
Wednesday, November 10, 2010

Mercy Health Plan's Medical Data Security Breach Should Inform OCR's Harm Standard

A recent medical data security breach at Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan in Philadelphia lends support to removing the harm threshold written into the Interim Final Rule of HIPAA and the HITECH Act before the Final Rule is promulgated. In August of 2009, the Office of Civil Rights (OCR) published the Interim Final Rule, with a request for comments, on breach notification of protected health information (PHI); it set forth additional definitions and standards relating to the Privacy Section. OCR is expected to issue the Final Rule by the end of this year or early next year.

When OCR published the Interim Final Rule last year, the media focused on the provision instructing the covered entity responsible for a breach of PHI to perform a risk assessment as the deciding factor in whether or not to disclose the breach to the affected individuals and the Department of Health and Human Services (HHS). Eight members of Congress expressed their concern by writing a letter to Kathleen Sebelius, noting that the American Recovery and Reinvestment Act (ARRA), which sets forth the statutory mandates relating to privacy of PHI, neither includes nor implies a harm standard, and urged HHS to repeal or revise the harm threshold standard.

Section 13402 of the ARRA states that health care entities must notify the individual when there is an “unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of that information.” In order to decide whether a breach compromises the individual’s security or privacy, the Interim Final Rule set forth risk assessment criteria and translated a “compromise” of security or privacy to mean a “significant risk of financial, reputational, or other harm” to the individual. Problematically, the covered entity itself is tasked with assessing the risk of harm to determine whether it meets the threshold for disclosing the breach to the individual and HHS. The Interim Final Rule states that the covered entity should consider to whom the information was disclosed, the type and amount of information, and whether the information contained material relating to potentially stigmatizing health conditions.

The letter written on behalf of eight Congressional representatives clarified that Congress specifically excluded a threshold for harm when promulgating Section 13402. Furthermore, requiring mandatory disclosure serves as a powerful incentive to health care entities to enact strict privacy and security protections to decrease the likelihood of a breach even occurring.

The Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan (MHP) incident is only the latest in a long line of PHI breaches. In late October, the Philadelphia Inquirer reported that a computer flash drive belonging to MHP was lost at a community health fair. The flash drive contained the medical record information of over 280,000 Pennsylvanian Medicaid recipients.

Donna Burtanger, Vice President of Communications at MHP, stated that company representatives were trying to use the health plan members’ PHI to personalize service at community health fairs. Burtanger offered the example of a health plan member visiting a church-sponsored health fair: the insurance company representative can access the member’s medical record to schedule an appropriate screening test, such as a mammogram.

As one article pointed out, MHP assumes that the patients under the plan would want company employees to hold and access the patient’s full medical record, or to bring that sensitive health information into a less secure location such as a community health fair. This situation highlighted the vast discrepancy between how an insurance company and its members view the risk-benefit calculation of permitting non-essential access to their sensitive medical information.

If a health insurance company such as MHP does not know when its members would not want their information shared, accessed, or transported, it likely would also face a disconnect when attempting to determine potential harm arising from a breach of its members’ PHI and whether that level of harm would require disclosure of the breach.

OCR should consider whether, given the knowledge of this difference, placing that level of discretion in the hands of health care entities will build the public’s trust in the use of electronic health information.


--Katherine Drabiak-Syed

Wednesday, July 1, 2009

Will Stronger Privacy Protections Result in Better Health Data? The Health Privacy Project Recommendations

The Health Privacy Project of the Center for Democracy & Technology (CDT) recently released a paper arguing for changes in how the HIPAA Privacy Rule protects "de-identified" health information. The recommendations grew out of a one-day CDT workshop held in September 2008. The Health Privacy Project makes the following eight recommendations:

1. Re-examine the Privacy Rule de-identification provisions (in particular, the safe harbor method for de-identification);
2. Strengthen accountability by requiring data use agreements;
3. Expand data anonymization options under the Privacy Rule;
4. Provide incentives to use less than fully identifiable data for certain purposes;
5. Provide support through “Centers of Excellence” in de-identification;
6. Require or encourage the use of limited access datasets and other technical solutions;
7. Require education and training of staff de-identifying data; and
8. Consider increasing public transparency regarding uses of de-identified data.


The Project argues that HHS needs to re-examine the Privacy Rule "to ensure that the de-identification standard remains robust as re-identification becomes easier."

For readers struggling with the "Babel" of data privacy vocabulary (for example, what's the difference between "anonymous" and "anonymized"?), these recommendations may open the door to additional confusion, especially if #3 (above) means that additional categories of protected data are created. The Privacy Rule currently offers two categories of data which are exempt from regulation: "de-identified" data (presumed to be beyond the risk of re-identification and therefore not regulated) and not fully identifiable "limited data sets" (incomplete data which includes some identifiers, for example birth dates). While the Rule's current categories may seem simple, The Health Privacy Project notes that a "one-size-fits-all de-identification approach" does not, on the one hand, meet the diverse data needs of researchers and health providers, nor does it, on the other hand, provide sufficient protections in an era of evolving data technologies.

Reference:

The Health Privacy Project, Center for Democracy & Technology. Encouraging the use of, and rethinking protections for de-identified (and “anonymized”) health data. Center for Democracy & Technology, June 2009. http://www.cdt.org/healthprivacy/20090625_deidentify.pdf

Related:

Knoppers BM, Saginur M. The Babel of genetic data terminology. Nat Biotechnol. 2005 Aug;23(8):925-7. PubMed PMID: 16082354.

Sharyl J. Nass, Laura A. Levit, and Lawrence O. Gostin, Editors; Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule; Institute of Medicine. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, D.C.: Institute of Medicine, The National Academies Press, 2009. http://www.nap.edu/catalog.php?record_id=12458

Other Stories in the News

Your Genes Aren’t Covered for That: One Year Later, Gaps in Genetic Discrimination Legislation Reveal the Challenges Ahead. Susannah Baruch, Science Progress. June 29, 2009.

FDA’s Current Ability to Regulate Genetic Testing Is Problematic, FDLI-AAAS Colloquium Attendees Say. Food and Drug Law Institute (FDLI) and the American Association for the Advancement of Science (AAAS) [Press Release]. June 22, 2009. http://www.fdli.org/press/pressrelease/062209.pdf

New Comparative Effectiveness Bill Enhances Dx, Genomics Focus. Matt Jones, GenomeWeb. June 18, 2009.

The GINA Law: Consumer Protection in a New Era of Genetic Testing Research Report. N. Lee Rucker, M.S.P.H., AARP Public Policy Institute, May 2009. http://www.aarp.org/research/health/prevention/fs156_gina.html

-- J.O.

Friday, August 8, 2008

Medical Records, Insurance and Prediction: GINA Will Not Keep this Fox Out of the Henhouse

In a recent Washington Post article (4 August 2008), "Prescription Data Used to Assess Consumers", Ellen Nakashima writes about the availability of medical records for data mining. Insurance companies have begun to use databases of prescription records to assess the risks of insuring individuals or when deciding whether to pay for a treatment. For example, a report could show that an "individual has been on the highest dose of the cholesterol-reducing drug Zocor for 18 months", and an insurance company could determine that the patient has "a very high, near-intractable cholesterol problem … and could avoid a costly blood test". The article also points out that these records are more honest than many applicants for insurance and could reduce the cost of insurance while facilitating faster decision making. While HIPAA stipulates that patient consent must be acquired before these records can be accessed, "HIPAA does not give the Department of Health and Human Services the ability to directly investigate or hold accountable … pharmacy benefit managers". Nakashima reports that the increasing availability of electronic records will result in a market in which data mining organizations compete to sell the most complete and cheapest sources of patient data to insurers. Joy Pritts, of the Georgetown University Health Policy Institute, observes that "Most people don't even know these organizations exist . . . ." Privacy consultant Bob Gellman notes that "consumers will likely continue to have no real meaningful choices if they want insurance". Richard Dick, a database designer, suggests better privacy tools for consumers which would allow patients to be more specific when consenting to release medical information: "Otherwise … you have the fox in charge of the henhouse".

I want to know what incentives motivate patients to consent to release this information in the first place. I'm guessing that insurance coverage may depend upon consent; if so, is this real "consent"? – J.O.

Saturday, May 31, 2008

The Best Predictive Health Ethics Blogs - May 2008

It was a busy month for predictive health news: the president signed GINA, Francis Collins announced his imminent retirement, bloggers reported from important conferences at Case Western and Cold Spring Harbor, and Google announced the debut of Google Health. These events, and others, are reflected in this month's edition of the best blogs on the ethical issues of predictive health.

Are you diseased? Pre-diseased? Potentially diseased? Greg Dahlmann, blog.bioethics.net. 6 May 2008.
In this insightful post, Dahlmann examines how predictive health is changing our concept of disease. When, exactly, does increased risk = illness? Dahlmann writes:

So we're moving from the concept of disease as a state of impaired function to it representing particular sets of probabilities. In the past you were sick when you had a heart attack. Today, you're sick -- or pre-sick, perhaps -- when you have high cholesterol. What about when it's possible to identify constellations of genes that significantly increase your chances of having high cholesterol, or a heart attack. Would that be considered a disease?

Also see Dahlmann's follow up post on "previvors": Blood Matters. Greg Dahlmann, blog.bioethics.net. 11 May 2008.

NHGRI Director Francis Collins to Step Down on August 1. Hsien-Hsien Lei, Eye on DNA. 28 May 2008.
Lei shares the news that Francis Collins will retire from his post this summer and that Alan E. Guttmacher will become acting director. Lei also shares some thoughts on Collins' book The Language of God.

In All Fairness. Fred Trotter, Fred Trotter: My life and thoughts, often about FOSS in medicine. 23 May 2008.
Following the news coverage on the release of Google Health, Fred Trotter weighs in on the privacy questions. Trotter argues that Google is not a health care provider and is, therefore, not covered by HIPAA. He writes:

Both Google Health and HealthVault are designed to make the process of dissemination of your health information to people you want them to be disseminated to easier. Are they doing that in a secure, privacy respecting way? Excellent question; fodder for further posts. Should they be covered by the same laws that cover your healthcare providers? No.

Workman's Compensation, Stereotypes and GATTACA. Steve Murphy, Gene Sherpas: Personalized Medicine and You. 10 May 2008.
Murphy addresses a few of the potential social consequences of predictive medicine, by examining the following scenario:

Young person goes to 23andME/Navigenics/ETC (They just may add this immediately)....gets predictive testing indicating that he is at a 300 fold increased risk of herniating a disc in his back. Avoids manual labor (plays video games all day) never herniates the disc. Did we do society a service?

23andMe, deCODEme and Navigenics at Cold Spring Harbor. Daniel MacArthur, Genetic Future. 9 May 2008.
MacArthur reports, first hand, from the "Biology of Genomes" meeting at Cold Spring Harbor. In addition to the big players in the consumer genomics movement, the speakers at the event included some ethics and policy experts, like Kathy Hudson from Johns Hopkins. Hudson, MacArthur notes, "responded to the problem of patients being given data of very limited predictive value with a very sensible solution: 'In the absence of demonstrable harm, the default should be to provide the information.'"

Genetic testing ethics - consent forms becoming incomprehensible. Elaine Warburton, Genetics and Health. 7 May 2008.
Warburton covers the Translating ELSI, Ethical Legal Social Implications of Human Genetics Research conference at Case Western University in Cleveland. In this entry she reports on Laura Beskow's comments regarding informed consent and the attitudes and concerns of research participants. Also see Warburton's related coverage of pediatric research ethics discussions at the conference in her post: Genetic Ethics - testing and storing our kids’ DNA. Genetics and Health. 7 May 2008.

The FDA ditches the Declaration of Helsinki. Stuart Rennie, Global Bioethics Blog. 6 May 2008.
Stuart Rennie of Global Bioethics Blog examines the implications of the FDA's decision to abandon the Declaration of Helsinki. While Rennie focuses on the potential impact of this decision on US research overseas, and not specifically on predictive health research, this decision may have far reaching consequences on clinical trials of any sort. Rennie concludes with the following verdict: "the decision would seem to encourage pharmaceutical companies to cut ethical corners when working abroad".

GINA Series: Irrational Bureaucratic Risk Abhorrence [Page 1]. Andrew Yates, Think Gene. 24 May 2008.
This is the first post of a (thus far) four part series on GINA. Each post begins with the introduction:

Recently, President Bush signed GINA, the Genetic Information Nondiscrimination Act, into law. GINA makes it illegal for employers or health insurers to discriminate based on genetics. Virtually the entire genetics community has lauded this legislation, yet few have written why it's wrong that employers and services review objective facts to make decisions. … “It’s not fair…” but why?

The Puzzling Consensus in Favor of the Genetic Information Nondiscrimination Act. Eric Posner, The University of Chicago Law School Faculty Blog. 6 May 2008.
In what may be the most influential post covered in this edition of the best predictive health ethics blogs, Chicago Law professor Eric Posner examines GINA and asks some compelling questions:

Should the insurance company be permitted to offer the cheap insurance policy only to people who obtain a doctor's certification that a genetic test shows that they belong to the low-risk group? If you think that insurers should be able to discriminate on the basis of visible markers and on the basis of simple doctors' tests for the presence of dangerous diseases, then you should think they should be able to discriminate on the basis of genetic tests. There is no morally relevant distinction between looking at a person's blood for the evidence of infection and looking at his DNA for evidence of susceptibility to a disease. ... The only explanation for the enthusiasm for GINA is that there is an inchoate feeling among people that there is something wrong with the way the insurance market operates.

Medical Genetics Is Not Eugenics. Gabriella Coleman ("biella"), What Sorts of People. 16 May 2008.
Coleman responds to Ruth Cowan’s article in The Chronicle of Higher Education, “Medical Genetics Is Not Eugenics”. Although Cowan sees little value in thinking about the similarities of modern medical genetics and the mid-century eugenics movement, Coleman cautions:

Even if, as [Cowan] rightly states that genetic testing is oriented primarily toward easing human suffering, genetic testing is still entangled with fraught ethical questions about what types of life we value, what is acceptable human life, and what is not—the very sorts of questions central to eugenics.

Friday, February 15, 2008

Sharing Patient Health Records: Wisconsin Assembly Bill 793

On February 11 legislators in Wisconsin introduced Assembly Bill 793 [PDF – 25.7 KB], which proposes to reduce restrictions on redisclosures of patient health records in particular circumstances to facilitate electronic sharing of information. Wisconsin’s current law (WI ST 51.30) closely follows requirements set forth in HIPAA such as allowing the patient to authorize the disclosure of health records only after the patient is informed of the following: to whom the records will be sent, for what purpose will they be disclosed, and for what length of time the authorization is effective. The current law also requires recording what records are released and to whom they are released, creating a documentation trail.

AB 793 Section 10(b) would modify these restrictions and allow a covered entity to redisclose a patient’s health care record for a purpose for which a release is “otherwise permitted,” such as: if a patient previously has agreed to its release [see Section 9(4)(b)(1)]. Non-covered entities may redisclose [per Section 10(c)] the patient’s record subject to more qualifications, such as redisclosure for a purpose for which the patient health care record was initially received. Read in conjunction with Section 10(c), Section 10(b) would allow a covered entity to redisclose a patient’s health record in more circumstances without that patient’s consent.

As reported by the Wisconsin Technology Network, the Wisconsin Department of Health and Family Services (WDHFS) Secretary, Kevin Hayden, maintains that AB 793 does not apply to disclosures covered under HIPAA. In general, HIPAA requires a patient to consent to the release of protected health information for treatment purposes by the receiving hospital and would extend this release, for example, if the patient is transferred for continuing treatment (45 CFR 164.502). Compiling and transferring patient records for other purposes (such as research or database compilation) not related to the patient’s treatment plan or administrative health care operations generally requires a patient authorization. A valid authorization (45 CFR 164.508) contains, among other elements: to whom the information will be disclosed, the purpose of the disclosure, and the individual’s right to revoke the authorization.

If the purpose of HIPAA is read to limit the release of patient records, with exceptions to facilitate present treatment, then in most instances medical records must be explicitly released by the patient for use by other individuals by means of an authorization. If the patient does authorize additional use of his records, HIPAA envisions that the patient can track the release of that record with some accountability. WDHFS seems to be modifying how it interprets HIPAA’s requirements, as AB 793 would eliminate the requirement to obtain consent to disclose the patient’s record as well as eliminating documentation of these disclosures.

It is uncertain how WDHFS and the drafters of AB 793 are interpreting HIPAA coverage, whether their interpretation relies on assuming a patient’s singular consent is sufficient, or they plan to add measures to ensure compliance if the bill is implemented. Do they contemplate “treatment” in terms of all foreseeable future treatment? Is this framework something more state legislatures should adopt to increase the ability to retrieve patient records?

If WDHFS’s further discussion of AB 793 does in fact comply with HIPAA’s requirements, this move toward compiling health records could increase the efficiency of health care for the state’s residents. In order to ensure compliance, WDHFS may need to place additional restrictions on its records system or change the substance of patients’ initial consent. - Katherine Drabiak

Thursday, July 19, 2007

HIPSA: The Health Information Privacy and Security Act of 2007

Revising HIPAA
Yesterday, July 18, 2007, Senators Leahy and Kennedy introduced legislation to revise HIPAA. Although Section 215 makes disclosure exceptions for “Law Enforcement, National Security, and Intelligence”, the new bill would tighten HIPAA loopholes. The bill “requires that any health information intended to be used for medi[c]al research first be stripped of personally identifying information to protect an individual’s privacy”. Senator Leahy's website provides a copy of the statement and a summary of the legislation: http://leahy.senate.gov/press/200707/071807c.html

Additional Excerpts from Leahy’s Statement:

    Our bill also requires that patients be notified of a data security breach involving their health information within 15 days of discovery of the breach. ....

    [O]ur bill addresses the growing fear of many Americans that they will not be able to obtain important health information about a parent or child in situations involving a medical emergency, because of confusion about the requirements of current health privacy laws. ....

    The bill also establishes a national office of health information privacy within the Department of Health and Human Services to aid American consumers in learning about their health privacy rights. ....

    The bill makes it a federal crime to knowingly and intentionally disclose or use sensitive health information without an individual’s consent. Violators of this provision are subject to a criminal penalty of up to $500,000 and up to 10 years in prison, if the violation is committed with the intent to sell or use sensitive health information for economic gain.


To read the full statement and a summary of the legislation, visit Sen. Leahy's press release: http://leahy.senate.gov/press/200707/071807c.html

Related Press:
Sen. Leahy cites “Keeping Patients’ Details Private, Even From Kin”. July 3, 2007, The New York Times.

Also see: “Senators introduce stringent health records privacy bill”. Government Health IT, July 18, 2007.