Categories

Tag: HIPAA

Health Data Outside HIPAA: The Wild West of Unprotected Personal Data

Deven McGraw
Vince Kuraitis

By VINCE KURAITIS and DEVEN McGRAW

This post is part of the series “The Health Data Goldilocks Dilemma: Privacy? Sharing? Both?”

“…the average patient will, in his or her lifetime, generate about 2,750 times more data related to social and environmental influences than to clinical factors”

McKinsey analysis

The McKinsey “2,750 times” statistic is a pretty good proxy for the amount of your personal health data that is NOT protected by HIPAA and currently is broadly unprotected from sharing and use by third parties.

However, there is bipartisan legislation in front of Congress that offers expanded privacy protection for your personal health data. Senators Klobuchar & Murkowski have introduced the “Protecting Personal Health Data Act” (S.1842). The Act would extend protection to much personal health data that is currently not already protected by HIPAA (the Health Insurance Portability and Accountability Act of 1996). 

In this essay, we will look in the rear-view mirror to see how HIPAA has provided substantial protections for personal clinical data — but with boundaries. We’ll also take a look out the windshield — the Wild West of unprotected health data.

Then in a separate post, we’ll describe and comment on the pending “Protect Personal Health Data Act”.

Continue reading…

A National Patient Identifier: Should You Care?

By ADRIAN GROPPER, MD

The rather esoteric issue of a national patient identifier has come to light as a difference between two major heath care bills making their way through the House and the Senate.

The bills are linked to outrage over surprise medical bills but they have major implications over how the underlying health care costs will be controlled through competitive insurance and regulatory price-setting schemes. This Brookings comment to the Senate HELP Committee bill summarizes some of the issues.

Who Cares?

Those in favor of a national patient identifier are mostly hospitals and data brokers, along with their suppliers. More support is discussed here. The opposition is mostly on the basis of privacyand libertarian perspective. A more general opposition discussion of the Senate bill is here.

Although obscure, national patient identifier standards can help clarify the role of government in the debate over how to reduce the unusual health care costs and disparities in the U.S. system. What follows is a brief analysis of the complexities of patient identifiers and their role relative to health records and health policy.

Continue reading…

ONC’s Proposed Rule is a Breakthrough in Patient Empowerment

By ADRIAN GROPPER

Imagine solving wicked problems of patient matching, consent, and a patient-centered longitudinal health record while also enabling a world of new healthcare services for patients and physicians to use. The long-awaited Notice of Proposed Rulemaking (NPRM) on information blocking from the Office of the National Coordinator for Health Information Technology (ONC) promises nothing less.

Having data automatically follow the patient is a laudable goal but difficult for reasons of privacy, security, and institutional workflow. The privacy issues are clear if you use surveillance as the mechanism to follow the patient. Do patients know they’re under surveillance? By whom? Is there one surveillance agency or are there dozens in real-world practice? Can a patient choose who does the surveillance and which health encounters, including behavioral health, social relationships, location, and finance are excluded from the surveillance?

The security issues are pretty obvious if one uses the National Institutes of Standards and Technology (NIST) definition of security versus privacy: Security breaches, as opposed to privacy breaches, are unintentional — typically the result of hacks or bugs in the system. Institutional workflow issues also pose a major difficulty due to the risk of taking responsibility for information coming into a practice from uncontrolled sources. Whose job is it to validate incoming information and potentially alter the workflow? Can this step be automated with acceptable risk?

It’s not hard to see how surveillance as the basis for health information sharing would be contentious and risk the trust that’s fundamental to both individual and public health. Nowhere is this more apparent than in the various legislative efforts currently underway to expand HIPAA to include behavioral health and social determinants of health, preempt state privacy laws, grant data brokers HIPAA Covered Entity status, and limit transparency of how personal data is privately used for “predictive analytics”, machine learning, and artificial intelligence.

Continue reading…

HIPAA RFI Comments: Patient Privacy Rights

Deborah C. Peel
Adrian Gropper

By ADRIAN GROPPER and DEBORAH C. PEEL

Among other rich nations, US healthcare stands out as both exceptionally privatized and exceptionally expensive. And taken overall, we have the worst health outcomes among the Western Democracies.

