
July 15, 2009

Red Flags Rule: The FTC piles on, because HIPAA, ARRA and overlapping state laws just weren't enough

After a couple of delays, the FTC Red Flags Rule will be effective August 1, 2009.  This rule requires "creditors" holding certain "covered accounts" to maintain a heightened alertness to numerous categories of "red flags" that may indicate that the consumer who is the rightful account holder is the victim of identity theft.  If a red flag is triggered, the creditor must take steps to notify the consumer and correct any inappropriate information included in the creditor's records.

As you probably already know, the FTC is extending its reach with this rule (among others) into the health care sector.  (Cf. the FTC's role in enforcing certain Son of HIPAA provisions.)  The AMA has all but dropped a draft complaint on the FTC's desk, citing assorted legal precedents in its correspondence with the FTC arguing that the Red Flags Rule should not apply to physician practices.  The FTC is unmoved -- except to the extent that it has been willing to delay the effective date twice (from November 2008 to May 2009 to August 2009).

At any rate, the August 1 effective date is around the corner, and affected health care entities need to develop and implement compliance plans now, if they haven't already.  (Even the AMA says so, and has published guidance and a sample policy for members.)

A few more general comments before stepping back and examining the language of the rule and its applicability to health care providers.

The federales are taking something of a common-sense approach here, recognizing that a compliance plan needs to be tailored to the specific entity, the nature of its "covered accounts" and its operations.  Bank of America, N.A. and Springfield Medical Associates, P.C. will have very different compliance plans, because their potential red flags and the potential risks are vastly different.

Affected health care providers need to understand that the Red Flags Rule requirements overlap with HIPAA and state privacy law requirements (and looming Son of HIPAA requirements in ARRA), but will not be satisfied by implementation of existing privacy policies and compliance plans.  Review of the intersection of existing policies and procedures with the new rule's requirements is the first order of business.

As with any other new regulatory scheme, preparing a compliance plan and putting it on the shelf won't cut it.  The rule calls for regular monitoring of the plan and issues that arise by a senior manager.  Furthermore, best practices would dictate the training of staff to deal with individual issues and, most importantly, with the affected consumers.

Even if not clearly subject to the Red Flags Rule, providers should undertake to comply, for a couple of interrelated reasons:

  • Good patient PR.  Data security is top of mind these days.  Much of the effort required under the rule should be expended anyway simply to respond to market pressures calling for improved data security.
  • Potential liability.  The creative trial attorney will seek to use the Red Flags Rule as establishing a standard of care for the stewardship of personal information.  The incensed jury will go along.  The health care provider caught in the middle between thieves and victims may be the only perceived deep pocket available.

OK, so what is a "creditor" and what is a "covered account?"

Any entity that accepts payment other than payment in full at the time of service is a creditor.  Health care providers that go the cash-on-the-barrelhead route aren't creditors; all others are creditors.

The FTC Guide defines covered accounts as follows: either

  • a consumer account you offer your customers that’s primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions; or
  • any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks. Examples include small business accounts, sole proprietorship accounts, or single transaction consumer accounts that may be vulnerable to identity theft. Unlike consumer accounts designed to permit multiple payments or transactions – they always are "covered accounts" under the Rule – other types of accounts are "covered accounts" only if the risk of identity theft is reasonably foreseeable.

Any creditor with covered accounts must have a Red Flags Rule compliance plan in place with policies and procedures for dealing with "red flags" -- i.e., patterns, practices or specific activities that indicate that an account may have been opened or used by an identity thief rather than the rightful account holder.  The World Privacy Forum suggests that the following red flags are the ones most applicable in the health care context:

• A complaint or question from a patient based on the patient’s receipt of:
   o a bill for another individual
   o a bill for a product or service that the patient denies receiving
   o a bill from a health care provider that the patient never patronized or
   o a notice of insurance benefits (or Explanation of Benefits) for health services never received.
• Records showing medical treatment that is inconsistent with a physical examination or with a medical history as reported by the patient.
• A complaint or question from a patient about the receipt of a collection notice from a bill collector.
• A patient or insurance company report that coverage for legitimate hospital stays is denied because insurance benefits have been depleted or a lifetime cap has been reached.
• A complaint or question from a patient about information added to a credit report by a health care provider or insurer.
• A dispute of a bill by a patient who claims to be the victim of any type of identity theft.
• A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance.
• A notice or inquiry from an insurance fraud investigator for a private insurance company or a law enforcement agency.

If a situation is flagged, a creditor must take steps to mitigate the risk of identity theft or continued identity theft.  Again, the World Privacy Forum notes:

There need to be uniform but appropriately flexible answers to these questions:

  • What do we do when a patient claims fraud is in their files?
  • What do we do when a patient says the bills are for services she did not receive?
  • What do we do for patients and other impacted victims when we uncover a fraudulent operation?
  • When we have a real case of medical identity theft, how can we work with patients to fix the records and limit future damages?
  • What do we do when a provider has altered the patient records?
  • How do we handle police reports and requests for investigation from victims?

The answers to these questions need to be viewed not just from the provider's perspective, but also from the victim's perspective, which can differ substantially.

There are a number of useful resources available for health care providers seeking to take stock of their situation, establish Red Flags Rule compliance policies and procedures, and undertake staff training on the subject.  For example, the FTC, the AMA and the World Privacy Forum have all released valuable guidance documents (all linked to above) that would assist any organization with coming into compliance. 

As with any effort of this sort, it is often valuable to have someone outside the organization come in to review existing policies, procedures and workflow in order to highlight potential risks and opportunities for improvement.  The HealthBlawger and members of the HealthBlawger's virtual consulting network are available to come in and assess, plan and help implement compliance strategies for organizations large and small touched by the Red Flags Rule.

Whatever the size or nature of your business, please take a moment to consider how the Red Flags Rule may apply to its operations, and how it may relate to other regulatory schemes such as HIPAA and state laws.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

July 13, 2009

Marc Rodwin, Suffolk University law professor, speaks with David Harlow about his proposal for public ownership of health data published in JAMA

I spoke with Marc Rodwin last week about his proposal that there should be public ownership of all de-identified health record data, to guarantee the availability of complete data for improving public health and advancing evidence-based medicine.  These are goals of the Obama Administration, articulated as part of the rationale for expanding the use of EHRs and promoting that expansion through unprecedented grants to providers for meaningful use of certified EHRs.  Professor Rodwin is on the faculty of the Suffolk University Law School; his piece on public ownership of health record data was published in JAMA earlier this month.

The audio file of my interview with Marc Rodwin (about 20 minutes long) is available for download/podcast.  A full transcript is at the end of this post (and in the linked transcript here).


Rodwin's proposal, which would require legislative action, sits alongside the Declaration of Health Data Rights, which asserts individuals' control over their own health data.  The two initiatives should not be mutually exclusive.


Rodwin notes that in the current flurry of health care legislative activity it is more likely that data mining firms will get legislative protection for the status quo than that public ownership of health data will be recognized.  The resulting fragmentation of control of, and access to, health data would undercut the value of the pending investment in health data infrastructure in this country.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting


HealthBlawg Interview of Prof. Marc Rodwin, JD, PhD, Suffolk University Law School
July 7, 2009

David Harlow:  Hello. This is David Harlow on HealthBlawg and I have with me today Marc Rodwin, Professor at the Suffolk University Law School in Boston, who has a piece published in the current issue of JAMA, the Journal of the American Medical Association, regarding the case for public ownership of patient data. Good afternoon Marc.

Marc Rodwin:  Good afternoon, David. Nice to speak with you.

David Harlow:  Thank you for being with us. The case that you make is a compelling one and I wonder if you could lay it out in brief for our listeners and readers.

Marc Rodwin:  Sure, maybe I should give a little background.

David Harlow:  Thank you.

Marc Rodwin:  There is a new emerging market in patient data -- de-identified or anonymized data, aggregate data -- and it’s growing particularly because of the move to electronic medical records.  The significance of this is that it will now be much easier to do all sorts of analysis of public health, of marketing trends, of valuation of healthcare systems, of hospitals, epidemiological research and so it’s a very valuable development.

David Harlow:  Yes and that’s part of the background for the push to add electronic medical records to our healthcare system.

Marc Rodwin:  Right, but what hasn't been discussed very much – it's been overshadowed by the talk of confidentiality issues or technology or making this happen – is how to make this work for the public and for private parties too, and the main question that's been ignored is who owns this data, who should own it and what is the consequence of the law on ownership in this area.  In fact there is an area of great uncertainty, because the law has really been established to decide ownership of medical records, tangible property, in the past, and there, there is a pretty clear resolution: records are pretty much in most states owned by providers, but patients have access to the records and there are limits on provider use of it for confidentiality.  But with electronic data you don't necessarily have exclusive ownership and it's not really clear what its status is. There are a few parameters, so it's pretty clear from what's been said so far that this is not something that the law would normally allow to be copyrighted or patented, because it doesn't involve (the raw data on patients) creativity and it's not an invention, but there is some referring to data that comes from a billing record or a patient record, something that's been produced there, and in that sense it's not protected.  On the other hand, what has happened so far is people who have been selling the data they have, both for-profit firms, not-for-profit hospitals, insurance companies, and they have often used contracts in selling it to restrict others from using it and they have put the data in -.

David Harlow:  Just to be clear we are talking about aggregated de-identified data for the most part.

Marc Rodwin:  Yes, absolutely, I thought I said that up front. So there is an effort to really make this a private property and there have actually been some people out there in the policy world suggesting that it should be private, not public: The Heritage Foundation in a brief a while ago said that government shouldn't have any privileged access and so they have to buy it, and other groups that have looked at it have said don't think about ownership, just about access. But if there isn't some provision set up to make it public, publicly available, then it's going to be treated quite possibly as private property and that's going to create problems most with the public and for private development is my argument.  Now for the public the problem is this: if individual insurance companies and hospitals have a right to own the data, they can restrict who uses it and they can not make it available, they can sell it only on terms that they want, and even if it's made sellable to public health authorities it may be simply too expensive to get.  The problem is larger than you might think, because the value of this data is particularly if you have a comprehensive database; so fracturing it into parts owned by lots of different entities makes it much harder to collect together and to use, and even the transaction cost -- if you have the money -- would impede use, so that would really limit many of the public health and research functions of it. We have seen this happen in other areas; there has been some discussion of patenting genes, Lori Andrews and others have written about that, and there is actually an economic literature that discusses what's called "the tragedy of the anti-commons" and the basic idea is that if you allow private ownership but such that the values are really downstream it becomes very hard for private owners to collect them together and get the beneficial uses. 
That's what I am saying is going to occur here and why I recommend that there be a mandate to have reporting of certain aggregate data to, say, HHS or a new government entity and that that data then be made available to the public.  Now there actually are some precedents for that in limited ways: California requires hospital discharge data to be reported for all hospitals, Medicare requires all hospitals to report certain cost data -- so this is not a totally new approach or a radical approach. The other thing that is important to know is making this publicly available doesn't impede commercialization of sorts, it just makes a better market for it, because once that's public you can have different firms take the data, analyze it and put it into software in different ways, do all the kind of things that make it valuable and usable; the only thing that happens when it's public is you prevent these parties that analyze the data from having a monopoly and kind of having that tie in with the data ownership in their analysis.

David Harlow:  So whatever the value they add in terms of analysis would be added in, and you create a market for that sort of analysis.

Marc Rodwin:  Sure so if Harlow and Rodwin Associates does very good graphics on the data and puts it into a usable friendly format, we could sell that.  But given that the data is out there and others could do it we wouldn’t be able to sell it with a monopoly profit based on our having the data or on having an inferior product that no one else could compete with.  Someone else down the street, Tom Jones, could say I can do that even better, or sell it with different unit pricing and make it and compete with you so you can actually have two or three folks developing the analysis and delivery in certain ways and none would be able to require that you only go to them for their services because you have to buy the services with the data.  So I can say a bit more, but why don’t I let you ask some questions.

David Harlow:  What I was going to ask next is: Would you see the sort of protection of rights or protection of the usability of this data, as something that could fit in with the framework for meaningful use that’s been articulated under the Recovery Act?

Marc Rodwin:  Well I don’t think it’s been sufficiently articulated yet and I think it’s yet to be articulated with regulation.

David Harlow:  There is a draft definition or working definition if you will out there for comment and I guess one of the ways that’s being framed is: What are the health outcomes or policy priorities that are going to be advanced by a definition of meaningful use and you have articulated a very important one which is the use of all of this data for population-based, evidence-based healthcare.

Marc Rodwin:  Yes, we will see what comes out in the regulations and how they develop, but what I am suggesting is the broadest possible definition, and that would require that it all be made available, and what worries me is that "meaningful use" might significantly restrict it in different ways. The approach I am taking is that it's all reported and made -- through a government entity -- available to everybody who wants to use it once it's protected, and that would preclude anyone not making something available or making it available later or on less favorable terms, and for broader than just population data, conceivably. While I am very interested in the public health uses, it would be also usable for a subpopulation, for the Boston area population or for studying of one hospital system or one HMO.

David Harlow:  Or for a particular disease.

Marc Rodwin:  That's right, and so I think there is a value to having some mandatory reporting which will certainly get the data out there in a way that's saying the data has to be made available to those who request it, or in certain circumstances that puts the cost of collecting it elsewhere. Right now we have done this with Medicaid data in California and there are certain times you just have to report certain things, and maybe there should be some compensation for that, but basically we are talking about people reporting things that they already have and do report to others, so if you have to turn over information already for billing or for Medicare cost data and the like, we are not talking about a lot more burden to make that same data available more broadly.

David Harlow:  Now in this piece you have highlighted the fact that some data sellers will draft agreements that limit buyers of the data from further disseminating that information, and I guess the question I would have on that front is whether you are aware of lawsuits or decisions that have addressed the enforceability of those agreements?  Take the case that the work that's done in manipulating that data doesn't really create something that is copyrightable. So the question is: can the seller really enforce an agreement that requires someone to not disseminate that information further?

Marc Rodwin:  Right, well I am not aware of decisions that have ruled on it but there is a difference between the copyrightability and enforceability of a contract.  It could be, I assume, the evidence I have, it’s not copyrightable. A breach of copyright would mean someone could claim a copyright infringement for use and you have the remedies there, a breach of contract is a different matter and even if they can't copyright the data they might be able to, under the terms of the contract, have contract remedies.  It’s also quite possible that simply having that clause in contracts is going to chill and limit what different people do with their data and limit access there, and in addition what I have been reading about and told is that people are trying to put this data into software in ways to limit its access. But the tension is basically here: if the data really is available publicly, you are going to have less of a primary market in people buying it from others without the analysis and the fact is if you want to buy certain data now there are known sellers and they can deliver a database and certain kind of databases and there really aren’t a lot of alternatives at this point.

David Harlow:  Right, so you are talking about encouraging a much more robust secondary use of the data.

Marc Rodwin:  Yes, that’s what I think would be beneficial.

David Harlow:  Now, do you see patient rights activists as being opposed to this sort of approach?

Marc Rodwin:  Well you know it doesn’t fit into standard categories and I think a lot of people’s initial reaction is that you don’t want something public -- with the idea that it’s safer when it’s private, in the sense that it’s confidential.  But I think that misconstrues what's going on, because public doesn’t mean that it’s not protected in terms of confidentiality, nor does not public or private mean that it is.  In fact there are, of course, risks any time there is data available, whether it’s publicly available or private, on a private market, that there will be a breach of confidentiality.  If the data is not properly coded or if it’s broken down in certain ways and there’s other information you can combine with it, you might be able to then identify patient information, but my point is that that’s equally a problem if there is a private market where you can buy this data, where firms have exclusive ownership interests in the data and in a situation where it’s available through a government entity like HHS.  So it hasn’t really been broached; as far as I know much of the public and patient rights groups haven’t been talking about this so far, they have been talking about privacy as a separate issue.

David Harlow:  So we are talking about privacy and control of health records and I was getting at the question of whether you think some folks would see this putting of records into public hands as a concern when some patient advocacy groups who prefer to see rate of patient control of records.

Marc Rodwin:  Right, there are some people out there that talk about patients owning the data: that's a proposal, that's not what current law is, and the current situation is that even if you would like patients to own data and stop others from doing anything with it, that's not happening now, and the law is not allowing it. And it's not the public access that's the problem; if there is a problem it's private firms appropriating it without consulting them and without any oversight, and I think to the extent that this is made public it's going to have to be done through a statute that will design what the limits are and the uses and confidentiality in a way that can guarantee much more safety for patients than currently exists.

David Harlow:  Do you think that the current legislative debate on healthcare reform provides a vehicle for such a statute?

Marc Rodwin:  Well, it provides a vehicle for doing it but it’s not what's the focus of most people’s attention so it’s unlikely to. At this point the center of the debate in the editorials in the press and the like is elsewhere. It may well be that when there is, if there is, a major bill in Congress someone there will slip in something that relates to this but it’s not an issue that’s been debated at all, and that’s a little bit worrisome, because I think there is a significant chance that some groups that are doing well with the current situation will try to put in some kind of legislation to the do the opposite: to make it private, to not allow public access, and since a lot of the public is not aware of this issue yet they won’t see what's happening and they won’t be able to prevent that.

David Harlow:  All right -- so that could be a surprise. Well, hopefully we don't get a surprise like that. I appreciate very much you taking the time to discuss this issue with me; it is an interesting topic and a very interesting proposal, a valuable proposal, and perhaps it can get some traction in the current environment as we are discussing this.

Marc Rodwin:  Well wherever you come out on it, it’s worth thinking about, it’s a major policy issue, it’s opening up, it’s new and it will make a big difference.

David Harlow:  Yes, well, Professor Marc Rodwin, thank you very much for taking the time with HealthBlawg today, I appreciate your thoughts and your insights and thank you again for being with us.

Marc Rodwin:  It’s my pleasure; thank you.

June 24, 2009

A Declaration of Health Data Rights: Can't argue with it, but it's only a first step

I'm joining the party a day or two late, and am supporting:

A Declaration of Health Data Rights

In an era when technology allows personal health information to be more easily stored, updated, accessed and exchanged, the following rights should be self-evident and inalienable. We the people:
  • Have the right to our own health data
  • Have the right to know the source of each health data element
  • Have the right to take possession of a complete copy of our individual health data, without delay, at minimal or no cost; if data exist in computable form, they must be made available in that form
  • Have the right to share our health data with others as we see fit
These principles express basic human rights as well as essential elements of health care that is participatory, appropriate and in the interests of each patient. No law or policy should abridge these rights.

So, my first reaction: This is obvious stuff, right?  Say what you will about The People's Republic of Massachusetts, local law requires prompt provision of medical records to patients at nominal cost, and in the vast majority of cases, the rules are followed and everyone's happy.  In my own little world here in Boston, MA, The Hub of the Universe, I've never had a problem getting health data -- or pathology slides, or anything else -- released to me or shared with other clinicians when needed.  But, then, I suppose I'm an outlier: my physician is part of a totally wired multispecialty group practice, which has been wired for years and years; and I'm both an industry guy and a lawyer, so I know how to speak up when I need something, and perhaps folks are more apt to listen.  (Reminds me of the semi-apocryphal story of a classmate of mine who saw the "law student" stamp across the top of his medical chart at Mass. General years ago.)

Upon reflection, I realized that not everyone -- whether in Massachusetts or elsewhere -- has the same ease of access, and while the declaration is sort of a no-brainer, it is important to put it out there, and I'm happy to join the folks who got this thing going, including Adam Bosworth, David Kibbe, Jamie Heywood and Gilles Frydman (forgive me for leaving other names off this short list).  I discussed the Declaration with Gilles Frydman, who agreed that it is just a first step, but a critically important one to take while the national dialogue is focused on electronic health records.

Additional steps down the path will have to include other common-sense guarantees that are already enacted into law here and there, including guarantees concerning the rights of patients to obtain test results through their physicians or otherwise, the ability of patients to correct errors in their records (so we don't have easily-accessible garbage), as well as easy access to interoperable electronic health records and non-tethered personal health records.

There are good reasons why some physician notes in some patient records should not be shared with patients or family members (a subject for another day), but this Declaration is focused on data -- not free-text notes -- so those notes would not be covered.

What other rights along these lines would you like to see guaranteed?

Update 6/27/09:  Many supporters have signed onto the Declaration.  One notable exception: Jen McCabe, who was in on some early drafts, but feels strongly that the darn thing doesn't go far enough.  Jen has blogged about her thoughts on the subject and has laid out her own more comprehensive patients' healthcare information rights manifesto.

I agree with Jen's sense that the Declaration is a first step, a baby step, and that there's a lot farther to go.  However, I see this first step less as a near-futile gesture, and more as a real first step, a way to get the conversation moving at a time when it can converge meaningfully with parallel conversations about implementation of ARRA / HITECH Act / Son of HIPAA provisions.  As the old saying goes: A journey of 1,000 miles begins with one step.

Here's what I would like to see providers who are prepared to sign onto the Declaration do as a next step: Without waiting for government action, initiate a campaign to amend their HIPAA Notice of Privacy Practices (NPP) (perhaps now, perhaps as part of the NPP amendment that will have to be rolled out once the Son of HIPAA regs are finalized by next February) to incorporate into a standard form contract that binds the providers the next steps that Jen calls for now and that most, if not all endorsers of the Declaration would also agree are necessary and important.  This simple, yet far-reaching step, would have a greater impact than an endorsement by a provider organization.  These should include guarantees of the "common sense" rights articulated above as well as the following patient rights:

  • The right to correct erroneous data -- and a mechanism for noting disagreements with clinicians
  • The right to control access to data -- access for all purposes: care, payment, secondary use (including clinical research and marketing)

In the past, non-standard NPPs were drafted and distributed by patient advocacy groups for patients to use and add to their providers' NPP forms.  However, patient-specific NPPs are unadministrable.  In order for this to work, there needs to be adoption from the provider side, either as a result of new regulation, or as the result of a populist follow-on to the Declaration.

As I wrote above: Please join in; what other rights would you like to see guaranteed as part of the Declaration?  What are your thoughts on this approach?

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

June 15, 2009

#hcsm means Healthcare Communications and Social Media: Last night's legal edition was fast and furious

Tom Stitt and Dana Lewis host a weekly "tweetchat" on healthcare communications and social media, known as healthsocmed or hcsm.  Last night, Daniel Goldman, legal counsel at The Mayo Clinic, aka @danielg280, and I, aka @healthblawg, were lawyers-on-the-spot for a special legal edition.  There were interesting questions raised regarding social media, patients, providers, privacy, HIPAA, and lots more.  There were innumerable cross-conversations going on.  One participant noted later that over 900 tweets had been posted in the #hcsm tweetstream in the hour or so allotted (about twice the usual volume), which made it impossible to follow all of them in real time, unfortunately.  I had the chance to look over the stream afterwards, and offer some follow-up responses to questions not fully answered during the session. 

@HITshrink posted some organized excerpts from the stream on his blog; check them out for a more orderly taste of the experience.

Kudos to Tom and Dana for making this happen.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

June 12, 2009

Peter Neupert and the latest on Microsoft HealthVault

I had the opportunity to speak with Microsoft SVP Peter Neupert today, on a conference call with a few other health care bloggers.  He was wrapping up the Microsoft connected health conference (check out the tweetstream at #msftchc), which this year brought the HealthVault developers and Amalga users together for the first time, and he seemed jazzed about the synergies. 

Neupert described himself as a "technology optimist," and described Microsoft's current phase of activity as "putting technology pillars in place" so that folks can build applications on the HealthVault open platform.  He acknowledged the difficulties in getting providers and patients to jump aboard, however, noting that physicians have concerns about the reliability of patient-entered data (which communication-enabled devices can now upload automatically) and patients have a variety of concerns about uploading personal health information online.

One of the panels at the conference included David Kibbe discussing the need for modular EHRs for small physician practices.  In response to a question, Neupert described some of his efforts together with the Markle Foundation to articulate a framework for "meaningful use" that would be more focused on outcomes than on the technology itself.  I've discussed before the problems of certification through a set of standards promoted by current market leaders -- it could stifle innovation and limit availability of tools appropriate for a variety of practice settings.  Neupert recounted an experience in California a number of years ago where promotion of e-prescribing by giving away computers and software to physicians resulted in only minimal adoption.  Adoption by physicians will occur if the tools are useful and can adapt to physician workflow, or if the case can be made that workflow ought to change.  Cleveland Clinic and Kaiser Permanente pilot projects have been exploring this issue.

Other issues raised included mHealth, to which Neupert responded that the HealthVault platform is device-agnostic, and that mobile developers were represented at the conference, and HIPAA concerns as a potential barrier to provider and patient adoption.  Neupert joked, "I've never heard of HIPAA; I don't know what that means."  He then noted that the HIPAA conversation comes at different points in the dialogue, depending on whether the dialogue is with providers (comes earlier) or patients (comes later).

Bottom line: It's early yet, folks, but HealthVault has significant promise as an open platform for health care records and their many uses.  We'll see how long it takes to realize that potential.

Update 6/25/09: Archived presentations and videos from the 2009 Connected Health Conference are now available on line.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

June 11, 2009

Blog Talk Radio: David Harlow featured in health care reform discussion on Gregg Masters' Net Health Reform

I had the pleasure of discussing the current crop of health care reform policy options with Gregg Masters and a number of callers today on Blog Talk Radio.  The hour-long show is available for your listening pleasure here (streaming or download).  Please let me know if you like the content and/or format.  Gregg (aka @2healthguru on twitter, where we first met) and I plan to produce future shows and are interested in your comments and suggestions on focused topics for discussion.

Thanks for listening and for your feedback.

For further reading, some of the materials we discussed include the three Senate Finance Committee policy options reports and related materials, Obama's letter to Senate Democrats, his radio/internet address from last weekend, Senator Kennedy's draft Affordable Health Choices Act, and the Tri-Committee draft released by the House Committees on Ways and Means, Energy and Commerce and Education and Labor.  There are a number of milestones on the march through committees and to the floors of both chambers, and on to the President's desk in October/November.  And finally, a useful tool for those of you keeping score at home is the Kaiser Family Foundation health reform proposal comparison.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

May 06, 2009

The Virginia prescription record security breach: The big picture, and using this case as a learning experience

The Virginia Department of Health Professions is having a bad week. Apparently, a hacker downloaded personal health information of eight million individuals, including 35 million prescription records, and then replaced the information on the state website with a crude "ransom" note demanding $10 million in exchange for unlocking the encrypted file containing what is supposedly the only copy of the patient information seized.  (Screenshot of hacked website with notice posted here; see Bob Coffield's post on the story for a good roundup of the facts and review of some HIPAA/ARRA/HITECH implications.)  This has gotten the attention of the digerati and the blogerati, and even of some folks beyond the echo chamber of the blogosphere and twitterverse, out in the real world (like Virginia officialdom, which has gotten communications on this incident off to a slow start).

Update 6/5/09: Virginia security breach notices are going out -- a month after the fact -- to over 500,000 individuals whose social security numbers were part of their prescription records.  Too little, too late? 

So, this episode raises a few questions for me of broader application:

  1. What is the scope of personal data insecurity in this country?
  2. What preventive maintenance and design steps must or should be taken by all holders of personal data in order to minimize the likelihood of a breach?
  3. In the event of a security breach, what communication is required by law, and what should "best practices" communications strategy look like, beyond what is required by the letter of the law?

Let's hack away (unconscious choice of words while typing) at these questions one at a time.

Scope of the Problem

The scope of the issue is, not to put too fine a point on it, real broad, and getting broader daily. The issue is relevant to financial and other data, but for purposes of this post, I'll confine my observations to personal health data ("protected health information," "PHI" or "individually identifiable health information" in HIPAA-speak). In the bad old days (which are perhaps coming to a close one of these years thanks to the $19 billion HITECH Act handout), PHI insecurity was limited to the problem of folks who might wander into a file room and get a hold of your medical records without having a good reason to do so. Thanks to the computerization of medical records in a desktop computer, laptop, server, storage device, or "in the cloud" (now that's a whole other can of worms), millions of records are out there for the hacking. Given the lackadaisical attitude that some have towards data security, these records are accessible to bad-intentioned identity thieves as well as to recreational hackers. The scope of the issue may be glimpsed through a visit to the Privacy Rights Clearinghouse site, A Chronology of Data Breaches, a wonderful compendium of data security breach incidents (beginning January 2005) and related resources (not yet updated as of this writing to include a reference to the Virginia debacle). This chronology is not limited to health care data breaches; a quick scan seems to confirm that the Virginia incident is among the largest health care data breaches, but it is not the first breach of a state agency system.  (And remember the Express Scripts ransom hacker case a little while back?)

Prevention

Data security and privacy protections applicable to PHI have been ratcheted up a couple notches this year with the Son of HIPAA provisions thrown into ARRA, the FTC Red Flags Rule and some parallel state rulemaking activity (see, e.g., Massachusetts data security rule). With all these recent changes, new comprehensive preemption analyses will have to be undertaken, but I'll offer a couple of observations: It is imperative that all health care providers and business associates undertake privacy and security audits of their current operations. This includes a review of policies and procedures (and the adoption of policies and procedures later this year by business associates, which were not required to have them in place pre-ARRA), to ensure compliance with HIPAA, Son of HIPAA, FTC Red Flags Rule (if applicable; it relates to businesses that extend credit, defined very broadly, and snaps into effect August 1, after a couple of delays), and state privacy laws. All policies and procedures need to be beefed up as appropriate. Hardware, software and wetware must be tested for compliance and must also be beefed up as needed. In my community, when faced with a computer problem, we always say: "Ask a teenager!" In addition to the usual trusted advisors, it might not hurt to spot-check security systems by challenging a reliable computer-savvy teenager (or twentysomething) to hack into a system.

Breach Notification

ARRA Sec. 13402 (p. 146) technically doesn't require a breach notification to be sent to affected folks in the Virginia matter because the regs aren't out yet (they're due out by August, effective 30 days later).  Guidance on what makes data unreadable by unauthorized folks has been released for public comment -- if Virginia made the data secure according to the definitions in this guidance, then its release would not be considered a breach, and would not trigger notification requirements.  These guidelines are something to consider in designing secure environments for data -- they address both data in use and data at rest, and incorporate by reference some NIST standards.  Adhering to the guidance not only has the PR benefit of allowing an entity to avoid having to make a breach notification, it could even help in preventing breaches in the first place.  It would be interesting to learn whether the Virginia data was protected in the manner called for in this guidance.

Whether or not a notice is required, careful consideration should be given to developing a communications plan for alerting patients to any breach, and to explaining what is being done to minimize the risk of similar (or dissimilar) breaches occurring in the future.  This may be a delicate dance (the folks in Virginia have been saying they can't comment because an FBI investigation is underway), but it seems to me that a criminal investigation does not need to bar any and all communications with patients and the public at large about the situation.

As the remaining ARRA rules come out and covered entities and others have a clearer roadmap before them, it will be imperative that they undertake the steps outlined above so that they can maintain compliance with these new requirements, ensure privacy and security of PHI, and stay out of the regulators' sights.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

April 21, 2009

HealthCamp Boston / SocialPharmer Boston Twitterstream via Cover It Live

HealthCamp Boston and SocialPharmer Boston are taking place today.  For those of you on site, please live tweet using hashtags #hcbos or #socpharm.  For those of you following along at home, please follow those hashtags in your reader of choice, or right here.  Separate windows are provided for #hcbos and #socpharm (each will have more than one thread, so mashing them together seemed too unwieldy).  The twitterstream will be archived here for future reference.  Information on audio and video archives will be available via the event website at some point in the future.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

April 20, 2009

HealthCamp Boston April 21 - Come join in the fun, or follow along at home

HealthCamp Boston and SocialPharmer Boston are happening tomorrow, April 21.  If you can't make it in person and would like to follow the events of the day, check back here at HealthBlawg for CoverItLive windows: one will be set to follow the #hcbos twitterstream, the other, the #socpharm stream.  If you are on twitter, use your reader of choice.  The tweets will be archived here for future reference.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

April 17, 2009

Draft guidance on rendering PHI unusable or indecipherable posted; comment period runs through May 21

The federales posted today, for a brief comment period, proposed guidance on how to render PHI unusable, unreadable or indecipherable to unauthorized individuals.  (This keys into the FTC's proposed interim breach notification rule, released yesterday, as well.) In addition to input on the technical specifications reproduced below, the agency is soliciting comments (as set forth further below) on a broad range of policy issues: not only rendering PHI unreadable, but also breach notification provisions generally.  The full notice is linked to from the page linked above, but here is the meat of the proposal:

B. Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals only if one or more of the following applies:

a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” and such confidential process or key that might enable decryption has not been breached. Encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.

i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
ii) Valid encryption processes for data in motion are those that comply with the requirements of Federal Information Processing Standards (FIPS) 140-2. These include, as appropriate, standards described in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are FIPS 140-2 validated.

b) The media on which the PHI is stored or recorded has been destroyed in one of the following ways:

i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.

III. Solicitation of Comments

A. Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

The Department is seeking comments on its guidance regarding the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals for purposes of section 13402(h)(2) of the Act. In particular, the Department is interested in receiving comments on the following:

1. Are there particular electronic media configurations that may render PHI unusable, unreadable, or indecipherable to unauthorized individuals, such as a fingerprint protected Universal Serial Bus (USB) drive, which are not sufficiently covered by the above and to which guidance should be specifically addressed?
2. With respect to paper PHI, are there additional methods the Department should consider for rendering the information unusable, unreadable, or indecipherable to unauthorized individuals?
3. Are there other methods generally the Department should consider for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals?
4. Are there circumstances under which the methods discussed above would fail to render information unusable, unreadable, or indecipherable to unauthorized individuals?
5. Does the risk of re-identification of a limited data set warrant its exclusion from the list of technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals? Can risk of re-identification be alleviated such that the creation of a limited data set could be added to this guidance?
6. In the event of a breach of protected health information in limited data set form, are there any administrative or legal concerns about the ability to comply with the breach notification requirements?
7. Should future guidance specify which off-the-shelf products, if any, meet the encryption standards identified in this guidance?

B. Breach Notification Provisions Generally

In addition to public comment on the guidance, the Department also requests comments concerning any other areas or issues pertinent to the development of its interim final regulations for breach notification. In particular, the Department is interested in comment in the following areas:

1. Based on experience in complying with state breach notification laws, are there any potential areas of conflict or other issues the Department should consider in promulgating the federal breach notification requirements?
2. Given current obligations under state breach notification laws, do covered entities or business associates anticipate having to send multiple notices to an individual upon discovery of a single breach? Are there circumstances in which the required federal notice would not also satisfy any notice obligations under the state law?
3. Considering the methodologies discussed in the guidance, are there any circumstances in which a covered entity or business associate would still be required to notify individuals under state laws of a breach of information that has been rendered secured based on federal requirements?
4. The Act’s definition of “breach” provides for a variety of exceptions. To what particular types of circumstances do entities anticipate these exceptions applying?

Comments will be accepted through May 21.
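To make the structure of the guidance concrete for those drafting incident-response procedures, here is an added example (my own illustration, not part of the HHS notice or of this post) that encodes the two safe-harbor paths in section B as a triage function: PHI counts as "secured" only if it was encrypted by a process the guidance lists and the key or confidential process was not itself breached, or if the media was destroyed by one of the listed methods. The `Incident` fields, the standard labels and the sample incidents are all constructed for illustration; the guidance itself names no such data model.

```python
"""Safe-harbor triage for a PHI security incident under the draft HHS guidance.

Added example, not the notice's or the post's own code. It encodes the two
paths in section B of the guidance:
  (a) electronic PHI encrypted by a listed NIST/FIPS process AND the key or
      confidential process was not breached, or
  (b) the media was destroyed by a listed method (shredding; NIST SP 800-88
      clear/purge/destroy).
Everything else is treated as unsecured PHI, i.e. a potential breach that
would trigger notification. Field names and samples are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Labels for the processes named in the guidance (constructed strings).
VALID_AT_REST = {"NIST SP 800-111"}
VALID_IN_MOTION = {"FIPS 140-2", "NIST SP 800-52", "NIST SP 800-77", "NIST SP 800-113"}
VALID_DESTRUCTION = {"shredded", "NIST SP 800-88 clear",
                     "NIST SP 800-88 purge", "NIST SP 800-88 destroy"}


@dataclass
class Incident:
    description: str
    state: str                         # "at_rest", "in_motion" or "hardcopy"
    encryption: Optional[str] = None   # process label, if the PHI was encrypted
    key_breached: bool = False         # was the key/confidential process also exposed?
    destruction: Optional[str] = None  # how the media was destroyed, if at all


def is_secured(inc: Incident) -> Tuple[bool, str]:
    """Return (secured, reason). secured=True means the guidance's safe harbor
    applies; False means treat the incident as a breach of unsecured PHI."""
    # Path (b): media destroyed so the PHI cannot be read or retrieved.
    if inc.destruction in VALID_DESTRUCTION:
        return True, f"media destroyed ({inc.destruction})"
    # Path (a): listed encryption process, and the key is still confidential.
    if inc.encryption:
        valid = {"at_rest": VALID_AT_REST, "in_motion": VALID_IN_MOTION}.get(inc.state, set())
        if inc.encryption not in valid:
            return False, f"{inc.encryption} is not a listed process for data {inc.state}"
        if inc.key_breached:
            # Encryption alone is not enough: the guidance requires that the
            # key or confidential process "has not been breached".
            return False, "encrypted, but the key or confidential process was breached"
        return True, f"encrypted per {inc.encryption}, key intact"
    return False, "PHI was neither encrypted per the guidance nor destroyed"


# Constructed sample incidents for a tabletop exercise.
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("laptop lost, full-disk encryption per SP 800-111", "at_rest",
             encryption="NIST SP 800-111"),
    Incident("laptop lost, passphrase taped to the lid", "at_rest",
             encryption="NIST SP 800-111", key_breached=True),
    Incident("unencrypted database export copied off a server", "at_rest"),
    Incident("backup tapes encrypted with a vendor's home-grown scheme", "at_rest",
             encryption="vendor proprietary"),
    Incident("records transmitted over TLS configured per SP 800-52", "in_motion",
             encryption="NIST SP 800-52"),
    Incident("paper charts shredded before disposal", "hardcopy",
             destruction="shredded"),
]


def triage_report(incidents: List[Incident] = SAMPLE_INCIDENTS) -> Dict[str, bool]:
    """Map each incident description to whether the safe harbor applies."""
    return {inc.description: is_secured(inc)[0] for inc in incidents}


if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        secured, reason = is_secured(inc)
        print(f"{'SECURED ' if secured else 'NOTIFY  '} {inc.description}: {reason}")
```

The second sample is the case practitioners most often get wrong: encryption that is itself sound does not secure the data if the key travelled with the device. The fourth illustrates that an unlisted, proprietary scheme does not qualify, which is the practical reason to build on FIPS 140-2 validated modules in the first place.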

David Harlow
The Harlow Group LLC
Health Care Law and Consulting
