Manage consumer choices to not participate in network services
Give consumers access to audit logging and disclosure information for PHR and HIE data
Route consumer requests for data corrections

WWRD?

Top 10 Privacy Practices

10. Provide meaningful penalties and enforcement mechanisms for privacy violations detected by patients, advocates, and government regulators, including a private right of action.

9. Preserve stronger privacy protections in state laws. In other words, no federal pre-emption of state laws.

8. Patients should be notified promptly of suspected or actual security breaches, without splitting hairs about whether or not there is a risk to an individual from a disclosure—as is the case with the California breach notification law (CA Civil Code §1798.29).

7. Disclosures of patient information should be auditable in real time.

6. Ensure that personal medical information cannot be used coercively or discriminatorily by prohibiting compelled disclosure of such information to obtain employment, insurance, credit, or admission to schools, unless it is required by statute.

5. Prohibit secret health databases. Require all existing holders of health information to disclose what data they have to the data subjects.

4. Health information disclosed for one purpose may not be used for another purpose without informed consent.

3. Give consumers control over their medical information by means of technologies that firmly put the right of consent over access to that information in their hands.

2. Apply the right to privacy to ALL health information regardless of the source, the form it is in, or who handles it.

1. Recognize a right to the privacy of medical information, as defined in the June 22, 2006 Report of the NCVHS to HHS Secretary Leavitt: “Health information privacy is an individual’s right to control the acquisition, uses, or disclosures of his or her identifiable health data.”

References & Resources

HIPAA

HIPAA Rule: 45 CFR 160, 164

Summary of the HIPAA Privacy Rule: http://www.hhs.gov/ocr/privacysummary.pdf

CRM Today, “Health Industry Insights Survey Reveals Consumers are Unaware of Government's Electronic Health Records Initiative,” February 13, 2006; http://www.crm2day.com/news/crm/117351.php. “A recent survey of 1095 consumers, conducted by IDC's [International Data Corporation] Health Industry Insights, reveals a significant number of respondents (70%) are unaware of the U.S. government's initiative to make Electronic Health Records (EHRs) available to citizens by 2014.”

Consumer Reports, “The new threat to your medical privacy,” March 2006; http://www.consumerreports.org/cro/health-fitness/health-care/electronic-medical-records-306/overview/index.htm. A brief, cautionary report on the privacy risks of a National Health Information Network and the privacy lacunae of HIPAA.
The Electronic Privacy Information Center’s (EPIC) Medical Privacy page: http://www.epic.org/privacy/medical/

PRIVACY AND SECURITY

CalOHI and CalRHIO, “Privacy and Security Solutions for Interoperable Health Information Exchange,” submitted to the Research Triangle Institute, March 30, 2007; http://www.calrhio.org/crweb-files/docs-privacy/FAASR_03302007_Final.pdf

Government Accountability Office, “Health Information Technology: Early Efforts Initiated But Comprehensive Privacy Approach Needed for National Strategy.” GAO-07-400T, February 1, 2007; http://www.gao.gov/new.items/d07400t.pdf

“How the Public Sees Health Records and an EMR Program,” Harris Interactive survey conducted for The Program on Information Technology, Health Records and Privacy, study # 23283, February 16, 2005; http://laico.org/v2020resource/files/Healthtopline.pdf

NCVHS Subcommittee on Privacy and Confidentiality, Letter to Secretary Leavitt titled, “Recommendations re Privacy and in the NHIN.” June 22, 2006; http://www.ncvhs.hhs.gov/060622lt.htm

TOP 10 Health Record Security Breaches in 2006: http://www.aishealth.com/Compliance/Hipaa/RPP_2006_Security_Breaches.html

“Warnings Over Privacy of U.S. Health Network,” Robert Pear, NY Times, February 18, 2007; http://www.nytimes.com/2007/02/18/washington/18health.html?ex=1180324800&en=b458411426a6558f&ei=5070

MISCELLANEOUS

“ Use and the Quality of Ambulatory Care in the United States,” by Jeffrey A. Linder, MD, MPH; Jun Ma, MD, RD, PhD; David W. Bates, MD, MSc; Blackford Middleton, MD, MPH, MSc; Randall S. Stafford, MD, PhD, Archives of Internal Medicine, 2007;167:1400-1405; http://archinte.ama-assn.org/cgi/content/short/167/13/1400. Report concluding that, “As implemented, EHRs were not associated with better quality ambulatory care.”

“Electronic Health Records Don’t Aid Patient Care: Study of 1.8 billion doctor visits showed no real advantage over paper files,” Reuters, July 9, 2007; http://www.msnbc.msn.com/id/19684970/

“The Eternal Value of Privacy,” by Bruce Schneier, Wired News, May 18, 2006; http://www.schneier.com/essay-114.html

“The -Industrial Complex: How the American Government is Conscripting Businesses and Individuals in the Construction of a Surveillance Society,” by Jay Stanley, ACLU, August 9, 2004; http://www.aclu.org/safefree/resources/18512res20040809.html. Report on relationships between government and business that are “privatizing” surveillance through recruitment of companies (like the telcos facilitating NSA communications surveillance) or use of commercial data and data mining.