Welcome to the Nexus of Ethics, Psychology, Morality, Philosophy and Health Care

Welcome to the nexus of ethics, psychology, morality, technology, health care, and philosophy
Showing posts with label HIPAA.

Friday, June 23, 2023

In the US, patient data privacy is an illusion

Harlan M Krumholz
Opinion
BMJ 2023;381:p1225

Here is an excerpt:

The regulation allows anyone involved in a patient’s care to access health information about them. It is based on the paternalistic assumption that for any healthcare provider or related associate to be able to provide care for a patient, unfettered access to all of that individual’s health records is required, regardless of the patient’s preference. This provision removes control from the patient’s hands for choices that should be theirs alone to make. For example, the pop-up covid testing service you may have used can claim to be an entity involved in your care and gain access to your data. This access can be bought through many for-profit companies. The urgent care centre you visited for your bruised ankle can access all your data. The team conducting your prenatal testing is considered involved in your care and can access your records. Health insurance companies can obtain all the records. And these are just a few examples.

Moreover, health systems legally transmit sensitive information with partners, affiliates, and vendors through Business Associate Agreements. But patients may not want their sensitive information disseminated—they may not want all their identified data transmitted to a third party through contracts that enable those companies to sell their personal information if the data are de-identified. And importantly, with all the advances in data science, effectively de-identifying detailed health information is almost impossible.

HIPAA confers ample latitude to these third parties. As a result, companies make massive profits from the sale of data. Some companies claim to be able to provide comprehensive health information on more than 300 million Americans—most of the American public—for a price. These companies' business models are legal, yet most patients remain in the dark about what may be happening to their data.

However, massive accumulations of medical data do have the potential to produce insights into medical problems and accelerate progress towards better outcomes. And many uses of a patient’s data, despite moving throughout the healthcare ecosystem without their knowledge, may nevertheless help advance new diagnostics and therapeutics. The critical questions surround the assumptions people should have about their health data and the disclosures that should be made before a patient speaks with a health professional. Should each person be notified before interacting with a healthcare provider about what may happen with the information they share or the data their tests reveal? Are there new technologies that could help patients regain control over their data?

Although no one would relish a return to paper records, that cumbersome system at least made it difficult for patients’ data to be made into a commodity. The digital transformation of healthcare data has enabled wondrous breakthroughs—but at the cost of our privacy. And as computational power and more clever means of moving and organising data emerge, the likelihood of permission-based privacy will recede even further.

Tuesday, March 8, 2022

"Without Her Consent" Harvard Allegedly Obtained Title IX Complainant’s Outside Psychotherapy Records, Absent Her Permission

Colleen Flaherty
Inside Higher Ed
Originally published 10 FEB 22

Here are two excerpts:

Harvard provided background information about how its dispute resolution office works, saying that it doesn’t contact a party’s medical care provider except when a party has indicated that the provider has relevant information that the party wants the office to consider. In that case, the office receives information from the care provider only with the party’s consent.

Multiple legal experts said Wednesday that this is the established protocol across higher education.

Asked for more details about what happened, Kilburn’s lawyer, Carolin Guentert, said that Kilburn’s therapist is a private provider unaffiliated with Harvard, and “we understand that ODR contacted Ms. Kilburn’s therapist and obtained the psychotherapy notes from her sessions with Ms. Kilburn, without first seeking Ms. Kilburn’s written consent as required under HIPAA,” the Health Insurance Portability and Accountability Act of 1996, which governs patient privacy.

Asked if Kilburn ever signed a privacy waiver with her therapist that would have granted the university access to her records, Guentert said Kilburn “has no recollection of signing such a waiver, nor has Harvard provided one to us.”

(cut)

Even more seriously, these experts said that Harvard would have had no right to obtain Kilburn’s mental health records from a third-party provider without her consent.

Andra J. Hutchins, a Massachusetts-based attorney who specializes in education law, said that therapy records are protected by psychotherapist-patient privilege (something akin to attorney-client privilege).

“Unless the school has an agreement with and a release from the student to provide access to those records or speak to the student’s therapist—which can be the case if a student is placed on involuntary leave due to a mental health issue—there should be no reason that a school would be able to obtain a student’s psychotherapy records,” she said.

