Yesterday’s Kaiser Daily Health Policy Report reported:
Lawmakers, patient-privacy and health care advocates, and information technology experts on Tuesday “debated … how Congress can strike a balance between accelerating the adoption of a nationwide system of electronic medical records while protecting patient privacy,” CongressDaily reports (Noyes, CongressDaily, 6/4). The House Energy and Commerce Subcommittee on Health hearing focused on a health IT bill drafted by Committee Chair John Dingell (D-Mich.) and ranking member Joe Barton (R-Texas). The bill would require the federal government to set software and hardware standards for health programs, such as Medicare, and assist providers in purchasing and establishing health IT systems (Wayne, CQ Today, 6/4). (Full story)
Having watched most of the hearings, I found myself occasionally shaking my head and wondering what it will take before some members of Congress realize that this is not about Congress finding a “balance” between privacy and a nationwide system of EMR. Suggesting that there even should be a “balance” indicates that the individual simply does not grasp the fundamental and nonnegotiable point that if Congress does not ensure privacy and security, a significant chunk of our society will simply refuse to agree to or sign on to the use of EMR, PHR, or digital storage of their data on any device connected to the internet.
Let’s stop wasting time talking about “balancing” privacy and interoperability and figure out how to adequately ensure privacy and security in a cost-effective way.
As both a healthcare professional and a privacy advocate, I think there are a few basic principles of healthcare in our country’s tradition and history that warrant repeating here:
1. Healthcare is predicated on confidentiality.
2. Healthcare requires informed consent.
3. The primary purpose of healthcare is the welfare of the individual and society, not the pocketbook of industries.
4. Those involved in healthcare are held accountable.
The challenge is to build those fundamental principles into EMR and online systems.
Translating Confidentiality into Digital Health
The principle of confidentiality translates into the commitment to keeping an individual’s health information protected and private. But Congress, HHS, and the states have so far failed to achieve reasonable security for PHI in digital form. HHS has not fined a single entity for violation of the HIPAA Privacy Rule since its implementation in April 2003, and outcomes of any CMS/DOJ investigation of violations of HIPAA’s Security Rule are generally not shared with the public.
PHIprivacy.net provides chronologies of breaches that were reported in the media beginning with the implementation of HIPAA’s Privacy Rule in April 2003. Has Congress or the GAO analyzed the data in these chronologies to determine the patterns and areas in need of correction? I doubt it. Congress and the GAO have the power to require entities to submit more data on breaches, and to integrate those reports with what we have seen reported in the media and reported to the FTC. Why hasn’t that been done? Relying on other sites that focus on financial fraud tends to underestimate the number and extent of breaches involving health-related information. Only PHIprivacy.net has tried to compile all media reports that include hacks, stolen laptops, improper disposal of paper records, and other types of breaches. Indeed, had the Kaiser representative on the panel been a reader of this site, he would have been able to answer Rep. Markey’s questions about post-2005 incidents (the answer is that there have been other Kaiser incidents involving stolen laptops in both 2006 and 2007).
In 2008 alone, we have seen some significant breaches involving health information. In April, this site’s parent site, PogoWasRight.org, exposed two breaches involving WellPoint, Inc. that affected over 130,000 individuals and that appeared to involve millions of personally identifiable records. For all the public knows or was told, WellPoint may have exposed over 34,000,000 people’s records for over a year through their inadequate server security. But WellPoint did not answer questions, Congress did not investigate the incident so that it could learn what provisions it might need to incorporate in any new laws, and segments of the public are left wondering whether they can trust anybody with their health data. The fact that WellPoint — the country’s largest public health insurer — has had at least four breaches in less than two years involving unencrypted data should make any member of Congress who suggests that privacy advocates are overreacting in our concerns blush.
Just this past week, we learned that some students at University of California – Irvine were the victims of income tax refund fraud. After months of investigation, the source of the problem was linked to UnitedHealthcare, which provided health insurance for the 1,132 graduate students. UHC has not revealed any details about the breach, so again, we are left wondering what caused the security failure, and how many people might ultimately have been at risk.
Insurance companies are not the only source of concern, however. We have seen reports involving government contractors such as SAIC, where 900,000 people had their personal health information compromised due to security breaches.
In every sector, PHI is at risk, and once sensitive information is exposed on the web, there is no way to get it back with any assurance that it has not been duplicated and stored on servers elsewhere for use by criminals. Before Congress asks the public to trust our sensitive information to any system, show us that it will be kept secure and private.
During the hearings this week, Dr. Deborah Peel of PatientPrivacyRights.org recommended that any new legislation include a definition of privacy. I concur. Where I do not agree with her is in her apparent willingness to waive an individual cause of action. Congress erred by not including individual cause of action under HIPAA and it should correct that error now. Violation of a patient’s privacy or confidentiality deserves accountability and the patient should be able to have recourse in a court of law.
