Post on 01-Oct-2020
PamLong,ColoradoHealthChoiceAlliance
ConsumerProtectionReviewofCIIS
• Consumerprotection
• Cost&Benefitanalysis
• Evidence-basedresearch
• Privacy&Security
• Legislativehistory
CasePresentation
ColoradoImmunizationInformationSystem(CIIS)isadatabasethattracksvaccineuptakeonindividuals.Itispromotedasaservicetothepublichealth.
Let’scompareittoadatabasethattracksthemaintenanceonavehicle.Bothvaccinesandvehiclesafetyarepublichealthissues.Wehavestandardsforvehiclesafetylikewehavestandardsforpublichealth.Forexample,youcannotdriveacarwithaflattireorinoperablelights.
WhatisCIIS?
ComparingConsumerProtectionAcrossIndustries
CIIS: Vaccine Tracking Auto Maintenance Program
You can opt-out, but not really You opt-in, leave at any time
State level data Local dealership of your choice
Funded by state, not doctors Paid for by private sector & consumers
Sensitive data shared with CORHIO Data not shared with other car dealerships
Poised to share data federally with CDC Data not shared with federal agency
Potential to violate FERPA No violation of federal privacy laws
Does not provide recalls or alerts on hot lots Provides recall notices & replacement parts
Includes coercive methods for uptake No coercion: your choice, your timeline
Newborn screening & genetic tests included No DMV involvement for compliance
1. Opt-outsystem2. Lackoftransparency3. Taxpayerfunding4. CORHIOsharing5. CDCfederaldatabase6. CircumventsFERPA7. Norecallnotifications8. CoercionInterventions9. Personaldatamining10. Beyondauthorityinstatute
Top10ConsumerConcernsofCIIS
WhenaskedwhyCIISisopt-out,Rep.DanPabon,HB16-1164responded,
“Becausenoonewouldopt-in.”
In2005,Eurocat,anetworkofpopulation- basedregistriesofcongenitalanomalies—birthdefects—inEurope,conductedasurveyonregistries’implementationofinformedconsent.Eightoftheregistrieshadusedconsentatonepoint.Oneregistryreportedadropinitsparticipationrate,notingthatithadreceived“lessthan10writtenconsentsintheentireyearinwhichopt-inconsentwasinstituted.”Thiswascomparedwith249peopleaddedtotheregistrytheyearbeforetheyintegratedconsent.Asaresult,theregistryeventuallydroppedtheconsentrequirement(opt-in)andofferedadissentoption(opt-out).Inshort,whenpeoplerefusedtocooperateoftheirownvolition,theregistryforcedthemin.
Whengivenachoice– whenconsentisrequiredpriortogovernmentaccess– membersofthepublicusuallychooseprivacy.
PatientPrivacyandPublicTrust:HowHealthSurveillanceSystemsAreUnderminingBothTwila Brase, President,Citizens’CouncilforHealthFreedom,August2013
https://www.cchfreedom.org/files/files/50%20States%20Databases%20Full%20Report.pdf
“Overthepast50years,theFDAhasreliedupon-andoftendeferredto- industryevenasoutsideexpertsandconsumersrepeatedlyraisedserioushealthconcernsabouttalcpowdersandcosmetics,aReutersinvestigationfound.”Acriminalinvestigationand$5billioninjuryverdictsagainstJohnson&Johnsonfoundcarcinogenicasbestosin11talc-basedproducts,includingJohnson’sBabyPowder,firstdetectedin1971.J&Jrecalled33,000bottles,voluntarily.TheFDA’swrittenreportstatedithasnopowertoensureproductsafetynorcanitforcecompaniestorecallproductswhenpotentialhazardsarediscovered. “Wearedependentonmanufacturerstotakestepstoensurethesafetyoftheirproducts,”theFDAsaid.
16,000lawsuitsarependingin2019.
FDAisnotsafetytesting&conductingproductrecalls
SpecialReport:PowderKeg- FDAbowedtoindustryfordecadesasalarmsweresoundedovertalc-ReutersDec.3,2019
https://www.reuters.com/article/us-usa-health-fda-tal-specialreport/powder-keg-fda-bowed-to-industry-for-decades-as-alarms-were-sounded-over-talc-idUSKBN1Y71DE
“VaccinesaretheonlyproductsintheU.S.thatdo
nothaveliability.Youcannotsueforinjuriesor
death.ButthatisonlyintheU.S.Aroundtheworld,
therearelawsuitsbecauseofseriousinjuriesand
deathsfromvaccines.InSpainoverGardasil. In
JapanoverGardasil. Theflushotwastakenoffthe
marketforunderfiveinAustraliaafterdeathsand
injury.Prevnar wasbannedinChina.Pfizer’s
vaccinationprogramwaskickedoutofthecountry.
FrancejustpulledRotavirus offtheirscheduleafter
infantdeathsandinjuries.”
Othercountrieshavevaccinerecalls,butnotintheUS
BigPharmaandBigProfits:TheMultibillionDollarVaccineMarket
NewReportsays“VaccineMarket”Worth$61Billionby2020
https://www.globalresearch.ca/big-pharma-and-big-profits-the-multibillion-dollar-vaccine-market/5503945
• Homevisitorsassessclients'vaccinationstatus,discusstheimportanceofrecommendedvaccinations,andeitherprovidevaccinationstoclientsintheirhomesorreferthemtootherservices.Homevisitsmaybeconductedbyvaccinationproviders(e.g.,nurses)orothers(e.g.,socialworkers,communityhealthworkers).
• Interventionsmaybedirectedtoeveryoneinadesignatedpopulation(e.g.,low-incomesinglemothers),ortothosewhohavenotrespondedtootherinterventionefforts,suchasclientreminderandrecallsystems.
Coercion– HomeVisits
https://www.thecommunityguide.org/findings/vaccination-programs-home-visits-increase-vaccination-rates
CIIScosts
$1.5Million/peryearfromtheColoradostatebudget
+CDCGrant$720,000in2011+CDCGrant$799,957in2012+CUDenver/AHRQgrant$55,000annuallysince2011+ColoradoHealthFoundation$26,000(notacompletefundinglist)
• Vaccinesforallages• Insurancesource• Language• Employmentinformation*• Medicalhomeinformation• Schoolenrollment• Targetinginterventions
CIISDataCollection
https://teamvaccine.com/2019/07/31/how-does-the-colorado-immunization-information-system-ciis-benefit-colorados-public-health-efforts/
CIISDataasofFeb.2019• 6.1millionpeople• 91%ofColoradans• 1468practices
CDPHEBrief:Immunizations,exemptions,andvaccinehesitancy
Primaryuse• Dataatthecountylevel(%ofimmunizationrates)
Targeting• Hep A• Pregnantwomen*• Medicaidpopulations• Recall:ages9-12months,ages19-35months,HPVvaccine
RecentUseofData
https://thehighwire.com/flu-shot-pushed-on-pregnant-women-despite-unanswered-safety-risks/
https://teamvaccine.com/2019/07/31/how-does-the-colorado-immunization-information-system-ciis-benefit-colorados-public-health-efforts/
• Medicaid• HCPF• WIC• School-basedhealthcenters• RefugeeHealth• ChildFatalityPreventionSystem• VaccinesforChildren
SharingofCIISData
https://teamvaccine.com/2019/07/31/how-does-the-colorado-immunization-information-system-ciis-benefit-colorados-public-health-efforts/
No“Confidentiality”betweendoctorandpatient
• Theindividualorparent/guardianoftheindividual
• Theindividual’shealthcareprovider
• Aschool,childcarecenteroruniversitywheretheindividualisenrolled
• Amanagedcareorganizationorhealthinsurerwheretheindividualisenrolled
• Hospitals
• Personsorentitieswhohaveanagreementorresearchcontractwiththestateforimmunizations
• TheColoradoDepartmentofHealthCarePolicyandFinancingforindividualseligibleforMedicaid
• Medicalandepidemiologicalinformationcanbereleasedinamannersothatnoindividualpersoncanbeidentified
• Totheextentnecessaryforthetreatment,control,investigation,andpreventionofvaccinepreventablediseasesintheminimumamountnecessary
HIPAAnotice:Apermissionslipforthegovernmentto
disclosemedicalinformationwithouttransparency
• ColoradoAAP1• ColoradoAAFP1• Schoolsandchildcarecenters1• MeaningfulUse:$1.5BillionEHRIncentiveProgramrenamed“PromotingInteroperability”2
IncentivesandRecruitmenttouseCIIS
1. https://teamvaccine.com/2019/07/31/how-does-the-colorado-immunization-information-system-ciis-benefit-colorados-public-health-efforts/
2. https://www.cdc.gov/vaccines/programs/iis/meaningful-use/index.html
• DuplicateandFragmentedrecords• Noprocesstoinactivatepeoplewhohavemovedongoneelsewhere(MOGE)• Schools&daycaresarerequiredtoreportmoreaccurateinfectiousdiseasewithcurrentlyenrolledstudents
• Countyleveldataisnotaccurate
Accuracy
https://www.colorado.gov/pacific/cdphe/ciiscountylevel
PerColorado’s2012ImmunizationInformationSystemAnnualReporttotheCDC:• 66percentofenrolledpublicprovidersitesreporteddatatoCIISfromJuly1– December31,2012• 41percentofenrolledprivateprovidersitesreporteddatatoCIISfromJuly1– December31,2012• 76percentofenrolledVFCprovidersites(regardlessofprivate/publicdesignation)reporteddatatoCIISfromJuly1–
December31,2012
https://www.sos.state.co.us/CCR/GenerateRulePdf.do?ruleVersionId=8099&fileName=6%20CCR%201009-1
Datainthevaccinationregistryonlyagreedwithdatain
thechild’smedicalrecordin
59percentofcasesexamined.
PatientPrivacyandPublicTrust:HowHealthSurveillanceSystemsAreUnderminingBoth,2013
Thestateisrequiredtoimplementevidence-basedprograms.ResearchdoesNOTsupportthatCIISimprovespublichealth.• A2015EconomicReviewofIIS(Pateletal)foundnoactualbenefittopublichealthmeasuredbyreducedmorbidityandmortality,atthecostof$2.4millionto$7milliondollarsoverfiveyearstothestate.Across-sectionalstudyconductedintheUnitedStates,evaluatedtheassociationbetweenpracticeuseofanIISandlikelihoodofchildrenbeingup-to-date.1
• A2015SystematicReviewofIIS(Groometal)foundthatIIShadnoperformancemeasuresordeliverablesforpublichealth,andpracticesusingIISdidnothavesignificantlyhighervaccinationratesthanthosepracticesnotusinganIIS.2
IsCIISEvidenceBased?
1. https://journals.lww.com/jphmp/Fulltext/2015/05000/Economic_Review_of_Immunization_Information.4.aspx2. https://www.thecommunityguide.org/sites/default/files/publications/vpd-jphpm-evrev-IIS.pdf
• ElectronicHealthRecordshavebetterHIPAAprivacythanCIIS(RememberthelonglistofagenciesCIISsharesdatawith?)
• HIPAAappliestoCIIS,butallowssharingwithoutknowledgeorconsent.
• Notrueoptout.– “AllinformationisaboutanoptedoutindividualispurgedfromtheCIISdatabaseexcept:firstname,lastname,gender,dateofbirth,city,county,stateandzipcode.”– LynnTrefren,CDPHE
• PersonallyIdentifyingInformation(PII)
• FERPAprivacyprotectionsonlyapplytopublicallyfundedschools
PrivacyConcerns
“Utilizationofthefunctionalityishinderedby
theburdensomerequirementofhavingto
enrollstudentsoneatatimewithinthesystem.”
-HeatherRothDeputyImmunizationBranch
ChiefatCDPHE
TheGovernor’sOfficeofInformationTechnology(OIT)hostsandmanagesCDPHE’sthreeinformationsystemsthatwereunderreviewduringa2017audit.
Thefindings:
1. ThethreeinformationsystemsdidnotcomplywithmultipleColoradoInformationSecurityPolicy(CISP)andOITCyberPolicyrequirements,anddidnotcomplywithseveralbestpracticerecommendations.
2. SecuritycontrolsimplementedforthesethreesystemsdidnotcomplywithallStatepolicyrequirementsandneedtoberemediatedtoensuretheprotectionoftheconfidentiality,integrity,andavailabilityofthesesystemsandthedatatheymaintain.
3. Dataprotection:WeidentifiedcontrolweaknessesindicatingOITwasnotfullycompliantwithsomerequirementsrelatedtodataprotection.
SecurityConcerns
4. CDPHEITpoliciesareoutofdate.Twenty-twoofthesampleof24CDPHEagency-wideITpoliciesweexaminedhadnotbeenreviewedorupdatedbyCDPHEmanagementinoveroneyear,anddidnotinclude,explicitlyorbyreference,currentCISPandOITCyberPolicyrequirements.
5. InformationSystemSecuritySoftware:WeidentifiedcontrolweaknessesindicatingOITwasnotfullycompliantwithsomerequirementsrelatedtosystemsecurityplans.
6. HB1288required 25-4-910. (1) THEDEPARTMENTOFPUBLICHEALTHANDENVIRONMENT,INCONSULTATIONWITHOTHERSTATEDEPARTMENTS,SHALLESTABLISHAJOINTPOLICYONIMMUNIZATIONDATACOLLECTIONANDSHARING. Howeverthatneverhappened.
https://leg.colorado.gov/sites/default/files/documents/audits/1676p_-_cdphe-it.pdfhttp://www.leg.state.co.us/clics/clics2014a/csl.nsf/fsbillcont3/94D61307D2B5926387257C360075EBCB?open&file=1288_enr.pdf
1. OITmanagementstatedthatitdoesnothavesufficientresourcestofullymanageallCDPHEapplications.
2. OITmanagementrepresentedthatOITdoesnothavesufficientprogramlevelknowledgetomanageallitfunctions.
3. OITlacksformalizedprocessestoimplementCISPSandHIPAArequirements.
4. CDPHEmanagementstatedthatitwasnotawarethatagency-widepolicyandproceduresmustadheretocurrentCISP.
5. CDPHEpoliciesandproceduresarenotperiodicallyreviewed.
SecurityConcerns– WhyDidTheseProblemsOccur?
Theauditoragrees,asnotedwithinthebodyofthisreport,thatCDPHEmaintainsitisnotrequiredtoadheretoHIPAA,butreiteratesthattheagencyendeavorstomaintainHIPAAcompliance inpracticegiventhesensitivenatureofthedateentrustedtotheagency.Therefore,thesensitivedatainCDPHEsystemsareatanincreasedrisktoexposurethatviolatesHIPAArequirementsifformalizedprocessesdonotincludeHIPAArequirements.Additionally,itshouldbenotedthattheGovernor’sOfficeofInformationTechnologyagreedtotherecommendationtomaketechnicaldatabasechangestomeetHIPAArequirementsasnotedintheresponseforrecommendation7aoftheconfidentialreport.
https://leg.colorado.gov/sites/default/files/documents/audits/1676p_-_cdphe-it.pdf
LegislativeTimeline
1992HB1208Trackingsystemcreatedforinfantsupto24months.Grantfunded.
1998HB1210Addednewplacesinformationcouldbegatheredfromforthetrackingsystem.
2000HB1023Governorvetoesopt-outbyfamiliesonthebasisofreligion.
2001HB1134Expandedtoallagesofchildrenandstudents.Addedopt-outforallages.Cannotdirectlycontactparents.Noticeofopt-outtoparents.FederalFunding.
2005SB05-87AllowsdirectcontactofparentsbyCDPHEorcontractor.RequiresreviewofimplementationtoevaluatetheeffectofCIISonCOimmunizationranking.
2007HB1347Expandedtrackingsystemtoincludeadults.Removedperformancereview.StateGeneralFundsallocatedtoCIIS.
2014HB1288Aggregatevaccineschooldata
2016HB1164CreatedexemptionformswithlargeamountsofPII.Failedtobecomelaw.
SurveillanceorCoercion?“Concernshaveincluded:• Thecollectionanduseofthedatabyhealthofficials;• thecreationoflistsofthosewhorefusevaccinations;• Theuseofclinicvaccinationratestoscoretheperformanceofdoctors;
• Theuseofsuchscorestofinanciallypenalizedoctors;andthepotentialrefusalofhealthplanstocoveranunvaccinatedorunder-vaccinatedindividual.”
PatientPrivacyandPublicTrust:HowHealthSurveillanceSystemsAreUnderminingBoth,2013
StrengthCIISservesvaccineproviderswithhighlyindividualizeddatafortargetedsales,inventory,reordering.
“CIISenjoysstrongsupportamongColoradovaccineproviders.”CIISEnvironmentalScan,2013,page6
WeaknessCIIShasnoconsumerprotectionfunctions.
CIIScostsmillionsofdollarsforredundantdatacollectedinaggregateatschoolswithbetteraccuracy&privacy.
OpportunitiesIIShasunderutilizedfunctions(section12)toidentifypatients&providerswhoreceivedarecalledvaccine,andfunctions(section13)fortraining,access,andsupportforinvestigatingreactionswithintheVaccineAdverseReactionsSystem(VAERS).ItislikelytheIncentivesfunction(section18)isindirectconflictwithreportingreactions.
ThreatsCIISisasecuritythreattosensitivedata&hascoerciveinterventionsfortargetingpeople.
“Confidentially”claimsareusedinamisleadingway,andmostpeoplewouldnotoptin.
PatientPrivacyandPublicTrust:HowHealthSurveillanceSystemsAreUnderminingBoth,2013
SWOTAnalysis
Thankyou.