
184 posts categorized "HIPAA"

February 13, 2012

First lawsuit filed against a Business Associate under HIPAA / HITECH

The first HIPAA enforcement action against a business associate has been filed by the Minnesota Attorney General's office.

In part, it's the same old sloppy story: unencrypted laptop loaded with PHI stolen out of a rental car ... sheesh, when will they ever learn?  (See: Privacy and Security: Joke or No Joke?)  Cleaner policies and procedures, and internal enforcement, would have made this a non-event, not reportable, off the front pages, and out of court.  Instead, the business associate and the covered entity have gotten plenty of negative publicity, which will include a trip to the Wall of Shame.  Perhaps the advent of the HIPAA audits by government contractor KPMG, together with unpredictable actions of state attorneys general, will motivate business associates and covered entities to get with the program.

Here are the twists in this case:

1. The federales have said that they're not going to go after business associates until they finally finalize their regs (they've missed the HIPAA / HITECH deadline), but State AGs have been given enforcement authority under HIPAA / HITECH, and they've jumped the gun.  (For more on state AG enforcement, see: HIPAA enforcement by state attorneys general: The shape of things to come.)

2. The Minnesota AG is also going after the business associate on the unfair and deceptive business practices front -- for failing to disclose to patients the way in which they use their data (they make one set of disclosures to patients, another to Wall Street). See full complaint against Accretive Health (PDF).

As I've been saying for a while, we're going to see more aggressive HIPAA enforcement from beyond the Beltway; this case is an exemplar of just one manifestation of the phenomenon.  Another is the growth of private lawsuits bootstrapped on violations of HIPAA or related state laws (this, despite HIPAA's clear statement that it does not provide for third-party lawsuits).

In addition to the HIPAA issues, there's the predictive modeling and consumer transparency side of the case: Accretive, a management consultant to a hospital system, was being paid based on a percentage of cost savings, and was using PHI in its predictive model of patient-specific health care costs.  The complaint alleges that this use was not made clear to the patients, though I don't believe the allegation was made that such use would be improper if appropriate disclosures were made.

Should more explicit disclosures about the uses of health data be made even if not required by federal or state law?  I sometimes counsel clients to be more proactive than may be strictly necessary in this department, in order to be sensitive to the "man on the street" perception of privacy rights -- even in situations where the law does not require that certain data be handled as protected health information subject to HIPAA.  The benefit is broader than compliance and risk mitigation; it signals a sensitivity to a hot-button issue that may improve customer relations and improve risk management.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting
 
 

January 05, 2012

Health Care Social Media – How to Engage Online Without Getting into Trouble (Part II)

I have been asked to write up some of the core takeaways from the health care social media presentations I have been giving recently, so I am sharing a version of this narrative on HealthBlawg, in two parts.  You may wish to begin with Part I.

Professional responsibility and malpractice liability

The American Medical Association has promulgated a social media policy; so has the Veterans Administration.  The two represent very different approaches.  The AMA essentially advocates proceeding with caution, and being cognizant of the damage that one’s own social media activities – and one’s colleagues’ – may do to the profession.  The VA, on the other hand, is out in front on this issue – just as it was with electronic health records – encouraging the use of social media tools to disseminate information and engage patients and caregivers in productive dialogue likely to improve overall wellbeing and health care outcomes.

Patient care should not be provided in open social media forums, but appropriate disclaimers on blogs, Facebook pages, YouTube channel pages, and the like, should be sufficient protection for providers seeking to use these tools for sharing of general advice and information.

As in other settings, there are emergency exceptions.  If the only way to communicate lifesaving information to a patient is via a public social media channel, then a clinician should not refrain from doing so based on a concern about a privacy violation.

Daily deal websites

Groupon, Living Social and other daily deal websites are being used by health care providers -- though thus far mostly by those that are not covered by traditional commercial or governmental health insurance (e.g., dental, chiropractic, acupuncture services).  This may change as the health insurance landscape changes over time.  There are a number of legal issues, and their resolution will depend, in part, on where you are situated, since many of the relevant rules are state laws, which vary.  For example:

  • Groupon collects 50% of the price of the groupon as its fee; is that illegal fee-splitting under applicable state law?
  • Is the 50% fee an illegal kickback in exchange for a referral?  Are you subject to federal laws in this area in addition to any state laws?
  • Do provider agreements with third party payors prohibit the offering of discounts to plan subscribers?  (If you can get over the first two issues, you may need to screen out patients who are insured by carriers who limit your ability to discount or risk being in default under an agreement with your biggest customer.)
  • There is at least one more issue to consider, as well:  State laws on gift certificates and their requirements touching on expiration dates.  Lawsuits have been filed alleging that the relatively short life of the daily deal violates state gift certificate laws. 

With the proliferation of high-deductible health plans, and FSAs, HSAs and the like, the general public is becoming more price sensitive in paying for health care services; while health care providers need to become more creative in order to address this issue, they must also remember that they are subject to a wide-ranging set of regulations above and beyond other consumer-facing businesses.

Social Media Policies and Procedures

Despite the legal landscape, it is possible for a health care provider to develop a robust social media program.  The critical first step is developing a set of policies that respects the legal and regulatory limits, and that is consistent with the organization's level of readiness to engage through social media.  Establishing clear guidelines will allow clinicians and staff to participate in the online conversation without having to review individual posts on a regular basis with legal and regulatory advisors. An existing policy from another organization may be used as a starting point in the development process, but local customization is key. 

An external-facing social media policy should set limits and expectations for people who come to the organization's web properties – web site, Facebook page, blog, YouTube channel, Twitter stream, etc. -- so that, for example, a poster who violates the terms of service will be on notice that a hospital whose staff should be monitoring social media accounts at least daily may decide to take down a post (on a forum such as Facebook) if it does not comply with the policy.

An internal set of policies and procedures is also needed to address internal operational and policy issues for both official and unofficial channels. Staff need to be sensitive to the fact that they are, in effect, brand ambassadors on a 24/7 basis, and that if they mention their employer in their own posts on their personal Twitter accounts or Facebook pages, they should do so consistent with company policy – noting that “tweets are my own” or words to that effect.  Some organizations may desire to insist on all employees' “radio silence” except for designated spokespersons.

The best policies are those that are developed through an inclusive process, rather than a top-down process, so that the employees most likely to be active on social media may offer input to the process and also feel ownership of the final product in a way that will promote adherence.

No matter what the tenor of an individual organization’s policies may be, they must be implemented – they do no good up on the shelf.  Staff must be trained on the policies, and retrained as policies are updated, on at least an annual basis.  Adherence to the social media policies should be a condition of employment, just the same as adherence to any other employer policy, and the distribution of policy documents and training may be integrated with a broader employment process within your organization.

Since this is a rapidly changing arena – and since social media comfort levels in an organization may change relatively rapidly – social media policies should be reviewed on a regular basis, at least annually.

Conclusion

The cat is out of the bag.  Even if you wanted to avoid social media entirely, it is simply too late to attempt to do so.  Even if your practice or institution does not have an active social media presence, it is likely that others are already discussing you on line.  It is important to set up a social media monitoring program right away, if you do not already have one in place, so that you may respond in the real world to issues flagged in cyberspace.

You can become an active participant in health care social media and stay on the right side of the law, and these days it is becoming more and more imperative to use this toolset for marketing, patient communication and care management.

 

Be sure to check out Part I of this two-part series on health care social media, which lays out the range of issues and concerns and goes into greater detail on HIPAA issues.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting
 
 

January 03, 2012

Health Care Social Media – How to Engage Online Without Getting into Trouble (Part I)

I have been asked to write up some of the core takeaways from the health care social media presentations I have been giving recently, so I am sharing a version of this narrative on HealthBlawg, in two parts.  Check back later this week for Part II.

Introduction

“Why do you rob banks?”

“That’s where the money is.”

The legendary bank robber Willie Sutton, when asked, gave this straightforward response explaining his motivation.  A similar motivation may be ascribed to the early adopters among health care providers who have established beachheads on various social media properties on line.  Why be active in on line social networks?  That’s where the people are: patients, caregivers, potential collaborators and referral sources, like many, many other people, are using social media more and more.  Facebook has become nearly ubiquitous, and its user base is growing not only among the younger set, but also among the older set, who are signing up so they can see pictures of their grandkids.  In today’s wired society, on line social networking is the new word of mouth.  Word-of-mouth referrals, personal recommendations, have always been prized; we have simply moved many of those conversations on line.

