Has IT made patient privacy a thing of the past?
Scott McNealy, former CEO of Sun Microsystems, might have sounded the alarm years ago when, in an article in Wired magazine, he called consumer privacy issues a “red herring” and advised us to get over the fact that we had “zero privacy.” His remarks got a lot of attention and were soon dismissed as the not-so-secret desire of an out-of-touch technology executive.
It’s hard for Americans to get over recent revelations about the National Security Agency, especially after details of its top-secret surveillance programs were leaked by the whistleblowing former employee Edward Snowden. Whether you consider Snowden, who has since gained political asylum in Russia, to be a hero or a traitor, his actions forced the NSA to acknowledge that it has been collecting emails and meta-data on the phone records of American citizens.
The extent to which Americans have a right to privacy has been debated throughout our history, but the NSA revelations have resurrected the argument. The agency, backed by what some believe is a rubber-stamp court administering the Foreign Intelligence Surveillance Act (FISA), has been accused of excessive secrecy that makes congressional oversight difficult and citizen oversight all but impossible.
Since the NSA revelations came to light, there have been other bombshells that give Americans reason to believe the Fourth Amendment has been repealed. One report alleges the NSA is pressing Internet service providers like Microsoft, AOL, and Yahoo to provide the passwords of their customers. Thus far, the ISPs have resisted, but if they are forced to relent, the NSA could not only have access to Internet passwords but also to consumer email accounts and financial records.
Despite assurances from President Obama that the federal government is not listening to the phone conversations of American citizens, and despite his pledge to overhaul the NSA’s surveillance programs, many are beginning to wonder what in the name of George Orwell is going on here.
Peeling back privacy
With the need for national security clashing with the right to privacy, the NSA argues that the situation is not as sinister as critics make it sound, and the same might well be true of threats to medical privacy. Control of patient data is one of the sticking points of electronic health records because the health care providers who purchase those records from a vendor like Epic view them as proprietary, while patient rights advocates believe patients should control the records and the medical information contained within.
Deborah Peel, founder of the Patient Privacy Rights Foundation, is a Freudian psychoanalyst who practices in Texas. She got into the patient privacy movement because of her patients’ interest in medical privacy, and because the federal government eliminated a rule that gave patients the right to control their medical information.
Peel claims that a change to a privacy rule that was supposed to be part of the 1996 Health Insurance Portability and Accountability Act (HIPAA) has effectively prevented consumers from controlling the release of their medical information. The change, she says, came in 2002 during the George W. Bush administration, after the Department of Health and Human Services, under then-Secretary Tommy Thompson, was left with the task of writing administrative rules associated with the law. According to Peel, HHS replaced what had been a consent provision with regulatory permissions for covered entities — mainly health care providers — to use and disclose protected health information for the treatment of patients in health care operations.
“What that means is, according to HIPAA, your doctors, hospitals, insurers, data clearinghouses, and all the covered entities are the ones who decide,” Peel charged. “They make the decision as to when to use or disclose your information, not you.”
According to Peel, patient control was not administratively restored, as privacy advocates had hoped, in the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, despite assurances from current HHS Secretary Kathleen Sebelius that a final omnibus rule issued in January of 2013 provides consumers with increased protection and control of personal health information.
In Peel’s view, the lack of patient control is more serious in the electronic age. In the paper records age, patient records were more likely to be kept in a finite number of places. Only one person at a time could look at a paper record, and in the event of abuse, those who viewed them could be tracked.
With the open architecture of health technology systems, records can now be viewed by more sets of eyes. Peel notes that a typical wired hospital has several hundred software applications dealing in some way with health information. Not only can hospital employees gain access to these records, IT vendors and their technology teams can get into the software to maintain them. “We have unknown and unnamed vendor employees — there are thousands of them who can get into the records as well,” she stated.
Peel supports an open-source program called DirectProject, which would provide patients with access to their medical records through secure email accounts.
In Peel’s view, this approach is preferable to what she called the “elaborate and bizarre governance structures” that are being set up for health information exchange. “They require complex legal agreements between organizations to share information, so they are expensive and they leave a lot of people out,” she charged. “We’re not going to have successful health information exchange without the patients sharing it.”
Peel contends that most major medical record software developers oppose patient control because many of them sell the data. She also believes patients — especially those with sensitive diseases and chronic conditions — should have the right to segment data on electronic health records. Segmentation allows patients to share only the parts of their records that apply to the specific requirements in a given episode of care.
Judith Faulkner, CEO of Epic Systems, called patient privacy an important issue that may seem simple on the surface but is actually quite complex. She noted that physicians review the record so they can give informed, safe care to the patient, and asserted that while control has been physician-centric in the past, it now is much more patient-centered.
“A dozen years ago or more, it was not uncommon for specialists to have their own patient records,” she explained. “If you saw a dermatologist and a urologist and a cardiologist, they may each have had a chart on you. Thus it was very physician-centric, and too often mistakes were made because the different physicians didn’t have the whole picture.”