As far as investigations under Title IX (the federal law against gender-based discrimination in education) go, questions from the investigator seeking information about the student’s psychological records aren’t permitted unless the student has given written consent, Hutchins added. “Schools have to follow state and federal health-care privacy laws throughout the Title IX process. I can’t speculate as to how or why these records were released.”

Daniel Carter, president of Safety Advisors for Educational Campuses, said that “it is absolutely illegal and improper for an institution of higher education to obtain one of their students’ private therapy records from a third party. There’s no circumstance under which that is permissible without their consent.”

Thursday, August 6, 2020

Five tips for transitioning your practice to telehealth

Rebecca Clay
American Psychological Association
Originally posted 19 June 20

When COVID-19 forced Boston private practitioner Luana Bessa, PhD, to take her practice Bela Luz Health online in March, she was worried about whether she could still have deep, meaningful connections with patients through a screen.

To her surprise, Bessa’s intimacy with patients increased instead of diminished. While she is still mindful of maintaining the therapeutic “frame,” it can be easier for everyday life to intrude on that frame while working virtually. But that’s OK, says Bessa. “I’ve had clients tell me, ‘It makes you more human when I see your cat jump on your lap,’” she laughs. “It has really enriched my relationships with some clients.”

Bessa and others recommend several ways to ensure that the transition to telehealth is a positive experience for both you and your patients.

Protect your practice’s financial health

Make sure your practice will be viable so that you continue serving patients over the long haul. If you have an office sitting idle, for example, see if your landlord will renegotiate or suspend lease payments, suggests Kimberly Y. Campbell, PhD, of Campbell Psychological Services, LLC, in Silver Spring, Maryland. Also renegotiate agreements with other vendors, such as parking lot owners, cleaning services, and the like.

And since patients can’t just hand you or your receptionist a credit card, you’ll need to set up an alternate payment system. Campbell turned to a credit card processing company called Clover. Other practitioners use the payment system that’s part of their electronic health record system. Natasha Holmes, PsyD, uses SimplePractice to handle payment for her Boston practice And Still We Rise, LLC. Although there’s a fee for processing payments, an integrated program makes payment as easy as clicking a button after a patient’s session and watching the payment show up at your bank the next day.

The info is here.

Monday, April 13, 2020

Lawmakers Push Again for Info on Google Collecting Patient Data

Rob Copeland
Wall Street Journal
Originally published 3 March 20

A bipartisan trio of U.S. senators pushed again for answers on Google’s controversial “Project Nightingale,” saying the search giant evaded requests for details on its far-reaching data tie-up with health giant Ascension.

The senators, in a letter Monday to St. Louis-based Ascension, said they were put off by the lack of substantive disclosure around the effort.

Project Nightingale was revealed in November in a series of Wall Street Journal articles that described Google’s then-secret engagement to collect and crunch the personal health information of millions of patients across 21 states.

Sens. Richard Blumenthal (D., Conn.), Bill Cassidy (R., La.), and Elizabeth Warren (D., Mass.) subsequently wrote to the Alphabet Inc. unit seeking basic information about the program, including the number of patients involved, the data shared and who at Google had access.

The head of Google Health, Dr. David Feinberg, responded with a letter in December that largely stuck to generalities, according to correspondence reviewed by the Journal.

(cut)

Ascension earlier this year fired an employee who had reached out to media, lawmakers and regulators with concerns about Project Nightingale, a person familiar with the matter said. 

The employee, who described himself as a whistleblower, was told by Ascension higher-ups that he had shared information about the initiative that was intended to be secret, the person said.

Nick Ragone, a spokesman for Ascension—one of the U.S.’s largest health-care systems with 2,600 hospitals, doctors’ offices and other facilities—declined to say why the employee in question was fired. 

Saturday, February 22, 2020

Hospitals Give Tech Giants Access to Detailed Medical Records

Melanie Evans
The Wall Street Journal
Originally published 20 Jan 20

Here is an excerpt:

Recent revelations that Alphabet Inc.’s Google is able to tap personally identifiable medical data about patients, reported by The Wall Street Journal, have raised concerns among lawmakers, patients and doctors about privacy.

