Tag: Data

Who Owns Patient Data?

Walgreens is being sued by customers who are not happy that their prescription information – even though it has been de-identified – is being sold by Walgreens to data-mining companies.

The data privacy and security concerns surrounding the transfer of de-identified data are significant.  To “de-identify” what is otherwise protected health information under HIPAA, some outfits will simply strip data of 18 types of identifiers listed in federal regulations.  However, the relevant regulation (45 CFR 164.514(b)(2)(ii)) also provides that this only works if “the covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.” Thus, the problem with this approach is that, these days, nobody can disclaim knowledge of the fact that information de-identified by removing this cookbook list of 18 identifiers may be re-identified by cross-matching data with other publicly-available data sources. There are a number of reported instances of this sort of thing happening. The bottom line is that our collective technical prowess has outstripped the regulatory safe harbor.

Is this the basis of the lawsuit brought against Walgreens?  An objection to trafficking in health information that should remain private?  No.  The plaintiff group of customers is suing to share in the profits realized by Walgreens from trading in the de-identified data.

Freeing the Data

I’m keynoting this year’s InterSystems Global Conference on the topic of “Freeing the Data” from the transactional systems we use today such as Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), Electronic Health Records (EHR), etc. As I’ve prepared my speech, I’ve given a lot of thought to the evolving data needs we have in our enterprises.

In healthcare and in many other industries, it’s increasingly common for users to ask IT for tools and resources to look beyond the data we enter during the course of our daily work. For one patient, I know the diagnosis, but what treatments were given to the last 1000 similar patients? I know the sales today, but how do they vary over the week, the month, and the year? Can I predict future resource needs before they happen?

In the past, such analysis typically relied on structured data, exported from transactional systems into data marts using Extract/Transform/Load (ETL) utilities, followed by analysis with Online Analytical Processing (OLAP) or Business Intelligence (BI) tools.

In a world filled with highly scalable web search engines, increasingly capable natural language processing technologies, and practical examples of artificial intelligence/pattern recognition (think of IBM’s Jeopardy-savvy Watson as a sophisticated data mining tool), there are novel approaches to freeing the data that go beyond a single database with pre-defined hypercube rollups. Here are my top 10 trends to watch as we increasingly free data from transactional systems.

Data Mining Case Reaches the Supreme Court

Twenty years ago, IMS Health got the idea to purchase prescription records from pharmacies, license physician information from the AMA’s Physician Masterfile, and link the two databases so as to create something new and different: prescriber-level data (PLD).

It was a brilliant idea. Almost immediately, pharmaceutical and device companies, government analysts and public health officials began lining up to buy raw PLD and/or the reports that IMS created from it.

And with good reason. By applying statistical tools to analyze PLD (a technique known in the vernacular as “Data Mining”) IMS and the purchasers of its data could obtain fresh insight into many topics of interest. These include prescribing pattern variations across regions, where and when influenza outbreaks occur, how physicians respond to these outbreaks and hundreds of others. Drug makers found PLD information to be particularly helpful. With it, they could refine marketing pitches and improve sales force efficiency, among other things.

Since those early days, the scope of the data compiled by IMS and other PLD providers has expanded to a point where it is truly breathtaking. The AMA Masterfile includes current and historical data on 880,000 physicians. IMS and similar companies collect information on more than 70% of all prescriptions filled in the US. SDI Health, another PLD provider, has billing information from 100% of inpatient and outpatient activity at 500 hospitals dating back to 2002. Their databases are large enough to detect national trends and withstand the most exquisite stratification analyses. Furthermore, PLD providers have perfected ways to exclude information from their databases that could be used to identify patients, so the data comply with HIPAA and other privacy-protecting laws.


Cyber Insurance

Insurance exists to cover a wide range of potential business risks. Cyber insurance is worth considering as companies increase their presence, business practices and data storage online. In fact, Cyber insurance is not just for companies conducting transactions online (e.g., online retailers).

It is valuable to any company that has critical systems or sensitive data, which is almost every business. While it is possible to have insurance that covers damage to your servers and other computer equipment, it is almost certain the insurance only covers the physical damage to the hardware itself, and not the valuable data housed within. In fact, insurance policies regularly state that the policy is limited to the replacement costs of the hardware and not the data. This means that in the event a hacker gains access to your systems and disrupts operations, standard insurance coverage will probably offer little or no protection unless hardware is actually damaged.

The costs associated with restoring lost or damaged data, sending breach notifications to consumers, and other potential liability under each state’s breach notification statutes can be astronomical. Cyber insurance can help cover some of the costs of a data breach, including the expense of sending notification to affected individuals, public relations, fines, penalties, responding to regulators and any subsequent litigation by affected individuals. The potential for attacks and breaches is growing exponentially as more and more businesses move operations to the cloud. Moreover, attacks do not necessarily derive from an outsider. Data breaches have resulted from careless, frustrated and vengeful employees who often attempt to profit from someone else’s information. Depending on the policy, Cyber insurance can offer protection from hackers, viruses, data breaches, denial of service attacks, and copyright, trademark, and website content infringement.


Healthcare Messages Over the Internet: The Direct Project

The Direct Project announced today the completion of its open-source connectivity-enabling  software and the start of a series of pilots that will be demonstrating directed secure messaging for healthcare stakeholders over the internet.  The Direct Project specifies a simple, secure, scalable, standards-based way for participants to send authenticated, encrypted health information directly to known, trusted recipients over the Internet.

