13 posts from April 2009

April 30, 2009

Health Wonk Review is up

Bob Laszewski hosts the current edition of Health Wonk Review at Health Care Policy and Marketplace Review -- check it out if you're ready for a dive into all things health care: health care reform, IT, payment, congressional jockeying, social media and related wonkery.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

April 27, 2009

David Harlow quoted in Boston Business Journal column on lawyers and twitter

I spoke last week with Lisa van der Pool at the Boston Business Journal about twitter, now the hot trend in social media for lawyers.  See her Legal Briefs column in the current issue.  I know newspaper websites have policies on links, but it drives me nuts when online editions don't have links to resources they reference.  So ... please check out my twitterfeed and the feeds of the other attorneys featured in the column: @healthblawg (David Harlow), @attyimmigration (Joshua Goldstein), @jayshep (Jay Shepherd) (employment), @dfrederico (Donald Frederico) (litigation).

The Legal Brief piece puts the fact of twitter use by lawyers out there for those not already following Massachusetts' "legal birds" or healthcare "legal birds" -- if you're one of those, I encourage you to experience the twitterstream for yourself.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

April 22, 2009

Health 2.0 conference today and tomorrow in Boston: follow along here via CoverItLive

Health 2.0 begins today in Boston.  Follow along here or elsewhere via twitter hashtag #health2con.

Update 5/8/09: Check out Chris Hogg's tweetstream analysis:

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

April 21, 2009

HealthCamp Boston / SocialPharmer Boston Twitterstream via Cover It Live

HealthCamp Boston and SocialPharmer Boston are taking place today.  For those of you on site, please live tweet using hashtags #hcbos or #socpharm.  For those of you following along at home, please follow those hashtags in your reader of choice, or right here.  Separate windows are provided for #hcbos and #socpharm (each will have more than one thread, so mashing them together seemed too unwieldy).  The twitterstream will be archived here for future reference.  Information on audio and video archives will be available via the event website at some point in the future.



David Harlow
The Harlow Group LLC
Health Care Law and Consulting

April 20, 2009

HealthCamp Boston April 21 - Come join in the fun, or follow along at home

HealthCamp Boston and SocialPharmer Boston are happening tomorrow, April 21.  If you can't make it in person and would like to follow the events of the day, check back here at HealthBlawg for CoverItLive windows: one will be set to follow the #hcbos twitterstream, the other, the #socpharm stream.  If you are on twitter, use your reader of choice.  The tweets will be archived here for future reference.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Blawg Review goes green

Today's edition of Blawg Review at Green Patent Blog celebrates Earth Day by examining the EPA's stance on greenhouse gases, the carbon footprint of spam, a lawsuit involving the appropriation of Woody Allen's image (dressed as a hasid in Annie Hall), a trademark case about silver birch that sounds more like slippery elm, the HealthBlawger's post about the controlled environment of the hospital operating room, and going camping in the great outdoors.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

April 17, 2009

Draft guidance on rendering PHI unusable or indecipherable posted; comment period runs through May 21

The federales posted today, for a brief comment period, proposed guidance on how to render PHI unusable, unreadable or indecipherable to unauthorized individuals.  (This keys into the FTC's proposed interim breach notification rule, released yesterday, as well.) In addition to input on the technical specifications reproduced below, the agency is soliciting comments (as set forth further below) on a broad range of policy issues - rendering PHI unreadable, but also on breach notification provisions generally.  The full notice is linked to from the page linked above, but here is the meat of the proposal:

B. Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals only if one or more of the following applies:

a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” and such confidential process or key that might enable decryption has not been breached. Encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.

i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
ii) Valid encryption processes for data in motion are those that comply with the requirements of Federal Information Processing Standards (FIPS) 140-2. These include, as appropriate, standards described in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are FIPS 140-2 validated.

b) The media on which the PHI is stored or recorded has been destroyed in one of the following ways:

i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.

III. Solicitation of Comments

A. Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

The Department is seeking comments on its guidance regarding the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals for purposes of section 13402(h)(2) of the Act. In particular, the Department is interested in receiving comments on the following:

1. Are there particular electronic media configurations that may render PHI unusable, unreadable, or indecipherable to unauthorized individuals, such as a fingerprint protected Universal Serial Bus (USB) drive, which are not sufficiently covered by the above and to which guidance should be specifically addressed?
2. With respect to paper PHI, are there additional methods the Department should consider for rendering the information unusable, unreadable, or indecipherable to unauthorized individuals?
3. Are there other methods generally the Department should consider for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals?
4. Are there circumstances under which the methods discussed above would fail to render information unusable, unreadable, or indecipherable to unauthorized individuals?
5. Does the risk of re-identification of a limited data set warrant its exclusion from the list of technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals? Can risk of re-identification be alleviated such that the creation of a limited data set could be added to this guidance?
6. In the event of a breach of protected health information in limited data set form, are there any administrative or legal concerns about the ability to comply with the breach notification requirements?
7. Should future guidance specify which off-the-shelf products, if any, meet the encryption standards identified in this guidance?

B. Breach Notification Provisions Generally

In addition to public comment on the guidance, the Department also requests comments concerning any other areas or issues pertinent to the development of its interim final regulations for breach notification. In particular, the Department is interested in comment in the following areas:

1. Based on experience in complying with state breach notification laws, are there any potential areas of conflict or other issues the Department should consider in promulgating the federal breach notification requirements?
2. Given current obligations under state breach notification laws, do covered entities or business associates anticipate having to send multiple notices to an individual upon discovery of a single breach? Are there circumstances in which the required federal notice would not also satisfy any notice obligations under the state law?
3. Considering the methodologies discussed in the guidance, are there any circumstances in which a covered entity or business associate would still be required to notify individuals under state laws of a breach of information that has been rendered secured based on federal requirements?
4. The Act’s definition of “breach” provides for a variety of exceptions. To what particular types of circumstances do entities anticipate these exceptions applying?


Comments will be accepted through May 21.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

MGH pediatric heart surgery: Volume, volume, volume, or, How low can you go?

Today's Boston Globe reports that Massachusetts General Hospital has voluntarily suspended operation of its pediatric cardiac surgery program, following two significant negative outcomes.  MGH is conducting an internal investigation, much as UMass Memorial suspended its heart surgery program while investigating higher-than-average CABG mortality rates a while back (see HealthBlawg interview with UMMMC general counsel Doug Brown on its cardiac surgery program).  David Torchiana and MGH will certainly be able to identify opportunities for improvement, as did UMMMC, by going through this exercise.  UMass Memorial restarted its program after implementing quality improvements it identified through the review process.  The question on many minds today is whether it makes sense for MGH to continue to run such a program, with the relatively low volume that it has, given the resources and existing programs of Boston's nearby Children's Hospital.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

April 16, 2009

Health Wonk Review is up

The collective self-delusion edition of Health Wonk Review is up at Glenn Laffel's Pizaazz.  Read all about "progress" in health care and get ready to pitch in and change it all.  For those of you in the Boston area, come join us at the HealthCamp Boston unconference on April 21 or follow the events of the day here at HealthBlawg or via twitter at #hcbos.  Hope to see you at Health 2.0 Boston as well.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

April 13, 2009

All the blawgs that fit, we print

A tribute to journalism not being dead yet, the current edition of Blawg Review is up at Jordan Furlong's Law21.  Amazingly, this edition marks the end of the first four years of Blawg Review.  The HealthBlawger will be hosting in four weeks' time, so prepare yourselves for a Blawg Review look at President Obama's first hundred days, and send in those posts.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting