
81 posts categorized "Ehealth"

February 06, 2015

Lessons from the Anthem breach

Into the Breach

Anthem experienced a major data breach last week, and reportedly some records (Social Security Numbers and other identifying information, but not health data) of up to 80 million members and employees were obtained by hackers.

There is much to be said (and much has already been said) about the need for privacy and security protections in the case of Anthem, just as "helpful hints" have been provided after the fact to victims of all significant data breaches. My reaction, when reading about the unencrypted SSNs that were accessed in this attack, was: Why in the world are we using social security numbers as ID numbers? It doesn't have to be this way.
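One way to stop using the SSN as the identifier, shown here as an added example and not as code from the original post or from Anthem: derive a keyed surrogate ID with HMAC-SHA256 and store only that. The example also shows why the obvious shortcut, an unkeyed hash of the SSN, is not a real protection: there are only about a billion possible SSNs, so an unkeyed hash can be reversed by enumeration. The SSN value, the namespace label and the range used in the brute-force demonstration are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets


def normalize_ssn(ssn: str) -> str:
    """Strip separators and require exactly nine digits."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def plain_hash(ssn: str) -> str:
    """The tempting but weak approach: an unkeyed SHA-256 of the SSN."""
    return hashlib.sha256(normalize_ssn(ssn).encode()).hexdigest()


def recover_from_plain_hash(target_hex: str, start: int, stop: int):
    """Reverse an unkeyed hash by enumerating candidate SSNs.

    The whole space is only 10^9 values, which is minutes of work on a
    laptop; the bounded range here just keeps the demonstration fast.
    """
    for n in range(start, stop):
        candidate = f"{n:09d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == target_hex:
            return candidate
    return None


def new_key() -> bytes:
    """256-bit secret. In production this lives in a KMS/HSM, not beside the member table."""
    return secrets.token_bytes(32)


def surrogate_id(ssn: str, key: bytes, namespace: bytes = b"member-id-v1") -> str:
    """Keyed surrogate: HMAC-SHA256 over a namespaced SSN, truncated to 128 bits.

    The same SSN maps to the same surrogate for a given key and namespace, so
    intake can still look a member up; without the key, enumerating all SSNs
    yields nothing. Different namespaces (e.g. claims vs. member records)
    give unlinkable surrogates for the same person.
    """
    msg = namespace + b":" + normalize_ssn(ssn).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


# Constructed demonstration value; not a real SSN.
DEMO_SSN = "123-45-6789"

if __name__ == "__main__":
    key = new_key()
    print("surrogate:", surrogate_id(DEMO_SSN, key))
    weak = plain_hash(DEMO_SSN)
    print("recovered from unkeyed hash:", recover_from_plain_hash(weak, 123_456_000, 123_457_000))
```

The point of the design is separation: the member database holds only surrogates, the HMAC key sits in a separate key-management boundary, and a dump of the database alone (the Anthem scenario) does not hand the attacker SSNs. Rotating the key requires re-deriving surrogates, so plan the namespace versioning up front.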


February 03, 2015

ONC, Interoperability, and the 2/6/2015 #HITsm Tweetchat

I am pleased to be moderating the weekly #HITsm tweetchat this Friday, February 6, 2015 -- Beyond Meaningful Use: What's next for ONC … and the rest of us. Join us at 12 noon Eastern Time.

Top of mind for the #HITsm twitterati this week are the ONC interoperability roadmap released at the end of last week, and the ONC conference taking place this week in DC. Check out the ONC liveblogging from Mark Scrimshire (aka @ekivemark), and the #ONC2015 tweetstream at large.

Here are the topics for this week's chat. I look forward to discussing them with you.


January 30, 2015

Privacy and Security and the Internet of Things

"Only Connect"

In the future, everything will be connected.

That future is almost here.

Over a year ago, the Federal Trade Commission held an Internet of Things workshop and it has finally issued a report summarizing comments and recommendations that came out of that conclave.

As in the case of the HITECH Act's attempt to increase public confidence in electronic health records by ramping up privacy and security protections for health data, the IoT report -- and an accompanying publication with recommendations to industry regarding taking a risk-based approach to development, adhering to industry best practices (encryption, authentication, etc.) -- seeks to increase the public's confidence, but is doing it the FTC way: no actual rules, just guidance that can be used later by the FTC in enforcement cases. The FTC can take action against an entity that engages in unfair or deceptive business practices, but such practices are defined by case law (administrative and judicial), not regulations, thus creating the U.S. Supreme Court and pornography conundrum -- I can't define it, but I know it when I see it (see Justice Stewart's timeless concurring opinion in Jacobellis v. Ohio).


August 27, 2014

Health Care Conferences This Fall

Your faithful HealthBlawger will be out and about at a number of conferences and events this fall, speaking, moderating . . . and immoderately disrupting.

I hope to see you at one or more of these. See descriptions below for links to registration.

Keep an eye out for "Friendship Pins" -- my jacket from The Walking Gallery, pictured here -- and I will be in or near it.

If you are organizing a conference a little further down the road, please consider including me as a keynote speaker or otherwise. We should talk.

Here's the rundown:

HIMSS Privacy & Security Forum

September 8-9, 2014, Boston, MA

I'll be one of the general session speakers: Keeping Your Edge: Managing Social Media While Protecting Privacy & Security.


June 06, 2014

Telehealth: Roy Schoenberg, CEO of American Well, Speaks with David Harlow

I had the opportunity to speak with Roy Schoenberg about the model policy recently adopted by the Federation of State Medical Boards (FSMB): Model Policy for the Appropriate Use of Telemedicine Technologies in the Practice of Medicine. The model policy is offered as a means for state medical boards to get up to speed quickly and to access standards of care that are both protective of patients' interests and, frankly, are baselines against which physician behavior may be judged by an individual board. Roy distinguishes between telemedicine (doc-to-doc communication) and telehealth (patient-to-doc communication). The latter, particularly using a secure live video platform, is a disruptive innovation in a way that the former is not: it allows patients to access medical advice at their convenience, without the need for an office visit or a trip to a specialist.


March 27, 2014

Unlocking the Power of Health Data

A Perspectives piece I wrote was published this week by iHealthBeat - Unlocking the Power of Health Data. In it I argue for patient-controlled sharing of rich data, as opposed to HIPAA-regulated stripping of identifiers in order to eliminate the risk to patient privacy as data is shared for research and other purposes. Googler Larry Page and Josh Stevens of Keas have argued recently in favor of broader uses of health data, but the issue of HIPAA keeps coming up in those conversations. Most connected patients seem comfortable with the idea of sharing health data, and as more of us get connected, this sentiment is only likely to spread.

As I wrote at iHealthBeat:

I have discussed the patient donation of data before, and the first objection I heard was from a data scientist who worried that the volume of patient records collected in this manner would be too small to yield any meaningful insights. While this may be true at first, I believe that over time patients will come to prefer to set their own limits on data sharing rather than be stuck with the one-size-fits-none approach available under HIPAA. In addition, the data made available through these repositories will be more valuable than that available as de-identified data for research precisely because there are more identifiers attached.

Are we ready for a new paradigm in data sharing and big data analysis?

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

photo: flickr cc Tripp

January 03, 2014

Health IT Wisdom at the End of 2013 and Start of 2014

I am quoted in a couple of year-end / new year pieces on health IT, appearing this week in iHealthBeat and FierceHealthIT.

With new developments over the past year in the realms of telehealth, mobile health and health data privacy and security, and opportunities for accountable care organizations, integration of connected health and implementation of HIPAA compliance plans, there is plenty of material for prognosticators.

Kate Ackerman, Editor-in-Chief at iHealthBeat asked 13 experts three questions.

Here are the questions and my answers; follow the link above to read 12 other perspectives.


October 30, 2013

Mobile Health Apps: Pass the Secret Sauce

The IMS Institute for Healthcare Informatics released a report on the ecosystem bloody mess of 40,000+ mobile health apps that are available today. Hat tip to Jane Sarasohn-Kahn for writing about it today at Health Populi.

From the executive summary:

Over time, the app maturity model will see apps progress from being recommended on an ad hoc basis by individual physicians, to systematic use in healthcare, and ultimately to an end goal of being a fully integrated component of healthcare management. There are four key steps to move through on this process: recognition by payers and providers of the role that apps can play in healthcare; security and privacy guidelines and assurances being put in place between providers, patients and app developers; systematic curation and evaluation of apps that can provide both physicians and patients with useful summarized content about apps that can aid decision-making regarding their appropriate use; and integration of apps with other aspects of patient care. Underpinning all of this will be the generation of credible evidence of value derived from the use of apps that will demonstrate the nature and magnitude of behavioral changes or improved health outcomes.

(Emphasis supplied.)

We are nowhere near this endpoint -- integration of the use of health apps into health care management -- right now, due to a number of factors.


January 05, 2012

Health Care Social Media – How to Engage Online Without Getting into Trouble (Part II)

I have been asked to write up some of the core takeaways from the health care social media presentations I have been giving recently, so I am sharing a version of this narrative on HealthBlawg, in two parts.  You may wish to begin with Part I.

Professional responsibility and malpractice liability

The American Medical Association has promulgated a social media policy; so has the Veterans Administration.  The two represent very different approaches.  The AMA essentially advocates proceeding with caution, and being cognizant of the damage that one’s own social media activities – and one’s colleagues’ – may do to the profession.  The VA, on the other hand, is out in front on this issue – just as it was with electronic health records – encouraging the use of social media tools to disseminate information and engage patients and caregivers in productive dialogue likely to improve overall wellbeing and health care outcomes.

Patient care should not be provided in open social media forums, but appropriate disclaimers on blogs, Facebook pages, YouTube channel pages, and the like, should be sufficient protection for providers seeking to use these tools for sharing of general advice and information.

As in other settings, there are emergency exceptions.  If the only way to communicate lifesaving information to a patient is via a public social media channel, then a clinician should not refrain from doing so based on a concern about a privacy violation.

Daily deal websites

Groupon, Living Social and other daily deal websites are being used by health care providers -- though thus far mostly by those that are not covered by traditional commercial or governmental health insurance (e.g., dental, chiropractic, acupuncture services).  This may change as the health insurance landscape changes over time.  There are a number of legal issues, and their resolution will depend, in part, on where you are situated, since many of the relevant rules are state laws, which vary.  For example:

  • Groupon collects 50% of the price of the groupon as its fee; is that illegal fee-splitting under applicable state law?
  • Is the 50% fee an illegal kickback in exchange for a referral?  Are you subject to federal laws in this area in addition to any state laws?
  • Do provider agreements with third party payors prohibit the offering of discounts to plan subscribers?  (If you can get over the first two issues, you may need to screen out patients who are insured by carriers who limit your ability to discount or risk being in default under an agreement with your biggest customer.)
  • There is at least one more issue to consider, as well:  State laws on gift certificates and their requirements touching on expiration dates.  Lawsuits have been filed alleging that the relatively short life of the daily deal violates state gift certificate laws. 

With the proliferation of high-deductible health plans, and FSAs, HSAs and the like, the general public is becoming more price sensitive in paying for health care services; while health care providers need to become more creative in order to address this issue, they must also remember that they are subject to a wide-ranging set of regulations above and beyond other consumer-facing businesses.

Social Media Policies and Procedures

Despite the legal landscape, it is possible for a health care provider to develop a robust social media program.  The critical first step is developing a set of policies that respects the legal and regulatory limits, and that is consistent with the organization's level of readiness to engage through social media.  Establishing clear guidelines will allow clinicians and staff to participate in the online conversation without having to review individual posts on a regular basis with legal and regulatory advisors. An existing policy from another organization may be used as a starting point in the development process, but local customization is key. 

An external-facing social media policy should set limits and expectations for people who come to the organization's web properties – web site, Facebook page, blog, YouTube channel, Twitter stream, etc. – so that, for example, a poster who violates the terms of service is on notice that the hospital may take down a non-compliant post (on a forum such as Facebook).  This presumes that staff are actually monitoring the organization's social media accounts, at least daily.

An internal set of policies and procedures is also needed to address internal operational and policy issues for both official and unofficial channels. Staff need to be sensitive to the fact that they are, in effect, brand ambassadors on a 24/7 basis, and that if they mention their employer in their own posts on their personal Twitter accounts or Facebook pages, they should do so consistent with company policy – noting that “tweets are my own” or words to that effect.  Some organizations may desire to insist on all employees' “radio silence” except for designated spokespersons.

The best policies are those that are developed through an inclusive process, rather than a top-down process, so that the employees most likely to be active on social media may offer input to the process and also feel ownership of the final product in a way that will promote adherence.

No matter what the tenor of an individual organization's policies may be, they must be implemented – they do no good up on the shelf.  Staff must be trained on the policies, and retrained as policies are updated, on at least an annual basis.  Adherence to the social media policies should be a condition of employment, just the same as adherence to any other employer policy, and the distribution of policy documents and training may be integrated with a broader employment process within your organization.

Since this is a rapidly changing arena – and since social media comfort levels in an organization may change relatively rapidly – social media policies should be reviewed on a regular basis, at least annually.


The cat is out of the bag.  Even if you wanted to avoid social media entirely, it is simply too late to attempt to do so.  Even if your practice or institution does not have an active social media presence, it is likely that others are already discussing you on line.  It is important to set up a social media monitoring program right away, if you do not already have one in place, so that you may respond in the real world to issues flagged in cyberspace.

You can become an active participant in health care social media and stay on the right side of the law, and these days it is becoming more and more imperative to use this toolset for marketing, patient communication and care management.


Be sure to check out Part I of this two-part series on health care social media, which lays out the range of issues and concerns and goes into greater detail on HIPAA issues.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

January 03, 2012

Health Care Social Media – How to Engage Online Without Getting into Trouble (Part I)

I have been asked recently to write up some of the core takeaways from the health care social media presentations I have been giving, so I am sharing a version of this narrative on HealthBlawg, in two parts.  Check back later this week for Part II.


“Why do you rob banks?”

“That’s where the money is.”

The legendary bank robber Willie Sutton, when asked, gave this straightforward response explaining his motivation.  A similar motivation may be ascribed to the early adopters among health care providers who have established beachheads on various social media properties on line.  Why be active in on line social networks?  That’s where the people are: patients, caregivers, potential collaborators and referral sources, like many, many other people, are using social media more and more.  Facebook has become nearly ubiquitous, and its user base is growing not only among the younger set, but also among the older set, who are signing up so they can see pictures of their grandkids.  In today’s wired society, on line social networking is the new word of mouth.  Word-of-mouth referrals, personal recommendations, have always been prized; we have simply moved many of those conversations on line.

Over half of Americans rely on the internet when looking for health care information.  Many on line searches are conducted on behalf of another person.  Most people expect their health care providers to be on line, providing trustworthy information – and the day of the static website has passed.  In addition, a growing subset of the population is comprised of “e-patients” – the “e” stands for educated, engaged and empowered – who seek out health care providers prepared to engage with them both in person and on line.

Only about twenty percent of U.S. hospitals have a social media presence, and likely a similar proportion of other health care providers.  Thus, while some health care providers have been using social media for years, there is still an opportunity to reap the benefits of being an early adopter.  Whether or not a provider is on line, others are likely discussing that provider – on review sites, on Facebook, even on Twitter – so whether or not one establishes a social media presence, it is imperative to establish a listening post to keep abreast of what is already being posted on line – complaints, recommendations and other information will come to light, and steps may be taken in the real world to ameliorate situations giving rise to complaints and to capitalize on praise and referrals.

Finally, health care reform is pushing health care providers into social media.  The Meaningful Use regulations will soon require that providers seeking incentive payments for adoption of electronic health records must make greater use of personal health record portals, and programs like the Medicare Shared Savings Program, or Accountable Care Organization program, require patient-centeredness and patient engagement, which in this day and age require the use of online social tools.

With all of these motivating factors, why are health care providers reticent, and slow to adopt the use of social media tools?  There are numerous legal and regulatory issues triggered by the use of social media and some health care providers are put off by the perception of the risk involved.  However, there are legal and regulatory risks (and attendant market and business risks) to the decision to remain uninvolved.

The key issues for consideration include the following:

  • Privacy and security rules, under HIPAA as well as other federal and state laws, and the ever-diminishing ability to fully de-identify protected health information
  • Professional responsibility codes, including both professional society codes of ethics and state regulations promulgated by boards of registration in medicine
  • Malpractice liability for professional advice rendered via social media
  • Issues raised by daily deal sites such as Groupon and Living Social, including anti-kickback, fee-splitting, insurance contracts, state insurance laws and gift certificate laws
  • Liability under Federal Trade Commission rules for failure to disclose a financial relationship in conjunction with an online rating, review or other commentary
  • Trouble with the National Labor Relations Board if employee discussion of working conditions is unreasonably limited (even in non-union shops)

If not managed appropriately, it is clear that these issues may lead to significant liabilities, ranging from civil and administrative fines, to negative publicity, to private lawsuits predicated on HIPAA or state law violations.  (Even though HIPAA does not provide for a private right of action, some state laws do, and creative lawsuits may seek to bootstrap private liability on a HIPAA violation as well, for example by treating the HIPAA rules as the standard of care in a negligence claim.)

However, it is possible to manage all of these issues through the development of comprehensive social media policies – both outward-facing (i.e., to patients and the general public) and inward-facing (i.e., to physicians, other clinicians, and other staff) that are tailored to a specific medical practice or other health care organization.  The policies themselves must be tailored to local conditions, because each practice, each health care organization is at a slightly different point on its own health care social media journey, its comfort level with social media tools, and its thoughts about how to use these tools, and to what end.

Here is further detail about several of the key categories of legal issues identified above:

HIPAA and other privacy concerns

Privacy concerns arising from HIPAA and state privacy laws start from the proposition that only a patient has the right to authorize the release of his or her own private health information.  Thus, while an individual patient is free to blog about her medical condition or experience with the health care system without implicating HIPAA or other privacy rules, provider-generated social media content with identifiable patient information used without consent would raise red flags.  Provider discussions of cases on social media should follow the “elevator rule” or the “coffee shop rule” – If you wouldn’t say it in a crowded elevator or coffee shop, don’t post it online.

As one emergency room physician recently learned the hard way (she was dismissed by her employer and sanctioned by her state medical board), even a de-identified Facebook post about a patient may easily be re-identified using information from third-party sources.  The HIPAA de-identification "safe harbor" lists eighteen categories of identifying information that must be stripped from a record or patient story in order for it to be considered de-identified (the alternative, an expert determination that re-identification risk is very small, is rarely practical for a social media post). Number eighteen is, essentially, anything else that may be used to re-identify the de-identified information.  Since we are, collectively, doubling the amount of information posted online on a regular basis, that which is de-identified today may well be easily re-identified tomorrow.
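To make the eighteen-category rule concrete, here is an added example (not code from the original post) that applies the safe harbor transformations to a structured patient record: direct identifiers are dropped, dates are reduced to the year, ages over 89 are aggregated into "90+" and the birth year is suppressed for them, and ZIP codes are truncated to three digits (zeroed where the three-digit area is too sparsely populated). The field names, the sample records and the "as of" date are constructed for the example; the set of restricted three-digit ZIP prefixes is the one published in HHS guidance based on the 2000 Census and should be checked against current guidance before use. The free-text scrubber at the end deliberately shows the limit of the technique: it catches formatted tokens (SSNs, phone numbers, e-mail addresses, dates) but not the contextual clues that got the physician's post re-identified.

```python
import re
from datetime import date

# Three-digit ZIP areas holding fewer than 20,000 people, which safe harbor
# requires to be reported as "000". Assumption: HHS list (2000 Census); verify.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}

# Direct identifiers that are removed outright. Field names are assumptions.
DROP_FIELDS = {"name", "ssn", "mrn", "phone", "fax", "email", "street", "city",
               "health_plan_id", "account_no", "license_no", "vehicle_id",
               "device_serial", "url", "ip", "biometric", "photo"}

# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Free-text patterns for formatted identifiers only.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
]


def age_on(dob: date, as_of: date) -> int:
    """Completed years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def generalize_zip(zip_code: str) -> str:
    """First three digits, or '000' for restricted or malformed ZIPs."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3 else zip3


def scrub_text(text: str) -> str:
    """Replace formatted identifiers in narrative text with placeholders."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify_safe_harbor(record: dict, as_of: date) -> dict:
    out = {}
    over_89 = False
    if "dob" in record:
        dob = date.fromisoformat(record["dob"])
        over_89 = age_on(dob, as_of) > 89
        # Ages over 89 are aggregated; the birth year would reveal them, so it goes too.
        out["age"] = "90+" if over_89 else age_on(dob, as_of)
        out["birth_year"] = None if over_89 else dob.year
    for key, value in record.items():
        if key in DROP_FIELDS or key == "dob":
            continue
        if key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = date.fromisoformat(value).year
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample data; no real patients.
AS_OF = date(2015, 2, 6)
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "dob": "1931-05-02",
    "admit_date": "2014-03-14",
    "zip": "02139",
    "diagnosis": "I10",
    "note": "Pt called from 617-555-0100 on 3/14/2014; daughter jane.doe@example.com",
}
ELDERLY_RECORD = {**SAMPLE_RECORD, "dob": "1920-01-15"}

if __name__ == "__main__":
    print(deidentify_safe_harbor(SAMPLE_RECORD, AS_OF))
    print(deidentify_safe_harbor(ELDERLY_RECORD, AS_OF))
```

Run on the sample record this yields age 83, birth year 1931, admission year 2014, ZIP "021" and a note reading "Pt called from [PHONE] on [DATE]; daughter [EMAIL]"; the 1920 birth date becomes "90+" with no birth year. What the code cannot do is decide whether "the only pediatric burn case in town that week" is an identifier, which is exactly the eighteenth-category problem the paragraph above describes.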

Thus, the best practice would be to write about composite/fictionalized patients, or simply get patient consent.  Providers may wish to rewrite their HIPAA NPPs (notice of privacy practices) to include some level of consent to communication with or about a patient on Facebook, for example, if that is something that would make sense, and that might happen on a regular basis. 

Other disclosures made inadvertently may lead to difficulties as well.  For example:

  • A cell phone photo taken in a hospital emergency room of a friend proudly displaying a newly-stitched wound may inadvertently capture the image of another patient in the background. That post may be a HIPAA violation attributable to the hospital, even if it did not post the photo. 
  • An employee of a public hospital tweets her displeasure in seeing a clinic staffed up for the convenience of a political figure seeking service off-hours.  Her public sharing of identifiable health information led to her being fired.
  • Positive test results posted by a patient on Facebook might invite response on a human level, but the response must be more measured.  For example, if a patient posts on a hospital Facebook wall after getting some good test results, “I'm cancer free one year later,” hospital staff can't post much more than “Congrats; everyone should check out our cancer center's web page.”  Even in a situation like this, where the patient self-identifies first, there is no consent to unlimited public discussion of his condition.


Please check back later this week for Part II, which will touch on professional responsibility and malpractice issues, daily deal sites and the development of policies and procedures for provider organizations engaged in the use of health care social media.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting