Pritts named first ONC Chief Privacy Officer

Joy Pritts, a researcher and faculty member at Georgetown University's Health Policy Institute, was named as the first Chief Privacy Officer for the Office of National Coordinator for Health IT.  This position was created pursuant to a provision in ARRA, last year's economic stimulus legislation.

In her new position, Ms. Pritts will advise Dr. Blumenthal on forming policies on privacy, security and data stewardship of electronic health information, as well as coordinate similar efforts on state, federal and international levels.

Ms. Pritts is a graduate of Oberlin College and Case Western Reserve University School of Law.  She has testified before Congress on data privacy issues, and served as a member of the Technical Advisory Panel for the multi-state Health Information Security and Privacy Collaborative (HISPC) and on the board of the National Governors Association’s State Alliance for e-Health.

According to Government Health IT:

Blumenthal said Pritts, who started her job Feb. 16, has extensive experience on all the issues that ONC grapples with. For instance, she was heavily consulted by members of Congress in legislating the HITECH health IT incentive law.

'So she has an understanding of the legislative process and a policy understanding, in addition to having worked for the government previously,' Blumenthal said in answer to a reporter’s question after a meeting of HHS’s Health IT Policy Committee.

'She has a combination of an understanding of government, understanding of the issues, and her legal background is very important – her research and policy qualifications,' he added.

"HHS appoints Joy Pritts chief privacy officer," Government Health IT (February 17, 2010).

Study finds big increases in physicians' online communications with patients

According to American Medical News (AMN), a new report by Manhattan Research states that online communications by physicians have increased by 14% since 2006.  The survey of 1900 physicians found that 39% of physicians use online communication tools such as email, secure messaging, or instant messaging.

Dermatologists lead all other surveyed practices in the volume of online communications, which, according to Girish Munavalli, MD, assistant professor of dermatology at Johns Hopkins University School of Medicine, can be attributed to "a lot of triage calls and calls for clarification of instructions" which come from dermatologists' large patient volumes. "This is perfect for short e-mail communication and reminders," added Dr. Munavalli.

Dermatologists are followed by oncologists, neurologists, endocrinologists, infectious disease specialists, and primary care physicians.

Of course, certain obstacles remain.  Some doctors abstain from using such technology because of liability worries, while many patients prefer in-person meetings because of concerns regarding privacy of their health information.  Still, the report suggests that this increase may be due to the growing comfort level and acceptance of online communication between physicians and patients.  And it may even indicate a larger trend of greater familiarity and use of other health-related technologies, such as EMRs and personal health records.

Graphic via AMN.  Source: "Physicians in 2012: The Outlook on Health Information Technology," Manhattan Research, January.

"Online contact growing between physicians, patients," American Medical News (February 15, 2010).

Rising numbers and costs of data breaches

There is little doubt that the healthcare industry must prepare for a growing number of data breaches, and for the expanding costs associated with them, particularly breaches of protected health information.  Here are just a few notable reports on this subject:

  • Infosecurity.com reported on a striking increase in attempts to hack into healthcare organizations, while the rate of hacking in other economic sectors remained flat:  "the last quarter of [2009] saw an average of 13,400 attempts to hack healthcare organizations, compared to an average of 6,500 in the first nine months."  According to researchers at SecureWorks, which produced the graph above, healthcare organizations are particularly vulnerable to such attacks because they "have to provide access to many external networks and web applications so as to stay connected with their patients, employees, insurers and business partners. This increases their risk to cyber attacks."
  • Cnet News reported on similar findings by the Ponemon Institute, whose survey concluded that "Data breaches at U.S. companies attributed to malicious attacks and botnets doubled from 2008 to 2009 and cost substantially more than breaches caused by human negligence or system glitches."  The cost per compromised record involving a criminal act averaged $215, about 40% higher than breaches from negligence and 30% higher than those from glitches, the Ponemon survey found.

There are also a couple of examples of individual healthcare organizations suffering from increasing costs associated with data breaches:

  • According to the Chattanooga Times Free Press (via iHealthBeat), BlueCross BlueShield of Tennessee announced that it has spent more than $7 million to respond to a security breach resulting from 57 hard drives having been stolen from its training facility, which may have compromised personal and health data of up to 500,000 members.  The $7 million tab does not appear to be the end of it:

The insurer has notified 220,000 BlueCross members about the data theft. The company also is offering no-cost credit-monitoring services for affected members. In addition, BlueCross is working to notify attorneys general in 32 states about the breach [pursuant to the HITECH Act].   <...>

BlueCross officials said 20,500 members already have signed up for the no-cost credit-monitoring services. In addition, the company has hired more than 700 contract and BlueCross employees to help determine what data the hard drives contained. The insurer said it might need to spend significantly more money to evaluate the missing data and provide additional identity protection services.

  • Considering the experience of BCBS of Tennessee, the costs associated with HealthNet's infamous data breach must be even higher. On top of providing two years of free credit-monitoring for hundreds of thousands of affected members, HealthNet is being sued by the state of Connecticut for HIPAA violations and noncompliance with HealthNet's own security policies by failing to encrypt the sensitive data.  The missing hard drive contained "27.7 million scanned pages of more than 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence and medical records."  Further complicating HealthNet's situation is the fact that the company waited for six months to inform the affected customers of the possible breach.

"Healthcare hacks on the rise," Infosecurity.com (January 26, 2010).

"Survey: Data breaches from malicious attacks doubled last year," cnet News (January 25, 2010).

"Tab for Response to Data Breach Hits $7 Million for BCBS of Tennessee," iHealthBeat (January 26, 2010).

"AG files suit in health data privacy breach," theday.com (January 13, 2010).

CBS News reports on EHR efforts

By popular demand, here is the video of David Pogue's report on the Obama Administration's efforts to digitize patient records in the U.S.

"Charting a New Course," CBS News (September 13, 2009).

New York Times interviews David Blumenthal

David Pogue, a reporter for the New York Times, posted the transcript of his interview with Dr. David Blumenthal, National Coordinator for Health IT. Mr. Pogue interviewed Dr. Blumenthal for a CBS news report on digitization of healthcare in America (the video is available after the jump).

Here are some highlights from the interview:

On current state of health IT in the US:

We found that about 17 percent of physicians in 2008 had adopted an electronic health record, and about ten percent of hospitals. <...> The rest is paper. It's basically the same system that physicians have used since Hippocrates, which is writing on some piece of paper.

On reimbursement penalties for those failing to achieve meaningful use by 2015:

From 2011 to 2015, there is a bonus. The Congress has put $45 billion on the table to ease physicians and hospitals into this new world of computerized medicine. After 2015, if you have not adopted, and you see Medicare or Medicaid patients, you may experience a penalty. 2015 is six years off. Six years is plenty of time for physicians to get themselves organized to put a record in place and avoid those penalties.

On cost of EMRs:

On average, the cost is between $40,000 and $50,000, of which about a third is the software and the hardware, about a third is the cost of getting it set up in the office, and about a third is maintaining it. Much of the expense is related to the cost of implementing and the cost of maintaining it over time.

On privacy and security:

Privacy and security are foundational to a modern health information system. You cannot get the computer into this business without assuring people that their information, their personal information, will be safe.

So we are looking at the best possible technical solutions, technical protections, to privacy and security. We want to make sure that we have looked at every opportunity for encryption, every security device that the best minds can think of, to make information safer. We've got it in other parts of the industry, but we don't have it for healthcare. So I think that's a very important agenda item for us.

<...>

There are two kinds of anxieties. One is that their data may be used for purposes that they haven't authorized it. So if they haven't authorized their personal data to be used for research, they don't want it for that purpose. And the way the law gets around that problem is by saying that information should be de-identified; that is, it should be abstracted from the record in a way that can never be traced back to that individual.

And then that information can be used for research on drug safety, or research on the value of particular treatments, or anything else that may be useful to human health.

There's another kind of fear, and that is the fear of the breach or break-in, or hacking. And there have been some examples of that.

That's where better encryption and better barriers to hacking are critical. And, you know, we have a new cybersecurity initiative that President Obama has put in process. It's well known that the security of information is a national need for defense purposes. It's also, I think, a very important need for this domestic policy purpose. So we want to work with that security initiative to know that we've taken advantage of everything that the federal government and the computer industry knows about how to keep records secure.

Finally, the big picture:

Well, it's a big challenge, it's an exciting challenge, and a historic challenge. There's nothing that's worth doing that's easy to do in life, and this is one of those.

But I really think that history is on the side of this activity. To be a 21st-century physician, to be a 21st-century hospital, we can't record data the same way the Greeks did in 500 B.C. We've gotta move to use the computer to support our work. And that's what we're trying to do.

There'll be bumps on the road. We're not gonna be perfect. We'll make mistakes. But I think the wind is at our back in terms of the historical trends. And we'll get there, sooner or later.

"Computerized Health Records," New York Times (October 15, 2009).

"Charting a New Course," CBS News (September 13, 2009).

HIT Standards Committee endorses privacy and security standards

On September 15, 2009, the HIT Standards Committee endorsed a set of privacy and security standards for electronic health record systems.
These standards will be recommended to Dr. David Blumenthal, the National Coordinator for Health Information Technology, as a basis for establishing the privacy and security criteria for, inter alia, "certified EHR technology" as defined under the HITECH Act.  Eligible healthcare providers must meet the criteria for "meaningful use" of "certified EHR technology" in order to qualify for significant incentives available under the HITECH Act.

The committee’s Privacy and Security Workgroup included access control, authentication, authorization and transmission of health data among the requirements that electronic health record systems must include by 2011 in order to meet the definition of "certified EHR technology."   Specifically for 2011, the Standards Committee approved the Workgroup's recommendation to require certified products to provide the capabilities necessary to support the HIPAA and ARRA security and privacy requirements and best practices for “meaningful use.”  The endorsed privacy and security standards will become more rigorous in 2013 and 2015.

You can find the spreadsheet of endorsed privacy and security standards here.

You can also view the presentation from the Workgroup here.

"Federal panel okays EHR security, privacy standards," Government Health IT (September 15, 2009).

HHS News: Interim Final Regulations on Breach Notification; Regional Office Privacy Advisors

On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA.

According to the HHS press release:

The regulations, developed by the HHS Office for Civil Rights (OCR), require health care providers and other HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.

You can find the text of the regulation here.

Stay tuned for more analysis of this important set of regulations on this blog. The interim final regulations are effective 30 days after publication in the Federal Register and include a 60-day public comment period.

Also, pursuant to Section 13403(a) of the HITECH Act, HHS Secretary Kathleen Sebelius designated an individual in each regional office of HHS (Regional Office Privacy Advisors) in order "to offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities related to the HIPAA Privacy and Security Rules."  The names, addresses, and contact information for each of the Regional Managers are listed here, together with a list of the States for which each Regional Manager has responsibility.

"HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information," HHS Press Release (August 19, 2009).

"Designation of Regional Office Privacy Advisors," HHS Press Release (July 27, 2009).

FTC Issues Final Breach Notification Rule for Electronic Health Information

Pursuant to the American Recovery and Reinvestment Act of 2009 (ARRA), the Federal Trade Commission (FTC) issued the final rule regarding notification requirements for breaches of electronic health information by vendors of personal health records and certain affiliated entities:

The rule applies to both vendors of personal health records – which provide online repositories that people can use to keep track of their health information – and entities that offer third-party applications for personal health records. These applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records. Consumers may benefit by using these innovations, but only if they are confident that their health information is secure and confidential.

<...>

The Final Rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. Entities covered by the rule must notify the FTC, and they may use a standard form, which can be found along with additional information about the rule at www.ftc.gov/healthbreach.

You can find the full text of the rule here.

"FTC Issues Final Breach Notification Rule for Electronic Health Information," FTC Press Release (August 17, 2009).

New York Times reports on privacy concerns about use of de-identified health information

The New York Times reported on Americans' growing concern regarding commercial use of their personal health information, especially the use of re-identified prescription drug information for marketing purposes.

The article points out correctly that the Recovery Act of 2009 (ARRA) included a few key changes to the present privacy regime, which would make it more difficult for pharmacies and data mining companies to use patient information for marketing or fundraising purposes.  While the new law (and the upcoming applicable HHS regulations sanctioned by ARRA) will close a few loopholes in the current medical privacy regime, data mining companies like IMS Health and Verispan do not seem to be overly worried about these new developments:

The law won’t shut down the medical data mining industry, but there will be more restrictions on using private information without patients’ consent and penalties for civil violations will be increased. Government agencies are still writing new regulations called for in the law.  <...>

IMS Health reported operating revenue of $1.05 billion in the first half of 2009, down 10.6 percent from the period a year earlier. [An IMS representative] said he did not expect growing awareness of privacy issues to affect the business.

The Times article also touches on a few other important areas of concern for privacy advocates: the effect of widespread adoption and use of electronic health records (EHRs) and personal health records (PHRs) on the privacy and security of patients' protected health information.

Interestingly, the article notes that while "Microsoft and WebMD acknowledge that the privacy rules in the stimulus law apply to them," "Google says the law’s prohibitions do not apply to it, except for its duty to report any breaches of medical privacy."  According to a Google spokeswoman, "Google is bound by the privacy policy that people agree to when they sign up."  Right after the enactment of the Recovery Act, Google claimed that the additional privacy rules included in the ARRA did not apply to its PHR products.  However, Google acknowledged the applicability of ARRA's data breach notification requirements a few months thereafter.  This quote in the Times may reintroduce, if not underscore, Google's ambiguous attitude toward applicability of the new privacy and security rules.

"And You Thought a Prescription Was Private," The New York Times (August 9, 2009).

New York Times reports on the growing threat of medical identity theft

The New York Times reported today on the growing threat posed to patients and consumers by medical identity theft.  The article rightfully notes that this threat may only become more prominent with the widespread adoption of electronic health records technology championed by the Obama Administration.

According to the Times, over 250,000 Americans are victims of medical identity theft each year, and this number does not include those who are not yet aware that they are victims of such identity theft.  The article profiled one case of medical identity theft, that of Brandon Sharp, a 37-year-old manager at an oil and gas company in Houston:

In Mr. Sharp’s case, someone got hold of his name and Social Security number and used them to receive emergency medical services, which many hospitals are obliged to provide whether or not a person has insurance. Mr. Sharp still does not know whether he fell victim to one calamitous perp who ended up in several emergency rooms or a ring of accident-prone conspirators.

The article continued:

In another variant of the crime, someone can use stolen insurance information, like the basic member ID and group policy number found on insurance cards, to impersonate you — and receive everything from a routine physical to major surgery under your coverage. This is surprisingly easy to do, because many doctors and hospitals do not ask for identification beyond insurance information.

Even more common, however, are cases where medical information is stolen by insiders at a medical office. Thieves download vital personal insurance data and related information from the operation’s computerized medical records, then sell it on the black market or use it themselves to make fraudulent billing claims.

The new privacy and security regulations included in the HITECH Act are aimed at increasing protections for the privacy of patient information (e.g., new accounting and reporting rules, as well as rules regarding access to and accuracy of a patient's record).  HHS has yet to issue some of the regulations implementing these privacy and security requirements.

Finally, the Federal Trade Commission's "Red Flags Rule" is aimed at preventing medical identity theft.  In fact, one of the FTC's suggestions to healthcare organizations for identity theft prevention is to institute a practice of checking patients' ID before providing services to them.

"Your Medical Problems Could Include Identity Theft", New York Times (June 12, 2009).

Sears settles FTC claims regarding its online tracking software

On June 4, 2009, Sears Holdings Corporation (Sears) settled its dispute with the Federal Trade Commission (FTC) regarding Sears's controversial online tracking software.  Sears paid its customers $10 to join "My SHC Community" and download software which would track participants' online behavior.  However, the FTC alleged that Sears did not adequately disclose the enormous scope of information Sears collected on the participants:

<...> Sears represented to consumers that the software would track their “online browsing.” The FTC charges that the software would also monitor consumers’ online secure sessions – including sessions on third parties’ Web sites – and collect information transmitted in those sessions, such as the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based e-mails. The software would also track some computer activities that were not related to the Internet.

Sears did disclose the full extent of what information it would monitor, but only "in a lengthy user license agreement, available to consumers at the end of a multi-step registration process", which the FTC deemed to be inadequate.

Under the settlement, Sears is required to destroy the data collected under this program, and to "clearly and prominently disclose the types of data the software will monitor, record, or transmit" if Sears advertises or disseminates any tracking software in the future.  The FTC also required Sears to make such disclosure prior to installation of the software and separate from any user license agreement; and disclose whether any of the data will be used by a third party.

"Sears Settles FTC Charges Regarding Tracking Software", FTC press release (June 4, 2009).
"Sears settles with FTC in privacy flap", Reuters (June 4, 2009).

California fines Kaiser hospital $250,000 for violations of patient privacy

As we mentioned earlier, Kaiser Permanente fired fifteen employees (and disciplined eight additional employees) for looking at the medical records of Nadya Suleman, the mother of octuplets commonly referred to as "Octomom."

On May 14, 2009, California authorities fined Bellflower Hospital, the Kaiser facility where Ms. Suleman was treated, $250,000, the maximum allowed under California's new patient privacy law. The law allows the California Department of Public Health to impose fines against healthcare facilities of up to $25,000 per patient for the first violation and $17,500 for each additional violation, up to $250,000.

While the spokesperson for Kaiser argued that the healthcare provider "took numerous steps to prevent" violations of Ms. Suleman's privacy, state officials maintain that such steps were insufficient:

The steps Kaiser took to protect Suleman's privacy were not aggressive enough, Billingsley and other state health officials said.

"It's the hospital's job to prevent these breaches from occurring, not just crack down after the fact," said Kim Belshé, secretary of California's Health and Human Services.

Governor Schwarzenegger supported this development:  "The fine issued today should be a reminder that there are consequences for violations of medical privacy."

"Kaiser hospital fined $250,000 for privacy breach in octuplet case", Los Angeles Times (May 15, 2009).

Steve Fox on the ARRA privacy requirements

In an interview with Thompson's Compliance Information Center, Steve Fox urged healthcare providers to begin the compliance process to meet the new data privacy and security requirements imposed under the American Recovery and Reinvestment Act of 2009:

“The main message for providers is that ARRA is not something they can wait until next year for,” said Steven J. Fox, Esq., a partner at the law firm Post & Schell in Washington D.C. and co-author of the Guide to Medical Privacy & HIPAA.  Although Fox does not advise covered entities to completely overhaul their HIPAA compliance programs before HHS issues regulations, he does say they should begin reviewing all of their current privacy and security policies and procedures and comparing them with the new ARRA requirements. Entities should conduct “a thorough self analysis to determine where they stand.”

Covered entities also should train their staff so they understand the importance of privacy and security. Under ARRA’s new penalty provisions, there is an increased potential of significant fines being levied, so entities should prepare by readying their staff for new requirements.

“People need to be trained and retrained to understand how their jobs are changing” as a result of the ARRA privacy and security provisions, Fox said. But, he cautioned “it is premature to do an overhaul of training programs” right away. “Someone needs to revise the whole compliance training program to include all of the ARRA changes — but not too far in advance before the changes are required,” he said.

This interview also headlined IAPP's Daily Dashboard briefing on April 16, 2009.

Deloitte Publishes Healthcare Consumer Survey Findings

Deloitte published the results of its 2009 survey of more than 4,000 healthcare consumers, and the findings included some good news for the healthcare IT industry:

  • 9% of consumers have an electronic personal health record (PHR), but 42% are interested in creating one connected online to their physicians.  This leaves much room for growth for companies like Microsoft and Google which offer a PHR product.
  • 55% want the ability to communicate with their doctor via email to exchange health information and get answers to questions, and 57% would be interested in scheduling appointments, buying prescriptions and completing other transactions online if their information is protected.
  • 4 in 10 favor increasing government funding and incentives to support adoption of electronic medical records by doctors, hospitals and health plans.

However, consumers remain worried about the privacy and security of their personal health information, with 38% of those surveyed being "very concerned" as opposed to 24% who are not concerned at all.  Sixty percent support the government establishing standards "for how medical information is collected, stored, exchanged and protected."

The full survey findings can be downloaded here.

"Deloitte Survey Finds Healthy Consumer Demand For Electronic Health Records, Online Tools and Services", PRNewswire.com, April 6, 2009.

"2009 Survey of Health Care Consumers: Key Findings, Strategic Implications", Deloitte Center for Health Solutions, released April 2009.

In the news: CVS and Google; Connect Open Source Software; and more

  • CVS pharmacy customers now have the ability to download their prescription and medication histories to Google Health accounts after CVS and Google expanded their partnership.  Patients at CVS' walk-in MinuteClinics are also able to add summaries of their visits to their Google Health accounts.  It would be interesting to find out if CVS and Google ever executed a Business Associate Agreement.  After the enactment of the HITECH Act, Google famously maintained that its personal health records product is not subject to the new legislation and certain privacy and security provisions under HIPAA.  ("CVS-Google Health pact now includes drugstores", AP, April 6, 2009.)
  • The federal government released Connect, an open source software package which allows public and private entities to share health information via the National Health Information Network.  The source code is free to download (the code and its documentation are available here), but organizations choosing to acquire and use this product will be responsible for the costs associated with the installation and maintenance of Connect.  The Social Security Administration, Department of Defense, Veterans Affairs, and the CDC are among the many government agencies already using this software for health information exchange.  ("NHIN software released to open-source community", Government Health IT, April 7, 2009.)

  • This Business Week article analyzes the various data privacy and security concerns facing health care providers and patients alike.  ("Putting Patient Privacy in Peril?", Business Week, April 6, 2009.)
  • The New York Times reports that New York-Presbyterian Hospital became "the first large institution to move beyond the pilot stage this week as it begins to offer consumer-controlled health records for patients... New York-Presbyterian has been working with Microsoft for more than a year, not only on technical matters but also ease-of-use concerns with patients. The introduction will be gradual, beginning with heart patients, who will be told of the potential benefits of personal health records when they visit a New York-Presbyterian hospital or outpatient clinics."  Once again, it would be very interesting to find out if NYP and Microsoft signed a Business Associate Agreement, or if Microsoft acknowledged whether it is now subject to certain privacy and security provisions under HIPAA.  ("A Hospital Is Offering Digital Records", New York Times, April 5, 2009.)

Risk Prevention/Management Advice to Hospitals Regarding Document-Sharing Technology

Hospitals, multi-hospital systems, and integrated healthcare delivery systems are increasingly utilizing data-sharing technology to communicate with, and share documents among, their officers and directors.

For example, some healthcare business enterprises use online services to upload documents to a “secure” Internet web site for Board members’ review prior to Board meetings, in lieu of sending out such documents via e-mail or in paper form. Healthcare business enterprises using such services need to be aware of many potential security and privacy risks inherent in transmitting, uploading and storing sensitive, confidential or even proprietary information via the Internet.

Communications to a hospital Board may include:

  • Confidential information regarding the hospital’s operations or personnel;
  • Data on non-public commercial and financial affairs of the hospital;
  • Legally privileged information regarding law suits on behalf of or against the hospital; and
  • Confidential and privileged peer review materials, including protected health information (PHI, as defined under HIPAA) of the hospital’s patients.

Prior to acquiring or using such data-sharing technology, healthcare business enterprises should make sure that the software is secure and that both the enterprise and the service provider use appropriate physical and technical security safeguards to protect personal and otherwise protected information. There is no one fail-safe approach to implementation and operation of data-sharing technology, and such technology should be customized to fit the enterprise’s needs and requirements. However, at minimum, preliminary precautions should include:

  • Knowing exactly what information is being distributed, via what channels (e.g., whether it is contained on a laptop, another portable device or on the network);
  • Avoiding access, storage, sharing, or use (including downloading, printing, or emailing) of information from or via unsecured home-office computers or mobile devices;
  • As much as possible, limiting the unencrypted sensitive data being transmitted;
  • Avoiding use of actual personal or confidential data in testing of the software;
  • Implementing access control checks, including restricting access to essential personnel only;
  • Using intrusion detection technology or procedures to quickly detect any unauthorized access; and
  • Training and educating all relevant personnel and all persons with access to such information regarding the enterprise’s data privacy protection policies and procedures.
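As an added example (not from the original post), the access-control and intrusion-detection precautions above in Python: a deny-by-default read check for a board document portal, an audit trail of every attempt, and a detection procedure that flags accounts with repeated refused reads. The roles, document classes, user names and policy are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set
# Document classes taken from the post's list of board communications.
CLASSES: Set[str] = {"operations", "financial", "legal_privileged", "peer_review_phi"}

# Least privilege: each role reads only the classes it needs (constructed policy).
ROLE_ACCESS: Dict[str, Set[str]] = {
    "board_member": CLASSES,
    "finance_staff": {"financial"},
    "it_admin": set(),  # runs the portal but has no business need to read board papers
}

@dataclass
class AuditEvent:
    user: str
    doc_class: str
    allowed: bool

@dataclass
class Portal:
    users: Dict[str, str]  # user -> role
    audit: List[AuditEvent] = field(default_factory=list)
    def can_read(self, user: str, doc_class: str) -> bool:
        """Deny by default: unknown users, roles or document classes are refused."""
        role = self.users.get(user)
        if role is None or doc_class not in CLASSES:
            return False
        return doc_class in ROLE_ACCESS.get(role, set())

    def read(self, user: str, doc_class: str) -> bool:
        """Every read attempt, allowed or refused, lands in the audit trail."""
        allowed = self.can_read(user, doc_class)
        self.audit.append(AuditEvent(user, doc_class, allowed))
        return allowed

def repeat_denials(audit: List[AuditEvent], threshold: int = 2) -> Dict[str, int]:
    """Detection procedure: users with `threshold` or more refused reads."""
    counts: Dict[str, int] = {}
    for ev in audit:
        if not ev.allowed:
            counts[ev.user] = counts.get(ev.user, 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}

def run_sample() -> Dict[str, int]:
    """Constructed sample: an admin account probing papers it has no need to see."""
    p = Portal(users={"alice": "board_member", "bob": "finance_staff", "carol": "it_admin"})
    for user, cls in [("alice", "peer_review_phi"), ("bob", "financial"), ("carol", "financial"),
                      ("carol", "legal_privileged"), ("mallory", "operations")]:
        p.read(user, cls)
    return repeat_denials(p.audit)  # {"carol": 2}
```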

In order to protect your healthcare business enterprise, your Legal and IT teams should negotiate an agreement with the service provider which, at minimum, includes the following provisions:

  • A warranty from the service provider that their product is safe, secure, and complies with all applicable privacy and security standards; 
  • A requirement for the software provider to comply with your institutional privacy and security policies, as well as all applicable laws and regulations;
  • An explicit prohibition on the service provider using, communicating, divulging, exploiting, duplicating, distributing, publishing, reproducing, transferring, disposing of, recreating, modifying, or creating derivative works based upon your enterprise's information, or otherwise revealing it or making it available to any third party, directly or indirectly, for any purpose, except as provided in such contract; and
  • Indemnification, remedies, limitation of liability, and other provisions protecting your business enterprise against any damages resulting from a data breach or loss, in instances where such breach or loss is caused by the purchased software or the service provider.

Finally, the agreement with the service provider should include a Business Associate Agreement (BAA, as defined under HIPAA); however, please keep in mind that the BAA should acknowledge the changes mandated by the recent American Recovery and Reinvestment Act of 2009, as well as numerous new regulations to be promulgated by the Secretary of Health and Human Services under this Act.

In the news: "Octomom" privacy breach at Kaiser Permanente; uptick in HIT stocks; and more

  • After what has become a rather typical breach of patient privacy for Southern California, Kaiser Permanente fired fifteen employees (and disciplined eight additional employees) for looking at the medical records of Nadya Suleman, the mother of octuplets commonly referred to as "Octomom".  Previously, similar breaches occurred at UCLA when that medical center's staff leaked celebrities' medical records to the tabloids.  (MercuryNews.com, via AP, March 30, 2009.)
  • The Wall Street Journal reported last week that HIT stocks, especially smaller companies like eClinicalWorks (which provides the software component of Wal-Mart's new EHR package), will benefit greatly from the billions of dollars in HIT funding included in the stimulus bill.  Also, in another sure sign of a growing industry, Quality Systems, the maker of the NextGen EHR software, is "beefing up its sales force." ("Stimulus Funds for E-Records Augur Big Windfall for Small Health Firms", Wall Street Journal, March 24, 2009.)
  • A new bill has been introduced in the Pennsylvania Senate that would ban businesses from collecting personal data from driver's licenses.  This should also serve as a good reminder for businesses not to collect or store more information than absolutely necessary.  (Pennlive.com, March 30, 2009.)
  • Perot Systems will launch a new service tomorrow (April 1, 2009) to help hospitals achieve "meaningful use" status under HITECH, geared towards meeting the interoperability and standardization requirements for HIT use.  (Healthcare IT News, March 30, 2009.)