Privacy News

This site aggregates news feeds from several national and international health IT news sources.

 

John Glaser, CIO of Partners Health Care, speaks with David Harlow about health IT and meaningful use in a $7.9 billion health system

What does a large health system CIO worry about if his system is already fully up to speed in the day-to-day use of EHRs?  Using them in ways that improve communication of information across a diverse group of clinicians, and that enable the integration of additional interesting and useful data as time goes on -- such as the integration of genetic testing data into the diagnostic and treatment logic built into the EHR.

John Glaser explains how Partners uses its EHR system to leverage knowledge for the benefit of patients, and describes some of the ways in which decision support systems are being used today and may be used in the future.  

Tools in place at Partners now:

[T]here is for example a monthly report put out on dozens and dozens of quality measures and they are coded red, yellow, green depending where we are relative to the national benchmarks and that . . . allows us to focus on areas that do need some attention.  In addition to that you can use the systems like CPOE or the EHR to introduce logic at the time of care, so to make sure that an order is a safe order or that an overdue health maintenance activity has been noted and followup is occurring.

...

[L]argely at this point focused on cancer . . . we do have decision support that says before you order this chemotherapeutic agent you should run this genetic test because that will tell you whether the agent will or will not be successful.  We do have a piece of software called the patient genome explorer which sits right beside the results viewer for chemistry results, and this allows you to look up genetic test results and understand the ramifications for the patient you are treating.

Glaser acknowledges the difficulties that may be faced by smaller provider organizations in gearing up to meet the meaningful use criteria related to EHR implementation, but notes that for him, there is no separate ROI calculation for implementation of these tools, saying

I mean, what’s the ROI of email? Beats me but, nonetheless, few of us could get through a day without it.  At other times the ROI is quite tangible because you could say golly, we are cutting real costs here or making real revenue.  At times the outcome is tangible - it may not always be expressible in terms of dollars.  You can, but that’s not the point. . . .  So I think we will see a return broadly speaking . . . .  I think at the end of the day it is one of those things which you say listen, this is a given.  It is hard to imagine that we would sit here today and say if ten years from now we ran our health care system on paper that would be okay or a good thing.

The Partners team has the luxury of being able to spend significant time on R&D, and Glaser says that

we do have some people who are looking at different techniques to be applied to putting a layer of logic on top of complex and idiosyncratic data coming in, and teasing out that sort of data. So, for example, if you know that there are, let’s say, 200 notes [in a patient's EHR, entered by a variety of clinicians] and that the patient is being seen by a cardiologist, you just have the system be able to identify that subset of notes that appear to have a bearing on the consultation in question and being able to categorize those notes for the doctor, so that he or she can say jeez, of the 200, there are five that are related to prior cardiac events, there are four that are related to what appear to be cardiac procedures . . . to help to filter through and surface that subset of note, or other data, which appears to be the most salient.  So we are learning.  We are trying a bunch of different techniques to figure out how to do that.

And a final note on meaningful use: The transcription service I use (which is based in India) rendered "interoperability" as "entrapped ability" in the first draft of the transcript -- an unwitting bit of wry commentary on the need to unlock the potential of EHRs through the kind of broader thinking shared in today's interview.  I think you'll find it to be an interesting read or listen. 

The audio file of my interview with John Glaser (about 25 minutes long) is available for download/podcast.  A full transcript is at the end of this post (and in the linked John Glaser, CIO, Partners Health Care, HealthBlawg interview transcript).

David Harlow
The Harlow Group LLC
Health Care Law and Consulting


HealthBlawg :: David Harlow’s Health Care Law Blog
Interview of John Glaser, CIO of Partners Health Care

March 3, 2010

David Harlow:  This is David Harlow at HealthBlawg, and I have with me today John Glaser, the CIO at Partners Health Care in Boston.  Hello John, thank you for joining us.

John Glaser:  It’s a pleasure, David.

David Harlow:  So Partners Health Care - for those of you who are not familiar with it - is an organization that includes ten hospitals, 7000 physicians, 45000 employees.  Have I got that right, John, more or less?

John Glaser:  Yes, you do.

David Harlow:  And John has been the CIO at Partners for quite some time.  He’s also been acting as an advisor to the ONC on implementation of the HITECH Act since last spring.  We’ll try to steer clear of government-related issues today and focus on issues at Partners.  So John, moving beyond the numbers, how would you describe Partners Health Care and what it means to be CIO of Partners?

John Glaser:  Well, Partners Health Care has got a couple of attributes.  One is it’s large, so we’ve got another number to put in there, it’s about 7.9 billion in revenue and in addition to its hospitals and extensive array of outpatient clinics, physician practices and 90 key facilities, it’s a very large, very complex organization.  It’s also quite academic given its two founders [Massachusetts General Hospital and Brigham and Women’s Hospital, both of which are major teaching affiliates of Harvard Medical School].  So it has tremendous resources, tremendous talent, some world class organizations, and using those assets it can be a challenge at times to line everybody up and have the organization move in a concerted direction. I guess that’s true of all large organizations, although we certainly feel that at Partners. And while that can be difficult at times, the fact that there is such talent, and there is such a commitment to the mission of care, research and education makes it worthwhile and enables us to accomplish - from time to time - some very remarkable things.

David Harlow:  Would you say that things have gotten easier as the association has lasted longer, or more complex as it’s grown larger? You’ve been with the organization quite some time now and I was wondering how things have changed over the years.

John Glaser:  Well I have been for quite some time. I’ve been the CIO since 1995 and so that’s a little over 15 years.  And prior to that, CIO at the Brigham for another seven years, so 22 plus years in the family as a whole.

So I think it’s very clear that as the organization has matured and has begun to understand how to work together, that it is more effective at working together, bringing together very disparate organizations, large AMC’s, small community hospitals, for example, bringing together people who may or may not have a track record of working together.  So it is better at moving as an integrated system than it has been in years past.

On the other hand, the challenges it has to address have become more significant so there are greater cost pressures today than there were ten years ago and there are greater quality pressures than there were ten years ago.

The pace of medical innovation and events are more significant. As our community of clinicians and others have become more experienced with the technology, they also become more demanding and more sophisticated.  So the demands and the expectations are higher and have been paralleled by a growing ability to work together as a collective.

David Harlow:  So going back to a couple of things that you said specifically, I’m wondering if you could tell us, how does the health information technology function within Partners help to enable the organization to deal with some of these issues - whether it’s adherence to quality measures; whether it’s dealing with payment issues - and, how does your function, your part of the organization’s function integrate with the clinical function?

John Glaser:  Well, there are a number of ways in which we try – and, at times, succeed - in helping Partners address these challenges.  At times we take processes and make them more efficient and save money in addition to having those processes work faster, be less error-prone, etc.

By providing data that comes out of the EHR, the organization’s in a much better position to look at variations in care practices and identify those practices that are more efficient than others, that are of better quality than others.  I actually have the data to assess quality and to then deal with that variation in whatever manner it chooses to do so.  So the fact that you have clinical data, and data that also brings along the cost component of that clinical data, allows us to look at where we need to do some work, where we don’t.

So there is for example a monthly report put out on dozens and dozens of quality measures and they are coded red, yellow, green depending where we are relative to the national benchmarks and that again allows us to focus on areas that do need some attention.  In addition to that you can use the systems like CPOE or the EHR to introduce logic at the time of care, so to make sure that an order is a safe order or that an overdue health maintenance activity has been noted and followup is occurring.

So through the transactions systems one has the ability to carry out a lot of the guidance and recommended care that comes out of the data activities.  So there is a series of analysis capabilities and transaction capabilities that help address this complicated mixture of cost, quality and safety.  But also in addition to that is the ability to adapt.  So for example it’s fairly clear in the next several years - 3 to 5 for example - genetic testing will be increasingly a larger component of health care because of our greater understanding of your genetic makeup and how it guides treatment decisions, or what disease you really have.

And so the ability of systems to adapt and to capitalize on advances in medical care, to capitalize on advances in care models such as the medical home or accountable care organizations, and also capitalize on the gains that new technology can bring - that we are trying to make sure that our infrastructure and applications are able to move as the collective environment moves.

David Harlow:  Now I understand a few years back you established together, Partners established together with Harvard Medical School a center for genetics and genomics and is this what you are talking about, is this informing some of the care management, is there genetic testing data that’s included in patient profiles that can be used to guide clinical services?

John Glaser:  Yeah, we formed several years ago what is now called the Partners Center for Personalized Genetic Medicine, and it has two major roles.  One is to facilitate research into the genomic basis of disease or treatment variability.  So for example if you are clinically depressed and given an SSRI, it works well a third of the time, medium well a third of the time and not at all a third of the time, and so helping investigators determine whether there’s a genetic underpinning to that.

So we’ve learned a lot and this will help accelerate research into how genes contribute to our disease and our treatment success for example.  In addition to that, that is also not only because of the advances themselves but the knowledge of how do you store genetic test results and what does genetic decision support look like, how do you present genetic test results to the clinician.  It’s begun to make its way into the clinical systems, largely at this point focused on cancer, but we do have decision support that says before you order this chemotherapeutic agent you should run this genetic test because that will tell you whether the agent will or will not be successful.  We do have a piece of software called the patient genome explorer which sits right beside the results viewer for chemistry results, and this allows you to look up genetic test results and understand the ramifications for the patient you are treating.

David Harlow: Is there an overlay now with the GINA legislation on top of HIPAA in terms of privacy requirements and protection requirements, encryption, others, relating to genetic information that’s on the system or does HIPAA deal with that sufficiently?

John Glaser:  Well, there are clear genetic privacy ramifications for all of this and it gets complicated.  I will give you two examples.  If a genetic test were to say that you or I were at great risk of a debilitating form of dementia, one would say, well, I ought to keep that private, because of – for lots of different reasons.

On the other hand, a genetic test result that says you will be a slow metabolizer of sulfa drugs, you might say -- jeez, I’m less worried about loss of job or loss of insurance based on that. But I do want my doctor to know because I do want to make sure they don’t inadvertently overdose me on a particular drug.  So genetic test results actually span the gamut of those which are highly sensitive to those which I think most people regard as no more sensitive than a blood potassium reading.

And given that, nonetheless, what we have decided to do is to treat any genetic test result as being in the same category as the most sensitive data and so this is HIV data, this is mental health data - we treat that and provide both the policy procedure the consenting processes for example but also the IT controls over that type of data that we would - I think perhaps society may evolve to the point where it categorizes genetic data into different forms or buckets of sensitivity.  But until that’s the case, we will treat it as the most sensitive.

David Harlow:  So you’re not looking to get patient consent to disclose certain types of genetic information like for example the way you would…

John Glaser:  Yeah just as you would on any sort of highly sensitive set of data.

David Harlow:  Okay.  One area of interest at Partners is the electronic health record and the use of electronic health records over time, which, I understand, is a home grown system.  Is that right?

John Glaser:  Yes -  the bulk of our, we have approximately 4200 physician users of our outpatient EHR, 85% use the homegrown version and 15% use a mix of GE and a couple of other systems that have been in place for quite a while.

David Harlow:  And what would you recommend, having had the experience with both?  What words of wisdom would you have for other providers who are looking at implementing EHR systems in this era of HITECH incentives?

John Glaser:  Well I think these systems, whether you build them yourself or you buy them from the market - and most people buy them from the market, and most people should buy them from the market - these are a challenge to get in place.  They are very invasive to the workflow and so a physician, or a nurse practitioner or any other health care professional who now is documenting on them, writing orders on them, reviewing results, - it’s very invasive.  It’s not something that is kind of off to the side.

And as a result there is a great deal of demand for systems that have a lot of strong features, functions, but also are very usable and quick.  It requires that workflow be understood, changed if necessary and that includes where do you place printers and things like that. It requires a good deal of training and some strong support, and I think practices who undergo this should be prepared for several months - and it seems to vary at least in our practices, sometimes it’s as long as six months, sometimes it’s short as two months - where there is a form of disruption and people just getting their feet wet and getting oriented to this.  So there are a lot of demands on the systems, there are a lot of demands on the implementation process and the workflow change process and there are a lot of demands on support, and obviously there are a lot of demands on the practice who goes through this.  Nonetheless once you get through that we have never had any clinician of any form say I wish I could go back to paper.

They clearly see that the care is better, that there have been some efficiencies gained, there’s been some challenges.  Sometimes it takes longer to do certain tasks.  But nonetheless it is a journey that is - both from the care perspective and the cost of care overall but also the ability of the providers to say I’m practicing good medicine, must be able to say that.  So I think it is a hard journey but it is a worthwhile journey that the federal government incentives recognize the importance of us collectively moving in that direction.

David Harlow:  Part of the issue is the interoperability, the opportunity for free exchange of data from one provider’s electronic health record to another, to be able to follow a patient across care settings.  Given the size and the scope of the Partners network, I’m wondering how important the development of RHIOs and health information exchanges are to Partners? Are patients who are seen within the Partners’ network receiving all of their care within the network?

John Glaser:  No and I think that some networks are more closed than others; the VA, Kaiser, are more closed than others. For example, almost 50% of our referrals – remembering we’re academic at our core - come from physicians outside of Partners. So we have extensive movement of people in and out of Partners, some stay within the Partners community but a lot don’t.

So I think this notion of exchanging data is critical, and it runs a sort of a gamut, it runs a gamut of giving the referring physician access to the core institutional systems, to the gamut of the movement of a structured transaction - maybe it’s an operative note, maybe it’s a set of chemistry results - from one system to the other.  At times we have clinical affiliations which are very strong and we wind up with shared scheduling systems, shared email systems and much more extensive integration and interoperability.

So I think the basic rubric of putting out standards and encouraging the exchange is a very important set of activities.  It creates parallel issues, it creates issues of making sure that the privacy and the security steps necessary are put in place, because we now have different privacy and security challenges when this occurs.  It also places a challenge on the providers who now may be going into their EHR and seeing lots and lots of data from lots and lots of other providers and saying holy smokes, I have a brief period of time with this patient, but I have 200 notes and 180 of them are not mine.  How do I wade through these and determine which ones are the most important? So a knowledge management function, and a decision support function, and a set of guidance using all of the above, might help the physician zero in on the most clinically relevant - becomes a challenge.  So there is, there is great gain to be had. It does bring some parallel challenges that we still need to address.

David Harlow:  Have you seen some movement in the direction of being able to wade through those kinds of notes, the kind of volume of notes there might be from outside providers, any sort of knowledge management systems that you are using or that is on the market today?

John Glaser:  Well, I don’t know about on the market.  We are, as an IS group, unusually academic in our approach - about 15% of our staff are funded by federal grants or through industry partnerships to explore leading-edge topics in healthcare IT and they run the gamut from what is known as telemedicine, to genetic medicine, to knowledge management – things like that.

But we do have some people who are looking at different techniques to be applied to putting a layer of logic on top of complex and idiosyncratic data coming in, and teasing out that sort of data. So, for example, if you know that there are, let’s say, 200 notes and that the patient is being seen by a cardiologist, you just have the system be able to identify that subset of notes that appear to have a bearing on the consultation in question and being able to categorize those notes for the doctor, so that he or she can say jeez, of the 200, there are five that are related to prior cardiac events, there are four that are related to what appear to be cardiac procedures.  So anyway to help to filter through and surface that subset of note, or other data, which appears to be the most salient.  So we are learning.  We are trying a bunch of different techniques to figure out how to do that.

David Harlow:  On a related note, some of the tools and products that have been on display at HIMSS this week or announced at HIMSS this week down in Atlanta – I’m wondering whether there are categories or particular types of tools coming out of that conference and from the exhibitors there that are of particular interest to you, something that catches your interest?

John Glaser:  Well, I was at HIMSS for only a day and I was only briefly on the exhibit floor so I didn’t get a chance to see what was going on.  I think in general obviously the major topic is the federal stimulus funds and how to address those.  So I think tools that invariably help providers to meet those meaningful use requirements or the standards and particularly help the smaller physician practice, the smaller hospital, which have very low adoption rates and have in general, not entirely but in general, not been as well served by the market as the larger organizations as technologies that are directed there are of great interest.  Anyway I didn’t have a chance to personally see a whole lot of the exhibit floor.

David Harlow:  Fair enough. What would you identify now as areas of opportunities as well as areas of challenge in adopting not only EHRs but also other health information technology tools across the health care spectrum?  Maybe speaking from your experience within Partners but also as you mentioned looking at some of the smaller providers which is where I think collectively we’re hoping there will be greater adoption.

