Kill your fax machine (redux) and watch out for HIPAA violations

Today, noted medical informatics professor and professional Dr. Bill Hersh had this exchange on Twitter with his daughter, a new medical student.

 

Later today, I stopped to pick up my mail in this multi-unit building and saw this sticking out of someone else’s mailbox.

A HIPAA violation waiting to happen

That’s right, it’s a “personal and confidential” letter from Quest Diagnostics, presumably either medical test results or a bill. Either way, it’s a HIPAA violation waiting to happen. In fact, it’s probably already a HIPAA violation because people now know what lab this person used. The envelope is hanging out of this mailbox because it was misdelivered and whoever got it by accident placed it there for the intended recipient. But who’s to say it does wind up in the right hands before someone opens it?

Anyone who thinks paper is still a safeguard against privacy and security breaches, raise your hand. (Crickets.) Sure, electronic transmissions can be intercepted and databases hacked, but if you take the time to encrypt them, you lessen the risk. And should there be a breach, the audit trail that HIPAA requires can help investigators pinpoint the culprit and create a disincentive for employees to leak data.

As for the fax, it’s sadly ironic that a twentysomething is encountering a fax machine for the first time when she enters a healthcare environment. Kill your fax machine! It’s 2014. Why are we still using 1980s technology to transfer health information?

January 13, 2014 I Written By

I'm a freelance healthcare journalist, specializing in health IT, mobile health, healthcare quality, hospital/physician practice management and healthcare finance.

The ‘Hospital of Tomorrow’

WASHINGTON—I’ve just finished 2 1/2 days of helping US News and World Report cover its inaugural Hospital of Tomorrow conference. My assignment was to sit in on four of the breakout sessions, take notes, then write up a summary as quickly as possible, ostensibly for the benefit of attendees who had to pick from four options during each time slot and might have missed something they were interested in. Of course, it’s posted on a public site, so you didn’t have to be there to read the stories.

Here’s what I cranked out from Tuesday and Wednesday:

Session 202: A Close-Up Look at EHRs — “Taking a Close Look at Electronic Health Records”

Session 303: The Future of Academic Medical Centers — “Academic Medical Centers ‘Must Become More Nimble’”

Session 305: Preventing and Coping With Infections — “How Hospitals Can Better Prevent and Cope With Infections”

Session 401: Provider and Patient Engagement — “Hospitals Grapple With Patient Engagement”

The one on infection control was particularly interesting, in large part due to the panel, which included HCA Chief Medical Officer and former head of the Veterans Health Administration Jonathan Perlin, M.D., Johns Hopkins quality guru Peter Pronovost, M.D., and Denise Murphy, R.N., vice president for quality and patient safety at Main Line Health in suburban Philadelphia.

The session on patient engagement was kind of a follow-on to my first US News feature in September.

If you want to read more about the whole conference, including US News’ live blog, visit usnews.com/hospitaloftomorrow

November 7, 2013 I Written By

Podcast: MMRGlobal’s Bob Lorsch addresses the ‘patent troll’ issue

Two weeks ago, I picked apart a terribly misleading, ideologically steeped Fox News story that wrongly linked the initial failure of the healthcare.gov Affordable Care Act insurance exchange to the Meaningful Use EHR incentive program. Among my many criticisms was the reporter’s apparent confusion between an actual EHR and My Medical Records, the untethered PHR offered by MMRGlobal.

In that post, I said, “I haven’t seen a whole lot of evidence that MMRGlobal isn’t much more than a patent troll.”

Bob Lorsch, CEO of that company, posted in the comments that I should put my money where my mouth is and interview him. (I had interviewed Lorsch before, but never wrote a story because of my longstanding policy of not paying attention to untethered PHRs since none that I know of has gained any market traction, despite years of hype.)

As this podcast demonstrates, I took Lorsch up on his offer. It was at times contentious, in part because I challenged many of his statements in the Fox story and to me, and in part because he challenged some of mine.

