In reading an account of the recent attack on Community Health Systems that netted the bad guys 4.5 million patient records and earned CHS a prominent spot on the Wall of Shame, I was struck by the notion put across in the article that all we have to do is work harder to patch vulnerabilities, that with a better defense we can win the game against a skilled quarterback.
I think that we have to come to terms with the notion that privacy is a thing of the past, and that it is not a question of if, but a question of when, any particular system may be hacked. As in the case of the Heartbleed exploit, a back door may be propped open for years before anyone notices, and some exploits may leave no fingerprints.
Health information exchange is one arrow in the quiver that may lead to promised improvement in the coordination, efficiency and effectiveness of health care services based on the sharing of data contained in individual patients' electronic health records.
An article in the current issue of Medical Economics examines some of the technical, legal and ethical issues around patient consent to the collection and transmission of protected health information by health information exchanges.
1. Most people are unaware that they are leaving their personal data behind and that some of this information is not protected by HIPAA. Data brokers are able to build dossiers on individuals to sell to marketers, while consumers lack recourse to obtain or correct their information.
2. Clinical researchers, health plans, and others use the information to enhance individuals' health as well as to benefit public health. Larger and speedier clinical trials are made possible by the quantity of data available.
3. Different types of information — such as historical claims data and consumer-generated data — can be combined and used for statistical modeling for health or financial risk-profiling. Such information is purchased by hedge funds, hospitals, large provider networks, payers, pharmaceutical companies, and others.
I recently spoke with Jon Schumacher and Michael Bloom on Health Jams -- a Google HOA series on marketing for health care entrepreneurs. This installment is a primer on health care social media, online marketing and use of online tools (including telehealth) by folks in the healthcare space and just over the line in other domains as well.
Please feel free to connect here or elsewhere online to continue the conversation.
I spoke at the HxRefactored conference in Brooklyn this week. The title of my talk was Dancing with HIPAA, and it was intended as an introduction to health care data privacy and security regulations, practical concerns and -- most important -- practical solutions to privacy and security issues, whether subject to HIPAA or not. Many issues for this audience will be triggered by data not gleaned from a health record maintained by a health care provider or payor. Instead, such data may be released by an individual (and therefore no longer covered by HIPAA) and mashed up with data feeds from personal trackers and manually entered data, put through a health behavior modification recommendation engine, and -- voila! -- behavior change recommendations are delivered to an individual. In this context, the health data is being held in a special-purpose PHR, not an EHR, so HIPAA rules don't apply and therefore OCR enforcement should not be of concern -- though the FTC breach notification rules apply and, as we know, the FTC asserts broad parallel jurisdiction to enforce HIPAA as well.
Why is it time for a HIPAA reality check? Because (1) Data breaches are a constant threat; (2) OCR audits reveal many health care providers are not in compliance; (3) Workforce members pose a significant risk for HIPAA liability; (4) Patients are aware of their right to file a complaint; (5) OCR is increasing its focus on HIPAA enforcement; and (6) HIPAA compliance is not an option, it’s the law. Read this white paper to learn the facts and understand if you are doing enough to mitigate the risk of a breach or HIPAA violation.
The Heartbleed web security exploit was first publicized several weeks ago. In the time since then, numerous web-based services have let their users know (some more clearly than others) whether and how their data security was compromised by this OpenSSL flaw that has been open for about two years. This is one flaw, one exploit, but on a scale of 1 to 10, it has registered as an 11 on our collective consciousness. Fred Trotter notes in the MIT Technology Review that other similarly worrisome exploits do not get our attention in the same way, and that more health data leaks are likely in our future. He also cites others' observations that many health IT vendors are not currently equipped to respond effectively to such exploits in a timely manner.
The HITECH Act made some significant changes to the HIPAA Privacy Rule, updating some provisions and increasing protections for individuals. Improvement of regulatory schemes that are a little long in the tooth is laudable, since technical and societal changes, of necessity, make for a perpetual game of catch-up. However, it is a challenge for regulators to pick the right battles to fight, and the challenge is made that much more difficult to navigate when, as in the case of the HITECH Act, Congress gets into the weeds with extremely detailed statutory language, thus limiting the regulators' range of discretion. Since it is often difficult for Congress to act, and even more difficult for it to act rationally, the detailed language of the HITECH Act hamstrings the regulators and the regulated community.