John Glaser:  Well I think broadly, and across the country, we still have the challenge of getting higher adoption rates and now meaningful use of those technologies so those of you folks listening to this know the rates as well as I – but they’re low.  So that challenge which has been with us for a while, it’s still with us, and perhaps we’ll have a series of factors that will cause us to pursue it more aggressively and I think in particular, as has been mentioned before, it’s the smaller provider organizations which need the most innovative approaches to the delivery of these systems in helping those patients, and remembering that two-thirds of all of outpatient visits occur in physician practices of three or fewer docs. That’s where the bulk of care occurs in the US. So there is - that challenge is going to be with us for quite some time - several years.  And all that implies - the difficult work of implementation and some of the comments mentioned earlier.  In addition to that it is also clear that there are some opportunities emerging or at least will be different as result of broad adoption of interoperable electronic health records. One is itself the management of interoperability at scale, protection of privacy, the assurance of standards, helping docs deal with large volumes of information. And so there will be a series of things we’ll have to do and understand this is when you have interoperability at scale, what gain really occurs but also what challenges are present or revealed that we still need to develop tactics and tools to deal with.

The other is that there is a clearly going to happen or beginning to happen now, large accumulations of data about patients which can be used for comparative effectiveness research, clinical research, post-market surveillance of medications and devices, public health surveillance, etc.  And I think we have a lot to learn about how to manage that data, not only the protection of privacy but also how to distill patterns out of data which is often conflicting, noisy or incomplete.

The third area - we still have a lot of ground to cover - is how best to engage patients; we use the technology to engage patients - personal health records, personally-controlled health records, a lot of targeted applications where you can measure your blood sugar or your blood oxygen saturation, or whatever it might happen to be - people with chronic disease; we have a lot to learn there.

So lots of promise there but still relatively small levels of adoption and very limited understanding of how much of a contribution this will make to the management, let’s say, of a chronic disease, or the gradual improvement of health.  So there are a couple of big areas.

I guess one other big area is - if we have large bases of knowledge or decision support across wide ranges of systems - is managing this knowledge base.  A knowledge base of rules or order sets or templates, it is now quite sizable, which changes from time to time.  And I think one of the factors of our growing knowledge of the relationship between the genome and our health is whatever volume of decision support rules you think there are now – it’s going to go off the charts as that becomes increasingly incorporated into medical practice, so how best to manage that knowledge base and to ensure that it’s effective remains a daunting challenge.

So, as we address the core one, getting these systems in place and used well, and broadly looking at a series of challenges coming up that will result from the broad use of interoperable electronic health records.

David Harlow:  Do you see a direct correlation between the advances in the systems and the return on investment, if you will, or is this just part of the infrastructure that has to be in place in the future? Is this just like you need to have a telephone, you need to have this…

John Glaser:  Well I think it’s a combination of things. One is technology at the end of the day is a tool and, per se, guarantees no ROI and you see that in some of the studies they’ve done or sometimes great gains in patient safety have occurred, sometimes they haven’t, and sometimes the organization runs more efficiently and sometimes it doesn’t.

So we have very variable outcomes and partly because it’s not the tool that delivers the outcome, it’s the way that it is implemented and how effective it is.  So we will continue to see that because again it is at the mercy of the skill of change management and leadership and a wide variety of other things so, given that, we also recognize that the nature of the return is really diverse, at times it is very intangible - I mean, what’s the ROI of email? Beats me but, nonetheless, few of us could get through a day without it.  At other times the ROI is quite tangible because you could say golly, we are cutting real costs here or making real revenue.  At times the outcome is tangible - it may not always be expressible in terms of dollars.  You can, but that’s not the point.  So if you are, if you deliver safer care, you can certainly measure the dollars there but those aren’t really the measures that people are focused on - or improved service.

So I think we will see a return broadly speaking - realizing how tangible or intangible, how dollarizable or not dollarizable it is, to the sort of settings in which it’s delivered.  I think at the end of the day it is one of those things which you say listen, this is a given.  It is hard to imagine that we would sit here today and say if ten years from now we ran our health care system on paper that would be okay or a good thing.

I think there are very few people who would stand up and try to carry that argument forward - at a face validity level, and at an empirical level, it just doesn’t make sense.  So I think the basic idea that if we really want to make extraordinary gains in the care in this country you have to have this foundation in place.  The foundation doesn’t guarantee it but it’s hard to imagine that you would accomplish it without it.

David Harlow:  Well, thank you very much.

John Glaser:  My pleasure.  I hope this is interesting and informative, and I appreciate the time.

David Harlow:  It certainly is.  I’ve been speaking with John Glaser, Chief Information Officer at Partners Health Care in Boston on implementation of health information technology and the improvement of health care. Thanks again, John.

John Glaser:  All right. Thank you, David.
Read more [HealthBlawg - David Harlow's Health Care Law Blog]

EMR/EHR vs. PHR, ad nauseam

Mainstream media still don't get it. Personal health records and electronic health records/electronic medical records are not the same thing. Yet, on the agenda for next month's annual Association of Health Care Journalists conference is a panel entitled "Personal electronic medical records: What will consumers need to know?"

The meeting is here in Chicago next month, but I already have plans to be out of town. I'm debating whether to change those plans to attend this meeting, because there are some sessions that could be of value to me. I may want to go just to be a voice for reporting on health IT. The lack of focus on health IT was what made me quit AHCJ four years ago.

Every time I see the phrase, "electronic personal health records," my blood boils. Last time was this Dec. 2, 2009, article in something called eSecurity Planet that erroneously said the federal stimulus was paying for "electronic personal health records." I used this story as an example for a yet-to-be-published piece I've written for Reporting on Health, a project of the USC Annenberg School and California Endowment Health Journalism Fellowship.

For the record, I define an EHR as, at least in theory, a comprehensive digital collection of information about an individual’s health and medical status that encompasses multiple care settings. EMR means a record tied to a single facility or organization. The two phrases often are used interchangeably, and I think that's OK for now.

A PHR, to me, is a record that patients can view, update and control access to. It is a subset of an EHR, not a synonym.

Read more [Neil Versel's Healthcare IT Blog]

Missouri State Senator Wants Docs to Invade Patients’ Privacy

Meet Tom Dempsey, a threat to the privacy of women in Missouri. State Senator Dempsey recently introduced a bill, SB 792, that would have doctors invade their patients’ privacy and require doctors to try to give patients information that supports his religious agenda even if the patients do not want it. Emphasis added by [...]
Read more [Personal Health Information Privacy]

Enabling Smarter Healthcare

The following is a guest post from Lonne Jaffe, Director, Public Sector Solutions, IBM Software

This Smarter Health video describes some of the benefits of connecting electronic medical record systems with each other and with other healthcare software systems. Technology like the IBM Health Integration Framework that brings all these systems together can enable a better patient experience, improve treatments, lower costs, and allow scientists to confidentially use data for disease research. That’s health information working together.

As healthcare software becomes more sophisticated, security and privacy remain a priority. IBM helps protect patient information and helps healthcare organizations comply with government privacy regulations while achieving the extraordinary benefits of smarter healthcare.


Read more [HealthNex]

OCR Update on Issuance of HIPAA HITECH Rulemaking

Update from Office for Civil Rights (OCR) on issuance of the Notice of Proposed Rulemaking (NPRM) implementing changes to HIPAA under the Health Information Technology for Economic and Clinical Health Act (HITECH). Health care organizations and health lawyers have been anxiously awaiting rules implementing and interpreting the changes because the effective date for many of the HITECH requirements was February 17, 2010. Of particular interest has been whether or not health care organizations are required to amend business associate agreements.

The notice seems to indicate that the date for compliance and enforcement may be delayed since it states that the NPRM "will provide specific information regarding the expected date of compliance and enforcement." However, covered entities and business associates need to weigh the risks of not complying with the new requirements while waiting for further clarification from OCR.

The notice states:
OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act. These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information. OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions. Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.

However, interim final rules implementing HITECH Act provisions in two areas have already been issued and are currently in effect: enforcement and breach notification. New civil money penalty amounts apply to HIPAA Privacy and Security Rule violations occurring after February 17, 2009. Covered entities and business associates must comply now with breach notification obligations for breaches that are discovered on or after September 23, 2009. OCR announced previously that it would use its enforcement discretion not to impose fiscal sanctions with regard to breaches discovered before February 22, 2010. Since that date has passed, OCR will enforce the Breach Notification Interim Final Rule, including with the possible imposition of sanctions, as it does with the HIPAA Privacy and Security Rule requirements.

Read more [Health Care Law Blog]

Patient Loses Privacy Claim Against Doctor

Jeff Gorman reports: A doctor did not violate a patient’s privacy by telling her case workers that she needed to stop taking prescription drugs, the Tennessee Court of Appeals ruled. Teresa Gard suffered a back injury on the job and sought treatment from Dr. Dennis Harris. However, Harris stopped seeing Gard after watching a surveillance video of her [...]
Read more [Personal Health Information Privacy]

Prescriptions found on street spark probe

Ontario’s privacy commissioner is investigating after thousands of medical prescriptions were found blowing around on a street in Gatineau last week. The prescriptions date from 1994, and they contained personal information about patients who used to be clients of what used to be Nelson Drugs on Main Street in Old Ottawa East. The prescriptions ended up on [...]
Read more [Personal Health Information Privacy]

AU: Health identifier function creep threatens data privacy says Coalition

Kareen Dearne reports: The Senate Community Affairs committee has recommended passage of the controversial Healthcare Identifiers Bill, despite the minority Coalition members calling for amendments to ensure patient privacy and prevent personal identifiers being turned into a national identity regime. Last night, the committee recommended developing a plan to introduce the scheme over the next two years, [...]
Read more [Personal Health Information Privacy]

AU: Privacy dominates Senate e-health inquiry

Ben Grubb reports: Over the last two days a Senate inquiry has delved into the government’s plans to roll-out a 16-digit national healthcare identifier for the majority of Australians, with the main obstacle many parties saw to implementation still being privacy. The inquiry will hand in a report next week which will help inform debate in the [...]
Read more [Personal Health Information Privacy]

5 hospital workers get jobs back in privacy case

Chris Moran reports: Five of the 16 employees fired by the Harris County Hospital District in November after being accused of violating patient privacy laws have been reinstated. The firings were the fallout from October, when Dr. Stephanie Wuest, a first-year Baylor College of Medicine resident assigned to Ben Taub General Hospital, was shot in a grocery [...]
Read more [Personal Health Information Privacy]

(update) Pathologists sue ex-WDH employee fired over privacy breach

Adam D. Krauss updates us on developments related to allegations concerning a breach at Wentworth-Douglass Hospital (previous news stories here): The former Wentworth-Douglass Hospital pathologists who claimed the hospital retaliated against them over a patient privacy have sued an ex-WDH employee who was fired over the matter. In paperwork filed today at Strafford County Superior Court, Drs. [...]
Read more [Personal Health Information Privacy]

Marijuana Use by Seniors Increases; Medical Record Implications

There's no surprise in this news. People who began to use marijuana as their recreational drug of choice in the 1960's and 1970's have continued this habit as they age. This has led to an emerging "drug problem" for seniors (see: Marijuana use by seniors goes up as boomers age). I use quotes here because I am not sure that a problem actually exists, but read on. Below is an excerpt from the article:

The number of people aged 50 and older reporting marijuana use in the prior year went up from 1.9 percent to 2.9 percent from 2002 to 2008, according to surveys from the Substance Abuse and Mental Health Services Administration. The rise was most dramatic among 55- to 59-year-olds, whose reported marijuana use more than tripled from 1.6 percent in 2002 to 5.1 percent. Observers expect further increases as 78 million boomers born between 1945 and 1964 age. For many boomers, the drug never held the stigma it did for previous generations, and they tried it decades ago....The drug is credited with relieving many problems of aging: aches and pains, glaucoma, macular degeneration, and so on. Patients in 14 states enjoy medical marijuana laws, but those elsewhere buy or grow the drug illegally to ease their conditions. But there's also the risk that health problems already faced by older people can be exacerbated by regular marijuana use. Older users could be at risk for falls if they become dizzy, smoking it increases the risk of heart disease and it can cause cognitive impairment, said Dr. William Dale, chief of geriatrics and palliative medicine at the University of Chicago Medical Center.

I personally don't make a major distinction between alcohol and marijuana use despite the fact that the latter habit, at least for recreational use, is illegal in most states. Given the admitted use of marijuana by 5.1% of adults in their 50s, several issues come to mind. For example, should marijuana use be recorded in a patient's medical history along with alcohol use if the patient volunteers the information? I think that the answer to this question is probably yes. Given that many patients will either not volunteer such information or grossly underestimate their use of alcohol or marijuana, should physicians surreptitiously test for alcohol or recreational drug use if they suspect that it is occurring? The answer to this second question, in most cases, is no. It's an inappropriate intrusion into patient privacy.

This discussion leads us to a final question. Clearly, excessive and long-term abuse of alcohol can lead to serious medical problems such as debilitating liver failure and death. For a patient who presents with bleeding esophageal varices, it's critical to determine the etiology for the end-stage liver scarring. I am not sufficiently knowledgeable about the long-term consequences of marijuana to know if it is associated with any chronic diseases. I searched the web for "chronic marijuana use" and "disease" and was underwhelmed with the results. I am therefore not convinced that there is a compelling reason to document marijuana use in the medical record even if the information is volunteered. To say that such patients are at risk for falls, as noted in the excerpt above, isn't saying much. This applies to most geriatric patients as does the chance of cognitive impairment. Some readers might want to take issue with this opinion.


Read more [Lab Soft News]

links for 2010-03-09


Read more [FutureHIT]

Privacy commissioner questions security of health records after doctors die

Jennifer Graham of the Canadian Press reports: Gary Dickson has seen abandoned medical records turn up in some pretty bizarre places in his time as Saskatchewan’s privacy commissioner – mouldy basements, drafty Quonset huts, vacant buildings. He argues that more needs to be done to protect sensitive, personal health information left behind when a doctor retires [...]
Read more [Personal Health Information Privacy]

Leveraging EMR Data to Develop Disease-Based Registries

This is my other presentation at HIMSS 2010. One of the real values of EMRs is the secondary use of the data for research. While respecting patient privacy, this kind of research can be rapidly developed from EMR data. We recommend the following steps:

  1. define the cohort of patients you want to study/monitor
  2. define the data elements you want included
  3. review and verify data elements with subject matter experts
  4. set up a regular interval to extract the data
  5. generate some test queries to verify the process
  6. monitor the use of the data (ongoing governance)

Our initial experience with a Chronic Kidney Disease registry has been a success. We recommend that research issues be considered in any purchase and implementation of an EMR.


Read more [eHealth]

Major deficiencies in VCHA’s Primary Access Regional Information System – report

The Office of the Information & Privacy Commissioner of British Columbia has released its review of the electronic health information system set up by the Vancouver Coastal Health Authority known as the Primary Access Regional Information System (PARIS). From the Executive Summary: The electronic health record system at Vancouver Coastal Health Authority (“VCH”) known as the Primary [...]
Read more [Personal Health Information Privacy]

Kaiser official defends security practices for veterans health data

Alice Lipowicz reports: In the last several days, I have read a news article and a blog post that raise questions about Kaiser Permanente’s privacy and security policies regarding the medical records of its patients — including the records of about 450 veterans participating in a Kaiser/Veterans Affairs Department health data exchange pilot program in San [...]
Read more [Personal Health Information Privacy]

Second IEEE Workshop on Interdisciplinary Research on E-health Services and Systems

Call for papers
Second IEEE Workshop on
Interdisciplinary Research on E-health Services and Systems

IREHSS 2010
June 14, 2010: Montreal, QC Canada

PAPER SUBMISSION EXTENDED DEADLINE: 6 March, 2010
************************************************************
(Edited for length please see website)

In the last few years advances in wearable computing, bioengineering, wireless sensors networks, mobile devices and wireless communications have paved the way to new definitions of e-health systems, moving from original telemedicine systems to the integration of existent specialized medical technologies with pervasive technologies. However, even more work on this area is needed to obtain significant results in improving the Quality of Life of patients and reducing medical errors and costs. First of all, a strict interaction and cooperation among medical specialists and ICT experts is necessary to define correct requirements for e-health systems. Then, in order to effectively design and deploy reliable E-health systems, a strong cooperation among several diverse research areas of ICT is necessary (i.e., bioengineering, wearable sensors, wireless communications, data fusion and processing, decision support systems and others). This is fundamental to make E-health systems a reality, satisfying main requirements of reliability and effectiveness from all the involved perspectives.

IREHSS aims to provide a forum for the interaction of experts belonging to these different research areas, from wearable computing and ubiquitous connectivity to context-awareness, sensor data fusion, artificial intelligence, expert systems, databases, security and privacy. The main objective is to provide a forum for the interaction of these multiple areas as an important chance to discuss and understand what aspects have to be considered to provide effective E-health systems.

Authors are invited to submit papers presenting new research related to E-health, not published or currently under review for another workshop, conference, or journal.

