RTI study raises a wide array of reactions

Reactions varied widely between technology vendors, privacy advocates and government and clinical IT leaders questioned about a federally sponsored study that calls for re-engineering electronic health record systems so they can be used by payers as fraud-fighting tools.

The report includes a call for a controversial requirement that EHR developers build into their systems portals that allow payers to access physicians’ EHRs and patients’ longitudinal medical records.

Government contractors and the top federal healthcare IT official were either enthusiastic or at least accepting of the proposals; healthcare information technology vendors were both critical and supportive; a physician IT leader had a mixed reaction; and privacy advocates were caustic and combative.

And in an ironic twist, one EHR company executive said the call for auditing access doesn’t go far enough, that the electronic peepholes insurance companies want installed in physician EHR systems should be placed in the payers’ IT systems as well.

{“This story shows that Dr. Kolodner, the National Coordinator for Health IT, and Michael Leavitt, Secretary of HHS, plan to press to open everyone’s entire electronic health records to prevent healthcare fraud. Bad idea. The cure for fraud is to eliminate the unfettered access to personal health information that HHS granted to over 4 million health-related businesses in 2002. Kolodner and Leavitt are faced with trying to prevent the rampant fraud that is inevitable if we build an electronic healthcare system without patient control of access to personal health records. Isn’t it time for Leavitt and Kolodner to reverse HHS’ disastrous decision to eliminate patient privacy? Leavitt was quoted as saying, ‘The topic of privacy often just runs head on with fraud.’ No, it does not. The patient’s right to privacy—the right to control access to his/her health records—is actually the best way to prevent fraud. ~ Dr. Deborah Peel, Patient Privacy Rights”}

DHS Data Mining Program Suspended After Evading Privacy Review, Audit Finds

A controversial Homeland Security data mining system called ADVISE, which aimed to search through trillions of records culled from government, public and private databases, analyzed personal information without the required privacy oversight, may cost more than commercially available alternatives, and has been suspended until a privacy review is completed, according to an internal audit.

The Analysis, Dissemination, Visualization, Insight, and Semantic Enhancement program, one of twelve DHS data mining efforts, hit the trifecta of civil libertarians’ concerns about data mining programs: invasiveness, secrecy and ineffectiveness, according to a recent DHS Inspector General report.

DHS hoped the data sifting tool would help analysts “detect, deter, and mitigate threats to our homeland and disseminate timely information to its homeland security partners and the American public.” The idea was to build a generic toolset that could find hidden relationships in massive amounts of data and provide the tool to groups working with data sets as divergent as intelligence and newspaper reports to WMD sensor data.

Started in 2003, the program has gotten $42 million in funding through 2007. But the data-mining program faces a troubled future, due to revelations that its tests did not simply use fake data as the DHS Science and Technology section publicly said they did.

{“Yet another example as to why we cannot simply “trust” the government to protect our privacy.”}

Download DHS Inspector General Report

Privacy breaches force online bill-payment company out of business

Last April, when a network technician working for Bellevue, Wash.-based Web content-management company Verus failed to set up a firewall properly as part of an online bill-payment service for hospitals, the mistake exposed patient data from at least a half-dozen hospitals across the country.

Until the mistake was discovered over a month later, patient information that had been stored by Verus on behalf of Concord Hospital in New Hampshire; St. Vincent Indianapolis Hospital in Indiana; Stevens Hospital in Edmonds, Wash.; and Sky Lakes Medical Center in Klamath Falls, Ore., among others, could be openly accessed on the Web. And it was, at least by Google bots that indexed it for search.

“Our data on about 9,200 patients was exposed for about five weeks on the Internet,” says Bruce Burns, CFO at Concord Hospital. “We were made aware it had been indexed by Google. We think a patient from Stevens Hospital was the first to discover it.”

Verus owned up to the security mistake, but Concord Hospital, along with other medical-care institutions forced to explain the data breach to the public, dropped the Verus bill-paying service like a hot potato. Verus figured prominently in their press releases as the culprit behind the fiasco.

{Verus, an otherwise respected and experienced technology company, has been forced to shut its doors in response to a string of privacy breaches. After having mistakenly left a firewall unprotected for months, Google searchbots found and indexed thousands of patient records from numerous hospitals across the country. As we move forward with an electronic health system, let Verus act as a reminder to those that champion the benefits of EHRs. Protecting patient privacy must be just as high a priority as the potential convenience of an electronic health system. Apparently Verus, and the hospitals that hired them, did not fully comprehend the task at hand. To quote Bruce Burns, CFO of Concord Hospital, “We need to better understand what’s entailed.” Without legislation that includes stiff penalties for breaches of health data, hospitals will continue to view patient privacy as a burden and not a responsibility.}

Privacy is true price of healthy worker discounts

The latest fad in American health care is to give discounts to workers who are healthy. Many corporate CEOs and their benefits department managers are showing enthusiasm for the idea that workers who don’t take care of themselves ought to pay more for health insurance.

Like a lot of temptations, this one is attractive. Why should you pay the same rate for insurance as that bloated, pasty oaf of a co-worker down the hall?

But cupcakes, beer and cheeseburgers are not the only temptations you should try to resist. Paying less for being healthy is an enticement you ought to oppose as well.

The plan just announced by the giant HMO UnitedHealthcare is a good example of why some bosses are licking their chops at the fad. Workers can lower their annual deductible (the amount you pay each year for health care or drugs before insurance kicks in) if they take company-administered tests every year to check blood pressure, cholesterol levels, and weight and to see if they smoke. For each health goal employees meet, $500 is knocked off their deductible.

This bright idea comes all dressed up in the attractive language of personal responsibility. Who could possibly be against that? If your boss wants to pay you to stop unhealthy behavior, how could that be bad? You win, the boss wins, the insurance company wins. So what’s the problem?

{The idea that your boss or insurance company wants you healthy just because they care is, upon serious reflection, dumb. What your boss cares about is that you get to work, work hard, stay late and don’t jack up the price of the health plan. And the insurers may just be looking for a way to shift exploding health care costs.

If you ski, fly a private airplane, drive go-karts, ride a motorcycle without a helmet, engage in risky sexual behavior, forgo a flu shot, sunbathe, eat rare meat, kayak, scuba dive or own a gun, you are defying medical wisdom and choosing to engage in unhealthy behavior. ~ Arthur Caplan, as quoted in the article}

Record-sharing stalls

Cash, privacy issues halt effort to electronically link patient information

Creating a system for local hospitals and physicians to electronically share medical records could save lives and millions of dollars in health care costs every year.

Knowing that, a Portland group of health care leaders has been working to make it happen.

But a year after the group began its work, the project has stalled — a victim of technological issues, and also of some overbearing financial disincentives: Some of the entities being asked to pay for the system can make a lot more money when the system isn’t in place.

The plan, which would make electronic patient records instantaneously available to all health care providers through a regionwide health information exchange, has been a major focus of the nonprofit Oregon Health Care Quality Corp. since 2003.

{The Portland, OR regional health information exchange has stalled over costs, projected lost income from duplicate tests, and the lack of privacy: patients would not control access to their medical records. According to Jody Pettit, MD, health information technology coordinator with the state’s Office for Oregon Health Policy and Research, the business council’s plan, which would sometimes allow hospitals and physicians to exchange patient health records without the permission of the patient, did not adequately protect patient privacy. Pettit said she prefers a model that would allow patients to maintain their own electronic medical records and to decide to whom they want to release the data. ~ Dr. Deborah Peel, Patient Privacy Rights}

RTI report includes controversial EHR requirement

The Bush administration has signed off on 14 recommendations in a federally funded report by RTI International on how to use electronic health-record systems to detect healthcare fraud and to gather evidence for fraud prosecutions.

The 115-page report, enigmatically titled Recommended Requirements for Enhancing Data Quality in Electronic Health Record Systems, is posted on the RTI Web site. It includes a controversial call for requirements that EHRs be designed to give payers, acting as fraud auditors, remote access to patient records, including a patient’s records over a period of time and not just those needed to verify care for a specific claim.

The work was funded by a $488,000 contract awarded in October by the Office of the National Coordinator for Health Information Technology at HHS, which reviewed and approved the recommendations. The report carries a May 2007 date, but was released by RTI last week.

While the stated objectives of the RTI study were to identify certification requirements for EHR systems that would help increase data validity, accuracy and integrity, the focus of the report was overwhelmingly on fraud detection and prevention. Specifically, it laid out a series of proposed requirements for EHRs to be picked up and incorporated into the activities of two separate, federally funded IT promotional organizations, the Healthcare Information Technology Standards Panel and the Certification Commission for Healthcare Information Technology.

{Fraud prevention is not the purpose of the initiative. More likely, it’s meant to cajole a resistant public and worried policymakers. Who can argue against fraud prevention? The focus on fraud prevention is meant to impede public resistance to broad data collection and access. There’s a burgeoning health data industry dependent on access to everyone’s information.

Data provides profits and power over patient care, sometimes both at the same time. If the NHIN succeeds, or if electronic medical records are mandated (as in Minnesota), except for intrepid doctors who will not bend, succumb to pressure or be compromised, there will be nowhere to get medical treatment outside the watchful eyes of ‘the system.’ EHR system data will be used to ration care. The decisions will be called ‘data-based.’ ~ Twila Brase, president of the Citizens’ Council on Health Care, as quoted in the article}
Download RTI Report

Authorization forms let insurance companies peek into your personal life

I often am hired to represent a client several months after the accident. The client has already signed a medical authorization for the insurance company to obtain medical records. Medical and personal issues that an individual would not disclose to anyone but their doctor are now open for scrutiny.

I then send the insurance company a letter canceling the medical authorization and requesting them to send me all records obtained from the authorization. Over the years, here is what I have found:

1. The insurance company has obtained highly personal records unrelated to the accident. Subject matter such as long ago miscarriages, abortions, suicide attempts, marital problems, etc. is now in the hands of the insurance company.

2. The client has no control over what happens to this information. Is this information left in the auto accident file or put in a national database of accident claimants? You simply do not know.

3. This highly personal information is used to discredit you as an injured claimant. Our policy is to obtain all of the relevant, current and prior, medical records. If some of the information is deemed not relevant and highly personal, we discuss these issues confidentially with our client.

{This blog is absolutely spot on. Do not ever sign a blanket release to allow anyone access to your entire medical records after an injury—specify that ONLY the records from specific dates at the few places where you were treated for that injury be released, NOTHING ELSE. ~ Dr. Deborah Peel, Patient Privacy Rights}

How do you get a secret username and password out of an IRS employee? … Just ask.

The IRS is fairly diligent when it comes to warning citizens about IRS-related phishing scams, IRS-related malware, and IRS-related rip-off artists. What they’ve needed to be doing, though, is warning us about IRS employees.

Turns out that the carelessness and gullibility of that bunch of nincompoops may represent at least as great a threat to the safety of taxpayers’ digital information as the phishers, virus writers and con men.

From an Associated Press report:

IRS employees ignored security rules and turned over sensitive computer information to a caller posing as a technical support person, according to a government study.

Sixty-one of the 102 people who got the test calls, including managers and a contractor, complied with a request that the employee provide his or her user name and temporarily change his or her password to one the caller suggested, according to the Treasury Inspector General for Tax Administration, an office that oversees the Internal Revenue Service. The caller asked for assistance to correct a computer problem.

{This should be a warning sign to consumers who value the confidentiality and privacy of their health records. If IRS employees turned over sensitive information to a caller pretending to be a computer support person, will Medicare and Medicaid employees do the same thing? If you believe you, and only you, own your health records and want Congress to act, contact your Senator and tell them to protect the privacy of your health records. ~ Dr. Deborah Peel, Patient Privacy Rights}

Zix Corporation Delivers for Non-profit Health System

Zix Corporation, the leader in hosted services for email encryption and e-prescribing, today announced that the Franciscan Missionaries of Our Lady Health System has chosen to renew its 4,000-seat license of ZixCorp’s policy-based Email Encryption Service for the next three years. ZixCorp boasts a 100 percent renewal rate in its Email Encryption business, measured on a revenue basis.

The Franciscan Missionaries of Our Lady Health System was organized in 1984 as a non-profit Louisiana corporation to operate three major medical centers in Louisiana. The organization originally deployed ZixCorp’s Email Encryption Service in April 2005. The service provides an easy and cost-effective way to ensure patient privacy and regulatory compliance for corporate email. As the leading email encryption service provider with more than 8 million protected email recipients, ZixCorp’s vast encryption directory allows seamless encrypted email delivery to healthcare organizations, insurers, financial institutions and regulators, including the federal banking regulatory agencies. This solution is ideal for the Franciscan Missionaries of Our Lady Health System, which encompasses more than 7,000 team members as well as 17 specialty hospitals and outpatient joint ventures.

“Safeguarding the privacy of patients’ health information is of utmost importance to our customers,” said Rick Spurr, chief executive officer for ZixCorp. “With our Email Encryption Service, organizations like the Franciscan Missionaries of Our Lady Health System can easily communicate with one another, their partners and their patients with the confidence that any emails containing personal health information will be protected.”

{The patients at Our Lady Health System should rest easy knowing that email communication is safe and secure. Unfortunately, many of these emails contain personal health information that patients have not given consent to be disclosed or have any way of knowing to whom it is disclosed. Ensuring that communication is locked down and secure is NOT the first step; giving patients control over access to their health records should be first. Why does the healthcare system violate patients’ rights to control who can see personal health information? ~ Dr. Deborah Peel, Patient Privacy Rights}

Co-defendant in patient-ID theft scheme gets prison term

The co-defendant in an extensive identity-theft scheme that targeted hospital patients was sentenced today to two years and three months in prison. Linda D. Williams was the “inside” person for Richard Yaw Adjei, providing him with detailed personal information about hundreds of people who had their hospital bills processed through a Delaware company where she worked.

Williams, 32, apologized in court. Her defense attorney, Federal Public Defender Edson Bostic said that, at the time of the crimes, Williams was going through hard times and suffering from depression.

But Chief District Judge Gregory M. Sleet dismissed those excuses, noting Williams held a stable job and had a new place to live when she conspired with Adjei, and knew that she was taking the identities of vulnerable people.

Assistant U.S. Attorney Beth Moskow-Schnoll said one victim recalled having to tell her 9-year-old child that she was suffering from a brain tumor and that there would be no Christmas presents that year because she didn’t have her tax-refund money to buy gifts.

{Many believe that electronic health systems will prevent insiders like office clerks from being able to steal information from our medical records. But today no federal laws require our permission before a clerk or a doctor can access our personal health records. Unless Congress makes ironclad consumer privacy control over health information the foundation of the digital health system, criminal identity thefts using data from our health records will massively increase. ~ Dr. Deborah Peel, Patient Privacy Rights}