The going rate for a compromised medical record seems to be $1000 (well, at least that’s the asking price) as seen in papers filed in the eleven class action lawsuits against Sutter Health following the theft of a desktop computer last fall. The computer contained unencrypted protected health information on about 4.24 million members. The eleven class action suits are likely to be consolidated for ease of handling by the courts.
For an outfit whose most recently reported year-end financials show just under $900 million in income on just over $9 billion in revenue, a $4.24 billion claim certainly qualifies as a big deal. The data breach claims against Sutter Health were filed last year following its self-reporting of the computer theft, and are in the news again due to the potential consolidation.
The company had reportedly begun to encrypt its data last year, starting with more vulnerable mobile devices, and moving on to desktop computers, but had not gotten to the desktop in question by the time of the breach. It remains to be seen how these facts end up affecting the final damages awarded in this case.
The poor quality and high cost of health care in the U.S. is well documented. The widespread adoption of electronic medical records—for purposes of improving quality and reducing costs—is key to reversing these trends. But federal privacy regulations do not set clear and consistent rules for access to health information to improve health care quality. Consequently, the regulations serve as a disincentive to robust analysis of information in medical records and may interfere with efforts to accelerate quality improvements. This essay further explains this disincentive and suggests a potential regulatory path forward.
The U.S. has dedicated approximately 47 billion dollars to improve individual and population health through the use of electronic medical records by health care providers and patients. Much of the funding for this initiative, enacted by Congress as part of the Health Information Technology for Economic and Clinical Health Act of 2009, will be used to reimburse physicians and hospitals for the costs of purchasing and implementing electronic medical record systems. The legislation also includes funding to establish infrastructure to enable health care providers to share a patient’s personal health information for treatment and care coordination purposes and for reporting to public health authorities.
Federal policymakers also intend for electronic medical records to be actively used as tools of health system reform. The legislation directs the U.S. Department of Health and Human Services to develop a “nationwide health information technology infrastructure” that improves health care quality, reduces medical errors and disparities, and reduces health care costs from inappropriate or duplicative care.The 2011-2015 Federal Health Information Technology Strategic Plan identifies improving population health, reduction of health care costs, and “achiev[ing] rapid learning” as key goals of federal health information technology initiatives.
The app allows medical providers to trade their clipboards for (electronic) tablets, which present them a clean dashboard that lets them drill down into data such as medical history, medications (and allergies), X-rays and vital signs. It pulls that data down from a speedy SAP Hana in-memory database.
The legendary bank robber Willie Sutton, when asked, gave this straightforward response explaining his motivation. A similar motivation may be ascribed to the early adopters among health care providers who have established beachheads on various social media properties on line. Why be active in on line social networks? That’s where the people are: patients, caregivers, potential collaborators and referral sources, like many, many other people, are using social media more and more. Facebook has become nearly ubiquitous, and its user base is growing not only among the younger set, but also among the older set, who are signing up so they can see pictures of their grandkids. In today’s wired society, on line social networking is the new word of mouth. Word-of-mouth referrals, personal recommendations, have always been prized; we have simply moved many of those conversations on line.
Over half of Americans rely on the internet when looking for health care information. Many on line searches are conducted on behalf of another person. Most people expect their health care providers to be on line, providing trustworthy information – and the day of the static website has passed. In addition, a growing subset of the population is comprised of “e-patients” – the “e” stands for educated, engaged and empowered – who seek out health care providers prepared to engage with them both in person and on line.
Last week we filed a class action complaint on behalf of the patients of a New York dentist, Stacy Makhnevich, over a form agreement that she imposes on all new patients to try to suppress any online comments on her work that she finds disagreeable. In the form, Makhnevich promises not to evade HIPAA’s patient privacy protection in return for patients’ commitment not to disparage her, not to post any comments about her publicly; if the patient writes anything about the dentist, the patient assigns the copyright in those comments to Makhnevich. Relying on the form, Makhnevich sent one of her patients invoices purporting to bill him a daily hundred-dollar fine for having posted comments about her on Internet review web sites.
The copyright assignment aspect of the agreement is especially dastardly. It is intended to enable the dentist to send a DMCA takedown notice to the host of any web site where the criticism is posted. Because the DMCA protects site hosts from liability for copyright infringement, but only if they act expeditiously to remove infringing material once they receive notice of its presence on their servers, hosts generally respond like Pavlov’s dog to such notices. In theory, copyright could be asserted regardless of whether a comment is true or false, and regardless of whether it is an opinion that is constitutionally protected from libel claims; copyright can also be used as a basis for seeking awards of statutory damages even if there are no real damages.
On September 14, HHS released for comment draft lab results regulations that will, if finalized, effectively bathe the Achilles’ heel of health data in the River Styx of ¡data liberación! All lab results will be made available to patients, just like all other health data. (See the HHS presser and YouTube video from the recent consumer health summit. Todd Park, HHS CTO, is also the chief activist for what he calls ¡data liberación!)
Forgive me for mixing my metaphors (or whatever it is I just did), but even though there are just a couple dozen words of regulations at issue here, this is a big deal.
When HIPAA established a federal right for each individual to obtain a copy of his or her health records, in paper or electronic format, there were a couple of types of records called out as specifically exempt from this general rule of data liberation, in the HIPAA Privacy Rule, 45 CFR § 164.524(a)(1): psychotherapy notes, information compiled for use in an administrative or court proceeding, and lab results from what is known as a CLIA lab or a CLIA-exempt lab (including “reference labs,” as in your specimens get referred there by the lab that collects them, or freestanding labs that a patient may be referred to for a test; these are not the labs that are in-house at many doctors’ offices, hospitals and other health care facilities — the in-house labs are part of the “parent” provider organization and their results are part of the parents’ health records already subject to HIPAA).Continue reading…
Personal data privacy once again has taken front stage in Sorrel v. IMS Health, Inc. Vermont passed the Vermont Confidentiality of Prescription Information Law that allows doctors which prescribe drugs to patients, to decide whether pharmacies can sell their prescription drug prescription records. IMS Health as well as other health information companies contested the law, arguing that the law poses a restriction on commercial speech as access to such information helps pharmaceutical companies market their drugs effectively to doctors. The Supreme Court is now tasked with determining the constitutionality of the restriction on access to prescription information with regards to our First Amendment. 
However, this post is focused on the secondary effects asserted in amici curiae briefs supporting the petitioners of allowing companies to purchase such information, specifically the concern of data privacy and patient re-identification.  Under the Health Information Portability and Accountability Act (HIPAA), personal health information is de-identified by your local pharmacy prior to such information being shared with any third party. By de-identifying the data, your personal data cannot, it is believed, be linked or traced back to you. De-identifying your health information is a way for covered entities to share your information without your consent or authorization and in accordance with the law. The information once shared is completely anonymized. After the transfer to a third party, like IMS Health, your information is solely data of zeros and ones that translate to dates of dispensing and drug names. No longer does your prescription record list your name or month or day of birth. Continue reading…
In recent years many health care providers and managers have told me, time and again, that the health care world is accustomed to managing confidential patient information, and therefore doesn’t need much in the way of social media training and policy development. This week brings news that should make those folks sit up and take notice. A physician in Rhode Island, who was fired for a Facebook faux pas, has now been fined by the state medical board as well. The physician posted a little too much information on Facebook — information about a patient that, combined with other publicly available information, allowed third parties to identify the patient. The details of the story are available here and here.
The key takeaway from this story — and the Johnny-come-lately approach to health care social media taken by the Rhode Island hospital in question and the Boston teaching hospital that the Boston Globe turned to for comment — is that prevention is the best medicine.
Facebook and other social media are a fact of life, and cannot be ignored by health care providers and organizations. They can even be used as a force for good. As one example, take note of the recently-announced initiative by my colleague, Dr. Val, to start up a peer-reviewed tweetstream, @HealthyRT. At he very least, health care providers and organizations should be monitoring social media for mentions so that they can reach out, as may be necessary, to address health care and public relations issues.Continue reading…
One day before the first of April, HHS published the much anticipated rules defining the creation and operations of Accountable Care Organizations (ACO) spanning 429 pages of business regulation, analysis of various options available, proposed solutions and ways to measure and reward (punish) success (failure) in achieving HHS seemingly incompatible goals of providing better care for less money. I am fairly certain that health policy experts, health care economists and the multitude of industry stakeholders will be dissecting and analyzing the hefty document in great detail in the coming weeks. I started reading the document with an eye towards the ACO implications for HIT, which as expected are many, but something on page 108 made me stop in my tracks. HHS is proposing to share personally identifiable health information (PHI) contained in Medicare claims with ACO providers unless patients “opt-out”.
Beginning on page 108 and through 22 pages of tortured arguments, HHS makes the case for the legality and benefits of providing ACOs with PHI contained in Medicare claims, unless the patient actively withdraws consent for this type of transaction. The argument for the legality of claim data sharing rests on the nebulous HIPAA clause which allows disclosure of PHI for “health care operations” within a web of covered entities and business associates connecting the ACO with Medicare and other providers of health care services for a particular patient. HHS is proposing to make available four types of medical information to participating ACOs:Continue reading…
The Health 2.0 movement has seen incredible growth recently, with new tools and services continuously being released. Of course, Health 2.0 developers face a number of challenges when it comes to getting providers and patients to adopt new tools, including integrating into a health system that is still mostly paper-based. Another serious obstacle facing developers is how to interpret and, where appropriate, comply with the HIPAA privacy and security regulations.
Questions abound when it comes to Health 2.0 and HIPAA, and it’s vital we get them answered, both for the sake of protecting users’ privacy and to ensure people are able to experience the full benefits of innovative Health 2.0 tools. We can’t afford to see the public’s trust in new health information technology put at risk, nor can we afford to have innovation stifled.
To help solve this problem, the Center for Democracy & Technology (CDT) has launched a crowdsourcing project to determine the most vexing Health 2.0/HIPAA questions.
Once CDT has received your questions, we’ll use them to urge the Office of Civil Rights, which enforces HIPAA, to provide clarification. We’ll accept questions until Feb. 11, 2011, so please weigh in soon, and ask others to do the same.