Tag: HIPAA

If data is the new oil, there’s going to be war over it

By MATTHEW HOLT

I am dipping into two rumbling controversies that probably only data nerds and chronic care management nerds care about, but as ever they reveal quite a bit about who has power and how the truth can get obfuscated in American health care. 

This piece is about the data nerds but hopefully will help non-nerds understand why this matters. (You’ll have to wait for the one about diabetes & chronic care).

Think about data as a precious resource that drives economies, and then you’ll understand why there’s conflict.

A little history. Back in 1996 a law was passed that was supposed to make it easy to move your health insurance from employer to employer. It was called HIPAA (the first 3 letters stand for Health Insurance Portability–you didn’t know that, did you!). And no it didn’t help make insurance portable.

The “Accountability” (the 1st A, the second one stands for “Act”) part was basically a bunch of admin simplification standards for electronic forms insurers had been asking for. A bunch of privacy legislation got jammed in there too. One part of the “privacy” idea was that you, the patient, were supposed to be able to get a copy of your health data when you asked. As Regina Holliday pointed out in her art and story (73 cents), decades later you couldn’t.

Meanwhile, over the last 30 years America’s venerable community and parochial hospitals merged into large health systems, mostly to be able to stick it to insurers and employers on price. Blake Madden put out a chart of 91 health systems with more than $1bn in revenue this week and there are about 22 with over $10bn in revenue and a bunch more above $5bn. You don’t need me to remind you that many of those systems are guilty with extreme prejudice of monopolistic price gouging, screwing over their clinicians, suing poor people, managing huge hedge funds, and paying dozens of executives like they’re playing for the soon to be ex-Oakland A’s. A few got LA Dodgers’ style money. More than 15 years since Regina picked up her paintbrush to complain about her husband Fred’s treatment and the lack of access to his records, suffice it to say that many big health systems don’t engender much in the way of trust. 

Meanwhile almost all of those systems, which already get 55-65% of their revenue from the taxpayer, received additional huge public subsidies to install electronic medical records, which both pissed off their physicians and made several EMR vendors rich. One vendor, Epic Systems, became so wealthy that it has an office complex modeled after a theme park, including an 11,000-seat underground theater that looks like something from a ’70s sci-fi movie. Epic has also been criticized for monopolistic practices and related behavior, in particular limiting what its ex-employees could do and what its users could publicly complain about. Fortune’s Seth Joseph has been hammering away at them, to little avail, as its software now manages 45%+ of all encounters with that number still increasing. (Northwell, Intermountain & UPMC are three huge health systems that recently tossed previous vendors to get on Epic).

Meanwhile some regulations did get passed about what was required from those who got those huge public subsidies and they have actually had some effect. The money from the 2009 HITECH act was spent mostly in the 2011-14 period and by the mid teens most hospitals and doctors had EMRs. There was a lot of talk about data exchange between providers but not much action. However, there were three major national networks set up, one mostly working with Epic and its clients called Carequality. Epic meanwhile had pretty successfully set up a client to client exchange called Care Everywhere (remember that).

Then, mostly driven by Joe Biden when he was VP, in 2016 Congress passed the 21st Century Cures Act which, among many other things, basically said that providers had to make data available in a modern format (i.e. via API). ONC, the bit of HHS that manages this stuff, eventually came up with some regulations and by the early 2020s data access became real across a series of national networks. However, the access was restricted to data needed for “treatment” even though the law promised several other reasons to get health data.

As you might guess, a bunch of things then happened. First a series of VC-backed tech companies got created that basically extract data from hospital APIs in part via those national networks. These are commonly called “on-ramp” companies. Second, a bunch of companies started trying to use that data for a number of purposes, most ostensibly to deliver services to patients and play with their data outside those 91 big hospital systems.

Which brings us to the last couple of weeks. It became publicly known among the health data nerd crowd that one of the onramp companies, Particle Health, had been cut off from the Carequality Network and thus couldn’t provide its clients with data.

Continue reading…

Virtual Care Regulatory Round-Up: Dobbs & the ‘Weaponization’ of Digital Health Data

BY JESSICA DaMASSA

How will the reversal of Roe v. Wade impact virtual care and digital health companies from a health data privacy standpoint, particularly as States crack down on the use of telehealth as a mechanism for obtaining abortions and begin to look at digital health data as potential evidence in criminal cases where abortions are illegal?

Health data privacy expert and rightfully-so-self-proclaimed HIPAA Scholar, Deven McGraw, who spent three years as Deputy Director of the Health Information Privacy Office at HHS and currently leads Data Sharing and Stewardship at Invitae, gives us her hot take on what’s happened from a health data privacy standpoint and how it will impact health tech businesses and healthcare consumers in the short and long terms.

Deven’s take: “We’ve really jumped the shark in terms of what the consequences are of health data falling into the hands of people who intend to use it in order to pursue a criminal case either against a woman (or a man) seeking a service, or the provider that performed the service…” So, what does that mean for those who are dealing with digital health data? What are the limitations as far as what HIPAA can protect for patients and what it can’t? What loopholes have Deven worried about the privacy law’s ability to stand up to the challenges now posed by the Dobbs decision? And, what does all this mean for the telehealth-based businesses that are providing services to these patients?

We have a sweeping conversation about the shifting health data privacy landscape in the wake of Roe’s reversal in this latest episode of our special monthly Virtual Care Regulatory Round-up Series, sponsored by the health tech company powering the virtual care industry, Wheel.

Matthew’s health care tidbits: Texas is the present future of abortion care

Each week I’ve been adding a brief tidbits section to the THCB Reader, our weekly newsletter that summarizes the best of THCB that week (Sign up here!). Then I had the brainwave to add them to the blog. They’re short and usually not too sweet! –Matthew Holt

In this edition’s tidbits, I have to return to the stunning impact of the Dobbs ruling. We know what will happen because it is already happening in Texas, where the 6 week law was already being enforced in contravention of Roe v Wade.

Taxpayer money is going to “pregnancy crisis centers” that flat out lie to vulnerable patients about the impact of abortions on their health. Doctors are questioning women who have miscarried–at a moment that is already terrible for them, and women who have miscarried are being denied basic D&Cs–which can kill them.

Don’t get me started on the absolute nonsense being talked–and passed into law –about ectopic pregnancies, of which there are over 130,000 each year in the US, being carried to term. How unlikely is it that an ectopic pregnancy makes it to term with no ill effects? Let me tell you a story. My dad was an OBGYN. He and his anesthetist saved the life of a woman and her baby who somehow had made it to term while being ectopic. During the surgery she needed 12 pints of blood (a normal woman has 7-8 pints in her body) and he considered it the greatest piece of surgery he did in his entire career. He thought that he and the patients were very lucky. So I demand that crazy legislation saying ectopic pregnancies have to be carried to term also mandates that my dad is around to do every single C-Section. Unlikely, as he’s dead, but no crazier than the legislation in Indiana.

Then there’s the impact on telehealth. Most abortions are done using drugs but more and more of the pandemic-era exemptions to prescribing drugs and seeing patients over telehealth across state lines are being withdrawn. Clearly the state-based licensing of doctors is itself ridiculous in an age of online commerce, but despite the DOJ statements the legality of prescribing abortifacients across state lines is very unclear and, as Deven McGraw explained in this harrowing piece on THCB Gang, HIPAA doesn’t protect patient privacy from local law enforcement. So what happens to someone in a state where abortion is banned if they have to go to hospital because of a complication from taking an abortifacient? Trump thinks they should go to jail.

What is clear is that bans on abortion don’t stop abortions. But they do endanger women. And if the pregnancy crisis center stops a woman from getting an abortion, do they help afterwards? Why yes, if you mean by “helping”, they have a celebratory dinner and light a fricking candle.

How Can Patients Get Medical Records from a Closed Medical Practice?

By GRACE CORDOVANO, DEVEN McGRAW, and AARON MIRI

The HIPAA Privacy Rule gives patients the right to copies of their medical records, with rare exceptions. When patients need a copy of their medical records, most start the process by calling their doctor’s office and asking how to get access. The receptionist or office staff point them in the right direction, whether it’s instructing them to write down their request and send it to the office, pointing them to contact the medical records or radiology department (if the practice is large enough), or assisting them in setting up their patient portal, if the practice is using an electronic health record (EHR). Being able to connect with a person inside the four walls of medicine is often crucial for many patients and their care partners who may be unsure of exactly how to request their records.

But what happens to those records when a doctor closes or leaves the practice?

Independent practices close for a variety of reasons. Physicians may merge with a large practice or health system, retire, sell or close their practice for personal reasons, file for bankruptcy, or get sick and die. The COVID-19 pandemic has had devastating financial consequences on many small, independent, and rural practices, leading to their consequent closure, acquisition, or merger.

What should patients do when their doctor’s office closes, and they need a copy of their medical records? This is especially challenging when a doctor may not have had an EHR, as is the case with many independent practices as well as more rural settings. On September 26, 2020, a tweet from Cait DesRoches, Executive Director of OpenNotes, inquired about how a family member may get access to medical records from her physician’s practice that closed, triggering a robust conversation that led to the realization that patients and families are not well informed in these circumstances.

Prevention is Worth a Pound of Cure

It can be much more difficult to get copies of records after a practice has closed. Patients should get copies of their medical records as they are generated instead of waiting until they’re needed. HIPAA Privacy Rule guidance states that individuals can get digital copies of digital information (or even digital copies of records kept on paper, as long as the practice has a scanner). Companies are developing tools and services that enable individuals and their care partners to collect, use, and store health records. Request digital (or paper, if that is preferred) copies of blood work, imaging, discharge instructions, and corresponding reports before you leave the practice.

Continue reading…

Patient Identity and Patient Record Matching

By ADRIAN GROPPER and DEBORAH C. PEEL

September 4, 2020

Thank you, ONC, for the opportunity you gave me to speak in June. Also, thank you for the format of your August meeting, where the Zoom chat feature offered a wonderful venue for an inclusive commentary and discussion as the talks were happening. Beats lining up at the microphone any day.

Here is a brief recap of my suggestions, in no particular order:

Continue reading…

Getting Ahead of Privacy and the CCPA – Healthcare Needs to Move Beyond HIPAA

By DAN LINTON

This piece is part of the series “The Health Data Goldilocks Dilemma: Sharing? Privacy? Both?” which explores whether it’s possible to advance interoperability while maintaining privacy. Check out other pieces in the series here.

Privacy concerns are on the rise. Over the last couple of years, survey after survey has clearly shown a dramatic rise in overall consumer privacy awareness and concern – driven primarily by the never-ending litany of ongoing data breaches that make the news.

The healthcare industry has been somewhat shielded from this, seemingly due to the trust that patients extend to their doctors and, by proxy, the organizations they work with. HITECH and HIPAA legislation have acted as a perceived layer of safety and protection.

But healthcare is not immune from privacy issues.

Most people aren’t even aware of the hundreds of data breaches of unsecured health information in the last 24 months which are being investigated by the U.S. Department of Health & Human Services Office for Civil Rights. In fact, research indicates that consumers still trust healthcare organizations with their data more so than many other industries.

But for how much longer?

Continue reading…

Healthcare in the National Privacy Law Debate

This article originally appeared in the American Bar Association’s Health eSource here.

By KIRK NAHRA

This piece is part of the series “The Health Data Goldilocks Dilemma: Sharing? Privacy? Both?” which explores whether it’s possible to advance interoperability while maintaining privacy. Check out other pieces in the series here.

Congress is debating whether to enact a national privacy law. Such a law would upend the approach that has been taken so far in connection with privacy law in the United States, which has either been sector specific (healthcare, financial services, education) or has addressed specific practices (telemarketing, email marketing, data gathering from children). The United States does not, today, have a national privacy law. Pressure from the European Union’s General Data Protection Regulation (GDPR)[1] and from California, through the California Consumer Privacy Act (CCPA),[2] are driving some of this national debate.

The conventional wisdom is that, while the United States is moving towards this legislation, there is still a long way to go. Part of this debate is a significant disagreement about many of the core provisions of what would go into this law, including (but clearly not limited to) how to treat healthcare — either as a category of data or as an industry.

So far, healthcare data may not be getting enough attention in the debate, driven (in part) by the sense of many that healthcare privacy already has been addressed. Due to the odd legislative history of the Health Insurance Portability and Accountability Act of 1996 (HIPAA),[3] however, we are seeing the implications of a law that (1) was driven by considerations not involving privacy and security, and (2) reflected a concept of an industry that no longer reflects how the healthcare system works today. Accordingly, there is a growing volume of “non-HIPAA health data,” across enormous segments of the economy, and the challenge of figuring out how to address concerns about this data in a system where there is no specific regulation of this data today.

Continue reading…

Health Data Outside HIPAA: Simply Extending HIPAA Would Be a #FAIL

By DEVEN McGRAW and VINCE KURAITIS

This piece is part of the series “The Health Data Goldilocks Dilemma: Sharing? Privacy? Both?” which explores whether it’s possible to advance interoperability while maintaining privacy. Check out other pieces in the series here.

Early in 2019 the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS) proposed rules intended to achieve “interoperability” of health information.

Among other things, these proposed rules would put more data in the hands of patients – in most cases, acting through apps or other online platforms or services the patients hire to collect and manage data on their behalf. Apps engaged by patients are not likely covered by federal privacy and security protections under the Health Insurance Portability and Accountability Act (HIPAA) — consequently, some have called on policymakers to extend HIPAA to cover these apps, a step that would require action from Congress.

In this post we point out why extending HIPAA is not a viable solution and would potentially undermine the purpose of enhancing patients’ ability to access their data more seamlessly:  to give them agency over health information, thereby empowering them to use it and share it to meet their needs.

Continue reading…

The Intrusion of Big Tech into Healthcare Threatens Patients’ Rights

By ANDREW DORSCH, MD

The question of how much time I spend in front of the screen has pestered me professionally and personally. 

A recent topic of conversation among parents at my children’s preschool has been how much screen time my toddlers’ brain can handle. It was spurred on by a study in JAMA Pediatrics that evaluated the association between screen time and brain structure in toddlers. The study reported that those children who spent more time with electronic devices had lower measures of organization in brain pathways involved in language and reading. 

As a neurologist, these findings worry me, for my children and for myself. I wonder if I’m changing the structure of my brain for the worse as a result of prolonged time spent in front of a computer completing medical documentation. I think that, without the move to electronic medical records, I might be in better stead — in more ways than one. Not only is using them potentially affecting my brain, they pose a danger to my patients, too, in that they threaten their privacy. 

As any practicing physician can tell you, electronic medical records represent a Pyrrhic victory of sorts. They present a tangible benefit in that medical documentation is now legible and information from different institutions can be obtained with the click of a button — compared to the method of decades past, in which a doctor hand-wrote notes in a paper chart — but there’s also a downside. 

Continue reading…

Patient-Directed Uses vs. The Platform

By ADRIAN GROPPER, MD

This piece is part of the series “The Health Data Goldilocks Dilemma: Sharing? Privacy? Both?” which explores whether it’s possible to advance interoperability while maintaining privacy. Check out other pieces in the series here.

It’s 2023. Alice, a patient at Ascension Seton Medical Center Austin, decides to get a second opinion at Mayo Clinic. She’s heard great things about Mayo’s collaboration with Google that everyone calls “The Platform”. Alice is worried, and hoping Mayo’s version of Dr. Google says something more than Ascension’s version of Dr. Google. Is her Ascension doctor also using The Platform?

Alice makes an appointment in the breast cancer practice using the Mayo patient portal. Mayo asks permission to access her health records. Alice is offered two choices: one uses HIPAA without her consent, the other is under her control. Her choice is:

  • Enter her demographics and insurance info and have The Platform use HIPAA surveillance to gather her records wherever Mayo can find them, or
  • Alice copies her Mayo Clinic ID and enters it into the patient portal of any hospital, lab, or payer to request her records be sent directly to Mayo.

Alice feels vulnerable. What other information will The Platform gather using their HIPAA surveillance power? She recalls a 2020 law that expanded HIPAA to allow access to her behavioral health records at Austin Rehab.

Alice prefers to avoid HIPAA surprises and picks the patient-directed choice. She enters her Mayo Clinic ID into Ascension’s patient portal. Unfortunately, Ascension is using the CARIN Alliance code of conduct and best practices. Ascension tells Alice that they will not honor her request to send records directly to Mayo. Ascension tells Alice that she must use the Apple Health platform or some other intermediary app to get her records if she wants control.

Continue reading…