Linda Sanches, Senior Advisor, Health Information Privacy, at OCR, DHHS, spoke with Tom Sullivan (@GovHITeditor) at the HIMSS Media #HITprivacy and security conference in Boston today (September 9, 2014) about OCR HIPAA compliance audits. See the Storify after the jump.
The Heartbleed vulnerability in OpenSSL was first publicized several weeks ago. In the time since then, numerous web-based services have let their users know (some more clearly than others) whether and how they were affected by this flaw, which had been present in the OpenSSL code for about two years before it was disclosed. This is one flaw, one exploit, but on a scale of 1 to 10, it has registered as an 11 on our collective consciousness. Fred Trotter notes in the MIT Technology Review that other similarly worrisome exploits do not get our attention in the same way, and that more health data leaks are likely in our future. He also cites others' observations that many health IT vendors are not currently equipped to respond effectively to such exploits in a timely manner.
A Perspectives piece I wrote was published this week by iHealthBeat - Unlocking the Power of Health Data. In it I argue for patient-controlled sharing of rich data, as opposed to HIPAA-regulated stripping of identifiers in order to eliminate the risk to patient privacy as data is shared for research and other purposes. Googler Larry Page and Josh Stevens of Keas have argued recently in favor of broader uses of health data, but the issue of HIPAA keeps coming up in those conversations. Most connected patients seem comfortable with the idea of sharing health data, and as more of us get connected, this sentiment is only likely to spread.
As I wrote at iHealthBeat:
I have discussed the patient donation of data before, and the first objection I heard was from a data scientist who worried that the volume of patient records collected in this manner would be too small to yield any meaningful insights. While this may be true at first, I believe that over time patients will come to prefer to set their own limits on data sharing rather than be stuck with the one-size-fits-none approach available under HIPAA. In addition, the data made available through these repositories will be more valuable than that available as de-identified data for research precisely because there are more identifiers attached.
Are we ready for a new paradigm in data sharing and big data analysis?
Welcome to Health Wonk Review's In Like a Lion edition, wherein we consider the big questions of the moment.
It seems clear that March is coming in like a lion in most parts of the country. That much is not up for debate.
Our always incisive health wonks have raised numerous important questions over the past fortnight and have attempted to answer them, for their own satisfaction and yours, gentle reader. As they say, reasonable minds may differ -- and you'll see a range of opinions on some of the issues of the day.
So let's take a walk on the wild side and see if we can come up with some answers. Questions on the table include the following:
What's new in the world of Obamacare implementation, HITECH Act implementation, and our 50 laboratories, the states?
Is there a law of physics that can limit the fiction quotient in Obamacare press coverage?
What's the best way for the U.S. to pay for health care expenses?
What's the connection between Irish-American heritage and the Massachusetts gubernatorial race?
Why does February only have 28 days (usually)?
Why promote teamwork and collaboration?
Is there deep meaning in synchronicity, or is Roy Poses just messing with me?
The Sustainable Growth Rate mechanism creating a zero-sum game for Medicare Part B reimbursement rates (dropping rates as volume picks up) has long been unsustainable, and so Congress has been messing around with short-term SGR fix legislation for years now. Every six to twelve months we've been hearing about the impending 20% or 30% Medicare pay cut about to hit physicians' pocketbooks, and the likely exit of physicians from the rolls of participating providers. However, the stars are now aligned in such a way that real progress seems likely: multiple powerful Congressional committees have signed off on a deal to replace the SGR rule with something more workable: A unified approach to financial incentives to physicians and other medical professionals who are Medicare participating providers intended to promote quality and enrollment in alternative payment arrangements.
CIO.com covered the presentation I gave at Strata Rx on the idea of patient-controlled donation of data for purposes of data analysis. Putting control in the hands of patients avoids some potential HIPAA issues and may make for richer data sets.
Healthcare IT News ran a cover story in its November issue on the use of Open Notes at Beth Israel Deaconess Medical Center. See further discussion of the piece and links to more information on Open Notes at e-patients.net. I was interviewed on the issue of patients' rights to access their own medical records.
I spoke yesterday at the StrataRx conference in Boston, as part of the data liquidity track. This was sort of a blue sky presentation (as you can tell from the first slide); the thought was to explore the notion of building big data analytics on top of a data store populated by health record information obtained as a result of patient requests. Why? Because doing it that way would bring the data out from under HIPAA and HITECH regulations. Patients could contribute as much or as little of the data as they wish, patients could be compensated for their contributions, and other pesky HIPAA restrictions would fall by the wayside. I used one company's newly-announced service as an example, but there are others in this space as well.
Sponsored by Canon U.S.A., Inc. “Canon’s extensive scanner product line enables businesses worldwide to capture, store and distribute information.” The ideas below are my own.

