California courts: Sutter Health not liable in $4.25 billion data breach case

In a development sure to draw attention, the California Supreme Court last week upheld a lower court’s dismissal of the $4.25 billion case against Sutter Health arising from an October 2011 data breach.  A password-protected computer full of unencrypted data, stolen from one of Sutter Health’s Sacramento locations, contained records for 4.24 million patients.  In July 2014, thirteen coordinated lawsuits in the case were dismissed by an appeals court.  According to the appeals court, the case was dismissed because there is no evidence the stolen data has been used. 

See Sacramento Business Journal (California) article at “California Supreme Court declines to review Sutter data-breach case”

Human-computer interactions: what happened during September's Texas Ebola misdiagnosis?

A new report on what went wrong in the processing of the late Thomas Eric Duncan upon his first visit to the emergency room proposes that a combination of human and computer errors was responsible.  A team of medical informaticists reviewed events leading up to the misdiagnosis, reporting their findings in "Ebola U.S. Patient Zero: Lessons on Misdiagnosis and Effective Use of Electronic Health Records."   The report, published October 23 in the online journal Diagnosis, suggests that certain EHR usability issues can contribute to medical errors.  One concern of the researchers is that EHRs are designed to try to “routinize” processing of patient information in a way that may blinder providers when faced with an out-of-the-ordinary situation.

See Modern Healthcare article at “Botched U.S. Ebola diagnosis points to computer, human errors” and Information Week article at “Ebola Misdiagnosis: Experts Examine EHR Lessons”

Medical info now 10 times more valuable than financial data on the black market

Credit card numbers have dropped precipitously in value in recent years as PHI replaces it on the underground market.  Why?  Cyber criminals use the PHI to engage in medical fraud which, because of its complexity, may continue undetected for years.  Theft and misuse of credit cards, on the other hand, is usually detected almost immediately and the cards canceled.  In addition, in part because the financial industry has had many more years to develop sturdy safeguards against data theft, healthcare industry data is relatively easier for thieves to access.

See Reuters article at “Your medical record is worth more to hackers than your credit card”

FDA issues final guidance to medical device makers on cybersecurity

In its final guidance issued last week, the Food and Drug Administration is requesting that device makers assess what information hackers might target in connection with their devices, how hackers might attempt to access the information, and how device makers intend to address these issues both before and after putting their products on the market.  In addition, FDA is requesting that device makers report in to the agency on a continuing basis regarding cybersecurity incidents that arise after product approval.

Medical devices currently on the market are considered to be relatively easy to hack, according to cybersecurity experts.  Cybersecurity and device usability, unfortunately, tend to exist in inverse relation so the challenge for device makers is to find a workable balance between the two.

See Modern Healthcare article at “FDA seeks cybersecurity assessments from medical-device makers,” the FDA press release, and the final guidance entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” online and in pdf form.

New hope for resolving thorny sensitive PHI issues in health data exchanges

Uncertainty and disagreement regarding how to handle behavioral and other sensitive healthcare data such as HIV and reproductive health records has been a stumbling block for healthcare in various ways.  Potential patients don’t seek help because of fear their records will be too widely released and the patients permanently harmed as a result.  According to the Substance Abuse and Mental Health Services Administration (SAMHSA), one quarter of adults needing mental healthcare go without due to this fear, with that statistic rising to over 35% among young adults. 

Meanwhile, healthcare providers want to provide more effective treatment by coordinating physical and behavioral care.  To do this, sensitive PHI must be transferred from behavioral to physical care providers.  However, behavioral healthcare and physical healthcare providers operate under different and sometimes mutually contradictory rules about how patient records may be handled and shared.  Many providers have technology to handle only “less sensitive” healthcare records.  Because the whole issue is in such a state of flux, little software exists so far to properly handle sensitive PHI.  Even if the technology to handle sensitive data was easily available, purchasing additional software to handle such data is out of financial reach for many providers.

In the midst of all this, providers, vendors and federal agencies move forward in developing solutions.  A new technological approach is to place patient-directed privacy controls on EHRs.  The federal initiative promoting this type of technology is called DS4P -- data segmentation for privacy.  A pilot software system being tested by University of Michigan Health and an Ann Arbor behavioral health provider compares behavioral health record requests made by UMH against the list of patient consent forms which are stored in the system.  If a patient consent form in the system matches the request, the information is released to UMH through a secure portal.

See Modern Healthcare article at “Tech fixes ease sharing of sensitive patient data”

Techies invade HIT market: is their unfamiliarity with healthcare industry obstacle or advantage?

Until recently, healthcare software has been developed by IT professionals grounded in the healthcare industry.  The latest arrivals to HIT development come from a range of non-healthcare industries.  The vendor of one new product currently on the HIT market last developed software related to automobile sales, while another previously developed public relations software that helps customers manage their online image.  Some observers worry that the newcomers’ disconnect from the healthcare arena threatens the success of products they may develop, but others say this freedom from preconceptions may lead to bold and successful innovation.

