A new HHS report prepared for Congress notes the obvious fact that non-covered entities such as wearable and app vendors are not regulated by HIPAA, a situation it calls “a gap in oversight” that people (including vendors) don’t always understand. That gap can’t be addressed by HHS since it has no power to regulate anyone other than covered entities.
The report suggests that the FTC identify best practices. It notes that FTC’s authority includes protecting consumers from possible relevant unfair or deceptive company practices such as not following their own privacy policies, failing to disclose how consumer information is used, or failing to secure the consumer information they collect.
It’s surprising to me how often knowledgeable industry insiders cry “HIPAA violation” when the party involved is clearly not a covered entity, such as when ESPN ran a photo of an NFL player’s medical records. Anyone can violate your privacy, but only a covered entity or their business associate can violate HIPAA.
The report notes that people who share their information with non-covered entities aren’t clearly protected by federal law. It also references the little-known FTC Health Breach Notification Rule that requires PHR vendors that are not covered entities to report breaches of their systems.
From Lawson CIO: “Re: downtime. We experienced almost a week of downtime with our Lawson system running on Velocity Cloud starting July 1. It must have hit many hospitals. How many others experienced it?” Affected readers using Velocity Technology Solutions are welcome to report. I reached out to the company but they declined to respond, saying they are contractually prohibited from disclosing information to anyone other than customers.
From Security Officer: “Re: The Dark Overlord’s most recent hack. The hacker gained access to a specific PilotFish dataset, but not for our environment. Do you have more information?” The Dark Overlord says he “used their [PilotFish’s] code to find exploits in all their clients … I signed a backdoor to get into their clients because I had access to their certificate signing. It got pushed out in an update a few weeks ago.” He also showed samples of the client EHR records he claims to have taken. The Dark Overlord has not previously overstated his accomplishments, so while there’s no proof so far that he breached every PilotFish client and took their PHI, I would operate under the assumption that he has and take action accordingly. I would expect his next move to be approaching those individual clients to demand payment since PilotFish turned down his demands. Confounding the issue is that some of PilotFish’s clients are HIEs and thus the information he claims to have stolen may have come from many providers, although maybe it cross-references a client table that he won’t bother linking to figure out the source.
From Kyle Smith: “Re: VA hiring KLAS to advise it on commercial EHRs. It was a sole-source selection, claiming that only KLAS can do the job. I’m sure KLAS loves the kind words, but this doesn’t really sound like an accurate reflection of the work of other folks in the industry.” What we taxpayers will get for our $160K VA payment to KLAS is a six-month membership and bringing in three KLAS people for four half-day overview meetings. Apparently the VA thinks it needs KLAS to tell it to choose between Cerner and Epic. It is probably not realistic that they would just ask DoD how its Cerner implementation is going before deciding.
From Mr. Buyer Beware: “Re: Definitive Healthcare. For those using it as their hospital data source, they are doing automatic renewals, but they increase the price without notice. Thoughts, Mr. H?” I would have to see your agreement, but I would be surprised if it doesn’t include at least some provision for increases pegged to cost-of-living percentages or something like that. They can adjust the price however they want if the contract doesn’t name a fixed price for the agreement’s term, which then might be a good indication that you as a customer shouldn’t have signed it. Ditto the automatic renewal – if the contract doesn’t say it renews automatically, then you can refuse to pay assuming that you’re willing to stop using their services. Either way, it’s a nice courtesy (and good business) for a company to let customers know about the new price well in advance so they can budget for it.
From Lifeline: “Re: taking time off from work. Like Dr. Jayne said, too many people associate their job with their identity and can’t give it up.” Job titles are like clothes – we hide behind them to prevent people from seeing us as we really are. When someone asks, “What do you do?” they are really asking, “Who are you?” with the assumption that your job defines your persona, and people often answer in that same mindset (especially executives who can’t bear the thought of not decisively differentiating themselves from us less-accomplished rabble). Folks who brag on being fully engaged in their jobs while on vacation have deathbed lessons to learn: (a) your employer and co-workers care much less about you than you think; (b) you are going to be devastated when you get fired or retire and realize all of that one-sided loyalty was misplaced as your work goes on without missing a beat in your absence; and (c) for the 99 percent of people who work at a particular job only because they need the money but would really rather be doing something else, spending more time working means spending less time living. It’s sad that people allow their identity to be subsumed into that of their employers in a form of self-enslavement. Employers have learned to maximize profits by swindling employees out of what should be their free time, now demanding their nearly undivided attention via an ankle bracelet posing as a smart phone and paying what seems like OK money for a job as long as you don’t do the per-hour math. We only think we’re immortal and the people crying graveside won’t be co-workers or customers (or in my case, readers). Welcome to the grand illusion.
