HIStalk Interviews Deborah Peel MD, Founder, Patient Privacy Rights
Deborah Peel MD is founder of Patient Privacy Rights.
Give me some brief background about yourself and about Patient Privacy Rights.
I never expected to be leading this organization or ever even thought about that. In my younger days, I practiced full time as a psychiatrist and Freudian analyst for a very long time, until it became clear that things were happening in DC that would make effective mental healthcare impossible. Namely, that there were lots of different ideas being floated; for example, the Clinton healthcare initiative. There was a part of it that was going to require everyone’s data from every physician encounter be recorded in federal database.
Fast-forward to the HIPAA privacy rule. That’s what really convinced me of the need for a voice for consumers, because there really wasn’t any. What I’m talking about there is, of course, the change in 2002 that happened under everyone’s radar except for – and this is the laugh line – when the 3,000 Freudian psychoanalysts in the nation noticed that consent was eliminated.
In 2004, I started Patient Privacy Rights because there was no effective representation for the expectations and rights that the majority of Americans have for how the healthcare system is going to work. Namely, that people don’t get to see their information without consent. Since founding PPR in 2004, we’ve still been the national leading watchdog on the issues of patient control over information and even internationally. Our power has come because when we came to DC, the other people that were working on privacy, human rights, and civil rights recognized that because of my unique position as a physician and deep understanding of how data flows, that I knew what I was talking about.
We very quickly got a pretty amazing bipartisan coalition of over 50 organizations. That enabled us to put these issues and problems on the map.
We had some incredible successes in HITECH. Virtually all of the new consumer protections came from our group, including the ban on the sale of PHI, the accounting of disclosures, segmentation, the new requirement that if you pay out of pocket for treatment you should be able to block the flow of that data to health plans and health insurers. We were the ones that worked with Congressman Ed Markey on getting encryption, required stronger security protections, and worked with Senator Snow to get meaningful breach notice into the rules.
All of this work led to the first-ever summit on the future of health privacy this past summer in DC. The videos and the entire meeting can be seen or streamed online.
If somebody said you had to choose between accepting healthcare IT as it is today or going back to purely paper-based systems, which would you choose?
We’ve never been in favor of going back to paper. Our position has always been there is tremendous technology for privacy and we can have far better control of our information if we implement smart, privacy-enhancing technologies and architectures.
We’ve never been in favor of going backwards, although I do have to say, we now know about WikiLeaks and now because of the strong breach notice requirements, it’s appalling how abysmal the security is of electronic records. Actually, it’s looking a lot like paper records are far easier to keep from getting into the wrong hands because there’s only one of them and they’re locked up in a medical records department most of the time.
We wouldn’t make that choice. What we’ve always tried to do is promote systems that give everybody – except the data thieves and data miners – what they want.
I don’t detect any citizen groundswell about the state of healthcare privacy, just organizations doing an occasional biased survey that concludes that the public is extremely concerned or implies that they would be concerned if only they were informed. Is advocacy needed when there have been no events to get the public up in arms?
The public has two minds about this. All the polling shows that they are extremely sensitive about who controls their records and they believe that they should have the control. On one hand, that’s what they believe.
On the other hand, the polls also show they’re extremely concerned about breaches. Large majorities recognize that all these things are going to get broken into. There’s knowledge in some ways and fears about electronic systems. But the key thing is industry and the government have really not recognized how many people are, in Alan Westin’s words, “Health privacy intense.” He’s the guru of polling in health privacy.
At our summit, he presented 20 years of data. The slides are up there for anyone who wants to see. When the polling comes to views about privacy and control of information in the healthcare sector, his findings have been consistent over 20 years — 35 to 40% of the public is privacy-intensive about health information. About other information, it’s 25%. This is a really significant minority.
Even though the public is not yet marching on Washington with pitchforks — and obviously I’m saying that in a joking way — the issues about privacy are simply going to continue to grow. What the industry has really ignored — and I particularly know about because of the patients that I’ve treated for 37 years — is that people will act in ways that endanger their health in order to keep information private. Millions and millions of people. These are not good outcomes. The public knows that electronic systems are far less safe and secure than paper systems.
This is something that has to be faced. There will be people who will choose not to see doctors, who will omit information, who will ask doctors to change diagnoses, who will refuse to get tests, and so on. These are figures from the 2005 California HealthCare famous study that one in eight people does something to try to protect their privacy.
Even earlier figures from HHS in 2000 are troubling. They found that 600,000 Americans a year refuse to get early diagnosis and treatment for cancer because they know the information won’t stay private. Two million a year — or at least that year — refuse to get early treatment and diagnosis for serious mental illnesses for the same reasons. They know that the information won’t stay private. The same is true with millions of people that refuse to seek treatment for sexually transmitted diseases.
These are not good things. If you look at the military, the Rand Corporation did a survey – I think the book was called Wounded Warriors — that the lack of privacy in the military is one of the important reasons that people won’t get treated. There’s 150,000 Iraqi war vets with post-traumatic stress disorder and we have the highest rate of suicide in the military in 30 years. Actually, just this year, we turned the corner that more members of the military killed themselves than were killed by an enemy.
You’ve really, really got to take seriously the fact that people that desperately need help for illnesses and diseases that are very treatable are refusing to get them because the consequences of the information not staying private are too threatening. It’s about two things, mainly – jobs and reputation.
The survey measures their perception, but does their perception reflect reality?
What I’m talking about is the reality — the actual numbers of people who act. My point really is, yes, the polling is off the charts on what the public feels, but the data is in. It’s not just about feelings. It’s about actions people take to protect themselves and their families from job discrimination, reputational damage, insurance discrimination, and the rest.
But it still was self-reported, right?
Well, yes. These were figures from HHS surveys and from a California Healthcare survey.
As a psychiatrist, your privacy concerns are mostly related to discrimination with regard to employment issues or insurance. Going back to the public’s perception, are there enough occurrences where that’s actually happened that could not have happened with paper medical records?
This issue of discrimination and health information leaking out of the health system is not new because we have health IT. Literally, I learned about this when I hung out my shingle in 1977. The first week I was in practice, a couple of people came in and said, “If I pay you cash, will you keep my records private?”
I was blown away by that. I’d never heard of that in medical school or residency. Nobody talked about that, but these were people who had suffered harm. Again, jobs and reputation. So I said, “Well, sure.”
It’s a very significant issue. Many mental health professionals actually give patients Miranda warnings. If you use a third-party payer, anything you say and do can and will be used against you. Many health professionals will work with people to try to find a fee that they can afford so that they don’t have to have their futures or their children’s futures wrecked.
If patients were allowed to control who can see their medical information, would you be comfortable as a physician making treatment decisions based only on what they want you to see?
As a practical matter, patients still can and do control a lot of what we see and know. I trust what I hear from patients at least on a par, if not more, than what I find in medical records. The history is everything. People are going to withhold information or even lie about it if they don’t trust you. You have to earn patient trust. You get the best information when patients know that you’re really going to protect them and keep their information out of the hands of countless, endless third parties.
I think this is something that physicians and other health professionals – some, anyway – are not going to see coming. As everyone gets their electronic health record – and hospitals are going to get blamed for this too, not just physicians and the practitioners – when they begin to realize how far-flung their data is … that was another thing that came up at the Health Privacy Summit. There’s not even any kind of a data map that can show people all of the places their data goes. It doesn’t even exist. The data gets so far afield. When people see this, they’re going to blame the doctors and the hospitals. That’s not a good thing.
Decisions are made outside the practitioner’s control about who gets that data. At least some EMR vendors believe they own the patient data and can sell it even though that fact may not be clearly stated to patients.
We’ve been pretty actively pointing out that kind of thing. I’m not a lawyer, obviously, but doctors really don’t have a right to sell patient data. That’s one of the reasons we got a ban on the sale of health information into the stimulus bill. Obviously it hasn’t stopped the particular business model of so many electronic health record companies so far, but that was one of the reasons that our coalition worked to ban the sale of PHI without consent.
But as you see, what’s in the federal law and what turns up in regulations is not always the same. That’s a serious problem. I think those contracts will eventually be found to be illegal, just like many health insurers. You probably know about this. You used to get doctors to sign contracts with them with gag clauses, where they weren’t supposed to tell their patients about certain kinds of treatment alternatives. Of course those turned out to be illegal, but that didn’t stop the insurance industry from using them widely for a very long time.
People read about their financial information and Google searches being available to third parties. Do you think they are getting desensitized to the idea that privacy is something they should expect?
No. I think they’re getting more and more rabid about it. You’ve seen lots of pushback, not just in this country, but even more so in Europe, where they have much tougher data privacy and security protection. Google got bit on Buzz. Facebook ended up getting a lot of blowback from their users who believe that they have control over their information. A lot of the controls on Facebook and Google imply that.
I often talk about how people say young people don’t care about privacy. Wrong. I’ve got two teenagers. What’s the premise of Facebook? Some people are my friends and can see things, and others are not. If you want to think about it this way, it’s an early consent tool. You’re in, you’re out. That’s the new premise of Google Plus, that new circle of friends thing. You have different people that get to know different things about you.
But people really do want control over who sees and uses their information. They feel this very strongly. VCs and other people have begun calling us up and asking what we think about things, because they realize there really are going to be markets for products and systems where people know that they can trust what happens with their information and it doesn’t go anywhere they don’t want it to go.
If you’re one of the good guys in the privacy and confidentiality debate in healthcare, who are some bad guys?
It’s not so easy. It’s not just good and bad.
First of all, there’s a vast number of people who are simply not informed, or they’re well-intentioned and they just don’t know what’s going on. There’s a lot of them. A lot of things happen for that reason.
I also think a lot of the reason we’re stuck with these data-leaking systems is because initially, a lot of the administrative kind of software was imported from other businesses. If you think about this, other businesses don’t have to respect individual privacy in the way that the healthcare system does.
In fact, the difference about healthcare from all other commercial areas — where as you say, we can’t seem to control our data at all – the strongest rights we have to control information are in healthcare. They come from the legacy of Hippocrates. The requirement to get consent is in every ethical code for health professionals from time immemorial. We have extremely strong rights to health privacy despite HIPAA.
One of the slides that I always show is a direct quote from the HIPAA regs that talk about HIPAA is intended to be a floor, and in no way to preempt best practices or stronger privacy protections in state law and medical ethics. Well, what happened to that? HIPAA was never intended to wipe out or preempt state law or anything else.
We’re seeing some movement, some beginnings of more movement in ONC to begin to try to put in place the kind of technologies that are a matter of law, like the need to segment mental health and addiction information and certain other kinds of sensitive information — genetic, STDs and so forth. They’re finally starting to spend a little tiny bit of the $29 billion on the things that matter the most to the public.
Publicly visible, high-profile advocates tend to polarize people who either see them as selfless crusaders or shameless limelight seekers chasing personal gain. How do you see your image in healthcare and who agrees and who doesn’t agree with what you do?
In the beginning, I was cast as a very polarizing figure. Everyone saw me as trying to interrupt the $29 billion dollar gravy train, although it didn’t exist until recently. I had some active reporters essentially trying to attack me as a Luddite and stuff. These were people that didn’t even read or listen to what I was saying. It was polarizing in the beginning, but many people really are of good intent.
I think there is a much more mature understanding of the importance of privacy now, as evidenced by the list of top government officials that participated in the first summit on health privacy and the industry people that participated. We had a past chairman of HIMSS. We had Lisa Gallagher, HIMSS privacy and security officer. Wes Rishel from Gartner was on the panel. We had top people from this nation, from outside of this nation. We had top government people, top industry people, and advocates and privacy experts in academics who were all taking the question seriously — can we build a system with privacy that’s effective and that works and is reasonable? Can it be done?
There were no catfights on the panels or anything, because everyone there believed this is really an important issue that needs to be addressed. I would say that summit is evidence of me being perceived as – I think at this point – less a polarizing figure than a convener for the people that really want to move this whole effort forward in an effective, responsible, thoughtful way that does not leave the public out and that incorporates what the public expects and what they have longstanding rights to.
Any concluding thoughts?
For me, what’s been really difficult has been the fact that even though the administration — both this one and the previous one — wanted to be inclusive and wanted to have public input, the kinds of financial commitment and staff commitment it takes to actually participate in these government private efforts does not allow the kind of input that’s needed from privacy advocates and experts and academics.
Just speaking for myself and getting back to your point about seeking the limelight for some kind of gain, I have to tell you that I’ve never taken a salary for this. In fact, my family and friends have sacrificed lots of money, lots of time, lots of their own personal efforts to me and to Patient Privacy Rights to enable this to happen. In terms of gain, for me, it’s an honor to work for the public, the people of this nation, for privacy. But in terms of any kind of financial gain, it’s certainly been exactly the opposite.
We are hoping to build on the momentum that started at the summit. We’re going to be putting together several work groups and we’re going to make this an annual event. Patient Privacy Rights is also going to create a new privacy brain trust with leaders in this country and internationally to weigh in on what we can to help move things forward in a constructive way. This nation needs a big counterweight to the many interests that want data without consent, including for-profit research entities, the government, those that sell data, and business analytics kinds of tools with patient data.
This nation and the world needs a group of experts who can provide the kind of credible information on those policy and technology to counter a lot of the one-sided infomercials that come from industry. There’s a real need to hear all sides, so people are coming together under the umbrella of the summit to be able to work together and to have an even more powerful voice than just Patient Privacy Rights and me. It’s a wonderful thing because it isn’t just me who cares about this.
No comments from this crowd @ 24hrs…Peel and privacy have jumped the shark.
Great interview. Once again, Debbie shows she’s anything but the “nut” many have tried to call her. She’s honest, intelligent, thoughtful and rightfully concerned.
To provide clear cut medical care (which is still an art as medicines and treatment plans affect each patient differently) citizens will not be at liberty to decide if they can or cannot disclose full information to their providers. If they need the best treatment plans they cannot hide such information from their health care providers. It is how this information is abused by big related parties that is the source of outrage.
Debbie seems to be doing what is morally and legally right – protecting citizens of this country from big business which owns Wall Street and the government. The state of this nation’s healthcare has everything to do with big insurance companies using incorrect and illegal business policies to sell high deductible insurance without full disclosures, among other things, then telling them that providers and hospitals will provide care free of charge for these insurance premium payments. Simultaneously these same companies use all sorts of denials to deny the remainder payments (after the huge deductible that invariably goes unpaid) to any health care provider who at this very minute is not able to effectively unionize and protect themselves….because they are scrambling to provide patient care and at the same time cover their huge malpractice and overhead costs which now includes poor EMR technologies that physicians have no choice but to implement out of their own pockets…..
In addition, insurance and big companies want all possible health records of patients so that they can on the other end cherry pick their patient pool. This is not going to go away as long as big business not only does not pay any taxes but pays “lobbying” fees to big government that is getting bigger to take care of their interests.
I feel sorry for the next generation of not only providers but citizens of this country who will get adversely impacted with the quality of care under nationalized health care which in turn will be run by big business again…Medicare and similar government taxes given by all citizens subcontracted to any and all big insurance companies who again will own big government. It is said that some of these insurance companies’ oval offices in DC are even bigger than the White House.
What Debbie is doing is right. Somebody has to talk for our citizens and protect them from big business and big government.
I got to say that it’s hilarious that Deborah Peel is now the self-appointed view of moderation and managed to con several others into joining her. Is she now going to comment and redress some of the many (to be kind) potentially misleading comments she’s made in the past? Quoting myself from last year, here’s just a few in a reply I made to her on THCB–in which by the way she was going after the person who is currently the ONC’s main Consumer representative. My piece below:-
I have no problem with Deborah Peel or anyone else engaging in a rational debate about the best way to get patients control over their data, and to promote solutions that use technology to enhance that control and improve privacy solutions in the current IT infrastructure.
My problem is with anyone telling lies.
Exhibit A: http://www.washingtonpost.com/wp-dyn/content/story/2008/03/10/ST2008031001828.html?sid=ST2008031001828
“Many online PHR firms share information with data-mining companies, which then sell it to insurers and other interested parties, Peel said.”
In this article and numerous other places Peel’s claimed that technology companies are routinely selling identified data when I believe that they are selling de-identified data for research purposes–and when even if they could re-identify the data they are contractually banned from doing so. I’ve asked here and elsewhere for any proof of this happening; never seen it.
Exhibit B: Just a few weeks ago on HISTalk, this is how Peel described athenahealth’s plans to allow patient data to be shared between local doctors and hospitals: “misguided, uninformed EHR vendor will discount the price of EHR software for doctors willing to sell their patients’ data!”
Of course it was nothing of the sort; athena’s nascent plan was to help move data between facilities just in the way that (for instance) the Indiana and Utah health information networks have done for a long time, and Kaiser Permanente’s docs and hospitals already do–and by the way something that is in the nation’s plans for meaningful use in Phase 1 (albeit that it won’t actually have to be done until stage 2 other than with dummy data). If her description of what was being planned wasn’t a lie, well it was certainly stretching the truth.
Which brings us to Exhibit C: her interview on the KTVU show that Lygeia quotes in which she said: “Anything that’s in there, any information that’s in there, can and will be used against you in the future…” and, “This is a nightmare. It’s nothing we’ve ever seen before in medicine.”
Now we don’t know the exact question she was asked but it’s logical that it was about Practice Fusion’s plans to sell de-identified data as that was the topic of the report. Again, unless they are morons (and whatever you think of their business model they’re not that) the folks at Practice Fusion will both de-identify the data and limit contractually the ability of the people they sell it to to either re-identify the data or sell it for other purposes. And of course it’s not “nothing we’ve ever seen in medicine” — studies have been done on de-identified data for decades, and also on identified data (albeit usually under the fig leaf of IRB approval).
And to remind you of my trawl through Deborah Peel’s organization’s hall of shame of misuses of patient data, almost every instance was either an accident with PAPER records or illegal behavior, and not one included re-identification of de-identified data.
http://www.thehealthcareblog.com/the_health_care_blog/2008/03/health-20-get-1.html (it’s near the bottom)
Deborah Peel may have a serious point to make about changing the way that the law and privacy controls work in health IT both now and in the future, but she sure seems to be on a crusade attacking anyone trying to use IT to improve the process of health care and research. And that attack seems to involve telling what look to me to be lies.
In addition, it’s not selling data per se that’s damaging, it’s the consequences of any data release that are potentially damaging, and by far the most data is currently released legally and “voluntarily” by patients applying for health insurance in the individual market–where they endure discrimination and real negative consequences. I have not heard one word from Deborah Peel about trying to eliminate those activities by insurers (which hopefully will be abolished under PPACA) but she is for sure on record as opposing the Clinton Health plan which tried to do exactly the same thing.
So here’s my offer to Deborah. I’m not calling you a name this time; I’m offering you as much space as you like on THCB to:
1) a) reply to my accusations that you deliberately misrepresented the truth in the three cases I’ve discussed above
b) Give any other proof of complicity in illegal bad behavior in identified data sales and uses by any other technology company/provider system
2) Actually state your case for what you’d like to happen in regards to privacy and identity management in the new electronic health infrastructure–and have a rational debate with those of us who believe that there’s huge potential benefit from the spread of electronic data transfer among health care providers and patients.
3) Tell us what kind of a health insurance/payer system you would favor–and why that would ensure that there was no need to discriminate against people based on health status.
Deborah, if we can get you to the point of rational debate over options, I’m happy to calm my attack dog nature. But if you’re not and dumb members of the mainstream press are prepared to allow you to say what you’ve been saying unchallenged, I’m not going to keep quiet.