Areas of interest include, but are not limited to:

  • Wearable and Implantable sensors for healthcare
  • Wireless communications in healthcare
  • Service and device discovery
  • Data fusion and context elaboration
  • Privacy and security issues in healthcare
  • Middleware for e-health
  • Energy Efficiency in health monitoring
  • Artificial intelligence and expert systems
  • User interface, usability and acceptability of e-health systems
  • Healthcare applications for clinicians
  • Home monitoring and ambient assisted applications for healthcare
  • Power Management and energy-efficient design in Wireless Body Area Networks
  • System architecture and networking protocols for e-health systems
  • Medical data analysis, measurements and management
  • Modeling and performance evaluation
  • Semantic Web in Healthcare
  • Standards and frameworks

Paper submission for regular papers must be limited to 6 pages including text, figures, references and appendices. They should be organized in IEEE proceedings format, with a font size of at least 10pt. Papers exceeding the maximum length of 6 pages will be automatically rejected. The IEEE LaTeX and Microsoft Word templates, as well as related information, can be found at the IEEE Computer Society website:
http://www.computer.org/portal/site/cscps/index.jsp .

The submission will be entirely managed through EDAS (http://edas.info/N8548).

Important Dates:

Papers registration EXTENDED: March 3, 2010
Papers submission EXTENDED deadline: March 6, 2010
Acceptance Notification: April 5, 2010
Camera Ready deadline: April 20, 2010.

See http://www.irehss.org/irehss2010/ for additional information or contact the workshop organizers at irehss2010-chairs at iit.cnr.it .

Publicity Chair:
Eleonora Borgia, IIT-CNR, Italy

Additional links:

Journal of NeuroEngineering and Rehabilitation (JNER, http://jneuroengrehab.com )

IEEE Int. Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM 2010)
Read more [Hodges' Model: Welcome to the Quad]

Lesson for Hospitals and Health Care Providers: Photos of Shark Bite Victim

Martin Memorial too mum: Hospital staff violated privacy of shark victim, an article from the Palm Beach Post. The article highlights the impact ubiquitous mobile devices with cameras are having on our society and the potential liability risks associated with the use/misuse of these devices by health care employees.

The article indicates that various hospital employees took photos of a shark bite victim when he arrived in the emergency room. The article discusses the action taken by the hospital in response to the incident. Another article indicates that the photos were emailed to others.

This type of situation is a nightmare for hospital administration, the privacy officer and legal counsel. The effort and investigation that likely went into figuring out who took photos, where those photos went and the procedure for recapturing/removing the photos from the various sources was time consuming and expensive (both in $$ and reputation) for the hospital.

As such, this incident provides a good example for training and reeducating health care employees on patient privacy issues. Health care employees and professionals must always remember to start from a framework of protecting the health and privacy of their patients. As the use of mobile devices with cameras and social media tools becomes more ingrained in our everyday lives -- the ability for private information to be captured, transferred and spread in a viral fashion has become much easier. Caution must be used and this case highlights the importance of retraining staff and highlighting the importance of protecting your patient's privacy.

Read more [Health Care Law Blog]

File-Sharing Software Potential Threat to Health Privacy

The personal health and financial information stored in thousands of North American home computers may be vulnerable to theft through file-sharing software, according to a research study published online in the Journal of the American Medical Informatics Association. [...] El Emam’s CHEO team used popular file sharing software to gain access to documents they downloaded from a [...]
Read more [Personal Health Information Privacy]

Medical Files Left in Recycle Bins

Tisha Thompson reports: A visit to the doctor’s office is supposed to make you feel better, from a sore throat to wheezing and coughing. But some patients are now feeling sick to their stomachs after FOX 5 uncovered a serious threat to their privacy. This story started after a viewer contacted us concerned about what he found on [...]
Read more [Personal Health Information Privacy]

AU: Medicare privacy breaches ‘only the beginning’

Carly Laird reports: Revelations that Medicare employees are being investigated for spying on customers’ personal information have renewed fears from privacy advocates that healthcare staff cannot be trusted. As the Federal Government works to bring in a national identity scheme for patients, around 400 cases have emerged of unauthorised snooping on people’s private records over the past [...]
Read more [Personal Health Information Privacy]

HITECH Law Blog

A warm welcome to fellow AHLA member and health law blogger, Kathie McDonald-McClure.

I just ran across her blog, HITECH Law Blog. She focuses the blog on health information technology, privacy and security and the blog was named after the HITECH Act. Looks like a great addition to the health law blogosphere.

Ms. McDonald-McClure is a member of the Health Care Services Team at Wyatt Tarrant & Combs, LLP in Louisville, KY.

Read more [Health Care Law Blog]

New HIPAA rules shine light on remote access controls

The new rules on HIPAA breach notification, which became enforceable Feb. 17, and the related, tougher penalties for privacy and security violations, mean healthcare organizations and business associates alike need to be more vigilant about data security. A common source of data breaches, and an area where hospitals need to tighten up security, some experts say, is remote access to networks.

"There is spotty, inconsistent application [of remote-access controls], especially when using personally owned computers," John Parmigiani, a security consultant who wrote the proposed HIPAA security rule, tells AIS Health's Report on Patient Privacy.

"I have had clients compliant with regards to remote access, but they are in a minority," adds Sean Lee, a senior auditor for HIPAA consulting firm Apgar and Associates. "The biggest mistake I see people making is transmitting PHI unencrypted over an open network," such as the Internet.

Covenant Health, Knoxville, Tenn., is addressing security by being selective about who is granted remote access. Those who are approved are limited in the type of data they can view remotely and receive a fob that generates a one-time password each time they log on to the network. Remote users are prohibited from downloading or printing data sent over the network, except in limited circumstances.

For more strategies to safeguard data for remote access:
- read this Report on Patient Privacy story


Read more [Fierce Health IT News]

Check Those Business Associate Contracts

Many covered entities have not yet updated their business associate contracts to reflect new privacy and security provisions under the HITECH Act, according to Mary Rita Hyland, vice president of government relations at The SSI Group Inc., a claims clearinghouse and revenue cycle management software vendor.


Read more [Health Data management Online Current News]

GE healthymagination.com ad depicts discomfort with loss of privacy

Aha! I’ve been waiting to find this on the Internet and thanks to MesoRx, I’ve found it: I agree with Millard Baker completely. Every time I see that ad run on TV I wonder if GE realizes that its ad backfires somewhat. Yes, it demonstrates the virtue of having one’s medical records available [...]
Read more [Personal Health Information Privacy]

FL: Hospital report out on shark victim photos

Bryan Garner reports: Martin Memorial completed an internal investigation regarding a privacy breach involving Stephen Schafer, a victim of a fatal shark attack on Feb. 3. [...] Martin Memorial officials received a tip that hospital employees and possibly others took cell phone pictures of Schafer’s dead body and mailed them to others in violation of his privacy rights. [...]
Read more [Personal Health Information Privacy]

Feds Seek Input to Develop Privacy Guidance

The Department of Health and Human Services' Office for Civil Rights will host a workshop on March 8-9 to solicit input as it develops guidance for de-identification of protected health information.


Read more [Health Data management Online Current News]

Ninth Circuit addresses “actual damages” under the Privacy Act

I posted this yesterday to PogoWasRight.org but then it dawned on me today that since this involved medical information, I should have posted it here, too: A new ruling from the Ninth Circuit in Cooper v. FAA addresses the meaning of “actual damages” in the Privacy Act. The case arose when federal agencies shared information [...]
Read more [Personal Health Information Privacy]

Ca: Alarming breach in privacy investigated at London school

An armload of personal documents — health records and criminal record checks among them — was found carelessly tossed out by a private vocational school in London, an alarming breach of security, the school’s director says. The bulk of the documents included criminal record checks, transcripts, diplomas, doctors’ notes, immunization and vaccination forms, health card numbers [...]
Read more [Personal Health Information Privacy]

Ca: Health records held for fee after doctor quits

Saskatchewan’s privacy commissioner and the province are investigating a Regina woman’s complaint that she’s being forced to pay to access her health records after they were shipped out of province when her doctor closed her medical practice. [...] A Docudavit spokesperson told CBC News that the doctor did the right thing by shipping the records away so [...]
Read more [Personal Health Information Privacy]

HIPAA enforcement: Business Associate Agreement rulemaking needed first - time to plan ahead

After learning of comments on HIPAA enforcement made by a member of the HHS OCR legal staff at an ABA meeting on health care issues, I contacted him directly. Adam Greene confirmed that HITECH Act changes to HIPAA rules regarding business associate agreements will be implemented through standard notice and comment rulemaking, noting that this has been OCR's public take on the issue. Thus, a notice of proposed rulemaking will be published "shortly," followed by promulgation of a final rule after a comment period. Even though the statute calls for the BAA provisions to be effective this month, they clearly will not be. The breach notification and penalty provisions are already the subject of an interim final rule, so they are in effect.

As I wrote several months ago,

"business associates" under HIPAA are now required to implement policies and procedures to maintain privacy and security of PHI, parallel to those that have been required of "covered entities" under HIPAA since the beginning. All business associate agreements and notice of privacy practices (NPPs) will have to be updated to account for the new requirements before February. Health care providers that wish to distinguish themselves should consider revising their NPPs to highlight the ease with which they will make copies of records available to patients. This is a bone of contention for many patients, and ensuring that patients' rights to their records are easily exercised could be a way to build goodwill among patients and potential patients.

Thanks to Bob Coffield for pointing to the post on the ABA meeting and raising the question.

I urge all covered entities and business associates to take heed of these new requirements and begin planning now for implementation of the soon-to-be-released regulations. Don't sit back and end up being made an example of by OCR (e.g., with a million-dollar fine) or by a state attorney general. Contact the HealthBlawger now.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Read more [HealthBlawg - David Harlow's Health Care Law Blog]

Charlie Sheen’s Wife In New Rehab, Plans Suit

Brooke Mueller, Charlie Sheen’s wife, is in a new rehab facility and she plans to sue the one she just left for allegedly violating her privacy … TMZ has learned. Brooke’s lawyer, Yale Galanter, tells TMZ, “Brooke was forced to leave The Canyon rehab facility because of the security breach.” As TMZ first reported, someone from [...]
Read more [Personal Health Information Privacy]

NZ: Hospital sacks employee over accessing files

Greer McDonald reports: A Hutt Hospital employee has been fired for accessing patient files without legitimate reasons. A report prepared for Hutt Valley District Health Board revealed three staff members at the hospital were investigated for potential privacy breaches in October and December. Acting chief executive Michael Hundleby said two breaches were upheld while in the third [...]
Read more [Personal Health Information Privacy]

AIS Report on Patient Privacy: Analysis of Willful Neglect Under HITECH

Recently I was interviewed for a story focused on the changes to the HIPAA civil penalty enforcement under the HITECH Act.

The article, Willful Neglect Is Difficult to Pin Down, but Can Result in Enormous HIPAA Penalties, appears in the Report on Patient Privacy: Practical News and Strategies for Complying with HIPAA, Volume 10, Number 2, February 2010, published by Atlantic Information Services, Inc. (AIS). The article discusses the definition and interpretation of "willful neglect" under the HIPAA penalty provisions. Health care privacy officers should find this article helpful in better understanding their role and responsibility in overseeing privacy compliance efforts.

The full story was reprinted on AIS Health Business Daily website.

Read more [Health Care Law Blog]

Pritts Named ONC Privacy Officer

Joy Pritts, an assistant research professor at Georgetown University's Health Policy Institute, has been named chief privacy officer in the Office of the National Coordinator for Health Information Technology.


Read more [Health Data management Online Current News]

New Model BA Agreement Available

The North Carolina Healthcare Information and Communications Alliance has released a revised model of its Business Associate Agreement that reflects changes in the HIPAA privacy and security rules under the HITECH Act within the American Recovery and Reinvestment Act.


Read more [Health Data management Online Current News]

Obama budget calls for more funding for ONC, comparative effectiveness

The Office of the National Coordinator for Health Information Technology would get a $17 million funding boost, to a total of $78 million, under the Obama administration's budget proposal for fiscal year 2011. This includes $4 million for ONC "to identify consumer perspectives on consumer e-health tools and the development of patient decision aids; anticipate and mitigate unintended consequences of the electronic exchange of health information; and support state governments as they implement their HITECH grants," InformationWeek reports.

In total, the White House is asking Congress for $110 million in funding to bolster health IT policy coordination and research across federal agencies as part of an $81.3 billion budget request for the Department of Health and Human Services. Other proposed HHS funding for health IT includes $32 million for the Agency for Healthcare Research and Quality for patient safety initiatives, $1.6 million in the Office for Civil Rights to establish "regional privacy advisors" and $1 million "for independent evaluation of EHR adoption and economic factors influencing health IT" within the Office of the Assistant Secretary for Planning and Evaluation.

Also included in the proposed HHS budget is an additional $286 million for comparative effectiveness research, on top of the $1.1 billion allocated over three years as part of the American Recovery and Reinvestment Act, which Obama signed into law a year ago next week.

Meanwhile, the departments of Defense and Veterans Affairs stand to receive $2.8 billion for health IT next fiscal year under the proposed federal budget.

For more:
- read this Healthcare IT News story
- see InformationWeek's take on this news
- check out this NextGov piece on DoD and VA health IT funding
- have a look at this Computerworld article on general federal health IT spending


Read more [Fierce Health IT News]

IBM to purchase Initiate Systems

IBM, which long ago abandoned plans to develop an electronic medical record, is making a deeper push into health information exchange by agreeing to acquire Initiate Systems. Privately held Initiate produces software to manage data integrity and create master patient indices for the purpose of sharing electronic health information.

Terms of the deal were not disclosed, though the two companies say they have been collaborating for about five years.

"This is all about growth and synergy," Arvind Krishna, general manager of information management at IBM, said, according to the Chicago Sun-Times. Initiate's president and CEO, Bill Conroy, said that "IBM's vision meets ours to get to [a global] scale quickly."

A master patient index is a subset of a general IT function called master data management, and InfoWeek reports that several IBM competitors have been beefing up their MDM offerings recently. Initiate Systems offers a "strong and proven" platform for data integration and "best-in-class data de-duplication, security and privacy," one analyst wrote, according to InfoWeek.

For details:
- read this IBM press release
- see this InfoWorld story for a broader perspective
- take a look at this Chicago Sun-Times piece for a local angle on Initiate Systems

Related Articles:
Rural La. hospitals launch HIE
IBM offers $2B in financing for federal HIT projects
SPOTLIGHT: IBM creates health analytics center


Read more [Fierce Health IT News]

HIPAA Harm Threshold Works, Say Providers

Dom Nicastro reports: HHS’ “harm threshold” standard in its interim final rule on breach notification will prevent healthcare organizations from overwhelming patients with unnecessary breach notification responses, according to providers who work with privacy and security. At the 18th annual National HIPAA Summit Friday, Judi Hofman, CAP, CHP, CHSS, privacy/information security officer for Cascade Healthcare Community [...]
Read more [Personal Health Information Privacy]

HHS promises transparency, but only after getting caught


A lot has been made about President Obama's repeated promises to run the most transparent administration this country has ever seen. Obviously, the administration still has a lot of work to do.

The Office of the National Coordinator for Health Information Technology last week announced that it would be making public the deliberations of the various workgroups of the Health IT Policy Committee and the Health IT Standards Committee. In a press release, ONC said it would webcast all workgroup meetings at http://healthit.hhs.gov. "In addition, audio files [.mp3] of [HIT Policy Committee and HIT Standards Committee] meetings and the workgroup meetings will be available on the ONC website within 24 to 48 hours following the conclusion of each meeting. A draft transcript of the meetings will be available within 5 to 8 business days," ONC says.

Meanwhile, CMS announced that it would make public the comments it receives about the proposed rules for "meaningful use" of health IT. (CMIO has a nice summary of comments through last Wednesday.)

Great stuff, right? Open government is good. The problem is, this sudden transparency seems to be a direct response to the Policy Committee's workgroup on privacy and security being caught by another publication holding a closed-door meeting Dec. 8, the very same day the White House issued a directive on open government. For weeks, the administration stonewalled the reporter in his attempts to find out why the meetings were closed.

A follow-up story about federal officials standing firm ran on Dec. 23. That happened to be the same day ONC chief Dr. David Blumenthal, who oversees the committees in question, wrote on his blog about a "commitment to transparency." Ah, the irony.

Let's hope last week's announcements really mean the process of awarding some $20 billion in federal subsidies for health IT really will be transparent and not just empty political rhetoric. Let's also hope that HHS isn't hiding anything else from us. And let's celebrate the power of the press to keep politicians honest. - Neil


Read more [Fierce Health IT News]

SPOTLIGHT: Tougher penalties for HIPAA violations

Federal civil monetary penalties for HIPAA privacy and security breaches are about to go up, to as high as $1.5 million, thanks to provisions in the HITECH section of the American Recovery and Reinvestment Act. The new rules take effect Feb. 17, the first anniversary of the passage of the stimulus legislation. Under the new rules, penalties will vary based on whether or not the violation was willful. Fines for willful neglect will start at $10,000, compared to $100 for more benign cases. FierceHealthcare


Read more [Fierce Health IT News]

HIPAA complaints decreased significantly in 2009

Dennis Melamed provides monthly HIPAA complaint statistics based on reports by the HHS Office for Civil Rights (OCR). It seems that not only did breach reports in general decline in 2009 relative to 2008, but privacy and security complaints to HHS also declined. Melamed reports: OCR received 7,116 complaints in 2009, a sharp decline from the [...]
Read more [Personal Health Information Privacy]

Group Therapy

Here’s an example of where patients knowingly give up privacy in exchange for more information that can help them in their struggles… Ronnie Bachman reports: The day that Dave deBronkart learned he had Stage 4 kidney cancer, his doctor handed him a prescription slip. On it, he’d scribbled ACOR.org. Within 11 minutes of submitting his first post [...]
Read more [Personal Health Information Privacy]

The Cost of Fear | Why Docs Don't Embrace Technology (Dr. Rob)

I recently read a post on Dr. Rob's Musings of a Distractible Mind blog on the barriers to adoption among primary care providers and their consultants. I found it very insightful. It opens with a description of an interaction between Dr. Rob and a consultant, in which he offers to exchange information via email and is met with silence followed by a polite refusal. He goes on:

This is a typical reaction I get from my colleagues when I suggest using the new-fangled communication tool called email.  The palms sweat, the speech stumbles, and the awkwardness is thick in the air.  It’s as if I am suggesting they join me in an evil conspiracy, or as if I am asking them to join my technology nerd cult.  There is a culture of fear in our healthcare system; it’s a wall against change, a current of stubbornness, a root of suspicion that looks at anything from the outside as a danger.  Instead of embracing technology, doctors see it as a tool in the hands of others intent on controlling them.  They see it as a collar on their neck that they only wear because others are stronger than them.

via distractible.org

Email, Fax, and HIPAA

Comments on the blog suggested that the objections might be based in part on security concerns. The consultant may prefer fax over email as a better way to protect patient privacy.

Sadly, many folks think that faxes are somehow encrypted and therefore secure, but they are not. Their advantage over email in this respect is that faxes contain image data, which would be harder to mine for useful information than the plain text of most email. Transmitting HIPAA PHI in either is a violation of the HIPAA Security and Privacy Rules.

There are ways of encrypting both fax and email transmissions. The former requires a commercial product of some sort, the latter either a commercial solution or arcane and cumbersome freeware technologies.

It seems like a better approach would be a shared system that uses HTTPS for all communication. GMail can do this, and HTTPS is now GMail's default transport layer for its user interface, but whether or not communication with any remote mail system is secure is situation-dependent and opaque to the sender and receiver. It is unclear whether the GMail databases are HIPAA Security compliant. Our Health System uses Groupwise for internal communications, which is encrypted both in transport and storage, with all storage maintained inside the data centers and behind the firewalls of the covered entity.

PHR systems like Google Health and Microsoft HealthVault offer another alternative. In both cases the information is "owned" by the patient, who must grant access explicitly to others; all inter-system communication over public channels is encrypted. DOD's MiCARE system (http://bit.ly/dlz2iW) interfaces with both PHRs, providing relatively painless and secure sharing of health information between and among primary, secondary, and tertiary care providers, consulting clinicians, and non-clinical care providers. The only catch is that the patient must trust the MiCARE system to identify, authenticate and authorize external systems that need to read from or write to the PHR.

Whether Google Health and HealthVault are truly secure is an open question. I have found no explicit assertion from either that their back-end databases are encrypted, though both employ extensive physical and administrative controls at their data centers. Not providing any details of their technical controls (e.g. encryption of databases) is probably wise, since any information at all would be potentially useful to hackers. Still, an assertion that the back-end databases are encrypted would be appreciated by patients and by liability-sensitive providers accessing their systems.

The Real Issue

All that said, the most substantive objections to the use of email in the minds of healthcare providers are probably social and psychological rather than legal or technical. Use of email may be perceived as a slippery slope to being lured or compelled into more extensive IT adoption. Primary care physicians in particular are late adopters of technology, and with the lack of emphasis on usability in many systems currently available, it is difficult to blame them for their reluctance in this regard.

I recently sat through a vituperative diatribe from a family physician whose employer adopted one of the major EMR provider's systems over a year ago, and she stated that the system actively interfered with her ability to provide care. Her objections were multiple, but most prominent were twofold.

First, the system demanded excessive navigation due to an inflexible and poorly designed user experience and information architecture, leading to a severe reduction of direct contact with the patient and broken concentration. Second, the system overwhelmed her with prompts and reminders she had long since determined were irrelevant for a given patient. The system provided no way to suppress them, which she was told was due to liability issues.

Another physician I overheard in the YMCA locker room was lamenting the fact that computerization had led to a requirement that he spend more than half of what had previously been his lamentably small amount of free time on nights and weekends updating the EMR. This was in his view better than attempting to use the EMR system in situ.

I know there are many success stories in primary care EMR adoption. Dr. Rob is one of them, and I personally know of a number of others, including my own family physician. The Federal initiative to computerize primary care is laudable, even though the road ahead will be rocky for some time to come.

Hopefully the systems that end up dominating the primary care EMR marketplace will succeed based on usability, quality, and workflow flexibility rather than on company name. The enterprise-system vendor offerings in the primary care arena tend to be dumbed-down, check-the-box knockoffs whose designers seem oblivious to the unique and highly variable requirements of primary care clinics and practices. Which vendor(s) will succeed, and on what basis, and with what ultimate effect on the public health, only time will tell.


Read more [FutureHIT]

Privacy questioned after Weyburn woman receives inmate’s psych file by mistake

Pamela Cowan reports: It isn’t the first time confidential patient information has ended up in the wrong hands via e-mail — but Saskatchewan’s privacy commissioner says safeguards can be low-tech and simple. He was commenting after the office of his federal counterpart launched an investigation into how a Weyburn woman received a detailed and confidential psychiatric assessment [...]
Read more [Personal Health Information Privacy]

Data Privacy Day 2010

Today is Data Privacy Day. I’ve covered a number of events going on over on PogoWasRight.org, but I thought I would use today to mention an aspect of PHI privacy that I haven’t really blogged about here before: emailing your doctor. As a healthcare provider, I understand that my patients like the convenience of [...]
Read more [Personal Health Information Privacy]

Apple Daily: Breach of professional ethics

Y. L. Kao reports: A medical doctor in Taichung recently published an article that detailed information about a male-to-female sex reassignment surgical operation performed on Taiwan entertainer Li Ching. The doctor, who mentioned Li’s name in the article in a medical association journal, has been strongly criticized for an infringement of patient privacy. Divulging personal health information is [...]
Read more [Personal Health Information Privacy]

Siemens Brings HealthVault to Europe


Today, Siemens announced that it has struck a deal with Microsoft to create a German instance of the HealthVault platform to serve the citizens of Germany.  In a deal similar to the one that Microsoft struck with Canadian telecom, Telus, Siemens IT Solutions and Services (SIS) will re-purpose the base HealthVault platform to meet Germany’s legal framework for Personal Health Information (PHI) and seek German partners to create a rich ecosystem of data providers (insurers, providers) and apps/services to serve this market.

After a joint briefing with Microsoft and Siemens as well as interviews with three German software firms, SAP (one of the world’s largest enterprise software companies), ICW (healthcare IT infrastructure & PHR solutions) and careon (case/disease mgmt & PHR solutions), here is the scoop:

The Skinny:

Siemens SIS is 35,000 employees strong operating in 40 countries.  Siemens SIS serves a wide range of industries, from manufacturing, to finance and of course healthcare, which is one of its smaller markets, albeit showing strong growth.  In addition to a deep presence in Germany, Siemens SIS provides services to a number of other countries’ national healthcare programs – leading one to conclude that Germany may be just the first foray/country that this partnership will seek to serve.

This is an exclusive license between Microsoft and Siemens to serve the German market and both companies stated that this is a very long-term contract as it will take years to develop, deploy and gain traction.  Terms of agreement were not disclosed, but both companies will share in revenue generated.

Target market/business model is to sell the HealthVault service to potential sponsors that have a desire to improve care and disease management.  Likely candidates include payers and employers.  Hospitals are also a potential target market.

Service will go live in second half of 2010 and include the entire HealthVault platform, including Connection Center for biometric devices.  Existing HealthVault ecosystem partners with solutions pertinent to the German market will be included and Siemens is currently in discussions with many eHealth companies in Germany to on-board them as well upon formal launch of the platform later this year.

Agreement does not include Siemens’ healthcare software business (e.g. Soarian) or medical device (e.g., imaging systems).  This may come later, but nothing appears to be on the roadmap today.

This deal/opportunity is being driven by many of the same market changes occurring elsewhere (e.g., aging population, rising healthcare costs, etc.), and the migration from provider-centric care to consumer-centric care.

