Tag: HIPAA

Washington In Crisis: ONC Announces That It Will Not Tweet Or Respond to Tweets During Shutdown

The U.S. government shutdown continues to claim victims.

The latest is HealthIT.gov, the website designed to help doctors and hospitals make the transition to electronic records and make better use of health information technology – a key component of Obamacare’s drive to transform healthcare.

The Health Information Technology Office of the National Coordinator posted a brief announcement on the site informing visitors to HealthIT.gov that “information … may not be up to date, transactions submitted via the website may not be processed and the agency may not be able to respond to inquiries until appropriations have been enacted.”

Officials also sent a tweet saying that the ONC regrets to inform us that while the shutdown continues it will “not tweet or respond to tweets.”

This struck THCBist as slightly odd.

After all, if you’re looking for an inexpensive way to communicate with the public in a pinch, Twitter seems like the perfect choice.  We get that government websites are ridiculously expensive things to run. Blogs are considerably cheaper.  Operating a Twitter account — on the other hand — is almost free.  Our brains were flooded with scenarios.  How much could the ONC possibly be spending on Twitter? And for that matter, didn’t the Department of Defense originally invent the Internet to allow for  emergency communication during times of national crisis? Doesn’t a fiscal insurrection by cranky Republicans qualify?

Fallout for the National Health IT Program

While federal officials have issued repeated assurances that the shutdown will not impact the Obamacare rollout, it does look as though there will be a fairly serious impact on the administration’s health IT program.  If HHS sticks to script, only 4 of 184 ONC employees will remain on duty during the shutdown. That makes it sound like activities are going to have to be scaled back just a bit.

If you’re counting on getting an incentive payment from the government for participation in the electronic medical records program, you may be in trouble — at least until the stalemate is settled.  Although ONC has not yet made an official statement,  presumably because the aforementioned Twitter channel has been disabled, leaving the agency unable to speak to or otherwise communicate with the public, going by the available information in the thirteen-page contingency plan drafted by strategists at HHS, it is unclear where the money will come from.

This could be bad news for electronic medical records vendors counting on the incentive program to drive sales as the Obamacare rollout gets officially underway.

Continue reading…

A Troubling Strategy at Health IT Week

Health IT Week demonstrated a double barrel strategy to segregate patient information from provider information. Providers already have the power to set prices and health IT plays the central role.

By rebranding HIPAA as “Meaningful Consent” and making patients second-class citizens in Meaningful Use Stage 2 interoperability, providers and regulators are working together to keep it that way.

Essential consumer protections such as price transparency or independent decision support are scarce in the US healthcare system. The journalists are shouting from the rooftops.

There’s  $1 Trillion (yes, $3,000 per person per year) of unwarranted and overpriced health services steering the Federal health IT bus with an information asymmetry strategy. Those of us that want to see universal coverage succeed need the information transparency tools to drive for changes.

Here’s how it works: The Department of Health and Human Services (HHS) controls the health IT incentives and regulations. HIPAA applies to most licensed health services providers. Laboratories and devices are regulated by Medicare and the FDA.

Unlicensed services offered directly to patients, such as personal health records, web info sites and apps are regulated by the FTC. Separate regulatory domains facilitate the segregation of information and contribute to the lack of transparency by making patient-directed services use delayed and degraded information. This keeps independent advice from FTC-regulated service providers from illuminating the specific abuses.

The segregation of patient information from “provider” information is the current federal regulatory strategy. It’s even more so in the states. By making patients into second-class citizens, the providers can avoid open scrutiny, transparent pricing, and independent decision support.

Federal regulators then create a parallel system where information is delayed, diluted, and depreciated by lack of “authenticity”. This is promoted as “patient engagement”. For regulators, it’s a win-win solution: the providers support the regulation that enables their price fixing and many patient advocates get to swoon over patient engagement efforts.

The proof of this strategy became clear on the first day of Health IT Week – the Consumer Health IT Summit.

Continue reading…

Give Us Our Damn Lab Results!!

Two years ago, the Department of Health and Human Services released proposed regulations that would allow patients to obtain their clinical lab test results directly from the lab, rather than having to wait to receive the results from their health care provider.  CDT and other consumer groups enthusiastically supported this proposed rule at the time of its release.

Yet an Administration largely characterized by increasing patient access to health information seems inexplicably unable to close the deal on this important access initiative.  As a result, patients still must wait for their providers to contact them with test results.

Under the current regulations, known as the Clinical Laboratory Improvement Amendments (CLIA), laboratories are restricted from disclosing test results to patients directly.  Instead, labs can only send the test results to health care providers, people authorized to receive test results under state law or other labs. Only a handful of states permit labs to send patients test results directly, and some of these states require the provider’s permission before patients can have the results.  The HIPAA Privacy Rule reflects this restriction, exempting CLIA-regulated labs (which are the great majority of clinical labs) from patients’ existing right to access their health information.

This existing regime has put patients at risk. A 2009 study published in the Archives of Internal Medicine indicated that providers failed to notify patients (or document notification) of abnormal test results more than 7 percent of the time. The National Coordinator for Health IT recently put the figure at 20 percent.  This failure rate is dangerous, as it could lead to more medical errors and missed opportunities for valuable early treatment.

The 2011 proposed regulations would modify CLIA to permit labs to send results directly to patients, and they would also modify the HIPAA Privacy Rule to give patients the right to access or receive their lab results.  Contrary state laws would be preempted.  Patients would have the ability to request their lab results in a particular form or format, as with their other health information; for example, patients could request a paper copy of their test results, or to have the results sent electronically to their personal health records.

Continue reading…

A New Way to Sue Health Care Professionals Using HIPAA?

Walgreens has been ordered to pay $1.44 million in a lawsuit brought against it for a violation of the Health Insurance Portability and Accountability Act (HIPAA) by one of its pharmacist employees.  While this may not sound like a big deal, this case represents only the second time HIPAA has been successfully used this way in court and it could have serious repercussions on the health care system.

The story begins when a Walgreens pharmacist looked up the medical records of her husband’s ex-girlfriend, whom she suspected gave her husband an STD. Apparently she found what she was looking for and told her husband about it, who then sent a text message to his ex and informed her that he knew all about her results.

The ex did not appreciate this, and told the Walgreens pharmacy about what happened.  At some point after that, the pharmacist accessed the ex’s medical records again, and eventually the ex filed a lawsuit against Walgreens, claiming it was responsible for the HIPAA violation because it failed to properly educate and supervise its employee.

Walgreens argued what the pharmacist did fell outside of her job duties and therefore it was not responsible for the breach.  The judge and jury disagreed, and the jury decided Walgreens was responsible for 80% of the damages owed the plaintiff (so I guess that means the total judgement for the plaintiff was $1.8 million). Walgreens has already said it will appeal.

As I said above, it may not sound like a big deal, but it potentially is.

Although HIPAA has a mechanism by which health care providers can be subject to federal civil and criminal penalties for violations, conventional legal wisdom says HIPAA does not allow for a “private cause of action”, meaning a private individual cannot sue a health care provider for breaching their medical privacy.

Or at least that’s how HIPAA used to be interpreted, before Neal Eggeson, the enterprising young attorney who successfully argued the only two cases in which HIPAA has been used in this fashion, came along.

Continue reading…

Should Doctors Keep Patients’ HIV Status a Secret?

At my infectious-diseases clinic in Southeast Washington, I work with some of the city’s most indigent patients. Some don’t have jobs, a home, a car or enough to eat. But recently, I saw a patient whose problem made these issues seem trivial.

Dealing with fatigue, a cough and a fever for several months, this woman in her 40s had been evaluated by four internists. They had tested her for a variety of conditions but not HIV. Each had recommended rest, two prescribed antibiotics, and one suggested an over-the-counter cough medicine. Experiencing no physical relief from these suggestions, the woman had decided to “lay down and die.”

However, after her longtime partner insisted she get medical help, she agreed to go to a hospital emergency room. After a rapid test, which she initially refused because she said she was not at risk for HIV, she learned that she was HIV-positive.

