Friday, September 8, 2017

Think Your Medical Records Are Private? Think Again After New Law Comes Into Effect

Image may contain: 1 person

When I arrived at UC Health for my prostate cryosurgery treatment on June 20th, one of the first questions asked was 'Would you be interested in allowing us to take DNA for medical research?'   Now, as much as I am foursquare for medical research, and want it to advance as far as possible, I am not willing to just willy-nilly hand out my DNA. But on reading of the emergence of new legislation concerning patient privacy rights in the WSJ a week ago, I am not at all sure it matters any more.

The article by Twila Brase ('Congress Has Exposed Patients' DNA To Prying Eyes') ought to make any reasonable person's skin crawl at the level of intrusion into citizens' lives. The particular law in question is The 21st Century Cures Act which "was hailed as the biggest healthcare reform since Obamcare".

Why is this?

We are informed that this legislation, passed by "unanimous consent" by both houses of congress last December (interesting the big legislative moves BOTH parties can agree on!)  increased the budget of the National Institutes of Health. It also "designated $3 billion for cancer research" - always a good thing - and "set $500 million alone for 2017 to address the opioid crisis". Again, so far, so good.

But before we go further, it's important to reference an earlier law which in many ways opened the doors to the excesses of the one under consideration. That is the Health Insurance Portability and Accountability Act of 1996.  That particular law from 21 years ago "allowed government funded researchers to collect and even share patients' medical and genetic information without their consent."

Yes, you read that correctly.

The 21st Century Cures Act  goes further by putatively creating an "information commons", i.e. a government regulated pool of data accessible to all health researchers, irrespective of background, training or motive. That means any half-cocked fool who slaps an "M.D." after his name, could conceivably snatch your medical data for god knows what purposes. It doesn't matter since the motive is immaterial.

As Ms. Brase writes, and with which I agree:

"Although speeding research is a noble goal, there's little evidence that patients are willing to sacrifice their privacy the way that the 21st Century Cures Act requires. A 2007 survey by the Institute of Medicine found that only 1 percent of Americans were willing to have their health information shared for research without their consent.  Yet the new law doesn't give patients in government funded research any method to opt out of data sharing."

Indeed, the author adds this new law "prohibits 'information blocking by health care providers."  That means the law essentially mandates that doctors and hospitals share data with government researchers.

What about precedents? Well, "federal courts have upheld forced data sharing because patients 'voluntarily' give personal health information to their doctors."  In fact, that is kind of cutting it close to the legal margins.  When a patient, like I've been with cancer, sees a doc - whether specialist or primary care- you are requested to sign forms pertaining to disclosure of your medical information for those that need to know. That doesn't mean we are giving carte blanche for every third party to know!  But that is how these courts have interpreted patients' signing of such forms. Think about that next time you're asked to sign one.

According to Ms. Brase:

"In theory, the data shared under the 21st Century Cures Act can't be traced back to individual people. It's stripped of direct identifiers like names, street addresses and Social Security numbers. But with big data virtually everything is traceable."

She then cites the case a few years ago when Harvard researchers examined about 600 anonymized profiles from a genome research project. The participants themselves had provided only odd pieces of information like sex, birth date and zip code. But the researchers were able to identify nearly half the subjects by name by comparing what they had against public records and voter data.

As Brase observes: "The same approach could work on medical records containing sensitive information about alcoholism, illegal drug use or sexual abuse."

If this 21st Century law was the only one to worry about, in terms of your medical record privacy, it would be bad enough. Especially as we learned yesterday of the massive data breach of Equifax and some 143 million credit records illegally accessed, including; addresses,  credit card and Social Security numbers. Make no mistake if n'er do wells can hack credit records they can get medical records as well.

Another law citizens need to watch out for is the 'Preserving Employee Wellness Programs Act' introduced in March by Rep. Virginia Foxx (R, NC)..  This law would give companies leverage to push genetic tests on their employees. Any one who tries to opt out would be subject to having their insurance premiums jacked up by as much as 50 percent. In other words, having a financial 'gun' pointed at their heads. 

With genetic test results at their disposal companies would then be free to cherry pick their employees, say avoiding hiring those at high risk of getting a serious illness like cancer or MS. Other workers already employed, if new tests disclose problems, could be given bad reviews or denied raises to either get them to quit or force their resignations.

Incredibly, while many have been obsessed with the NSA and its XKeyscore and MUSCULAR programs violating 4th amendment rights,  equally intrusive laws governing the health sector have been at work.  One is almost led to ask at this point why it is our congress critters can only unite in the spirit of bipartisanship to undermine citizens' privacy.

No comments: