Privacy and Security
By Glen F. Marshall
The primary issue with healthcare privacy and security is the lack of ongoing risk management as a routine business practice, plus the failure to share data from existing risk analysis in a form that the general public can understand. For example, while anecdotal evidence says that provider employee snooping is the largest threat to privacy, real data are harder to find.
The evidence I have of this is anecdotal. I continually get questions from HIT people about what technology to implement or whether the latest gadget is a good thing to buy. If there were a body of risk analysis information to draw upon, the selection and implementation of mitigating technologies would more often be an informed business process. So would the selection and implementation of physical and administrative controls, e.g., locks on doors, privacy training for employees, or privacy-enhancing advisories for health care consumers.
It is more convenient for the general and HIT press to focus on sound-bite instances of breaches, versus the actual threats and outcomes in comparison to other threats to privacy. It is more readable to assess blame for breaches than to identify and celebrate good privacy and security practices that provably prevent, detect, limit, and disclose breaches before damage occurs. The eagerness of the general public, provider community, and political leaders to consume this lazy news reporting amplifies the problem and crowds out the solutions.
Glen F. Marshall is the principal of Grok-A-Lot, LLC of Berwyn, PA.
Patient Privacy and Information Accessibility: A Necessary Balance
By John Tempesco
In the original HHS privacy rule, a core component of HIPAA’s purpose was the ability to protect patient privacy while at the same time allowing the sharing of personal health information to facilitate patient care. And while healthcare has finally been dragged, kicking and screaming, to a more comprehensive use of technology, a serious divide has emerged between advocates of patient privacy versus the free flow of data needed to improve patient care.
As EHRs become more widely used by physicians and health information exchanges (HIEs) become more commonplace, the debate between privacy and the sharing of information for the purpose of enhancing patient care and lowering the costs of care delivery will only intensify.
As guidelines continue to be developed, it will be important to consider the mechanisms of how patients will determine the exchange of their health information. If restrictions are too severe, the goals of ARRA and HITECH will be in jeopardy. Patients will be driven by policy to “sit on” their data, which will nullify the ability of the healthcare system to achieve its goals of improving patient care and safety and reducing costs. But if data is exchanged too readily, patient privacy will certainly be in jeopardy. This dichotomy is the essential conundrum.
Opt-Out most closely resembles the state of fair and controlled information exchange as it exists today. Opt-Out protects patient privacy and enables the sharing of health records unless the patient specifically opts out. The Opt-Out provision requires that the patient is given an adequate amount of time to make a decision about consent, including urgent need of care. It also requires a clear explanation of consent choice that must be provided by the physician or hospital as well as the consequences of opting out.
Opt-In, on the other hand, would stop the sharing of patient information unless the patient opts in to the system enabling the transmission of health data. This option not only severely restricts health information exchange, and limits the ability of health information technology to improve patient care and reduce costs, it demolishes many of the core benefits of health information technology, particularly the multi-organizational and multi-community benefits of HIEs.
The ONC is still deliberating a final ruling on information exchange. While patient privacy must be attended to, clearly the critical exchange of patient information through HIEs is a central and key component to achieving the reforms of ARRA and the HITECH Act. There are numerous studies that point to health information technology as providing the necessary tools which enable improved patient safety and the improved efficiencies desperately needed to lower healthcare costs.
Let’s not throw out the baby with the bath water. Let’s move forward with a rational, forward-thinking approach that will ultimately get us to where we want and need to be.
John Tempesco is chief marketing officer of Informatics Corporation of America of Nashville, TN.
HIStalk Written on an EMR
By Robert D. Lafsky, MD
Given the mixed feedback regarding the recent HIStalk format change, it occurs to me that all available options have not been explored. The following sample report represents a modest proposal, which if adopted would allow Mr. HIStalk to enjoy the same efficiencies utilized by most EMR users. Apologies to 1960s-era MAD magazine and the late Jonathan Swift.
“Cash flow problems”
The COMPANY is complaining of INSUFFICIENT INCOME. DATE OF ONSET: 1/15/2010. DURATION OF PROBLEM: 14 months. The problem is made worse by LOWER SALES. The problem is made better by HIGHER SALES. The problem is aggravated by EMR WORKFLOW ISSUES. The EMR WORKFLOW is felt to be SLOW. The EMR WORKFLOW is felt to be TEDIOUS. The problem is aggravated by EMR DESIGN ISSUES. The DESIGN is felt to be AWKWARD. The DESIGN is felt to be UGLY. The problem is aggravated by LEADERSHIP ISSUES. The LEADERSHIP is felt to be INCOMPETENT. The LEADERSHIP is felt to be INDIFFERENT TO USER COMPLAINTS. The LEADERSHIP is felt to be INDIFFERENT TO USER FEEDBACK.
1. Insufficient capitalization
2. Insufficient programmer staffing
3. History of SEC sanctions
1. Bank loans
2. Penny stock
3. Overdue payroll
CEO’s brother doing 3-5 in Allenwood for stock fraud
Revealing stories in HIStalk
REVIEW OF SYSTEMS
Obfuscatory logorrhea (last stockholder’s meeting)
Bilateral buttock pain (participants last board meeting)
Spastic torticollis (CFO explaining financial picture)
Chronic corporate latrocinosis
Blood pressure: 60/30
Neck: Horizontally positioned
Abdomen: Distended and firm along course of colon
Extremities: Erythematous from red ink stains
Genitalia: Numerous, especially CEO and CFO
537926 Corioliform Hydrodynamic Gravitational Descent (“Circling the Drain”)
872035 DDI: Database Design Defects, Congenital
472653 Ugly Interface Syndrome
PLAN OF TREATMENT
First class ticket purchases to BRAZIL for CEO, CFO
Cash transfers to OFFSHORE BANK ACCOUNT in CAYMAN ISLANDS
Urgent resume production by employees
Reduce thermostat settings in office during cold weather
Discontinue free coffee in break room
Robert D. Lafsky, MD is a gastroenterologist and internist in Lansdowne, VA.