Posted on 05/27/2016 11:59:49 AM PDT by MarchonDC09122009
Precision Medicine Initiative and Data Security | whitehouse.gov (05/25/2016 White house decree)
https://www.whitehouse.gov/blog/2016/05/25/precision-medicine-initiative-and-data-security?mkt_tok=eyJpIjoiTVRFNE1Ua3laRGRqTlRZMyIsInQiOiJ1R1VHbTk3M2o5NmhHSFQrOHNYdXZKakE4OW1tWTJlSUszSThzbnRnRkNlSGZjK2VCREJGWG5xemdyanpIQUdLU3pJSjBHYTdZd2hPUERUdmliaVBMZjA3SjNUYVY2WUt2Z1pTS0xXdTNqcz0ifQ%3D%3D
Precision Medicine Initiative and Data Security May 25, 2016 at 3:00 PM ET by Secretary Sylvia Mathews Burwell, Lisa O. Monaco Twitter Facebook Email Summary: Today, we are pleased to release the final Data Security Policy Principles and Framework (Security Framework) for President Obama’s Precision Medicine Initiative (PMI).
“We’re going to make sure that protecting patient privacy is built into our efforts from day one.” - President Barack Obama, January 30th 2015
The health care system of the future is taking shape right now, and the foundation of that new system is health care data that is private, trusted and secure. Today, we are pleased to release the final Data Security Policy Principles and Framework (Security Framework) for President Obama’s Precision Medicine Initiative (PMI). The types, breadth, and sensitivity of the personal health, genetic, and environmental information that may be part of a precision medicine-type activity warrants careful attention and protection. Therefore, the Security Framework (modeled on the Administration’s Cybersecurity Framework) establishes security expectations for organizations who participate in PMI and provides a risk management approach to achieving those principles. To ensure that we are leading by example, Federal PMI agencies have committed to integrate the framework throughout all PMI activities.
On January 30, 2015, President Obama launched PMI to enable a new era of medicine – one where doctors and clinicians are empowered to tailor their treatments to their patients’ needs, and patients can get individualized care. With new advances in medical research, our health care system can deliver the right treatment to the right patient at the right time, taking into account an individual’s health history, genetics, environment, and lifestyle.
Since the launch of the initiative, researchers, technologists, and potential participants have shared their excitement for this vision. At the PMI Summit in February, the Administration announced over 40 major commitments from the private sector that will advance precision medicine, including commitments from seven major electronic health record (EHR) vendors to implement technology that allows patients to easily send their EHR data to the PMI cohort.
Our greatest asset in PMI is the data that participants contribute, and we want to make sure participants know that their data is protected. The Security Framework we are releasing today builds on the existing PMI Privacy and Trust Principles and ensures we put the security of participants’ information first.
We recognize that there is no “one-size-fits-all” approach to managing data security. This is why the Security Framework, which builds on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, is designed to be adaptable and responsive to the needs of multiple participating PMI groups, providing a broad framework for protecting participants’ data. Additionally, the Security Framework emphasizes transparency with participants, the public, and with other precision medicine organizations so that groups can learn from each other’s experiences and challenges. Organizations can use the framework to develop detailed implementation guidelines that address their specific data security needs. With this flexibility, we can make use of rapid evolutions in medicine, research and technology while still protecting participants’ information.
Finally, we are committed to helping organizations develop these tailored requirements. The Office of the National Coordinator for Health Information Technology and the Office for Civil Rights, in partnership with NIST, other Federal partners, and a broad set of stakeholders, will release a precision medicine-specific guide to the NIST Cybersecurity Framework by December 2016.
Today, our health care system is standing on the verge of unprecedented breakthroughs in the way we care for patients and treat disease. Thanks to President Obama’s Precision Medicine Initiative, we have a greater opportunity to make those breakthroughs a reality. And by protecting the health care data that powers those breakthroughs, we can make sure that every American is healthier and their health care data is secure.
Just learned about this.
Attorneys and data privacy policy analysts at IAPP, EPIC and EFF are assessing impact and issues.
On the surface this appears to establish guidelines for data security framework.