HIStalk Announcements and Requests
The DonorsChoose grant request of Ms. Hughes from South Carolina was simple: her fourth graders just needed dry erase boards and markers, which we provided. She reports, “The resources provide an easy way for the students to practice drawing models, pictures, and equations all of which are used to solve a variety of math problems. The students were so excited to see the new materials when they arrived. They kept going on about how nice it was of someone to give them to us!”
Acquisitions, Funding, Business, and Stock
Cerner names its $4.45 billion, 10-building Kansas City office park that’s under construction the Innovations Campus. The first of 3,000 software engineers will move in next year, although the project won’t be finished for 10 years. The 4.7 million square foot complex — Cerner’s seventh campus outside its headquarters — was designed to house 16,000 workers. The company announced several campus design features:
- A staircase whose metal perforations contain quotes from Cerner’s founders in binary code form (I assume one of them won’t be “Tick, tock.”)
- A 100-person staircase “collaboratorium.”
- A metal panel for each of the company’s 340 patents.
- A 188-foot tall outdoor statue depicting DNA.
Sweden-based exercise and diet tracker Lifesum raises $10 million.
Alan Eisman (Information Builders) joins HBI Solutions as SVP of sales and business development.
Cerner hires Jeff Hurst (Florida Hospital) as SVP of RCM and president of RevWorks.
LifeImage names Janak Joshi (Deloitte) as CTO.
Santa Rosa Holdings promotes Tom Watford to CEO. He replaces company founder Rich Helppie, who will remain board chair. The company’s businesses include Santa Rosa Consulting, Santa Rosa Staffing, InfoPartners, and Fortified Health Solutions.
Gerald Greeley (Lahey Health) joins Signature Healthcare (MA) as CIO.
Janet Guptill (Tatum) joins the Scottsdale Institute as executive director. She replaces Shelli Williamson, who will become vice chair of the board.
Announcements and Implementations
In England, Wrightington, Wigan and Leigh NHS Foundation Trust goes live on Allscripts Sunrise.
Catalyze earns HITRUST CSF certification for Amazon Web Services.
Meditech implements Access Passport for its internal electronic forms and signatures.
Government and Politics
The VA awards Leidos a prime T4NG contract in which 24 contractors are eligible to compete for $22 billion worth of IT services, network engineering, cybersecurity, and other IT work. Leidos was not included in the original list of 21 winners announced in March 2016.
An American Hospital Association survey finds that 92 percent of hospitals allow people to view their medical records online, up from 43 percent in 2013. The most widespread adoption of technology for patients is the ability for them to pay their bills online, which is offered by 74 percent of hospitals, and two-thirds of hospitals say patients can securely message providers.
A Health Affairs blog post notes that while insurers can’t be required to submit their claims to a state’s all-payer claims database, many still will do so, giving researchers a good-enough set of information. It also notes that there never was an “all” claims database since they don’t include services for which insurance wasn’t billed.
AMIA warns FDA that while most providers are using EHRs, their data is not necessarily of research quality. AMIA suggests that FDA focus its research data collection on data warehouses, whose information has been better standardized and encoded, as opposed to relying on EHR information that was intended primarily to support individual patient encounters.
ONC offers a C-CDA Scorecard that evaluates an electronically submitted C-CDA document in two ways: (a) providing a pass/fail score to indicate whether it meets 2015 Edition Health IT Certification for Transitions of Care, and (b) issuing a letter grade indicating conformance with HL7’s advanced interoperability rules, which means the system’s vendor is more likely to be able to support interoperability.
Drug maker GlaxoSmithKline launches a mobility study of 300 rheumatoid arthritis patients using Apple’s ResearchKit.
The San Francisco paper finds that UCSF Medical Center CEO Mark Laret earns an average of $556,000 each year from serving on the boards of two of the hospital’s vendors, Varian Medical Systems and Nuance Communications, who have paid him more than $5 million on top of his $1.6 million annual compensation from the hospital.
Eric Topol, MD answers tough questions about precision medicine and the $120 million in NIH grants his employer, Scripps Research Institute, has received to recruit volunteer study participants. He says about the idea of addressing patient-specific health risks instead of sequencing their genomes:
“Look, we’ve had all this risk factor and lifestyle knowledge for decades. Do we have everybody practicing a healthy lifestyle? No. I don’t want to diminish the importance of it, but a lot of people have the healthiest lifestyle in the world and they get struck by things like autoimmune diseases and Alzheimer’s. It’s not either/or, but we need to take advantage of the fact that we can know so much about any given human being — what they are at risk for, or the environmental factor that’s causing the risk.”
Kaiser Health News notes the upswing in micro-hospitals that offer EDs and primary care services but only a few inpatient beds. Sounds swell except they are usually built by big health systems trying to squeeze out competitors and bolster their bottom lines since companies that buy fancy medical equipment or build new buildings always find a way to create the demand to pay for them (not to mention the inherent inefficiency in staffing an always-open but potentially low volume building in the unfocused factory model). Walmart puts profit-boosting, scaled-down versions of their stores only where well-off people shop and hospitals are no different, so don’t expect to see mini-hospitals springing up in the downtrodden part of town. As one of my previous health system employers always said, we serve all, but market to few. As much as everyone likes to think it isn’t true, you won’t find the best hospitals and best doctors in poor or rural areas. Also true is that we’re all paying for those fancy health system buildings, the big salaries they hand out, and the enormous employee headcount that sucks up all the parking spaces for miles.
A report finds that 70 percent of physician assistants are working in specialties rather than primary care.
A drunk, off-duty NYPD officer is charged with running over four pedestrians, killing 21-year-old MIT student Drew Esquivel, who was also working on an EHR for underserved areas.
HIMSS is running a hospital CMIO’s video pitch that claims to answer the question of why being named EMRAM Stage 7 was valuable to the hospital. The answer: it let the hospital’s IT employees feel good about their accomplishments. In other words, the hospital received no value whatsoever except IT bragging rights, about which the locals who are footing the bill could not care less. Magazines and websites create a lot of vanity-driven contests and awards that providers puzzlingly don’t see as pointless.
Maine’s HHS typos the hotline number on the debit cards it gives to food stamp recipients, with the listed number actually ringing up a telephone sex line. Most surprising to me (beyond the fact that food stamps are now issued by debit card, which is a great fraud-tracking idea) is that such services still exist, although they apparently now charge directly via toll-free numbers instead of those 1-900 lines that funded a lot of late-night TV advertising in the 1990s.
- Bernoulli Enterprise is nominated for the Health 2.0 10-Year Global Retrospective Awards in the category of Tech Company.
- Besler Consulting releases a new podcast, “Skyrocketing Costs and the Emergence of Rate Setting.”
- CapsuleTech and Direct Consulting Associates will exhibit at MHealth + Telehealth World 2016 July 25-26 in Boston.
- The local business paper features CoverMyMeds in a profile on startup jobs and spending.
- Galen Healthcare Solutions publishes a new case study, “Critical Clinical Information Demystified with Database Training.”
- Healthfinch joins the Matter community of healthcare entrepreneurs.
- Meditech recaps its history in the acute care market in Canada.
- Forbes interviews Healthgrades SVP and Head of Digital Mayur Gupta.
- InstaMed publishes a new case study, “Pediatric Practice Automates 90 percent of Patient Payment Collections with InstaMed.”
- Medecision CMO Ellen Donahue-Dalton joins the Women Business Leaders of the US Health Care Industry Foundation’s advisory board.
- ITx honors Orion Health Product Strategist David Hay with the Excellence in Health Informatics award.
- Patientco funds treatment for six patients through a partnership with Watsi.
- The local business paper profiles the applicants for Cincinnati health commissioner, including Robyn Chatman of Sagacious Consultants.
- Stella Technology announces its rebranding.
- How Does the Cloud Reduce Data Loss Risk? (Catalyze)
- What Is Interoperability? (AdvancedMD)
- Wait Time Management: Why The Problem With Waiting Isn’t Waiting (Clockwise.MD)
- The Evolution of Device Management (AirWatch)
- The Final Word: Risk (Arcadia Healthcare Solutions)
- Navigating Healthcare for our Child: Things We’ve Learned (CareSync)
- A Focus on Enterprise Readiness, Not Just Getting Ready (Divurgent)
- Pediatric Post-Discharge Follow-Up: How to Get it Right (ECG Management Consultants)
- Top 3 Takeaways from #AAPL2016 (Evariant)
- Chronic Care Management: Steps in the Right Direction (CareSync)
- 7 Things to Know for Successful Provider Education (Hayes Management Consulting)
- On-Demand Access To vCISO Meets This Client’s Needs (Orchestrate Healthcare)
- Will Social Security Numbers Finally be Removed from Medicare Cards? (ID Experts)
- With Multiple EMRs, Care Management and Real Online Patient Engagement Can’t Happen (Influence Health)
- Healthcare Analytics in the Cloud: Delivering Answers “as a Service” (InterSystems)
- What does your “data-inspired future” look like? (Liaison Technologies)
- It’s Twice as Nice to be Named a 2016 Top Workplace (MedData)
- Sharing IT Insights Amid Rapid Change (Netsmart)
- A Recipe for CPOE Optimization (PatientKeeper)
- Patients Always Come First, Except When They Don’t (PMD)
- Alert: New E-Prescription Quality Guidelines (Surescripts)