Ariz. Legislature kills Real ID; critics point to hefty costs

Before I get to REAL ID, I want to correct a mistaken hyperlink I used last Thursday to the story on NPR about Jerry Brown's proposed medical records database for which I was interviewed. Here's the correct link to the California Report and about half way in to the 10 minute program on June 5th you'll find the segment and a clip from my interview. Or just click here: Listen (RealMedia stream) Download (MP3)

NOW TO REAL ID:

Another state - demonstrating the bipartisan red and blue nature of REAL ID opposition - has joined the coalition rejecting the feds attempt at creating a National ID Program. I of course am speaking of the liberty crushing REAL ID Act "passed" through congress without debate in 2005 as an amendment on a bill full of security recommendations stemming from the Sept. 11 terrorist attacks.

I suspect we all know how "the card" generally works, so let's get to Arizona! As we are all aware, there have been varying degrees of state opposition to the Act to date, with some hinting at opposition, others dragging their feet, and still others ratifying, in law, their non-compliance. Well, assuming Gov. Napolitano signs the bill, which all indications say she will, Arizona will become the 10th state to prohibit compliance with the federal program.

The Arizona Republic reports:

On a 51-1 final vote, House lawmakers sent Gov. Janet Napolitano their House Bill 2677, a measure barring the state from participating in the federal Real ID program. If Napolitano signs the bill, Arizona will become the 10th state to prohibit compliance with the federal program.

But the legislation's impact is negligible for the time being because Real ID isn't slated to take effect for at least another 18 months.

...

...critics have voiced concerns about hefty costs - to be borne by the states - to develop the IDs. Some opponents say the central databases needed increase the risk of identity theft and fear Real ID is a step toward a national identification card. Groups across the political spectrum - from the ACLU to the John Birch Society - have aligned against the federal program.

State compliance is voluntary, but individuals will be required to carry identification that meets Real ID standards to board commercial flights or enter federal buildings. The program's implementation has already been delayed until the end of 2009.

So to recap recent moves being made by various states - with Minnesota and Alaska leading the charge - let's go to the New American which just reported on this very question:

In May Minnesota and Alaska became the eighth and ninth states whose legislatures have rejected Real ID, joining Maine, Montana, New Hampshire, Oklahoma, South Carolina, and Washington. A dozen more states have approved resolutions calling for the costs of the Real ID program to be fully covered by Congress or the act repealed.

Minnesota’s Real ID resolution (HF3807) was clearly stated and uncompromising: “Section 1. Noncompliance With Real ID Act. The commissioner of public safety is prohibited from taking any action to implement or to plan for the implementation by this state of those sections of Public Law 109-13 known as the Real ID Act.” Both House and Senate passed this bill by veto-proof margins, 103-30 and 50-16 respectively.

Unfortunately, Governor Tim Pawlenty cleverly engineered a way to veto the bill and avoid an override vote. In the waning days of Minnesota’s legislative session, Pawlenty vetoed HF3807, then issued an executive order that would prevent full state compliance with the federal Real ID program before June 1, 2009 unless approved by the legislature. When the legislature met for the last time the next day, an attempt to override the veto was rejected with little discussion.

It was a different story in Alaska. Its resolution (SB202) stated, “A state agency may not expend funds solely for the purpose of implementing or aiding in the implementation of the requirements of the federal Real ID Act of 2005.” Although this resolution is not as bold and uncompromising as Minnesota’s was, it has the virtue of being passed into law through overwhelming votes of 39-1 and 19-1 in the House and Senate respectively, and through Governor Sarah Palin’s acquiescence when she failed to either sign or veto the bill in the mandatory 20-day period.

You can be sure I'll be keeping you up to speed on all the most important REAL ID related news for you right here.

Measure would let drugstores pass prescription information to bulk mailers

I must say that despite the disappointment of SB 1096 passing the Senate by a single vote last week, the continuing press attention on the bill does give reason to be hopeful.

As you may remember, SB 1096 (Calderon) - sponsored by a drug marketing firm currently being sued for privacy breaches - would allow the sharing of a patient's confidential medical information regarding prescription drugs among a pharmacy, third party corporations and pharmaceutical companies.

For more information on the bill see previous posts, beginning with this one.

Before I get to the article by consumer rights champion David Lazarus of the Los Angeles Times - which now faces an Assembly vote next week - I want to direct everyone to CFC's Action Alert opposing this bill. Tell your Assemblymember (and the Governor) to protect patient prescription records!!

David Lazarus writes:

Under legislation that quietly passed in the state Senate on May 29 and is making its way through the Assembly, drugstores would be free to share patients' prescription records with companies that specialize in bulk mailings.Money would change hands along with people's personal data, but, as you'll see, it's not exactly clear who's paying whom.

...

The reality, critics say, is that this is an effort by pharmaceutical companies to help ensure that patients stick with expensive name-brand drugs and not stray toward cheaper generic alternatives. They say it also could lead to privacy violations."Your private medical information is being transferred from one database to another," said Jerry Flanagan of Santa Monica-based Consumer Watchdog. "Once that genie's out of the bottle, it's very hard to get it back in."

...

SB 1096 is surprisingly murky when it comes to who is supposed to benefit from the legislation. The bill lists its "source" as Adheris Inc., which describes itself as "the leader in prescription-drug patient behavior modification."Adheris used to be known as Elensys Care Services Inc.

The company changed its name after it came to light in 1998 that CVS and other pharmacies were sending people's personal medical information to Elensys without their permission. A related lawsuit is pending.As Adheris, the company remains in the business of reminding people to take their meds. But critics such as Consumer Watchdog's Flanagan say Adheris' emphasis is on promoting name-brand drugs and keeping patients loyal to specific brands.

...

Calderon's bill appears to anticipate that mailings may be paid for by drug makers or companies such as Adheris and not just by drugstores. It says disclosure is required "if the written communication is paid for, in whole or in part, by a manufacturer, distributor or provider of a healthcare product or service."I pointed this out to Calderon."I'm not familiar with that," he replied. "I've never seen that part of the bill."This is his bill, remember.

SB 1096 would allow people to opt out at the pharmacy counter from receiving any mailings from Adheris. But it's unclear whether you could opt out from the company accessing your records. The bill says the opt-out covers "receiving a written communication from a pharmacy." It's silent on whether your private data would still be sent to Adheris' computers.

...

If the reminder mailings are so useful, why not just ask people to opt in? That way you'd be giving your permission upfront, rather than requiring people to cancel a service they may not have been aware of in the first place."The problem is that opt-in doesn't work," Calderon said, saying that other states have found that if you ask people to sign up for reminder programs, they usually decline. Tells the whole story, some might say.

...

Since 2002, Calderon has received at least $89,000 in contributions from drug companies and pharmacy chains, according to public records.

The Sac Bee also covered the bill today:

Privacy concerns have been raised about a bill moving through the California Legislature that would let pharmacies partner with drug companies to send out letters reminding patients to refill their prescriptions. Senate Bill 1096 by Sen. Ron Calderon, D-Montebello, is sponsored by a medical information company facing an invasion of privacy class-action suit that alleges some practices the legislation would make legal.

...

The main sponsor of SB 1096 is Adheris Inc., a Massachusetts company that has been named in class-action lawsuit in San Diego Superior Court.

The suit was filed on behalf of patients who allege their privacy was breached when they received letters from the company encouraging them to buy more medication or switch to an alternative prescription drug made by the same drug company.

Privacy advocates allege SB 1096 would open the door for pharmaceutical companies to promote their products in the guise of reminder letters.

"The bill sponsor is a marketing company employed by drug manufacturers to increase the sale of prescription drugs," Jerry Flannigan of Consumers Watchdog said in a prepared statement.

...

It also would let pharmaceutical companies pay for the mailings, but require pharmacies to disclose that if they were compensated for the mailings. "That's what this is about – allowing pharmacies to increase their marketing," said Jeffrey Krinsk, an attorney who is representing plaintiffs in the San Diego lawsuit.

I also highly suggest you check out this outstanding analysis by a blogger of the bill, who incidentally got contacted by Calderon's office himself to debate the issue (just as I got a call from an Adheris lobbyist for the same purpose).

I want to post a few choice clips from Brian Leubitz's piece here too, as he is actually put in the position of defending a quote I made in the Chronicle. More than that, is his clarity in regards to the various semantic tricks proponents of this bill are so proficient at utilizing:

I described the purchasers of this data as "pharmaceutical marketers." The accuracy of that description is incontrovertible; clearly the people buying this data can be fairly described as marketers. Mr. Rushing (Calderon's office) was quite keen on saying that the data wasn't going to the manufacturers but rather to these third party data brokers. Now, that might be true in practice, but there is no limitation in the bill as written which would stop the manufacturers from attaining this data to send these letters themselves.

...

...nowhere does the bill stop manufacturers from purchasing the data from pharmacies. In fact, the bill explicitly contemplates that "manufacturers and distributors" will be paying for these letters by requiring a disclosure on the letter.

Furthermore, I'm not sure having 3rd party data brokers like Adheris (aka Elansys ) having the data is really that much more comforting than having Merck or Eli Lilly having it. In effect, this bill would moot a court case brought against Adheris for doing this already. Retroactive immunity is in vogue these days I suppose. (Note: It's not clear that this would moot the court case, that would have to be resolved by the courts.)

...

But to the greater issue, that of privacy. Mr. Rushing makes the argument that 49 other states have this rule to allow sales of pharmaceutical records, and why is California the outlier? There is a simple response to this: Californians value their privacy. We have the toughest privacy laws in the nation, thank you, Representative Speier, precisely because we feel that data warehousers shouldn't have access to every morsel of information about us. As my mother always said, just because everybody else is doing it doesn't mean that we should too. We needn't join that race to the privacy floor that HIPAA provides. Our privacy laws are, and should be, a model for other states.

...

In fact, despite whatever arguments the National Association of Chain Drug Stores and the California Retailers Association makes on the policy arguments that this is substantially better for public health (Rushing gave me a $150bn figure for nationwide savings if everybody took their meds on schedule), the fact is that the risk involved in the sales of these records outweighs the benefits. We can already provide reminders without sales of medical records financed by manufacturers or distributors. Even the California Medical Association agrees that we needn't travel this risky ground in the name of possible results.

With all that said, let's join together and make sure members of the California Assembly understand that our medical records and our civil liberties are not for sale.

Billboards That Look Back

This article in the New York Times regarding billboards that actually "look" back at you and register a variety of your characteristics can be filed in the "that's really creepy" category of privacy related issues.

This reminds me of Minority Report with a dash of 1984 thrown in...and being that its news to me let's get to the meat of the article first:

They are equipping billboards with tiny cameras that gather details about passers-by — their gender, approximate age and how long they looked at the billboard. These details are transmitted to a central database.

...

The goal, these companies say, is to tailor a digital display to the person standing in front of it — to show one advertisement to a middle-aged white woman, for example, and a different one to a teenage Asian boy.

...

Although surveillance cameras have become commonplace in banks, stores and office buildings, their presence takes on a different meaning when they are meant to sell products rather than fight crime. So while the billboard technology may solve a problem for advertisers, it may also stumble over issues of public acceptance.

...

“I think a big part of why it’s accepted is that people don’t know about it,” said Lee Tien, senior staff attorney for the Electronic Frontier Foundation, a civil liberties group. “You could make them conspicuous,” he said of video cameras. “But nobody really wants to do that because the more people know about it, the more it may freak them out or they may attempt to avoid it.”

And the issue gets thornier: the companies that make these systems, like Quividi and TruMedia Technologies, say that with a slight technological addition, they could easily store pictures of people who look at their cameras.

The companies say they do not plan to do this, but Mr. Tien said he thought their intentions were beside the point. The companies are not currently storing video images, but they could if compelled by something like a court order, he said.

So there you have it, yet another "avenue" has been found by big business to market to us, watch us, and store information about us! I'm not going to make any public policy suggestions yet (I can safely say I oppose this concept however), but the worry, as hinted at by Lee Tien of EFF, the real fear here is not what these billboards are being used for right now (as creepy as it may be) but what they could be used for in the future (as in Government surveillance).

Click here to read the article in its entirety.

Jerry Brown's Rx for drug abuse: the Internet

For now it appears that Jerry Brown's plan to create an online prescription drug database to catch would be drug abusers and fraudsters isn't going to make a major media splash. As I discussed in detail yesterday, this database would be available to doctors, pharmacists, health workers, and even law enforcement.

I only found one major newspaper article on yesterday's announcement and press conference, but before I get to that, here's the link to KQED's segment on the database with a clip from my interview. Just go to the California Report and about half way in to the 10 minute program on June 5th you'll find the segment.

Or just click here: Listen (RealMedia stream) Download (MP3)

Since I talked about the issue for at least 10 minutes with KQED, I suggest you check out yesterday's post to get a more complete version of our organization's concerns about the program rather than just the one sentence soundbite in the clip.

As for today's article in the Los Angeles Times, it was short and sweet. with no real discussion of the myriad of issues we should be discussing (and will in the coming weeks and months I'm sure). Here are a few highlights:

State Atty. Gen. Jerry Brown unveiled a plan Wednesday to provide doctors and pharmacists with almost instant Internet access to patient prescription drug histories to help prevent so-called doctor shopping and other abuses of pharmaceuticals.

...

Beth Givens, director of the Privacy Rights Clearinghouse in San Diego, called the online access "a classic double-edged sword.""Obviously there is a good reason for it, but there could be significant privacy abuses that could end up harming individuals," Givens said, adding that patents should have access to their drug histories to ensure accuracy.

There is no more respected expert on this issue than Beth Givens - who I personally consulted on this issue yesterday. As more details on this program become available, you can be sure I'll be looking to groups like the Privacy Rights Clearinghouse and the World Privacy Forum for advice and expertise.

AG's office announces online drug database

I thought this program - and today's announcement of it by Attorney General Jerry Brown - raises a whole slew of privacy concerns that need to be addressed. Thankfully I got to make these concerns known to KQED today too, so listen for the California Report's coverage at 9 minutes after the hour, each hour, tomorrow morning.

The new database, to be funded privately, and in fact, it was Kaiser itself that funded the feasibility study of the program, would "allow doctors and pharmacists to immediately access a database of more than 86 million drug prescriptions. All prescriptions filled for schedule II, III and IV drugs – including powerful painkillers like morphine, hydro-codone and codeine – would be instantly available."

Its being sold as a way of cracking down on drug abusers, meaning law enforcement will also have access to your records...but they haven't said how this access would be approved or denied.
Before I comment more, here's some clips from the San Diego Union Tribune:

...his office plans to place the state's prescription-tracking database on a secure Web site that health-care providers can log onto to obtain the information instantly. The move is intended to make it tougher for patients to go from doctor to doctor and fill multiple prescriptions.

...

Under Brown's proposal, the Troy and Alana Pack Foundation would fund the database's implementation costs, with the state Department of Justice absorbing maintenance costs.

...

Jerry Flanagan of the Foundation for Taxpayer and Consumer Rights, a consumer advocacy group based in Santa Monica, warned that in establishing such a database efforts would need to be made to ensure patient information isn't released to identity thieves or unwanted marketers. “Nationally, the push to put records online has evolved faster than the concern to make them private,” said Flanagan.

The San Jose Mercury News sheds some more light on the issue:

It will cost about $3 million to develop and operate the program for three years, according to a 2007 feasibility study paid for in part by Kaiser Permanente. Funds have not yet been identified, but supporters are hopeful health care providers and insurers will foot the bill. Nationally, prescription drug fraud costs insurers as much as $72 billion a year, according to a 2007 study by the Coalition Against Insurance Fraud.

...

Kathy Ellis of the Department of Justice said details about law enforcement access to California's system have yet to be worked out. Access likely will be granted on a case-by-case basis to prevent "fishing" in the system, she said. "They'd have to identify what their need is. I don't see a patrol officer having a direct need for that information."

It is important that enforcers not rely on numbers when looking at suspected abuse cases, said Sherry Green, executive director of the National Alliance for Model State Drug Laws.

"Even if something looks outside the traditional range, that doesn't in and of itself mean that something's wrong," said Green. "Prescription monitoring officials can't make those kinds of health determinations — all they can do is make a recommendation that something needs to be scrutinized more."

In Maine, civil libertarians fought the development of drug-monitoring. An online system, launched in 2006 in response to the state's OxyContin epidemic, has "an arm's-reach relationship with law enforcement," said program director Daniel Eccher. Investigators can't access records without a subpoena.

I guess the obvious point is that if such a program is to be implemented we must ask ourselves whether the possible pitfalls of allowing our private prescription records to be so easily accessed outweighs the claimed benefits of "stopping drug abusers"?

By the least, any such database must include the strongest of safeguards to ensure a patient's private information is protected from identity thieves, overzealous law enforcement, or unwanted marketers.

Some suggestions might include: Legislation that puts into law, a stringent, ironclad privacy policy for this database and its maintenance.

For instance, there should be an electronic audit trail examined regularly ANYONE who has accessed your file and consumer's should have access to these (as in their) medical records and to that electronic audit trail so they knew who's been snooping around.

I also am skeptical anytime the "war on drugs" is used to rationalize the increasing deterioration of our right to privacy. Since this whole program was pushed by the insurance industry (and who paid for the feasibility study), and is going to be funded by private sources, we should wonder whether industry profits and government power is the real end goal here?

Similarly, if we really wanted to reduce drug dependency perhaps we should focus on fully funding our schools, offering first class drug counseling and rehabilitation services, and stopping the advertising of prescription drugs on television every night?

It goes without saying too, that government could also abuse this system. We're opening a Pandora's Box to say the least...and since this kind of data sharing and storage is a likely fact of life in our future, then we better be vigilant in protecting our privacy from those who might seek to benefit from it at our expense.

Google asked to add home page link to privacy policies

Just to briefly follow up on yesterday's post regarding Google's refusal (to date) to provide a home page link to their privacy policy - as required by California law - here's an article in Computerworld on the subject.

Also of news, we at the Consumer Federation of California have joined this coalition, signing on to a letter urging Google's CEO to reconsider its privacy policy and include that one, little hyperlink!

Jaikumar Vijayan reports:

In the latest indication of the growing unease in some quarters over Google Inc.'s privacy policies, a coalition of advocacy groups is asking the search company to provide a direct link to its privacy policies on its home page.

Executives from the Privacy Rights Clearinghouse, the World Privacy Forum, Consumer Action, the Electronic Frontier Foundation, the American Civil Liberties Union of Northern California and the Consumer Federation of California today sent a letter to Google CEO Eric Schmidt expressing their concern over the company's failure to post a home page link to its privacy policy. In their letter, the groups called Google's reluctance to post the link on its home page "alarming."

...

Google's refusal to do so also sets it apart from other popular Web sites that routinely put such links on their home pages...

...

The California law that requires company's to post prominent home page links to their privacy policies was specifically designed to give consumers easy, one-click access to the information, said Pam Dixon, executive director of the World Privacy Forum.

As a company that collects and stores a range of information, including health care data, it is important for Google comply with the law, Dixon said. "It is a very straightforward, very simple law in many ways. It is something that most businesses provide for anyhow," she said.

Click here for the rest of the article.

California Privacy Chief Says Google Should Improve Disclosure

It appears that one of the key "battle fronts" in the fight to protect privacy in the information age will be within the health industry. Whether its protecting your private prescription drug records from third party drug marketing and pharmaceutical companies or storing your most private health information in new products like Google Health (which doesn't have to abide by the same privacy protection rules as does government).

I have discussed in the past the privacy risks involved in using Google Health, but now in California, privacy advocates are up in arms about another aspect the product...it doesn't provide a link to its own privacy policy on its home page.

The problem is that the California Online Privacy Protection Act of 2003 requires the operator of a commercial Web site that collects personal information about users to “conspicuously post its privacy policy on its Web site.” As a reporter asked in the New York Times, "How conspicuously? The site needs to link to the policy “located on the homepage or first significant page after entering the Web site...

"Privacy experts say Google is under the microscope because it collects and retains so much information about so many people."

“It wouldn’t be a big privacy issue if it wasn’t Google saying everyone else may be doing this but we don’t need to,” said Marc Rotenberg, the director of the Electronic Privacy Information Center.

The New York Times Reports:

Ms. McNabb was blunt in her assessment that, on this matter, Google should be doing a lot more. “Our recommendation is, make information about how personal information is used available very easily for people. That’s why our recommendation is, link to the privacy policy from the home page.”

...

Ms. McNabb said her office is going to reach out to Google in order to discuss the matter and press its recommendation. In the past, the office contacted Google about its service that allows users to look up the name and address of people based on their phone numbers. Google responded by making it easier for people to remove their numbers from this system.

EPIC, the Privacy Rights Clearinghouse, and the WorldPrivacy Forum are mobilizing the public to demand Google make these necessary changes.

Their request reads:

"If you have been following the recent news about Googleand the California privacy law, you'll know that there isa real concern that Google is not doing what just about every other commercial web site does -- link to a privacy policy on its homepage. "

The essential argument states:

"California law requires the operator of a commercial web site to conspicuously post its privacy policy on its Web site. The straightforward reading of that law is that Google must place the wordprivacy on the Google.com web page linked to its privacy policy.

Moreover, just about every major company that operates a web site places a link to its privacy policy on its homepage. While we do not believe that a privacy policy is a guarantee of privacy protection, it does represent a commitment by a commercial web site to inform users about the company's privacy practices.

Google's reluctance to post a link to its privacy policy on its homepageis alarming. We urge you to comply with the California Online PrivacyProtection Act and the widespread practice for commercial web sites assoon as possible."

More to come I'm sure...