One of PatientPrivacyRights.org’s recurring themes is that our health information is being data mined beyond our worst nightmares and that most people have no idea who has custody of their information or how it is being used for commercial gain. Certainly, the more entities that have custody of our health information, the greater the risk of a privacy and security breach. But even putting that serious concern aside for the moment, patients’ identifiable health information should not be sold or exchanged with any commercial entity that is not involved in the provision of care or processing of payment for care without the patient’s informed and opt-in consent.
Industries and organizations routinely push back hard against informed and opt-in consent. They may try to rationalize their pushback on the basis of promoting patient care, but the reality is that most uses are not patient care. This needs to stop. Patients should be able to sign a consent form that clearly specifies the kinds of parties with whom information may be shared without further request for signed consent (e.g., laboratories to whom samples may be sent, payment processors, other doctors the patient is referred to if the patient wants the referral, etc.). But the consent stops there and does not transfer down the chain of custody — or should stop there for non-treatment purposes — and if those parties want to be able to do anything else with the data or information, they should be required to obtain the written and informed opt-in consent of the patient.
If businesses do not want to ask for consent for fear that patients will say “no,” then that is precisely why Congress must insist that patients be asked. It is inexcusable that Congress should cave in to industry pressure on this point. Informed and opt-in consent will inspire patient trust in the system and better protect the privacy and security of the data.
EMR and Networked Health Must be Patient-Centric
Historically, businesses have had the money to lobby Congress while grassroots or patient rights organizations lack the means to level the playing field. In her presentation, Dr. Peel spoke of her experiences as a psychiatrist and the reluctance of patients to seek mental health care or to have any trail of mental health care in their records. She also spoke of returning wounded warriors who may be reluctant to seek care for fear of stigma or of the treatment becoming a part of their record that will be available to too many people or accidentally exposed in a security breach.
My professional experience mirrors Dr. Peel’s. As a mental health professional, I must deal daily with the fears of patients who do not want their insurance carriers to have sensitive information about them. Their only recourse is to pay directly and not submit claims for reimbursement. Once the insurance company has the information, the patients know that there is a real risk that it may be used against their interests at some point, or that it will wind up exposed in Google or in the hands of hackers who may use the information for medical ID theft or garden-variety fraud or ID theft.
While networked care has the potential to serve many people well, it will not serve people who cannot trust the system.
Disclosure and Notification
During the hearings, it was suggested that the proposed threshold for notification and disclosure was too low. The panel of experts agreed. I disagree. Again, as an issue of trust, if someone has custody of your PHI and loses it or has it stolen, then it is incumbent on that party to notify the patient. It should not be up to the party who lost the data to determine the risk to the individual, because the issue is not just risk of ID theft, financial fraud, or embarrassment. The issue is trust between the patient and provider, and the best way to promote trust is to say that whenever there is an incident, the patient will be notified.
In the alternative, Congress could simply mandate giving patients the choice about whether they would want to be notified. Initial informed consent forms could include a provision in the patient’s primary language that says, “If …, then do you want to be informed, and if yes, how do you want to be notified — by mail, phone, or email?”
As part of a national initiative, Congress should also include two additional provisions:
1. Any covered entity that experiences a breach must post a notice on its web site, with a prominent link from the home page of the site showing site visitors where they can read any such notices, and
2. All entities that experience a breach should be required to report it to HHS, which should then post a link to the notification on a special web site that consumers and the public can check.
I realize that businesses and entities will not want to do these things. No one likes to admit publicly that they had a problem. But if all entities were held to the same standard, consumers and patients would be in a better position to determine who should be trusted and who shouldn’t.
There was no discussion of outsourcing during the hearings this week, but how will Congress ensure privacy, security, and accountability if covered entities outsource to companies outside of U.S. law? Just this past week, we learned that an outsourcing contractor in India for an American marketing firm stole the firm’s data after the firm canceled their contract. The contractor then sold it off to the firm’s rivals. Many of the firm’s mail lists included medically related lists, such as those on particular medications or with particular diagnoses. Who is going to be responsible here?
Fix HIPAA or Torch It?
During the hearings, the question was raised as to whether to try to fix HIPAA or just start over. Dr. Peel indicated her willingness to work on fixing it. But to fix HIPAA requires a major overhaul that would expand the definition of covered entities to include any entity in possession of certain types of information, and it would require inclusion of notification and disclosure provisions that are vastly stronger than the current provisions. Under the existing rules, there is simply no requirement to notify patients of a breach. There is an obligation to mitigate harm, but not to notify. That is wholly unacceptable. There is also no individual cause of action for a willful privacy violation, and that, too, is unacceptable. It is hard to find what is “right” about HIPAA for the digital age in which we live. It is time to move on.