Also announced:

  1. A new name – the Direct Project was previously known as NHIN Direct
  2. An NHIN University course, The Direct Project – Where We Are Today, to be presented by Arien Malec, November 29 at 1 PM ET, sponsored by the National eHealth Collaborative
  3. An extensive list of HIT vendors (20+) that have announced plans to leverage the Direct Project for message transport in connection with their solutions and services
  4. Presentations at the HIT Standards Committee on Tuesday November 30 where three or more vendors will be announcing their support for the Direct Project.
  5. A thorough documentation library including a Direct Project Overview
  6. Best practice guidance for directed messaging based on the policy work of the Privacy and Security Tiger team
  7. A new web site at
  8. A new hashtag #directproject for following the Direct Project on twitter.

The Direct Project is the collaborative and voluntary work of a group of healthcare stakeholders representing more than 50 provider, state, HIE and HIT vendor organizations. Over 200 participants have contributed to the project. Its rapid progress, transparency, and community consensus approach have established it as a model of how to drive innovation at a national level.

What is The Direct Project?

Today, communication of health information among providers and patients is most often achieved by sending paper through the mail or via fax. The Direct Project seeks to benefit patients and providers by improving the transport of health information, making it faster, more secure, and less expensive. The Direct Project will facilitate “direct” communication patterns with an eye toward approaching more advanced levels of interoperability than simple paper can provide.


Patrick Soon-Shiong – Role in a World of “Data Liberacion”

SUBTEXT: In the DC panel debate on the Role of “Data Liberacion”, Executive Chairman of Abraxis Health, Patrick Soon-Shiong, commented on how coordination and exchange of health data can improve healthcare and have a direct impact on individuals. He also talked about how his “realizing of the American Dream” enabled him to contribute to this through the non-profit organization the Health Transformation Institute.

Back to Basics: Toward a Core Set of Relevant and Portable Personal Health Information


In the cacophony of health IT issues, products, and goals that compete every day for our attention, it is easy to lose sight of the profound value that could come from the universal availability of a simple core set of relevant and portable personal health information in digital format.

If everyone in the country who wanted one, and if every doctor or nurse taking care of a patient needing one, had access to a digitally formatted set of current health data about the person in question, we as a country would benefit at many levels.  I am talking about basic information — such as demographics, a problem and diagnosis list, a list of medications, allergies, recent vital signs (blood pressure, weight, etc.), and information about the most recent health care encounters. Individuals would get more continuous care and better coordinated care decisions.  Payers would pay for fewer duplicated or unnecessary tests and procedures.  Doctors would face less risk of error when making decisions in the ER.  Researchers would give us better feedback on populations of patients, e.g. those with diabetes, to improve care and care processes.  And the whole of society would benefit from a real-time, steadily enhanced knowledge database about what works to promote wellness, health, and to lower health care costs.

Change The Rules and Get Your Labs

In 1999 Caresoft developed a consumer web portal called the Daily Apple.  The Daily Apple wasn’t all that unique or different than other health portals, until in May of 2000 they began helping consumers download their lab test results from Quest Diagnostics. Now THAT was different! A portal aggregating real clinical data on behalf of consumers, with the potential to drive personalized health information, recommendations, and alerts to the individual. “Looks like your exercise and your diet are keeping your blood sugar under good control. Great Job!” and “Your liver enzymes are elevated, which might be due to your Lipitor. You should talk with your doctor.” Now that’s information a person can use! But sometimes even the best ideas suffer from poor market timing. It was only 19 months later, in December, 2001, that the service was discontinued. Many of us on the outside wondered why such a seemingly unique and valuable service would be disabled. But whether it was the lawyers, the doctors, or the business model, timing wasn’t right.

Only a couple years later, in 2003, the Office of Civil Rights at HHS wrote the HIPAA Privacy Rule regulations, allowing consumers to access a copy of their own protected health information. But they carved out lab data as a special case. Lab data (or data governed under the Clinical Laboratory Improvement Amendments, or CLIA), was to be governed under CMS regulations that stated that lab test results could only be delivered to “Authorized Persons”, defined as “an individual authorized under state law to order tests or receive test results, or both.”

Op-Ed: Forward thinking health plans? Look for the guys with the white hats


The public noise about health care reform has painted the parties involved in broad brush strokes that tell  consumers which in the fray are the good guys and bad guys. News reports have for so long vilified health insurers that they’re overlooking the forward thinkers who are actively seeking the white hat role and using their heft for real and positive change.

With the near-term incentives to spur adoption of EMRs and subsequent implementation of clinical decision support to make those EMRs “meaningful”, health plans have a perfect opportunity to improve their value. I already see that happening with our health plan customers who have used additional means to improve their populations’ health, such as personal health records, disease management, and other strategic initiatives.

A Declaration of Health Data Rights

THCB & Health 2.0 are happy to be a small part of a very important declaration, made today by a mix of patients, physicians, technologists and concerned citizens. It’s a Declaration of Health Data Rights, and it’s extremely important because access to usable data is a very pressing problem in the health care system, and one that we have the opportunity to solve if we bake the concept into regulation and practice now, as electronic health data becomes more pervasive. Here’s the declaration:

In an era when technology allows personal health information to be more easily stored, updated, accessed and exchanged, the following rights should be self-evident and inalienable. We the people:

  • Have the right to our own health data
  • Have the right to know the source of each health data element
  • Have the right to take possession of a complete copy of our individual health data, without delay, at minimal or no cost; If data exist in computable form, they must be made available in that form
  • Have the right to share our health data with others as we see fit

These principles express basic human rights as well as essential elements of health care that is participatory, appropriate and in the interests of each patient. No law or policy should abridge these rights.

More information about how you can support this declaration, how it was created, a FAQ and what you can do to get involved is all at