However, as we've become all too aware of previously, virtually everything this administration does and says, is far from the truth and stated intent.
Stay tuned.
Decree....now they are saying these are law?
Up until now all medicine as been imprecise, but now that the government is running the show it is suddenly precise!
I used to write ad copy. “Precision” is just a term of art, and when used in the context of government, oxymoronic.
Health privacy analysis:
This privacy framework appears to be an Opposite-of-its-name Trojan Horse from the White house and good for nothing collaborating legislators.
This finding report was released a week before the 05/25/16 Whitehouse privacy framework.
Attorney’s and policy analysts are still combing thru the latest document.
Key concerns, below.
Big ones**:
“the Privacy Act’s disclosure provisions allow agencies considerable authority to disclose records subject to the Act and to define new categories of disclosures at any time through new rules.
**In particular, the Act allows many types of disclosure to foreign, national, state, and local law enforcement agencies with few procedural prerequisites. **
We do not yet know what disclosure authority will apply to PMI records or even if they are subject to the Privacy Act. (See Appendix C.)
**Patients who share their health records and biospecimens with the PMI could lose the ability to claim a physician-patient privilege in unrelated judicial proceedings.”
New WPF Report – The Precision Medicine Initiative and Privacy: Will Any Legal Protections Apply? | World Privacy Forum
World Privacy Forum
Hot Topics
Medical Identity Theft
Health Privacy
Biometrics
Mobile Privacy
Patient’s Guide to HIPAA
Congressional Testimony
New WPF Report – The Precision Medicine Initiative and Privacy: Will Any Legal Protections Apply?
PMI_cover_02_hi-res
The report, The Precision Medicine Initative and Privacy: Will Any Legal Protections Apply? was published May 18, 2016.
Report Authors: Robert Gellman and Pam Dixon.
You are at the report main page, where you can download the report in PDF format.
Report Links:
Download Full Report (PDF, 27 pages).
Read the Report Brief Summary, Findings, and Recommendations, below
—-
Brief Summary of Report
This report reviews privacy law applicable to the Precision Medicine Initiative (PMI), and the large medical information and biospecimen database at its center. Precision medicine approaches to disease seek to incorporate individual variability in genes, environment, and lifestyle in research to eventually reach the goal of maximizing treatment effectiveness for individuals. The PMI will include a robust genetic research component. The HIPAA health privacy rule and its protections for individuals will not apply to PMI research activities. Other privacy laws may apply, such as the Privacy Act of 1974, but there is uncertainty regarding if or how this and other laws apply. The PMI offers a set of privacy guidelines, but the guidelines lack detail and fail to address underlying legal requirements and protections.
The key privacy concerns raised by the PMI are the lack of applicable law to govern its collection and use of individuals’ health data, the potential waiver of the patient-physician legal privilege that can shield data from disclosure through litigation, and the possibility of law enforcement access to patient records held in the PMI. Before it launches, the PMI needs to clarify the legal and administrative privacy protections that apply to its activities. People who volunteer their medical data and biospecimens must be told what specific legal protections apply and do not apply.
About the Authors
Robert Gellman is a privacy and information policy consultant in Washington DC. (www.bobgellman.com.) He has written extensively on health, de-identification, Fair Information Practices, and other privacy topics. Pam Dixon is the founder and Executive Director of the World Privacy Forum. She is the author of eight books, hundreds of articles, and numerous privacy studies, including her landmark Medical Identity Theft study. She has testified before Congress on consumer privacy issues as well as before federal agencies. Dixon and Gellman’s writing collaborations include the seminal report on predictive algorithms, The Scoring of America, and numerous well-regarded privacy-focused research, articles, and policy analyses. They co-authored a reference book on privacy, Online Privacy: A Reference Handbook, (ABC-CLIO 2011) and most recently a chapter on privacy regulation and law in Enforcing Privacy: Regulatory, Legal, and Technological Approaches, (Springer Nature, 2016.)
About the World Privacy Forum
The World Privacy Forum is a non-profit public interest research and consumer education group that focuses on the research and analysis of privacy-related issues. Founded in 2003, the Forum publishes significant privacy research and policy studies on health privacy, privacy self-regulation, financial privacy and identity issues, biometrics, and data broker privacy practices among other issues. www.worldprivacyforum.org.
Key Findings:
Medical record data and biospecimen data that consumers donate to the PMI are not covered by the core federal health privacy law while in the hands of the PMI. The health privacy rule issued under the authority of the Health Insurance Portability and Accountability Act (HIPAA) does not apply to the PMI and will not apply to most research activities conducted using information available from the PMI.
Consumers may have no formal legal right to obtain their own information from the PMI unless a US government agency administers the PMI, something that is not expected. The Privacy Act of 1974, which provides citizens with the ability to review data collected about them by a government agency, applies only if a federal agency operates the PMI. We do not yet know with certainty if a federal agency will operate any part of the PMI. However, if a federal agency operates the PMI, the Privacy Act’s disclosure provisions allow agencies considerable authority to disclose records subject to the Act and to define new categories of disclosures at any time through new rules. In particular, the Act allows many types of disclosure to foreign, national, state, and local law enforcement agencies with few procedural prerequisites. We do not yet know what disclosure authority will apply to PMI records or even if they are subject to the Privacy Act. (See Appendix C.)
Patients who share their health records and biospecimens with the PMI could lose the ability to claim a physician-patient privilege in unrelated judicial proceedings.
A limited amount of patient records shared with PMI may be protected from subsequent disclosure if 42 C.F.R. Part 2 (rules governing substance abuse records) applied to the records at their original source. If so, records disclosed to the PMI from health care providers subject to the substance abuse privacy rules would retain their confidentiality if disclosed to the PMI. This may be the only existing privacy law applicable to the PMI, although it would cover few of the health records in the PMI.
Certificates of confidentiality for research activities available through the Department of Health and Human Services may offer some legal protections for research records, but there are many uncertainties about the scope and value of the certificates. There are known limitations about the protections this would offer.
When volunteers enroll in the PMI, they donate a great deal of personal information in the form of medical records and biospecimens. However, cell phone data monitoring, social media monitoring, sensor monitoring and other real-time monitoring are under discussion. How the privacy of the real time systems will be handled is an unknown. Further administrative records about volunteers – as opposed to health information – may be extensive and presents their own privacy concerns. Administrative records may include contact information, identification numbers, employment and educational history, location data, and more.
Key Recommendations:
The PMI needs to detail its structure and organization with clarity so that the privacy protections or lack of privacy protections for its records can be assessed. The public needs to know what institutions will maintain information in the PMI and where they are located. The PMI must explain how privacy laws, if any, will apply to it. The privacy and security standards issued so far do not answer the questions about what legal protections will apply.
The PMI should not begin soliciting information or biospecimens from or about individuals until it clearly describes the applicable privacy protections. The description should include potential uses and disclosures of PMI information for law enforcement and national security purposes. The description of applicable privacy rules should cover health records, administrative records, and any real-time monitoring from mobile or other devices. Volunteers should be told expressly if HIPAA does not apply to the PMI.
The E-Government Act of 2002 requires federal agencies to conduct a Privacy Impact Assessment before they develop or procure information technology systems or projects that collect, maintain or disseminate information in identifiable form from or about members of the public.[1] We have not seen a PIA for the PMI. There is an immediate need for a PIA that includes an opportunity for public comment and debate.
If the Privacy Act of 1974 applies to PMI or any significant part of it, then the National Institutes of Health should publish a system of records notice and allow adequate time for public comment.
If the Privacy Act of 1974 does not apply to the PMI, then it is possible that no health privacy or other privacy law will apply to most data and biospecimens. As a result, patient data could be vulnerable to a host of unrelated public and private demands and activities. If so, then PMI may need its own privacy law in place before it starts.
Obama invents the lock for the file cabinet.
MSM is astonished no one ever thought of this....
This Whitehouse release only addresses data security*, Not data privacy.
Judging from the OPM military personnel data breach, and State Dept oversight of national security emails on Hillary’s private email server, we can all breath a sigh of relief. The gov’t has your back and assures our security.
Not.
The World Privacy Forum finding criticism still stands.
The way the PMI is written, every US gov’t agency as well as US and foreign law enforcement agencies will have access to your health data, and bio-medical genetic information.
You also lose expectations of physician-patient privacy.
Your personal Healthcare information is already bought, sold and shared among 8000+ Healthcare related organizations for “research” purposes.
Look at Harvard Medical’s: thedatamap.org to see the extent of who shares what about you in what’s become a Two Billion dollar healthcare data broker business.
BTW: you have No guarantee that your Healthcare data is anonymized.
Furthermore, Obola’s 09/15/2015 Behavioral Health Executive Order has created an interagency behavioral health database for all citizens.
Happy goldfish bowl.
my favourite example of “precision” is a weight scale that reads to 3 decimal places, but is way off actual weight.
As my dad would say: “precision without accuracy”.
Link for the *05/25/2016 Precision Medicine Initiative Data Security Executive Action:
http://go.wh.gov/SwrzZj
* this data security measure does not address serious privacy issues pertaining to the scope limitation for the collection, use and sharing of citizen personal healthcare data.
And related gov’t developments posing a threat to citizen privacy:
Sep 15, 2015 ... “Adopting the insights of behavioral science will help bring our ... The Executive Order directs Federal agencies to identify programs in which applying .... To assist individuals and families with obtaining health insurance, SBST ...
FACT SHEET: New Executive Actions to Reduce ... - The White House
https://www.whitehouse.gov/the-press-office/2016/01/0... Proxy Highlight
Jan 4, 2016 ... FACT SHEET: New Executive Actions to Reduce Gun Violence and Make ... Increase mental health treatment and reporting to the background check system. .... In order to improve public safety, we need to do more to ensure ...
FACT SHEET: President Obama Announces New Executive Actions ...
https://www.whitehouse.gov/the-press-office/2014/08/2... Proxy Highlight
Aug 26, 2014 ... The new mental health executive actions will fall under the following six categories: ... In addition, the White House announced that this fall it will host the ... goals set out in the “Principles of Excellence” (POE) Executive Order.
Fact Sheet: President Obama Signs Executive Order to Improve ...
https://www.whitehouse.gov/the-press-office/2012/08/3... Proxy Highlight
Aug 31, 2012 ... The White House ... Signs Executive Order to Improve Access to Mental Health Services for ... The Executive Order signed by President Obama
Brilliant analogy!
RE: “my favourite example of “precision” is a weight scale that reads to 3 decimal places, but is way off actual weight.
As my dad would say: “precision without accuracy”.
I fear this is just part 1 of a large number of memorial weekend news dumps....
I came across something similar. A colleague asked me which would be more accurate, a pH strip or a pH meter. I said a pH meter.
Thing is, pH strips are manufactured to do what they do while a pH meter depends on the quality of its calibration, which in the hands of the unskilled, can be way off.
He said something about the scientific calculators just coming on to the market as giving a false belief in providing greater results or being “inaccurate to eight decimal places.”
Your fears are justified based on Obola’s many previous underhanded deceptive tactics.
RE: “I fear this is just part 1 of a large number of memorial weekend news dumps...”
Politically self-serving boilerplate.
Reads like a Soviet proclamation.
Key factors
1) Government bureaucracy is slow. Technology is fast. Government bureaucracy will never be able to do anything but follow the leader and nip at its heels. .... Unless government goes for a police state on the tech side.
2) Government bureaucracy wants access to the personal data (PHI, PII) that security is intended to protect. Government bureaucracy does not see it as a double standard that they can view PHI, PII that they don’t think others should view.
3) As the government bureaucracy grows, the inefficiency of the IT shops that interface with the government grows. UHC, IBM, HP, etal will increase their costs and pass them along to CMS and other government agencies, including the many states that contract with state government for Medicaid, etc.
4) As Federal bureaucracy grows, State bureaucracy and overhead costs for Medicaid will grow.
Doctor Lysenko will run the show...
calculator disease is: correct answer to 8 decimal places, but order of magnitude wrong.
Precision agitprop.
“Precision medicine” sounds better than “less medicine”...
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.