Personal Health Records: Is Unraveling Inevitable?

June 9, 2011 by Frank Pasquale · Leave a Comment
Filed under: EMR, Electronic Medical Records

I look forward to reconnecting with everyone who is attending the health law professors conference in Chicago. My presentation will be applying some of the ideas of Scott Peppet (on self-quantification and unraveling) to personal health records. I found these ideas from Peppet’s post on biometric identification particularly interesting:

The biometric technologies firm Hoyos (previously Global Rainmakers Inc.) recently announced plans to test massive deployment of iris scanners in Leon, Mexico, a city of over a million people. . . . [T]he company’s roll-out strategy is explicitly premised on the unraveling of privacy created by the negative inferences & stigma that will attach to those who choose not to participate. Criminals will automatically be scanned and entered into the database upon conviction. Jeff Carter, Chief Development Officer at Hoyos, expects law abiding citizens to participate as well, however. Some will do so for convenience, he says, and then he expects everyone to follow: “When you get masses of people opting-in, opting out does not help. Opting out actually puts more of a flag on you than just being part of the system. We believe everyone will opt-in.” (For the full interview, see Fast Company’s post on the project.)

I’ve previously looked at the limits of individualist accounts of autonomy in work on pharmaceuticals (here and here), and scholars like Robert Ahdieh are questioning individualism in law & economics generally. As Nic Terry has argued, many of the critiques of CDHC apply to PHRs, and vice versa.

As of a few years ago, “it wasn’t illegal to hire and fire people based on their smoking habits” in 21 states. I think there will be many difficult questions raised in coming years by the growth of medical records of all types, and how many secondary uses of them are permitted. For example, some dating sites will now verify the income and assets of their users. How soon before they (and other certification and evaluation intermediaries) start vouching for health profiles? Does law have a role in these situations? I’ll try to explore these questions, and I’ll post more details about the presentation after getting some feedback.

Tags: Electronic Medical Records, EMR, Health Care Reform, Health Reform, HIT, Identitiy, Privacy, Self-Quantification, Unraveling

Rethinking IMS Health v. Sorrell: Privacy as a First Amendment Value

April 25, 2011 by Frank Pasquale · 1 Comment
Filed under: Health Law, Privacy

Today the Supreme Court will hear oral arguments in IMS Health v. Sorrell. The case pits medical data giant IMS Health (and some other plaintiffs) against the state of Vermont, which restricted the distribution of certain “physician-identified” medical data if the doctors who generated the data failed to affirmatively permit its distribution.* I have contributed to an amicus brief submitted on behalf of the New England Journal of Medicine regarding the case, and I agree with the views expressed by brief co-author David Orentlicher in his excellent article Prescription Data Mining and the Protection of Patients’ Interests. I think he, Sean Flynn, and Kevin Outterson have, in various venues, made a compelling case for Vermont’s restrictions. But I think it is easy to “miss the forest for the trees” in this complex case, and want to make some points below about its stakes.**

Privacy Promotes Freedom of Expression

Privacy has repeatedly been subordinated to other, competing values. Priscilla Regan chronicles how efficiency has trumped privacy in U.S. legislative contexts. In campaign finance and citizen petition cases, democracy has trumped the right of donors and signers to keep their identities secret. Numerous tech law commentators chronicle a tension between privacy and innovation. And now Sorrell is billed as a case pitting privacy against the First Amendment.
Read more

Tags: Data Mining, Electronic Data, First Amendment, Health Care Reform, Health Reform, IMS Health v. Sorrel, Patient Rights, Prescription Drugs, Privacy

Can Suspicious Activity Reports Trigger Health Data Gathering?

December 22, 2010 by Frank Pasquale · 1 Comment
Filed under: EMR, Privacy

In an article entitled “Monitoring America,” Dana Priest and William Arkin describe an extraordinary pattern of governmental surveillance. To be sure, in the wake of the attacks of 9/11, there are important reasons to increase the government’s ability to understand threats to order. However, the persistence, replicability, and searchability of the databases now being compiled for intelligence purposes raise very difficult questions about the use and abuse of profiles, particularly in cases where health data informs the classification of individuals as threats.

First, a little background. We traditionally think of law enforcement as needing some kind of probable cause to ground or justify the pursuit of an investigation. However, with the rise of the new Information Sharing Environment (often enacted by fusion centers, which provide one-stop shopping for access to data), a much broader set of law enforcement prerogatives is emerging. Fusion centers have promoted a domestic intelligence apparatus, which is designed not merely to solve crimes but also to generate a wide range of knowledge which could lead to the deterrence and detection of “all threats, all crimes, all hazards.”

The Department of Homeland Security has taken a number of innovative steps to deputize monitoring of individuals, asking personnel ranging from local law enforcement to cable repairmen to hotel cleaners to be on the alert for suspicious activity. Once such activity is detected, the detector can in some cases file a persistent Suspicious Activity Report. These SARs are entered into an FBI database, and quite possibly inform many other counterterror, intelligence, and even private sector initiatives. Arkin & Priest’s story gives a sample Suspicious Activity Report, and speculates about how its creation may affect the object of the profile:

The FBI is building a vast repository controlled by people who work in a top-secret vault on the fourth floor of the J. Edgar Hoover FBI Building in Washington. This one stores the profiles of tens of thousands of Americans and legal residents who are not accused of any crime. What they have done is appear to be acting suspiciously to a town sheriff, a traffic cop or even a neighbor.

[For an example of what might go in the database, consider] Suspicious Activity Report N03821 says a local law enforcement officer observed “a suspicious subject . . . taking photographs of the Orange County Sheriff Department Fire Boat and the Balboa Ferry with a cellular phone camera.” The confidential report, marked “For Official Use Only,” noted that the subject next made a phone call, walked to his car and returned five minutes later to take more pictures. He was then met by another person, both of whom stood and “observed the boat traffic in the harbor.” Next another adult with two small children joined them, and then they all boarded the ferry and crossed the channel.

All of this information was forwarded to the Los Angeles fusion center for further investigation after the local officer ran information about the vehicle and its owner through several crime databases and found nothing. Authorities would not say what happened to it from there, but there are several paths a suspicious activity report can take:

At the fusion center, an officer would decide to either dismiss the suspicious activity as harmless or forward the report to the nearest FBI terrorism unit for further investigation. At that unit, it would immediately be entered into the Guardian database, at which point one of three things could happen:

The FBI could collect more information, find no connection to terrorism and mark the file closed, though leaving it in the database. It could find a possible connection and turn it into a full-fledged case. Or, as most often happens, it could make no specific determination, which would mean that Suspicious Activity Report N03821 would sit in limbo for as long as five years, during which time many other pieces of information about the man photographing a boat on a Sunday morning could be added to his file[.]

[That data includes] employment, financial and residential histories; multiple phone numbers; audio files; video from the dashboard-mounted camera in the police cruiser at the harbor where he took pictures; and anything else in government or commercial databases “that adds value,” as the FBI agent in charge of the database described it. That could soon include biometric data, if it existed; the FBI is working on a way to attach such information to files. Meanwhile, the bureau will also soon have software that allows local agencies to map all suspicious incidents in their jurisdiction.

Given the expansive reservoirs of data already accessible to fusion centers, I would not be surprised if they took the position that health records “add value” to the data gathering. Civil libertarians can object to many types of data gathering, but for purposes of this post, I would like to focus on healthcare data. First, to what extent can a health condition itself give rise to a Suspicious Activity Report? Secondly, are there any concerted efforts to deputize medical personnel to report on suspicious activity? Finally, and I believe most importantly, how is the vast store of healthcare data presently associated with individuals utilized by the data mining programs of the surveillance state?

We daily learn of troubling data gathering practices online. For example, Arvind Narayanan has described rather indiscriminate data gathering by third parties:

The Facebook “like” button is a prominent . . . example[] of third-party tracking not directly related to behavioral advertising. . . . Facebook can keep track of all the pages you visit that incorporate the button, whether or not you click it. Did you know, for example, that the UK National Health Services website has the like button, among other trackers, on all their disease pages?

One need only visit the Wall Street Journal’s recent series on privacy to realize that all manner of health-related data can be generated about an individual with little to no restrictions imposed by HIPAA or effectively enforced by the FTC. To take one example, consider the scraping (copying) of data at a site called PatientsLikeMe:

At 1 a.m. on May 7, the website PatientsLikeMe.com noticed suspicious activity on its “Mood” discussion board. There, people exchange highly personal stories about their emotional disorders, ranging from bipolar disease to a desire to cut themselves. It was a break-in. A new member of the site, using sophisticated software, was “scraping,” or copying, every single message off PatientsLikeMe’s private online forums.

Who knows how many incidents like this go unreported each year? Finally, the government itself is keeping a record of prescription drug use, which apparently was used after the Virginia Tech shooting. Law enforcement exceptions to HIPAA (and, presumably, HITECH) may give an official imprimatur for similar activities even if they involve “covered entities.”

The clash of intelligence prerogatives and health privacy always raises difficult issues. For now, I would just like to make one claim about the need for the government to be forthright about whether it is collecting health care data while profiling citizens. Such data gathering should not be what David Pozen calls a “deep secret;” that is, citizens should not be “in the dark about the fact that they are being kept in the dark.” Rather, we need to understand whether this very personal and important data is being commandeered to fight an “enemy within.”

There are broader principles for fair disclosure of the workings of the surveillance state. First, people are all too eager to sign up for new health “apps” and affinity groups without having any sense of how these activities and affiliations can affect their future. There is still a lazy public/private distinction affecting far too much of consumer conduct; I hear so-called internet experts wondering why anyone would worry about data stored by a private company because “they’re not the government.” Arkin & Priest have consistently shown that the public/private distinction is evanescent at best, a confounding development in social affairs that leaves libertarians sounding like communists.

Julie Cohen’s recent article in Social Research observes that there is a much larger political economy of surveillance that has accelerated both data gathering and profiling:

Devaluation of privacy is bound up with our political economy and with our public discourse about information policy in important ways that have little or nothing to do with official conduct. . . . Flows of data are facilitated by corporate data brokers like ChoicePoint, Experian, and Axciom. To help companies (and governments) make the most of the information they purchase, an industry devoted to “data mining” and “behavioral advertising” has arisen; firms in this industry compete with one another to develop more profitable methods of sorting and classifying individual consumers.

In the United States, a number of federal agencies have awarded multimillion dollar contracts to corporate data brokers to supply them with personal information about both citizens and foreign nationals. Privacy restrictions that limit the extent to which the government can itself collect personal information generally do not apply to such purchases at all. The government has deployed secrecy to great effect where these initiatives are concerned, with the result that we still understand too little about many of them. Legal regimes purporting to guarantee official transparency are in fact indeterminate on how much openness to require.

These processes let important decisionmakers in both the private and public sectors exist behind a “one way mirror.” Even if full transparency would compromise data gathering, citizens must know whether certain critical information (including health data) is being commandeered by the domestic intelligence apparatus.

Tags: Cybersecurity, Electronic Medical Records, EMR, Health Care Reform, Health Reform, Internet, Personal Health Records, PHR, Privacy

Privacy Paradigms: From Consent to Reciprocal Transparency

October 25, 2010 by Frank Pasquale · 1 Comment
Filed under: EMR, Electronic Medical Records, IT

frank-pasquale-cropped-dsc_6024-2 Computational innovation may improve health care by creating stores of data vastly superior to those used by traditional medical research. But before patients and providers “buy in,” they need to know that medical privacy will be respected. We’re a long way from assuring that, but new ideas about the proper distribution and control of data might help build confidence in the system.

William Pewen’s post “Breach Notice: The Struggle for Medical Records Security Continues” is an excellent rundown of recent controversies in the field of electronic medical records (EMR) and health information technology (HIT). As he notes,

Many in Washington have the view that the Health Insurance Portability and Accountability Act (HIPAA) functions as a protective regulatory mechanism in medicine, yet its implementation actually opened the door to compromising the principle of research consent, and in fact codified the use of personal medical data in a wide range of business practices under the guise of permitted “health care operations.” Many patients are not presented with a HIPAA notice but instead are asked to sign a combined notice and waiver that adds consents for a variety of business activities designed to benefit the provider, not the patient. In this climate, patients have been outraged to receive solicitations for purchases ranging from drugs to burial plots, while at the same time receiving care which is too often uncoordinated and unsafe. It is no wonder that many Americans take a circumspect view of health IT.

Privacy law’s consent paradigm means that, generally speaking, data dissemination is not deemed an invasion of privacy if it is consented to. The consent paradigm requires individuals to decide whether or not, at any given time, they wish to protect their privacy. Some of the brightest minds in cyberlaw have focused on innovation designed to enable such self-protection. For instance, interdisciplinary research groups have proposed “personal data vaults” to manage the emanations of sensor networks. Jonathan Zittrain’s article on “privication” proposed that the same technologies used by copyrightholders to monitor or stop dissemination of works could be adopted by patients concerned about the unauthorized spread of health information.

If individuals had enough time to manage their personal data the way they manage their checkbooks and gardens, perhaps the consent paradigm would be a good foundation for addressing public concerns about privacy. If applicants could easily bargain with would-be employers over privacy, or patients with hospitals, perhaps we could rely on them to protect their interests. But actual occurrences of such acts of self-assertion and self-protection are rare. Given the frequently abstract benefits that privacy and reputational integrity afford, they are often traded away for competitive economic advantage. This process further erodes societal expectations of privacy.

A collective commitment to privacy is far more valuable than a private, transactional approach that all but guarantees a race to the bottom. If such a collective commitment does not materialize, record systems will only deserve trust if they become as transparent as the patients and research subjects they profile. Given corporate assertion of trade secrecy (and even privacy rights), reciprocal transparency will not be easy to achieve. Nevertheless, repeated breaches, fraud, and data meltdowns in the US should provoke an alliance of socially responsible researchers to lobby the US government to set minimal standards of reciprocal transparency and auditing. Consumers can only trust innovators if they can understand what is being done with data. As we become “transparent citizens” (as Joel Reidenberg puts it), we should demand that the corporate, university, and governmental authors of that trend reciprocate, and become more open about the data they gather.

Fortunately, as a recent presentation by Deborah Peel reminded me, there is significant audit authority built into the recent HITECH act which may curb some abuses. Audits will become increasingly important as a “wild west” of health data is excavated by scrapers, marketers, and other data miners.

Consider, for instance, the following scenario: contributors to the medical website PatientsLikeMe.com found that “Nielsen Co., [a] media-research firm . . . was ‘scraping,’ or copying, every single message off PatientsLikeMe’s private online forums.” Had the virtual break-in not been detected, health attributes connected to usernames (which, in turn, can often be linked to real identities) could have spread into numerous databases. A reciprocal transparency paradigm would require all those harboring health data to have some certified indication of its legitimate provenance. Data would not be allowed to persist without certification of its provenance.

Unforeseen spread of inaccurate or inappropriate health data is not just a problem for those who want to avoid getting solicitations for burial plots after a sensitive appointment. Given law enforcement exceptions to medical privacy laws and regulations, it should come as little surprise that the government claims that “a 2005 law authorizes it to monitor and record all prescription drug use by all citizens via so-called “Prescription Drug Monitoring Programs.” Such programs may just be the tip of an iceberg of new domestic intelligence programs that rely on private companies to act as “big brother’s little helpers.”

Whenever health data is fed into an evaluative profile of an individual, there should be safeguards in place to assure that the data is accurate, and that the resulting profile is, if at all possible, not used to harm or disadvantage the individual. Without assurances like these, we can count on continued resistance to the development of health data infrastructures.

Tags: Electronic Medical Records, EMR, Health Care Reform, Health Reform, HIPAA, HIT, Privacy

CVS & HHS: Partners in Compromising Your Privacy

June 28, 2010 by James Christiano · Leave a Comment
Filed under: Health Law, Prescription Drugs, Privacy

cvs-receipt On January 16, 2009, the Department of Health and Human Services (HHS) and CVS entered into a resolution agreement requiring CVS to pay a $2.25 million fine and implement a corrective action plan for “potential violations of the HIPAA [The Health Insurance Portability and Accountability Act of 1996] privacy rule.” Why? CVS had allegedly been placing prescription bottles and labels into dumpsters that were accessible to the public. The bottles/labels contained protected health information (PHI), which CVS was required to safeguard under federal law.

Although HHS appears to regard the settlement as a success, given its prominence on the HIPAA enforcement section of HHS’s website, it is nothing of the sort. The agreement provides that CVS “expressly den[ies] any violation of HIPAA or the Privacy Rule, and further den[ies] any wrongdoing,” while HHS does not concede that CVS is “in compliance with the Privacy Rule.” HHS did agree with itself, however, releasing an FAQ (accompanying the press release) stating that under its Privacy and Security Rules: “covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.”

Why is this old news important? This week I had a prescription filled at my local CVS pharmacy in Livingston, New Jersey. While standing at the pharmacy I noticed that all of the filled prescriptions were stored directly behind the counter in plain view of any customer. Each prescription was inside a small bag to which a customer receipt was attached. The receipts in the front row of the storage bins were readable from the counter. The receipts contain protected health information (PHI) that is subject to the Privacy and Security Rules of HIPAA including:

1) Full name,

2) Address,

3) Telephone number,

4) Day and month of birth,

5) Drug name and dosage, and

6) Prescriber.

HHS maintains the authority for civil enforcement of violations of the Privacy and Security Rules promulgated pursuant to HIPAA. So, why is it that CVS allows the public to view its customers’ PHI in violation of HIPAA even while still subject to the corrective action plan for its prior alleged violations? Well, I asked the pharmacist on duty. The pharmacist acknowledged that it was a problem that the PHI could be viewed from the counter. However, CVS was expecting to remodel and “hopefully” the shelf would be placed farther away to render the PHI unreadable. Upon requesting the contact information for CVS’s privacy officer, the pharmacist readily provided such information and stated that she would “appreciate” someone actually reporting the apparent violation.

HHS was recently provided with additional enforcement tools under the HITECH provisions of the American Recovery and Reinvestment Act of 2009. Unfortunately, it does not appear that HHS is serious about enforcing its own regulations or resolution agreements; nor, if the flagrantly violative placement of prescriptions is indicative of mindset, is CVS serious about HIPAA compliance.

Tags: Health Care Reform, Health Reform, HIPAA, Prescription Drugs, Privacy, Protected Health Information, The HITECH Act Compliance

RFID Tags for Nurses, then Everybody?

June 22, 2010 by Frank Pasquale · 1 Comment
Filed under: Privacy, Research, Transparency

survselfhelplittle The recent City of Ontario v. Quon decision has had a mixed reception among privacy advocates. Though many are disappointed that employees’ privacy rights have once again been narrowed, some have discerned helpful dicta in the case. However, I worry that, whatever the drift of thought among swing justices, economic imperatives and cultural shifts will mean a lot less privacy in the workplace of the future. Health care in particular offers a few interesting bellwethers.

As an opinion piece by Theresa Brown explains, maintaining proper staffing levels in hospitals is becoming increasingly difficult. Surveillance systems are offering one way to address the problem; work can be performed more intensively and efficiently as it is recorded and studied. But such monitoring has many troubling implications, according to Torin Monahan (in his excellent book, Surveillance in a Time of Insecurity):

The tracking of people [via Radio Frequency Identification Tags] represents a . . . mechanism of surveillance and social control in hospital settings. This includes the tagging of patients and hospital staff. . . . When administrators demand the tagging of nurses themselves, the level of surveillance can become oppressive. . . . [because nurses face] labor intensification, job insecurity, undesired scrutiny, and privacy loss. . . . To date, such efforts at top-down micromanagement of staff by means of RFID have met with resistance. . . . One desired feature for nurses and others is an ‘off’ switch on each RFID badge so that they can take breaks without subjecting themselves to remote tracking. (122)

Like the “nannycam” employed by many a wary parent, the nurse-cam may be seen as a way to protect the vulnerable. It may also increase the accuracy of evidence in malpractice cases. On the other hand, inserting a tireless electronic eye to monitor what is already an extremely stressful job may create many unintended consequences, or deter people from going into nursing altogether. Even advocates of pervasive surveillance recognize these difficulties.

The increasing pressure to monitor what happens inside hospitals reminds me of a recent article by Thomas Goetz in Wired (no link yet) on Google co-founder Sergey Brin’s quest to find a cure for Parkinson’s disease. As Goetz describes it, a new form of “high-speed science” depends on rapid accumulation of as much data as possible:

In Brin’s way of thinking, each of our lives is a potential contribution to scientific insight. We all go about our days, making choices, eating things, taking medications, doing things—generating what is inelegantly called data exhaust. . . . With contemporary computing power, that data can be tracked and analyzed. “Any experience that we have or drug that we may take, all those things are individual pieces of information. Individually, they’re worthless, they’re anecdotal. But taken together they can be very powerful.” In computer science, the process of mining such large data sets for useful associations is known as a market-basket analysis.

Goetz has promoted this as a new way to “do science in the petabyte age.”
Read more

Tags: EMR, Health Care Reform, Health Reform, Privacy, Reality Mining, RFID

Patient Safety and Quality Improvement: Civil Money Penalty Inflation Adjustment

May 14, 2010 by Guest Blogger · 1 Comment
Filed under: EMR, Electronic Medical Records

By: Constantina Koulosousas

The first manned balloon ascent on October 15, 1783, to a height of 25 meters. This ascent was made by the Marquis d'Arlandes and Pilatre de Rozier. In: "Histoire des Ballons et des Aeronautes Celebres," by Gaston Tissandier, 1887, p. VII.

The Patient Safety and Quality Improvement Rule was amended, effective November 23, 2009, by the Department of Health and Human Services to adjust the maximum civil money penalty amount for violations of the confidentiality provisions. The amount was adjusted for inflation to comply with the Federal Civil Penalties Inflation Adjustment Act of 1990. This amendment was carried out through direct final rule making, as HHS expected no significant adverse comments to the rule.

The Patient Safety and Quality Improvement Act of 2005 created a voluntary program for health care providers to share what is known as “patient safety work product” (PSWP), or any information relating to patient safety events and concerns with each other and Patient Safety Organizations (PSOs). The Department of Health and Human Services is required to maintain a listing of all PSOs.

The Act amended Title IX of the Public Health Service Act for the purpose of improving patient safety and quality of care. As with attorney work product, this information is privileged and confidential. While the program may be voluntary, a knowing or reckless violation of the confidentiality requirements of the Act can result in a civil money penalty of up to $10,000 for each violation, as assessed by the Office for Civil Rights.

The deterrence effect of the civil money penalties had been reduced by inflation. This caused Congress to enact the Inflation Adjustment Act. This Act requires Federal agencies to issue regulations adjusting each civil money penalty found within the Public Health Service Act within their jurisdiction, for inflation. The agencies are required to issue these regulations at least once every four years from July 29, 2005, the date of its enactment. The inflation amount is adjusted through a three-step process.

First, the agency must calculate an increase in the penalty amount by a “cost-of-living adjustment.” “Cost-of-living adjustment” is defined in the act as the percentage for each civil monetary penalty by which the Consumer Price Index for the month of June of the calendar year preceding the adjustment, exceeds the Consumer Price Index for the month of June of the calendar year in which the amount of such civil money penalty was last set or adjusted pursuant to law.

Second, the amount of increase must be rounded based on the size of the penalty as set forth in section 5(a) of the Act. Since the penalty in this case is $10,000, the increase is $1,000, making the final maximum penalty amount $11,000. Finally, the third step requires that a first adjustment be limited to 10 percent of the penalty amount. Accordingly, an $11,000 adjusted penalty is appropriate.

One great benefit of the Act is to make sure that the penalties assessed for such violations provide adequate deterrence to potential violators. This is done by periodically increasing the violation amount to account for inflation over time. Especially now in the wake of the massive health care reform and improvements in the use of Electronic Health Records, it is important to ensure patients that their personal health information remains confidential and that a breach of this confidentiality requirement will result in steep monetary penalties.

On the contrary, many may argue that the increase in the penalty amount is not adequate. Since the Act imposes a 10% cap in addition to a standard chart for calculating the inflation, it may not always be completely in sync with the current economic environment. Further, these penalty amounts are only updated every four years, which leaves a significant gap in time.

Additionally, the slight increase in money penalties assessed will not do much to comfort patients that their health information is protected and confidential. Once the information gets out, there is no amount of money assessed as a violation that can remedy the breach and the damage which may have already been done. Further, to many of the entities involved in such violations, a $10,000 penalty may seem like an insignificant slap on the wrist.

The Act only punishes a “knowing or reckless” violation of the confidentiality provisions, so breaches that occur unintentionally will not subject physicians or PSOs to liability. This mental state requirement is especially important as electronic health record software gets ironed-out, to get rid of any technical issues or glitches that may arise in the course of implementing such a national electronic system.

Conversely, the “knowing or reckless” standard may pose some difficulties enforcing liability under the Act, as it may not always be easy to prove that the confidentiality breach was done with such a state of mind, or even where the disclosure came from.

Tags: EMR, Health Care Reform, Health Reform, Patient Safety and Quality Improvement Act of 2005, Privacy

HIPAA, The HITECH Act, and How Google May Still Be Able to Distribute, and Profit From, Your Personal Health Info

August 6, 2009 by Jordan T. Cohen · 7 Comments
Filed under: EMR, Electronic Medical Records, IT

Photo by Jonathunder

Below I will explore what seems to be a gaping hole in the HITECH Act. However, as with any new legislation, it is often necessary to reexamine the laws that preceded it, which in this case is HIPAA. This is particularly true given that the HITECH Act does not replace HIPAA. Rather, it provides–amongst other things–additional security and privacy safeguards with respect to health information. To that extent, at least a cursory reexamination of HIPAA is required before understanding HITECH and the importance of comprehensive legislation.

HIPAA was a product of the 1990’s–an era triggering nostalgic memories of grunge music for some, and the (in)famous Macarena dance for others. For a large part of this period, the Internet was accessed by a handful of tech savvy individuals who dialed into services like CompuServ, Prodigy, and AOL. It was during this transition that Congress felt the need to make health insurance more portable, as well as standardize the variegated electronic systems that were conducting nonstandard healthcare-related transactions. There was a concomitant concern that health information needed better protection. Thus, in 1996 Congress adopted the Health Insurance Portability and Accountability Act (HIPAA), providing HHS with the responsibility to enforce it. However, the regulation enforcing privacy and security of health information would not be implemented until years later.

HIPAA’s Privacy Rule, which describes the appropriate use and disclosure of certain health information, came into force on April 14th, 2001, updated in 2002, with compliance required by April of 2003. The Security Rule, which establishes the policies and best practices for securing health information, came into force in 2003. Thus, the Privacy and Security Rules (referred to below as HIPAA) came to life in a period of technological transition. New technologies like residential broadband Internet access and Wi-Fi networks were becoming the norm. Electronic Health Record (EHR) systems had been developed, but had only marginal penetration within certain academic medical centers and government entities. Consequently, the threats to patient privacy from early EHRs was much smaller than it is today, since these systems were not widespread and did not often share data over disparate regions. Thus, access to the systems was not necessarily available outside of the intranets where the servers were located.

Acronyms of HIPAA & HITECH

Acronym	Phrase	General Definition (see 160.103 for regulatory language)
PHI	Protected Health Information	Any oral or recorded information relating to any past, present, or future physical or mental health of an individual, provision of healthcare to the individual, or the payment for the healthcare of that individual.
CE	Covered Entity	A group of entities whose use, disclosure, and protection of PHI is regulated by HIPAA and HITECH. CEs are comprised of: 1) Health care provider (e.g. physicians) that submit transactions electronically. 2) Health care plans (e.g. HMOs) 3) Health care clearinghouses (which are public or private entities, including a billing service, repricing company, community health management information system, etc… that processes or facilitates the processing of health information received from another entity in nonstandard form into standard form, or from standard form to non-standard form.
BA	Business Associate	Individuals or organizations performing an activity involving the use or disclosure of PHI on behalf of the CE. BAs can include attorneys, accountants, shredding companies, billing companies, or any other person or organization that is not a CE but which is accessing a CE’s PHI.
EHR	Electronic Health Record	An electronic record of patient care comprised of information about the delivery of care, including demographic information, medications, diagnoses, etc.
PHR	Personal Health Record	An electronic record of patient care comprised of much of the same information that an EHR is comprised of, but which is created and maintained by the individual (usually a patient) as opposed to a provider. Prominent examples are Google Health and Microsoft HealthVault

d

Given the historical context of HIPAA’s passage, it is easy to appreciate HIPAA’s missteps in not specifically focusing on EHRs or PHRs. Rather, HIPAA regulates protected health information at a broader level, focusing primarily on the “use and disclosure” of PHI by CEs, and the best practices and policies for securing the PHI itself. To be fair, the Security Rule does focus on PHI that is stored and transmitted electronically. However, even the most stringent best practices and policies are useless if the corresponding privacy regulations are inadequate.

But the times they are a-changin’–sort of.

Buried on page 112 of the American Recovery and Reinvestment Act (ARRA)–also known as the Stimulus Bill–is Title VIII of the bill, known as the Health Information Technology for Economic and Clinical Health Act, or more commonly, the HITECH Act. One (of the many) purposes of the HITECH Act is to fill in the gaps that have emerged since the Privacy and Security rules came into force. But like before, we are in a transition period. Whereas HIPAA’s passage coincided with a period of generalized transition towards digital information, HITECH has coincided with its own transition: the implementation of personal health records (PHRs). Unfortunately, the current HITECH Bill and regulations have serious flaws in how they protect patient information stored in PHRs. However, before discussing the problems, it is only fair to discuss the benefits to privacy and security that HITECH’s passage has provided.

Specifically, HITECH introduces breach notification requirements. HITECH’s provisions govern the procedures which CEs and BAs must follow if health information has been compromised. HITECH also empowers the FTC to promulgate regulations pertaining to the notification procedures of PHR vendors (as well as those who offer services to PHR vendors). The FTC’s proposed breach notification requirements can be found here. Thus, CEs, BAs, and PHR vendors are, for the first time, required by law to notify individuals if their unsecured PHI has been accessed by unauthorized individuals. Surprisingly, this was not required under HIPAA. CEs were obligated to notify individuals only insofar as the CEs were required by HIPAA to mitigate damages. But now, with the passage of HITECH, breach notification is no longer amorphous, but is spelled out in detail in HITECH’s regulations.

Additionally, HITECH requires BAs to abide by many of the same privacy and security requirements that CEs have had to abide by. Before HITECH, a BA, such as an attorney reviewing the PHI of a CE, was required to sign an agreement promising to protect the PHI that they were accessing, but were not themselves regulated by HIPAA. Thus, BAs had only contractual liability to the CE if the BA violated the rules of the agreement. On the other hand, if a CE violated HIPAA, it was subject to specific penalties and fines by the government.

Under HITECH, BAs must now comply with much of the Privacy and Security Rule, and face many of the same penalties and fines if they violate HIPAA regulations. That is, BAs are now accountable to the government if they improperly use or disclose PHI, or fail to adequately secure PHI.

HITECH also offers other benefits, such as increased enforcement of violations, a strengthening of the requirement that only the minimum necessary information is disclosed to other CEs or BAs, a more thorough framework of accounting for uses and disclosures, as well as a certain prohibitions on the sale of PHI.

The last benefit of HITECH–the prohibition on the sale of PHI–is a perfect springboard for discussing the potential pitfalls of HITECH. The benefits of HITECH may well be sufficient to shore up HIPAA’s gaps when it comes to regulating CEs and BAs. However, as HITECH’s regulatory language makes clear, there remains a gaping hole:

(d) Prohibition on Sale of Electronic Health Records or Protected Health Information-

(1) IN GENERAL- Except as provided in paragraph (2), a covered entity or business associate shall not directly or indirectly receive remuneration in exchange for any protected health information of an individual unless the covered entity obtained from the individual, in accordance with section 164.508 of title 45, Code of Federal Regulations, a valid authorization

The emphasis is added to underscore that PHRs are not included in this provision. There is no corresponding provisions in the FTC’s proposed regulations which concern breach notification. The upshot of this is that, as of the date of this posting, PHR services like Google Health and Microsoft HealthVault are not subject to this prohibition, nor is there a provision in HITECH mandating that PHRs comply with HIPAA’s Privacy and Security Rule. Therefore, PHR vendors can use, disclose–and possibly even sell–an individual’s health information outside of the HIPAA and HITECH regulations. This problem underscores a larger issue: PHRs are not regulated by HIPAA, and only regulated by HITECH insofar as the FTC’s interim rule requires certain breach notification procedures. Read more

Tags: Add new tag, Electronic Medical Records, EMR, FTC, Google, Health Care Reform, Health Reform, HIPAA, Personal Health Records, PHR, Privacy, Proposed Legislation, The HITECH Act

LoJacking Grandma and “Reality Mining,” or “Daddy, What was Anonymity?”

February 7, 2009 by Michael Ricciardelli · 4 Comments
Filed under: Electronic Medical Records, IT

photo by mrsmartino via flickr

Mark Heftler, a geriatric care manager who is slated to begin study at Seton Hall Law in the Fall, has written an interesting article on RFID (Radio Frequency Identification) and its potential usage as a means of early diagnosis of dementia among the elderly. Researchers at the University of South Florida have developed and tested an RFID technology which assesses the walking patterns of those which it monitors.

By monitoring the movements of the elderly within geriatric facilities, “the researchers hope to be able to diagnose the onset Alzheimer’s in their patients. Sudden veers, long pauses, and a tendency to wander are all indicators of dementia.”

As MIT’s Technology Review notes, “Drugs that are currently available can only slow the progression of related diseases, so the earlier dementia is caught, the better a patient’s treatment will be.”

Technology Review also notes, “In particular, dementia increases the risk of injury caused by a fall… ‘That’s a huge problem for assisted-living facilities,’” said William Kearns, an assistant professor who researches aging and mental health at USF.

Not Just Grandma

Although one can readily see the positive cost/benefit and quality of life implications of warding off the falls of the elderly, as Frank Pasquale recently noted on both this blog and Concurring Opinions, the proliferation of “personal” electronic data is not without its danger.

The Technology Review article provides a link to another article which points out that RFID technology is also being harnessed to gather social networking information through what is referred to as “reality mining,”

“…a field that Tanzeem Choudhury pioneered as a PhD student at the MIT Media Lab. Working at Intel after graduation, she created a pager-size sensor pack–loaded with software plus microphones, accelerometers, and other data-gathering devices–to collect and analyze data about human interactions and activity. For instance, by processing verbal utterances, she can identify the most influential people in a social network.

Now an assistant professor of computer science at Dartmouth, Choudhury is conducting experiments with the sensor-laden iPhone. Within a few years, she says, simple versions of her software could be available for cell phones.”

Tags: Alzheimer's, Blogs, Concurring Opinions, dementia, Elderly, EMR, Health Policy Community, IT, Privacy, Professional Geriatric Care Manager's Blog, Reality Mining

Recent Posts

Reorganization of UMDNJ to be Implemented this Year

Navigating the New Field of International Health Law, Featuring Gian Luca Burci, Legal Counsel for WHO

Research, the Avian Flu and Bioterrorism

Bill Requiring Licensure of One-Room Ambulatory Surgery Centers In New Jersey Dies in Gov. Christie’s Pocket

Online Graduate Certificate Programs

Professor Frank Pasquale featured in The Record on ‘A Constitutional Right to Health Care’

New Evidence on Smoking Marijuana and Lung Function; Update on New Jersey’s Nascent Medical Marijuana Program

The Good News is that Health Care Spending is Down

Medicare Payment, a System in Need of Fixing

The Needle (Exchange) and the Damage Done

Physician Payment Sunshine Act Proposed Regulations Out

Of provident kidney stones, health insurance and a CT Scan that may have saved my life

Defining Essential Health Benefits

The Nirvana Fallacy Among Health Care Cost Cutters

Money Out of Politics?

Venture Capitalists Complain of ‘Regulatory Challenges,’ FDA Responds

Will Durant, The Story of Civilization, and Immunization and Human Subject Research, or “I Never Promised You a Rose Garden”

A Call for Improved Guidance on Research with Pregnant Women

Secret Prices: Free Market Triumph or Tragedy?

Update Report, Africa Surgery, Inc., Tom Johnson, Jr., Sierra Leone, December, 2011.

Dr. Donald M. Berwick, Formerly of CMS: an Exit Interview Worth Considering

School-based Health Centers, Mental Health Care and the ACA

Recommended Reading: Recent Scholarship on Drug and Device Regulation

Recent Comparative Studies of Health Systems

Health Affairs on Community Development

Constitutional Mortality: Precedential Effects of Striking the Individual Mandate

Still Alive and Well

A Constitutional Right Not to be Bankrupted by Health Care Costs

Does the Fee Imposed by Section 9010 of the Affordable Care Act Apply to Stop-Loss Coverage?

The Global Burden of Stillbirth

Are Fat Taxes All the New Rage?

Places Cited

Posts from Health Reform Watch have been cited by media sources throughout the country, including The New York Times, Washington Post, L.A. Times, Kaiser Health News, The Health Care Blog, NPR's Planet Money Blog, Duke Univ. Med. Center News, American Health Line Alerts, BusinessWeek.com, Concurring Opinions, Balkinization, The New England Journal of Medicine, Harvard's Nieman Foundation for Journalism, Las Vegas Sun, Maggie Mahar, Ezra Klein, Tom Geoghegan, and the official homepage of the Office of the Democratic Majority Leader of the House of Representatives, Steny Hoyer.
Recent Comments
Audio Presentations

Click on the blue links to play, click again to pause:
Hatch-Waxman "Pay for Delay Audio: Panelists included Michael Kades, Attorney Advisor, Federal Trade Commission; Charles A. Gallia, Counsel, Gibbons P.C.; Anastasia Winslow, Assistant General Counsel, Bristol-Myers Squibb; and David Opderbeck, Associate Professor of Law and Director, Gibbons Institute of Law, Science & Technology.
Hunt Lecture: From the original post: During his week-long visit to Seton Hall Law School, Paul Hunt, Professor of Law, University of Essex School of Law, provided several lectures to students and faculty ...Read More
Maizel Lecture: From the original post: A noted expert in the restructuring of health care business debts, both in and out of court, Sam Maizel treated Seton Hall to a one hour crash course on the fiscal crisis ...Read More
PPACA Discussion: From the original post: On Friday, April 9th, Seton Hall was treated to an expert round table discussion on the new health reform measures. Visiting professor Tim Greaney ...Read More
Kaiser
The Commonwealth Fund
- Achieving Equity in the Health System: The Commonwealth Fund's Vulnerable Populations Program
  Vulnerable populations have more difficulty obtaining health care, receive worse care, and experience poorer health outcomes than other groups. This blog post looks at the new Vulnerable Populations program, which aims to help achieve equity in the U.S. health system.
- Incorporating INTERACT II Clinical Decision Support Tools into Nursing Home Health Information Technology
  This Commonwealth Fund–supported study examined some of the steps necessary to incorporate the the INTERACT clinical transition tools into nursing homes' health information technology systems.
- Wellness Incentives, Equity, and the Five Groups Problem
  This Commonwealth Fund–supported study explores the equity concerns associated with wellness incentives, an increasingly popular way for employers to encourage participation in prevention programs, which can both improve workers' overall health and reduce costs.
- Paying for "End-of-Life" Drugs in Australia, Germany, and the United Kingdom: Balancing Policy, Pragmatism, and Societal Values
  This brief analyzes British, Australian,and German policies on coverage of "end-of-life" drugs.
- Bending the Health Care Cost Curve: New Era in American Health Care?
  Health care spending in 2009 and 2010 grew at the slowest rates in 50 years. This startling news was largely attributed to the shrinking economy. In a new blog post, Commonwealth Fund president Karen Davis suggests that lower longer-term projections point to a shift in the health system.
RWJF Health Reform News
- Digital Doctoring
  Among the most common reasons why people come to an emergency room are bouts of heart failure or pneumonia. Note: Viewing this article may require a subscription.
- Study: Hospitals Overpay for Devices
  Some hospitals pay thousands of dollars more than others for big-ticket medical devices such as defibrillators and hip replacements, and a portion of the higher costs could be passed on to the federal Medicare program, a new government report says. Note: Viewing this article may require a subscription.
- Health Care Payers Push Back Against Costs
  In a paper, “Divide et Impera: Protecting the Growth of Health Care Incomes (Costs),” published this month in the British journal Health Economics, I summarize themes touched on here and there in several earlier posts on this blog.
- Taking Another Shot At The Flu Vaccine
  Despite nearly 20 years of recommendations that health workers get flu shots, the most recent data from the Centers for Disease Control and Prevention show that less than 64 percent of them do. Consumer and business groups met in Washington Thursday to show their support for a recommendation from the National Business Group on Health (NBGH) that hospitals re […]
- Cervical Cancer: There's An App for That
  When Mary Jo Payne hears about efforts to educate the public about cervical cancer, she thinks back to her own encounter with the disease at age 38.
ACA Litigation Blog
NY Times Health Policy
- Komen Reverses Stance on Planned Parenthood Grants
  The Susan G. Komen for the Cure foundation apologized for its decision to cut grants to Planned Parenthood for cancer screening and said it would restore the funding.
- The Texas Tribune: Texans Lead Battle for Women’s Health
  In the skirmish between Susan G. Komen for the Cure and Planned Parenthood that intensified over the past week, all roads led to Texas.
- National Briefing | Health: Officials Recommend the HPV Vaccine for All Boys
  Federal health officials recommended on Thursday that all boys be routinely vaccinated against infection with human papillomavirus, or HPV.
- F.D.A. Approves Cystic Fibrosis Drug
  The Food and Drug Administration called Kalydeco a “breakthrough therapy” because it treats the underlying cause of the genetic disease, rather than just the symptoms.
- Non-Specialists Expand Into Lucrative Cosmetic Surgery Procedures
  With declining insurance reimbursements, more doctors are expanding their practices to include things like breast augmentation and liposuction paid for out-of-pocket by patients.
WaPo Health
- Redskin London Fletcher’s fitness regimen
  Let’s say your job is to take off at a sprint, get moving about 20 mph and slam yourself full speed into a brick wall — 60 times in a single afternoon. We’d give you a helmet and lots of padding to protect yourself. Because of the toll this would take on your body, we’d make you do it only once a week. And we’d reward you handsomely. Read full art […]
- Keep your New Year’s fitness resolution without hitting the gym
  This is it. This is the year you finally get in shape, shed those pounds or meet that fitness pledge you made at 11:59 p.m. on Dec. 31. But do you have to build the new you in a hot, stuffy gym, cheek by jiggly jowl with a dozen other sweaty resolutionaries awaiting their turn on the elliptical machine? Read full article >>
- My workplace fitness resolution
  I’m not saying my co-workers are fat. In fact, a fair number of them are toothpick skinny — including, unfairly, the guy who brings in his latest cupcake creation every other day. Many of them are also super-active, always running, biking and yoga-ing in their free time. Read full article >>
- Guys: Stretch now or pay later
  Listen up, ladies, because it’s confession time, and as you may know, this is not my gender’s forte. So let’s get this over with: Although we are bigger, stronger and faster than you are, we must acknowledge that when it comes to flexibility, most of us are pretty much outclassed. We aren’t built like you, and we don’ t bend like you do. Read full […]
- Ways to get kids to eat quinoa
  When people ask me to list my favorite healthy foods, quinoa always tops the list. And not just because the National Restaurant Association named it the hottest trend in side dishes in 2010. My boys think I like quinoa because when it was first discovered it was named “the mother grain.” Yes, I am proud to be a mother myself, but check out all the real […]
Fierce Healthcare
- FDA commish counters industry critics on expert conflict rules
  There's been an ongoing debate in biopharma circles over the impact a shortage of drug experts is having on the FDA's panel review process. But anyone looking for the�agency to welcome changes in the rules governing conflicts of interest--which have been keeping some of the experts at bay--can rule out any support from FDA Commissioner Margaret Ham […]
- Scoring winners and losers in Japan pharma M&A bout
  Japan's biggest pharma players have been roaming the world in recent years in a restless search for new acquisitions. They've been looking for deals to put an extra oomph into their earnings. Now The Wall Street Journal is reviewing the biggest buyers and seeing�who scored the juiciest gains, and�who harvested bitter losses. Astellas�Pharma, which […]
- Idenix gets good news on hep C trial, but can't compete with Gilead
  Idenix put out the news this morning that the FDA had lifted a partial hold on its hepatitis C drug IDX184--and then watched its share price slide. In a sign of just how volatile the whole hepatitis C arena has become after back-to-back blockbuster buyouts, the key focus today is on Gilead's ($GILD) surprise acknowledgement that its new hep C favorite s […]
- AstraZeneca's R&D chief in China lays out $100M strategy
  One of the hottest trends in the global R&D business in recent years has been Big Pharma's huge investment in China. Among all the emerging countries, China's massive, fast-growing economy has been a magnet for drug developers determined to tap a whole new market. Steve Yang, AstraZeneca's vice president and head of R&D for Asia and […]
- Gilead shares surge as hep C drug scores a cure for big patient population
  Gilead Sciences ($GILD) received its first bonus from the monster $10.8 billion deal to acquire Pharmasset ($VRUS) after CSO Norbert Bischofberger told analysts yesterday evening that PSI-7977 combined with ribavirin cured a group of genotype 1 hepatitis C patients after four weeks of therapy. The analysts already knew that the same treatment had performed w […]
- Threshold, Merck KGaA strike $525M licensing deal for promising cancer drug
  The dealmakers at South San Francisco-based Threshold Pharmaceuticals ($THLD) have crafted a $525 million licensing pact with Merck KGaA covering its late-stage cancer drug TH-302. Threshold snagged a $25 million upfront, a promise of $35 million in near-term paydays and a $20 million reward if upcoming pancreatic cancer data come in positive. And the biotec […]
- U.S. funding drop threatens San Diego life sciences industry
  The life sciences job juggernaut in metro San Diego expanded through the ongoing economic downturn and will produce another 6,000 jobs through 2014, according to a new report. But a big drop in government science funding and a continued decline in venture funding could threaten future growth. Ominously, grants from the National Institutes of Health to greate […]
- Is Lilly betting the farm on its high-stakes Alzheimer's gamble?
  Now that the patent cliff has arrived right on time for Eli Lilly ($LLY), the big question this year is whether or not its massive gamble on the Alzheimer's drug solanezumab will pay off. That's Reuters' theme as it delves into the murky science involved in trying to treat the memory-wasting ailment. And even the most optimistic projections ca […]
- AB soars on promising survival data from Phase II tumor study
  Shares of Paris-based AB Science shot up yesterday after the drug developer reported strong efficacy results from a midstage study of its experimental drug for gastrointestinal tumors. The treatment, masitinib, not only outperformed Sutent, it also appeared to be better tolerated. Investigators in the trial divvied up 44 Gleevec-resistant, advanced-stage pat […]
- Czechs beef up investment in biotech research
  The Czech Republic is substantially boosting its investment in biotechnology research, with plans to build a massive research center near Prague set to employ 600 people, the Prague Daily Monitor is reporting. Plans call for spending 2.4 billion crowns (more than $120 million U.S.) on the project, with the investment drawn from EU funds. It will take two yea […]
Boston Globe Health Blog
- MIT professor wins prestigious chemistry prize
  By Carolyn Y. Johnson, Globe Staff Robert Langer, a biomedical engineer at MIT best known for his contributions in the fields of tissue engineering and drug delivery, has been named the winner of the 2012 Priestley Medal, a prestigious prize...
- Daily check up: New York Times points to Mass. public opinion on health care mandate as a model
  In an editorial today, the Times says support for the national mandate could follow the recent trend in Mass. and grow
- Brigham and Women's performs face transplant on woman mauled by chimp
  Jonathan Wiggs / Globe Staff Photo Steve Nash, brother of Charla Nash, who received a full face transplant at Brigham and Women's Hospital late last month, appeared at a press conference today with his wife, Kate. Charla Nash did not...
- Poll: Public supports mandatory physical education
  In a survey of 501 Mass. residents, 87 percent said the state should require 30 min. of physical activity each school day
- Immigrant health care back in court
  Immigrant advocates had hoped for a quick decision, but the state plans to file a motion that would delay the process
LA Times Health Blog
Health Affairs Blog
- What Is “Sustainable” Health Spending?
  As we embark upon a presidential campaign season, we can anticipate many lively debates on the topics of taxation and spending in this nation. As health spending in the Unites States accounts for 18 percent of our gross domestic product – a rate often called unsustainable – it is critical that we be clear-eyed in [...]
- Latest Wonk Review Highlights HA Blog Post On Bay State Reform
  At the Colorado Health Care Insider, Louise Norris hosts the latest edition of the Health Wonk Review. Louise includes Sharon Long’s Health Affairs Blog post clarifying the facts about health reform in Massachusetts. Check out Sharon’s post and all the great posts in Louise’s Wonk Review.
- Trusting Government: A Tale Of Two Federal Advisory Groups
  Americans increasingly distrust what they perceive as poorly run and conflicted government. Yet rarely can we see far enough inside the federal apparatus to examine what works and what doesn’t, or to inspect how good and bad decisions come to pass. Comparing the behaviors of two influential federal advisory bodies provides valuable lessons about how [...]
- Passing The Torch: A Day In The Life Of An Attending Physician
  November 9, 2011. Time fell back three days ago, leaving me one less hour of daylight to enjoy on a gorgeous Indian summer Wednesday. I’m the attending physician on a busy family medicine inpatient service, and it’s been a long week of patient care and meetings. I rush out of the hospital somewhere near 5 pm, [...]
- Health Policy Briefs: Accountable Care Organizations
  In April 2012 a number of accountable care organizations (ACOs) will begin their contracts with the Centers for Medicare and Medicaid Services (CMS) under Medicare’s Shared Savings and Pioneer ACO programs. The latest health policy brief from Health Affairs and the Robert Wood Johnson Foundation provides an overview of ACOs, their origins, and the current […]

Center News, Programs & Papers

Livestream Podcast, Seton Hall Law Review ACO Symposium

Symposium: Implementing the Affordable Care Act: What Role for Accountable Care Organizations?

Distinguished Guest Practitioner Mark Swearingen Lectures on Trends in Healthcare Law Enforcement

Online Graduate Certificate Program in Pharmaceutical & Medical Device Law to Begin in May 2011

New Jersey’s Commissioner of Health and Senior Services Discusses Medical Marijuana and Two Other Regulatory “Case Studies” at Seton Hall Law

The Limits of Disclosure as a Response to Finanacial Conflicts of Interest in Clinical Research

Fourth Annual Student Health Law Conference To Be Held at Seton Hall Law on October 22nd

Seton Hall University School of Law Launches European Healthcare Compliance Certification Programme in Paris

Seton Hall Law Announces Frank Pasquale as the Schering-Plough Professor in Health Care Regulation and Enforcement

Former UN Special Rapporteur Paul Hunt on International Law & Health as a Human Right & the Human Rights Responsibilities of Pharmaceutical Companies

Recording of Sam Maizel’s Discussion of Distressed Hospitals

Recording of Professors Tim Greaney, John Jacobi, Frank Pasquale, and Sidney Watson Discussing Health Reform

Seton Hall Announces Summer Study Abroad International Health Law Program

Online Graduate Certificate Program in Health & Hospital Law to Launch in April 2010

Seton Hall Law School’s Center for Health & Pharmaceutical Law & Policy Issues White Paper Calling for Major Reforms in the Financing and Oversight of Clinical Research

Risks to Directors and Trustees of Health Care & Life Sciences Companies: Corporate Compliance in a Distressed Economy

Third Annual Student Health Law Conference, Friday, October 16th at Seton Hall Law

Position Paper In Support of the “New Jersey Compassionate Use Medical Marijuana Act”

Seton Hall Law School’s Center for Health & Pharmaceutical Law & Policy Releases White Paper Recommending Reform of Drug and Device Promotion

Tags
Accountable Care Organizations ACO Center for Health and Pharmaceutical Law & Policy Chronic Conditions CMS Conflicts of Interest Constitutional Cost Control Drug & Device Drug and Device Electronic Medical Records EMR FDA Health Care Health Care Reform Health Economics Health Law Health Policy Community Health Reform HHS HIT Hospital Finances Individual Mandate Medicaid Medical Malpractice Medicare National Newspapers & Media Obama Administration Pharma pharmaceutical industry Physician Compensation PPACA Prescription Drugs Private Insurance Proposed Legislation Public Health Public Option Public Plan Quality Improvement Reform Rodeo Seton Hall Law State Initiatives Think Tanks Unconstitutional Uninsured
Meta

Acronym

Phrase

General Definition (see 160.103 for regulatory language)

PHI

Protected Health Information

Any oral or recorded information relating to any past, present, or future physical or mental health of an individual, provision of healthcare to the individual, or the payment for the healthcare of that individual.

CE

Covered Entity

BA

Business Associate

Individuals or organizations performing an activity involving the use or disclosure of PHI on behalf of the CE. BAs can include attorneys, accountants, shredding companies, billing companies, or any other person or organization that is not a CE but which is accessing a CE’s PHI.

EHR

Electronic Health Record

An electronic record of patient care comprised of information about the delivery of care, including demographic information, medications, diagnoses, etc.

PHR

Personal Health Record

An electronic record of patient care comprised of much of the same information that an EHR is comprised of, but which is created and maintained by the individual (usually a patient) as opposed to a provider. Prominent examples are Google Health and Microsoft HealthVault

d

Recent Posts

Categories

Health Reform Law (PPACA) Complete Text

News Sources

Noteworthy Blogs

Of Interest

Resources

Wordpress

Places Cited

Recent Comments

Audio Presentations

Center News, Programs & Papers

Tags

Meta

General Definition
(see 160.103 for regulatory language)