Dissent, over at PHIPrivacy.net, posted a link to Hello GovernmentCare, Goodbye Personal Privacy by Warner Todd Huston today.  The subtitle to the piece is, “A vote for Obamacare is a vote to give away your personal, private medical information.” 

In addition to the increased risk of medical identity theft that the rush to government controlled health care and the mandate for electronic health records will bring as previously noted on this blog, there are significant privacy issues that are not currently being addressed sufficiently.  Huston’s piece examines a portion of that concern.  Here’s the start of the commentary:

Do you want your government to know that you have bowel troubles? Do you mind if the president can discover if you have erectile disfunction? Would you be out of sorts if your local Congressman could discover if you’d had an abortion? How about if your state comptroller’s office or your governor could discover if you’d had breast implants? Well, a vote for Obamacare is a vote to give away your personal, private, maybe embarrassing medical information.

Do you think this is a silly claim? Well, don’t. In the newly released Obamacare plan, section 3102 titled “Financial Integrity” makes provision for state and federal governments to be able to investigate any medical care provider at any time. This provision gives government the right to look at any record that a doctor has in his files and that means your private medical information. Worse, they may do so without court approval, without a warrant, with no cause stated.

Please read the full piece and think about the path this country is headed down when the government takes over health care.

The Federal Trade Commission announced that it has approved a Federal Register notice seeking public comment on a proposed rule that would require entities to notify consumers when the security of their electronic health information is breached.

The American Recovery and Reinvestment Act of 2009 (the Recovery Act) includes provisions to advance the use of health information technology and, at the same time, strengthen privacy and security protections for health information. Among other things, the Recovery Act recognizes that there are new types of Web-based entities that collect or handle consumers’ sensitive health information. Some of these entities offer personal health records, which consumers can use as an electronic, individually controlled repository for their medical information. Others provide online applications through which consumers can track and manage different kinds of information in their personal health records. For example, consumers can connect a device such as a pedometer to their computers and upload miles traveled, heart rate, and other data into their personal health records. These innovations have the potential to provide numerous benefits for consumers, which can only be realized if they have confidence that the security and confidentiality of their health information will be maintained.

To address these issues, the Recovery Act requires the Department of Health and Human Services to conduct a study and report, in consultation with the FTC, on potential privacy, security, and breach notification requirements for vendors of personal health records and related entities. This study and report must be completed by February 2010. In the interim, the Act requires the Commission to issue a temporary rule requiring these entities to notify consumers if the security of their health information is breached. The proposed rule the Commission is announcing today is the first step in implementing this requirement.

In keeping with the Recovery Act, the proposed rule requires vendors of personal health records and related entities to provide notice to consumers following a breach. The proposed rule also stipulates that if a service provider to one of these entities experiences a breach, it must notify the entity, which in turn must notify consumers of the breach. The proposed rule contains additional requirements governing the standard for what triggers the notice, as well as the timing, method, and content of notice. It also requires entities covered by the proposed rule to notify the FTC of any breaches. The FTC can then post information about the breaches on its Web site, and notify the Secretary of Health and Human Services.

The Commission vote approving issuance of the Federal Register notice was 4-0. The notice will be published in the Federal Register shortly, and is available now on the FTC’s Web site as a link to this press release. Public comments are being accepted through June 1, 2009, after which the Commission will issue a final interim rule. To file a public comment, please click on the following link: https://secure.commentworks.com//ftc-healthbreachnotification and follow the instructions at that site.

Text of the Federal Register Notice.

For more see the FTC’s web site.

Under his recently unveiled fiscal stimulus plan, President Obama seeks to invest up to US$20 Billion in federal funds to achieve widespread deployment of Electronic Medical Records (EMRs). A principal reason for his initiative is to improve our nation’s health care system by reducing long term costs and increasing effectiveness of our health outlays. So what exactly is an Electronic Medical Record and what does this new direction mean for security and privacy professionals?

See the full story at Computerworld.com.

The Institute for Health Freedom (IHF) is warning the public that the economic stimulus bill mandates the federal government to plan for each American to use “an” electronic health record (EHR) by 2014 — without opt-out or patient-consent provisions. This is a very serious breach of privacy and one I would hope will be overturned with time. Seems as though the government decided to not come up with a comprehensive plan but instead made sure that no matter what it is everyone will have to be a part of it. This would open up your complete medical records to over 600,000 healthcare providers, payment processors, and government health agencies without your consent. And no, HIPAA will not protect you from this. This kind of pervasive access to anyone’s health records screams of privacy and security concerns.

See the full report at NetworkWorld.com.

Your E-Health Records:

As part of the stimulus package, $20 billion will be pumped into the health care system to accelerate the use of electronic health records. The goal is both to improve the quality and lower the costs of care by replacing cumbersome paper records with electronic records that can be easily stored and swiftly transmitted.

The idea is sound, but it also raises important questions about how to ensure the privacy of patients. Fortunately, the legislation would impose sensible privacy protections despite attempts by business lobbyists to weaken the safeguards.

With paper records the opportunities for breaches are limited to over-the-shoulder glimpses or the occasional lost or stolen files. But when records are kept and transferred electronically, the potential for abuse can become as vast as the Internet.

See the full editorial at The New York Times.

DMX ‘Didn’t Mean to Commit Identity Fraud’:

Embattled rapper DMX “had no intention” of committing identity fraud after checking into an Arizona hospital under a false name last year. He simply wanted to avoid attracting more attention than necessary, according to a former manager.

The Party Up (Up In Here) star, whose real name is Earl Simmons, went to Scottsdale Mayo Clinic last April to receive treatment for pneumonia.

However, he was later charged with theft and taking the identity of another after using the alias Troy Jones and leaving before settling the $7,500 medical bill.

But his close pal and former road manager Mark ‘Po’ Dean, who accompanied DMX to the hospital and gave nurses the fake name, insists the crimes weren’t committed on purpose.

See the full report at 13wham.com.

Woman Sought for Medical Identity Theft:

Authorities are looking for a 27-year-old Milford woman who has been using another woman’s identity since June 2005 to obtain jobs and medical benefits.

Warrants have been issued for the arrest of Virdiana Hernandez, charging her with 45 counts of of identity theft and forgery, said Milford police spokesman Detective Dwight Young.

Hernandez may also be using the names of Katrina Casteel or Yurdiana Hernandez, Young said.

Milford police were recently contacted by a 29-year-old out-of-state woman saying the she had just discovered that Hernandez had been using her identity since 2005.

Hernandez, who is about 5′4″ tall, weighs about 150 pounds and has brown eyes and black hair, is known to frequent Milford, Millsboro and Georgetown.

See the full report at DelawareOnline.com.

HHS Must Lead Medical Identity Theft Fight:

Medical identity theft poses a serious challenge for providers, who are increasingly finding that both outsiders and employees may steal patients’ financial and insurance information. However, a new report suggests that providers shouldn’t try to handle the issue alone, and suggests that the federal government should lead these efforts instead.

The report, which was funded by HHS and prepared by Booz Allen Hamilton, argues that the federal government should take medical identity theft as seriously as the interoperability, governance and privacy/security issue concerns already on the table. After all, the authors note, medical identity theft poses not only financial risks to patients, but can also harm their health, as compromised records could contain inaccurate health information.

See the full report at: FierceHealthIT.

Hacker Breached Medical Records:

A 39-year-old man who hacked into a private computer and tampered with another person’s health records will spend 28 months in prison.

A federal jury convicted Bradley Reeves Forsythe, 53 Ducky Lane, on Sept. 5 of intentionally accessing a computer without authorization to cause damage.

Forsythe was sentenced Jan. 9 in U.S. District Court in Memphis. He is to serve 28 months in a federal prison, followed by two years of supervised release. He also was ordered to pay a special assessment of $100 and restitution totalling $2,175.04 to an insurance company and to Smothers’ Eye Clinic.

See the full report at StateGazette.com.

Report Raises Red Flag On Medical ID Theft:

Most everyone knows of someone who has been a victim of identity theft, whether through a stolen credit card or worse. But few people are aware of the risk and extent of medical identity theft, according to a new report commissioned by the U.S. Department of Health and Human Services (HHS).

The HHS report, which was published last week, is the third stage in the former Bush administration’s Identity Theft Task Force project and comes at a time when the new administration is calling for moving medical records online as part of an effort to lower healthcare costs. But with those cost efficiencies and conveniences come increased risk of hacked or stolen medical records, security experts say.

The HHS report says the government should spearhead medical ID theft prevention and awareness efforts (including policy), with a public-private task force that analyzes how financial identity theft cases are handled to see if what can be adapted for medical ID theft, which the report defines as the “misuse of an individual” personally identifiable information (PII), such as name, date of birth, social security number (SSN), or insurance policy number to obtain or bill for medical services or medical goods.”

The result: Medical records become inaccurate, victims lose money, the healthcare system loses money, and patient care could be compromised.

See the full story at Dark Reading.