EHIP

Electronic health information and privacy

UNC data breach exposes 163,000 SSNs

The University of North Carolina at Chapel Hill on Friday began notifying about 163,000 women about the potential compromise of their Social Security numbers and other personal information after a hacker breached a system containing the data.

The breached server belonged to the UNC School of Medicine and contained information that was collected as part of a federally funded mammography research project.

Matt Mauro, chairman of the university's Department of Radiology, said the breach was first discovered in July when a researcher reported problems accessing the system.

The sites that were sending the information to UNC have stopped doing so for the moment, while stronger precautions are implemented to prevent a similar breach in future, he said.

Notifications have only just started going out because UNC technology officials and an external forensic team needed time to piece together the extent of the compromise and to figure out exactly who may have been affected by it, Mauro said.

Automated summary from: Computer World

October 30, 2009

Why Social Media Should Welcome Location-Based Services

The announcement that Twitter will soon give users the option to disclose their physical whereabouts kindled debate over the role of location-based services (LBS) in social media and elicited criticism that the tools are an invasion of privacy.

Besides helping us track our location patterns or the nearest Starbucks (SBUX), these apps collect valuable data about our daily routines and the routines of those closest to us. They track personal tastes in food, fashion, and music so we can receive alerts and location-based notifications.

Yet as the space crowds with LBS players, the challenge will be to protect users' privacy, find ways to make marketing pitches relevant, and separate useful sites from also-rans.

Twitter plans to make its location services opt-in, also letting users choose whether to tell others where they are.

A related but more fundamental question: What happens to the data that are being collected about our whereabouts?

"The majority of [existing] apps are very centralized—they remain Internet-based, and the controls are with the company," says MIT researcher Nadav Aharony.

Automated summary from: Business Week

October 29, 2009

Health Data Breach Rules Become Effective

New rules governing consumer notification when the security of their health information is breached go into effect this week. But federal agencies won't enforce the rules for several more months.

A final rule from the Federal Trade Commission, published Aug. 25 and effective Sept. 24, requires vendors of personal health records--and entities that offer third-party PHRs--to notify consumers of data breaches. In the rule, the FTC noted the quick deadlines that were statutorily mandated and imposed a grace period on enforcement.

"Therefore, the Commission will use its enforcement discretion to refrain from bringing an enforcement action for failure to provide the required notifications for breaches that are discovered before Feb. 22, 2010," according to the rule.

"During this initial time period--after this rule has taken effect but before an entity is subject to an enforcement action--the Commission expects regulated entities to come into full compliance with the final rule."

A separate rule for HIPAA-covered entities, the HHS interim final rule, was published on Aug. 24 with a Sept. 23 effective date. The rule requires providers, payers, clearinghouses and other HIPAA-covered entities to promptly notify affected individuals in instances of a data breach. Prompt notification to HHS and the media is required when a breach affects more than 500 individuals. Smaller breaches must be annually reported to HHS. Business associates of HIPAA-covered entities must notify the affected covered entity of breaches.

Automated summary from: Health Data Management

October 13, 2009

The glamorous life of Web 2.0 genetics

In the autumn of 2007, Linda Avey and Anne Wojcicki launched the era of pop genetics by going live with 23andme, their DNA testing startup.

Now the 49-year-old Avey is stepping down from co-managing the Mountain View, Calif., company to launch a new venture that she says will connect the DNA-analysis platform developed by 23andme with the disease her father-in-law died from last year: Alzheimer's.

The idea for 23andme -- which refers to the 23 paired chromosomes in a human -- was vintage Silicon Valley: to create a new market for existing information that could be digitally organized and powered up by designing user-friendly software that delivers the data directly to you, for a fee.

In this case, the company would mine the thousands of genetic traits discovered by scientists and available on public-access databases -- DNA markers for everything from lung cancer and diabetes to lactose intolerance and a propensity to freckle -- and find those they considered most useful, compelling, and, in some cases, cool.

Two years ago, the commercialization of DNA by 23andme and others seemed to stun geneticists and the medical research community, despite years of scientists downloading genetic discoveries on public databases.

Leading geneticists called the information too preliminary to be relevant to individuals, while some worried that it might frighten patients who tested positive for a given disease and didn't understand that these tests provided risk factors, not a definitive yes or no. Ethicists and the American Civil Liberties Union fretted about the privacy questions inherent in companies holding this data.

One example of where direct-to-consumer genetics may be headed is Avey's new Alzheimer's venture.

"We want to leverage the research platform we built at 23andme to study families with a history of Alzheimer's," Avey says. "We want to use the web to create a research community."

Automated summary from: CNN

October 13, 2009

Privacy groups blast new health care notification rule

The new health care data breach notification law, which is set to go into effect Wednesday, has drawn harsh criticism from privacy advocates.

Late last month, the U.S. Department of Health and Human Services (HHS) issued an interim final rule requiring health care organizations subject to the Health Insurance Portability and Accountability Act (HIPAA) regulations to notify individuals whose information has been breached. But privacy advocates contest a “harm threshold” provision of the interim final rule, which states that if a breach occurs, organizations should conduct a risk assessment and only need to issue breach notifications if they believe disclosure of the information “poses some harm to the individual.”

Harley Geiger, legal counsel at the Center for Democracy and Technology (CDT), told SCMagazineUS.com on Tuesday that Congress intended for the federal rule to incentivize proactive data protection measures, such as encryption. For example, if the data involved in a breach is rendered unusable by encryption, companies do not have to issue breach notifications, the interim final rule states.

