Washington state inadvertently released computers containing PHI and other sensitive data

All state governments dispose of large numbers of older computers each year, and while they all have procedures in place to scrub sensitive data from the hard drives before releasing them, there have been reports of slip-ups.  An audit conducted last summer on computers approved for sale or donation by Washington state found that 9% still contained sensitive information such as Social Security numbers and health data, including psychiatric records.  Washington releases as many as 10,000 older computers each year.  Since the audit, the state has changed how it processes computers destined for disposal, including submitting them to an additional scrubbing procedure.

See full Consumerist article at “Washington State Sold Computers Loaded With Sensitive Personal Information,” as well as additional coverage at Spokesman-Review (Spokane, WA) and Govtech.com.

FDA, ONC and FCC release FDASIA Health IT Report draft

Last week, the Food and Drug Administration (FDA), the Office of the National Coordinator for Health IT (ONC), and the Federal Communications Commission (FCC) announced the release of their draft FDASIA Health IT Report, which incorporates the September 2013 recommendations of the FDASIA Workgroup.  The 34-page report introduces a proposed strategy for a risk-based regulatory framework for health IT.  The public is invited to comment.

See FDA announcement and the draft report itself at “FDASIA Health IT Report:  Proposed Strategy and Recommendations for a Risk-Based Framework”.

'Fasten your contracts' or risk a bumpy ride in the 'Cloud,' blawger Steven J. Fox warns healthcare providers

"Never accept the vendor's standard form contract as the final word; remember that everything is negotiable," cautions Steven J. Fox.  Fox shared the podium with Lee Kim, HIMSS’ Director of Privacy and Security, at the HIMSS conference in Orlando to speak on “Hidden Pitfalls with Cloud, Mobile Technology, and Mobile Data”.  Fox, who chairs Post & Schell’s Information Technology Practice Group, spoke extensively on steps healthcare providers can take before and during contract negotiations to protect their interests.  According to AuntMinnie, the medical imaging industry’s online news magazine, which covered the talk in depth, if you “[w]ant to implement a cloud-based health IT system…[you] need to perform thorough technical and business due diligence to ensure patient privacy and the availability and security of your data….”  While this is good advice for any contract negotiations, cloud data storage’s unique set of issues – reviewed in the HIMSS talk – makes these precautions especially vital.

See full AuntMinnie article at “Cloud IT use requires technical, business due diligence”

Over 220K PHI records affected in San Francisco area burglary

In a February incident at a Torrance, California medical billing company, burglars made off with several unencrypted computers.  According to an announcement by San Francisco’s Department of Public Health, the loss resulted in the theft of 56,000 San Francisco area patient records, and compromised an additional 168,500 Los Angeles area patient records.  The medical billing company, Sutherland Healthcare Solutions, is offering the affected San Francisco area patients free credit monitoring and recovery services.  Sutherland has also committed to henceforth encrypt its computers, anchor them to office furniture, and require that all data be saved to shared drives rather than to individual computers.

See full LA Times article at “San Francisco patient records stolen in Torrance burglary”

Emailing PHI: considerations for developing best practices

PHI breaches that make the headlines often result from computer thefts or hacking.  Another, less well-publicized vulnerability for PHI records, however, lies in electronic mail, which is arguably not a particularly secure form of communication.  Over 100 billion emails were exchanged daily within the business community in 2013, and the number routinely exchanged within the healthcare industry is also enormous.  Institutions and entities that work with PHI can consider some of the following issues and questions regarding email and PHI, either on a case-by-case basis or in developing broader policies:

  • Email is not what it used to be:  with continuing changes in technology, communication methods that have up until now been considered separate from email may now also be considered email, including, for instance, telephone messages and faxes, which are now routinely delivered by email.
  • Is email the only or best way to transmit the PHI or is there another, more secure method?
  • Is disclosing the PHI really required in this instance, or is it possible to simply allude to the information within the PHI more generally?
  • The contracts governing interactions with business associates and other entities may themselves limit what and how communication occurs.
  • Is encryption appropriate, and if so what is the best method?

See full AHLA Connections article at “Tips and Tactics for Transmitting PHI by Email” 

GAO report: EHR incentive program suffers high attrition rate

While 89% of qualified hospitals and 65% of qualified individual medical professionals have received incentive payments, a significant number of these have dropped out of the incentive program in its later stages, according to a recent GAO study.  The report speculates on possible reasons for this phenomenon.  One possibility is that participants were not required to demonstrate meaningful use at earlier stages in the program, and then dropped out once that became necessary.  Other reasons given by program dropouts ranged from having changed software companies and not yet being ready to provide CMS with the new EHR information to being unaware that they were expected to continue participating in the program.

