The Health Care Blog

Comments

Excellent post. It's time soneone held Deborah Peel accountable for her unfounded and unhelpful rhetoric. She has managed to make herself the go-to person for dramatic (if false) quotes to buck up so-called news reports. It's just one more symptom of the prostrate status of journalism today. Writers and editors run her quotes without ever investigating whether there is anything behind them but bald assertions. That's not journalism---it's sheer laziness. Proves the point that the easiest person to sell a half-baked story to is a storyteller.

Peel fancies herself a crusader and has all the appurtenant failings. Going off half cocked is one of them. Let's hope that her 15 minutes of "fame" is over soon.

Posted by: Marian | Mar 13, 2008 3:50:15 AM

Good post Matt and like you, I've been on a similar crusade/rant to get people to start thinking beyond the simplistic view that all PHRs are bad, that all pose the risk of selling your data, etc., etc. Written on the topic myself a couple of times, but not quite to the extent as this. Hopefully, te press will get beyond the sensationalist journalism we have seen so far and really take an honest look at the issue.

Some points I'd like to add:
First, you and others mention HIPAA. It's tossed around like some rag doll at a kid's slumber party and too often put on a pedestal as to this is what PHR privacy should aspire to. But when one digs deeper into HIPAA, well, it does have some pretty big gaping privacy holes in it such as a consumer's medical records can be readily and easily shared among care providers, at their discretion without the consumer's knowledge. Now looking at a number of the better PHRs in the market, they are giving the consumer the right to determine as to who they wish to see their records. That's a lot tighter control on privacy than HIPAA.

And what about all that pharmacy/prescription data, albeit de-identified so to speak, that is already being shared - just ask Thompson, they'll sell you it. No one seems willing to talk about that - why not?

Where I do agree with Peel, to a limited extent, is that most PHR providers have done an absolutely crappy job of being upfront and honest with regards to their privacy and security policies. These policies are often difficult to read and understand and why the hell do most PHR vendors hide them at the bottom on their home page in ridiculously small font type? As an industry they brought it on themselves and don't even get me started on HON, or BBB or Verisign certifications which one sees thrown wily nilly all over the place. This industry has to get its act together and do a better job as an industry with regards to privacy - PERIOD!

Luckily, with Microsoft, Google and Dossia getting into the mix, the overall PHR industry privacy quality metric will improve. Just look at what Microsoft did recently is making public their T&C with partners as it pertains to privacy requiring that these partners have the same strict privacy guidelines as Microsoft. Have a post on this particular issue with a link to the MS T&C over on my site.

An important point you make is that consumers are willing to share information if they get something in return. Same will hold true for medical information. One need only look at a site such as PatientsLikeMe to see consumers share the deepest details of their medical history in the hopes of helping one another deal with the serious chronic illnesses that they, as a community are suffering with. That my friend speaks volumes to what privacy is and is not!

Again, great post Matt and glad to see that others share the same feeling as I on this red herring of an issue.

Posted by: John, Industry Analyst, Chilmark Research | Mar 13, 2008 7:06:12 AM

"You have zero privacy anyway. Get over it."
Scott McNealy, CEO Sun Microsystems 1998

Posted by: Doc99 | Mar 13, 2008 7:34:50 AM

Matthew,

I'm with you.

Is our energy truly best directed to worrying about 1) preventing a potential privacy violation or about 2) preventing getting killed or maimed in the health system due to lack of information technology and care providers having the right information at the right time?

#1 is a very valid, but mostly theoretical concern.

#2 is a very real problem affecting all of us today.

Vince

Posted by: Vince Kuraitis | Mar 13, 2008 10:14:00 AM

Good rant, Matt!

Speaking of privacy, has anyone checked out Google street view lately? If you live in a major city, there is a good chance you can see an up-close view of your house. Wonderful yet creepy.

Posted by: jd | Mar 16, 2008 6:13:20 PM

Matt,

You need to consider the following about HIPPA. The Bush admin repealed the HIPPA consent provision which required gaining a patient's consent before his or her medical informaion could be shared for "health care operations," and this is what opened the door to doctors, big Pharma, and other companies and entities being able to access a person's medical information.In your home of the UK, 60 percent of doctors have stated that they will refuse to upload patient’s medical records into the Connecting for Health database because it violates people's right to privacy. And this is in a nation with socialized medicine where the government employees reject the policy of their own government!

Here are the reasons I steadfastly oppose the Nationwide Health Information Network, RHIOs, and any other sort of national medical database. What would the impact be upon a person if a bank can review a person's medical history when applying for a loan, if that person has some challenging condition like MS? Would an employer hire someone upon review of their medical records indicating treatment for mental illness? What about insurance companies being able to access every doctors visit of a person in order to find a way to rescind their health insurance. Before developing EHRs, there needs to be a groundwork created that states the patient has the right to control access to his or her medical information and segregate that medical history as well. The government should never be in the business of forcing people to have computerized medical records against their will. This is why patients should be required to opt in and or opt out of RHIOs or the NHIN. Insurance companies, banks, and employers should be prohibited from accessing a patient's EHRs. At this point, one can develop EHRs that can offer the potential benefit without sacrificing their right to privacy as guaranteed by the 4th Amendment.

Posted by: Anonymous | Mar 17, 2008 3:53:53 PM

If you're a frequent flyer road warrior and find yourself on a gurney in some E.R. room in need of urgent medical attention while away from home, seems to me you would absolutely want the attending Doc or E.R. medic to have immediate access to your personal health information (PHI) so they could abide by the "due no harm" mantra. Whether your personal health info is stored in a CCR or EHR or PHR or some other portable appliance, so long as the Doc can instantly and accurately identify (you are you) and immediately find out what Meds you're taking and what Meds he should NOT administer, this is a must have for all of us.

As a Consumer, I want my personal health info on a system that is secure, accurate and readily available to those who need to take care of me.

Why else would so many prominent Health IT Vendors be building exactly such of solution. The Center for Health Information Technology highlights a few: http://www.centerforhit.org/x2022.xml

Posted by: Neil Ferree | Mar 24, 2008 9:05:24 AM

Re: your comments on PHR, privacy & Deborah Peel --

We'd like to draw your attention to substantial elements of misinformation and misinterpretation included in a note recently published in Healthcare IT News, on 3/21/08, titled “Patient privacy rights advocate attacks plans to mine medical records.”

Perlegen shares with Dr. Peel, the author of the note, the highest regard for maintaining patient privacy. We are actively working to protect that privacy in the context of realizing the substantial clinical benefits we all might expect from the advent of more personalized medicine.

Making personalized medicine a reality relies on the discovery and validation of genetic markers to help predict how individual patients might respond to specific medical treatments. Technology for genetic analysis is no longer the bottleneck, thanks to enormous advances in SNP genotyping and next-generation re-sequencing tools. Rather, it is the lack of clinically-appropriate, appropriately consented DNA sample sets that has effectively stymied this effort. Our collaboration for de-identified EMR access is designed to solve this bottleneck, in a way that is absolutely consistent with patient privacy and each individual’s right to self-determination.

To reiterate the point we made in our press release – Perlegen will never have access to the specific identity of any patient, nor will any patient’s DNA ever be collected, much less used, without their prior, written and fully-informed consent. That is the law, and Perlegen is firmly committed to following it in both letter and in spirit.

In fact, we will only have access to de-identified data fields, from which we can sort those case records covering patients from whom we believe a DNA sample might be useful in understanding their variable response to treatments they’ve already received. We then work through our EMR provider, who in turn works with both the medical facilities and physicians that treat those patients. Before those institutions re-identify any patient, the treating hospital or clinic must receive IRB approval for the study. Only at that point may patients be contacted and informed that preliminary review indicates they might be suitable for a study, and asked if they then consent to further review of their records by their physician.

If that treating physician, based on the allowed chart review, then concurs that the patient meets the study criteria, the physician may contact the patient to offer him or her the possibility of participating in the study, by providing a new and fully-consented DNA sample. The sample is then immediately de-identified, linked with the de-identified case record, and sent back to Perlegen for further analysis – thus, at no time does Perlegen ever have identifiable clinical information anywhere in its possession. We take these responsibilities seriously and have worked out what we believe is the minimum possible information set required to develop a potential genetic diagnostic test: correlation between a set of de-identified genetic markers and a set of de-identified clinical outcomes.

The FDA and the pharmaceutical industry have been under assault for years on the subject of drug safety and effectiveness, but they’ve had a limited set of tools with which to make progress in this important area. The genetic studies we’re conducting hold the promise to make significant improvements in this area, but only through rigorous scientific studies involving significant numbers of clinically-appropriate and fully-consented DNA samples from the right sets of patients. We firmly believe this use is appropriate, we’ve repeatedly verified that it is within HIPAA guidelines, is absolutely respectful of patients’ rights to privacy and self-determination, has solid safeguards in place for data management and information flow, and provides each treating hospital or clinic with direct inclusion in the process though site-specific IRB approvals, physician-guided sample collection, and – always – individual patient consents.

Thank you for your time and consideration.

Sincerely,

Bryan L. Walser, MD, JD
Chief Executive Officer
Perlegen Sciences, Inc.

Posted by: Bryan Walser, MD, JD | Mar 26, 2008 5:50:03 PM

Thank you for drawing our attention to the right focus. As you wrote, “the biggest problem with the United State’s health care system and its use of technology is not privacy violations. It is the inefficient use of data causing harm (and costs and poor quality care).” You managed to introduce common sense back into the discussion; the setting up of national health care information adds no additional risk to patient’s privacy rights than what actually exists now. The information uploaded to the system is a mere copy, not the original. In fact, what is uploaded can be de-identified, thus offering patient privacy protection. Naturally, a well-designed system will preserve consumers’ right to decide who gets access to the data. Perhaps, consumers or patients may specifically block insurance companies, financial institutions, and employers from accessing the information. This will address the concern that these business entities may use the information to deny insurance coverage, loans, or employment, which creates whole new classes of people who are unemployable, uninsured, and dependent on the government, as Dr. Deborah Peel of Patient Privacy Right Foundation claimed. I believe consumers will appreciate that with Microsoft, Google, and Dossia getting into the business; the overall PHR industry privacy quality will improve. The Health Insurance Portability and Accountability Act, written before any PHR vendors came into business, is not updated, but can be amended or modified to come up with a broader “covered party” definition, and to standardize patient privacy disclosure code for PHR vendors requiring the sale of data only in a de-identified format. We therefore should not use any loophole in HIPAA to deny the value of a national health information system. A consumer will share personal information if there is a return or benefit. A borrower gives up his/her social security number in the loan application and allows a bank to access his/her credit report. We provide our medical history, together with the social security number and other personal data in the purchase of a health insurance policy. As a traveling person, I want my personal health information on a system that is secure, accurate, and readily available to those who need to take care of me, especially in times of an emergency. What good is my personal privacy will do for me if I no longer exist to give meaning to it.

Posted by: DHL | Apr 14, 2008 11:20:34 PM

Post a comment

Name:

Email Address:

URL:

Remember personal info?

Comments: