arrowProgramsarrowAdvocacyarrowMedical Privacy

Medical Privacy

July 31, 2012 - The U.S. Government Accountability Office issued a report stating that federal law should be updated to address the changing technology landscape. Read the report here


July 30, 2012 - Why We Need a Health Information Privacy Bill of Rights, by Jim Pyles

"One thing must be clear, even though we live in a world in which we share personal information more freely than in the past, we must reject the conclusion that privacy is an outmoded value. It has been at the heart of our democracy from its inception, and we need it now more than ever." So said a constitutional law professor who is our current president on the issuance by the White House of the Consumer Privacy Bill of Rights on February 23, 2012. The president was right. Read more...


July 16, 2012 - An interesting series of articles from the past few days illustrates the growing concern in the public and in Congress over the use of electronic information systems to invade information privacy.  These articles illustrate the growing demand for better health information privacy laws in the information age.

 In Vast Effort FDA Spied on E-Mails of Its Own ScientistsNew York Times (July 14, 2012)

This story has caused a lot of anger in Congress because the FDA was using electronic surveillance to spy on communications with members of Congress. Remember the line from President Obama’s cover memo to the Consumer Privacy Bill of Rights—“Citizens who feel protected from misuse of their personal information feel free to engage in commerce, to participate in the political process, or to seek needed health care.”  I guess the FDA scientists do not have that freedom.


That’s No Phone, That’s My Tracker, New York Times (July 13, 2012)

This story points out how cell phone carriers responded last year to 1.3 million requests last year for cell phone call data and many law enforcement agencies do not bother to obtain a warrant when seeking cell phone information. Modern cell phones also double as GPS tracking devices, so they can be used to track an individual’s activities. The article quotes the decision in U.S. v. Maynard, where the Court of Appeals for the D.C. Circuit found that the use by police of a tracking device without a warrant on a suspected drug dealer’s car violated his right to privacy under the 4th Amendment. While that case did not involve health information, the D.C. Circuit described the constitutional problem as follows: GPS data can reveal whether a person “is a weekly church goer, a heavy drinker, a regular at the gym, an unfaithful husband, an outpatient receiving medical treatment, an associate of particular individuals or political groups — and not just one such fact about a person, but all such facts.” That decision was subsequently affirmed 9-0 by the Supreme Court in U.S. v. Jones in which Justice Scalia found that a right to privacy against searches and seizures for certain information can be found in both the original intent of the 4th Amendment and a modern day reasonable expectation of privacy. Justice Sotomayor stated in a concurring opinion that electronic tracking could reveal “trips the indisputably private nature of which takes little imagination to conjure: trips to the psychiatrist, the plastic surgeon, the abortion clinic, the AIDS treatment center, the strip club, the criminal defense attorney, the by-the-hour motel, the union meeting, the mosque, synagogue or church, the gay bar, and on and on.”  (Citing a previously decided New York case.) So there is little doubt that the kind of electronic tracking that the courts found unconstitutional in these cases would be found unconstitutional if it involved tracking of health care information and activities (as was the case in Ferguson v. City of Charleston Hosp., a 2001 Supreme Court case finding unconstitutional the disclosure by a hospital to the police of drug testing information from women who did not give their consent for the health information to be used for law enforcement purposes).


More Demands on Cell Carriers in Surveillance, New York Times (July 8, 2012)

This story shows that warrants by federal and local police for wire taps have declined as they rely more on cell phone surveillance. It also states that the use of this type of electronic tracking which was already of uncertain legality was further “muddled” by the Supreme Court’s decision in U.S. v. Jones.  Congressman Markey who forced the practice into the open by requested information on cell phone tracking from the nine major carriers is quoted as saying he “never expected it to be this massive” and is concerned “that ‘digital dragnets’ threatened to compromise the privacy of many customers.


The End of Privacy, New York Times (July 14, 2012)

This NYT editorial states that “Cellphones, e-mail, and online social networking have come to rule daily life, but Congress has done nothing to update federal privacy laws to better protect digital communication. That inattention carries a heavy price.”  It states further that “Clearly, federal laws need to be revamped and brought into line with newer forms of surveillance.”


Report from James C. Pyles on the Standards and Implementation Framework Conference

April 11-13, 2012 - I attended the S&I (Standards and Implementation) Framework Conference in Alexandria, VA on behalf of the American Psychoanalytic Association. This was a conference sponsored by the HHS Office of the National Coordinator for Health Information to develop implementation methods for many of the provisions in the HITECH Act, including segmentation of sensitive health data within an electronic health information system. Over the two and a half days of the conference, I raised APsaA's concerns that patient information should not be used or disclosed without patient consent. There was general agreement that consent would be necessary for the disclosure of highly sensitive health information such as mental health and substance abuse information.

On the first day of the conference, several top officials from the Office of the National Coordinator stated that it would be important for implementation standards to adhere to basic principles and goals. Since they were not mentioned, I asked whether those principles and goals might be consistent with the Consumer Data Privacy Bill of Rights issued by the White House on February 23, 2012, particularly since an accompanying statement from the President said that those privacy principles were a foundation of our democracy and were more important now than ever before. The official at the podium to whom I asked that question became very nervous and said he would have to refer that question to others in attendance. In short, he simply evaded answering the question. 

There were working sessions on using electronic health information for laboratory orders, transitions of care (from one care setting or provider to another), permitting electronic health systems to talk to each other, electronic submission of medical documentation, public health reporting and longitudinal coordination of care. I attended the sessions on segmentation of highly personal health information. Most of those in attendance were computer technicians, and there was much discussion about how to determine whether an individual had given consent for disclosure of certain information and not other information and disclosures to certain practitioners and not to others. All of the discussions took place around the example of the federal drug and alcohol abuse treatment laws which require written consent for the use and disclosure of health information. The premise of the working group was that if they could design an electronic health information system that would accommodate the requirements of the federal drug and alcohol abuse treatment laws, then it would be adequate for any information. I raised the point that psychotherapy information is every bit as sensitive as drug and alcohol abuse information and that the HITECH Act allows consent for the disclosure for any health information if the individual pays out or pocket. They agreed this capability had to be designed into the system.

After agreeing on the technical characteristics of an electronic information system that would accommodate the right of consent, they outlined the characteristics of several pilots to the test the system. I suggested that the pilots include feedback from patients with respect to whether they believed that the HIT system would protect their health privacy.   There was general agreement, but one gentleman from Blue Cross/Blue Shield objected that we should not mix patient views in with the technological issues. I responded that consent in the abstract was not very effective and that the consent should be "informed" which would mean that the patient would be informed of the risks of putting sensitive health information into and electronic system.

I had one exchange with a physician from Kaiser Health which was revealing. He said that the HIPPA Privacy Rule gave him the permission to disclose his patients' health information without their consent. I asked him if that meant he would disclose his patients' health information even over their objection. He said yes he would based on the authority in the HIPAA Privacy Rule. I asked him if he understood that the HIPAA Privacy Rule was only a federal floor of privacy protections and was never even intended as a "best practices" standard and that professional ethics precluded disclosing health information against the patient's wishes. He looked perplexed and said he would do it anyway.

By attending this conference and advocating APsaA's positions and concerns I believe the recommendations concerning segmentation will be much more privacy protective. It will continue to take careful monitoring and interventions to ensure that the segmentation provision is implemented in a manner that provides real privacy protection for sensitive health information. The S&I Framework work groups will be making recommendations to the HIT Standards Committee in the next 60 days.

The lack of basic privacy principles was quite apparent at this conference even after the opening remarks acknowledged how important such principles would be.

Electronic Health Records Lead to More Breaches

HIMSS, one of the most vigorous proponents of the adoption of electronic health records, has released a report of a study by a consulting firm that concludes that there has been "a steady rise in data breaches over the last six years, despite increasingly stringent regulatory activity surrounding reporting and auditing procedures, and heightened levels of compliance." 2012 HIMSS Analytics Report: Security of Patient Data (April 2012).

The report also found that "The mobility of patient data – made possible by new technologies and the proliferation of mobile devices in the workplace – is a leading factor in healthcare data breaches."

See also, EHRs: A Major Source of Patient Information Breaches Fierce EMR (April 12, 2012). These findings are consistent with the findings of the year-long study entitled The Financial Impact of Breached Protected Health Information, American National Standards Institute (March 5, 2012), available for download.

These reports and others show that electronic health information systems have increased the threats to health information privacy, are adding unanticipated costs to the health care delivery system, and have not reduced errors or improved the quality of health care as promised. EHRs do appear to make it possible to better coordinate health care outside of institutions.  This outcome is consistent with the prediction we made in the "Myths and Facts About Health IT" in 2009 when we urged a "reality-based" approach to the development of electronic information systems in which the vulnerabilities of such systems would be acknowledged and they would be grounded in the constitutional and ethical right to health information privacy.  A reality-based approach was not taken, and it now appears that the public must face the reality that much of their personal health information may be improperly disclosed.

March 9, 2012 - The Agency for Health Care Research and Quality (AHRQ) has issued a notice of its intention to try to determine why electronic health information systems often show "disappointing results". Here is a quote from notice 77 Fed. Reg. at 14,371 (March 9, 2012):

While much of the attention of health IT research and development had been directed at the technical issues of building and deploying health IT systems,there is growing consensus that deployment of health IT has often had disappointing results, and while technical challenges remain, there is a need for greater attention to sociotechnical issues and the problems of modeling workflow.

The implementation of health IT in practice is costly in time and effortand less is known about these issues in small- and medium-sized practices where the impact of improved or disrupted workflows may have especially significant consequences because of limited resources.

Read the full notice here.

See also, "AHRQ: 'Disappointing Results' Often Seen in Health IT Deployment", Modern Healthcare (March 9, 2012). AHRQ plans to study 18 small to medium sized physician practices over a period of 27 months at a cost to the Federal government of $793,456 and an annual cost to the practices of $96,100. Of course, these costs must be added to the cost of health IT.

Earlier this week another in a lengthening series of articles appeared in the New York Times reporting that research is showing that electronic health information systems do not save money, and may actually increase health care costs. "Digital Records May Not Cut Health Costs: Study Cautions", NYT (March 5, 2012).

The factual premise on which Congress based the expenditure of billions of dollars in the American Recovery and Reinvestment Act for bonuses to providers and practitioners who became "meaningful users" of health IT was that it would save 100,000 lives and $77 billion annually. There is growing evidence that this premise was inaccurate.  APsaA pointed out repeatedly that there was little evidentiary basis for these predictions.

March 5, 2012 - New Report Calls for Enhanced Security to Safeguard Protected Health Information

5-Step Method Provides Health Care Organizations with Tool to Estimate the Overall Potential Costs of a Data Breach

ANSI, The Santa Fe Group/Shared Assessments Program Healthcare Working Group, and the Internet Security Alliance to Host Congressional Briefing Today; White House Cybersecurity Coordinator Howard Schmidt Invited to Speak at Press Conference

Washington, DC, March 5, 2012: With the release today of The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security,health care organizations now have a new method to evaluate the “at risk” value of protected health information (PHI) that will enable them to make a business case for appropriate investments to better protect PHI. This report was created through the “PHI Project” – a collaboration of the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with The Santa Fe Group/Shared Assessments Program Healthcare Working Group, and the Internet Security Alliance (ISA) – that involved a cross-section of more than 100 health care industry leaders from over 70 organizations. The report is available for free download at

Health Care System Depends on Patient Trust in Confidentiality and Security
The health care delivery system is founded upon trust – a trust that those receiving health information will keep it confidential and secure. This trust is now being tested as the health care industry moves to adopt electronic health records (EHR), access federal incentives, and facilitate better patient care. PHI is now more susceptible than ever to accidental or impermissible disclosure, loss, or theft. Health care organizations (providers, payers, and business associates) are not keeping pace with the growing risks of exposure as a result of EHR adoption, the increasing number of organizations handling PHI, and the growing rewards of PHI theft.

