The first health system to announce that it had integrated HealthKit into its Epic EHR is Ochsner Health System in Louisiana. It is a 12-hospital, 40-clinic operation with over 900 physicians. I spoke recently with Dr. Richard Milani, Ochsner's Chief Clinical Transformation Officer. He was enthusiastic about the improvements in clinical outcomes realized to date through homegrown integrations of things like Withings scales, and sees significant expanded potential using the Epic-HealthKit integration including dissemination of data to clinicians for more efficient and effective management of care and presentation of data to patients in a way that may motivate behavior change to improve health status.
A report on a survey regarding wearable fitness trackers arrived in the HealthBlawger's mailbox this week. An interesting dose of reality, after spending a few days in Silicon Valley recently with a cadre of early adopters.
Here are the highlights:
>> 74.9 percent of adults do not track their weight, diet, or exercise using a fitness tracking device or app
>> The most commonly cited reason for not tracking fitness or health is a general lack of interest (27.2 percent), followed by concerns over device cost (17.7 percent)
>> 43.7 percent of respondents did not have a specific reason for not tracking their fitness
>> 57.1 percent of non-tracking adults said that the possibility of lower health insurance premiums would make them more likely to use a fitness tracking device
>> Less than half of respondents (44.3 percent) said that better healthcare advice from their physician would be an incentive to use a fitness tracker
I recently read that the App Association (aka ACT) is lobbying Congress to promote clarity in HIPAA regulations for app developers, based in part on the experience that health care systems “don’t understand the intersection of HIPAA and mobile, and their reaction is to say ‘no’, [which means that] apps that improve outcomes don’t make it through the front door.”
Blaming the government for a regulated industry's failure to understand regulations, and suggesting that the government should publish its regulations through channels other than the official channels are interesting strategies. It seems to me that there are more productive ways of engaging with the issues.
Since issuing its mobile medical applications guidance, the FDA has offered a number of clarifying statements, intended to give the regulated community a clearer idea of whether and when to expect any particular mHealth application to be considered a device.
Mobile apps that allow a user to collect, log, track and trend data such as blood glucose, blood pressure, heart rate, weight or other data from a device to eventually share with a health care provider, or upload it to an online (cloud) database, personal or electronic health record. [Added June 11, 2014].
I spoke at the HxRefactored conference in Brooklyn this week. The title of my talk was Dancing with HIPAA and it was intended as an introduction to health care data privacy and security regulations, practical concerns and -- most important -- practical solutions to privacy and security issues whether subject to HIPAA or not. Many issues for this audience will be triggered by data not gleaned from a health record maintained by a health care provider or payor. Instead, such data may be released by an individual (and therefore no longer covered by HIPAA) and mashed up with data feeds from personal trackers and manually inputted data, put through a health behavior modification recommendation engine, and -- voila! -- behavior change recommendations are delivered to an individual. In this context, the health data is being held in a special-purpose PHR, not an EHR, so HIPAA rules don't apply and therefore OCR enforcement should not be of concern -- though the FTC breach notification rules apply and, as we know, the FTC asserts broad parallel jurisdiction to enforce HIPAA as well.
The report identifies four key priority areas and outlines next steps to take in each area:
I. Promote the Use of Quality Management Principles;
II. Identify, Develop, and Adopt Standards and Best Practices;
III. Leverage Conformity Assessment Tools; and
IV. Create an Environment of Learning and Continual Improvement
This report should be read together with the FDA framework for regulation of mobile medical applications which was supposedly up in the air pending release of this report. It now seems that they are directed at related, but different, parts of the ecosystem. Both are part of a bigger story, including pending legislation.
OCR planning for the next round of HIPAA compliance audits continues.
A new information collection request will be filed soon (two months from now or so), according to the HIPAA audit questionnaire burden estimate published Monday, February 24. (H/T Art Gross, HIPAA Secure Now.) The filing shows that OCR intends to administer 1200 questionnaires to a mix of covered entities and business associates. The questionnaires are estimated to take 30 minutes to complete.
Once those questionnaires hit the street, the full force of OCR will not be far behind. In light of the latest multimillion dollar HIPAA penalty -- this one levied by the Puerto Rican government against an organization that might actually be around long enough to cough up the big bucks, as opposed to Cignet (and there's no telling what OCR might do in addition to that) -- let's just say it behooves all covered entities and business associates out there that have not yet put their house in order from a HIPAA/HITECH compliance perspective to do so now.
With new developments over the past year in the realms of telehealth, mobile health and health data privacy and security, and opportunities for accountable care organizations, integration of connected health and implementation of HIPAA compliance plans, there is plenty of material for prognosticators.
Kate Ackerman, Editor-in-Chief at iHealthBeat, asked 13 experts three questions.
Here are the questions and my answers; follow the link above to read 12 other perspectives.
For years, I have been helping covered entities, business associates and downstream contractors understand HIPAA and other federal and state health care data privacy and security laws and regulations, and develop and maintain policies and procedures that will help them comply with the law. These businesses range from startups with consumer-facing or health care provider-facing apps and web-based services, to big data analytics shops to health care providers of all sorts. Now that OCR -- the federal HIPAA policeman -- is enforcing the HIPAA / HITECH omnibus rule through random audits, complaint investigations and sanctions, it is more important than ever for covered entities, business associates and downstream contractors to maintain a robust HIPAA compliance program. HIPAA enforcement efforts will likely be stepped up in 2014 (see the November 2013 OIG report on OCR's enforcement efforts, and OCR's response including its plans for the future.)
The Harlow Group is pleased to announce the first of a number of HIPAA-related partnerships with ...The HIPAA Survival Guide. (Keep reading for discount information.)