ObamaCare and Health Record Privacy

The other day, I sent the following alert (between the two sets of five dashes a bit further down the page) to our Privacy and Security list. While some of you may have seen it there, I want to share it again for a very specific reason.

The reason is because I got flooded – deluged – with email comments about ObamaCare and the loss of privacy when it comes to our health records. Overwhelmingly, the folks who wrote me did so to let me know how upset they are with the federal government’s plan to share our records with so many government agencies.

In fact, out of all the email I received, only one individual felt the need to defend the government and to tell me I am wrong because the data that will be shared will not be able to be tracked back to specific citizens.

Friends, I do make mistakes from time to time. But this is not one of those times. I work very hard to be sure that the information I send you is accurate and that the conclusions I draw are based on facts – not conjecture or speculation.

So today I want to empower you with even more information about the reality that your health records are going to be shared between dozens of federal agencies and if the government decides to track a record back to you it can.

So first read the original alert I authored (between the two sets of five dashes) and then I’ll add some additional information after the second set of dashes.

—–

35 Agencies Will Get Your Health Records

As many of us feared and predicted about ObamaCare, it is true that your health records will be shared near and far when it comes to the federal government.

And of course the feds don’t want you to notice the latest news, so they’ve released it during the holiday season when folks have less time to pay attention to the news as they’re shopping for gifts and finishing end of year projects at work.

But you need to know this, so here it is.

The report you need to read, “Feds Plan for 35 Agencies to Help Collect, Share, Use Electronic Health Info,” is from The Weekly Standard.

While I encourage you to read the report, here are the most important details.

“This week, the Department of Health and Human Services (HHS) announced the release of the Federal Health IT Strategic Plan 2015-2020, which details the efforts of some 35 departments and agencies of the federal government and their roles in the plan to ‘advance the collection, sharing, and use of electronic health information to improve health care, individual and community health, and research.’”

What departments and agencies?

Check out this list:

• Administration for Children & Families
• Administration for Community Living
• Agency for Healthcare Research and Quality
• Centers for Disease Control and Prevention
• Centers for Medicare & Medicaid Services
• Department of Agriculture
• Department of Defense
• Department of Education
• Department of Justice and Bureau of Prisons
• Department of Labor
• Department of Veteran Affairs
• Federal Communications Commission
• Federal Health Architecture
• Federal Trade Commission
• Food and Drug Administration
• Health Resources and Services Administration
• HHS Assistant Secretary for Financial Resources
• HHS (Health and Human Services) Assistant Secretary for Health
• HHS Assistant Secretary for Legislation
• HHS Assistant Secretary for Planning and Evaluation
• HHS Assistant Secretary for Preparedness and Response
• HHS Office of the National Coordinator for Health Information Technology
• HHS Office for Civil Rights
• HHS Office of the Chief Information Officer
• HHS Office of the Chief Technology Officer
• HHS Office of the General Counsel
• HHS Office of Minority Health
• HHS Office of the Secretary
• Indian Health Services
• National Aeronautics and Space Administration
• National Institutes of Health
• National Institute of Standards and Technology
• National Science Foundation
• Networking and Information Technology Research and Development
• Office of Personnel Management
• Social Security Administration
• Substance Abuse and Mental Health Services Administration

By the way, The Weekly Standard counts 35 departments and agencies. I count 37 on the list.

But hey, any way you look at it, that’s an awful lots of federal agencies and federal employees who will have access to your health records.

I suspect this confirms what many of you knew would be one of the realities of ObamaCare, but there it is in black and white.

And, I suspect this is just the beginning.

As an information security expert, I can tell you that there is no way – NO WAY – that the feds will be able to keep your health records secure with that many federal agencies having some type of access.

The only questions are:

Should ObamaCare be repealed?

Can ObamaCare be repealed?

Let me know your thoughts by emailing me at [email protected]

Be safe, secure and free!

Rob Douglas – Former Washington DC Private Detective

—–

OK. That was the original alert I sent to tens of thousands of good citizens like you.

And, as I mentioned, I received a huge amount of email in response from folks who are upset about the way the federal government is sharing our health records.

Still, I received an email from a gentleman who felt I was being “alarmist” because he’s been part of a university study for an extended period of time and they anonymize his records by labeling them with a code instead of his name. Therefore, he (and, in truth, many other unwitting citizens) is comfortable with his data being shared as long as it doesn’t go beyond identifying him with demographic data like age, sex, race, city and state.

In short, he clearly believes his health and medical record can be used for scientific study and his privacy preserved because he has been “deidentified.”

But, as we should all know as free-thinking adults, there is what can be done and what is actually being done.

So yes, in theory, a law could be passed and a system could be designed that would prevent the government from identifying you from the health records they are going to collect under the authority of Obamacare.

Those records could be anonymized and deidentified.

But is that the current state of the law? Will it be impossible for a federal agency or employee or agent to know who a specific health record belongs to?

I think not.

I believe the government will remain able – both legally and procedurally – to identify the individual citizen who is associated with a so-called anonymized or deidentified health record.

But don’t base your assessment on my thoughts and beliefs.

Instead, let’s look at an article that specifically addresses the question and the underlying work of those who fight the government over privacy issues every day.

The article, “38 Government Agencies to Collect, Share American’s Electronic Health Records,” was published this week by Network World. While the article says much of what I said in my original alert about this topic, at the end it adds a reference to a report co-written by Jim Dempsey from the Center for Democracy and Technology – a private organization that fights the government over privacy issues.

[As an aside, I know Dempsey personally and have testified about privacy issues alongside him before Congress on more than one occasion. Jim is one of the strongest advocates for individual freedom and privacy in the U.S. and has been fighting the good fight for many, many years.]

That report, “Privacy as an Enabler, Not an Impediment: Building Trust into Health Information Exchange,” examines many public and private policy and legal issues that impede our ability as citizens to keep our health and medical records private.

Among those issues is a key section that is relevant to the issue of so-called anonymized and deidentified health records now that so many government agencies and employees will have access to our health records.

The section is titled, appropriately enough, “Deidentification,” and states:

“HIPAA’s (the federal healthcare privacy law) protections do not extend to “deidentified” health information. Thus, coveredentities may provide deidentified data to third parties for uses such as research and business intelligence without regard to HIPAA. In turn, these entities may use these data as they wish, subject only to the terms of any applicable contractual provisions (or state laws that might apply). If a third party then reidentifies these data—for example, by using information in its possession or available in a public database—the reidentified personal health information would not be subject to HIPAA. It could be used for any purpose unless the entity holding the reidentified data was a covered entity.” [emphasis added]

And then this:

“A number of researchers have documented how easy it is to reidentify deidentified data. The U.S. Department of Health and Human Services (HHS) should revisit the current deidentification standard in the Privacy Rule (in particular, the so-called safe harbor that deems data to be deidentified if they are stripped of particular data points), to ensure that it continues to present minimal risk of reidentification. At the same time, HHS and Congress should work together to ensure that recipients of these anonymized data are accountable if the information is reidentified.” [emphasis added]

Bottom line: While the federal government may state that our health records will be “deidentified” from us as individuals, it is a well-known and documented fact that it is “easy” to “reidentify” “deidentified data.”

In short, the federal government will have the ability to track medical data back to a specific individual and it appears that currently it would not be illegal under HIPPA if that happens.

OK, I apologize for the length of this week’s advisory. But, I always want you to have the information you need to combat those who spread false information.

In this case, anyone who says the more than three dozen federal agencies that will have access to American’s health records will not be able to identify individual citizens from those records because of anonymizing and deidentification procedures is incorrect.

It has been proven that deidentified records can easily be reidentified.

Feel free to share your comments and thoughts with me at[email protected]

Be safe, secure and free!

Rob Douglas – Former Washington DC Private Detective

PS – While I focused today on the reality that deidentified records can easily be reidentified, if you review the rest of “Privacy as an Enabler, Not an Impediment: Building Trust into Health Information Exchange,” you’ll see that there are many other legitimate and documentable concerns when it comes to the privacy and security of our health records now that they are being digitalized and shared.