Tag: HIPAA

What You Need to Know About Patient Matching and Your Privacy and What You Can Do About It

Feb 21, 2014• 4

By Adrian Gropper, MD

Today, ONC released a report on patient matching practices and to the casual reader it will look like a byzantine subject. It’s not.

You should care about patient matching, and you will.

It impacts your ability to coordinate care, purchase life and disability insurance, and maybe even your job. Through ID theft, it also impacts your safety and security. Patient matching’s most significant impact, however, could be to your pocketbook as it’s being used to fix prices and reduce competition in a high deductible insurance system that makes families subject up to $12,700 of out-of-pocket expenses every year.

Patient matching is the healthcare cousin of NSA surveillance.

Health IT’s watershed is when people finally realize that hospital privacy and security practices are unfair and we begin to demand consent, data minimization and transparency for our most intimate information. The practices suggested by Patient Privacy Rights are relatively simple and obvious and will be discussed toward the end of this article.

Health IT tries to be different from other IT sectors. There are many reasons for this, few of them are good reasons. Health IT practices are dictated by HIPAA, where the rest of IT is either FTC or the Fair Credit Reporting Act. Healthcare is mostly paid by third-party insurance and so the risks of fraud are different than in traditional markets.

Healthcare is delivered by strictly licensed professionals regulated differently than the institutions that purchase the Health IT. These are the major reasons for healthcare IT exceptionalism but they are not a good excuse for bad privacy and security practices, so this is about to change.

Health IT privacy and security are in tatters, and nowhere is it more evident than the “patient matching” discussion. Although HIPAA has some significant security features, it also eliminated a patient’s right to consent and Fair Information Practice.

Could Digital Rights Management Solve Healthcare’s Data Crisis?

Jan 27, 2014• 11

By Newman, Herrera, Frost & Parente

Today, academic medicine and health policy research resemble the automobile industry of the early 20th century — a large number of small shops developing unique products at high cost with no one achieving significant economies of scale or scope.

Academics, medical centers, and innovators often work independently or in small groups, with unconnected health datasets that provide incomplete pictures of the health statuses and health care practices of Americans.

Health care data needs a “Henry Ford” moment to move from a realm of unconnected and unwieldy data to a world of connected and matched data with a common support for licensing, legal, and computing infrastructure. Physicians, researchers, and policymakers should be able to access linked databases of medical records, claims, vital statistics, surveys, and other demographic data.

To do this, the health care community must bring disparate health data together, maintaining the highest standards of security to protect confidential and sensitive data, and deal with the myriad legal issues associated with data acquisition, licensing, record matching, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Just as the Model-T revolutionized car production and, by extension, transit, the creation of smart health data enclaves will revolutionize care delivery, health policy, and health care research. We propose to facilitate these enclaves through a governance structure know as a digital rights manager (DRM).

The concept of a DRM is common in the entertainment (The American Society of Composers, Authors and Publishers or ASCAP would be an example) and legal industries. If successful, DRMs would be a vital component of a data-enhanced health care industry.

Giving birth to change. The data enhanced health care industry is coming, but it needs a midwife.There has been explosive growth in the use of electronic medical records, electronic prescribing, and digital imaging by health care providers. Outside the physician’s office, disease registries, medical associations, insurers, government agencies, and laboratories have also been gathering digital pieces of information on the health status, care regimes, and health care costs of Americans.

However, little to none of these data have been integrated, and most remain siloed within provider groups, health plans, or government offices.

Another Law Raising the Cost of Health Care

Nov 21, 2013• 11

By Josh Tenzer

While there has been much focus lately on the ways in which ObamaCare is chilling the growth of private business, we should not overlook the continuing deleterious effects of the one surviving relic of HillaryCare, the Health Insurance Portability and Accountability Act (HIPAA). Quietly, September 23 came and went as the compliance effective date for a new rule, expanding the reach of HIPAA, and likely driving many smaller players out of the health care industry.

Spearheaded by then First Lady Clinton, HIPAA was established in 1996 to improve privacy of personal health information, referred to as protected health information, or PHI. It requires health care providers, known as “covered entities,” and their vendors, contractors, and agents with access to PHI, known as “business associates,” to comply with certain privacy standards under its “Privacy Rule,” and with certain security standards under its “Security Rule,” in order to protect sensitive health information that is held or transferred in electronic form.

Over the past decade, equipped with the noble aim of protecting our privacy, HIPAA has successfully demonstrated the power of the law of unintended consequences. Improved protection of PHI has been marginal. However, HIPAA has impeded communication among physicians, reduced physician time devoted to patient care, and deterred medical research. And all at an enormous cost of compliance. While estimates vary widely, the cost of compliance for many providers has been in the millions.

Now, rather than take heed, the government has decided to double down through expansion. Under the Health Information and Technology for Economic and Clinical Health Act (HITECH), a corollary of HIPAA, promulgated to create incentives to facilitate the development of healthcare information technology, the government has sought to update the requirements of HIPAA in light of the changing dynamics of technology and health practices, increasing the safeguards and obligations of health care providers and their business associates.

Chaos and Order: An Update From Patient Privacy Rights

Oct 16, 2013• 1

By Andy Oram

Thanks to the flood of new data expected to enter the health field from all angles–patient sensors, public health requirements in Meaningful Use, records on providers released by the US government, previously suppressed clinical research to be published by pharmaceutical companies–the health field faces a fork in the road, one direction headed toward chaos and the other toward order.

The road toward chaos is forged by the providers’ and insurers’ appetites for categorizing us, marketing to us, and controlling our use of the health care system, abetted by lax regulation. The alternative road is toward a healthy data order where privacy is protected, records contain more reliable information, and research is supported or even initiated by cooperating patients.

This was my main take-away from a day of meetings and a panel held recently by Patient Privacy Rights, a non-profit for whom I have volunteered during the past three years. The organization itself has evolved greatly during that time, tempering much of the negativity in which it began and producing a stream of productive proposals for improving the collection and reuse of health data. One recent contribution consists of measuring and grading how closely technology systems, websites, and applications meet patients’ expectations to control and understand personal health data flows.

With sponsorship by Microsoft at their Innovation and Policy Center in Washington, DC, PPR offered a public panel on privacy–which was attended by 25 guests, a very good turnout for something publicized very modestly–to capitalize on current public discussions about government data collection, and (without taking a stand on what the NSA does) to alert people to the many “little NSAs” trying to get their hands on our personal health data.

It was a privilege and an eye-opener to be part of Friday’s panel, which was moderated by noted privacy expert Daniel Weitzner and included Dr. Deborah Peel (founder of PPR), Dr. Adrian Gropper (CTO of PPR), Latanya Sweeney of Harvard and MIT, journalist Sydney Brownstone of Fast Company, and me. Although this article incorporates much that I heard from the participants, it consists largely of my own opinions and observations.

How the Federal Government Shutdown Is Hurting Healthcare: Agency by Agency

Oct 2, 2013• 1

By THCBist

The shutdown could not stop the rollout of the state and federal exchanges.

That’s because the Obama administration, sensing a political fight in the offing with Republicans, wisely prepaid the bill for the insurance exchanges and other key components of the rollout.

On the other hand, the fiscal standoff is having a very real impact on the infrastructure that supports healthcare across the United States. Agencies from the Centers for Disease and Control to the National Institutes of Health have seen their money turned off. Others have seen their staffing levels sharply reduced with non-essential employees furloughed.

It doesn’t take a wild imagination to imagine potential deadly consequences if something goes wrong. If for example, flu season strikes early or a drug recall is needed. Much of the pain will be felt over time. As the shutdown drags on, you can expect problems that are brewing under the surface to become much more visible …

Here’s a review of what’s happening:

Centers For Disease Control and Prevention
Funding for monitoring of disease outbreaks turned off. Lab operations sharply scaled back. 24/7 operations center to remain online. With some scientists predicting a severe 2013-2014 flu season, this is cause for concern …

National Institutes For Health
Enrollment in new clinical trials suspended, impacting thousands of patients suffering from serious diseases. No action on grant proposals. Minimal support for ongoing protocols.

Food and Drug Administration
Food safety inspections sharply cut back. Monitoring of imports eliminated. Oversight of production facilities curtailed, again potentially an issue with flu season on the way.The good news? Because drug approvals are funded by industry “user-fees” FDA approvals of new drugs will continue.

Centers For Medicare and Medicaid Services
Key ACA related operations intact. The bad news for docs and patients – claims and payment processing expected to continue but with slower service than usual. With purse strings tight, this is likely to become more of a problem as shutdown drags on. In the unlikely event that a shutdown continues for more than a month, the impact on physician practices could be much more serious.

Washington In Crisis: ONC Announces That It Will Not Tweet Or Respond to Tweets During Shutdown

Oct 1, 2013• 6

By THCBist

The U.S. government shutdown continues to claim victims.

The latest is HealthIT.gov, the website designed to help doctors and hospitals make the transition to electronic and make better use of health information technology – a key component of Obamacare’s drive to transform healthcare.

The Health Information Technology Office of the National Coordinator posted a brief announcement on the site informing visitors to HealthIT.gov that “information … may not be up to date, transactions submitted via the website may not be processed and the agency may not be able to respond to inquiries until appropriations have been enacted.”

Officials also sent a tweet saying that the ONC regrets to inform us that while the shutdown continues it will “not tweet or respond to tweets.”

This struck THCBist as slightly odd.

After all, if you’re looking for an inexpensive way to communicate with the public in a pinch, Twitter seems like the perfect choice. We get that government websites are ridiculously expensive things to run. Blogs are considerably cheaper. Operating a Twitter account — on the other hand — is almost free. Our brains were flooded with scenarios. How much could the ONC possibly be spending on Twitter? And for that matter, didn’t the Department of Defense originally invent the Internet to allow for emergency communication during times of national crisis? Doesn’t a fiscal insurrection by cranky Republicans qualify?

Fallout for the National Health IT Program

While federal officials have issued repeated assurances that the shutdown will not impact the Obamacare rollout, it does look as though there will be a fairly serious impact on the administration’s health IT program. If HHS sticks to script, only 4 of 184 ONC employees will remain on duty during the shutdown. That makes it sound like activities are going to have to be scaled back just a bit.

If you’re counting on getting an incentive payment from the government for participation in the electronic medical records program, you may be in trouble — at least until the stalemate is settled. Although ONC has not yet made an official statement, presumably because the aforementioned Twitter channel has been disabled, leaving the agency unable to speak to or otherwise communicate with the public, going by the available information in the thirteen-page contingency plan drafted by strategists at HHS, it is unclear where the money will come from.

This could be bad news for electronic medical records vendors counting on the incentive program to drive sales as the Obamacare rollout gets officially underway.

A Troubling Strategy at Health IT Week

Sep 19, 2013• 16

By Adrian Gropper, MD

Health IT Week demonstrated a double barrel strategy to segregate patient information from provider information. Providers already have the power to set prices and health IT plays the central role.

By rebranding HIPAA as “Meaningful Consent” and making patients second-class citizens in Meaningful Use Stage 2 interoperability, providers and regulators are working together to keep it that way.

Essential consumer protections such as price transparency or independent decision support are scarce in the US healthcare system. The journalists are shouting from the rooftops.

There’s $1 Trillion (yes, $3,000 per person per year) of unwarranted and overpriced health services steering the Federal health IT bus with an information asymmetry strategy. Those of us that want to see universal coverage succeed need the information transparency tools to drive for changes.

Here’s how it works: The department of Health and Human Services (HHS) controls the health IT incentives and regulations. HIPAA applies to most licensed health services providers. Laboratories and devices are regulated by Medicare and the FDA.

Unlicensed services offered directly to patients, such as personal health records, web info sites and apps are regulated by the FTC. Separate regulatory domains facilitate the segregation of information and contribute to the lack of transparency by making patient-directed services use delayed and degraded information. This keeps independent advice from FTC-regulated service providers from illuminating the specific abuses.

The segregation of patient information from “provider” information is the current federal regulatory strategy. It’s even more so in the states. By making patients into second-class citizens, the providers can avoid open scrutiny, transparent pricing, and independent decision support.

Federal regulators then create a parallel system where information is delayed, diluted, and depreciated by lack of “authenticity”. This is promoted as “patient engagement”. For regulators, it’s a win-win solution: the providers support the regulation that enables their price fixing and many patient advocates get to swoon over patient engagement efforts.

The proof of this strategy became clear on the first day of Health IT Week – the Consumer Health IT Summit.

Give Us Our Damn Lab Results!!

Sep 15, 2013• 61

By ALICE LEITER & DEVEN McGRAW

Two years ago, the Department of Health and Human Services released proposed regulations that would allow patients to obtain their clinical lab test results directly from the lab, rather than having to wait to receive the results from their health care provider. CDT and other consumer groups enthusiastically supported this proposed rule at the time of its release.

Yet an Administration largely characterized by increasing patient access to health information seems inexplicably unable to close the deal on this important access initiative. As a result, patients still must wait for their providers to contact them with test results.

Under the current regulations, known as the Clinical Laboratory Improvement Amendments (CLIA), laboratories are restricted from disclosing test results to patients directly. Instead, labs can only send the test results to health care providers, people authorized to receive test results under state law or other labs. Only a handful of states permit labs to send patients test results directly, and some of these states require the provider’s permission before patients can have the results. The HIPAA Privacy Rule reflects this restriction, exempting CLIA-regulated labs (which are the great majority of clinical labs) from patients’ existing right to access their health information.

This existing regime has put patients at risk. A 2009 study published in the Archive of Internal Medicine indicated that providers failed to notify patients (or document notification) of abnormal test results more than 7 percent of the time. The National Coordinator for Health IT recently put the figure at 20 percent. This failure rate is dangerous, as it could lead to more medical errors and missed opportunities for valuable early treatment.

The 2011 proposed regulations would modify CLIA to permit labs to send results directly to patients, and they would also modify the HIPAA Privacy Rule to give patients the right to access or receive their lab results. Contrary state laws would be preempted. Patients would have the ability to request their lab results in a particular form or format, as with their other health information; for example, patients could request a paper copy of their test results, or to have the results sent electronically to the their personal health records

A New Way to Sue Health Care Professionals Using HIPAA?

Sep 6, 2013• 20

By Pathology Blawgger

Walgreens has been ordered to pay $1.44 million in a lawsuit brought against it for a violation of the Health Insurance Portability and Accountability Act (HIPAA) by one of its pharmacist employees. While this may not sound like a big deal, this case represents only the second time HIPAA has been successfully used this way in court and it could have serious repercussions on the health care system.

The story begins when a Walgreens pharmacist looked up the medical records of her husband’s ex-girlfriend, whom she suspected gave her husband an STD. Apparently she found what she was looking for and told her husband about it, who then sent a text message to his ex and informed her that he knew all about her results.

The ex did not appreciate this, and told the Walgreens pharmacy about what happened. At some point after that, the pharmacist accessed the ex’s medical records again, and eventually the ex filed a lawsuit against Walgreens, claiming it was responsible for the HIPAA violation because it failed to properly educate and supervise its employee.

Walgreens argued what the pharmacist did fell outside of her job duties and therefore it was not responsible for the breach. The judge and jury disagreed, and the jury decided Walgreens was responsible for 80% of the damages owed the plaintiff (so I guess that means the total judgement for the plaintiff was $1.8 million). Walgreens has already said it will appeal.

As I said above, it may not sound like a big deal, but it potentially is.

Although HIPAA has a mechanism by which health care providers can be subject to federal civil and criminal penalties for violations, conventional legal wisdom says HIPAA does not allow for a “private cause of action”, meaning a private individual cannot sue a health care provider for breaching their medical privacy.

Or at least that’s how HIPAA used to be interpreted, before Neal Eggeson, the enterprising young attorney who successfully argued the only two cases in which HIPAA has been used in this fashion, came along.

Should Doctors Keep Patients’ HIV Status a Secret?

Aug 11, 2013• 53

By Lisa Fitzpatrick, MD

At my infectious-diseases clinic in Southeast Washington, I work with some of the city’s most indigent patients. Some don’t have jobs, a home, a car or enough to eat. But recently, I saw a patient whose problem made these issues seem trivial.

Dealing with fatigue, a cough and a fever for several months, this woman in her 40s had been evaluated by four internists. They had tested her for a variety of conditions but not HIV. Each had recommended rest, two prescribed antibiotics, and one suggested an over-the-counter cough medicine. Experiencing no physical relief from these suggestions, the woman had decided to “lay down and die.”

However, after her longtime partner insisted she get medical help, she agreed to go to a hospital emergency room. After a rapid test, which she initially refused because she said she was not at risk for HIV, she learned that she was HIV-positive.

After that ER visit, she brought her partner, whom she credits with saving her life, to my clinic to be tested; she was concerned that she had transmitted the virus to him. He tested positive. About a week later, when he accompanied her to an appointment with me, I asked if he had been seen by a doctor to discuss treatment. He said no and indicated that he wanted to establish care in the clinic.

When I asked if he had ever been on HIV drugs, he gazed at the medication chart and pointed out his previous regimen, a cocktail that contained indinavir. Because I and many other doctors stopped prescribing this medication a decade ago, I knew he had been keeping his condition from her for years. He stopped talking and avoided my gaze. It was clear he knew that I had learned his secret. I had many questions for him; but this visit was for her.

It was not the right moment to dredge up this history and ask how he could keep his diagnosis hidden while watching his partner struggle with her health. I chose not to ask about his dishonesty, their relationship and whether they had used condoms to protect her from getting HIV. At this point, I needed to help her understand that, even though she felt weak and sick, the medications would soon make her feel better. And that, with the right treatment, she could still live a long life.

While talking with my patient about her treatment, my mind kept wandering back to her partner’s secret. Was it my role to admonish him in front of her, or would that make things worse? What would they say to each other when they got home? I wanted to discuss these questions, but did I have a right to insert my judgment into this situation? At a private visit with me two weeks later, she let me know that this was the moment she realized he’d been keeping his diagnosis from her for years.

As a physician, I am not allowed to reveal any medical information about my patients or their circumstances without their written permission. This confidentiality is sacred. But in this case, that constraint felt inappropriate and irresponsible.