Tag: Privacy

Tune Into The Kroll Webcast On The Security of Patient Data – Brian Klepper

Apr 22, 2008

By Brian Klepper

Exclusive to THCB: A couple weeks ago I pointed to a new study, commissioned by Kroll Fraud Solutions and conducted by HIMSS Analytics, that makes startlingly clear the gap between what most health systems are doing to comply with HIPAA, and what they need to do to actually safeguard the patient data in their possession.Tomorrow, Wednesday, April 23rd at 2PM EST, and again next Tuesday, April 29th at 2PM, EST, you’re invited to a 40 minute Webcast, moderated by Yours Truly, that goes through the issues. Jennifer Horowitz, the investigator from HIMSS Analytics, Lisa Gallagher, HIMSS Senior Director of Privacy and Security and Brian Lapidus, Kroll’s COO, will talk about how health care executives typically perceive the issue and how they report their own awareness and preparedness, in stark contrast to the threat and what happens when a breach actually occurs. I was a bystander in this energetic discussion, but it was an eye-opener for me.

If you’re at all involved in managing health system security or if you’re simply interested in the deeper realities of what’s necessary to protect patient data, this one’s a must. Join us for this revealing and important Webinar. Click here to get the study report and to register.

Medical Privacy: The Challenge of Behavioral Ad Targeting in Healthcare

Apr 16, 2008• 4

By Jane Sarasohn-Kahn

The latest
piece in the medical privacy jigsaw puzzle is online behavioral
advertising.

Last week, the Federal Trade Commission
(FTC) received comments from the Network Advertising
Initiative NAI
on the agency’s proposed principles for OBA. As part
of this filing, the NAI has published in draft its own
approach to behavioral ad targeting in health, included in the Self-Regulatory Code of Conduct for
Online Behavioral
Advertising

Online
behavioral advertising OBA
is the process whereby the online consumer’s search behavior is
analyzed across multiple websites and then categorized for use in
advertising online.

NAI’s members are reputed to cover 95% of
the online advertising market. NAI’s
membership includes 24/7 Real Media, Acerno, Advertising.com (an AOL company),
AlmondNet,
Atlas (a Microsoft company), BlueLithium (a Yahoo! Company), Doubleclick
(a Google company), Media6degrees, Mindset Media, Revenue Science, Safecount,
Specific Media, Tacoda (an AOL company), and
Yahoo!. Furthermore, NAI is
processing membership applications from Undertone Networks, Google and
Microsoft.

Toward the end
of the NAI’s
Code you will find a section called, "The need for common understanding
by industry," in which the NAI
lists the "minimum restricted and sensitive consumer segments" that
online advertisers should avoid targeting.

The Security of Patient Data

Apr 8, 2008• 3

By Brian Klepper

EXCLUSIVE TO THCB: HIMSS Analytics, the research arm of the powerful, thoughtful and highly regarded Health Information Management Systems Society, has published a sobering study, Security of Patient Data – see here – that highlights the gap between hospital patient data security practices and the reality of impacts if a breach occurs. The report, commissioned by Kroll Fraud Solutions, should be a splash of cold water to health care executives in all settings with responsibility for patient data. A link to the Executive Summary has been placed at the bottom of this post.

In the wake of several recent incidents involving breaches of celebrity records, what’s fascinating about the study is that the executives interviewed claimed a very high familiarity with HIPAA rules; they averaged 6.53 (on a 7 point scale) and 75 percent of those interviewed gave themselves a 7. The report attributes the high sense of HIPAA knowledge with the current rounds of HIPAA compliance audits and the penalties for non-compliance that have resulted in some cases.

A Different Right to Privacy

Mar 19, 2008• 9

By Eric Novack

Given Matthew’s quite visceral response to some complaints that broad-based, government-encouraged (mandated, I suspect), electronic medical records I am interested in both his and THCB readers’ thoughts on the Bangor Daily News editorial staff’s approach to health care reform.

They suggest that transparency is the key – "lawmakers should require health providers and insurance companies to report all of their costs to the public."

HEALTH 2.0: Getting the PHR, Privacy and Deborah Peel issue off my chest

Mar 13, 2008• 14

By Matthew Holt

I’m a card carrying member of the ACLU. I oppose the Patriot Act. And I absolutely oppose the current Administration’s decision to ignore the FISA law that already bends over backwards to help the government spy on Americans whom it suspects of criminal activity. I’m also appalled when I read stories like this one—in which the FBI has been illegally abusing its power by issuing “National Security letters” willy nilly.

I say all this because it’s now a couple of weeks since Google announced it’s health initiative and during that time we held the second Health 2.0 conference. And all the mainstream press can write about is the potential for privacy violations in online health sites, and PHRs, whether it’s been in the San Diego Union Tribune, ZDNET, USA Today or Modern Healthcare.

So even this balanced article in the Washington Post leads with Deborah Peel from Patient Privacy Rights and you have to wade through her incendiary rhetoric before you get to some sense from John Rother, while David Kibbe’s rational applauding of electronic health records only appears towards the end. Here’s what Peel says:

Many online PHR firms share information with data-mining companies, which then sell it to insurers and other interested parties, Peel said.

