Does Government Surveillance Pose a Threat to PHI?
By Lisa A. Eramo
For The Record
Vol. 25 No. 15 P. 18
Recent actions by the National Security Agency have raised concerns about the safety of patient records.
When news broke that the US government planned to collect millions of phone records pursuant to a top-secret court order, public outcry was loud and clear.
The court order, issued in April, required Verizon to turn over phone metadata for a three-month period ending on July 19 to the National Security Agency (NSA). The metadata applied to all calls made within the United States as well as from the United States to abroad. It included session-identifying information such as originating and terminating number, the duration of each call, telephone calling card numbers, trunk identifiers, International Mobile Subscriber Identity numbers, and comprehensive communication routing information. Metadata do not include the actual content of the calls, though. Verizon was required to turn over all records for this time period regardless of whether the NSA suspected suspicious activity.
The Center for Constitutional Rights, a nonprofit legal and educational organization committed to the creative use of law as a positive force for social change, said in a press release that the court order is “the broadest surveillance order to ever have been issued: it requires no level of suspicion and applies to all Verizon subscribers anywhere in the U.S. It also contains a gag order prohibiting Verizon from disclosing information about the order to anyone other than their counsel.”
In the wake of increased government surveillance to protect public safety, many HIM professionals are left wondering what can be done to protect patient privacy. Does the Verizon court order pose a particular threat to protected health information (PHI)? If so, how? What, if anything, can HIM professionals do to protect patient data and educate consumers?
The Sanctity of Privacy
“When it comes to terrorism, most people would agree that the government should see some information to protect us,” says Deborah C. Peel, MD, president of Patient Privacy Rights. “The question is what. What should they see? Should they see everyone’s phone records? Is that really necessary? Our government has currently undertaken the broadest and most intrusive digital surveillance of any nation in the Western world. Europeans and the world’s other democracies don’t permit the collection of personal data about citizens without consent.”
Peel founded Patient Privacy Rights in 2004 after she began working as a psychiatrist in the late 1970s. “I learned from my patients that they would not come for treatment or take medications they needed if their personal information didn’t stay private,” she recalls. “It’s a disaster when people avoid health care because the system violates their privacy.”
Experts agree that even metadata from phone conversations can be revealing, particularly when it relates to personal health care and the health services that someone may be receiving. “What you have here is the ability to know who the person has called,” says Twila Brase, RN, president and cofounder of the Citizens’ Council for Health Freedom. “Whomever you have called, it says something. It says something that you may not want other people to know.”
For example, if a phone record indicates that an individual repeatedly calls a cancer institute, you might surmise that the individual or someone he or she knows has cancer. If an individual calls a mental health clinic, you might surmise that he or she has a mental illness. The same could be said for just about any diagnosis or treatment.
If improperly accessed or breached, this information can damage reputations or be used to exploit vulnerabilities, Peel says. With cancer diagnoses in particular, individuals may feel the need to try to hide the information from their employer. “They know that if the head of their department knows that they have a disease that requires a lot of treatment, they might not get the next plum assignment or a promotion,” she says. “Knowledge about your health can affect how people treat you.”
Real or perceived privacy violations can have other implications as well. “When decisions about disclosing health information are made for us by hospital systems and institutions, then people end up doing things that are terrible for their health, like avoiding treatment altogether, delaying it, or lying about diagnoses, family history, or medications,” Peel says, adding that millions of patients are unwilling to participate in health care systems that don’t protect them or their information.
Are phone metadata considered PHI? Not exactly, says Brian Dean, CIPP, audit and compliance manager at SecureState, an information security consulting firm. Only data originating from a covered entity or one of its business associates are considered PHI and subject to HIPAA. For example, metadata about a call that a physician places to another physician for consultation are considered PHI because they originate with a physician (i.e., a covered entity), he says.
“By definition, if health information comes from a covered entity and is personally identifiable, then it is [PHI],” Dean says. “How meaningful is it? That’s always a tough question. There are a lot of correlation algorithms that can take seemingly disparate data and make meaningful use of it.”
Even without the algorithms, data easily can be linked to individual identities. Latanya Sweeney, PhD, director and founder of the Data Privacy Lab at Harvard University, found that few characteristics are needed to uniquely identify a person. Her research led her to discover that 87% of the US population could be uniquely identified by their five-digit zip code, gender, and date of birth alone.
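As an added illustration (not part of the original article), the following Python example measures what share of rows in a data set are singled out by the zip code, gender, and date of birth combination, and how coarsening those fields before release lowers that share. The records, field names, and generalization rule are constructed assumptions.

```python
from collections import Counter

# Quasi-identifiers named in the paragraph above.
QUASI_IDENTIFIERS = ("zip", "gender", "dob")

# Constructed sample rows (not real patients); "dx" stands in for a sensitive field.
RECORDS = [
    {"zip": "02139", "gender": "F", "dob": "1961-07-14", "dx": "A"},
    {"zip": "02139", "gender": "F", "dob": "1961-03-02", "dx": "B"},
    {"zip": "02138", "gender": "F", "dob": "1961-11-30", "dx": "C"},
    {"zip": "02139", "gender": "M", "dob": "1975-01-09", "dx": "A"},
    {"zip": "02134", "gender": "M", "dob": "1975-06-21", "dx": "D"},
    {"zip": "02139", "gender": "M", "dob": "1975-01-09", "dx": "B"},
]

def group_sizes(records, keys=QUASI_IDENTIFIERS):
    """Count how many rows share each quasi-identifier combination."""
    return Counter(tuple(r[k] for k in keys) for r in records)

def unique_fraction(records, keys=QUASI_IDENTIFIERS):
    """Share of rows whose combination appears exactly once (singled out)."""
    sizes = group_sizes(records, keys)
    alone = sum(1 for r in records if sizes[tuple(r[k] for k in keys)] == 1)
    return alone / len(records)

def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Smallest group size; k = 1 means at least one row is unique."""
    return min(group_sizes(records, keys).values())

def generalize(record):
    """Coarsen fields before release: 3-digit zip prefix, birth year only."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["dob"] = record["dob"][:4]
    return out

if __name__ == "__main__":
    coarse = [generalize(r) for r in RECORDS]
    for label, rows in (("raw", RECORDS), ("generalized", coarse)):
        print(f"{label}: unique={unique_fraction(rows):.0%} k={k_anonymity(rows)}")
```
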
Brase says collecting phone call metadata allows the government to easily and efficiently pursue people of interest, including potential terrorist suspects. “If a person of interest lives in a major city, which clinic are they going to and how will you figure that out especially if they use cash?” she says. Tracking metadata allows the NSA to surmise potential providers from whom this individual may receive care and then approach those providers to access information.
But most patients aren’t terrorists, nor do they pose a threat to society. Still, the reality is that if patients choose to participate in today’s health care system in any form, they have no power to control the collection of personal health data. As Big Data concepts gain a foothold in the health care marketplace, massive data collection is only going to be encouraged more. “When you have data on someone, it’s a piece of power. It’s a threat that hangs there,” Brase says. “The majority of people don’t understand the amount of surveillance they’re under in the health care system.”
Does the NSA care enough about patient data to mine them? That remains to be seen, says Richard L. Kam, CIPP, president and cofounder of ID Experts. The bigger concern is what happens if data are breached.
Kam recalls a 2011 data breach that exposed the health information of as many as 4.9 million TRICARE patients. The incident garnered headlines, but one important aspect flew under the radar. “What the bigger concern was—and what really didn’t come out in the news—was that the data in that data set included vaccinations and other medical services that veterans received,” Kam says. “So if you’re someone who wanted to do something bad to the United States—and you knew what diseases our veterans were vaccinated against—it becomes a national safety issue.”
According to Peel, government surveillance in general is more problematic than the Verizon court order. “Consumers need to be informed not just about the metadata about phones that’s getting collected but about the fact that the entire US health IT system was built for surveillance—hidden, snooping, and use of all of our health information, from DNA to diagnoses to prescription records, without our consent,” she says. “We can’t even evaluate the risks and harms because we don’t know all the places where our health information flows, who is using it, or why.”
Dean agrees: “Everybody has the concern because here’s big government grabbing lots of data and doing surveillance, but they’re doing it covertly.”
Experts agree that the Verizon court order raises several questions that may have HIM implications and advise HIM professionals to pay attention to the situation. For example, because Verizon and the NSA are not considered covered entities, to which—if any—breach requirements would they be subject if a data breach occurred?
Most agencies perform risk assessments to determine when breach notification is necessary, Kam says. “They’re doing the right thing in many cases, but will the NSA notify if it has a breach? I’m not sure,” he says.
Another question is how the NSA is using the information. Although HIPAA allows for broad disclosures of health information without consent or specific notice for law enforcement and public safety purposes, Dean says there is no guarantee that the government isn’t using the information for other reasons as well. “Without some watch guard organization looking to see what they’re doing, who’s to say that they’re not doing other things with the data?” he asks. “You could start to take a lot of data, put it together, and really piece together what we as US citizens do.”
Brase says these questions are unsettling, particularly when physicians and patients increasingly are using smartphones to download information and access EMRs. As a result, HIM professionals must be aware of the risks.
How HIM Professionals Can Help
Hospitals certainly can’t circumvent court orders, but they can take steps to ensure data protection for routine collection and use. First, ensure that all data, including metadata, in the EMR are encrypted, Dean says.
The court order also should remind providers to revisit data collection and retention strategies. “If you don’t need it, don’t collect it,” says Dean, who also suggests that hospitals abide by retention cycles and try to dispose of unnecessary information.
With health care data scattered, management becomes more difficult. “There are so many databases that contain health information. We don’t know where they are or who has them,” Peel says. “Our best guess is that there’s hundreds or thousands of places where data is held.”
She says HIM can take steps to understand the bigger implications of data flow and access into and out of the EMR. Learning about HIPAA exceptions and the potential implications of government and corporate access to health care data allows HIM professionals to become patient advocates. “There are many heroes at all levels of companies and institutions,” she says. “They can have a real effect on what a hospital, clinic, or data exchange does.”
Patient education is crucial. Dean says HIM professionals should educate patients about how to protect health data in general regardless of whether that information originates from the facility itself. “It’s the right thing to do for your patients,” he says. “You build that loyalty and trust, and they’re more likely to stay with you.”
Kam agrees, stating that consumers must understand that any device they use—including their phones—potentially is subject to data tracking and surveillance. Providers should remind patients of this and make sure they understand the implications if those data are released, he adds.
Let patients know that the NSA may have access to their phone records, including access to any calls placed to or from a provider, Brase says. “In that way, it could start to push Congress to make changes in what NSA or Verizon can do,” she says. “Until the public rises up, Congress won’t do anything.”
HIM should advocate for patients to fully understand the implications of data exchange across platforms, Peel says. “Patients should be informed that the risks and harms of data exchange are unknown because there is no chain of custody for protected health information,” she notes. “Neither patients nor covered entities can obtain a complete list of all the subcontractors of business associates or a list of their subcontractors’ subcontractors, etc.”
Peel says the outrage over the court order may serve as a wake-up call for consumers to begin questioning what entities have access to their health information and why. “Maybe this will be the tipping point where people learn about the complete destruction to their rights to control personal information,” she says.
— Lisa A. Eramo is a freelance writer and editor in Cranston, Rhode Island, who specializes in HIM, medical coding, and health care regulatory topics.
Editor’s Note: To view the Verizon court order originally obtained and published by The Guardian, visit www.theguardian.com/world/interactive/2013/jun/06/verizon-telephone-data-court-order.