He asked me a pointed question, whether I still thought he was a patent troll. Based on the fact that MMR actually earned patents on a product it actively markets and didn’t just purchase someone else’s patents for the point of suing others, it’s hard to conclude that he is a patent troll.

Investopedia defines patent troll as:

A derogatory term used to describe people or companies that misuse patents as a business strategy. A patent troll obtains the patents being sold at auctions by bankrupt companies attempting to liquidate their assets, or by doing just enough research to prove they had the idea first. They can then launch lawsuits against infringing companies, or simply hold the patent without planning to practise the idea in an attempt to keep other companies’ productivity at a standstill.

By that definition, MMR is not. I still don’t think an untethered PHR is a good business model, a belief supported by the fact that publicly traded MMR is a penny stock, currently trading at less than 3 cents per share. I have said that patient engagement, called for on a small scale by Meaningful Use Stage 2 rules, could change the landscape for PHRs—with a better chance in pediatrics than for adult populations—but it certainly will take a few years.

I stand by my original statement that the Fox News story did health IT a huge disservice by latching onto one problem and trying to tie it to an unrelated issue simply because it fits an ideological narrative. As for MMR, well, take a listen and then judge for yourself. It’s a long podcast, but I went through the trouble of breaking it down by discussion point so you can skip around as necessary.

Podcast details: Interview with Bob Lorsch, CEO of MMRGlobal, recorded Oct. 18, 2013. MP3, mono, 128 bps, 49.5 MB, running time 54:07

2:03        About My Medical Records
3:26        Why he believes his product is better than traditional EHRs
5:00        My skepticism of untethered PHRs
6:28        Lorsch’s interview with HIStalk from February
6:40        MMR’s user base
8:00        Why he thinks MMR could facilitate health information exchange
9:40        Health information exchanges vs. health insurance exchanges
10:15     Patient-centered HIE as an alternative to multiple patient portals
12:20     Physician trust of patient-supplied data, and other workflow issues
15:05     Emergency use case
15:50     How MMR is different from other PHRs
16:32     “Last mile” of connectivity
18:17     His assertion in Fox story that patients lose control of health information and privacy under ACA, despite HIPAA
24:15     MMR carries cyber liability insurance
25:00     Scope of MMR’s patents
26:45     “Likely” infringement of patents
27:45     Lawsuits and licensing
29:30     Patent troll?
31:10     Negotiations with WebMD and others
33:00     MMR’s reputation
35:00     “We build and sell what we have intellectual property rights to.”
36:25     Other vendors ignoring patients?
36:50     Standardization in health IT
38:38     MMR’s low stock price
39:20     Patient engagement boosting PHR use?
42:00     Interest from WellPoint
42:48     Payers building trust with PHRs
44:18     Other features of MMR’s PHR
46:45     Segmentation of sensitive parts of medical records
49:08     Putting me on the spot
50:35     His objective in asserting patent rights
51:15     MMR’s issue with Walgreens
52:25     Revenue sharing vs. licensing

October 31, 2013 I Written By

Top 10 things wrong with Fox News smear job on EHRs

Today, FoxNews.com published a hit job on health IT and EHRs in the guise of another hit job on Obamacare. I found out about it courtesy of this tweet:

First off, it’s clear that Mostashari feels unshackled from having to watch his words now that he’s no longer national health IT coordinator. Secondly, he’s right. This story contains so many errors and misleading statements that it’s almost funny. Let’s count down the top 10.

10. “Under a George W. Bush-era executive order, all Americans should have access to their medical records by the end of 2014, part of a concept referred to as e-health. President Obama then made electronic medical records (EMRs) central to the success of the Affordable Care Act”

When Bush issued the executive order in 2004 that created the Office of the National Coordinator for Health Information Technology, he set as a goal interoperable EMRs for “most” Americans. The “all” part came after Barack Obama took office in 2009.

9. Though Obama did reiterate the 2014 goal and up the stakes by saying “all Americans,” nobody realistically thought it could happen. After all, the HITECH Act, which created Meaningful Use, didn’t pass until March 2009 and Meaningful Use didn’t even start until 2011. Before the HITECH Act, ONC barely had any funding anyway. For five years, Congress failed to pass much in the way of health IT legislation, even though a federal EHR incentive program had bipartisan support, symbolized by an unlikely alliance between Newt Gingrich and Hillary Clinton.

8. “Doctors, practitioners and hospitals, though, have been enriching themselves with the incentives to install electronic medical records systems that are either not inter-operable or highly limited in their crossover with other providers.”

Meaningful Use was never intended for enrichment, or even to cover the full cost of an EHR system.

7. While systems mostly are not interoperable yet, that wasn’t the intent of Stage 1 of Meaningful Use. Stage 1 was meant to get systems installed. Stage 2, which has barely started for the early adopters among hospitals and won’t start for 2 1/2 months for physicians, is about interoperability. That’s where the savings and efficiencies are supposed to come from.

6. We’re years away from knowing whether the Meaningful Use program did its job, though I don’t fault members of Congress such as Sen. John Thune (R-S.D.) for putting pressure on the administration to demand more for the big taxpayer outlay.

5. “‘The electronic medical records system has been funded to hospitals at more than $1 billion per month. Apparently little or none of that money went to the enrollment process which is where the bottle neck for signing up to ObamaCare’s insurance exchanges appears to be,’ Robert Lorsch, a Los Angeles-based IT entrepreneur and chief executive of online medical records provider MMRGlobal, told Fox News.”

The money wasn’t supposed to go to the insurance enrollment process. The Meaningful Use incentive program was from the HITECH Act, part of the 2009 American Recovery and Reinvestment Act. The Patient Protection and Affordable Care Act, a.k.a. Obamacare, came a year later. Again, someone is confusing insurance and care. They are not the same thing.

4. “Lorsch, at MMRGlobal, offered the U.S. government what it describes as a user-friendly personal health record system for one dollar per month per family – a fraction of what it has cost the taxpayer so far.”

MMRGlobal’s product is an untethered personal health record. No untethered PHR anywhere is “user-friendly,” which is why adoption has been anemic. Without data from organizational EHRs, PHRs are worthless. Besides, the direct-to-consumer approach in healthcare has failed over and over, since people are used to having someone else — usually an insurance company — pick up the tab.

3. For that matter, MMRGlobal is a bad example to use as an alternative to EHRs. (The Fox story is correct in saying that other vendors do have close ties to the Obama administration, though the former Cerner executive’s name is Nancy-Ann DeParle, not “Nance.”) I could be wrong, but I haven’t seen a whole lot of evidence that MMRGlobal isn’t much more than a patent troll.

2. “But this process could have been easier if a nine-year, government-backed effort to set up a system of electronic medical records had gotten off the ground. Instead of setting up their medical ID for the first time, would-be customers would have their records already on file.”

Actually, as I wrote in a story just published in Healthcare IT News, we could have had national patient identifiers 15 years ago, as called for by the 1996 HIPAA statute. But Congress voted in 1998 not to fund implementation of a national patient ID and President Bill Clinton signed that into law. Since then, interoperability and patient matching have been mighty struggles.

1. “‘Plus, unlike under ObamaCare, the patient would be in control of their health information and, most importantly, their privacy,’ Lorsch said.”

Where in Obamacare does the patient lose control of health information? Less than a month ago, I was in Washington listening to HHS Office for Civil Rights Director Leon Rodriguez say, “There is a clear right [in the HIPAA privacy rule] not only of patient access, but patient control over everything in their records.” This may come as news to some people, but patients own and control the information. They might not know it, but the language is pretty clear.

Already, the Fox story has been reposted in a number of blogs shared all over the Internet, so it’s being accepted as fact in some quarters. If you want the truth, you sometimes have to do the work yourself.

October 15, 2013 I Written By

Comprehensive coverage of WTN Media’s Digital Health Conference

As you may know from at least one of my earlier posts, I was in Madison, Wis., last month for a great little health IT event called the Digital Health Conference, a production of the Wisconsin Technology Network and the affiliated WTN Media. In fact, WTN Media hired me to cover the conference for them, so I did, pretty comprehensively. In fact, I wrote eight stories over the last couple of weeks, seven of which have been published:

I still have an overview story that should go up this week.

Why do I say it’s a great little conference? The list of speakers was impressive for a meeting of its size, with about 200 attendees for the two-day main conference and 150 for a pre-conference day about startups and entrepreneurship.

Since it is practically in the backyard of Epic Systems, CEO Judy Faulkner is a fixture at this annual event, and this time she also sent the company’s vendor liaison. Informatics and process improvement guru Dr. Barry Chaiken came in from Boston to chair the conference and native Wisconsinite Judy Murphy, now deputy national coordinator for programs and policy at ONC, returned from Washington. Kaiser Permanente was represented, as was Gulfport (Miss.) Memorial Hospital. IBM’s chief medical scientist for care delivery systems, Dr. Marty Kohn, flew in from the West Coast, while Patient Privacy Rights Foundation founder Dr. Deborah Peel made the trip from another great college town, Austin, Texas. (Too bad Peel and Faulkner weren’t part of the same session to discuss data control. That alone would be worth the price of admission.)

July 2, 2013 I Written By

Yes, you do have a right to your health records

Lest anyone forget — including the American Hospital Association, which wants to take 30 days post-discharge to supply copies of medical records to patients — HIPAA explicitly gives patients the right to access their own records. This is not new. The HIPAA privacy rules have been in force since 2002. Yet, far too many patients have no idea of this right and far too many providers don’t inform patients of this right or do what they can to prevent access.

Fortunately, the HHS Office for Civil Rights, which enforces HIPAA privacy and security standards, is trying to change that with an outreach campaign, including this video.

 

Unfortunately, the video has been viewed just 556 times as of this writing. Equally unfortunately, the video directs viewers to visit HHS.gov/OCR. But the real information you need is at http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html. I found that page using Google, not by trying to navigate the menu, which is not very intuitive, even for someone who knows the healthcare industry. I can’t imagine the average consumer finding that page without help or plain old dumb luck.

Various HHS agencies are trying hard to disseminate messages to the public. I think of AHRQ’s Questions are the Answer campaign. I’ve seen poster-size ads around Chicago telling people to visit ahrq.gov for a list of questions they should be asking their healthcare providers, but the better link, not mentioned in the ads, is ahrq.gov/questions.

For that matter — and I mentioned this to one of the AHRQ higher-ups at the HIMSS conference a few months ago — how many people really know what the Agency for Healthcare Research and Quality is? Wouldn’t it be better to have a more memorable URL? The Obama administration is good at setting up URLs for programs it wants to promote for political reasons — think recovery.gov and even the consumer-friendly healthcare.gov — but the less-politicized divisions such as AHRQ (remember, Director Dr. Carolyn Clancy is a career professional who has run AHRQ for two presidents since 2003) and OCR haven’t done so. They need to come up with easy-to-remember URLs that the general public can remember. Bureaucrat-speak just isn’t getting the job done.

Meantime, physicians need to become more patient-friendly, too. I invite you to check out this Salon article from a few weeks ago entitled, “Listen up, doctors: Here’s how to talk to your patients.” Please share with family, friends and, yes, your doctors. Share the OCR video, too. If OCR can’t make the information easy to find, I will.

 

June 12, 2012 I Written By

Australia considers huge fines for EHR snooping

How’s this for a deterrent against unauthorized snooping into patient EHRs? Australian Health Minister Nicola Roxon recently proposed whopping fines of A$13,200 for individuals and A$66,000 for companies that illegally access patient records. The Aussie dollar is nearly on par with the greenback these days, so the numbers are virtually equal when you convert to U.S. currency. That’s a lot of money.