On one hand, regulators are reluctant to limit private corporate action lest we reduce innovation and patient choice and promote moral hazards. On the other hand, a privatized marketplace for services requires transparency of costs and quality and a minimum of economic externalities that privatize profit and socialize costs.

For over two decades, the HIPAA law and regulations have dominated the way personal health data is used and abused to manipulate physician practice and increase costs. During these decades, digital technology has brought marvels of innovation and competition to markets as diverse as travel and publishing while healthcare technology is burning out physicians and driving patients to bankruptcy.

Continue reading…

Hoarding Patient Data is a Lousy Business Strategy: 7 Reasons Why

Leslie Kelly Hall
Vince Kuraitis

By VINCE KURAITIS & LESLIE KELLY HALL

Among many healthcare providers, it’s been long-standing conventional wisdom (CW) that hoarding patient data is an effective business strategy to lock-in patients — “He who holds the data, wins”. However…we’ve never seen any evidence that this actually works…have you?

We’re here to challenge CW. In this article we’ll explore the rationale of “hoarding as business strategy”, review evidence suggesting it’s still prevalent, and suggest 7 reasons why we believe it’s a lousy business strategy:

  1. Data Hoarding Doesn’t Work — It Doesn’t Lock-In Patients or Build Affinity
  2. Convenience is King in Patient Selection of Providers
  3. Loyalty is Declining, Shopping is Increasing
  4. Providers Have a Decreasingly Small “Share” of Patient Data
  5. Providers Don’t Want to Become a Lightning Rod in the “Techlash” Backlash
  6. Hoarding Works Against Public Policy and the Law
  7. Providers, Don’t Fly Blind with Value-Based Care

Background

In the video below, Dr. Harlan Krumholz of Yale University School of Medicine capsulizes the rationale of hoarding as business strategy.

We encourage you to take a minute to listen to Dr. Krumholz, but if you’re in a hurry we’ve abstracted the most relevant portions of his comments:

“The leader of a very major healthcare system said this to me confidentially on the phone… ‘why would we want to make it easy for people to get their health data…we want to keep the patients with us so why wouldn’t we want to make it just a little more difficult for them to leave.’ …I couldn’t believe it a physician health care provider professional explaining to me the philosophy of that health system.”

Continue reading…

Ensuring that the 21st Century Cures Act Health IT Provisions Promotes Interoperability and Data Exchange

Dan Gottlieb MPA
Josh C. Mandel MD
Kenneth D. Mandl MD

By KENNETH D. MANDL, MD; DAN GOTTLIEB MPA;
JOSH C. MANDEL, MD

The opportunity has never been greater to, at long last, develop a flourishing health information economy based on apps which have full access to health system data–for both patients and populations–and liquid data that travels to where it is needed for care, management and population and public health. A provision in the 21st Century Cures Act could transform how patients and providers use health information technology. The 2016 law requires that certified health information technology products have an application programming interface (API) that allows health information to be accessed, exchanged, and used “without special effort” and that provides “access to all data elements of a patient’s electronic health record to the extent permissible under applicable privacy laws.”

After nearly two years of regulatory work, an important rule on this issue is now pending at the Office of Management and Budget (OMB), typically a late stop before a proposed rule is issued for public comment. It is our hope that this rule will contain provisions to create capabilities for patients to obtain complete copies of their EHR data and for providers and patients to easily integrate apps (web, iOS and Android) with EHRs and other clinical systems.

Modern software systems use APIs to interact with each other and exchange data. APIs are fundamental to software made familiar to all consumers by Google, Apple, Microsoft, Facebook, and Amazon. APIs could also offer turnkey access to population health data in a standard format, and interoperable approaches to exchange and aggregate data across sites of care.

Continue reading…

Michelle Longmire, CEO Medable

I never ceased to be amazed by how smart young clinicians solve problems that they see. Michelle Longmire was in residency at Stanford working with colleagues building point solutions when she realized that what they needed was an easy platform on which to develop medical grade apps. Her company Medable was the result. Then she realized that the other big market was clinical researchers, who now have access to Apple’s ResearchKit, but need an easy way to build a study without using developers. I interviewed her recently and she built a study for me using Medable’s new Axon product.

Confusion over HIPAA Causes Grief in Orlando

Screen Shot 2016-06-14 at 6.20.58 PM

After the horrific shootings in the gay dance nightclub that killed 49 individuals, 53 survivors were rushed to surrounding hospitals.  In the hours that followed family members anxiously sought updates about their loved ones.  Yet, confusion over the privacy rules that govern health information prevented them from getting immediate access to what they surely needed to know. Confusion was not restricted to hospital staff.  Reporters and political officials alike were confused about what the law permitted.

This is not the first time that HIPAA related confusion affected a gay patient: in 2010 President Obama took steps to address anti-gay discrimination when Janice Langbehn was denied visitation and updates about her partner’s condition in a Florida hospital. 

Rules under the Health Insurance Portability and Accountability Act (HIPAA) generally prohibit release of patient information without their explicit consent.  The CEO of the Orlando Regional Medical Center reportedly asked Orlando Mayor Buddy Dyer for a HIPAA “waiver” so that the victims’ loved ones could be informed of their condition.  The Mayor sought such a waiver from the White House. 

Numerous news outlets reported that the mayor had received his waiver.  One outlet called this waiver “unique.”   By declaring a “national emergency,” it explained, “President Barack Obama and Secretary of Health and Human Services Sylvia Mathews Burwell made it easier for family and friends to gain quicker access to information—the right move in such a circumstance.

Continue reading…

Anthem Was Right Not to Encrypt

Optimized-FredTrotterThe Internet is abuzz criticizing Anthem for not encrypting its patient records. Anthem has been hacked, for those not paying attention.

Anthem was right, and the Internet is wrong. Or at least, Anthem should be “presumed innocent” on the issue. More importantly, by creating buzz around this issue, reporters are missing the real story: that multinational hacking forces are targeting large healthcare institutions.

Most lay people, clinicians and apparently, reporters, simply do not understand when encryption is helpful. They presume that encrypted records are always more secure than unencrypted records, which is simplistic and untrue.

Encryption is a mechanism that ensures that data is useless without a key, much in the same way that your car is made useless without a car key. Given this analogy, what has apparently happened to Anthem is the security equivalent to a car-jacking.

When someone uses a gun to threaten a person into handing over both the car and the car keys needed to make that care useless, no one says “well that car manufacturer needs to invest in more secure keys”.

In general, systems that rely on keys to protect assets are useless once the bad guy gets ahold of the keys. Apparently, whoever hacked Anthem was able to crack the system open enough to gain “programmer access”. Without knowing precisely what that means, it is fair to assume that even in a given system implementing “encryption-at-rest”, the programmers have the keys. Typically it is the programmer that hands out the keys.

Most of the time, hackers seek to “go around” encryption. Suggesting that we use more encryption or suggesting that we should use it differently is only useful when “going around it” is not simple. In this case, that is what happened.

Continue reading…

NATE: Making Choices Easier

Aron SeibYou have the choice to get your health information anywhere and any way you want –according to the Office of Civil Rights with some limitations. Today, more and more uses of health information are being presented to consumers as innovators recognize our demand for health related applications. Unfortunately, there is a dilemma. Over the past ten years a lot of things have changed – more and more providers are using technology to improve how they deliver care and, once that care is delivered, how they share information with other caregivers that see the patient. Sadly, other things are still pretty much as they were in the 19th Century, including how patients get access to information about themselves held by their provider.

The release of the National Association for Trusted Exchange’s (NATE) Blue Button for Consumers (NBB4C) Trust Bundle is aimed at simplifying interoperability between the healthcare delivery system and the consumer, enabling you to decide how to use your health information.

NATE is an association focused on enabling trusted exchange among organizations and individuals with differing regulatory environments and exchange preferences. With beginnings back in 2012, NATE emerged from a pilot project supported by the Office of the National Coordinator for Health Information Technology (ONC). NATE was incorporated as a not-for-profit organization on May 1, 2012 in the District of Columbia. NATE has been operating Trust Bundles in production since November 2012 and recently took over administration of the Blue Button Consumer Trust Bundles.  Working with a broad set of stakeholders through multiple task forces, crowdsourcing and a call for public comment, NATE announced the first release of NATE’s Blue Button for Consumers (NBB4C) Trust Bundle February 4th at the ONC’s Annual meeting.Continue reading…

Registration

Forgotten Password?