Red Flags Rule: The FTC piles on, because HIPAA, ARRA and overlapping state laws just weren't enough

After a couple of delays, the FTC Red Flags Rule will be effective August 1, 2009.  This rule requires "creditors" under certain "covered accounts" to maintain a heightened alertness to numerous categories of "red flags" that may indicate that the consumer who is the rightful account holder is the victim of identity theft.  If a red flag is triggered, the creditor must take steps to notify the consumer and correct any inappropriate information included the creditor's records.

As you probably already know, the FTC is extending its reach with this rule (among others) into the health care sector.  (Cf. the FTC's role in enforcing certain Son of HIPAA provisions.)  The AMA has all but dropped a draft complaint on the FTC's desk, citing assorted legal precedents in its correspondence with the FTC arguing that the Red Flags Rule should not apply to physician practices.  The FTC is unmoved -- except to the extent that it has been willing to delay the effective date twice (from November 2008 to May 2009 to August 2009).

At any rate, the August 1 effective date is around the corner, and affected health care entities need to develop and implement compliance plans now, if they haven't already.  (Even the AMA says so, and has published guidance and a sample policy for members.)

A few more general comments before stepping back and examining the language of the rule and its applicability to health care providers.

The federales are taking something of a common-sense approach here, recognizing that a compliance plan needs to be tailored to the specific entity, the nature of its "covered accounts" and its operations.  Bank of America, N.A. and Springfield Medical Associates, P.C. will have very different compliance plans, because their potential red flags and the potential risks are vastly different.

Affected health care providers need to understand that the Red Flag Rule requirements overlap with HIPAA and state privacy law requirements (and looming Son of HIPAA requirements in ARRA), but will not be satisfied by implementation of existing privacy policies and compliance plans.  Review of the intersection of existing policies and procedures with the new rule's requirements is the first order of business.

As with any other new regulatory scheme, preparing a compliance plan and putting it on the shelf won't cut it.  The rule calls for regular monitoring of the plan and issues that arise by a senior manager.  Furthermore, best practices would dictate the training of staff to deal with individual issues and, most importantly, with the affected consumers.

Even if not clearly subject to the Red Flags Rule, providers should undertake to comply, for a couple of interrelated reasons:

• Good patient PR.  Data security is top of mind these days.  Much of the effort required under the rule should be expended anyway simply to respond to market pressures calling for improved data security.
• Potential liability.  The creative trial attorney will seek to use the Red Flags Rule as establishing a standard of care for the stewardship of personal information.  The incensed jury will go along.  The health care provider caught in the middle between thieves and victims may be the only perceived deep pocket available.

OK, so what is a "creditor" and what is a "covered account?"

Any entity that accepts payment other than payment in full at the time of service is a creditor.  Health care providers that go the cash-on-the-barrelhead route aren't creditors; all others are creditors.

The FTC Guide defines covered accounts as follows: either

• a consumer account you offer your customers that’s primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions; or

• any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” Examples include small business accounts, sole proprietorship accounts, or single transaction consumer accounts that may be vulnerable to identity theft. Unlike consumer accounts designed to permit multiple payments or transactions – they always are “covered accounts” under the Rule – other types of accounts are “covered accounts” only if the risk of identity theft is reasonably foreseeable.

Any creditor with covered accounts must have a red flags rule compliance plan in place with policies and procedures for dealing with "red flags" -- i.e., signs that personal information may have been compromised.  The World Privacy Forum suggests that the following red flags are the ones most applicable in the health care context:

• A complaint or question from a patient based on the patient’s receipt of:
   o a bill for another individual
   o a bill for a product or service that the patient denies receiving
   o a bill from a health care provider that the patient never patronized or
   o a notice of insurance benefits (or Explanation of Benefits) for health services never received.
• Records showing medical treatment that is inconsistent with a physical examination or with a medical history as reported by the patient.
• A complaint or question from a patient about the receipt of a collection notice from a bill collector.
• A patient or insurance company report that coverage for legitimate hospital stays is denied because insurance benefits have been depleted or a lifetime cap has been reached.
• A complaint or question from a patient about information added to a credit report by a health care provider or insurer.
• A dispute of a bill by a patient who claims to be the victim of any type of identity theft.
• A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance.
• A notice or inquiry from an insurance fraud investigator for a private insurance company or a law enforcement agency.

If a situation is flagged, a creditor must take steps to mitigate the risk of identity theft or continued identity theft.  Again, the World Privacy Forum notes:

There need to be uniform but appropriately flexible answers to these questions:

• What do we do when a patient claims fraud is in their files?
• What do we do when a patient says the bills are for services she did not receive?
• What do we do for patients and other impacted victims when we uncover a fraudulent operation?
• When we have a real case of medical identity theft, how can we work with patients to fix the records and limit future damages?
• What do we do when a provider has altered the patient records?
• How do we handle police reports and requests for investigation from victims?

The answers to these questions need to viewed not just from the provider’s perspective, but also from the victim’s perspective, which can differ substantially.

There are a number of useful resources available for health care providers seeking to take stock of their situation, establish Red Flags Rule compliance policies and procedures, and undertake staff training on the subject.  For example, the FTC, the AMA and the World Privacy Forum have all released valuable guidance documents (all linked to above) that would assist any organization with coming into compliance. 

As with any effort of this sort, it is often valuable to have someone outside the organization come in to review existing policies, procedures and workflow in order to highlight potential risks and opportunities for improvement.  The HealthBlawger and members of the HealthBlawger's virtual consulting network are available to come in and assess, plan and help implement compliance strategies for organizations large and small touched by the Red Flags Rule.

Whatever the size or nature of your business, please take a moment to consider how the Red Flags Rule may apply to its operations, and how it may relate to other regulatory schemes such as HIPAA and state laws.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Marc Rodwin, Suffolk University law professor, speaks with David Harlow about his proposal for public ownership of health data published in JAMA

I spoke with Marc Rodwin last week about his proposal that there should be public ownership of all de-identified health record data, to guarantee the availability of complete data in improving public health and advancing evidence-based medicine: goals of the Obama Administration articulated as part of the rationale for expanding the use of EHRs and promoting that expansion through unprecedented grants to providers for meaningful use of certified EHRs.  Professor Rodwin is on the faculty of the Suffolk University Law School; his piece on public ownership of health record data was published in JAMA earlier this month.

The audio file of my interview with Marc Rodwin (about 20 minutes long) is available for download/podcast.  A full transcript is at the end of this post (and in the linked transcript here). 

Rodwin's proposal, which would require legislative action, runs near the Declaration of Health Data Rights, which asserts individuals' control over their own health data.  The two initiatives should not be mutually exclusive. 

Rodwin notes that in the current flurry of health care legislative activity it's more likely that data mining firms will get legislative protection for the status quo than public ownership of health data will be recognized.  The resulting fragnmentation of control of, and access to, health data, would undercut the value of the pending investment in health data infrastructure in this country.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

HealthBlawg Interview of Prof. Marc Rodwin, JD, PhD, Suffolk University Law School
July 7, 2009

David Harlow:  Hello. This is David Harlow on HealthBlawg and I have with me today Marc Rodwin, Professor at the Suffolk University Law School in Boston, who has a piece published in the current issue of JAMA, the Journal of the American Medical Association, regarding the case for public ownership of patient data. Good afternoon Marc.

Marc Rodwin:  Good afternoon, David. Nice to speak with you.

David Harlow:  Thank you for being with us. The case that you make is a compelling one and I wonder if you could lay it out in brief for our listeners and readers.

Marc Rodwin:  Sure, maybe I should give a little background.

David Harlow:  Thank you.

Marc Rodwin:  There is a new emerging market in patient data -- de-identified or anonymized data, aggregate data -- and it’s growing particularly because of the move to electronic medical records.  The significance of this is that it will now be much easier to do all sorts of analysis of public health, of marketing trends, of valuation of healthcare systems, of hospitals, epidemiological research and so it’s a very valuable development.

David Harlow:  Yes and that’s part of the background for the push to add electronic medical records to our healthcare system.

Marc Rodwin:  Right, but what hasn’t been discussed very much – it’s been overshadowed by the talk of confidentiality issues or technology or making this happen – is how to make this work for the public and for private parties too, and the main question that’s been ignored is who owns this data, who should own it and what is the consequence of the law on ownership in this area and in fact there is an area of great uncertainty because the law has really been established to decide ownership of medical records, tangible property in the past and there, there is a pretty clear resolution of records pretty much in most states owned by providers but patients have access to the records and their limits on provider use of it for confidentiality.  But with electronic data you don’t necessarily have exclusive ownership and it’s not really clear what its status is. There are a few parameters so it’s pretty clear from what's been said so far that this is not something that the law would normally allow to be copyrighted or patented because it doesn’t involve (the raw data on patients) creativity and it’s not an invention but there is some referring to data that comes from a billing record or a patient record something that’s been produced there and in that sense it’s not protected.  On the other hand, what has happened so far is people who have been selling the data they have both for-profit firms, not-for-profit hospitals, insurance companies and they have often used contracts in selling it to restrict others from using it and they have put the data in -.

David Harlow:  Just to be clear we are talking about aggregated de-identified data for the most part.

