Thursday, April 16, 2015

Data Security versus HIT Interoperability

The HealthLeaders Media article, "EHR Data 'Blocking' Hobbles HIT, Says ONC", points out a tension between data security concerns and health information technology interoperability.

Find the article here: John Commins, for HealthLeaders Media, April 13, 2015 -

The byline reads: "Technology vendors, hospitals, and health systems restrict data access under the guise of security and confidentiality, but it can be challenging to identify and differentiate information-blocking from more benign impediments"

Highlighting the issue is a report by the Office of the National Coordinator for Health Information Technology.

Part of the problem derives from concerns about competition. HealthLeaders Media reports that "The federal government's $28 billion investment in health information technology interoperability is undermined by vendors and providers who don't want to share data with perceived competitors."

The ONC report says that "information blocking" is a problem that will likely get worse.  Technology itself is an enabler, and the ONC finds -

"However, based on the evidence and knowledge available, it is apparent that some healthcare providers and health IT developers are knowingly interfering with the exchange or use of electronic health information in ways that limit its availability and use to improve health and health care."

Here is one source of the problem according to the ONC finding -

"Some EHR developers allegedly charge a substantial per-transaction fee each time a user sends, receives, or searches for (or "queries") a patient's electronic health information. EHR developers may also charge comparatively high prices to establish certain common types of interfaces—such as connections to local labs and hospitals. Many providers also complain about the costs of extracting data from their EHR systems for their own use or to move to a different EHR technology."

But the report finds providers also share some of the blame, or at least misunderstand what federal and state law requires of them -

"Such constraints are not information blocking insofar as they are consistent with the requirements and policies established by federal and state law that protect patients' electronic health information," ONC said. "But it has been reported to ONC that privacy and security laws are cited in circumstances in which they do not in fact impose restrictions."

Example: A provider cites HIPAA privacy rules to deny the exchange of electronic protected health information for treatment purposes, even though HIPAA specifically permits such disclosures.

Of particular interest is the question raised: Who Owns the Data?

Health records belong to the patient.  So says Chris Van Gorder, president/CEO of San Diego-based Scripps Health.

And consider the power of that ownership in this New York Times article: The Healing Power of Your Own Medical Records:

As reported by HealthLeaders Media -

"The only legitimate concern providers have with patient data exchanges is confidentiality, Van Gorder says, because providers are liable for any release of confidential patient data to anyone other than the patient."

What do you think?  When is data blocking legitimate and not contrary to the interests of the patient?  When does data blocking exceed legitimate legal and business concerns and become an impediment to the patient?

Theft of paper and electronic health data exceeds computer hacking

6 in 10 Health Data Breaches Due to 'Criminal Activity' - Researchers discover that in the majority of incidents, the security and privacy of patient health data is compromised by the theft of paper or electronic medical records rather than computer system hacking.

This from the HealthLeaders Media article here: Cheryl Clark, for HealthLeaders Media, April 15, 2015 -

Find the full report in the Journal of the American Medical Association here - 

HealthLeaders Media reports -

"Theft, illegal hacking, and other breaches of protected health information have compromised 29 million medical records in 949 incidents between 2010 and 2013, spelling out a crying need for better data security," according to a report published in JAMA.

According to the study's author, "theft of paper or electronic records accounted for the majority" of the incidents. "Protecting the security and privacy of patient data needs to be a priority in many different venues, and with all types of patient data, including paper records."

Five states, California, Texas, Florida, New York, and Illinois, accounted for 34% of all reported breaches.

Of the 949 incidents encompassed within the study, 273 involved an external vendor, such as a healthcare system partner, an insurer, or a business that uses the data for analytics or quality reporting.

Associated with the JAMA study is an editorial coauthored by David Blumenthal, MD, of the Commonwealth Fund and former National Coordinator for the Office of the National Coordinator, that charges that policy makers are partly to blame.

Find the editorial, also by Deven McGraw here -

"They should create stronger penalties and incentives for organizations to be more careful with the data, [Blumenthal] says, acknowledging that it's a difficult task because they're 'still trying to influence providers and organizations to understand that we live in a different age.'"