Impressions, Prospects, Challenges:

The German companies interviewed thought that Microsoft made a savvy move in partnering with Siemens as Siemens is a well-known and trusted brand in the German market, whereas they reported that there is some public distrust of Microsoft.  Siemens, with its extensive experience in the German healthcare market (one interviewee put Siemens’ HIT market share at 33% of the German hospital market), is also well-versed in the strict and highly regulated PHI privacy laws, which will assist in the creation of a secure, regulatory compliant platform to serve this market.  Siemens also has a reputation to uphold and will be quite cautious in ensuring the privacy and security of citizens’ PHI.

The deal also comes at a time of much turmoil in the German healthcare sector, particularly at the highest levels of government with the recent appointment of a new Health Minister, Philipp Rosler, who in one of his first acts, placed a moratorium on the German roll-out of eHealth cards and the entire “Connector” program upon which these healthcards were to be based.  Siemens, a one-time participant in the Connector program announced it would withdraw from the Connector program in September 2009 (note: Siemens started talking to Microsoft one month prior to pulling out of Connector – coincidence? Unlikely.).

According to those interviewed in Germany, the Connector program, despite enormous sums spent (estimates put it at ~$2.25B) was doomed from the start as it was “politically not doable” due to its top-down strategy (sounds like the US’s own NHIN), inability to move rapidly in response to market changes and extreme reluctance of physicians to support open transparency and exchange of patient records across Connector.  Similar to the US and the challenges RHIOs face, German physicians fear data liquidity of PHI may lead to loss of control of the relationship (he/she who owns the data, owns the relationship) and subsequently, potential loss of business.  Physicians reportedly also did not want to be burdened with the cost of card readers and on-ramping to Connector.

In Germany, all citizens have a right to obtain copies of their medical records and most payers provide incentives to physicians to encourage them to provide records to their patients.  In practice, however, the German software companies Chilmark interviewed universally stated that most consumers do not bother asking for their records and due to the aforementioned issues/concerns regarding transparency, few physicians encourage it.  Therefore, Germany also shares with the US a PHR market today that is very immature and requiring a significant amount of consumer education and physician adoption/engagement.  Siemens has a long road ahead.

Another challenge is Siemens’ lackluster track record in the consumer market.  Sure, they have made forays into consumer goods (e.g., phones) but by and large, this is a B2B company, not a B2C.  Granted, the intent of Siemens is to “sell” the HealthVault platform and its services to payers, employers and providers (a B2B model), but Siemens will need to think like a consumer to ensure that this HealthVault instance serves the need(s) of the average German or risk failure.

Microsoft may also find Siemens difficult to work with as this is a very large, complex organization with a myriad of interests in countless markets.  For example, SAP and Siemens spent tens of millions of Euros on a failed effort to more closely integrate the Siemens Soarian platform to SAP’s ERP platform via SAP’s Web Services platform, NetWeaver.  Will Microsoft run into a similar problem?  There is always that chance, though in this case less likely as this is not about tying two disparate systems and data architectures together, but more about providing an open platform (data repository) for a citizen’s PHI.  In Germany, HL7, V2.x is widely used and will likely be the standard by which clinical data will be imported into HealthVault.

While SAP does not have a direct play in the consumer eHealth market, both careon and ICW do.  careon and ICW welcome the announcement for they see it bringing much greater visibility to the market for consumer control of PHI and the tools to do such.  In the case of ICW, which has had its own intentions to be the “platform of choice” to serve the German market (they have an extensive capability to directly import biometric data from numerous devices – directly competing with HealthVault’s Connection Center), they certainly see this as a competitive threat, but claim that much like the car rental market, consumers/businesses like having a choice and they intend to be that second option.  For careon, this move by Siemens is warmly welcomed and they hope to become one of the leading ecosystem partners.  Currently, careon, through its solution suite, provides case management services for some 1.2M German citizens.  careon sees many opportunities to further leverage and extend their service offerings through a platform such as HealthVault.

The Wrap:

Microsoft is clearly the leader in the Personal Health Platform (PHP) market with Google Health fading into the distance. (Note: hard to compare HealthVault to Dossia as they each have very distinctive and not readily comparable operating models).

That is not to say that Microsoft is handsomely and profitably capitalizing on these initiatives.  The market in the US has been extremely slow to take off, their Canadian partner Telus has yet to formally launch the Canadian instance of HealthVault, Telus Health Space and as outlined above, the roll-out in Germany will have its share of challenges.  Gaining traction to support such initiatives requires patient money and it appears that to date, the head honchos at Microsoft have been willing to give Microsoft’s Health Solutions Group (HSG) a fairly long leash and the necessary resources to build-out this business.

But to be truly successful, Microsoft and its partners will need to look more closely at what consumers actually wish to do with their PHI, how they wish to interact with the healthcare system of their respective country and what are the dominant, valued services consumers seek. If one looks to success stories like Kaiser-Permanente’s MyChart, US consumers want transactional services (see their labs, make appointments, have eConsults, etc.) and today, none of these are readily supported on any of these PHPs.  What other transactional services might consumers use? We’ll leave that to Microsoft and its partners to figure out as each country will have its own nuances.

And let us not forget the sponsors (payers, employers & providers) who may offer the HealthVault service to their respective constituents.  These are the target markets for Siemens and Siemens’ ability to accurately price the service and demonstrate value to a sponsor is far from a done deal.  Proof points will be necessary and as we all know, proof points are extremely hard to come by in a new market/service offering requiring more an act of faith on the part of a sponsor than clear demonstrable metrics of return on investment.  In tight economic times such as these where companies are risk averse, this is a bold leap by Siemens and Chilmark will watch this roll-out carefully.


Read more [Healthcare IT: Analyst's Views]

Major HIPAA Breach in Las Vegas Hospital Investigated by FBI

There have always been rumors circulating in the hospitals where I have worked that unnamed clinical personnel were on the payroll of the medical malpractice lawyers in town. They would phone the firm whenever they learned that various types of trauma patients had been admitted to the hospital or when some medical error had occurred or been detected. Attorneys from the firm would then visit the patient and drop a business card. Obviously a very serious breach of hospital and patient confidentiality, if these rumors were true. Better documented, however, is the fact that most breaches of patient confidentiality that occur in hospitals are inside jobs. They are committed by hospital employees who have ready access to patients' physical or electronic medical records, at least in the units where they work. I recently came across an article about a serious HIPAA breach at University Medical Center, Las Vegas, where an investigation by the FBI is now underway. Below is an excerpt from it (see: UMC admits to prolonged patient privacy leak):

University Medical Center officials said Monday that personal information of traffic accident victims was likely leaked from its trauma center for more than three months, and stopped only after the Las Vegas Sun told the hospital about the breach. The hospital’s statement was the first acknowledgment that the leak of patient data was more widespread than it had previously said, and closer in time to what the Sun had reported. The breach had apparently been going on for months....The FBI is investigating because such leaks of patient data would violate the Health Insurance Portability and Accountability Act, better known as HIPAA, a federal law that guards patient privacy in health care facilities. UMC waited almost a month to notify patients about the leak of their personal information, and that of people who accompanied patients to the trauma center. UMC is offering the victims free credit monitoring services for a year, although there have not been any reports that the data have been misused....A source in the medical community had provided the newspaper with the documents. The source is several degrees removed from the leak at UMC and did not know exactly where the documents came from....Congress recently increased the penalties for HIPAA violations. A person who violates a patient’s privacy with the intent to sell information can be fined up to $250,000 and imprisoned for up to 10 years. The FBI launched an investigation into the leaks after the Sun told hospital officials Nov. 19 that it had come in possession of “face sheets,” the cover sheets that contain personal information about each case, such as Social Security numbers, birth dates and accident details and injuries sustained....

A few aspects of this case strike me as being quite odd. The first is that the hospital personnel waited a month to notify the patients about the security breach. I am sure that their excuse is that they were investigating the incident but this strikes me as too long a wait. The second is that the newspaper information source is described as being "several degrees removed from the leak at UMC and did not know exactly where the documents came from." My guess, on the basis of this hint, is that it may be a disgruntled employee of a local law firm who was poking around in some locked files. The third point is that the hospital is offering the "victims" free credit monitoring services for a year. This strikes me as a slightly disingenuous move on the part of the hospital executives. Certainly credit card fraud is on the mind of many consumers and patients these days. However, there are many easier ways for criminals to get their hands on social security numbers than pilfering face sheets of medical records. My sense is that whoever was behind this crime had a more lucrative goal in mind than buying a video game at the local Wal-Mart through identity theft. Make note of the fact that the hospital information leaks occurred in the hospital trauma center.


Read more [Lab Soft News]
