Steve Fox moderates panel in Boston on best practices for working with vendors

Steve Fox, Information Technology Practice Chair and Data Protection/Breach Co-Chair at Post & Schell, will speak  as well as moderate a panel discussion on "Dealing with Vendors:  Best Practices for Contracting and 3rd Party Compliance" in early September 2014 at the Privacy and Security Forum in Boston.

Via Health Privacy Forum:

As outsourcing continues to gain steam in the healthcare, security and privacy officers must be more vigilant than ever that cloud vendors and other business associates who handle PHI comply with HIPAA and make privacy and security a high priority.  Your relationship with your vendors begins with a well-negotiated contract, which is vital to protecting your interests and limiting potential liability in the event of a breach, but it’s only half the battle. 

Just because you have a contract in place, doesn’t mean you can be hands off about privacy and security issues.

In this session, Steven J. Fox, a leading healthcare IT attorney, outlines some of the key terms and conditions that make up the contractual foundation that covered entities need when working with HIT vendors and other business associates.  He'll also cover:

* What due diligence should be performed prior to starting contract negotiations?

* How vendors should share information about privacy & security breaches with your organization?

* How often (if at all) should you audit or monitor a vendor’s privacy & security performance?

* How to make sure a vendor returns, destroys, or appropriately safeguards your data at the end of the business relationship?

Fox will also moderate a panel discussion and examine what providers should expect from their vendor partners when it comes to protecting PHI and what vendors can realistically deliver.

Risks of EHRs accessible only via internet: a cloud downside

The cloud, popular because businesses can pay a monthly fee for computer-related services instead of paying for costly in-house hardware and the staff to manage it, has its drawbacks.  One of these became painfully evident for two days in mid-August.  While the fact has received surprisingly little news coverage, the internet experienced intermittent periods of brownout worldwide on Tuesday and Wednesday, August 12 and 13.  This was understandably alarming to healthcare providers who were unable to access patient records during these periods.  Not all EHR cloud storage providers were affected, and those that were, were able to resolve the problem by the end of Wednesday.  For cloud EHR storage vendors that invest in what are known as “system redundancies,” backup systems activated if primary systems become unavailable, business continued as usual during this period.  Smaller healthcare practices in particular, tending to have smaller budgets to spend on their EHR systems, often choose more affordable EHR programs from vendors with less robust system redundancies in place.  According to the Wall Street Journal, global internet traffic has grown too voluminous for the global routing system currently in place.  While engineers are working to upgrade the routing system, progress on this project is not keeping up with demand and periodic brownouts are likely to continue to occur.  Healthcare providers can protect themselves against the effects of future brownouts in various ways including investing in hybrid EHR storage systems, and including uptime guarantee clauses in their vendor contracts.

For more information see:

“Internet Outage Left Doctors Without Records For Hours – Huffington Post – internet – Google News,” News Journal Online (August 19, 2014)

 “Internet Brownout Exposes Risk of Cloud-Based EHRs,” Medscape (August 22, 2014)

“The 512K 'Crisis' Makes Its Mark:  Network Engineers Were Left Scrambling to Keep Web Customers Connected,” Wall Street Journal (August 18, 2014)

New developments at federal and state level on patent troll issue

While the healthcare industry has become well-acquainted with patent trolls, they are not the only industry that has been hit.  According to a Boston University study, American businesses paid $29 billion in 2011 alone to patent trolls in “licensing fees” in order to avoid litigation.  In response to the expanding activities of patent trolls, more formally known as PAEs (patent assertion entities), efforts have been underway at the federal and state levels to develop mechanisms for protecting businesses.  A patent reform bill which passed the House of Representatives 325-91 in December 2013, and had President Obama’s vocal support, was dropped by the Senate Judiciary Committee in May 2014 shortly before it would have come to a vote on the Senate floor.  Observers say a new bill on the subject is unlikely to appear before 2015.

