AA ConsumerConsumer PerspectivePerspective onon HealthcareHealthcare PrivacyPrivacy Linda Ackerman PrivacyActivism Staff Counsel [email protected] www.privacyactivism.org Wanted:Wanted: DigitalDigital RalphRalph ““PrivacyPrivacy isis anan inherentinherent humanhuman right,right, andand aa requirementrequirement forfor maintainingmaintaining thethe humanhuman conditioncondition withwith dignitydignity andand respect.respect.”” ----BruceBruce SchneierSchneier ““TheThe EternalEternal ValueValue ofof PrivacyPrivacy”” http://www.wired.com/politics/security/ commentary/securitymatters/2006/05/70886 JeremyJeremy BenthamBentham’’ss PanopticonPanopticon HIPAA.HIPAA. .. .. PRIVACYPRIVACY RULERULE oror DISCLOSUREDISCLOSURE RULE?RULE? FinalFinal PrivacyPrivacy RuleRule----20022002 ““TheThe consentconsent provisionsprovisions……areare replacedreplaced withwith aa newnew provisionprovision……thatthat providesprovides regulatoryregulatory permissionpermission forfor coveredcovered entitiesentities toto useuse andand disclosedisclose protectedprotected healthhealth informationinformation forfor treatment,treatment, payment,payment, healthcarehealthcare operations.operations.”” ----6767 FederalFederal RegisterRegister 5321153211 GAOGAO Report,Report, ““HealthHealth InformationInformation Technology:Technology: EarlyEarly EffortsEfforts InitiatedInitiated ButBut ComprehensiveComprehensive PrivacyPrivacy ApproachApproach NeededNeeded forfor NationalNational StrategyStrategy”” ----FebruaryFebruary 1,1, 20072007 ““WithoutWithout aa clearlyclearly defineddefined approachapproach thatthat establishesestablishes milestonesmilestones forfor integratingintegrating itsits effortsefforts andand fullyfully addressesaddresses keykey privacyprivacy principlesprinciples andand thesethese challenges,challenges, itit isis likelylikely thatthat HHSHHS’’ss goalgoal toto safeguardsafeguard personalpersonal healthhealth informationinformation asas partpart ofof itsits nationalnational strategystrategy forfor healthhealth ITIT willwill notnot bebe met.met.”” NCVHSNCVHS PrivacyPrivacy andand SecuritySecurity RecommendationsRecommendations——JuneJune 20062006 HealthHealth informationinformation privacyprivacy isis thethe rightright toto controlcontrol thethe acquisition,acquisition, uses,uses, oror disclosuresdisclosures ofof identifiableidentifiable healthhealth data.data. InformationalInformational privacyprivacy isis aa corecore valuevalue ofof AmericanAmerican society.society. NCVHSNCVHS PrivacyPrivacy andand SecuritySecurity RecommendationsRecommendations——JuneJune 20062006 TrustTrust inin professionalprofessional ethicsethics andand establishedestablished healthhealth privacyprivacy andand confidentialityconfidentiality rulesrules encouragesencourages individualsindividuals toto shareshare informationinformation theythey wouldwould notnot wantwant publiclypublicly known.known. RetainRetain HIPAAHIPAA’’ss ““minimumminimum necessarynecessary”” standardstandard forfor informationinformation access,access, basedbased onon thethe rolerole andand statusstatus ofof thethe requester.requester. NCVHSNCVHS PrivacyPrivacy andand SecuritySecurity RecommendationsRecommendations——JuneJune 20062006 TheThe NHINNHIN shouldshould incorporateincorporate FairFair InformationInformation PracticesPractices regardingregarding collection,collection, use,use, noticenotice andand accessaccess toto information.information. HHSHHS shouldshould supportsupport legislativelegislative oror regulatoryregulatory measuresmeasures toto eliminateeliminate oror reducereduce thethe potentialpotential harmfulharmful discriminatorydiscriminatory effectseffects ofof personalpersonal healthhealth informationinformation disclosure.disclosure. NCVHSNCVHS PrivacyPrivacy andand SecuritySecurity RecommendationsRecommendations——JuneJune 20062006 EngageEngage thethe publicpublic inin thethe design,design, functioning,functioning, andand oversightoversight ofof thethe NHINNHIN byby appointingappointing meaningfulmeaningful numbersnumbers ofof consumersconsumers toto allall national,national, regional,regional, andand locallocal boardsboards governinggoverning thethe NHIN.NHIN. 20052005 WestinWestin Survey:Survey: ““HowHow thethe PublicPublic HealthHealth ViewsViews HealthHealth Care,Care, PrivacyPrivacy andand InformationInformation”” 65%65% ofof thosethose surveyedsurveyed wouldwould notnot disclosedisclose informationinformation toto theirtheir providerprovider becausebecause theythey worriedworried itit wouldwould gogo intointo computerizedcomputerized records.records. 20002000 CaliforniaCalifornia HealthCareHealthCare FoundationFoundation Survey:Survey: ““EthicsEthics SurveySurvey ofof ConsumerConsumer AttitudesAttitudes aboutabout HealthHealth WebWeb SitesSites”” 75%75% ofof AmericansAmericans areare concernedconcerned aboutabout thethe lossloss ofof medicalmedical privacyprivacy duedue toto thethe useuse ofof anan electronicelectronic healthhealth andand informationinformation system.system. 