The “Cromnibus” spending bill signed by the President on December 16 rightly upset Senator Warren and not just for providing luxury cars to a feckless Congress. However, in general the bill ignored healthcare. There was no new money for those ACA “villains” CMS and IRS and only a little more for NIH (resulting in net reductions all around given inflation). Of course constituencies have to be pandered to, so there was a symbolic $10 million cut from the moribund IPAB. Meanwhile, the CDC did well, HRSA picked up a few telemedicine dollars, but ONC didn’t get everything it wanted. However, look closer and it seems that during the convoluted legislative process someone threw a meaty wrench into the gears of an already flailing meaningful use program.
As I have discussed at length here and here the meaningful use subsidy program for EHRs may have delivered hundreds of thousands of mediocre electronic health records systems into provider offices but has failed to deliver effective data sharing. ONC knows this is an issue, is aware of and discussed the JASON report, has its own “10-year vision” and emphasizes interoperability in its recently released Health IT Strategic Plan (Disclosure: I serve on the HIT Committee Consumer Workgroup, but these views are mine alone). But, some kind of showdown has been brewing for a while. Have the HITECH billions been wasted? Was the regulatory problem in meaningful use or in certification? Are the HIT developers to blame or health care providers? (Answer: Yes). And, the AMA being “appalled” aside, what happens now that the meaningful use carrots have begun morphing into sticks?
Today’s order from Chief Judge LaVerdiere is available here. It removes restrictions on Kaci Hickox’s movements and essentially orders her to comply with the latest CDC guidelines that she was already following on a voluntary basis. According to this report the state troopers that had been posted outside her house have left. Two paragraphs at the end of the order are worth quoting in full.
First, we would not be here today unless Respondent generously, kindly and with compassion lent her skills to aid, comfort, and care for individuals stricken with a terrible disease. We need to remember as we go through this matter that we owe her and all professionals who give of themselves in this way a debt of gratitude.
Having said that, Respondent should understand that the court is fully aware of the misconceptions, misinformation, bad science and bad information being spread from shore to shore in our country with respect to Ebola. The court is fully aware that people are acting out of fear and that this fear is not entirely rational. However, whether that fear is rational or not, it is present and it is real. Respondent’s actions at this point, as a healthcare professional, need to demonstrate her full understanding of human nature and the real fear that exists.…
An interview with Ms. Hickox suggested she was taking the judge’s advice, “I am sensitive… I don’t want to make anyone uncomfortable.” However, according to this recent report Governor LePage believes, “we don’t know what we don’t know about Ebola” and does not trust Ms. Hickox.
The enormity of the tragedy in West Africa remains hard to appreciate even as Ebola begins to migrate into developed countries. In the U.S. mindless panic stoked by the 24 hour news cycle and fear-mongering politicians are not the only familiar phenomena. In important ways our “Ebola crisis” is only tangentially related to a malicious virus and has much more to do with the state of our health care system. Consider the following “Ebola issues”:
Ebola has been marked by uncertainty as to federal and state responsibilities for infectious disease policy, prevention and reaction. Sadly, first impressions have been confirmed by the appointment of an Ebola “czar”, a sure sign that various branches of government have not been playing well together. Such regulatory fragmentation and lack of coordination is not new. Health care is our most regulated industry emanating from a bewildering array of legislation and regulation enforced by innumerable and frequently dysfunctional federal and state agencies.
That lack of coordination has been replicated at the local level between agencies and healthcare institutions and between multiple institutions. Regional or local planning appears to be missing or only reactive. In a post-Katrina, post-swine flu world it seems extraordinary that there were not cogent plans waiting to be executed. Of course “There are only four in the U.S. with special isolation units designed to contain biohazards like Ebola” but why weren’t there plans to utilize them? Even now how many localities have a plan to handle, say, a major outbreak by using a centralized, tertiary care facility?
Recent speculation about healthcare disruption seems to have moved away from HIT to mHealth (discussed here). Apple has fueled this trend with its launch of sensor-laden iPhones and the new Apple Watch, iOS 8’s Health app and the HealthKit API framework. The future, we are told, is in mHealth provided by our phones and wearables notwithstanding that we have yet to solve data protection and other issues associated with the new devices.