States are coming up with some creative ideas to address PAE activities.  States are suing PAE’s under existing state consumer protection laws, and are also passing new laws directed at the activities of PAEs specifically.  Some of the new laws include fee shifting measures, requiring a PAE to post bond for the legal fees the target of their lawsuit would incur in order to facilitate their payment of their opponent’s legal fees if the PAE’s suit fails.  Bad faith demand letters tend to share common traits including being vague regarding the recipient’s alleged patent infringement, and threatening that a lawsuit will be filed if no settlement has occurred by a specific date.  Measures in some of the new state laws address these letters specifically by legislating how demand letters must be written to be legal, and/or requiring PAEs to submit their demand letters to the state for approval before they may send them out. 

Despite the states' energy around this issue, they are hampered in their efforts by a century-old Supreme Court decision.  In 1912 the Supreme Court ruled that for the most part cases pertaining to patent law fall under the jurisdiction of federal courts.  The case currently in the limelight testing how restrictive the 1912 decision will be for the states is Vermont v. MPHJ.  MPHJ asserts that, pursuant to the 1912 Supreme Court decision, the Vermont state court system in which Vermont filed its lawsuit against MPHJ has no jurisdiction.   The question has gone before the federal courts twice so far in this case.  In April 2014, Judge William K. Sessions III of the U.S. District Court for the District of Vermont noted that what the 1912 Supreme Court ruling actually says is that "Federal courts have exclusive jurisdiction of all cases arising under the patent laws, but not of all questions in which a patent may be the subject-matter of the controversy."  According to Judge Sessions, the Vermont case is about bad faith demand letters rather than about patent issues, and therefore, the state court does have jurisdiction.  In August 2014, the U.S. Appellate Court for the Federal Circuit dismissed MPHJ’s appeal, remanding the case back to state court.  According to observers, MPHJ is likely to file another jurisdictional appeal.

See additional information at:

“Patent-troll fight ends in retreat,” Burlington Free Press (July 7, 2014)

"Patent troll case referred back to Vermont courts,” Brattleboro Reformer (August 15, 2014)

"States go after patent trolls - how far can they go?" ABA Landslide Magazine (July/August 2014)

Attorney Steve Fox speaks on "Hidden Risks of Cloud Computing" at American Hospital Association conference

Healthcare IT attorney Steve Fox spoke on risks of cloud computing at the AHA's Leadership Summit held in San Diego this year.  According to attorney Fox, the data which the health care industry handles is growing exponentially, a trend driven in large part by  the increasing use of mobile devices. In his talk he explained that health care providers are adopting cloud and mobile technology for their affordability and convenience, but may be unaware of hidden costs in these new options. Fox asserts that cloud computing presents new challenges for health care organizations in terms of securing the applications and data. Issues with vendors may arise over service levels, security of information, ownership of information that is remotely hosted by a third party and use of hosted data by the vendor. In his presentation Fox provided advice on how to avoid some of the more important pitfalls with cloud computing. He said that technology may provide greater efficiencies, but it must be used responsibly and that patient information which passes through the technology must be responsibly handled as well.

PHI at risk in debt collection lawsuits involving medical services

Healthcare providers spend millions of dollars to comply with HIPAA in order to keep patients’ medical information private, and yet some of this same information is publicly available on the Internet in court records of medical debt lawsuits.

Maybe it’s time to consider expanding HIPAA protections to routine debt collection lawsuits where patients’ protected health information is currently available to anyone with an internet connection.

See Modern Healthcare article at “Online records pose privacy risks in medical-debt lawsuits”

Stage 2-ready software delays prompt CMS to postpone Stage 2 deadline

While vendors were able to supply the software needed for healthcare providers to comply with Stage 1 of the EHR incentive program, they are experiencing delays in developing the software needed for Stage 2 meaningful use compliance.  In response to feedback from the healthcare community on this subject, the Centers for Medicare and Medicaid Services and the HHS' Office of the National Coordinator for Health Information Technology propose postponing Stage 2 implementation deadlines one year -- to take effect in 2015 instead of in 2014

Via Modern Healthcare:

For the second time this year, the federal government is pushing back a major health information technology initiative, potentially giving early adopters of electronic health records an extra year to meet more stringent meaningful-use requirements.