The Journal also recently reported that Google has access to more records than first disclosed in a deal with the Mayo Clinic.

Mayo officials say the deal allows the Rochester, Minn., hospital system to share personal information, though it has no current plans to do so.

“It was not our intention to mislead the public,” said Cris Ross, Mayo’s chief information officer.

Dr. David Feinberg, head of Google Health, said Google is one of many companies with hospital agreements that allow the sharing of personally identifiable medical data to test products used in treatment and operations.

(cut)

Amazon, Google, IBM and Microsoft are vying for hospitals’ business in the cloud storage market in part by offering algorithms and technology features. To create and launch algorithms, tech companies are striking separate deals for access to medical-record data for research, development and product pilots.

The Health Insurance Portability and Accountability Act, or HIPAA, lets hospitals confidentially send data to business partners related to health insurance, medical devices and other services.

The law requires hospitals to notify patients about health-data uses, but they don’t have to ask for permission.

Data that can identify patients—including name and Social Security number—can’t be shared unless such records are needed for treatment, payment or hospital operations. Deals with tech companies to develop apps and algorithms can fall under these broad umbrellas. Hospitals aren’t required to notify patients of specific deals.

The info is here.

Thursday, January 23, 2020

Colleges want freshmen to use mental health apps. But are they risking students’ privacy?

Deanna Paul
The New York Times
Originally posted 2 Jan 20

Here are two excerpts:

TAO Connect is just one of dozens of mental health apps permeating college campuses in recent years. In addition to increasing the bandwidth of college counseling centers, the apps offer information and resources on mental health issues and wellness. But as student demand for mental health services grows, and more colleges turn to digital platforms, experts say universities must begin to consider their role as stewards of sensitive student information and the consequences of encouraging or mandating these technologies.

The rise in student wellness applications arrives as mental health problems among college students have dramatically increased. Three out of 5 U.S. college students experience overwhelming anxiety, and 2 in 5 students reported debilitating depression, according to a 2018 survey from the American College Health Association.

Even so, only about 15 percent of undergraduates seek help at a university counseling center. These apps have begun to fill students’ needs by providing ongoing access to traditional mental health services without barriers such as counselor availability or stigma.

(cut)

“If someone wants help, they don’t care how they get that help,” said Lynn E. Linde, chief knowledge and learning officer for the American Counseling Association. “They aren’t looking at whether this person is adequately credentialed and are they protecting my rights. They just want help immediately.”

Yet she worried that students may be giving up more information than they realize and about the level of coercion a school can exert by requiring students to accept terms of service they otherwise wouldn’t agree to.

“Millennials understand that with the use of their apps they’re giving up privacy rights. They don’t think to question it,” Linde said.

The info is here.

Tuesday, April 2, 2019

Former Patient Coordinator Pleads Guilty to Wrongfully Disclosing Health Information to Cause Harm

Department of Justice
U.S. Attorney’s Office
Western District of Pennsylvania
Originally posted March 6, 2019

A resident of Butler, Pennsylvania, pleaded guilty in federal court to a charge of wrongfully disclosing the health information of another individual, United States Attorney Scott W. Brady announced today.

Linda Sue Kalina, 61, pleaded guilty to one count before United States District Judge Arthur J. Schwab.

In connection with the guilty plea, the court was advised that Linda Sue Kalina worked, from March 7, 2016 through June 23, 2017, as a Patient Information Coordinator with UPMC and its affiliate, Tri Rivers Musculoskeletal Centers (TRMC) in Mars, Pennsylvania, and that during her employment, contrary to the requirements of the Health Insurance Portability and Accountability Act (HIPAA) improperly accessed the individual health information of 111 UPMC patients who had never been provided services at TRMC. Specifically, on August 11, 2017, Kalina unlawfully disclosed personal gynecological health information related to two such patients, with the intent to cause those individuals embarrassment and mental distress.

Judge Schwab scheduled sentencing for June 25, 2019, at 10 a.m. The law provides for a total sentence of 10 years in prison, a fine of $250,000, or both. Under the Federal Sentencing Guidelines, the actual sentence imposed is based upon the seriousness of the offense and the prior criminal history, if any, of the defendant. Kalina remains on bond pending the sentencing hearing.

Assistant United States Attorney Carolyn J. Bloch is prosecuting this case on behalf of the government.

The Federal Bureau of Investigation conducted the investigation that led to the prosecution of Kalina.

Tuesday, February 6, 2018

State Supreme Court Establishes Right To Sue Over Medical Record Breaches

Edmund H. Mahony
Hartford Courant
Originally published January 10, 2018

The state Supreme Court established Thursday that patients in Connecticut have the right to sue doctors and other health care providers for the unauthorized and negligent disclosure of their confidential medical records.

The majority decision creates new state law and adds Connecticut to a growing number of states that allow patients to sue for damages over the release of private records by their physicians. Courts in Connecticut have held previously — as have courts elsewhere — that private suits were blocked by federal law under the 1996 Health Insurance Portability and Accountability Act or HIPAA law.

HIPAA laws establish procedures to protect medical records and empower government to impose civil and criminal penalties for violation. But HIPAA does not permit private suits to collect damages for unauthorized disclosures.

“Finally we have a remedy in Connecticut that recognizes that there is a duty of confidentiality, the breach of which can lead to compensation for damages,” said attorney Bruce L. Elstein of Trumbull, whose client, Emily Byrne, sued over an unauthorized release of her medical history.

The article is here.

Friday, March 24, 2017

The Privacy Delusions Of Genetic Testing

Peter Pitts
Forbes
Originally posted February 15, 2017

Here is an excerpt:

The problem starts with the Health Insurance Portability and Accountability Act (HIPAA), a 1996 federal law that allows medical companies to share and sell patient data if it has been "anonymized," or scrubbed of any obvious identifying characteristics.

The Portability Act was passed when genetic testing was just a distant dream on the horizon of personalized medicine. But today, that loophole has proven to be a cash cow. For instance, 23andMe has sold access to its database to at least 13 outside pharmaceutical firms. One buyer, Genentech, ponied up a cool $10 million for the genetic profiles of people suffering from Parkinson's. AncestryDNA, another popular personal genetics company, recently announced a lucrative data-sharing partnership with the biotech company Calico.

Monday, May 2, 2016

Mental illness: Families cut out of care

Liz Szabo
USA TODAY
Originally posted April 14, 2016

Here is an excerpt:

The federal law, called the Health Insurance Portability and Accountability Act, or HIPAA, forbids health providers from disclosing a patient’s medical information without consent.

Unlike patients with physical conditions, people with serious mental illness often need help making decisions and taking care of themselves, because their illness impairs their judgement, says Jeffrey Lieberman, chairman of psychiatry at the Columbia University College of Physicians and Surgeons and director of the New York State Psychiatric Institute. In some cases, patients may not even realize they’re sick.

Excluding families can have a devastating impact on patients like these, Lieberman says.

Many health providers don’t understand what HIPAA actually allows them to say. As a result, they often shut families out, even in circumstances in which they’re legally allowed to share information, says Ron Manderscheid, executive director of the National Association of County Behavioral Health and Developmental Disability Directors.

The article is here.

Wednesday, March 2, 2016

Senate Unanimous in Bill Protecting Student Medical Records

By Chris Gray
The Lund Report
Originally posted February 16, 2016

Here is an excerpt:

Senate Bill 1558 allows university or college health centers, mental health centers and counseling centers to share patient medical information with someone at the university only if they have the right to access that information off-campus -- a high legal bar.

“Students will have the same expectation of privacy on-campus as off-campus,” said Sen. Sara Gelser, D-Corvallis, the bill’s chief sponsor.

She told The Lund Report that the bill was necessary because campus health records can sometimes be classified as student records under the Family Educational Rights and Privacy Act, and not protected under the more ironclad medical privacy law, the Health Information Portability and Accountability Act, or HIPAA. And whereas HIPAA medical records come with them a strong guarantee of privacy, FERPA student records can be viewed by university administrators in certain circumstances.

The article is here.

Wednesday, January 13, 2016

Your health records are supposed to be private. They aren’t.

By Charles Ornstein
The Washington Post
December 30, 2015

Here is an excerpt:

In each story, a common theme emerged: HIPAA wasn’t working the way we expect. And the agency charged with enforcing it, the HHS office for civil rights, wasn’t taking aggressive action against those who violated the law.

We all know HIPAA, whether we recognize the acronym or not. It’s what requires us to stand behind a line, away from other customers, at the pharmacy counter or when checking in at the doctor’s office. It is the reason we get privacy declaration forms to sign whenever we visit a new medical provider. It is used to scare health-care workers, telling them that if they improperly disclose others’ information, they could pay a steep fine or even go to jail.

But in reality, it is a toothless tiger. Unless you’re famous, most hospitals and clinics don’t keep tabs on who looks at your records if you don’t complain. And even though the civil rights office can impose large fines, it rarely does: It received nearly 18,000 complaints in 2014 but took only six formal actions that year. A recent report from the HHS inspector general said the office wasn’t keeping track of repeat offenders, much less doing anything about them.

The story is here.

Wednesday, January 6, 2016

New Jersey Psychology Practice Revealed Patients’ Mental Disorders in Debt Lawsuits

By Charles Ornstein
ProPublica, Dec. 23, 2015

When a New Jersey lawyer named Philip received legal papers last year informing him that his former psychologist’s practice was suing him over an unpaid bill, he was initially upset they could not work out a payment arrangement outside of court.

It was only later, Philip said in an interview, that he scanned the papers again and realized something else: The psychology group to which he’d confided his innermost feelings had included his mental health diagnosis and treatments he received in publicly filed court documents.

The greatest fear of many patients receiving therapy services is that somehow the details of their private struggles will be revealed publicly. Philip, who requested his last name not be used to protect his privacy, said he felt “betrayed” by his psychologist. He worried that his legal adversaries would find the information and try to use it against him in court.

“It turned my life upside down,” he said.

The article is here.

Monday, November 9, 2015

When Students Become Patients, Privacy Suffers

By Charles Ornstein
ProPublica
Originally published October 23, 2015

Here is an excerpt:

Yale Health’s website informs parents that they cannot access their child’s health information without a signed written consent form. Andrea said she does not recall signing that document. When she recently asked to see any such form, she said, she was told by the counseling center’s chief that there was none. “Most of what happened while I was in the hospital happened without my knowing it,” she said. “I got an update every day or two about where my life was going.”

Andrea’s case is a vivid demonstration of how weaknesses in state and federal laws — and the often-conflicting motives of students, parents, and college officials — have left patient privacy vulnerable when students receive medical treatment on campus.

Universities walk a fine line when providing that treatment or mental-health services to students. If campus officials don’t know what’s going on or disclose too little, they risk being blamed if a student harms himself, herself, or others. If they pry too deeply, they may be accused of invading privacy, thereby discouraging students from seeking treatment.

The entire article is here.

Friday, September 18, 2015

The Devil is in the Details: How Patients' Mental Health Data is at Risk

By Farai Chideya
The Intercept
Aug. 21 2015

Here is an excerpt:

If the effort to blend the efficiency of technology with patients’ privacy needs has backfired in general health care (see “Medical Privacy Under Threat”), it is causing particular emotional and financial wounds in the world of mental health, where even a well-managed diagnosis can become a job-threatening stigma. HIPAA laws, long assumed by patients to protect their privacy, only apply in certain circumstances to certain entities. There’s a raging debate over how to regulate the new privacy issues around employee assistance plans and workplace wellness incentives. And the issue of how and when to track mental health patients has even become an issue at the U.S.-Canada border. Citing the high numbers of Americans who have experienced sexual abuse, major depression, or substance abuse, Dr. Deborah Peel, a psychiatrist who founded Patient Privacy Rights, a research and advocacy group, says, “You cannot force people to cough up information when it’s not private. They will hide it. How can we accept an electronic records system that drives people away from being open and honest?”

The entire article is here.

Friday, June 19, 2015

Emerging Ethical Threats to Client Privacy in Cloud Communication and Data Storage.

By Samuel D. Lustgarten
Professional Psychology: Research and Practice, Apr 27, 2015. http://dx.doi.org/10.1037/pro0000018

Abstract

In June 2013, Edward Snowden released top-secret intelligence documents that detailed a domestic U.S. spying apparatus. This article reviews and contends that current APA ethics and record-keeping guidelines, the Health Insurance Portability and Accountability Act, and the Health Information Technology for Economic and Clinical Health Act do not adequately account for this new information and other emerging threats to client confidentiality. As psychologists bear the responsibility for being informed, protecting and maintaining client records, and preventing breaches, it is vital that the field establish specific best practices and present regular security updates to colleagues.

Here is an excerpt:

Unfortunately, on top of data-mining practices, most cloud storage and communication providers do not provide adequate information about data-retention policies. Google's Drive cloud storage service for personal users (not Google Apps) offers no specific data-retention policy (Google, 2014c). This amorphous data-retention policy stands in contrast to APA's (2007) record-keeping guidelines, which suggest that client records and data may be destroyed after 7 years in the absence of superseding legal requirements. It also calls into question a practitioner's ability to maintain and provide confidentiality and proper informed consent when using certain corporate providers. Moreover, it is questionable whether practitioners could ever believe that records had been deleted if the cloud provider did not clearly and publicly state its data-retention standards.

The entire article is here.

Friday, April 3, 2015

Ethical Implications of Patients and Families Secretly Recording Conversations With Physicians

By Michelle Rodriguez, Jason Morrow, and Ali Seifi
JAMA.
Published online March 12, 2015. doi:10.1001/jama.2015.2424

Here are two excerpts:

Recording conversations could be beneficial for patients. Patients do not always understand or recall all the information provided during visits to physicians.  Recordings could potentially improve accuracy, adherence, and personal engagement by providing opportunities to review conversations at other times, from the comfort of home, and in conjunction with other family members or caregivers.

(cut)

Not all possible uses of these recorded conversations are beneficial to patients and physicians. Patients or family members who disagree with the advice of their physicians or who are upset with their physicians for whatever reason can easily take comments from these recordings out of context and, with a few keystrokes, disseminate them via social media. Patients can conceivably record conversations with the specific intent of establishing the grounds for a lawsuit or gathering material with which to manipulate a physician.

The entire article is here.

Wednesday, September 3, 2014

Who Is the Client and Who Controls Release of Records in a Forensic Evaluation?

By Bruce Borkosky
Psychological Injury and Law
August 2014
DOI: 10.1007/s12207-014-9199-6

Abstract

Forensic psychologists often refuse to release evaluation records, especially to the evaluee. One justification for this practice is based on the ethical positions that the referral source “is the client” and “controls release of records” (also found in the Specialty Guidelines for Forensic Psychology). To determine whether these ethical positions are shared by the field of forensic mental health, official documents from forensic mental health organizations were used as a proxy for these views. Thirty-four supporting arguments for either position were identified from the literature; it was postulated that official documents would support both positions and utilize supporting arguments. Fifty-four official documents were discovered, and qualitative analysis was used to construct a 17-category model of official views. Neither position was supported by a majority of documents, and few of the supporting arguments were utilized by supportive documents. The positions are unsupported because official documents espouse a wide diversity of views, there are a number of logical flaws in supporting arguments, and even official APA documents hold conflicting views. Ethical arguments are advanced for contrary positions, and the referral-source-control of records release is contrary to law. A more ethical view is that the psychologist may have multiple, possibly conflicting responsibilities to multiple entities; the psychologist’s roles and responsibilities should be clarified with each entity using an informed consent process. Psychologists should release records at the behest of the evaluee, lest they be subject to licensing discipline, Health Insurance Portability and Accountability Act (HIPAA) complaints, and/or civil sanctions. Recommendations are offered for psychologists, future ethics codes and professional practice guidelines, and test security practices.

The entire article is here.

Sunday, May 11, 2014

Fourth HIPAA breach for Kaiser

By Erin McCann
Healthcare IT News
Originally published April 7, 2014

Some 5,100 patients treated at Kaiser Permanente were sent HIPAA breach notification letters Friday after a KP research computer was found to have been infected with malicious software. Officials say the computer was infected with the malware for more than two and a half years before being discovered Feb. 12.

The computer was used by the Kaiser Permanente Northern California Division of Research to store research data. The breach, officials note, involved patients participating in specific research studies and may have compromised their names, birth dates, medical record numbers, lab results associated with research, addresses and additional medical research data.

The entire story is here.