PHI Breaches Increasing with Far-Reaching Repercussions
PHI data breaches are growing in frequency and in magnitude with huge financial, legal/regulatory, operational, clinical, and reputational repercussions on the breached organization. The report provides CISOs, CIOs, IT security, privacy, and compliance personnel with information to help them better understand the potential risks and liabilities resulting from data breaches.

The 5-Step Method to Estimate Breach Costs and Needed Investments in PHI Security
Health care organizations reading this report can take immediate action using PHIve – the PHI Value Estimator – a 5-step method for assessing security risks and evaluating the “at risk” value of an organization’s PHI. This tool estimates overall potential data breach costs, and provides a methodology for determining an appropriate level of investment needed to strengthen privacy and security programs and reduce the probability of a breach occurrence.

“No organization can afford to ignore the potential consequences of a data breach,” said Rick Kam, president and co-founder of ID Experts, and chair of the PHI Project. “We assembled this working group to drive a meaningful dialogue on appropriate levels of investment to better protect healthcare organizations and PHI.”

“Health care is one of the most-breached industries,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Health care providers and supporting organizations don’t currently have sufficient security and privacy budgets, including adequate processes and resources, to protect sensitive patient data. This report will help them understand what they need to do to augment their efforts.”

Report Launch Events on March 5 and Free Webinar on March 21
Leaders from the PHI Project will host events on Monday, March 5, 2012, for Congressional representatives, staff, and the press to present the report and its findings. The first event will be held at the National Press Club in Washington, DC, at 10:00 a.m. ET. White House cybersecurity coordinator Howard A. Schmidt has been invited to open the press conference. The second event will be held on Capitol Hill in Rayburn B-340, at 12:30 p.m. ET. A free webinar with the authors will be held on Wednesday, March 21, 2012, at 2:00 p.m. ET to discuss details of the report and walk through immediate actions organizations can take. To register, please visit

Bringing Together a Cross-Section of Experts
The PHI Project brings together experts from across the industry: including health care providers, payers and insurers, other health care services organizations, data breach prevention and recovery firms, legal experts on privacy and security, and others, providing a range of perspectives. The initiative was made possible through the generous support of the following organizations: Clearwater Compliance LLC and DriveSavers Data Recovery, Inc. (premium sponsors); Affinion Security Center; Alvarez & Marsal; BKD, LLP; Booz Allen Hamilton; The Center for Identity Management and Information Protection at Utica College; Deluxe Corporation; Direct Computer Resources, Inc.; Europ Assistance USA; ID Experts; ManageEngine, a division of Zoho Corp; and Terra Verde Services (partner sponsors).

About ANSI
The American National Standards Institute (ANSI) is a private non-profit organization whose mission is to enhance U.S. global competitiveness and the American quality of life by promoting, facilitating, and safeguarding the integrity of the voluntary standardization and conformity assessment system. The ANSI Identity Theft Prevention and Identity Management Standards Panel (IDSP) is a cross-sector coordinating body that facilitates the timely development, promulgation, and use of voluntary consensus standards and guidelines that will equip and assist the private sector, government, and consumers in minimizing the scope and scale of identity theft and fraud.

About the Shared Assessments Program
The Shared Assessments Program was created by leading financial institutions, the Big Four accounting firms, and key service providers to inject standardization, consistency, speed, efficiency, and cost savings into the service provider assessment process. Through membership and use of theShared Assessments tools (the Agreed Upon Procedures and the Standardized Information Gathering questionnaire), Shared Assessments offers outsourcers and their service providers a faster, more efficient, and less costly means of conducting rigorous assessments of controls for security, privacy, and business continuity. The Shared Assessments Program is managed by The Santa Fe Group, a strategic consulting company based in Santa Fe, New Mexico.

About the Internet Security Alliance (ISA)
The Internet Security Alliance is a multi-sector trade association established in collaboration with Carnegie Mellon University in 2000. ISA’s mission is to combine advanced technology with the pragmatic business needs of its members and help create effective public policy leading to a sustainable system of worldwide cybersecurity. ISA advocates a modernized social contract between industry and government creating market-based incentives to motivate enhanced security of cyber systems. ISA provides its members with a range of technical, business, and public policy services to assist them in fulfilling their mission.

March 28, 2011 – Testimony from the U.S. General Accounting Office (GAO) released on March 16 found that:

  • Pervasive and sustained cyber attacks “pose a potentially devastating impact on federal and
  • nonfederal systems and operations.”
  • Threats to critical federal infrastructure are “evolving and growing”.
  • Over the past 5 years, the number of security incidents experienced by federal agencies has increased 650%.
  • The Administration and Executive Branch have not yet fully implemented measures to address the threats.
  • Most of the 24 federal agencies had security weaknesses in five key control categories and serious and widespread information security control weaknesses were a government-wide material weakness.

Read the full report.

September 10, 2010 – HIPAA HITECH APsaA comments

October 23, 2009 - APsaA comments on Breach Notification for Unsecured Published Information regarding the HITECH Act.

Click here to read the letter.

July 31, 2009 - APsaA signs letter to Senators Henry Waxman and Joe Barton asking them to make sure that a patient's right to pay privately for health care services remains intact in the America's Afforable Health Choices Act.

Click here to read the letter.

July 28, 2009 - APsaA signs letter by the National Council on Problem Gambling in support of H.R. 2906, the Comprehensive Problem Gambling Act.

Click here to read the letter.

December 15, 2008 – Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?

November 19, 2008 - A letter prepared by APsaA's legislative counsel James C. Pyles on the protection of electronif healthcare information states that the privacy arguments and analyses APsaA has been developing are having an effect.

Click here to read the letter.

October 29, 2007 - APsaA supports Mental Health Liaison Group letter to Senator Harking and Representative Obey which strongly urges them to reconcile a conference report of the FY 2008 Labor-HHSEducation Appropriations bill (HR 3043) that includes the higher Senate-passed funding levels for mental health services, supports and research.

Click here to read the letter.

July, 18 2007 - On July 18, the House Education and Labor Committee voted 33 to 9 in support of H.R. 1424, The Paul Wellstone Mental Health and Addiction Equity Act of 2007. The bill, introduced by Congressmen Patrick J. Kennedy (D-RI) and Jim Ramstad (R-MN), has bipartisan support of the majority of House Members with 268 cosponsors.

Click here for more information.

July 17, 2007 - APsaA signs Mental Health Liaison Group letter to Senate Majority Leader Read and Senate Minority Leader McConell expressing concern about the need for privacy and security of individual health records as the development of a national interoperable health information technology (HIT) infrastructure moves forward.

Click here to read the letter.

June 22, 2007 - In a letter to Chairman Kennedy and Senator Enzi of the Senate Health, Education,Labor & Pensions Committee, APsaA expresses concerns about the lack of protection of patient's right to health information privacy in the Wired for Health Care Information Act.

Click here to read the letter.

June 2007 - APsaA opposes the Wired for Health Care Quality Act and provides talking points in an effort to prevent the bill from passing.

Click here for more information.

November, 2007 - APsaA's comments on Enhanced Protections for Uses of Health Data: a Stewardship Framework for "Secondary Uses" of Electronically Collected and Transmitted Health Data.

Click here to read the document.

March 2007 - APsaA weighs in on the data security breach at WellPoint, one of the nation's largest health insurers.

Click here for more information.

February 14, 2007 - APsaA, along with 96 other organizations, supports the Mental Health Parity Act of 2007.

Click here for more information.

Earlier efforts

Click here for a summary of APsaA's 2006 legislative achievements.