The Heartbleed web security exploit was first publicized several weeks ago. In the time since then, numerous web-based services have let their users know (some more clearly than others) whether and how their data security was compromised by this OpenSSL flaw that has been open for about two years. This is one flaw, one exploit, but on a scale of 1 to 10, it has registered as an 11 on our collective consciousness. Fred Trotter notes in the MIT Technology Review that other similarly worrisome exploits do not get our attention in the same way, and that more health data leaks are likely in our future. He also cites others' observations that many health IT vendors are not currently equipped to respond effectively to such exploits in a timely manner.
Efforts to reduce hospital readmissions have been focused on a handful of diagnoses and on government payors (primarily Medicare). In order to get a handle on the roughly 15% of the U.S. health care spend that goes to readmissions, it is vital to have a better understanding of what these readmissions are for, who is experiencing them, and why. Not every readmission is a preventable readmission -- though health reform wonks are pretty highly focused on preventable readmissions for specific diagnoses (starting with acute myocardial infarction, heart failure and pneumonia).
Here's the data from 2011, thanks to HCUP (the Healthcare Utilization and Cost Project) at AHRQ:
The HITECH Act made some significant changes to the HIPAA Privacy Rule, updating some provisions and increasing protections for individuals. Improvement of regulatory schemes that are a little long in the tooth is laudable, since technical and societal changes, of necessity, make for a perpetual game of catch-up. However, it is a challenge for regulators to pick the right battles to fight, and the challenge is made that much more difficult to navigate when, as in the case of the HITECH Act, Congress gets into the weeds with extremely detailed statutory language, thus limiting the regulators' range of discretion. Since it is often difficult for Congress to act, and even more difficult for it to act rationally, the detailed language of the HITECH Act hamstrings the regulators and the regulated community.
The HIPAA/HITECH Omnibus Rule became effective just over one year ago. The compliance date was just over six months ago. Within about another six months (plus or minus), Federal regulators – at the Office for Civil Rights at the US Department of Health and Human Services – will begin a new round of HIPAA compliance audits. They are already actively involved in complaint investigations governed by the “new” HIPAA rules. Other Federal, state and territorial authorities are actively involved in HIPAA and related health data privacy and security enforcement activity: the Federal Trade Commission, the Secret Service, the Puerto Rico Health Insurance Administration, state attorneys general. The “Wall of Shame” on the OCR website adds information about newly disclosed data breaches on a regular basis. Fines under the new HIPAA rules may hit $1.5 million or more. Fines under other regulatory schemes have climbed significantly higher. Compliance agreements, follow-up audits and more await those covered entities (health care providers or payors) (CEs) or business associates (everyone else in the health care ecosystem – billing services, marketing agencies, consultants, shredding contractors, attorneys, accountants, etc.) (BAs) unfortunate enough to experience a lapse in their HIPAA compliance programs and to have occasion to file a breach notification, or to be the subject of a complaint investigation or random audit.
The report identifies four key priority areas and outlines next steps to take in each area:
I. Promote the Use of Quality Management Principles;
II. Identify, Develop, and Adopt Standards and Best Practices;
III. Leverage Conformity Assessment Tools; and
IV. Create an Environment of Learning and Continual Improvement
This report should be read together with the FDA framework for regulation of mobile medical applications which was supposedly up in the air pending release of this report. It now seems that they are directed at related, but different, parts of the ecosystem. Both are part of a bigger story, including pending legislation.
A Perspectives piece I wrote was published this week by iHealthBeat - Unlocking the Power of Health Data. In it I argue for patient-controlled sharing of rich data, as opposed to HIPAA-regulated stripping of identifiers in order to eliminate the risk to patient privacy as data is shared for research and other purposes. Googler Larry Page and Josh Stevens of Keas have argued recently in favor of broader uses of health data, but the issue of HIPAA keeps coming up in those conversations. Most connected patients seem comfortable with the idea of sharing health data, and as more of us get connected, this sentiment is only likely to spread.
As I wrote at iHealthBeat:
I have discussed the patient donation of data before, and the first objection I heard was from a data scientist who worried that the volume of patient records collected in this manner would be too small to yield any meaningful insights. While this may be true at first, I believe that over time patients will come to prefer to set their own limits on data sharing rather than be stuck with the one-size-fits-none approach available under HIPAA. In addition, the data made available through these repositories will be more valuable than that available as de-identified data for research precisely because there are more identifiers attached.
Are we ready for a new paradigm in data sharing and big data analysis?
On January 31, the Massachusetts Department of Public Health announced that it had identified twenty provisionally-approved applicants for certificates of registration to operate medical marijuana dispensaries. DPH is running point for the state under the medical marijuana law passed in Massachusetts by ballot question in November 2012.
Since the announcement, the local media have published innumerable stories raising questions about the medical marijuana dispensary application review process. Many of these stories are about local and state elected officials, public safety officials and disappointed applicants airing concerns about the process in a variety of different manners and forums, including a Boston City Council committee hearing, an inquiry into the process by leadership of the state legislature, and at least two appeals (1Releaf, Apex) filed in court thus far.
Well, the company has gone through a number of personnel changes at the top, plans to make some deep staffing cuts, and is working on restating its financials to account for earlier irregularities. The latest restated financials aren't ready to be filed -- they haven't been fully audited yet -- and as a result the company's stock is about to be delisted (but it may still be traded on the OTC market).
President Barack Obama is pushing his signature domestic program, enrollment in a health insurance plan via healthcare.gov by March 31, by shilling for it on the "Funny or Die" Zach Galifianakis mini talk show satire, "Between Two Ferns." I think it's hilarious, though not everyone thinks the humor involved befits a sitting president. Whether or not you appreciate the humor, I think you have to doff your cap to the Commander in Chief, because he is living by the maxim that you've got to fish where the fish are -- and choosing this website over network television, over White House-hosted online media, using video, using authority-subverting humor, has gotten the message out (including a clickable link) to the Young Invincibles in a way that other media just could not have done. The video was posted yesterday; it has already been viewed over 13 million times, and was associated with tens of thousands of click-throughs to the exchange website by the close of business yesterday.
Welcome to Health Wonk Review's In Like a Lion edition, wherein we consider the big questions of the moment.
It seems clear that March is coming in like a lion in most parts of the country. That much is not up for debate.
Our always incisive health wonks have raised numerous important questions over the past fortnight and have attempted to answer them, for their own satisfaction and yours, gentle reader. As they say, reasonable minds may differ -- and you'll see a range of opinions on some of the issues of the day.
So let's take a walk on the wild side and see if we can come up with some answers. Questions on the table include the following:
What's new in the world of Obamacare implementation, HITECH Act implementation, and our 50 laboratories, the states?
Is there a law of physics that can limit the fiction quotient in Obamacare press coverage?
What's the best way for the U.S. to pay for health care expenses?
What's the connection between Irish-American heritage and the Massachusetts gubernatorial race?
Why does February only have 28 days (usually)?
Why promote teamwork and collaboration?
Is there deep meaning in synchronicity, or is Roy Poses just messing with me?