Privacy | Meaningful HIT News

Yes, you do have a right to your health records

Lest anyone forget — including the American Hospital Association, which wants to take 30 days post-discharge to supply copies of medical records to patients — HIPAA explicitly gives patients the right to access their own records. This is not new. The HIPAA privacy rules have been in force since 2002. Yet, far too many patients have no idea of this right and far too many providers don’t inform patients of this right or do what they can to prevent access.

Fortunately, the HHS Office for Civil Rights, which enforces HIPAA privacy and security standards, is trying to change that with an outreach campaign, including this video.

Unfortunately, the video has been viewed just 556 times as of this writing. Equally unfortunately, the video directs viewers to visit HHS.gov/OCR. But the real information you need is at http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html. I found that page using Google, not by trying to navigate the menu, which is not very intuitive, even for someone who knows the healthcare industry. I can’t imagine the average consumer finding that page without help or plain old dumb luck.

Various HHS agencies are trying hard to disseminate messages to the public. I think of AHRQ’s Questions are the Answer campaign. I’ve seen poster-size ads around Chicago telling people to visit ahrq.gov for a list of questions they should be asking their healthcare providers, but the better link, not mentioned in the ads, is ahrq.gov/questions.

For that matter — and I mentioned this to one of the AHRQ higher-ups at the HIMSS conference a few months ago — how many people really know what the Agency for Healthcare Research and Quality is? Wouldn’t it be better to have a more memorable URL? The Obama administration is good at setting up URLs for programs it wants to promote for political reasons — think recovery.gov and even the consumer-friendly healthcare.gov — but the less-politicized divisions such as AHRQ (remember, Director Dr. Carolyn Clancy is a career professional who has run AHRQ for two presidents since 2003) and OCR haven’t done so. They need to come up with easy-to-remember URLs that the general public can remember. Bureaucrat-speak just isn’t getting the job done.

Meantime, physicians need to become more patient-friendly, too. I invite you to check out this Salon article from a few weeks ago entitled, “Listen up, doctors: Here’s how to talk to your patients.” Please share with family, friends and, yes, your doctors. Share the OCR video, too. If OCR can’t make the information easy to find, I will.

Australia considers huge fines for EHR snooping

How’s this for a deterrent against unauthorized snooping into patient EHRs? Australian Health Minister Nicola Roxon recently proposed whopping fines of A$13,200 for individuals and A$66,000 for companies that illegally access patient records. The Aussie dollar is nearly on par with the greenback these days, so the numbers are virtually equal when you convert to U.S. currency. That’s a lot of money.

Now, Australia doesn’t actually have much in the way of EHRs just yet, so this is somewhat speculative, but I think those numbers will get people’s attention. At least it will make records clerks think twice before peering at the records of people like Hugh Jackman or Nicole Kidman, right? The celebrity snooping at UCLA Health System cost the organization $865,000 in a legal settlement, and two employees were convicted of crimes, but I’m not aware of an individual being fined more than $2,000.

Would the threat of automatic big-dollar fines prevent unauthorized peeking at EHRs, or are lawsuits like the one the HHS Office for Civil Rights filed against UCLA more of a deterrent?

Post a Comment(0)

October 11, 2011 I Written By Neil Versel

I'm a freelance healthcare journalist, specializing in health IT, mobile health, healthcare quality, hospital/physician practice management and healthcare finance.

Filed Under: EMR/EHR HIPAA international privacy

Tags:Australia fines HIPAA Nicole Roxon Office for Civil Rights UCLA

‘Five rights’ for data administration

You know about the “five rights” for medication administrations: the right drug, for the right patient, in the right dosage, on the right route, at the right time.

More recently we’ve seen “five rights” for effective clinical decision support: the right information, to the right stakeholder, at the right point in workflow, through the right channel, in the right format.

Now, security vendor Symantec brings us the “five rights” for data administration: Read more..

A vendor’s view on selling of data

As long as there have been EMRs, there have been vendors selling aggregated, de-identified data. And there have been people worried about privacy.

That issue came up last week AHIMA Legal EHR Summit right here in Chicago, during a session exploring issues related to data ownership and stewardship in the era of cloud computing. (I’ll have a more complete rundown of the session Monday in InformationWeek Healthcare.)

Near the start of the panel, Daniel Orenstein, senior VP and general counsel of Athenahealth tried to put any lingering questions to rest right away. “I think data monetization is kind of a red herring,” Nussbaum said of people who criticize vendors for selling sensitive patient information. According to Nussbaum, de-identified data no longer includes any protected health information as defined by HIPAA, and only has value in the aggregate.

