consumer protection review of ciis · 2020. 6. 30. · comparing consumer protection across...

PamLong,ColoradoHealthChoiceAlliance

ConsumerProtectionReviewofCIIS

• Consumerprotection

• Cost&Benefitanalysis

• Evidence-basedresearch

• Privacy&Security

• Legislativehistory

CasePresentation

ColoradoImmunizationInformationSystem(CIIS)isadatabasethattracksvaccineuptakeonindividuals.Itispromotedasaservicetothepublichealth.

Let’scompareittoadatabasethattracksthemaintenanceonavehicle.Bothvaccinesandvehiclesafetyarepublichealthissues.Wehavestandardsforvehiclesafetylikewehavestandardsforpublichealth.Forexample,youcannotdriveacarwithaflattireorinoperablelights.

WhatisCIIS?

ComparingConsumerProtectionAcrossIndustries

CIIS: Vaccine Tracking Auto Maintenance Program

You can opt-out, but not really You opt-in, leave at any time

State level data Local dealership of your choice

Funded by state, not doctors Paid for by private sector & consumers

Sensitive data shared with CORHIO Data not shared with other car dealerships

Poised to share data federally with CDC Data not shared with federal agency

Potential to violate FERPA No violation of federal privacy laws

Does not provide recalls or alerts on hot lots Provides recall notices & replacement parts

Includes coercive methods for uptake No coercion: your choice, your timeline

Newborn screening & genetic tests included No DMV involvement for compliance

1. Opt-outsystem2. Lackoftransparency3. Taxpayerfunding4. CORHIOsharing5. CDCfederaldatabase6. CircumventsFERPA7. Norecallnotifications8. CoercionInterventions9. Personaldatamining10. Beyondauthorityinstatute

Top10ConsumerConcernsofCIIS

WhenaskedwhyCIISisopt-out,Rep.DanPabon,HB16-1164responded,

“Becausenoonewouldopt-in.”

In2005,Eurocat,anetworkofpopulation- basedregistriesofcongenitalanomalies—birthdefects—inEurope,conductedasurveyonregistries’implementationofinformedconsent.Eightoftheregistrieshadusedconsentatonepoint.Oneregistryreportedadropinitsparticipationrate,notingthatithadreceived“lessthan10writtenconsentsintheentireyearinwhichopt-inconsentwasinstituted.”Thiswascomparedwith249peopleaddedtotheregistrytheyearbeforetheyintegratedconsent.Asaresult,theregistryeventuallydroppedtheconsentrequirement(opt-in)andofferedadissentoption(opt-out).Inshort,whenpeoplerefusedtocooperateoftheirownvolition,theregistryforcedthemin.

Whengivenachoice– whenconsentisrequiredpriortogovernmentaccess– membersofthepublicusuallychooseprivacy.

PatientPrivacyandPublicTrust:HowHealthSurveillanceSystemsAreUnderminingBothTwila Brase, President,Citizens’CouncilforHealthFreedom,August2013

https://www.cchfreedom.org/files/files/50%20States%20Databases%20Full%20Report.pdf

“Overthepast50years,theFDAhasreliedupon-andoftendeferredto- industryevenasoutsideexpertsandconsumersrepeatedlyraisedserioushealthconcernsabouttalcpowdersandcosmetics,aReutersinvestigationfound.”Acriminalinvestigationand$5billioninjuryverdictsagainstJohnson&Johnsonfoundcarcinogenicasbestosin11talc-basedproducts,includingJohnson’sBabyPowder,firstdetectedin1971.J&Jrecalled33,000bottles,voluntarily.TheFDA’swrittenreportstatedithasnopowertoensureproductsafetynorcanitforcecompaniestorecallproductswhenpotentialhazardsarediscovered. “Wearedependentonmanufacturerstotakestepstoensurethesafetyoftheirproducts,”theFDAsaid.

16,000lawsuitsarependingin2019.

FDAisnotsafetytesting&conductingproductrecalls

SpecialReport:PowderKeg- FDAbowedtoindustryfordecadesasalarmsweresoundedovertalc-ReutersDec.3,2019

https://www.reuters.com/article/us-usa-health-fda-tal-specialreport/powder-keg-fda-bowed-to-industry-for-decades-as-alarms-were-sounded-over-talc-idUSKBN1Y71DE

“VaccinesaretheonlyproductsintheU.S.thatdo

nothaveliability.Youcannotsueforinjuriesor

death.ButthatisonlyintheU.S.Aroundtheworld,

therearelawsuitsbecauseofseriousinjuriesand

deathsfromvaccines.InSpainoverGardasil. In

JapanoverGardasil. Theflushotwastakenoffthe

marketforunderfiveinAustraliaafterdeathsand

injury.Prevnar wasbannedinChina.Pfizer’s

vaccinationprogramwaskickedoutofthecountry.

FrancejustpulledRotavirus offtheirscheduleafter

infantdeathsandinjuries.”

Othercountrieshavevaccinerecalls,butnotintheUS

BigPharmaandBigProfits:TheMultibillionDollarVaccineMarket

NewReportsays“VaccineMarket”Worth$61Billionby2020

https://www.globalresearch.ca/big-pharma-and-big-profits-the-multibillion-dollar-vaccine-market/5503945

• Homevisitorsassessclients'vaccinationstatus,discusstheimportanceofrecommendedvaccinations,andeitherprovidevaccinationstoclientsintheirhomesorreferthemtootherservices.Homevisitsmaybeconductedbyvaccinationproviders(e.g.,nurses)orothers(e.g.,socialworkers,communityhealthworkers).

• Interventionsmaybedirectedtoeveryoneinadesignatedpopulation(e.g.,low-incomesinglemothers),ortothosewhohavenotrespondedtootherinterventionefforts,suchasclientreminderandrecallsystems.

Coercion– HomeVisits

https://www.thecommunityguide.org/findings/vaccination-programs-home-visits-increase-vaccination-rates

CIIScosts

$1.5Million/peryearfromtheColoradostatebudget

+CDCGrant$720,000in2011+CDCGrant$799,957in2012+CUDenver/AHRQgrant$55,000annuallysince2011+ColoradoHealthFoundation$26,000(notacompletefundinglist)

• Vaccinesforallages• Insurancesource• Language• Employmentinformation*• Medicalhomeinformation• Schoolenrollment• Targetinginterventions

CIISDataCollection

https://teamvaccine.com/2019/07/31/how-does-the-colorado-immunization-information-system-ciis-benefit-colorados-public-health-efforts/

CIISDataasofFeb.2019• 6.1millionpeople• 91%ofColoradans• 1468practices

CDPHEBrief:Immunizations,exemptions,andvaccinehesitancy

Primaryuse• Dataatthecountylevel(%ofimmunizationrates)

Targeting• Hep A• Pregnantwomen*• Medicaidpopulations• Recall:ages9-12months,ages19-35months,HPVvaccine

RecentUseofData

https://thehighwire.com/flu-shot-pushed-on-pregnant-women-despite-unanswered-safety-risks/


• Medicaid• HCPF• WIC• School-basedhealthcenters• RefugeeHealth• ChildFatalityPreventionSystem• VaccinesforChildren

SharingofCIISData


No“Confidentiality”betweendoctorandpatient

• Theindividualorparent/guardianoftheindividual

• Theindividual’shealthcareprovider

• Aschool,childcarecenteroruniversitywheretheindividualisenrolled

• Amanagedcareorganizationorhealthinsurerwheretheindividualisenrolled

• Hospitals

• Personsorentitieswhohaveanagreementorresearchcontractwiththestateforimmunizations

• TheColoradoDepartmentofHealthCarePolicyandFinancingforindividualseligibleforMedicaid

• Medicalandepidemiologicalinformationcanbereleasedinamannersothatnoindividualpersoncanbeidentified

• Totheextentnecessaryforthetreatment,control,investigation,andpreventionofvaccinepreventablediseasesintheminimumamountnecessary

HIPAAnotice:Apermissionslipforthegovernmentto

disclosemedicalinformationwithouttransparency

• ColoradoAAP1• ColoradoAAFP1• Schoolsandchildcarecenters1• MeaningfulUse:$1.5BillionEHRIncentiveProgramrenamed“PromotingInteroperability”2

IncentivesandRecruitmenttouseCIIS

1. https://teamvaccine.com/2019/07/31/how-does-the-colorado-immunization-information-system-ciis-benefit-colorados-public-health-efforts/

2. https://www.cdc.gov/vaccines/programs/iis/meaningful-use/index.html

• DuplicateandFragmentedrecords• Noprocesstoinactivatepeoplewhohavemovedongoneelsewhere(MOGE)• Schools&daycaresarerequiredtoreportmoreaccurateinfectiousdiseasewithcurrentlyenrolledstudents

• Countyleveldataisnotaccurate

Accuracy

https://www.colorado.gov/pacific/cdphe/ciiscountylevel

PerColorado’s2012ImmunizationInformationSystemAnnualReporttotheCDC:• 66percentofenrolledpublicprovidersitesreporteddatatoCIISfromJuly1– December31,2012• 41percentofenrolledprivateprovidersitesreporteddatatoCIISfromJuly1– December31,2012• 76percentofenrolledVFCprovidersites(regardlessofprivate/publicdesignation)reporteddatatoCIISfromJuly1–

December31,2012

https://www.sos.state.co.us/CCR/GenerateRulePdf.do?ruleVersionId=8099&fileName=6%20CCR%201009-1

Datainthevaccinationregistryonlyagreedwithdatain

thechild’smedicalrecordin

59percentofcasesexamined.

PatientPrivacyandPublicTrust:HowHealthSurveillanceSystemsAreUnderminingBoth,2013

Thestateisrequiredtoimplementevidence-basedprograms.ResearchdoesNOTsupportthatCIISimprovespublichealth.• A2015EconomicReviewofIIS(Pateletal)foundnoactualbenefittopublichealthmeasuredbyreducedmorbidityandmortality,atthecostof$2.4millionto$7milliondollarsoverfiveyearstothestate.Across-sectionalstudyconductedintheUnitedStates,evaluatedtheassociationbetweenpracticeuseofanIISandlikelihoodofchildrenbeingup-to-date.1

• A2015SystematicReviewofIIS(Groometal)foundthatIIShadnoperformancemeasuresordeliverablesforpublichealth,andpracticesusingIISdidnothavesignificantlyhighervaccinationratesthanthosepracticesnotusinganIIS.2

IsCIISEvidenceBased?

1. https://journals.lww.com/jphmp/Fulltext/2015/05000/Economic_Review_of_Immunization_Information.4.aspx2. https://www.thecommunityguide.org/sites/default/files/publications/vpd-jphpm-evrev-IIS.pdf

• ElectronicHealthRecordshavebetterHIPAAprivacythanCIIS(RememberthelonglistofagenciesCIISsharesdatawith?)

• HIPAAappliestoCIIS,butallowssharingwithoutknowledgeorconsent.

• Notrueoptout.– “AllinformationisaboutanoptedoutindividualispurgedfromtheCIISdatabaseexcept:firstname,lastname,gender,dateofbirth,city,county,stateandzipcode.”– LynnTrefren,CDPHE

• PersonallyIdentifyingInformation(PII)

• FERPAprivacyprotectionsonlyapplytopublicallyfundedschools

PrivacyConcerns

“Utilizationofthefunctionalityishinderedby

theburdensomerequirementofhavingto

enrollstudentsoneatatimewithinthesystem.”

-HeatherRothDeputyImmunizationBranch

ChiefatCDPHE

TheGovernor’sOfficeofInformationTechnology(OIT)hostsandmanagesCDPHE’sthreeinformationsystemsthatwereunderreviewduringa2017audit.

Thefindings:

1. ThethreeinformationsystemsdidnotcomplywithmultipleColoradoInformationSecurityPolicy(CISP)andOITCyberPolicyrequirements,anddidnotcomplywithseveralbestpracticerecommendations.

2. SecuritycontrolsimplementedforthesethreesystemsdidnotcomplywithallStatepolicyrequirementsandneedtoberemediatedtoensuretheprotectionoftheconfidentiality,integrity,andavailabilityofthesesystemsandthedatatheymaintain.

3. Dataprotection:WeidentifiedcontrolweaknessesindicatingOITwasnotfullycompliantwithsomerequirementsrelatedtodataprotection.

SecurityConcerns

4. CDPHEITpoliciesareoutofdate.Twenty-twoofthesampleof24CDPHEagency-wideITpoliciesweexaminedhadnotbeenreviewedorupdatedbyCDPHEmanagementinoveroneyear,anddidnotinclude,explicitlyorbyreference,currentCISPandOITCyberPolicyrequirements.

5. InformationSystemSecuritySoftware:WeidentifiedcontrolweaknessesindicatingOITwasnotfullycompliantwithsomerequirementsrelatedtosystemsecurityplans.

6. HB1288required 25-4-910. (1) THEDEPARTMENTOFPUBLICHEALTHANDENVIRONMENT,INCONSULTATIONWITHOTHERSTATEDEPARTMENTS,SHALLESTABLISHAJOINTPOLICYONIMMUNIZATIONDATACOLLECTIONANDSHARING. Howeverthatneverhappened.

https://leg.colorado.gov/sites/default/files/documents/audits/1676p_-_cdphe-it.pdfhttp://www.leg.state.co.us/clics/clics2014a/csl.nsf/fsbillcont3/94D61307D2B5926387257C360075EBCB?open&file=1288_enr.pdf

1. OITmanagementstatedthatitdoesnothavesufficientresourcestofullymanageallCDPHEapplications.

2. OITmanagementrepresentedthatOITdoesnothavesufficientprogramlevelknowledgetomanageallitfunctions.

3. OITlacksformalizedprocessestoimplementCISPSandHIPAArequirements.

4. CDPHEmanagementstatedthatitwasnotawarethatagency-widepolicyandproceduresmustadheretocurrentCISP.

5. CDPHEpoliciesandproceduresarenotperiodicallyreviewed.

SecurityConcerns– WhyDidTheseProblemsOccur?

Theauditoragrees,asnotedwithinthebodyofthisreport,thatCDPHEmaintainsitisnotrequiredtoadheretoHIPAA,butreiteratesthattheagencyendeavorstomaintainHIPAAcompliance inpracticegiventhesensitivenatureofthedateentrustedtotheagency.Therefore,thesensitivedatainCDPHEsystemsareatanincreasedrisktoexposurethatviolatesHIPAArequirementsifformalizedprocessesdonotincludeHIPAArequirements.Additionally,itshouldbenotedthattheGovernor’sOfficeofInformationTechnologyagreedtotherecommendationtomaketechnicaldatabasechangestomeetHIPAArequirementsasnotedintheresponseforrecommendation7aoftheconfidentialreport.

https://leg.colorado.gov/sites/default/files/documents/audits/1676p_-_cdphe-it.pdf

LegislativeTimeline

1992HB1208Trackingsystemcreatedforinfantsupto24months.Grantfunded.

1998HB1210Addednewplacesinformationcouldbegatheredfromforthetrackingsystem.

2000HB1023Governorvetoesopt-outbyfamiliesonthebasisofreligion.

2001HB1134Expandedtoallagesofchildrenandstudents.Addedopt-outforallages.Cannotdirectlycontactparents.Noticeofopt-outtoparents.FederalFunding.

2005SB05-87AllowsdirectcontactofparentsbyCDPHEorcontractor.RequiresreviewofimplementationtoevaluatetheeffectofCIISonCOimmunizationranking.

2007HB1347Expandedtrackingsystemtoincludeadults.Removedperformancereview.StateGeneralFundsallocatedtoCIIS.

2014HB1288Aggregatevaccineschooldata

2016HB1164CreatedexemptionformswithlargeamountsofPII.Failedtobecomelaw.

SurveillanceorCoercion?“Concernshaveincluded:• Thecollectionanduseofthedatabyhealthofficials;• thecreationoflistsofthosewhorefusevaccinations;• Theuseofclinicvaccinationratestoscoretheperformanceofdoctors;

• Theuseofsuchscorestofinanciallypenalizedoctors;andthepotentialrefusalofhealthplanstocoveranunvaccinatedorunder-vaccinatedindividual.”


StrengthCIISservesvaccineproviderswithhighlyindividualizeddatafortargetedsales,inventory,reordering.

“CIISenjoysstrongsupportamongColoradovaccineproviders.”CIISEnvironmentalScan,2013,page6

WeaknessCIIShasnoconsumerprotectionfunctions.

CIIScostsmillionsofdollarsforredundantdatacollectedinaggregateatschoolswithbetteraccuracy&privacy.

OpportunitiesIIShasunderutilizedfunctions(section12)toidentifypatients&providerswhoreceivedarecalledvaccine,andfunctions(section13)fortraining,access,andsupportforinvestigatingreactionswithintheVaccineAdverseReactionsSystem(VAERS).ItislikelytheIncentivesfunction(section18)isindirectconflictwithreportingreactions.

ThreatsCIISisasecuritythreattosensitivedata&hascoerciveinterventionsfortargetingpeople.

“Confidentially”claimsareusedinamisleadingway,andmostpeoplewouldnotoptin.


SWOTAnalysis

Thankyou.

consumer protection review of ciis · 2020. 6. 30. · comparing consumer protection across...

Documents