Wednesday, October 07, 2009

Health IT Vendors Trafficking in Patient Data?

Of all the risks posed by electronic health records, perhaps the largest is to privacy, confidentiality and other civil liberties, through the ability of information technology to rapidly duplicate and disseminate massive amounts of data.

This duplication and dissemination can be performed in a controlled manner for the betterment of patient and public health, but it can also occur in a harmful manner that serves the interests of others, often without meaningful informed consent by the patients (legal jargon on typical disclosure forms that almost nobody reads or understands does not fall into what I consider "meaningful").

This can occur in, for example, the stealing of computers and computer backup disks, tape etc., which seems to be a common occurrence in the news in recent years, or through corporate processes that carry inherent risk of abuse. Here is just one recent example of both data mismanagement and theft involving not patients (by chance) but physicians themselves:

Blue Cross: Thousands of doctors' computer data stolen
Wednesday, October 07, 2009

Tens of thousands of doctors under contract with Pittsburgh's Highmark Inc. are being notified that their personal information, including Social Security numbers or tax ID numbers, may have been compromised when a laptop containing sensitive data was stolen from a Blue Cross-Blue Shield Association employee.

Physicians and specialists in western and central Pennsylvania are being notified of the breach this week, according to a Highmark spokesman. Across the country, the number of affected doctors is expected to reach the hundreds of thousands once a review of the theft is complete, said national Blue Cross-Blue Shield Association spokesman Jeff Smokler. The stolen computer did not contain patient information. [Simply due to luck -ed.]

The letter sent to Highmark providers said "a BCBSA employee [transferred] provider data information onto a personal laptop, in violation of BCBSA's established data security policies."

I have recently become aware of an example of purposeful corporate healthcare data trafficking that gives me pause.

Cerner’s LifeSciences traffics in patient data taken from the EMRs its company sells to healthcare organizations. See the document below. They advertise:

Cerner LifeSciences’ data warehouses and consulting services help you manage your R&D opportunity through Cerner’s analytical solutions. Through our data mining of our vast warehouse of electronic health records (EHRs), you can accelerate development processes and reduce business risks. Each year, new compounds debut new abilities or first-in-class molecules. Far more common are new compounds that target the same receptors as compounds already in the market ... This is when Cerner LifeSciences makes it possible to analyze anonymous, HIPAA-compliant, EHR-derived data for efficacy and safety.

Cerner apparently includes contract language with their HIT customers that allows them to traffic in "de-identified" patient data for sale to drug companies and others, getting the data essentially as a "value add" (to the HIT vendor, that is) from its healthcare IT customers. (The flyer below does not indicate pricing of healthcare data, but it's likely substantial.)

A major HIT vendor selling patient data to anyone who wants it. (Full copy is at this link in PDF format).

This practice raises numerous questions:

  • Meaningful informed consent issues: as an example, of 1000 patients at one of the facilities using this vendor's HIT products, what percentage would be able to tell me they know their data is being trafficked to pharmaceutical companies and other organizations for profit?
  • Healthcare data ownership and stewardship issues: who, exactly, extracts the data for aggregation and sale? Hospital employees properly trained and bonded (i.e., Healthcare Information Management professionals) regarding privacy of patient data? IT personnel lacking such credentials and experience? HIT vendor employees?
  • De-identification issues: what processes are being used to de-identify data? Who is performing it? At some point before the data is de-identified, it is protected information in identifiable form. Is access to the data during de-identification audited in any way, and if so, by whom? If not, why not? (Also see article on re-identification below.)
  • Legal issues: who is, by contract, liable for data breaches that occur in the transfer process?
  • Pharma integrity issues: with the many stories on this blog and others about ethically questionable pharma practices such as ghostwriting, manipulation of clinical research, suppression of research, pushing drugs on physicians and patients for unapproved off-label uses, etc., what are these organizations going to do with the data? Who will have access to it, and will their access be audited? Are they going to resell it? Might they try to re-identify data to locate individuals of interest? And so forth.

Serious consideration of these issues in vendor-led healthcare data trafficking becomes more imperative in the face of just how easy it is to "re-identify" data:

Ohm, Paul: "Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization" (August 13, 2009). University of Colorado Law Legal Studies Research Paper No. 09-12. Available at SSRN:


Computer scientists have recently undermined our faith in the privacy-protecting power of anonymization, the name for techniques for protecting the privacy of individuals in large databases by deleting information like names and social security numbers. These scientists have demonstrated they can often 'reidentify' or 'deanonymize' individuals hidden in anonymized data with astonishing ease. By understanding this research, we will realize we have made a mistake, labored beneath a fundamental misunderstanding, which has assured us much less privacy than we have assumed. This mistake pervades nearly every information privacy law, regulation, and debate, yet regulators and legal scholars have paid it scant attention. We must respond to the surprising failure of anonymization, and this Article provides the tools to do so.
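An added example, not part of the original post or of Ohm's paper: a k-anonymity audit a data steward could run on an extract before release, showing why deleting names and Social Security numbers alone does not de-identify it. The records, the field names and the choice of quasi-identifiers (ZIP, birth date, sex) are constructed assumptions, and k-anonymity is a standard measure the post itself does not name.

```python
from collections import Counter

# Constructed sample extract: names and SSNs already deleted. All values are
# invented and the field names (zip, birth, sex, dx) are hypothetical.
RECORDS = [
    {"zip": "15213", "birth": "1961-03-14", "sex": "F", "dx": "E11.9"},
    {"zip": "15213", "birth": "1961-09-02", "sex": "F", "dx": "I10"},
    {"zip": "15217", "birth": "1961-11-30", "sex": "F", "dx": "E11.9"},
    {"zip": "15213", "birth": "1961-05-05", "sex": "F", "dx": "J45.909"},
    {"zip": "15232", "birth": "1975-01-20", "sex": "M", "dx": "I10"},
    {"zip": "15232", "birth": "1975-06-05", "sex": "M", "dx": "K21.9"},
    {"zip": "15206", "birth": "1975-12-11", "sex": "M", "dx": "I10"},
    {"zip": "15090", "birth": "1948-07-07", "sex": "F", "dx": "C50.919"},
]
QUASI_IDENTIFIERS = ("zip", "birth", "sex")  # assumed set; choose per dataset


def generalize(record):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and birth year only."""
    return {**record, "zip": record["zip"][:3], "birth": record["birth"][:4]}


def class_sizes(records, keys):
    """Count records sharing each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def audit(records, keys, k_min):
    """Return the dataset's k and how many records sit in classes below k_min."""
    sizes = class_sizes(records, keys)
    return {"k": min(sizes.values()),
            "records_below_k": sum(n for n in sizes.values() if n < k_min)}


def suppress_small_classes(records, keys, k_min):
    """Drop records whose combination is shared by fewer than k_min records."""
    sizes = class_sizes(records, keys)
    return [r for r in records if sizes[tuple(r[k] for k in keys)] >= k_min]


if __name__ == "__main__":
    coarse = [generalize(r) for r in RECORDS]
    released = suppress_small_classes(coarse, QUASI_IDENTIFIERS, k_min=3)
    print("raw        ", audit(RECORDS, QUASI_IDENTIFIERS, 3))
    print("generalized", audit(coarse, QUASI_IDENTIFIERS, 3))
    print("suppressed ", audit(released, QUASI_IDENTIFIERS, 3), len(released))
```

On the constructed sample every raw record is unique on the three fields, and coarsening still leaves one outlier that has to be suppressed before each remaining record shares its combination with at least two others.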

Further, Cerner is digging deeper into the life sciences, licensing its "Discovere" system to clinical trials vendors such as Quintiles Transnational (link to story in

Quintiles will use Cerner’s Web-based Discovere product, whose features include the ability to integrate data from study participants and site researchers and increase data quality by reducing transcription errors, the companies said in a release. A Cerner spokeswoman said the company isn’t disclosing financial terms of the deal.

According to an entry at HISTalk, part of "Discovere" is the former First Genetic Trust technology that Cerner bought some time ago. Quintiles signed an agreement with Cerner back in 2001 and took an equity position in it. The Discovere modules include biobanking, research registries, public health investigator workflow, clinical trials management, and adverse event reporting.

Is Cerner also selling HIT-gleaned patient data to Quintiles and other CROs (clinical research organizations)?

Other HIT vendors are sure to follow in Cerner's footsteps for competitive reasons, if not already doing so.

Another major issue:

HIT vendors like this are devoting resources to profit from medical data, diverting resources from their core business. Might health IT vendors make better use of their resources, such as improving the core products they sell to hospitals and clinicians, avoiding the "mission hostile user experience" I wrote about in this eight part series?

Might they devote resources to solving problems that are affecting entire national health IT programs, instead of peddling data from the systems they have managed to implement to third parties?

From the UK's experiences as recorded in 2007 by the former head of their National Program for HIT in the NHS (NPfIT):

Richard Granger has said he was “ashamed of the quality of some of the systems put into the NHS by Connecting for Health suppliers”, singling Cerner out for criticism (link). Going further than he has before in acknowledging the extent of failings of systems provided to some parts of the NHS - such as Milton Keynes – the Connecting for Health boss said, "Sometimes we put in stuff that I'm just ashamed of. Some of the stuff that Cerner has put in recently is appalling."

As recorded in Jan. 2009 by the UK House of Commons - Public Accounts Committee:

... Termination of Fujitsu's contract has caused uncertainty among Trusts in the South and new deployments have stopped. One option: have a choice of either Lorenzo or [Cerner] Millennium. There are, however, considerable problems with existing deployments of [Cerner] Millennium and serious concerns about the prospects for future deployments of Lorenzo.

... Programme not providing value for money at present because there have been few successful deployments of the [Cerner] Millennium system and none of Lorenzo in any Acute Trust. Trusts cannot be expected to take on the burden of deploying care records systems that do not work effectively … the Department should assess the financial case for allowing Trusts to put forward applications for central funding for alternative systems compatible with the objectives of the Programme.

Most recently, in the UK, Cerner's Millennium product is blamed for the jump from 1,700 to 23,000 patients whose referrals don’t meet the 18-week target from referral to treatment at Barts and the London NHS trust.

Should HIT vendors be devoting resources to data peddling, instead of focusing on their core mission to produce usable HIT that can facilitate healthcare professionals in providing care?

Finally, as an added item of interest, our current healthcare "czar", Nancy-Ann DeParle, was on the board of Cerner just prior to appointment in the current administration.

All of these issues considered, while I am not implying improprieties current or future, the possible permutations of problems in the resale of clinical data by HIT vendors, potentially created by careless data stewardship, profit motive, conflict of interest, malevolent motives, etc., are endless.

If there ever were a scenario for civil liberties groups to explore, it's this one.

-- SS

Addendum on HIT quality and COI issues: found this at HISTalk as well:

IT outsourcing puts MU Health at risk

An associate professor of pathology at University of Missouri criticizes his employer’s decision to outsource to Cerner … A simple Internet search turns up a plethora of complaints and reports of lawsuits regarding the effectiveness of Cerner’s software and, more important, its failure to provide requested support. The pattern of receiving untested software has been a recurring problem at this institution ...

... University Hospital’s success depends largely on the effectiveness of the people in information technology. In the past on two occasions, the billing was so flawed the hospital faced serious fiscal problems. The most recent one was in 2002, when the hospital’s viability was threatened. The major issue was the inability to produce accurate and timely billings, which cost the system millions of dollars. [where have I seen that before? How about: here (Yale) and here - ed.]

... The medical school’s administrative residency program is on probation and is undergoing critical review; a major factor is that the Cerner system is so cumbersome that resident training is compromised … Three years ago, the radiology department dropped a Cerner software program because it was seriously flawed.

... [UM President] Forsee has several business and personal ties to the company (Cerner). Forsee and Cerner CEO Neal Patterson serve together on at least two boards of trustees, and online records indicate Forsee’s son-in-law, Brandon Bell, works for Cerner.

If this all is true, I believe the problems with HIT in general are no better now, and probably worse, than when I started writing about such issues a decade ago.

I rest my case on whether the HIT vendors should focus on solving basic quality, usability and efficacy issues before peddling data ...

-- SS


Anonymous said...

Looking at today's Toronto Sun we find another EMR disaster with the release of the audit report on Ontario's attempt at electronic medical records.

Auditor General delivers stinging rebuke
Auditor General Jim McCarter has delivered a stinging slap to the Dalton McGuinty government.

Health Minister David Caplan resigned this morning as a result of the findings.

The auditor's review of the government's failed attempts to deliver electronic health records found evidence of a "favoured firm" getting a choice contract, millions of dollars spent on consultants and questionable spending on a CEO bonus.

McCarter also noted in his report that despite McGuinty's call for an inquiry into the spending fiasco, government staff were not eager to share information with auditors.

"Normally we receive the full co-operation of ministry staff," he says in his report. "Unfortunately this was not the case for this audit."

Sole-sourced contracts were a significant focus in the report with findings that eHealth paid little heed to normal government procurement practices, instead handing out expensive contracts to the "favoured" firms.

"In essence, allegations were made that contracts were sole-sourced to a number of consulting firms or individual consultants by the CEO of eHealth Ontario agency or her appointees," the report said. "Our work indicated that this was undoubtedly the case.

"Throughout the years, oversight of the EHR initiative has not been effective," the report says.

If this rather large experiment does not strike fear into the hearts of those attempting large-scale EMR integration, then they should really be questioned as to their conflicts.

Steve Lucas

Anonymous said...

Congratulations on the impressive acknowledgement in Forbes.

I become ill just thinking that a company will use health information on patients and sell it without the patients being given a right to refuse.

Repulsive with a capital "R".