A time-and-technology challenged FDA, proliferation of software-controlled medical devices in and outside of hospitals, and growth of hackers have resulted in medical technology that’s riddled with malware. Furthermore, lack of security built into the devices makes them ripe for hacking and malfeasance.
Scenario: a famous figure (say, a politician with an implantable defibrillator or young rock star with an insulin pump) becomes targeted by a hacker, who industriously virtually works his way into the ICD’s software and delivers the man a shock so strong it’s akin to electrocution.
Got the picture?
Welcome to the dark side of health IT and connected health. Without strong and consistently adopted security technology and policies, this scenario isn’t a wild card: it’s in the realm of possibility. This is not new-news: back in 2008, a research team figured out how to program a common pacemaker-defibrillator to transmit a “deadly 830-volt jolt,” according to Barnaby Jack, a security expert.
·The patient to whom it refers?
·The health provider that created it?
·The IT specialist who has the greatest control over it?
The notion of ownership is inadequate for health information. For instance, no one has an absolute right to destroy health information. But we all understand what it means to own an automobile: You can drive the car you own into a tree or into the ocean if you want to. No one has the legal right to do things like that to a “master copy” of health information.
All of the groups above have a complex series of rights and responsibilities relating to health information that should never be trivialized into ownership.
Over the past decade, I’ve seen a number of studies asking people whom they trust among various health care stakeholders. Nurses, pharmacists, and doctors always come out at the top. Beyond that:
·Trust of hospitals tends to be high (60–80%)
·Trust of health plans is at the bottom of the heap (10–20%)
Is this written in stone for the future? I don’t think so…and the dynamics for change are in motion. Please read on.
Here’s the emerging picture I’m seeing:
·Hospitals are dragging their feet in connecting you with your electronic health information.
·Health plans are highly motivated to connect you with your health information.
Hospitals Keeping You from Your Health Records
Yesterday the American Hospital Association released a 68 page letter commenting on proposed regs for Meaningful Use Stage 2. Putting aside my usual analytic tendencies, I’ll simply describe the letter as whiny, snivelly, “can’t do”, mean, and thick-headed.
The going rate for a compromised medical record seems to be $1000 (well, at least that’s the asking price) as seen in papers filed in the eleven class action lawsuits against Sutter Health following the theft of a desktop computer last fall. The computer contained unencrypted protected health information on about 4.24 million members. The eleven class action suits are likely to be consolidated for ease of handling by the courts.
For an outfit whose most recently reported year-end financials show just under $900 million in income on just over $9 billion in revenue, a $4.24 billion claim certainly qualifies as a big deal. The data breach claims against Sutter Health were filed last year following its self-reporting of the computer theft, and are in the news again due to the potential consolidation.
The company had reportedly begun to encrypt its data last year, starting with more vulnerable mobile devices, and moving on to desktop computers, but had not gotten to the desktop in question by the time of the breach. It remains to be seen how these facts end up affecting the final damages awarded in this case.
The poor quality and high cost of health care in the U.S. is well documented. The widespread adoption of electronic medical records—for purposes of improving quality and reducing costs—is key to reversing these trends. But federal privacy regulations do not set clear and consistent rules for access to health information to improve health care quality. Consequently, the regulations serve as a disincentive to robust analysis of information in medical records and may interfere with efforts to accelerate quality improvements. This essay further explains this disincentive and suggests a potential regulatory path forward.
The U.S. has dedicated approximately 47 billion dollars to improve individual and population health through the use of electronic medical records by health care providers and patients. Much of the funding for this initiative, enacted by Congress as part of the Health Information Technology for Economic and Clinical Health Act of 2009, will be used to reimburse physicians and hospitals for the costs of purchasing and implementing electronic medical record systems. The legislation also includes funding to establish infrastructure to enable health care providers to share a patient’s personal health information for treatment and care coordination purposes and for reporting to public health authorities.
Federal policymakers also intend for electronic medical records to be actively used as tools of health system reform. The legislation directs the U.S. Department of Health and Human Services to develop a “nationwide health information technology infrastructure” that improves health care quality, reduces medical errors and disparities, and reduces health care costs from inappropriate or duplicative care.The 2011-2015 Federal Health Information Technology Strategic Plan identifies improving population health, reduction of health care costs, and “achiev[ing] rapid learning” as key goals of federal health information technology initiatives.
The app allows medical providers to trade their clipboards for (electronic) tablets, which present them a clean dashboard that lets them drill down into data such as medical history, medications (and allergies), X-rays and vital signs. It pulls that data down from a speedy SAP Hana in-memory database.
The legendary bank robber Willie Sutton, when asked, gave this straightforward response explaining his motivation. A similar motivation may be ascribed to the early adopters among health care providers who have established beachheads on various social media properties on line. Why be active in on line social networks? That’s where the people are: patients, caregivers, potential collaborators and referral sources, like many, many other people, are using social media more and more. Facebook has become nearly ubiquitous, and its user base is growing not only among the younger set, but also among the older set, who are signing up so they can see pictures of their grandkids. In today’s wired society, on line social networking is the new word of mouth. Word-of-mouth referrals, personal recommendations, have always been prized; we have simply moved many of those conversations on line.
Over half of Americans rely on the internet when looking for health care information. Many on line searches are conducted on behalf of another person. Most people expect their health care providers to be on line, providing trustworthy information – and the day of the static website has passed. In addition, a growing subset of the population is comprised of “e-patients” – the “e” stands for educated, engaged and empowered – who seek out health care providers prepared to engage with them both in person and on line.
Last week we filed a class action complaint on behalf of the patients of a New York dentist, Stacy Makhnevich, over a form agreement that she imposes on all new patients to try to suppress any online comments on her work that she finds disagreeable. In the form, Makhnevich promises not to evade HIPAA’s patient privacy protection in return for patients’ commitment not to disparage her, not to post any comments about her publicly; if the patient writes anything about the dentist, the patient assigns the copyright in those comments to Makhnevich. Relying on the form, Makhnevich sent one of her patients invoices purporting to bill him a daily hundred-dollar fine for having posted comments about her on Internet review web sites.
The copyright assignment aspect of the agreement is especially dastardly. It is intended to enable the dentist to send a DMCA takedown notice to the host of any web site where the criticism is posted. Because the DMCA protects site hosts from liability for copyright infringement, but only if they act expeditiously to remove infringing material once they receive notice of its presence on their servers, hosts generally respond like Pavlov’s dog to such notices. In theory, copyright could be asserted regardless of whether a comment is true or false, and regardless of whether it is an opinion that is constitutionally protected from libel claims; copyright can also be used as a basis for seeking awards of statutory damages even if there are no real damages.
On September 14, HHS released for comment draft lab results regulations that will, if finalized, effectively bathe the Achilles’ heel of health data in the River Styx of ¡data liberación! All lab results will be made available to patients, just like all other health data. (See the HHS presser and YouTube video from the recent consumer health summit. Todd Park, HHS CTO, is also the chief activist for what he calls ¡data liberación!)
Forgive me for mixing my metaphors (or whatever it is I just did), but even though there are just a couple dozen words of regulations at issue here, this is a big deal.
When HIPAA established a federal right for each individual to obtain a copy of his or her health records, in paper or electronic format, there were a couple of types of records called out as specifically exempt from this general rule of data liberation, in the HIPAA Privacy Rule, 45 CFR § 164.524(a)(1): psychotherapy notes, information compiled for use in an administrative or court proceeding, and lab results from what is known as a CLIA lab or a CLIA-exempt lab (including “reference labs,” as in your specimens get referred there by the lab that collects them, or freestanding labs that a patient may be referred to for a test; these are not the labs that are in-house at many doctors’ offices, hospitals and other health care facilities — the in-house labs are part of the “parent” provider organization and their results are part of the parents’ health records already subject to HIPAA).Continue reading…