Friday, December 10, 2010

Don't Worry, the Feds Say Your Medical Information Will Be Kept Absolutely Private

With the planned burgeoning of health IT nationally and the formation of information "exchanges", ensuring information privacy, confidentiality and security become paramount. Systematic threats to medical privacy, confidentiality and security could do significant damage to our Republic.

Yet, according to Modernhealthcare.com in "Looking to loosen privacy rules in Calif." (Dec. 7, 2010):

The head of a federal privacy and security advisory committee and a lawyer for a prominent consumer affairs organization are scheduled to press California officials this week to revise that state's health information exchange (HIE) guidelines [which have strong opt-in consent requirements -ed.] to conform to less-stringent federal privacy recommendations.

Joseph Conn, author of the article relates:

Deven McGraw, director of the Health Privacy Project at the Center for Democracy & Technology, a Washington think tank, and Mark Savage, a San Francisco-based lawyer for Consumers Union [McGraw is also an appointee to a prominent role in the federally charted HHS Health IT Policy Committee; see below - ed.], are to participate via telephone Thursday in a meeting of the California Privacy and Security Advisory Board [CalPSAB].

Here's the problem:

The CalPSAB advises the state's health secretary on healthcare privacy and security policy. Given the traditional leadership role that California plays in the healthcare industry, the board's recommendations could influence how patient consent is handled in electronic health information exchanges nationwide.

Why these recommendations? To satisfy the needs of the reckless rush to national health IT:

McGraw, a lawyer, is a member of the federally charted Health IT Policy Committee, created pursuant to the American Recovery and Reinvestment Act of 2009 to advise the Office of the National Coordinator for Health Information Technology at HHS. McGraw also serves on five work groups or subcommittees of the Health IT Policy Committee. She is chairwoman of its privacy and security workgroup and co-chairwoman of its privacy and security tiger team. [The name "tiger team" makes me wonder who's going to get mauled - ed.]

McGraw and Savage sent a letter Oct. 6 to California Health and Human Services Sec. S. Kimberly Belshe along with a copy of the tiger team's recommendations on privacy and security for health information exchange originally sent to ONC head David Blumenthal on Aug. 19. They also sent Belshe a 10-page "briefing paper" summarizing those recommendations and a follow-up letter Dec. 5.

The briefing paper urged California to "adopt a comprehensive framework of privacy protections such as that recommended by the tiger team." [I.e., that are less stringent than California's - ed.]

They threw a little fear into their recommendations:

The brief also warned that with the first stage of a federal IT incentive program beginning soon, without a consent policy in place, "California's privacy and security framework for patient health information cannot be completed." Furthermore, if that framework isn't completed, the brief asserted, "eligible providers cannot achieve the meaningful-use criteria and benefit from the substantial federal reimbursements."

In other words, "The feds have rushed you to such a point that you cannot possibly have enough time to seriously consider and put into place rigorous privacy regulation, so adopt our 'tiger team' recommendations (or you ain't gonna get money from the feds)."

This is not reassuring.

Among other issues, it seems another example, as in HITECH itself, of the Federal Government setting timelines and policies and using the "fear, uncertainty and doubt" (FUD) principle to manipulate and strong-arm the States into ceding their rights to regulate healthcare. Such Federal overreach seems to be common these days.

Only now, due to the nature of the data involved, this gets personal.

Listen to us, we're the Tiger Team!

Of course, there's always plausible deniability:

Officially, the ONC is not a party to the push by McGraw and Savage to leverage the federal tiger team's work in California, according to the ONC. Asked whether the ONC was aware of and supports the efforts of McGraw in California, spokeswoman Nancy Szemraj said, "We have no knowledge of this letter."

Again, not very reassuring or credible, considering:

1) as above, that McGraw and Savage sent a letter Oct. 6 to California Health and Human Services Sec. S. Kimberly Belshe along with a copy of the tiger team's recommendations on privacy and security for health information exchange originally sent to ONC head David Blumenthal on Aug. 19.

and:

2) McGraw's role on five work groups or subcommittees of the Health IT Policy Committee:

Health IT Policy Committee (A Federal Advisory Committee)

The Health IT Policy Committee will make recommendations to the National Coordinator for Health IT on a policy framework for the development and adoption of a nationwide health information infrastructure, including standards for the exchange of patient medical information. The American Recovery and Reinvestment Act of 2009 (ARRA) provides that the Health IT Policy Committee shall at least make recommendations on standards, implementation specifications, and certifications criteria in eight specific areas.

-- SS

Addendum Dec. 10, 2010:

This post generated a comment containing a significant logical fallacy, apparently from Harley Geiger, staff counsel of the CDT (Center for Democracy and Technology) which is one of the key actors mentioned in the Modern Healthcare story. The comment and my comment back can be seen in the comments section at this post.

If the comment was truly from Mr. Geiger, I would be even less confident than before that an organization whose staff counsel will not or cannot proffer a logically coherent argument will protect our precious freedoms.

-- SS

20 comments:

Harley Geiger said...

CDT and Consumers Union are not trying to change California health privacy rules. The "rules" aren't rules yet - CalPSAB is still considering them. We submitted a proposal to CalPSAB which we believe will strengthen patient privacy when the rules are in place.

CalPSAB is considering additional consent requirements to share data if it is electronic form, but not if it is exchanged via paper or fax. In our view, this does not target inappropriate data sharing, but instead punishes digital exchange as a medium and creates a disincentive for providers to adopt health IT for no real privacy gain.

The consent requirement at issue is whether consent should be required for electronic exchange as a medium. This is distinct from a consent requirement tied to the underlying data: our proposal would not change California's consent requirements for sensitive data categories.

We are skeptical that California law requires consent for electronic exchange (again, as a medium only). Rather than trying to "change" California law, we believe our proposal is consistent with current California law. There is no "loosening" taking place at all.

The suggestion that Deven McGraw is threatening to withhold federal money from California is completely absurd and offensive. She does not even have the power to do so. McGraw is not submitting this proposal to CalPSAB in her capacity as a Tiger Team member (and never suggests that she is doing so) but as part of her work with CDT. That is why ONC has "no knowledge" of the letter. (By the way, "Tiger Team" is a term commonly used to describe a team that tests privacy and security.)

This story is laden with inaccuracies and unwarranted innuendo. A simple 10 minute call to CDT would have averted both. We are more than willing to discuss our views and comments. You have a right to your conclusions, but it's very disappointing when you make up your own facts.

Harley Geiger, Center for Democracy & Technology

Live it or live with it said...

Don't you just love the new rallying words "Everyone is entitled to their own opinion, but not their own facts".

I have an oldie but goodie too "If it looks like duck, walks like a duck, and quacks like a duck, then it just may be a duck."

Roy M. Poses MD said...

For those who are not regular readers of this blog -

We have said repeatedly, we are not reporters. We comment on what is already in the public domain. In that role, we often comment on what has been written in reputable publications.

Dr Silverstein's original post commented on a post in Modern HealthCare's IT Everything blog. He made that abundantly clear, by providing the link, and making it obvious when he was quoting and when he was commenting on what he was quoting.

Harley Geiger apparently takes issue with some of the opinions stated in the IT Everything blog, about whether CDT's recommendation would "change" or "loosen" California's laws, which, of course, depends on how one interprets those laws.

Harley Geiger posted comments identical to the comments above on the IT Everything blog, thus apparently not making a distinction between that blog, and our blog's commentary on that blog.

Rick Johnson's comments above would have it both ways. He accused Dr Silverstein of "parroting," that is quoting the original blog, but then disallowed his right to comment on it, without having done original reporting himself. If no person could comment on any fact without having done the original research to establish that fact, it would be a pretty quiet world.

InformaticsMD said...

Harley Geiger said...

The suggestion that Deven McGraw is threatening to withhold federal money from California is completely absurd and offensive.

I was very clear in my posting where I wrote:

They threw a little fear into their recommendations:

The brief also warned that with the first stage of a federal IT incentive program beginning soon, without a consent policy in place, "California's privacy and security framework for patient health information cannot be completed." Furthermore, if that framework isn't completed, the brief asserted, "eligible providers cannot achieve the meaningful-use criteria and benefit from the substantial federal reimbursements
."

Now, Mr. Geiger, your comment about my post where you accuse me of accusing Deven McGraw of threatening to withold money is a strawman argument, a tactic usually used by those who've already lost an argument.

You have lost credibility by posting such a strawman argument.

If we cannot agree to debate via the ground rules of logical argument (those at http://www.nizkor.org/features/fallacies/ suffice), then there are no grounds on which to reach any kind of meaningful understanding.

Please come back with a well thought out, reasonable comment that I can respond to.

Thank you.

-- SS

InformaticsMD said...

I would also add that "Live it or live with it said..." who made the 'ducks' comment is an anonymous individual who comments here periodically.

Anonymous said...

Rick Johnson’s comment is about a comment, not the post. When did Glen Beck come into the discussion? Come on now Rick, we have been down this road before, divert and association are old, very old, sales techniques. You need to get a new spiel.

Harley, just stop and think, paper takes people. You are not going to send patient information via paper without people being involved. Electronic dumps are easy; think the current situation with Wikileaks. There is built in safety when a large number of patient records are requested and someone has to process the paper.

My wife is about to retire after 30 years with State and local government, so don’t blow smoke about how one group does not know what another group is doing with all of the cross population that goes on in government. Also, the Federal compliance issue is old and over used. My question is: What vendor will get the contract?

The idea that anyone in your office would take a call and discuss this issue is laughable. Not going to happen.

Finally, using California as an example of good governance and best practices, given their current financial situation and inability to deal with any issue is absurd.

I am old and cranky, so if you guys are going to hack a post, do a good job of it. I am not a fan of Glen Beck, but the few shows I have seen open with “Do you own research.” You gentlemen may do well to take his advice.

Steve Lucas

InformaticsMD said...

NOTE Re: "Rick Johnson" said...

Ducks? That's your comeback... ducks?at simply swallow his garbage. Ducks... I don't f'ing believe you actually wrote that.

December 10, 2010 2:05:00 PM EST

'Rick Johnson' is a fake name for a frequent heckler or hecklers who frequent this blog, as detailed here: http://hcrenewal.blogspot.com/2010/01/more-on-perversity-in-hit-world.html.

His/their comment(s) using a number of different aliases come(s) from:

IP Address 173.76.163.# [Verizon, Boston area, http://ip-lookup.net/goto?l100.bstnma-vfttp-123.verizon-gni.net/]

Language English (U.S.)
en-us
Operating System Macintosh WinXP
Browser Safari 1.3
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Javascript version 1.5
Monitor
Resolution : 1440 x 900
Color Depth : 32 bits
Time of Visit Dec 10 2010 12:54:40 pm
Last Page View Dec 10 2010 1:37:39 pm
Visit Length 42 minutes 59 seconds
Page Views 2
Referring URL
Visit Entry Page http://hcrenewal.blogspot.com/
Visit Exit Page http://hcrenewal.blogspot.com/
Out Click 1 comments
https://www.blogger.com/comment.g?blogID=9551150&postID=6408828968119489909&isPopup=true
Time Zone UTC-5:00
Visitor's Time Dec 10 2010 12:54:40 pm
Visit Number 808,486

He was still lurking as of 2:33 PM EST:

Domain Name (Unknown)
IP Address 173.76.163.# (Unknown Organization)
ISP Unknown ISP
Location
Continent : Unknown
Country : Unknown
Lat/Long : unknown
Language English (U.S.)
en-us
Operating System Macintosh WinXP
Browser Safari 1.3
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Javascript version 1.5
Monitor
Resolution : 1440 x 900
Color Depth : 32 bits
Time of Visit Dec 10 2010 2:33:18 pm
Last Page View Dec 10 2010 2:33:25 pm
Visit Length 7 seconds
Page Views 1
Referring URL
Visit Entry Page http://hcrenewal.blogspot.com/
Visit Exit Page http://hcrenewal.blogspot.com/
Out Click 3 comments
https://www.blogger....9489909&isPopup=true
Time Zone UTC-5:00
Visitor's Time Dec 10 2010 2:33:18 pm
Visit Number 808,533

-- SS

Live it or live with it said...

Sorry I created confusion. Although a fan of HCRenewal, I am no blogger.

Still however you say it, a suggestion that funding is contingent, influenced or even related on compliance or attributes in another area, is an off hand threat, even if unstated as such.

It's kind of like a prospective employer bringing up questions of age, sexual orientation, race or pregnancy status during an interview. The presumption is, if you mention it, it matters to the hiring process.

Moreso saying that the comment from someone was made not in their official capacity so it doesn't formally count is pretty much the same as is often decribed here as legal but not in keeping with the spirit of the law.

If ducks are offensive, I guess I could have said, "A rose by any other name would smell as sweet."

InformaticsMD said...

Live it or live with it said...

Still however you say it, a suggestion that funding is contingent, influenced or even related on compliance or attributes in another area, is an off hand threat, even if unstated as such.

While it might be construed that way by some, I look at it simply as an attempt to use the "FUD" principle (instilling fear, uncertainty and doubt) to affect the behavior of others. That is reflected in my post.

Perhaps I am being generous, but FUD is a common bureaucratic tactic which I've seen many times, for example, in my dealings with health IT bureaucrats.

I've also seen it from the highly militant labor union leaders I've worked with when I was practicing medicine in the occupational medicine dept. of a regional public transit authority years ago, although those folks also sometimes resorted to more overt threats. Such as banging fists on the table at union-medical meetings!

-- SS

InformaticsMD said...

Live it or live with it said:

If ducks are offensive, I guess I could have said, "A rose by any other name would smell as sweet."

Ducks are very inoffensive. In fact they're smart and cute.

The stream in my area park froze over earlier than usual a few days ago. Dozens of wild Mallard ducks used to being fed by people when in the water simply relocated to the park grounds!

They were even trying to see if Christmas ornaments hung on the bushes were edible, then followed me back to the lot after I fed them bread and checked cars out for taste as well!

See these pictures:

one two three

Scot

Anonymous said...

The risks to our privacy from electronic medical records out weigh any benefits, and once you give permission to send the records around, mistakes will be there forever to haunt you. I have recently become familiar with a physician who needed a colonoscopy. The GI doc listed occult blood in stool as the indication (in order to get paid and not have hospital bean counters ask questions. This erroneous diagnosis is now forever in many pages of the EHR, interfering with the cost of life insurance (the insurance broker sought all records).
The request to expunge the erroneous diagnosis has gone unheeded. Privacy laws must address the matter of errors in the record being sent around. This has implications for life.

Is it not despicable how easy it is to enter an erroneous diagnosis, and how difficult it is to correct an error in an electronic record?

Unknown said...

Ah, Steve, I was really digging your post and then you roll over and cough up the old canard of "[t]he idea that anyone in your office would take a call and discuss this issue is laughable. Not going to happen."

What?? You state that like it's an absolute. Have you ever tried calling? Obviously CDT talks to the press ALL THE TIME -- just do a quick Google search and it will prove that out.

But you know, I say call their bluff! I'm sure they have some kind of press person/communications person. Give that person a call and see if they blow you off. Report back; hell, you can hang up the phone if you it sounds like someone is actually going to talk to you.

I agree with 95% of all you said, Steve, now, get to me 100 percent

InformaticsMD said...

Dave said to our reader Steve:

Have you ever tried calling? Obviously CDT talks to the press ALL THE TIME

Dave [of unavailable Blogger profile, a.k.a., "ANONYMOUS"],

The staff counsel of this organization seemed not willing (or worst case, able, but I really don't believe that) to provide a logically coherent argument in his post here.

As of yet I have not received a reply to my pointing that out. Until that occurs, my confidence in the value of any "discussion" is quite low.

Finally, let me distill out the fundamental raison d'être of the blog post above this comment section:

Either a party believes in stringent medical data Security, privacy & confidentiality - which includes strong opt-out provisions for both capture and transmission of one's data outside the privacy of the doctor's office or hospital for purposes they cannot control or be entirely aware of - or one doesn't.

It would appear CDT is not keen on the latter.

As a Medical Informatics specialist and patient's rights advocate, I find that position untenable no matter what spin or legalistic veneer is placed on it.

Indeed, CDT staff counsel wrote ...

We are skeptical that California law requires consent for electronic exchange (again, as a medium only). Rather than trying to "change" California law, we believe our proposal is consistent with current California law. There is no "loosening" taking place at all.

instead of ...

We are working very hard to get opt-out provisions for elecronic exchage of data as well.

... which would meat my expectations of an organization called "Center for Democracy and Technology."

Finally, the statement about "punishing digital exchange as a medium and creates a disincentive for providers to adopt health IT" sounds almost commercial to me. It's patients who get punished by data abuses.

A "medium" cannot be "punished."

However, those who make money from the medium and from health IT [the benefits of which, to patients, is debatable in its present form, and the risks of which are unknown] can be.

-- SS

InformaticsMD said...

I also add that either we distinguish the exponentially increased risk to privacy and confidentiality of computerized health data vs. paper, or we don't.

Those who don't, or to whom the notion is foggy or blurred, should not be involved in technology.

Or should get a job with Wikileaks.

-- SS

Anonymous said...

Dave,

I am glad you liked 95% of my comment. You are correct in that I did not contact CDT.

What I did not mention is that my wife is an attorney/administrator in government dealing with massive amounts of computerized personal information and her repeated experience is that the public statements of many groups dealing with government agencies do not match their goals.

She has been deliberately excluded from resolving certain issues so that the “communications” department can handle those sensitive matters. My statement is based on her decades of experience.

I cannot improve on Scot’s statement.

Roy’s statement made it clear the function and nature of HCR.

I am pleased to see you did not try to discredit my entire comment by taking issue with one point. That is another very old sales technique that has outlived its usefulness.

My hope is that CDT may find the lively discussion on this, and other blogs, worth a public clarification.

Steve Lucas

InformaticsMD said...

Steve Lucas wrote:

I am pleased to see you did not try to discredit my entire comment by taking issue with one point. That is another very old sales technique that has outlived its usefulness.

Steve,

Your analysis of corporate sockpuppets running mayhem on blogs is quite accurate.

You'd left a comment about this at my post in Jan. of this year about perversity in the HIT vendor community, specifically the Meditech sockpuppet where you wrote:

--------------------
In reading this thread of comments I have to believe IT Guy is a salesperson. My only question is: Were you assigned this blog or did you choose it? We had this problem a number of years ago where a salesperson was assigned a number of blogs with the intent of using up valuable time in trying to discredit the postings.

In my very first sales class we learned to focus on irrelevant points, constantly shift the discussion, and generally try to distract criticism. I would say that HCR is creating heat for IT Guy’s employer and the industry in general.

I find it sad that a company would allow an employee to attack anyone in an open forum. IT Guy needs to check with his superiors to find out if they approve of this use of his time, and I hope he is not using a company computer, unless once again this attack is company sanctioned.

--------------------

We must have hit a chord again as the flak is heaviest when you're over target.

Along with a recent extremely rude communication thrown at me that, let's just say for the sake of politeness, disparaged minoritiy groups such as gays (although I am not a member of that group), we have been harassed the past few weeks from IP 173.76.163.# (Verizon in Boston Area) by someone on a Mac portable.

Via the Sitemeter logs, this person or person(s) logs in often and almost immediately outclicks to the various comment threads he or she or they have tried to disrupt. This occurs through the afternoon, evening and even into the wee hours.

Along with the aforementioned crude hate speech against minorities were these attempts at misdirection, topic shifting, and crass insults from just the past few days:

--------------------
Date: December 12, 2010 1:46 PM
How is [correcting errors in EMR] any different from a paper record?

Date: Sat, Dec 11, 2010 at 2:33 PM
Scot, I have bad news for you and your ongoing meltdown. Rick Johnson has nothing to do with me. I have no idea who that is.

Date: Thu, Dec 9, 2010 at 6:59 PM
Radiation therapy and alarm hazards were #1 and #2. When is your anti-radiation alarm hazard rant going to start?

Date: Wed, Dec 8, 2010 at 7:20 PM
That's pretty funny. Unlike you, I deal with issues like that every day. I was just wondering if you realized that your blog post is a massive pantload. The fact that you're not even attempting to add any substance to your bullshit leads me to believe that you're well aware that it's just bullshit. If you're wondering why HIT vendors aren't looking to you for ideas (for which you threatened to "go Galt"), it's probably because they don't like to pay for bullshit.

Date: Sun, Dec 5, 2010 at 1:38 PM
Good thing for you that they're all deadly, right? It's very disturbing that someone as ignorant as you is employed by a major university.

--------------------

This is quite a pitiful situation.

In any case, further comments from this IP and profile will be deleted.

InformaticsMD said...

I note an interesting 8:52 AM Dec. 13 "hit" on the blog with outclick directly to this comments section of this post, via a Mac running the now-familiar Macintosh WinXP and Safari 1.3.

-----------------------

Domain Name (Unknown)
IP Address 12.11.157.# (Medical Information Technology)
ISP AT&T WorldNet Services
Location
Continent : North America
Country : United States (Facts)
State : Massachusetts
City : Milford
Lat/Long : 42.1544, -71.521 (Map)
Language English (U.S.)
en-us
Operating System Macintosh WinXP
Browser Safari 1.3
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.89 Safari/532.5
Javascript version 1.5
Monitor
Resolution : 1024 x 768
Color Depth : 32 bits
Time of Visit Dec 13 2010 8:52:40 am
Last Page View Dec 13 2010 8:53:36 am
Visit Length 56 seconds
Page Views 1
Referring URL
Visit Entry Page http://hcrenewal.blogspot.com/
Visit Exit Page http://hcrenewal.blogspot.com/
Out Click 16 comments
https://www.blogger.com/comment.g?blogID=9551150&postID=6408828968119489909&isPopup=true
Time Zone UTC-5:00
Visitor's Time Dec 13 2010 8:52:40 am
Visit Number 809,460

InformaticsMD said...

Another interesting hit from Meditech, along the same pattern as the other hits from the private Massachusetts ISP.


Domain Name (Unknown)
IP Address 12.11.157.# (Medical Information Technology)
ISP AT&T WorldNet Services
Location
Continent : North America
Country : United States (Facts)
State : Massachusetts
City : Milford
Lat/Long : 42.1544, -71.521 (Map)
Language English (U.S.)
en-us
Operating System Macintosh WinXP
Browser Safari 1.3
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.89 Safari/532.5
Javascript version 1.5
Monitor
Resolution : 1024 x 768
Color Depth : 32 bits
Time of Visit Dec 13 2010 9:53:56 am
Last Page View Dec 13 2010 10:52:59 am
Visit Length 59 minutes 3 seconds
Page Views 4
Referring URL
Visit Entry Page http://hcrenewal.blogspot.com/
Visit Exit Page http://hcrenewal.blogspot.com/
Out Click 18 comments
https://www.blogger.com/comment.g?blogID=9551150&postID=6408828968119489909&isPopup=true
Time Zone UTC-5:00
Visitor's Time Dec 13 2010 9:53:56 am
Visit Number 809,476

Anonymous said...

The dangers of these devices are widespread and this blog is heroic in bringing these issues to the fore.

The companies irresponsibly selling these devices ought to be worried.

And they are, leading to the posts above.

Criminal charges may be in the offing, especially when patients die because of devices that are being sold in violation of the F D and C Act.

InformaticsMD said...

Anonymous December 13, 2010 11:37:00 AM EST wrote:

The dangers of these devices are widespread and this blog is heroic in bringing these issues to the fore.

Not really heroic. It's simply a civic duty. Someone has to do it.

Also, pre-informatics I'd worked with militant labor unions in a regional transit authority, and I learned a great deal from them in how not to fall into the "learned helplessness" trap. Put another way, they "unlearned" me of that.

It was not all abusive. I did get some respect from them as my cousin had been, let's just say, a high ranking Teamster.

I also can mention that I found the sockpuppet's comments especially offensive, considering the grave injuries my mother suffered in May due in large part to EMR deficiencies, of which he/she was aware, and her present incapacitation requiring 24x7 care, some of which I am providing.

-- SS