Tag: HIPAA

The New Bioterrorism? The Hacked Medical Device

A time-and-technology challenged FDA, proliferation of software-controlled medical devices in and outside of hospitals, and growth of hackers have resulted in medical technology that’s riddled with malware. Furthermore, lack of security built into the devices makes them ripe for hacking and malfeasance.

Scenario: a famous figure (say, a politician with an implantable defibrillator or a young rock star with an insulin pump) is targeted by a hacker who patiently works his way into the ICD’s software remotely and delivers the man a shock so strong it’s akin to electrocution.

Got the picture?

Welcome to the dark side of health IT and connected health. Without strong and consistently adopted security technology and policies, this scenario isn’t a wild card: it’s in the realm of possibility. This is not new news: back in 2008, a research team figured out how to program a common pacemaker-defibrillator to transmit a “deadly 830-volt jolt,” according to Barnaby Jack, a security expert.

Who Owns Patient Data?

Who owns a patient’s health information?

· The patient to whom it refers?
· The health provider that created it?
· The IT specialist who has the greatest control over it?

The notion of ownership is inadequate for health information. For instance, no one has an absolute right to destroy health information. But we all understand what it means to own an automobile: You can drive the car you own into a tree or into the ocean if you want to. No one has the legal right to do things like that to a “master copy” of health information.

All of the groups above have a complex series of rights and responsibilities relating to health information that should never be trivialized into ownership.

Raising the question of ownership at all is a hash argument. What is a hash argument? Here’s how Julian Sanchez describes it:

Crafting a Social Media Policy

Today’s Computerworld has a great article about the issues of mixing social media and healthcare.

As hospitals and clinics formulate social networking policies, there are three broad considerations.

1.  Given HIPAA and HITECH privacy and breach rules, how can you best prevent the disclosure of protected healthcare information on insecure social media sites?

2.  Given the distraction factor and productivity loss that can occur with social media, how can you best align the benefits of groupware communication while minimizing the negatives?

3.  How can you reduce the security risks of malware embedded in games and other applications that are downloaded from social networking sites?

To date, Beth Israel Deaconess has focused on #1, ensuring that our employees do not post data to social networking sites in violation of state and federal laws.

We’ve not yet completed a policy covering #2, although several hospital sites and departments are discussing the issue.

We’re developing a pilot for #3, including blocks on selected websites, Facebook add-on applications, and personal email.

Hospitals or Health Plans: Who Do You Trust to “Connect” You with Your Health Records?

Over the past decade, I’ve seen a number of studies asking people whom they trust among various health care stakeholders. Nurses, pharmacists, and doctors always come out at the top. Beyond that:

· Trust of hospitals tends to be high (60–80%)
· Trust of health plans is at the bottom of the heap (10–20%)

Is this written in stone for the future? I don’t think so…and the dynamics for change are in motion. Please read on.

Here’s the emerging picture I’m seeing:

· Hospitals are dragging their feet in connecting you with your electronic health information.
· Health plans are highly motivated to connect you with your health information.

Hospitals Keeping You from Your Health Records

Yesterday the American Hospital Association released a 68-page letter commenting on proposed regs for Meaningful Use Stage 2. Putting aside my usual analytic tendencies, I’ll simply describe the letter as whiny, snivelly, “can’t do”, mean, and thick-headed.

How Much Will a Data Breach Cost You?

The going rate for a compromised medical record seems to be $1000 (well, at least that’s the asking price), as seen in papers filed in the eleven class action lawsuits against Sutter Health following the theft of a desktop computer last fall. The computer contained unencrypted protected health information on about 4.24 million members. The eleven class action suits are likely to be consolidated for ease of handling by the courts.

For an outfit whose most recently reported year-end financials show just under $900 million in income on just over $9 billion in revenue, a $4.24 billion claim certainly qualifies as a big deal. The data breach claims against Sutter Health were filed last year following its self-reporting of the computer theft, and are in the news again due to the potential consolidation.

The company had reportedly begun to encrypt its data last year, starting with more vulnerable mobile devices and moving on to desktop computers, but had not gotten to the desktop in question by the time of the breach. It remains to be seen how these facts end up affecting the final damages awarded in this case.

Paving the Regulatory Road

The poor quality and high cost of health care in the U.S. is well documented. The widespread adoption of electronic medical records—for purposes of improving quality and reducing costs—is key to reversing these trends.[1] But federal privacy regulations do not set clear and consistent rules for access to health information to improve health care quality. Consequently, the regulations serve as a disincentive to robust analysis of information in medical records and may interfere with efforts to accelerate quality improvements. This essay further explains this disincentive and suggests a potential regulatory path forward.

The U.S. has dedicated approximately 47 billion dollars to improve individual and population health through the use of electronic medical records by health care providers and patients.[2] Much of the funding for this initiative, enacted by Congress as part of the Health Information Technology for Economic and Clinical Health Act of 2009, will be used to reimburse physicians and hospitals for the costs of purchasing and implementing electronic medical record systems. The legislation also includes funding to establish infrastructure to enable health care providers to share a patient’s personal health information for treatment and care coordination purposes and for reporting to public health authorities.

Federal policymakers also intend for electronic medical records to be actively used as tools of health system reform. The legislation directs the U.S. Department of Health and Human Services to develop a “nationwide health information technology infrastructure” that improves health care quality, reduces medical errors and disparities, and reduces health care costs from inappropriate or duplicative care.[3] The 2011–2015 Federal Health Information Technology Strategic Plan identifies improving population health, reduction of health care costs, and “achiev[ing] rapid learning” as key goals of federal health information technology initiatives.[4]

How Healthcare’s Embrace of Mobility has Turned Dangerous


No industry has adopted mobility faster than healthcare.

Doctors love their devices. 81% of physicians have smartphones. They also love their apps. 38% of them use medical apps daily. One-third use smartphones or tablets to access electronic medical records today, with another 20% expecting to start using them this year.

For instance, 200 doctors and nurses at Charite Berlin, one of Europe’s largest hospitals, are piloting SAP’s new Electronic Medical Record app on iPad.

The app allows medical providers to trade their clipboards for (electronic) tablets, which present them a clean dashboard that lets them drill down into data such as medical history, medications (and allergies), X-rays and vital signs. It pulls that data down from a speedy SAP HANA in-memory database.

Health Care Social Media – How to Engage Online Without Getting into Trouble

“Why do you rob banks?”

“That’s where the money is.”

The legendary bank robber Willie Sutton, when asked, gave this straightforward response explaining his motivation. A similar motivation may be ascribed to the early adopters among health care providers who have established beachheads on various social media properties online. Why be active in online social networks? That’s where the people are: patients, caregivers, potential collaborators and referral sources, like many, many other people, are using social media more and more. Facebook has become nearly ubiquitous, and its user base is growing not only among the younger set, but also among the older set, who are signing up so they can see pictures of their grandkids. In today’s wired society, online social networking is the new word of mouth. Word-of-mouth referrals (personal recommendations) have always been prized; we have simply moved many of those conversations online.

Over half of Americans rely on the internet when looking for health care information. Many online searches are conducted on behalf of another person. Most people expect their health care providers to be online, providing trustworthy information – and the day of the static website has passed. In addition, a growing subset of the population is comprised of “e-patients” – the “e” stands for educated, engaged and empowered – who seek out health care providers prepared to engage with them both in person and online.

Medical Injustice – Contracts That Suppress Patient Comments About Their Doctors or Dentists


Last week we filed a class action complaint on behalf of the patients of a New York dentist, Stacy Makhnevich, over a form agreement that she imposes on all new patients to try to suppress any online comments on her work that she finds disagreeable. In the form, Makhnevich promises not to evade HIPAA’s patient privacy protection in return for patients’ commitment not to disparage her, not to post any comments about her publicly; if the patient writes anything about the dentist, the patient assigns the copyright in those comments to Makhnevich. Relying on the form, Makhnevich sent one of her patients invoices purporting to bill him a daily hundred-dollar fine for having posted comments about her on Internet review web sites.

The copyright assignment aspect of the agreement is especially dastardly. It is intended to enable the dentist to send a DMCA takedown notice to the host of any web site where the criticism is posted. Because the DMCA protects site hosts from liability for copyright infringement, but only if they act expeditiously to remove infringing material once they receive notice of its presence on their servers, hosts generally respond like Pavlov’s dog to such notices. In theory, copyright could be asserted regardless of whether a comment is true or false, and regardless of whether it is an opinion that is constitutionally protected from libel claims; copyright can also be used as a basis for seeking awards of statutory damages even if there are no real damages.

Lab Results For All!

On September 14, HHS released for comment draft lab results regulations that will, if finalized, effectively bathe the Achilles’ heel of health data in the River Styx of ¡data liberación! All lab results will be made available to patients, just like all other health data. (See the HHS presser and YouTube video from the recent consumer health summit. Todd Park, HHS CTO, is also the chief activist for what he calls ¡data liberación!)

Forgive me for mixing my metaphors (or whatever it is I just did), but even though there are just a couple dozen words of regulations at issue here, this is a big deal.

When HIPAA established a federal right for each individual to obtain a copy of his or her health records, in paper or electronic format, a couple of types of records were called out in the HIPAA Privacy Rule, 45 CFR § 164.524(a)(1), as specifically exempt from this general rule of data liberation: psychotherapy notes, information compiled for use in an administrative or court proceeding, and lab results from what is known as a CLIA lab or a CLIA-exempt lab. These include “reference labs” (as in, your specimens get referred there by the lab that collects them) and freestanding labs that a patient may be referred to for a test. They are not the labs that are in-house at many doctors’ offices, hospitals and other health care facilities — the in-house labs are part of the “parent” provider organization, and their results are part of the parent’s health records already subject to HIPAA.
