In the news: EHR incentives; the rising threat of medical identity theft

  • In a letter to Dr. Blumenthal, the Medical Group Management Association (MGMA) urged the ONC to define "meaningful use" in a practical and achievable way.  Otherwise, many providers could fail to qualify for the HITECH Act's incentives.  The MGMA is recommending, inter alia, instituting a pilot test prior to the start of the program and before each new phase of the program; including only criteria for meaningful use that have widespread industry use or have been tested; permitting physicians to test their reporting systems prior to their “go-live” date; permitting flexibility in achieving meaningful use and avoiding a “pass/fail” approach; developing a simple process for physicians to attest that they have achieved meaningful use; simplifying the data-reporting process and ensuring that the government is ready to accept the data; closely monitoring the industry to ensure that the program logistics operate appropriately; and ensuring government oversight of the vendor community for its ability to produce high-quality and reasonably priced software.

  • A former Johns Hopkins hospital employee, Michelle Johnson, was sentenced to 18 months in prison and ordered to pay $200,000 in restitution for stealing patient information.  According to the Associated Press, Ms. Johnson, formerly a patient services coordinator, "provided a conspirator with names, Social Security numbers and other identifying information of more than 100 current and former patients of Johns Hopkins. That information was used to apply for credit. Johnson kept some of the fraudulently ordered merchandise for herself, including a computer monitor, a cordless phone, and clothes for herself and her children."



Identity thieves target victims of accidents at a medical center in Nevada

This article serves as a great reminder about the importance of safeguarding your patients' data, both from thieves outside and, unfortunately, from within the organization.  Via Las Vegas Sun:

Private information about accident victims treated at University Medical Center has apparently been leaking for months, the Sun has learned, allegedly so ambulance-chasing attorneys could mine for clients.

Sources say someone at UMC is selling a compilation of the hospital’s daily registration forms for accident patients. This is confidential information — including names, birth dates, Social Security numbers and injuries — that could also be used for identity theft.

Hospital officials knew of rumors of the leaks since the summer, but doubted them until provided evidence Thursday by the Sun. Now they’re scrambling to catch up to a crisis that may affect hundreds, if not thousands, of patients.

The full article is available here.

"UMC has patient privacy leak," Las Vegas Sun (November 20, 2009).

Health Net data breach affects 450,000 people

Health insurance provider Health Net reported the loss of a portable disk drive, which occurred six months ago.  The disk drive contained compressed, though not encrypted, data, including Social Security and bank account information, on nearly half a million people.

Connecticut Attorney General Richard Blumenthal was "outraged" the company waited this long to go public about this major data breach:

Health Net’s incomprehensible foot-dragging demonstrates shocking disregard for patients’ financial security, as well as loss of their highly sensitive and confidential personal health information <...> Personal information is like cash and should be guarded with equal care. Casual and cavalier attitudes toward data protection and breaches are intolerable and must stop.

This case provides yet another reminder of the importance of encrypting the sensitive and protected data in your possession, including PHI.


New York Times: New study shows little improvement for EMR users

The New York Times reported on a new study led by Dr. Ashish Jha of the Harvard School of Public Health and Catherine M. DesRoches of Massachusetts General Hospital which found only marginal benefits to hospitals using electronic health records in terms of reducing costs and improving the quality of care.

The new study placed hospitals into three groups: those with full-featured electronic health records, those with more basic ones, and those without computerized records. It then looked at their performance on federally approved quality measures in the care of conditions like congestive heart failure and pneumonia, and in surgical infection prevention.

In the heart failure category, for example, the hospitals with advanced electronic records met best-practice standards 87.8 percent of the time; those with basic computer records, 86.7 percent; and those without, 85.9 percent. The differences in other categories were similarly slender.

Reducing the length of hospital stays, according to many experts, should be a big money-saving payoff from electronic health records — as better care aided by technology translates into less time spent in hospitals. For hospitals with full-featured digital records, the average length of stay was 5.5 days; for those with basic computer records, 5.7 days; and those without, 5.7 days.

The upside, if any? Dr. Karen Bell, a former HHS official, was not surprised by the findings and hopes that the real benefits will be achieved after use of EMRs is much more widespread:

“There will be no clear answers on the overall payoff from the wider use of electronic health records until we get further along, five years or more,” said Dr. Bell, [now a] senior vice president for health information technology services at Masspro, a nonprofit group. “But that doesn’t mean we shouldn’t go forward.”

"Little Benefit Seen, So Far, in Electronic Patient Records," New York Times (November 16, 2009).


Timely advice: Begin preparations for "meaningful use" now

Our collaborator and friend James Oakes, a Principal at Health Care Information Consultants, LLC in Baltimore, Md., authored a wise and timely call for action for healthcare providers hoping to capitalize on the incentive payments for meaningful use of certified EHR technology included in the HITECH Act. 

The article, appearing in BNA's Health IT Law & Industry Report, argues that even though the HHS has yet to produce final regulations defining such key HITECH Act terms as "meaningful use" and "certified EHR technology," healthcare providers should not wait any longer to begin planning for the transition from paper to digital records, or the likely required updates to existing EHR systems:

Given the uncertainty surrounding these issues, a number of providers have elected to delay any action towards selecting and implementing an electronic health record (EHR) for their institution until answers are made available, reasoning that they want to know as much as possible before committing to a direction. However, providers who take this path may put themselves at risk for forfeiting eligibility for ARRA funds at all, given the time to execute and implement systems.



Study: US lags behind other nations in HIT use

A study conducted by the Commonwealth Fund, published in this month's issue of Health Affairs, found that physicians in the United States significantly lag behind their colleagues in Western Europe, Australia and New Zealand in several categories, including rates of adoption of electronic medical records.  This study of more than 10,000 primary care physicians in 11 countries found that only 46% of U.S. doctors use electronic medical records, compared with almost universal EMR use among doctors in Australia (95%), Italy (94%), the Netherlands (99%), New Zealand (97%), Norway (97%), Sweden (94%), and the United Kingdom (96%).  Among other HIT-related findings, the study concluded that:

<...> among the seven countries with near-universal EMRs, the majority of physicians reported electronic access to lab results, yet fewer than half of Dutch, Norwegian, and U.K. doctors can order tests electronically. Across countries, most doctors with EMRs reported electronic clinical notes, routine electronic prescribing, and computerized alerts about potential problems with drug doses or interactions (except in Norway). Answers varied for other functions.

Decision support appears generally less well developed. Computerized reminders for treatment guidelines, tracking laboratory tests, and prompts to provide patients with test results were the least frequently reported, including in countries with multifunctional capacity. Notably, the seven countries with near-universal EMRs have succeeded in spreading multifunctional capacity to smaller as well as larger practices. Their national policies and standards have supported spread of multifunctional capacity. In contrast, U.S. multifunctional capacity remains concentrated in larger practices. Half of U.S. practices with high-function capacity were associated with integrated care systems such as Kaiser.


HHS releases interim final regulations on HIPAA enforcement changes

Pursuant to the HITECH Act, the Department of Health and Human Services (HHS) released interim final regulations updating enforcement rules for violations of HIPAA.  As reported in Healthcare IT News:

Prior to the HITECH Act, the penalty could be no more than $100 for each violation or $25,000 for all identical violations of the same provision.

A healthcare provider, health plan or clearinghouse could also bar the secretary's imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules.

Section 13410(d) of the HITECH Act strengthened the enforcement by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.

The interim final rule with request for comments, published last week, conforms the HIPAA enforcement regulations to the revisions made by the HITECH Act. This rule will become effective on Nov. 30. HHS will consider all comments received by Dec. 29.

You can find the full text of the rule here.

"HIPAA violators could face fines up to $1.5M," Healthcare IT News (November 2, 2009).

FTC delays enforcement of the Red Flags Rule till June 2010

In a fairly predictable move, the Federal Trade Commission delayed enforcement of the Red Flags Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC.  According to the FTC press release, the Commission decided to extend the enforcement deadline at the request of members of the U.S. Congress.

However, in the press release, the FTC reminded us about the progress its staff has made in the last year in providing businesses subject to the Red Flags Rule with sufficient guidance and materials:

The Commission staff has continued to provide guidance to entities within its jurisdiction, both through materials posted on the dedicated Red Flags Rule Web site, and in speeches and participation in seminars, conferences and other training events to numerous groups. The Commission also published a compliance guide for business, and created a template that enables low risk entities to create an identity theft program with an easy-to-use online form. FTC staff has published numerous general and industry-specific articles, released a video explaining the Rule, and continues to respond to inquiries from the public. To assist further with compliance, FTC staff has worked with a number of trade associations that have chosen to develop model policies or specialized guidance for their members.

You can find the full text of the press release here.

"FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule," FTC Press Release (October 30, 2009).