Tag: HIPAA

How Healthcare’s Embrace of Mobility has Turned Dangerous


No industry has adopted mobility faster than healthcare.

Doctors love their devices. 81% of physicians have smartphones. They also love their apps. 38% of them use medical apps daily. One-third use smartphones or tablets to access electronic medical records today, with another 20% expecting to start using them this year.

For instance, 200 doctors and nurses at Charite Berlin, one of Europe’s largest hospitals, are piloting SAP’s new Electronic Medical Record app on iPad.

The app allows medical providers to trade their clipboards for (electronic) tablets, which present them a clean dashboard that lets them drill down into data such as medical history, medications (and allergies), X-rays and vital signs. It pulls that data down from a speedy SAP Hana in-memory database.

Health Care Social Media – How to Engage Online Without Getting into Trouble

“Why do you rob banks?”

“That’s where the money is.”

The legendary bank robber Willie Sutton, when asked, gave this straightforward response explaining his motivation.  A similar motivation may be ascribed to the early adopters among health care providers who have established beachheads on various social media properties on line.  Why be active in on line social networks?  That’s where the people are: patients, caregivers, potential collaborators and referral sources, like many, many other people, are using social media more and more.  Facebook has become nearly ubiquitous, and its user base is growing not only among the younger set, but also among the older set, who are signing up so they can see pictures of their grandkids.  In today’s wired society, on line social networking is the new word of mouth.  Word-of-mouth referrals, personal recommendations, have always been prized; we have simply moved many of those conversations on line.

Over half of Americans rely on the internet when looking for health care information.  Many on line searches are conducted on behalf of another person.  Most people expect their health care providers to be on line, providing trustworthy information – and the day of the static website has passed.  In addition, a growing subset of the population is comprised of “e-patients” – the “e” stands for educated, engaged and empowered – who seek out health care providers prepared to engage with them both in person and on line.

Medical Injustice – Contracts That Suppress Patient Comments About Their Doctors or Dentists


Last week we filed a class action complaint on behalf of the patients of a New York dentist, Stacy Makhnevich, over a form agreement that she imposes on all new patients to try to suppress any online comments on her work that she finds disagreeable.  In the form, Makhnevich promises not to evade HIPAA’s patient privacy protection in return for patients’ commitment not to disparage her, not to post any comments about her publicly; if the patient writes anything about the dentist, the patient assigns the copyright in those comments to Makhnevich.   Relying on the form, Makhnevich sent one of her patients invoices purporting to bill him a daily hundred-dollar fine for having posted comments about her on Internet review web sites.

The copyright assignment aspect of the agreement is especially dastardly.  It is intended to enable the dentist to send a DMCA takedown notice to the host of any web site where the criticism is posted.  Because the DMCA protects site hosts from liability for copyright infringement, but only if they act expeditiously to remove infringing material once they receive notice of its presence on their servers, hosts generally respond like Pavlov’s dog to such notices.  In theory, copyright could be asserted regardless of whether a comment is true or false, and regardless of whether it is an opinion that is constitutionally protected from libel claims; copyright can also be used as a basis for seeking awards of statutory damages even if there are no real damages.

Lab Results For All!

On September 14, HHS released for comment draft lab results regulations that will, if finalized, effectively bathe the Achilles’ heel of health data in the River Styx of ¡data liberación! All lab results will be made available to patients, just like all other health data.  (See the HHS presser and YouTube video from the recent consumer health summit.  Todd Park, HHS CTO, is also the chief activist for what he calls ¡data liberación!)

Forgive me for mixing my metaphors (or whatever it is I just did), but even though there are just a couple dozen words of regulations at issue here, this is a big deal.

When HIPAA established a federal right for each individual to obtain a copy of his or her health records, in paper or electronic format, there were a couple of types of records called out as specifically exempt from this general rule of data liberation, in the HIPAA Privacy Rule, 45 CFR § 164.524(a)(1): psychotherapy notes, information compiled for use in an administrative or court proceeding, and lab results from what is known as a CLIA lab or a CLIA-exempt lab (including “reference labs,” as in your specimens get referred there by the lab that collects them, or freestanding labs that a patient may be referred to for a test; these are not the labs that are in-house at many doctors’ offices, hospitals and other health care facilities — the in-house labs are part of the “parent” provider organization and their results are part of the parents’ health records already subject to HIPAA).

The Identity Theft Smoke Screen

Personal data privacy once again has taken front stage in Sorrell v. IMS Health, Inc.[1] Vermont passed the Vermont Confidentiality of Prescription Information Law that allows doctors who prescribe drugs to patients to decide whether pharmacies can sell their prescription drug records.[2] IMS Health as well as other health information companies contested the law, arguing that the law poses a restriction on commercial speech as access to such information helps pharmaceutical companies market their drugs effectively to doctors. The Supreme Court is now tasked with determining the constitutionality of the restriction on access to prescription information with regard to our First Amendment. [3]

However, this post is focused on the secondary effects asserted in amici curiae briefs supporting the petitioners of allowing companies to purchase such information, specifically the concern of data privacy and patient re-identification. [4] Under the Health Information Portability and Accountability Act (HIPAA), personal health information is de-identified by your local pharmacy prior to such information being shared with any third party. By de-identifying the data, your personal data cannot, it is believed, be linked or traced back to you. De-identifying your health information is a way for covered entities to share your information without your consent or authorization and in accordance with the law. The information once shared is completely anonymized. After the transfer to a third party, like IMS Health, your information is solely data of zeros and ones that translate to dates of dispensing and drug names. No longer does your prescription record list your name or month or day of birth. [5]

Facebook Misstep Costs RI Physician Fine, Job

In recent years many health care providers and managers have told me, time and again, that the health care world is accustomed to managing confidential patient information, and therefore doesn’t need much in the way of social media training and policy development.  This week brings news that should make those folks sit up and take notice.  A physician in Rhode Island, who was fired for a Facebook faux pas, has now been fined by the state medical board as well.  The physician posted a little too much information on Facebook — information about a patient that, combined with other publicly available information, allowed third parties to identify the patient.  The details of the story are available here and here.

The key takeaway from this story — and the Johnny-come-lately approach to health care social media taken by the Rhode Island hospital in question and the Boston teaching hospital that the Boston Globe turned to for comment — is that prevention is the best medicine.

Facebook and other social media are a fact of life, and cannot be ignored by health care providers and organizations.  They can even be used as a force for good.  As one example, take note of the recently-announced initiative by my colleague, Dr. Val, to start up a peer-reviewed tweetstream, @HealthyRT.  At the very least, health care providers and organizations should be monitoring social media for mentions so that they can reach out, as may be necessary, to address health care and public relations issues.

The ACO Rules & Privacy

One day before the first of April, HHS published the much anticipated rules defining the creation and operations of Accountable Care Organizations (ACO) spanning 429 pages of business regulation, analysis of various options available, proposed solutions and ways to measure and reward (punish) success (failure) in achieving HHS's seemingly incompatible goals of providing better care for less money. I am fairly certain that health policy experts, health care economists and the multitude of industry stakeholders will be dissecting and analyzing the hefty document in great detail in the coming weeks. I started reading the document with an eye towards the ACO implications for HIT, which as expected are many, but something on page 108 made me stop in my tracks. HHS is proposing to share personally identifiable health information (PHI) contained in Medicare claims with ACO providers unless patients “opt-out”.

Beginning on page 108 and through 22 pages of tortured arguments, HHS makes the case for the legality and benefits of providing ACOs with PHI contained in Medicare claims, unless the patient actively withdraws consent for this type of transaction. The argument for the legality of claim data sharing rests on the nebulous HIPAA clause which allows disclosure of PHI for “health care operations” within a web of covered entities and business associates connecting the ACO with Medicare and other providers of health care services for a particular patient. HHS is proposing to make available four types of medical information to participating ACOs:

Crowdsourcing the Future: Health 2.0 and HIPAA

The Health 2.0 movement has seen incredible growth recently, with new tools and services continuously being released. Of course, Health 2.0 developers face a number of challenges when it comes to getting providers and patients to adopt new tools, including integrating into a health system that is still mostly paper-based. Another serious obstacle facing developers is how to interpret and, where appropriate, comply with the HIPAA privacy and security regulations.

Questions abound when it comes to Health 2.0 and HIPAA, and it’s vital we get them answered, both for the sake of protecting users’ privacy and to ensure people are able to experience the full benefits of innovative Health 2.0 tools. We can’t afford to see the public’s trust in new health information technology put at risk, nor can we afford to have innovation stifled.

To help solve this problem, the Center for Democracy & Technology (CDT) has launched a crowdsourcing project to determine the most vexing Health 2.0/HIPAA questions.

This is where you come in:

Whether you are a healthcare provider, a Health 2.0 developer or an e-patient, we hope you’ll visit our website to submit your questions on Health 2.0 and HIPAA.

Once CDT has received your questions, we’ll use them to urge the Office of Civil Rights, which enforces HIPAA, to provide clarification. We’ll accept questions until Feb. 11, 2011, so please weigh in soon, and ask others to do the same.

Deven McGraw is Director of the Health Privacy Project at the Center for Democracy & Technology.

Privacy Paradigms: From Consent to Reciprocal Transparency

Computational innovation may improve health care by creating stores of data vastly superior to those used by traditional medical research. But before patients and providers “buy in,” they need to know that medical privacy will be respected. We’re a long way from assuring that, but new ideas about the proper distribution and control of data might help build confidence in the system.

William Pewen’s post “Breach Notice: The Struggle for Medical Records Security Continues” is an excellent rundown of recent controversies in the field of electronic medical records (EMR) and health information technology (HIT). As he notes,

Many in Washington have the view that the Health Insurance Portability and Accountability Act (HIPAA) functions as a protective regulatory mechanism in medicine, yet its implementation actually opened the door to compromising the principle of research consent, and in fact codified the use of personal medical data in a wide range of business practices under the guise of permitted “health care operations.” Many patients are not presented with a HIPAA notice but instead are asked to sign a combined notice and waiver that adds consents for a variety of business activities designed to benefit the provider, not the patient. In this climate, patients have been outraged to receive solicitations for purchases ranging from drugs to burial plots, while at the same time receiving care which is too often uncoordinated and unsafe. It is no wonder that many Americans take a circumspect view of health IT.

Privacy law’s consent paradigm means that, generally speaking, data dissemination is not deemed an invasion of privacy if it is consented to. The consent paradigm requires individuals to decide whether or not, at any given time, they wish to protect their privacy. Some of the brightest minds in cyberlaw have focused on innovation designed to enable such self-protection. For instance, interdisciplinary research groups have proposed “personal data vaults” to manage the emanations of sensor networks. Jonathan Zittrain’s article on “privication” proposed that the same technologies used by copyright holders to monitor or stop dissemination of works could be adopted by patients concerned about the unauthorized spread of health information.

ClearPractice’s Nimble brings a comprehensive EMR to the iPad

While over 500 medical apps have been created for the iPad since its launch in April of this year, few attempt to bring an entire electronic medical record system onto the device. Today, St. Louis-based medical software company ClearPractice is releasing Nimble, which the company says is “the first comprehensive EMR solution developed in iOS to run natively on the iPad”.

With Nimble, ClearPractice aims to use the iPad to address several commonly cited issues about EMRs. They emphasize the iPad’s potential for removing barriers in EMR use and physician workflow by integrating the device and software in the care delivery process. The hope is that the iPad’s portability and accessibility will allow it (and thus Nimble) to be present wherever the doctor is—from the clinic to the hospital to the home—and make having an EMR more appealing, especially to doctors in small practices. Given that the app was built as a native iPad application, it attempts to take full advantage of the iPad’s unique interface and user experience.