Over the last few days leaks have suggested that web behemoths Facebook and Google may have their own takes on the future of healthcare. Reuters reports that Facebook is doing, let’s face it, what you would expect—creating online “support communities” for patients with similar conditions and diseases and creating “preventative care” applications. Now, Engadget reports that Google is testing a new service that offers chats with doctors when a user searches for symptoms. The service seems related to Google Healthcare Helpouts, a video telemedicine platform that launched a year ago to some on-line speculation about healthcare disruption but which today seems limited to a small number of mostly non-physician therapists, family counsellors, coaches or other advisors.
In a post last week I compared Apple’s new mHealth App store rules with our classic regulatory models. I noted that the ‘Health’ data aggregation app and other apps using the ‘HealthKit’ API that collected, stored or processed health data would seldom be subject to the HIPAA Privacy and Security rules. There will be exceptions, for example, apps linked to EMR data held by covered entities. Equally, the FTC will patrol the space looking for violations of privacy policies and most EMR and PHR apps will be subject to federal notification of breach regulations.
Apple has now publicly released its app store review guidelines for HealthKit and they make for an interesting read. First, it is disappointing that Apple has taken its cue from our dysfunctional health privacy laws and concentrated its regulation on data use, rather than collection. A prohibition on collecting user data other than for the primary purpose of the app would have been welcome. Second, apps using the framework cannot store user data in iCloud (which does not offer a BAA), begging the question where it will be acceptable for such data to be stored. Amazon Web Services? Third, while last week’s leaks are confirmed and there is a strong prohibition on using HealthKit data for advertising or other data-mining purposes, the official text has a squirrelly coda; “other than improving health, medical, and fitness management, or for the purpose of medical research.” This needs to be clarified, as does the choice architecture.
On September 9 Apple is hosting its ‘Wish We Could Say More’ event. In the interim we will be deluged with usually uninformed speculation about the new iPhone, an iWatch wearable, and who knows what else. What we do know, because Apple announced it back in June, is that iOS 8, Apple’s mobile operating system will include an App called ‘Health’ (backed by a ‘HealthKit’ API) that will aggregate health and fitness data from the iPhone’s own internal sensors, 3rd party wearables, and EMRs.
What has been less than clear is how the privacy of this data is to be protected. There is some low hanging legal fruit. For example, when Apple partners with the Mayo Clinic or EMR manufacturers to make EMR data available from covered entities they are squarely within the HIPAA Privacy and Security Rules triggering the requirements for Business Associate Agreements, etc.
But what of the health data being collected by the Apple health data aggregator or other apps that lies outside of protected HIPAA space? Fitness and health data picked up by apps and stored on the phone or on an app developer’s analytic cloud fails the HIPAA applicability test, yet may be as sensitive as anything stored on a hospital server (as I have argued elsewhere). HIPAA may not apply but this is not a completely unregulated area. The FTC is more aggressively policing the health data space and is paying particular attention to deviance from stated privacy policies by app developers. The FTC also enforces a narrow and oft-forgotten part of HIPAA that applies a breach notification rule to non-covered entity PHR vendors, some of whom no doubt will be selling their wares on the app store.
The stakes were high in Sutter — under the California statute medical data breach claims trigger (or should trigger!) nominal damages at $1000 per patient. Here four million records were stolen.
Plaintiffs first argued the defendant breached a section prohibiting unconsented-to disclosure. The not unreasonable response from the court was that this provision required an affirmative act of disclosure by the defendant which was not satisfied by a theft.
A second statutory provision argued by the plaintiffs looked like a winner. This section provided, “Every provider of health care … who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall do so in a manner that preserves the confidentiality of the information contained therein.”
Privacy is never easy to think about. This week it became harder. Two pieces framed my week. First, Eben Moglen’s essay in The Guardian (based on his Columbia talks from late last year) took my breath away; glorious writing and stunning breadth combined to deliver a desperately sad (but not entirely hopeless) message about government and corporate overreaching in data collection and processing.
A wry speech posted by software developer Maciej Ceglowski also helped frame my thoughts. He wrote, “The Internet somehow contrives to remember too much and too little at the same time, and it maps poorly on our concepts of how memory should work.” There’s the problem in a nut. Ceglowski alludes to the divide between how human (offline) memory operates (it’s “fuzzy” and “memories tend to fade with time, and we remember only the more salient events”) and the online default of remembering everything. Government and Google and, for that matter, Big Data Brokers tell us that online rules now apply across the board and ‘that’s just peachy’ because we’ll have better national security, better searches, or more relevant advertising. But, that’s backwards.