The enormity of the tragedy in West Africa remains hard to appreciate even as Ebola begins to migrate into developed countries. In the U.S. mindless panic stoked by the 24 hour news cycle and fear-mongering politicians are not the only familiar phenomena. In important ways our “Ebola crisis” is only tangentially related to a malicious virus and has much more to do with the state of our health care system. Consider the following “Ebola issues”
Ebola has been marked by uncertainty as to federal and state responsibilities for infectious disease policy, prevention and reaction. Sadly, first impressions have been confirmed by the appointment of an Ebola “czar”, a sure sign that various branches of government have not been playing well together. Such regulatory fragmentation and lack of coordination is not new. Health care is our most regulated industry emanating from a bewildering array of legislation and regulation enforced by innumerable and frequently dysfunctional federal and state agencies.
That lack of coordination has been replicated at the local level between agencies and healthcare institutions and between multiple institutions. Regional or local planning appears to be missing or only reactive. In a post-Katrina, post-swine flu world it seems extraordinary that there were not cogent plans waiting to be executed. Of course “There are only four in the U.S. with special isolation units designed to contain biohazards like Ebola” but why weren’t there plans to utilize them? Even now how many localities have a plan to handle, say, a major outbreak by using a centralized, tertiary care facility? Continue reading →
Recent speculation about healthcare disruption seems to have moved away from HIT to mHealth (discussed here). Apple has fueled this trend with its launch of sensor-laden iPhones and the new Apple Watch, iOS 8’s Health app and the HealthKit API framework. The future, we are told, is in mHealth provided by our phones and wearables notwithstanding that we have yet to solve data protection and other issues associated with the new devices.
Over the last few days leaks have suggested that web behemoths Facebook and Google may have their own takes on the future of healthcare. Reuters reports that Facebook is doing, lets face it, what you would expect—creating online “support communities” for patients with similar conditions and diseases.and creating “preventative care” applications. Now, Engadget reports that Google is testing a new service that offers chats with doctors when a user searches for symptoms. The service seems related to Google Healthcare Helpouts, a video telemedicine platform that launched a year ago to some on-line speculation about healthcare disruption but which today seems limited to a small number of mostly non-physician therapists, family counsellors, coaches or other advisors. Continue reading →
In a post last week I compared Apple’s new mHealth App store rules with our classic regulatory models. I noted that the ‘Health’ data aggregation app and other apps using the ‘HealthKit’ API that collected, stored or processed health data would seldom be subject to the HIPAA Privacy and Security rules. There will be exceptions, for example, apps linked to EMR data held by covered entities. Equally, the FTC will patrol the space looking for violations of privacy policies and most EMR and PHR apps will be subject to federal notification of breach regulations.
Apple has now publicly released its app store review guidelines for HealthKit and they make for an interesting read. First, it is disappointing that Apple has taken its cue from our dysfunctional health privacy laws and concentrated its regulation on data use, rather than collection. A prohibition on collecting user data other than for the primary purpose of the app would have been welcome. Second, apps using the framework cannot store user data in iCloud (which does not offer a BAA), begging the question where it will be acceptable for such data to be stored. Amazon Web Services? Third, while last week’s leaks are confirmed and there is a strong prohibition on using HealthKit data for advertising or other data-mining purposes, the official text has a squirrelly coda; “other than improving health, medical, and fitness management, or for the purpose of medical research.” This needs to be clarified, as does the choice architecture. Continue reading →
On September 9 Apple is hosting its ‘Wish We Could Say More’ event. In the interim we will be deluged with usually uninformed speculation about the new iPhone, an iWatch wearable, and who knows what else. What we do know, because Apple announced it back in June, is that iOS 8, Apple’s mobile operating system will include an App called ‘Health’ (backed by a ‘HealthKit’ API) that will aggregate health and fitness data from the iPhone’s own internal sensors, 3rd party wearables, and EMRs.
What has been less than clear is how the privacy of this data is to be protected. There is some low hanging legal fruit. For example, when Apple partners with the Mayo Clinic or EMR manufacturers to make EMR data available from covered entities they are squarely within the HIPAA Privacy and Security Rules triggering the requirements for Business Associate Agreements, etc.
But what of the health data being collected by the Apple health data aggregator or other apps that lies outside of protected HIPAA space? Fitness and health data picked up by apps and stored on the phone or on an app developer’s analytic cloud fails the HIPAA applicability test, yet may be as sensitive as anything stored on a hospital server (as I have argued elsewhere). HIPAA may not apply but this is not a completely unregulated area. The FTC is more aggressively policing the health data space and is paying particular attention to deviance from stated privacy policies by app developers. The FTC also enforces a narrow and oft-forgotten part of HIPAA that applies a breach notification rule to non-covered entity PHR vendors, some of whom no doubt will be selling their wares on the app store. Continue reading →
The stakes were high in Sutter — under the California statute medical data breach claims trigger (or should trigger!) nominal damages at $1000 per patient. Here four million records were stolen.
Plaintiffs’ first argued the defendant breached a section prohibiting unconsented-to disclosure. The not unreasonable response from the court was that this provision required an affirmative act of disclosure by the defendant which was not satisfied by a theft.
A second statutory provision argued by the plaintiffs looked like a winner. This section provided, “Every provider of health care … who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall do so in a manner that preserves the confidentiality of the information contained therein.” Continue reading →
Privacy is never easy to think about. This week it became harder. Two pieces framed my week. First, Eben Moglen’s essay in The Guardian (based on his Columbia talks from late last year) took my breath away; glorious writing and stunning breadth combined to deliver a desperately sad (but not entirely hopeless) message about government and corporate overreaching in data collection and processing.
A wry speech posted by software developer Maciej Ceglowski also helped frame my thoughts. He wrote, “The Internet somehow contrives to remember too much and too little at the same time, and it maps poorly on our concepts of how memory should work.” There’s the problem in a nut. Ceglowski alludes to the divide between how human (offline) memory operates (it’s “fuzzy” and “memories tend to fade with time, and we remember only the more salient events”) and the online default of remembering everything. Government and Google and, for that matter, Big Data Brokers tell us that online rules now apply across the board and ‘that’s just peachy’ because we’ll have better national security, better searches, or more relevant advertising. But, that’s backwards. Continue reading →
A resident of Spain allegedly owed back taxes triggering attachment proceedings. The local newspaper published the details of an upcoming auction of his property in early 1998. At some point the issue was settled. However, the matter was not forgotten—the newspaper was online and a Google search of the gentleman’s name returned this history. He complained to the Spanish data protection agency (AEPD) that he had a right to have older, irrelevant information erased and that Google should remove the links. The AEPD agreed and Google sued for relief. The Spanish High Court referred the interpretation of the Data Directive (95/46) to the European Court of Justice in 2010 and in 2013 the Advocate-General issued an advisory opinion supportive of Google’s position. Somewhat surprisingly the European Court of Justice has now taken the opposite view (Case C‑131/12, Google Spain SL v. AEPD, May 13, 2014). Continue reading →