Marc Rodwin:  Yes, absolutely, I thought I said that up front. So there is an effort to really make this a private property and there have actually been some people out there in the policy world suggesting that it should be private, not public: The Heritage Foundation in a brief a while ago said that government shouldn’t have any privileged access and so they have to buy it and other groups that have looked it have said don’t think about ownership, just about access. But if there isn’t some provision set up to make it public, publicly available, then it’s going to be treated quite possibly as private property and that’s going to create problems most with the public and for private development is my argument.  Now for the public the problem is this: if individual insurance companies and hospitals have a right to own the data, they can restrict who uses it and they can not make it available, they can sell it only on terms that they want, and even if it’s made sellable to public health authorities it maybe simply to expensive to get.  The problem is larger than you might think, because the value of this data is particularly if you have a comprehensive database; so fracturing it into parts owned by lots of different entities makes it much harder to collect together and to use, and even the transaction cost -- if you have the money -- would impede use, so that would really limit many of the public health and research functions of it. We have seen this happen in other areas there has been some discussion of patenting genes, Lori Andrews and others have written about that and there is actually an economic literature that discusses what's called “the tragedy of the anti-commons” and the basic idea is that if you allow private ownership but such that the values are really downstream it becomes very hard for private owners to collect them together and get the beneficial uses. That’s what I am saying is going to occur here and why I recommend that there be a mandate to have reporting of certain aggregate data to say HHS or a new government entity and that that data then be made available to the public.  Now there actually are some precedents for that in limited ways: California requires hospital discharge data to be reported for all hospitals, Medicare requires all hospitals to report certain cost data -- so this is not a totally new approach or a radical approach. The other thing that is important to know is making this publicly available doesn’t impede commercialization of sorts, it just makes a better market for it because once that’s public you can have different firms take the data, analyze it and put it into software in different ways, do all the kind of things that make it valuable and usable, the only thing that happens when its public is you prevent these parties that analyze the data from having a monopoly and applying and kind of having that tie in with the data ownership in their analysis.

David Harlow:  So whatever the value they add in terms of analysis would be added in, and you create a market for that sort of analysis.

Marc Rodwin:  Sure so if Harlow and Rodwin Associates does very good graphics on the data and puts it into a usable friendly format, we could sell that.  But given that the data is out there and others could do it we wouldn’t be able to sell it with a monopoly profit based on our having the data or on having an inferior product that no one else could compete with.  Someone else down the street, Tom Jones, could say I can do that even better, or sell it with different unit pricing and make it and compete with you so you can actually have two or three folks developing the analysis and delivery in certain ways and none would be able to require that you only go to them for their services because you have to buy the services with the data.  So I can say a bit more, but why don’t I let you ask some questions.

David Harlow:  What I was going to ask next is: Would you see the sort of protection of rights or protection of the usability of this data, as something that could fit in with the framework for meaningful use that’s been articulated under the Recovery Act?

Marc Rodwin:  Well I don’t think it’s been sufficiently articulated yet and I think it’s yet to be articulated with regulation.

David Harlow:  There is a draft definition or working definition if you will out there for comment and I guess one of the ways that’s being framed is: What are the health outcomes or policy priorities that are going to be advanced by a definition of meaningful use and you have articulated a very important one which is the use of all of this data for population-based, evidence-based healthcare.

Marc Rodwin:  Yes, we will see what comes out in the regulations and how they develop, but what I am suggesting is a broadest possible definition, possible and that would require that it all be made available and what worries me is that “meaningful use” might significantly restrict it in different ways and the approach I am taking is that it’s all reported and made -- through a government entity -- available to everybody who wants to use it once it’s protected, and that would preclude anyone not making something available or making it available later or on less favorable terms and for broader than just population data, conceivably. While I am very interested in the public health uses, it would be also usable for a subpopulation, for the Boston area population or for studying of one hospital system or one HMO.

David Harlow:  Or for a particular disease.

Marc Rodwin:  That’s right and so I think there is a value to having some mandatory reporting which will certainly get the data out there in a way that’s saying the data has to be made available to those who request it or  in certain circumstances that puts the cost of collecting it elsewhere. Right now we have done this with Medicaid data in California and there are certain times you just have to report certain things and maybe there should be some compensation for that but basically we are talking about people reporting things that they already have and do report to others so if you have to turnover information already for billing or for Medicare cost data and the like, we are not talking about a lot more burden to make that same data available more broadly.

David Harlow:  Now in this piece you have highlighted the fact that some data sellers will draft agreements that limit buyers of the data from further disseminating that information and I guess the question I would have on that front is whether you are aware of law suits or decisions that have addressed the enforceability of those agreements?  Take the case that the work that’s done in manipulating that data doesn’t really create something that copyrightable. So the question is can the seller really enforce an agreement that requires someone to not disseminate that information further?

Marc Rodwin:  Right, well I am not aware of decisions that have ruled on it but there is a difference between the copyrightability and enforceability of a contract.  It could be, I assume, the evidence I have, it’s not copyrightable. A breach of copyright would mean someone could claim a copyright infringement for use and you have the remedies there, a breach of contract is a different matter and even if they can't copyright the data they might be able to, under the terms of the contract, have contract remedies.  It’s also quite possible that simply having that clause in contracts is going to chill and limit what different people do with their data and limit access there, and in addition what I have been reading about and told is that people are trying to put this data into software in ways to limit its access. But the tension is basically here: if the data really is available publicly, you are going to have less of a primary market in people buying it from others without the analysis and the fact is if you want to buy certain data now there are known sellers and they can deliver a database and certain kind of databases and there really aren’t a lot of alternatives at this point.

David Harlow:  Right, so you are talking about encouraging a much more robust secondary use of the data.

Marc Rodwin:  Yes, that’s what I think would be beneficial.

David Harlow:  Now, do you see patient rights activist is being opposed to this sort of approach?

Marc Rodwin:  Well you know it doesn’t fit into standard categories and I think a lot of people’s initial reaction is that you don’t want something public -- with the idea that it’s safer when it’s private, in the sense that it’s confidential.  But I think that misconstrues what's going on, because public doesn’t mean that it’s not protected in terms of confidentiality, nor does not public or private mean that it is.  In fact there are, of course, risks any time there is data available, whether it’s publicly available or private, on a private market, that there will be a breach of confidentiality.  If the data is not properly coded or if it’s broken down in certain ways and there’s other information you can combine with it, you might be able to then identify patient information, but my point is that that’s equally a problem if there is a private market where you can buy this data, where firms have exclusive ownership interests in the data and in a situation where it’s available through a government entity like HHS.  So it hasn’t really been broached; as far as I know much of the public and patient rights groups haven’t been talking about this so far, they have been talking about privacy as a separate issue.

David Harlow:  So we are talking about privacy and control of health records and I was getting at the question of whether you think some folks would see this putting of records into public hands as a concern when some patient advocacy groups who prefer to see rate of patient control of records.

Marc Rodwin:  Right, there are some people out there that talk about patients owning the data: that’s a proposal, that’s not what current law is and the current situation is that even if you would like patients to own data and stop others from doing anything with it that’s not happening now, and the law is not allowing it. And it’s not the public access that’s the problem; if there is a problem it’s private firms appropriating it without consulting them and without any oversight, and I think to the extent that this is made public it’s going to have to be done through a statute that will design what the limits are and the uses in confidentiality in a way that they can guarantee much more safety for patients and currently exists.

David Harlow:  Do you think that the current legislative debate on healthcare reform provides a vehicle for such a statute?

Marc Rodwin:  Well, it provides a vehicle for doing it but it’s not what's the focus of most people’s attention so it’s unlikely to. At this point the center of the debate in the editorials in the press and the like is elsewhere. It may well be that when there is, if there is, a major bill in Congress someone there will slip in something that relates to this but it’s not an issue that’s been debated at all, and that’s a little bit worrisome, because I think there is a significant chance that some groups that are doing well with the current situation will try to put in some kind of legislation to the do the opposite: to make it private, to not allow public access, and since a lot of the public is not aware of this issue yet they won’t see what's happening and they won’t be able to prevent that.

David Harlow:  All right -- so that could be a surprise. Well hopefully we don’t get a surprise like that. I appreciate very much you taking the time to discuss this issue with me, it is an interesting topic and a very interesting proposal, a valuable proposal and perhaps that can get some traction of the current environment as we are discussing this.

Marc Rodwin:  Well wherever you come out on it, it’s worth thinking about, it’s a major policy issue, it’s opening up, it’s new and it will make a big difference.

David Harlow:  Yes, well, Professor Marc Rodwin, thank you very much for taking the time with HealthBlawg today, I appreciate your thoughts and your insights and thank you again for being with us.

Marc Rodwin:  It’s my pleasure; thank you.

Large molecules, biosimilars, patent protection, and the cost of health care reform

As may be expected, interested parties are hard at work in our nation's capital lobbying key health care committee members and their staffs.  Today I want to share a small window into this usually closed-off world, informed in part by a conference call with a handful of bloggers yesterday, hosted by Jim Greenwood, President of BIO, the biotech industry association.

"Large molecule" biotech compounds used as next generation drugs for a whole range of diseases and conditions do not get the same sort of patent protection as "small molecule" drugs.  Small molecule drugs start the patent and FDA new drug application (NDA) process at the same time, with the usual effect that FDA approval for a new drug comes about 7 years after an initial application, thus giving the patent holder about 12 or 13 years of patent-protected time on the market before generic manufacturers can horn in.  Large molecules are not patented directly; the processes by which they are generated are.  Thus, a competitor may develop a means to generate a "biosimilar" -- a large molecule that has the same therapeutic effect as the original, even though its production and chemical formulation are not identical -- and market it without infringing on the innovator's patent.  The key to being able to do so is the ability to rely on the innovator's study data as part of its NDA.  The key to the innovator's ability to have the market to itself for the equivalent of the term of a patent in the small molecule world is a period of "data exclusivity" (when others can't use its data for their own applications regarding biosimilars) equal to the effective term of patent protection: 12 or 13 years.

Greenwood said yesterday that Peter Orszag and Nancy-Ann Min DeParle have suggested that 7 years' data exclusivity should be sufficient, and that the FTC opposes any data exclusivity.  Legislation filed in the last session supported by BIO would have provided 12 years of data exclusivity.  The Senate HELP bill provides for 9 years of data exclusivity, with the opportunity to get a 3-year extension in the case of a novel use for the product. 

While the arguments made by industry are reasonable, the issue must be placed in context.  Drugs and biologics, while undeniably a key component of our current health care system, have contributed greatly to the runaway cost inflation we have seen.  The proposed 21.5% cut to the Medicare Physician Fee Schedule -- the prospect of which horrifies not only physicians, but those of us who may ever want to obtain physician services in the future -- may be tempered by carving out physician-office-administered medications, which include some of the large molecule compounds at issue (an $87.5B line item, over 10 years).  Taking this expense out of the physician pot means it has to be dropped back in somewhere else; I mention this because it's an issue at the forefront of the debate, and the price tag (which is not the whole price tag for drugs and biologics) is a big number, which has the attention of policymakers.  The total annual cost of biologics has been pegged at $60B.  While the industry rightfully wants large molecule protection equivalent to small molecule protection, the public and the government are rightfully concerned about the ultimate cost of such protection, and are seeking an appropriate balance.

The lobbying on this and many other provisions continues in the Senate HELP Committee and other committees.  Many compromises lie ahead.

Update 7/16/09:  The Senate HELP Committee bill was reported out with 12 years of protection.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

2010 MPFS: CMS proposes 21.5% physician pay cut (yes, really)

Let's go down the rabbit hole with the federales. 

Remember the Sustainable Growth Rate, that congressional hedge against inflation of health care costs, specifically payments under the Medicare Physician Fee Schedule?  Well, the CY 2010 MPFS went on display yesterday, and is due to be published in a couple weeks.  As written, the rule would (among other things) fully implement the SGR by cutting physician payments 21.5% (see the press release).  That's because Congress has overridden every other cut mandated by the law since 2002, yet has not taken the time to rethink it -- even though it called for a review in 2005's DRA, and MedPAC obliged in 2007.  To cut to the chase, MedPAC recommended that Congress either (a) come up with another cockamamie formula or (b) repeal the SGR and develop incentives for providers to provide higher quality care at lower cost.  Yes, they've done a fine job so far . . . .

So, we all know that Congress will step in before the rule takes effect January 1, 2010; perhaps it will be in a systematic way this time, however, with a real replacement for the SGR wrapped into a broader health care reform bill.  The Tri-Committee bill in the House (see sec. 1121, p. 181) is the only leading bill that addresses this issue head-on, as far as I know (please let me know if I'm missing something), though it does not include a radical enough reformation and seems to fall in line with MedPAC recommendation (a).

As the WSJ Health Blog notes, another part of the crazy logic at work in the draft rule is a CMS proposal to carve out reimbursement for physician-administered drugs ($87.5B over ten years, per the CBO) from that which is subject to the SGR.  That would help with the narrow issue of how-many-percentage-points-of-the-SGR-can pass through the eye of a needle, but obviously doesn't address the fundamental systems issue.  (I'll take (b) for $2.4 trillion, Alex.)

There's plenty of other goodies in this draft rule -- especially around imaging -- but the big across-the-board cuts certainly deserve the headline.  For example:

• Capital reimbursement for physician-office diagnostic equipment was originally calculated by CMS based on the assumption of a 50% utilization rate.  Since the actual utilization rates are much higher, that assumption is now being formally thrown out the window.

• Under MIPPA, imaging providers will be subject to new accreditation requirements as of January 2012; accreditation organizations are identified in the rule, and additional controls will be forthcoming in separate rulemaking.

• Finally, more measures are being added to the PQRI set, and automatic EHR-to-CMS reporting is being explored (as is the case with hospital RHQDAPU reporting), as pay-for-reporting (in lieu of meaningful pay-for-performance) continues at the Federal level.

Bottom line: This is a complicated set of issues, but it is only one of many that Congress and the President hope to have all wrapped up neatly by November.  Perhaps a post-SGR approach to physician payment will help build the coalition necessary for meaningful systemic reform.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

David Harlow and John Moore talk with Gregg Masters about HITECH Act, Certified EHRs and Meaningful Use on Blog Talk Radio

John Moore and I spoke with Gregg Masters on Blog Talk Radio today about the HITECH Act provisions in ARRA, certification of electronic health records systems, and the meaning of "meaningful use."