20052005 HarrisHarris Survey:Survey: ““HowHow thethe PublicPublic SeesSees HealthHealth RecordsRecords andand anan EMREMR ProgramProgram”” 70%70% concernedconcerned oror veryvery concernedconcerned aboutabout medicalmedical informationinformation leaksleaks duedue toto weakweak securitysecurity 69%69% believedbelieved moremore informationinformation wouldwould bebe sharedshared withoutwithout theirtheir knowledgeknowledge 65%65% wouldnwouldn’’tt disclosedisclose informationinformation becausebecause ofof worriesworries aboutabout computerizedcomputerized recordsrecords 62%62% believebelieve existingexisting privacyprivacy rulesrules wouldwould bebe curtailedcurtailed inin thethe namename ofof efficiencyefficiency RespondentsRespondents evenlyevenly splitsplit onon whetherwhether benefitsbenefits outweighoutweigh thethe risksrisks (48%)(48%) oror risksrisks outweighoutweigh thethe benefitsbenefits (47%)(47%) LatestLatest HHS/NHINHHS/NHIN RFPRFP seeksseeks technologytechnology to:to: ProvideProvide consumersconsumers withwith capabilitiescapabilities toto helphelp managemanage thethe flowflow ofof theirtheir informationinformation AllowAllow consumersconsumers toto identifyidentify andand managemanage locationslocations forfor storagestorage ofof theirtheir PHRsPHRs ManageManage consumerconsumer--controlledcontrolled providersproviders ofof carecare andand accessaccess permissionpermission informationinformation LatestLatest HHS/NHINHHS/NHIN RFPRFP seeksseeks technologytechnology to:to: ManageManage consumerconsumer choiceschoices toto notnot participateparticipate inin networknetwork servicesservices GiveGive consumersconsumers accessaccess toto auditaudit logginglogging andand disclosuredisclosure informationinformation forfor PHRPHR andand HIEHIE datadata RouteRoute consumerconsumer requestsrequests forfor datadata correctionscorrections WWRD?WWRD? TopTop 1010 PrivacyPrivacy PracticesPractices 1010 ProvideProvide meaningfulmeaningful penaltiespenalties andand enforcementenforcement mechanismsmechanisms forfor privacyprivacy violationsviolations detecteddetected byby patients,patients, advocates,advocates, andand governmentgovernment regulators,regulators, includingincluding aa privateprivate rightright ofof action.action. TopTop 1010 PrivacyPrivacy PracticesPractices 99 PreservePreserve strongerstronger privacyprivacy protectionsprotections inin statestate laws.laws. InIn otherother words,words, nono federalfederal prepre--emptionemption ofof statestate laws.laws. TopTop 1010 PrivacyPrivacy PracticesPractices 88 PatientsPatients shouldshould bebe notifiednotified promptlypromptly ofof suspectedsuspected oror actualactual securitysecurity breaches,breaches, withoutwithout splittingsplitting hairshairs aboutabout whetherwhether oror notnot therethere isis aa riskrisk toto anan individualindividual fromfrom aa disclosuredisclosure——asas isis thethe casecase withwith thethe CaliforniaCalifornia breachbreach notificationnotification lawlaw (CA(CA CivilCivil CodeCode §§1798.29).1798.29). TopTop 1010 PrivacyPrivacy PracticesPractices 77 DisclosuresDisclosures ofof patientpatient informationinformation shouldshould bebe auditableauditable inin realreal time.time. TopTop 1010 PrivacyPrivacy PracticesPractices 66 EnsureEnsure thatthat personalpersonal medicalmedical informationinformation cannotcannot bebe usedused coercivelycoercively oror discriminatorilydiscriminatorily byby prohibitingprohibiting compelledcompelled disclosuredisclosure ofof suchsuch informationinformation toto obtainobtain employment,employment, insurance,insurance, credit,credit, oror admissionadmission toto schools,schools, unlessunless itit isis requiredrequired byby statute.statute. TopTop 1010 PrivacyPrivacy PracticesPractices 55 ProhibitProhibit secretsecret healthhealth databases.databases. RequireRequire allall existingexisting holdersholders ofof healthhealth informationinformation toto disclosedisclose whatwhat datadata theythey havehave toto thethe datadata subjects.subjects. TopTop 1010 PrivacyPrivacy PracticesPractices 44 HealthHealth informationinformation discloseddisclosed forfor oneone purposepurpose maymay notnot bebe usedused forfor anotheranother purposepurpose withoutwithout informedinformed consentconsent TopTop 1010 PrivacyPrivacy PracticesPractices 33 GiveGive consumersconsumers controlcontrol overover theirtheir medicalmedical informationinformation byby meansmeans ofof technologiestechnologies thatthat firmlyfirmly putsputs thethe rightright ofof consentconsent overover accessaccess toto thatthat informationinformation