According to Blumenthal and McGraw, more than 80% of the data breaches reported by Liu result from a "mundane and correctible problem: the failure of covered entities to observe what might be called good data hygiene" such as:

· Failure to encrypt their own data

· Allowing storage of patients' personal health information on employees' personal devices

· Not requiring sound practices to authenticate authorized users

Complicating the solution is the lack of clarity provided by federal rules on data protection, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), and the desire of health care providers and IT ventures not to be further regulated.

Read the entire article.  It further highlights Blumenthal and McGraw and suggests that if the federal government doesn't step in, various states will.  It ends with a Blumenthal prediction - 

"But I suspect we'll have some scandals and events that outrage people before this happens. That's regrettable, but it's the way our democracy works. And in the meantime, you can pretty much anticipate that due to inattention and lack of care, and to a lesser extent hacking, there will be large data breaches of increasing size and concern."


Monday, April 13, 2015

Patient Identification Called "Paramount" to the formation of an Interoperable Learning Health System.

So say the College of Healthcare Information Management Executives (CHIME) and the Association of Medical Directors of Information Systems (AMDIS). 

A joint statement sent by CHIME and the Association of Medical Directors of Information Systems to the ONC is asking that patient identifiers be included in the interoperability draft roadmap.

Earlier this year the Office of the National Coordinator for Health IT released for public comment its shared nationwide roadmap for interoperability.

Find the CHIME/AMDIS statement.

"Without a standard patient identifier, the creation of a longitudinal care record, composed of data and created through disparate systems, geographies and chronology is simply not feasible," the statement said. The American Hospital Association has asked the federal government to at least allocate funding to study consumer views about the patient identification system.

You can read more at FierceHealthIT

In the same vein, the American Hospital Association (AHA) has called the need for a standard patient identifier urgent, notwithstanding the congressional law now on the books for over a decade that prevents the U.S. Department of Health and Human Services from creating a unique patient identifier.

The main themes of the CHIME/AMDIS statement are summarized at the beginning of their submission:
1. Patient identification is paramount if we are to make any progress toward an interoperable Learning Health System (LHS).  Foundational to the vision espoused by the Roadmap is the ability of providers to accurately and consistently match patients with their data. A national approach to patient identification is prerequisite for interoperability and the lack of a standard patient identifier only serves to aggravate our industry’s technical challenges. Without a standard patient identifier, the creation of a longitudinal care record, composed of data created through disparate systems, geographies and chronology is simply not feasible. Future drafts of this roadmap must enable development of a standard patient identifier.

2. CHIME and AMDIS are supportive of the process established by this Roadmap to prioritize standards across several important domains. We also support the concept of a common clinical data set that adheres to clear, enforceable national standards.

3. We caution against being overly ambitious with the development of a nationwide governance mechanism and encourage focused prioritization through ingrained collaboration among private and public sector stakeholders. In our view, interoperability in the service of high quality, safe patient care should remain the principal focus of the near-term.

4. CHIME and AMDIS support the need for additional testing tools, including scenario-based testing and exception handling, and we agree that their development and use are critical actions for stakeholder assurance that HIT is interoperable. We also underscore the need to have a post-certification surveillance program steeped in assuring conformance to requirements established by certification.

5. CHIME and AMDIS also encourage policymakers to think more critically about how to recognize the vital role that patients and their family play as a point of integration of disparate health information. Patients can be powerful mediators of their own medical records and care plans towards the synchronization of services delivered across different settings of care. We believe it is an operational necessity for policymakers to enable patients to be conduits of information towards better, safer care delivery.

Good food for thought for all of us, including policy makers. What do you think?

Friday, April 10, 2015

NAHAM's Patient Identity Integrity Toolkit

Did you miss the April 3 NAHAM webinar that rolled out the new NAHAM Patient Identity Integrity Toolkit? 

If so, go here for a replay:

This webinar, just under an hour, with Q&A, highlights the main features and elements of the toolkit.  These include question sets and checklists to help focus your Patient Access Staff, sample patient identity policies and procedures, such as newborn naming conventions, and numerous journal articles that highlight the importance of patient identity integrity strategies in our organizations. 

If you are a NAHAM member, you may also access the PII Toolkit, as well as NAHAM's Joint Commission Survey Toolkit and NAHAM's CMS Survey Toolkit.

Start here to explore the PII Toolkit:

Special thanks to the NAHAM Public Policy Development and Government Relations Committee for developing the PII Toolkit!  And special thanks to Committee Chair Michael Sciarabba, MPH, CHAM, and Committee members Nancy Farrington, CHAM, FHAM, and Carmen Voelz, FHAM, CHAM, FHFMA for participating as webinar presenters!

For even more exposure to NAHAM's thought leadership on patient identity integrity, plan to attend the preconference Patient Identity Symposium at NAHAM's 41st Annual Education Conference & Exposition, at the J.W. Marriott, Indianapolis, Indiana, April 19 to 22. The preconference Patient Identity Symposium runs from 2:45 to 5:00 on Sunday, April 19. For more information go here:

The full conference schedule may be found here: and here:

To register, start here:

Tuesday, March 31, 2015

Medical identity theft - fastest growing identity crime in the U.S.

A NAHAM member found this article for us, "Medical identity theft is fastest-growing identity crime in the U.S."

You may find the article here:

Medical identity theft has impacted over 2.3 million Americans. The ramp up in this type of identity theft makes it the fastest growing identity crime in the U.S.  The authors make note of the recent Anthem data breach and conclude that one in three Missourians are impacted by medical identity theft.
In February, Anthem, the nation’s second-largest health insurer, announced that its systems had been the target of a sophisticated external cyber-attack. This attack, one of the largest data breaches in U.S. history, impacted one in three Missourians, according to state officials. Since the breach involved health insurance information as well as Social Security numbers, the affected individuals are at true risk of medical identity theft.

The two most common forms of medical identity theft?

The two most common include an individual posing as someone else in order to secure medical goods, prescriptions or services; or an individual billing someone else’s insurance, Medicare or Medicaid without their knowledge.
As with other types of identity theft, the victim often doesn't realize what has happened. But the risks associated with healthcare can be significant.
The affected person does not realize fraudulent activity has occurred. Electronic health records could be fraudulently changed, meaning anything from incorrect allergies to preexisting conditions. This could lead to a future misdiagnosis or inappropriate medical treatment.

Healthcare providers should take note.  There is a patient expectation that providers are proactive in guarding against identity theft.

Health care providers without effective security measures should take note: 48 percent of consumers said they would consider changing health care providers if their medical records were lost or stolen, according to the Ponemon Institute’s Fifth Annual Study on Medical Identity Theft. Consumers expect health care providers to be proactive in preventing and detecting medical identity theft. Forty percent say that if a breach occurs, it is important to receive immediate notification by the organization responsible for protecting their health care information.

So what is a provider to do?
While medical identity theft is most harmful to a consumer, organizations that handle personal health information (PHI) can suffer costly legal ramifications as well as a tarnished brand if they are the source of the data breach. To be less susceptible to these and other liabilities, cyberattack prevention and cyber insurance plans should be in place. While there are several components that make up an effective cybersecurity strategy, the following can be the key lines of defense against an attack or when facing ramifications:

Encryption — Data at rest and data in motion should be encrypted to at least the levels recommended by HIPAA legislation. This will help minimize the risk that data is compromised.

Data leak prevention (DLP) — Also known as data loss prevention, DLP is a data security technology that monitors data in use, in motion and at rest in order to detect potential data breaches in a timely manner and prevent them. A DLP system configured properly handles careless data leaks by internal sources as well as intentional data theft by external hackers or malware.

Cyber insurance — Organizations that store or transmit personally identifiable information (PII) should review the insurance options for cyber protection. A variety of insurance policies cover things like the cost of fines, notification that PII has been compromised, liability and business interruption. Cyber policies vary greatly and an independent insurance consultant can help review the best coverage option.

Do you have any best practices or policies to share?  Please let us know.

Hospital Efforts to Improve Patient Satisfaction

Kaiser Health News reported earlier this month on hospital efforts to improve patient satisfaction. See the report Hundreds Of Hospitals Struggle To Improve Patient Satisfaction, which also had 4 minutes of air time on National Public Radio.

The report notes the growing importance of patient satisfaction surveys, driven in large part by the prospects of pay levels from Medicare and some private insurers.

Since Medicare began requiring hospitals to collect information about patient satisfaction and report it to the government in 2007, these patient surveys have grown in influence.  For the past three years, the federal government has considered survey results when setting pay levels for hospitals. Some private insurers do as well.

Read the article in full and search for hospital patient satisfaction survey results.

Hospitals randomly survey former patients to learn about the quality of their stays. These surveys are collected and information from them is published by the U.S. Centers for Medicare & Medicaid Services, which also uses the results when setting Medicare pay rates.

Follow the link to the article above and use the embedded tool to see how patients rated hospitals across the country on 11 topics and how each hospital compares with state and national averages. These scores reflect responses from patients who were discharged between January 2013 and December 2013. They include responses from adult patients and are not restricted to those on Medicare.


Wednesday, February 25, 2015

What's at stake with Affordable Care Act challenge in the Supreme Court?

The Supreme Court has already ruled on the Affordable Care Act based on an early constitutional challenge.  But the law is back at the Court based on a challenge that hinges on just four words in the 2012 law.

CNN provides an easy to understand primer on what's at stake this time around.  Find the article, "The latest Obamacare challenge: What you need to know" here.

The article explains that the law establishes the creation of exchanges "through which individuals can purchase competitively priced health insurance".  Sixteen states and the District of Columbia have set up their own exchanges. Folks living in the other 34 states must use the exchange run by the federal government.  And the law provides federal tax credits to income eligible individuals "to help offset the cost of the policies". 

Most of us remember all of this.  States set up their exchanges where you shop for your healthcare coverage.  Lots of governors or state legislatures chose not to create their own exchanges, so their citizens go to the exchange run by the federal government.  And because everyone is supposed to sign up if they don't have coverage elsewhere, the Affordable Care Act provided federal tax credits to help lower income individuals and families buy coverage. 

Simple enough. Except, those bringing the case that is now before the Supreme Court say the law did not authorize those tax credits for those having to use the federally run exchange. That's where the four words in the law passed by Congress come in.

A synopsis from the CNN article:

The health care law provides for the establishment of "exchanges" through which individuals can purchase competitively priced health insurance. It also authorizes federal tax credits to low- and middle-income Americans to help offset the cost of the policies. Currently 16 states plus the District of Columbia have set up their own exchanges; the remaining 34 states rely on exchanges run by the federal government. Those bringing the case say that the words "established by the State" in a subsection of the law make clear that subsidies are only available to those living in the 16 states that set up their own exchanges. If the court says the IRS rule is invalid, absent some kind of action by the states or Congress, more than 5 million individuals will no longer be eligible for the subsidies, shaking up the individual market.
So this time around the law in its entirety is not at stake.  But apparently the help through tax credits for 5 million individuals is at stake.  (CNN reports that in 2014, more than 5.3 million individuals selected an insurance plan through the federal exchange.)  We'll find out if Congress goofed or not.
Here is how CNN explains it:
Those challenging the law this time say: Congress limited the subsidies in order to encourage the states to set up their own exchanges. But when only a few states acted, the IRS tried to "fix" the law and wrote a rule allowing subsidies for those living in states with state-run exchanges as well as states with federally run exchanges.
The government, defending the law, says: the language at issue is a "term of art" and that Congress always intended the subsidies to be available to everyone. ... it was clear that some states would not establish their own exchanges.
There is a little technicality that is also interesting. Challengers must have standing - that is to say they have to show that they are being harmed by the law. The challengers in this case are residents of Virginia, one of the 34 states that did not create their own exchange. So these Virginia residents don't get the tax credits. Without the tax credits they can't afford health care coverage offered through the federal exchange. So it sounds like they want the tax credit. Apparently not. Remember the "individual mandate" part of the Affordable Care Act - if you don't get coverage, you get a penalty?
As CNN explains:
The crux of their argument is that if it were not for the tax credits for premiums, they could not afford health insurance and thus would be exempt from the individual mandate to purchase health insurance.