Health IT Law Blog : Health IT Law Blog : Post & Schell: Law Firm : HIT & Electronic Health Records

The demo was part of a Data Segmentation for Privacy Initiative by the Office of the National Coordinator for Health Information Technology at HHS. It also answers a 2010 call by the President's Council of Advisors on Science and Technology to use metadata tagging to enhance privacy while making medical data more readily available for research. A metadata tag provides information about the underlying data.

Tagging a patient's record at the “granular” or data-element level enables patients to give consent to the exchange of some parts of their medical record—such as a diagnosis code for diabetes and a drug prescription for its treatment—but not other parts, such as the diagnosis of a sexually transmitted disease or a mental health counseling session.

“The bottom line is we're trying to provide patients some ability to control what information is shared and make it easy on them,” said Mike Davis, VA project lead and Veterans Health Administration security architect.

Federal law applying specifically to the VA requires that, under typical circumstances, the VA must obtain a veteran's consent before his or her medical records can be shared outside the organization. The VA also abides by another federal law that bars federally funded alcohol and drug treatment providers from sharing information about such treatment without patient consent. The latter law creates a consent requirement that sticks to and flows with the data, so that each subsequent provider to receive it also must obtain patient consent to disclose it elsewhere.

Privacy laws in several states also contain these sticky provisions, said Joy Pritts, chief privacy officer at ONC, who attended the demo in Baltimore this month during a conference sponsored by Health Level 7. The healthcare standards development organization has produced a classification and coding system to identify and constrain particularly sensitive information; the system was used by the VA and SAMHSA in the demo, as were the ONC's Direct messaging protocols.

In the demonstration, a care summary was exchanged between providers for a patient enrolled in an alcohol and drug abuse treatment program. The VA/SAMHSA system tagged discrete elements of the record “do not re-disclose.”

One missing piece in the automated privacy protection scheme, however, is how to deal with dictated notes containing sensitive patient data. A text document could be constrained by tagging the entire document, Davis said, but that would need to be done by hand, whereas tagging of discrete data can be done by the system, which can sit as a layer between one provider's EHR and another's.

Patients can specify their wishes with computerized consent directives created online at home or on a provider's computer system, he said.

Davis said there is no timeline for rolling out these functions across the VA, but the VA has several pilot sites running where the system is in daily use recording a veteran's simple “yes/no” electronic consent directives for exchange of their records with outside providers.

Pritts said ONC has two additional pilots planned, one with the VA and one with private-sector providers.

“I think this can work for what's called structure data—medications in the medication list, allergies in the allergies list, diagnostic codes in the problem list, lab test results, vital signs—that type of information,” said Daniel Gottlieb, a partner in the Chicago office of McDermott Will & Emery who heads the firm's health information technology and data protection practice.

With the EHR systems used by providers today, “typically the technology doesn't have the capability” to segregate those drugs on a medication list for a common ailment from those drugs to treat another, more sensitive one, such as a psychiatric condition, Gottlieb said.

“That leaves you with two options in the real world,” he said. “One is not to make that medication list available” outside the organization. “Or, you can take the position that providing high-quality care” is the greater good, “and just decide that you're going to accept that legal risk.”

Gottlieb said many providers lean toward the latter, for instance if a patient is taking medication for a psychiatric disorder but also for a chronic condition such as diabetes. “There could be the potential for the adverse reaction between the psychiatric drug and some other drug,” prescribed either in the same hospital or by another provider. “I think most people think avoiding that reaction takes precedent over the privacy concern.”

By Joseph Conn

“Working with the rules: Data tagging allows selective sharing with EHRs,” Modern Healthcare  (September 22, 2012)

Mostashari said the federal government estimates it will pay out around $20 billion in incentives before the program shifts to a penalty in 2015, but there is no fixed budget set in the HITECH Act that mandated the program. The government recently announced it has paid out nearly $7 billion since the program began in 2011.

[See also: "Government EHR incentives near $7B."]
 

The federal health IT czar said he couldn't imagine health IT advancement – which enjoys widespread bipartisan support – losing the backing of Congress after the election, no matter the party in control.

It would be hard to picture Congress cutting or capping the program after doctors and hospitals have made major investments in health IT "on the good word of Congress," he said.

An attendee of the HIMSS Policy Summit – a sort of pep rally for HIMSS members to promote HIT on the Hill – recommended that Congress all be encouraged to use Blue Button to access their personal health data. This would "crystallize quite clearly" where things stand with regard to health IT today. We need more time and support, the attendee said, and Mostashari and other attendees agreed.

Mostashari praised the meaningful use incentive program, noting that "we've made great steps." He predicted that Stage 2, set to begin in 2014, will bring about even more "incredible progress."

The use of electronic health records is "ultimately about population health," Mostashari said. "You have to care more about the people who didn't walk into your door, than those who did." The meaningful use program is intended to go from measuring quality at the start, to accounting for population health. "That's why doctors are doing what they're doing, [and] that's why we're doing what we're doing," he said of federal regulators.

At a visit to the Cleveland Clinic recently, Mostashari said he observed health data exchanged between the clinic and other local facilities, using compatible coding that transferred the data easily. "They do it all day, every day," he said. "So don't tell us that exchange isn't happening."

[See also: "Stage 2 MU released at last."]

Two years ago, the industry wasn't there, he said of health information exchange. The patient information wasn't packaged and ready to code medications and lab reports in the same record. But things have changed, Mostashari added. He praised the industry and the  marketplace for pushing it forward.

The industry came together with a consensus and pilots and working groups, which resulted in the meaningful use Stage 2 rule, Mostashari said. "We're light years ahead of where we could possibly have been in Stage 1," he added, noting that he believes meaningful use Stage 2 will necessitate a push from the industry for health information exchange standards.

It will be important in the near future to tap into "the biggest underused resource – the patient," Mostashari said. Providers will have to "be sticky," and attract patients to their services because patients will no longer be limited to the provider that holds their health information.

Said Mostashari, speaking to doctors as a doctor: "We have to make them want to come to us."

By Diana Manos, Senior Editor

“Mostashari: No cap on EHR incentive payouts,” Healthcare IT News (September 13, 2012)

“This story is so ironic -- most people worry that their health records will be spread all over their local newspaper,” said Dorothy Glancy, a professor at Santa Clara University’s law school who specializes in digital privacy. “But in this case, the doctors -- in fact, nobody -- can access these records.”

The Surgeons of Lake County isn’t the first health care provider to be targeted by extortionists. The incident, which was spotted by privacy blogger Dissent Doe in a federal database of health-related breaches, showcases an unsettling new strain of opportunism that is emerging as criminals try to exploit the industry’s shift to digital medical records.

Data Breach
The attackers’ choice of tactics, particularly the use of encryption, indicates a level of sophistication and targeting that suggests they knew what they were doing, said Rick Kam, president of ID Experts, a Portland, Oregon-based company that makes data-breach prevention technology and specializes in health care.

Based on the number of practices moving to electronic health records, “many more” of these types of breaches should be expected, Kam wrote in an e-mail.

Until now, medical-data blackmail has been a niche crime, largely because of the difficulty and risk involved. Spam and online bank fraud are easier ways for fraudsters to make money.

One case involved Express Scripts (ESRX), the large prescription- drug benefits manager, and a threat it received in 2008. Someone sent the St. Louis-based company personal information on about 75 of its members, including identification numbers and prescription records, and demanded an unspecified sum. The company refused to pay, and eventually told 700,000 customers that their information could have been exposed.

Patient Confidentiality
In 2003 and 2004, health care facilities came under fire for outsourcing their transcription chores when several California hospitals were blackmailed by their own workers in India and Pakistan.

The spiraling cost of health care and lack of insurance for millions of people have made medical identity theft a growing risk. Security and privacy risks are also emerging with the creation of “health information exchanges,” vast databases that states are setting up to handle electronic medical records.

It’s unclear whether the Illinois surgical center’s records were backed up or have been recovered. The organization declined to comment.

“Safeguarding every patient’s personal information is a top priority at the Surgeons of Lake County,” Scott Otto, the center’s president, said in a statement. “We are devoting significant people and technological resources to help protect patient confidentiality.”

For all of the benefits of making health records electronic, this incident highlights a downside, said Santa Clara University’s Glancy.

“This is a warning bell,” she said. “Maybe they’re the canary in the coal mine that unpredictable things can happen to data once it’s digitized.”

By Jordan Robertson

"Hacking Expecting [sic] To Increase As More Facilities Institute EHRs," Bloomberg News (August 10, 2012)
 

 <...>

The electronic exchange is not a repository of information, but a secure method for sharing up-to-date hospital discharge summaries, radiology reports and lab results. The idea is that during medical emergencies, physicians will be able to access the health histories of those under their care. It will also help specialists and primary care providers compile complete medical histories known as continuity-of-care documents.

"Md. health information exchange begins operation," Washington Post (October 18, 2010).

"Maryland health IT exchange launches," Baltimore Business Journal (October 12, 2010).

Bloomberg Business Week described some of the proposed safeguards:

However, any data exchange that involves a third-party does require specific and "meaningful" patient consent, the letter noted. Any such consent also needs to be transparently and easily revocable by the patient at any time, the panel said.

The letter also recommended further exploration of technologies that allow individuals to exercise more granular control over the data for instance permitting the exchange of certain kinds of health data, but not all.

Third-party service organizations should also not be allowed to collect, use or share personal health data for any purposes other what's specified in their service agreements, the panel recommended.

Third parties should also be required to retain personal health data only for as long as it is reasonably needed and should then be required to destroy the data, the panel said.

All third parties having access to patient health information also need to comply with the privacy and security requirements of HIPAA.

"Panel drafts privacy recommendations for health data exchanges," Bloomberg Business Week (August 19, 2010).

According to the Wall Street Journal's Washington Wire blog:

Patient privacy is the top priority,” Health and Human Services Secretary Kathleen Sebelius said. The agency is about to appoint a chief privacy officer, and the government has strengthen [sic] the penalties for negligent security breaches for companies so they reach up to $1 million.

"Electronic Medical Records get a boost," Washington Wire (February 12, 2010).

"Obama awards money for electronic medical records," Associated Press (February 13, 2010).

However, the study also found a high rate of increase of EMR use among U.S. doctors, rising from 28% to 46% from 2006 to 2009.  At the same time, only 26% of U.S. physicians were reported to have "advance electronic information capacity" (i.e., reporting use of more 9 - out of 14 - clinical IT functions such as e-prescribing and ordering tests, Rx alerts, clinical notes, and others).

The situation seems even more dire in Canada, where only 37% of physicians use EMRs, and only 14% have "advance electronic information capacity."

On the access, cost and quality of care issues, the Commonwealth Fund study found that:

More than half (58%) of U.S. physicians—by far the most of any country surveyed—said their patients often have difficulty paying for medications and care. Half of U.S. doctors spend substantial time dealing with the restrictions insurance companies place on patients’ care.

Only 29 percent of U.S. physicians said their practice had arrangements for getting patients after-hours care—so they could avoid visiting a hospital emergency room. Nearly all Dutch, New Zealand, and U.K. doctors said their practices had arrangements for after-hours care.

Twenty-eight percent of U.S. physicians reported their patients often face long waits to see a specialist, one of the lowest rates in the survey. Three-quarters of Canadian and Italian physicians reported long waits.

While all the countries surveyed use financial incentives to improve the quality of care, primary care physicians in the U.S. are among the least likely to be offered such rewards; only one-third reported receiving financial incentives. Rates were also low in Sweden (10%) and Norway (35%), compared with large majorities of doctors in the U.K. (89%), the Netherlands (81%), New Zealand (80%), Italy (70%), and Australia (65%).

Patients with chronic illness require substantial time with physicians, education about their illness, and coaching about treatment, diet, and medication regimens. Care teams composed of clinicians and nurses have been shown to be effective in providing care to people with chronic conditions and in improving outcomes. The use of such teams is widespread in Sweden (98%), the U.K. (98%), the Netherlands (91%), Australia (88%), New Zealand (88%), Germany (73%), and Norway (73%). It is less prevalent in the U.S. (59%) and Canada (52%), with France (11%) standing out on the low end.

You can find the Commonwealth Fund study here, and please be sure to take a look at the accompanying graphs here.

"A Survey Of Primary Care Physicians In Eleven Countries, 2009: Perspectives On Care, Costs, And Experiences," Health Affairs (November 5, 2009).

• American Medical News reported on the staffing changes for healthcare organizations necessitated by the nationwide switch to electronic health records. According to the article:

There are some assumptions about staff changes that are easy to make, experts say. Any job that was strictly paper-based prior to implementation, for example, will need to be overhauled or eliminated.

Other changes are not so easy to predict, and could depend on how willing your employees are to adapt and learn new skills.

• According to Crain's Detroit Business, urban hospitals lag behind rural hospitals and physicians' practices in joining health information exchanges (HIE's) because such HIE's pose a combination of monetary, strategic, and technological challenges.
   
• Washington Post reported on a pilot project in Ohio aimed at streamlining the cost of healthcare administration.  The state's eight major health insurers - representing 91% of the patients - have signed on to participate in this initiative.  The Post described the program as:

a single Web portal [that the participants] believe will reduce duplication, miscommunication, and confusion between doctors and insurance companies. That will mean quicker office and hospital service, more time for patient care, and, ultimately, cost savings, participants said.

• Healthcare IT News reported that -- according to e-prescribing company Surescripts -- "the number of physicians using electronic prescribing will have more than doubled in 2009 and that "more than 140,000 – 23 percent of all office-based physicians, nurse practitioners and physician assistants in the United States – are e-prescribing today."
   
• USA Today reported on the various hardships and setbacks to widespread implementation of EHRs.  The article ended on a somewhat hopeful note, with a great quote by Stephanie Reel, the CIO of Johns Hopkins University:

We've been saying that we're five years away from electronic medical records for the past 40 years ... Now maybe we really are only five years away.

"Meaningful" Progress Toward Electronic Health Information Exchange, David Blumenthal, MD (October 1, 2009).

"Specialists, primary care providers differ in meaningful use," Government HealthIT (October 6, 2009).

"Health IT effort to create thousands of new jobs, says Blumenthal," Healthcare IT News (October 6, 2009).

"How electronic medical records affect staffing," Amednews.com (October 5, 2009).

"Slow with the flow: Hospitals lag in joining health info exchanges," Crain's Detroit Business (October 4, 2009).

"Paperwork angst drives Ohio doctor, insurer effort," The Washington Post (October 5, 2009).

"More than 140,000 physicians on growing list of e-prescribers," Healthcare IT News (October 5, 2009).

"High-tech 'scribes' help transfer medical records into electronic form, " USA Today (October 7, 2009).