Via Modern Healthcare:

By one oft-reported measure, the federal government's electronic health record incentive payment programs have been an unmitigated success.

That measure is the increase in the number of hospitals and physicians (and other professionals) that have received payments from the programs under Medicare, Medicaid and Medicare Advantage for installing and "meaningfully using" EHRs. The payments are designed to incentivize providers to buy and use, in a meaningful manner, EHR systems.


Interoperability collaborators present at HIMSS conference

Although the majority of healthcare settings are now digitalized, lack of interoperability among the wide range of software applications now in place continues to be a problem.  Several groups addressing this issue presented their innovations at this year’s HIMSS national conference in Orlando.  Among the groups were the CommonWell Health Alliance, made up of EHR vendors committed to increased interoperability, and the newly-formed Carequality, which includes UnitedHealth Group, Walgreen and Epic.

Via Modern Healthcare:

Several interoperability collaborations presented at the HIMSS conference demonstrated that information technology vendors and healthcare providers are focusing on connecting competing electronic health records and health information exchanges as well as medical devices and health IT systems.


ONC leaders mark agency's 10th anniversary with review of government's role in health industry IT

ONC past and current leaders met this week to share thoughts on government’s role in the development of health IT in commemoration of ONC’s ten year anniversary.  The agency, formed by then-President George Bush in 2004, was tasked with providing every American with an electronic medical record.

According to the ONC’s current leader, Dr. Karen DeSalvo, government is responsible for ensuring that the benefits of health IT are available to all.  Former ONC chief Dr. Farzad Mostashari believes government should use the market to reach national health IT goals.  However, noting the market’s natural drift away from competition, he stresses that the government – i.e., the FTC – is essential to keep the market functioning properly by blocking this tendency.  Former ONC leader Dr. Robert Kolodner holds that the government’s $19.2 billion EHR incentive program has distorted the market and welcomes the end of the incentive program as a time in which, he says, consumers will resume control of the market.

When Dr. David Brailer began his tenure as the ONC’s first leader, he expected the agency would accomplish its goals and be phased out after ten years.  Now he, along with the others, cannot imagine the future of healthcare IT’s ongoing evolution without the ONC continuing to play a central role.

Via Modern Healthcare:

Three former heads of the Office of the National Coordinator for Health Information Technology plus its current leader appeared on one panel at the Healthcare Information and Management Systems Society convention Wednesday, sharing their thoughts on health IT's history and future and the role government should play in it.



Opposition halts nationwide UK EHR database project

Alongside media reports in January of U.S.-U.K. plans to collaborate on healthcare data policy, National Health Service England announced its plans to combine the records of all its patients into a single database to be available by April.  This week, the NHS halted the proposed program due to widespread concerns.  Promoters of the program claim that the database will allow for medical advances, and that sales of the data to private companies will be necessary as the NHS is privatized.  Opponents list a variety of potential problems with the database, the contents of which will be available for sale to pharmaceutical and insurance companies.  Uncertainty regarding who will have access to the data is a big concern.  According to Phil Booth, director of a patient privacy group, “One of people's commonest concerns about their medical records is that they'll be used for commercial purposes, or mean they are discriminated against by insurers or in the workplace.”  Still another worry is the fact that the £50 million plan will be illegal and will have to be terminated within a year or so if proposed EU laws are passed in the coming year.  A recent poll found only 17% of the public supports the database plan, with 65% opposing it.  The plan’s supporters are launching a publicity campaign to address the public’s concerns.

See full Telegraph (London) article at “NHS medical records database halted amid concerns”

42K records breached at Wisconsin health insurance group

Unity Health Plans Insurance Corporation, affiliated with the University of Wisconsin, discovered in December 2013 that an unencrypted external hard drive of medical records had disappeared.  The records contained patient names, dates of birth, dates of service, and names of prescription drugs.  Unity has notified the almost forty-two thousand individuals affected.  The Department of Health and Human Services Office of Civil Rights has been notified of over 80,000 breaches since reporting began in 2003.

See Healthcare IT News article at “42K get HIPAA breach letters”