Over half of Americans rely on the internet when looking for health care information.  Many on line searches are conducted on behalf of another person.  Most people expect their health care providers to be on line, providing trustworthy information – and the day of the static website has passed.  In addition, a growing subset of the population is comprised of “e-patients” – the “e” stands for educated, engaged and empowered – who seek out health care providers prepared to engage with them both in person and on line.

Only about twenty percent of U.S. hospitals have a social media presence, and likely a similar proportion of other health care providers.  Thus, while some health care providers have been using social media for years, there is still an opportunity to reap the benefits of being an early adopter.  Whether or not a provider is on line, others are likely discussing that provider – on review sites, on Facebook, even on Twitter – so whether or not one establishes a social media presence, it is imperative to establish a listening post to keep abreast of what is already being posted on line – complaints, recommendations and other information will come to light, and steps may be taken in the real world to ameliorate situations giving rise to complaints and to capitalize on praise and referrals.

Finally, health care reform is pushing health care providers into social media.  The Meaningful Use regulations will soon require that providers seeking incentive payments for adoption of electronic health records must make greater use of personal health record portals, and programs like the Medicare Shared Savings Program, or Accountable Care Organization program, require patient-centeredness and patient engagement, which in this day and age require the use of online social tools.

With all of these motivating factors, why are health care providers reticent, and slow to adopt the use of social media tools?  There are numerous legal and regulatory issues triggered by the use of social media and some health care providers are put off by the perception of the risk involved.  However, there are legal and regulatory risks (and attendant market and business risks) to the decision to remain uninvolved.

The key issues for consideration include the following:

  • Privacy and security rules, under HIPAA as well as other federal and state laws, and the ever-diminishing ability to fully de-identify protected health information
  • Professional responsibility codes, including both professional society codes of ethics and state regulations promulgated by boards of registration in medicine
  • Malpractice liability for professional advice rendered via social media
  • Issues raised by daily deal sites such as Groupon and Living Social, including anti-kickback, fee-splitting, insurance contracts, state insurance laws and gift certificate laws
  • Liability under Federal Trade Commission rules for failure to disclose a financial relationship in conjunction with an online rating, review or other commentary
  • Trouble with the National Labor Relations Board if employee discussion of working conditions is unreasonably limited (even in non-union shops)

If not managed appropriately, it is clear that these issues may lead to significant liabilities, ranging from civil and administrative fines, to negative publicity, to private lawsuits predicated on HIPAA or state law violations.  (Even though HIPAA does not provide for third-party liability some state laws do, and creative lawsuits may seek to bootstrap private liability on a HIPAA violation as well.)

However, it is possible to manage all of these issues through the development of comprehensive social media policies – both outward-facing (i.e., to patients and the general public) and inward-facing (i.e., to physicians, other clinicians, and other staff) that are tailored to a specific medical practice or other health care organization.  The policies themselves must be tailored to local conditions, because each practice, each health care organization is at a slightly different point on its own health care social media journey, its comfort level with social media tools, and its thoughts about how to use these tools, and to what end.

Here is further detail about several of the key categories of legal issues identified above:

HIPAA and other privacy concerns

Privacy concerns arising from HIPAA and state privacy laws start from the proposition that only a patient has the right to authorize the release of his or her own private health information.  Thus, while an individual patient is free to blog about her medical condition or experience with the health care system without implicating HIPAA or other privacy rules, provider-generated social media content with identifiable patient information used without consent would raise red flags.  Provider discussions of cases on social media should follow the “elevator rule” or the “coffee shop rule” – If you wouldn’t say it in a crowded elevator or coffee shop, don’t post it online.

As one emergency room physician recently learned the hard way (she was dismissed by her employer and sanctioned by her state medical board), even a de-identified Facebook post about a patient may easily be re-identified using information from third-party sources.  The HIPAA rules list eighteen categories of identifying information that must be stripped from a record or patient story in order for it to be considered de-identified. Number eighteen is, essentially, anything else that may be used to re-identify the de-identified information.  Since we are, collectively, doubling the amount of information posted online on a regular basis, that which is de-identified today may well be easily re-identified tomorrow.

Thus, the best practice would be to write about composite/fictionalized patients, or simply get patient consent.  Providers may wish to rewrite their HIPAA NPPs (notice of privacy practices) to include some level of consent to communication with or about a patient on Facebook, for example, if that is something that would make sense, and that might happen on a regular basis. 

Other disclosures made inadvertently may lead to difficulties as well.  For example:

  • A cell phone photo taken in a hospital emergency room of a friend proudly displaying a newly-stitched wound may inadvertently capture the image of another patient in the background. That post may be a HIPAA violation attributable to the hospital, even if it did not post the photo. 
  • An employee of a public hospital tweets her displeasure in seeing a clinic staffed up for the convenience of a political figure seeking service off-hours.  Her public sharing of identifiable health information led to her being fired.
  • Positive test results posted by a patient on Facebook might invite response on a human level, but the response must be more measured.  For example, if a patient posts on a hospital Facebook wall after getting some good test results, “I'm cancer free one year later,” hospital staff can't post much more than “Congrats; everyone should check out our cancer center's web page.”  Even in a situation like this, where the patient self-identifies first, there is no consent to unlimited public discussion of his condition.

 

Please check back later this week for Part II, which will touch on professional responsibility and malpractice issues, daily deal sites and the development of policies and procedures for provider organizations engaged in the use of health care social media.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting
 

November 21, 2011

Privacy and Security: Joke or No Joke?

The Wall of Shame welcomes Sutter Health. Another computer with unencrypted protected health information on over 4 million patients - gone. Now, those guys are pretty smart, so why don't they encrypt all computers with PHI?  One of life's persistent questions.  I mean, I can accept the fact that a health plan operator like Cignet Health might have issues with getting a grip on HIPAA compliance, but Sutter Health?  What were they thinking? Can't happen here?  Encryption is a drag?  It's an easy way to avoid major egg-on-face and to avoid spending significant coin on PR, credit reporting services, and potentially on court judgments -- all in addition to significant administrative fines payable to HHS and state regulators.

So the federales are piloting the HIPAA audit program. I know it's required by the HITECH Act, but who believes that it will motivate behavior change?  Anyone?  Sutter Health was clearly not motivated to seek a safe harbor that would have made the loss of 4 million patient records a non-event.  I know encryption can be a drag, but I'm not a techie. If you are, I invite you to educate me (and the other non-techies out there) on the question of how miserable it really is to have to deal with encrypted data; if you're really a techie, write a program to enable light-touch encryption that doesn't interfere with use of data.

Whether or not encryption is miserable, we should be asking: Why is this data on a barely secured computer (password-protected desktop) in the first place? Shouldn't it be stored on a server that stays in a secure facility, or in a secure private cloud?

Furthermore, as data loss incidents like this keep happening -- even among other industry leaders (see, e.g., Mass General) -- perhaps we need a new framework for thinking about access to health information. If we knew for sure that employment and insurance decisions would not be affected by the availability of otherwise private health record information, perhaps we would be more sanguine about their release. Perhaps government resources would be better spent on beefing up education and enforcement in those arenas (vs. auditing and enforcing compliance with privacy and security standards).

David Harlow 
The Harlow Group LLC
Health Care Law and Consulting
 

November 16, 2011

David Harlow quoted on HIPAA and Health Care Social Media in AIS Health's Health Business Daily and Report on Patient Privacy; Speaking at HANYS Social Media Conference Today


[Image: Reefer Madness]

I was interviewed for an article on AIS Health that came out last week. The title of this article -- on health care social media and regulatory and legal issues that health care providers may face in using these tools -- struck me as being tinged with hysteria (hence the selection of the artwork accompanying this post):

HIPAA Dangers Lurk on Facebook; Ongoing Policy Revisions Are Advised

Cooler heads should prevail.

There are clearly things to be concerned about when embarking upon the implementation of social media tactics in the service of broader strategies and organizational goals.  Decisions about goals must be made.  Terms and conditions for staff, on the one hand, and patients, families and caregivers, on the other, need to be clear and comprehensive.  And expectations regarding employee use of social media, whether as an "official" voice of the organization, or as a person known to be associated with the institution and therefore acting as a brand ambassador whenever on line or in real life, need to be carefully developed and communicated.

I'm speaking today at the Healthcare Association of New York State (HANYS) social media conference, about these and related issues.  Just this morning, in my hotel-delivered newspaper, there's a front-page story on Facebook and privacy concerns.  These issues are persistent, no matter what platform you are using, or are considering using. As I have said before, at a policy level, your approach needs to be platform-agnostic.

Overall, careful planning will improve the chances that a health care provider will be able to effectively leverage the reach of social media for its message without running afoul of legal and regulatory land mines.

David Harlow 
The Harlow Group LLC
Health Care Law and Consulting
 

November 09, 2011

OCR HIPAA Audits Finally Kick Off - Do They Matter?

The HITECH Act called for stepped-up HIPAA privacy and security and breach notification rule enforcement with respect to covered entities and business associates, to be accomplished by spot-check audits.  This month, the first 20 of a planned 150 audit subjects will be getting notices from the U.S. Department of Health and Human Services Office of Civil Rights' contractor, KPMG, saying that their numbers are up. These early test cases will be a proving ground for the auditors and the audit process, as much as for the covered entities to be audited (no business associates in the first 20, or even in the whole batch of 150, apparently).  The first round of 20 audits -- and a review of the audit protocols -- is slated to take about five months.  Up to 130 other audits will follow, in the final eight months of this pilot. Each audit is supposed to take about 30 business days, and will include on-site interviews and investigations.  Document requests are to be turned around in ten days, and KPMG will give 30-90 days advance notice of site visits. In theory, audits may bring to light issues that do not surface in the course of complaint investigations, and are expected to yield OCR guidance and highlighting of best practices.

Will this audit program change behavior of covered entities and business associates?

In general, the regulated community seems to get a free pass for about a year after a new regulatory schema is rolled out, before real enforcement kicks in.  It's been longer than that for HIPAA (well, most of HIPAA, anyway), and there have been enforcement actions initiated by the federales (and by state attorneys general under the HITECH Act).  Many of these enforcement actions -- largely initiated by complaints filed by the public -- have generated more heat than light.  (Consider the Harvard teaching hospital and its paper records left on the subway, or T; consider the judgment-proof, bankrupt incompetence of a company that couldn't, or wouldn't, provide requested information to patients, led by someone who perhaps should not have been allowed to hold such a position. Is either a relevant example that will cow an otherwise recalcitrant covered entity or business associate into compliance?) The "Wall of Shame" reports of significant data breaches, as a whole, do not seem to have motivated behavior change -- behavior change like encrypting a laptop or portable hard drive containing protected health information, for example, encryption that would mean its loss would not have to be reported on the Wall of Shame.  In sum, since the reputational and operational dislocations caused by reportable breaches to date have not yielded a significant change in behavior by covered entities and business associates, generally, it is unclear whether a small-scale -- or even a large-scale -- audit program will yield meaningful increases in HIPAA compliance.  Living through a reportable data breach, and fixing privacy and security policies and their implementation after the fact, is probably at least as painful as going through an OCR audit, yet many covered entities have yet to adopt and implement data encryption and other policies and procedures that would eliminate the possibility of that happening to them.

Here's hoping we don't have to wait until after December 2012 to get some guidance and best practices from the auditors based on their work.  Will we see an army of HIPAA auditors in 2013?  And when will OCR start auditing business associates?

The $64,000 question is: Will all this have an impact on the privacy and security of protected health information (PHI)?  

I am skeptical, at best.  ONC is rolling out an educational message to let individuals know more about privacy and security and that, together with hiring bands of auditors, may build towards having some effect.  But we need to consider the range of data whose release would be considered a data breach, and perhaps revisit the general approach.  It may be that the default setting for some information should be public, or that some easy sharing options should be built in.  Consider the "green button" and "rainbow button" initiatives (riffing on the VA's Blue Button).  Rolling out these initiatives could have the effect of lessening the amount of data that must be kept 100% private and secure, and could have some beneficial effects, as well. Finally, consider the radical proposal to reverse the presumption of privacy entirely.

While we are not yet in a utopian society where release of health information will have no negative effects on an individual (think: employment, insurance, to name two key domains where this is an issue), perhaps we could devote more resources to reaching that ideal, and fewer to the ultimately futile attempt to assure 100% compliance with the privacy and security requirements applicable to an ever-increasing universe of PHI -- because not only is the volume of data out there ever-increasing, but information that may be considered de-identified (and therefore beyond the reach of the regs) today, may become easily re-identifiable tomorrow as more and more data, from diverse sources, is shared on line.

Meanwhile, metaphorically speaking, be sure the doors and windows are locked before KPMG and OCR come knocking.

David Harlow 
The Harlow Group LLC
Health Care Law and Consulting
 

October 21, 2011

Health Care Social Media Summit - Mayo Clinic Center for Social Media - Wrapup

I'm back from my pilgrimage to Rochester, MN for the Third Annual Health Care Social Media Summit at the Mayo Clinic, presented by Ragan Communications.  I had a great time, and want to share the experience with you.  So please take a look at the archived #mayoragan tweets, my presentation on health care social media and the law, and my blog posts about the pre-conference and the summit itself posted at HealthWorks Collective.  Here are some excerpts:

Mayo Ragan Social Media Summit Pre-Conference

A recurring theme in my hallway conversations [today] was that it is impossible to transplant a successful program from one location to another without taking into account myriad local conditions (social media program, heart transplant program – same problem).  As I always say to folks who just want to copy, say, the Mayo Clinic’s, or the Cleveland Clinic’s, social media policy, change the names and be done with it, it is critical to take the measure of local conditions and customize an approach.  As I discuss[ed] in my presentation later in the conference, there are risks – manageable risks – inherent in the use of health care social media, but the risk tolerance of each organization is different, born of a whole host of factors, and those differences must be respected.

Mayo Ragan Social Media Summit:

This was multimedia day at Mayo Clinic.

Lee Aase, Director of the Mayo Clinic Center for Social Media, kicked off the meeting with a rundown of the Mayo Clinic’s experience with social media, highlighting the “MacGyver” (i.e., jerry-rigged) approach he advocates, using free and low-cost tools.

He then premiered a soon-to-be viral video produced as part of the Mayo Clinic's cardiac health "Know Your Numbers" campaign:

Know Your Numbers Video

Chris Boyer closed out his presentation with a little song he wrote (he accompanied himself on the ukulele), about social media ROI.

Mayo Ragan Social Media Summit - Final Day

My gloss on the imperative to pursue [the] lofty goals [articulated by e-Patient Dave in his closing keynote, summarized in an understated way as "Let Patients Help"] is born of a stark economic reality: in the future (the very near future), health care providers will have to do more with less.  (Consider, for example, impending deep Medicare cuts.)  [Consider, also, the patient-centeredness and patient engagement laid out in the final ACO regulations.]  In order to do so successfully, they will need to work collaboratively with patients – and with each other -- in ways that many have not (in large part) to date, because economic incentives to do so have not necessarily been there.  Social media will be a part of the solution to this problem.

I enjoyed meeting up with my fellow MCCSM external advisory board members, and I look forward to continuing the conversation with so many of you whom I met in person at the conference, including many folks whom I've known for years - but only online.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

October 19, 2011

David Harlow speaks at Third Annual Health Care Social Media Summit

I am speaking today on legal and regulatory issues related to health care social media at the Mayo Clinic Health Care Social Media Summit.  I look forward to keeping in touch with folks I've had the opportunity to meet in real life this week at Mayo.  For my take on the rest of the conference, please see my posts here and here.  Feel free to peruse the #mayoragan tweetstream, too.

Here are my slides:

October 04, 2011

Lab Results for All! Of Data Liberation, Participatory Medicine, and Government 2.0

On September 14, HHS released for comment draft lab results regulations that will, if finalized, effectively bathe the Achilles’ heel of health data in the River Styx of ¡data liberación!  All lab results will be made available to patients, just like all other health data.  (See the HHS presser and YouTube video from the recent consumer health summit.  Todd Park, HHS CTO, is also the chief activist for what he calls ¡data liberación!)

Forgive me for mixing my metaphors (or whatever it is I just did), but even though there are just a couple dozen words of regulations at issue here, this is a big deal.

When HIPAA established a federal right for each individual to obtain a copy of his or her health records, in paper or electronic format, a few types of records were specifically exempted from this general rule of data liberation in the HIPAA Privacy Rule, 45 CFR § 164.524(a)(1): psychotherapy notes, information compiled for use in an administrative or court proceeding, and lab results from what is known as a CLIA lab or a CLIA-exempt lab.  (These are "reference labs," to which your specimens are referred by the lab that collects them, or freestanding labs to which a patient may be referred for a test.  They are not the in-house labs at many doctors’ offices, hospitals and other health care facilities; the in-house labs are part of the “parent” provider organization, and their results are already part of the parent’s health records subject to HIPAA.)

(“CLIA” stands for the Clinical Laboratory Improvement Amendments of 1988, which established quality standards for certain laboratory testing.)

This carveout of lab results from patient-accessible records has long been a thorn in the side of the e-patient.  This month, the federales announced that they would step forward as Androcles to the e-patient lion (to jumble a reference or two) and pull out the thorn, by proposing to amend both the CLIA regs and the HIPAA regs.  The HIPAA regs include the exception described above: all records must be made accessible upon request except labs and a couple of others.  The lab results exception will be deleted from the HIPAA regs if the change is finalized.  The CLIA regs prohibit lab delivery of results directly to patients.  The proposed amendment says that the labs “may” release the results directly to patients.  The net effect is that patients will have the right to request the results, and since labs will be permitted to release them, they will have to do so.

As some readers will recall, HIPAA regs were subjected to a state-by-state “pre-emption analysis” when they came out.  (Generally speaking, Federal law “pre-empts” state law unless state law is more protective of an individual’s rights or health.)  The feds note in the preamble to the proposed rule:

A number of States [most, actually] have laws that prohibit a laboratory from releasing a test report directly to the patient or that prohibit the release without the ordering provider’s consent. If adopted, the proposed changes to § 164.524 [of the HIPAA regs] would preempt any contrary State laws that prohibit the HIPAA-covered laboratory from directly providing access to the individual.

Thus, labs in most states have some work to do in figuring out how they will actually release results directly to patients once the regs are finalized and effective (which could be about a year, gang, so sit tight).

Here’s where it gets fun, folks:

While individuals can obtain test results through the ordering provider, we believe that the advent of certain health reform concepts (for example, individualized medicine and an individual’s active involvement in his or her own health care) would be best served by revisiting the CLIA limitations on the disclosure of laboratory test results.

CMS goes on to say that the HIT Policy Committee at ONC, established by the HITECH Act, says that “CLIA regulations are perceived by some stakeholders as imposing barriers to the exchange of health information.  These stakeholders . . .  believe that the individual’s access to his or her own records is impeded, preventing patients from a more active role in their personal health care decisions ” … so we’re going to change them.  [Paraphrase and emphasis mine.]

Let me restate this, folks: the regs are being changed to give greater patient access to health data not because of a recent change in the law, but because patients and patient advocates spoke up, and the HIT Policy Committee got the message.  

I had the opportunity to hear Dr. Farzad Mostashari (National Coordinator for Health IT), Lygeia Ricciardi (Senior Policy Advisor for Consumer eHealth), and Jodi Daniel (Director, Office of Policy & Planning) speak at an ONC town meeting at last week’s Health 2.0 conference in San Francisco, and they are nothing if not passionate about promoting patient access to health data.  Please take a look at my mini video interviews with Dr. Mostashari and Ms. Ricciardi, if you need any confirmation.  For the wonks and insomniacs: you may be interested in listening to all or part of the ONC town hall meeting at the Health 2.0 conference.  It is an unofficial recording, about 45 minutes long, and will start when you click the link; it offers a further window into the thinking of Mostashari, Ricciardi and Daniel, as they discuss ONC's broadening of focus from providers to include patients (the very beginning of the recording is clipped, but you didn’t miss much).  Another way in which this broader focus is demonstrated is the redesign and expansion of the HealthIT.gov website, which now includes more robust patient-focused content.  (“Putting the ‘I’ in Health IT” … You can take the pledge to empower individuals to be partners in their health through health IT.)

This change may improve patient access to lab results, but only if the right to obtain the results is ushered in together with an education campaign that alerts patients to this new right, and if the results are presented in a manner that includes some minimal level of interpretation (and I recognize that too much interpretation will cross the line into the communication that needs to take place between the patient and his or her clinician).  On the question of how lab results should be presented to patients, at Health 2.0, Thomas Goetz, of Wired magazine, presented a patient-friendly lab report tool, to be rolled out soon by his company, 1 + 1 Labs.  Other approaches, of course, are possible, since numerous institutions already provide this data directly to patients.

A certain percentage of lab results never make their way to the patient — and the patient education piece of the rollout could result in that percentage being reduced, or even eliminated.

There is opposition to the proposed rule by some providers, who express a concern that a patient who receives lab results directly may well (a) misinterpret a value that is “normal” for the population at large but that might not be “normal” for her and/or (b) fail to communicate with the clinician who ordered the test.  In our fee-for-service world, some cynics may say that some clinicians are being inappropriately incentivized to seek another billable patient encounter for discussion of results.  In the future of bundled, episodic, prospective payment systems, this would not be a concern.  In fact, since we will be asking the entire health care system to do more with less as a result of the nation’s fiscal and political environments, frictionless sharing of information should be welcomed by providers.  Providers will continue to receive lab results, and will continue to be expected to discuss them with their patients.

Comments on the draft rule are invited.

If you get a charge out of reading this post and thinking about the changes coming down the pike in access to health data, and you'd like to take part in future grassroots activity that can lead to real change, please consider joining up as an active member of the Society for Participatory Medicine -- which is composed of providers as well as patients -- and also consider becoming active in the broader Patients 2.0 community.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

A version of this post first appeared on e-patients.net, the blog of the Society for Participatory Medicine.  I serve as Chair of the Society's Public Policy Committee.

September 30, 2011

Health 2.0 Fall 2011

I attended Health 2.0 in San Francisco this week, and participated in the new Health Law 2.0 pre-conference, moderating a lively panel discussion about reviews posted on listings and ratings websites, featuring attorneys and an entrepreneur.

Please take a look at the posts I've written about the conference, here at HealthBlawg, and on HealthWorks Collective:

Health 2.0 San Francisco, September 2011, "Son et Lumiere"

"This post comes to you from the Health 2.0 conference in San Francisco.  The main conference kicks off today, but it has been preceded by a week of code-a-thons and a variety of other events, including HealthCamp and the four-track pre-conference yesterday (Health Law 2.0, Patients 2.0, Doctors 2.0, Employers 2.0).  I moderated one of the Health Law 2.0 panels, and shook up some of my brothers and sisters at the bar by wearing my new Regina Holliday jacket -- I've joined the Walking Gallery.  (Follow the links, including the walking gallery back story, to learn more about who Regina is, and what this means.) ..."  (Read more on the Health 2.0 pre-conferences.)

Health 2.0 Kicks Off in San Francisco

"Todd Park, the HHS CTO, is a vigorous champion of data liberation.  He has moved the government to open its vast repositories of data (e.g., Medicare claims data) to sharing with the public to solve health care problems.  Data liberation is one of the watchwords of the participatory medicine movement, and is a goal that will be reached more easily through the proliferation of online tools that will facilitate health information exchange.  While we would hope that, in the future, this would be a core functionality of interoperable EHRs, it seems we just aren’t there yet.  Meanwhile, however, there are Health 2.0 companies ready to bridge the gap, and ensure that data from whatever source regarding an individual patient will be available to her clinicians...."  (Read even more on the Health 2.0 pre-conferences.)

Health 2.0 - Focus on High Quality, Low Cost & Connectivity

"The health care payor and provider worlds are concerned with access, cost and quality.  The federal government adds a population health gloss, and calls it the Triple Aim – better care for individuals, better health for populations, at reduced per-capita costs.  Those fundamental drivers are now having a clearer effect on the Health 2.0 ecosystem.  The demos and discussions I’ve observed thus far at this year’s conference are more consistently focused on addressing these issues than they have been in the past.  Early-stage, and more established, companies’ products are also notable in that they are focused on connectivity in a broader sense than before – whether that’s connectivity for data, so that sensors can share data with your personal tracking software, your doctor or your community, or connectivity for individuals, who can use online social tools to improve their own health status through online interactions in a number of different ways...." (Read more on Health 2.0 Day 1.) 

Health 2.0 Conference: Data Liquidity Can Improve Care and Reduce Cost

"On the last day of Health 2.0, the key takeaway was this: data liquidity can improve health care and health status, and reduce cost.  Hey, we knew this already; the cool thing about hearing this message at Health 2.0 is that you get to hear it (1) while seeing the tools that will actually create that data liquidity that are ready for prime time, or almost ready for prime time and (2) from federal officials who are visibly excited about this stuff...." (Read more on Health 2.0 Day 2.)

In addition, please take a look at the Health 2.0 Fall 2011 vlog with David Harlow, featuring 18 mini-interviews on Health 2.0 and "data liberation" with some of your favorite Health 2.0 and ONC figures -- including Matthew Holt, Jane Sarasohn-Kahn, Farzad Mostashari and Lygeia Ricciardi -- and some new faces as well.

The conference was jam-packed, and of course there were many more worthwhile demos and presentations that I was not able to include in these brief collections of highlights.  I hope to see more of you at the next conference.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting