The Federal Trade Commission resolves its patient privacy complaint against free EHR vendor Practice Fusion, which encouraged patients to fill out satisfaction surveys about doctors using its EHR and then posted those reviews on its Patient Fusion website, sometimes exposing confidential information without the reviewer’s knowledge.
The order requires Practice Fusion to make its privacy and security policies clear to consumers and to stop posting patient reviews on the Internet. The company will also face ongoing monitoring with penalties for future violations.
Practice Fusion sent “How was your visit?” emails to patients under their doctor’s name, pre-checking the “keep this review anonymous” box (which still placed the review on Practice Fusion’s site, but with “anonymous” instead of their first name) and with a warning not to include personal information. Despite those notices, patients entered detailed information and questions about their medications and treatments in the free text review box, sometimes including their names and phone numbers, having somehow become confused into thinking that they were communicating privately with the practice.
Practice Fusion now appears to not display comments at all on its Patient Fusion site, probably figuring it was too much work trying to sort through all the junk patients were entering. The company was also getting a lot of criticism from its doctor users, who were upset that Practice Fusion was contacting their patients en masse using the practice’s name.
From Balance Bill: “Re: balance billing judgment. Virtually all hospitals and medical practices have a confidential charge master. They also make patients sign an agreement saying they are responsible for charges, without being able to say what the charges will be and without being able to show the amounts of any potential charges. This Virginia judge just ruled that it’s not a valid contract when one party refuses to share critical information (such as the charge master). I’m not a lawyer, but I think that one of the foundations of American healthcare billing is beginning to crumble. I am hoping so.” Providers should be required to offer cash-paying patients the lowest price they accept from anyone. They should also tell patients (both insured and not insured) what those prices are so they can make responsible decisions at the point of care. It is absurd that people can be forced into bankruptcy because of a hospital’s bill at full charge master price that nobody actually pays except those with cash and no insurance. Every other industry offers cash discounts, not cash penalties. This kind of pushback might change the dynamic of insurance companies that are forced to negotiate individually with health systems as they haggle over price and volume instead of just deciding whether they are willing to pay a given hospital’s published charges.
From Maria M: “Re: balance billing judgment. I worked for a medical center where a couple of cardiologists canceled all their insurance contracts and referred their Medicare patients to other doctors. The amounts they were charging for cath procedures, stents, and angiograms were staggering. They didn’t balance bill the patients, but instead went after the insurance companies, sometimes in court. The amounts these insurances were paying were unbelievable. They went so far as to hire a hospitalist so when cardiac patients came into the ER they were the first ones notified. This practice still continues today.” I’ve likewise heard of for-profit hospitals that intentionally took their entire ED out of network so they could stick the insurance companies of patients traveling outside their local areas with higher bills. I struggle with the fact that no matter how egregiously health systems and practices behave, they are operating legally within this mess of a non-system that we’ve created. It’s like tax loopholes – legal even if shameful.
From The PACS Designer: “Re: wireless heart pump. Swiss scientists develop a wireless heart pump that does not make any contact with the blood that it’s augmenting. The next phase will be capturing the wireless information from the pump so it can be viewed along with other information sources to improve treatment options.” The pump is wireless but still invasive – it controls a set of rings placed around the aorta that contract sequentially to help move blood through. The advantage is portability, lack of triggered coagulation response, and a reduced risk of infection where the wires would otherwise penetrate the skin. It seems like this could work for swallowing disorders – if you’ve ever seen a dysphagia patient whose nervous system can’t coordinate swallowing contractions, it’s pretty horrible.
From Holding On: “Re: McKesson. Did you lose them as a sponsor of HIStalk?” Yes. I had to cancel RelayHealth, McKesson, and McKesson’s Paragon business as sponsors because their ever-churning marketing departments left us without a valid contact or anyone there who even knows what HIStalk is. Of those thankfully few sponsors who don’t continue, probably 30 percent are for this reason (nobody at the company has a clue or is empowered to make a decision following turnover), 40 percent are due to acquisition by a company that already sponsors, 20 percent are because the company doesn’t have the money, and 10 percent are because they don’t see the value, usually stated by a junior marketeer who adores social media while not paying attention to what real executives read for business (i.e., not Twitter, Facebook, or Instagram).
From Gidget: “Re: DataBreaches.net. You mention them specifically in your security updates. Do you have a business arrangement with them?” No. I simply think they are doing fantastic work and it’s only fair to credit them as my source, even if they refer to a source of their own. I’m just about the only publication to give them credit, I’ve noticed. That’s pretty sleazy and self-serving for alleged journalists who are paranoid that their audience might realize how little actual reporting they do and therefore try to hide that fact by passing off someone else’s legwork as something they sleuthed out themselves. It bugs me that plenty of sites get their story ideas from HIStalk without giving credit, so I won’t do it to someone else. I use only original sources (never other health IT sites since all they do is summarize press releases and journal articles while adding no value) and I always provide a link.
From Marquis Stanley: “Re: KLAS. How they are allowed to continue on without any kind of question or reproach is remarkable. They’re as direct a beneficiary of the billions of federally infused HITECH dollars as any vendor, with no scrutiny or oversight. To Mr. H’s point, the overall lack of transparency related to survey and analysis processes and vendor relationships is curious at best – especially with KLAS being linked to the VA and DoD procurements.” There’s no second-guessing their success as long as the market for their services continues to exist.
From PM_From_Haities: “Re: KLAS. It’s better than the alternatives. Empirical evidence of good evaluations of good products aside, vendors that are not deemed Best of KLAS are of course going to grumble. I’ve never heard anyone raving about help they received by Black Book or any of the other ratings. Some of the small samples are the best you can do as some HIT software is only installed in select locations. KLAS is one data point in a good vendor evaluation. The move to MU should add commodity features that people will come to appreciate as certified vendors will have to meet some minimum bar.” I’ll be interested to see what Vince and Elise say in future installments of their “Rating the Ratings” series, which draws from responses to my own recent survey.
HIStalk Announcements and Requests
This week on HIStalk Practice: Aledade opens a new ACO in Arkansas. Modernizing Medicine announces California expansion plans. VITL partners with OhMD to offer Vermont MDs secure texting. Medicaid hassles prompt some independent practices to throw in the towel. Hello Health’s Krista Sultan offers advice on making CCM work for your practice. GE Healthcare reports on EHR use in Rio. Medina Innovation Holdings rebrands, creates new telemed subsidiary. YMCA’s Matt Longjohn, MD outlines the ways in which healthcare technology is enabling the Y’s Diabetes Prevention Program. Signature Medical Group and Heritage Medical Systems form new population health management venture.
Listening: new from long-time Nick Cave collaborator Mick Harvey, who released the third album in which he translates the work of long-dead French musician Serge Gainsbourg. You would expect something that weird from one of the always-intense Bad Seeds, which to me were like a resurrection of the dark but strangely alluring poetry of The Doors. One might logically jump from there to the little-known, baritone-led Tindersticks.
August 24 (Wednesday) 1:00 ET. “Surviving the OCR Cybersecurity & Privacy Pre-Audit: Are You Truly Prepared?” Sponsored by HIStalk. Presenter: John Gomez, CEO, Sensato. Many healthcare organizations are not prepared for an OCR pre-audit of their privacy and security policies. This webinar will provide a roadmap, tools, and tactics that will help balance policies and budgets in adopting an OCR-friendly strategy that will allow passing with flying colors.
Acquisitions, Funding, Business, and Stock
Data breach and identity fraud protection firm ID Experts recapitalizes itself by bringing in two private equity firms for $27.5 million in funding and cashing out unnamed current owners. The deal values the 88-employee Tigard, OR company at $50 million.
Pregnancy wearable and tracking app vendor Bloomlife raises $4 million in a seed funding round with investors that include Salesforce founder Marc Benioff. The company’s Belli app monitors contractions during the third trimester at a price of $29 per week.
Denver-based patient engagement app vendor NextHealth Technologies closes $8.5 million in Series A funding, increasing its total to $9.5 million. CEO Eric Grossman came from TriZetto.
Nuance acquires radiology data mining analytics provider Montage Healthcare Solutions, a former Nuance partner. William Boonn, MD and Woojin Kim, MD of Montage have updated their LinkedIn profiles with titles of CMIO at Nuance.
The state of Kansas awards a $215 million Medicaid claims system contract to HP Enterprise, which will bring in Cerner’s HealtheEDW data warehouse and population health management tool to allow care managers to optimize the treatment of Medicaid patients in near real time.
University Hospital (OH) names Joy Grosser (UnityPoint Health) as CIO, replacing interim CIO Sue Schade.
Announcements and Implementations
A new Peer60 report covers HCAHPS data collection and analysis vendors, finding that the just-acquired Press Ganey dominates, while PRC and JL Morgan also score well in satisfaction.
Extension Healthcare announces Extension Mobile 5.0 as an enhancement to Extension Engage, which is in production at Parkland Memorial Hospital (TX).
Salesforce announces a two-way video chat telehealth solution for Salesforce Health Cloud that also automatically displays the patient’s medical profile to providers.
Sunquest announces GA of Vue 1.0, a diagnostic workstation that integrates clinical and anatomic pathology information for pathologists.
The HIMSS-SIIM Enterprise Imaging Workgroup releases another white paper, this one titled “Workflow Challenges of Enterprise Imaging.”
Government and Politics
Kaiser Permanente, unlike most of the for-profit insurers bailing out on the ACA exchange business, says it won’t do the same and is actually making a small profit on that business. CEO Bernard Tyson says, “The idea that I would turn my back on a segment of the American population who really needs the coverage and the care—I’m in for the long haul.” The discussion is interesting, as big insurers claim they’re getting hit hard financially by sicker-than-expected customers who unfairly use special enrollment periods to sign up for insurance only when they’re getting sicker, while others say ACA markets are doing exactly what they should in weeding out higher-priced insurers who lose business to more aggressive competitors (the national insurers who are dropping out were nearly always getting beaten on price). ACA business could be shored up quite a bit by stiffening the penalties for people who fail to buy insurance (just like for car insurance), clamping down on people who buy or change insurance mid-year for questionably documented reasons, and extending insurer and consumer commitments beyond today’s one-year period to settle the market down. Perhaps the biggest unexpected event that hurt the exchange insurance business is that companies didn’t stop offering health insurance to their employees as experts predicted, making the ACA marketplace smaller and riskier.
New, expensive cholesterol-lowering drugs will add up to $120 billion per year to US healthcare costs, an economic analysis finds, as the healthcare economics debate will be fueled by insurers who refuse to pay for widespread use of drugs they say are unproven. One of the drugs, Praluent, costs $15,000 per year and must be taken for life by the millions of Americans who could be clinically eligible to receive it. Cost-effective drugs are defined as costing no more than $100,000 per year of life saved, which is how Praluent is priced in Europe (a fraction of the US price) since the governments there are allowed to negotiate drug prices. That brings up an unstated philosophical argument – if a patient could live 20 more years if they take Drug A, should the rest of us happily pay $2 million to fuel the profits of drug companies whose price will always be the maximum the market supports?
Privacy and Security
Security firm FireEye notes a rapid uptick in email campaigns attempting to spread Locky ransomware, with US healthcare systems leading the number of affected sites. The latest variant uses Microsoft Word .DOCM attachments (often labeled as invoices or images) that launch macros when opened. Locky can also encrypt Microsoft OneDrive files and unmapped network shares.
- A recent district court opinion in a healthcare breach case serves as a reminder that while big breaches spawn a lot of class action lawsuits from those whose information was exposed, courts are not usually sympathetic unless those filing the suit can prove that their data was used in a way that harmed them.
- The Center for Neurosurgical and Spinal Disorders (LA) notifies several hundred patients that it found a hacker-installed keylogger program on its office manager’s PC that was capturing keystrokes and taking scheduled screen shots. The practice quickly and commendably responded: it notified the FBI, sent notification letters, hired a forensics firm to analyze the hard drive, notified consumer credit reporting companies, and offered free identity theft and restoration services to those affected. It also announced plans to report the breach to OCR. Congratulations to the unnamed in-house IT person who figured out what was happening and addressed it.
- A California dentist notifies patients that unencrypted hard drives containing backups from his practice’s system were stolen from his car. The dentist downplayed the exposure in his notification letter, telling affected patients that the information was unlikely to be usable. However, a security expert says the system he appears to use employs the MySQL database, which can be easily accessed given a physical copy. The dentist responded that he’s not worried after talking to the software vendor because their product is “HIPPA compliant.” There’s usually a lesson to be learned from a breach and here’s this one – if you run MySQL databases (which many or most websites and web apps do), get an expert to check their security settings.
A Wall Street Journal article notes that patients are receiving false-positive warnings from genetic testing because older studies that found genetic correlation with disease states had non-diverse participants, making those correlations inconsistent to the population as a whole.
The former CFO of Sonoma West Medical Center (CA) joins the hospital’s former CNO in suing the hospital for wrongful termination, both claiming they were fired for complaining about the hospital’s EHR. The hospital uses EHR software developed and marketed by one of its physician executives in partnership with the hospital’s board chair. The hospital, whose average inpatient census is 13, is the only US user of the software, which has no paying customers among six non-US sites that are piloting it. Both executives say the software mixed up patient records, miscalculated medication schedules, failed to update quickly, and delayed billing.
In Denmark, the doctor’s union says rollout of a new EHR in Copenhagen’s busiest hospital should be delayed until problems with its communication with the Danish health card are fixed. Previous go-lives at other hospitals in Denmark in May and June caused medication errors and treatment delays, according to doctors there.
A JAMA editorial by three Stanford doctors says EHRs haven’t kept up with the technologies used by other industries. The authors say that billing-focused EHRs distract doctors, adding that “de-implementing the EHR could actively enhance care in many clinical scenarios” (although the authors fail to note how many of those enhanced practices would shut their doors within a year in the absence of EHR-powered billing). EHR shortcomings include:
- They haven’t integrated predictive algorithms into offering treatment suggestions based on patient parameters.
- They don’t use insurer-developed algorithms that identify high-risk patients to support the delivery of preventive care.
- They can’t identify patients similar to the one being treated to suggest treatments based on past experience.
- They don’t triage alerts well to prevent fatigue and workflow interruptions.
- They don’t take advantage of graphical data display that could help doctors make faster decisions and communicate to families better.
- They don’t capture social and behavioral factors from patients themselves, i.e. the “patient story,” in limiting themselves to medical data.
Weird News Andy says he likes this “alot.” A grammar-persnickety blogger who reminds WNA of me soothes her frustration with the grammar mistakes of others by picturing a mythical creature called an “alot” when someone writes things like, “I watch alot of TV.”
- Intelligent Medical Objects will exhibit at HIMSS Asia-Pac August 23-26 in Bangkok.
- Meditech will exhibit at the Mid-South Critical Access Hospital Conference August 19-21 in Nashville.
- The local business paper profiles Netsmart’s general manager of Netsmart Homecare, Dawn Iddings.
- Obix Perinatal Data System will exhibit at AWHONN August 21-23 in Jekyll Island, GA.
- Experian Health will exhibit at HFMA Region 8-MASI August 24-26 in Minneapolis.
- PMD makes the 2016 Inc. 5000 list of fastest-growing private companies in America for the fifth year in a row.
- The SSI Group will exhibit at CAHAM 2016 August 28-29 in La Jolla, CA.
- SyTrue will present “A Data Refinement Framework for Fueling Health Innovation” at South Georgia Radiology Associates August 27.
- The Chartis Group creates the Chartis Physician Leadership Institute.
- Direct Consulting Associates is recognized as one of the best places to work in Ohio.
- Maximizing Reviews to Enhance Your Reputation Online (Influence Health)
- Organizing Clinical Optimization Teams to Support Post-Live Optimization Efforts (Impact Advisors)
- Four Ways Consumers are Demanding Changes in the Healthcare Payments Experience (InstaMed)
- What Amazing Gymnasts and Patient Payment Processes Have in Common (Navicure)
- It’s Prime Time for Neural Nets in Speech Recognition (NVoq)
- Don’t Compromise Data at the Point-of-Sale (Patientco)
- Lessons Learned from HP (PatientKeeper)
- Fast, Efficient, and Fun PMD Travel (PMD)
- Tackling the Integration Challenge: A New Breed of Analytics in Healthcare (Orion Health)