But the harm threshold “cripples” any incentive to protect data, Geiger said.

“Ultimately this weakens patient privacy and the transparency of health care companies,” Geiger said.

Automated summary from: SC Magazine

October 12, 2009

Jamie Heywood: Forget Medical Privacy

Want to put your doctor's stethoscope in a twist? Ask them to hand over a complete copy of your medical records. Then watch as they nervously demur, citing state laws, cost, and fuzzy hospital policies.

Jamie Heywood wants those obstacles legislated out of existence so we can access our own health data almost as easily as ordering a pizza. And he hopes consumers will in turn share that data with one another via online communities such as PatientsLikeMe, which he cofounded in 2004.

PatientsLikeMe allows people with chronic diseases to create public profiles listing their symptoms, medications, and other details long deemed too sensitive to share.

The declaration's third tenet, in particular, is bound to vex secretive doctors and hospitals: "We the people have the right to take possession of a complete copy of our individual health data, without delay, at minimal or no cost."

Heywood admits that there may be pitfalls---the prospect, for example, that employers could weed out workers with rare diseases. But by his estimate, tens of thousands of lives are lost each year because health data doesn't flow freely.

Automated summary from: Wired

October 12, 2009

Apple iPhone app Outbreaks Near Me warns of swine flu

Apple iPhone users worried about swine flu will be pleased to learn: there's an app for that.

The new application, Outbreaks Near Me, lets users keep track of swine flu outbreaks in their vicinity almost in real time. It also lets people inform other users of new flu cases near them.

Outbreaks Near Me uses data from HealthMap, a website developed by Dr John Brownstein of the Children's Hospital Boston and Clark Freifeld of the Massachusetts Institute of Technology. The site scans through reports from the US Centres for Disease Control, news outlets, blogs and Twitter for information on outbreaks of diseases worldwide.

The makers are not ready to claim that the new app will reduce disease in the long run. Mr Freifeld says: "We think that having more information and being more informed is better than...when you don't know what is happening."

Hannah Gould at the Centers for Disease Control said: "I think that in general HealthMap and this new iPhone app make public health surveillance data more user-friendly."

Automated summary from: Telegraph

October 12, 2009

Are Med-Student Tweets Breaching Patient Privacy?

A new survey of medical-school deans finds that unprofessional conduct on blogs and social-networking sites is common among medical students. Although med students fully understand patient-confidentiality laws and are indoctrinated in the high ethical standards to which their white-coated profession is held, many of them still use Facebook, YouTube, Twitter, Flickr and other sites to depict and discuss lewd behavior and sexual misconduct, make discriminatory statements and discuss patient cases in violation of confidentiality laws, according to the survey, which was published this week in the Journal of the American Medical Association.

"I didn't expect to find so many incidents of unprofessional conduct," says Dr. Katherine Chretien, medicine-clerkship director at the Washington, D.C., Veterans Administration hospital and the lead author of the study.

Many students feel they are entitled to post what they wish on their personal profiles, maintaining that the information is in fact personal and not subject to the same policies and guidelines that govern their professional behavior on campus.

Although discussing their experiences online may be allowed, students must be made aware that identifying information is not limited to patients' names and that divulging other characteristics and details often violates patient-privacy laws.

Automated summary from: TIME

October 09, 2009

Innovation with extra cheese and a side of fries

One way in which universities commercialize research that their faculty do is create spin-off companies. A commercialization model that is relatively common is for the university to acquire all of the Intellectual Property Rights (IPR) from the faculty, create a company where the faculty has/have the majority of equity, and allow the company to use the IPR under a license. Once the company reaches certain milestones the university assigns the IPR to the company (i.e., the company will actually own the IPR). This makes sense in that the university would not want to assign the IP to a company until there is sufficient evidence that the company is viable and will become a going concern. Meeting the milestones addresses that concern.

The Canada Revenue Agency, through its decisions and my discussions with them, has decided that such companies are actually franchises of the university (a la McDonald's) and should therefore be treated that way. This has implications for obtaining tax credits for university spin-offs. This approach will clearly have a dampening effect on innovation in Canada, at least under the scenario I described above. For anyone who has run a start-up, it is clear that these tax credits are important. It seems a bit strange given that supporting innovation is a key aim of the federal and provincial governments!

Meanwhile, if you are in the neighborhood please come over for our special McDeid with extra cheese, and we'll throw in the fries on the house.

October 06, 2009

Privacy experts face off over patient control, policy safeguards

Deborah Peel, founder and chair of the Patients Privacy Rights group, and Deven McGraw, director of health privacy at the Center for Democracy and Technology, presented their views before the Health IT Policy Committee on the role of patient choice and control in protecting personal health information.

Consumers will trust health information systems only if they can be assured that their data is confidential, Peel said.

“Privacy and consumer control over personal health information is the easiest, cheapest and most efficient enabler of health information exchange,” she said.

Peel believes patients should actively consent to every request to share their data, and that technology – even cell phones – could help them do that.

In contrast, McGraw said that while it is natural to want control over one's own information, in practice the reliance on patient consent resulted in weaker privacy.

“It relieves the holder of the data from establishing privacy protections,” she said.

Instead there needs to be a comprehensive set of rules or approaches that all organizations involved with the exchange of health data must follow, McGraw said.

Automated summary from: Government Health IT

September 25, 2009
