privacy

Key players agree on PHR framework

Anne Zieger — Sun, 29 Jun 2008 12:37:17 -0400

A group of the leading lights in the PHR world have come together to endorse a PHR standard, potentially putting to bed the initial arguments over what a PHR actually is and shifting participants' energy to improving features. Connecting for Heath's "Common Framework for Networked Personal Health Information," which was developed over a number of years, has gotten the thumbs-up from Google, Microsoft, WebMD, Dossia, Aetna, the Blue Cross and Blue Shield Association and America's Health Insurance plans. A number of provider organizations were involved in the development of the framework and have endorsed the the final result, including Geisinger Health System, the VA and Partners HealthCare.

While the framework should help a great deal in creating interoperable health data sets, it won't resolve a key legal issue--whether these new patient data compilations should be protected under HIPAA. Right now, the majority of entities offering PHRs--such as Google, Microsoft and WebMD--aren't defined as "covered entities" by HIPAA, and so they aren't technically required to meet HIPAA standards. The players also face ongoing struggles over how to protect privacy, which isn't defined in the framework.

To learn more about the framework:
- read this Modern Physician piece (reg. req.)

Related Articles:
AHIMA demands better PHR privacy protections
Addressing ID verification could spur PHR adoption
HIPAA privacy officer job expanding quickly

Former House Rep. pushes for health IT bill

Mon, 09 Jun 2008 06:59:56 -0400

A former Congresswoman who once championed health IT legislation unsuccessfully two years ago has come back, this time as the head of a health IT coalition pushing new measures. Former Rep. Nancy Johnson (R-CT), who previously served as chairwoman of the House Ways and Means Health Subcommittee, has returned as head of the Health IT Now Coalition. Johnson is urging her former colleagues to act on HIT legislation this year, and not get sidetracked by "ancillary issues."

Among the Coalition's key goals is to further foster the process of government-backed groups setting health IT standards. Otherwise, she argues, health IT standards could end up more proprietary than open, something that could take benefits away from patients, she says. The group would also see federal legislation designed to help accelerate the pace of HIT development and use.

To learn more about the Coalition's efforts:
- visit the Coalition's website
- read this Modern Healthcare article (reg. req.)

Related Articles:
Health IT bill stalled in the Senate
Bill would tighten HIPAA privacy protections

Congress considers another HIT subsidy bill

Mon, 02 Jun 2008 06:59:56 -0400

Proposals to help doctors pay for EMRs and other cool patient care technology have bounced around the Hill for years now--but maybe this one will be the ticket. Members of the House's Committee on Energy and Commerce proposed a bill last week to help doctors pay for HIT, as well as to improve patient privacy protections. This effort would amend the Public Health Service Act to provide a roadmap for the federal government's role in healthcare IT adoption, while clarifying and strengthening patient privacy requirements.

Specifically, the draft proposal would give small group practices financial aid for acquiring healthcare IT, especially those in rural or medically-underserved areas, and provide federal subsidizes for low-interest private loans enabling HIT purchases. It also would support the development of RHIOs.

To learn more about the proposal:
- read this Healthcare IT News piece

Related Articles:
Federal bill would create HIT 'trusts'
MD group asks for federal help with EMRs
Consumer, biz groups push pro-EMR legislation
AMA endorses health IT tax credits

Group discourages far-reaching patient data use consents

Mon, 19 May 2008 06:59:55 -0400

While it may make health organizations feel better, it's not a good idea to ask patients to offer blanket consents for many levels of health data disclosure according to a new report by the Health Privacy Project of the Center for Democracy and Technology. Instead of building a health data sharing infrastructure by asking patients to give permission for all data uses, the group says, consumers are better served by a more tightly-controlled system. Health data sharing infrastructures should include audit trails, technical safeguards and systematic enforcement in addition to getting consent for data sharing and giving notice of where the data will go. To date, they warn, much of the discussion around sharing patient data has positioned privacy as an 'obstacle,' "but it's clear the opposite is true," says Deven McGraw of the CDT's Health Privacy Project. "Enhanced privacy and security...will bolster consumer trust and confidence and spur a more rapid adoption of health IT."

To learn more about the report:
- read this Healthcare IT News article

Related Articles:
Privacy concerns slow EMR push
Study: Better staff training could protect EMR privacy
Percentage of Medical Privacy Complaints Merit HHS Investigation
Study: States making headway on HIE privacy

Time to become a security advocate

Mon, 14 Apr 2008 06:59:59 -0400

Folks, please note, you're not going to open up FierceHealthIT and find that I'm arguing for hospitals to spend less time on HIPAA. While it's easy to argue the details in how it's implemented, I think that HIPAA compliance is a good thing for the industry. For one thing, if people don't trust that their data is safe even in their own provider's offices, health data exchanges are pretty much doomed.

That being said, the study summarized in today's issue makes an interesting point. In the study, researchers found that hospitals were spending so much time making sure that they were compliant with HIPAA privacy mandates, they were losing site of other key security risks.

If you're an HIT manager, it's entirely appropriate that you also spend part of your time making sure your systems can ensure that patient records are only being accessed by appropriate parties.

At the same time, I'm sure you spend a meaningful part of your professional life worrying about malicious intruders, lost laptops with unencrypted data and other potential security disasters. But with the huge burden that privacy compliance imposes on hospital executives, you might not.

The truth is, security is one of those painful issues that only seems important to non-specialists once a disaster happens. When a bridge collapses, everyone wants to increase infrastructure funding. And when a health data system break-in happens? By God, go ahead and buy the latest and greatest security suite, Mr./Ms. HIT manager!

The problem is, as you folks know, it's really imprudent to wait until something bad happens to shore up your security infrastructure. Once a break-in happens, your organization could face consequences for years to come. Not only that, since security threats evolve daily, you can't just patch it and forget it the way you could a collapsed beam or broken pipe--so it's critical to think about security systematically. My impression is that hospital CEOs, in a word, don't.

So, HIT pros, I think it's time for you to engage in some serious and systematic research on the problem. By all means, print articles like the one I cited below. Gather statistics on the pervasiveness of HIT threats. And gather a few security nightmare scenarios in your pocket--what could happen to your facility if you're unlucky, and what it would cost. The truth is, if you don't advocate for tough security, it seems nobody will. - Anne

NIH security breach includes data on U.S. Rep

Mon, 07 Apr 2008 06:59:58 -0400

Now this must be a little embarrassing for officials at NIH. As it turns out, Rep. Joe Barton (R-TX) was one of 3,000 patients involved in a cardiac MRI study whose records were possibly lost when a laptop computer was stolen from the agency. Not only is the loss of records on a U.S. Representative a faux pas, Barton happens to be a founder of the Congressional Privacy Caucus, which focuses on educating other Congressional offices and staff members on individual privacy issues. Though the laptop was stolen in February, Barton learned of the breach a couple of weeks ago, and didn't know his data might be involved until late March. Now Barton and colleagues are asking HHS's Inspector General to investigate why the data wasn't encrypted on the laptop, and why the agency didn't notify people sooner of the breach.

To learn more about the data theft:
- read this Modern Healthcare piece (reg. req.)

Related Articles:
California expands health data breach rules. Report
Johns Hopkins investigates data breach. Report
Massive data loss at HCA. Article
Allina suffers patient data theft. Report
VA pledges better data security. Report

New Hampshire EMR privacy rule struck down

Mon, 17 Mar 2008 07:59:57 -0400

This week, the New Hampshire House rejected a measure that would have added new privacy protections to EMRs. The bill, which was opposed by providers and hospitals, would have allowed patients to block access to their EMRs and see who has viewed their records. The law would also have allowed patients to restrict the transfer of their EMR to a physician, as well as restricting the use of their EMR data in marketing efforts. Bill supports said that the bill wouldn't improve big costs, that the restrictions wouldn't be difficult to administer and that patients would have had to to pay for audits. However, critics said the measure would complicate work for physicians, add bureaucracy to the process and impose as-of-yet unknown costs.

To learn more about the bill:
- read this iHealthBeat piece

Related Articles:
Privacy concerns slow EMR push. Report
Health data schemes skimp on privacy. Article
GAO reports numerous security breaches. Article
Ehealth record privacy report coming. Article

Aetna enters PHR market with medical info option

Mon, 17 Mar 2008 07:59:55 -0400

Aetna has become the latest in a crowded field of PHR contenders, going up against everyone from Google and Microsoft to giant employer coalitions Dossia and WebMD. Aetna's model, called SmartSource, gathers data from patient claims records to form a personal record, then using this information, helps guide consumers to educational material that could potentially help them research their conditions and vulnerabilities. Before rolling the product out, Aetna tested SmartSource on 35,000 of its own employees, and now hopes to roll out to its 1.68 million commercial enrollees. In so doing, Aetna is following in the footsteps of some other health insurance companies, including UnitedHealth and WellPoint, who have also pulled together basic PHRs using internal claims data.|

To learn more about Aetna's new product:
- read this piece from The New York Times

Related Articles:
Microsoft kicks off PHR initiative. Report
Google unveils details of PHR. Report
AHIMA promotes PHR use. Report
Giant employers move ahead with PHR project. Report
A PHR turning point. Editorial
AHIMA demands better PHR privacy protections. Report
Blue plans, health industry group plan PHR. Report

SPOTLIGHT: Are physician blogs compromising patient privacy?

Mon, 17 Mar 2008 07:59:52 -0400

In a recent episode of NPR's "Morning Edition," physicians got to together discuss whether candid blog entries could violate patient privacy by being traced back to individual patients Curious how physicians are solving this dilemma? Check into the NPR broadcast. Broadcast

HHS plans surprise HIPAA audits

Mon, 03 Mar 2008 06:59:58 -0500

According to survey data released at HIMSS last week, 25 percent of hospitals surveyed had seen a security breach within the past year. Even worse, research firm SecureWorks has seen an 85 percent increase in the number of attempted break-ins directed at its healthcare clients, climbing from 11,146 per client per day in the first half of 2007 to an average of 20,630 per day in the last half of 2007 through January 2008.

Now, HHS wants to find out whether this is because hospitals aren't providing adequate security to protect patients' HIPAA rights. (Given the above break-in stats, it's hardly surprising that HHS hasn't taken an interest sooner, in fact.) While the audit results will be posted online by the agency, the facilities won't be named unless HHS finds evidence of serious problems. Regardless, I'm sure hospitals that get audited will be sweating bullets--and I'm betting that HHS will find far more serious breaches than CEOs expected.

To learn more about the audits:
- read this Network World piece

Related Articles:
Group to create health data security protection standard. Article
HIT group offers medical data security standards. Article
AHIMA demands better PHR privacy protections. Article
More hospital data security breaches. Article