Junkfood Science: Action Alert — Privacy of your health information

November 03, 2007

Action Alert — Privacy of your health information

The Citizens’ Council on Health Care has issued an Action Alert that may be of interest to readers. The National Committee on Vital and Health Statistics has just submitted a Report to the Secretary of the U.S. Department of Health and Human Services with a proposed policy framework for how the government can collect, use and sell our electronic medical records. Specifically, it is purposing the sale and secondary use of our health data without our informed consent. According to this report, it’s all part of the government’s “vision of a nationwide health information network (NHIN).”

The NCVHS was authorized to advise the HHS and Congress on the administration of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 through Public Law 104-191. This report defines broader secondary uses for health data and standardizes them beyond HIPAA. Secondary use of health data includes everything other than primary use by healthcare providers for direct medical care, payment and healthcare operations. As this report notes, even “healthcare operations” is troublesomely broad and can include virtually anything, including compliance, benefit, clinical guideline development, case management, assessment and contacting healthcare providers and patients about treatment alternatives, and cost containment activities.

“There is optimism for the growing number of benefits that can be achieved through uses of health data enabled by health information technology (HIT) and health information exchange (HIE),” the report states. The creation of a comprehensive “national online health data system” will allow data mining and collection for “quality measurement, reporting and improvement” and research, as well as make “disease control and prevention more accurate, complete and rapidly accessible.”

“Public health databases are used for surveillance and to compile registries,” said the report, but “surveillance is extending in scope, such as to collect Hemoglobin A1c values with the intent to contact individuals directly about potential improvements in diabetes management” (as in New York). The “CDC is starting nationwide data collection efforts, such as BioSense, that involve contractual agreements” to third parties, the report exampled. The CDC’s adoption of name-based HIV reporting registries and surveillance systems is another example. Most consumers, however, are unaware of the required reporting and how their private information is used as a result of these large public health databases, said the report; and those who are, have been “using false names when seeing a caregiver to avoid consequences of reporting.”

Remember this past June when the Agency for Healthcare Research and Quality (AHRQ) issued an RFI for creating a public/private entity to oversee the sharing and aggregating of private and public data collected on citizens and its reporting? This report notes that a dichotomy had surfaced between those who wanted the database host to simultaneously stewart its usage, and those who felt a completely neutral body should be over stewardship. This report highlighted an interesting point that emerged during this process: “when any organization that is responsible for making use of personal health information, i.e., when serving as a data steward, is trusted, there is greater acceptance of the use of the health data.”

But, informed consumers who fully understand how their health information is and can be used might not be quite as accepting.

Currently, there is no protection for personal health information used by noncovered entities (all those other than healthcare payers, clearinghouses and providers), as well as who may sell and use de-identified information. In fact, the report emphasized, there are a number of groups who don’t have to comply with HIPAA, such as “providers who do not file claims electronically...or receive payment directly from individuals...; companies providing data transmission services...; personal health record services...; and other companies, such as life insurers, employers, schools and others. The report specifically exampled employer wellness programs and their websites a may be used by employers. The recommendations made in this report extends the access and use of our health information.

There is no standardization across various governmental agencies in protecting the privacy of health information used for research, according to this report. This report, noting that research can have “profound importance to the health of the nation,” allows expanded use of health information for research.

Especially unsettling were the arguments made in the report concerning secondary use of health information under the guise of “quality improvement.” The report said: “[I]f the data are adequately protected to address issues of individual privacy, individual informed consent should, in general, not be required.” They also observe that a process of “informed participation,” which they define as a process in “which institutions design quality improvement interventions and educate and engage patients about their obligations to help improve quality” will “allow the vast majority of quality improvement projects to go forward without triggering [a research-like informed consent process].”

The report itself is very difficult to read and to realize what they are actually proposing while protecting our privacy. CCHC president Twila Brase summarizes the key concerns being proposed, saying that they will:

· Allow Sale of Your Medical Data — Authorize sale of your ‘de-identified' but not ‘unidentifiable' medical data to “support the business model of NHIN" - the proposed online national health data system. This could include your genetic information—or DNA, which is always identifiable. (p 23)

· Limit Your Consent Rights — Define when you can consent to your data being accessed for a broad array of “secondary" uses and when you cannot, including uses such as government tracking and government access to your entire medical record. (p 22)

· Abolish and Prohibit Real Privacy Laws — Abolish the power of State legislatures to enact privacy laws that actually protect patient privacy (federal law now allows State law to trump the federal HIPAA “no privacy" rule) (p 30-31)

· Expand Access to Your Data — Force all organizations and websites with health data to abide with HIPAA, the federal “no-privacy" rule, thus giving them federal authority to share your data extensively without your consent. (FYI, the term ‘patient consent' does not exist in HIPAA) (p 30)

· Enable Tracking of You and Your Doctors — Specifically authorize your data to be used in a way that could harm you: in so-called “quality improvement" activities (eg. electronically tracking your doctor's treatment decisions and financially penalizing him or her less if your treatment doesn't follow one-size fits-all treatment directives.) (p 26)

· Enable Data-Mining, Patient Profiling and Data Linking — Expanding the definition of research to include "quality improvement"could re-define data-mining, profiling patients and doctors, and linking of your data across multiple databases as “research." The Feds allow [public health] research without your consent or knowledge. Only consent from a Institutional Review Board is required. (p 28)

The public has until this Tuesday, November 6, to submit their comments to Debbie M. Jackson, Senior Program Analyst at the National Center for Health Statistics, CDC. Here is her contact information:

3311 Toledo Road, Room 2339

Hyattsville, MD 20782

(301) 458-4614


The CCHC suggests comments along these lines:

I want a health care system I can trust. My medical record is mine. Anyone who wants access to my private data for any purpose must be required to get my informed, written consent. There should be no "secondary uses" without my consent.

Bookmark and Share