Tag: HIPAA

Hoarding Patient Data is a Lousy Business Strategy: 7 Reasons Why

By VINCE KURAITIS & LESLIE KELLY HALL

Among many healthcare providers, it’s been long-standing conventional wisdom (CW) that hoarding patient data is an effective business strategy to lock-in patients — “He who holds the data, wins”. However…we’ve never seen any evidence that this actually works…have you?

We’re here to challenge CW. In this article we’ll explore the rationale of “hoarding as business strategy”, review evidence suggesting it’s still prevalent, and suggest 7 reasons why we believe it’s a lousy business strategy:

  1. Data Hoarding Doesn’t Work — It Doesn’t Lock-In Patients or Build Affinity
  2. Convenience is King in Patient Selection of Providers
  3. Loyalty is Declining, Shopping is Increasing
  4. Providers Have a Decreasingly Small “Share” of Patient Data
  5. Providers Don’t Want to Become a Lightning Rod in the “Techlash” Backlash
  6. Hoarding Works Against Public Policy and the Law
  7. Providers, Don’t Fly Blind with Value-Based Care

Background

In the video below, Dr. Harlan Krumholz of Yale University School of Medicine capsulizes the rationale of hoarding as business strategy.

We encourage you to take a minute to listen to Dr. Krumholz, but if you’re in a hurry we’ve abstracted the most relevant portions of his comments:

“The leader of a very major healthcare system said this to me confidentially on the phone… ‘why would we want to make it easy for people to get their health data…we want to keep the patients with us, so why wouldn’t we want to make it just a little more difficult for them to leave.’ …I couldn’t believe it, a physician, health care provider, professional, explaining to me the philosophy of that health system.”

Continue reading…

Ensuring that the 21st Century Cures Act Health IT Provisions Promotes Interoperability and Data Exchange

By KENNETH D. MANDL, MD; DAN GOTTLIEB; JOSH C. MANDEL, MD

The opportunity has never been greater to, at long last, develop a flourishing health information economy based on apps which have full access to health system data–for both patients and populations–and liquid data that travels to where it is needed for care, management and population and public health. A provision in the 21st Century Cures Act could transform how patients and providers use health information technology. The 2016 law requires that certified health information technology products have an application programming interface (API) that allows health information to be accessed, exchanged, and used “without special effort” and that provides “access to all data elements of a patient’s electronic health record to the extent permissible under applicable privacy laws.”

After nearly two years of regulatory work, an important rule on this issue is now pending at the Office of Management and Budget (OMB), typically a late stop before a proposed rule is issued for public comment. It is our hope that this rule will contain provisions to create capabilities for patients to obtain complete copies of their EHR data and for providers and patients to easily integrate apps (web, iOS and Android) with EHRs and other clinical systems.

Modern software systems use APIs to interact with each other and exchange data. APIs are fundamental to software made familiar to all consumers by Google, Apple, Microsoft, Facebook, and Amazon. APIs could also offer turnkey access to population health data in a standard format, and interoperable approaches to exchange and aggregate data across sites of care.

Continue reading…

Michelle Longmire, CEO Medable

I never cease to be amazed by how smart young clinicians solve problems that they see. Michelle Longmire was in residency at Stanford working with colleagues building point solutions when she realized that what they needed was an easy platform on which to develop medical-grade apps. Her company Medable was the result. Then she realized that the other big market was clinical researchers, who now have access to Apple’s ResearchKit but need an easy way to build a study without using developers. I interviewed her recently and she built a study for me using Medable’s new Axon product.

Confusion over HIPAA Causes Grief in Orlando

After the horrific shootings in the gay dance nightclub that killed 49 individuals, 53 survivors were rushed to surrounding hospitals. In the hours that followed, family members anxiously sought updates about their loved ones. Yet confusion over the privacy rules that govern health information prevented them from getting immediate access to what they surely needed to know. Confusion was not restricted to hospital staff. Reporters and political officials alike were confused about what the law permitted.

This is not the first time that HIPAA-related confusion affected a gay patient: in 2010 President Obama took steps to address anti-gay discrimination when Janice Langbehn was denied visitation and updates about her partner’s condition in a Florida hospital.

Rules under the Health Insurance Portability and Accountability Act (HIPAA) generally prohibit release of patient information without the patient’s explicit consent. The CEO of the Orlando Regional Medical Center reportedly asked Orlando Mayor Buddy Dyer for a HIPAA “waiver” so that the victims’ loved ones could be informed of their condition. The Mayor sought such a waiver from the White House.

Numerous news outlets reported that the mayor had received his waiver. One outlet called this waiver “unique.” By declaring a “national emergency,” it explained, “President Barack Obama and Secretary of Health and Human Services Sylvia Mathews Burwell made it easier for family and friends to gain quicker access to information—the right move in such a circumstance.”

Continue reading…

Anthem Was Right Not to Encrypt

The Internet is abuzz criticizing Anthem for not encrypting its patient records. Anthem has been hacked, for those not paying attention.

Anthem was right, and the Internet is wrong. Or at least, Anthem should be “presumed innocent” on the issue. More importantly, by creating buzz around this issue, reporters are missing the real story: that multinational hacking forces are targeting large healthcare institutions.

Most lay people, clinicians and, apparently, reporters simply do not understand when encryption is helpful. They presume that encrypted records are always more secure than unencrypted records, which is simplistic and untrue.

Encryption is a mechanism that ensures that data is useless without a key, much in the same way that your car is made useless without a car key. Given this analogy, what has apparently happened to Anthem is the security equivalent to a car-jacking.

When someone uses a gun to threaten a person into handing over both the car and the car keys needed to make that car useful, no one says “well, that car manufacturer needs to invest in more secure keys”.

In general, systems that rely on keys to protect assets are useless once the bad guy gets hold of the keys. Apparently, whoever hacked Anthem was able to crack the system open enough to gain “programmer access”. Without knowing precisely what that means, it is fair to assume that even in a system implementing “encryption at rest”, the programmers have the keys. Typically it is the programmer who hands out the keys.

Most of the time, hackers seek to “go around” encryption. Suggesting that we use more encryption, or that we use it differently, is only useful when “going around it” is not simple. In this case, going around it is what happened.

Continue reading…

NATE: Making Choices Easier

You have the choice to get your health information anywhere and any way you want, according to the Office for Civil Rights, with some limitations. Today, more and more uses of health information are being presented to consumers as innovators recognize our demand for health-related applications. Unfortunately, there is a dilemma. Over the past ten years a lot of things have changed: more and more providers are using technology to improve how they deliver care and, once that care is delivered, how they share information with other caregivers who see the patient. Sadly, other things are still pretty much as they were in the 19th century, including how patients get access to information about themselves held by their provider.

The release of the National Association for Trusted Exchange’s (NATE) Blue Button for Consumers (NBB4C) Trust Bundle is aimed at simplifying interoperability between the healthcare delivery system and the consumer, enabling you to decide how to use your health information.

NATE is an association focused on enabling trusted exchange among organizations and individuals with differing regulatory environments and exchange preferences. With beginnings back in 2012, NATE emerged from a pilot project supported by the Office of the National Coordinator for Health Information Technology (ONC). NATE was incorporated as a not-for-profit organization on May 1, 2012 in the District of Columbia. NATE has been operating Trust Bundles in production since November 2012 and recently took over administration of the Blue Button Consumer Trust Bundles. Working with a broad set of stakeholders through multiple task forces, crowdsourcing and a call for public comment, NATE announced the first release of NATE’s Blue Button for Consumers (NBB4C) Trust Bundle February 4th at the ONC’s Annual meeting.

Continue reading…

Privacy and Security and the Internet of Things

In the future, everything will be connected.

That future is almost here.

Over a year ago, the Federal Trade Commission held an Internet of Things workshop, and it has finally issued a report summarizing comments and recommendations that came out of that conclave.

As in the case of the HITECH Act’s attempt to increase public confidence in electronic health records by ramping up privacy and security protections for health data, the IoT report — and an accompanying publication with recommendations to industry regarding taking a risk-based approach to development, adhering to industry best practices (encryption, authentication, etc.) — seeks to increase the public’s confidence, but is doing it the FTC way: no actual rules, just guidance that can be used later by the FTC in enforcement cases. The FTC can take action against an entity that engages in unfair or deceptive business practices, but such practices are defined by case law (administrative and judicial), not regulations, thus creating the U.S. Supreme Court and pornography conundrum — I can’t define it, but I know it when I see it (see Justice Stewart’s timeless concurring opinion in Jacobellis v. Ohio).

To anyone actively involved in data privacy and security, the recommendations seem frighteningly basic:

build security into devices at the outset, rather than as an afterthought in the design process;

train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;

ensure that when outside service providers are hired, those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;

when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;

consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;

monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks;

consider data minimization – that is, limiting the collection of consumer data, and retaining that information only for a set period of time, and not indefinitely;

notify consumers and give them choices about how their information will be used, particularly when the data collection is beyond consumers’ reasonable expectations.

Continue reading…

An Open Letter to the People Who Brought Us HIPAA

Over the last five years, the United States has undergone perhaps its most significant changes to its health care system since Medicare and Medicaid were introduced in the 1960s. The Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 and the Patient Protection and Affordable Care Act of 2010 have paved the way for tremendous changes to our system’s information backbone and aim to provide more Americans access to health care.

But one often-overlooked segment of our health care system has been letting us down. Patients’ access to their own medical information remains limited. The HIPAA Privacy Rule grants individuals the right to copies of their own medical records, but it comes at a noteworthy cost—health care providers are allowed to charge patients a fee for each record request. As explained on the Department of Health and Human Services’ website, “the Privacy Rule permits the covered entity to impose reasonable, cost-based fees.”

HIPAA is a federal regulation, so the states have each imposed guidelines outlining their own interpretations of “reasonable.” Ideally, the price of a record request would remain relatively constant—after all, the cost of producing these records does not differ significantly from state to state. But in reality, the cost of requesting one’s medical record is not only unreasonably expensive; it is also inconsistent, costing dramatically different amounts based on local regulation.

Continue reading…

Black Turtlenecks, Data Fiends and Code. An Interview with John Halamka

Of the nearly 100 people I interviewed for my upcoming book, John Halamka was one of the most fascinating. Halamka is CIO of Beth Israel Deaconess Medical Center and a national leader in health IT policy. He also runs a family farm, on which he raises ducks, alpacas and llamas. His penchant for black mock turtlenecks, along with his brilliance and quirkiness, raises inevitable comparisons to Steve Jobs. I interviewed him in Boston on August 12, 2014.

Our conversation was very wide ranging, but I was particularly struck by what Halamka had to say about federal privacy regulations and HIPAA, and their impact on his job as CIO. Let’s start with that.

Halamka: Not long ago, one of our physicians went into an Apple store and bought a laptop. He returned to his office, plugged it in, and synched his e-mail. He then left for a meeting. When he came back, the laptop was gone. We looked at the video footage and saw that a known felon had entered the building, grabbed the laptop, and fled. We found him, and he was arrested.

Now, what is the likelihood that this drug fiend stole the device because he had identity theft in mind? That would be zero. But the case has now exceeded $500,000 in legal fees, forensic work, and investigations. We are close to signing a settlement agreement where we basically say, “It wasn’t our fault but here’s a set of actions Beth Israel will put in place so that no doctor is ever allowed again to bring a device into our environment and download patient data to it.”

Continue reading…

Is Deborah Peel up to her old tricks?

Long-time (well, very long-time) readers of THCB will remember my extreme frustration with Patient Privacy Rights founder Deborah Peel, who, as far as I can tell, spent the entire 2000s opposing electronic health data in general and commercial EMR vendors in particular. I even wrote a very critical piece about her and the people from the World Privacy Forum, who I felt were fellow travelers, back in 2008. And perhaps nothing annoyed me more than her consistently claiming that data exchange was illegal and that vendors were selling personally identified health data for marketing and related purposes to non-covered entities (which is illegal under HIPAA).

However, in recent years Deborah has teamed up with Adrian Gropper, whom I respect, and seemed to change her tune from “all electronic data violates privacy and is therefore bad” to “we can do health data in a way that safeguards privacy but achieves the efficiencies of care improvement via electronic data exchange”. But she never really came clean on all those claims about vendors selling personally identified health data, and in a semi-related thread on THCB last week, it all came back, including some outrageous statements on the extent of, value of, and implications of selling personally identified health data. So I’ve decided to move all the relevant comments to this blog post and let the disagreement continue.

What started the conversation was a throwaway paragraph at the end of a comment I left in which I basically told Adrian to rewrite what he was saying in such a way that normal people could understand it. Here’s my last paragraph:

As it is, this is not a helpful open letter, and it makes a bunch of aggressive claims against mostly teeny vendors who have historically been on the patients’ side in terms of accessing data. So Adrian, Deborah & PPR need to do a lot better. Or else they risk being excluded back to the fringes like they were in the days when Deborah & her allies at the World Privacy Forum were making ridiculous statements about the concept of data exchange.

Here’s Deborah’s first comment.

Continue reading…