Report: HIEs failing at true interoperability

See a summary of the report by Mike Miliard at GovHeathITHIEs failing at true interoperability

· Healthcare organizations “must unlock the patient data in EHR silos of hospitals and affiliates to better coordinate and improve quality of care delivered. Health Information Exchange technology is the enabler.”

· Until EHR vendors incorporate a shared set of standards, HIEs will remain in a state of stunted development, said Moore: “Across the board, legacy systems fail to support true interoperability, and vendors are doing little to remedy this situation.”

· The report will also look to the future as to how this [Health Information Exchange or HIE] market will grow and evolve over the next several years as meaningful use requirements take hold, healthcare reform brings forth changes in reimbursement models, access to health data moves to mobile platforms and the consumer takes on a larger role.”
The quotes above show that the health technology industry and the government are beginning to face key facts:

· Data silos endanger patient health and safety: obviously we need our doctors to see relevant parts of our medical records held by other doctors/hospitals.

Electronic Health Records companies, hospitals, and the many other corporations that hold our electronic health information want to continue to “own”, control, and sell our personal health data. They built this system of “silos” that PREVENT data exchange (also called “interoperability”).  Corporations fiduciary duties to make profits for shareholders trump exchanging health information to save patients’ lives and reduce costs!

· Consumers = patients. If we say so, our health records must be shared with our physicians or other health professionals. This is matter of law.

No matter which corporations or health professionals hold our electronic health data, we are entitled to electronic copies. If you say your health data should be sent to another physician or health professional, the data holder must send it. ONLY individual patients or “consumers” have clear rights to control personal health information and have it sent to the other physicians and health professionals who are treating them.

· HIEs, data exchanges where patients have no meaningful control over who can copy and use their health information, are not the answer.

How “Direct” exchange works (via the “Direct Project”): a participant (like our physicians) can send secure, encrypted health information directly to a known, trusted recipient over the Internet. Unlike the case with HIEs, personal health information can’t be “pulled” from the 10, 20, or 100 places that hold our health records. Using the “Direct” method, someone has to decide to send one patient’s data to another person.

We ["consumers"] are the ONLY ones who can quickly, easily, and legally get and “exchange” our own health records at will. Hippocrates Oath, the foundation of the physician-patient relationship, states that sensitive health information should ONLY be shared with the patient’s consent.  Data exchanges like the Direct Project

The only way electronic health systems can work and earn the public’s trust is if data flows are controlled by patients, with very rare legal exceptions.

The Depressing State of HIEs

See the full article at Hospital EMR and EHR: The Depressing State of HIEs

Yes, the state of Health Information Exchanges (HIEs) in the US is depressing, because many don’t work well for patients or doctors. They enable hundreds or thousands of strangers who work for hospitals, insurers, health IT companies, etc to exchange, use, or sell our sensitive medical records without our consent.

The safe way to exchange health information is to use secure email and patient consent, this is called the “Direct Project”. See: http://directproject.org/ . It enables us to share our health information between two health professionals and email physicians. The Direct Project enables “participants to send authenticated, encrypted health information directly to known, trusted recipients over the Internet.”

Patient Privacy Rights (PPR) endorses the “Direct Project” as the ONLY legal, ethical, and secure way for sensitive patient information to be exchanged.  The public will not trust HIEs or national data exchange models unless patients control the disclosures of their sensitive health records.

A quote from the story below shows financial interests of Accountable Care Organizations (ACOs) can trump patients’ interests: “Some ACO providers are now blocking access to their data so competitors can’t get to it”—-that means doctors who are not part of the ACO but who treat ACO patients can’t see their test results and treatment records–even when these patients want them to have that information.

Some ACOs and other businesses view HIEs as vehicles to get more patient data, rather than as a means to serve patients’ needs for care coordination, to avoid duplicate tests, to ensure better treatment, or enable them to give consent for research use of their data.

