EPtalk by Dr. Jayne 7/12/18

California’s new data privacy law comes under fire from tech companies that want to modify its impact before it goes into effect in 2020. The California Consumer Privacy Act of 2018 (CCPA) is one of the most stringent data privacy laws in the US. Under the law, Californians can access and delete the data that various companies collect on them, and can opt out of the sale of their data. The law is aimed at businesses with more than $25 million in annual revenue, or that amass data on more than 50,000 persons, or that generate more than 50 percent of their revenue from selling consumers’ personal information. Although this protects small businesses, it draws in a large number of entities.

One of my favorite privacy advocates was just at a seminar covering the General Data Protection Regulation (GDPR) enacted by the EU and notes many similarities between it and the CCPA. The so-called “right to be forgotten” is similar, along with the rights of data access and portability. However, the CCPA includes a provision for explicit damages in the event of a breach. The CCPA covers “consumers” who are California residents and also addresses metadata through the use of categories of personal data, categories of data sources, and categories of third parties with whom data may be shared. The CCPA also includes more prescriptive language about explanations that cover what data will be used for and requires businesses to add an opt-out link to their web page.

The CCPA also has a provision that allows the attorney general to prosecute on behalf of a consumer, along with some language that may limit class action lawsuits. There will be a public consultation period in 2019 where modifications may be made before the law goes into effect. Given the large number of tech companies in California, there’s a lot of lobbying going on for the likes of Google, Uber, Amazon, and Facebook, that are worried that the law will impact their operations. The Internet Association trade group has indicated it will be part of negotiations over coming months. The passage of the law prior to a June 28 deadline ended a movement for a ballot action in November, so it will be interesting to see what consumer groups think of industry lobbyists and whether the law will stay in its current state as it goes into effect. Critics note the speed at which the law was passed (one week) compared to its impact.

While tech companies hope to limit its impact, the American Civil Liberties Union of Northern California feels it hasn’t done enough and that it “fails to provide the privacy protections the public has demanded and deserved,” noting that it was “hastily drafted and needs to be fixed.” California is progressive in a variety of ways, so we’ll have to get out our “fifty nifty” scorecards and see who is ready to follow suit.

It’s a sign of our times: GoFundMe’s CEO tells Minnesota Public Radio that medical bills and related expenses now account for one-third of GoFundMe campaigns. There are over 250,000 medical requests launched each year, with more than $650 million raised. The campaigns include both uninsured and underinsured individuals, and request assistance for high medical bills, travel to specialty care facilities, and procedures denied or uncovered by insurance.

JAMIA publishes a study titled “Research use of electronic health records: patients’ perspectives on contact by researchers.” The authors note that “researchers will almost certainly discover discrepancies in EHRs that call for resolution, and in some cases, raise the ethical dilemma of whether to contact patients about a potentially undiagnosed or untreated health concern” and set out to “explore patients’ attitudes and opinions about potential contact by researchers who have had access to their EHRs.” Researchers used focus groups where situations were described and discussed. Many patients did feel researchers should act if a current health issue was identified, but felt that communicating through the patient’s physician was the best way to handle notification. Rural participants had a strong preference for researchers to take action compared to urban participants. The authors conclude that study construction should allow for addressing discrepancies found in the EHR and communicating with patients. The article is worth a read to see some of the actual patient comments noted in the focus groups.

The various federal rules that have come out over the last year are so large that I never make it through any of them in their entirety. I missed the fact that CMS intends to force adoption of the NCPDP SCRIPT Standard, Version 2017071 beginning on January 1, 2020. Although some may think it’s just another item to mark off on a checkbox, it adds significant benefits for many providers. My favorite improvement closes out an “enhancement” request I made back in 2003, when I implemented Medical Manager’s OmniChart product which used ProxyMed for e-prescribing. If you’re a provider who has ever had to prescribe a complicated prednisone taper or give detailed instructions for migraine medications, you’re going to be happy. Once the transition to the new standard is complete, providers will be able to send instructions that are larger than the current 140-character limit. They’re giving us a full 1,000 characters to play with, but there will be issues during the transition if provider systems are upgraded but pharmacies are not. In those cases, if instructions of more than 1,000 characters are sent, they will be rejected on the pharmacy side.

I’m looking forward to being able to spell out my favorite treatment for severe poison ivy without resorting to error-prone abbreviations. Until then, you’ll have to take your prednisone 3 PO TID for three days, then 2 PO TID for three days, then 1 PO TID for three days. And remember to wear long sleeves and long pants and also wash with Fels-Naptha soap when you come in from the woods.

What’s your favorite custom SIG for medication instructions? Are your providers going to do a happy dance? Leave a comment or email me.

Email Dr. Jayne.