patient data

Group discourages far-reaching patient data use consents

Mon, 19 May 2008 06:59:55 -0400

While it may make health organizations feel better, it's not a good idea to ask patients to offer blanket consents for many levels of health data disclosure according to a new report by the Health Privacy Project of the Center for Democracy and Technology. Instead of building a health data sharing infrastructure by asking patients to give permission for all data uses, the group says, consumers are better served by a more tightly-controlled system. Health data sharing infrastructures should include audit trails, technical safeguards and systematic enforcement in addition to getting consent for data sharing and giving notice of where the data will go. To date, they warn, much of the discussion around sharing patient data has positioned privacy as an 'obstacle,' "but it's clear the opposite is true," says Deven McGraw of the CDT's Health Privacy Project. "Enhanced privacy and security...will bolster consumer trust and confidence and spur a more rapid adoption of health IT."

To learn more about the report:
- read this Healthcare IT News article

Related Articles:
Privacy concerns slow EMR push
Study: Better staff training could protect EMR privacy
Percentage of Medical Privacy Complaints Merit HHS Investigation
Study: States making headway on HIE privacy

Identity thieves getting better at stealing patient data

Mon, 12 May 2008 06:59:57 -0400

Where they once focused on banking data and credit card statements, identity thieves have become increasingly focused on breaking into patient data systems, observers say. Medical records offer a rich trove of information for an identity thief, often including not only health insurance account numbers and billing addresses, but also dates of birth, Social Security numbers and even credit information. That's particularly the case with hospitals which, since they offer costly services, may do more credit research on a patient.

Security industry researchers note that many hospitals haven't taken adequate steps to prevent malicious clinical data breaches, perhaps unaware that in addition to posing great risk to patients, each intrusion can cost $200 per record and $6.3 million per incident. Instead, many hospital IT departments are focused more on implementing or supporting EMR rollouts, according to a survey announced at HiMSS '08.

To learn more about medical record theft:
- read this USA Today article

Related Articles:
The growing problem of medical identity theft
NY hospital worker charged with massive file theft
California expands health data breach rules
U.S. hospitals have security 'blind spot'

ALSO NOTED: Medicare launches SC-based PHR pilot; Mayo Clinic deploys wireless network; and much more...

Mon, 12 May 2008 06:59:50 -0400

> Medicare announced that it was launching a South Carolina-based pilot project encouraging Medicare beneficiaries to use a PHR. Article

> The Mayo Clinic has deployed a Cisco-based wireless network across all of its facilities, which it says is intended to improve care and boost efficiency. Article

> Connecticut's state medical society has begun offering a hosted on-demand practice management service to its members. Article

> A group of 11 Oklahoma hospitals have set plans for their emergency rooms to share patient data. Article

And Finally... Some people just won't let a debt go... even a 32-year-old debt. Article

NJ flunks Medicaid data security audit

Mon, 05 May 2008 06:59:58 -0400

A new audit has concluded that New Jersey has not put adequate security measures in place to protect sensitive Medicaid program data. The review, conducted by the New Jersey Office of the State Auditor, concluded that the program isn't monitoring access to data such as Social Security and tax identification numbers, DEA numbers and birth dates. This information could be used against, not only the more than one million patients covered by the New Jersey Medicaid program, but also physicians who participate in the program. Officials with the state Department of Human Services, which runs the Medicaid program, told New Jersey legislators that employees can only access areas in which they work, which limits the systems' vulnerability. However, they admitted that they don't know which records employees view.

To learn more about the audit:
- read this Philadelphia Inquirer article

Related Articles:
CMS security holes expose patient data
Maine struggles with Medicaid billing system

WellPoint data may have been compromised

Mon, 21 Apr 2008 06:59:57 -0400

While it's not clear what happened, it looks as though clinical and personal data on 130,000-odd WellPoint beneficiaries may have been accessed through the web. WellPoint has announced that during the past year, two servers operated by a vendor weren't properly secured, leaving pharmacy records, Social Security numbers, claims information and more exposed to the public. To date, WellPoint has not become aware of any identity thefts resulting from access to that data (though patients potentially could have suffered identity theft and failed to connect it to the breach). In response, WellPoint is offering potentially affected beneficiaries one year of free credit-monitoring services. It's also tightened up its security measure with help from an outside consultant.

To learn more about the breach:
- read this Chicago Tribune piece

Related Articles:
Johns Hopkins investigates data breach
Massive data loss at HCA
VA pledges better data security
Allina suffers patient data theft

A new paradigm for EMRs--publishing

Mon, 07 Apr 2008 06:59:59 -0400

Over the last year or so, an aggressive little health IT startup in San Francisco has drawn a fair amount of press for its size, including a mention in the New York Times. The company, Practice Fusion, has taken its share of lumps in the blogosphere for its approach, which offers doctors access to a free EMR and practice management system in exchange for accepting targeted advertising.

I understand why people would be concerned that private patient data could somehow leak into advertisers' hands, despite the company's stated commitment to keeping such data private.

That being said, now that the market has gotten used to the idea of advertiser-supported EMRs--much of the bloggish outrage dates from about a year ago, when Practice Fusion first started getting attention--I think it's time to give this model another, more detached look.

Don't get me wrong, I already made it clear that I think Practice Fusion itself is a fairly hot company in and of itself when I named it one of our Health IT Innovators last year. However, my real point is that with virtually all physicians needing EMRs (but few in a position to pay for one) this one company is unlikely to remain alone in this category for much longer.

In fact, to be honest I'm surprised that Google, WebMD or Microsoft hasn't swooped down and recreated Practice Fusion's model using its own tools already. Perhaps this hasn't happened yet because a smaller company like PF can do a better job of building trust (and allaying privacy fears) than a multi-billion-dollar giant. Also, if Google or its peers tried this and got a black eye, it would be far more public and painful than if PF stumbles.

Whatever the current barrier to entry is, though, it won't last forever. Within the next year or two, I believe that ad-supported EMRs will become as accepted as ad-supported magazines, with the ads themselves given equally little attention or concern. After all, looked at another way, patient data is just content--like the words in this newsletter--and running advertising against it is simply an age-old publishing technique. Of course, patient records require extra respect and protection, but it's still content.

That being said, I know not everyone agrees with me. Do you think ad-supported EMRs are appropriate, and are they likely to achieve widespread acceptance? Write to me and let me know.- Anne

NIH security breach includes data on U.S. Rep

Mon, 07 Apr 2008 06:59:58 -0400

Now this must be a little embarrassing for officials at NIH. As it turns out, Rep. Joe Barton (R-TX) was one of 3,000 patients involved in a cardiac MRI study whose records were possibly lost when a laptop computer was stolen from the agency. Not only is the loss of records on a U.S. Representative a faux pas, Barton happens to be a founder of the Congressional Privacy Caucus, which focuses on educating other Congressional offices and staff members on individual privacy issues. Though the laptop was stolen in February, Barton learned of the breach a couple of weeks ago, and didn't know his data might be involved until late March. Now Barton and colleagues are asking HHS's Inspector General to investigate why the data wasn't encrypted on the laptop, and why the agency didn't notify people sooner of the breach.

To learn more about the data theft:
- read this Modern Healthcare piece (reg. req.)

Related Articles:
California expands health data breach rules. Report
Johns Hopkins investigates data breach. Report
Massive data loss at HCA. Article
Allina suffers patient data theft. Report
VA pledges better data security. Report

Rural LA hospitals launch HIE

Mon, 07 Apr 2008 06:59:56 -0400

A group of rural Louisiana hospitals have gone live with a health information exchange, using an open system platform allowing the hospitals to conduct teleconsultations. The exchange includes seven of the 24 members of the Louisiana Rural Hospital Coalition. The hospitals will be linked with not only with each other, but also with the Louisiana State University Health Sciences Center. The shared platform, which was developed by vendor Carefx in cooperation with CA, IBM and Initiate Systems, will give clinicians access to a portal-based view of patient data, while the data itself remains housed in disparate applications across the hospitals.

To learn more about the project:
- read this Healthcare IT News item

Related Articles:
HIE may work best if starting small. Report
Joint Commission calls for national HIE. Report
RHIOs/HIEs are states' top HIT priorities. Report
Study: RHIOs/HIEs backed by states will win. Report
Report offers HIE keys to survival. Report
What is the business model for sustaining a RHIO? Column

ALSO NOTED: SC hospitals to get EDIS makeovers; Alliance's Wallace steps down; and much more...

Mon, 31 Mar 2008 07:59:50 -0400

> Perlegen Sciences' plans to work with an EMR vendor to use patient data for genetics research have made some in the medical community upset. So what does Perlegen have to say? Article

> EDIS's at two South Carolina hospitals are about to get a makeover. Article

> Alliance CEO Wallace steps down to pursue 'new health technology ventures.' Article

> Governor Edward G. Rendell announced today that he has signed an executive order creating the Pennsylvania Health Information Exchange, which is a framework that will give health care providers improved access to clinical data and lead to safer and more efficient patient-centered care. Release

And Finally... Bringing the pharmacy to you. Article

UCLA staff accused of viewing Britney Spears' records

Mon, 24 Mar 2008 07:59:56 -0400

In what is unfortunately an all-too-predictable episode, UCLA Medical Center executives have said that they're investigating 13 staff members who seem to have accessed Britney Spears' medical records without authorization. The staff members are accused of viewing her non-medical records during her psychiatric stay in January. The Los Angeles Times reported that none of the staff members involved in the incident were physicians, but that they would be fired and that 12 others--including some doctors--would be disciplined. This incident follows on another, taking place in mid-2007, when two dozen employees at a New Jersey hospital were suspended without pay after viewing the medical records of actor George Clooney without authorization.

To learn more about the episode:
- read this article from Healthcare IT News

Related Articles:
Union fights suspensions for workers viewing star's records. Report
California expands health data breach rules. Report
Johns Hopkins investigates data breach. Report
Massive data loss at HCA. Article
Allina suffers patient data theft. Report
VA pledges better data security. Report