See Modern Healthcare article at "IT entrepreneurs rush into healthcare, but will human touch be missing?"

Billions at risk as providers face Stage 2 hurdle

An impressive number of healthcare providers met Stage 1 requirements and qualified for EHR payments in 2011 and 2012 – some 170,000.  Of these providers, who are therefore eligible to continue in the EHR incentive program, only about 4% appear to be on track to meet Stage 2 requirements.  With the December 2014 deadline looming, providers are in danger of losing billions according to data recently released by the Centers for Medicare & Medicaid Services (CMS).

See Modern Healthcare article at “Number of providers facing Stage 2 EHR hurdle puts billions at stake”

ONC's EHR security provisions inadequate says OIG

Healthcare providers cannot attest to meaningful use unless they use certified EHR software.  Providers purchasing certified EHR software tend to assume that a certified EHR has been rigorously tested and can be counted on to ensure protection of patient data.  This assumption may not be valid according to a report recently issued by the HHS’ Office of Inspector General.

The report publishes the results of an OIG audit of the ONC’s EHR Certification Program, focusing in particular on structures and procedures for ensuring data security in electronic health records.  The audit primarily reviewed the temporary program the ONC employed prior to 2014.  This earlier, temporary program was carried out by a group of five certification bodies (ACTBs) accredited by the American National Standards Institute and the National Voluntary Laboratory Accreditation Program and the OIG found some troubling flaws in it.  For instance, the OIG discovered that while the program was supposed to perform periodic re-evaluations of EHRs after their initial certification, this did not consistently happen.  This means that some EHRs, which had been, since their initial certification, modified in ways that rendered them no longer compliant, and in some cases seriously non-compliant, remained – and may still remain --  on the lists of certified products.  

The ONC disagreed with the OIG report.  The ONC claimed that since the temporary program has been replaced with the permanent one, which employs the 2014 Edition EHR Certification Criteria, the OIG’s critiques are no longer relevant.  The OIG therefore went back to determine if problems with the temporary program had been corrected in the permanent program and found that many have not been.  Among other concerns the OIG brought to light, the audit found that an EHR may be certified under ONC’s 2014 Certification Criteria – as under the earlier temporary program -- with passwords as short as a single character.  The OIG found another significant issue that has persisted from the temporary program.  If an EHR has been hacked converting it into malware, the ONC certification program is, except in rare cases, is not authorized to decertify the EHR, even temporarily, to prevent sales of the product.  The OIG report contains a set of recommendations addressing these and other concerns.

See Modern Healthcare article at “OIG faults ONC's electronic health record security provisions,” and a copy of the OIG report.


CMS issues final EHR meaningful-use rule - with some flexibility

The Centers for Medicare and Medicaid Services issued a final EHR meaningful-use rule last Friday, consistent with the proposal it published in May.  The rule will grant healthcare providers more time and some flexibility in how they meet requirements for the EHR incentive program.  One of the points on which the rule grants more leniency is that the MU third stage deadline for the first wave of adopters will change from January 1, 2016 to January 1, 2017.  Another is that providers who need the time will have an additional year to use 2011 Edition EHR software before they must implement 2014 software.

See Modern Healthcare article at “CMS finalizes EHR meaningful-use rule, adds some flexibility”

Steve Fox moderates panel in Boston on best practices for working with vendors

Steve Fox, Information Technology Practice Chair and Data Protection/Breach Co-Chair at Post & Schell, will speak  as well as moderate a panel discussion on "Dealing with Vendors:  Best Practices for Contracting and 3rd Party Compliance" in early September 2014 at the Privacy and Security Forum in Boston.

Via Health Privacy Forum:

As outsourcing continues to gain steam in the healthcare, security and privacy officers must be more vigilant than ever that cloud vendors and other business associates who handle PHI comply with HIPAA and make privacy and security a high priority.  Your relationship with your vendors begins with a well-negotiated contract, which is vital to protecting your interests and limiting potential liability in the event of a breach, but it’s only half the battle. 

Just because you have a contract in place, doesn’t mean you can be hands off about privacy and security issues.

In this session, Steven J. Fox, a leading healthcare IT attorney, outlines some of the key terms and conditions that make up the contractual foundation that covered entities need when working with HIT vendors and other business associates.  He'll also cover:

* What due diligence should be performed prior to starting contract negotiations?

* How vendors should share information about privacy & security breaches with your organization?

* How often (if at all) should you audit or monitor a vendor’s privacy & security performance?

* How to make sure a vendor returns, destroys, or appropriately safeguards your data at the end of the business relationship?

Fox will also moderate a panel discussion and examine what providers should expect from their vendor partners when it comes to protecting PHI and what vendors can realistically deliver.