Linda Sanches, Senior Advisor, Health Information Privacy, at OCR, DHHS, spoke with Tom Sullivan (@GovHITeditor) at the HIMSS Media #HITprivacy and security conference in Boston today (September 9, 2014) about OCR HIPAA compliance audits. See the Storify after the jump.
Health information exchange is one arrow in the quiver that may lead to promised improvement in the coordination, efficiency and effectiveness of health care services based on the sharing of data contained in individual patients' electronic health records.
An article in the current issue of Medical Economics examines some of the technical, legal and ethical issues around patient consent to the collection and transmission of protected health information by health information exchanges.
1. Most people are unaware that they are leaving their personal data behind and that some of this information is not protected by HIPAA. Data brokers are able to build dossiers on individuals to sell to marketers, while consumers lack recourse to obtain or correct their information.
2. Clinical researchers, health plans, and others use the information to enhance individuals' health as well as to benefit public health. Larger and speedier clinical trials are made possible by the quantity of data available.
3. Different types of information — such as historical claims data and consumer-generated data — can be combined and used for statistical modeling for health or financial risk-profiling. Such information is purchased by hedge funds, hospitals, large provider networks, payers, pharmaceutical companies, and others.
Since issuing its mobile medical applications guidance, the FDA has offered a number of clarifying statements, intended to give the regulated community a clearer idea of whether and when to expect any particular mHealth application to be considered a device.
Mobile apps that allow a user to collect, log, track and trend data such as blood glucose, blood pressure, heart rate, weight or other data from a device to eventually share with a health care provider, or upload it to an online (cloud) database, personal or electronic health record. [Added June 11, 2014].
I had the opportunity to speak with Roy Schoenberg about the model policy recently adopted by the Federation of State Medical Boards (FSMB): Model Policy for the Appropriate Use of Telemedicine Technologies in the Practice of Medicine. The model policy is offered as a means for state medical boards to get up to speed quickly and to access standards of care that are both protective of patients' interests and, frankly, are baselines against which physician behavior may be judged by an individual board. Roy distinguishes between telemedicine (doc-to-doc communication) and telehealth (patient-to-doc communication). The latter, particularly when it uses a secure live video platform, is a disruptive innovation in a way that the former is not: it allows patients to access medical advice at their convenience, without the need for an office visit or a trip to a specialist.
#H2NYC Meetup - May 12, 2014. Thirteen demos and a whole lot of conversation with the health tech innovation community in NYC Monday evening. I enjoyed dropping in on the H2NYC meetup preceding the HxRefactored conference. Tweets from the event after the jump.
Why is it time for a HIPAA reality check? Because (1) Data breaches are a constant threat; (2) OCR audits reveal many health care providers are not in compliance; (3) Workforce members pose a significant risk for HIPAA liability; (4) Patients are aware of their right to file a complaint; (5) OCR is increasing its focus on HIPAA enforcement; and (6) HIPAA compliance is not an option, it’s the law. Read this white paper to learn the facts and understand if you are doing enough to mitigate the risk of a breach or HIPAA violation.
The Heartbleed web security exploit was first publicized several weeks ago. In the time since then, numerous web-based services have let their users know (some more clearly than others) whether and how their data security was compromised by this OpenSSL flaw that has been open for about two years. This is one flaw, one exploit, but on a scale of 1 to 10, it has registered as an 11 on our collective consciousness. Fred Trotter notes in the MIT Technology Review that other similarly worrisome exploits do not get our attention in the same way, and that more health data leaks are likely in our future. He also cites others' observations that many health IT vendors are not currently equipped to respond effectively to such exploits in a timely manner.
The HIPAA/HITECH Omnibus Rule became effective just over one year ago. The compliance date was just over six months ago. Within about another six months (plus or minus), Federal regulators – at the Office for Civil Rights at the US Department of Health and Human Services – will begin a new round of HIPAA compliance audits. They are already actively involved in complaint investigations governed by the “new” HIPAA rules. Other Federal, state and territorial authorities are actively involved in HIPAA and related health data privacy and security enforcement activity: the Federal Trade Commission, the Secret Service, the Puerto Rico Health Insurance Administration, and state attorneys general. The “Wall of Shame” on the OCR website adds information about newly disclosed data breaches on a regular basis. Fines under the new HIPAA rules may hit $1.5 million or more. Fines under other regulatory schemes have climbed significantly higher. Compliance agreements, follow-up audits and more await those covered entities (CEs: health care providers or payors) or business associates (BAs: everyone else in the health care ecosystem – billing services, marketing agencies, consultants, shredding contractors, attorneys, accountants, etc.) unfortunate enough to experience a lapse in their HIPAA compliance programs and to have occasion to file a breach notification, or to be the subject of a complaint investigation or random audit.