A recent HHS OCR HIPAA settlement with a New York area health plan seemed to come out of left field: A CBS News investigative reporting team bought a copier formerly leased by the health plan and found protected health information (PHI) of about 350,000 individuals on the copier’s hard drive. This led the health plan to report the breach to OCR, and to agree to a fine north of $1 million and a corrective action plan.

Clearly, HIPAA and related state privacy rules require that a health care entity wipe hard drives of all PHI, or destroy them – the rules require the use of a variety of administrative, technical and physical safeguards to keep personal health data private and secure. The health plan in this case fell down on the job; it hadn’t even included the copier hard drives in its required risk analysis, the inventory of risks and vulnerabilities to PHI that every covered entity must perform.
Economic and Productivity Impact of Outdated Communications Technology

Clinicians surveyed estimate that only 45 percent of each work day is spent with patients; the remaining 55 percent is spent communicating and collaborating with other clinicians and using EMRs and other clinical IT systems.

According to the study, clinicians waste an average of 46 minutes each day due to the use of outdated communications technologies. The primary reason is the inefficiency of pagers (cited by 52 percent of survey respondents), followed by the lack of Wi-Fi availability (39 percent) and the inadequacy of email (38 percent).

The Ponemon Institute estimates that this waste of clinicians’ time costs each U.S. hospital $900K per year, and based on the number of registered hospitals in the U.S., this translates to a loss of more than $5.153 billion annually across the industry.

Deficiencies in communications lengthen patient discharge time, which currently averages 102 minutes. About 37 minutes of this is due to waiting for doctors, specialists or others to respond with information necessary for the patient’s release. The Ponemon Institute estimates that this lengthy discharge process costs the U.S. hospital industry more than $3.189 billion annually in lost …

… percent of respondents believe secure text messaging to communicate with care teams during the discharge process can cut discharge time by 50 minutes.

Impact of Regulations on the Delivery of Patient Care and Technology Adoption

… percent of survey respondents say HIPAA compliance requirements can be a barrier to providing effective patient care. Specifically, HIPAA reduces time available for patient care (according to 85 percent of respondents), makes access to electronic patient information difficult (79 percent) and restricts the use of electronic communications (56 percent).

59 percent of survey respondents cite the complexity of compliance and regulatory requirements as the primary barrier to achieving a strong IT …
While health IT did not create the need for clinicians to spend time reviewing and updating patient records, the promise of health IT -- to make things easier for clinicians, better for patients and more efficient and cost-effective for all of us -- is a matter for the future. As the saying goes, "The future is already here -- it's just not evenly distributed." Kelly makes the case for SSO and secure SMS, and the Ponemon study provides a snapshot evoking the scope of the opportunity.
Interview of Sean Kelly Chief Medical Officer, Imprivata
May 7, 2013
David Harlow: This is David Harlow with HealthBlawg and I have with me today Sean Kelly, the Chief Medical Officer of Imprivata, which is providing some interesting new services and has news about a recent study which was conducted regarding communications systems that are in place in hospitals today and how that helps or hurts our healthcare system. Sean, thank you very much for speaking with us today.
Sean Kelly: My pleasure, David.
David Harlow: So Sean, in a nutshell, what can you tell us about this new study and what it may mean for folks looking at this from the hospital perspective?
Sean Kelly: Sure, the study was conducted by the Ponemon Institute and it’s entitled Economic and Productivity Impact of IT Security on Healthcare. It explores essentially the impact of security in people’s perception of how their workflow happens in the hospital both with regard to HIPAA compliance and security issues as well as with efficiency and convenience and the ability to take care of patients. Some of the higher level points that came out of the study are that doctors and other caregivers including nurses and other people who have direct patient contacts feel like they spend really less than 45% of their time actually caring for patients and in direct patient care, face-to-face contact. They also feel that outdated technology leads to at least 45 minutes a day of wasted time. The economic impact of this amount of time being wasted with outdated technologies can amount to a significant amount per hospital -- probably close to $1 million per hospital per year in the United States, and when you add all that up that over $8.3 billion per year in the US alone. This is probably a problem with economic impact around the globe as well although this study was conducted on participants in the United States alone.
There is a lot of subjective information that came back as far as people’s information and opinions about what the cause of some of these delays were. Specifically they cited the inefficiency of pagers, the lack of WiFi availability and inadequacy of e-mail as well as the fact that text messaging wasn’t allowed. They felt that a lot of these things led to the inefficiency and inconvenience at work as opposed to what they’re used to in their consumer life.
I’m a practicing emergency physician as well as the Chief Medical Officer at Imprivata and I can tell you that there is a lot of promise and potential that comes with technology and there are also a lot of difficulties with it as well. Traditionally in healthcare we’ve seen a lot of tension between security concerns and convenience and we see this at Imprivata since we provide a single sign on solution addressing some of the pain points around the fact that providers are required to log on and authenticate just about every time they touch protected health information. This is a reasonable thing to ask providers to do because you really want to have an audit trail – it’s required by HIPAA to be compliant, and it’s very necessary and proper to have good security barriers in place because you really want to make sure patients’ private information is protected and it’s really the right thing to do.
The problem is a lot of these systems inherently can be difficult. In my life as a practicing doctor on a typical shift in the emergency department I might log on and off of systems hundreds of times per shift for multiple patients and try to navigate back and forth between my electronic medical record and the PACS system to look up X-rays and other radiologic findings I might go to other clinician applications such as Up-to-Date or epocrates or other websites and for every one of these jumps between and navigating around the system I might need to log in or log out or try to boot something up or close it down and every one of those points can cause delay -- not just in the time but also in cognitive disruption of my thought process, and so it’s really important to make sure that we have sort of a latest and greatest technology to allow us to do our jobs as physicians.
David Harlow: Right -- so it sounds like the single sign on solution would address something like that, that problem that you describe in the emergency department. And my understanding is that you’re talking also about another solution in terms of trying to ease the pain and reduce the time that’s spent on these various tasks in the day in the life in the hospital, is this a texting solution?
Sean Kelly: Yeah, I think it’s important for people to understand that healthcare is still reliant on some outdated technology -- specifically pagers -- and just to give you an example of what a typical workflow might be in a hospital, is that to page a colleague, whether it’s a nurse that you need to try to find out something or order not necessarily something you do through the EMR but if you just want to find out Room 7 has had a recent vital sign performed or oxygen saturation level or something you might page the nurse and the pager system as it currently exists might be unidirectional and so I would go to a desktop, have to log on, open up an application, look at what nurse is on call for a patient that’s on duty at that time, send the page out to that person who may or may not contact me back and that unidirectional message flow can get lost out there, it’s hard to know, there is no read receipt, I’m not sure if it’s delivered or read -- there is no easy way to just text me back and say well, yes, that was performed or no, it was not performed but I’ll do it, or actually the result is 97% on room air.