The CMS and HHS' Office of the National Coordinator for Health Information Technology issued a proposed rule last week that would give hospitals, office-based physicians and other professionals eligible for the EHR incentive program an additional year to use 2011 Edition software for their systems and continue to meet Stage 1 criteria for meaningful use of the technology.

The proposed rule means providers that entered the program in 2011 could have as many as four years using 2011 software at Stage 1 meaningful use.

Continue Reading...

Rural providers cope with HIT staffing deficits

If compliance with ONC regulations is challenging for healthcare providers in urban areas, with high concentrations of IT professionals, it is especially challenging for rural providers where IT resources in the form of human capital are scarce.  The federal government's 2009 healthcare stimulus package, HITECH, provided funding for a national network of regional extension centers (RECs) designed to assist rural healthcare systems.  While the program is considered very effective, its funding will dry up in 2014.  Rural providers have devised a creative array of strategies to overcome their HIT staffing obstacles.

Via Modern Healthcare:

It took St. Claire Regional Medical Center, in the small town of Morehead in northeastern Kentucky, 2½ months to fill an open position on its computer help desk.

“We just don't see that many people who are even close to being qualified willing to work for the amount of money we're able to pay,” said Randy McCleese, vice president of information services and chief information officer of the 159-bed hospital. “That's part of what we have to deal with in the rural environment.”

Continue Reading...

Software to ease ICD-10 transition: providers consider the options

Congress' decision this spring to delay the ICD-10 deadline has given healthcare providers some extra breathing space to make the transition, but many are seeking additional help in the form of new "language-to-code" translation software. 

Via Modern Healthcare:

Despite the recent congressional delay in implementing the ICD-10 coding system, there is growing interest in a high-tech way of helping physicians convert their standard clinical terminology into the complex new payment codes. It's called “language-to-code” translation.

These translation systems are essentially computerized medical dictionaries stuffed with clinician-friendly descriptions in English or Latin of patient complaints, diagnoses and procedures, which are then linked to lists of clinical and billing codes. These words are presented to clinicians during preparation or updating of a problem list, for example, through software built into their electronic health records. Once a clinician selects a word or phrase, the software links it to code sets such as SNOMED CT—now available for free through the National Library of Medicine—the American Medical Association's Current Procedural Terminology, and ICD-9 and ICD-10.

Continue Reading...

Steven J. Fox gives talks on cloud vendor contracts, receives favorable media coverage

Health IT blawger Steven J. Fox spoke to healthcare providers on contracting with cloud-based technology vendors at events sponsored by the Pennsylvania and American bar associations recently.  Initially covered by, the presentation has garnered further industry media attention, sparking three additional articles so far:

  • “Hospitals can benefit from cloud-based IT technology,” TeraMedica (March 31, 2014)
  • “Attorney: Cloud vendor contracts wrought with pitfalls,” FierceEMR (April 7, 2014)
  • “Beware the hidden costs of a poorly constructed EHR contract,” FierceEMR (April 10, 2014)

PHI of 26-30 million Americans to be linked in single, vast network

By September 2015 database managers hope to have a network in place that will link databases containing the PHI records of millions of people.  The project is being implemented by PCORI, Patient-Centered Outcomes Research Institute, a non-profit organization formed at the behest of Congress as part of the 2010 Affordable Care Act.  PCORI’s mission is to organize “comparative effectiveness” research in the healthcare industry regarding different treatment possibilities, drugs and devices.  PCORI elected to use its funding to create a network pooling millions of patient records in aid of its mission.  Issues still undecided include what pharmaceutical and insurance companies’ access to the data will be.  PCORI asserts that the data, which will, in some cases, include links to genetic samples, will be anonymized before release to researchers.  Critics worry that patient identities may not remain private (see "De-identified PHI records relatively easy to re-identify Harvard prof demonstrates"). 

See full Washington Post article at “Scientists embark on unprecedented effort to connect millions of patient medical records”.