Well I’m still waiting to see the proof about this. Essentially she’s saying that consumers’ identifiable data is being sold and used against them, and so PHRs are bad.

Much data is of course sold in health care, but as far as I’m aware it’s all de-idenitifed. Whether PHR companies are systematically selling data is unclear. Whether they are selling identifiable data (the thing HIPAA bans and everyone agrees is a bad idea) I severely doubt.

And the problem is that this type of allegation gets the conversation completely off track. The biggest problem with the US health care system and its use of technology is not privacy violations. It’s inefficient use of data causing harm (and costs and poor quality care).

I am getting more than a little annoyed with this focus on the wrong thing. As my commenter JD paraphrased in my earlier piece on the topic (5^th comment down here), do the Deborah Peels of the world not use bank accounts or credit cards? Do they not buy houses or have credit scores? Do they not know about what is already known about them in the real world? People understand this data flow and they accept it because it brings them a return that they value. And the same will be true for health information—if health information technology produces valuable results

So what are the nay-sayers going on about? Well I actually suffered and read the World Privacy Forum report on PHRs by Robert Gellman. It’s a hash of conjecture with its main complaint being that HIPAA doesn’t explicitly cover PHRs. Well, no shit Sherlock. HIPAA passed in 1996. It was actually was prepared years earlier and it’s about the automated transactions that existed then. No one had heard of a PHR in 1995, so why should the law cover them? What will happen is that PHRs will start being provided by covered entities and will be under the aegis of HIPAA (in this country at least—it’s called the “World” privacy forum but in reading the report Gellman only has heard of one country apparently).

But even if PHRs are not covered by HIPAA, what are the terrible consequences? Well let’s see. I’ve taken a few excerpts from the report. In the first Gellman says:

Regardless of the PHR’s policy on marketing disclosures, advertising can provide a method for a consumer’s health information to escape into marketing files. Marketers already have millions of names of consumers categorized by specific diseases and diagnoses. Most of the information comes from consumers who provided it in response to “consumer surveys” or through other stealthy methods for collecting health information for marketing use. Health records maintained by health care providers have been unavailable to marketers directly, but commercial PHRs operated outside of HIPAA offer marketers the promise of more and better health information from consumers.

So the problem is not PHRs. It’s consumer surveys taken over the years by marketers. But let’s blame PHRs because they might potentially be used for the same thing.

But hang on, if I’m a transparent PHR vendor won’t I drive out the scummy guys who are secretly selling data which will be used to harm their customers? And aren’t Microsoft and Google and many others being transparent about that? Yes they are, and why won’t consumers vote with their data?

More on Google and the Cleveland Clinic

Feb 25, 2008• 24

For a start, as I said in my last post and many times, and at least one of these commenters has written at length, the benefits of sharing health data in clinical situations massively outweigh the risk. So that should be the focus of the discussion.

I am NOT saying that there shouldn’t be privacy protections and there is no reason in my mind why, for all HIPAA’s flaws, it cannot be extended to PHR providers as covered entities.

However, as far as I can tell nothing that is happening here violates HIPAA. Showing you keyword based advertising may not to everyone’s taste, but it does not mean your private health data is being transferred to anyone. And presumably your data will only end up in these services if you give them permission to accept it, which will include consent to provide whatever services and advertising you’ll see.

And that’s assuming that either company does advertising based on records rather than search terms (which is Google make that 98% of their money).

But exactly where are Microsoft and Google suggesting that they’re going to be selling private identified data? Nowhere. Microsoft has bent over backwards to demonstrate that they have no intention of allowing themselves or anyone else to access your health records without permission. And Google will likely do the same when it announces its plans officially.

Google, the Cleveland Clinic and the Privacy Zealots

Feb 24, 2008• 8

So Modern Healthcare‘s Joseph Conn has a whole page to write about the Cleveland Clinic and he writes just about HIPAA and the fact that this pilot is not going to be covered by it. Writing in the San Francisco Chronicle Victoria Colliver talks about not a lot more, but at least she has someone stating the bleedingly bloody obvious—

"If it’s made convenient
enough and easy enough, people will be no more concerned about privacy
with these systems than they are with their financial information," he
said. "Far more people die because health information is not released
or difficult to get … than anybody’s ever been harmed because the
information has been inadvertently released."

OK so it was me she quoted, but someone needs to give Deborah Peel
and whoever the hell the World Privacy Forum is a big shake. I say this
as a card-carrying member of the ACLU and Amnesty International who is
deeply concerned about anyone’s private information and what use is
made of it.

And the shake is, if a government overhears your private information
illegally (or quasi-legally) it can use that information to take away
your freedom and worse. So the standard for their ability to access
that information should be an awful lot higher than it is in virtually
every country—including this one.

If a private corporation unwittingly lets slip your private health
data, or even uses some aspect of it knowingly to target you for
marketing, the chances of you suffering much from it are very, very low.

These are vastly different things, and conflating the two does not help in the least.