After that ER visit, she brought her partner, whom she credits with saving her life, to my clinic to be tested; she was concerned that she had transmitted the virus to him. He tested positive. About a week later, when he accompanied her to an appointment with me, I asked if he had been seen by a doctor to discuss treatment. He said no and indicated that he wanted to establish care in the clinic.

When I asked if he had ever been on HIV drugs, he gazed at the medication chart and pointed out his previous regimen, a cocktail that contained indinavir. Because I and many other doctors stopped prescribing this medication a decade ago, I knew he had been keeping his condition from her for years. He stopped talking and avoided my gaze. It was clear he knew that I had learned his secret. I had many questions for him; but this visit was for her.

It was not the right moment to dredge up this history and ask how he could keep his diagnosis hidden while watching his partner struggle with her health. I chose not to ask about his dishonesty, their relationship and whether they had used condoms to protect her from getting HIV. At this point, I needed to help her understand that, even though she felt weak and sick, the medications would soon make her feel better. And that, with the right treatment, she could still live a long life.

While talking with my patient about her treatment, my mind kept wandering back to her partner’s secret. Was it my role to admonish him in front of her, or would that make things worse? What would they say to each other when they got home? I wanted to discuss these questions, but did I have a right to insert my judgment into this situation? At a private visit with me two weeks later, she let me know that this was the moment she realized he’d been keeping his diagnosis from her for years.

As a physician, I am not allowed to reveal any medical information about my patients or their circumstances without their written permission. This confidentiality is sacred. But in this case, that constraint felt inappropriate and irresponsible.

Continue reading…

The IRS Scandal: Implications for HIPAA and the Affordable Care Act

As my head reels at the implications of the IRS scandal mushrooming in Washington, the IRS’s recently disclosed ability to access e-mails without warrant, the intricacy of the NSA PRISM wiretap techniques that include their ability to acquire tech firms’ digital data, and even the Justice Department’s ability to secretly acquire telephone toll records from the Associated Press, I wonder (as a doctor) what all this means for the privacy protections afforded by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in our new era of mandated electronic medical records.  Are such privacy protections credible at all?

It doesn’t seem so.

Now it seems everyone’s health data is just as vulnerable to federal review as their Google search data.  This is not a small issue.  We have already seen that discovering “leaks” of personal health information has produced some very handsome rewards for the feds, so it is not beyond reason to think that HIPAA might also be a funding tool for our government health care administration disguised as a beneficent effort to protect the health care data of our populace.

But even more concerning is the role the IRS scandal has for America’s health care system.  After all, the Affordable Care Act is ultimately funded by the IRS by administering some 47 tax provisions.  These include the right to levy a penalty against businesses and individuals who don’t provide or acquire insurance and determining how to distribute annual subsidies to 18 million people who make less than $45,000 a year and thus qualify for subsidies in buying health coverage. In addition, the agency will collect taxes on medical devices and a surtax on people making more than $200,000 a year, as well as conducting compliance audits of tax-exempt hospitals.

Continue reading…

Datapalooza Report on Data Economics and a Call for Reciprocity

Uwe Reinhardt said it perfectly in a Tuesday plenary but I can only paraphrase his point: “health information is a public good that brings more wealth the more people use it.” Or, as Doc Searls puts it: personal data is worth more the more it is used. Datapalooza is certainly the largest meeting of the year focused on health data, and our Health and Human Services data liberation army was in full regalia. My assessment is: so far, so good but, as always, each data liberation maneuver also reveals the next fortified position just ahead. This post will highlight reciprocity as a new challenge to the data economy.

The economic value of health data is immense. Without our data it’s simply impossible to independently measure quality, get independent second opinions or control family health expenses. The US is wasting $750 Billion per year on health care which boils down to $3,000 per year that each man, woman and child is flushing down the drain.

Data liberation is a battle in the cloud and on the ground. In the cloud, we have waves of data releases from massive federal data arsenals. These are the essential roadmap or graph to guide our health policy decisions. I will say no more about this because I expect Fred Trotter (who is doing an amazing job of leading in this space) will cover the anonymous and statistical aspects of the data economy. Data in the cloud provides the basis for clinical decision support.
Continue reading…

Box Picking Up Where Google Health Left Off

You probably saw some of the headlines last week where Box announced that it is supporting HIPAA and HITECH compliance, signing Business Associate Agreements (BAAs), and integrating with several platform app partners such as Doximity, drchrono, TigerText, and Medigram to help seed its new healthcare ecosystem.  I also announced that I was formally advising Box on their healthcare strategy.

I was drawn to Box because of all the lessons I learned at Google building a consumer-directed, personal health record (PHR), Google Health. Google Health allowed you to securely store, organize and share all of your medical records online and control where your data went and how it was managed. It was unlike the other PHRs in the industry that were tethered to the provider or payor or part of an Electronic Health Record (EHR) system.

Sound good? Well, it was in theory. The big issue with Google Health was aggregating your data from the disparate sources that stored data on you.  We had to create a ton of point-to-point integrations with large health insurance companies, academic medical centers, hospitals, medical practices and retail pharmacy chains. All of these providers and payors were covered entities in the world of HIPAA and were required to verify a patient’s identity before releasing any data to them electronically. It was a very bumpy user experience for even the most super-charged, IT savvy consumer.

Continue reading…

What Does HIPAA Have to Do With Gun Control? Maybe More Than You Think.


There aren’t many who would quibble with an argument that those with severe mental illness—specifically, individuals “who have been involuntarily committed to a mental institution, found incompetent to stand trial or not guilty by reason of insanity, or otherwise have been [legally judged] to have a severe mental condition that results in the individuals presenting a danger to themselves or others”—should not be able to purchase firearms. Right? Right.

Making that law isn’t actually the trouble (expanding background checks is, of course, a different story). It’s already law, and has been on the books for a while. The trouble is enforcing it.

The federal government maintains the National Instant Criminal Background Check System (NICS), a database of people who are federally prohibited from purchasing guns, including felons, people convicted of domestic violence, and individuals who meet the extreme mental illness criteria above. Except:

Federal law does not require State agencies to report to the NICS the identities of individuals who are prohibited by Federal law from purchasing firearms, and not all states report complete information to the NICS.

To recap: We have federal criteria that prohibit certain individuals from buying firearms. The feds maintain a database of known individuals for background checks (which take 30 seconds, per the regulation). But states aren’t required to offer the names of “prohibitors” to the database.

Continue reading…

“Did You Take Care of Tsarnaev?”

I am affiliated with the institution where Dzhokhar Tsarnaev is currently hospitalized.  I am friends with people who have treated him.  I’m trying to stay away from those people; I would be unable to help asking them about him.  They might be unable to help talking about him.    There has been a flurry of emails and red-letter warnings cautioning people here not to talk about Mr. Tsarnaev or look him up on the EMR (Electronic Medical Record) system.  Despite this there have been leaks of information and photos from various sources.  It is virtually impossible to keep people from asking about him and talking about him.  Curiosity is human nature.  When human nature comes up against morals and laws, human nature will win a good percentage of the time.  The question is:  given what he has done, does this 19-year-old still have his right to privacy?

The answer, of course, is yes.  The American Medical Association includes patient confidentiality in its ethical guidelines:

“…the purpose of a physician’s ethical duty to maintain patient confidentiality is to allow the patient to feel free to make a full and frank disclosure of information…with the knowledge that the physician will protect the confidential nature of the information disclosed.”

There are legal guidelines as well, most notably with the Health Insurance Portability and Accountability Act, or HIPAA.  This law was originally passed in 1996 to improve the efficiency and effectiveness of the health care system, allow people to switch jobs without losing their health insurance, and impose some rules on electronic medical information. Congress incorporated into HIPAA provisions that mandate the adoption of the Federal privacy protections for health information.  The “simplified” administrative document for the privacy and security portions of HIPAA is 80 pages long.  Basically your health information cannot be shared with ANYONE. Of course, there are exceptions to HIPAA.

Continue reading…
