Posts categorized "HIT"

July 15, 2009

Red Flags Rule: The FTC piles on, because HIPAA, ARRA and overlapping state laws just weren't enough

After a couple of delays, the FTC Red Flags Rule will be effective August 1, 2009.  This rule requires "creditors" under certain "covered accounts" to maintain a heightened alertness to numerous categories of "red flags" that may indicate that the consumer who is the rightful account holder is the victim of identity theft.  If a red flag is triggered, the creditor must take steps to notify the consumer and correct any inappropriate information included in the creditor's records.

As you probably already know, the FTC is extending its reach with this rule (among others) into the health care sector.  (Cf. the FTC's role in enforcing certain Son of HIPAA provisions.)  The AMA has all but dropped a draft complaint on the FTC's desk, citing assorted legal precedents in its correspondence with the FTC arguing that the Red Flags Rule should not apply to physician practices.  The FTC is unmoved -- except to the extent that it has been willing to delay the effective date twice (from November 2008 to May 2009 to August 2009).

At any rate, the August 1 effective date is around the corner, and affected health care entities need to develop and implement compliance plans now, if they haven't already.  (Even the AMA says so, and has published guidance and a sample policy for members.)

A few more general comments before stepping back and examining the language of the rule and its applicability to health care providers.

The federales are taking something of a common-sense approach here, recognizing that a compliance plan needs to be tailored to the specific entity, the nature of its "covered accounts" and its operations.  Bank of America, N.A. and Springfield Medical Associates, P.C. will have very different compliance plans, because their potential red flags and the potential risks are vastly different.

Affected health care providers need to understand that the Red Flag Rule requirements overlap with HIPAA and state privacy law requirements (and looming Son of HIPAA requirements in ARRA), but will not be satisfied by implementation of existing privacy policies and compliance plans.  Review of the intersection of existing policies and procedures with the new rule's requirements is the first order of business.

As with any other new regulatory scheme, preparing a compliance plan and putting it on the shelf won't cut it.  The rule calls for regular monitoring, by a senior manager, of the plan and of the issues that arise under it.  Furthermore, best practices would dictate the training of staff to deal with individual issues and, most importantly, with the affected consumers.

Even if not clearly subject to the Red Flags Rule, providers should undertake to comply, for a couple of interrelated reasons:

  • Good patient PR.  Data security is top of mind these days.  Much of the effort required under the rule should be expended anyway simply to respond to market pressures calling for improved data security.
  • Potential liability.  The creative trial attorney will seek to use the Red Flags Rule as establishing a standard of care for the stewardship of personal information.  The incensed jury will go along.  The health care provider caught in the middle between thieves and victims may be the only perceived deep pocket available.

OK, so what is a "creditor" and what is a "covered account?"

Any entity that accepts payment other than payment in full at the time of service is a creditor.  Health care providers that go the cash-on-the-barrelhead route aren't creditors; all others are creditors.

The FTC Guide defines covered accounts as follows: either

  • a consumer account you offer your customers that’s primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions; or
  • any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks. Examples include small business accounts, sole proprietorship accounts, or single transaction consumer accounts that may be vulnerable to identity theft. Unlike consumer accounts designed to permit multiple payments or transactions – they always are “covered accounts” under the Rule – other types of accounts are “covered accounts” only if the risk of identity theft is reasonably foreseeable.

Any creditor with covered accounts must have a red flags rule compliance plan in place with policies and procedures for dealing with "red flags" -- i.e., signs that personal information may have been compromised.  The World Privacy Forum suggests that the following red flags are the ones most applicable in the health care context:

• A complaint or question from a patient based on the patient’s receipt of:
   o a bill for another individual
   o a bill for a product or service that the patient denies receiving
   o a bill from a health care provider that the patient never patronized or
   o a notice of insurance benefits (or Explanation of Benefits) for health services never received.
• Records showing medical treatment that is inconsistent with a physical examination or with a medical history as reported by the patient.
• A complaint or question from a patient about the receipt of a collection notice from a bill collector.
• A patient or insurance company report that coverage for legitimate hospital stays is denied because insurance benefits have been depleted or a lifetime cap has been reached.
• A complaint or question from a patient about information added to a credit report by a health care provider or insurer.
• A dispute of a bill by a patient who claims to be the victim of any type of identity theft.
• A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance.
• A notice or inquiry from an insurance fraud investigator for a private insurance company or a law enforcement agency.

If a situation is flagged, a creditor must take steps to mitigate the risk of identity theft or continued identity theft.  Again, the World Privacy Forum notes:

There need to be uniform but appropriately flexible answers to these questions:

  • What do we do when a patient claims fraud is in their files?
  • What do we do when a patient says the bills are for services she did not receive?
  • What do we do for patients and other impacted victims when we uncover a fraudulent operation?
  • When we have a real case of medical identity theft, how can we work with patients to fix the records and limit future damages?
  • What do we do when a provider has altered the patient records?
  • How do we handle police reports and requests for investigation from victims?

The answers to these questions need to be viewed not just from the provider’s perspective, but also from the victim’s perspective, which can differ substantially.

There are a number of useful resources available for health care providers seeking to take stock of their situation, establish Red Flags Rule compliance policies and procedures, and undertake staff training on the subject.  For example, the FTC, the AMA and the World Privacy Forum have all released valuable guidance documents (all linked to above) that would assist any organization with coming into compliance. 

As with any effort of this sort, it is often valuable to have someone outside the organization come in to review existing policies, procedures and workflow in order to highlight potential risks and opportunities for improvement.  The HealthBlawger and members of the HealthBlawger's virtual consulting network are available to come in and assess, plan and help implement compliance strategies for organizations large and small touched by the Red Flags Rule.

Whatever the size or nature of your business, please take a moment to consider how the Red Flags Rule may apply to its operations, and how it may relate to other regulatory schemes such as HIPAA and state laws.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

July 13, 2009

Marc Rodwin, Suffolk University law professor, speaks with David Harlow about his proposal for public ownership of health data published in JAMA

I spoke with Marc Rodwin last week about his proposal that there should be public ownership of all de-identified health record data, to guarantee the availability of complete data in improving public health and advancing evidence-based medicine: goals of the Obama Administration articulated as part of the rationale for expanding the use of EHRs and promoting that expansion through unprecedented grants to providers for meaningful use of certified EHRs.  Professor Rodwin is on the faculty of the Suffolk University Law School; his piece on public ownership of health record data was published in JAMA earlier this month.

The audio file of my interview with Marc Rodwin (about 20 minutes long) is available for download/podcast.  A full transcript is at the end of this post (and in the linked transcript here).


Rodwin's proposal, which would require legislative action, runs near the Declaration of Health Data Rights, which asserts individuals' control over their own health data.  The two initiatives should not be mutually exclusive.


Rodwin notes that in the current flurry of health care legislative activity it's more likely that data mining firms will get legislative protection for the status quo than that public ownership of health data will be recognized.  The resulting fragmentation of control of, and access to, health data would undercut the value of the pending investment in health data infrastructure in this country.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting


HealthBlawg Interview of Prof. Marc Rodwin, JD, PhD, Suffolk University Law School
July 7, 2009

David Harlow:  Hello. This is David Harlow on HealthBlawg and I have with me today Marc Rodwin, Professor at the Suffolk University Law School in Boston, who has a piece published in the current issue of JAMA, the Journal of the American Medical Association, regarding the case for public ownership of patient data. Good afternoon Marc.

Marc Rodwin:  Good afternoon, David. Nice to speak with you.

David Harlow:  Thank you for being with us. The case that you make is a compelling one and I wonder if you could lay it out in brief for our listeners and readers.

Marc Rodwin:  Sure, maybe I should give a little background.

David Harlow:  Thank you.

Marc Rodwin:  There is a new emerging market in patient data -- de-identified or anonymized data, aggregate data -- and it’s growing particularly because of the move to electronic medical records.  The significance of this is that it will now be much easier to do all sorts of analysis of public health, of marketing trends, of valuation of healthcare systems, of hospitals, epidemiological research and so it’s a very valuable development.

David Harlow:  Yes and that’s part of the background for the push to add electronic medical records to our healthcare system.

Marc Rodwin:  Right, but what hasn’t been discussed very much – it’s been overshadowed by the talk of confidentiality issues or technology or making this happen – is how to make this work for the public and for private parties too, and the main question that’s been ignored is who owns this data, who should own it and what is the consequence of the law on ownership in this area and in fact there is an area of great uncertainty because the law has really been established to decide ownership of medical records, tangible property in the past and there, there is a pretty clear resolution of records pretty much in most states owned by providers but patients have access to the records and their limits on provider use of it for confidentiality.  But with electronic data you don’t necessarily have exclusive ownership and it’s not really clear what its status is. There are a few parameters so it’s pretty clear from what's been said so far that this is not something that the law would normally allow to be copyrighted or patented because it doesn’t involve (the raw data on patients) creativity and it’s not an invention but there is some referring to data that comes from a billing record or a patient record something that’s been produced there and in that sense it’s not protected.  On the other hand, what has happened so far is people who have been selling the data they have both for-profit firms, not-for-profit hospitals, insurance companies and they have often used contracts in selling it to restrict others from using it and they have put the data in -.

David Harlow:  Just to be clear we are talking about aggregated de-identified data for the most part.

Marc Rodwin:  Yes, absolutely, I thought I said that up front. So there is an effort to really make this a private property and there have actually been some people out there in the policy world suggesting that it should be private, not public: The Heritage Foundation in a brief a while ago said that government shouldn’t have any privileged access and so they have to buy it and other groups that have looked at it have said don’t think about ownership, just about access. But if there isn’t some provision set up to make it public, publicly available, then it’s going to be treated quite possibly as private property and that’s going to create problems most with the public and for private development is my argument.  Now for the public the problem is this: if individual insurance companies and hospitals have a right to own the data, they can restrict who uses it and they can not make it available, they can sell it only on terms that they want, and even if it’s made sellable to public health authorities it may be simply too expensive to get.  The problem is larger than you might think, because the value of this data is particularly if you have a comprehensive database; so fracturing it into parts owned by lots of different entities makes it much harder to collect together and to use, and even the transaction cost -- if you have the money -- would impede use, so that would really limit many of the public health and research functions of it. We have seen this happen in other areas there has been some discussion of patenting genes, Lori Andrews and others have written about that and there is actually an economic literature that discusses what's called “the tragedy of the anti-commons” and the basic idea is that if you allow private ownership but such that the values are really downstream it becomes very hard for private owners to collect them together and get the beneficial uses.
That’s what I am saying is going to occur here and why I recommend that there be a mandate to have reporting of certain aggregate data to say HHS or a new government entity and that that data then be made available to the public.  Now there actually are some precedents for that in limited ways: California requires hospital discharge data to be reported for all hospitals, Medicare requires all hospitals to report certain cost data -- so this is not a totally new approach or a radical approach. The other thing that is important to know is making this publicly available doesn’t impede commercialization of sorts, it just makes a better market for it because once that’s public you can have different firms take the data, analyze it and put it into software in different ways, do all the kind of things that make it valuable and usable, the only thing that happens when it's public is you prevent these parties that analyze the data from having a monopoly and applying and kind of having that tie in with the data ownership in their analysis.

David Harlow:  So whatever the value they add in terms of analysis would be added in, and you create a market for that sort of analysis.

Marc Rodwin:  Sure so if Harlow and Rodwin Associates does very good graphics on the data and puts it into a usable friendly format, we could sell that.  But given that the data is out there and others could do it we wouldn’t be able to sell it with a monopoly profit based on our having the data or on having an inferior product that no one else could compete with.  Someone else down the street, Tom Jones, could say I can do that even better, or sell it with different unit pricing and make it and compete with you so you can actually have two or three folks developing the analysis and delivery in certain ways and none would be able to require that you only go to them for their services because you have to buy the services with the data.  So I can say a bit more, but why don’t I let you ask some questions.

David Harlow:  What I was going to ask next is: Would you see the sort of protection of rights or protection of the usability of this data, as something that could fit in with the framework for meaningful use that’s been articulated under the Recovery Act?

Marc Rodwin:  Well I don’t think it’s been sufficiently articulated yet and I think it’s yet to be articulated with regulation.

David Harlow:  There is a draft definition or working definition if you will out there for comment and I guess one of the ways that’s being framed is: What are the health outcomes or policy priorities that are going to be advanced by a definition of meaningful use and you have articulated a very important one which is the use of all of this data for population-based, evidence-based healthcare.

Marc Rodwin:  Yes, we will see what comes out in the regulations and how they develop, but what I am suggesting is a broadest possible definition, possible and that would require that it all be made available and what worries me is that “meaningful use” might significantly restrict it in different ways and the approach I am taking is that it’s all reported and made -- through a government entity -- available to everybody who wants to use it once it’s protected, and that would preclude anyone not making something available or making it available later or on less favorable terms and for broader than just population data, conceivably. While I am very interested in the public health uses, it would be also usable for a subpopulation, for the Boston area population or for studying of one hospital system or one HMO.

David Harlow:  Or for a particular disease.

Marc Rodwin:  That’s right and so I think there is a value to having some mandatory reporting which will certainly get the data out there in a way that’s saying the data has to be made available to those who request it or  in certain circumstances that puts the cost of collecting it elsewhere. Right now we have done this with Medicaid data in California and there are certain times you just have to report certain things and maybe there should be some compensation for that but basically we are talking about people reporting things that they already have and do report to others so if you have to turnover information already for billing or for Medicare cost data and the like, we are not talking about a lot more burden to make that same data available more broadly.

David Harlow:  Now in this piece you have highlighted the fact that some data sellers will draft agreements that limit buyers of the data from further disseminating that information and I guess the question I would have on that front is whether you are aware of lawsuits or decisions that have addressed the enforceability of those agreements?  Take the case that the work that’s done in manipulating that data doesn’t really create something that's copyrightable. So the question is can the seller really enforce an agreement that requires someone to not disseminate that information further?

Marc Rodwin:  Right, well I am not aware of decisions that have ruled on it but there is a difference between the copyrightability and enforceability of a contract.  It could be, I assume, the evidence I have, it’s not copyrightable. A breach of copyright would mean someone could claim a copyright infringement for use and you have the remedies there, a breach of contract is a different matter and even if they can't copyright the data they might be able to, under the terms of the contract, have contract remedies.  It’s also quite possible that simply having that clause in contracts is going to chill and limit what different people do with their data and limit access there, and in addition what I have been reading about and told is that people are trying to put this data into software in ways to limit its access. But the tension is basically here: if the data really is available publicly, you are going to have less of a primary market in people buying it from others without the analysis and the fact is if you want to buy certain data now there are known sellers and they can deliver a database and certain kind of databases and there really aren’t a lot of alternatives at this point.

David Harlow:  Right, so you are talking about encouraging a much more robust secondary use of the data.

Marc Rodwin:  Yes, that’s what I think would be beneficial.

David Harlow:  Now, do you see patient rights activists as being opposed to this sort of approach?

Marc Rodwin:  Well you know it doesn’t fit into standard categories and I think a lot of people’s initial reaction is that you don’t want something public -- with the idea that it’s safer when it’s private, in the sense that it’s confidential.  But I think that misconstrues what's going on, because public doesn’t mean that it’s not protected in terms of confidentiality, nor does not public or private mean that it is.  In fact there are, of course, risks any time there is data available, whether it’s publicly available or private, on a private market, that there will be a breach of confidentiality.  If the data is not properly coded or if it’s broken down in certain ways and there’s other information you can combine with it, you might be able to then identify patient information, but my point is that that’s equally a problem if there is a private market where you can buy this data, where firms have exclusive ownership interests in the data and in a situation where it’s available through a government entity like HHS.  So it hasn’t really been broached; as far as I know much of the public and patient rights groups haven’t been talking about this so far, they have been talking about privacy as a separate issue.

David Harlow:  So we are talking about privacy and control of health records and I was getting at the question of whether you think some folks would see this putting of records into public hands as a concern when some patient advocacy groups who prefer to see rate of patient control of records.

Marc Rodwin:  Right, there are some people out there that talk about patients owning the data: that’s a proposal, that’s not what current law is and the current situation is that even if you would like patients to own data and stop others from doing anything with it that’s not happening now, and the law is not allowing it. And it’s not the public access that’s the problem; if there is a problem it’s private firms appropriating it without consulting them and without any oversight, and I think to the extent that this is made public it’s going to have to be done through a statute that will design what the limits are and the uses in confidentiality in a way that they can guarantee much more safety for patients than currently exists.

David Harlow:  Do you think that the current legislative debate on healthcare reform provides a vehicle for such a statute?

Marc Rodwin:  Well, it provides a vehicle for doing it but it’s not what's the focus of most people’s attention so it’s unlikely to. At this point the center of the debate in the editorials in the press and the like is elsewhere. It may well be that when there is, if there is, a major bill in Congress someone there will slip in something that relates to this but it’s not an issue that’s been debated at all, and that’s a little bit worrisome, because I think there is a significant chance that some groups that are doing well with the current situation will try to put in some kind of legislation to do the opposite: to make it private, to not allow public access, and since a lot of the public is not aware of this issue yet they won’t see what's happening and they won’t be able to prevent that.

David Harlow:  All right -- so that could be a surprise. Well hopefully we don’t get a surprise like that. I appreciate very much you taking the time to discuss this issue with me, it is an interesting topic and a very interesting proposal, a valuable proposal and perhaps that can get some traction of the current environment as we are discussing this.

Marc Rodwin:  Well wherever you come out on it, it’s worth thinking about, it’s a major policy issue, it’s opening up, it’s new and it will make a big difference.

David Harlow:  Yes, well, Professor Marc Rodwin, thank you very much for taking the time with HealthBlawg today, I appreciate your thoughts and your insights and thank you again for being with us.

Marc Rodwin:  It’s my pleasure; thank you.

June 25, 2009

David Harlow and John Moore talk with Gregg Masters about HITECH Act, Certified EHRs and Meaningful Use on Blog Talk Radio

John Moore and I spoke with Gregg Masters on Blog Talk Radio today about the HITECH Act provisions in ARRA, certification of electronic health records systems, and the meaning of "meaningful use."

The Meaningful Use "matrix," which lays out the five-year plan with care goals, objectives and measures across five health outcomes policy priorities, is available on the Health IT at HHS website. Those policy priorities:

  1. Improve quality, safety, efficiency and reduce health disparities
  2. Engage patients and families
  3. Improve care coordination
  4. Improve population and public health
  5. Ensure adequate privacy and security protections for personal health information

The alphabet soup of government workgroups is working fast to firm up these and other definitions, which will help break up the logjam in EHR investment and implementation.

Have a listen and let us know what you think.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

June 24, 2009

A Declaration of Health Data Rights: Can't argue with it, but it's only a first step

I'm joining the party a day or two late, and am supporting:

A Declaration of Health Data Rights

In an era when technology allows personal health information to be more easily stored, updated, accessed and exchanged, the following rights should be self-evident and inalienable. We the people:
  • Have the right to our own health data
  • Have the right to know the source of each health data element
  • Have the right to take possession of a complete copy of our individual health data, without delay, at minimal or no cost; if data exist in computable form, they must be made available in that form
  • Have the right to share our health data with others as we see fit
These principles express basic human rights as well as essential elements of health care that is participatory, appropriate and in the interests of each patient. No law or policy should abridge these rights.

So, my first reaction: This is obvious stuff, right?  Say what you will about The People's Republic of Massachusetts, local law requires prompt provision of medical records to patients at nominal cost, and in the vast majority of cases, the rules are followed and everyone's happy.  In my own little world here in Boston, MA, The Hub of the Universe, I've never had a problem getting health data -- or pathology slides, or anything else -- released to me or shared with other clinicians when needed.  But, then, I suppose I'm an outlier: my physician is part of a totally wired multispecialty group practice, which has been wired for years and years; and I'm both an industry guy and a lawyer, so I know how to speak up when I need something, and perhaps folks are more apt to listen.  (Reminds me of the semi-apocryphal story of a classmate of mine who saw the "law student" stamp across the top of his medical chart at Mass. General years ago.)

Upon reflection, I realized that not everyone -- whether in Massachusetts or elsewhere -- has the same ease of access, and while the declaration is sort of a no-brainer, it is important to put it out there, and I'm happy to join the folks who got this thing going, including Adam Bosworth, David Kibbe, Jamie Heywood and Gilles Frydman (forgive me for leaving other names off this short list).  I discussed the Declaration with Gilles Frydman, who agreed that it is just a first step, but a critically important one to take while the national dialogue is focused on electronic health records.

Additional steps down the path will have to include other common-sense guarantees that are already enacted into law here and there, including guarantees concerning the rights of patients to obtain test results through their physicians or otherwise, the ability of patients to correct errors in their records (so we don't have easily-accessible garbage), as well as easy access to interoperable electronic health records and non-tethered personal health records.

There are good reasons why some physician notes in some patient records should not be shared with patients or family members (a subject for another day), but this Declaration is focused on data -- not free-text notes -- so those notes would not be covered.

What other rights along these lines would you like to see guaranteed?

Update 6/27/09:  Many supporters have signed onto the Declaration.  One notable exception: Jen McCabe, who was in on some early drafts, but feels strongly that the darn thing doesn't go far enough.  Jen has blogged about her thoughts on the subject and has laid out her own more comprehensive patients' healthcare information rights manifesto.

I agree with Jen's sense that the Declaration is a first step, a baby step, and that there's a lot farther to go.  However, I see this first step less as a near-futile gesture, and more as a real first step, a way to get the conversation moving at a time when it can converge meaningfully with parallel conversations about implementation of ARRA / HITECH Act / Son of HIPAA provisions.  As the old saying goes: A journey of 1,000 miles begins with one step.

Here's what I would like to see providers who are prepared to sign onto the Declaration do as a next step: Without waiting for government action, initiate a campaign to amend their HIPAA Notice of Privacy Practices (NPP) (perhaps now, perhaps as part of the NPP amendment that will have to be rolled out once the Son of HIPAA regs are finalized by next February) to incorporate into a standard form contract that binds the providers the next steps that Jen calls for now and that most, if not all, endorsers of the Declaration would also agree are necessary and important.  This simple yet far-reaching step would have a greater impact than an endorsement by a provider organization.  These should include guarantees of the "common sense" rights articulated above as well as the following patient rights:

  • The right to correct erroneous data -- and a mechanism for noting disagreements with clinicians
  • The right to control access to data -- access for all purposes: care, payment, secondary use (including clinical research and marketing)

In the past, non-standard NPPs were drafted and distributed by patient advocacy groups for patients to use and add to their providers' NPP forms.  However, patient-specific NPPs are unadministrable.  In order for this to work, there needs to be adoption from the provider side, either as a result of new regulation, or as the result of a populist follow-on to the Declaration.

As I wrote above: Please join in; what other rights would you like to see guaranteed as part of the Declaration?  What are your thoughts on this approach?

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

June 15, 2009

#hcsm means Healthcare Communications and Social Media: Last night's legal edition was fast and furious

Tom Stitt and Dana Lewis host a weekly "tweetchat" on healthcare communications and social media, known as healthsocmed or hcsm.  Last night, Daniel Goldman, legal counsel at The Mayo Clinic, aka @danielg280, and I, aka @healthblawg, were lawyers-on-the-spot for a special legal edition.  There were interesting questions raised regarding social media, patients, providers, privacy, HIPAA, and lots more.  There were innumerable cross-conversations going on.  One participant noted later that over 900 tweets had been posted in the #hcsm tweetstream in the hour or so allotted (about twice the usual volume), which made it impossible to follow all of them in real time, unfortunately.  I had the chance to look over the stream afterwards, and offer some follow-up responses to questions not fully answered during the session. 

@HITshrink posted some organized excerpts from the stream on his blog; check them out for a more orderly taste of the experience.

Kudos to Tom and Dana for making this happen.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

June 12, 2009

Peter Neupert and the latest on Microsoft HealthVault

I had the opportunity to speak with Microsoft SVP Peter Neupert today, on a conference call with a few other health care bloggers.  He was wrapping up the Microsoft connected health conference (check out the tweetstream at #msftchc), which this year brought the HealthVault developers and Amalga users together for the first time, and he seemed jazzed about the synergies.

Neupert described himself as a "technology optimist," and described Microsoft's current phase of activity as "putting technology pillars in place" so that folks can build applications on the HealthVault open platform.  He acknowledged the difficulties in getting providers and patients to jump aboard, however, noting that physicians have concerns about the reliability of patient-entered data (which communication-enabled devices can now upload automatically) and patients have a variety of concerns about uploading personal health information online.

One of the panels at the conference included David Kibbe discussing the need for modular EHRs for small physician practices.  In response to a question, Neupert described some of his efforts together with the Markle Foundation to articulate a framework for "meaningful use" that would be more focused on outcomes than on the technology itself.  I've discussed before the problems of certification through a set of standards promoted by current market leaders -- it could stifle innovation and limit availability of tools appropriate for a variety of practice settings.  Neupert recounted an experience in California a number of years ago where promotion of e-prescribing by giving away computers and software to physicians resulted in only minimal adoption.  Adoption by physicians will occur if the tools are useful and can adapt to physician workflow, or if the case can be made that workflow ought to change.  Cleveland Clinic and Kaiser Permanente pilot projects have been exploring this issue.

Other issues raised included mHealth, to which Neupert responded that the HealthVault platform is device-agnostic, and that mobile developers were represented at the conference, and HIPAA concerns as a potential barrier to provider and patient adoption.  Neupert joked, "I've never heard of HIPAA; I don't know what that means."  He then noted that the HIPAA conversation comes at different points in the dialogue, depending on whether the dialogue is with providers (comes earlier) or patients (comes later).

Bottom line: It's early yet, folks, but HealthVault has significant promise as an open platform for health care records and their many uses.  We'll see how long it takes to realize that potential.

Update 6/25/09: Archived presentations and videos from the 2009 Connected Health Conference are now available online.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

June 11, 2009

Blog Talk Radio: David Harlow featured in health care reform discussion on Gregg Masters' Net Health Reform

I had the pleasure of discussing the current crop of health care reform policy options with Gregg Masters and a number of callers today on Blog Talk Radio.  The hour-long show is available for your listening pleasure here (streaming or download).  Please let me know if you like the content and/or format.  Gregg (aka @2healthguru on twitter, where we first met) and I plan to produce future shows and are interested in your comments and suggestions on focused topics for discussion.

Thanks for listening and for your feedback.

For further reading, some of the materials we discussed include the three Senate Finance Committee policy options reports and related materials, Obama's letter to Senate Democrats, his radio/internet address from last weekend, Senator Kennedy's draft Affordable Health Choices Act, and the Tri-Committee draft released by the House Committees on Ways and Means, Energy and Commerce and Education and Labor.  There are a number of milestones on the march through committees and to the floors of both chambers, and on to the President's desk in October/November.  And finally, a useful tool for those of you keeping score at home is the Kaiser Family Foundation health reform proposal comparison.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

June 02, 2009

Grand Rounds Vol. 5, No. 37: The June Is Bustin' Out All Over Edition

June is bustin' out all over . . . .  Lord knows my nose knows it, thanks to all the pollen in the air these days.  Check out the classic movie rendition of this set piece (well worth the eight-minute investment), let your coffee and/or antihistamines kick in, and then let's dive into the past week's medblogging, loosely categorized into insights of patient bloggers, provider bloggers, bloggers I've met in real life (the number keeps growing), bloggers following the money trail through the health care thicket, and bloggers who are or should be dancing and/or shirtless (watch the whole movie clip . . . on second thought, let's leave it at dancing).


Last time I hosted Grand Rounds, we delved into the origins of Valentine's Day, so even though we're a couple weeks shy of the summer solstice, since June is bustin' out all over, the historian in me feels the need to touch on an ur-Spring nugget or two before we get going.  Where do these celebrations of Spring come from?

Attis was a Phrygian god, whose annual death and resurrection were mourned and celebrated at a Spring festival.  (On the other hand, the death and rebirth of the Sumerian Tammuz was a summer solstice thing rather than a vernal equinox thing.)  James Frazer, in The Golden Bough, wrote:

The annual death and revival of vegetation is a conception which readily presents itself to men in every stage of savagery and civilisation: and the vastness of the scale on which this ever-recurring decay and regeneration takes place, together with man's most intimate dependence on it for subsistence, combine to render it the most impressive annual occurrence in nature, at least within the temperate zones. It is no wonder that a phenomenon so important, so striking, and so universal should, by suggesting similar ideas, have given rise to similar rites in many lands.

What I best remember from The Golden Bough, though, is the tale of the king-for-a-year, who ascends the throne as a result of a cultic regicide, and ends his term the same way.  Great stuff.

For further reading linking The Golden Bough, The Holy Grail, Wagner's Parsifal, and T.S. Eliot's The Waste Land, check out Derrick Everett's article on The Waste Land.

I'm not certain that Rodgers and Hammerstein had these themes in mind when writing Carousel.  Heck, who knows what they had in mind; they threw in a happy ending that wasn't in their source material (but hey, that's show business).  You, dear reader, certainly didn't have these themes in mind when you tuned in to today's edition of Grand Rounds.  Nevertheless, on with today's show.

Provider Bloggers

At Musings of a Distractible Mind, Dr. Rob discusses Atul Gawande's recent New Yorker piece on health care cost variations across the country (a good read, well worth the time), which focuses on McAllen, TX, a small border town that consumes far more than the average annual per capita amount of health care services.  Gawande loops in the Dartmouth Health Atlas folks, asks the hard questions about physician-owned facilities and financial incentives, and concludes that outfits like Geisinger, Intermountain, Kaiser Permanente and Mayo -- not-for-profit integrated delivery systems with salaried docs -- have the model we should strive to emulate systemwide.  Dr. Rob recounts his own experience with physician-owned facilities.  His conclusion is a folksy twist on Gawande's:

How do we fix it?  There are lots of good answers, and lots of dumb ones as well.  The bottom line is the bottom line, though.  How you pay docs will determine what happens.  It’s America, after all.  It’s what makes us great.  Right?

Right.  The thing is, guys, we've known this for at least forty years.

ACP Hospitalist reports on Sid Wolfe's new Public Citizen campaign to get hospitals to step up reporting of physician wrongdoing.  Bob Wachter, at Wachter's World, delves deeper into the problem, and says:

I’m proud to say that over the past five years, my hospital (UCSF Medical Center) has taken Leape’s challenge to heart, withdrawing clinical privileges (and filing accompanying NPDB reports) in several cases for behavior that, I’m quite confident, would have been tolerated a decade ago. This is progress. As Kissinger once said, “weakness is provocative.” As more hospitals take this tougher stance, I think we’ll see the boundaries of acceptable behavior shift everywhere. And patients will be safer for it.

Bongi, at other things amanzi, recalls a suboptimal experience in his training, when the "see one, do one, teach one" approach was reduced to "read an article about one, do one immediately afterwards."

At Providentia, Romeo Vitelli looks at the historical precursors to Jenny McCarthy and the current crop of anti-vaccinationists. 

Ken Cohn, a physician and consultant (who I know in real life [IRL]), recounts a (positive) experience in asking health care administrators to consider ethics in physician-hospital relationships.

I take a baby aspirin a day, and Doc Gurley says I should keep on doing so, because I'm better off puking up blood than having a heart attack.

Seizures and how they have been misunderstood (epilepsy vs. demonic possession) is the subject of this week's selection from Mind, Soul and Body.

Suddenly becoming a first responder at 35,000 feet? On Your Meds' Barbara Olson takes you there.  (The blog is part of Medscape, so free registration is required).

NurseAusmed recounts difficulties in handling patient communications and managing patient expectations at Nursing Handover.

How to Cope With Pain takes a page from a book offering guidance to those who have lost their spiritual way and turns the advice to use for those facing physical, rather than spiritual, pain.

Web 2.0 meets the health care establishment, and KevinMD [IRL] observes that since health care is largely a business, this should not be surprising.  For a window into social media use by health care provider organizations, check out healthsocmed.

The anonymous author of Notes of an Anesthesoboist says it's hard for women doctors to make friends . . . perhaps they should introduce themselves as drug pushers instead?

John Crippen wants to, but the NHS Blog Doctor just can't look away from the kids pushed onto TV talent shows by 21st century stage mothers.

Paul Levy [IRL] goes another round with SEIU Local 1199 at Running a Hospital.

At UDM Solutions, David Siwicki provides a clinical perspective on deciding whether to prescribe opioids for chronic pain patients who use marijuana.

Nancy Brown offers sound advice on talking to teens about alcohol at Healthline's Teen Health 411.

Follow the Money

DrRich, at the Covert Rationing Blog, always follows the money, and this week the trail leads to the following unlikely destination: the American College of Surgeons encouraging malpractice suits -- against overseas surgeons offering services to medical tourists.

Big Pharma also always follows the money, and David Williams, at the Health Business Blog, remains perplexed over Pharma's failure to engage with the public via twitter.  (GSK has already responded to David's post, but in a way that doesn't exactly undercut his point.)  For a window into Pharma's engagement with social media, look no further than Shwen Gwee, who organized the Social Pharmer unconference in conjunction with the HealthCamp Boston unconference I co-organized in late April.  Speaking of social media, feel free to follow me on twitter: @healthblawg.  

Last week, I took a look at the proposed Medicare Inpatient Prospective Payment System (IPPS) updates for FFY 2010.  Among other things in the rule (including payments cut to the bone), I was surprised to see tucked away in there a tacit acknowledgement that the whole "no pay for never events" thing isn't really saving anybody that much money.

Lots of hospitals are touting new private rooms these days.  Seems to help patient care (lower infection rates, better sleep, more privacy), but despite the benefits, Jeffrey Seguritan at nuts for healthcare observes that the private room is being pushed by the AIA, and wonders whether health care dollars really ought to be spent these days on capital projects such as these.  (My brief response: these days, they really aren't, given the tight financial markets).

In a medblogosphere first, The Happy Hospitalist has publicly described an entry in the $10 million X Prize competition:

How do you [reduce health care costs dramatically]?  Here's my theory.  You can do more to affect health care costs by getting 10,000 people to change their lifestyle habits than you can by getting a few hundred docs to change how they document and collect data and prescribe some pills.

So here's what you do.  You bribe the public.  People are inherently lazy, but they respond well to piles of money.

For a fuller introduction to the X Prize competition: Scott Shreve [IRL] posted his twitterview on the X Prize with Bertalan Mesko (@berci) at Crossover Health.  Learn more about it there.

The big HITECH Act pot of money that everyone in health IT is itching to get their hands on is going to have some strings attached: chief among them are going to be definitions of "meaningful use" and "certified EHR."  Them that are likely to be certifying -- CCHIT -- have been the target of some possibly well-deserved pot-shots, and the gloves have come off.  See Gilles Frydman's [almost met IRL at the Health 2.0 conference in Boston a month or so ago] framing of the debate at e-patients.net and John Moore's [IRL] take at Chilmark Research.  

Health technology research and development yielded two bits of news this week: FDA approval of a handheld ultrasound unit, via Vijay Sadasivam's scan man's notes, and Ves Dimov's post at Clinical Cases and Images on the Rovio, a WiFi-enabled mobile webcam, which may be more attractive to medical users given the recent study that found patient satisfaction, physician satisfaction and diagnostic agreement (measured both between face-to-face and virtual visits, and between two face-to-face visits) to be similar for face-to-face and virtual visits.  (Yesterday's Boston Globe took a closer look at this study, virtual visits in general, and American Well in particular.)

The health IT crowd is working on interoperability and portability of health information.  Google Health is one of the platforms that may enable folks to reach this holy grail.  Brian Dolan at mobihealthnews says that Google Wave, an open-source tool for communication and collaboration, looks like a killer tool for enabling Google Health to do more in terms of provider-provider and patient-provider collaboration.

Evan Falchuk's observation at See First on prevention: it ain't cheap; treatment of preventable disease is more expensive than the savings from avoided disease and complications, so we need to be talking about more than cost-effectiveness.  [Supposed to meet IRL soon.]

Patient Bloggers

For some reason, diabetics are very well-represented among Grand Rounds' usual suspects.  This week, they're turning into media critics as well, following President Obama's nomination of Sonia Sotomayor to the Supremes.  Amy Tenderich [who I also almost met IRL at Health 2.0] touched on the media frenzy regarding the nominee's Type 1 diabetes at The Diabetes Mine, as did Six Until Me's Kerri Morrone Sparling.  Not to leave Type 2 diabetes unattended, Rachel Baumgartel offers tips for the newly diagnosed Type 2 diabetic at Diabetes Daily.  (For those who care to immerse themselves in The Politics of the Sotomayor Nomination, the good folks at SCOTUSblog say come on in, the water is fine.)  For a taste of the difficulties faced by some diabetics traveling through airports with needles and curious liquids, head on over to Tim Brown's post at Shoot Up or Put Up.

At Getting Closer to Myself, Leslie offers her reflections as a twentysomething with auto-immune disease, specifically a feeling of how she can't go home again to an idealized summer retreat.

Barbara Kivowitz describes a good day at In Sickness and In Health, and invites all of us to do the same.

Bloggers Who Are or Should Be Dancing

Val Jones [IRL] is pretty pleased with her high-deductible health plan (HDHP) - cash-only PCP combo.  I hope her husband is dancing after the office procedure scheduled on a dime last weekend . . . and I hope Dr. Val has all the releases for those photos stashed away somewhere.  It's a good solution for those with no chronic conditions, young kids, or other sources of regular interactions with the medical-industrial complex.  And no less a luminary than Clay Christensen says we're 5-6 years away from the tipping point (to mix metaphors) on HSA/HDHP combos, at which time we're likely to see a significant change in the economics of healthcare (with or without significant movement in DC).  For one example of where this may play out, see my recent post on retail health clinics.

No dancing for you if you're susceptible to one of the side effects of Cipro and its relatives (fluoroquinolones): tendon rupture.  There's a black-box warning regarding this, but many clinicians and patients are unaware, says Paul Auerbach at Healthline's Medicine for the Outdoors.

InsureBlog's Bob Vineyard shares good news for Cuba's pre-op transsexual population: coverage is here.  Surely cause for someone (patients, if not bloggers) to dance.

Well, that's the last dance . . . for this week.  See you around the medblogosphere, and next week at the next edition of Grand Rounds.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

May 06, 2009

The Virginia prescription record security breach: The big picture, and using this case as a learning experience

The Virginia Department of Health Professions is having a bad week. Apparently, a hacker downloaded personal health information of eight million individuals, including 35 million prescription records, and then replaced the information on the state website with a crude "ransom" note demanding $10 million in exchange for unlocking the encrypted file containing what is supposedly the only copy of the patient information seized.  If the "only copy" claim is accurate, the incident is as much a backup failure as an access-control failure: an intruder can only hold data for ransom when its owner has no independent, offline copy to restore from.  (Screenshot of hacked website with notice posted here; see Bob Coffield's post on the story for a good roundup of the facts and review of some HIPAA/ARRA/HITECH implications.)  This has gotten the attention of the digerati and the blogerati, and even of some folks beyond the echo chamber of the blogosphere and twitterverse, out in the real world (like Virginia officialdom, which has gotten communications on this incident off to a slow start).

Update 6/5/09: Virginia security breach notices are going out -- a month after the fact -- to over 500,000 individuals whose social security numbers were part of their prescription records.  Too little, too late? 

So, this episode raises a few questions for me of broader application:

  1. What is the scope of personal data insecurity in this country?
  2. What preventive maintenance and design steps must or should be taken by all holders of personal data in order to minimize the likelihood of a breach?
  3. In the event of a security breach, what communication is required by law, and what should "best practices" communications strategy look like, beyond what is required by the letter of the law?

Let's hack away (unconscious choice of words while typing) at these questions one at a time.

Scope of the Problem

The scope of the issue is, not to put too fine a point on it, real broad, and getting broader daily. The issue is relevant to financial and other data, but for purposes of this post, I'll confine my observations to personal health data ("protected health information," "PHI" or "individually identifiable health information" in HIPAA-speak). In the bad old days (which are perhaps coming to a close one of these years thanks to the $19 billion HITECH Act handout), PHI insecurity was limited to the problem of folks who might wander into a file room and get a hold of your medical records without having a good reason to do so. Thanks to the computerization of medical records on a desktop computer, laptop, server, storage device, or "in the cloud" (now that's a whole other can of worms), millions of records are out there for the hacking. Given the lackadaisical attitude that some have towards data security, these records are accessible to bad-intentioned identity thieves as well as to recreational hackers. The scope of the issue may be glimpsed through a visit to the Privacy Rights Clearinghouse site, A Chronology of Data Breaches, a wonderful compendium of data security breach incidents (beginning January 2005) and related resources (not yet updated as of this writing to include a reference to the Virginia debacle). This chronology is not limited to health care data breaches; a quick scan seems to confirm that the Virginia incident is among the largest health care data breaches, but it is not the first breach of a state agency system.  (And remember the Express Scripts ransom hacker case a little while back?)

Prevention

Data security and privacy protections applicable to PHI have been ratcheted up a couple notches this year with the Son of HIPAA provisions thrown into ARRA, the FTC Red Flags Rule and some parallel state rulemaking activity (see, e.g., the Massachusetts data security rule). With all these recent changes, new comprehensive preemption analyses will have to be undertaken, but I'll offer a couple of observations: It is imperative that all health care providers and business associates undertake privacy and security audits of their current operations. This includes a review of policies and procedures (and the adoption of policies and procedures later this year by business associates, which were not required to have them in place pre-ARRA), to ensure compliance with HIPAA, Son of HIPAA, the FTC Red Flags Rule (if applicable; it relates to businesses that extend credit, defined very broadly, and snaps into effect August 1, after a couple of delays), and state privacy laws. All policies and procedures need to be beefed up as appropriate. Hardware, software and wetware must be tested for compliance and must also be beefed up as needed. In my community, when faced with a computer problem, we always say: "Ask a teenager!" In addition to the usual trusted advisors, it might not hurt to spot-check security systems by challenging a reliable computer-savvy teenager (or twentysomething) to hack into a system, with a written authorization and an agreed scope in hand, so that the exercise is a test rather than a second incident.

Breach Notification

ARRA Sec. 13402 (p. 146) technically doesn't require a breach notification to be sent to affected folks in the Virginia matter because the regs aren't out yet (they're due out by August, effective 30 days later).  Guidance on what makes data unreadable by unauthorized folks has been released for public comment; if Virginia made the data secure according to the definitions in this guidance, then its release would not be considered a breach, and would not trigger notification requirements.  These guidelines are something to consider in designing secure environments for data: they address data in motion, at rest, in use and disposed of, and for the encryption and destruction methods they incorporate NIST standards by reference.  Note that encryption only "secures" the data in this sense if the key is kept out of the intruder's reach; an encrypted store whose key sits on the same compromised server is readable to whoever owns that server.  Adhering to the guidance not only has the PR benefit of allowing an entity to avoid having to make a breach notification, it could even help in preventing breaches in the first place.  It would be interesting to learn whether the Virginia data was protected in the manner called for in this guidance.
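To make the "unreadable without the key" standard concrete, here is an added example (my own illustration, not code from the post, from HHS or from NIST) of encrypting a stored prescription record with AES-256-GCM, an authenticated encryption mode from NIST SP 800-38D.  The record is a constructed sample, the record ID used as associated data is an assumption, and the key is generated in memory; in practice the key would be held in a separate key store so that a copy of the database alone, as in a download like Virginia's, yields nothing readable.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleRecord is a constructed sample; it is not real patient data.
const sampleRecord = `{"patient":"Jane Doe","ssn":"000-00-0000","rx":"lisinopril 10mg"}`

// NewKey returns a fresh 256-bit key. Assumption for this example: the key is
// generated here; a real deployment keeps it in a separate key store or HSM,
// never in the same database or file system as the ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// aad (here, a hypothetical record ID) is authenticated but not encrypted, so a
// ciphertext cannot be silently swapped onto a different record.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open decrypts a blob produced by Seal. It fails, without leaking partial
// plaintext, on the wrong key, the wrong aad, or any change to the stored bytes.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// LooksReadable reports whether the stored bytes still expose a field name from
// the plaintext; it is the naive check an intruder with only the data store could make.
func LooksReadable(blob []byte) bool {
	return bytes.Contains(blob, []byte(`"ssn"`))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	recordID := []byte("rx-0001") // hypothetical record identifier
	blob, err := Seal(key, []byte(sampleRecord), recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; plaintext visible in store: %v\n", len(blob), LooksReadable(blob))

	// Holder of the key reads the record back.
	pt, err := Open(key, blob, recordID)
	fmt.Printf("with key: err=%v record=%s\n", err, pt)

	// Intruder with the data store but not the key gets an authentication error.
	wrongKey, _ := NewKey()
	_, err = Open(wrongKey, blob, recordID)
	fmt.Printf("without key: err=%v\n", err)
}
```

The design point is the separation: the blob in the database is useless without the key, and tampering with it (or moving it to another record ID) is detected rather than producing garbage that looks like a record.  Whether a given layout satisfies the guidance is a question of matching it against the NIST publications the guidance cites, not of this code alone.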

Whether or not a notice is required, careful consideration should be given to developing a communications plan for alerting patients to any breach, and to explaining what is being done to minimize the risk of similar (or dissimilar) breaches occurring in the future.  This may be a delicate dance (the folks in Virginia have been saying they can't comment because an FBI investigation is underway), but it seems to me that a criminal investigation does not need to bar any and all communications with patients and the public at large about the situation.

As the remaining ARRA rules come out and covered entities and others have a clearer roadmap before them, it will be imperative that they undertake the steps outlined above so that they can maintain compliance with these new requirements, ensure privacy and security of PHI, and stay out of the regulators' sights.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

April 21, 2009

HealthCamp Boston / SocialPharmer Boston Twitterstream via Cover It Live

HealthCamp Boston and SocialPharmer Boston are taking place today.  For those of you on site, please live tweet using hashtags #hcbos or #socpharm.  For those of you following along at home, please follow those hashtags in your reader of choice, or right here.  Separate windows are provided for #hcbos and #socpharm (each will have more than one thread, so mashing them together seemed too unwieldy).  The twitterstream will be archived here for future reference.  Information on audio and video archives will be available via the event website at some point in the future.



David Harlow
The Harlow Group LLC
Health Care Law and Consulting
