
Wednesday, October 07, 2009

Health IT Vendors Trafficking in Patient Data?

Of all of the risks regarding electronic health records, the largest is perhaps to privacy, confidentiality and other civil liberties, through the ability of information technology to rapidly duplicate and disseminate massive amounts of data.

This duplication and dissemination can be performed in a controlled manner for the betterment of patient and public health, but it can also occur in a harmful manner that serves the interests of others, often without meaningful informed consent by the patients (legal jargon on typical disclosure forms that almost nobody reads or understands does not fall into what I consider "meaningful").

This can occur through, for example, the theft of computers and of backup disks, tapes, etc., which has been a common occurrence in the news in recent years, or through corporate processes that carry an inherent risk of abuse. Here is just one recent example of both data mismanagement and theft, involving (by chance) not patients but physicians themselves:

Blue Cross: Thousands of doctors' computer data stolen
Wednesday, October 07, 2009

Tens of thousands of doctors under contract with Pittsburgh's Highmark Inc. are being notified that their personal information, including Social Security numbers or tax ID numbers, may have been compromised when a laptop containing sensitive data was stolen from a Blue Cross-Blue Shield Association employee.

Physicians and specialists in western and central Pennsylvania are being notified of the breach this week, according to a Highmark spokesman. Across the country, the number of affected doctors is expected to reach the hundreds of thousands once a review of the theft is complete, said national Blue Cross-Blue Shield Association spokesman Jeff Smokler. The stolen computer did not contain patient information. [Simply due to luck -ed.]

The letter sent to Highmark providers said "a BCBSA employee [transferred] provider data information onto a personal laptop, in violation of BCBSA's established data security policies."


I have recently become aware of an example of purposeful corporate healthcare data trafficking that gives me pause.

Cerner’s LifeSciences unit traffics in patient data drawn from the EMRs the company sells to healthcare organizations. See the document below. They advertise:

Cerner LifeSciences’ data warehouses and consulting services help you manage your R&D opportunity through Cerner’s analytical solutions. Through our data mining of our vast warehouse of electronic health records (EHRs), you can accelerate development processes and reduce business risks. Each year, new compounds debut new abilities or first-in-class molecules. Far more common are new compounds that target the same receptors as compounds already in the market ... This is when Cerner LifeSciences makes it possible to analyze anonymous, HIPAA-compliant, EHR-derived data for efficacy and safety.

Cerner apparently includes contract language with their HIT customers that allows them to traffic in "de-identified" patient data for sale to drug companies and others, getting the data essentially as a "value add" (to the HIT vendor, that is) from its healthcare IT customers. (The flyer below does not indicate pricing of healthcare data, but it's likely substantial.)


A major HIT vendor selling patient data to anyone who wants it. (Full copy is at this link in PDF format.)


This practice raises numerous questions:

  • Meaningful informed consent issues: as an example, of 1000 patients at one of the facilities using this vendor's HIT products, what percentage would be able to tell me they know their data is being trafficked to pharmaceutical companies and other organizations for profit?
  • Healthcare data ownership and stewardship issues: who, exactly, extracts the data for aggregation and sale? Hospital employees properly trained and bonded (i.e., Healthcare Information Management professionals) regarding privacy of patient data? IT personnel lacking such credentials and experience? HIT vendor employees?
  • De-identification issues: what processes are being used to de-identify data? Who is performing it? At some point before the data is de-identified, it is protected information in identifiable form. Is access to the data during de-identification audited in any way, and if so, by whom? If not, why not? (Also see article on re-identification below.)
  • Legal issues: who is, by contract, liable for data breaches that occur in the transfer process?
  • Pharma integrity issues: with the many stories on this blog and others about ethically questionable pharma practices such as ghostwriting, manipulation of clinical research, suppression of research, pushing drugs on physicians and patients for unapproved off-label uses, etc., what are these organizations going to do with the data? Who will have access to it, and will their access be audited? Are they going to resell it? Might they try to re-identify data to locate individuals of interest? And so forth.

Serious consideration of these issues in vendor-led healthcare data trafficking becomes more imperative in the face of just how easy it is to "re-identify" data:

Ohm, Paul: "Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization" (August 13, 2009). University of Colorado Law Legal Studies Research Paper No. 09-12. Available at SSRN: http://ssrn.com/abstract=1450006

Abstract:

Computer scientists have recently undermined our faith in the privacy-protecting power of anonymization, the name for techniques for protecting the privacy of individuals in large databases by deleting information like names and social security numbers. These scientists have demonstrated they can often 'reidentify' or 'deanonymize' individuals hidden in anonymized data with astonishing ease. By understanding this research, we will realize we have made a mistake, labored beneath a fundamental misunderstanding, which has assured us much less privacy than we have assumed. This mistake pervades nearly every information privacy law, regulation, and debate, yet regulators and legal scholars have paid it scant attention. We must respond to the surprising failure of anonymization, and this Article provides the tools to do so.
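The abstract's point, that deleting names and Social Security numbers is not anonymization, can be made concrete by auditing the quasi-identifiers that remain in a "de-identified" extract. The Python below is an added example, not code from Ohm's paper or from this blog; the records are constructed, and the field names, the generalization rules and the threshold of k = 2 are assumptions. It computes the k-anonymity of an extract (the size of the smallest group of records sharing the same ZIP code, date of birth and sex), lists the records that are unique on those fields, and shows how the coarsening that HIPAA's Safe Harbor method calls for (three-digit ZIP prefix, year of birth only) raises k.

```python
from collections import Counter

# Constructed sample extract: names and SSNs already removed, but the
# quasi-identifiers that typically survive "de-identification" remain.
RECORDS = [
    {"zip": "15213", "dob": "1961-03-14", "sex": "F", "dx": "thyroid nodule"},
    {"zip": "15213", "dob": "1961-03-14", "sex": "F", "dx": "hypertension"},
    {"zip": "15213", "dob": "1974-11-02", "sex": "M", "dx": "asthma"},
    {"zip": "15217", "dob": "1974-11-30", "sex": "M", "dx": "asthma"},
    {"zip": "15232", "dob": "1988-07-21", "sex": "F", "dx": "migraine"},
    {"zip": "15232", "dob": "1988-07-21", "sex": "F", "dx": "depression"},
    {"zip": "15232", "dob": "1988-07-21", "sex": "F", "dx": "anxiety"},
]

# Assumed quasi-identifier fields: individually harmless, jointly identifying.
QUASI = ("zip", "dob", "sex")


def equivalence_class_sizes(records, keys):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys):
    """k = size of the smallest equivalence class; k == 1 means some record is unique."""
    sizes = equivalence_class_sizes(records, keys)
    return min(sizes.values()) if sizes else 0


def risky_records(records, keys, k_min):
    """Records whose quasi-identifier combination is shared by fewer than k_min rows."""
    sizes = equivalence_class_sizes(records, keys)
    return [r for r in records if sizes[tuple(r[k] for k in keys)] < k_min]


def generalize(record):
    """Coarsen quasi-identifiers: ZIP to its 3-digit prefix, date of birth to year.

    This mirrors the Safe Harbor rules for ZIP codes and dates; the population
    condition Safe Harbor attaches to the ZIP prefix is not modelled here.
    """
    return {**record, "zip": record["zip"][:3] + "**", "dob": record["dob"][:4]}


def audit(records, keys, k_min=2):
    """Return a before/after summary of the re-identification risk."""
    generalized = [generalize(r) for r in records]
    return {
        "k_before": k_anonymity(records, keys),
        "unique_before": len(risky_records(records, keys, k_min)),
        "k_after": k_anonymity(generalized, keys),
        "unique_after": len(risky_records(generalized, keys, k_min)),
    }


if __name__ == "__main__":
    for r in risky_records(RECORDS, QUASI, 2):
        print("unique on quasi-identifiers:", r)
    print(audit(RECORDS, QUASI))
```

On the constructed extract two of the seven records are unique on (ZIP, DOB, sex), so k is 1 despite the absence of any direct identifier; after generalization the smallest class has two members. A threshold of 2 is only a demonstration value, and k-anonymity says nothing about the sensitive column itself (all three records in the largest class still share a ZIP, birth year and sex), which is why a stewardship review should ask who holds the data before coarsening and who checks the result afterwards.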

Further, Cerner is digging deeper into the life sciences, licensing its "Discovere" system to clinical trials vendors such as Quintiles Transnational (link to story in Bizjournals.com):

Quintiles will use Cerner’s Web-based Discovere product, whose features include the ability to integrate data from study participants and site researchers and increase data quality by reducing transcription errors, the companies said in a release. A Cerner spokeswoman said the company isn’t disclosing financial terms of the deal.


According to an entry at HISTalk, part of "Discovere" is the former First Genetic Trust technology that Cerner bought some time ago. Quintiles signed an agreement with Cerner back in 2001 and took an equity position in it. The Discovere modules include biobanking, research registries, public health investigator workflow, clinical trials management, and adverse event reporting.

Is Cerner also selling HIT-gleaned patient data to Quintiles and other CROs (clinical research organizations)?

Other HIT vendors are sure to follow in Cerner's footsteps for competitive reasons, if not already doing so.

Another major issue:

HIT vendors like this are devoting resources to profit from medical data, diverting resources from their core business. Might health IT vendors make better use of their resources, such as improving the core products they sell to hospitals and clinicians, avoiding the "mission hostile user experience" I wrote about in this eight part series?

Might they devote resources to solving problems that are affecting entire national health IT programs, instead of peddling data from the systems they have managed to implement to third parties?

From the UK's experiences as recorded in 2007 by the former head of their National Program for HIT in the NHS (NPfIT):

Richard Granger has said he was “ashamed of the quality of some of the systems put into the NHS by Connecting for Health suppliers”, singling Cerner out for criticism (link). Going further than he has before in acknowledging the extent of failings of systems provided to some parts of the NHS - such as Milton Keynes - the Connecting for Health boss said "Sometimes we put in stuff that I'm just ashamed of. Some of the stuff that Cerner has put in recently is appalling."

As recorded in Jan. 2009 by the UK House of Commons Public Accounts Committee:

... Termination of Fujitsu's contract has caused uncertainty among Trusts in the South and new deployments have stopped. One option: have a choice of either Lorenzo or [Cerner] Millennium. There are, however, considerable problems with existing deployments of [Cerner] Millennium and serious concerns about the prospects for future deployments of Lorenzo.

... Programme not providing value for money at present because there have been few successful deployments of the [Cerner] Millennium system and none of Lorenzo in any Acute Trust. Trusts cannot be expected to take on the burden of deploying care records systems that do not work effectively … the Department should assess the financial case for allowing Trusts to put forward applications for central funding for alternative systems compatible with the objectives of the Programme.

Most recently, in the UK Cerner's Millennium product is blamed for the jump from 1,700 to 23,000 patients whose referrals don’t meet the 18-week target from referral to treatment at Barts and the London NHS trust.

Should HIT vendors be devoting resources to data peddling, instead of focusing on their core mission to produce usable HIT that can facilitate healthcare professionals in providing care?

Finally, as an added item of interest, our current healthcare "czar", Nancy-Ann DeParle, was on the board of Cerner just prior to her appointment in the current administration.

All of these issues considered, while I am not implying improprieties current or future, the possible permutations of problems in the resale of clinical data by HIT vendors, potentially created by careless data stewardship, profit motive, conflict of interest, malevolent motives, etc., are endless.

If there ever were a scenario for civil liberties groups to explore, it's this one.

-- SS

Addendum on HIT quality and COI issues: found this at HISTalk as well:

IT outsourcing puts MU Health at risk

An associate professor of pathology at University of Missouri criticizes his employer’s decision to outsource to Cerner … A simple Internet search turns up a plethora of complaints and reports of lawsuits regarding the effectiveness of Cerner’s software and, more important, its failure to provide requested support. The pattern of receiving untested software has been a recurring problem at this institution ...

... University Hospital’s success depends largely on the effectiveness of the people in information technology. In the past on two occasions, the billing was so flawed the hospital faced serious fiscal problems. The most recent one was in 2002, when the hospital’s viability was threatened. The major issue was the inability to produce accurate and timely billings, which cost the system millions of dollars. [where have I seen that before? How about: here (Yale) and here - ed.]

... The medical school’s administrative residency program is on probation and is undergoing critical review; a major factor is that the Cerner system is so cumbersome that resident training is compromised … Three years ago, the radiology department dropped a Cerner software program because it was seriously flawed.

... [UM President] Forsee has several business and personal ties to the company (Cerner). Forsee and Cerner CEO Neal Patterson serve together on at least two boards of trustees, and online records indicate Forsee’s son-in-law, Brandon Bell, works for Cerner.

If this all is true, I believe the problems with HIT in general are no better now, and probably worse, than when I started writing about such issues a decade ago.

I rest my case on whether the HIT vendors should focus on solving basic quality, usability and efficacy issues before peddling data ...

-- SS

Saturday, August 29, 2009

Cannot Get Away From Medical Information Errors, Continued

In "This informaticist can't escape clinical IT issues even on personal business", I observed that I encountered HIT informational issues even in my own family matters, when least expecting them. I've had a few incidents since then, generally each time I've taken relatives to the hospital as a medical advocate.

It seems every time I step into a hospital as a medical advocate such issues arise, whether they be complaints from staff about IT, my mother being prescribed an IV antibiotic in the ED that an hour before I'd told the intake nurse she was severely allergic to, that fact being dutifully entered into the EHR - or, as in the case below, outright errors regarding surgical procedures.

Either medical information errors follow me around, or they are more common than I realize, because I just spent a few days as a medical advocate for a very long and dear friend.

She had a suspicious thyroid nodule found at the time of exam for excision of a small breast carcinoma. She was set to have a thyroidectomy at a major NYC hospital with relatively advanced HIT capabilities and large endowments from very wealthy contributors, whose paintings hang in the lobbies (and where some high level informatics professionals are involved in clinical IT projects).

When I arrived the evening prior to surgery, my friend showed me her pre-op instructions. They were printed out in a neat and organized fashion, and she'd shown me the calcium supplements she'd purchased as the instructions advised.

"Calcium supplements?", I asked...

The computer form, properly labeled with her name and ID and the name of the nurse practitioner she'd seen for preop evaluation, was quite improperly entitled "Preoperative instructions to patients undergoing parathyroidectomy."

First thing I did in the morning was insist on seeing the surgeon in person. I wanted zero chance for error. Fortunately, the surgeon was familiar with her case and knew this was an error. Suppose, however, the surgeon was not so knowledgeable about the patient, or unavailable, or called away for some emergency and someone else filling in?

I do not know if the error was simple human error by the NP or someone prior who'd performed data entry, a wrong selection due to a mission hostile user interface in the setting of overwork, a computer error due to some cross-link between (to non biomedical personnel) two similar-sounding terms - parathyroid vs. thyroid - or some other cause.

Needless to say, if this error had resulted in an unnecessary and injurious parathyroidectomy and the necessity for a follow-up thyroidectomy on a postoperative area, and had been the result of IT problems either totally or partially, it is likely the vendor would have been "held harmless" and the defect not disclosed to other organizations.

(Anecdotally, on going to the bathroom, I also noted a group of residents on rounds energetically discussing what "template" was the correct one in which to enter patient data of some type. When I rounded years ago, I remember discussing medical issues...)

While I agree the likelihood of major IT contribution to this error was low, this was a reminder of just how problematic healthcare quality can be, even with advanced IT.

I think the solution is not to see IT as a panacea, and maintain adequate human involvement (with humans not overburdened feeding the bureaucratic machine) in safety issues.

-- SS

Thursday, September 04, 2008

A Wide Web of Healthcare Data: He Who Controls The Data, Controls the Playing Field

In posts such as here and here, it's become apparent that "Evidence Based Medicine" (EBM), while perhaps reasonable in theory, is probably unreasonable in practice with the ethics of healthcare in 2008.


One cannot have evidence based rules for anything, let alone healthcare, if the evidence is tainted.


Think clinical research and the drivers of "publish or perish" are the only domains where this evidentiary taint can occur?


Think again.


From a medical colleague, a talented ER physician:


Did anyone see that Wolters Kluwer (a leading multidomestic multimedia company with corporate office in Amsterdam) plans to buy electronic medical platform Up-To-Date?


Correct me if I am off track on the issue of the "full-circle web" of information exchange - an exchange that starts with the sanctity of the private physician patient relationship.


OK, I have a private relationship with my patient, but the perverse laws say that our relationship and the information ‘collected’ is no longer sacred. It may be used without consent under the guise of 'Treatment, Payment or Healthcare Operations' (TPO).


From the Miller School of Medicine Privacy & Data Protection project glossary:

HIPAA bundles a large number of functions into the term "health care operations." This expansive list is important for many reasons, most notably because HIPAA requires no permission from patients for uses and disclosures of protected health information (PHI) for "treatment, payment or health care operations (TPO)."

Covered entities may obtain a consent for TPO-related uses and disclosures, but the practice is optional under HIPAA. (It may nonetheless be required by state law.)


Additionally, the prescription information ‘exception’ from that sensitive relationship is fair game for the data-miners to sell to Pharmacy Benefit Managers (PBMs) and the like.


The so-called ‘Publishing’ company, Wolters Kluwer, who by the way unashamedly writes friend of the court briefs supporting the data merchants and miners (e.g., Amicus Briefs supporting the plaintiffs; IMS and Verispan), is now buying one of the most widely used point of care "Evidence based medicine" tools, Up-to-date. This is a software application for physicians to practice ‘evidence’ based medicine.


Verispan is a subsidiary of one of the largest EHR vendors, McKesson. Without sounding like a nut-case full of crazy conspiracies ...


Is this bizarre web not only destroying the trust between the patient and the physician, but additionally eroding the trust in what actually is ‘evidence’ based medicine?


I thought the rigor of science was supposed to be the driver and best influence of my decision making process for my patients, not the pull of ‘Pharma and Friends’ puppet strings.


I guess as a physician I am just marginalized to an assembly-line worker for big Pharma.


As an aside:


  1. The direct to patient (consumer) marketing expenditures of Pharma: est. $30 billion / year.
  2. The entire NIH budget: $28 billion / year.

So, it seems, evidence based medicine is not only threatened by commercial taint of clinical trials and research, it's also potentially threatened by the drivers and behaviors of the Data Merchant component of the healthcare IT ecosystem.

Who polices them, I ask?

-- SS