Long time (well, very long time) readers of THCB will remember my extreme frustration with Patient Privacy Rights founder Deborah Peel who, as far as I can tell, spent the entire 2000s opposing electronic health data in general and commercial EMR vendors in particular. I even wrote a very critical piece about her and the people from the World Privacy Forum who I felt were fellow travelers back in 2008. And perhaps nothing annoyed me more than her consistently claiming that data exchange was illegal and that vendors were selling personally identified health data for marketing and related purposes to non-covered entities (which is illegal under HIPAA).
However, in recent years Deborah has teamed up with Adrian Gropper, whom I respect, and seemed to change her tune from “all electronic data violates privacy and is therefore bad” to “we can do health data in a way that safeguards privacy but achieves the efficiencies of care improvement via electronic data exchange”. But she never really came clean on all those claims about vendors selling personally identified health data, and in a semi-related thread on THCB last week, it all came back. Including some outrageous statements on the extent of, value of, and implications of selling personally identified health data. So I’ve decided to move all the relevant comments to this blog post and let the disagreement continue.
What started the conversation was a throwaway paragraph at the end of a comment I left in which I basically told Adrian to rewrite what he was saying in such a way that normal people could understand it. Here’s my last paragraph:
As it is, this is not a helpful open letter, and it makes a bunch of aggressive claims against mostly teeny vendors who have historically been on the patients’ side in terms of accessing data. So Adrian, Deborah & PPR need to do a lot better. Or else they risk being excluded back to the fringes like they were in the days when Deborah & her allies at the World Privacy Forum were making ridiculous statements about the concept of data exchange.
Here’s Deborah’s first comment:
Continue reading “Is Deborah Peel up to her old tricks?”
Filed Under: THCB
Tagged: Deborah Peel, HIPAA, Matthew Holt, patient data, Patient Privacy Rights, Privacy
Nov 23, 2014
Dear ACO General Hospital:
Thanks for contacting me about my most recent blog post. I’m sorry to scare your administration about HIPAA information, but I am equally concerned about that and will always do my best to respect the privacy of my patients. At your request I hid even more of that information.
I know it’s kind of embarrassing to have that kind of thing made public, and I am overall grateful that you did not take it personally that I put the “transition of care” documents for all to see. My goal was not to embarrass or ridicule, it was to point out what our healthcare system is driving us all toward: replacing patient care with documentation. You are being encouraged by the system to produce those ridiculous documents, as they are part of the deal you accepted when you became “ACO General” in the first place.
Continue reading “Dear ACO General Hospital”
Filed Under: THCB
Tagged: ACOs, HIPAA, Rob Lamberts, Transition of Care
Nov 4, 2014
This story was co-published with NPR’s “Shots” blog.
In the name of patient privacy, a security guard at a hospital in Springfield, Missouri, threatened a mother with jail for trying to take a photograph of her own son. In the name of patient privacy, a Daytona Beach, Florida, nursing home said it couldn’t cooperate with police investigating allegations of a possible rape against one of its residents.
In the name of patient privacy, the U.S. Department of Veterans Affairs allegedly threatened or retaliated against employees who were trying to blow the whistle on agency wrongdoing. When the federal Health Insurance Portability and Accountability Act passed in 1996, its laudable provisions included preventing patients’ medical information from being shared without their consent and other important privacy assurances. But as the litany of recent examples shows, HIPAA, as the law is commonly known, is open to misinterpretation – and sometimes provides cover for health institutions that are protecting their own interests, not patients’.
“Sometimes it’s really hard to tell whether people are just genuinely confused or misinformed, or whether they’re intentionally obfuscating,” said Deven McGraw, partner in the healthcare practice of Manatt, Phelps & Phillips and former director of the Health Privacy Project at the Center for Democracy & Technology. For example, McGraw said, a frequent health privacy complaint to the U.S. Department of Health and Human Services Office of Civil Rights is that health providers have denied patients access to their medical records, citing HIPAA. In fact, this is one of the law’s signature guarantees. “Often they’re told [by hospitals that] HIPAA doesn’t allow you to have your records, when the exact opposite is true,” McGraw said.
I’ve seen firsthand how HIPAA can be incorrectly invoked.
In 2005, when I was a reporter at the Los Angeles Times, I was asked to help cover a train derailment in Glendale, California, by trying to talk to injured patients at local hospitals. Some hospitals refused to help arrange any interviews, citing federal patient privacy laws. Other hospitals were far more accommodating, offering to contact patients and ask if they were willing to talk to a reporter. Some did. It seemed to me that the hospitals that cited HIPAA simply didn’t want to ask patients for permission.
Continue reading “Are Patient Privacy Laws Being Abused to Protect Medical Centers?”
Filed Under: OP-ED, THCB
Tagged: Charles Ornstein, Deven McGraw, HIPAA, Hospitals, LA Times, patient information, Privacy, VA
Jul 24, 2014
At his yearly CEO summit, noted VC Vinod Khosla spoke with Google co-founders Sergey Brin and Larry Page (file under “King, Good To Be The”).
Towards the end of a wide-ranging conversation that encompassed driverless cars, flying wind turbines, and high-altitude balloons providing internet access, Khosla began to ask about health.
Specifically, Khosla wondered whether they could “imagine Google becoming a health company? Maybe a larger business than the search business or the media business?”
Their response, surprisingly, was basically, “no.” While glucose-sensing contact lenses might be “very cool,” in the words of Larry Page, Brin notes that,
“Generally, health is just so heavily regulated. It’s just a painful business to be in. It’s just not necessarily how I want to spend my time. Even though we do have some health projects, and we’ll be doing that to a certain extent. But I think the regulatory burden in the U.S. is so high that I think it would dissuade a lot of entrepreneurs.”
“We have Calico, obviously, we did that with Art Levinson, which is a pretty independent effort. Focuses on health and longevity. I’m really excited about that. I am really excited about the possibility of data also, to improve health. But that’s – I think what Sergey’s saying, it’s so heavily regulated. It’s a difficult area. I can give you an example. Imagine you had the ability to search people’s medical records in the U.S. Any medical researcher can do it. Maybe they have the names removed. Maybe when the medical researcher searches your data, you get to see which researcher searched it and why. I imagine that would save 10,000 lives in the first year. Just that. That’s almost impossible to do because of HIPAA. I do worry that we regulate ourselves out of some really great possibilities that are certainly on the data-mining end.”
Khosla then asked a question about a use case involving one of my favorite portfolio companies of his, Ginger.io, related to the monitoring of a patient’s psychiatric state.
Responded Page, “I was talking to them about that last night. It was cool.”
That pretty much captures Brin and Page’s view of healthcare – fun to work on a few “cool” projects, but beyond that, the regulatory challenges are just too great to warrant serious investment.
Continue reading “Google Co-Founders: “Thanks, But No Thanks””
Filed Under: Tech
Tagged: Calico, Coolness, Google, HIPAA, Larry Page, Sergey Brin, Vinod Khosla
Jul 8, 2014
Today, ONC released a report on patient matching practices and to the casual reader it will look like a byzantine subject. It’s not.
You should care about patient matching, and you will.
It impacts your ability to coordinate care, purchase life and disability insurance, and maybe even your job. Through ID theft, it also impacts your safety and security. Patient matching’s most significant impact, however, could be to your pocketbook as it’s being used to fix prices and reduce competition in a high deductible insurance system that makes families subject to up to $12,700 of out-of-pocket expenses every year.
Patient matching is the healthcare cousin of NSA surveillance.
Health IT’s watershed is when people finally realize that hospital privacy and security practices are unfair and we begin to demand consent, data minimization and transparency for our most intimate information. The practices suggested by Patient Privacy Rights are relatively simple and obvious and will be discussed toward the end of this article.
Health IT tries to be different from other IT sectors. There are many reasons for this, few of them good. Health IT practices are dictated by HIPAA, whereas the rest of IT is governed by either the FTC or the Fair Credit Reporting Act. Healthcare is mostly paid by third-party insurance and so the risks of fraud are different than in traditional markets.
Healthcare is delivered by strictly licensed professionals regulated differently than the institutions that purchase the Health IT. These are the major reasons for healthcare IT exceptionalism but they are not a good excuse for bad privacy and security practices, so this is about to change.
Health IT privacy and security are in tatters, and nowhere is this more evident than in the “patient matching” discussion. Although HIPAA has some significant security features, it also eliminated a patient’s right to consent and Fair Information Practice.
Continue reading “What You Need to Know About Patient Matching and Your Privacy and What You Can Do About It”
Filed Under: THCB
Tagged: Adrian Gropper, cyber attacks, HIPAA, HIT, ONC, patient matching, Privacy
Feb 21, 2014
Today, academic medicine and health policy research resemble the automobile industry of the early 20th century — a large number of small shops developing unique products at high cost with no one achieving significant economies of scale or scope.
Academics, medical centers, and innovators often work independently or in small groups, with unconnected health datasets that provide incomplete pictures of the health statuses and health care practices of Americans.
Health care data needs a “Henry Ford” moment to move from a realm of unconnected and unwieldy data to a world of connected and matched data with a common support for licensing, legal, and computing infrastructure. Physicians, researchers, and policymakers should be able to access linked databases of medical records, claims, vital statistics, surveys, and other demographic data.
To do this, the health care community must bring disparate health data together, maintaining the highest standards of security to protect confidential and sensitive data, and deal with the myriad legal issues associated with data acquisition, licensing, record matching, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Just as the Model-T revolutionized car production and, by extension, transit, the creation of smart health data enclaves will revolutionize care delivery, health policy, and health care research. We propose to facilitate these enclaves through a governance structure known as a digital rights manager (DRM).
The concept of a DRM is common in the entertainment (The American Society of Composers, Authors and Publishers or ASCAP would be an example) and legal industries. If successful, DRMs would be a vital component of a data-enhanced health care industry.
Giving birth to change
The data enhanced health care industry is coming, but it needs a midwife. There has been explosive growth in the use of electronic medical records, electronic prescribing, and digital imaging by health care providers. Outside the physician’s office, disease registries, medical associations, insurers, government agencies, and laboratories have also been gathering digital pieces of information on the health status, care regimes, and health care costs of Americans.
However, little to none of these data have been integrated, and most remain siloed within provider groups, health plans, or government offices.
Continue reading “Could Digital Rights Management Solve Healthcare’s Data Crisis?”
Filed Under: Tech, THCB
Tagged: Amanda Frost, Big Data, Carolina Herrera, data enclaves, David Newman, digital rights manager (DRM), EHRs, HIPAA, HIT, Stephen Parente
Jan 27, 2014
While there has been much focus lately on the ways in which ObamaCare is chilling the growth of private business, we should not overlook the continuing deleterious effects of the one surviving relic of HillaryCare, the Health Insurance Portability and Accountability Act (HIPAA). Quietly, September 23 came and went as the compliance effective date for a new rule, expanding the reach of HIPAA, and likely driving many smaller players out of the health care industry.
Spearheaded by then First Lady Clinton, HIPAA was established in 1996 to improve privacy of personal health information, referred to as protected health information, or PHI. It requires health care providers, known as “covered entities,” and their vendors, contractors, and agents with access to PHI, known as “business associates,” to comply with certain privacy standards under its “Privacy Rule,” and with certain security standards under its “Security Rule,” in order to protect sensitive health information that is held or transferred in electronic form.
Over the past decade, equipped with the noble aim of protecting our privacy, HIPAA has successfully demonstrated the power of the law of unintended consequences. Improved protection of PHI has been marginal. However, HIPAA has impeded communication among physicians, reduced physician time devoted to patient care, and deterred medical research. And all at an enormous cost of compliance. While estimates vary widely, the cost of compliance for many providers has been in the millions.
Now, rather than take heed, the government has decided to double down through expansion. Under the Health Information Technology for Economic and Clinical Health Act (HITECH), a corollary of HIPAA, promulgated to create incentives to facilitate the development of healthcare information technology, the government has sought to update the requirements of HIPAA in light of the changing dynamics of technology and health practices, increasing the safeguards and obligations of health care providers and their business associates.
Continue reading “Another Law Raising the Cost of Health Care”
Filed Under: OP-ED, THCB
Tagged: HHS, HIPAA, HIPAA Omnibus Rule, HIT, HITECH Act, Josh Tenzer, Patient privacy
Nov 21, 2013
Thanks to the flood of new data expected to enter the health field from all angles–patient sensors, public health requirements in Meaningful Use, records on providers released by the US government, previously suppressed clinical research to be published by pharmaceutical companies–the health field faces a fork in the road, one direction headed toward chaos and the other toward order.
The road toward chaos is forged by the providers’ and insurers’ appetites for categorizing us, marketing to us, and controlling our use of the health care system, abetted by lax regulation. The alternative road is toward a healthy data order where privacy is protected, records contain more reliable information, and research is supported or even initiated by cooperating patients.
This was my main take-away from a day of meetings and a panel held recently by Patient Privacy Rights, a non-profit for whom I have volunteered during the past three years. The organization itself has evolved greatly during that time, tempering much of the negativity in which it began and producing a stream of productive proposals for improving the collection and reuse of health data. One recent contribution consists of measuring and grading how closely technology systems, websites, and applications meet patients’ expectations to control and understand personal health data flows.
With sponsorship by Microsoft at their Innovation and Policy Center in Washington, DC, PPR offered a public panel on privacy–which was attended by 25 guests, a very good turnout for something publicized very modestly–to capitalize on current public discussions about government data collection, and (without taking a stand on what the NSA does) to alert people to the many “little NSAs” trying to get their hands on our personal health data.
It was a privilege and an eye-opener to be part of Friday’s panel, which was moderated by noted privacy expert Daniel Weitzner and included Dr. Deborah Peel (founder of PPR), Dr. Adrian Gropper (CTO of PPR), Latanya Sweeney of Harvard and MIT, journalist Sydney Brownstone of Fast Company, and me. Although this article incorporates much that I heard from the participants, it consists largely of my own opinions and observations.
Continue reading “Chaos and Order: An Update From Patient Privacy Rights”
Filed Under: Uncategorized
Tagged: Adrian Gropper, Andy Oram, Big Data, HIEs, HIPAA, Hospitals, Meaningful Consent, Patient privacy, Patient Privacy Rights
Oct 16, 2013
The shutdown could not stop the rollout of the state and federal exchanges.
That’s because the Obama administration, sensing a political fight in the offing with Republicans, wisely prepaid the bill for the insurance exchanges and other key components of the rollout.
On the other hand, the fiscal standoff is having a very real impact on the infrastructure that supports healthcare across the United States. Agencies from the Centers for Disease Control and Prevention to the National Institutes of Health have seen their money turned off. Others have seen their staffing levels sharply reduced with non-essential employees furloughed.
It doesn’t take a wild imagination to imagine potential deadly consequences if something goes wrong. If for example, flu season strikes early or a drug recall is needed. Much of the pain will be felt over time. As the shutdown drags on, you can expect problems that are brewing under the surface to become much more visible …
Here’s a review of what’s happening:
Centers For Disease Control and Prevention
Funding for monitoring of disease outbreaks turned off. Lab operations sharply scaled back. 24/7 operations center to remain online. With some scientists predicting a severe 2013-2014 flu season, this is cause for concern …
National Institutes of Health
Enrollment in new clinical trials suspended, impacting thousands of patients suffering from serious diseases. No action on grant proposals. Minimal support for ongoing protocols.
Food and Drug Administration
Food safety inspections sharply cut back. Monitoring of imports eliminated. Oversight of production facilities curtailed, again potentially an issue with flu season on the way. The good news? Because drug approvals are funded by industry “user-fees” FDA approvals of new drugs will continue.
Centers For Medicare and Medicaid Services
Key ACA related operations intact. The bad news for docs and patients – claims and payment processing expected to continue but with slower service than usual. With purse strings tight, this is likely to become more of a problem as shutdown drags on. In the unlikely event that a shutdown continues for more than a month, the impact on physician practices could be much more serious.
Continue reading “How the Federal Government Shutdown Is Hurting Healthcare: Agency by Agency”
Filed Under: ACA Database, Uncategorized
Tagged: ACA Database, CDC, Clinical Trials, FDA, Food Safety, HIPAA, NIH, ONC, THCBist, The ACA
Oct 2, 2013
The U.S. government shutdown continues to claim victims.
The latest is HealthIT.gov, the website designed to help doctors and hospitals make the transition to electronic records and make better use of health information technology – a key component of Obamacare’s drive to transform healthcare.
The Office of the National Coordinator for Health Information Technology posted a brief announcement on the site informing visitors to HealthIT.gov that “information … may not be up to date, transactions submitted via the website may not be processed and the agency may not be able to respond to inquiries until appropriations have been enacted.”
Officials also sent a tweet saying that the ONC regrets to inform us that while the shutdown continues it will “not tweet or respond to tweets.”
This struck THCBist as slightly odd.
After all, if you’re looking for an inexpensive way to communicate with the public in a pinch, Twitter seems like the perfect choice. We get that government websites are ridiculously expensive things to run. Blogs are considerably cheaper. Operating a Twitter account — on the other hand — is almost free. Our brains were flooded with scenarios. How much could the ONC possibly be spending on Twitter? And for that matter, didn’t the Department of Defense originally invent the Internet to allow for emergency communication during times of national crisis? Doesn’t a fiscal insurrection by cranky Republicans qualify?
Fallout for the National Health IT Program
While federal officials have issued repeated assurances that the shutdown will not impact the Obamacare rollout, it does look as though there will be a fairly serious impact on the administration’s health IT program. If HHS sticks to script, only 4 of 184 ONC employees will remain on duty during the shutdown. That makes it sound like activities are going to have to be scaled back just a bit.
If you’re counting on getting an incentive payment from the government for participation in the electronic medical records program, you may be in trouble — at least until the stalemate is settled. Although ONC has not yet made an official statement, presumably because the aforementioned Twitter channel has been disabled, leaving the agency unable to speak to or otherwise communicate with the public, going by the available information in the thirteen-page contingency plan drafted by strategists at HHS, it is unclear where the money will come from.
This could be bad news for electronic medical records vendors counting on the incentive program to drive sales as the Obamacare rollout gets officially underway.
Continue reading “Washington In Crisis: ONC Announces That It Will Not Tweet Or Respond to Tweets During Shutdown”
Filed Under: ACA Database, Tech, THCB
Tagged: ACA Database, Data, EHR, government shutdown, HHS, HIPAA, HIT, ONC, public health messaging, THCBist, The ACA
Oct 1, 2013