Now, the electronic patient record keeps a patient chart that is shared, as appropriate, by all who are authorized to care for the patient. “In many cases, the patient can now access the same chart and can even secure email to the physicians on errors, omissions, additions, etc.,” Faulkner explained. “Often, the patient can download information and take it to another place. This makes it much more patient-controlled now compared to what it used to be.”
Regarding the segmentation of data, Faulkner believes patient records are necessarily “leaky,” meaning that if a patient has a particular problem, it may be threaded throughout so many parts of the record that physicians, who are typically good at inference, can still figure it out even if the obvious things, like diagnosis and medications, are removed.
As an example, Faulkner cited the electronic medical record of a hypothetical diabetes patient. It might contain data points like a “problem list,” allergies to medications, lab test results, lab orders, the makeup of the care team, the occurrence of yearly eye and foot exams, comments by primary care physicians and specialists, the history of office visits leading up to diagnosis, and much more that indicates to the alert physician that the patient is diabetic.
“The point is that there are many things that the computer cannot figure out that the physician who received the information can see,” Faulkner says. “We don’t want the patient surprised by information she thinks is hidden, and the data segmentation approach — i.e., not transmitting certain data elements — is not thorough enough and is therefore untrustworthy.”
Instead, Faulkner says the patient who wants information hidden has several reliable choices: 1) opt out of interoperability, 2) request that redacted information be transmitted by paper, or 3) request the physician to write a summary that the patient reviews before it goes out.
“Data segmentation, not transmitting important data, can kill people,” Faulkner asserted. “If a patient shows up at an emergency department and an incomplete medications record — hiding certain drugs that the patient is on — is transmitted to a physician who trusts it, then the physician may unknowingly give the patient a medication that can cause a fatal interaction.”
Epic’s interoperability system, known as Care Everywhere, transmits about 1 million patient records a month from one health system to another across the U.S. “Our experience is that approximately 1% of the patients opt out of sharing their information,” Faulkner noted. “These people can then rely on old-fashioned paper-based transmission, or they can work with their doctor to create a sharable summary that’s acceptable to both.”
As far as selling patient records, Faulkner says Epic absolutely does not engage in this practice.
What’s a consumer to do?
Besides HIPAA, there are only two other laws that provide a measure of consumer protection: Banks are required to safeguard depositor accounts under the Gramm-Leach-Bliley Act, and credit card holders have some measure of protection through the Payment Card Industry (PCI) regulations. However, they are not foolproof, as law enforcement entities can gain access to your financial information when conducting a crime investigation, and the credit bureau system has access to financial records for the purpose of evaluating creditworthiness.
“Even though these laws are in place, there are other countervailing laws that allow the government, for example, to be able to get these records if they can show they have probable cause,” said Melinda Giftos, an attorney with Whyte Hirschboeck Dudek. “They’re going to be able to pull that information even though there is a law that says it’s supposed to be confidential. These laws are not ironclad.”
Banks are routinely audited on their security policies and capabilities by the state Department of Financial Institutions and federal agencies like the Federal Deposit Insurance Corp. and the Federal Reserve. Banks also hire private companies to conduct penetration tests to evaluate the strength of firewalls and other protections.
“There is an element here that is extremely crucial, and that is reputational risk,” says Jim Tubbs, president and CEO of the State Bank of Cross Plains. “Certainly if there is an element of our customer base that was breached, the critical reputational risk, which is extremely difficult to measure, is something that’s extremely important to me as well as to my management team.”
Consumers might soon have a variety of software applications to protect personal consumer information, according to William Merrick, marketing coordinator for SOLOMO Technology in Madison. The move to put consumers in control of information collected about them is driven in part by concern that the NSA revelations could severely affect the growth of online retail. The World Economic Forum estimates that lack of trust in how personal data is used could erode online retail sales by as much as $1 billion by 2016.
Merrick said companies like SOLOMO are working to develop digital identity platforms that enable consumers to decide what personal data to share, and SOLOMO is taking it one step further by providing consumers the option of revoking an opt-in. He says consumers will eventually win this battle with “big data” companies, which he claims are indifferent, even hostile, to the concept.
“Once these platforms become better understood, I think some really exciting technologies are going to come,” Merrick predicted, “and it’s going to relieve a lot of tension in the digital commerce ecosystem.”
Giftos noted that not every government agency appears to be working against consumers. She said the Obama administration has issued a Consumer Bill of Rights, urging more transparency by companies that are gathering consumer information. In addition, the Federal Trade Commission has been pushing the business community to self-regulate by putting in place stronger mechanisms to educate consumers about the type of information being tracked and stored about them.
“They are trying to push so that companies are being more transparent about what they’re doing, which is interesting to me because if you look at that sector, it’s just the opposite of the example with the NSA,” Giftos said. “It’s kind of interesting to see the two different arenas play out.”