What he didn’t mention—and what nobody on the panel or in the audience brought up— is the possibility that data that supposedly were de-identified could be re-identified to a reasonable degree of precision. I’ve heard this for years, but I don’t know if anyone’s actually re-identified patient data outside of academia. Is this a real threat, or is Nussbaum right about it being a red herring?

UPDATE, August 22, 4:25 pm CDT: Here’s the InformationWeek story I referenced.

Facebook + health data = all sorts of HIPAA questions

“Time’s Person of the Year is Mark Zuckerberg. Sorry, Julian Assange, I guess you didn’t violate enough people’s privacy.” — Stephen Colbert, Dec. 15, 2010.

Yes, Facebook has issues with privacy. Just Monday, the Electronic Privacy Information Center, the Center for Digital Democracy, Consumer Watchdog and the Privacy Rights Clearinghouse formally asked the Federal Trade Commission to stop Facebook from launching a facial-recognition feature. Last week, European regulators said they would investigate Facebook after it came out that Facebook’s 500 million to 700 million users were automatically opted in to facial recognition.

And now we hear that Microsoft is adding Facebook authentication to its HealthVault health information platform.

Let me repeat: You can now sign in via Facebook to a HealthVault personal health record.

Though I’m not a lawyer, I’m wondering if Microsoft might not be treading in some dangerous territory. What if it’s possible to link HealthVault updates to Facebook so your entire social network knows that you just got a lab test result back? What if the Facebook location tagger indicates that you’ve just visited an STD clinic? Yeah, sometimes discretion is in order, and Facebook generally isn’t the place to be discreet.

According to Healthcare IT News’ MobileHealthWatch blog, Microsoft’s Sean Nolan was practically giddy about this arrangement helping HealthVault go mobile. I think mobility will help make PHRs a bit more attractive to patients, but I still think PHRs are DOA if they don’t link to EHRs.

I just don’t see a lot of medical practices being willing to send electronic data back and forth to HealthVault accounts if Facebook is handling the security, making MobileHealthWatch’s claim that, in wake of the supposed demise or at least de-emphasis of Google Health, HealthVault is now “more or less unchallenged as the PHR of record” a joke. There’s no such thing as a PHR of record, and there won’t be as long as authentication passes through Facebook.

Not just an EMR, but an HIE for mental health

Last month, I asked if anyone has been successful with an EMR for mental health. I wondered if an iPad might make it easier for a psychotherapist to take electronic notes during a session without making the patient feel like the computer was getting in the way, because a desktop PC certainly would be a distraction. I also wondered about where mental health fits in the realm of truly comprehensive EHRs.

(Yes, I make a distinction between EHR and EMR here, since, while it’s important to have a complete medication list to avoid harmful interactions, there’s little reason why an orthopedist or dermatologist would need to know whether a patient had been diagnosed with a mental illness. The same goes for records of sexually transmitted diseases or any other condition that patients may not want a lot of people to know about.)

I got a partial answer on Monday, when I interviewed Justin Bayless, president of Bayless Behavioral Health Solutions, which just launched a portal to share patient records with other caregivers, insurance companies, case managers, educators, probation officers and skilled nursing facilities. (See my story about this in InformationWeek.)

EMRs do indeed have a role in mental health, even if it’s mostly administrative. “It saves therapists a lot of time because it automatically generates forms,” Bayless said of the Credible Behavioral Health Software EMR that Bayless MHS clinicians carry on laptops to treatment sites such as assisted living facilities, nursing homes, schools and community centers. (That’s a quote you won’t see in the InformationWeek story.)

And segmentation of behavioral health information from other parts of a comprehensive EHR won’t be too much of an issue for a while—Bayless believes it could take 10-15 years—since so many providers still use paper right now. Remember, psychologists, addiction counselors, licensed clinical social workers and any other mental health professionals that aren’t psychiatrists (i.e., anyone without an M.D. or D.O. degree) don’t count as eligible providers for “meaningful use” purposes.

Post a Comment(0)

May 16, 2011 I Written By Neil Versel

I'm a freelance healthcare journalist, specializing in health IT, mobile health, healthcare quality, hospital/physician practice management and healthcare finance.

Filed Under: EMR/EHR health information exchange health IT interoperability meaningful use mobile privacy

Tags:Bayless Behavioral Health Solutions Credible Behavioral Health Software mental health

Blogging by Twitter?

Oh man, I’ve been busy. I filled in as writer of the Midwest edition of Payers and Providers the last two weeks because regular editor Duncan Moore, a former colleague, had been hospitalized. (Get well soon, Duncan.) I’ve been at the Institute for Health Technology Transformation health IT summit in Fort Lauderdale, Fla., since yesterday, and I’ve also had my regular deadlines for InformationWeek and MobiHealthNews.

I moderated two IHT2 conference sessions yesterday, on how health IT underpins Accountable Care Organizations and how business intelligence can create a framework for health information exchange. I haven’t had time to blog about those, but several people seem to have tweeted during those sessions. I therefore present a rundown via Twitter.

@narmi91 #iHT2 FMA #HIE strategy: Simple HIE gives physicians instant value, allows them to dip their tow in the water.

@narmi91 #iHT2 #HIE strategy: Adopt exchange before adopting #EHR. Which would you choose Internet (HIE) or PC (EHR)?

@narmi91 #iHT2 #HIT for #ACO: Primary care medical home is a must for ACO. Paying patients to perform. Also focus on medical assistants & nurses.

@narmi91 #iHT2 #HIT for #ACO: Changing patient behavior: need to engage patients. BCBS has new benefit plan $300-700 cash for manage health and qual.

@narmi91 #iHT2 #HIT for #ACO: Fed/state gov are more on the side of privacy but security always comes down to human behavior.

@narmi91 #iHT2 #HIT for #ACO: Pace of tech adoption in healthcare is much slower than other industries: Privacy & security, care coord, social sci.

@ICALeader Dr Freeman says healthcare is more focused on quality assurance than quality improvement, need multi-disciplinary groups to achieve QI #iHT2

@narmi91 #iHT2 #HIT for #ACO: Quality improvement process can help identify clinical decision support.

@narmi91 #iHT2 #HIT for #ACO: Victor from HRSA – HIE challenges include security issues and not enough discrete data. Most #EHR not designed for qual

@ICALeader Kevin Mather says upside & downside risk must be high & metrics must be measured for quality & cost monthly for ACO success #iHT2 #HIE #ACO

@ICALeader Dr. Freeman reminds #ACO & #HIE not to forget federal healthcare DOD, VA & IHS agencies in effort to coordinate care @ #iHT2 FTL

@bhparrish: Patient-centered #HIE with secure communication will be essential infrastructure for #ACO development. <RT @ICALeader> #iHT2

Post a Comment(0)

May 11, 2011 I Written By Neil Versel

I'm a freelance healthcare journalist, specializing in health IT, mobile health, healthcare quality, hospital/physician practice management and healthcare finance.

Filed Under: Accountable Care Organizations Business intelligence clinical decision support EMR/EHR health information exchange Healthcare IT privacy security

Tags:Institute for Health Technology Transformation patient-centered medical home

EMRs for mental health?

I’ve been wondering, has anyone in mental health truly had success with an EMR? I can’t imagine any psychotherapist sitting at a computer typing notes while there’s a patient on the couch. That would be particularly bad for a patient with self-esteem issues.

I imagine that tablets like the iPad may make this a little easier, but what psychotherapists really need is something like a pen tablet (with a stylus rather than touch-screen) or digital ink to mimic taking notes on a pad of paper.

The other issue related to EMRs in mental health is the exchange of notes with other physicians. Will an electronic note from therapist back to the primary care physician wind up in the electronic chart that might get sent, say, to an orthopedist or gastroenterologist? The only thing other specialists really would need to know is the patient’s medication list, not a psychiatric diagnosis or treatment history, right? Segmenting out sensitive parts of an EMR like treatment for mental health and sexually transmitted diseases is something vendors and CIOs have struggled with for years, and I believe continue to struggle with.

In both cases, I’d love to hear your anecdotes here.

David St. Clair on privacy

It’s a few weeks old and you may have seen it elsewhere, but I see no harm posting this commentary from David St. Clair, founder and CEO of care management software company MEDecision. You’ll note that the CNN video he references also appeared on my blog last month.

Consumers Need All of the Facts in the Privacy Debate

By David St.Clair

The economic stimulus package that President Obama has signed contains upwards of $20 billion to create electronic health records for most Americans within five years. The president has been very outspoken in his belief that EHRs are essential to health care reform and that the subsequent savings they’ll generate will help to strengthen the larger overall economy.

Whenever the subject of proliferating EHRs catches the national spotlight, you can bet that debates about privacy aren’t far behind. Indeed the privacy issue has already started to gain some traction in the media. In this video clip, CNN’s Campbell Brown and Elizabeth Cohen examine how easy it is for someone to obtain private medical information online by simply using someone’s Social Security number and date of birth.

While this assessment may be accurate, it’s a bit light on the fairness scale. Brown and Cohen only make a very brief mention of facts like President Obama’s plan to appoint a chief privacy officer and to implement unprecedented privacy controls to safeguard the EHR transformation. Instead they emphasize the more sensational angle implying that electronic health information just isn’t safe. They also seem to downplay the fact that a simple thing like creating a password can protect one’s private information.

I suspect the privacy issue is going to reach a crescendo in the coming months, and it’s very important that Americans have all of the facts. There are unfortunately people in the world who are going to try to illegally obtain and misuse private health information. But that doesn’t mean we should just write off EHRs as a bad idea. We simply need to be vigilant and proactive in incorporating the highest security measures into the planning process — which the president has done. To borrow an analogy from a close colleague: we don’t stop building roads because some people drive drunk. We punish the drunk drivers and continue building roads because of the tremendous benefits they bring to the rest of our law-abiding society. There is too much at stake for the health care system and the nation’s economy to allow over-dramatized and misperceived weaknesses in EHR security to thwart progress.

Additionally, to make the privacy debate a fair one we must ask what’s more dangerous: the potential misuse of information or simply not using information at all? Should we put the privacy of an overwhelming minority of people ahead of safer, more efficient, more affordable and potentially life-saving health care for the overwhelming majority? In reality, the only people who stand to be harmed by an unlikely EMR privacy breach are celebrities and other high profile individuals. Even if someone were to gain access to the average person’s health information, there isn’t much they could do with it, other than cause that person some personal embarrassment. In a very real sense, the question then becomes whether we value the privacy of information more than its potential to help us lead healthier lives.

Without question we must make ensuring privacy a top priority in any plans to implement EHRs. I’m confident that the Obama plan does so and, in fact, I think we’ll see even stronger controls than we may have previously imagined. No EHR is going to come with guaranteed safety, but I would argue that the risk level is the same or less than that associated with online retail and banking transactions. The public needs to understand this. It is up to those of us in the industry to ensure that the facts are clear and readily available. Hopefully the media will choose to report all of them so that Americans can form opinions based on complete information.

Post a Comment(0)

March 15, 2009 I Written By Neil Versel

I'm a freelance healthcare journalist, specializing in health IT, mobile health, healthcare quality, hospital/physician practice management and healthcare finance.

Filed Under: privacy

Tags:EMR MEDecision

Deborah Peel on Fox Business

Privacy hawk Deborah C. Peel, M.D., appeared Thursday on the Fox Business Channel to talk about the new privacy protections for EHRs contained in the economic stimulus bill.

The segment is about three minutes long:

Post a Comment(0)

March 6, 2009 I Written By Neil Versel

I'm a freelance healthcare journalist, specializing in health IT, mobile health, healthcare quality, hospital/physician practice management and healthcare finance.

Filed Under: media privacy

Tags:Deborah Peel

Meaningful HIT News Sponsors

Advertise on Meaningful Healthcare IT News

Recent Posts
- Natural Health Forum
- Healthcare Administration
Calendar
May 2013

M T W T F S S

« Apr

1 2 3 4 5

6 7 8 9 10 11 12

13 14 15 16 17 18 19

20 21 22 23 24 25 26

27 28 29 30 31
Jobs by SimplyHired

May 2013
M	T	W	T	F	S	S
« Apr
	1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31

Meaningful Health IT News Resources
Recent Comments
- Guest podcast: Suzanne Leveille from OpenNotes (1)
  - Kyle Samani: howdy I have to disagree with the assessment of open notes in its current incarnation. The problem is an...
- So many types of telehealth (11)
  - Neil Versel: Greg, I don’t think it was, so thanks for that. Nursing telemedicine *might* count, but, again,...
  - Greg Judd: great job of capturing telehealth’s diversity, Neil! Clinics-based telehealth may be another...
- Breaking down ignorance about telehealth (3)
  - George Margelis: Sorry I missed your talk, stuck at SFO on my way to Austin but look forward to seeing you at ATA.
- Patients with complex cases don’t want multiple provider portals, Rady CIO says (2)
  - Neil Versel: You did read that wrong, Kristin, or perhaps I simply wasn’t clear enough. They are doing both,...
Categories

Recent Posts

Calendar

Meaningful Health IT News Resources

Recent Comments

Categories