The Meaningful Use "matrix" laying out the five-year plan, laying out care goals, objectives and measures across five health outcomes policy priorities is available on the Health IT at HHS website. Those policy priorities:

1. Improve quality, safety, efficiency and reduce health disparities
2. Engage patients and families
3. Improve care coordination
4. Improve population and public health
5. Ensure adequate privacy and security protections for personal health information

The alphabet soup of government workgroups is working fast to firm up these and other definitions, which will help break up the logjam in EHR investment and implementation.

Have a listen and let us know what you think.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

A Declaration of Health Data Rights: Can't argue with it, but it's only a first step

I'm joining the party a day or two late, and am supporting:

A Declaration of Health Data Rights

In an era when technology allows personal health information to be more easily stored, updated, accessed and exchanged, the following rights should be self-evident and inalienable. We the people:

• Have the right to our own health data
• Have the right to know the source of each health data element
• Have the right to take possession of a complete copy of our individual health data, without delay, at minimal or no cost; if data exist in computable form, they must be made available in that form
• Have the right to share our health data with others as we see fit

These principles express basic human rights as well as essential elements of health care that is participatory, appropriate and in the interests of each patient. No law or policy should abridge these rights.

So, my first reaction: This is obvious stuff, right?  Say what you will about The People's Republic of Massachusetts, local law requires prompt provision of medical records to patients at nominal cost, and in the vast majority of cases, the rules are followed and everyone's happy.  In my own little world here in Boston, MA, The Hub of the Universe, I've never had a problem getting health data -- or pathology slides, or anything else -- released to me or shared with other clinicians when needed.  But, then, I suppose I'm an outlier: my physician is part of a totally wired multispecialty group practice, which has been wired for years and years; and I'm both an industry guy and a lawyer, so I know how to speak up when I need something, and perhaps folks are more apt to listen.  (Reminds me of the semi-apocryphal story of a classmate of mine who saw the "law student" stamp across the top of his medical chart at Mass. General years ago.)

Upon reflection, I realized that not everyone -- whether in Massachusetts or elsewhere -- has the same ease of access, and while the declaration is sort of a no-brainer, it is important to put it out there, and I'm happy to join the folks who got this thing going, including Adam Bosworth, David Kibbe, Jamie Heywood and Gilles Frydman (forgive me for leaving other names off this short list).  I discussed the Declaration with Gilles Frydman, who agreed that it is just a first step, but a critically important one to take while the national dialogue is focused on electronic health records.

Additional steps down the path will have to include other common-sense guarantees that are already enacted into law here and there, including guarantees concerning the rights of patients to obtain test results through their physicians or otherwise, the ability of patients to correct errors in their records (so we don't have easily-accessible garbage), as well as easy access to interoperable electronic health records and non-tethered personal health records.

There are good reasons why some physician notes in some patient records should not be shared with patients or family members (a subject for another day), but this Declaration is focused on data -- not free-text notes -- so those notes would not be covered.

What other rights along these lines would you like to see guaranteed?

Update 6/27/09:  Many supporters have signed onto the Declaration.  One notable exception: Jen McCabe, who was in on some early drafts, but feels strongly that the darn thing doesn't go far enough.  Jen has blogged about her thoughts on the subject and has laid out her own more comprehensive patients' healthcare information rights manifesto.

I agree with Jen's sense that the Declaration is a first step, a baby step, and that there's a lot farther to go.  However, I see this first step less as a near-futile gesture, and more a real first step, a way to to get the conversation moving at a time when it can converge meaningfully with parallel conversations about implementation of ARRA / HITECH Act / Son of HIPAA provisions.  As the old saying goes: A journey of 1,000 miles begins with one step.

Here's what I would like to see providers who are prepared to sign onto the Declaration do as a next step: Without waiting for government action, initiate a campaign to amend their HIPAA Notice of Privacy Practices (NPP) (perhaps now, perhaps as part of the NPP amendment that will have to be rolled out once the Son of HIPAA regs are finalized by next February) to incorporate into a standard form contract that binds the providers the next steps that Jen calls for now and that most, if not all endorsers of the Declaration would also agree are necessary and important.  This simple, yet far-reaching step, would have a greater impact than an endorsement by a provider organization.  These should include guarantees of the "common sense" rights articulated above as well as the following patient rights:

• The right to correct erroneous data -- and a mechanism for noting disagreements with clinicians
• The right to control access to data -- access for all purposes: care, payment, secondary use (including clinical research and marketing)

In the past, non-standard NPPs were drafted and distributed by patient advocacy groups for patients to use and add to their providers' NPP forms.  However, patient-specific NPPs are unadministrable.  In order for this to work, there needs to be adoption form the provider side, either as a result of new regulation, or as the result of a populist follow-on to the Declaration.