Many corporations and businesses that HOLD patient data imagine they own it, so they use and sell it without patient consent. US law and medical ethics still require meaningful, informed patient consent before physicians or data holders can disclose anyone’s health information. “HIPAA compliance” actually does NOT get data holders off the hook for asking patients for consent before disclosing data. According to the HIPAA Privacy Rule, it’s “the floor” for data privacy protection, not the ceiling. 67 Fed. Reg. at 53,212 (August 14, 2002).  HIEs designed to further business interests over patients’ interests will continue to fail, because the public will not support them.

It turns out that the only person who can easily, cheaply, and legally make patient data flow for all the right reasons (treatment, research), to all the right all the people (a specific doctor or researcher) at the right time is YOU.

Only you can tell an ACO to send your data to an outside clinician —- and the ACO must send it, whether it gives competitors an advantage or not. Only you can make your data “fluid”, because patients are the only people with clear, longstanding Constitutional, legal, and ethical rights to disclose personal health information.

In PPR’s recent comments about building a Nationwide Health Information Network (NwHIN), we urged the Office of the National Coordinator for Health IT (ONC) to address the fatal privacy and security flaws in current systems and state and federal data exchanges. We urged ONC to certify that HIEs and data exchanges protect privacy by verifying that only patients decide when/where personal data flows.  “Multi-stakeholder” public-private governance at the state and federal level has failed to gain public trust.  Public-private governance assures that industry, research, and government interests trump the public’s rights to health information privacy. See: http://tiny.cc/e1v0gw for more information.

Texas Error Exposed Over 13 Million Voters’ Social Security Numbers

See the full article in DataBreaches.net: Texas Error Exposed over 13 Million Voters’ SSNs

This story shows it’s easy to disclose the social security numbers of 13 million people at once. The data came from Texas’ voter registration data base, which was attached to a court report, BUT security breaches of the personal health information of millions of patients is also very common (see recent Utah and BCBS of TN breaches). Today’s electronic systems enable many new ways to breach data security and expose personal information.

The story below is about a government employee who attached over 13 million SSNs to a report and sent it to a 3rd party without anyone else reviewing his/her actions before the data was disclosed.  Where should the bar be set for disclosing personally identifiable information in any report?  At 1 million records? At 100 million records?

Most of the US health care system lacks effective protocols and procedures to protect data security and to prevent inappropriate data release and data breaches. Health data privacy and security require comprehensive and meaningful protections. We have a long way to go. Vastly expanding health IT systems before these problems are solved is a prescription for more data

Harvard’s Data Privacy Lab launching health record bank

Read the full article at: http://www.nhinwatch.com/perspective/harvard’s-data-privacy-lab-launching-health-record-bank

Some key points from the story:

“In a major new development in the world of health IT, the Data Privacy Lab in the Institute of Quantitative Social Science at Harvard University will soon unveil a health record bank (HRB) that allows anyone to own and manage a complete, secure, digital copy of their health records and wellness information with a free account. This is the first time that a prominent academic institution is hosting an HRB for use by the general public and communities nationwide.”

“This launch is important for health IT because an HRB can provide and sustain all the capabilities of a fully functional health information infrastructure (HII):
1. It allows access to comprehensive individual electronic patient records, aggregation of population information for public health and medical research, and record searching to facilitate patient-specific notifications;
2. Privacy is protected since each patient determines who can access which portions of their own health records;
3. Collecting patient information is assured – since patients request their records, all providers must supply them (under HIPAA and for Stage 2 Meaningful Use);
4. It is inexpensive to operate since it obviates the need for the complex and costly real-time record locator services necessary when each patient’s records from all sources are not centrally stored;
5. Patient consent enables innovative applications linked to HRB accounts, providing compelling value to consumers and other stakeholders (e.g., reminders and alerts), thereby ensuring more than enough revenue for financial sustainability. HRBs could even fund permanent, ongoing EHR incentives to office-based providers to help further promote widespread adoption and standards compliance. The HRB at Harvard therefore represents a feasible and readily achievable HII paradigm that can be utilized by individuals and communities nationwide.”

Health privacy issues can be resolved without obstructing care

See full article in FierceHealthIT: Health privacy issues can be resolved without obstructing care

Ken Terry writes about the big issues with patient privacy today and possible solutions.

“At times, it seems like concerns about the security and privacy of healthcare data have catapulted into overdrive: For instance, it recently was predicted that healthcare spending on security would hit $70 billion a year by 2015–enough to cover the majority of the uninsured. Sure, there are plenty of security breaches–some of them serious enough to attract public attention. But as a few recent cases show, universal encryption of data (some forms of which may soon be required under the latest HIPAA rules) could eliminate the biggest source of security breaches. Also, with the advent of virtual desktop infrastructure, there’s no reason to store any personal health information on end-user devices.
Another challenge in the security arena is giving consumers the ability to control who sees their records. While most physicians now have their patients sign HIPAA forms so that they can share data with other providers, the advent of electronic health information exchange (HIE) has greatly increased access to a wide range of individually identifiable data from a variety of sources. And patients may not want everyone who treats them to know, for example, that they have seen a psychiatrist.”

PPR in the Wall Street Journal

The Journal Report of The Wall Street Journal featured Patient Privacy Rights’ founder in a debate about Unique Patient Identifiers (UPIs). Deborah C. Peel, MD, founder & chair of Patient Privacy Rights, opposes UPIs, pointing out there are better electronic records systems that allow patients to control data exchanges for treatment and other approved uses.

You can read both sides of the debate at this link: “Should Every Patient Have a Unique ID Number for All Medical Records?”

While voting remains open, the scores have remained fairly static over the past month showing a clear victory. Deborah Peel, MD has won the debate for Patient Privacy Rights, exposing the dangers of UPIs in electronic health record systems. If you have not already, you can still vote “No” to UPIs, and help protect patients, privacy, and progress toward patient-controlled electronic health records. If you are in the main article, voting takes place on the left side of the screen below the picture of Michael Collins. You can also use this direct link to vote after reviewing the full debate.

To dispel the myths of UPIs:

  • Trying to separate UPIs from financial records would be like trying to separate SSNs from everything they have been linked to, including medical records!
  • UPIs will give government, industry, data miners, and others greater ability to collect all health information on individuals. Imagine giving everyone a unique financial identifier that they would use for all credit cards, banks, retailers, and other financial institutions. Would you feel your money was secure?
  • A surprising amount of patients already do not trust a paper-based system, and fear for their privacy even more with expanding Health IT. Having a UPI takes away the idea of patient control and consent, creating one very easy and obvious way for anyone with the means necessary to look up a patient’s full health record. Patients will only accept a system they can control.

We do our work to improve health care by protecting patient privacy. We encourage you to protect your own privacy rights by voting now.

National experts to meet at HIMSS to promote health record banks

See the full article at: http://www.nhinwatch.com/perspective/national-experts-meet-himss-promote-health-record-banks

Experts are planning to meet at HIMSS to discuss “strategies to promote and accelerate development and adoption of HRBs – community-based personally controlled repositories of electronic health records.”

Some key points:

  • -“HRBs can provide effective and efficient health information infrastructure (HII) in communities by simultaneously addressing the interdependent requirements of privacy, stakeholder participation and financial sustainability.”
  • -“HRB allows patients to readily and conveniently manage their access permissions in one place. In addition to being an effective approach to privacy, patient control also ensures that stakeholders make information available.”

The article goes on to list the cost and efficiency revenue advantages of HRBs as well as the privacy implications.

Changes to EU Data Protection Directive Will Likely Impact U.S.-Based Companies

See full article at Loeb & Loeb, LLP Privacy Law Alert: Changes to EU Data Protection Directive Will Likely Impact U.S.-Based Companies

“Planned changes to the European Union’s Data Protection Directive (EU Directive), some of which are directed at non-EU companies, may significantly impact how U.S.-based entities that interact with EU consumers can collect, store and use consumer data.

The revised EU Directive will give consumers more control over their personal data, including requiring explicit user consent before companies can use data and giving consumers the right to delete data, especially data they posted themselves, otherwise known as the “right to be forgotten.”  The proposed changes also will likely include increased transparency for data processing – providing greater information about when and how data is collected, stored and used, and making it easier for consumers to indicate their privacy preferences.”

Open-Source Health Care Software

It’s a great read and critical viewpoint. To view the full article, please visit Open-Source Healthcare Software.

Key Quotes:

  • -“Unlike devices and services, most medical software is not regulated, placing the burden of safe and effective use on the physician.”
  • -“Despite the obvious benefits, open-source software is still rare in medical practice because, as with music and other information-based products, it is easy to copy.”
  • -“As medical software begins to offer decision support, risk management, performance rating, and analytic features, physicians should not accept black boxes and secret formulas that constrain sharing and intimately affect patient care and remuneration.”
  • -“Software creators will not switch to producing open-source products voluntarily because they stand to lose money by doing so. Only physicians can drive this change, and this paper describes the reasons why doing so is important to our profession and our patients.”
  • -“The Direct Project hosted by the Department of Health and Human Services is open-source software for secure e-mail to replace the fax as the primary means of communication between practices and even with patients. Direct Project has many unique features as a result of its noncommercial open-source design, including universal addressing that is not tied to a particular vendor or institution. Universal addressing, like modern e-mail, does not restrict communications to members of a particular exchange.”
  • -“Open-source software offers the same benefits in medicine as it does in other fields. These include ethical advantages, access, innovation, cost, interoperability, integration, and safety.”
  • -“As physician income becomes increasingly tied to patient outcomes and dependent on coordination of care, lack of interoperability, integration, and standardization has begun to impact clinical practice. It is hardly surprising that interoperability and integration costs related to proprietary health care software are extremely high and that the true value of health care services is difficult to measure and compare.”
  • -“The broad ability of users to adopt and improve software creates diverse, global communities on the Internet with significant incentive to help each other.”
  • -“Proprietary software puts the physician at the mercy of the vendor, who is often more interested in acquiring new customers than serving locked-in customers”

Resolution of Disapproval in Supreme Court Decision in Sorrell v. IMS Health Case

Lawmaker, author of health privacy protections in economic recovery act, declares privacy rights of doctors, patients should trump commercial interests

WASHINGTON, D.C. – On Friday July 8, 2011, Congressman Edward J. Markey (D-Mass.), co-chairman of the Congressional Bi-Partisan Privacy Caucus and senior member of the House Energy and Commerce Committee, introduced H.Res. 343, a resolution expressing disapproval of the recent Supreme Court decision in Sorrell v. IMS Health. In its decision, the Court struck down a Vermont state law that banned the sale of doctors’ drug prescriptions records if the records are used for commercial purposes without the doctors’ permission.

Rep. Markey’s resolution states that the Court erred in applying free speech protections to a Vermont law that lawfully regulated a purely commercial interest. Before the Vermont law was enacted, data-mining companies would purchase information about doctors’ prescription drug information from pharmacies and then resell the data to pharmaceutical companies. The pharmaceutical companies could use the information – without the doctors’ consent – for the commercial purpose of targeting their sales messages and marketing more expensive, brand-name drugs to physicians.

“In this case, the Supreme Court tipped the scales of justice in favor of big drug companies at the expense of patients and their doctors,” said Rep. Markey. “The privacy of the doctor-patient relationship should outweigh the ability of pharmaceutical companies to mine data simply so they can market expensive drugs to providers and reap huge profits. States should be able to regulate pharmaceutical companies in a way that protects the privacy of their residents and prevents pharmaceutical companies from having undue influence on doctors’ prescribing habits.”

Dissenting in the Supreme Court’s 6-3 decision, Justice Stephen Breyer wrote that the Vermont state law in question “adversely affects expression in one, and only one way. It deprives pharmaceutical and data-mining companies of data…that could help pharmaceutical companies create better sales messages.” The dissent, which was joined by Justices Ruth Bader Ginsburg and Elena Kagan, stated that the Vermont statute is a “lawful governmental effort to regulate a commercial enterprise…The far stricter, specially ‘heightened’ First Amendment standards that the majority would apply to this instance of commercial regulation are out of place here.”

Dr. Deborah Peel, a national health privacy expert and founder of the non-profit Patient Privacy Rights, praised the Markey resolution. “With a Supreme Court that stands up for the interests of pharmaceutical companies, it’s reassuring to know that Congressman Markey is looking out for patients and doctors who value the privacy of their prescription drug information.”

Text of the resolution can be found HERE.