Here's a thought. When it comes to privacy and security, all patient information is equal.
This isn't a new idea, of course.
I have a copy of the Oath of Hippocrates on my wall. It says, “Whatever … I may see or hear … which ought not be spoken abroad I will not divulge, as reckoning that all such should be kept secret.”
In the U.S., however, that's all Greek to the feds and many states. They have created legal gradations of health information sensitivity. Patient information about mental health, drug and alcohol abuse treatment and HIV/AIDS, for example, is earmarked for special treatment, particularly when it comes to health information exchange.
Typically, U.S. laws specifically require patient consent before "sensitive" information can be shared, even between doctors and hospitals, whereas, under the HIPAA privacy rule as revised by HHS in 2002, patient consent is no longer required for most sharing of other types of health data.
So, it was refreshing to visit with Dr. David Levin last week at a health IT leadership forum here in Chicago hosted by Microsoft.
“I'm a little bit of a contrarian,” said Levin, a board certified family practitioner and full-fledged geek doc. He is the chief medical information officer at the Cleveland Clinic.
Professionally speaking, I am a connoisseur of a certain kind of crankiness.
I like to listen to people who don't like the deal we've been handed and are willing to grump about it.
Decorum may make the world turn smoothly, but noisy people make it change. Often, they also make my job more fun.
A lot of people in leadership pay lip service to the ideal that they're open to new ideas, but we all know from experience that many are not.
In the magazine this week are short profiles on four of the squeakiest wheels in healthcare information technology—three physicians and a researcher with a doctorate in sociology. They are Dr. Lawrence Weed, Dr. Scot Silverstein, Dr. Deborah Peel, and Ross Koppel, Ph.D.
Each is a self-professed fan of health information technology, but each has bones to pick with current systems and practices.
It should be an outrageous number—80,000 breaches—but crazy as it seems, that huge number might be a sign of progress.
I interviewed a group of health IT security specialists last week for a story we published about breaches and encryption.
This year, it seems, the Healthcare Information and Management Systems Society is taking a more subtle approach to lobbying for privacy and security regulation.
During its annual Health IT Week lobbying push earlier this month, HIMSS presented just three "asks" to Congress. Two dealt with privacy and security issues.
One asked legislators to study patient identification. A two-page letter from HIMSS spent a lot of verbiage discussing the history of a national patient identifier and how Congress has, since 1999, banned federal funds from being used to "promulgate or adopt" one.
Nonetheless, HIMSS is looking for wiggle room.
Its statement pondered whether studying a patient identifier is verboten, then postulated that a "lack of clear congressional intent . . . poses a huge impediment to the optimal adoption of health information exchange."
That's a slight softening of focus. In 2006, HIMSS and another organization it helped create, the National Alliance for Health Information Technology, pushed for a national patient identifier.
In another "ask" this year, HIMSS is lobbying Congress to support "harmonization" of federal and state privacy laws—again, an apparent softening of its position.
A million and a half dollars here, a million and a half dollars there, and pretty soon, you're talking real money—even in the healthcare industry.
The Office for Civil Rights at HHS on Monday announced a settlement agreement for $1.5 million with a venerable Massachusetts healthcare organization, Boston-based Massachusetts Eye and Ear Infirmary and its affiliated medical group, Massachusetts Eye and Ear Associates, over alleged HIPAA security-rule violations. They involve the reported theft of an unencrypted laptop bearing the records of 3,621 individual patients back in 2010.
I did a quick check of the OCR's "wall of shame" website and found MEEI was getting whacked on its second trip to the rodeo.
The privacy and security enforcers at the OCR, after a long, long period of quiescence, appear to be stepping up their enforcement efforts and availing themselves of the stiffer penalties that Congress provided in the American Recovery and Reinvestment Act's revisions to the Health Insurance Portability and Accountability Act's privacy and security rules.
And while the OCR is allowing MEEI to pay the fine on the installment plan, even $500,000 a year is a lot of money—a point not lost on MEEI itself.
In a statement, MEEI said that because no one appears to have been harmed, it was "disappointed with the size of the fine, especially since the independent specialty hospital's annual revenue is very small compared to other much larger institutions that have received smaller fines."
I'll bet.
But it's hard to know what the government was supposed to do other than to take out its proverbial 2x4 and start whacking to get the healthcare industry's attention.
It was déjà vu for data security expert Michael "Mac" McMillan when he heard a hacker had tried to extort money from an Illinois medical group whose patient records and e-mail messages the intruder had accessed and encrypted.
"This is classic," McMillan said. "We saw this countless times in the 1990s with community banks. They would get access to the accounts with people's data and send the bank director a ransom note."
McMillan is the founder and CEO of CynergisTek, an Austin, Texas-based security consulting firm serving the healthcare industry.
He hasn't heard of another incident in the healthcare industry in which encryption was used to hold a provider's data hostage—at least not yet—but "it doesn't surprise me that it's happened," he said.
When other industries computerized their business processes, security trailed, McMillan said. "They all went through these phases, where the big guys at the top did it first and the little guys dragged their feet."
In healthcare, "with all this digitization and data-sharing, you become more and more vulnerable to threats from the Internet," he said.
The hack job on the computer system of three surgeons in Libertyville, Ill., a northwest suburb of Chicago, was discovered in June but wasn't publicly revealed until recently. The investigation was turned over to the Secret Service—an agency most widely known for its work protecting the U.S. president, but that possesses other skills, too.
"The Secret Service is the organization within the federal government that has executive agency over computer security crimes," McMillan said. "Typically, when they get involved, there is some form of interstate extortion or threat or something big that can cross state lines or international boundaries."
Encryption is a standard security procedure for moving patient information over the Internet, but not so much for patient records just sitting there on a computer not going anywhere.
So one thing that jumps out in the CMS' new Stage 2 meaningful-use rule is the increased emphasis on encryption for so-called data at rest—that is, patient-identifiable records on servers, hard drives and portable devices.
Under Stage 1 rules, providers are required to perform a risk assessment, as they are already required to do under the security provisions of the Health Insurance Portability and Accountability Act.
Now under Stage 2, they must give serious consideration to encrypting that data (PDF, see pages 132-136).
Why the change in emphasis?
Personal health records and health record banks are nothing new.
Then again, neither are data breaches, consumer surveys saying people want their privacy rights respected and provider surveys indicating, within limits, that they'd like to respect their patients' privacy desires.
Healthcare providers, if I'm wrong, you can taunt me with this in 2013, but I'm going to predict that in a year's time, without government intervention, patients are going to jackhammer their way into your electronic health-record systems with data from their Apple or Android phones and tablets.
Readers here yesterday will recall the first half of the story of Julie, the pseudonym of a Boston-area lawyer who spoke at a healthcare privacy conference in Washington this month.
Julie said she began psychotherapy sessions in 2002. At the time, she was assured records of those sessions would be kept private.
But Julie said she learned in 2008 that a primary-care physician she was seeing for a stomachache had read notes from her years of psychotherapy.
Here's the rest of her story:
Julie said she first appealed to authorities at the big-name healthcare organization where she received care, seeking what she thought would be a quick fix: segregation of her therapist's notes from the rest of her records.
"There is supposed to be protection for what's called psychotherapy notes," she said. "Those are not allowed to be in the record."
Instead, someone at the big-name healthcare organization blithely told her it had "interpreted that what was in my record were not psychotherapy notes; those were psychiatric records. They said they were not going to segregate psychiatric records. It's a disservice to their patients."
Disservice?