Patient control over patient data in electronic health records: A work in progress

Over the past six months, there has been a growing (and certainly more visible) patient-centered movement fomented in large part by some of the health care digerati / blogerati / twitterati I know -- revolving around patient control over electronic health records. 

Dave DeBronkart (@ePatientDave) -- not the most circumspect guy you'll ever meet -- is very straightforward about it. He says: "Gimme My Damn Data."  (See my earlier take, with links to his post on his Google Health experience.)  Gilles Frydman (@gfry)and others were responsible for putting together the "Declaration of Health Data Rights" (the link is to my post on the subject, with links to related resources); while that title is more sedate, Gilles is an equally vocal advocate for patient control of data.  In fact, he and Dave are two of the key drivers of e-patients.net and the Journal of Participatory Medicine.  Mark Scrimshire (@ekivemark) -- HealthCamp's "chief troublemaker," with whom I had the pleasure of organizing HealthCamp Boston earlier this year -- blogged on the subject of patient control of patient data a couple days ago, as he pulled together some recent posts by Gilles and Jen McCabe (@jensmccabe) which relate to part of this past Sunday's #hcsm tweetchat with Steven Daviss (@HITshrink) and others (scroll down to 8 pm or so to read about licensing of patient data).  Please follow all of these links to catch yourself up on the conversation, if you haven't been following along.

Mark suggests in his recent post that each of us should offer an emendation to the standard HIPAA Notice of Privacy Practices, directing our health care providers to upload our health data into our PHR of choice, and has called for some editing assistance.

My gut level reaction to Mark's suggestion is to agree that it makes sense and to dive into the editing.  Unfortunately, making sense is not a prerequisite (and may even be an impediment) to adoption of suggestions like this.

In my post on the Declaration of Health Rights (linked to above), I wrote that one key approach to ensuring that there be more widespread sharing of data would be for participatory-medicine-minded health care providers to revise their Notices of Privacy Practices (NPPs) (as they will have to by February, thanks to the Son of HIPAA rules under the HITECH Act effective then).  One reason for my suggestion that the change come from the provider side is very pragmatic.  Privacy advocates have promoted a number of emendations to the standard NPP language used by health care providers, but my educated guess is that virtually all health care providers collecting signed NPPs are completely incapable of managing such "exceptions."  Are they required to do so?  Yes.  Can we reasonably expect that they will?  No.  So the carefully-drafted amendments are, at best, sitting in non-digitized storage somewhere, collecting dust.

In the #hcflower conversation in the past week or so on twitter and elsewhere, prompted by a guest post and subsequent discussion on Howard Luks' (@hjluks) blog, a core of health care providers and HIT cognoscenti have begun wrestling with the technical details that would have to be working in the background to enable the instant availability of patient data to any relevant clinician or health care facility.  Because of the difficulties inherent in this exercise, Mark's proposed NPP amendment addresses the existing EHR/PHR architecture; nevertheless, it seems to me that it is probably premature -- even if acknowledged and honored by health care providers, the data shared would, more likely than not, be of the quality experienced by ePatientDave, leading him to exclaim "Gimme My Damn Data," and would very likely not be provided in real time (leading, of course, to the potential of excess testing and inappropriate treatment).

There are other related issues raised in the #hcsm tweetchat, but those are perhaps best reserved for another day.

So, what do you think? 

• Are patients now ready to insist on having their health care providers upload their health information to PHR systems such as Google Health or Microsoft HealthVault?  How can patients ensure that these data be transportable from a tethered PHR to a freestanding one if and when they change providers or insurers?
  
• Are PHR platforms and health care providers prepared (and equipped) to act on these requests?  My working assumption is that the answer at the moment is no, since there are some technical issues to overcome.  One approach to the technical issues relating to real-time queries from one provider to another's EHR is outlined here.  It is unclear to me what would be involved (in time and money) in getting from here to there.  (Technical congnoscenti: help me out here.)
  
• What other questions need to be asked and answered in order to move this further along?

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Ten Years After "To Err Is Human"

Ten Years After sang "I'd Love to Change the World" more than ten years ago. 

Sadly, ten years after the seminal IOM report on medical errors -- To Err Is Human -- was released, we should all be singing that song, because that wake-up call has gone largely unheeded; or perhaps a better way of putting it would be to say that efforts to address the issues raised by the report have not been uniformly successful.  The Interdisciplinary Nursing Quality Research Initiative released the following observations today:

In 1999, the Institute of Medicine’s (IOM) groundbreaking “To Err Is Human” report found that as many as 98,000 people die each year from medical errors in hospitals, making medical errors a more common cause of death than motor vehicle accidents, breast cancer, or AIDS. The report estimated that these errors cost the country nearly $38 billion each year.

Ten years later, medical errors are still a widespread problem in the American health system.  More than 1.5 million Americans are sickened, injured, or killed by medication errors each year.  1.7 million Americans battle illnesses due to hospital acquired infections, 99,000 of whom die.

INQRI posted several perspectives on the topic on its blog, including an interview with BIDMC CEO and blogger Paul Levy.  Like many health care organizations across the country, BIDMC has worked to improve quality and address medical errors over the years and, in fact, was recently recognized by the Leapfrog Group as one of 45 "Leapfrog Top Hospitals" nationwide.

The information from INQRI shows that medical error morbidity and mortality is on the rise, not on the decline, despite the attention paid to this vexing issue in the decade since "To Err Is Human." 

The question remains: How can these quality issues be addressed in the context of current health reform efforts?  Where are the "best practices" that all health care providers can learn from?  Are there best practices that are easily transferable from setting to setting?  Much has been said about "bending the cost curve," but more needs to be said -- and, more importantly, done -- about taking concrete steps to improve quality by aligning incentives properly.  Payment system reform, creating new incentives for efficient and effective care delivery, ought to be closer than it is to front and center in the current health care debate.  In addition, more attention must be paid to aligning the incentives of the various payers in the health care delivery system.  For example, employment of physicians seems to be the way of the future, though some folks trying to move large systems in that direction have been burned (Exhibit A: Alegent).  Integrated delivery systems with employed physicians seem to be able to do the best at aligning incentives, though there are certainly some counterexamples out there (including BIDMC).

This is an issue that must be addressed by lawmakers, payors and the delivery system, working together -- or at least aiming in the same direction.  Thus far, we have seen only incremental progress, at best.  

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

HealthBlawg listed in ABA Journal Blawg 100

I'm pleased to announce that HealthBlawg has been named to the ABA Journal Blawg 100.  I appreciate the recognition, and the nominations from you, dear readers, that put this blawg on the list.  I do not envy the editors who had to make the tough decisions -- there are many more than 100 deserving blawgs out there.

Since I began blogging over three years ago, I have been fortunate enough to get to know many bloggers -- including some of the other honorees -- both IRL (in real life) and virtually (via blogging and, more recently, via Twitter).  It has been an incredibly enriching experience; thank you, all.

The next phase of the Blawg 100 involves the general public, not just the ABA Journal's editorial staff.  Public voting will determine the ranking of blawgs within several editorial categories; HealthBlawg is in the "Practice Specific" category.

I would greatly appreciate your vote, not just in recognition of this blawg, but in recognition of health care law and policy as a significant practice area -- one that has not been represented in the ABA Journal Blawg 100 to date.  Please take a few moments to register on the ABA Journal website, and then vote for HealthBlawg.  Voting is open through the end of December.  Even though the ABA Journal is based in Chicago, I will refrain from exhorting you to vote early and often.    

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Engage With Grace

As patients, as family members, as friends, as health care providers, we have all faced end-of-life issues at one time or another, and we will face them again.  And again. 

This weekend, the "Engage With Grace" message is being broadcast virally, through a "blog rally," at a time when many people are with family and friends over the long weekend.  The point is: we all need to have the potentially uncomfortable conversation with people close to us about what kind of treatment we would want, and they would want, if incapable of making or communicating health care decisions.  (Check out coverage of last year's blog rally in the Boston Globe.) 

End-of-life decision-making has long been an issue of great personal and professional interest to me, and I am proud to have played a role in having out-of-hospital DNR orders recognized in Massachusetts by EMS providers, as an example. 

Download your copies of the Massachusetts health care proxy form or other states' proxy or living will forms -- and add specific instructions about nutrition, hydration, and anything else that is important to you so that everything is crystal clear.  My mom kept a stack of living will forms in the dining room when I was growing up, and was not shy about raising the issue with dinner guests and offering to witness their directives.  Having the conversation is a starting point; we all need to follow through and make sure that our loved ones' wishes are documented, placed in medical records, discussed with physicians and other caregivers, and honored. 

When I have the opportunity to speak to groups of lawyers or health care providers, I often ask for a show of hands: how many of you have health care proxies?  The percentage seems to have increased over time, but it is still not where it needs to be.  If groups that should be above average in this respect are not all raising their hands, then we clearly have a lot to do in terms of educating the general public about the need to have the sometimes difficult conversation with friends and family members.  That's what the Engage With Grace project is all about.  And with that, I turn over this post to Engage With Grace:

*    *    * 

Last Thanksgiving weekend, many of us bloggers participated in the first documented “blog rally” to promote Engage With Grace – a movement aimed at having all of us understand and communicate our end-of-life wishes. It was a great success, with over 100 bloggers in the healthcare space and beyond participating and spreading the word. Plus, it was timed to coincide with a weekend when most of us are with the very people with whom we should be having these tough conversations – our closest friends and family. Our original mission – to get more and more people talking about their end of life wishes – hasn’t changed. But it’s been quite a year – so we thought this holiday, we’d try something different. A bit of levity. At the heart of Engage With Grace are five questions designed to get the conversation started. We’ve included them at the end of this post. They’re not easy questions, but they are important. To help ease us into these tough questions, and in the spirit of the season, we thought we’d start with five parallel questions that ARE pretty easy to answer:

 

Silly? Maybe. But it underscores how having a template like this – just five questions in plain, simple language – can deflate some of the complexity, formality and even misnomers that have sometimes surrounded the end-of-life discussion. So with that, we’ve included the five questions from Engage With Grace below. Think about them, document them, share them.

Over the past year there’s been a lot of discussion around end of life. And we’ve been fortunate to hear a lot of the more uplifting stories, as folks have used these five questions to initiate the conversation.

One man shared how surprised he was to learn that his wife’s preferences were not what he expected. Befitting this holiday, The One Slide now stands sentry on their fridge.

Wishing you and yours a holiday that’s fulfilling in all the right ways.


To learn more please go to www.engagewithgrace.org. This post was written by Alexandra Drane and the Engage With Grace team. If you want to reproduce this post on your blog (or anywhere) you can download a ready-made html version here.

Update 11/29/09:  Paul Levy, one of the moving forces behind this blog rally, has been cataloging the participants over at his blog, Running a Hospital.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Health Care Social Media Legal Issues and Strategy Webinar

Today's HIPAA and Your Social Media Strategy webinar, which I presented together with Jamie Verkamp of (e)Merge, was a success.  We had a good turnout, interesting questions and engaging discussion.  Here is a version of the slide deck I used today, complete with links to other useful resources here at HealthBlawg and elsewhere on the web.

Social Media In Health Care Legal Issues

View more presentations from DavidHarlow.

Jamie and I will be repeating this webinar in two weeks, on December 2 , at 1:00 p.m. Eastern, 12:00 Central.  If you missed it the first time around, or would like to recommend it to a colleague, you can register here.

If you have any questions or comments on the subject, we'd like to hear from you.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

An ounce of prevention

Today's Boston Globe reports on a feature of the Massachusetts universal health care law that may be replicated at the national level: MassHealth -- the Massachusetts Medicaid program -- has been covering the costs for smoking cessation counseling and medications for eligible enrollees.

Using the data available, researchers were able to associate the roll-out of these services with a significant drop in smoking rates -- a drop not seen among the small percentage of Bay Staters who remain uninsured.

Not only that, but there are cost savings involved.  Fewer health care services are required by nonsmokers -- notably, less asthma and heart attack related services.

Thanks to aggressive promotion of the services through a variety of channels, 40% of eligible smokers enrolled, as opposed to the 5-10% that the program anticipated.

The success of this program had previously been announced by the Commonwealth in June.

Bottom line from the Globe:

Although the study being released today does not assess whether the stop-smoking campaign reduced health care costs overall, the findings led some advocates to call on the state to make all health plans - public and private - provide cessation programs with low co-pays and deductibles.

As health reform is further debated at the national level, we need to focus on the investments that may be made in the nation's health that will yield monetary as well as quality returns, and this initiative is certainly one that is worthy of closer examination.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Son of HIPAA Breach Notification Rules and Business Associate Requirements: Who's Ready?

HIMMS Analytics surveyed about 250 hospital and business associate representatives, and came up with some figures to back up what we all knew in our hearts:  Most hospitals are gearing up for compliance with the HITECH Act / Son of HIPAA data security and breach notification requirements, but many experience data breaches -- about half of hospitals surveyed in the past year -- and business associates lag behind hospital in awareness and preparedness for compliance with new business associate requirements.

Check out the full report on the HITECH Act's impact on privacy and security, and check out recent HealthBlawg posts on HITECH Act and Son of HIPAA issues here: HITECH Act security breach rules now effective; Comments on HITECH Act breach notification rule from Capitol Hill; and Son of HIPAA Breach Notification Rules. 

Anyone who needs to be convinced that attention must be paid to this issue need only check out the cautionary tale of the Virginia prescription record security breach or any of the many breaches detailed here or here.

The survey provides a handful of key take-away points:

• Risk assessments are common practice but alone do not mitigate breach risks.
• Large hospitals experience the most data breaches and are at the greatest risk for future incidents.
• Business associates are generally unprepared to meet the new data breach related obligations brought on by the HITECH Act.
• Health care organizations are prepared to sanction business associates that don’t comply with the regulations outlined in the HITECH Act.
• Inter-departmental disconnects between IT and Compliance on data breach policies and procedures leave hospitals at risk.

Bottom line: most health care provider organizations and most business associates (vendor organizations) have a great deal of work to do, not only in terms of conducting a through review of policies and procedures so as to come up with a gap analysis, but also in terms of implementing policies and procedures to fill the gaps identified, and to conduct appropriate trainings at all levels of the organization, including clear delineation of lines of communication regarding data security matters.

The Harlow Group network stands ready to assist provider and vendor organizations in preparing themselves for full compliance with the new HIPAA requirements promulgated in the HITECH Act and its regulations.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Social Media Session at Oklahoma Hospital Association Annual Meeting

Yesterday I had the pleasure of sharing the podium -- at least virtually -- at the Oklahoma Hospital Association's annual meeting with two leaders in the health care social media sphere, Ed Bennett of the University of Maryland Medical System and Lee Aase of the Mayo Clinic, for a program on health care social media presented by the Public Relations and Marketing Society of the OHA.  Our host, Brenda Finkle, and others, livetweeted the session.  Here for your perusal are our presentations.

Presentation at the Oklahoma Hospital Association

View more presentations from Ed Bennett.

Oklahoma Hospital Association

View more documents from Lee Aase.

David Harlow on Social Media In Health Care Legal Issues - OHA

View more presentations from DavidHarlow.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Son of HIPAA Breach Notification Rules

Health care providers: If your patient records aren't already stored digitally, they are likely to be digitized soon. There is a tremendous push by the federal government -- as well as by some private payors and self-insured employers -- to get all health care providers wired in the near future, in order to better coordinate patient care, improve outcomes, and "bend the cost curve" all at the same time. There are some financial incentives in play to achieving "meaningful use" of "certified" EHR systems; those terms are to be defined in federal regulations later this year, but the outlines of those definitions are already pretty clear.

Once all that patient data -- or as it is known in HIPAA-speak, protected health information (PHI) -- is stored electronically, it becomes exposed to potential data breaches. In late September, two sets of federal regulations took effect that address the way in which PHI should be maintained, and the steps that should be taken to prevent a data breach and to notify the government and affected individuals in the event there is a data breach. Compliance with these rules -- issued under authority of the HITECH Act by the US Department of Health and Human Services (HHS) with respect to health care providers, and by the Federal Trade Commission (FTC) with respect to EHR vendors and other similar third parties -- requires affected practices and businesses to assess and update their data privacy and security policies and procedures, as well as train all affected staff accordingly.

The exposure in case of violation is significant, both in terms of fines and penalties and in terms of bad publicity-certain data breaches require notice to potentially affected individuals via the general media in addition to notices required to be fled with the regulators. The new rules -- I call them Son of HIPAA -- are layered on top of existing HIPAA privacy and security rules, the FTC's Red Flags Rule regarding identity theft protections to be put in place by any "creditor" (which includes health care providers not paid in full at the time of service -- though the effective date of Red Flags Rule is now delayed yet again), and state privacy rules. While HHS and FTC took some pains to harmonize the new rules so that patients will not be bombarded with multiple data breach notifications about the same incident, for example, the other applicable rules out there have not been harmonized.

The key concept in the new breach notification rules is that encryption of patient data will eliminate the need to notify patients and the federal regulators in case of an inappropriate release of data. Such a release, if the data is encrypted (i.e., unusable, unreadable, or indecipherable), is not considered a breach. Encryption is not required, though, and each affected entity must engage in a cost-benefit analysis before deciding whether to encrypt all affected data.

Another important aspect of the rule is the concept of harm-the regulators decided that not every data breach should trigger all of the notice requirements, just breaches that "pose a significant risk of financial, reputational, or other harm to the individual." For example, if an employee of a health care provider accesses a patient record inappropriately, but immediately realizes his or her mistake, and exits the record quickly and does not retain any PHI, that is not a reportable data breach.

Finally, "business associates" under HIPAA are now required to implement policies and procedures to maintain privacy and security of PHI, parallel to those that have been required of "covered entities" under HIPAA since the beginning. All business associate agreements and notice of privacy practices (NPPs) will have to be updated to account for the new requirements before February. Health care providers that wish to distinguish themselves should consider revising their NPPs to highlight the ease with which they will make copies of records available to patients. This is a bone of contention for many patients, and ensuring that patients' rights to their records are easily exercised could be a way to build goodwill among patients and potential patients.

This is an extremely brief introduction to a very involved set of regulations. My hope is that you now have a sense of how important it is to be sure that your operations are fully compliant with the regulatory requirements before full enforcement and random field audits begin in February 2010.

A version of this post was published on HCPlive.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

David Harlow quoted in "Social Networking 101 for Physicians" piece in Mass Medical Law Report

More and more physicians are exploring the use of social media in their practices, and the Massachusetts Medical Law report ran a piece on Social Networking 101 for Physicians recently, quoting Kevin Pho of KevinMD, Jim Tobin of Ignite Health (regards to Fabio aka @skypen!) and me, among others.  As I posted recently, I will be giving a free webinar on the subject of regulatory issues around social media in health care on November 18, together with Jamie Verkamp of (e)Merge, who will speak to other aspects of planning a social media presence.  In addition to working with Jamie, whose agency focuses on physician practices, I am also working with agencies focused on hospital social media planning.  If this piques your interest, please register for the social media webinar and/or get in touch to discuss strategies for your organization and the regulatory hurdles you need to be aware of in the planning process.  FYI, my slides will be posted after the webinar.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting