Do you trust the cloud for EHRs? That’s the question I ask in my weekly post for EMR and HIPAA. Check it out, and share your opinion.
The Office of the National Coordinator for Health Information Technology today opened a four-week comment period on proposed revisions to the Federal Health IT Strategic Plan (pdf). Last updated in 2008, the plan spells out ONC’s strategy for meeting national health IT goals for the five-year period beginning in 2011. The HITECH Act requires this revision.
According to a blog post by national coordinator Dr. David Blumenthal:
Some components of the Plan may already be familiar, including the Medicare and Medicaid Electronic Health Record Incentive Programs and the grant programs created by the HITECH Act, which are creating an infrastructure to support meaningful use. However, the Plan also charts new ground for the federal health IT agenda:
- In Goal I, the health information exchange strategy focuses on first fostering business models that create health information exchange, supporting exchange where it is not taking place, and ensuring that information exchange takes place across different business models.
- In Goal II, we discuss how integral health IT is to the National Health Care Quality Strategy and Plan that is required by the Affordable Care Act.
- In Goal III, we highlight efforts to step up protections to improve privacy and security of health information, and discuss a major investment in an education and outreach strategy to increase the provider community and the public’s understanding of electronic health information, how their information can be used, and their privacy and security rights under the HIPAA Privacy and Security rules.
- In Goal IV, we recognize the importance of empowering individuals with access to their electronic health information through useful tools that can be a powerful driver in moving toward more patient-centered care.
- In Goal V, we have developed a path forward for building a “learning health system,” that can aggregate, analyze, and leverage health information to improve knowledge about health care across populations.
ONC is accepting comments through April 22 via the blog site.
From InformationWeek via the Health Care Law Blog comes news that the Virginia Department of Health Professions has received a $10 million ransom demand for 8.3 million patient records and 35.6 million prescription records.
Let me repeat: someone allegedly is extorting the State of Virginia for $10 million over a security breach involving millions of electronic health records.
I’d write more, but it seems like Bob Coffield has covered the issue pretty comprehensively on the Health Care Law Blog. He cites the alleged ransom note, Virginia’s response and a very interesting blog post about HIPAA notification responsibilities from John Moore of Chilmark Research.
CHICAGO—I’m sitting in a HIMSS session where reformed hacker extraordinaire Kevin Mitnick is demonstrating how bad guys exploit security vulnerabilities. He asked for a volunteer from the audience, and the volunteer was Will Weider, aka the Candid CIO. Mitnick entered Weider’s name and home state (Wisconsin) into a personal-search database and came up with Weider’s Social Security number, which was displayed on the two giant projector screens in the meeting room.
I can’t wait to read what Will has to say about the experience.
I was astounded today to read in Modern Healthcare (the fact that I apparently was blacklisted from writing there for reasons never explained to me makes me reluctant to link to the story) that Google says the new privacy and security rules won’t change its PHR plans.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted last month as Title XIII of the American Recovery and Reinvestment Act of 2009, strengthens much of the privacy and security language of HIPAA. Some of the language effectively gives business associates the same responsibilities as covered entities when it comes to protecting patient data. Section 13408 specifically includes personal health records.
Reporter Joe Conn, my former boss and an all-round good guy (rare at MHC these days), quotes Google Health Product Manager Roni Zeiger, M.D., as saying the new legislation has no effect on the company’s offering. Zeiger actually said that Google Health, as a service offered directly to consumers, is neither a covered entity nor a business associate under the new law.
Excuse me? I’ve been struck since Day 1 with the arrogance Google seems to be exhibiting with its entry into healthcare (actually, since before Day 1, since Google says CEO Eric Schmidt’s speech to the 2008 HIMSS conference was not technically a product introduction), but it seems to me Zeiger is intimating that the law doesn’t apply to Google.
This is almost as ludicrous as former Vice President Dick Cheney suggesting in 2007 that he was a fourth branch of government.
In case, as I did, you missed the Office of the National Coordinator for Health Information Technology’s Oct. 15 town hall on medical identity theft, you can download an MP3 audio recording and a transcript (Microsoft Word document) of the proceedings.
Warning: the MP3 file is a whopping 286 MB. It took me about 7 minutes to download on a typical residential cable Internet connection. It will take you 5 hours and 12 minutes to listen to the whole thing if you’re so inclined.
More details of the ONC-sponsored assessment on medical identity theft are at http://www.hhs.gov/healthit/privacy/identytheft.html
ONC promises a full report sometime this winter on issues related to health IT and identity theft, as well as a recommended roadmap for addressing these issues.
A weekend trip to Maine for a family wedding turned into a business trip (and a tax deduction) when I was reminded that the 16th National HIPAA Summit and related Privacy Symposium were taking place at Harvard University this week. Since I was flying in and out of Boston, I hesitantly forked over the $150 extortion—er, change—fee to American Airlines and sprung for a hotel room, mostly so I could attend a heated debate—er, “roundtable discussion” (even though the table was not round)—about whether patient privacy rules were effective.
I’m pretty sure it was worth the money. Boston usually is. While in the area, I also got a tour of athenahealth’s Watertown headquarters. I learned that “chief athenista” and new daddy Todd Park is on paternity leave for the next several months, is relocating to the west coast and will come back as a board member only while he dedicates much of his time to some new ventures.
But I digress once again.
The roundtable featured a couple of heavy hitters in the privacy world, namely Dr. Deborah Peel and Dr. Bill Braithwaite, as well as Partners HealthCare System Chief Privacy Officer Karen Grant, Linda Sanches, representing the HHS Office of Civil Rights, and, via telephone, Jodi Daniel, from the Office of the National Coordinator. Given the expense I just incurred, I wrote a story Tuesday about the Peel-Braithwaite debate for someone who actually will pay me, Digital HealthCare & Productivity.
In the interest of getting the news out and getting picked up by this week’s Health Wonk Review, I’m going to give you for free some notes from other Tuesday sessions.
On Friday, HHS released some proposed dates for transitioning to the next generation of HIPAA transactional code sets—otherwise known as ANSI X12 version 5010—as well as to ICD-10 standards for E&M coding. The proposal also includes the National Council for Prescription Drug Programs standard version D.0 for electronic pharmacy transactions.
The full language is at http://www.cms.hhs.gov/TransactionCodeSetsStands/02_TransactionsandCodeSetsRegulations.asp#TopOfPage and will appear in this Friday’s Federal Register to trigger a 60-day comment period, closing Oct. 21.
“This is not a do-over of HIPAA,” said Workgroup for Electronic Data Interchange Chairman James Whicker, who also phoned in to the HIPAA Summit. Whicker, director of EDI and e-commerce at Intermountain Healthcare in Salt Lake City, said that changes are necessary because the current version 4010A1 is more than six years old already and has significant shortcomings.
Among the changes he highlighted:
- The 835 transaction for remittance advice adds an embedded link to payer URLs for some payment adjustment and denial codes.
- 834 will allow ICD-10 to report pre-existing conditions and address some privacy concerns.
- 270 and 271 eligibility transactions bring what Whicker called “a significant number of changes and improvements” from the provider perspective. For example, he said, the new code sets clarify instructions for sending inquiries based on whether the patient is the health plan’s primary enrollee or a dependent. If the eligibility date, plan name or benefit effective date for a particular encounter is different from that of the overall coverage, the health plan must report it as part of the transaction. Version 5010 also requires alternate search options for 270 and 271 transactions so a provider can search by member ID, last name only or date of birth to help eliminate false negatives and phone calls, Whicker said.
- 276 and 277 transactions for healthcare claims status have minor changes addressing privacy concerns over sensitive patient information that is unnecessary for business purposes.
- Implementation guides will no longer be free when 5010 takes effect.
I personally don’t know what to make of the 5010 news, but I know that there is significant opposition to the proposed Oct. 1, 2011, compliance date for ICD-10. As Whicker spoke, I was reading a press release from the Medical Group Management Association denouncing the idea, and would wager a large sum that the American Medical Association thinks three years and two months is not long enough.
And now back to the privacy debate.
In a separate session, Sanches vigorously defended OCR’s record on HIPAA privacy enforcement, despite the fact the office has not assessed a single civil monetary penalty in the five years the rules have been in effect. “Our enforcement has resulted in changes,” Sanches said, a sentiment also expressed by Michael Phillips, a health insurance specialist in the CMS Office of E-Health Standards and Services regarding enforcement of HIPAA security regulations.
Sanches said most privacy complaints have either been dismissed or resolved with corrective action, while some, as with Providence Health and Services last month, have been settled with “resolution agreements,” usually resulting in a fine. Sanches described the resolution agreements as “forward-looking,” since they require corrective action even though there is no admission of liability. “We will be monitoring their compliance,” Sanches said of Providence, which agreed to pay $100,000 as part of the deal.
Suffice it to say, OCR still has plenty of critics. Deven McGraw, director of the Health Privacy Project at the Washington-based Center for Democracy & Technology, said that enforcement clearly is lacking. “When you haven’t imposed a single civil monetary penalty, you are not sending a message that you are going to hit people in the pocketbook,” McGraw said during a joint session with Peel.
Those who don’t know Peel well might think she would wholeheartedly agree with this sentiment, but she says the August 2002 HIPAA privacy amendments that created the “treatment, payment and healthcare operations” exemption effectively neutered the rule. “We believe there is nothing for OCR to enforce because there isn’t a privacy law anymore,” she said, arguing that lack of privacy is keeping people from seeking treatment for some conditions, including Iraq war veterans who might suffer from depression or post-traumatic stress disorder.
As for HIPAA security enforcement, Phillips said OCR gets many more privacy complaints per year than CMS does for the security rule, largely because so many violations involve paper PHI and the security rule only applies to electronic information. He said that CMS has received 350 security rule complaints, to date, but, surprisingly, given all the attention paid to laptop theft, only 10 percent have involved lost or stolen devices.
Of those 350 complaints, 248 have been resolved and 102 investigations remain open.
Phillips also discussed the CMS contract with PricewaterhouseCoopers to conduct 10 compliance reviews this year, saying that the audit firm has done six reviews, including the well-publicized critique of Piedmont Healthcare in Atlanta. Phillips said CMS will share information about one of the 10 cases when all the reports are done.
Another conference session focused on the Piedmont case, and I think I will do a story for one of my publication clients in the next week or two. Stay tuned.
And finally, since anything involving David Brailer tends to generate a lot of traffic to this site, I shall call your attention to the following from former U.S. Sen. Dave Durenberger (R-Minn.), who founded and chairs the National Institute of Health Policy and sits on the Medicare Payment Advisory Commission:
DAVID BRAILER a few short years ago was the No. 1 name in American healthcare according to the annual Modern Healthcare survey of important people in the field. His job then was to be President Bush’s “Health Information Czar” to get the medical system moving toward automation and electronic information interchange.
Today he runs Health Evolution Partners out of San Francisco. He says HEP was founded to accelerate the best in the inevitable change taking place in the healthcare market. It will focus on redefining quality, efficiency and accountability of healthcare services to consumers and payers. He has developed a “Purchaser Value Initiative” as well, and raised nearly a billion dollars from CALPERS and from an additional four or five state public employees retirement funds (including Minnesota).
Susan and I enjoyed lunch with David recently at the Buckeye Roadhouse just off CA Highway 101 near Sausalito. David’s no. 1 interest these days is in his family, especially his seven-year-old son and year-old daughter. I listened to much of a fascinating discussion over elementary education in San Francisco and the merits of various institutions before we got to passion no. 2: how health system entrepreneurs will use the cost-quality-access quandary we face in this country to innovate our way to better health, medical care and health management services.
Listening to Brailer, you get the impression that there may have been a lot not to like in the Bush administration’s approach to “consumer driven healthcare.” On the other hand, it focused us on a critical reality. Everyone in America is a potential consumer of better health, more appropriate medical services and, someday, good judges of value in the healthcare system. Entrepreneur innovators are doing it right now, and Brailer’s EHP team will help make sure they succeed.
I’ve got some international items on the agenda today:
First off, did anyone catch the big “oops” in Australia this week that knocked out telecommunications services across the state of Queensland? Apparently, a backhoe at a construction site cut a cable that took phone lines down statewide, and a major backup system failed as well. The outage reportedly affected phone calls in and out of a number of regional hospitals, but what was not reported was whether any health IT infrastructure was affected. Perhaps that’s a problem in and of itself.
A couple of weeks ago, a health trust in Scotland had to declare a “data amnesty” to encourage employees to return a misplaced USB drive that reportedly contained the health records of 137 patients. Left unanswered is why the records were not secured before being transferred to the portable drive.
I hopefully will be reporting some international health IT news in a couple of weeks, as I’ve been invited to attend one week of the Rockefeller Foundation’s “Making the eHealth Connection” conferences in Bellagio, Italy. Consider this a solicitation to editors looking for coverage of EHR and mobile-health issues in developing countries.
FORT LAUDERDALE, Fla.—Sitting in my hotel room the night before the end of TEPR, I just received an article from NextGov, a publication I had not been familiar with, but which seems to have a good amount of health IT coverage. (I might have to pitch some ideas of my own to the editor.)
This particular story is alarmingly headlined: “Cyber criminals overseas steal U.S. electronic health records.” According to the report, “medical records are a ‘platinum card’ for organized crime, which can rake in millions of dollars from false billings, said Pam Dixon, executive director of the World Privacy Forum.”
Another source is quoted as saying stolen U.S. health data, including diagnoses, medical histories, prescriptions, insurance information and Social Security numbers, was found on a Russian-registered server in Malaysia.
As for TEPR, the conference itself is really small, particularly when compared to the last time in Fort Lauderdale in 2004, when David Brailer delivered his first major speech as national health IT coordinator, and the opening session also included Bill “Dr. HIPAA” Braithwaite and the legendary Dr. Larry Weed.
This year’s conference has been truncated from four days to three, and Cerner and NextGen are among the vendors who are conspicuously absent from the trade show. In fact, Mark Anderson’s AC Group had a bigger booth than McKesson.
However, the educational presentations I’ve been to have been very good, though the compressed schedule means that some time slots had two dozen concurrent sessions, so I missed a few I would have liked to have seen.
I recorded a new podcast here on Tuesday, and hope to have it up soon.
Here are just a couple of links for the politically minded.
And the Healthcare Update News Service, mostly a compendium of press releases from various companies that also has weekly updates from Health Affairs, has posted video of a March 28 speech by the always-entertaining Bill “Dr. HIPAA” Braithwaite from the Fourth Health Information Technology Summit on privacy and security issues that may hold back health information exchange. I saw the speech live, and I think it’s worth the 33 minutes. Even if you don’t have that much time, you can skip to the “chapters” most of interest, much like watching a DVD.