Data Breaches: A Growing and Alarming Trend and a Potential Safe Harbor
Since the data breach notification regulations by HHS went into effect in September 2009, 385 incidents affecting 500 or more individuals have been reported to HHS, according to its website. A total of 19 million individuals have been affected by a large data breach since 2009. The regulations require a covered entity that discovers a reportable breach affecting 500 individuals or more to report the incident to the HHS Office of Civil Rights immediately. After an investigation, HHS publicly posts information about the reported incident on its website on what has become known as the “Wall of Shame.” Of the 385 reported incidents, there are six separate incidents each affecting a million individuals or more. In its 2011 annual report to Congress, HHS reported that in 2009 covered entities notified approximately 2.4 million individuals affected by a breach and 5.4 million individuals the following year. This number grew in 2011 and it will likely continue to grow in 2012. To date, the largest breach took place in October 2011 at Tricare, the health insurer of American military personnel, which affected 4,901,432 individuals after storage tapes containing protected health information (PHI) were stolen from a vehicle. These numbers are staggering, but fortunately more can be done and should be done to prevent data breaches.
Data breaches can cause great harm to the affected individuals, providers and institutions. Individuals may experience embarrassment and harassment because sensitive health information was released. Individuals are vulnerable to identity theft and financial fraud if personal information such as social security numbers was accessed. More frequently, institutions are offering credit monitoring services to affected individuals to monitor for potential fraud. Similarly, data breaches carry a very high cost for institutions that will have to spend great sums to investigate and report a breach to HHS, the media and the affected individuals. An institution or provider’s reputation can also be harmed through negative publicity and the loss of consumers. More institutions are hiring public relations teams after a breach to minimize the amount of fallout and negative publicity. The threat of litigation and class action lawsuits following a breach is also present and very real. Stanford Hospital, Tricare, and Sutter Health are all facing million- and billion-dollar class action lawsuits for their 2011 data breaches.
The bad news is that data breaches are impossible to predict and it is impossible to protect against every type of possible breach. Unfortunately, even the strongest policies, precautions and security measures cannot protect an entity from a hacker, thief or an employee or business associate’s honest mistake. As more providers and institutions adopt electronic health record systems and digitize their records, data breaches will continue to occur and large breaches will be spotlighted by the media. Pursuant to the regulations, a covered entity must alert a prominent media outlet if a reported breach affects more than 500 people of a state. Based on the events of last year alone, it is clear that the media loves to report on data breaches and will continue to do so. Hopefully this public exposure will serve to increase accountability to the public rather than instill fear in the public and hurt consumer confidence in the EHR movement.
The good news is that more can be done by providers and institutions to prevent harmful and costly data breaches. Data security and patient privacy should be the focus of the industry in the upcoming years because it is just as important as meaningful use certification. The benefits flowing from the Medicare incentive payments that an institution may receive under the Affordable Care Act can be canceled out in the event of a large and debilitating data breach. It would be wise for covered entities to focus on preventing data breaches as much as achieving meaningful use.
There is no easy solution to preventing breaches, but encryption is one surefire way an entity can better protect itself from a costly breach. As entities become more familiar with EHR systems and recognize the risks involved in storing and transferring PHI data, implementing encryption technology should become a top priority for each entity.
Encryption of PHI is a major step a provider or institution can take to secure its sensitive patient data. Encryption is the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key. According to guidance from HHS, if an entity encrypts its data in accordance with the National Institute of Standards and Technology standards for encryption, then any breach of the encrypted data falls within a safe harbor and does not have to be reported. This is an incredibly important safe harbor that could save an entity a lot of money. It is shocking that more entities, especially those with the means and resources to install a qualifying encryption system, do not utilize encryption technology on any of their electronic devices, especially portable devices.
Of the 385 reported breach incidents, thirty-nine percent involved a lost or stolen laptop or other portable media device containing unencrypted PHI. A report recently released by Redspin, an IT security firm, states that data breaches stemming from employees losing unencrypted devices spiked 525 percent in the last year alone. This statistic confirms that devices, including laptops, tablets and smartphones, pose a very high risk for a data breach. Redspin reported that eighty-one percent of healthcare organizations now use smartphones, iPads, and other tablets, but forty-nine percent of respondents in a recent healthcare IT poll by the Ponemon Institute said that nothing was being done to protect the data on those devices. At the very least, these reports and the statistics on HHS’s “Wall of Shame” should encourage entities to encrypt their portable electronic devices that contain sensitive PHI.
There are of course costs associated with adopting encryption technology in an EHR system. There are costs to install the system and maintain it with the help of an IT expert. Encryption of information can also slow down the processes used in sharing information. After all, one of the main goals of an EHR system is to make it easier for providers to share health information about their patients. An entity should work with an IT expert to determine what information should be encrypted in order to maximize the efficiencies of an EHR system. Despite the costs, the money and resources spent implementing encryption technology can be well worth it and are a smart investment for any entity with an EHR system. In a study published in 2011, the Ponemon Institute found that the cost of a data breach was $214 per compromised record and the average cost of a breach is $7.2 million. In light of the large data breaches that have been reported, it is clear that the costs of a breach can be much higher than the costs to implement encryption technology.
Under the HITECH Act and HHS’s interim final rule, encryption of health information is not mandatory. It remains to be seen whether HHS will impose a mandatory encryption policy on all devices or, at the very least, all portable devices capable of storing or transferring PHI, when it releases the final version of the data breach notification regulations sometime this year. The health care industry’s lack of encryption for patient information has drawn attention on Capitol Hill. At a November 2011 hearing before the Senate Judiciary Committee’s panel on Privacy, Technology and Law, Deven McGraw of the Center for Democracy and Technology testified that “we know from the statistics on breaches that have occurred since the notification provisions went into effect in 2009 that the healthcare industry appears to be rarely encrypting data.” At the hearing, Senator Tom Coburn, a physician himself, and Senator Al Franken, the chair of the panel, both voiced their concern over patient privacy protection and the current regulatory scheme. Senator Franken has said that he is contemplating legislation to encourage encryption by providers, although no action has been taken.
In the interim, it is reasonably clear that most, if not all, entities can benefit from implementing encryption technology when considering the costs and headaches associated with a data breach. When encryption is done properly, it has the potential of saving an entity a large sum of money, perhaps millions of dollars, in costs and fines — and that should be reason enough for entities to start taking this step in EHR technology.
Beyond Innovation and Competition, Health IT Edition
Last year I published a piece called “Beyond Innovation and Competition,” questioning the dominance of those values. Economists celebrate innovation and competition as the main source of future growth. Innovation has become the central focus of Internet law and policy. While leading commentators sharply divide on the best way to promote innovation, they routinely elevate its importance. Business writers have celebrated search engines, social networks, and tech startups as model corporations, bringing creative destruction and “disruptive innovation” in their wake. Maximum innovation is the goal, and competition is billed as the best way of achieving it. Players in the vast and dynamic tech marketplace are supposed to constantly strive to innovate in order to attract consumers away from rivals.
In the piece, I explain how both competition and innovation can be as destructive as they are constructive. There are many social values (including privacy, transparency, predictability, and stability), and companies can compete for profits in ways that erode those values. In an era of inequality and hall-of-mirrors stock market valuations, innovations of marginal or negative impact on society at large can be vastly overvalued by a stampede of fickle investors.
The shortcomings of the innovation and competition story also play out in health information technology. Stimulus legislation in 2009 provided many carrots and sticks for doctors to digitize their recordkeeping systems, ranging from bonuses now to reimbursement haircuts later this decade if they fail to implement the technology. Congress structured the incentives to encourage a competitive and innovative marketplace in health information technology. But many doctors are shying away from implementation, in part because they fear that the fast and loose ethics of the market can’t mesh with a medical culture of constant commitment to quality care.
Susan Jaffe’s article for the Center for Public Integrity examines doctors’ fears about adopting any given software suite. According to Jaffe, “570 different electronic health systems certified by private organizations for non-hospital settings may be used to qualify for the” stimulus funds. The long-term consequences of the choice make the jam-shopping examples in Barry Schwartz’s book The Paradox of Choice seem quaint:
The systems can vary in appearance, content, organization and special features. Some can be customized by users in different ways, at no cost or some cost, or not at all. Some are compatible with other systems now, eventually or, some critics say, maybe never. . . . The costs of the systems remain daunting, despite the bonuses, particularly in areas that have been hit hard by an ailing economy.
The pricetag varies widely depending on the type and size of the medical practice, whether new computers are purchased and the extent of customization, among other things. Software alone can cost from $2,000 to $10,000 per doctor. All told, the cost jumps to about roughly $20,000 per doctor, according to a regional extension center consultant who advises physicians in northeast Ohio. On top of that, manufacturers charge hefty annual fees for technical support and periodic upgrades that together can amount to about 35 percent of the upfront costs. The systems are priced in a way that does not make comparison shopping “easy or necessarily valid,” said Dottie Howe, a spokeswoman for the Ohio regional extension center. There is no basic price because each company offers different components, features, options, and level of technical support. . . .
Most manufacturers will also charge the doctors to move the information in their current system to the new one. There could be extra [ongoing, monthly] charges to connect to other systems too.
Doctors have also been burned by sharp operators that emphasize slick salesmanship over solid service:
[T]he Southwest Family Physicians group is worried . . . They bought an electronic health record system five years ago that is now nearly obsolete. The manufacturer was taken over by another company that provides minimal technical support . . . “The salesman said ‘you’re buying a Cadillac, this is going to be the greatest thing,’ ” [one doctor] recalled. But that system can’t display an X-Ray image or send a prescription electronically to a pharmacy. “We’ve got the Model T Ford,” he said.
It does appear that regional extension centers are doing some work to keep pricing reasonable. Jaffe’s article focuses on Ohio, where five “preferred vendors” “agreed to charge prices ‘as good as or better than’ prices offered to other regional extension centers, to provide onsite assistance when a practice turns on its electronic health record system for the first time, offer technical support for at least six years, and limit annual cost increases for continuing technical support, among other things.” But consider the bizarrely proprietary nature of pricing data:
Whether the five preferred vendors offer a better deal than their non-preferred competitors is not known because the state regional extension center doesn’t have pricing information from non-preferred vendors, said Howe, the spokeswoman for the state’s regional extension center. Pricing from the preferred vendors are confidential, she said. And despite their preferred status, the five companies do not guarantee that eligible health care providers who purchase their systems will receive the government’s bonus payments.
I discussed the troubling degree of secrecy in health care before, and I’m very sad to see it persist here. The doctors in Jaffe’s story are making reasonable demands: to be able to understand the nature of the commitment they are making, to avoid big financial losses, and not to be burned by fly-by-night operators attracted only by the government subsidy money. They want to assure that the basic health care values of access, cost-control, and quality are reflected in the software they use.
We are seeing the opening stages of a battle between a medical sector committed to maintaining its own autonomy and traditions, and a tech sector that wants to commoditize health data in as standardized a form as futures markets homogenized corn grades, or credit scores tranched residential mortgage backed securities. Commenting on the demise of Google Health, an informatics expert said that “Google is unwilling, for perfectly good business reasons, to engage in block-by-block market solutions to health-care institutions one by one, and expecting patients to actually do data entry is not a scalable and workable solution.” To be sure, the company can’t expect to make the same profit margins in the health sector as it does in the online ad business. But the “instant millions” ethos of Silicon Valley doesn’t fit well with a sector where we are in principle committed to serving everyone, regardless of ability to pay.
Economist John Van Reenen has observed that the US has a particularly innovative economy in part because our markets are so good at crushing badly run firms. It’s probably good that garden equipment suppliers, toothpaste makers, and pie bakers know they can be out of business in a month or two if they’re “off their game” for a short time. But if I just entrusted three years of medical records to a vendor who suddenly went out of business, I’d take little comfort in the idea that a marginally better competitor had knocked it out of the market. The transition to a new vendor can be slow and costly—doctors in Jaffe’s story speak of seeing 1/3 to 1/2 fewer patients over weeks or months as they learn a new system.
At a Yale SOM Health Care conference in 2009, the Chief Medical Officer of a major player in the field once remarked to me that choosing an HIT vendor is “like a marriage—you don’t end the relationship lightly.” I first thought that remark was self-serving. But the more one examines the HIT field, the more important it appears to get standard recordkeeping, support capabilities, and interoperability right at the outset, rather than leaving doctors to negotiate the wreckage of several generations of battling systems. Think about how chaotic online music sales seemed before iTunes. Perhaps Apple (whose iPads are already beloved by many docs) is going to bring a swift and highly profitable order to this field, too. I hope the ONC and other decisionmakers will well-regulate whatever behemoth eventually emerges, vindicating the public values that competition and innovation are unlikely to promote.
Photo credits to Aleksandar Šušnjar, Jakub Halun and loki11.
Personal Health Records: Is Unraveling Inevitable?
I look forward to reconnecting with everyone who is attending the health law professors conference in Chicago. My presentation will be applying some of the ideas of Scott Peppet (on self-quantification and unraveling) to personal health records. I found these ideas from Peppet’s post on biometric identification particularly interesting:
The biometric technologies firm Hoyos (previously Global Rainmakers Inc.) recently announced plans to test massive deployment of iris scanners in Leon, Mexico, a city of over a million people. . . . [T]he company’s roll-out strategy is explicitly premised on the unraveling of privacy created by the negative inferences & stigma that will attach to those who choose not to participate. Criminals will automatically be scanned and entered into the database upon conviction. Jeff Carter, Chief Development Officer at Hoyos, expects law abiding citizens to participate as well, however. Some will do so for convenience, he says, and then he expects everyone to follow: “When you get masses of people opting-in, opting out does not help. Opting out actually puts more of a flag on you than just being part of the system. We believe everyone will opt-in.” (For the full interview, see Fast Company’s post on the project.)
I’ve previously looked at the limits of individualist accounts of autonomy in work on pharmaceuticals (here and here), and scholars like Robert Ahdieh are questioning individualism in law & economics generally. As Nic Terry has argued, many of the critiques of CDHC apply to PHRs, and vice versa.
As of a few years ago, “it wasn’t illegal to hire and fire people based on their smoking habits” in 21 states. I think there will be many difficult questions raised in coming years by the growth of medical records of all types, and how many secondary uses of them are permitted. For example, some dating sites will now verify the income and assets of their users. How soon before they (and other certification and evaluation intermediaries) start vouching for health profiles? Does law have a role in these situations? I’ll try to explore these questions, and I’ll post more details about the presentation after getting some feedback.
The Normative Meets the Practical: Who Should Can Lead ACOs
One of the many $64,000 questions in the accountable care organization (ACO) debate has been who should lead these organizations. In a policy adopted in November 2010, the American Medical Association (AMA) made clear its view that ACOs must be physician-led. The American Hospital Association (AHA) refrained (at least in its public letter to CMS) from asserting its entitlement to the ACO helm, based, for example, on its management experience and pools of capital. Instead, it simply urged CMS to “defer details of the organization, such as leadership and management structure, to each ACO.”
CMS seems to have heeded the AHA’s advice because its recently released proposed rule does not directly take on this normative debate. (See Summary of CMS Proposed Rule on Accountable Care Organizations recently posted by Jordan T. Cohen for an overview of the proposed rule.) While “ACO participants must have at least 75 percent control of the ACO’s governing body” to be eligible for participation in the Shared Savings Program (proposed Section 425.5(d)(8)), the definition of “ACO participant” in the proposed rule includes physicians and hospitals, among others (proposed Section 425.4).
Similarly, the proposed rule simply requires that the “ACO’s operations must be managed by an executive, officer, manager, or general partner whose appointment and removal are under the control of the organization’s governing body and whose leadership team has demonstrated the ability to influence or direct clinical practice to improve efficiency processes and outcomes” (proposed Section 425.5(9)(ii)). The proposed rule does not address who or what would make the best such leader.
The proposed rule, however, clearly preserves a role for physicians to form and lead ACOs. For example, it recognizes that ACOs may be comprised of professionals in group practice arrangements and networks of individual practices, independent of hospitals (proposed Section 425.5(b)).
In addition, “[c]linical management and oversight [of the ACO] must be managed by a full-time senior-level medical director . . . who is a board-certified physician . . .,” and “[a] physician-directed quality assurance and process improvement committee must oversee an ongoing action-oriented quality assurance and improvement program” (proposed Sections 425.5(9)(iii) and (iv)).
The proposed rule also builds in a preference for ACOs comprised of all physicians or physician groups with fewer than 10,000 assigned beneficiaries by proposing to exempt them from the 2 percent net savings threshold adjustment under the one-sided model (proposed Section 425.9(c)(4)(i)). It also proposes to vary confidence intervals, which affect the minimum savings rate, by the size of the ACO in the one-sided model “to improve the opportunity for groups of solo and small practices to participate in the Shared Savings Program” (Preamble to proposed rule at Section II.F.10).
But on a practical level, the specifics of CMS’ proposal may — unintentionally, perhaps — give hospitals the greater chance to take the reins, at least initially. An apparently leaked CMS internal discussion document reflects some level of concern that physicians may have a hard time taking the lead with ACOs.
The proposed rule’s regulatory impact analysis estimates that the average start-up investment and first year operating expenditures for an ACO in the Shared Savings Program will be $1,755,251. In addition, the proposed rule uses a 6-months claims run-out (proposed Section 425.7(a)). Presumably, that means ACOs — assuming they satisfy all program requirements — will not see a dime of shared savings for more than eighteen months. CMS also proposes to withhold 25 percent of any earned shared savings accrued in a given year to ensure repayment of any losses to the Medicare program in subsequent years of the three-year ACO agreement (proposed Section 425.5(d)(6)(iii)).
Even if private physicians can amass the capital to make these upfront investments, there of course is no guarantee they will regain their outlays. A recent study published online by the New England Journal of Medicine, as reported by the American Medical Association, found that participants in CMS’ Physician Group Practice Demonstration did not recoup, at least in the initial years of the demonstration, all of the money they invested to establish ACOs. As the AMA summarized:
Early adopters, for the most part, did not recoup their set-up costs in the first three years of operation. The 10 integrated health systems that were studied spent an average of $1.7 million to take part in the demonstration project. Eight received no shared savings payments in the first year of the project. Six got a payment in the second year, and five received a bonus in the third year.
The Everett Clinic in Washington, for example, reportedly spent approximately $1 million on infrastructure for its ACO but recouped only $129,268 in shared savings during the first four years of the demonstration project.
According to a 2007 report from the National Center for Health Statistics (NCHS), in 2003-04, 80.6 percent of office-based medical practices in the United States consisted of one or two practitioners and 94.8 percent had five or fewer practitioners. The risks associated with forming an ACO are considerable for these smaller practices to absorb, especially when, at best, the ACO will see 75 percent of its portion of any shared savings upwards of eighteen months down the road and could instead be responsible for its share of losses. It is not clear how many small practices are willing and able to assume these risks without some substantial financial or management support. Not surprisingly, the AMA’s statement on the proposed ACO rule specifically identifies “the large capital requirements to fund an ACO” as a significant barrier that must be addressed if physicians in all practice sizes and settings will be able to successfully lead and participate in ACOs.
Another aspect of the proposed rule that may present a particular challenge to independent physicians is proposed Section 425.11(b)’s requirement that “[a]t least 50 percent of an ACO’s primary care physicians must be meaningful [Electronic Health Records (EHR)] users, using certified EHR technology as defined in §495.4, in the [Health Information Technology for Economic and Clinical Health (HITECH)] Act and subsequent Medicare regulations by the start of the second performance year in order to continue participating in the Shared Savings Program.”
Physician practices indisputably have increased their use of EHR systems in recent years. According to the National Ambulatory Medical Care Survey conducted by NCHS (reported here), only 17 percent of physicians in 2008 reported that they had a “basic” EHR system (which is defined as having electronic patient demographic information, patient problem lists, patient medication lists, clinical notes, orders for prescriptions, and laboratory and imaging results). Recent NCHS data (reported here) show that that number has climbed nearly 50 percent to 24.9 percent of office-based physicians.
But basic use of EHRs is not sufficient under the proposed rule, which requires “meaningful use.” Survey data from the Office of the National Coordinator for Health Information Technology, as reported here, show that only 41.1 percent of office-based physicians plan to apply for billions of federal dollars in EHR incentive payments that are available to Medicare and Medicaid providers under the HITECH Act, compared with 80.8 percent of acute care non-federal hospitals. Additionally, as reported here, a recent survey from the Medical Group Management Association (MGMA) found that only 13.6 percent of medical practices that have adopted EHRs and plan to apply for the EHR Meaningful Use incentives currently are able to satisfy the fifteen core criteria necessary to establish that they are meaningful users. Medical practices have a long row to hoe.
But the news is not all bad for physicians. The MGMA survey also found something that suggests this issue is far from resolved on a theoretical or practical level. As reported here, “almost 20 percent of responding independent medical practices that owned EHRs said that they had optimized their uses of EHRs” whereas “[o]nly 8.8 percent of responding hospitals — or [integrated delivery system (IDS)] — owned practices with EHRs said they had optimized their EHR use.”
Almost certainly, it is not just a coincidence that physicians are devoting their energy to becoming meaningful EHR users just as the first EHR Meaningful Use incentive payments are available. If CMS or private foundations develop additional incentive programs to help smaller practices cover the start-up costs associated with forming an ACO, the individual physician could still be in this game. Notably, the AMA’s brief statement on the proposed ACO rule reiterates its recommendation to CMS to increase access to loans and grants for small practices as part of this puzzle. It remains to be seen if any such programs are viable in this fiscal climate.
As promised, future posts will address the normative question of who should lead ACOs.
Doctors Wary of New Health IT
The Washington Post recently featured Lena Sun’s reporting on why many physicians are wary of adopting an electronic medical records system. As noted in the piece,
Many are aware that beginning this year, health-care professionals who effectively use electronic records can each receive up to $44,000 over five years through Medicare or up to $63,750 over six years through Medicaid. But to qualify, doctors must meet a host of strict criteria, including regularly using computerized records to log diagnoses and visits, ordering prescriptions and monitoring for drug interactions. And starting in 2015, those who aren’t digital risk having their Medicare reimbursements cut.
Deven McGraw, director of the health privacy project at the Center for Democracy & Technology, complains that, despite all these requirements, patient confidentiality concerns are being neglected:
But no federal regulations clearly require that doctors turn the data encryption on or prevent those who don’t do so from getting paid. . . . “This is a point of frustration,” said McGraw, who sits on an advisory group that sought unsuccessfully to prevent those who violate privacy regulations of the federal Health Insurance Portability and Accountability Act, or HIPAA, from getting incentive money.
Some older doctors may find it easier to retire than to get on board with new EMR systems. We frequently hear complaints about Luddite doctors resisting technology that has long been adopted by other sectors. But, as one commentator recently insisted, a doctor is not a bank. To get a sense of how frustrated doctors can become because of the new health IT (and the legal contracts that accompany it), check out this parody website for the faux firm Extormity. It announces a memorable experience for doctor clients/conscripts:
At the confluence of extortion and conformity lies Extormity, the electronic health records mega-corporation dedicated to offering highly proprietary, difficult to customize and prohibitively expensive healthcare IT solutions. Our flagship product, the Extormity EMR Software Suite, was recently voted “Most Complex” by readers of a leading healthcare industry publication.
I loved this description of a firm committed to maximizing the value of its intellectual property:
The Extormity EMR Software Suite is built on a proprietary software model renowned for its complexity. This proprietary platform and all of its components must be procured and implemented as a complete package we call the Extormity Bundle™ (which describes both our comprehensive package and its associated cost).
Operating the Extormity Bundle requires a phalanx of servers, which of course need to be replicated for redundancy. Fortunately, Extormity acts as a value-added reseller of these servers, which we pre-load with operating software. This allows us to mark-up the cost of the servers and charge for server configuration. In addition, the server software carries with it steep annual license fees.
Let’s hope the ONC’s ongoing regulatory process can help reduce the risk of Extormity-style raw deals for doctors. Given the recent flap over the FDA’s effective imprimatur for an extreme drug price increase, no DC agency should set in motion a process that could lead to prohibitively expensive fees for an essential aspect of health care.
X-Posted: Health Law Prof Blog.
From Viral Marketing to Medical Profile Contagion
Filed under: Electronic Medical Records, Private Insurance
As ACA implementation lumbers ahead, and challenges to it slouch toward the Supremes, the U.S. health care system’s arbitrary old ways continue to mystify and frustrate. Consider this story on one person’s quest to obtain insurance:
Most employees assume that if they lose their job and the health coverage that comes along with it, they’ll be able to purchase insurance somewhere. . . . My husband, teenage daughter and I were all active and healthy, and I naïvely thought getting health insurance would be simple. . . .
Then the first letter arrived — denied. . . . What were these pre-existing conditions that put us into high-risk categories? For me, it was a corn on my toe for which my podiatrist had recommended an in-office procedure. My daughter was denied because she takes regular medication for a common teenage issue. My husband was denied because his ophthalmologist had identified a slow-growing cataract. Basically, if there is any possible procedure in your future, insurers will deny you. . . .
As I filled out more applications, I discovered a critical error in my strategy. The first question was “Have you ever been denied health insurance”? Now my answer was yes, giving the new companies reason to be wary of my application. I learned too late that the best tactic is to apply simultaneously to as many companies as possible, so that you don’t have to admit to a denial.
As was recently reported, “50 to 129 million (19 to 50 percent of) non-elderly Americans have some type of pre-existing health condition.” The “health care market” is sending a strong signal: don’t step out of the system if you have any continuing need for even minor care.
But what’s more worrisome are the types of information circulating about you that you aren’t even aware of. Consider this story from Businessweek about the profiling of insurance applicants by third-party intermediaries:
Most consumers and even many insurance agents are unaware that Humana, UnitedHealth Group, Aetna (AET), Blue Cross plans, and other insurance giants have ready access to applicants’ prescription histories. These online reports, available in seconds from a pair of little-known intermediary companies at a cost of only about $15 per search, typically include voluminous information going back five years on dosage, refills, and possible medical conditions. The reports also provide a numerical score predicting what a person may cost an insurer in the future. . . .
[A] 57-year-old safety consultant in the oil and gas industry, says he tried to explain that the medications weren’t for serious ailments. The blood-pressure prescription related to a minor problem his wife, Paula, had with swelling of her ankles. The antidepressant was prescribed to help her sleep—a common “off-label” treatment doctors advise for some menopausal women. But drugs for depression and other mental health conditions are often red flags to insurers. Despite his efforts to reassure Humana, the phone interview with the company representative “just went south,” Walter recounts. He and his wife remain uninsured [as of 2008].
Health-related data from a wild west of unregulated intermediaries may spread to employers and other decisionmakers, just as credit scores have migrated from the bank context to influencing insurance pricing, and credit histories now influence employers. Sharona Hoffman has observed that “It is not uncommon for employers to obtain applicants’ and employees’ medical records. According to one source, every year, over ten million authorizations for release of medical information are signed by workers prior to the commencement of employment.” She has predicted disturbing possibilities arising out of that access to data:
Existing laws, including the ADA, GINA, HIPAA, and their state counterparts, provide important assurances to applicants and employees but are insufficient to guarantee that they will suffer no ill consequences as a result of EHR disclosure to employers. Employees may be especially concerned in times of recession, knowing that financial pressures make workers with health problems particularly unattractive to employers. Employers or their hired experts may develop complex scoring algorithms based on EHRs to determine which individuals are likely to be high-risk and high-cost workers. In addition, in times of financial difficulty, limited resources may be available to implement technology and policies that will secure EHR confidentiality.
Secondary uses of health data could be a very lucrative niche for profilers of the future.
Given these possibilities, individuals should at least have the right to access and correct the health data that intermediaries have compiled about them. The FTC recognized this right, and “forced the [insurance] industry to begin disclosing the use of prescription information under . . . the Fair Credit Reporting Act. . . . Copies of prescription reports are supposed to be available to consumers at no charge under federal law.” This is a small step forward. But if the “scores” assessing individual risk are compiled according to proprietary algorithms, the consumer may still feel “in the dark,” unable to adequately influence the presentation of herself to the insurer.
As Esther Dyson has stated in another context, mysterious data flows can jeopardize individual autonomy:
The comforting thing about the kind of data that Facebook primarily deals with is that it’s public. If your friends and other people can see it, so can you.
More troubling is the data you don’t even know about – the kind of data about your online activities collected by ad networks and shared with advertisers and other marketers, and sometimes correlated with offline data from other vendors. By and large, that’s information you can’t see – what you clicked on, what you searched for, which pages you came from and went to – and neither can your friends, for the most part. But that information is sold and traded, manipulated with algorithms to classify you and to determine what ads you see, what e-mails you receive, and often what offers are made to you. Of course, some of that information could go astray.
Online advertisers already slice and dice population segments (and distribute opportunities & exposure to ads) via marketing discrimination. Will the “e-health revolution” bring their methods out of cyberspace, and into the deadly serious business of offering employment and insurance based on estimates of health status that applicants can’t understand or challenge?
Can Suspicious Activity Reports Trigger Health Data Gathering?
In an article entitled “Monitoring America,” Dana Priest and William Arkin describe an extraordinary pattern of governmental surveillance. To be sure, in the wake of the attacks of 9/11, there are important reasons to increase the government’s ability to understand threats to order. However, the persistence, replicability, and searchability of the databases now being compiled for intelligence purposes raise very difficult questions about the use and abuse of profiles, particularly in cases where health data informs the classification of individuals as threats.
First, a little background. We traditionally think of law enforcement as needing some kind of probable cause to ground or justify the pursuit of an investigation. However, with the rise of the new Information Sharing Environment (often enacted by fusion centers, which provide one-stop shopping for access to data), a much broader set of law enforcement prerogatives is emerging. Fusion centers have promoted a domestic intelligence apparatus, which is designed not merely to solve crimes but also to generate a wide range of knowledge which could lead to the deterrence and detection of “all threats, all crimes, all hazards.”
The Department of Homeland Security has taken a number of innovative steps to deputize monitoring of individuals, asking personnel ranging from local law enforcement to cable repairmen to hotel cleaners to be on the alert for suspicious activity. Once such activity is detected, the detector can in some cases file a persistent Suspicious Activity Report. These SARs are entered into an FBI database, and quite possibly inform many other counterterror, intelligence, and even private sector initiatives. Arkin & Priest’s story gives a sample Suspicious Activity Report, and speculates about how its creation may affect the object of the profile:
The FBI is building a vast repository controlled by people who work in a top-secret vault on the fourth floor of the J. Edgar Hoover FBI Building in Washington. This one stores the profiles of tens of thousands of Americans and legal residents who are not accused of any crime. What they have done is appear to be acting suspiciously to a town sheriff, a traffic cop or even a neighbor.
[For an example of what might go in the database, consider] Suspicious Activity Report N03821 says a local law enforcement officer observed “a suspicious subject . . . taking photographs of the Orange County Sheriff Department Fire Boat and the Balboa Ferry with a cellular phone camera.” The confidential report, marked “For Official Use Only,” noted that the subject next made a phone call, walked to his car and returned five minutes later to take more pictures. He was then met by another person, both of whom stood and “observed the boat traffic in the harbor.” Next another adult with two small children joined them, and then they all boarded the ferry and crossed the channel.
All of this information was forwarded to the Los Angeles fusion center for further investigation after the local officer ran information about the vehicle and its owner through several crime databases and found nothing. Authorities would not say what happened to it from there, but there are several paths a suspicious activity report can take:
At the fusion center, an officer would decide to either dismiss the suspicious activity as harmless or forward the report to the nearest FBI terrorism unit for further investigation. At that unit, it would immediately be entered into the Guardian database, at which point one of three things could happen:
The FBI could collect more information, find no connection to terrorism and mark the file closed, though leaving it in the database. It could find a possible connection and turn it into a full-fledged case. Or, as most often happens, it could make no specific determination, which would mean that Suspicious Activity Report N03821 would sit in limbo for as long as five years, during which time many other pieces of information about the man photographing a boat on a Sunday morning could be added to his file[.]
[That data includes] employment, financial and residential histories; multiple phone numbers; audio files; video from the dashboard-mounted camera in the police cruiser at the harbor where he took pictures; and anything else in government or commercial databases “that adds value,” as the FBI agent in charge of the database described it. That could soon include biometric data, if it existed; the FBI is working on a way to attach such information to files. Meanwhile, the bureau will also soon have software that allows local agencies to map all suspicious incidents in their jurisdiction.
Given the expansive reservoirs of data already accessible to fusion centers, I would not be surprised if they took the position that health records “add value” to the data gathering. Civil libertarians can object to many types of data gathering, but for purposes of this post, I would like to focus on healthcare data. First, to what extent can a health condition itself give rise to a Suspicious Activity Report? Secondly, are there any concerted efforts to deputize medical personnel to report on suspicious activity? Finally, and I believe most importantly, how is the vast store of healthcare data presently associated with individuals utilized by the data mining programs of the surveillance state?
We daily learn of troubling data gathering practices online. For example, Arvind Narayanan has described rather indiscriminate data gathering by third parties:
The Facebook “like” button is a prominent . . . example[] of third-party tracking not directly related to behavioral advertising. . . . Facebook can keep track of all the pages you visit that incorporate the button, whether or not you click it. Did you know, for example, that the UK National Health Services website has the like button, among other trackers, on all their disease pages?
One need only visit the Wall Street Journal’s recent series on privacy to realize that all manner of health-related data can be generated about an individual with little to no restrictions imposed by HIPAA or effectively enforced by the FTC. To take one example, consider the scraping (copying) of data at a site called PatientsLikeMe:
At 1 a.m. on May 7, the website PatientsLikeMe.com noticed suspicious activity on its “Mood” discussion board. There, people exchange highly personal stories about their emotional disorders, ranging from bipolar disease to a desire to cut themselves. It was a break-in. A new member of the site, using sophisticated software, was “scraping,” or copying, every single message off PatientsLikeMe’s private online forums.
Who knows how many incidents like this go unreported each year? Finally, the government itself is keeping a record of prescription drug use, which apparently was used after the Virginia Tech shooting. Law enforcement exceptions to HIPAA (and, presumably, HITECH) may give an official imprimatur for similar activities even if they involve “covered entities.”
The clash of intelligence prerogatives and health privacy always raises difficult issues. For now, I would just like to make one claim about the need for the government to be forthright about whether it is collecting health care data while profiling citizens. Such data gathering should not be what David Pozen calls a “deep secret;” that is, citizens should not be “in the dark about the fact that they are being kept in the dark.” Rather, we need to understand whether this very personal and important data is being commandeered to fight an “enemy within.”
There are broader principles for fair disclosure of the workings of the surveillance state. First, people are all too eager to sign up for new health “apps” and affinity groups without having any sense of how these activities and affiliations can affect their future. There is still a lazy public/private distinction affecting far too much of consumer conduct; I hear so-called internet experts wondering why anyone would worry about data stored by a private company because “they’re not the government.” Arkin & Priest have consistently shown that the public/private distinction is evanescent at best, a confounding development in social affairs that leaves libertarians sounding like communists.
Julie Cohen’s recent article in Social Research observes that there is a much larger political economy of surveillance that has accelerated both data gathering and profiling:
Devaluation of privacy is bound up with our political economy and with our public discourse about information policy in important ways that have little or nothing to do with official conduct. . . . Flows of data are facilitated by corporate data brokers like ChoicePoint, Experian, and Acxiom. To help companies (and governments) make the most of the information they purchase, an industry devoted to “data mining” and “behavioral advertising” has arisen; firms in this industry compete with one another to develop more profitable methods of sorting and classifying individual consumers.
In the United States, a number of federal agencies have awarded multimillion dollar contracts to corporate data brokers to supply them with personal information about both citizens and foreign nationals. Privacy restrictions that limit the extent to which the government can itself collect personal information generally do not apply to such purchases at all. The government has deployed secrecy to great effect where these initiatives are concerned, with the result that we still understand too little about many of them. Legal regimes purporting to guarantee official transparency are in fact indeterminate on how much openness to require.
These processes let important decisionmakers in both the private and public sectors exist behind a “one way mirror.” Even if full transparency would compromise data gathering, citizens must know whether certain critical information (including health data) is being commandeered by the domestic intelligence apparatus.
Patient Autonomy and Personal Health Records
I recently gave remarks as part of a panel at the roundtable “Personal Health Records: Understanding the Evolving Landscape,” sponsored by the Office of the National Coordinator for Health Information Technology (ONC). There were many interesting speakers, including some of the leading businesses in the PHR space and regulators from FTC, HHS, and the California state Office of Privacy Protection. The roundtable exposed the promise–and limits–of a personalized health record model. Databases may help both public health and patient care, but the many stakeholders in PHRs may have very different views about how much control patients should have over the presentation of their medical selves in everyday life.
Discussions about health records can get forbiddingly abstract and technical, but a real-world dilemma can help concretize the problem. As Lisa Wangsness’s Boston Globe article shows, at least one individual feels “burned” by his effort to quickly port past data into a PHR:
When Dave deBronkart, a tech-savvy kidney cancer survivor, tried to transfer his medical records from Beth Israel Deaconess Medical Center to Google Health, a new free service that lets patients keep all their health records in one place and easily share them with new doctors, he was stunned at what he found. Google said his cancer had spread to either his brain or spine — a frightening diagnosis deBronkart had never gotten from his doctors — and listed an array of other conditions that he never had, as far as he knew, like chronic lung disease and aortic aneurysm. A warning announced his blood pressure medication required “immediate attention.” “I wondered, ‘What are they talking about?’ ” said deBronkart . . .[He] eventually discovered the problem: Some of the information in his Google Health record was drawn from billing records, which sometimes reflect imprecise information plugged into codes required by insurers.
According to one doctor consulted by the Globe, “an inaccurate diagnosis of gastrointestinal bleeding on a heart attack patient’s personal health record could stop an emergency room doctor from administering a life-saving drug.” For the critically or chronically ill, the record is literally a life-or-death matter.
Admittedly, the level of personal control an individual has over a PHR also offers a solution to this problem. If we follow the same model as credit reporting, patients should be able to review their reports without charge, and make corrections. The Markle Foundation has done a superb job highlighting the importance of accountable health technology. But, as the Center for Democracy and Technology argues, rulemaking on EHRs will need to build in a number of consumer safeguards to assure that other stakeholder interests do not trump patients’ interests.
The CDT recommends that HHS require “PHR providers to provide opportunities for consumers to amend, correct or annotate information in a PHR,” and “to have policies for handling disputes concerning information in the PHR.” CDT expands on the obligation in these paragraphs:
Many PHRs contain data from two categories of sources: copies of information obtained from members of the traditional health system (including health care providers, insurers, etc.) and data generated or acquired by consumers themselves, whether directly entered by them, or fed into the PHR by devices or other sources that are not part of the traditional health care system (including data from a monitoring device that the consumer operates, from a commercial Web site, or from a consumer’s own health-related observations).
Policies governing disputes about the validity of data should draw a distinction between these different categories of data. With respect to copies of data that users might not be permitted to change directly (including but not limited to data that originates with members of the traditional health system), users should be given a way to attach notes or complaints to the PHR disputing the validity of the data – and the note should remain appended to the data any time it is disclosed from the PHR. (This is similar to how the HIPAA Privacy Rule treats patient amendment of data in covered entity records.) PHR vendors also should consider mechanisms for communicating patient disputes about data back to the original source for consideration.
Even in a world where PHRs are ubiquitous, there’s almost certainly going to be some “objective health record” in the medical system about any individual. (And, if key software engineers get their way, there will be a unique “personal health identifier” for everyone once health records systems are up and running.) So why should the integrity of PHRs matter to anyone other than the person recording them?
First, the more legible, portable, and useful PHRs are, the more they may displace other records of patient information. Emergency rooms may only have a chance to look at one HR–the one given to them by the patient they are treating.
Second, we can assume that as PHRs become a bigger part of larger employers’ cost-control programs, they are going to want to make sure that “quantified selves” are accurately reporting their health efforts and achievements. Health reform has taken a “preventive turn,” and the ACA gives employers new latitude to reward and punish employees:
Although it prohibits insurers from charging higher premiums based on an individual’s health risks, it allows them to charge a smoker as much as 50 percent more than a nonsmoker. It also permits employers to increase rewards for participation in wellness and disease-prevention programs from 20 percent to 30 percent of the costs of insurance premiums.
To verify participation, an employer may want access to an employee’s PHR, particularly if it is much easier for its own computer systems to read and understand than the “objective health record” existing in the health care system itself. Yet the employer may also want to ensure that the PHR is populated by materials validated by third parties (such as doctors’ offices, fitness clubs, scales, or blood sugar monitors). Presently, this is not a major issue; as Nicolas Terry warns, “sharing or exchange of data between PHRs and providers or their EMRs is as speculative as it is controversial.” However, technological advances could promote PHRs with inputs from providers, apps, and even RFID chips. What happens if the employer tries to condition participation in a wellness program on an employee’s agreement not to try to change whatever is reported by those “trusted” third parties?
The CDT suggests some principles that should guide this situation as well. They recommend that:
Employers, health plans, and others should be explicitly prohibited from requiring individuals to open PHR accounts as a condition of employment, membership, or for any other reason. PHR accounts should also not be routinely opened for consumers who do not explicitly activate them, as this can expose personal data to uses not necessarily anticipated by the consumer. Similarly, consumers should not be compelled to disclose the information held within the PHR, or whether they are using a PHR, without due process of law.
I believe these “compulsion” points should go beyond the decision to open a PHR, to the more granular rights and responsibilities associated with the maintenance of one. However many times employers sing the praises of contract law, the truth remains that employees in this tight labor market have very little bargaining power. That’s one reason why Nicolas P. Terry’s recommendation of inalienable rights to control data in the PHR context was one of the most provocative and compelling comments at the roundtable.
I am not here advocating for complete autonomy of the patient over records in all contexts. As Sharona Hoffman has argued, in the realm of treatment, there are important rationales for prioritizing the independent medical judgment of professionals whose first obligation is to maintain health:
If patients are empowered to opt out of EHR use or to disallow treating physicians’ access to their records, they may lose much of the benefit of computerization. Many clinicians would continue to care for patients in ignorance of essential facts that could make the difference between appropriate and inappropriate treatment decisions. For example, it might seem at first blush that most physicians would not need access to a patient’s psychiatric records. However, a psychiatric diagnosis may help other specialists better understand the patient’s symptoms, and the patient’s complete drug list, including psychiatric drugs, is vital for purposes of safely prescribing additional medications.
Some commentators at the roundtable also offered creative solutions for the “sensitive health data” conundrum raised by Hoffman; for example, a patient could include an “envelope” in their EHR or PHR that would only be opened in case of emergency, or when authorized directly by the patient. Regardless of how one feels about this issue, outside the treatment context, it is critical for consumers to have reasonable opportunities to review, correct, and withhold their personal health records.
When all is said and done, people have to “buy in” to EHR for it to work effectively, and rational individuals are going to avoid any system where medical history can be as effective as credit history at denying them opportunities. One commentator at the roundtable said that her patients “didn’t care” about health data or security; they just wanted some quick and dirty method of digitizing their records. However compelling this perspective may seem for those “on the front lines,” the perils of a “wikileaked world” should end any complacency about the use and misuse of computer records. We should avoid the temptation of letting cut-rate or subpar EHR and PHR systems develop, especially since they are likely to target the most vulnerable patients. Robust regulatory requirements can spark a race to the top for data privacy and security.
In the film Sleep Dealer, a laborer encounters a “memory recorder,” a computerized transcription machine that translates past experiences into video re-enactments. The machine occasionally blanks out as the laborer narrates his story, and its operator chides him to “be more truthful,” to hew closer to the actual truth of the matter. The film is ambiguous as to whether the machine, its operator, or the laborer himself has real access to what actually happened. In the treatment context, best practices may inevitably consign us to a messy, multi-stakeholder effort to set forth the “real truth” of a health record. However, the personal health record should be primarily a project of the person it describes, with no undue influence from the growing number of reputation raters and shapers with a pecuniary interest in particular representations of that person.
Online Health Data in Employers’ and Insurers’ Predictive Analytics
Did you know that buying generics instead of brands could hurt your credit? Or that a subscription to Hang Gliding Monthly could scare off life insurers? Or that certain employers’ access to electronic health records could lead them to classify you as “high-risk” or “high-cost”?
In all these cases, firms use “predictive analytics” to maximize profits. Consumers are the guinea pigs for these new “sciences” of the human. As Scott Peppet argues, it becomes more difficult to opt out of analytics systems as more people use them. What type of world are they leading us to?
Credit Analytics: Should Frugality be Punished?
One credit analytics company determined that buyers of cheap automotive oil were “much more likely to miss a credit-card payment” than those who paid for a brand-name oil. Spending on therapy sessions may also be a red flag. Appearing too frugal, too anxious, too spendthrift—all might lead to higher interest rates or lower credit limits. One R&D head at a credit analytics firm bragged that they consider over 300 characteristics to discover delinquency risk. He was not nearly as forthcoming about how the data is aggregated. Analyzing millions of transactions, the companies observe customers as a gardener might observe a rose garden: weeding out unpromising specimens, and giving a boost to incipient flourishers.
Many have complained about inaccuracy in these new forms of profiling, and consumers’ inability to review and correct digital dossiers collected about them. But let’s just assume that this profiling is correct, and choosing a generic really does correlate with increased credit risk. What’s the social value of this discovery? Maybe credit card companies can reduce rates infinitesimally (and increase profits) by burdening the generic buyers. But I’d be willing to bet that, for every few people whose generic purchases indicate financial trouble, there is another shopper who’s wisely frugal and increasing her chances of successfully repaying all her loans. It seems very odd to penalize the financially responsible merely because they happen to engage in an activity shared by the distressed.
The Dream of the Perfect Profile
Ahh, predictive analysts might reply, you just oversimplify our process. We would never reduce the credit line of someone who purchases generics if that person also, say, has a subscription to Travel and Leisure, or drives a Nexus, or gives over $1,000 a year to the Republican National Committee. They’re not desperate—they’re just careful shoppers. The more information we have, the more fair and accurate we can be. (I can only propose this response, since the industry is so careful about protecting its trade secrets. But this seems like a plausible counterargument.)
Just as free speech advocates often say that the answer to “bad speech” is more or “counter” speech, predictive analysts may argue that the cure for the mistreatment of any given individual is more information about the person’s true motives or opportunities. If privacy advocates are worried that certain surveillance practices will unfairly tarnish the reputation or profile of an individual, the answer is more, not less, information, on that person. The more comprehensive a picture that firms can develop of the individual, the better they are able to properly target resources.
Whatever the merits of this approach, it appears to me that it only applies to one dimension of the credit analytics example above. Rewarding “brand buyers,” in general, is not that likely to alter behavior in ways that could seriously undermine someone’s quality of life. But effectively punishing those who seek therapy or marriage counseling creates a different set of concerns, showing once again the ways in which health care decisionmaking needs to be distinct from the Procrustean forces of market pressures.
Stressed by Sickness in the Risk Society
A recent article by Sharona Hoffman illuminates some problems with pervasive use of health data in predictive analytics.
Employers may obtain and process EHRs [electronic health records] for a variety of reasons. Many require applicants who have received employment offers to provide authorizations for release of medical records in order to verify the individuals’ fitness for duty. At times, employers require records for purposes of workers’ compensation claims, reasonable accommodation requests by individuals with disabilities, or Family Medical Leave Act (FMLA) requests. Employers who are self-insured also process employees’ medical data in order to pay insurance claims.
EHRs will likely provide employers with unprecedented amounts of data. . . . Employers or their hired experts may develop complex scoring algorithms based on EHRs to determine which individuals are likely to be high-risk and high-cost workers. . . . Employers with access to EHRs containing a wealth of medical information may be sorely tempted to exclude certain individuals from the workforce because of concerns about the employees’ future productivity, absenteeism, or medical costs. To disguise unlawful conduct, employers may not act immediately to withdraw a job offer or terminate an employee, but rather, decide not to promote an individual with a disability or to select her for a layoff at a later time.
In other words, predictive analytics in health can lead to more “death spirals” for the sick: lost employment, lost insurance due to that lost employment, and future inability to find work due to poor health. Hoffman’s concerns about employers sidestepping relevant regulations were reflected in today’s WSJ article on insurance profiling, too:
[G]iant data-collection firms . . . sort details of online and offline purchases to help categorize people as runners or hikers, dieters or couch potatoes. They scoop up public records such as hunting permits, boat registrations and property transfers. They run surveys designed to coax people to describe their lifestyles and health conditions. Increasingly, some gather online information, including from social-networking sites.
For insurers and data-sellers alike, the new techniques could open up a regulatory can of worms. The information sold by marketing-database firms is lightly regulated. But using it in the life-insurance application process would “raise questions” about whether the data would be subject to the federal Fair Credit Reporting Act, says Rebecca Kuehn of the Federal Trade Commission’s division of privacy and identity protection. The law’s provisions kick in when “adverse action” is taken against a person, such as a decision to deny insurance or increase rates. The law requires that people be notified of any adverse action and be allowed to dispute the accuracy or completeness of data, according to the FTC. Deloitte and the life insurers stress the databases wouldn’t be used to make final decisions about applicants. Rather, the process would simply speed up applications from people who look like good risks.
Many aspects of FCRA have been rendered irrelevant by the all-importance of credit scoring—it’s hard to care too much about one’s ability to “correct” one’s credit report if the only thing that really matters is a score whose calculation only contingently depends on any given piece of information in the report. But I had not heard before Deloitte’s assurance that information would “simply speed up” applications, and not “be used to make final decisions.” Quite the creative lawyering behind that distinction.
Relating the Real and the Digital Body
Dan Solove has written extensively on the “digital person,” and perhaps we can see predictive health analytics as an effort to create a “digital body.” As the WSJ reports, we are reaching a point where online “data can reveal nearly as much about a person as a lab analysis of their bodily fluids.” The least we can ask is for the purveyors of data-driven decisionmaking to be much clearer about how they profile individuals. Moreover, in the case of employment, we should seriously consider expanding disability discrimination laws to prevent employers from stratifying employees based on health data. Profits are important, but they shouldn’t come at the expense of sick people who already have enough problems to contend with. As HHS implements PPACA’s promotion of “wellness programs” at workplaces, they should also try to avoid the “Orwellness” of data-driven health profiling.
X-Posted: Concurring Opinions.
Privacy Paradigms: From Consent to Reciprocal Transparency
Computational innovation may improve health care by creating stores of data vastly superior to those used by traditional medical research. But before patients and providers “buy in,” they need to know that medical privacy will be respected. We’re a long way from assuring that, but new ideas about the proper distribution and control of data might help build confidence in the system.
William Pewen’s post “Breach Notice: The Struggle for Medical Records Security Continues” is an excellent rundown of recent controversies in the field of electronic medical records (EMR) and health information technology (HIT). As he notes,
Many in Washington have the view that the Health Insurance Portability and Accountability Act (HIPAA) functions as a protective regulatory mechanism in medicine, yet its implementation actually opened the door to compromising the principle of research consent, and in fact codified the use of personal medical data in a wide range of business practices under the guise of permitted “health care operations.” Many patients are not presented with a HIPAA notice but instead are asked to sign a combined notice and waiver that adds consents for a variety of business activities designed to benefit the provider, not the patient. In this climate, patients have been outraged to receive solicitations for purchases ranging from drugs to burial plots, while at the same time receiving care which is too often uncoordinated and unsafe. It is no wonder that many Americans take a circumspect view of health IT.
Privacy law’s consent paradigm means that, generally speaking, data dissemination is not deemed an invasion of privacy if it is consented to. The consent paradigm requires individuals to decide whether or not, at any given time, they wish to protect their privacy. Some of the brightest minds in cyberlaw have focused on innovation designed to enable such self-protection. For instance, interdisciplinary research groups have proposed “personal data vaults” to manage the emanations of sensor networks. Jonathan Zittrain’s article on “privication” proposed that the same technologies used by copyrightholders to monitor or stop dissemination of works could be adopted by patients concerned about the unauthorized spread of health information.
If individuals had enough time to manage their personal data the way they manage their checkbooks and gardens, perhaps the consent paradigm would be a good foundation for addressing public concerns about privacy. If applicants could easily bargain with would-be employers over privacy, or patients with hospitals, perhaps we could rely on them to protect their interests. But actual occurrences of such acts of self-assertion and self-protection are rare. Given the frequently abstract benefits that privacy and reputational integrity afford, they are often traded away for competitive economic advantage. This process further erodes societal expectations of privacy.
A collective commitment to privacy is far more valuable than a private, transactional approach that all but guarantees a race to the bottom. If such a collective commitment does not materialize, record systems will only deserve trust if they become as transparent as the patients and research subjects they profile. Given corporate assertion of trade secrecy (and even privacy rights), reciprocal transparency will not be easy to achieve. Nevertheless, repeated breaches, fraud, and data meltdowns in the US should provoke an alliance of socially responsible researchers to lobby the US government to set minimal standards of reciprocal transparency and auditing. Consumers can only trust innovators if they can understand what is being done with data. As we become “transparent citizens” (as Joel Reidenberg puts it), we should demand that the corporate, university, and governmental authors of that trend reciprocate, and become more open about the data they gather.
Fortunately, as a recent presentation by Deborah Peel reminded me, there is significant audit authority built into the recent HITECH act which may curb some abuses. Audits will become increasingly important as a “wild west” of health data is excavated by scrapers, marketers, and other data miners.
Consider, for instance, the following scenario: contributors to the medical website PatientsLikeMe.com found that “Nielsen Co., [a] media-research firm . . . was ‘scraping,’ or copying, every single message off PatientsLikeMe’s private online forums.” Had the virtual break-in not been detected, health attributes connected to usernames (which, in turn, can often be linked to real identities) could have spread into numerous databases. A reciprocal transparency paradigm would require all those harboring health data to have some certified indication of its legitimate provenance. Data would not be allowed to persist without certification of its provenance.
Unforeseen spread of inaccurate or inappropriate health data is not just a problem for those who want to avoid getting solicitations for burial plots after a sensitive appointment. Given law enforcement exceptions to medical privacy laws and regulations, it should come as little surprise that the government claims that “a 2005 law authorizes it to monitor and record all prescription drug use by all citizens via so-called ‘Prescription Drug Monitoring Programs.’” Such programs may just be the tip of an iceberg of new domestic intelligence programs that rely on private companies to act as “big brother’s little helpers.”
Whenever health data is fed into an evaluative profile of an individual, there should be safeguards in place to assure that the data is accurate, and that the resulting profile is, if at all possible, not used to harm or disadvantage the individual. Without assurances like these, we can count on continued resistance to the development of health data infrastructures.
iPhone Apps for Health Providers, a Path Emerging?
Last year we did a series of posts on Electronic Medical Records and Electronic Medicine. One of those articles, “Electronic Medicine, iPhones and Path-Dependence” noted the emergence in Electronic Medicine of the iPhone and the Blackberry. We also noted that the iPhone and Blackberry constitute “an advantaged path” (already in the pockets of roughly 64% of doctors, early popularity further attracting skilled labor, financing, and support) and that these platforms might be capable of playing a part in allowing us to avoid building a costly high tech Tower of Babel: offering “flexibility, interoperability, liquidity of information, and the ability to substitute technologies as the need arises.”
We wrote the following:
A Washington Post article, “New Tool in the MD’s Bag: A Smartphone,” states that “Nationally, about 64 percent of doctors are now using smartphones, according to a recent report by the market research company Manhattan Research.” Georgetown’s medical school has recently begun requiring them, and Ohio State’s is handing out the iPod Touch (sans phone) to its students. Mike McCarty, the chief network officer at Johns Hopkins Health Systems, “believes that smartphones will soon assume a permanent place in medicine.”
As such, designers have engineered applications to suit the needs of those doctors. And as a matter of path-dependence, presumably they will continue to do so. WaPo states that “the iTunes app store lists 674 applications related to medicine available.” There are iPhone and Blackberry apps to “pull up instructional diagrams and videos for patients, write electronic prescriptions and check basic information,” “look up drug-to-drug interactions, to view X-rays and MRI scans,” and even determine pill names derived from physical descriptions.
As we posted a while back,
In the words of Dr. Farzad Mostashari, an assistant commissioner in New York City’s health department and head of the much heralded Primary Care Information Project (which is functioning as a sort of I.T. Department for many of the City’s doctors using EMR), “There’s no way small practices can effectively implement electronic health records on their own. This is not the iPhone.”
Later, we noted that in their NEJM article, No Small Change for the Health Information Economy, Kenneth D. Mandl, M.D., M.P.H., and Isaac S. Kohane, M.D., Ph.D. suggest that it should be. That
As do Professors Sharona Hoffman and Andy Podgurski, the authors of “No Small Change…” stress the need for flexibility, interoperability, liquidity of information, and the ability to substitute technologies as the need arises. To do this they propose governmental encouragement of the use of a platform with interoperable applications (blog builders, think: “plug ins” and “widgets”) similar to the iPhone.
We also noted in that post, “Electronic Medical Records: It’s Not too Late to Build the Tower on an Interoperable Platform,” that
Perhaps the good news here is that the relative scarcity of EMR implementation thus far means that we can yet still devise an interoperable system without rendering substantial but incompatible investments obsolete. Which is to say that we are not yet too far down nine different non-intersecting roads and that “a communicative Tower” can still be built, and sustained, on a Platform.
Now, it seems the path is beginning to emerge–and that interoperable system may actually be the iPhone and Blackberry platforms–which, it seems, are already sitting in doctors’ pockets.
And now via email from NursingSchools.net, an interesting list:
The 15 Most Forward Thinking iPhone Apps for Doctors & Nurses
It’s amazing how much we use our phones for anything but phone calls. The widespread use of applications, driven by the explosion of iPhone sales, has helped to redefine just what we’re able to do with our phones in all walks of life and work. The medical profession has been one of the biggest beneficiaries of iPhone app development, with life-changing tech showing up in nursing schools and hospitals nationwide. Some gather information from patients in new ways, while others help medical professionals better sort and understand that information. They’re all designed to help those in the medical field do their jobs in revolutionary ways. Here are some of the most forward-thinking and revolutionary iPhone apps out there for doctors and nurses:
- e-911: Emerging Healthcare Solutions is developing an app called e-911, which would allow a user to store critical personal medical information that’s sent to health care providers when they dial 911 from their iPhone. The benefits are clear and enormous: Instead of wasting time discovering a medical history, first responders would know instantly what the victim’s medical past looked like.
- Epocrates: One of the most popular free medical apps available for the iPhone, gives doctors and nurses up-to-date information on thousands of drugs, lets them identify pills by physical description, and describes the effects of combining different drugs. A Stanford university doctor even made a video about how much he loves it. (Free)
- ICD9 Consult: Never go hunting through a book to find a code again. This app lists ICD9-CM diagnosis codes and lets you search and browse by category. It includes more than 21,000 individual codes, making it a phenomenal portable tool for medical professionals. ($14.99)
- Human Body Advanced Encyclopedia 3D Anatomy: Don’t let the clunky title fool you: Doctors and nurses everywhere should have this app on their iPhones. The app includes three-dimensional renderings of the body’s 14 anatomical systems as well as the ability to see all sides and angles of organs. It’s like having an anatomy textbook in your back pocket. ($3.99)
- Medscape: From the WebMD people, this is a fantastic all-purpose app that’s packed with information on brand-name and generic drugs, clinical procedures, and more than 150 videos. (Free)
- iRadiology: This app for students is also a good resource for doctors and nurses who’ve been working for years. It features more than 500 images designed to help users hone their detection skills and become better at reading film, CT, and MRI images. It’s a smart, progressive app because it operates under the assumption that knowledge is something you constantly build, and it helps medical pros stay at the top of their game.
- Reach MD CME: This is an awesome app for doctors and nurses looking to further their education in unique and time-saving ways. Reach MD CME is an accredited app for continuing medical education that lets you download and listen to medical programs and then take the certification test all on your iPhone. (Free)
- NeuroMind: NeuroMind is a smart, thorough app that helps residents and surgeons by acting as an index for a variety of brain-related surgical topics. It also provides a checklist of Safe Surgery items from the World Health Organization. (Free)
- Drug Trials: If you’re a doctor or nurse, you need this app. Drug Trials is all about the latest drug tests, whether it’s an established drug being tested in new ways or an entirely new product being tested for the first time. This is one of the best ways to stay informed about what’s happening in drug research, and it also includes facts like eligibility requirements. (Free)
- Informed RN Pocket Guide: The $9.99 cost is more than most apps, but nurses get a lot for that price with this in-depth app. The Informed RN Pocket Guide is a PDF version of the printed book, and it features a ton of helpful information nurses need to know, including metric conversions, pain assessment tools, pediatric care information, and even Spanish translations. Worth the buy.
- Nursing Central: I take it back: This app is the pricey one. Nursing Central requires a subscription payment of $159.95 before you can view the content, but if you can afford it, it’s a worthwhile purchase. The constantly updated database covers more than 5,000 drugs, and it features info on all manner of diseases and treatments plus a dictionary with more than 60,000 (!) entries. If you don’t know it, this app does.
- Nursing Pharmacology: A handy app for nurses that features flash cards designed to teach you the ropes of nursing pharmacology. Basic features, but helpful. ($0.99)
- PubMed on Tap: This is the full version, not the lite one. The PubMed on Tap app searches PubMed for reference info and then lets you store PDFs or e-mail the results to yourself or someone else. For medical pros on the go, or those who need to do some quick research away from the computer, this app is a life-saver. ($2.99)
- Skyscape’s Medical Bag: Call it the digital version of the classical little black doctors’ bag. This app includes a number of helpful tools, including more than 100 medical calculators and multiple articles on life support. ($1.99)
- iMurmur 2: This app is a great fit for practicing doctors as well as med students. It’s got a library of actual recordings of different heart sounds, complete with accompanying descriptions and phonocardiograms. A must-have for cardiologists or any pro looking to brush up on the heart. ($2.99)
The Community Health Data Initiative Launched
[Ed. Note: HRW is pleased to introduce Katherine Matos to the blog. Katherine is a 3rd year student at Seton Hall Law and the principal inventor on a patent application in the field of medical imaging, resulting from her research as a student at Stevens Institute of Technology, from which she graduated with degrees in biomedical engineering and history. She has published work in Health Law Outlook and now serves as an Editor.]
On June 2, Health and Human Services (HHS) Secretary Kathleen Sebelius and Institute of Medicine (IOM) President Harvey Fineberg launched the Community Health Data Initiative (CHDI) at the IOM-sponsored Community Health Data Forum in Washington.[i] The CHDI resulted from a March 11 roundtable between HHS and IOM regarding HHS health data usefulness in developing consumer-based electronic health care applications.[ii] As one of five HHS Flagship initiatives, the CHDI is a public-private effort to “help Americans understand health and health care performance in their communities — and to help spark and facilitate action to improve performance.”
Ultimately, a network of community health data suppliers (beginning with HHS) and data appliers (private innovators) will work together to create applications that:
“(1) raise awareness of community health performance,
(2) increase pressure on decision makers to improve performance, and
(3) help facilitate and inform action to improve performance.”

U.S. Department of Health & Human Services, HHS Open Government Plan, page 60, April 7, 2010, available at http://www.hhs.gov/open/plan/opengovernmentplan/ourplan_openhhs.pdf.
To begin the process, HHS will launch a new online Health Indicators Warehouse by the end of the year to provide the public with community health data, free of charge or any intellectual property constraint.[iii] “In every science-based endeavor, data are the key to the effective action,” said Dr. Fineberg at the Community Health Data Forum. “We need to make more creative and vigorous use of the data we generate now, and we need to create a demand-and-use cycle that will bring about even better information in the future.”[iv] While the National Center for Health Statistics continues to develop the Health Indicators Warehouse, an interim site with one downloadable data set has been made available on the CDC website.
When completed, hundreds (ultimately, thousands) of measures of health care quality, cost, access and public health will be downloadable in a standardized, structured format. “National, state, regional, and county health performance on indicators such as rates of smoking, obesity, diabetes, access to healthy food, utilization of health care services” will be accessible in a single location.[v] Also, users will be able to sort data according to age, gender, race/ethnicity and income where available.
HHS is committed to personal privacy protection and confidentiality “as a fundamental principle governing the collection and use of data.” In any public data releases, individual identifiable information will be protected. Furthermore, HHS will incorporate new approaches to protect confidentiality while maintaining public access into its data release policies.[vi]
To complete the network, HHS is working with private parties, including technology innovators, researchers, companies, and health advocacy groups to utilize the data and provide feedback. “As a nation, we can and should harness the exploding creativity in our information technology and media sectors to help us get the most public benefit out of our data investments,” stated Secretary Sebelius.[vii]
In preparation for the Community Health Data Forum, developers such as Microsoft, Google, and Ingenix created software platforms for the presentation of health data.[viii] The Forum featured demonstrations of Web tools for citizen access to health performance data, dashboards for civic leaders to ascertain and improve community health, an online game for learning local health status facts, an enhanced internet search engine that integrates hospital performance data with search results, and mobile phone applications.[ix]
Finally, White House Chief Technology Officer Aneesh Chopra announced that the administration would host the 2010 Health 2.0 Developer Challenge with the support of HHS and the CHDI.[x] Health 2.0 will host a series of events including multi-disciplinary “code-a-thons,” culminating in the final Challenge at the Health 2.0 Annual Conference October 6-9, 2010.
References:
U.S. Department of Health & Human Services, HHS Open Government Plan, April 7, 2010, available at http://www.hhs.gov/open/plan/opengovernmentplan/ourplan_openhhs.pdf.
U.S. Department of Health & Human Services, News Release: Putting Data and Innovation to Work to Help Communities and Consumers Improve Health, June 2, 2010, available at http://www.hhs.gov/news/press/2010pres/06/20100602a.html.
Genevieve Douglas, HHS Launches New Data Initiative Focused on Improving Community Health, BNA’s Health Care Daily Report, June 3, 2010, available at http://news.bna.com/hdln/HDLNWB/split_display.adp?fedfid=17265216&vname=hcenotallissues&fn=17265216&jd=a0c3g8b4c1&split=0.
[i] U.S. Department of Health & Human Services, News Release: Putting Data and Innovation to Work to Help Communities and Consumers Improve Health, June 2, 2010, available at http://www.hhs.gov/news/press/2010pres/06/20100602a.html.
[ii] Genevieve Douglas, HHS Launches New Data Initiative Focused on Improving Community Health, BNA’s Health Care Daily Report, June 3, 2010, available at http://news.bna.com/hdln/HDLNWB/split_display.adp?fedfid=17265216&vname=hcenotallissues&fn=17265216&jd=a0c3g8b4c1&split=0.
[iii] U.S. Department of Health & Human Services, News Release: Putting Data and Innovation to Work to Help Communities and Consumers Improve Health, June 2, 2010, available at http://www.hhs.gov/news/press/2010pres/06/20100602a.html. U.S. Department of Health & Human Services, HHS Open Government Plan, April 7, 2010, available at http://www.hhs.gov/open/plan/opengovernmentplan/ourplan_openhhs.pdf.
[iv] Genevieve Douglas, HHS Launches New Data Initiative Focused on Improving Community Health, BNA’s Health Care Daily Report, June 3, 2010, available at http://news.bna.com/hdln/HDLNWB/split_display.adp?fedfid=17265216&vname=hcenotallissues&fn=17265216&jd=a0c3g8b4c1&split=0.
[v] U.S. Department of Health & Human Services, News Release: Putting Data and Innovation to Work to Help Communities and Consumers Improve Health, June 2, 2010, available at http://www.hhs.gov/news/press/2010pres/06/20100602a.html.
[vi] U.S. Department of Health & Human Services, HHS Open Government Plan, April 7, 2010, available at http://www.hhs.gov/open/plan/opengovernmentplan/ourplan_openhhs.pdf, page 2.
[vii] Genevieve Douglas, HHS Launches New Data Initiative Focused on Improving Community Health, BNA’s Health Care Daily Report, June 3, 2010, available at http://news.bna.com/hdln/HDLNWB/split_display.adp?fedfid=17265216&vname=hcenotallissues&fn=17265216&jd=a0c3g8b4c1&split=0.
[viii] Genevieve Douglas, HHS Launches New Data Initiative Focused on Improving Community Health, BNA’s Health Care Daily Report, June 3, 2010, available at http://news.bna.com/hdln/HDLNWB/split_display.adp?fedfid=17265216&vname=hcenotallissues&fn=17265216&jd=a0c3g8b4c1&split=0.
[ix] U.S. Department of Health & Human Services, News Release: Putting Data and Innovation to Work to Help Communities and Consumers Improve Health, June 2, 2010, available at http://www.hhs.gov/news/press/2010pres/06/20100602a.html
[x] Genevieve Douglas, HHS Launches New Data Initiative Focused on Improving Community Health, BNA’s Health Care Daily Report, June 3, 2010, available at http://news.bna.com/hdln/HDLNWB/split_display.adp?fedfid=17265216&vname=hcenotallissues&fn=17265216&jd=a0c3g8b4c1&split=0.
Breach Notification for Unsecured Protected Health Information
By: Michael R. Spaltro
Gordon Moore, Intel co-founder, famously predicted that the speed of technology will double about every two years. Between 1981 and 1991, “computer processing speed increased tenfold, the instruction execution rate a hundred fold, system memory grew a thousand times, and system storage expanded by a factor of 10,000.” That was just the beginning. Intel has kept that pace for nearly 40 years, now introducing the world’s first 2-billion transistor microprocessor. The development of fundamental computer technology has translated into ubiquitous information technology infrastructure. Deploying information technology within the healthcare industry is significantly complicated by the indispensability of life and health to everything else we do. The privacy of electronic health records (“EHR”) that contain personally identifiable health information (“PHI”) is one area of particular concern.
Health care providers, health care plans, health care clearinghouses, and their business associates across the country are currently using EHRs as an efficient method to locally store patient records.[1] EHRs may contain patient treatment history, social and demographic data, and a multitude of other personal health information (“PHI”).[2] If the underlying computer technology continues to grow at the staggering pace predicted by Moore’s Law, the function of EHRs will expand to “assume a key role in medical diagnosis and treatment management.”[3] Moreover, the Food and Drug Administration, in collaboration with public, academic, and private entities, is expected to use EHRs to link and analyze medical safety data from over 100 million patients by July 2012.[4] The resulting electronic network of interoperable healthcare data is of a scale never before contemplated in the industry. Personally identifiable health information, such as the data contained across local provider EHRs, health plan claims databases, and Medicare databases, will be remotely transmitted, stored, accessed, and analyzed.
Transmitting EHRs between an originating entity and the entity/infrastructure involved in research, development, and storage of EHRs, creates an increased potential for internal and external breach. Moreover, as EHRs become populated in local and remote institutions across the country, the incidence of breach ostensibly increases. In the event of breach, an individual may be exposed to a number of dangers. EHRs contain personal information of high value to computer hackers, such as social security numbers or payment information.[5] Furthermore, an otherwise legitimate entity could potentially use health information in a less nefarious way that nonetheless breaches individual privacy. How can we legally protect privacy while realizing the benefit of electronic health information technology?
The Health Insurance Portability and Accountability Act (“HIPAA”) guards against unauthorized access to protected health information. The HIPAA Security Rule and Privacy Rule require an entity such as a health plan, health care provider, business associate, or a health care clearinghouse, to safeguard all protected health information. Civil and criminal penalties are enforced against entities that fail to comply. The FDA’s qualified contractors[6] will similarly be subject to HIPAA under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act by 2017.[7] Therefore, the entire electronic network of EHRs will be covered by the Privacy Rule and the Security Rule. Within covered entities, protected health information is to be stored with any security measure that allows an entity to reasonably and appropriately implement all safeguard requirements. The Security Rule permits a covered entity to use firewalls and other access controls (such as passwords) to safeguard PHI in its electronic form. Without this intangible structure protecting EHRs, unauthorized parties could easily access PHI and PHI could easily flow out to any individual, device, or system that interoperates with EHR databases. The HIPAA Security Rule therefore assures that a covered entity is reasonably protecting an individual’s privacy by safeguarding personal health information.
Firewalls and other reasonable access controls are not impermeable. Earlier this year, an ultra sophisticated hack attack on Google penetrated the multi-billion dollar corporation, causing it to later withdraw from China. Merck & Co. and Cardinal Health Inc. were among others infiltrated in the attack. The extent of information exposed is still not fully understood. Thus, breaches occur even if reasonable and appropriate safeguards are required. The access controls required by HIPAA in the Security Rule are not sufficient to protect a vast network of interoperable EHRs. Further data encryption and/or secure data destruction will eventually be required to protect individual privacy.
Pursuant to the Privacy section of the HITECH Act, Title XIII Division A, Subtitle D, the Department of Health and Human Services (“HHS”) was required to promulgate breach notification rules and regulations for unsecured protected health information (“Breach Rule”). HHS issued a final rule, effective September 23, 2009, requiring all entities and business associates covered under HIPAA to provide notification in the cases of breaches of unsecured protected health information. Presumably, an individual who is made aware that his personal information was compromised is better equipped to mitigate identity theft or other harms that could arise.
The provisions in Section 13402 of the HITECH Act are consistent with HIPAA definitions of a “covered entity” and “protected health information.” The Act defines breach as the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security of that information. In other words, if a firewall or reasonably appropriate access control is breached, a covered entity must report that breach to all of the individuals affected. Importantly, notification of breach is only required for unsecured personal health information. If a covered entity is in the practice of encrypting and/or destroying PHI in accordance with the standards of the National Institute of Standards and Technology (NIST), then that entity does not have to report a breach of its firewalls or access controls. It is only necessary to provide notice if “unsecured protected health information that is not secured through the use of technology or methodology specified…” is breached. The rationale is obvious. If a covered entity encrypts PHI in accordance with NIST standards, then the data is unusable in the event of a breach, and notification would be superfluous.
Consequently, a covered entity has two choices: (1) secure all EHRs that contain PHI; or (2) report breaches of PHI. The Breach Rule encourages covered entities to take the former approach. To secure EHRs that contain PHI, an entity must regularly perform two standard procedures. First, the NIST-published standards recommend a “one pass” method of data deletion for most applications.[8] When electronic data is deleted, it is only removed from the file system. The “image” of the data physically remains on the hard drive of the device. Software and hardware methods of recovering deleted data are available to the public. Therefore, “deleted” PHI data could be recovered by an unauthorized entity in the event of a breach. The NIST recommends that one data overwrite be performed on the deleted data, so as to render it unrecoverable. Depending on the method used and size of the database, data deletion can take up to an hour.
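The difference between removing a file's name and overwriting its contents once can be shown in a few lines of Python. This is an added example, not code from the post or from NIST; the function names and the sample record are constructed for illustration, and the fill value (a single zero byte) is an assumption.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # overwrite in 1 MiB blocks so large files do not fill memory


def overwrite_once(path, fill=b"\x00"):
    """One pass of `fill` (a single byte) over the file's current contents.
    Returns the number of bytes overwritten; the file keeps its length."""
    size = os.path.getsize(path)
    block = fill * CHUNK
    # "r+b" rewrites the existing bytes; "wb" would truncate first and let
    # the file system place the new data in different blocks.
    with open(path, "r+b") as fh:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            fh.write(block[:n])
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())  # force the overwrite out of the OS cache
    return size


def verify_overwritten(path, fill=b"\x00"):
    """Read the file back and confirm every byte equals the fill byte."""
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            if chunk.count(fill) != len(chunk):
                return False
    return True


def clear_and_delete(path):
    """One overwrite pass, read-back verification, then remove the name."""
    written = overwrite_once(path)
    if not verify_overwritten(path):
        raise RuntimeError("overwrite verification failed; file left in place")
    os.remove(path)
    return written


def make_sample_record():
    """Constructed sample data (not real PHI) written to a temporary file."""
    fd, path = tempfile.mkstemp(suffix=".rec")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"patient=Jane Example;ssn=000-00-0000;dx=constructed\n" * 100)
    return path
```

A file-level overwrite like this does not reach copies kept by journaling or copy-on-write file systems, backups, or flash wear-leveling, so it does not by itself sanitize the underlying media.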
Second, and perhaps less straightforward, the NIST recommends data encryption using one of the following four methods: full disk encryption; volume encryption; virtual disk encryption; or file/folder encryption.[9] The capital expenditure necessary to install and maintain encryption software/hardware throughout a covered entity is immense. Furthermore, encrypting millions of EMRs will tax computer processors and networks, and will additionally hamper interoperability. When data is encrypted it loses all functionality, and therefore must be decrypted by the authorized end-user before each use. It would be additionally problematic to transfer encrypted data throughout an electronic network, like that contemplated by the FDA, unless all systems were equipped to recognize and decrypt the data. Thus, under any of the encryption methods above, the net result is a loss of productivity and interoperability. Moreover, encrypted data may not mean secure data. The end-user authorized to access encrypted data will likely decrypt it during the course of a work day. Therefore, so-called encrypted PHI would be exposed to the same daily risks as unsecured PHI. Consequently, the nature of data encryption may not even provide the security and privacy that the Breach Rule contemplates.
While some covered entities are voluntarily choosing to encrypt and secure PHI, the impracticality and cost of data encryption are prohibitive. Covered entities were allowed 180 days to become compliant with the Breach Rule. That period has expired, and most covered entities have not opted to encrypt PHI. Instead, covered entities have put reasonable systems in place to detect breaches, as required by the Breach Rule. The Breach Rule requires notification without unreasonable delay once a covered entity learns of a breach. A majority of states already had breach notification laws in place, and thus covered entities had respective systems in place to detect and report breaches.
Reporting breaches under the Breach Rule still requires some capital expenditure. In some cases, notification to popular media outlets and the Secretary is required. This notification could potentially drive away business and invite legal action. Of greater concern, a major breach and broadcast resulting in legal action may dissuade industry players from adopting EHR systems that could potentially reduce medical error and healthcare costs.[10] However, the burden of encrypting PHI is overwhelming, and perhaps ultimately ineffective. Consequently, the Breach Rule has done little to foster the actual security of PHI. In practice, covered entities merely provide notification of breach. It is unclear how this may or may not benefit a patient whose privacy has been breached. Deploying new EHR technology throughout the healthcare industry presents a risk to individual privacy that is not adequately addressed by the Breach Rule and HIPAA.
Privacy concerns should positively correlate with the volume of online EMRs. Pursuant to the FDAAA, 100 million EHRs will be linked within the FDA’s seminal network by July 2012. The sensitive and valuable nature of robust EHR databases will likely attract the attention of unauthorized parties around the world, and should therefore warrant a heightened level of security. Within two years, encryption technology may prove to be significantly smarter, cheaper, and more efficient. The concerns that bar covered entities from adopting data encryption may be lifted. While absolute data security is not likely attainable under any standard, software operating systems that integrate on-the-fly encryption would be ideal and foolproof. Rules and regulations should proportionately reflect advances in computer technology and the quantity of EMRs over the next two years. To protect public privacy and trust in our healthcare system, all PHI should eventually be encrypted by covered entities and their business associates.
[1] Hoffman and Podgurski, Finding a Cure: The Case for Regulation and Oversight of Electronic Health Record Systems, 22 Harv. J. L. & Tech 103.
[2] Id. at
[3] Id. at
[4] Food and Drug Administration Act of 2007 (FDAAA), 21 U.S.C. 355(k)(3).
[5] See, Hoffman, supra note 1, at 113.
[6] 21 U.S.C. 355(k)(3). A qualified contractor is similar to a business associate. The FDA contracts with entities that are deemed “qualified” within the meaning of the Act.
[7] See, HITECH, Pub. L. No. 111-5 Section 13401 and 13404.
[8] Special Publication 800-88, available at http://csrc.nist.gov.
[9] Special Publication 800-111, available at http://csrc.nist.gov.
[10] See, Hoffman, supra note 1, at 104.
Reform Rodeo: Latest News & Interviews; CER; the Constitution; HIT; Robotic Surgery
1. News: Kaiser Health News keeps you up to date by rounding up various stories on the Dems’ latest down-to-the-wire push on health reform. Their coverage of Representative Dennis Kucinich’s (and other reluctant Dems’) endorsement of the bill is here.
2. Betting on Health Care: The New York Times asks health wonks for opinions on the chances of passing health reform. Respondents include Robert Reich, former secretary of labor; Gail Wilensky, Project Hope; Paul Starr, professor of public policy; James C. Capretta, Ethics and Public Policy Center; Karen Davenport, Center for American Progress; Jacob S. Hacker, political science professor.
3. Evidence-based Medicine: A group at the New England Journal of Medicine proposes 5 steps to advance one of the most promising–yet often ignored–means of reforming our health care system: comparative effectiveness research.
4. Deem and Pass: Jonathan Adler at the Volokh Conspiracy discusses the constitutionality of the “deem and pass.” Regardless of its constitutionality, Ezra Klein exposes some factual inaccuracies in recent reporting on the tactic.
5. The Blues: The Pittsburgh Post-Gazette alerts us to a lawsuit by Highmark Inc. against the Pennsylvania Department of Insurance, which claims that the Department exceeded its authority when challenging Highmark’s proposed merger with Independence Blue Cross.
6. Meaningful Use Partial Credit: John Halamka at Life As A Healthcare CIO discusses the aggressive thresholds for meaningful use that have been set in the most recent rules, and what the HIT Policy Committee is doing to assuage those concerns.
7. Wild Card: A new TED talk about the current state of robotic surgery. An article covering the topic can be found here.
Reform Rodeo! The Summit, Speed Dating, and More.
1. Summit!: Fretting about how to get your dose of tomorrow’s “summit”? Don’t worry, CSPAN has got you covered for the Health Care Summit that is kicking off at 10am.
2. Managed Care Meltdown?: Joe Paduda at Managed Care Matters points out that the Anthem rate increases have shown an inability for private insurers to control costs. What Paduda is missing in his piece is advice to private health insurers about how to manage costs without another “managed care backlash” like we had in the 1990s.
3. The Cost Conundrum’s Conundrum, or Just a Canard?: Maggie Mahar has a beef with the New York Times’ channeling of Dr. Bach’s New England Journal of Medicine article, where Dr. Bach criticized the Dartmouth Atlas researchers’ methodology by claiming that they failed to risk adjust. Dr. Atul Gawande also believes the criticism is misplaced.
4. Health Care and Reconciliation are BFFs: NPR reports on a somewhat cozy relationship between reconciliation and previous health care initiatives.
5. What do speed dating and OB/GYN docs have in common? Kevin MD discusses how hospitals are utilizing speed dating techniques to match obstetricians with potential patients.
6. HIT, Yeah You Know Me: Dr. John Halamka with a slew of handouts from the HIT Policy Committee’s recent meeting, as well as notes from a recent meeting of the HIT Standards Committee.
Posts from Health Reform Watch have been cited by media sources throughout the country, including The New York Times, Washington Post, L.A. Times, Kaiser Health News, The Health Care Blog, NPR's Planet Money Blog, Duke Univ. Med. Center News, American Health Line Alerts, BusinessWeek.com, Concurring Opinions, Balkinization, The New England Journal of Medicine, Harvard's Nieman Foundation for Journalism, Las Vegas Sun, Maggie Mahar, Ezra Klein, Tom Geoghegan, and the official homepage of the Office of the Democratic Majority Leader of the House of Representatives, Steny Hoyer.