Nearly half of data breaches not disclosed: report

Only 10% of healthcare leaders in a recent survey indicated their organizations would notify patients in the event of a data breach affecting them, but 56% of those respondents whose organizations actually had experienced a data breach indicated their patients were notified of the security lapse.

This according to a report issued Tuesday by HIMSS Analytics, a data-analysis unit of the Chicago-based Healthcare Information and Management Systems Society and Kroll Fraud Solutions, a unit of Kroll Inc., which is a wholly owned subsidiary of Marsh & McLennan Cos., New York.

The report was based in part on a survey of 263 healthcare industry sources—including information technology professionals (50%), health information management professionals (21%) and chief security officers (12%)—that was conducted by phone in January. Only one respondent per organization was allowed to participate.

Of them, 13% indicated there had been an actual security breach at their organization in the prior 12 months. Most commonly compromised were the patient’s name (65%) and “high level patient information, such as diagnosis,” (62%) the report said.

The authors note that “loopholes” in current federal privacy and security rules, including the Health Insurance Portability and Accountability Act of 1996, the Sarbanes-Oxley Act of 2002 and others, “have enabled breach cases to go unreported, preventing an accurate report on frequency.”

But that period of grace is ending.

State legislatures are expected to once again follow the lead of California in the privacy and security area by mandating that data security breaches involving healthcare information become reportable events, the report said.

Since July 2003, California law has required that any government agency, person or business that maintains computerized data “shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is, reasonably believed to have been, acquired by an unauthorized person.”

Under the 2003 law, personal information was defined as a person’s Social Security number, driver’s license number or California identification card, as well as an account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account. Since then, about 40 states have passed similar data-breach notification laws.

Effective this January, however, California upped the ante, expanding the definition of personal information covered by its mandatory reporting law to include both medical information, such as a person’s medical history, treatment or diagnosis, mental or physical health condition; and what the law differentiates as “health information,” such as a person’s health insurance policy or subscriber number, application and claims history, as well as appeals records.

According to the HIMSS/Kroll report, recognizing that California regulations have inspired other states to introduce similar notification laws in the past, the enactment of a law extending reporting requirements to medical and insurance information “may reasonably be viewed as a harbinger of changes to come across the country.”

Under the new California law, “Virtually any loss or compromise of patient data will require patient notification,” the report said.

Medical information, it said, “is the most valuable and content-rich for fraudulent use and profitability.”

“In addition to name, Social Security number and date of birth (the golden combination), records in these facilities also contain mailing address, insurance policy information, medical history, and, in some cases, credit card and financial information to expedite billing and payment—more data in one record than those of any other source such as banks, schools or HR departments,” the report said.

RTI study raises a wide array of reactions

Reactions varied widely between technology vendors, privacy advocates and government and clinical IT leaders questioned about a federally sponsored study that calls for re-engineering electronic health record systems so they can be used by payers as fraud-fighting tools.

The report includes a call for a controversial requirement that EHR developers build into their systems portals that allow payers to access physicians’ EHRs and patients’ longitudinal medical records.

Government contractors and the top federal healthcare IT official were either enthusiastic or at least accepting of the proposals; healthcare information technology vendors were both critical and supportive; a physician IT leader had a mixed reaction; and privacy advocates were caustic and combative.

And in an ironic twist, one EHR company executive said the call for auditing access doesn’t go far enough, that the electronic peepholes insurance companies want installed in physician EHR systems should be placed in the payers’ IT systems as well.

{“This story shows that Dr. Kolodner, the National Coordinator for Health IT, and Michael Leavitt, Secretary of HHS, plan to press to open everyone’s entire electronic health records to prevent healthcare fraud. Bad idea. The cure for fraud is to eliminate the unfettered access to personal health information that HHS granted to over 4 million health-related businesses in 2002. Kolodner and Leavitt are faced with trying to prevent the rampant fraud that is inevitable if we build an electronic healthcare system without patient control of access to personal health records. Isn’t it time for Leavitt and Kolodner to reverse HHS’ disastrous decision to eliminate patient privacy? Leavitt was quoted as saying, ‘The topic of privacy often just runs head on with fraud.’ No, it does not. The patient’s right to privacy—the right to control access to his/her health records—is actually the best way to prevent fraud. ~ Dr. Deborah Peel, Patient Privacy Rights”}

Promoting patient safety top IT concern: study

Promoting patient safety while reducing medical errors continues to be the top reason for implementing information technology while a lack of financial and staffing resources continues to be the most significant barrier to implementation, according to the 18th annual Healthcare Information and Management Systems Society leadership survey released today.

Among the 360 healthcare IT leaders surveyed, 54% said reducing errors and promoting safety was their top IT priority in 2007, which is up from 50% in 2006. Next on the list was replacing or upgrading inpatient clinical systems at 48%, up from 29% last year. Added to the list of priorities this year was “business continuity and disaster recovery,” which was named by 35% of the respondents as a priority.

The lack of adequate financial support was named the top barrier to IT implementation for the seventh-straight year. This was named by 20% of the respondents, compared with 18% in 2006. This was followed by lack of staffing, at 16% compared with 17% last year; and “vendors’ inability to effectively deliver a product or service to satisfaction,” at 15% up from 12% last year.

Barely on the radar screen were two areas the federal government has been focused on: a lack of common data standards, named by only 2% of respondents as a significant barrier; and “laws prohibiting data sharing (such as Stark),” which was named as a significant barrier by less than 1% of the respondents. HIMSS President and Chief Executive Officer Stephen Lieber said during a news conference that the members of his organization had encouraged the federal government to reform Stark and maybe it was just too early to measure the effect of these efforts or that organizations haven’t “aggressively” taken advantage of new opportunities that are now available.

“It’s not necessarily a wrong place for government to focus,” Lieber said. “I don’t think we’ve seen the impact yet.”

Privacy and security concerns are definitely on the public’s mind these days, and, among those surveyed, 18% reported experiencing a security breach within the past six months. Also, internal breaches of security were named as the top data security concern by 57% of the respondents. In response to security concerns, 70% projected they were most likely to implement disaster-recovery technologies; 69% would use firewalls; 68%, user access controls; and 64% mentioned both the use of audit logs and single sign-ons as possible security measures.

HIMSS Board Chairman George Hickman noted “it’s clear that providers will be adopting multiple measures.”

National Consumer Health Privacy Survey 2005

In 1999, the California HealthCare Foundation (CHCF) released a groundbreaking study of Americans’ attitudes and behaviors concerning health privacy. The study found that nearly three out of four Americans had significant concerns about the privacy and confidentiality of their medical records. Now six years later, following implementation of national privacy protections under the Health Insurance Portability and Accountability Act (HIPAA), and the President’s push to adopt electronic medical records, a new CHCF survey plumbs consumers’ attitudes about the privacy of their health information.

Conducted by Forrester Research, the survey reveals that—despite federal protections under HIPAA—two in three Americans are concerned about the confidentiality of their personal health information and are largely unaware of their privacy rights.

In addition, one in eight patients reportedly engages in behavior to protect personal privacy, presenting a potential risk to their health. More than half (52 percent) of respondents are concerned that employers may use health information to limit job opportunities, highlighting the implications of the privacy issue.

Yet despite these concerns, consumers report a favorable view of new health technology, with a majority (59 percent) willing to share personal health information when it could result in better medical treatment.

As efforts to develop a nationwide health information network proceed, unaddressed concerns about personal privacy could have major implications.


Study Faults Follow-Up for Cancer Patients

With the help of powerful new drugs and surgical treatments, millions of Americans survive cancer, but doctors often ignore the patients’ needs after saving their lives, the National Academy of Sciences said on Monday.

The number of cancer survivors is growing rapidly, but their care is often haphazard and disjointed, so no one notices a recurrence of cancer or side effects that can occur months or years after treatment, the academy said in a new report.

One reason for the lack of appropriate follow-up care, it said, is that in many cases, insurance companies and health plans do not cover the necessary tests and examinations.

Dr. Sheldon Greenfield, chairman of a panel of 17 experts who conducted the study, said: “There are now 10 million Americans who have had cancer. Thanks to successes in cancer detection and treatment, as well as an aging population, their ranks are growing steadily.” But, Dr. Greenfield said, many survivors are lost in the health care system, “somewhere between active treatment and long-term follow-up.”

More than 60 percent of cancer survivors are 65 or older, so Medicare is “the primary payer of care for cancer survivors” in the United States, said the panel, established by the Institute of Medicine, an arm of the academy. It said government programs like Medicare, as well as insurance companies, should pay cancer specialists to prepare a comprehensive plan describing the follow-up care that ought to be provided to each person treated for cancer.

Cancer specialists should routinely provide such plans to internists and other primary care doctors, the panel said. At present, said Dr. Greenfield, a professor at the University of California, Irvine, “there is no organized system to link oncology care to primary care.”

Patricia Grullion, 46, of Los Angeles described what she experienced after being treated for breast cancer in 2001 and 2002.

“When my treatment ended,” Ms. Grullion said in an interview on Monday, “I was given a clean bill of health, but nobody gave me any real plan for the future, or any thoughts about what I could expect physically or emotionally. During the treatment, I focused on the task at hand, like a warrior. But after the treatment ended, I felt lost. I should have been elated, but I was scared, I was crying. Whenever I had a cold or an ache in my bones, I wondered, ‘Is the cancer coming back?’ ”

The American Society of Clinical Oncology, which represents more than 20,000 cancer specialists, welcomed the academy’s recommendations and said it would try to carry them out. “The oncology community agrees” with the proposals, said Dr. Patricia A. Ganz, a breast cancer specialist who is on the society’s board and was a member of the panel that wrote the report.

“Millions of patients are living with cancer as a chronic condition and need good long-term follow-up care,” said Dr. Ganz, a professor at U.C.L.A. “An internist or family doctor may send hundreds of patients for mammograms and colonoscopies, but in many cases they know little about the treatment their patients receive for cancer.”

An explicit written plan for follow-up care could save lives by increasing the probability that primary care doctors will detect a recurrence of the original cancer, development of a new cancer or “chronic preventable conditions” that follow treatment, Dr. Ganz said.

Cancer survivors often experience psychological problems, including depression, persistent anxiety, debilitating fatigue and fear that cancer will return. Patients treated with surgery, radiation and chemotherapy may suffer infertility or impairment of sexual function, and have an elevated risk of developing osteoporosis, congestive heart failure and other heart problems, strokes and blood clots. In some cases, the panel said, chemotherapy may cause leukemia or bladder cancer.

Cancer survivors sometimes find that they are uninsurable. In many states, the panel said, insurance companies refuse to sell individual health insurance policies to people with a history of cancer, or charge them much higher premiums than are paid by other subscribers.

In addition, “a majority of cancer survivors who worked before their diagnosis return to work following their treatment” but often face discrimination from employers, sometimes even losing their jobs, the report said.

In some cases, the discrimination may violate federal or state laws. But Janlori Goldman, a research scholar at the Columbia University College of Physicians and Surgeons, said, “Federal law is not entirely clear about whether employers can discriminate against a person who currently has cancer, has had cancer in the past or has a genetic predisposition to it.”

Kaiser Permanente’s experience of implementing an electronic medical record: a qualitative study

Objective To examine users’ attitudes to implementation of an electronic medical record system in Kaiser Permanente Hawaii.

Design Qualitative study based on semistructured interviews.

Setting Four primary healthcare teams in four clinics, and four specialty departments in one hospital, on Oahu, Hawaii. Shortly before the interviews, Kaiser Permanente stopped implementation of the initial system in favour of a competing one.

Participants Twenty six senior clinicians, managers, and project team members.

Results Seven key findings emerged: users perceived the decision to adopt the electronic medical record system as flawed; software design problems increased resistance; the system reduced doctors’ productivity, especially during initial implementation, which fuelled resistance; the system required clarification of clinical roles and responsibilities, which was traumatic for some individuals; a cooperative culture created trade-offs at varying points in the implementation; no single leadership style was optimal–a participatory, consensus-building style may lead to more effective adoption decisions, whereas decisive leadership could help resolve barriers and resistance during implementation; the process fostered a counter climate of conflict, which was resolved by withdrawal of the initial system.

Conclusions Implementation involved several critical components, including perceptions of the system selection, early testing, adaptation of the system to the larger organisation, and adaptation of the organisation to the new electronic environment. Throughout, organisational factors such as leadership, culture, and professional ideals played complex roles, each facilitating and hindering implementation at various points. A transient climate of conflict was associated with adoption of the system.