As I wrote above: Please join in; what other rights would you like to see guaranteed as part of the Declaration?  What are your thoughts on this approach?

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

America's Agenda: Health Care For All - Conversation with Dick Gephardt on bipartisan business-labor-payor coalition prodding policymakers into action

I had the opportunity to speak with Dick Gephardt and Mark Blum yesterday, courtesy of America's Agenda: Health Care For All.  Mark is the organization's Executive Director.  Dick Gephardt is a board member and is also . . . Dick Gephardt.  The organization has been engaged in some bipartisan efforts to promote health care reform at the state level (e.g., Vermont), and is now trying its hand at the national stage, having sponsored a series of "summit conversations" over the past few months.  This is one of a new breed of political action committee, which strives to bridge gaps between Democrats and Republicans (Tommy Thompson is also a board member), Big Labor and Big Business and Big Healthcare (members range from SEIU to IBM to PhRMA to Catholic Healthcare West), and promote health care reform.  As is true of many proposals on the table these days, the group's consensus document on national health reform takes the mom-and-apple-pie approach, endorsing a federal disease prevention initiative, a national strategy to improve efficiency and coordination of chronic disease care, strengthening comprehensive primary care, improving evidence for practice guidelines and quality standards, aligning incentives to promote best practices, promoting HIT to reduce waste and enable care coordination, and guaranteed access to care.  The $2.4 trillion question remains: How do we pay for all this health care goodness?

Gephardt was in a leadership position in Congress during the "HillaryCare" campaign in 1993-94.  In his view, comprehensive reform stands a better chance now because the Obama Administration has set out basic goals to be achieved that are straightforward and positive, and has turned it over to Congress to work out the details -- in contrast to the HillaryCare plan drafted in private by a panel of experts and dumped on legislators' desks.  "In the end, the only thing that matters is votes in the House and Senate," Gephardt said, and the only way to secure those votes is to engage Senators and Representatives in the development and drafting of the bills, which was not done in the Clinton era.  His other observations: Stakeholders in the process have remained engaged this time around; in the '90s, many big stakeholders opted out early and just attacked the process.  In order to succeed, a health reform plan needs to offer tangible benefits to the 85% or so of the population who already have health insurance (e.g., savings or efficiencies); otherwise there can’t be a successful political outcome.  "We can't just talk about who do we tax to cover the uninsured; we need to talk about savings for everyone."

I asked Gephardt whether and how the spirit of bipartisanship that we see these days among many prominent former government officials "reaching across the aisle" could be instilled into current political leaders.  His observation: it's hard, given the degree to which the parties have become polarized, yet some Republicans, notably Senators Grassley and Enzi (ranking minority members on key committees), are able to engage in policy discourse.  Gephardt noted that given the range of views within the Democratic Party, there needs to be as much attention paid to keeping the conservative and progressive wings of the party engaged as there is to keeping lines of communication open across the aisle.  Gephardt and Blum both said that there seems to be more common ground this time around because business, labor and provider communities are all feeling pain and recognize that reform is needed.  However, it seems to me that shared pain does not guarantee shared views on the right prescription to ease that pain.  The prescription involves a lot of money, and the stakeholders under various plans floating around Congress these days are weighing in, making swift passage seem less likely as time goes on.  See, e.g., the letter from AHIP to Sen. Kennedy, as reported in the Wall Street Journal.

Blum pointed to the organization's success in helping garner support for the Vermont health care reform plan enacted a couple of years ago.  After the plan was initially vetoed by the governor, and his approval ratings didn't budge, America's Agenda came to town and recommended taking a different tack, based on polling data showing that the key issue for Vermonters (most of whom were already insured and were unmoved by the rhetoric about universal coverage) was concern about being able to continue to pay for one's own health care in the future.  Focusing on that angle led to passage of the bill and its signing by the governor, Blum said.  A more recent model for success is the West Virginia five-year plan, enacted within the past month.  Again, local conditions dictated strategy and tactics.  And again, it will be very interesting to see whether and how the broad promise enacted will ultimately be funded and implemented.

Translating this success to the national stage requires identifying the health care delivery system reforms that can drive down costs, according to both Blum and Gephardt.  If everyone's covered, they say, we can spread costs over more premium payors and manage chronic conditions more effectively and efficiently.  I pushed on this point, given the evidence demonstrating that preventive care doesn't necessarily save money in the long run, because (a) preventive care for all is more expensive than treating the small numbers of cases of any illness or injury that could have been prevented and (b) the people who benefit from such care tend to live longer and eventually suffer from costly illnesses.  Blum insisted that employers such as IBM have found that given a long enough time horizon (10-15 years), the savings are there, and preventive care pays off (4:1).  I am not convinced; I think that given an even longer time horizon -- e.g., into retirement -- the costs will spike, but then that's no longer IBM's problem . . . it's everyone's problem.  Now, I'm not opposed to primary and preventive care; I would just prefer that the trade-offs and consideration of all costs and benefits be explicit.  This is a big social policy issue, not just a health care issue, given the amount of money that's at stake and the potential for rationing engendered by the price tag.

Other topics touched on included the question of whether for-profit insurance companies should be permitted to reap the financial benefit of health care expenditure savings (Gephardt pointed to legislative language calling for community rating, limitation of pre-existing condition exclusions and, in the House Tri-Committee health care reform bill released as a discussion draft within the past week, regulation of medical loss ratios so as to prevent windfalls to commercial insurers; this last provision seems destined for the dustbin of history sooner rather than later).  In addition, I asked whether contributors to America's Agenda's campaigns are skewing their focus (Blum said the $12 million contributed by PhRMA to the SCHIP fight was firewalled away from the current campaign regarding health care reform).

Bottom line: America's Agenda has done a good job of bringing the policy debate out of the back rooms and onto the internet, and has also made important contributions to enabling state-level reforms.  It remains to be seen whether this new stripe of activism will gain significant traction in Washington, or whether the business-labor-payor alliance will simply break down as we get closer to the massive financial issues at stake in the debate.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

#hcsm means Healthcare Communications and Social Media: Last night's legal edition was fast and furious

Tom Stitt and Dana Lewis host a weekly "tweetchat" on healthcare communications and social media, known as healthsocmed or hcsm.  Last night, Daniel Goldman, legal counsel at The Mayo Clinic, aka @danielg280, and I, aka @healthblawg, were lawyers-on-the-spot for a special legal edition.  There were interesting questions raised regarding social media, patients, providers, privacy, HIPAA, and lots more.  There were innumerable cross-conversations going on.  One participant noted later that over 900 tweets had been posted in the #hcsm tweetstream in the hour or so allotted (about twice the usual volume), which made it impossible to follow all of them in real time, unfortunately.  I had the chance to look over the stream afterwards, and offer some follow-up responses to questions not fully answered during the session. 

@HITshrink posted some organized excerpts from the stream on his blog; check them out for a more orderly taste of the experience.

Kudos to Tom and Dana for making this happen.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Peter Neupert and the latest on Microsoft HealthVault

I had the opportunity to speak with Microsoft SVP Peter Neupert today, on a conference call with a few other health care bloggers.  He was wrapping up the Microsoft connected health conference (check out the tweetstream at #msftchc, which this year brought the HealthVault developers and Amalga users together for the first time, and he seemed jazzed about the synergies. 

Neupert described himself as a "technology optimist," and described Microsoft's current phase of activity as "putting technology pillars in place" so that folks can build applications on the HealthVault open platform.  He acknowledged the difficulties in getting providers and patients to jump aboard, however, noting that physicians have concerns about the reliability of patient-entered data (which communication-enabled devices can now upload automatically) and patients have a variety of concerns about uploading personal health information online.

One of the panels at the conference included David Kibbe discussing the need for modular EHRs for small physician practices.  In response to a question, Neupert described some of his efforts together with the Markle Foundation to articulate a framework for "meaningful use" that would be more focused on outcomes than on the technology itself.  I've discussed before the problems of certification through a set of standards promoted by current market leaders -- it could stifle innovation and limit availability of tools appropriate for a variety of practice settings.  Neupert recounted an experience in California a number of years ago where promotion of e-prescribing by giving away computers and software to physicians resulted in only minimal adoption.  Adoption by physicians will occur if the tools are useful and can adapt to physician workflow, or if the case can be made that workflow ought to change.  Cleveland Clinic and Kaiser Permanente pilot projects have been exploring this issue.

Other issues raised included mHealth, to which Neupert responded that the HealthVault platform is device-agnostic, and that mobile developers were represented at the conference, and HIPAA concerns as a potential barrier to provider and patient adoption.  Neupert joked, "I've never heard of HIPAA; I don't know what that means."  He then noted that the HIPAA conversation comes at different points in the dialogue, depending on whether the dialogue is with providers (comes earlier) or patients (comes later).

Bottom line: It's early yet, folks, but HealthVault has significant promise as an open platform for health care records and their many uses.  We'll see how long it takes to realize that potential.

Update 6/25/09: Archived presentations and videos from the 2009 Connected Health Conference are now available on line.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Health Care Reform edition of Health Wonk Review is up

Joe Paduda does a great job pulling together the best of recent policy posts from the health blogosphere -- and tops it off with some insightful wonkishness of his own -- in today's edition of Health Wonk Review at Managed Care Matters.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting