HIPAA Audits: The Latest Oracular Prognostications

OMB cleared the HIPAA pre-audit survey late last week. (H/T LifeHealthPro.) That is one crucial prerequisite to OCR's initiation of the new round of HIPAA audits that have been the subject of all the Delphic prophecies we keep hearing (the survey is required to collect information about covered entities and their business associates, since this round of audits is supposed to include a look at business associates . . . and OCR won't know who's a business associate unless they ask covered entities).

OCR has apparently already identified "several hundred" covered entities (see "OCR supporting statement A") to which it would like to administer the questionnaire this time around (out of an estimated 3 million covered entities).

Lessons from the Anthem breach

Into the Breach

Anthem experienced a major data breach last week, and reportedly some records (Social Security Numbers and other identifying information, but not health data) of up to 80 million members and employees were obtained by hackers.

There is much to be said (and much has already been said) about the need for privacy and security and protections in the case of Anthem, just as "helpful hints" have been provided after the fact to victims of all significant data breaches. My reaction, when reading about the unencrypted SSNs that were accessed in this attack, was: Why in the world are we using social security numbers as ID numbers? It doesn't have to be this way.

ONC, Interoperability, and the 2/6/2015 #HITsm Tweetchat

I am pleased to be moderating the weekly #HITsm tweetchat this Friday, February 6, 2015 -- Beyond Meaningful Use: What’s next for ONC … and the rest of us. Join us at 12 noon Eastern Time.

Top of mind for the #HITsm twitterati this week are the ONC interoperability roadmap released at the end of last week, and the ONC conference taking place this week in DC. Check out the ONC liveblogging from Mark Scrimshire (aka @ekivemark), and the #ONC2015 tweetstream at large.

Here are the topics for this week's chat. I look forward to discussing them with you.

Privacy and Security and the Internet of Things

"Only Connect"

In the future, everything will be connected.

That future is almost here.

Over a year ago, the Federal Trade Commission held an Internet of Things workshop and it has finally issued a report summarizing comments and recommendations that came out of that conclave.

As in the case of the HITECH Act's attempt to increase public confidence in electronic health records by ramping up privacy and security protections for health data, the IoT report -- and an accompanying publication with recommendations to industry regarding taking a risk-based approach to development, adhering to industry best practices (encryption, authentication, etc.) -- seeks to increase the public's confidence, but is doing it the FTC way: no actual rules, just guidance that can be used later by the FTC in enforcement cases. The FTC can take action against an entity that engages in unfair or deceptive business practices, but such practices are defined by case law (administrative and judicial), not regulations, thus creating the U.S. Supreme Court and pornography conundrum -- I can't define it, but I know it when I see it (see Justice Stewart's timeless concurring opinion in Jacobellis v. Ohio).

HIPAA: Liability to Private Parties for Violations

This week, Connecticut joined at least nine other states (DE, KY, ME, MN, MO, NC, TN, UT, WV -- see cases cited in the opinion, linked to below) in recognizing that, while HIPAA does not create a private right of action for violation of privacy, it does constitute a standard against which the actions of a defendant in such a case will be judged. In other words, if a covered entity or business associate or downstream contractor releases PHI other than in accordance with HIPAA (i.e., for treatment, payment or health care operations purposes, or to or at the direction of the data subject or his or her legal representative), the breach of the HIPAA rule may be the basis for a finding of a breach of a duty of care in a state court negligence action.

As the Connecticut Supreme Court observed in its opinion in Byrne v. Avery Ctr. for OB GYN, which was released earlier this week:

[A]ssuming, without deciding, that Connecticut's common law recognizes a negligence cause of action arising from health care providers' breaches of patient privacy in the context of complying with subpoenas, we agree with the plaintiff and conclude that such an action is not preempted by HIPAA and, further, that the HIPAA regulations may well inform the applicable standard of care in certain circumstances . . . .

Apple HealthKit - Epic Integration at Ochsner Health System - David Harlow Interviews Dr. Richard Milani

The first health system to announce that it had integrated HealthKit into its Epic EHR is Ochsner Health System in Louisiana. It is a 12-hospital, 40-clinic operation with over 900 physicians. I spoke recently with Dr. Richard Milani, Ochsner's Chief Clinical Transformation Officer. He was enthusiastic about the improvements in clinical outcomes realized to date through homegrown integrations of things like Withings scales, and sees significant expanded potential using the Epic-HealthKit integration including dissemination of data to clinicians for more efficient and effective management of care and presentation of data to patients in a way that may motivate behavior change to improve health status.

mHealth Fitness Trackers Have a Long Way to Go

A report on a survey regarding wearable fitness trackers arrived in the HealthBlawger's mailbox this week. An interesting dose of reality, after spending a few days in Silicon Valley recently with a cadre of early adopters.

Here are the highlights:

>> 74.9 percent of adults do not track their weight, diet, or exercise using a fitness tracking device or app
>> The most commonly cited reason for not tracking fitness or health is a general lack of interest (27.2 percent), followed by concerns over device cost (17.7 percent)
>> 43.7 percent respondents did not have a specific reason for not tracking their fitness
>> 57.1 percent of non-tracking adults said that the possibility of lower health insurance premiums would make them more likely to use a fitness tracking device
>> Less than half of respondents (44.3 percent) said that better healthcare advice from their physician would be an incentive to use a fitness tracker

Waiting for HIPAA Clarity? Who Has Time?

I recently read that the App Association (aka ACT) is lobbying Congress to promote clarity in HIPAA regulations for app developers, based in part on the experience that health care systems "don’t understand the intersection of HIPAA and mobile, and their reaction is to say ‘no’, [which means that] apps that improve outcomes don’t make it through the front door.”

Blaming the government for a regulated industry's failure to understand regulations, and suggesting that the government should publish its regulations through channels other than the official channels are interesting strategies. It seems to me that there are more productive ways of engaging with the issues.

HIMSS Privacy and Security Forum: Managing Social Media While Protecting Privacy and Security

I spoke at this week's HIMSS Privacy and Security Forum in Boston on the privacy and security issues surrounding the use of social media by health care organization workforce members. My slides and a few tweets are here for your viewing pleasure, after the jump.

OCR Audits: The Skinny

Linda Sanches, Senior Advisor, Health Information Privacy, at OCR, DHHS, spoke with Tom Sullivan (@GovHITeditor) at the HIMSS Media #HITprivacy and security conference in Boston today (September 9, 2014) about OCR HIPAA compliance audits. See the Storify after the jump.