Posts Tagged ‘HIPAA’

Prof. David Blumenthal, the new head of ONC, makes some disturbing comments regarding the Stimulus Bill, HIT and the HITECH Act in his article in the New England Journal of Medicine (NEJM). The article is not completely off-base, as he does a very good job of describing the basics of the HITECH Act, its intentions and some of the very real challenges that the feds face in actually executing on the language of the Act. But there are a couple of areas where Blumenthal’s interpretation of the Act raises concerns.

The first pertains to HITECH Act language regarding extension of HIPAA compliance to Google and Microsoft where he states:

It extends the privacy and security regulations of the Health Insurance Portability and Accountability Act to health information vendors not previously covered by the law, including businesses such as Google and Microsoft, when they partner with health care providers to create personal health records for patients.

At this time, neither Google nor Microsoft provides the PHR to a hospital that then provides it to its customers. Rather, the current model that both Google and Microsoft are using is one that supports portability of the consumer’s health record, allowing the consumer to invoke an export of their records from the hospital to one of these Personal Health Systems (PHS), provided of course that the hospital establishes a link to a PHS. Our interpretation is that in this scenario, HIPAA does not extend to Google or Microsoft, as the consumer drives the transaction of data flow. Hopefully, others in HHS will convince Blumenthal of this as well; otherwise, such HIPAA extensions may thwart portability and subsequently consumer engagement and ultimately control of their records.

The second Blumenthal comment that caught us off-guard pertained to the term “certified EHR” where he states:

ONCHIT currently contracts with a private organization, the Certification Commission for Health Information Technology, to certify EHRs as having the basic capabilities the federal government believes they need. But many certified EHRs are neither user-friendly nor designed to meet HITECH’s ambitious goal of improving quality and efficiency in the health care system. Tightening the certification process is a critical early challenge for ONCHIT.

While we certainly agree with Blumenthal that defining the critical terms of “certified EHR” and “meaningful use” is paramount and must be done quickly, yet judiciously, his views on certified EHR, as defined above, are downright frightening for two reasons.

First, he condones the work of CCHIT as certifying the minimum capabilities for EHR. Minimum capabilities? If anything, those minimum capabilities are already restrictive in defining use of specific standards and models that do not provide the flexibility for true innovation.

What is even worse though, is that Blumenthal appears to want to extend certification requirements to “user-friendly” and defining how “quality and efficiency” will be embedded within an EHR.

User-friendly? There is simply no way you can certify such – end of story.  Let the market define what is user-friendly by what a doctor or hospital chooses to purchase.

Quality? Maybe, just maybe you can ask for the simplest of quality metrics to be recorded within the EHR, but I highly doubt that is something you want to certify. Would it not be better to simply verify quality actions supported as part of meaningful use reimbursement?

Efficiency? That is certainly not something you can certify; it falls in the realm of implementation (process mapping/workflow) and training. You can’t certify that!

Suggesting that we tighten the certification process is heading in the wrong direction. Instead, we need to actually relax the certification process to encourage innovation in the HIT market, allowing developers to create solutions that will truly provide value to their users while concurrently meeting the broader objectives of delivering better care and better outcomes. Creating light certification criteria and focusing more on what outcomes we wish to see occur as a result of broad HIT adoption is where Blumenthal and his staff need to focus their energies. To do otherwise will lead to a stifling of innovation, stalled HIT adoption among physicians and ultimately a poor investment of the taxpayers’ dollars, which we can ill afford.

Read Full Post »

Got back late last night after a relaxing (at least mentally) trip out West, first to give a keynote presentation at LabInfoTech, and then on to Aspen, Colorado for some downhill skiing escapades and general romping in my old stomping grounds. (Spent most of my teenage years in Colorado Springs.)

Beautiful sunny days with temperatures on the mountain reaching 50+ degrees; that is scary warm for the mountains. Luckily, there was plenty of base, so the rocks only appeared on the steepest and most skied runs. I managed to avoid all the rocks – my skis were thankful.

While I skied the three major mountains of Aspen Mountain, Snowmass and Highlands, it was Highlands where I spent the majority of my time. A great mountain with breathtaking views that no camera can do justice and plenty of challenging runs. The highlight of the whole trip was the 35+ minute hike (in ski boots and skis on shoulder) up the ridge to the top of Highland Peak (~12,400 ft) to ski the Highland Bowl. The picture above is the view from the top. Did the amazing drop down the face of the bowl. One of those super steep runs where if you lose a ski, you’ll be walking a long time down to retrieve it. What a thrill!

On to the Healthcare Front & Some Quick Notes

The Obama administration appointed Harvard professor and policy wonk David Blumenthal as the new head of ONC. Had heard a rumor back in November that, like his Harvard compatriot David Cutler, Blumenthal was destined for a high-ranking position in HHS. This is a great appointment, as the new responsibilities of ONC, as defined in the ARRA, require a more visionary leader – Blumenthal fits that need.

A Modern Healthcare IT article incorrectly mentioned that the Mayo Clinic had put on hold any movement of consumer health data into HealthVault pending further interpretation of new HIPAA guidelines in the ARRA. As it turns out (direct communication with Microsoft), no such thing has occurred and all is proceeding ahead, as planned. While the author may have misquoted the Mayo spokesperson, there is broader concern in the industry regarding the extension of HIPAA to “business associates” and what exactly defines a business associate. The legislative language is unclear, leaving many to wonder how the new HHS administration will ultimately define this term. This could get tricky.

The small, innovative EMR company MIE (they are also parent of the PHR NoMoreClipBoard) won a modest-sized deal with the Internet giant Google to provide the EMR that will go into Google’s on-site clinics. Assume a big selling point was NMC’s existing relationship with Google Health. Will be talking to NMC later and have the full story tomorrow.

There is also a new iPhone app, iTriage, which looks interesting. Developed by a couple of ER docs, iTriage resembles a mash-up, combining a symptom checker with a doc finder, and even has a relationship with Teladoc for immediate, on-the-phone assistance. So far, the app is getting good reviews on the iTunes App Store, and for a mere $0.99 for the app, it looks like a good deal. Hope to talk to the founders within the week and have more to report.

In closing…

No matter where my travels take me, there is always someone (or many) I meet with a healthcare story of their own. Aspen was no exception.

It continues to surprise me just how many struggle with the current, archaic method that we use to interact with the healthcare system and receive care. When I tell them the type of research performed by Chilmark Research and the companies followed, there is almost universal awe and desire to use these new tools that are designed to assist consumers in managing their own health. Rarely does the issue of privacy and security come up. Far more often it is the desire to facilitate communication and manage simple transactional processes with the healthcare system. There is a pressing demand for such solutions among those I come in contact with, but few know of the existence of these new applications and services, outside of WebMD. Which raises the question: How will the small companies in the consumer HIT market gain the significant traction to become a truly global brand?

Read Full Post »

Shrinking Boundaries of Privacy

What happens when the grown child of an illegal immigrant (she has been in the US since toddler stage) goes to a health clinic and falsifies a Social Security number (borrowed from a friend) to receive pregnancy care? Well, authorities, in searching through a health center’s electronic records, found the discrepancy and arrested her. She is now facing a deportation hearing.

Yes, HIPAA does allow access to some forms of records for law enforcement, but this seems to be going too far.

The full story was broadcast yesterday on NPR.

Read Full Post »

While there has been no lack of security breaches in the healthcare sector, despite what many claim as the Holy Grail of privacy protection, HIPAA, there have been very few actual fines for HIPAA violations. Like any regulation, if it is not enforced with actual penalties, then very little will be done to correct the problems that exist today and ensure that the privacy of consumer health records is preserved.

Imagine my surprise when I saw this story that Providence Health out in Seattle would have to pay a fine for a number of security breaches that occurred at their facilities. Like most breaches of this kind, it took Providence far too long to let consumers know their privacy had been compromised. To make matters worse, Providence first stated that the theft would be harmless as the stolen tapes that held the records were not easily readable. A real case of foot in mouth when later, consumers started getting suspicious calls requesting Social Security numbers, credit card numbers and the like.

Quite a shameful state of affairs.

The fine levied against Providence was nary a slap on the wrist, despite the outlandish blunders on their part. Granted, it was one of the first times that any HIPAA enforcement action of this type has ever been taken, but if HHS is indeed serious about stemming such privacy breaches, they have to make the penalties sting. With Providence reporting revenue in 2005 of over $5.5B, the $100,000 fine represents a paltry sum indeed. Doubt it will even show up in their financial reporting.

Healthcare institutions of all sizes have, by and large, poor processes and business practices to protect consumer health records.  This will continue until the fines and potential bad publicity exceed the costs to actually change existing practices.

Applying HIPAA to non-covered entities will not solve the issue of consumer privacy protection for new services such as PHRs or Personal Health Systems (PHSs). What will address the problem is business risk. If, for example, Google had a privacy breach of Google Health, the bad publicity would be a huge blow to their efforts in this space. The same is true for others such as WebMD, Revolution Health, Microsoft, etc.

What is needed, and maybe something HHS should consider applying to HIPAA covered entities as well, is something similar to what Markle recently published: a privacy framework as part of their Connecting for Health initiative. The privacy framework not only discusses IT architecture and business process to ensure security, but also addresses the process by which consumers are notified if records are compromised.

Read Full Post »

There has been a lot of talk about extending current HIPAA regulations to address non-covered entities, particularly PHR vendors. Many believe that this is what is needed to preserve consumer privacy. There was even an article last month in the New England Journal of Medicine by the creators of the Dossia platform, Indivo, that unfortunately was taken out of context by some, including the New York Times (but not all), which continued to fan the flames for an extension of HIPAA. And of course, as long as those flames keep burning brightly, the traditional stakeholders in the healthcare market (especially providers and health plans), who are loath to have the consumer take more direct, personal control of their records, can sit back and continue to directly manage the consumer relationship without any pesky intermediaries (e.g., independent PHR vendors).

But HIPAA really doesn’t provide the protection that many in the press, privacy pundits and others claim. For example, how many consumers know that under HIPAA…

Health care entities are allowed, for fundraising activities, to release to business associates – without explicit individual authorization – certain demographic information, such as names, addresses and dates of treatment, but not information about health or health care.

Sure, they are not sharing medical records, but they could be sharing the information that I happened to be admitted to their psychiatric clinic (e.g., I went to MGH and ended up at McLeans), which I’m sure most would rather not share.

This clause was responsible for the data breach at UCLA Medical Center when they hired an outside firm to do a fundraising program. While having over 6,300 records exposed on the Internet was bad enough, what is even worse is that the breach was discovered on Oct. 9th but it was not until mid-April that UCLA thought: Hmmm, maybe we should contact all those people affected.

Six months to let someone know that their privacy has been breached! What’s up with that?

As I have written several times before, I am a strong advocate of consumer privacy of virtually any information that is personal, including medical records. I have also taken to task the PHR industry for their extremely poor record, as an industry, in developing clear standards (shall we even suggest a certification process) that will bring some consistency on privacy policies across this industry sector. So far, it seems to have fallen on deaf ears, as the research we conducted for our upcoming PHR Report found consistency across the industry to be nonexistent.

With no prompting of my own, at least that I am aware of, Microsoft’s HealthVault Group has been very clear on its privacy policies. They even went so far as to extend these privacy policies to all partners of HealthVault via their Terms & Conditions sheet. With some prompting, I was able to get Microsoft to go public with these terms. Recently, Sean Nolan, chief architect for HealthVault, put up a post further defining Microsoft’s perspective/policy as it pertains to HIPAA. He also provides a link to a very good overview of HIPAA and HealthVault that was put together by the HealthVault team and Microsoft’s legal team for the development community. All very good, proactive moves. Now, if I could only start seeing Google making similar pronouncements/announcements, and while I’m at it, how about Dossia as well. Neither of these two has been as proactive as Microsoft on the issue of privacy, and the market really needs more unity here.

Getting back to HIPAA.

First off, I am not against some federal oversight and policy direction as it pertains to personal health records. Right now, it is a bit of the Wild West as consumers take on more responsibility for managing their records and turn to PHR solutions. What I fear, though, is that taking a simplistic approach, “let’s extend HIPAA to cover PHRs,” will not solve the problem and truly protect the consumer. As the UCLA case above so clearly demonstrates, HIPAA does not provide the privacy that most consumers will want for their PHRs. Also, numerous reports and surveys have shown that while consumers are concerned with privacy, they believe that the benefits of digital records outweigh the risks.

So we are left with a situation where, first, HIPAA clearly does not provide the type of protection that most consumers believe they are receiving and, secondly, consumers are not averse to sharing information, but it is they who wish to choose who sees such information and not some third-party entity that makes that choice for them.

Simply extending existing HIPAA regulations to non-covered entities will not provide consumers with a sufficient level of privacy protection. In fact, it may have the perverse effect of giving a consumer a false sense of security.

Extending HIPAA is NOT the answer.

The answer will lie outside of HIPAA in a new policy construct that puts the consumer in more direct control of how their information is used via an “opt-in” process, e.g., “I choose whom I wish to see my data and to what degree of granularity that data is shared.” Yes, it will make many in the healthcare sector nervous, but they are going to have to get used to it, as this market will increasingly become consumer-driven and those consumers will want more control.

One last point (minor detail)…

While I may wish to choose with whom I share my records and at what level of granularity, that granularity issue is a sticky one. You see, most vendors’ PHR solutions do not have the data management capabilities built in to allow data tagging for sharing or sequestering record information at a granular level. For most, you either share all the data in your PHR, or none of it. PHR vendors need to “get on the ball” and start building this capability into their solutions. And consumers, you need to start asking PHR vendors if their platform supports such capabilities.
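The two points above, a consumer-driven opt-in that names who may see what, and the all-or-nothing sharing that most PHRs offer instead of category-level tagging, are easy to see side by side in code. The following is an added example written for this page, not code from Chilmark Research or from any PHR vendor. It assumes a hypothetical record model in which every data element carries a category tag and a hypothetical per-recipient opt-in consent; the sample record is constructed and its values are fictional.

```python
"""Consumer-directed, category-level PHR sharing versus all-or-nothing.

Added illustration; not a vendor's API. Assumes a hypothetical tagged-element
record model and a per-recipient opt-in consent (both assumptions).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class Element:
    """One data element in the PHR; `category` is the tag sharing decisions use."""
    category: str
    name: str
    value: str


@dataclass(frozen=True)
class Consent:
    """The consumer's opt-in for one recipient: the categories they chose to share."""
    recipient: str
    categories: FrozenSet[str]


# Constructed sample PHR (fictional values) mixing benign and sensitive categories.
SAMPLE_RECORD = (
    Element("demographics", "name", "J. Doe"),
    Element("demographics", "address", "1 Main St, Anytown"),
    Element("encounter", "treatment_date", "2008-03-01"),
    Element("encounter", "facility", "Psychiatric Clinic"),
    Element("medication", "rx", "sertraline 50 mg"),
    Element("lab", "hba1c", "5.4%"),
)


def share_all_or_nothing(record: Iterable[Element], consent: Consent) -> List[Element]:
    """How most PHRs behave today: any opt-in at all releases the whole record."""
    return list(record) if consent.categories else []


def share_granular(record: Iterable[Element], consent: Consent) -> List[Element]:
    """Opt-in sharing: release only elements whose tag the consumer selected."""
    return [e for e in record if e.category in consent.categories]


def overshared(record: Iterable[Element], consent: Consent) -> List[Element]:
    """Elements an all-or-nothing release would disclose beyond the consumer's
    opt-in. Running this before a release turns the gap into an auditable check."""
    record = tuple(record)
    allowed = set(share_granular(record, consent))
    return [e for e in share_all_or_nothing(record, consent) if e not in allowed]


def disclosure_summary(elements: Iterable[Element]) -> Dict[str, int]:
    """Per-category counts for a disclosure log entry. Values are deliberately
    omitted so the log itself does not become another copy of the record."""
    counts: Dict[str, int] = {}
    for e in elements:
        counts[e.category] = counts.get(e.category, 0) + 1
    return counts


if __name__ == "__main__":
    # The consumer lets a nutrition coach see lab results only.
    consent = Consent("nutrition-coach", frozenset({"lab"}))
    print("granular:      ", disclosure_summary(share_granular(SAMPLE_RECORD, consent)))
    print("all-or-nothing:", disclosure_summary(share_all_or_nothing(SAMPLE_RECORD, consent)))
    print("overshared:    ", [e.name for e in overshared(SAMPLE_RECORD, consent)])
```

With the lab-only consent, the granular path releases one element while the all-or-nothing path releases all six, including the psychiatric facility and the prescription; `overshared` lists exactly that difference, which is the question a consumer (or an auditor) should be able to put to a PHR vendor.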

Read Full Post »

Earlier today, I commented on Eli Lilly CEO Taurel’s request for greater adoption of HIT and subsequent sharing of aggregate, anonymous patient data to assist in identifying potential adverse drug events (ADEs).

Well, lo and behold, the latest issue of Government Health IT reports that a recent study found current HIPAA rules are making it more cumbersome for researchers to do epidemiological studies.

Looks like it may be a long slog to achieve Taurel’s vision.

Read Full Post »