A common and somewhat unique aspect to EHR vendor contracts is that the EHR vendor lays claim to the data entered into their system. Rob and I, who co-authored this post, have worked in many industries as analysts. Nowhere, in our collective experience, have we seen such a thing. Manufacturers, retailers, financial institutions, etc. would never think of relinquishing their data to their enterprise software vendor of choice.
It confounds us as to why healthcare organizations let their vendors of choice get away with this and frankly, in this day of increasing concerns about patient privacy, why is this practice allowed in the first place?
The Office of the National Coordinator for Health Information Technology (ONC) released a report this summer defining EHR contract terms and lending some advice on what should and should not be in your EHR vendor’s contract.
The ONC recommendations are good but incomplete and come from a legal perspective.
As we approach the 3-5 year anniversary of the beginning of the upsurge in EHR purchasing via the HITECH Act, cracks are beginning to show. Roughly a third of healthcare organizations are now looking to replace their EHR. To assist HCO clients we wrote an article published in our recent October Monthly Update for CAS clients expanding on some of the points made by the ONC, and adding a few more critical considerations for HCOs trying to lower EHR costs and reduce risk.
The one item in many EHR contracts that is most troubling is the notion the patient data HCOs enter into their EHR is becomes the property in whole, or in-part, of the EHR vendor.
It’s Your Data. Act Like it.
Prior to the internet-age the concept that any data input into software either on the desktop, on-premise or in the cloud (AKA hosted or time sharing) was not owned entirely by the users was unheard of. But with the emergence of search engines and social media, the rights to data have slowly eroded away from the user in favor of the software/service provider.
Facebook is notorious for making subtle changes to its data privacy agreements that raise the ire of privacy rights advocates.
Continue reading “Whose Data Is It Anyway?”
Filed Under: Tech, THCB
Tagged: business of healthcare, Chilmark Research, Data, EHR, EHR vendors, John Moore, Privacy, Robert Tholomeier
Nov 20, 2013
Two years ago, the Department of Health and Human Services released proposed regulations that would allow patients to obtain their clinical lab test results directly from the lab, rather than having to wait to receive the results from their health care provider. CDT and other consumer groups enthusiastically supported this proposed rule at the time of its release.
Yet an Administration largely characterized by increasing patient access to health information seems inexplicably unable to close the deal on this important access initiative. As a result, patients still must wait for their providers to contact them with test results.
Under the current regulations, known as the Clinical Laboratory Improvement Amendments (CLIA), laboratories are restricted from disclosing test results to patients directly. Instead, labs can only send the test results to health care providers, people authorized to receive test results under state law or other labs. Only a handful of states permit labs to send patients test results directly, and some of these states require the provider’s permission before patients can have the results. The HIPAA Privacy Rule reflects this restriction, exempting CLIA-regulated labs (which are the great majority of clinical labs) from patients’ existing right to access their health information.
This existing regime has put patients at risk. A 2009 study published in the Archive of Internal Medicine indicated that providers failed to notify patients (or document notification) of abnormal test results more than 7 percent of the time. The National Coordinator for Health IT recently put the figure at 20 percent. This failure rate is dangerous, as it could lead to more medical errors and missed opportunities for valuable early treatment.
The 2011 proposed regulations would modify CLIA to permit labs to send results directly to patients, and they would also modify the HIPAA Privacy Rule to give patients the right to access or receive their lab results. Contrary state laws would be preempted. Patients would have the ability to request their lab results in a particular form or format, as with their other health information; for example, patients could request a paper copy of their test results, or to have the results sent electronically to the their personal health records
Continue reading “Give Us Our Damn Lab Results!!”
Filed Under: OP-ED, THCB
Tagged: Alice Leiter, Center For Democracy and Technology, CLIA, Deven McGraw, HHS, HIPAA, Privacy, Test Results
Sep 15, 2013
Walgreens has been ordered to pay $1.44 million in a lawsuit brought against it for a violation of the Health Insurance Portability and Accountability Act (HIPAA) by one of its pharmacist employees. While this may not sound like a big deal, this case represents only the second time HIPAA has been successfully used this way in court and it could have serious repercussions on the health care system.
The story begins when a Walgreens pharmacist looked up the medical records of her husband’s ex-girlfriend, whom she suspected gave her husband an STD. Apparently she found what she was looking for and told her husband about it, who then sent a text message to his ex and informed her that he knew all about her results.
