Tag: PHI

Three Lessons Healthcare Executives Can Learn From the Sony Hack

As if healthcare executives needed more to worry about, the recent hacker attack on Sony Pictures should send yet another reminder that data security can’t be ignored. On an international stage, Sony management learned the hard way that their e-mails, text messages, and private conversations were vulnerable to attack. Hackers accessed everything from the company’s sensitive financial information to its confidential employee communications. In the immediate aftermath of the attack, Sony is facing government inquiries, class action lawsuits from employees and business partners, and a significantly tarnished reputation.

Many executives in our industry might think that healthcare facilities are better prepared to withstand hacker attacks, with numerous government agencies regulating how we store and transmit protected health information (PHI) and personally identifiable information (PII). In reality, a significant number of healthcare facilities have already suffered damaging hacker attacks over the last few years, and the expectation is that such attacks will remain a threat for the foreseeable future. The question healthcare executives must ask is: “What are we going to do about it?”

Sex Sells (or at Least Leads to Some Interesting Analytics)


One guarantee in the healthcare sector is that when it comes to personal health information (PHI), there is no lack of issues and pundits to discuss security and privacy of such information/data. If one does not jump up and down bleating on about the sanctity of PHI and the need to protect it at all costs, well then you may be labeled a heretic and burned at the proverbial stake.

Now don’t get us wrong. Here at Chilmark Research we firmly believe that your PHI is arguably the most personal information you have and that you have a right to know exactly how it is used. Whether or not you own it remains to be seen, for we have seen, read and heard on more than one occasion that some healthcare providers believe it is their data, not yours, and may only begrudgingly give you access to some circumscribed portion of the PHI they have stashed in their vast HIT fortress, or worse, scattered across a number of chart folders.

But where we do differ with many on the sanctity of PHI is this: the collective use of our de-identified PHI at a community, regional, state or even national level can give us some amazing insights into what is working and what is not in this convoluted thing we call a healthcare system in the US, and that use needs to be strongly supported. Unfortunately, we do a terrible job as a country of educating the populace on the collective value of their data for understanding health trends and treatments and ultimately ascertaining accurate comparative effectiveness. This leaves the door wide open for others to use the old FUD (fear, uncertainty and doubt) factor to keep patients from actively sharing their de-identified PHI.

Health Internet – The New Consumer-Friendly NHIN

Consumer directed HIE will become the most visible aspect of health IT stimulus and could lead a shift to consumer-directed health plans, increased interest in wellness programs and family-centered collaboration for the young, old and seriously ill.

At a recent Boston meeting on health records infrastructure, key stakeholders recognized the potential of patient control as a strategy to address privacy concerns that could otherwise limit ongoing health networking initiatives. MedCommons proposes one possible approach to making the national health information network (NHIN), currently conceived as a provider-to-provider exchange, consumer-friendly and consumer-accessible. We illustrate the need with a true story, propose a novel addition of independent identity service providers to the NHIN, and then show how this could be used to transfer a wounded soldier’s CT to the US for a second opinion even as he is being transported.

On the morning of the Boston meeting, a friend of mine called to say that his son was seriously wounded in Afghanistan and was being stabilized for transport via Germany to the US. He knew that his son had a CT in the field clinic and wanted to get it before the son was transported over four days through to Bethesda. Could the Health Internet be used to help this family?

The NHIN does not have to run like Big Brother. We propose a voluntary identity principle that distributes trust among multiple private and public institutions and gives consumers a choice of who controls their medical identity. Some might pick a particular hospital, others might choose their regional HIE while others could choose a private service such as a bank or telecom that is not a health care business at all.

The institution that manages a patient’s ID on the Health Internet is referred to as the IDP. To authorize health records exchange on the NHIN, an IDP would have to meet strict requirements and receive an NHIN Certificate. An NHIN Certificate is analogous to the SSL certificates issued to banks and other corporations on the Internet. Larger hospitals, the military, the VA and integrated delivery networks on the NHIN would also hold an NHIN Certificate.

The issue and administration of NHIN Certificates could be handled by state or federal agencies or privatized to Verisign and similar services that already do this for the Internet.

We propose a Health Internet consisting of two kinds of certified entities, health care providers and identity providers. Both are chosen and trusted by the consumer but the identity providers are the key to effective competition and innovation.

Small group practices, insurance companies, web personal health records services and search engines would likely not carry NHIN Certificates and would participate in the Health Internet only under the control of the patient through their IDP.

Substitutability, the central concept of the Boston platform meeting, is a key benefit of this proposal. An IDP that disappoints a patient could be swapped out without impacting the health care providers and a health care service that disappoints could be ignored or disconnected with a simple message to the IDP.

Public health and research users of the NHIN would not be affected since all entities that carry NHIN Certificates could still interact with each other directly under whatever rules and regulations the Certificates represent.

How would this have worked in the case of a soldier shot in Afghanistan and on his way to Bethesda?

– Before entering the service, the son might have picked Verizon as his IDP because they hold an NHIN Certificate and offer a family member override. He would have established his father, who also has a Verizon account, as his health care proxy.

– Upon induction, the health service saved the serviceman’s IDP selection (their Verizon health ID, possibly in OpenID format – see references below) along with the rest of his personal contact information.

– The father, when notified of the injury, is unsure which doctors will be available to consult on his son’s case, but needs to have the son’s CT scan at the ready as a first step.

– The father decides to do a transfer using a personally controlled health record service because it will give him control of the CT and make it easy to deliver the images to any physician who offers to help. Neither the father nor the health record service has an NHIN Certificate.

– The father goes to the military health service EHR portal. Without logging in, he goes to a form that requests his son’s Verizon health ID along with the MedCommons-type account ID where the CT is to be delivered.

– The EHR portal contacts Verizon for authorization on the basis of shared trust under the NHIN federation.

– When Verizon’s text message to the son goes unanswered, Verizon contacts the father as Health ID proxy. The father reviews the correctness of the familiar-looking MedCommons-type ID as the destination and authorizes the transfer.

Note that the military health service does not know whether the son or the father authorized the request; it trusts the transaction because it knows that Verizon holds a valid NHIN Certificate, which means Verizon has met the federation’s requirements and is the party accountable for verifying who answered.
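The exchange in the steps above, written out as an added example (this is illustration code, not MedCommons’ or any federation’s software). A relying party (the military EHR portal) asks the patient’s chosen IDP to authorize a transfer; the IDP reaches the patient or, failing that, the registered proxy; the portal accepts the IDP’s signed answer only because the IDP appears in the federation trust store, and only if the answer is bound to this exact request. All names, health IDs, account IDs and keys are constructed, and per-IDP HMAC keys stand in for the X.509 certificates and asymmetric signatures a real NHIN Certificate would involve.

```python
"""Federated authorization through a certified identity provider (IDP).

Illustration only: names, IDs and keys are constructed, and HMAC keys
stand in for NHIN Certificates and public-key signatures.
"""
import hashlib
import hmac
import json
import secrets
import time

# Constructed trust store: entities holding an NHIN Certificate -> signing key.
FEDERATION_KEYS = {
    "idp.verizon.example": secrets.token_bytes(32),
    "ehr.milhealth.example": secrets.token_bytes(32),
}


def sign(key, claims):
    """Canonical JSON encoding of the claims, then an HMAC-SHA256 tag."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Knows each patient's health ID, contact channel and optional proxy."""

    def __init__(self, name, key, directory):
        self.name, self.key, self.directory = name, key, directory

    def authorize(self, request, reach):
        """Return a signed assertion, or None when nobody approves.

        reach(contact, prompt) simulates the out-of-band message: it returns
        True or False for an answer and None when the message goes unanswered.
        """
        entry = self.directory.get(request["sub"])
        if entry is None:
            return None
        prompt = f"Release records of {request['sub']} to {request['dest']}?"
        answer = reach(entry["contact"], prompt)
        if answer is None and entry.get("proxy"):
            answer = reach(entry["proxy"], prompt)  # family member override
        if answer is not True:  # explicit refusal, or nobody reachable
            return None
        now = int(time.time())
        claims = {"iss": self.name, "aud": request["rp"], "sub": request["sub"],
                  "dest": request["dest"], "nonce": request["nonce"],
                  "iat": now, "exp": now + 300}
        return {"claims": claims, "sig": sign(self.key, claims)}


class EHRPortal:
    """Relying party: accepts assertions only from certified IDPs."""

    def __init__(self, name, trust_store):
        self.name, self.trust = name, trust_store

    def request_transfer(self, idp, health_id, dest, reach):
        request = {"rp": self.name, "sub": health_id, "dest": dest,
                   "nonce": secrets.token_hex(16)}
        return self.verify(idp.authorize(request, reach), request)

    def verify(self, assertion, request):
        """True only if a certified issuer signed exactly this request."""
        if assertion is None:
            return False
        claims = assertion["claims"]
        key = self.trust.get(claims.get("iss"))
        if key is None:  # issuer holds no NHIN Certificate
            return False
        if not hmac.compare_digest(sign(key, claims), assertion["sig"]):
            return False
        now = int(time.time())
        # The portal never learns whether patient or proxy answered; it checks
        # that the IDP's vouching is bound to this request and still fresh.
        return (claims["aud"] == self.name and claims["sub"] == request["sub"]
                and claims["dest"] == request["dest"]
                and claims["nonce"] == request["nonce"]
                and claims["iat"] <= now < claims["exp"])


def soldier_scenario(son=None, father=True, idp_certified=True):
    """Replay the worked case: son unreachable, father approves as proxy."""
    idp_name = "idp.verizon.example" if idp_certified else "idp.unknown.example"
    key = FEDERATION_KEYS.get(idp_name) or secrets.token_bytes(32)
    idp = IdentityProvider(idp_name, key, {
        "son@verizon-health.example": {"contact": "son-phone", "proxy": "father-phone"}})
    answers = {"son-phone": son, "father-phone": father}
    portal = EHRPortal("ehr.milhealth.example", FEDERATION_KEYS)
    return portal.request_transfer(idp, "son@verizon-health.example",
                                   "medcommons-acct-1234",
                                   lambda contact, prompt: answers.get(contact))


def replay_to_other_destination():
    """An assertion captured for one destination must not work for another."""
    idp = IdentityProvider("idp.verizon.example", FEDERATION_KEYS["idp.verizon.example"],
                           {"pt@verizon-health.example": {"contact": "pt-phone"}})
    portal = EHRPortal("ehr.milhealth.example", FEDERATION_KEYS)
    request = {"rp": portal.name, "sub": "pt@verizon-health.example",
               "dest": "medcommons-acct-1234", "nonce": secrets.token_hex(16)}
    assertion = idp.authorize(request, lambda contact, prompt: True)
    moved = dict(request, dest="attacker-acct-9999")
    return portal.verify(assertion, request), portal.verify(assertion, moved)
```

Two design points carry the weight here. The portal does not examine who answered; it checks the issuer against the trust store and then checks that the signed claims name this portal, this patient, this destination and this nonce, within a short validity window, so a captured assertion cannot be replayed toward another destination. And an explicit refusal by the patient stops the flow without ever falling through to the proxy; only silence does.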

In summary, the introduction of certified identity providers into the NHIN, together with the simple and commercially established OpenID protocol, can transform the NHIN into the consumer-friendly Health Internet and bring simple regulation and market forces to bear on solving difficult privacy problems.

CODA: As of 10/4, the soldier is stable, conscious and out of the ICU in Bethesda. A second opinion is in the works at a Boston hospital. The parents and collaborators are able to see and share 1.75 GB of imaging about their son. Let’s all hope for a good outcome and a speedy recovery.

Adrian Gropper is a physician and the CEO of MedCommons

References:

Patient ID on the Internet; October 12, 2007; Blog; http://agropper.wordpress.com/2007/10/12/patient-id-on-the-internet/

Web leaders initiate govt open identity pilot program; September 30, 2009; Health Imaging Editorial; http://www.healthimaging.com/index.php?option=com_articles&view=article&id=18927

Medical Data in the Internet “Cloud” – Data Privacy

Robert Rowley

The concepts of “security” and “privacy” of medical information (Protected Health Information, or PHI) are closely intertwined. “Security,” as described in the second part of this series, concerns protecting medical data, whether at rest or in transit, from being broken into and stolen. “Privacy,” on the other hand, concerns permissions: making sure that only the intended people have access to PHI.

So, who actually “owns” the medical record? The legal status of medical records “ownership” is that they are the property of those who prepare them, rather than of those they concern. These records are the medico-legal documentation of advice given. Such documentation, created by physicians about patients, is governed by doctor-patient confidentiality, and cannot be discovered by any outside party without consent. The HIPAA Privacy and Security Rules govern the steps needed to ensure that this confidentiality is protected against theft (security) and against unauthorized viewing (privacy). HIPAA-covered entities (medical professionals and hospitals) are held accountable for ensuring such confidentiality, and can be penalized for violations.

The question of privacy, then, revolves around sharing PHI between professionals in order to coordinate health care; after all, health care is delivered by networks (formal or informal), and data sharing is necessary to deliver best-practice levels of care. In the traditional world of paper charts, record sharing is accomplished by obtaining consent from the patient (usually a signed document placed in the chart), and then faxing the appropriate pages from the chart to the intended recipient. Everything depends on the recipient’s fax number being dialed correctly: a misdialed fax is the classic unintended disclosure with this technology.

When medical data moves from a paper chart to a locally-installed EHR, the organization of medical data across the landscape is not really changed – each practice keeps its own database (the equivalent of its own paper chart rack), and imports/exports copies of clinical data to others according to patient permission (just like with traditional paper records). Such clinical data sharing is often done by printout-and-fax, or by export/import of Continuity of Care Documents (CCDs) if the EHR systems on each end support such functionality.

As technology evolves, new layers of medical data sharing emerge, which challenge the simple traditional “give permission and send a copy” method of ensuring privacy. Health Information Exchanges (HIEs) are emerging regionally and nationally, and are supported by the Office of the National Coordinator (ONC) for health IT. HIEs are intended to be data-exchange platforms between practitioners who might be using different EHR systems (that do not natively “talk” to each other). Only certain types of data are uploaded by an EHR into an HIE – patient demographic information, medication lists, allergies, immunization histories. HIEs, then, function as a sort of evolving “library” of protected health data, where local EHRs feed their data on a patient-permission-granted basis, and can download data (if granted the permission to do so) as needed. The potential impact on quality of care is dramatic.

In addition to being a “library” of shared data, HIEs can assist in public health surveillance. This can range from CDC-based surveillance of the emergence or prevalence of specific diseases, to FDA-based post-market surveys of the use of new medications (shortening the timeline for identifying problems should they arise). Data used this way is de-identified first, so the permission rules that apply to PHI are not engaged; patient-specific data in an HIE is used only with permission, and only for direct patient care (e.g. downloading your patient’s immunization history into your own EHR).
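What “de-identified first” involves in practice, as an added example (not any HIE’s code). The routine follows the outline of the HIPAA Privacy Rule’s Safe Harbor method: only allow-listed clinical fields leave, direct identifiers are dropped by default, dates tied to the individual keep only the year, ages of 90 and over collapse to “90+” (and the birth year goes with them, since it would reveal the age), and ZIP codes keep three digits unless the prefix is on the sparsely populated list. The patient records are constructed, the field names are assumptions, and the prefix list is an illustrative stand-in; the authoritative list comes from current HHS guidance.

```python
"""Safe Harbor-style de-identification of patient records before release.

Illustration only: records, field names and the ZIP prefix list are
constructed for the example.
"""
import datetime as dt
import re

# Allow-list: clinical fields that pass through unchanged. Anything not
# listed here (name, MRN, phone, raw dob, full ZIP, ...) is dropped.
PASS_THROUGH = {"sex", "state", "diagnosis_codes", "medications",
                "allergies", "immunizations"}
# Dates tied to the individual: keep the year only, under a new field name.
DATE_FIELDS = {"admit_date": "admit_year", "discharge_date": "discharge_year",
               "date_of_death": "death_year"}
# Illustrative stand-in for three-digit ZIP prefixes covering fewer than
# 20,000 people; verify against current HHS guidance before relying on it.
SPARSE_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
               "821", "823", "830", "831", "878", "879", "884", "890", "893"}
# Best-effort scrub of identifiers that leak into free text. Free text still
# needs human review before release; regexes catch only the obvious cases.
SCRUB = [re.compile(p) for p in (
    r"\b\d{3}-\d{2}-\d{4}\b",                 # SSN
    r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b",    # US phone number
    r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b",           # e-mail address
)]


def zip3(zip_code):
    """Three-digit ZIP prefix, or 000 where the prefix is too sparse."""
    prefix = zip_code[:3]
    return "000" if prefix in SPARSE_ZIP3 else prefix


def age_on(dob, as_of):
    """Completed years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def scrub_text(text):
    for pattern in SCRUB:
        text = pattern.sub("[REDACTED]", text)
    return text


def deidentify(record, as_of):
    """Return the releasable view of one record (allow-list, default drop)."""
    out = {k: record[k] for k in PASS_THROUGH if k in record}
    for src, dst in DATE_FIELDS.items():
        if record.get(src):
            out[dst] = record[src][:4]          # ISO date -> year only
    if record.get("dob"):
        dob = dt.date.fromisoformat(record["dob"])
        age = age_on(dob, as_of)
        if age >= 90:
            out["age"] = "90+"                  # birth year would reveal the age
        else:
            out["age"] = age
            out["birth_year"] = dob.year
    if record.get("zip"):
        out["zip3"] = zip3(record["zip"])
    if record.get("notes"):
        out["notes"] = scrub_text(record["notes"])
    return out


# Constructed sample records (no real patients).
PATIENTS = [
    {"name": "Jane Q. Sample", "mrn": "MRN-00017", "dob": "1917-06-15", "sex": "F",
     "zip": "05901", "state": "VT", "admit_date": "2009-09-20",
     "diagnosis_codes": ["J18.9"],
     "notes": "Daughter can be reached at 802-555-0134."},
    {"name": "John Doe", "mrn": "MRN-00018", "dob": "1975-11-02", "sex": "M",
     "zip": "02139", "state": "MA", "admit_date": "2009-09-22",
     "immunizations": ["influenza (seasonal)"],
     "notes": "SSN 123-45-6789 on file."},
]


def deidentify_all(records, as_of=dt.date(2009, 9, 27)):
    return [deidentify(r, as_of) for r in records]
```

The allow-list is the important choice: a block-list of known identifiers silently passes any new field that a future EHR export adds, whereas an allow-list fails safe. The scrubbed notes field is kept only to show why free text is the hard part; in a real release the safer default is to drop narrative text entirely unless a reviewer has cleared it.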

HIEs, however, are essentially a “bridge technology” that tries to connect a landscape where health data remains segregated into “data silos.” A newer frontier of technology can be seen arising from web-hosted, Internet “cloud”-based EHRs, such as Practice Fusion. In this setting, a single data structure serves all practices everywhere, and local user-permissions determine which subset of that data are delivered as a particular practice’s “charts.” This technology raises the potential to actually share a common chart among multiple non-affiliated practitioners – based upon one physician referring a patient to another for consultation (with the patient’s permission to make the referral), both practices are then allowed access to the shared chart, see each other’s chart notes, view the patient medications, review labs already done (reducing duplication of services), see what imaging has already been accomplished, securely message one another, and even create their own chart-note entries into the common, shared chart.
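How a single shared chart can be exposed to several unaffiliated practices under patient permission, as an added example (this is not Practice Fusion’s code or data model). A practice sees the chart only when two things hold at once: a treatment relationship (the patient’s home practice, or a referral made by a practice that already has one) and a patient consent covering that practice. Consent can be withdrawn independently of the relationship, which ends that practice’s view; entries are append-only and carry their author, so one practice can never alter another’s notes. Every decision is logged. Practice and user names are constructed.

```python
"""Consent-scoped access to one shared chart. Illustration only."""
import datetime as dt
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """An append-only chart note, permanently attributed to its author."""
    practice: str
    author: str
    text: str
    when: dt.datetime


class SharedChart:
    """One chart per patient; practices get views of it, never copies."""

    def __init__(self, patient_id, home_practice):
        self.patient_id = patient_id
        self.entries = []
        self.relationships = {home_practice}   # who is treating the patient
        self.consents = {home_practice}        # whom the patient permits to see it
        self.audit = []

    def refer(self, from_practice, to_practice, patient_consented):
        """A referral creates a relationship, but only with the patient's consent."""
        if from_practice not in self.relationships:
            return self._log(from_practice, "refer", False, "no relationship")
        if not patient_consented:
            return self._log(from_practice, "refer", False, "patient declined")
        self.relationships.add(to_practice)
        self.consents.add(to_practice)
        return self._log(from_practice, "refer", True, f"to {to_practice}")

    def revoke(self, practice):
        """The patient withdraws permission; the practice loses its view."""
        self.consents.discard(practice)
        self._log(practice, "revoke", True, "consent withdrawn")

    def _allowed(self, practice):
        # Default deny: both conditions must hold.
        return practice in self.relationships and practice in self.consents

    def read(self, practice, user):
        """The chart as this practice may see it, or None if not permitted."""
        ok = self._log(practice, f"read by {user}", self._allowed(practice), "")
        return list(self.entries) if ok else None

    def append(self, practice, user, text):
        """Add a note under the author's name; there is no edit or delete."""
        ok = self._log(practice, f"append by {user}", self._allowed(practice), "")
        if ok:
            self.entries.append(Entry(practice, user, text,
                                      dt.datetime.now(dt.timezone.utc)))
        return ok

    def _log(self, practice, action, ok, detail):
        self.audit.append((dt.datetime.now(dt.timezone.utc), practice, action, ok, detail))
        return ok


def referral_scenario():
    """Home practice refers to a consultant; the patient later withdraws consent."""
    chart = SharedChart("patient-001", "hayward-family")
    chart.append("hayward-family", "dr-a", "Referred for cardiology consult.")
    before = chart.read("metro-cardiology", "dr-b")          # None: no grant yet
    chart.refer("hayward-family", "metro-cardiology", patient_consented=True)
    chart.append("metro-cardiology", "dr-b", "Echo reviewed; no duplicate ordered.")
    during = len(chart.read("metro-cardiology", "dr-b"))     # sees both notes
    chart.revoke("metro-cardiology")
    after = chart.read("metro-cardiology", "dr-b")           # None again
    return before, during, after, len(chart.read("hayward-family", "dr-a"))
```

The split between relationships and consents is deliberate: the referring practice cannot grant access on its own, and the patient cannot be forced to keep sharing with a practice that has disappointed them. The audit list records denied requests as well as successful ones, which is what an investigation of a suspected inappropriate access actually needs.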

This “new frontier” of technology, where clinical chart sharing between practices (based on patient permission) occurs across all boundaries of care, makes the Practice Fusion vision an “EHR with a built-in HIE.” Extending this even further, to shared EHRs and linkage with Personal Health Records (PHRs), is beyond the scope of this particular article, and will be addressed subsequently. With good design, as pioneered here, the balance between ensuring security and privacy of PHI on the one hand, and permission-based sharing of clinical information for the betterment of overall health care delivery on the other, can be struck, and a truly remarkable technology is being built. The impact on transforming health care is profound.

Dr. Rowley is a family practice physician and Practice Fusion’s Chief Medical Officer. Dr. Rowley has a first-hand perspective on the technology needs and challenges faced by healthcare practitioners from his 30-year career in the sector, including experience as a Medical Director with Hill Physicians Medical Group and as a developer of the early EMR system Medical ChartWizard. His family practice in Hayward, CA has functioned without paper charts since 2002. You can find more of his writing at the Practice Fusion Blog, where this post first appeared.

September 27, 2009 in EHR/EMR, Privacy