HHS begins enforcement of breach notification requirements

As of February 22, 2010, HHS is expected to begin enforcing the new breach notification requirements created by the privacy and security provisions within the HITECH Act. Although such requirements went into effect last fall, HHS gave covered entities and business associates a few months to adapt to the new rules. That enforcement delay is now over, and, perhaps in a related move, on February 23, 2010, HHS’s Office of Civil Rights, pursuant to the HITECH Act, posted a list of organizations which reported breaches of unsecured protected health information affecting 500 or more individuals on OCR’s web site. This should serve as a good reminder to providers and HIT vendors alike to be keenly aware of the new regulations on breach notification.

The HITECH Act required a covered entity that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information” to notify each individual “whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed” due to the breach.  Business associates who discover a breach must notify the covered entity.

By regulation published in the Federal Register on August 24, 2009, HHS added a rather controversial  “harm threshold” to this requirement:  covered entities and business associates are required to notify the affected individual, the HHS, and, in some cases, the media, if such breach poses a significant risk of harm to the individual.  This “harm threshold” essentially requires the organization which discovers a breach to undergo a risk assessment test to determine whether a breach would cause “significant harm” to the affected person.

The HITECH Act defines “breach” as “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” The Act includes two important (albeit vague) exceptions to this definition for cases in which: (1) “the unauthorized acquisition, access, or use of PHI is unintentional and made by an employee or individual acting under authority of a covered entity or business associate if such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship with the covered entity or business associate, and such information is not further acquired, accessed, used, or disclosed”; or (2) “where an inadvertent disclosure occurs by an individual who is authorized to access PHI at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility, as long as the PHI is not further acquired, accessed, used, or disclosed without authorization.

The HITECH Act imposes a similar notification requirement on a business associate “that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured” PHI. In the event of a breach, the business associate shall provide notice to the covered entity, including “the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach.”

The term “unsecured protected health information” refers to PHI that is not secured through the use of a “technology or methodology” specified by the Secretary in a “Guidance” issued as part of the breach notification regulation in the Federal Register on August 24, 2009 (see link above). The Guidance, which is to be updated annually, specifies two basic ways of rendering PHI “secure”: encryption and destruction. Electronic PHI must be properly encrypted “by ‘the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key’ and such confidential process or key that might enable decryption has not been breached.” The Guidance provided an exhaustive list of technologies which would encrypt PHI, referencing “approved” processes and methods from the National Institute of Standards and Technology (NIST). PHI may be properly destroyed if the hard copy media (e.g., paper, tapes) on which the PHI is stored is shredded or destroyed in such a way “that the PHI cannot be read or otherwise cannot be reconstructed;” electronic media containing PHI “must be cleared, purged, or destroyed consistent with NIST [Guidelines] such that the PHI cannot be retrieved.”

Securing PHI in accordance with this Guidance will be the safest way to protect a healthcare organization from a serious breach of patient data privacy. Organizations that suffer a breach involving disclosed, stolen or lost data that was not “secured” may be subject to a wide range of newly established breach notification requirements.  It is important to note, however, that for both covered entities and business associates, the breach shall be deemed to have been discovered on the first day on which it is “known to such entity or associate.” The term “known” means that the circumstances of the breach are known by any “employee, officer, or other agent of such entity or associate,” other than the person who committed the breach. Furthermore, all notifications (by both covered entities and business associates) must be made “without unreasonable delay,” which, in Congressional time, means no later than 60 calendar days after discovery of the breach. The entity making the notification has the burden of demonstrating that all required notifications were made, as well as explaining the necessity of any delay.

There is a lot more information that covered entities and business associates must know about the new rules, including, for example, requirements regarding the content of breach notices.  For more information on these matters, please do not hesitate to contact us.

Posted in ARRA, Higher Ed, HIPAA, HITECH Act, News, Privacy & Security

Sebelius announces $28M in grants for EHR implementation

HHS Secretary Kathleen Sebelius announced almost $28 million in grants for more than twenty health centers to implement or improve their electronic health records technology.  This funding is allotted from the $2 billion set aside for Health Resources and Services Administration (HRSA) health centers in the ARRA.  HRSA health centers provide medical services for the uninsured and low-income individuals.

According to the HHS press release:

Eighteen grants totaling more than $22.6 million will support EHR implementation. Grants totaling more than $2.6 million will help four grantees implement a variety of HIT innovations, including the creation of health information exchanges among different providers and the incorporation of HIT at dental delivery sites. Another five grants totaling over $2.5 million will help health centers devise plans to use existing EHRs to improve patient health outcomes.

HRSA received $2 billion through the Recovery Act to expand health care services to low-income and uninsured individuals through its health center program. To date, more than $1.3 billion of these funds have been awarded to community-based organizations across the country. HRSA-supported health centers treated 17 million patients in 2008, 40 percent of whom have no health insurance.

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Breach at Pacific Northwest insurance company impacts 11 million customers

Seattle-based Premera Blue Cross announced that it recently discovered it had been hacked in May 2014. The Premera hack accessed a full range of customer information including medical data. The insurer, which is working with the FBI in the investigation, is offering free credit monitoring and identity theft protection services to those affected.

See Washington Post article at “Cyberattack at health insurer exposed data on 11 million customers — including medical information”

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Sophisticated one-time hacking scam costs target $289K; useful lessons for health industry

The details of a recent hacking scam, while not in the healthcare industry, may contain useful pointers for healthcare nonetheless. A San Diego area attorney clicked a link in a legitimate-looking email which released a virus into his computer which recorded his keystrokes. As the hackers could now follow the attorney’s activities from moment to moment, they waited until he attempted to access his firm’s bank account online. The hackers then initiated a telephone call to him, purporting to be from the bank. The ersatz bank employee noted that the bank saw he was attempting to access his account and having trouble logging in. As this was, of course, the case, thanks to the hackers’ behind-the-scenes work in his computer, the attorney saw no reason to doubt the caller, and followed the caller’s instructions to “fix the problem.” When the smoke cleared, $289,000 had been wired out of his firm’s bank account. While the bank is refusing to cover the loss, observers note that the level of sophistication of such multi-part scams is making it increasingly difficult for targets to identify what is happening in time to avert harm.

See ABA Journal (American Bar Association) article at “Lawyer who clicked on attachment loses $289K in hacker scam”

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

80 million patient records breached in Anthem hack

Health insurance giant Anthem reports that it has been the target of a cyberattack exposing tens of millions of customer records. Anthem, until very recently known as WellPoint, the largest of the Blue Cross Blue Shield for-profit managed health care companies, is based in Indianapolis, and operates in New York and California as well as in twelve other states. Anthem states that while neither credit card nor medical information was stolen, the information the hackers did make off with is significant and includes names, dates of birth, social security numbers, employer names, and income data. This latest data breach is the largest to date in the healthcare industry, 20 times the size of the most significant previous breach. Anthem has hired cybersecurity firm Mandiant to assist it in determining exactly what happened and how to improve security for the future. Anthem will be offering services for credit monitoring and identity protection free of charge to affected customers.

See Modern Healthcare article at “Hackers breach Anthem; 80M exposed”

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Meaningful use program Stage 3 inches nearer to approval

The draft regulatory language of Stage 3 of the meaningful use program, scheduled to start in 2017, has been submitted for review to the Office of Information and Regulatory Affairs in the Office of Management and Budget. The rules, submitted to the OMB by the Office of the National Coordinator for Health Information Technology, may reflect some of the discussions that have been taking place in the healthcare industry regarding lessons learned from the program’s roll-out so far.

See Modern Healthcare article at “EHR Stage 3 proposals go to OMB, hint at changes”

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Connecticut Supreme Court: plaintiffs can sue for HIPAA violations

It has been a commonly held belief that a patient cannot sue under HIPAA for a breach of confidential health information as HIPAA provides no private cause of action. The patient’s only recourse has been to report the violation to the relevant federal agency responsible for enforcing the law, in this case the Department of Health and Human Services.

Recently, however, the Connecticut Supreme Court overturned a lower court’s decision that HIPAA precludes plaintiffs’ individual liability claims relating to violations of health information confidentiality. In Byrne v. Avery Center for Obstetrics and Gynecology, in which the clinic released PHI in response to a subpoena, the higher court ruled that “If Connecticut’s common law recognizes claims arising from a health care provider’s alleged breach of its duty of confidentiality in the course of complying with a subpoena, HIPAA and its implementing regulations do not preempt such claims.”

The Connecticut court’s ruling follows similar rulings in Tennessee and Delaware in recent years. The Connecticut ruling went on to say “We further conclude that, to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.”

Healthcare providers are, of course, paying close attention to these court rulings. But these rulings are sending shock waves through other industries as well whose privacy and data security is similarly governed by federal laws that do not provide a private cause of action. These laws include FERPA and COPPA — which protect the privacy of students and children, GLBA – the Gramm-Leach-Bliley Act – which governs financial institutions, and the wide-reaching FTC Act – the Federal Trade Commission Act.

See Clinical Psychiatry News article at “Court: Patients can sue over HIPAA breaches”

Posted in ARRA, Higher Ed, HIPAA, HITECH Act, News, Privacy & Security

A plus in the operating room, EHRs can cause trouble for providers in the courtroom

Electronic health records have been touted as having – and have proven to have – many benefits for healthcare organizations in terms of cost savings and efficacy of medical treatment. They are not, however, unalloyedly beneficial in the courtroom. As might be expected, the most important evidence in malpractice cases is medical records and now that they are digitized these records tend to be in EHR form. According to defense attorneys, electronic medical records come with their own set of problems for the provider facing a malpractice lawsuit. One striking issue is the “autofill” feature in EHR templates which automatically populates fields with data that may not be pertinent to the situation at hand. Other issues include technical glitches, as well as users not using the software correctly.

See Business Insurance article at “Malpractice suits often tap electronic medical records”

Posted in ARRA, HITECH Act

AHIMA issues health info management recommendations

The American Health Information Management Association (AHIMA) recently released a set of guidelines regarding data governance of what it calls “information assets.”  AHIMA asserts that the healthcare industry must manage the huge amounts of data it works with in an intentional, standardized manner across the industry.  According to AHIMA, “information governance” is “…an organization-wide framework for managing information throughout its lifecycle and supporting the organization’s strategy, operations, regulatory, legal, risk, and environmental requirements.”  Prioritizing accuracy, timeliness and accessibility, AHIMA’s approach rests on eight principles:  accountability, transparency, integrity, protection, compliance, availability, retention, and disposition.

See Modern Healthcare article at “AHIMA releases principles for new area: information governance,” and the 21-page AHIMA document at “Information Governance Principles for Healthcare”

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

California courts: Sutter Health not liable in $4.25 billion data breach case

In a development sure to draw attention, the California Supreme Court last week upheld a lower court’s dismissal of the $4.25 billion case against Sutter Health arising from an October 2011 data breach.  A password-protected computer full of unencrypted data, stolen from one of Sutter Health’s Sacramento locations, contained records for 4.24 million patients.  In July 2014, thirteen coordinated lawsuits in the case were dismissed by an appeals court.  According to the appeals court, the case was dismissed because there is no evidence the stolen data has been used.

See Sacramento Business Journal (California) article at “California Supreme Court declines to review Sutter data-breach case”

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Human-computer interactions: what happened during September’s Texas Ebola misdiagnosis?

A new report on what went wrong in the processing of the late Thomas Eric Duncan upon his first visit to the emergency room proposes that a combination of human and computer errors was responsible. A team of medical informaticists reviewed events leading up to the misdiagnosis, reporting their findings in “Ebola U.S. Patient Zero: Lessons on Misdiagnosis and Effective Use of Electronic Health Records.” The report, published October 23 in the online journal Diagnosis, suggests that certain EHR usability issues can contribute to medical errors. One concern of the researchers is that EHRs are designed to try to “routinize” processing of patient information in a way that may blinder providers when faced with an out-of-the-ordinary situation.

See Modern Healthcare article at “Botched U.S. Ebola diagnosis points to computer, human errors” and Information Week article at “Ebola Misdiagnosis: Experts Examine EHR Lessons”

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Medical info now 10 times more valuable than financial data on the black market

Credit card numbers have dropped precipitously in value in recent years as PHI replaces it on the underground market. Why? Cyber criminals use the PHI to engage in medical fraud which, because of its complexity, may continue undetected for years. Theft and misuse of credit cards, on the other hand, is usually detected almost immediately and the cards canceled. In addition, in part because the financial industry has had many more years to develop sturdy safeguards against data theft, healthcare industry data is relatively easier for thieves to access.

See Reuters article at “Your medical record is worth more to hackers than your credit card”

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

FDA issues final guidance to medical device makers on cybersecurity

In its final guidance issued last week, the Food and Drug Administration is requesting that device makers assess what information hackers might target in connection with their devices, how hackers might attempt to access the information, and how device makers intend to address these issues both before and after putting their products on the market. In addition, FDA is requesting that device makers report in to the agency on a continuing basis regarding cybersecurity incidents that arise after product approval.

Medical devices currently on the market are considered to be relatively easy to hack, according to cybersecurity experts. Cybersecurity and device usability, unfortunately, tend to exist in inverse relation so the challenge for device makers is to find a workable balance between the two.

See Modern Healthcare article at “FDA seeks cybersecurity assessments from medical-device makers,” the FDA press release, and the final guidance entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” online and in pdf form.

Posted in ARRA, HITECH Act

Techies invade HIT market: is their unfamiliarity with healthcare industry obstacle or advantage?

Until recently, healthcare software has been developed by IT professionals grounded in the healthcare industry. The latest arrivals to HIT development come from a range of non-healthcare industries. The vendor of one new product currently on the HIT market last developed software related to automobile sales, while another previously developed public relations software that helps customers manage their online image. Some observers worry that the newcomers’ disconnect from the healthcare arena threatens the success of products they may develop, but others say this freedom from preconceptions may lead to bold and successful innovation.

See Modern Healthcare article at “IT entrepreneurs rush into healthcare, but will human touch be missing?”

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Billions at risk as providers face Stage 2 hurdle

An impressive number of healthcare providers met Stage 1 requirements and qualified for EHR payments in 2011 and 2012 – some 170,000. Of these providers, who are therefore eligible to continue in the EHR incentive program, only about 4% appear to be on track to meet Stage 2 requirements. With the December 2014 deadline looming, providers are in danger of losing billions according to data recently released by the Centers for Medicare & Medicaid Services (CMS).

See Modern Healthcare article at “Number of providers facing Stage 2 EHR hurdle puts billions at stake”

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

ONC’s EHR security provisions inadequate says OIG

Healthcare providers cannot attest to meaningful use unless they use certified EHR software. Providers purchasing certified EHR software tend to assume that a certified EHR has been rigorously tested and can be counted on to ensure protection of patient data. This assumption may not be valid according to a report recently issued by the HHS’ Office of Inspector General.

The report publishes the results of an OIG audit of the ONC’s EHR Certification Program, focusing in particular on structures and procedures for ensuring data security in electronic health records. The audit primarily reviewed the temporary program the ONC employed prior to 2014. This earlier, temporary program was carried out by a group of five certification bodies (ACTBs) accredited by the American National Standards Institute and the National Voluntary Laboratory Accreditation Program and the OIG found some troubling flaws in it. For instance, the OIG discovered that while the program was supposed to perform periodic re-evaluations of EHRs after their initial certification, this did not consistently happen. This means that some EHRs, which had been, since their initial certification, modified in ways that rendered them no longer compliant, and in some cases seriously non-compliant, remained – and may still remain — on the lists of certified products.

The ONC disagreed with the OIG report. The ONC claimed that since the temporary program has been replaced with the permanent one, which employs the 2014 Edition EHR Certification Criteria, the OIG’s critiques are no longer relevant. The OIG therefore went back to determine if problems with the temporary program had been corrected in the permanent program and found that many have not been. Among other concerns the OIG brought to light, the audit found that an EHR may be certified under ONC’s 2014 Certification Criteria, as under the earlier temporary program, with passwords as short as a single character. The OIG found another significant issue that has persisted from the temporary program. If an EHR has been hacked so that it now functions as malware, the ONC certification program is, except in rare cases, not authorized to decertify the EHR, even temporarily, to prevent sales of the product. The OIG report contains a set of recommendations addressing these and other concerns.

See Modern Healthcare article at “OIG faults ONC’s electronic health record security provisions,” and a copy of the OIG report.

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

CMS issues final EHR meaningful-use rule – with some flexibility

The Centers for Medicare and Medicaid Services issued a final EHR meaningful-use rule last Friday, consistent with the proposal it published in May. The rule will grant healthcare providers more time and some flexibility in how they meet requirements for the EHR incentive program. One of the points on which the rule grants more leniency is that the MU third stage deadline for the first wave of adopters will change from January 1, 2016 to January 1, 2017. Another is that providers who need the time will have an additional year to use 2011 Edition EHR software before they must implement 2014 software.

See Modern Healthcare article at “CMS finalizes EHR meaningful-use rule, adds some flexibility”

Posted in ARRA, HIPAA, HITECH Act, News, Privacy & Security

New hope for resolving thorny sensitive PHI issues in health data exchanges

Uncertainty and disagreement regarding how to handle behavioral and other sensitive healthcare data such as HIV and reproductive health records has been a stumbling block for healthcare in various ways. Potential patients don’t seek help because of fear their records will be too widely released and the patients permanently harmed as a result. According to the Substance Abuse and Mental Health Services Administration (SAMHSA), one quarter of adults needing mental healthcare go without due to this fear, with that statistic rising to over 35% among young adults.

Meanwhile, healthcare providers want to provide more effective treatment by coordinating physical and behavioral care. To do this, sensitive PHI must be transferred from behavioral to physical care providers. However, behavioral healthcare and physical healthcare providers operate under different and sometimes mutually contradictory rules about how patient records may be handled and shared. Many providers have technology to handle only “less sensitive” healthcare records. Because the whole issue is in such a state of flux, little software exists so far to properly handle sensitive PHI. Even if the technology to handle sensitive data was easily available, purchasing additional software to handle such data is out of financial reach for many providers.

In the midst of all this, providers, vendors and federal agencies move forward in developing solutions. A new technological approach is to place patient-directed privacy controls on EHRs. The federal initiative promoting this type of technology is called DS4P — data segmentation for privacy. A pilot software system being tested by University of Michigan Health and an Ann Arbor behavioral health provider compares behavioral health record requests made by UMH against the list of patient consent forms which are stored in the system. If a patient consent form in the system matches the request, the information is released to UMH through a secure portal.
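The consent-matching step of the DS4P pilot described above, sketched as an added example in Python. This is not the University of Michigan Health pilot's code; the consent record fields (patient, recipient, data category, validity window, revocation flag), the identifiers and the category names are all assumptions made for the illustration. The gate denies by default: a request is released only when an unrevoked consent on file matches the patient, the requesting organisation and the data category, and is in force on the request date.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Consent:
    """One patient-directed consent form as stored in the exchange (assumed schema)."""
    patient_id: str
    recipient: str      # organisation the patient authorised to receive the data
    category: str       # sensitive-data category the consent covers
    valid_from: date
    valid_to: date
    revoked: bool = False


@dataclass(frozen=True)
class Request:
    """A record request from a physical-care provider (assumed schema)."""
    patient_id: str
    requester: str
    category: str
    requested_on: date


def matching_consent(consents: Iterable[Consent], req: Request) -> Optional[Consent]:
    """Return the consent that authorises `req`, or None.

    Deny by default: patient, recipient and category must all match exactly,
    the consent must not be revoked, and the request date must fall inside the
    consent's validity window. A consent for one category (say, substance use)
    never authorises release of another (say, mental health).
    """
    for c in consents:
        if c.revoked:
            continue
        if (c.patient_id, c.recipient, c.category) != (req.patient_id, req.requester, req.category):
            continue
        if not (c.valid_from <= req.requested_on <= c.valid_to):
            continue
        return c
    return None


def decide(consents: Iterable[Consent], req: Request) -> Tuple[bool, str]:
    """Return (release?, reason). The reason is what goes in the audit log;
    it names the consent relied on, never the record contents."""
    c = matching_consent(consents, req)
    if c is None:
        return False, "denied: no in-force consent for this patient, recipient and category"
    return True, f"released under consent valid {c.valid_from.isoformat()} to {c.valid_to.isoformat()}"


# Constructed sample consents; patient identifiers are made up for the example.
CONSENTS = [
    Consent("pt-001", "UMH", "behavioral", date(2014, 1, 1), date(2014, 12, 31)),
    Consent("pt-001", "UMH", "substance_use", date(2014, 1, 1), date(2014, 12, 31), revoked=True),
    Consent("pt-002", "UMH", "behavioral", date(2013, 1, 1), date(2013, 12, 31)),
]


def check_release(patient_id: str, requester: str, category: str, on: str) -> Tuple[bool, str]:
    """Evaluate one request against the sample consents; `on` is an ISO date."""
    req = Request(patient_id, requester, category, date.fromisoformat(on))
    return decide(CONSENTS, req)


if __name__ == "__main__":
    # Matching consent, revoked consent, wrong recipient, expired consent.
    for args in [("pt-001", "UMH", "behavioral", "2014-08-20"),
                 ("pt-001", "UMH", "substance_use", "2014-08-20"),
                 ("pt-001", "OtherClinic", "behavioral", "2014-08-20"),
                 ("pt-002", "UMH", "behavioral", "2014-08-20")]:
        print(args, "->", check_release(*args))
```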

See Modern Healthcare article at “Tech fixes ease sharing of sensitive patient data”

Posted in ARRA, Higher Ed, HIPAA, HITECH Act, News, Privacy & Security

Steve Fox moderates panel in Boston on best practices for working with vendors

Steve Fox, Information Technology Practice Chair and Data Protection/Breach Co-Chair at Post & Schell, will speak as well as moderate a panel discussion on “Dealing with Vendors: Best Practices for Contracting and 3rd Party Compliance” in early September 2014 at the Privacy and Security Forum in Boston.

Via Health Privacy Forum:

As outsourcing continues to gain steam in healthcare, security and privacy officers must be more vigilant than ever that cloud vendors and other business associates who handle PHI comply with HIPAA and make privacy and security a high priority. Your relationship with your vendors begins with a well-negotiated contract, which is vital to protecting your interests and limiting potential liability in the event of a breach, but it’s only half the battle.

Just because you have a contract in place doesn’t mean you can be hands off about privacy and security issues.
In this session, Steven J. Fox, a leading healthcare IT attorney, outlines some of the key terms and conditions that make up the contractual foundation that covered entities need when working with HIT vendors and other business associates. He’ll also cover:
* What due diligence should be performed prior to starting contract negotiations?
* How vendors should share information about privacy & security breaches with your organization?
* How often (if at all) should you audit or monitor a vendor’s privacy & security performance?
* How to make sure a vendor returns, destroys, or appropriately safeguards your data at the end of the business relationship?
Fox will also moderate a panel discussion and examine what providers should expect from their vendor partners when it comes to protecting PHI and what vendors can realistically deliver.

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Risks of EHRs accessible only via internet: a cloud downside

The cloud, popular because businesses can pay a monthly fee for computer-related services instead of paying for costly in-house hardware and the staff to manage it, has its drawbacks. One of these became painfully evident for two days in mid-August. While the fact has received surprisingly little news coverage, the internet experienced intermittent periods of brownout worldwide on Tuesday and Wednesday, August 12 and 13. This was understandably alarming to healthcare providers who were unable to access patient records during these periods. Not all EHR cloud storage providers were affected, and those that were, were able to resolve the problem by the end of Wednesday.

For cloud EHR storage vendors that invest in what are known as “system redundancies,” backup systems activated if primary systems become unavailable, business continued as usual during this period. Smaller healthcare practices in particular, tending to have smaller budgets to spend on their EHR systems, often choose more affordable EHR programs from vendors with less robust system redundancies in place.

According to the Wall Street Journal, global internet traffic has grown too voluminous for the global routing system currently in place. While engineers are working to upgrade the routing system, progress on this project is not keeping up with demand and periodic brownouts are likely to continue to occur. Healthcare providers can protect themselves against the effects of future brownouts in various ways including investing in hybrid EHR storage systems, and including uptime guarantee clauses in their vendor contracts.

For more information see:
“Internet Outage Left Doctors Without Records For Hours – Huffington Post – internet – Google News,” News Journal Online (August 19, 2014)
“Internet Brownout Exposes Risk of Cloud-Based EHRs,” Medscape (August 22, 2014)
“The 512K ‘Crisis’ Makes Its Mark: Network Engineers Were Left Scrambling to Keep Web Customers Connected,” Wall Street Journal (August 18, 2014)

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Patent trolls: new developments at federal and state level

While the healthcare industry has become well-acquainted with patent trolls, they are not the only industry that has been hit. According to a Boston University study, American businesses paid $29 billion in 2011 alone to patent trolls in “licensing fees” in order to avoid litigation. In response to the expanding activities of patent trolls, more formally known as PAEs (patent assertion entities), efforts have been underway at the federal and state levels to develop mechanisms for protecting businesses. A patent reform bill which passed the House of Representatives 325-91 in December 2013, and had President Obama’s vocal support, was dropped by the Senate Judiciary Committee in May 2014 shortly before it would have come to a vote on the Senate floor. Observers say a new bill on the subject is unlikely to appear before 2015.

States are coming up with some creative ideas to address PAE activities. States are suing PAEs under existing state consumer protection laws, and are also passing new laws directed specifically at the activities of PAEs. Some of the new laws include fee-shifting measures: a PAE must post a bond covering the legal fees the target of its lawsuit would incur, so that the target’s legal fees can be paid from the bond if the PAE’s suit fails. Bad faith demand letters tend to share common traits, including being so vague about the recipient’s alleged unlawful behavior (in the case of PAE demand letters, patent infringement) that the recipient is unable to determine the validity of the accusation. Measures in some of the new state laws address these letters specifically by legislating how demand letters must be written to be legal, and/or by requiring PAEs to submit their demand letters to the state for approval before they may send them out.

Despite the states’ energy around this issue, they are hampered in their efforts by a century-old Supreme Court decision. In 1912 the Supreme Court ruled that for the most part cases pertaining to patent law fall under the jurisdiction of federal courts. The case currently in the limelight testing how restrictive the 1912 decision will be for the states is Vermont v. MPHJ. MPHJ asserts that, pursuant to the 1912 Supreme Court decision, the Vermont state court system in which Vermont filed its lawsuit against MPHJ has no jurisdiction. The question has gone before the federal courts twice so far in this case. In April 2014, Judge William K. Sessions III of the U.S. District Court for the District of Vermont noted that what the 1912 Supreme Court ruling actually says is that “Federal courts have exclusive jurisdiction of all cases arising under the patent laws, but not of all questions in which a patent may be the subject-matter of the controversy.” According to Judge Sessions, the Vermont case is about bad faith demand letters rather than about patent issues, and therefore, the state court does have jurisdiction. In August 2014, the U.S. Appellate Court for the Federal Circuit dismissed MPHJ’s appeal, remanding the case back to state court. According to observers, MPHJ is likely to file another jurisdictional appeal.

See additional information at:
“Patent-troll fight ends in retreat,” Burlington Free Press (July 7, 2014)
“Patent troll case referred back to Vermont courts,” Brattleboro Reformer (August 15, 2014)
“States go after patent trolls – how far can they go?” ABA Landslide Magazine (July/August 2014)

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

ICD-10 delay reopens door to broader discussion among providers: is ICD-10 even the right way to go?

The postponement of the deadline for healthcare providers to implement ICD-10 (International Statistical Classification of Diseases and Related Health Problems) would seem to help ensure that the transition to the new coding system will unfold successfully. However, it is also now allowing time for further discussion in the medical community about whether ICD-10 is the right choice at all. As Meaningful Use Stage 2 requires adoption of the many times more complex SNOMED (Systematized Nomenclature of Medicine), some practitioners suggest that the community should skip ICD-10 altogether. Pointing out that ICD-10 is already 25 years old, they suggest the industry’s time would be better spent transitioning to SNOMED, completing ICD-11, and then implementing that once finished. Others suggest that using two separate, parallel coding systems doesn’t make sense and that one or the other should be chosen and implemented. Of these, some feel the industry should use SNOMED only, claiming that the ICD coding system is geared so specifically toward facilitating reimbursement that it doesn’t support providers in delivering care.

See Modern Healthcare article at “ICD-10: Is it for clinicians or reimbursement?”

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Senate committee concerned by EHR interoperability issues

Members of the Senate Appropriations Committee have become concerned that different brands of electronic health records software, paid for with tax dollars, are incompatible with one another thereby preventing healthcare organizations from sharing data. A recent Rand Corporation report highlighted this issue and noted that some software is engineered to block sharing of data. The Senate committee is requesting an investigation into the issue, and in the meantime has drafted a bill asking that the ONC “…decertify products that proactively block the sharing of information….”

See Information Week article at “Senate Committee Seeks EHR Interoperability Investigation” and “Draft Departments of Labor, Health and Human Services, and Education, and Related Agencies Appropriation Bill, 2015” (PDF)

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Attorney Steve Fox speaks on “Hidden Risks of Cloud Computing” at American Hospital Association conference

Healthcare IT attorney Steve Fox spoke on risks of cloud computing at the AHA’s Leadership Summit held in San Diego this year. According to attorney Fox, the data which the health care industry handles is growing exponentially, a trend driven in large part by the increasing use of mobile devices. In his talk he explained that health care providers are adopting cloud and mobile technology for their affordability and convenience, but may be unaware of hidden costs in these new options. Fox asserts that cloud computing presents new challenges for health care organizations in terms of securing the applications and data. Issues with vendors may arise over service levels, security of information, ownership of information that is remotely hosted by a third party and use of hosted data by the vendor. In his presentation Fox provided advice on how to avoid some of the more important pitfalls with cloud computing. He said that technology may provide greater efficiencies, but it must be used responsibly and that patient information which passes through the technology must be responsibly handled as well.

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Congressional letter requests CMS waive EHR requirements for Medicare labs

Eighty-nine members of the U.S. House of Representatives signed a letter to the Centers for Medicare and Medicaid Services requesting that Medicare laboratories be exempt from EHR requirements. CMS had already postponed the deadline for laboratory pathologists to comply with the requirements by a year. The lawmakers, however, assert that EHR systems are unnecessary for diagnostic labs, and are too financially burdensome. They are asking that the requirement be postponed until at least 2020, if not waived permanently.

See The Hill article at “Lawmakers look to exempt Medicare labs from e-health records”

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

FDA lags behind in regulating torrent of new mobile health apps

So far the FDA has reviewed a total of approximately one hundred mobile health apps since these apps started becoming available – and yet hundreds of new health apps appear on the market every month. As reported in our previous blog entries (see April 2014, and September and October 2013), the FDA is regulating health information technology with as light a touch as possible, in line with the FDASIA Health IT Report draft released in April 2014. This means that for now the FDA regulates only applications that fall under its “medical device software” definition – that is software intended for medical devices, or software that transforms a smartphone into a medical device. All other health-related software is considered lower risk or no risk and is currently not subject to pre-market regulation. Industry observers are, however, concerned that the sheer volume of new health apps coming to market is so great that the FDA may not be in a position to monitor much less regulate the new products adequately. Many apps, currently exempt from pre-market regulation, actually fall into a category between the low risk and higher risk definitions and may not be receiving sufficient oversight, observers worry. Lawmakers have called for Congress to establish a department within the FDA to focus specifically on mobile applications.

See PBS Newshour article at “FDA regulation can’t keep pace with new mobile health apps”

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

New report: EHRs not immune to technical, human error; rigorous monitoring essential

A report just published in the Journal of the American Medical Informatics Association asserts that EHRs, even setting aside the fact that they are still relatively new, are not exempt from the glitches to which all software is prone.  Researchers evaluated data from the Veterans Health Administration, which oversees a non-punitive, voluntary reporting program to encourage employees to report EHR-related safety incidents.  The researchers focused on a set of almost 350 patient safety incidents that occurred between 2009 and 2013.  The research team found that errors occurred because of both technical problems and problems with how employees interpreted or used the technology.  Technical problems most frequently related to how information is displayed, to software modifications and upgrades, and to transfer of data between different parts of the EHR system.

The researchers advise healthcare providers to implement robust programs to track and evaluate technical and human errors that occur in the context of EHR use.  They suggest that providers incorporate the concepts set forth in the SAFER Guides issued in January 2014 by the ONC in setting up their monitoring systems.

For more information see
Modern Healthcare article at “Complicated, confusing EHRs pose serious patient safety threats”
Journal of the American Medical Informatics Association report at “An analysis of electronic health record-related patient safety concerns,” also available in pdf form
the SAFER Guides

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

PHI at risk in debt collection lawsuits involving medical services

Healthcare providers spend millions of dollars to comply with HIPAA in order to keep patients’ medical information private, and yet some of this same information is publicly available on the internet in court records of medical debt lawsuits.

Maybe it’s time to consider expanding HIPAA protections to routine debt collection lawsuits where patients’ protected health information is currently available to anyone with an internet connection.

See Modern Healthcare article at “Online records pose privacy risks in medical-debt lawsuits”

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

ONC plans more flexible approach for future EHR quality monitoring and improvement

Dr. Jacob Reider, deputy national coordinator and chief medical officer for the ONC, told attendees at the Physician-Computer Connection Symposium this week that the ONC is looking to change how it uses clinical quality measures as meaningful-use criteria.  While the ONC’s approach in the past has been to evaluate providers against a fixed list of requirements – for instance, a checklist of 816 items used for the meaningful use program – it is seeking a more ‘outside the box’ method for the future.  One option being considered is to inquire of providers what quality measurement programs they may already have in place independent of federal requirements and to give them credit for these.  Reider said the ONC hopes to improve the measurements it uses to monitor clinical quality nationwide by incorporating ideas developed by individual providers.  Reider noted that the agency is ultimately looking to change the focus of the discussion from simply improving EHR quality to improving quality of care.

See Modern Healthcare articles at “ONC looks to new, more flexible approach on EHR quality improvement” and “Feds to weight value in more flexible approach to quality measures”

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Stage 2-ready software delays prompt CMS to postpone Stage 2 deadline

While vendors were able to supply the software needed for healthcare providers to comply with Stage 1 of the EHR incentive program, they are experiencing delays in developing the software needed for Stage 2 meaningful use compliance.  In response to feedback from the healthcare community on this subject, the Centers for Medicare and Medicaid Services and the HHS’ Office of the National Coordinator for Health Information Technology propose postponing the Stage 2 implementation deadline by one year, so that it takes effect in 2015 instead of in 2014.

Via Modern Healthcare:

For the second time this year, the federal government is pushing back a major health information technology initiative, potentially giving early adopters of electronic health records an extra year to meet more stringent meaningful-use requirements.

The CMS and HHS’ Office of the National Coordinator for Health Information Technology issued a proposed rule last week that would give hospitals, office-based physicians and other professionals eligible for the EHR incentive program an additional year to use 2011 Edition software for their systems and continue to meet Stage 1 criteria for meaningful use of the technology.

The proposed rule means providers that entered the program in 2011 could have as many as four years using 2011 software at Stage 1 meaningful use.

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Emailing PHI: considerations for developing best practices

PHI breaches that make the headlines often result from computer thefts or hacking.  Another, less well-publicized vulnerability for PHI records, however, is in the realm of electronic mail, which is arguably not a particularly secure form of communication.  Over 100 billion emails were exchanged daily within the business community in 2013, and the number routinely exchanged within the healthcare industry is also enormous.  Institutions and entities that work with PHI can consider some of the following issues and questions regarding email and PHI, either on a case-by-case basis or in developing broader policies:

  • Email is not what it used to be:  with continuing changes in technology, communication methods that have up until now been considered separate from email may now also be considered email, including, for instance, telephone messages and faxes, which are now routinely delivered by email.
  • Is email the only or best way to transmit the PHI or is there another, more secure method?
  • Is disclosing the PHI really required in this instance, or is it possible to simply allude to the information within the PHI more generally?
  • The contracts governing interactions with business associates and other entities may themselves limit what and how communication occurs.
  • Is encryption appropriate, and if so what is the best method?

See full AHLA Connections article at “Tips and Tactics for Transmitting PHI by Email”

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Rural providers cope with HIT staffing deficits

If compliance with ONC regulations is challenging for healthcare providers in urban areas, with high concentrations of IT professionals, it is especially challenging for rural providers where IT resources in the form of human capital are scarce.  The federal government’s 2009 healthcare stimulus package, HITECH, provided funding for a national network of regional extension centers (RECs) designed to assist rural healthcare systems.  While the program is considered very effective, its funding will dry up in 2014.  Rural providers have devised a creative array of strategies to overcome their HIT staffing obstacles.

Via Modern Healthcare:

It took St. Claire Regional Medical Center, in the small town of Morehead in northeastern Kentucky, 2½ months to fill an open position on its computer help desk.

“We just don’t see that many people who are even close to being qualified willing to work for the amount of money we’re able to pay,” said Randy McCleese, vice president of information services and chief information officer of the 159-bed hospital. “That’s part of what we have to deal with in the rural environment.”

The need for qualified information technology professionals to work in hospital and clinic settings has increased enormously in recent years, given the expanded use of technology such as electronic health records. But more than two-thirds of the CIOs surveyed in 2012 by the College of Healthcare Information Management Executives reported shortages on their IT staff. That’s an especially big problem for providers in small towns and rural areas, who can’t necessarily afford to pay nationally competitive salaries and who can’t offer big-city attractions to lure candidates.

These IT staffing shortages create daily inefficiencies for small hospitals such as St. Claire Regional. New computers sit idle because there’s no one there to set them up. Software fixes don’t always get taken care of in a timely manner. “We really get into a backlog of the things that need to be done,” McCleese said.

To address these challenges in filling their IT staffing needs, small-town and rural providers are adopting a variety of strategies. Some are training current employees, such as nurses, in IT skills, some are partnering with other hospitals to share IT staff, and some are outsourcing IT work to consultants. Many worry that the end of federal funding for IT regional extension centers will cut off a valuable source of technology assistance.

While small-town and rural providers also have trouble filling clinical positions, McCleese, CHIME’s board chairman, estimates that a typical nurse opening at St. Claire Regional might generate 10 to 15 applicants, compared with the three he received for the recent help-desk position. “Comparatively speaking, we get a much smaller number for the IT positions,” he said.

McCleese faces competition for IT workers from providers based an hour away in the bigger cities of Lexington, Ky., and Huntington, W.Va. He estimates that his hospital pays salaries that are 25% to 30% lower than in those bigger towns.

National data confirm that disparity. The median annual salary for a medical records and health IT technician averaged across non-metro areas is $31,390, compared with $33,566 for metro areas, according to U.S. Bureau of Labor Statistics data.

Across the country, the need for HIT professionals has boomed. The BLS estimated that an additional 41,100 health information technicians will be needed between 2012 and 2022. The bureau also projected that employment for medical-records and health-information technicians will increase 22% by 2022, much higher than the expected 11% increase in overall employment.

The starting gun for the HIT employment boom—and the associated squeeze in smaller towns and rural areas—was the American Recovery and Reinvestment Act of 2009, which pushed many providers to adopt EHR systems by 2014 through $25 billion in payment incentives and grants for training programs.

“The demand (for HIT professionals) just exploded when the electronic record stuff took hold,” said Mark Sonneborn, vice president of information services at the Minnesota Hospital Association. From February 2009 to February 2012, the number of online job postings in the field almost tripled from 4,850 to 14,512, according to a data brief from HHS’ Office of the National Coordinator for Health Information Technology. The ONC does not break out urban and rural job listings.

Brock Slabach, senior vice president for member services at the National Rural Health Association, said the looming end of the EHR incentive payments could hurt HIT efforts at rural hospitals and clinics. “The question will be, can these facilities, with these declining reimbursements, and the incentives ending with the American Recovery and Reinvestment Act, continue to operate these information systems efficiently and effectively?” he asked.

In addition to the stimulus program, the Patient Protection and Affordable Care Act drove the need for IT development and staffing through its focus on population-health initiatives, quality-of-care measures, and preventable readmissions. Another factor is the looming implementation of the ICD-10 coding system.

Implementing EHRs is the heavier lift for Milly Prachar’s hospital, however. “It’s so far-reaching and really touches all users within the organization,” said Prachar, director of health-information management at Roseau LifeCare Medical Center, a 25-bed critical-access hospital in Roseau, Minn., a town of 2,600 near the Canadian border.

Tight deadlines and finances are one side of the problem, and finding qualified IT workers is the other. Prachar’s hospital opted to train one of its nurses in clinical IT rather than recruit an IT specialist. That’s a strategy a number of other rural-health facilities are using for their IT needs. “Because of our location—we’re pretty remote—we didn’t think it would be likely that there would be someone with the knowledge of the organization as well as EHR knowledge that could step into that role,” she said.

But that does not solve the problem of how to deal with the increasing number and scope of IT projects on top of the hospital’s usual workload. The result for small town and rural providers is a backlog of work and delays in implementing meaningful use of EHR systems and cost-saving quality measures. It also holds them back from participating in alternative payment and delivery models such as accountable care organizations and bundled payment, which require sophisticated data systems.

“They’re not keeping up with health reform,” said Joe Wivoda, a health IT consultant based in Hibbing, Minn. “There’s no way in the world that you can do health reform without robust health IT capabilities.”

Chantal Worzala, director of policy at the American Hospital Association, said there are two issues for rural providers in hiring IT talent. One is whether the hospital can afford to pay enough to be competitive with urban hospitals, vendors and consulting firms, and the answer is often no. The second issue is convincing IT professionals to live and work in a small town or rural community.

A key for rural providers in recruiting students for HIT jobs is identifying candidates who want to live in a rural community or small town, said Sunny Ainley, associate dean of continuing education and workforce development at the Center for Applied Learning at Normandale Community College in Bloomington, Minn. “You have to enjoy the rural amenities of living in Minnesota,” she said.

Effectively using social media is one way to reach candidates. “People have a very high trust for social media, so we always recommend to our clients to make sure they have a Facebook page and they’re very active,” said Ralph Henderson, president of healthcare staffing at AMN Healthcare. “That takes away some of the issues that, ‘I don’t know that health care system’ or ‘I don’t know that city very well.’”

He also advises conducting on-campus recruiting at colleges and universities to get to know people early in their careers and establish relationships with them. In addition, he recommends having a strong training program. “The healthcare systems that do a good job of hiring new grads and then setting up training programs for them are the ones that tend to win those competitive wars for talent,” Henderson said. These programs breed loyalty to the hospital as well as the local community.

Hire and train
Another approach is to hire and train, bringing on new employees knowing they’ll need skills development to do the job effectively. A related strategy is to develop existing employees’ IT skill sets through onsite or off-site training, as Roseau LifeCare Medical Center did with the nurse on its staff.

Other small providers are exploring partnerships with larger hospitals, although Slabach worries this could hurt rural providers in the long run. “If the urban partner doesn’t have a real keen sensitivity to rural healthcare, preserving access and maintaining traditional patterns of care, you could see patients being transferred to larger facilities,” he said.

A way around this is the IT cooperative approach, which a few small providers have pursued. The not-for-profit Illinois Critical Access Hospital Network offers IT services to its 53 member hospitals on a fee-for-service basis. “(It’s at) far less cost to us than if we A, had hired that individual ourselves or B, if we were working through a third-party consulting firm,” said Harry Wolin, CEO of the 20-bed Mason District Hospital in Havana, Ill.

Even so, consulting firms are finding plenty of work with the boom in IT needs. “Small organizations have limited resources (and) limited availability to reach out to talent because everybody wants to work for a larger organization and make more money,” said Carol LeMaster, senior director of career services and professional development at the Healthcare Information and Management Systems Society. “Typically, it’s just easier for them to just hire a consulting organization.”

Educators also are working to connect graduates of their HIT training programs to open positions. Normandale Community College was one of about 81 community colleges that received stimulus funding through the ONC for a program aimed at training HIT professionals to help implement EHRs as demand for these positions soared.

But a key source of support for the smallest rural providers as they strive for meaningful use is about to dry up. The HITECH provision of the 2009 stimulus law funded a nationwide network of 62 regional extension centers, run by the ONC to help rural providers implement EHRs. As of January, 3,427 of the 6,700 providers at critical-access and rural hospitals that worked with the RECs had achieved some level of meaningful use.

The RECs will run out of stimulus funding this year. “That is going to be, in certain parts of the country, really, really hard,” said Mat Kendall, who left his position running the REC program at HHS in March. Seventy-one percent of healthcare leaders surveyed by Modern Healthcare between November and January said they think federal funding for these centers should continue.

Kendall worries that the digital divide between urban and rural providers will widen during implementation of Stage 2 meaningful use of EHRs. The ONC is working with providers and vendors to help them with this process, he said. But “there’s nothing we can do about the inability to find (IT professionals).”

Posted in ARRA, Higher Ed, HITECH Act, Privacy & Security

Software to ease ICD-10 transition: providers consider the options

Congress’ decision this spring to delay the ICD-10 deadline has given healthcare providers some extra breathing space to make the transition, but many are seeking additional help in the form of new “language-to-code” translation software.

Via Modern Healthcare:

Despite the recent congressional delay in implementing the ICD-10 coding system, there is growing interest in a high-tech way of helping physicians convert their standard clinical terminology into the complex new payment codes. It’s called “language-to-code” translation.

These translation systems are essentially computerized medical dictionaries stuffed with clinician-friendly descriptions in English or Latin of patient complaints, diagnoses and procedures, which are then linked to lists of clinical and billing codes. These words are presented to clinicians during preparation or updating of a problem list, for example, through software built into their electronic health records. Once a clinician selects a word or phrase, the software links it to code sets such as SNOMED CT—now available for free through the National Library of Medicine—the American Medical Association’s Current Procedural Terminology, and ICD-9 and ICD-10.

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Steven J. Fox gives talks on cloud vendor contracts, receives favorable media coverage

Health IT blawger Steven J. Fox spoke to healthcare providers on contracting with cloud-based technology vendors at events sponsored by the Pennsylvania and American bar associations recently.  Initially covered by AuntMinnie.com, the presentation has garnered further industry media attention, sparking three additional articles so far:

  • “Hospitals can benefit from cloud-based IT technology,” TeraMedica (March 31, 2014)
  • “Attorney: Cloud vendor contracts wrought with pitfalls,” FierceEMR (April 7, 2014)
  • “Beware the hidden costs of a poorly constructed EHR contract,” FierceEMR (April 10, 2014)

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

PHI of 26-30 million Americans to be linked in single, vast network

By September 2015 database managers hope to have a network in place that will link databases containing the PHI records of millions of people.  The project is being implemented by PCORI, the Patient-Centered Outcomes Research Institute, a non-profit organization formed at the behest of Congress as part of the 2010 Affordable Care Act.  PCORI’s mission is to organize “comparative effectiveness” research in the healthcare industry regarding different treatment possibilities, drugs and devices.  PCORI elected to use its funding to create a network pooling millions of patient records in aid of its mission.  Issues still undecided include what access pharmaceutical and insurance companies will have to the data.  PCORI asserts that the data, which will, in some cases, include links to genetic samples, will be anonymized before release to researchers.  Critics worry that patient identities may not remain private (see “De-identified PHI records relatively easy to re-identify Harvard prof demonstrates”).

See full Washington Post article at “Scientists embark on unprecedented effort to connect millions of patient medical records”.

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Washington state inadvertently released computers containing PHI and other sensitive data

All state governments dispose of large numbers of older computers each year, and while they all have procedures in place to scrub sensitive data from the hard drives before releasing them, there have been reports of slip-ups.  An audit conducted last summer on computers approved for sale or donation by Washington state found that 9% still contained sensitive information such as Social Security numbers and health data including psychiatric records.  Washington releases as many as 10,000 older computers each year.  Since the audit, the state has changed how it processes computers destined for disposal including submitting them to an additional scrubbing procedure.
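The audit result above (sensitive data surviving on drives that had supposedly been scrubbed) is exactly the failure that a verification step before release is meant to catch. What follows is an added example, not code from this post or from Washington state’s actual disposal procedure: a Python script that scans a raw disk image for leftover Social Security numbers and health-record keywords, in both plain single-byte text and the UTF-16LE encoding that Windows applications commonly use, and only approves release when nothing is found. The 4 KiB “disk image”, the two leftover records, the SSNs in them and the keyword list are all constructed for the demonstration.

```python
"""
Pre-disposal sanitization check: scan a raw disk image for residual
personal or health data before the machine is sold or donated.

Added example; not code from the blog post nor from Washington state's
actual disposal procedure. The disk image, the record contents and the
keyword list below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass

# Formatted Social Security numbers. The lookaheads exclude groups that
# are never issued (000, 666 or 9xx area; 00 group; 0000 serial) so that
# random or zeroed drive contents do not produce noise.
SSN_RE = re.compile(rb"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Health-record keywords (constructed list; a real deployment would use
# its own data-classification vocabulary).
HEALTH_KEYWORDS = (b"diagnosis", b"psychiatric", b"patient", b"medication")
KEYWORD_RE = re.compile(b"|".join(re.escape(k) for k in HEALTH_KEYWORDS),
                        re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    offset: int    # byte offset in the image where the match starts
    kind: str      # "ssn" or "keyword"
    encoding: str  # "ascii" or "utf-16le"
    text: str      # the matched text, decoded


def _scan_narrow(data: bytes, encoding: str) -> list[Finding]:
    """Run both patterns over single-byte text."""
    found = [Finding(m.start(), "ssn", encoding, m.group().decode())
             for m in SSN_RE.finditer(data)]
    found += [Finding(m.start(), "keyword", encoding, m.group().decode())
              for m in KEYWORD_RE.finditer(data)]
    return found


def scan_image(image: bytes) -> list[Finding]:
    """Return every SSN or health keyword left in the image, sorted by offset.

    Windows applications commonly store text as UTF-16LE, where each ASCII
    character is followed by a NUL byte, so a plain byte scan misses it.
    The image is therefore also scanned with the interleaved bytes dropped
    (both alignments), and such a hit is kept only if the interleaved bytes
    really are NUL; otherwise it is a coincidence in ordinary binary data.
    """
    findings = _scan_narrow(image, "ascii")
    for phase in (0, 1):
        for f in _scan_narrow(image[phase::2], "utf-16le"):
            start = phase + 2 * f.offset
            high = image[start + 1:start + 2 * len(f.text):2]
            if high == b"\x00" * len(f.text):
                findings.append(Finding(start, f.kind, "utf-16le", f.text))
    return sorted(findings, key=lambda f: f.offset)


def is_sanitized(image: bytes) -> bool:
    """Release gate: approve only when the scan finds nothing."""
    return not scan_image(image)


def sanitize(image: bytes) -> bytes:
    """Simulate a single overwrite pass with zeros (the 'scrub' step)."""
    return bytes(len(image))


def build_sample_image() -> bytes:
    """Constructed 4 KiB 'disk image' with leftover records in two encodings."""
    img = bytearray(4096)
    # Plain text left in sector 1 (constructed record, fake SSN).
    ascii_rec = b"Patient: J. Doe  SSN 123-45-6789  Diagnosis: asthma"
    img[512:512 + len(ascii_rec)] = ascii_rec
    # UTF-16LE text left in sector 4 (constructed record, fake SSN).
    wide_rec = "Psychiatric eval, SSN 321-65-4321".encode("utf-16le")
    img[2048:2048 + len(wide_rec)] = wide_rec
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for f in scan_image(image):
        print(f"offset {f.offset:6d}  {f.kind:7s} {f.encoding:8s} {f.text!r}")
    print("release approved:", is_sanitized(image))
    print("after scrub, release approved:", is_sanitized(sanitize(image)))
```

Two points matter when using a check like this for real. It has to run over the raw device (for example an image taken with `dd`), not over the mounted filesystem, because deleted files live on in unallocated space, which is where the audit’s 9% most likely came from. And on SSDs an overwrite pass is not a reliable scrub, since the controller may leave remapped blocks untouched; there the drive’s built-in secure-erase command or physical destruction is the appropriate procedure, with a scan like this used afterwards only as a spot check.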

See full Consumerist article at “Washington State Sold Computers Loaded With Sensitive Personal Information,” as well as additional coverage at Spokesman-Review (Spokane, WA) and Govtech.com.

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

FDA, ONC and FCC release FDASIA Health IT Report draft

Last week the Food and Drug Administration (FDA), the Office of the National Coordinator for Health IT (ONC), and the Federal Communications Commission (FCC) announced the release of their draft FDASIA Health IT Report, which incorporates the September 2013 recommendations of the FDASIA Workgroup (see our earlier blog entry).  The 34-page report introduces a proposed strategy for a risk-based regulatory framework for health IT.  The public is invited to comment.

See FDA announcement and the draft report itself at “FDASIA Health IT Report:  Proposed Strategy and Recommendations for a Risk-Based Framework”.


‘Fasten your contracts’ or risk a bumpy ride in the ‘Cloud’, blawger Steven J. Fox warns healthcare providers

“Never accept the vendor’s standard form contract as the final word; remember that everything is negotiable,” cautions Steven J. Fox.  Fox shared the podium with Lee Kim, HIMSS’ Director of Privacy and Security, at the HIMSS conference in Orlando to speak on “Hidden Pitfalls with Cloud, Mobile Technology, and Mobile Data”.  Fox, who chairs Post & Schell’s Information Technology Practice Group, spoke extensively on steps healthcare providers can take before and during contract negotiations to protect their interests.  According to AuntMinnie, the medical imaging industry’s online news magazine, which covered the talk in depth, if you “[w]ant to implement a cloud-based health IT system…[you] need to perform thorough technical and business due diligence to ensure patient privacy and the availability and security of your data….”  While this is good advice for any contract negotiations, cloud data storage’s unique set of issues – reviewed in the HIMSS talk – makes these precautions especially vital.

See full AuntMinnie article at “Cloud IT use requires technical, business due diligence”


Over 220K PHI records affected in San Francisco area burglary

In a February incident at a Torrance, California medical billing company, burglars made off with several unencrypted computers.  According to an announcement by San Francisco’s Department of Public Health, the loss resulted in the theft of 56,000 San Francisco area patient records and compromised an additional 168,500 Los Angeles area patient records.  The medical billing company, Sutherland Healthcare Solutions, is offering the affected San Francisco area patients free credit monitoring and recovery services.  Sutherland has also committed to henceforth encrypt its computers, anchor them to office furniture, and require that all data be saved to shared drives rather than to individual computers.

See full LA Times article at “San Francisco patient records stolen in Torrance burglary”


GAO report: EHR incentive program suffers high attrition rate

While 89% of qualified hospitals and 65% of qualified individual medical professionals have received incentive payments, a significant number of these have dropped out of the incentive program in its later stages, according to a recent GAO study.  The report speculates on possible reasons for this phenomenon.  One possibility is that participants were not required to demonstrate meaningful use at earlier stages in the program, and then dropped out once that became necessary.  Other reasons given by program dropouts ranged from having changed software vendors and not yet being ready to provide CMS with the new EHR information, to being unaware that they were expected to continue participating in the program.

Via Modern Healthcare:

By one oft-reported measure, the federal government’s electronic health record incentive payment programs have been an unmitigated success.

That measure is the increase in the number of hospitals and physicians (and other professionals) that have received payments from the programs under Medicare, Medicaid and Medicare Advantage for installing and “meaningfully using” EHRs. The payments are designed to incentivize providers to buy and use, in a meaningful manner, EHR systems.

Each month since the CMS began issuing monthly reports on the programs, which made their first payouts in January 2012, the number of providers receiving federal dollars has gone up.

Through January, the programs, created under the American Recovery and Reinvestment Act of 2009, have paid out more than $20.9 billion, providing incentive payments to 89% of eligible hospitals and 65% of physicians and other eligible professionals, according to the latest program report from the CMS.

But now, according to a March General Accountability Office review, there is another story in the CMS data – “a substantial percentage” of providers dropped out of two of the Medicare and Medicaid programs in 2012 after receiving payments for 2011. The findings are tucked into GAO’s wide-ranging, 81-page review of the incentive payment programs, “Electronic Health Record Programs-Participation Has Increased, but Action Needed to Achieve Goals, Including Improved Quality of Care.”

The GAO looked at Medicaid program participation in 36 states and found that 60.8% of physicians and eligible professionals and 35.7% of hospitals that participated in the program in its first year, 2011, did not stick with it in 2012. Turnover in the Medicare program was far less significant, based on data nationwide, with 16.3% of physicians and other professionals and 9.5% of hospitals that participated in 2011 dropping out in 2012, according to the GAO.

CMS officials “told us that they are monitoring the issue and taking steps to reverse this trend,” the GAO said. “One CMS official told us there are various possible reasons Medicare and Medicaid providers did not continue to participate,” the report authors said. “Noteworthy for the Medicaid EHR program, and in contrast to the Medicare EHR program, providers do not need to participate in consecutive years to maximize their incentive payments,” they said.

Payments under the Medicaid program for these providers are available over a far longer period than under Medicare. Medicaid payments for them started in 2011 and could run through 2010. In contrast, payments for Medicare physicians and other “EPs” began in 2011 and will end in 2016.

“Another possible reason providers did not continue to participate in the Medicaid program in 2012 is that providers are not required to demonstrate meaningful use their first year of participation,” the GAO said. For them, the standard to qualify for a first-year payment under Medicaid is merely to adopt, implement or upgrade to a tested and certified EHR. Meeting meaningful use, a much higher bar, is not required for these participants until their second year of the program.

“One CMS official noted that a provider who received an incentive payment” under Medicaid the first year “could still be far from having the capability to demonstrate meaningful use,” the GAO said.

The CMS had surveyed program dropouts to determine why they left and found other rationales, including providers had switched EHR vendors and weren’t ready to submit EHR data. Others found it more difficult to move up from the 90-day meaningful use reporting period required under the Medicare program in the first year to a full-year reporting period in the second year; still others surveyed said they simply were unaware of program deadlines, and some “did not realize they needed to participate in the program again,” the GAO said.

The GAO warned that stiffer program requirements for Stage 2, which began Oct. 1, 2013 for hospitals and Jan. 1, 2014, for physicians and other EPs, “may slow participation.”

By Joseph Conn

“GAO finds significant EHR incentive program dropouts,” Modern Healthcare (March 7, 2014)



42K records breached at Wisconsin health insurance group

Unity Health Plans Insurance Corporation, affiliated with the University of Wisconsin, discovered in December 2013 that an unencrypted external hard drive of medical records had disappeared.  The records contained patient names, dates of birth, dates of service, and names of prescription drugs.  Unity has notified the almost forty-two thousand individuals affected.  The Department of Health and Human Services Office of Civil Rights has been notified of over 80,000 breaches since reporting began in 2003.

See Healthcare IT News article at “42K get HIPAA breach letters”


Interoperability collaborators present at HIMSS conference

Although the majority of healthcare settings are now digitized, lack of interoperability among the wide range of software applications now in place continues to be a problem.  Several groups addressing this issue presented their innovations at this year’s HIMSS national conference in Orlando.  Among the groups were the CommonWell Health Alliance, made up of EHR vendors committed to increased interoperability, and the newly formed Carequality, which includes UnitedHealth Group, Walgreen and Epic.

Via Modern Healthcare:

Several interoperability collaborations presented at the HIMSS conference demonstrated that information technology vendors and healthcare providers are focusing on connecting competing electronic health records and health information exchanges as well as medical devices and health IT systems.

The CommonWell Health Alliance, a trade group for EHR vendors advocating for improved interoperability, announced CVS Caremark Corp. as its newest member. A separate group, including UnitedHealth Group, Walgreen Co. and Epic Systems Corp., announced the formation of Carequality, which is developing a framework to share data across health IT networks.

“There are many strategies around interoperability,” said Dr. Tripp Jennings, system vice president and medical informatics officer for Palmetto Health, Columbia, S.C., which is participating in a CommonWell pilot.

By Joseph Conn and Jaimy Lee

“Groups showcase interoperability efforts,” Modern Healthcare (March 1, 2014)



ONC leaders mark agency’s 10th anniversary with review of government’s role in health industry IT

ONC past and current leaders met this week to share thoughts on government’s role in the development of health IT in commemoration of ONC’s ten year anniversary.  The agency, formed by then-President George Bush in 2004, was tasked with providing every American with an electronic medical record.

According to the ONC’s current leader, Dr. Karen DeSalvo, government is responsible for ensuring that the benefits of health IT are available to all.  Former ONC chief Dr. Farzad Mostashari believes government should use the market to reach national health IT goals.  However, noting the market’s natural drift away from competition, he stresses that the government – i.e., the FTC – is essential to keep the market functioning properly by blocking this tendency.  Former ONC leader Dr. Robert Kolodner holds that the government’s $19.2 billion EHR incentive program has distorted the market and welcomes the end of the incentive program as a time in which, he says, consumers will resume control of the market.

When Dr. David Brailer began his tenure as the ONC’s first leader, he expected the agency would accomplish its goals and be phased out after ten years.  Now he, along with the others, cannot imagine the future of healthcare IT’s ongoing evolution without the ONC continuing to play a central role.

Via Modern Healthcare:

Three former heads of the Office of the National Coordinator for Health Information Technology plus its current leader appeared on one panel at the Healthcare Information and Management Systems Society convention Wednesday, sharing their thoughts on health IT’s history and future and the role government should play in it.


The government can help the industry set goals, said Dr. Farzad Mostashari, now a visiting fellow at the Brookings Institution, a Washington think tank, who stepped down as the fourth ONC leader in October. The ONC chief can use that “bully pulpit” to ensure it remains focused on them. The government also should use the market to achieve national goals, “but the corollary is, if markets fail,” and providers enter into anti-competitive behavior, then the government has a role through the Federal Trade Commission “to make sure the market works the way it’s supposed to,” he said.

“The FTC has set hearings March 20-21 on EHRs and how they could be used to create non-competitive behavior,” Mostashari noted. One role of the ONC “is to make sure the regulators are well informed on what we’re doing in health IT,” he said.

Government needs to provide “the broad view” to ensure the interests of individuals and communities are addressed, said Dr. Robert Kolodner, the second and longest-serving leader of the ONC.

“There are times when the customer has to drive the marketplace,” said Kolodner, now vice president and CMO of ViTel Net, a McLean, Va., provider of telehealth software and services. “Each of the vendors wants to maximize the markets they have.” The federal government, pouring $19.2 billion thus far into the EHR incentive program under the American Recovery and Reinvestment Act of 2009, has distorted the market, the ONC chiefs agreed. Now that the federal incentive money is running out, the consumer will re-assume control of the market, Kolodner said.

“It’s a question of when that sleeping giant will awaken,” he said.

His view on the appropriate role of government in health IT has evolved since he became the first ONC head in 2004, said Dr. David Brailer, a former health IT entrepreneur, now the CEO of Health Evolution Partners, a San Francisco-based private equity firm.

He assumed the ONC would sunset after 10 years, Brailer said, the time President Bush allotted for achieving his goal, also set in 2004, of providing every American access to an electronic medical record.

“I’ve come around on that,” Brailer said. “I think it could provide an enormously beneficial function synchronizing things across different (federal) agencies.” Without it, the government risks reverting to “a tower of Babel” with many agencies sending differing messages on where health IT should go.

The ONC, created by executive order of then-President George Bush in 2004, will mark its 10th anniversary in April. All of its leaders except the nation’s third national coordinator, Dr. David Blumenthal, were gathered by HIMSS to take a look at health IT history and its future during a panel discussion at the Chicago-based trade group’s annual convention in Orlando, Fla.

Consumer-oriented digital health tools such as FitBit, gathering and submitting patient-generated data, will be part of that awakening, said Dr. Karen DeSalvo, national coordinator for health IT.

“We don’t have ways to receive it very well, but I think people are really willing to quantify their health,” she said. Government needs to make sure access to the benefits of health IT is open to all, DeSalvo said, to “make sure no one is left behind.”

By Joseph Conn

“ONC leaders examine role of government in health IT,” Modern Healthcare (February 26, 2014)



Opposition halts nationwide UK EHR database project

Alongside media reports in January of U.S.-U.K. plans to collaborate on healthcare data policy, National Health Service England announced its plans to combine the records of all its patients into a single database to be available by April.  This week, the NHS halted the proposed program due to widespread concerns.  Promoters of the program claim that the database will allow for medical advances, and that sales of the data to private companies will be necessary as the NHS is privatized.  Opponents list a variety of potential problems with the database, the contents of which will be available for sale to pharmaceutical and insurance companies.  Uncertainty regarding who will have access to the data is a big concern.  According to Phil Booth, director of a patient privacy group, “One of people’s commonest concerns about their medical records is that they’ll be used for commercial purposes, or mean they are discriminated against by insurers or in the workplace.”  Still another worry is that the £50 million plan will be illegal, and will have to be terminated within a year or so, if proposed EU laws are passed in the coming year.  A recent poll found only 17% of the public supports the database plan, with 65% opposing it.  The plan’s supporters are launching a publicity campaign to address the public’s concerns.

See full Telegraph (London) article at “NHS medical records database halted amid concerns”


Brooklyn brothers develop new EHR-accessing service for patients

If managing often voluminous patient health records is a challenge for healthcare providers, it can be even more overwhelming for the patients themselves, especially if they develop multiple health conditions.  In the aftermath of a family medical emergency, four brothers of the Dib family in Brooklyn have created a new medical records service.  The brothers Dib claim that through their newly-launched website patients and their loved ones can easily access their medical records and – for a fee – do so without having to go through their doctors’ offices.  As every EMT knows, speedy access to health records in an emergency can mean the difference for a patient between tragedy and staying alive.

See full Brooklyn Daily Eagle (NY) article at “Brooklyn brothers team up to build medical-records site”


Two EHRs picked to test interoperability

The Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) have selected products developed by McKesson Corp. and Meditech to test the interoperability of EHRs.  McKesson and Meditech have collaborated with ONC and the National Institute of Standards and Technology (NIST) on earlier phases of this project.  CMS and ONC invite other software vendors to participate in these trials.

Via Modern Healthcare:

The CMS and the Office of the National Coordinator for Health Information Technology designated the first two electronic health-record systems to test whether EHRs are interoperable as required under the Stage 2 criteria of the government’s incentive program for the meaningful use of health IT.

The Stage 2 rules, now in effect for qualifying hospitals and qualifying physicians and other “eligible professionals,” require providers to swap a summary of a patient’s care record with other providers using at least one EHR system from a developer different than their own. At a minimum, they must conduct one or more tests of a swap with EHRs selected by the CMS to serve as test systems in a federal test bed environment created for this purpose.

The “Test EHRs” are products by software developers McKesson Corp. and Meditech, which have worked previously with ONC and National Institute for Standards and Technology to develop the test procedure.

The feds are looking for other developers to step forward and offer their systems to serve as test EHRs.

More information about the testing program is available at the ONC website.

By Joseph Conn

“First two EHRs selected to test Stage 2 interoperability,” Modern Healthcare (January 16, 2014)



Telemed regs currently discourage telemed, say stakeholders

A group made up of accountable care organizations, telehealth technology vendors, and professional associations has issued a statement to the Department of Health and Human Services decrying the lack of cohesion in the body of regulations governing telemedicine at the present time.  According to the group, several telehealth policies currently serve as disincentives to connected health implementation.

See Modern Healthcare article at “Trade groups, ACOs push telemedicine reg changes”


Montana hospital one of first to sue vendor in court over non-compliant EHR system

Healthcare providers face many challenges in trying to keep up with ever more rigorous requirements for EHR software compliance.  EHR software vendors seem to be struggling, too, in many cases causing their clients to fail the federal EHR certification requirements, thereby losing eligibility for incentive payments.  Montana’s Mountainview Medical Center, which failed the October 1, 2013 certification deadline, is one of the first healthcare providers to take this issue to court.

Via Modern Healthcare:

A small Montana hospital may be among the first of many providers to go to court to resolve their frustrations with electronic health record systems developers that are either lagging or failing to update their software to the new, more stringent testing and certification requirements of the federal EHR incentive payment program.

Mountainview Medical Center in White Sulphur Springs is suing NextGen Healthcare Information Systems in federal court for failing to provide a certified EHR system in a timely manner.


Recently released 2013 WEDI report to guide health IT in coming decade

WEDI, the Workgroup for Electronic Data Interchange Foundation, recently announced the release of its 2013 report, generated in partnership with healthcare industry leaders.  The report identifies the following four critical focus areas:

• Patient Engagement: consumer (patient) engagement through improved access to pertinent healthcare information.
• Payment Models: business, information, and data exchange requirements that will help enable payment models as they emerge.
• Data Harmonization and Exchange: alignment of administrative and clinical information capture, linkage, and exchange.
• Innovative Encounter Models: business and use cases for innovative encounter models that use existing and emergent technologies.

The report also presents a set of recommendations for the development of healthcare information exchange over the next ten years.

See WEDI press release here, and full report at http://www.wedi.org/topics/2013-wedi-report.


Most medical devices and EHR systems not on speaking terms … yet

As there has been no financial benefit up until now to EHR system and medical device companies for making their software interoperable, they have, by and large, not done so.  On the other hand, full interoperability could benefit the U.S. health care system to the tune of as much as $30 billion a year in savings according to recent estimates.

So why are health care providers not using their tremendous purchasing power to insist on interoperability?  Apparently the conventional process by which hospitals acquire new software and equipment – usually via big contracts only once every ten years or so – significantly undermines their ability to influence manufacturer behavior – and specifically product design decisions – on an ongoing basis.

Despite these and other barriers to interoperability, pressure to require that EHR systems and medical devices be interoperable is building in various quarters – from health care providers’ groups, to the FDA via new voluntary standards, to a group of medical device makers who made a public commitment to interoperability this past year.

Via Modern Healthcare:

The typical hospital bed in an intensive-care unit is surrounded by as many as a dozen medical devices that monitor the patient, track blood pressure and heart rate, dispense medications and perform other vital functions.


Cybersecurity in the health care setting: issues and strategies

Health care providers have a long history of protecting sensitive patient information, but the fact that more and more health care equipment is now connected to the internet exposes this data to a new range of risks.  All hospitals currently have formal strategies to protect medical device security in order to comply with federal regulations, but according to an ECRI Institute survey, fewer than half have comprehensive facility-wide cybersecurity management policies in place.

Via Modern Healthcare:

When Dick Cheney learned hackers might be able to alter his pacemaker’s settings, he asked his physicians to sever the device’s wireless Internet connection.

His physician used that connection to monitor the device’s functionality. Cheney feared some terrorist would reprogram the device to kill the former vice president.


State inadvertently publishes PHI on web; apologizes

A website of the North Carolina Department of Health and Human Services (DHHS) that is intended to provide transparency regarding how government moneys are spent got a little too transparent recently when it displayed sensitive information belonging to more than 1,300 health care patients.  DHHS inadvertently published PHI (protected health information), including patients’ names, addresses and payment amounts on NC Openbook, a state website designed to provide transparency for payments made to government vendors and contractors. Some of the information was especially sensitive, since it involved patients receiving mental health treatments. DHHS has issued an apology and sent notification letters to all of those affected. In addition, the agency notified the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS), as required by the HIPAA Breach Notification rules. As a result, this breach will appear on HHS’s “Wall of Shame” (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html) where the HITECH Act requires all breaches affecting more than 500 individuals to be posted.

Unlike so many breaches caused by the accidental loss of a thumb drive or laptop, this breach demonstrates the need for ongoing training of employees who deal with PHI. Training is not just for new employees of an organization. It has to be an integral, ongoing part of every organization’s policies and procedures to avoid the kind of breach described here.

To see the WSOC TV story on this, click on: http://www.wsoctv.com/news/news/local/state-apologizes-patients-records-posted-internet/nbm86/.


“Healthcare Dive” interviews “Health IT Law” blog founder Steven J. Fox regarding pitfalls to avoid in electronic medical record (EMR) contracts

“No matter how well you investigate an EMR, it’s possible that the product won’t be as usable as it seemed when you first tested it. But that’s not the only EMR risk your hospital or medical practice needs to address. Steven Fox, Principal with Post & Schell, told us about several other EMR contract gotchas that can potentially lead to serious problems for your business.”

See full Healthcare Dive article, excerpted above, at “Signing an EMR contract? Avoid these 5 gotchas”


Congress introduces bill to regulate mobile health apps — the SOFTWARE Act

Following up on our September 2013 blog entry, “How much pre-market regulation should the FDA impose on health IT?,” we note that Congress last week introduced a bill empowering the Food and Drug Administration to regulate mobile health applications.  Entitling their bill the SOFTWARE Act – Sensible Oversight for Technology which Advances Regulatory Efficiency – the bill’s bipartisan sponsors concur with the prevailing view that such regulation should be kept to a minimum, supporting innovation while protecting consumer safety.

As the September blog entry emphasized, the crux of the issue is defining which mobile health apps are considered to be employed in “’higher risk’ use cases” – and should therefore be regulated – and which apps are considered to be employed in lower risk or no risk situations, and can therefore be subject to less or no regulation.


California court ruling: health care providers may be off the hook for data theft in some cases

In a judicial decision sure to garner attention, a California state appellate court decided last week that UCLA Health is not liable for patient data breaches due to a 2011 theft.  It is important to note, however, that regardless of this decision, in the event of any breach affecting the records of 500 or more patients, health care organizations will still be held to all HIPAA regulations, including reporting requirements and possible fines levied by the U.S. Department of Health and Human Services.

See Payers and Providers article at “Privacy Ruling Benefits CA Hospitals: They May Not be Liable For All Stolen Data, Court Rules”


Intellectual property licenses in bankruptcy: review of current law

Bankruptcy law is designed to give a struggling company the respite it needs to reorganize itself and hopefully get a fresh start, even if this means severing existing business relationships.  But what happens when the bankrupt company is a licensor of intellectual property and the business relationships it is severing are with its licensees?  The law is in a constant race to keep up with technological advances, and nowhere is this more evident than in the arena where bankruptcy and intellectual property law overlap.

See Landslide (publication of the American Bar Association’s IP Law Section) article at “Intellectual Property Licenses in Bankruptcy: Can Lubrizol, § 365(n), and Sunbeam Be Reconciled?”


Mostashari in first public appearance since his ONC departure

Dr. Farzad Mostashari, former chief of the Office of the National Coordinator for Health Information Technology, shared thoughts and concerns in his first address since stepping down, at a conference of the College of Healthcare Information Management Executives.  Dr. Mostashari, who will be on staff at the Washington-based Brookings Institution, addressed the topic of HIT usability as well as communication across the healthcare industry in his comments.

Via Modern Healthcare:

Dr. Farzad Mostashari didn’t quite bare his soul to a bunch of hospital CIOs, but the man who was indefatigably buoyant as the nation’s federal health information technology czar did pull back the curtain a bit and offered an assessment of his own concerns as well as some “insider clues” in his first speech since leaving federal service.

Mostashari stepped down as head of the Office of the National Coordinator for Health Information Technology on Oct. 5.

He announced last week that he’d be joining the Brookings Institution, a Washington think tank, working for its Engelberg Center for Health Care Reform.

“I’m hopeful and optimistic, but in terms of having new technologies and systems, I’m a little concerned,” Mostashari said.

And now, speaking “not as national coordinator,” he shared some of those concerns about both the current state and the future of healthcare IT.

“Too many don’t know how to do this,” Mostashari said, meaning the needed, technology-enabled changes in healthcare delivery.

Healthcare organizations can buy population management software, “but flipping the practice, flipping the hospital, so that everything doesn’t take place in an eight-minute visit, that’s a cultural challenge. It’s not an IT challenge; it’s a business practice challenge. And we have providers who are struggling with the pace of change. We all are, but the front-line provider, there is more and more being placed on them.”

“I do worry about usability,” Mostashari added, referring to the oft-aired complaints that today’s EHR systems are hard to navigate, slow providers down and interfere with the physician-patient relationship.

“Not that it (usability) isn’t getting better,” Mostashari said. “It is getting better. But the expectations are rising even faster. I didn’t think there is a clear government role as there is a market role, but I wonder if the market is incentivizing usability as much as it should.”

Poor communication across the industry is another concern, he said, and wondered aloud about how much time “is being spent on things others have already done.”

Innovations and best practices need to be better shared, Mostashari said. “Everyone re-discovering the same thing is not necessary.” Healthcare IT people need to “find ways to sustain information sharing. It just doesn’t feel we’re having enough of that happening to get us through this next period.”

He also dropped “a couple of insider clues” as to the policymakers’ perspectives on calls for delaying Stage 2 of the federal EHR incentive payment program under the American Recovery and Reinvestment Act.

“There is no legal way to change the final rule without a pretty elaborate process that takes nine to 12 months,” he said. Instead, Mostashari said, CHIME and others pressing for relief from penalties for noncompliance might look to “sub-regulatory guidances.”

“There is the ability in the rule for hardship exemption,” Mostashari said. “You wouldn’t get the payment, but you wouldn’t get the penalty. That’s where I would advise CHIME to look.”

Besides, Mostashari said, without the technological leap required in the upgrade to the so-called 2014 Edition tested and certified software (providers must use the 2014 systems for both Stage 2 and, some, for Stage 1) other programs that depend on interoperability are jeopardized.

“We can’t wait for interoperability,” he said. “You all know this. It’s past time. We have a series of really, really important standards” baked into the 2014 Edition criteria. “I think folks should assume the timelines will stick.”

CHIME President and CEO Russell Branzell asked Mostashari to recall during his four-year stint at ONC, including more than two years as its leader, what was his proudest moment.

There was a long, silent pause.

“One moment does stick out,” he said. It was at a “town hall” meeting at another convention when David Muntz, a CHIME member and the former principal deputy director of ONC; Joy Pritts, chief privacy officer, Jodi Daniel, director of policy and planning, and other top ONC leaders, were all assembled on the dais.

“You just looked up there and (saw) person after person who really knows their stuff, and all of them had been out there in the field and probably could have done other things, but they chose service, and the crowd really appreciating them for their service. That was my proudest moment,” he said.

By Joseph Conn

“Mostashari shares concerns, ‘insider clues’ in first speech since leaving ONC,” Modern Healthcare (October 10, 2013)



College of Healthcare Information Management Executives honors Virginia CIO Geoff Brown

During this year’s National Health IT Week in Washington, DC, CHIME presented its State Public Policy Award for CIO Leadership to Geoff Brown, senior VP and CIO of Virginia-based Inova Health System.  Brown, who is currently chair of the Virginia Health Reform Initiative Advisory Council’s technology committee, has a long record of service dedicated to the advancement of healthcare technology in the state of Virginia.

See healthsystemcio.com article at “Brown Recognized For State Policy Work”


Litigants employ new tactic in facing off with “patent trolls”: RICO

RICO, the federal Racketeer Influenced Corrupt Organization statute passed in 1970 is known primarily from headlines regarding cases against organized crime figures.  The law is now being used on a new target — patent trolls.

See Washington Post article at “Here’s how a law designed to fight the Mafia could stop abusive patent lawsuits”


How much pre-market regulation should the FDA impose on health IT? Work group issues recommendations

The Food and Drug Administration Safety Innovation Act (FDASIA) work group, made up of experts from various branches of the healthcare industry, recommends that the FDA proceed with as light a touch as possible in reviewing new health information technology products.  The work group’s new report suggests that reducing regulatory burdens on the software industry – with exceptions for technologies pertaining to higher risk medical procedures – frees developers to generate the technological innovations the healthcare industry needs at a faster pace.

Via Modern Healthcare:

Health information technology should not, as a general rule, be subject to pre-market regulation by the Food and Drug Administration as many medical devices are today, according to a work group giving advice to three federal regulatory agencies.

The experts, however, carved out some exceptions to that broad recommendation, part of an ongoing look by the federal government into the patient safety implications of the expanding use of health information technology.

Software that serves as a medical device accessory could be regulated, as well as software systems that have artificial intelligence functions that present a high risk to the patient, such as systems that provide computer-assisted diagnoses, the group concluded. Another area that could benefit from FDA oversight, the experts said, is software deployed in “higher risk” use cases in which “the intended use elevates aggregated risk.”

The group also called on health IT vendors to be required “to list products which are considered to represent at least some risk, if a non-burdensome approach can be identified to do so.” And the industry, through a “collaborative process,” needs to develop a better post-market surveillance and report system for health IT systems modeled after the National Transportation Safety Board reporting mechanism for malfunctions in the airline and other industries.

In a footnote in the group’s slide presentation, it suggested extending to EHR vendors the legal protections afforded providers who report errors to patient-safety organizations, saying the protections “could boost reporting for minor infractions.”

Dr. David Bates, chairman of the Food and Drug Administration Safety Innovation Act workgroup, presented the recommendations Wednesday to the federally chartered Health Information Technology Policy Committee. Bates said there were a few changes to a preliminary report given to the policy committee last month.

The committee is normally an advisory panel to HHS’ Office of the National Coordinator for Health Information Technology. This time, however, its input will also be shared with the Federal Communications Commission and the FDA.

HHS was charged by the 2012 FDASIA with producing a report by January 2014 on a “proposed strategy and recommendations on a risk-based regulatory framework pertaining to health IT, including mobile applications, that promotes innovation, protects patient safety and avoids regulatory duplication.”

In two additional prongs of a federal approach to health IT patient safety, the ONC hired the Joint Commission to investigate and analyze health IT-related adverse events and released a 47-page “Information Technology Patient Safety Action and Surveillance Plan” to continuously improve the safety of health IT.

Bates’ group said that some method is needed to allow aggregation of data about “safety issues at the national level” and that federal support for such an effort is warranted, the group said.

The group also said “cross-agency collaboration will be essential” among three federal agencies whose jurisdictions overlap in regulating some health information technologies.

Finally, the group said either the public or private sectors, or both, should work on improving health IT interoperability standards and develop a public process—facilitated by an independent group using validated measurement results—in which customers can rate health IT systems.

A list of documents and Bates’ FDASIA workgroup slide presentation is available on the policy committee’s website.

By Joseph Conn

“Work group suggests limited regulation of health IT by FDA,” Modern Healthcare (September 5, 2013)



Advocate Health Care already facing first lawsuit for July 15 breach involving 4 million EHR patient records

Chicago-area Advocate Health Care suffered the country’s biggest health care record breach to date on July 15, when four unencrypted desktop computers containing over four million patient records were stolen.  Seven weeks later the legal repercussions of July’s event are already beginning to unfold with last week’s filing of a class-action complaint in Cook County Circuit Court.

Once again, we are reminded both of the repercussions of such a loss and, more importantly, how easy it is to prevent this.  I’m not suggesting that the theft could have been prevented, but if the laptops had been encrypted, then this would have been a non-event (at least as far as the breach notification issue).  No one outside of Advocate would even know about the theft, because Advocate wouldn’t have had to report the loss and it would not have made the news at all.  So the take-away:  encrypt all of your mobile devices, including laptops, thumb drives, smart phones, etc.

Via Modern Healthcare:

The recent massive data breach at Advocate Health Care has already had legal consequences.

Downers Grove, Ill.-based Advocate and a subsidiary, Advocate Medical Group, are facing a state class-action lawsuit filed on behalf of two named plaintiffs and 4 million individuals whose personally identifiable health records were taken along with four desktop computers in a burglary in July. The computers were password protected but not encrypted, according to Advocate.

The five-count, 12-page complaint in Cook County Circuit Court in Chicago alleges negligence, deceptive business practices, invasion of privacy, intentional infliction of emotional distress and consumer fraud, all violations of Illinois law.

According to the class-action complaint, Advocate “continued its use of nonsecure, unencrypted computers and software to maintain the private and confidential patient data” it had collected, in violation of two state privacy laws.

The suit alleges Advocate violated the Illinois Personal Information Protection Act when it “permitted an unauthorized acquisition of computerized data that compromised the security, confidentiality, or integrity of personal information,” and the Illinois Medical Patients Rights Act when it “facilitated and allowed for the unlawful disclosure of patients’ private and confidential health information.”

The lawsuit requests a jury trial and judgment of an unspecified dollar amount for actual damages, costs and other relief the court deems appropriate.

The named plaintiffs were former Advocate patients, Pierre Petrich, and her minor daughter, Amara Petrich, of Northbrook, Ill. The suit was filed by Chicago personal injury attorney Robert Clifford.

The suit alleges the plaintiffs’ records were part of the massive July 15 data breach at an administrative office of the 1,100-plus physician Advocate Medical Group in Park Ridge, Ill. At just over four million records, it is the largest breach by a healthcare provider since the federal government began requiring public reporting of larger healthcare records breaches in 2009.

Personally identifiable data on the compromised records varied, according to an Advocate spokeswoman, but included patients’ names, addresses, dates of birth, Social Security numbers, diagnoses and medical record numbers.

Advocate previously made the federal “wall of shame” list kept by HHS’ Office for Civil Rights after the theft of an unencrypted laptop in 2009 carrying 812 patient records.

Thus far, 659 breaches involving records of 500 or more individuals have made the list, accounting for more than 22.8 million records being exposed. Of those involving electronic devices, 48% of the incident reports mentioned theft; 11%, loss; and 8%, hacking, all of which could have been mitigated by encryption.

The breach is being investigated by the OCR, the chief federal agency enforcing the health information privacy and security rules under the Health Insurance Portability and Accountability Act, and by the Illinois Attorney General’s office, for possible HIPAA and Illinois privacy law violations, spokespersons for those agencies have said.

Advocate has faced criticism for not encrypting the data. Encryption is a technique in which software is used to scramble messages or data, rendering them unusable and unreadable to anyone who doesn’t have the key, another piece of software code to unscramble the protected information.

An Advocate spokeswoman said an encryption program launched by the organization in 2009 had not reached the four computers in the Park Ridge office.

Advocate’s Kelly Jo Golson, senior vice president of public affairs and marketing, in a statement, said “We deeply regret any inconvenience this incident has caused our patients who have entrusted us with their care. Our focus continues to be delivering the highest level of care and service. We are also committed to providing all individuals impacted by this incident with resources to answer their questions and tools to protect their personal information. Although we are unable to comment specifically on active litigation matters, we want to reassure our patients that we do not believe the data was targeted and we have no information that leads us to believe that the information has been misused.”

By Joseph Conn

“Advocate Health Care sued following massive data breach,” Modern Healthcare (September 6, 2013)
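The post’s takeaway, that a stolen unencrypted computer is a reportable breach of unsecured PHI while an encrypted one is not, only helps if you can verify which machines actually hold cleartext data. Advocate’s own explanation was that its 2009 encryption rollout simply had not reached the four Park Ridge computers, which is an inventory failure before it is a cryptography failure. The following is an added example, not code from the blog or from Advocate Health Care: a Python script that walks the device tree printed by `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` on Linux and lists every mounted filesystem with no dm-crypt layer beneath it. The JSON sample is constructed, and the device names and the `/mnt/patient-exports` mountpoint are assumptions for the demonstration.

```python
"""Audit which mounted filesystems sit on an encrypted (dm-crypt) block device.

Added example, not from the blog post or from Advocate Health Care. It parses
the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints on Linux; the
sample below is constructed so the script runs offline.
"""
import json
import subprocess
import sys

# Constructed lsblk output: sda2 is a LUKS container whose mapped device
# "cryptroot" holds /, while sdb1 is a plain NTFS partition holding exports.
SAMPLE_LSBLK = """{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
       {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
        "children": [
          {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}
        ]}
     ]},
    {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sdb1", "type": "part", "fstype": "ntfs", "mountpoint": "/mnt/patient-exports"}
     ]}
  ]
}"""


def walk(devices, encrypted=False):
    """Yield (mountpoint, encrypted) for every mounted node in the tree.

    'encrypted' becomes True once a node of type "crypt" (a dm-crypt mapping)
    is seen on the path from the physical disk, and stays True for its
    descendants; anything mounted above that layer is stored encrypted.
    """
    for dev in devices:
        enc = encrypted or dev.get("type") == "crypt"
        mountpoint = dev.get("mountpoint")
        if mountpoint:
            yield mountpoint, enc
        yield from walk(dev.get("children", []), enc)


def mount_encryption_map(lsblk_json):
    """Map each mountpoint to whether it is backed by a dm-crypt device."""
    tree = json.loads(lsblk_json)["blockdevices"]
    return dict(walk(tree))


def unencrypted_mounts(lsblk_json, ignore=("/boot", "/boot/efi")):
    """Mountpoints holding data on cleartext storage, excluding boot volumes,
    which cannot be encrypted by dm-crypt and hold no patient data."""
    return sorted(
        mp for mp, enc in mount_encryption_map(lsblk_json).items()
        if not enc and mp not in ignore
    )


def live_report():
    """Run the audit against the machine this script is executed on."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    findings = live_report() if "--live" in sys.argv else unencrypted_mounts(SAMPLE_LSBLK)
    for mp in findings:
        print(f"CLEARTEXT: {mp}")
    sys.exit(1 if findings else 0)
```

Run with `--live` on a fleet via your configuration-management tool and treat any non-empty result as a finding; on the constructed sample it reports only `/mnt/patient-exports`. The check is Linux-specific (Windows endpoints need `manage-bde -status`), and it only proves the block layer is encrypted: a machine that is powered on and unlocked still exposes the data to whoever walks off with it.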



September 23 start of Meaningful Use program’s Stage 2 now just weeks away

Up until now, the EHR incentive initiatives under the HITECH Act (enacted as part of the American Recovery and Reinvestment Act) have focused on facilitating healthcare’s shift from paper to electronic recordkeeping.  Stage 2 of the three-stage “Meaningful Use” program, which is intended to encourage patient engagement with the new electronic records systems, rolls out this fall.  To inspire healthcare providers’ creativity in devising means of enticing patients to participate, extra Medicare and Medicaid payments are available to organizations that meet specific criteria of success in their efforts.

See U.S. News & World Report article at “Helping Patients Stay Engaged in their Own Care: Will electronic record keeping make patients more willing to take part in keeping themselves healthy?”


Maryland HIPAA violations allegations result in $250K penalty for CVS

The state of Maryland’s Consumer Protection Division and CVS came to an agreement this week comprised of a $250,000 penalty as well as a corrective action plan that will include employee training and monthly audits of CVS stores in Maryland.  The state’s allegations included charges that CVS has been improperly disposing of protected health information.

View Maryland Office of the Attorney General announcement here.

See Baltimore Business Journal article at “CVS to pay Maryland $250,000 to settle expired products allegations”


Video interview: discussing the Affinity Health Plan photocopier data leak with LXBN TV

Following up on my recent post on the matter, I had the opportunity to speak with Colin O’Keefe of LXBN regarding Affinity Health Plan’s photocopier PHI leak. In the interview, I explain how the leak happened and what companies can do to make sure it doesn’t happen to them.


Minnesota draws on Scandinavian heritage in battle with modern-day trolls; states begin to address patent troll issue

In May 2013 the state of Vermont filed a complaint against alleged “patent troll” MPHJ Technology accusing it of violating the state’s Consumer Protection Act.  This week the Minnesota attorney general’s office announced a settlement with the company which it started investigating in 2012.  Terms of the Minnesota settlement include a fine as well as requiring MPHJ Technology to obtain permission from the attorney general before operating in the state in future.

While the Minnesota settlement does not directly relate to the HIT arena, the healthcare industry is watching this new development with interest, as the issue is one of growing concern among clients and other healthcare organizations.  Many healthcare clients have already reported aggressive tactics by patent trolls, as well as by companies that preface their “inquiries” with the announcement that they are not patent trolls.

We will continue to monitor this area for further developments.

See Washington Post article at “Minnesota settlement orders Delaware company to stop ‘patent trolling’”


Affinity to pay $1.2 million for photocopier breach

In 2010 CBS Evening News purchased a photocopier previously used by New York City area Affinity Health Plan and discovered patient-identifiable medical records on the device’s hard drive, which had never been erased.  The photocopier was one of approximately seven that Affinity sold or returned to leasing agents around the same time.  Affinity estimates the breach involved over 300,000 records and will be paying in excess of $1.2 million in a settlement agreement with the Department of Health and Human Services.

Via Modern Healthcare:

Healthcare organizations need to consider all kinds of digital devices, including photocopy machines, in examining their data security.

That’s the takeaway from HHS’ Office for Civil Rights announcement that Affinity, a managed-care plan serving the New York metropolitan area, will pay more than $1.2 million in a settlement agreement for a breach of personally identifiable health records under the privacy and security protections of the Health Insurance Portability and Accountability Act of 1996.


Northern California Sutter’s $1B EHR system down for a full day

The EHR system of Sacramento, California-based Sutter Health, which provides healthcare in over 100 towns and cities in the region, crashed on August 26, leaving physicians and other healthcare workers without access to patient records at numerous locations.

See Healthcare IT News article at “Setback for Sutter after $1B EHR crashes”


Unprecedented OCR settlement with WellPoint requires payment of settlement amount only

HHS Office for Civil Rights settlements have up until now required healthcare providers to pay a settlement amount and to implement a corrective action plan. OCR’s recent settlement with WellPoint breaks from this pattern.

See AIS Health article at “WellPoint Settles with OCR for $1.7 Million; No Corrective Action Plan Is Required”


HHS announces new HIE acceleration strategy

Much of the focus of the healthcare industry’s advance into the electronic era so far has been on converting patient information to electronic health records.  Now that progress is being made on that front, some of the emphasis is shifting to HIE, health information exchange.  This week the Department of Health and Human Services released “Strategy and Principles to Accelerate HIE [PDF – 714 KB]” intended to support delivery and payment reform, among other goals.

For more see:


Senate committee: EHRs don’t improve healthcare as much as they could

The U.S. Senate Committee on Finance heard testimony this week from industry representatives on EHR conversion’s impact on healthcare quality.  One concern voiced more than once was that metrics for measuring progress are not standardized across the industry, making it difficult to judge what success has been achieved.  Speakers expressed the opinion that while EHR conversion is not the only method of improving healthcare, it has tremendous potential to do so.

See Healthcare IT Newsweek article at “Senate hearing: EHRs still falling short.”


De-identified PHI records relatively easy to re-identify Harvard prof demonstrates

Harvard University professor Latanya Sweeney caused a stir in 1997 when she found the medical records of former Massachusetts Governor Weld in a redacted data set.  Her recent activities are really causing state governments to sit up and take notice.  She successfully re-identified the de-identified medical records of Washington state hospital patients — by combining the limited information available within the hospital data sets with publicly available information.

See Bloomberg News article at “Patients ID’d From Hospital Records Trigger State Reviews.”
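The linkage behind both of Professor Sweeney’s results is mechanical: a “de-identified” data set that keeps quasi-identifiers (her classic triple is ZIP code, birth date and sex) is joined against a public record, such as a voter list, that carries the same fields plus a name. The following is an added example, not the blog’s or Prof. Sweeney’s code; both tables are constructed toy data, and the names, ZIP codes and diagnoses are invented for the demonstration. It measures the extract’s k-anonymity over the quasi-identifiers, performs the join, and then shows that coarsening the quasi-identifiers until every equivalence class has at least two members leaves no unique match.

```python
"""Linkage re-identification of a 'de-identified' hospital extract.

Added example with constructed data; not code from the blog post or from
Prof. Sweeney. Quasi-identifiers follow her classic (ZIP, birth date, sex).
"""
from collections import Counter, defaultdict

QUASI = ("zip", "dob", "sex")

# Constructed "de-identified" discharge records: names removed, but the
# quasi-identifiers kept verbatim. ZIPs, dates and diagnoses are invented.
HOSPITAL = [
    {"zip": "02138", "dob": "1945-07-31", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1962-03-12", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "dob": "1962-03-12", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1980-11-02", "sex": "M", "diagnosis": "fracture"},
]

# Constructed public record (think: a purchased voter list) carrying names.
PUBLIC = [
    {"name": "W. Example", "zip": "02138", "dob": "1945-07-31", "sex": "M"},
    {"name": "J. Doe",     "zip": "02138", "dob": "1962-03-12", "sex": "F"},
    {"name": "A. Roe",     "zip": "02138", "dob": "1962-03-12", "sex": "F"},
    {"name": "B. Smith",   "zip": "02139", "dob": "1980-11-02", "sex": "M"},
    {"name": "C. Other",   "zip": "02139", "dob": "1980-11-02", "sex": "M"},
]


def qi_key(rec, quasi=QUASI):
    """The tuple of quasi-identifier values the join is performed on."""
    return tuple(rec[q] for q in quasi)


def k_anonymity(rows, quasi=QUASI):
    """Smallest equivalence class over the quasi-identifiers. k == 1 means at
    least one record is unique and can be singled out by anyone who knows
    that person's ZIP, birth date and sex."""
    return min(Counter(qi_key(r, quasi) for r in rows).values())


def link(hospital, public, quasi=QUASI):
    """Join hospital and public rows on the quasi-identifiers.

    A hospital record counts as re-identified only when its class in the
    hospital data is a singleton AND exactly one public name shares the key;
    two candidates on either side leave the match ambiguous.
    """
    names_by_key = defaultdict(list)
    for p in public:
        names_by_key[qi_key(p, quasi)].append(p["name"])
    class_size = Counter(qi_key(h, quasi) for h in hospital)
    hits = {}
    for h in hospital:
        key = qi_key(h, quasi)
        names = names_by_key.get(key, [])
        if class_size[key] == 1 and len(names) == 1:
            hits[names[0]] = h["diagnosis"]
    return hits


def generalize(rec):
    """One generalization step: keep the 3-digit ZIP prefix and suppress the
    birth date. An attacker sees only the generalized hospital data, so the
    public table is generalized the same way before linking."""
    g = dict(rec)
    g["zip"] = rec["zip"][:3] + "**"
    g["dob"] = "*"
    return g


if __name__ == "__main__":
    print("k =", k_anonymity(HOSPITAL), "re-identified:", link(HOSPITAL, PUBLIC))
    gh = [generalize(h) for h in HOSPITAL]
    gp = [generalize(p) for p in PUBLIC]
    print("after generalization: k =", k_anonymity(gh), "re-identified:", link(gh, gp))
```

On the toy data the raw extract has k = 1 and the join hands back one patient’s name and diagnosis; the fourth record survives only because two voters share its key, which is luck, not protection. After generalization every class has two members and the join returns nothing. The HIPAA Safe Harbor rule’s treatment of ZIP codes and dates is exactly this kind of generalization; what Sweeney’s Washington work shows is that state discharge data released under looser rules still carries enough quasi-identifiers for the raw join to work.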


Hackers post detailed ads online selling stolen health data

The lucrative stolen identity market is taking a new turn into health insurance data.  Those seeking a new identity can now obtain a full set of credentials including all the information and documentation needed to use someone else’s health insurance.

See Dark Reading article at “Hackers Hawk Stolen Health Insurance Information In Detailed Dossiers.”


Mostashari: EHR adoption progressing but we’re not out of the woods yet

In an address at the National Press Club this week Farzad Mostashari, National Coordinator for Health Information Technology, reviewed the healthcare industry’s progress in digitizing health records.  As mentioned in previous posts on this blog, physician adoption of EHRs continues to advance.  Mostashari quoted a recent study by the CDC’s National Center for Health Statistics which noted that adoption of at least some form of EHR system rose from 25% in 2010 to 72% in 2012.  The study further found, not surprisingly, that physician practices of 11 or fewer, as well as physicians aged 65 and over, have been digitizing their records at a slower pace.  HIT chief Mostashari predicts another big rush in EHR adoptions just prior to the October 2014 deadline for participation in the incentives program.

While Mostashari finds progress in EHR adoption heartening, he says there is still a long way to go as communication among EHR systems continues to pose a challenge.

For more see:
“More Doctors Adopt Electronic Health Records,” Kaiser Health News

“Report: Health IT Adoption in U.S. Sees Steady Increase, HIE Growing Pains Remain,” HL7 Standards


Physicians doubtful October 2014 transition from ICD-9 to ICD-10 realistic

In October 2014 all health care providers covered by HIPAA will be required to make the switch from ICD-9 (International Classification of Diseases, 9th Revision) to ICD-10.  ICD-9 is now 30 years old, and the United States is the only industrialized country that has not yet upgraded to ICD-10.  In a recent survey by the Medical Group Management Association, however, physicians expressed concerns regarding the costs of conversion and whether the technology will be in place in time to meet the deadline.

Via Modern Healthcare:

With 16 months left before the CMS expects the healthcare industry to flip the switch to ICD-10, physicians are still expressing significant worries with the readiness of the technology that has to be upgraded to pull it off. They’re also signaling resignation that the long-delayed conversion will really happen this time.

In a survey of more than 1,000 office-based physician practices by the trade group MGMA, more than half of the respondents indicated they were “very concerned” about the overall cost of the conversion to the new diagnosis and procedure codes, scheduled for Oct. 1, 2014.


Computer viruses in medical devices: who should bear the costs for combatting? FDA issues warning, takes action

Computer virus infections of medical devices continue to be a serious issue, keeping healthcare provider IT departments busy removing malware.  (See our October 2012 blog post “Computer viruses on hospital medical devices: a growing concern; possible solutions“).  The FDA has issued a warning regarding this threat, and is now asking, although not yet requiring, both healthcare providers and medical device manufacturers to take additional steps to heighten cybersecurity.

Via Modern Healthcare:

The Food and Drug Administration issued a notice on Thursday asking medical device manufacturers and healthcare facilities to introduce controls that would guard against cyberattacks on medical equipment and hospital networks.


EHR vendor loses ONC certification for two of its records systems

This week health care organizations were startled and not a little concerned to learn of the ONC’s unprecedented action with regards to a California health software company.  The agency is decertifying electronic health records systems which initially met ONC requirements for certification.

Via Modern Healthcare:

For the first time, the Office of the National Coordinator for Health Information Technology at HHS has revoked certifications for two electronic health-record systems, raising troubling questions about how physicians and hospitals should react if the government nixes a system they’re already using.

Federal officials require that doctors and hospitals use certified EHR systems in order to receive federal money to defray the cost of converting to EHRs. But on Thursday, the ONC said it decided to revoke certifications for two products on the market after anonymous complaints were lodged about the systems.


IT staffing shortage a chronic issue for health industry

The healthcare industry continues to face a greater deficit than ever in terms of qualified professionals to fill its ever-expanding information technology staffing needs.

Via Modern Healthcare:

Many U.S. healthcare companies – about 67% — report that they’re struggling to attract experienced information technology workers, according to a survey.

That’s compared with 10% that said they have problems attracting all workers, according to the “Towers Watson 2013 Healthcare IT Survey” (PDF).  Meanwhile, 38% of healthcare companies reported problems with retaining experienced IT workers, compared with 8% reporting problems retaining all types of workers.


“Health IT Law” blogger Steven J. Fox featured in “Healthcare Informatics” article

Negotiating favorable contracts with IT vendors requires skill and determination on the part of healthcare providers, on a playing field that currently favors vendors.  Blawger Steven J. Fox and three healthcare IT leaders share their insights in this in-depth article.

See Healthcare Informatics article at “Time for New Rigor on Vendor Contracts“.


CMS inaugurates new HIT information clearinghouse website and associated listserv

Looking for a central source of information on all the federal government’s initiatives to digitize the health industry? Try the Centers for Medicare & Medicaid Services’ new eHealth website (http://www.cms.gov/eHealth/).

Via Modern Healthcare:

The CMS launched the eHealth initiative this week as a central repository for information on the federal government’s digital record-keeping and electronic prescribing initiatives.

The page provides a central location to search the CMS site for details of the major digital health initiatives, including the $22 billion electronic health-record incentive program, the hospital inpatient quality reporting system and the e-prescription incentive program.


Health care digitization enriches software industry

The health IT industry’s pitch to Congress, and to the public, was that health care would be transformed through digitization, and that the shift to electronic records would result in huge health care savings.  Four years after the passage of ARRA and the HITECH Act, which included $19 billion in EHR incentives, it remains to be seen whether the federal government and the American public will see such benefits as reduced costs and improved levels of health care. Meanwhile, the software industry appears to be the big winner.

For more, see the New York Times article by clicking here:  “A Digital Shift on Health Data Swells Profits in an Industry“.


Health IT Law Blog Named to a List of Top Health Care Organizations

Our blog is proud to be featured in the Top 100 Health Care Organizations to Watch in 2013. The designation was published by MHAPrograms.org, a website that highlights the most prominent organizations and information resources across health care and health care administration. In addition to highlighting the blog’s authors, MHAPrograms.org specifically noted the diverse topics covered by the Health IT Law blog, including features on ARRA, HIPAA, HITECH Act and the related regulations, as well as privacy and security issues more broadly.

The complete article and list can be found here.


Family doctor EHR use up although use varies by location

The Annals of Family Medicine reports that although use of electronic health records has not increased significantly in all regions, it has risen dramatically nationwide in the last few years.

Via Modern Healthcare:

The number of family physicians who have adopted electronic health records has more than doubled since 2005, though wide geographic variations exist, according to a report in the Annals of Family Medicine.

Using census survey data from the American Board of Family Medicine maintenance of certification exam and the National Ambulatory Medical Care Survey, researchers predicted that the adoption rate could pass 80% by the end of the year.

In the NAMCS, adoption among family physicians grew to 66.4% in 2011 from 24.8% in 2005. Among physicians undergoing the ABFM’s maintenance of certification, adoption increased to 67.8% in 2011 from 28% in 2005.

The study notes “how federal efforts to increase adoption of EHRs have accelerated in recent years.” It adds that the federal government’s “triple aim” goals to improve population health and healthcare delivery while lowering costs “will require data sharing and exchange that transects all aspects of healthcare delivery and depend in part on widespread adoption of EHRs, particularly by office-based physicians.”

But geographic variations were identified in both data sets. Utah, at 94.9%, had the highest rate of adoption among family physicians seeking maintenance of board certification; while North Dakota had the lowest rate of adoption, 47.1%. For family physicians in the national ambulatory survey, Hawaii had the highest rate of adoption, 87.6%. North Carolina family physicians had the lowest, 44%.

The researchers wrote that there was “strong regional clustering for adoption.” They speculated that states’ commitment varied in their support for health IT funding mechanisms to promote EHR adoption, prescription drug tracking and quality data reporting. Other reasons that could explain the variation included differences in market penetration of health maintenance organizations and the presence of large integrated healthcare organizations.

By Andis Robeznieks

“EHR use up among family doctors, but varies by area,” Modern Healthcare (February 5, 2013)


Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Mostashari urges HIT vendors to conduct themselves ethically

Farzad Mostashari, National Coordinator for Health Information Technology, believes most HIT vendors operate in good faith.  At a recent meeting, however, Mostashari stated that he will be testing organized peer pressure as a means of bringing more ethically problematic vendors into line, in order to avoid having to develop onerous additional regulations.  He warned that he will impose more regulations if necessary.

See Healthcare IT News article at “Mostashari calls on vendors to play fair”.

Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Breaking: HHS releases final rule on HITECH Act provisions

HHS has announced a long-awaited omnibus final rule that implements a number of provisions of the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, commonly known as the “Stimulus Bill,” to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

We will update the blog with more analysis of the final rule, but, in the meantime, you can find the press release here. You can see a copy of the rule via Federal Register here.

Via HHS Press Release:

The final rule also reduces burden by streamlining individuals’ ability to authorize the use of their health information for research purposes. The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule.

The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.

Posted in HIPAA

HIPAA Transaction Rules Compliance Enforcement Delayed Until April 2013

The Centers for Medicare & Medicaid Services will postpone the start of HIPAA Transaction Rules compliance enforcement for 90 days, according to a recent announcement.

See CMS press release here. Via CMS website:

Today, the Centers for Medicare & Medicaid Services’ Office of E-Health Standards and Services (OESS) announced that to reduce the potential of significant disruption to the health care industry, it will not initiate enforcement action until March 31, 2013, with respect to HIPAA covered entities (including health plans, health care providers, and clearinghouses, as applicable) that are not in compliance with the operating rules adopted for the following transactions as required by the Affordable Care Act: eligibility for a health plan and health care claim status. Notwithstanding OESS’ discretionary application of its enforcement authority, the compliance date for using the operating rules remains January 1, 2013.

Industry feedback suggests that HIPAA covered entities have not reached a threshold whereby a majority of covered entities would be able to be in compliance with the operating rules by January 1, 2013. This enforcement discretion period does not prevent applicable HIPAA covered entities that are prepared to conduct transactions using the adopted operating rules from doing so, and all applicable covered entities are encouraged to determine their readiness to use the operating rules as of January 1, 2013 and expeditiously become compliant. Although enforcement action will not be taken, OESS will accept complaints associated with compliance with the operating rules beginning January 1, 2013. If requested by OESS, covered entities that are the subject of complaints (known as “filed-against entities”) must produce evidence of either compliance or a good faith effort to become compliant with the operating rules during the 90-day period. HHS will continue to work to align the requirements under Section 1104 of the Affordable Care Act to optimize industry’s ability to achieve timely compliance.

OESS is the U.S. Department of Health and Human Services’ (HHS) component that enforces compliance with HIPAA transaction and code set standards, including operating rules, identifiers and other standards required under HIPAA by the Affordable Care Act.

For copies of the operating rules for the eligibility for a health plan and health care claim status transactions, visit the Council for Affordable Quality Healthcare (CAQH) CORE website at http://www.caqh.org. Links to information on the operating rules for eligibility for a health plan and health care claim status are available at http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/Affordable-Care-Act/OperatingRulesforEligibilityandClaimsStatus.html


Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

Settlement of first small scale HIPAA breach announced by HHS

In a sign that HHS is serious about small data breaches, the Office of Civil Rights (OCR) and The Hospice of North Idaho reached a settlement agreement to resolve allegations of a 2010 breach involving 441 patient records. OCR Director Leon Rodriguez reminded the industry that every covered entity, regardless of size, must implement the privacy and security safeguards – including, e.g., encryption of protected health information on mobile devices – required under HIPAA, as amended pursuant to the HITECH Act.

This settlement comes at the same time as the OCR rolls out its new educational initiative aimed at securing protected data on mobile devices. You can learn more about this initiative here.

Via HHS Press Release:

The Hospice of North Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services’ (HHS) $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.  This is the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals.

The HHS Office for Civil Rights (OCR) began its investigation after HONI reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen in June 2010.  Laptops containing ePHI are regularly used by the organization as part of their field work.  Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI.  Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule.  Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

The Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to the Secretary of HHS and the media within 60 days after the discovery of the breach.  Smaller breaches affecting less than 500 individuals must be reported to the Secretary on an annual basis.

A new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information, has been launched by OCR and the HHS Office of the National Coordinator for Health Information Technology (ONC) that offers health care providers and organizations practical tips on ways to protect their patients’ health information when using mobile devices such as laptops, tablets, and smartphones.  For more information, visit www.HealthIT.gov/mobiledevices.

The Resolution Agreement can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.pdf

“HHS announces first HIPAA breach settlement involving less than 500 patients: Hospice of North Idaho settles HIPAA security case for $50,000,” HHS Press Release (January 2, 2013)


Posted in ARRA, Higher Ed, HITECH Act, News, Privacy & Security

HHS Inspector General: Medicare EHR incentive program lacks adequate safeguards against error and fraud

The HHS Inspector General this week reported the results of its recent investigation to “verify the accuracy of professionals’ and hospitals’ self-reported meaningful-use information, as well as eligibility and payment amounts.”  The investigation reviewed payments issued from May through December 2011, a period during which approximately $1.7 billion was distributed to almost 28,000 recipients.  The Inspector General’s office concluded that Medicare needs to improve its review process.

Link to report here.

Via Modern Healthcare:

The CMS and the Office of the National Coordinator for Health Information Technology at HHS need to tighten up their oversight of the Medicare EHR incentive payment program, according to HHS’ inspector general’s office.

The watchdog office, headed by Inspector General Daniel Levinson, offered a couple of recommendations for the agencies in its report, “Early Assessment Finds That CMS Faces Obstacles in Overseeing the Medicare EHR Incentive Program” (PDF). The report is based on audits of EHR incentive payment attestations, reviews of internal CMS and ONC documents about the program and interviews with CMS personnel. The inspector general’s office did not focus this time on the Medicaid portions of the program, although a previous report, issued in July 2011, did, focusing on 13 state-run Medicaid EHR incentive programs. The inspector general’s office also is conducting “a series of audits of Medicare and Medicaid EHR incentive payments” to “verify the accuracy of professionals’ and hospitals’ self-reported meaningful-use information, as well as eligibility and payment amounts.” No time frame for those audits was included in the report.

The inspector general’s review covered the early stages of the Medicare EHR incentive program, from when payments started flowing in May 2011 through December 2011. During that period, the program paid out about $1.7 billion to nearly 27,000 physicians and other eligible professionals and 668 hospitals, the report said.

The inspector general said that the CMS validates the presence of some required information and confirms some calculations provided by hospitals and providers. For example, “The validation checks that self-reported numerators and denominators calculate to required percentage thresholds and that all relevant yes/no measures were checked ‘yes,’ ” according to the report. However, the report continued, the CMS “does not verify that numerators and denominators entered for percentage-based measures reflect the actual number of patients for a given measure or that professionals and hospitals possess certified EHR technology.”

One “obstacle” the CMS faces in trying to get independent validation that what the providers are attesting to actually happened is that data from other sources—such as Medicare claims or private insurance data—is either incomplete for the task or unavailable.

The inspector general’s office notes that although the CMS is not required to perform prepayment verification, “doing so would strengthen its oversight of the anticipated $6.6 billion in incentive payments” the program is expected to shell out over its lifetime, which runs through 2016.

Regarding post-payment oversight, the inspector general noted that, so far, the CMS “has not yet completed any post-payment audits.” But the CMS has said it plans to use EHR-generated reports “to verify the accuracy of self-reported information where possible” and obtain supporting documents in instances where the reports don’t cover the audit subject matter—and this is where the ONC comes in for criticism.

The ONC oversees the rule writing, and the testing and certification programs to determine whether EHR technology qualifies for use in the Medicare EHR incentive payment program.

The CMS “cannot use EHR reports to verify all self-reported meaningful-use information because ONC does not require certified EHR technology to be capable of producing reports for all meaningful-use measures,” the inspector general’s report said. The ONC requires an EHR to write reports on the 30 percentage-based measures but not the 19 yes/no measures users also are required to attest to in order to get paid.

“EHR reports also do not contain information necessary for CMS to verify all percentage-based measures,” the inspector general’s report said, specifically noting that denominators for many of those measures include data from both paper-based and EHR systems.

The inspector general’s office recommended that the CMS beef up its prepayment assessment program, including by focusing on “high-risk” professionals and hospitals, asking them to “submit supporting documentation for prepayment review.”

It also recommended that ONC “improve the certification process” to ensure that certification bodies “comprehensively test EHR reports for accuracy as part of the certification process” as well as not rely on “vendor-supplied data” during the testing phase.

The CMS, in an Oct. 9 letter from acting Administrator Marilyn Tavenner, said prepayment audits were not necessary at this time, but concurred with another inspector general’s office recommendation to issue a guidance on proper provider documentation required for the program.

In a similar letter to the inspector general’s office dated Sept. 25, ONC chief Dr. Farzad Mostashari concurred with the inspector general’s office’s recommendation of testing a “yes/no” reporting functionality. He said he would ask his two advisory committees, the Health IT Policy and Standards committees, to make recommendations “on the appropriate scope and feasibility of a certification criterion focused on ‘yes/no’ reports.”

Mostashari also said the ONC has “already taken steps” to address a separate inspector general’s recommendation that it improve its EHR testing and certification program. Specifically, the OIG recommended that the national coordinator supplant vendor-supplied data used in the initial rounds of its certification tests with a standard data set to be used by all vendors.

Last fall, GE warned customers of two of its EHR systems for ambulatory-care providers that errors had been found in reports to support meaningful-use attestations. That incident was specifically mentioned in the OIG report, which added that the ONC’s certification process “did not identify these potential inaccuracies because the vendor-supplied test data did not account for the manner in which some professionals use the products.” Similar problems may exist with reports from other EHR products, the OIG report said, but it cited no other examples of report-writing failures.

In his letter, Mostashari said the updated 2014 edition testing and certification rules—which were released in February in conjunction with the CMS’ Stage 2 meaningful-use rules—contain “more rigorous testing requirements” that became effective Oct. 4, 2012. He said the ONC “will continue to migrate away from the exclusive use of vendor-supplied data.”

In a telephone interview, Mostashari said the GE report-writing problem was “old news.” Asked whether he was aware of any other incidents of EHR systems failing to produce accurate test reports, Mostashari said, “It’s really a CMS question.”

By Joseph Conn

“HHS inspector general: Medicare EHR program needs better oversight,” Modern Healthcare (November 29, 2012)


Posted in ARRA, Higher Ed, HITECH Act, News

3.8 million record breach in South Carolina: lessons learned

Hackers recently infiltrated South Carolina’s state tax records, absconding with the largest haul to date of Social Security numbers, credit and debit card numbers from a state agency. State officials describe how the theft was worked, and list enhanced security measures that could have prevented the attack.

See New York Times article at “South Carolina Offers Details of Data Theft and Warns It Could Happen Elsewhere”.

Posted in ARRA, Higher Ed, HIPAA, HITECH Act, News, Privacy & Security

EHR access lost during Hurricane Sandy

Hurricane Sandy this week tested East Coast health care systems’ electronic infrastructure.  Emergency preparedness plans were implemented fairly successfully for most health care facilities, allowing them to continue to operate adequately.  Others, however, were negatively impacted, including some which lost access to their EHRs.

It is absolutely critical that health care providers, even in areas which are not prone to massive weather-related disruptions, consider and implement backup plans for their IT systems. The crisis at NYU Langone Medical Center in Manhattan demonstrated just how dependent we are on electronic systems and power supply. It is imperative that the IT staff at each health care provider organization knows that its important software systems, including EHRs, are backed up, and that the organization’s data – including patient data – is readily available and is never lost due to a storm or an earthquake.


Power outages across New Jersey, New York and Pennsylvania forced some hospitals to evacuate and others to rely on backup generators in the wake of superstorm Sandy.

The powerful and massive storm, which reached the coast in southern New Jersey around 8 p.m. on Monday, is responsible for at least 35 deaths, the Associated Press reported.

One Manhattan hospital was forced to evacuate 300 patients hours after Sandy’s landfall when backup power failed. Evacuation of the New York University Langone Medical Center was complete by late Tuesday morning, a statement from the hospital said.

Meanwhile, plans to evacuate about 200 patients from Coney Island Hospital were underway early Tuesday afternoon, said Evelyn Hernandez, a spokeswoman for New York City Health and Hospitals Corp., which owns the hospital. Backup power was restored on Tuesday to Coney Island Hospital after it lost power during the storm. Most patients who depend on ventilators or other devices were evacuated ahead of the storm, but seven critically ill patients remained at Coney Island Hospital and relied on battery-supported ventilators during the power outage. Those patients were transferred elsewhere Tuesday morning.

In New Jersey, Palisades Medical Center, North Bergen, began evacuating 83 patients Tuesday morning, said Donna Leusner, a spokeswoman for the New Jersey Department of Health. Flood damage knocked out power to Palisades Medical Center, said a spokeswoman with Hackensack (N.J.) University Medical Center, where Palisades patients were transferred by National Guard troops after 9 a.m. on Tuesday. Hackensack University Medical Center was expected to accept 51 patients from Palisades Medical Center, Nancy Radwin, an HUMC spokeswoman said.

Approximately 30 New Jersey acute-care hospitals were operating on backup generators after the storm, said Kerry McKean Kelly, a spokeswoman for the New Jersey Hospital Association.

Eight Pennsylvania hospitals experienced power outages and were operating on backup generators on Tuesday, the state Health Department said.

North Shore-Long Island Jewish Health System reported that Glen Cove (N.Y.) Hospital, Huntington (N.Y.) Hospital, Plainview (N.Y.) Hospital, Syosset (N.Y.) Hospital and its Stern Family Center for Rehabilitation, Manhasset, were operating on backup power, as was one campus of the two-campus Staten Island University Hospital in New York City.

Also, Staten Island University Hospital could no longer access electronic health records after flooding on Monday disrupted power to the building where data is stored. Doctors continued to use paper records on Tuesday.

Other hospitals lost access to EHRs during the storm. Doctors at West Penn Allegheny Health System in Pittsburgh reverted to paper and written orders as the storm came ashore and damaged a data center in Mountain Lakes, N.J. Dan Laurent, a spokesman for the system, said Allegheny General and Western Pennsylvania hospitals, both in Pittsburgh, and the emergency room at Forbes Regional Hospital, Monroeville, could not access electronic medical records between 8:30 p.m. on Monday and 4 a.m. on Tuesday.


Posted in ARRA, Higher Ed, HIPAA, HITECH Act, News

Computer viruses on hospital medical devices: a growing concern; possible solutions

Medical device security experts report increasing issues with computer viruses on hospital medical devices. Problem sources include inconsistent and/or incompatible security measures, as well as outdated operating systems. The Government Accounting Office has sounded the alarm, requesting the FDA to address the matter.

See Forbes article at “Hospital Medical Devices ‘Rampant’ With Computer Viruses”.

Posted in HIPAA

Public-private group, eHealth Exchange, to oversee development of health info network

The HHS Office of the National Coordinator for Health Information Technology is passing management of the Nationwide Health Information Network to a coalition of public and private health care organizations.

Via Modern Healthcare:

Following last month’s announcement that “now is not the time” for formal regulation of a proposed network of health information exchanges, HHS’ Office of the National Coordinator for Health Information Technology said it is transitioning control of that network—known as the Nationwide Health Information Network—to a public-private partnership known as the eHealth Exchange.

According to an e-mailed news release, eHealth Exchange “represents ONC’s commitment to support health information exchange innovation in the private sector.” The partnership’s operations will be supported by Healtheway (PDF), a Richmond, Va.-based not-for-profit organization also founded as a public-private partnership.

These operations include conformance and interoperability testing, on-boarding of new participants in eHealth Exchange, and maintenance of operating policies and procedures, the service registry and digital certificates, according to the release.

In addition, the Chicago-based Certification Commission for Health Information Technology will participate in the effort’s compliance testing and will certify that interfaces between exchanges are “consistent across multiple states and systems,” according to a CCHIT news release.

More details will be announced at the New York eHealth Collaborative’s Digital Health Conference, scheduled for Oct. 15-16 in New York, the release stated.

By Andis Robeznieks

“ONC moves control of health info network to public-private group,” Modern Healthcare (October 11, 2012)


Posted in ARRA, Higher Ed, HIPAA, HITECH Act, News, Privacy & Security

Health education information incomprehensible to many; HHS program to rate EHR-linked education materials for “understandability”

Health education materials provided to health care consumers until now have commonly assumed a fairly high level of “health literacy” – a level which, research has shown, makes the materials inaccessible to about 77 million people.  HHS’ new program addressing this issue begins with the development of a system to rate health information as efforts are made to improve the quality of these materials.

Via Modern Healthcare:

HHS’ Agency for Healthcare Research and Quality is developing a rating system for the growing amount of health information directed at patients.

The agency’s Health Information Rating System, discussed in a Federal Register posting, will focus especially on patient data provided by electronic health records.

The agency’s notice stated that health education materials delivered by EHRs “are rarely written in a way that is understandable and actionable for patients with basic or below basic health literacy,” which includes about 77 million people. “Persons with limited health literacy face numerous healthcare challenges,” according to the AHRQ notice. “They often have a poor understanding of basic medical vocabulary and healthcare concepts.”

Agency officials expect the rating system to address that challenge by giving clinicians a method to determine the quality of the data their systems provide or that such resources are even available.

A draft version of the rating system was applied by researchers at AHRQ to sample education materials on asthma and colonoscopy and indicated some of the material had “low understandability or low actionability.” The agency plans to next use consumer panels to test the accuracy of the rating system.

Other related health literature activities planned by AHRQ include creating a library of patient health education materials, a review of EHRs’ patient education capabilities and education of EHR vendors and users.

By Rich Daly

“AHRQ developing consumer info rating system,” Modern Healthcare (October 8, 2012)

Posted in ARRA

Sharing EHR notes between providers and patients improves care, patient loyalty among other benefits

According to Annals of Internal Medicine, a new study found no disadvantages to health care providers sharing EHR notes with patients.

Via Kaiser Health News:

Doctors are required by federal law to provide patients with a copy of their medical notes upon request, but few patients ask and doctors generally don’t make the process easy.

When patients were offered online access, however, 90 percent read their doctors’ notes with some impressive results.


A study published in the most recent issue of the Annals of Internal Medicine found that 60 to 78 percent of patients who read their visit notes reported that they were more likely to take their medications as prescribed.  And their doctors reported that sharing their notes actually strengthened relationships with patients.

The study included 105 primary care physicians and 13,564 of their patients at Beth Israel Deaconess Medical Center in Massachusetts, Geisinger Health System in Pennsylvania and Harborview Medical Center in Washington, who participated  in a project called OpenNotes, in which patients were given electronic access to their files.

Study authors Tom Delbanco and Jan Walker of Beth Israel said they were surprised and delighted to find that patients who viewed their medical notes were more likely to take their medicines correctly. “Medication adherence is one of the greatest problems in health care,” said Delbanco, “yet flipping this switch seems to activate patients.”

As one patient explained, “having it written down, it’s almost like there’s another person telling you to take your meds.”

Patients also reported “an increased sense of control, greater understanding of their medical issues, improved recall of their plans for care, and better preparation for future visits,” the study authors write.

Despite concerns among participating physicians that sharing their notes would increase their workload, few of them reported longer visits or spent more time answering patients’ questions outside of visits.

One concern is that doctors may change the way they write their notes if their patients can read them. Since the same notes are shared with other doctors, this could have a clinical impact. As an example of a minor change, some doctors reported using “body mass index” in place of “obesity” to avoid offending their patients.

Blunt language, however, seems to have motivated some patients. “In his notes, the doctor called me ‘mildly obese,’” one patient commented. “This prompted my immediate enrollment in Weight Watchers and daily exercise. I didn’t think I had gained that much weight. I’m determined to reverse that comment by my next check-up.”

At the end of the experiment, nearly 99 percent of the participating patients wanted continued access to their visit notes. And all three participating hospital sites have decided to broaden patient access to their doctors’ notes.

“Our greatest hope is that this will become a standard of care,” said Walker. “We’re at a good time in history because more and more doctors and hospitals are getting electronic health records and putting up secure patient portals,” allowing many patients easy access to their records.

They add, however, that privacy implications could be enormous: 20 to 45 percent of patients reported that they shared their notes with others, including family and friends. A patient could also choose to post their notes on Facebook or Twitter. “The patient-doctor relationship is confidential,” explained Delbanco, “but whether it’s private is now up to the patient.”

By Jenny Gold

“For Patients, What A Difference A Note Makes,” Kaiser Health News (October 2, 2012)


Laptop theft costs Massachusetts provider $1.5 million in HHS settlement

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (MEEI) will be paying HHS $1.5 million in installments over three years for a 2010 incident.  It is worth noting that OCR also reached a $1.5 million settlement with Blue Cross Blue Shield of Tennessee (BCBST) earlier this year for a breach involving over a million patient records on stolen hard drives.  The MEEI data breach, on the other hand, involved only 3,621 patient records.

Regardless of OCR’s exact motives for such a high fine for such a significantly smaller scale breach, it is clear that OCR takes compliance with the HIPAA Privacy and Security Rules very seriously, especially in cases where patient data is stored on portable devices. It is also important to keep in mind that, as we pointed out after the BCBST breach, the $1.5 million settlement amount may well be exceeded by the costs and expenses associated with notification and credit monitoring expenses, as well as investigating and correcting this breach by MEEI.

Via Modern Healthcare:

HHS’ Office for Civil Rights announced that Massachusetts Eye and Ear Infirmary and its affiliated physician group, Massachusetts Eye and Ear Associates, agreed to pay $1.5 million to settle a HIPAA security-rule violation case.

The $1.5 million settlement with Boston-based Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, collectively known as MEEI, is part of a resolution agreement (PDF) with the Office for Civil Rights. MEEI’s alleged violations of the Health Insurance Portability and Accountability Act’s security rule stem from the reported 2010 theft of a laptop computer storing 3,621 patient records, according to HHS.


The Office for Civil Rights alleges that the infirmary and the group not only failed to secure data on the laptop but also failed to comply with several other HIPAA security-rule requirements, including performing “a thorough analysis of the risk to the confidentiality” of individually identifiable patient information stored on the portable device and not “adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices.” The term ePHI refers to electronic protected health information.

“In an age when health information is stored and transported on portable devices such as laptops, tablets and mobile phones, special attention must be paid to safeguarding the information held on these devices,” Office for Civil Rights Director Leon Rodriguez said in a news release. “This enforcement action emphasizes that compliance with the HIPAA privacy and security rules must be prioritized by management and implemented throughout an organization, from top to bottom.”

The settlement amount is to be paid in three equal installments of $500,000—the first on Oct. 15 of this year and the next two on the same date in 2013 and 2014.

The 17-page resolution agreement also requires the organization “to adhere to a corrective action plan” and permits an independent monitor to make semi-annual assessments of MEEI’s compliance with the plan for three years.

The American Recovery and Reinvestment Act of 2009 required the reporting to HHS of breaches affecting 500 or more individuals and the creation of a public accessible website listing the breaches. There are now 490 such self-reported breach incidents on the list, which is maintained by the Office for Civil Rights. Combined, those breaches exposed the records of more than 21 million individuals, according to the office.

The infirmary is on the list twice. A November 2009 incident involving 1,076 records stemmed from a police investigation into improper use of credit card information that led to the firing of two infirmary employees.

By Joseph Conn

“Mass. provider to pay $1.5 million in HIPAA settlement,” Modern Healthcare (September 17, 2012)


Tagging technique keeps more sensitive portions of an EHR more private

State and federal privacy laws rigorously restrict sharing of mental health and other highly sensitive patient records.  A technique called “data tagging” may be key in facilitating health care providers’ compliance with these requirements.

Via Modern Healthcare:

Using off-the-shelf content standards and messaging protocols, the Veterans Affairs Department and the Substance Abuse and Mental Health Services Administration of HHS have successfully demonstrated how to electronically tag mental health and other highly sensitive clinical records to help providers comply with stringent state and federal privacy laws limiting the sharing of those records without patient consent.

Development of the electronic patient-consent management system came in response to the VA’s and SAMHSA’s own needs to protect the privacy of patients under two federal medical record privacy laws that are more robust than the privacy rule under the Health Insurance Portability and Accountability Act.

The demo was part of a Data Segmentation for Privacy Initiative by the Office of the National Coordinator for Health Information Technology at HHS. It also answers a 2010 call by the President’s Council of Advisors on Science and Technology to use metadata tagging to enhance privacy while making medical data more readily available for research. A metadata tag provides information about the underlying data.

Tagging a patient’s record at the “granular” or data-element level enables patients to give consent to the exchange of some parts of their medical record—such as a diagnosis code for diabetes and a drug prescription for its treatment—but not other parts, such as the diagnosis of a sexually transmitted disease or a mental health counseling session.

“The bottom line is we’re trying to provide patients some ability to control what information is shared and make it easy on them,” said Mike Davis, VA project lead and Veterans Health Administration security architect.

Federal law applying specifically to the VA requires that, under typical circumstances, the VA must obtain a veteran’s consent before his or her medical records can be shared outside the organization. The VA also abides by another federal law that bars federally funded alcohol and drug treatment providers from sharing information about such treatment without patient consent. The latter law creates a consent requirement that sticks to and flows with the data, so that each subsequent provider to receive it also must obtain patient consent to disclose it elsewhere.

Privacy laws in several states also contain these sticky provisions, said Joy Pritts, chief privacy officer at ONC, who attended the demo in Baltimore this month during a conference sponsored by Health Level 7. The healthcare standards development organization has produced a classification and coding system to identify and constrain particularly sensitive information; the system was used by the VA and SAMHSA in the demo, as were the ONC’s Direct messaging protocols.

In the demonstration, a care summary was exchanged between providers for a patient enrolled in an alcohol and drug abuse treatment program. The VA/SAMHSA system tagged discrete elements of the record “do not re-disclose.”

One missing piece in the automated privacy protection scheme, however, is how to deal with dictated notes containing sensitive patient data. A text document could be constrained by tagging the entire document, Davis said, but that would need to be done by hand, whereas tagging of discrete data can be done by the system, which can sit as a layer between one provider’s EHR and another’s.

Patients can specify their wishes with computerized consent directives created online at home or on a provider’s computer system, he said.

Davis said there is no timeline for rolling out these functions across the VA, but the VA has several pilot sites running where the system is in daily use recording a veteran’s simple “yes/no” electronic consent directives for exchange of their records with outside providers.

Pritts said ONC has two additional pilots planned, one with the VA and one with private-sector providers.

“I think this can work for what’s called structure data—medications in the medication list, allergies in the allergies list, diagnostic codes in the problem list, lab test results, vital signs—that type of information,” said Daniel Gottlieb, a partner in the Chicago office of McDermott Will & Emery who heads the firm’s health information technology and data protection practice.

With the EHR systems used by providers today, “typically the technology doesn’t have the capability” to segregate those drugs on a medication list for a common ailment from those drugs to treat another, more sensitive one, such as a psychiatric condition, Gottlieb said.

“That leaves you with two options in the real world,” he said. “One is not to make that medication list available” outside the organization. “Or, you can take the position that providing high-quality care” is the greater good, “and just decide that you’re going to accept that legal risk.”

Gottlieb said many providers lean toward the latter, for instance if a patient is taking medication for a psychiatric disorder but also for a chronic condition such as diabetes. “There could be the potential for the adverse reaction between the psychiatric drug and some other drug,” prescribed either in the same hospital or by another provider. “I think most people think avoiding that reaction takes precedent over the privacy concern.”

By Joseph Conn

“Working with the rules: Data tagging allows selective sharing with EHRs,” Modern Healthcare (September 22, 2012)
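The element-level tagging and the “sticky” do-not-re-disclose obligation described in the article above, as an added Python model written for this post (it is not the VA/SAMHSA system or HL7’s actual code set; the category names, patient id and sample care summary are constructed):

```python
"""Element-level privacy tagging for a care summary (constructed toy model).

Each clinical element carries a sensitivity category; the patient's consent
directive says which categories may leave the organization; elements covered
by a sticky consent rule leave with a NO_REDISCLOSE obligation that a
downstream receiver must honour before forwarding them again.
Category names and sample data are constructed for this example; real
systems use HL7's confidentiality/sensitivity vocabularies instead.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Tuple

NORMAL, MENTAL_HEALTH, SUBSTANCE_ABUSE = "NORMAL", "MENTAL_HEALTH", "SUBSTANCE_ABUSE"
STICKY = {SUBSTANCE_ABUSE}       # consent requirement flows with the data
NO_REDISCLOSE = "NO_REDISCLOSE"  # handling obligation attached to sticky data


@dataclass(frozen=True)
class Element:
    section: str                 # e.g. "problems", "medications", "notes"
    value: str
    sensitivity: str = NORMAL
    handling: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class ConsentDirective:
    patient_id: str
    permitted: FrozenSet[str]    # categories the patient allows outward


def segment(elements: List[Element],
            directive: ConsentDirective) -> Tuple[List[Element], List[Element]]:
    """Split a summary into (released, withheld) per the directive.

    Released sticky-category elements are tagged NO_REDISCLOSE so the
    obligation travels with them. The withheld list is for the sender's
    own disclosure log and is never transmitted.
    """
    released, withheld = [], []
    for el in elements:
        if el.sensitivity not in directive.permitted:
            withheld.append(el)
            continue
        if el.sensitivity in STICKY:
            el = replace(el, handling=el.handling | {NO_REDISCLOSE})
        released.append(el)
    return released, withheld


def forward(received: List[Element], directive: ConsentDirective) -> List[Element]:
    """Downstream receiver re-disclosing data it obtained from another provider.

    Untagged elements pass here; NO_REDISCLOSE elements need the patient's
    fresh consent for that category at this receiver or they are dropped.
    """
    return [el for el in received
            if NO_REDISCLOSE not in el.handling or el.sensitivity in directive.permitted]


def tag_free_text(note: str, sensitivity: str) -> Element:
    """Dictated notes cannot be segmented automatically; the whole document
    is tagged at one level chosen by a human reviewer."""
    return Element("notes", note, sensitivity)


# Constructed sample summary: a patient treated for diabetes, depression
# and alcohol dependence (the medication-list case raised in the article).
SUMMARY = [
    Element("problems", "type 2 diabetes"),
    Element("medications", "metformin"),
    Element("problems", "major depressive disorder", MENTAL_HEALTH),
    Element("medications", "sertraline", MENTAL_HEALTH),
    Element("problems", "alcohol dependence", SUBSTANCE_ABUSE),
    Element("medications", "naltrexone", SUBSTANCE_ABUSE),
]


def demo() -> Tuple[int, int, int]:
    """Originator -> receiving provider -> third provider; returns counts."""
    # Patient lets the treatment-program data out (drug-interaction checking)
    # but not the mental-health entries.
    d1 = ConsentDirective("pt-001", frozenset({NORMAL, SUBSTANCE_ABUSE}))
    released, withheld = segment(SUMMARY, d1)
    # The second provider holds only a general consent, so the tagged
    # substance-abuse elements stop there.
    d2 = ConsentDirective("pt-001", frozenset({NORMAL}))
    return len(released), len(withheld), len(forward(released, d2))


if __name__ == "__main__":
    print(demo())  # (4, 2, 2)
```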


ONC: no caps on per-provider EHR incentive payments

National Coordinator for Health IT Farzad Mostashari has announced there is no cap on how much individual providers may receive in meaningful use incentive payouts, as long as they meet the requirements for the EHR incentive payments program.  According to the ONC, almost seven billion of the approximately twenty billion dollars in incentives allocated under the HITECH Act has already been distributed.

Via Healthcare IT News:

WASHINGTON – There are no set appropriations for how much the federal government can spend on rewarding providers who adopt and use electronic health records under the Medicare and Medicaid meaningful use EHR incentive program, according to National Coordinator for Health IT Farzad Mostashari, MD.

“Whoever qualifies, gets paid; there’s no hard cap,” said Mostashari, who gave a keynote at the Annual Policy Summit for the Health Information Management and Systems Society (HIMSS) on Wednesday.

Mostashari said the federal government estimates it will pay out around $20 billion in incentives before the program shifts to a penalty in 2015, but there is no fixed budget set in the HITECH Act that mandated the program. The government recently announced it has paid out nearly $7 billion since the program began in 2011.

The federal health IT czar said he couldn’t imagine health IT advancement – which enjoys widespread bipartisan support – losing the backing of Congress after the election, no matter the party in control.

It would be hard to picture Congress cutting or capping the program after doctors and hospitals have made major investments in health IT “on the good word of Congress,” he said.

An attendee of the HIMSS Policy Summit – a sort of pep rally for HIMSS members to promote HIT on the Hill – recommended that Congress all be encouraged to use Blue Button to access their personal health data. This would “crystallize quite clearly” where things stand with regard to health IT today. We need more time and support, the attendee said, and Mostashari and other attendees agreed.

Mostashari praised the meaningful use incentive program, noting that “we’ve made great steps.” He predicted that Stage 2, set to begin in 2014, will bring about even more “incredible progress.”

The use of electronic health records is “ultimately about population health,” Mostashari said. “You have to care more about the people who didn’t walk into your door, than those who did.” The meaningful use program is intended to go from measuring quality at the start, to accounting for population health. “That’s why doctors are doing what they’re doing, [and] that’s why we’re doing what we’re doing,” he said of federal regulators.

At a visit to the Cleveland Clinic recently, Mostashari said he observed health data exchanged between the clinic and other local facilities, using compatible coding that transferred the data easily. “They do it all day, every day,” he said. “So don’t tell us that exchange isn’t happening.”


Two years ago, the industry wasn’t there, he said of health information exchange. The patient information wasn’t packaged and ready to code medications and lab reports in the same record. But things have changed, Mostashari added. He praised the industry and the marketplace for pushing it forward.

The industry came together with a consensus and pilots and working groups, which resulted in the meaningful use Stage 2 rule, Mostashari said. “We’re light years ahead of where we could possibly have been in Stage 1,” he added, noting that he believes meaningful use Stage 2 will necessitate a push from the industry for health information exchange standards.

It will be important in the near future to tap into “the biggest underused resource – the patient,” Mostashari said. Providers will have to “be sticky,” and attract patients to their services because patients will no longer be limited to the provider that holds their health information.

Said Mostashari, speaking to doctors as a doctor: “We have to make them want to come to us.”

By Diana Manos, Senior Editor

“Mostashari: No cap on EHR incentive payouts,” Healthcare IT News (September 13, 2012)


ONC announces five organizations to serve as EHR certifiers

In preparation for the launching of ONC’s permanent EHR system testing and certification program, part of the EHR incentive payment initiative, ONC has authorized five groups as permanent EHR certifiers.

Via Modern Healthcare:

Even though the new regime for testing and certifying electronic health-record systems under the federal EHR incentive program won’t take effect until October—and testing against newly released criteria might not begin until year’s end—federal authorities have given five organizations the OK to certify software for that program.

HHS’ Office of the National Coordinator for Health Information Technology has authorized the Certification Commission for Health Information Technology, the Drummond Group, ICSA Labs, InfoGard Laboratories and Orion Register to serve as certification bodies under the EHR incentive payment program, according to ONC spokesman Peter Ashkenaz. The program was established by the American Recovery and Reinvestment Act.


C. Sue Reber, spokeswoman for one of the five, the Chicago-based CCHIT, said the news came in a conference call with the ONC on Tuesday.

In July, all five organizations were accredited by the American National Standards Institute as certification bodies and by the National Voluntary Laboratory Accreditation Program as accredited testing laboratories for EHR systems.

Back in January 2011, the ONC published a final rule creating permanent and separate EHR testing and certification programs for the incentive payment programs run by Medicare and state Medicaid agencies. The permanent programs replace a temporary testing and certification regime set up to get the EHR incentive program off the ground. Under the temporary program, EHR testing and certification functions were combined and performed by the same organizations.

Under the new regime, it is still possible for the same organization to perform both testing and certification, but the procedures to receive authorization to do both are now separate, and the organizations must maintain a “firewall” between those functions, according to the ONC, which has an explanation of the program on its website.

CCHIT will continue to offer testing and certification services under the temporary program until the Oct. 4 effective date of the permanent program, and after that will continue to test and certify systems under the initial, Stage 1 certification criteria.

New testing and certification criteria for what’s being called the 2014 edition were released in a new final rule by ONC last week. CCHIT said it would incorporate those new criteria into its programs “as soon as ONC releases approved testing procedures,” which are expected to be available at the end of the year.

“Five groups named permanent EHR certifiers,” Modern Healthcare (August 29, 2012)


Cybersecurity risk management by boards and senior executives: 12 recommendations

According to Forbes, a recent Carnegie Mellon study has found that corporate boards “are not actively addressing cyber risk management.”  The researchers collected data from corporations worldwide and across all industrial sectors, and found that while boards actively attend to risk management as part of their oversight, “there is still a gap in understanding the linkage between cybersecurity risks and enterprise risk management”.

The study’s report, well worth reviewing for its instructive if sometimes disturbing findings, concludes that by implementing the following twelve recommendations, boards and senior management can “significantly improve their organizations’ security posture and reduce risk”:


  1. Establish a board Risk Committee separate from the Audit Committee and assign it responsibility for enterprise risks, including IT risks. Recruit directors with security and IT governance and cyber risk expertise.
  2. Ensure that privacy and security roles within the organization are separated and that responsibilities are appropriately assigned. The CIO, CISO/CSO, and CPO should report independently to senior management.
  3. Evaluate the existing organizational structure and establish a cross-organizational team that is required to meet at least monthly to coordinate and communicate on privacy and security issues.  This team should include senior management from human resources, public relations, legal, and procurement, as well as the CFO, the CIO, CISO/CSO, CRO, the CPO, and business line executives.
  4. Review existing top-level policies to create a culture of security and respect for privacy.  Organizations can enhance their reputation by valuing cyber security and the protection of privacy and viewing it as a corporate social responsibility.
  5. Review assessments of the organization’s security program and ensure that it comports with best practices and standards and includes incident response, breach notification, disaster recovery, and crisis communications plans.
  6. Ensure that privacy and security requirements for vendors (including cloud and software-as-a-service providers) are based upon key aspects of the organization’s security program, including annual audits and control requirements. Carefully review notification procedures in the event of a breach or security incident.
  7. Conduct an annual audit of the organization’s enterprise security program, to be reviewed by the Audit Committee.
  8. Conduct an annual review of the enterprise security program and effectiveness of controls, to be reviewed by the board Risk Committee, and ensure that identified gaps or weaknesses are addressed.
  9. Require regular reports from senior management on privacy and security risks.
  10. Require annual board review of budgets for privacy and security risk management.
  11. Conduct annual privacy compliance audits and review incident response, breach notification, disaster recovery, and crisis communication plans.
  12. Assess cyber risks and potential loss valuations and review adequacy of cyber insurance coverage.

“Boards Are Still Clueless About Cybersecurity,” Forbes (May 16, 2012).

“Governance of Enterprise Security: CyLab 2012 Report — How Boards and Senior Executives Are Managing Cyber Risks” by Jody Westby, Carnegie Mellon CyLab (May 16, 2012)


EHR hackers turn to extortion

Hackers recently struck a small medical practice in suburban Chicago, encrypted the facility’s digital medical records, and then demanded a ransom payment in exchange for allowing the facility to regain access to its records. Medical industry observers note that this is not the first instance of this new type of criminal hacking activity.

This case should serve as a reminder to healthcare providers that, in addition to significant concerns regarding securing patient data from unlawful access, use or disclosure, such organizations should make sure that their patient data is backed up and accessible through more than one channel, in order to avoid a “hostage” situation like the one described below.

Via Bloomberg News:

As more patient records go digital, a recent hacker attack on a small medical practice shows the big risks involved with electronic files.

The Surgeons of Lake County, a medical facility in the northern Illinois suburb of Libertyville, revealed last month that hackers had burrowed deeply into its computer network, infiltrating a server where e-mails and electronic medical records were stored, Bloomberg.com reported on its Tech Blog.

Unlike many other data breaches, the hackers made no attempt to keep their presence a secret. In fact, they all but fired a flare to announce the break-in, taking the extreme step of encrypting their illicit haul and posting a digital ransom note demanding payment for the password.

The doctors turned the server off and notified the authorities, refusing to pay.