And that kind of inability to just quickly send a message out, have it come back, complete the workflow in the current state of affairs in most places makes it difficult, especially when I walk into the hospital and in my pocket is this very efficient tool that I’m used to using all the time in my consumer life, where I can text message back and forth and get a quick reply, finish my thought process, move on to the next step. When I’m trying to discharge a patient from the hospital or from the emergency department there are many, many different points in that workflow that can lead to delay and in this study for example they found that it may take over 100 minutes to get a patient discharged from a hospital of which 37 minutes or more might be spent just trying to contact physicians and hear back from them that it’s okay to discharge a patient, or there might be one last minute thing they need to clear up and this kind of operational flow issue would be very ideally solved with the text messaging platforms.
David Harlow: Right. So these issues aren’t new but I guess what you’re suggesting is that there is a solution just beyond our reach or maybe now just within our reach, but the problem as you state it is not a new problem. There has always been a need for people to be reviewing records, consulting with colleagues in the course of caring for an inpatient and it’s been traditionally a paper process but now with Meaningful Use starting to take hold, do you see an improvement on that front? Are these numbers based on a recent survey? Is there an older survey to compare these against? It just seems to me that there has been some improvement over time and perhaps things are better than they were but not quite as good as they could be.
Sean Kelly: Yes it’s a very good point you raised. I think it is a double-edged sword there are lot of things that have certainly improved with the advent of electronic medical records and computers are good at a lot of things. For example, when we’re about to discharge someone home, it’s very nice to be able to take their current medication list and when you write a new prescription the computer is very good at cross checking the drug- drug interactions or looking up their past listed allergies or reminding me that they’re due for their flu vaccination, and so from a population health standpoint and even from a patient care standpoint there are a lot of things that technology does for us, and you’re right, though, that the problem has been in existence for a while where we’re trying to figure out all these different moving parts and be as efficient as possible -- that problem has been around.
Now we have tools that we can use to help solve those problems so that we can bring technology to bear. The issue in the past couple of years with acceleration of adoption of a lot of different technologies, as healthcare starts to finally catch up to a lot of the rest of the world, the issue is this again this tension between security and convenience or efficiency, and the problem is that since we’re required to make sure that we’re absolutely compliant from a HIPAA standpoint we traditionally haven’t been able to use things like SMS texting because it’s not HIPAA compliant or secure and above all else we have to make sure we hit that threshold. So the solution we created was really due to feedback from hospitals saying we want this tool but it needs to be ironclad secure, and so we as a healthcare security company set about working on this as a solution to help address the pain that’s out, to say doctors and nurses want security and efficiency. If there is a tool that works they will do the right thing and use it, but it has to actually work and it has to actually be secure enough to satisfy the security officer at the hospital in order to be enabled on a hospital-wide basis and okayed for use by endpoint clinicians.
David Harlow: My readers and I are at varying levels of sophistication when it comes to the technical details behind this but I wonder if you could delve in a little bit and explain how the product or service achieves this level of security?
Sean Kelly: Sure, and my specific role is Chief Medical Officer and so I’m also not a security officer, I’m a workflow person and I understand workflow from the clinician’s perspective, but what we have done is we’re in conjunction with a lot of our partner hospitals to work with their security officers to make sure that we are compliant with their needs to be HIPAA compliant, and the long and the short of that is that instead of using just an SMS text platform where messages and pictures and everything else lives on the server or on the phone itself and is not HIPAA compliant what we’ve done is create a protected area within an app. So this is essentially an app that you download to the phone, users are enabled by the hospitals it syncs to their active directory and you can immediately enable or disable users on to the system and it’s configured in such a way that everybody that the hospital wants to be visible to each other on this network within this app can be visible to one another but if you’d like to remove somebody you can erase them immediately and all the Protected Health Information or PHI along with their conversations just go away -- no longer visible for that person, it lives within the app.
David Harlow: And then do the conversations reside on a hospital server of some sort?
Sean Kelly: So the conversations reside in the cloud on a server that is accessible only to the hospital. It’s encrypted so that the hospital is the only one who can see the protected health information within it. We will see usage stats and we will know messaging information about how much is being used and by whom in the hospital but we won’t see any of the information within that -- that’s encrypted and only visible to the hospital users themselves -- to the admin and to the end users within the hospitals, and for greater detail on the security measures involved I’d be happy to let readers or you hook up with people on our end that are experts, but our basic strategic process has been: let’s pick the information security officers that we know around the country and the world that are the most strict, make sure it meets their needs because if it meets their needs as to hospital IT then it will certainly meet the needs of the others who are less stringent out there and as long as it meets their needs and we’ve gone through that due diligence and we sign business agreements stating that we’re HIPAA compliant as a vendor, then hospitals are comfortable as per their policy to enable users on this, and then on the other end we want to make sure that we are creating the best user experience and the user satisfaction in a very healthcare centric way for the end users specifically physicians, nurses, administrators, other caregivers within the hospital.
David Harlow: Okay. You mentioned earlier that you’re focused on this from a workflow perspective and I’m wondering if there are other changes to workflow in your typical hospital - if there is such a thing - that could be looked at in order to alleviate some part of this problem that you’re trying to solve?
Sean Kelly: Yeah, I think the possibilities are certainly exciting. Once you have a platform in place that allows for control of your desktop and easier access in and out of systems throughout the desktop -- which is part of our core offering with single sign on and authentication and sort of a trust fabric of authentication -- and you have endpoints involved where you’re reaching out and those messages get sent out to endpoints like mobile devices and you’ve got providers within the network able to now have secure messaging back and forth, now things get really interesting because you can really accelerate the provider’s ability to provide good care because you’re making their workflow much more efficient, and so this is where the fun just gets started once people start to use it, because then they realize, okay well there are these Meaningful Use guidelines or there are these problems as an Accountable Care Organization where we need to really enhance communication between our facilities when we do interfacility transfers, or we really need to make sure we prevent congestive heart failure readmissions and we think that the best way to do that is to facilitate communications between our case managers and our primary care doctors and our cardiologists so here is a package of communications that we could enable using CorText which is the secure messaging platform, along with some of our ability to automate which applications pop up when someone signs on in the cardiology unit and you could picture a hospital now structuring because they have just enough of these different secure collaboration communication tools to really create an interesting package that can be used as a template by different hospitals to address a particular clinical problem and just like someone comes up with a really good stethoscope and then it’s up to the caregivers to figure out how they’re going to best use it to care for a patient -- technical tools in a way are similar. We’ve created a very secure way of communications. I don’t know that we’re going to try to tell doctors and nurses and hospitals this is how you should use it -- we can say here are examples of how we think it can be used, work with us to tell us how it could be the most valuable to make your jobs easier and make your patients’ lives better, so that’s sort of the goal.
David Harlow: Right - sounds good. Well it’s an exciting time and that’s a very interesting tool, set of tools that you’re developing. I thank you for taking the time to share with us today. This is David Harlow and I’m speaking with Sean Kelly, Chief Medical Officer of Imprivata. We’ve been talking about CorText, their secure texting service and related products as well. Thank you for listening on HealthBlawg.
We discussed three possible sub-regulatory changes (which is what ONC asked for), and reiterated the value of a specific regulatory change that would not require a new rulemaking process, because it may be incorporated into the final rule on patient access to lab results (draft rule released in 2011, no final rule yet).
Specifically, we proposed:
Leverage existing regulatory requirements by building meaningful use of EHRs and HIE into the lexicon of the health care facility surveyor; a Meaningful User should be cited with a deficiency specifically citing the EHR use, misuse or non-use if proper meaningful use would have eliminated the root cause of the deficiency.
Advance provider directories to support HIE by using the attestation process to link a provider's Direct address with other contact information in the National Plan and Provider Enumeration System (NPPES, NPI system).
Increase patient access and use of EHR information by developing patient education programs as well as improving usability of the patient interface.
Increase standards-based electronic exchange of lab results; see Keith Boone's reg change proposal and my reply to Farzad Mostashari's tweet ("Lawyers: Would this work?") about Keith's post.
The discussion that yielded this comment letter followed hard on the heels of a discussion about Meaningful Use Stage 3 facilitated by Claudia Williams of ONC, so we certainly hope that ONC is listening.
(Regina Holliday's painting, Open Doors, was painted over the course of the unconference.)
I was also involved in the preparation of the ONC comment letter filed by the Society for Participatory Medicine, which covers most of the same ground, and also promotes adoption of Blue Button Plus as a means to empower patients to a degree that current systems do not allow.
These letters are addressed both to ONC and to CMS, in response to their joint request for information. This collaboration within HHS is encouraging, and it may well point to greater interest in leveraging EHRs within CMS.