
11 posts from November 2009

November 30, 2009

HealthBlawg listed in ABA Journal Blawg 100

I'm pleased to announce that HealthBlawg has been named to the ABA Journal Blawg 100.  I appreciate the recognition, and the nominations from you, dear readers, that put this blawg on the list.  I do not envy the editors who had to make the tough decisions -- there are many more than 100 deserving blawgs out there.

Since I began blogging over three years ago, I have been fortunate enough to get to know many bloggers -- including some of the other honorees -- both IRL (in real life) and virtually (via blogging and, more recently, via Twitter).  It has been an incredibly enriching experience; thank you, all.

The next phase of the Blawg 100 involves the general public, not just the ABA Journal's editorial staff.  Public voting will determine the ranking of blawgs within several editorial categories; HealthBlawg is in the "Practice Specific" category.

I would greatly appreciate your vote, not just in recognition of this blawg, but in recognition of health care law and policy as a significant practice area -- one that has not been represented in the ABA Journal Blawg 100 to date.  Please take a few moments to register on the ABA Journal website, and then vote for HealthBlawg.  Voting is open through the end of December.  Even though the ABA Journal is based in Chicago, I will refrain from exhorting you to vote early and often.    

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

November 25, 2009

Engage With Grace

As patients, as family members, as friends, as health care providers, we have all faced end-of-life issues at one time or another, and we will face them again.  And again. 

This weekend, the "Engage With Grace" message is being broadcast virally, through a "blog rally," at a time when many people are with family and friends over the long weekend.  The point is: we all need to have the potentially uncomfortable conversation with people close to us about what kind of treatment we would want, and they would want, if incapable of making or communicating health care decisions.  (Check out coverage of last year's blog rally in the Boston Globe.) 

End-of-life decision-making has long been an issue of great personal and professional interest to me, and I am proud to have played a role in having out-of-hospital DNR orders recognized in Massachusetts by EMS providers, as an example. 

Download your copies of the Massachusetts health care proxy form or other states' proxy or living will forms -- and add specific instructions about nutrition, hydration, and anything else that is important to you so that everything is crystal clear.  My mom kept a stack of living will forms in the dining room when I was growing up, and was not shy about raising the issue with dinner guests and offering to witness their directives.  Having the conversation is a starting point; we all need to follow through and make sure that our loved ones' wishes are documented, placed in medical records, discussed with physicians and other caregivers, and honored. 

When I have the opportunity to speak to groups of lawyers or health care providers, I often ask for a show of hands: how many of you have health care proxies?  The percentage seems to have increased over time, but it is still not where it needs to be.  If groups that should be above average in this respect are not all raising their hands, then we clearly have a lot to do in terms of educating the general public about the need to have the sometimes difficult conversation with friends and family members.  That's what the Engage With Grace project is all about.  And with that, I turn over this post to Engage With Grace:

*    *    * 

Last Thanksgiving weekend, many of us bloggers participated in the first documented “blog rally” to promote Engage With Grace – a movement aimed at having all of us understand and communicate our end-of-life wishes. It was a great success, with over 100 bloggers in the healthcare space and beyond participating and spreading the word. Plus, it was timed to coincide with a weekend when most of us are with the very people with whom we should be having these tough conversations – our closest friends and family. Our original mission – to get more and more people talking about their end of life wishes – hasn’t changed. But it’s been quite a year – so we thought this holiday, we’d try something different. A bit of levity. At the heart of Engage With Grace are five questions designed to get the conversation started. We’ve included them at the end of this post. They’re not easy questions, but they are important. To help ease us into these tough questions, and in the spirit of the season, we thought we’d start with five parallel questions that ARE pretty easy to answer:


Silly? Maybe. But it underscores how having a template like this – just five questions in plain, simple language – can deflate some of the complexity, formality and even misnomers that have sometimes surrounded the end-of-life discussion. So with that, we’ve included the five questions from Engage With Grace below. Think about them, document them, share them.

Over the past year there’s been a lot of discussion around end of life. And we’ve been fortunate to hear a lot of the more uplifting stories, as folks have used these five questions to initiate the conversation.

One man shared how surprised he was to learn that his wife’s preferences were not what he expected. Befitting this holiday, The One Slide now stands sentry on their fridge.

Wishing you and yours a holiday that’s fulfilling in all the right ways.

To learn more please go to This post was written by Alexandra Drane and the Engage With Grace team. If you want to reproduce this post on your blog (or anywhere) you can download a ready-made html version here.

Update 11/29/09:  Paul Levy, one of the moving forces behind this blog rally, has been cataloging the participants over at his blog, Running a Hospital.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

November 18, 2009

Health Care Social Media Legal Issues and Strategy Webinar

Today's HIPAA and Your Social Media Strategy webinar, which I presented together with Jamie Verkamp of (e)Merge, was a success.  We had a good turnout, interesting questions and engaging discussion.  Here is a version of the slide deck I used today, complete with links to other useful resources here at HealthBlawg and elsewhere on the web.

Jamie and I will be repeating this webinar in two weeks, on December 2, at 1:00 p.m. Eastern, 12:00 Central.  If you missed it the first time around, or would like to recommend it to a colleague, you can register here.

If you have any questions or comments on the subject, we'd like to hear from you.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

An ounce of prevention

Today's Boston Globe reports on a feature of the Massachusetts universal health care law that may be replicated at the national level: MassHealth -- the Massachusetts Medicaid program -- has been covering the costs for smoking cessation counseling and medications for eligible enrollees.

Using the data available, researchers were able to associate the roll-out of these services with a significant drop in smoking rates -- a drop not seen among the small percentage of Bay Staters who remain uninsured.

Not only that, but there are cost savings involved.  Fewer health care services are required by nonsmokers -- notably, less asthma and heart attack related services.

Thanks to aggressive promotion of the services through a variety of channels, 40% of eligible smokers enrolled, as opposed to the 5-10% that the program anticipated.

The success of this program had previously been announced by the Commonwealth in June.

Bottom line from the Globe:

Although the study being released today does not assess whether the stop-smoking campaign reduced health care costs overall, the findings led some advocates to call on the state to make all health plans - public and private - provide cessation programs with low co-pays and deductibles.

As health reform is further debated at the national level, we need to focus on the investments that may be made in the nation's health that will yield monetary as well as quality returns, and this initiative is certainly one that is worthy of closer examination.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

November 17, 2009

Son of HIPAA Breach Notification Rules and Business Associate Requirements: Who's Ready?

HIMSS Analytics surveyed about 250 hospital and business associate representatives, and came up with some figures to back up what we all knew in our hearts:  Most hospitals are gearing up for compliance with the HITECH Act / Son of HIPAA data security and breach notification requirements, but many experience data breaches -- about half of hospitals surveyed in the past year -- and business associates lag behind hospitals in awareness and preparedness for compliance with new business associate requirements.

Check out the full report on the HITECH Act's impact on privacy and security, and check out recent HealthBlawg posts on HITECH Act and Son of HIPAA issues here: HITECH Act security breach rules now effective; Comments on HITECH Act breach notification rule from Capitol Hill; and Son of HIPAA Breach Notification Rules.

Anyone who needs to be convinced that attention must be paid to this issue need only check out the cautionary tale of the Virginia prescription record security breach or any of the many breaches detailed here or here.

The survey provides a handful of key take-away points:

  • Risk assessments are common practice but alone do not mitigate breach risks.
  • Large hospitals experience the most data breaches and are at the greatest risk for future incidents.
  • Business associates are generally unprepared to meet the new data breach related obligations brought on by the HITECH Act.
  • Health care organizations are prepared to sanction business associates that don’t comply with the regulations outlined in the HITECH Act.
  • Inter-departmental disconnects between IT and Compliance on data breach policies and procedures leave hospitals at risk.

Bottom line: most health care provider organizations and most business associates (vendor organizations) have a great deal of work to do, not only in terms of conducting a thorough review of policies and procedures so as to come up with a gap analysis, but also in terms of implementing policies and procedures to fill the gaps identified, and conducting appropriate trainings at all levels of the organization, including clear delineation of lines of communication regarding data security matters.

The Harlow Group network stands ready to assist provider and vendor organizations in preparing themselves for full compliance with the new HIPAA requirements promulgated in the HITECH Act and its regulations.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

November 13, 2009

Social Media Session at Oklahoma Hospital Association Annual Meeting

Yesterday I had the pleasure of sharing the podium -- at least virtually -- at the Oklahoma Hospital Association's annual meeting with two leaders in the health care social media sphere, Ed Bennett of the University of Maryland Medical System and Lee Aase of the Mayo Clinic, for a program on health care social media presented by the Public Relations and Marketing Society of the OHA.  Our host, Brenda Finkle, and others, livetweeted the session.  Here for your perusal are our presentations.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

November 11, 2009

Son of HIPAA Breach Notification Rules

Health care providers: If your patient records aren't already stored digitally, they are likely to be digitized soon. There is a tremendous push by the federal government -- as well as by some private payors and self-insured employers -- to get all health care providers wired in the near future, in order to better coordinate patient care, improve outcomes, and "bend the cost curve" all at the same time. There are some financial incentives in play to achieving "meaningful use" of "certified" EHR systems; those terms are to be defined in federal regulations later this year, but the outlines of those definitions are already pretty clear.

Once all that patient data -- or as it is known in HIPAA-speak, protected health information (PHI) -- is stored electronically, it becomes exposed to potential data breaches. In late September, two sets of federal regulations took effect that address the way in which PHI should be maintained, and the steps that should be taken to prevent a data breach and to notify the government and affected individuals in the event there is a data breach. Compliance with these rules -- issued under authority of the HITECH Act by the US Department of Health and Human Services (HHS) with respect to health care providers, and by the Federal Trade Commission (FTC) with respect to EHR vendors and other similar third parties -- requires affected practices and businesses to assess and update their data privacy and security policies and procedures, as well as train all affected staff accordingly.

The exposure in case of violation is significant, both in terms of fines and penalties and in terms of bad publicity -- certain data breaches require notice to potentially affected individuals via the general media in addition to notices required to be filed with the regulators. The new rules -- I call them Son of HIPAA -- are layered on top of existing HIPAA privacy and security rules, the FTC's Red Flags Rule regarding identity theft protections to be put in place by any "creditor" (which includes health care providers not paid in full at the time of service -- though the effective date of the Red Flags Rule is now delayed yet again), and state privacy rules. While HHS and FTC took some pains to harmonize the new rules so that patients will not be bombarded with multiple data breach notifications about the same incident, for example, the other applicable rules out there have not been harmonized.

The key concept in the new breach notification rules is that encryption of patient data will eliminate the need to notify patients and the federal regulators in case of an inappropriate release of data. Such a release, if the data is encrypted (i.e., unusable, unreadable, or indecipherable), is not considered a breach. Encryption is not required, though, and each affected entity must engage in a cost-benefit analysis before deciding whether to encrypt all affected data.

Another important aspect of the rule is the concept of harm -- the regulators decided that not every data breach should trigger all of the notice requirements, just breaches that "pose a significant risk of financial, reputational, or other harm to the individual." For example, if an employee of a health care provider accesses a patient record inappropriately, but immediately realizes his or her mistake, and exits the record quickly and does not retain any PHI, that is not a reportable data breach.

Finally, "business associates" under HIPAA are now required to implement policies and procedures to maintain privacy and security of PHI, parallel to those that have been required of "covered entities" under HIPAA since the beginning. All business associate agreements and notices of privacy practices (NPPs) will have to be updated to account for the new requirements before February. Health care providers that wish to distinguish themselves should consider revising their NPPs to highlight the ease with which they will make copies of records available to patients. This is a bone of contention for many patients, and ensuring that patients' rights to their records are easily exercised could be a way to build goodwill among patients and potential patients.

This is an extremely brief introduction to a very involved set of regulations. My hope is that you now have a sense of how important it is to be sure that your operations are fully compliant with the regulatory requirements before full enforcement and random field audits begin in February 2010.

A version of this post was published on HCPlive.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

November 08, 2009

David Harlow quoted in "Social Networking 101 for Physicians" piece in Mass Medical Law Report

More and more physicians are exploring the use of social media in their practices, and the Massachusetts Medical Law Report ran a piece on Social Networking 101 for Physicians recently, quoting Kevin Pho of KevinMD, Jim Tobin of Ignite Health (regards to Fabio aka @skypen!) and me, among others.  As I posted recently, I will be giving a free webinar on the subject of regulatory issues around social media in health care on November 18, together with Jamie Verkamp of (e)Merge, who will speak to other aspects of planning a social media presence.  In addition to working with Jamie, whose agency focuses on physician practices, I am also working with agencies focused on hospital social media planning.  If this piques your interest, please register for the social media webinar and/or get in touch to discuss strategies for your organization and the regulatory hurdles you need to be aware of in the planning process.  FYI, my slides will be posted after the webinar.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

November 05, 2009

HIPAA and your social media strategy - Webinar November 18, 2009

Physicians, practice managers and other health care providers and managers considering a foray into social media, you are invited to join The Harlow Group and (e)Merge for a webinar discussing this timely and important topic.  Here is the (e)Merge announcement:

HIPAA and Your Social Media Strategy

Health care has taken notice of social media as a way to connect and interact with patients. With the escalating use by physicians, medical professionals, hospitals and clinics, concerns are growing as to how HIPAA regulations affect your online presence. Join Jamie Verkamp of (e)Merge as we sort out the confusion with leading health care attorney David Harlow, Principal of The Harlow Group.  We'll answer your questions and share valuable tips on how your practice can develop an effective social media and online strategy, while remaining compliant with HIPAA and other applicable rules.

Join us for a complimentary webinar sponsored by (e)Merge and The Harlow Group on Wednesday, November 18th at 1pm Eastern. Please feel free to share this invitation with others who you think may benefit from this webinar.


Please feel free to forward questions for Jamie or me in advance of the webinar so that we may be able to address them in our presentations.  We look forward to being with you virtually on the 18th.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

November 02, 2009

FDA and social media: The regulated community's current obsession overlooks off-label promotions by the advocacy community

This morning I received a tweet exhorting me to learn about Low Dose Naltrexone (LDN) for autoimmune diseases.  (Naltrexone, by the way, is approved by the FDA only to treat alcoholism.)  Within a few clicks, I found claims that LDN would be a good drug to take for dozens of conditions: everything from neuroblastoma to HIV to celiac disease, and learned of a network of tweeps promoting LDN. 

The above tweet linked to a blog promoting LDN which is part of the Health Central community.

All this got me thinking about a bunch of issues; for instance:

  • Does the promotion of off-label uses by a member blog comply with the HON Code, which has been adopted by Health Central?
  • Since folks are already using social media to promote off-label uses of prescription medications, what are, and what should be, the obligations of pharma companies to address the information put out by such folks?
  • Should we expect any of those obligations to change post-#FDASM (i.e., after the much-anticipated public hearing at the FDA on the use of social media in pharma marketing and subsequent anticipated rulemaking)?   

Well, marketing of drugs for off-label uses is supposed to follow certain FDA rules -- not very restrictive, and essentially self-policed, since the rules just say that only medical journal articles on off-label uses may be shared with docs. Of course, some drug reps cross the line, and one pharma company -- Allergan, the maker of Botox -- is seeking to have even these limits lifted as unconstitutional limits on free speech.  These rules apply to the pharma companies' reps, not independent bloggers, of course, but the HON Code (which ought to apply, given the Health Central endorsement of the blog in question) ought to impose some relevant standards.  Consider Principle 5 - Justification of claims:

All information about the benefits or performance of any treatment (medical and/or surgical), commercial product or service are considered as claims. All claims have to be backed up with scientific evidence (medical journals, reports or others).

Pharma's concern about content created by others but posted on a pharma company web site or blog or other social media site should perhaps be extended to a concern about content posted by others on other sites.  Both may be found just as easily, given the plethora of web search and alert tools now available.  I am not suggesting that pharma companies be called upon to monitor the entire internet; rather, perhaps the time has come to create firmer rules about promotion of off-label uses of prescription drugs, to be enforced by state and federal authorities.

Without waiting for the public hearing to be completed and rules to be written (which could take a year), many pharma companies have already established a social media presence.  While the manner in which they use the medium is a topic for another day, we should expect at least some of them to become more actively engaged in social media in the future.  

David Harlow
The Harlow Group LLC
Health Care Law and Consulting