Deborah Peel MD is founder of Patient Privacy Rights.
Give me some brief background about yourself and about Patient Privacy Rights.
I never expected to be leading this organization or ever even thought about that. In my younger days, I practiced full time as a psychiatrist and Freudian analyst for a very long time, until it became clear that things were happening in DC that would make effective mental healthcare impossible. Namely, that there were lots of different ideas being floated; for example, the Clinton healthcare initiative. There was a part of it that was going to require everyone’s data from every physician encounter be recorded in a federal database.
Fast-forward to the HIPAA privacy rule. That’s what really convinced me of the need for a voice for consumers, because there really wasn’t any. What I’m talking about there is, of course, the change in 2002 that happened under everyone’s radar except for – and this is the laugh line – when the 3,000 Freudian psychoanalysts in the nation noticed that consent was eliminated.
In 2004, I started Patient Privacy Rights because there was no effective representation for the expectations and rights that the majority of Americans have for how the healthcare system is going to work. Namely, that people don’t get to see their information without consent. Since founding PPR in 2004, we’ve still been the national leading watchdog on the issues of patient control over information and even internationally. Our power has come because when we came to DC, the other people that were working on privacy, human rights, and civil rights recognized that because of my unique position as a physician and deep understanding of how data flows, that I knew what I was talking about.
We very quickly got a pretty amazing bipartisan coalition of over 50 organizations. That enabled us to put these issues and problems on the map.
We had some incredible successes in HITECH. Virtually all of the new consumer protections came from our group, including the ban on the sale of PHI, the accounting of disclosures, segmentation, the new requirement that if you pay out of pocket for treatment you should be able to block the flow of that data to health plans and health insurers. We were the ones that worked with Congressman Ed Markey on getting encryption, required stronger security protections, and worked with Senator Snowe to get meaningful breach notice into the rules.
All of this work led to the first-ever summit on the future of health privacy this past summer in DC. The videos and the entire meeting can be seen or streamed online.
If somebody said you had to choose between accepting healthcare IT as it is today or going back to purely paper-based systems, which would you choose?
We’ve never been in favor of going back to paper. Our position has always been there is tremendous technology for privacy and we can have far better control of our information if we implement smart, privacy-enhancing technologies and architectures.
We’ve never been in favor of going backwards, although I do have to say, we now know about WikiLeaks and now because of the strong breach notice requirements, it’s appalling how abysmal the security is of electronic records. Actually, it’s looking a lot like paper records are far easier to keep from getting into the wrong hands because there’s only one of them and they’re locked up in a medical records department most of the time.
We wouldn’t make that choice. What we’ve always tried to do is promote systems that give everybody – except the data thieves and data miners – what they want.
I don’t detect any citizen groundswell about the state of healthcare privacy, just organizations doing an occasional biased survey that concludes that the public is extremely concerned or implies that they would be concerned if only they were informed. Is advocacy needed when there have been no events to get the public up in arms?
The public has two minds about this. All the polling shows that they are extremely sensitive about who controls their records and they believe that they should have the control. On one hand, that’s what they believe.
On the other hand, the polls also show they’re extremely concerned about breaches. Large majorities recognize that all these things are going to get broken into. There’s knowledge in some ways and fears about electronic systems. But the key thing is industry and the government have really not recognized how many people are, in Alan Westin’s words, “Health privacy intense.” He’s the guru of polling in health privacy.
At our summit, he presented 20 years of data. The slides are up there for anyone who wants to see. When the polling comes to views about privacy and control of information in the healthcare sector, his findings have been consistent over 20 years — 35 to 40% of the public is privacy-intensive about health information. About other information, it’s 25%. This is a really significant minority.
Even though the public is not yet marching on Washington with pitchforks — and obviously I’m saying that in a joking way — the issues about privacy are simply going to continue to grow. What the industry has really ignored — and I particularly know about because of the patients that I’ve treated for 37 years — is that people will act in ways that endanger their health in order to keep information private. Millions and millions of people. These are not good outcomes. The public knows that electronic systems are far less safe and secure than paper systems.
This is something that has to be faced. There will be people who will choose not to see doctors, who will omit information, who will ask doctors to change diagnoses, who will refuse to get tests, and so on. These are figures from the 2005 California HealthCare famous study that one in eight people does something to try to protect their privacy.
Even earlier figures from HHS in 2000 are troubling. They found that 600,000 Americans a year refuse to get early diagnosis and treatment for cancer because they know the information won’t stay private. Two million a year — or at least that year – refuse to get early treatment and diagnosis for serious mental illnesses for the same reasons. They know that the information won’t stay private. The same is true with millions of people that refuse to seek treatment for sexually transmitted diseases.
These are not good things. If you look at the military, the Rand Corporation did a survey – I think the book was called Wounded Warriors — that the lack of privacy in the military is one of the important reasons that people won’t get treated. There’s 150,000 Iraqi war vets with post-traumatic stress disorder and we have the highest rate of suicide in the military in 30 years. Actually, just this year, we turned the corner that more members of the military killed themselves than were killed by an enemy.
You’ve really, really got to take seriously the fact that people that desperately need help for illnesses and diseases that are very treatable are refusing to get them because the consequences of the information not staying private are too threatening. It’s about two things, mainly – jobs and reputation.
The survey measures their perception, but does their perception reflect reality?
What I’m talking about is the reality — the actual numbers of people who act. My point really is, yes, the polling is off the charts on what the public feels, but the data is in. It’s not just about feelings. It’s about actions people take to protect themselves and their families from job discrimination, reputational damage, insurance discrimination, and the rest.
But it still was self-reported, right?
Well, yes. These were figures from HHS surveys and from a California Healthcare survey.
As a psychiatrist, your privacy concerns are mostly related to discrimination with regard to employment issues or insurance. Going back to the public’s perception, are there enough occurrences where that’s actually happened that could not have happened with paper medical records?
This issue of discrimination and health information leaking out of the health system is not new because we have health IT. Literally, I learned about this when I hung out my shingle in 1977. The first week I was in practice, a couple of people came in and said, “If I pay you cash, will you keep my records private?”
I was blown away by that. I’d never heard of that in medical school or residency. Nobody talked about that, but these were people who had suffered harm. Again, jobs and reputation. So I said, “Well, sure.”
It’s a very significant issue. Many mental health professionals actually give patients Miranda warnings. If you use a third-party payer, anything you say and do can and will be used against you. Many health professionals will work with people to try to find a fee that they can afford so that they don’t have to have their futures or their children’s futures wrecked.
If patients were allowed to control who can see their medical information, would you be comfortable as a physician making treatment decisions based only on what they want you to see?
As a practical matter, patients still can and do control a lot of what we see and know. I trust what I hear from patients at least on a par, if not more, than what I find in medical records. The history is everything. People are going to withhold information or even lie about it if they don’t trust you. You have to earn patient trust. You get the best information when patients know that you’re really going to protect them and keep their information out of the hands of countless, endless third parties.
I think this is something that physicians and other health professionals – some, anyway – are not going to see coming. As everyone gets their electronic health record – and hospitals are going to get blamed for this too, not just physicians and the practitioners – when they begin to realize how far-flung their data is … that was another thing that came up at the Health Privacy Summit. There’s not even any kind of a data map that can show people all of the places their data goes. It doesn’t even exist. The data gets so far afield. When people see this, they’re going to blame the doctors and the hospitals. That’s not a good thing.
Decisions are made outside the practitioner’s control about who gets that data. At least some EMR vendors believe they own the patient data and can sell it even though that fact may not be clearly stated to patients.
We’ve been pretty actively pointing out that kind of thing. I’m not a lawyer, obviously, but doctors really don’t have a right to sell patient data. That’s one of the reasons we got a ban on the sale of health information into the stimulus bill. Obviously it hasn’t stopped the particular business model of so many electronic health record companies so far, but that was one of the reasons that our coalition worked to ban the sale of PHI without consent.
But as you see, what’s in the federal law and what turns up in regulations is not always the same. That’s a serious problem. I think those contracts will eventually be found to be illegal, just like many health insurers. You probably know about this. You used to get doctors to sign contracts with them with gag clauses, where they weren’t supposed to tell their patients about certain kinds of treatment alternatives. Of course those turned out to be illegal, but that didn’t stop the insurance industry from using them widely for a very long time.
People read about their financial information and Google searches being available to third parties. Do you think they are getting desensitized to the idea that privacy is something they should expect?
No. I think they’re getting more and more rabid about it. You’ve seen lots of pushback, not just in this country, but even more so in Europe, where they have much tougher data privacy and security protection. Google got bit on Buzz. Facebook ended up getting a lot of blowback from their users who believe that they have control over their information. A lot of the controls on Facebook and Google imply that.
I often talk about how people say young people don’t care about privacy. Wrong. I’ve got two teenagers. What’s the premise of Facebook? Some people are my friends and can see things, and others are not. If you want to think about it this way, it’s an early consent tool. You’re in, you’re out. That’s the new premise of Google Plus, that new circle of friends thing. You have different people that get to know different things about you.
But people really do want control over who sees and uses their information. They feel this very strongly. VCs and other people have begun calling us up and asking what we think about things, because they realize there really are going to be markets for products and systems where people know that they can trust what happens with their information and it doesn’t go anywhere they don’t want it to go.
If you’re one of the good guys in the privacy and confidentiality debate in healthcare, who are some bad guys?
It’s not so easy. It’s not just good and bad.
First of all, there’s a vast number of people who are simply not informed, or they’re well-intentioned and they just don’t know what’s going on. There’s a lot of them. A lot of things happen for that reason.
I also think a lot of the reason we’re stuck with these data-leaking systems is because initially, a lot of the administrative kind of software was imported from other businesses. If you think about this, other businesses don’t have to respect individual privacy in the way that the healthcare system does.
In fact, the difference about healthcare from all other commercial areas — where as you say, we can’t seem to control our data at all – the strongest rights we have to control information are in healthcare. They come from the legacy of Hippocrates. The requirement to get consent is in every ethical code for health professionals from time immemorial. We have extremely strong rights to health privacy despite HIPAA.
One of the slides that I always show is a direct quote from the HIPAA regs that talk about HIPAA is intended to be a floor, and in no way to preempt best practices or stronger privacy protections in state law and medical ethics. Well, what happened to that? HIPAA was never intended to wipe out or preempt state law or anything else.
We’re seeing some movement, some beginnings of more movement, in ONC to begin to try to put in place the kind of technologies that are a matter of law, like the need to segment mental health and addiction information and certain other kinds of sensitive information — genetic, STDs and so forth. They’re finally starting to spend a little tiny bit of the $29 billion on the things that matter the most to the public.
Publicly visible, high-profile advocates tend to polarize people who either see them as selfless crusaders or shameless limelight seekers chasing personal gain. How do you see your image in healthcare and who agrees and who doesn’t agree with what you do?
In the beginning, I was cast as a very polarizing figure. Everyone saw me as trying to interrupt the $29 billion dollar gravy train, although it didn’t exist until recently. I had some active reporters essentially trying to attack me as a Luddite and stuff. These were people that didn’t even read or listen to what I was saying. It was polarizing in the beginning, but many people really are of good intent.
I think there is a much more mature understanding of the importance of privacy now, as evidenced by the list of top government officials that participated in the first summit on health privacy and the industry people that participated. We had a past chairman of HIMSS. We had Lisa Gallagher, HIMSS privacy and security officer. Wes Rishel from Gartner was on the panel. We had top people from this nation, from outside of this nation. We had top government people, top industry people, and advocates and privacy experts in academics who were all taking the question seriously — can we build a system with privacy that’s effective and that works and is reasonable? Can it be done?
There were no catfights on the panels or anything, because everyone there believed this is really an important issue that needs to be addressed. I would say that summit is evidence of me being perceived as – I think at this point – less a polarizing figure than a convener for the people that really want to move this whole effort forward in an effective, responsible, thoughtful way that does not leave the public out and that incorporates what the public expects and what they have longstanding rights to.
Any concluding thoughts?
For me, what’s been really difficult has been the fact that even though the administration — both this one and the previous one — wanted to be inclusive and wanted to have public input, the kinds of financial commitment and staff commitment it takes to actually participate in these government private efforts does not allow the kind of input that’s needed from privacy advocates and experts and academics.
Just speaking for myself and getting back to your point about seeking the limelight for some kind of gain, I have to tell you that I’ve never taken a salary for this. In fact, my family and friends have sacrificed lots of money, lots of time, lots of their own personal efforts to me and to Patient Privacy Rights to enable this to happen. In terms of gain, for me, it’s an honor to work for the public, the people of this nation, for privacy. But in terms of any kind of financial gain, it’s certainly been exactly the opposite.
We are hoping to build on the momentum that started at the summit. We’re going to be putting together several work groups and we’re going to make this an annual event. Patient Privacy Rights is also going to create a new privacy brain trust with leaders in this country and internationally to weigh in on what we can do to help move things forward in a constructive way. This nation needs a big counterweight to the many interests that want data without consent, including for-profit research entities, the government, those that sell data, and business analytics kinds of tools with patient data.
This nation and the world need a group of experts who can provide the kind of credible information on those policy and technology to counter a lot of the one-sided infomercials that come from industry. There’s a real need to hear all sides, so people are coming together under the umbrella of the summit to be able to work together and to have an even more powerful voice than just Patient Privacy Rights and me. It’s a wonderful thing because it isn’t just me who cares about this.