The ex did not appreciate this, and told the Walgreens pharmacy about what happened. At some point after that, the pharmacist accessed the ex’s medical records again, and eventually the ex filed a lawsuit against Walgreens, claiming it was responsible for the HIPAA violation because it failed to properly educate and supervise its employee.
Walgreens argued what the pharmacist did fell outside of her job duties and therefore it was not responsible for the breach. The judge and jury disagreed, and the jury decided Walgreens was responsible for 80% of the damages owed the plaintiff (so I guess that means the total judgement for the plaintiff was $1.8 million). Walgreens has already said it will appeal.
As I said above, it may not sound like a big deal, but it potentially is.
Although HIPAA has a mechanism by which health care providers can be subject to federal civil and criminal penalties for violations, conventional legal wisdom says HIPAA does not allow for a “private cause of action”, meaning a private individual cannot sue a health care provider for breaching their medical privacy.
Or at least that’s how HIPAA used to be interpreted, before Neal Eggeson, the enterprising young attorney who successfully argued the only two cases in which HIPAA has been used in this fashion, came along.
Continue reading “A New Way to Sue Health Care Professionals Using HIPAA?”
Filed Under: Tech
Tagged: clinicians, HIPAA, HIPAA violations, Malpractice, Patients, Privacy, Walgreens
Sep 6, 2013
Secrecy breeds suspicion. The role of secrecy in health care is practically non-existent so when we see examples of secrecy, as in the operational details of the Federal Data Services Hub, we get the recent outcry from a range of politicians and journalists waving privacy flags. For Patient Privacy Rights, this is a teachable moment relative to both advocates and detractors of the Affordable Care Act.
There’s a clear parallel between the recent concerns around NSA communications surveillance and health care surveillance under the ACA. Some surveillance is justified, to combat terrorism and fraud respectively, but unwarranted secrecy breeds suspicion and may not help our civil society.
“The Hub” is described by the government as:
“For all marketplaces, CMS [the Centers for Medicare and Medicaid Services] is also building a tool called the Data Services Hub to help with verifying applicant information used to determine eligibility for enrollment in qualified health plans and insurance affordability programs. The hub will provide one connection to the common federal data sources (including but not limited to SSA, IRS, DHS) needed to verify consumer application information for income, citizenship, immigration status, access to minimum essential coverage, etc.
CMS has completed the technical design, and reference architecture for this work, is establishing a cross-agency security framework as well as the protocols for connectivity, and has begun testing the hub. The hub will not store consumer information, but will securely transmit data between state and federal systems to verify consumer application information. Protecting the privacy of individuals remains the highest priority of CMS.”
Here’s where the secrecy comes in: I tried to find out some specific information about the Hub. Technical or policy details that would enable one to apply Fair Information Practice Principles? Some open evidence of privacy by design? Some evidence of participation by privacy experts? I got nothing. Where’s Mr. Snowden when we need him?
Continue reading “The Federal Health Data Services Hub Hubbub”
Filed Under: Tech, THCB
Tagged: Adrian Gropper, data breaches, Federal Data Services Hub, HHS, NSA, Patient privacy, Privacy, The Affordable Care Act
Aug 15, 2013
Recently officials at Oregon Health Sciences University discovered that residents in several departments were storing patient information on Google Drive, and had been doing so for the past two years. They treated this discovery as a breach of privacy and notified 3000 patients about the incident.
While I don’t condone the storage of patient information on unapproved services like Gmail or Google Drive, this incident pretty much highlights the sorry state of information systems within the hospital and the unfulfilled need by physicians for tools that facilitate workflow and patient care.
It says something that the Oregon residents felt compelled to take such a drastic action. I don’t know what punishment – if any – those responsible were given by administrators for their “crimes.” I’ll leave it to readers to make up their own minds about the wisdom of the unauthorized workaround and the appropriateness of any punishment. But I do know that the message the incident sends is a very clear one.
We’re screwing this up. There is really no earthly reason why it should be any more difficult to share a patient record than it is to share a Word doc, a Powerpoint or yes, even a cloud-based Google Drive spreadsheet.
Why the Breach Happened
What’s going on here? Let’s say I admit a patient to the hospital. Our friend was hospitalized here just last month, and like many patients, he has dementia or is poorly educated, and does not know the names of the medications he takes. Unfortunately, I don’t have the ability to see what he takes or how he was treated during the prior admission because the records in the computer are there for documentation’s sake and don’t contain any meaningful information. This is clearly a problem for me.
Therefore I will spend time calling outside facilities to gather information and repeat several tests and imaging procedures.
Medical care has become a team sport, and residents have developed systems for keeping track of their patients and communicating to other physicians. It takes some time to think about and process each patient that comes in, to consolidate all the information. Ultimately, I need to boil that information down to a five-minute description on the patient, their problems, the status of their current admission, and what needs to happen before they go home. We do this in the form of a signout document.
Figure: The signout document has four to five columns and includes the To Do list for each patient.
The EMR does not have a good way to store information in this format, and additionally I have no way of editing this in real-time to communicate with my
coworkers what still needs to be done. That’s why residents were storing their signouts in Google Drive.
What providers need here is simple data management. We need to store and access this list from different computers. We need the ability to enter a subset of those data using a custom form, and the ability to print subsets of those data to create a To Do lists, rounding sheets, or progress notes. Continue reading “What the Recent Data Breach Says About the State of Health IT”
Filed Under: Tech, THCB
Tagged: Data, David Do, HIT, OHSU, Privacy
Aug 11, 2013
Patients who search on free health-related websites for information related to a medical condition may have the health information they provide leaked to third party tracking entities through code on those websites, according to a research letter by Marco D. Huesch, M.B.B.S., Ph.D., of the University of Southern California, Los Angeles.
The research letter was recently published in JAMA Internal Medicine entitled “Privacy Threats When Seeking Online Health Information” and looked at how 20 health-related websites track visitors, ranging from the sites of the National Institutes of Health to the health news section of The New York Times online. Thirteen of the sites had at least one potentially worrisome tracker, according to the analysis performed by Dr. Huesch.
He also found evidence that health search terms he tried — herpes, cancer and depression — were shared by seven sites with outside companies. According to the paper:
“A patient who searches on a “free” health-related website for information related to “herpes” should be able to assume that the inquiry is anonymous. If not anonymous, the information knowingly or unknowingly disclosed by the patient should not be divulged to others.
Unfortunately, neither assumption may be true. Anonymity is threatened by the visible Internet address of the patient’s computer or the often unique configuration of the patient’s web browser. Confidentiality is threatened by the leakage of information to third parties through code on websites (eg, iframes, conversion pixels, social media plug-ins) or implanted on patients’ computers (eg, cookies, beacons).”
Dr. Huesch says that he was inspired to investigate this area by the archive of coverage on the topic by The Wall Street Journal on how the technology and market for your online information work. The most recent piece in this series is on Facebook privacy settings and some of the risks associated with “Graph Search.” This entire series is very good and worth the read.
Continue reading “Caveat Online Health Information Emptor?”
Filed Under: THCB, The Insider's Guide To Health Care
Tagged: Brian Ahier, DIY medicine, Graph Search, Health Data, health-related websites, Marco Huesch, Patients, Privacy
Jul 10, 2013
The sharing of patient information in the US is out of whack — we lean far too much toward hoarding information vs. sharing it. While care providers have an explicit duty to protect patient confidentiality and privacy, two things are missing:
- the explicit recognition of a corollary duty to share patient information with other providers when doing so is the patient’s interests, and
- a recognition that there is potential tension between the duty to protect patient confidentiality/privacy and the duty to share — with minimal guidance on how to resolve the tension.
In this essay we’ll discuss:
1. A recent recognition in the UK
2. The need for an explicit duty to share patient information in the US
Continue reading “A Duty to Share Patient Information”
Filed Under: THCB
Tagged: confidentiality, Consumer-driven health care, Data, Healthwise, Leslie Kelly Hall, Patients, Privacy, The Caldecott Review, Vince Kuraitis
May 8, 2013
As the instigators of the OpenNotes initiative, we are thrilled that OpenNotes is being adopted by the VA. Prompted by Dr. Kernisan’s thoughtful post , the ensuing lively discussion, and our experiment with 100 primary care physicians and 20,000 of their patients ), we thought it useful to offer some observations drawing both on our experiences as clinicians and on ongoing conversations with clinicians and patients.
First and foremost, we don’t have “answers” for Dr. Kernisan. Our hope is to contribute to new approaches to these sticky questions over time. And, remember that patients’ right to review their records is by no means new. Since 1996, virtually all patients have had the right to access their full medical records. What’s new is that OpenNotes takes down barriers such as filling out forms and charging per page, while actively inviting far more patients to exercise this right in an easier and accessible way.
We think of open visit notes as a new medicine, designed like all therapies to help more than it hurts. But every medicine is inevitably accompanied by relative and absolute contraindications, and it’s useful to remember that it’s up to the medical and patient community to learn to take a medicine wisely as it becomes more widely available. A few specific thoughts:
Dementia and diminished physical capacity:
When a clinician notices symptoms or signs of dementia, chances are the patient and/or family has already been worrying about this for some time. Is it safe for the patient to live alone? What about driving? How and when could things get worse? They may actually be relieved when the doctor brings up these topics and articulates the issues in a note. Moreover, their worst fears may prove unfounded, and reading that in a note can be reassuring. But we need to consider the words we write so we don’t rush to label a condition as “Alzheimer’s.” Being descriptive is often better and more helpful than assigning one word definitions. In itself, OpenNotes reminds the health professional to choose words wisely. That doesn’t have to mean more work, but we believe it can certainly mean better notes that can be more easily understood by the patient. We urge colleagues to stay away from “The patient denies…,” or “refuses,” or “is SOB.”
Abuse or diversion of drugs, possible substance abuse, or unhealthy alcohol use:
These subjects are always tough, and what to write down has been an issue for clinicians long before they worried about open records. Over the course of our experiment in primary care, we have heard stories from patients about changing their attitudes and behavior after reading a note and “seeing in black and white” what their doctors were most worried about. Though substance abuse may seem like a particularly sensitive topic, at least one doctor in our study is convinced that some of his patients in trouble with drugs or medications did better as a result of reading his notes. And while some patients may reject our spoken (or unspoken) thoughts that we document in notes, experience to date makes us believe that more patients will be helped than hurt, and that it is worth the tradeoff.
Continue reading “OpenNotes: Drilling Down to Assure a Healthy Evolution”
Filed Under: THCB
Tagged: Electronic Medical Records, Harvard Medical School, OpenNotes, Privacy, Robert Wood Johnson, Tom Delbanco, Transparency
Jan 27, 2013
In a time of EHR naysayers, mean-spirited election year politics, and press misinterpretation (ONC and CMS do not intend to relax patient engagement provisions), it’s important that we all send a unified message about our progress on the national priorities we’ve developed by consensus.
1. Query-based exchange – every country in the world that I’ve advised (Japan, China, New Zealand, Scotland/UK, Norway, Sweden, Canada, and Singapore) has started with push-based exchange,replacing paper and fax machines with standards-based technology and policy. Once “push” is done and builds confidence with stakeholders, “pull” or query-response exchange is the obvious next step. Although there are gaps to be filled, we can and should make progress on this next phase of exchange. The naysayers need to realize that there is a process for advancing interoperability and we’ll all working as fast as we can. Query-based exchange will be built on top of the foundation created by Meaningful Use Stage 1 and 2.
2. Billing - although several reports have linked EHRs to billing fraud/abuse and the recent OIG survey seeks to explore the connection between EHR implementation and increased reimbursement, the real issue is that EHRs, when implemented properly, can enhance clinical documentation. The work of the next two years as we prepare for ICD-10 is to embrace emerging natural language processing technologies and structured data entry to create highly reproducible/auditable clinical documentation that supports the billing process. Meaningful Use Stage 1 and 2 have added content and vocabulary standards that will ensure future documentation is much more codified.
3. Safety – some have argued that electronic health records introduce new errors and safety concerns. Although it is true that bad software implemented badly can cause harm, the vast majority of certified EHR technology enhances workflow and reduces error. Meaningful Use Stage 1 and 2 enhance medication accuracy and create a foundation for improved decision support. The HealtheDecisions initiative will bring us guidelines/protocols that add substantial safety to today’s EHRs.
Continue reading “State of the EHR Nation”
Filed Under: Electronic Health Records
Tagged: Meaningful Use Stage 2, Medicare, ONC, Patient Safety, Privacy, Query-based Exchange
Nov 6, 2012
Because nearly one billion users produce a lot of data, Facebook has had a hand in publishing more than 30 research papers since 2009, including research (.pdf) that may link social-networking activity and loneliness.
But outside researchers have been unable to validate those studies because Facebook refused to release the underlying raw data, citing the need to protect users’ privacy. Now Facebook is considering changes to its policy. Nature News reports:
Facebook is now exploring a plan that could allow external researchers to check its work in future by inspecting the data sets and methods used to produce a particular study. A paper currently submitted to a journal could prove to be a test case, after the journal said that allowing third-party academics the opportunity to verify the findings was a condition of publication.
Continue reading “Facebook May Grant Researchers Access to Study Data”
Filed Under: Uncategorized
Tagged: Data, Facebook, Privacy, Social Media
Jul 27, 2012