I’m sure you get a lot of hate mail, especially from folks in my profession, so when you got this letter from me you probably assumed it was more of the same. Let me reassure you: I am not one of those docs. I do think patient privacy is important, and actually found you quite useful when facing unwanted probing questions from family members. I believe the only way for patients to really open up to docs like me is to have a culture of respect for privacy, and you are a large part of that trust I can enjoy. Yeah, there was trust before you were around, but that was before the internet, and before people used words like “social media,” and “data mining.”
But there have been things done in your name that I’ve recently come in contact with that make me conclude that either A: you are very much misunderstood, or B: you have a really dark side.
The latest news story to examine the issue of patient access to implantable cardiac defibrillator data (a variation on the theme of “gimme my damn data”) is an in-depth, Page One Wall Street Journal story featuring Society for Participatory Medicine members Amanda Hubbard and Hugo Campos. They have garnered attention in the past – one example is another piece on Hugo on the NPR Shots blog about six months back. The question posed by these individuals is simple — May I have access to the data collected and/or generated by the medical device implanted in my body? — but the responses to the question have been anything but. It is important to note that not every patient in Amanda’s or Hugo’s shoes would want the data in as detailed a format as they are seeking to obtain, and we should not impose the values of a data-hungry Quantified Self devotee on every similarly-situated patient. Different strokes for different folks.
The point is that if a patient wants access to this data he or she should be able to get it. What can a patient do with this data? For one thing: correlate activities with effects (one example given by Hugo is his correlation of having a drink of scotch with the onset of an arrhythmia — correlated through manual recordkeeping — which led him to give up scotch) and thereby have the ability to manage one’s condition more proactively.
We can get copies of our medical records from health care professionals and facilities within 30 days under HIPAA — and within a just a few days if our providers are meaningful users of certified electronic health records (it ought to be quicker than that … some day). In some states now, and in all states sometime soon (we hope), we can get copies of our lab results as soon as they are available to our clinicians.
A time-and-technology challenged FDA, proliferation of software-controlled medical devices in and outside of hospitals, and growth of hackers have resulted in medical technology that’s riddled with malware. Furthermore, lack of security built into the devices makes them ripe for hacking and malfeasance.
Scenario: a famous figure (say, a politician with an implantable defibrillator or young rock star with an insulin pump) becomes targeted by a hacker, who industriously virtually works his way into the ICD’s software and delivers the man a shock so strong it’s akin to electrocution.
Got the picture?
Welcome to the dark side of health IT and connected health. Without strong and consistently adopted security technology and policies, this scenario isn’t a wild card: it’s in the realm of possibility. This is not new-news: back in 2008, a research team figured out how to program a common pacemaker-defibrillator to transmit a “deadly 830-volt jolt,” according to Barnaby Jack, a security expert.
Who owns a patient’s health information?
·The patient to whom it refers?
·The health provider that created it?
·The IT specialist who has the greatest control over it?
The notion of ownership is inadequate for health information. For instance, no one has an absolute right to destroy health information. But we all understand what it means to own an automobile: You can drive the car you own into a tree or into the ocean if you want to. No one has the legal right to do things like that to a “master copy” of health information.
All of the groups above have a complex series of rights and responsibilities relating to health information that should never be trivialized into ownership.
Raising the question of ownership at all is a hash argument. What is a hash argument? Here’s how Julian Sanchez describes it:
Today’s Computerworld has a great article about the issues of mixing social media and healthcare.
As hospitals and clinics formulate social networking policies, there are three broad considerations.
1. Given HIPAA and HITECH privacy and breach rules, how can you best prevent the disclosure of protected healthcare information on insecure social media sites?
2. Given the distraction factor and productivity loss that can occur with social media, how can you best align the benefits of groupware communication while minimizing the negatives?
3. How can you reduce the security risks of malware embedded in games and other applications that are downloaded from social networking sites?
To date, Beth Israel Deaconess has focused on #1, ensuring that our employees do not post data to social networking sites in violation of state and federal laws.
We’ve not yet completed a policy covering #2, although several hospital sites and departments are discussing the issue.
We’re developing a pilot for #3, including blocks on selected websites, Facebook add-on applications, and personal email.
Over the past decade, I’ve seen a number of studies asking people whom they trust among various health care stakeholders. Nurses, pharmacists, and doctors always come out at the top. Beyond that:
·Trust of hospitals tends to be high (60–80%)
·Trust of health plans is at the bottom of the heap (10–20%)
Is this written in stone for the future? I don’t think so…and the dynamics for change are in motion. Please read on.
Here’s the emerging picture I’m seeing:
·Hospitals are dragging their feet in connecting you with your electronic health information.
·Health plans are highly motivated to connect you with your health information.
Hospitals Keeping You from Your Health Records
Yesterday the American Hospital Association released a 68 page letter commenting on proposed regs for Meaningful Use Stage 2. Putting aside my usual analytic tendencies, I’ll simply describe the letter as whiny, snivelly, “can’t do”, mean, and thick-headed.
The going rate for a compromised medical record seems to be $1000 (well, at least that’s the asking price) as seen in papers filed in the eleven class action lawsuits against Sutter Health following the theft of a desktop computer last fall. The computer contained unencrypted protected health information on about 4.24 million members. The eleven class action suits are likely to be consolidated for ease of handling by the courts.
For an outfit whose most recently reported year-end financials show just under $900 million in income on just over $9 billion in revenue, a $4.24 billion claim certainly qualifies as a big deal. The data breach claims against Sutter Health were filed last year following its self-reporting of the computer theft, and are in the news again due to the potential consolidation.
The company had reportedly begun to encrypt its data last year, starting with more vulnerable mobile devices, and moving on to desktop computers, but had not gotten to the desktop in question by the time of the breach. It remains to be seen how these facts end up affecting the final damages awarded in this case.
The poor quality and high cost of health care in the U.S. is well documented. The widespread adoption of electronic medical records—for purposes of improving quality and reducing costs—is key to reversing these trends. But federal privacy regulations do not set clear and consistent rules for access to health information to improve health care quality. Consequently, the regulations serve as a disincentive to robust analysis of information in medical records and may interfere with efforts to accelerate quality improvements. This essay further explains this disincentive and suggests a potential regulatory path forward.
The U.S. has dedicated approximately 47 billion dollars to improve individual and population health through the use of electronic medical records by health care providers and patients. Much of the funding for this initiative, enacted by Congress as part of the Health Information Technology for Economic and Clinical Health Act of 2009, will be used to reimburse physicians and hospitals for the costs of purchasing and implementing electronic medical record systems. The legislation also includes funding to establish infrastructure to enable health care providers to share a patient’s personal health information for treatment and care coordination purposes and for reporting to public health authorities.
Federal policymakers also intend for electronic medical records to be actively used as tools of health system reform. The legislation directs the U.S. Department of Health and Human Services to develop a “nationwide health information technology infrastructure” that improves health care quality, reduces medical errors and disparities, and reduces health care costs from inappropriate or duplicative care.The 2011-2015 Federal Health Information Technology Strategic Plan identifies improving population health, reduction of health care costs, and “achiev[ing] rapid learning” as key goals of federal health information technology initiatives.
No industry has adopted mobility faster than healthcare.
Doctors love their devices. 81% of physicians have smartphones. They also love their apps. 38% of them use medical apps daily. One-third use smartphones or tablets to access electronic medical records today, with another 20% expecting to start using them this year.
For instance, 200 doctors and nurses at Charite Berlin, one of Europe’s largest hospitals, are piloting SAP’s new Electronic Medical Record app on iPad.
The app allows medical providers to trade their clipboards for (electronic) tablets, which present them a clean dashboard that lets them drill down into data such as medical history, medications (and allergies), X-rays and vital signs. It pulls that data down from a speedy SAP Hana in-memory database.
“Why do you rob banks?”
“That’s where the money is.”
The legendary bank robber Willie Sutton, when asked, gave this straightforward response explaining his motivation. A similar motivation may be ascribed to the early adopters among health care providers who have established beachheads on various social media properties on line. Why be active in on line social networks? That’s where the people are: patients, caregivers, potential collaborators and referral sources, like many, many other people, are using social media more and more. Facebook has become nearly ubiquitous, and its user base is growing not only among the younger set, but also among the older set, who are signing up so they can see pictures of their grandkids. In today’s wired society, on line social networking is the new word of mouth. Word-of-mouth referrals, personal recommendations, have always been prized; we have simply moved many of those conversations on line.
Over half of Americans rely on the internet when looking for health care information. Many on line searches are conducted on behalf of another person. Most people expect their health care providers to be on line, providing trustworthy information – and the day of the static website has passed. In addition, a growing subset of the population is comprised of “e-patients” – the “e” stands for educated, engaged and empowered – who seek out health care providers prepared to engage with them both in person and on line.