HIPAA Omnibus: Gaps In Privacy?

Patient Advocate Deborah Peel Explains Her Concerns

While the HIPAA Omnibus Rule offers consumers some protections, it doesn't make it easier for patients to know where their data travels throughout the healthcare industry, says privacy advocate Deborah Peel, M.D.

However, a new project under way at Harvard University's Data Privacy Lab could help shed some light: Researchers are working to build out a health data map, which looks at where a patient's data travels as it moves from a HIPAA covered entity to business associates and down through various subcontractors, as well as other entities, Peel says.

"The idea is we truly do not know who has our health data or what they're doing with it," says Peel, founder and chair of Patient Privacy Rights, an advocacy group, in an interview with HealthcareInfoSecurity (transcript below).

At Harvard, Professor Latanya Sweeney, along with a team of students, is working to track down where that data flows.

On June 5, the team will introduce the first phase of its project at the third International Summit on the Future of Health Privacy in Washington, D.C.

"Any hospital may have 150 to 850 different software systems moving pieces of data," Peel says. "I bet if you ask your doctor or the president of the hospital board how many of those different vendors and contractors reuse or sell your data, they would have no clue. ... We need this kind of information so we can build systems that are worthy of our trust."

HIPAA Omnibus Critique

In the interview, Peel also:

  • Discusses why she believes the HIPAA Omnibus Rule doesn't go far enough in making sure that patients who pay cash for treatment can ensure that their health plans do not receive information about that treatment;
  • Explains why she wants the Department of Health and Human Services' Office for Civil Rights to issue guidance on how to protect patient data in cloud computing environments (see Cloud Computing: Security a Hurdle);
  • Discusses why it's important that HIPAA Omnibus clarifies that patients can obtain copies of their medical records.

In an effort to strengthen the control that patients have over health information privacy, Patient Privacy Rights also recently announced a "trust framework" that IT vendors and their clients can use to help measure whether systems comply with privacy principles (see: Privacy Framework: A Practical Tool?).

Advocating Privacy

MARIANNE MCGEE: Tell us very briefly about your organization and your role.

DEBORAH PEEL: I'm ... the leader of the Bipartisan Coalition for Patient Privacy. We're the largest organization trying to restore people's control over their electronic health records in the world. There are 12,000 members of Patient Privacy Rights. You can sign up online, and our whole mission is to make sure that each of you gets to decide who can see your most sensitive personal information, from prescription records to diagnoses to DNA, and you decide if they should have this information to treat you or for research. That's our whole mission - to work for you.

HIPAA Omnibus Rule: Pros

MCGEE: Tell us what you like about the HIPAA Omnibus Rule.

PEEL: There are some good things in it. ... The thing that we like the absolute best was the rule clearly affirms that states can pass laws that are tougher than HIPAA, and that's really, really good news because HIPAA is still so full of flaws and defects that we're very concerned that what's being built and what's being funded will not be trusted by the public.

There are some other good things that happened. Business associates are held to the same standards as covered entities, and so are their subcontractors ... or if you're acting like a subcontractor, whether or not you have a contract ... The problem is that so much of our health information is not handled by these people. It's handled even by further and further subcontractors of subcontractors. But this is very good news that it was clarified.

The other thing that we like a lot is that people finally are going to supposedly be able to download their data. We like very much that HHS OCR said that they can get the data in one or more designated record sets. In fact, they didn't decide, "Okay, you can only have a continuity of care record." This is really important because if you think about it, in the paper world, when you went to get a copy of your record, maybe you paid some low amount per page, but you get the whole thing. You did not get a designated record set or a summary or a CCR. You get to choose the format and you get to have I believe all of your information. That's common sense. That's what it was in the paper world. As a psychiatrist, I know - and some of you may - that there were some rare exceptions in many states, that rather than releasing entire psychiatric records, psychiatrists could provide a summary instead. There were some great things about it, but there were a lot of weak and worrisome things that are unfortunate.

Omnibus Rule: Cons

MCGEE: What are some of the things that you don't like about HIPAA Omnibus?

PEEL: The big thing is many of the protections that our coalition worked to get into it were effectively cut off at the knees in the regs. One of them is that if you pay cash for something, you should be able to keep the information private. Apparently - and the rule's confusing - it's not incumbent on whoever you pay to not send the information, to continue to not send it or for them to not flag it in some way for all other downstream users. Somehow you the patient are supposed to go to anyone else who might get it and figure out how to control it yourself. This is ridiculous.

The point of the technology is so that you shouldn't have to hand-do everything. That was very disappointing. If you pay out of pocket, it's not clear at all, first of all, that the systems will be willing to design technology to honor that. I don't know who did this at OCR, but they say in there that the way to keep a prescription private - this is so laughable - is ask your doctor to write [a prescription] on a piece of paper and take it to the pharmacy. ... Do you actually think that if you do that [the pharmacy is] not going to enter that into their software system? I can't believe that's actually what they advise the public to do because pharmacies are not going to keep a paper system and an electronic system. It's just not going to happen. The stuff about not being able to keep something that you pay for private was not fixed in this rule, and that's a serious problem.

The problems about genetic information are much the same. The rules are actually unenforceable and confusing to people. There's an attempt to distinguish between manifested disease and not manifested diseases, and it's really ridiculous. ... But the problem is when genetic information is in your health record and you're an insured, it's in your health record. You have no way of knowing what they use it for or why. The protections are really not there for genetic information, and that's a big disappointment.

Our other huge disappointment is the use of people's electronic records for research continues to be supported by the administration and by the Office for Civil Rights. In fact, access to protected health information without meaningful informed consent is greatly expanded. This is a total misreading of the public's wishes and wills. The American public does not support data use unless they're asked. If they're asked in a meaningful way, Americans are incredibly altruistic and they want benefits of research. They do not want hidden and secret research, and ... I think legitimate researchers are going to end up getting punished because they seem unaware that the research loophole enables tremendous commercialization of data. These are some of the worst problems.

I just have to mention a few other things. One of them is 50 years after you're dead, your records are open. You don't have a choice. What were they thinking? [Is] there a lobby of historians that want to know? This is nuts. You have descendants. As we all know, as our genetic information gets widely collected and used, it is in private bio banks and the rest. Releasing the health records of your grandmother or whatever is going to have implications for all of her descendants. It's really hard to understand what was going through the heads of the people that wrote this stuff. The lack of clear understanding of what the public wants is really a shame. It's really a shame.

There's one other thing that's unfortunate. A business associate has to keep a list of all of their subcontractors. But the covered entity and the patient will never know who all of these downstream users of their data are. This is also a huge mistake. Even though the covered entities hire the business associates, the business associates don't have to report to them who the subcontractors are. Things start to get opaque very, very quickly, and it's the subcontractors ... that are part of where the hidden data flows are. That's why - I'm ... excited about our Patient Privacy Rights project with Harvard, the Data Privacy Lab and Professor Latanya Sweeney, to build out the health data map. Wouldn't it be interesting if we could argue about all these things and make policy based on knowing where our data actually goes?

Health Data Map

MCGEE: Tell us a little bit about that health data map. What is that?

PEEL: The idea is we truly do not know who has our health data or what they're doing with it. We really don't know. After President Bush took office, HHS and his administration reopened the privacy rule, and they eliminated the requirement that you give consent before your data is used for treatment, payment or healthcare operation. That means that everything from your solo doctor to Hospital Corporation of America to the pharmacy, everyone else who's a covered entity, they decide - not you. They decide when your data will be disclosed or sold. You have no say in it. You can't refuse. And worse than that, there's no chain of custody. We have no idea where our data goes. Latanya has got all these Harvard students that are budding scientists, analysts and researchers, and they're going to start to track down where data flows.

For example, any hospital may have 150 to 850 different software systems moving pieces of data. I bet if you ask your doctor or the president of the hospital board how many of those different vendors and contractors reuse or sell your data, they would have no clue. The common place where you go for healthcare, we don't even know what they do with the data or where it flows. We need this kind of information so we can build systems that are worthy of our trust.

MCGEE: What's the status of that project?

PEEL: They're going to be ... introducing the first phase on June 5 at the Third International Summit on Health Privacy in Washington, D.C., and this will be video live streamed for those that can't come. They're going to kick off the project, and hopefully we'll get more people from the public that will contribute information that they know about hidden data flows. By the way, we're not just accepting somebody's word that X sends data to Y or B sells data to C. There's going to have to be actual proof of the transfer of the information. It's going to be fact-based.

Cloud Computing Concerns

MCGEE: You've also advocated for the Office for Civil Rights to issue guidance about protecting health data on cloud computing environments. What are your concerns? What would you like to see OCR do?

PEEL: We had a great meeting with [OCR director] Leon Rodriguez. I hope that OCR will listen to us to start with some simple, basic guidelines because health data is being put into cloud providers that have not even signed a business associate agreement. This is a burgeoning business, the cloud. No one knows what that means. It's actually puzzling that no one knows what that means. What are clouds anyway? They're a bunch of servers and they're somewhere. It ought to be possible for us to know what kind of security they have and what the standards are of security. We asked them about things like that.

But the first thing is if you're in the business of using health data, you must have a business associate agreement. ... We think that we need a lot more than that because we think that security has to be at least state-of-the-art and [meet] the standards as best we know them. But we've got to start with the business associate agreement. ... OCR knows that there's confusion out there, by the way. They really do. He [Rodriguez] is really trying hard to begin to enforce the rules. Great. It's about time. What is this, 10 years or so with no enforcement? He's very sensitive to the need to protect data, and he knows that if they put out some clear statements it will be a big help.