Now, Australia doesn’t actually have much in the way of EHRs just yet, so this is somewhat speculative, but I think those numbers will get people’s attention. At least it will make records clerks think twice before peering at the records of people like Hugh Jackman or Nicole Kidman, right? The celebrity snooping at UCLA Health System cost the organization $865,000 in a legal settlement, and two employees were convicted of crimes, but I’m not aware of an individual being fined more than $2,000.

Would the threat of automatic big-dollar fines prevent unauthorized peeking at EHRs, or are lawsuits like the one the HHS Office for Civil Rights filed against UCLA more of a deterrent?

October 11, 2011 I Written By

‘Five rights’ for data administration

You know about the “five rights” for medication administration: the right drug, for the right patient, in the right dosage, on the right route, at the right time.

More recently we’ve seen “five rights” for effective clinical decision support: the right information, to the right stakeholder, at the right point in workflow, through the right channel, in the right format.

Now, security vendor Symantec brings us the “five rights” for data administration:

September 21, 2011 I Written By

A vendor’s view on selling of data

As long as there have been EMRs, there have been vendors selling aggregated, de-identified data. And there have been people worried about privacy.

That issue came up last week at the AHIMA Legal EHR Summit right here in Chicago, during a session exploring issues related to data ownership and stewardship in the era of cloud computing. (I’ll have a more complete rundown of the session Monday in InformationWeek Healthcare.)

Near the start of the panel, Daniel Orenstein, senior VP and general counsel of Athenahealth, tried to put any lingering questions to rest right away. “I think data monetization is kind of a red herring,” Nussbaum said of people who criticize vendors for selling sensitive patient information. According to Nussbaum, de-identified data no longer includes any protected health information as defined by HIPAA, and only has value in the aggregate.

What he didn’t mention—and what nobody on the panel or in the audience brought up—is the possibility that data that supposedly were de-identified could be re-identified to a reasonable degree of precision. I’ve heard this for years, but I don’t know if anyone’s actually re-identified patient data outside of academia. Is this a real threat, or is Nussbaum right about it being a red herring?

UPDATE, August 22, 4:25 pm CDT: Here’s the InformationWeek story I referenced.

 

August 21, 2011 I Written By

Facebook + health data = all sorts of HIPAA questions

“Time’s Person of the Year is Mark Zuckerberg. Sorry, Julian Assange, I guess you didn’t violate enough people’s privacy.” — Stephen Colbert, Dec. 15, 2010.

Yes, Facebook has issues with privacy. Just Monday, the Electronic Privacy Information Center, the Center for Digital Democracy, Consumer Watchdog and the Privacy Rights Clearinghouse formally asked the Federal Trade Commission to stop Facebook from launching a facial-recognition feature. Last week, European regulators said they would investigate Facebook after it came out that Facebook’s 500 million to 700 million users were automatically opted in to facial recognition.

And now we hear that Microsoft is adding Facebook authentication to its HealthVault health information platform.

Let me repeat: You can now sign in via Facebook to a HealthVault personal health record.

Though I’m not a lawyer, I’m wondering if Microsoft might not be treading in some dangerous territory. What if it’s possible to link HealthVault updates to Facebook so your entire social network knows that you just got a lab test result back? What if the Facebook location tagger indicates that you’ve just visited an STD clinic? Yeah, sometimes discretion is in order, and Facebook generally isn’t the place to be discreet.

According to Healthcare IT News’ MobileHealthWatch blog, Microsoft’s Sean Nolan was practically giddy about this arrangement helping HealthVault go mobile. I think mobility will help make PHRs a bit more attractive to patients, but I still think PHRs are DOA if they don’t link to EHRs.

I just don’t see a lot of medical practices being willing to send electronic data back and forth to HealthVault accounts if Facebook is handling the security, making MobileHealthWatch’s claim that, in the wake of the supposed demise or at least de-emphasis of Google Health, HealthVault is now “more or less unchallenged as the PHR of record” a joke. There’s no such thing as a PHR of record, and there won’t be as long as authentication passes through Facebook.

 

June 13, 2011 I Written By
