Good Decisions, EMR Sales, and Patient Data Availability

This is true if the actors are well intentioned. I’ve found that most in healthcare have the right intentions. Although, many don’t have the right data that could help them make better decisions.


I’m going to have to chew on the idea of EMR sales being non-linear. An interesting observation by Chandresh. I’m excited to hear Chandresh share more of his experience with EMR sales at the Health IT Marketing and PR conference.


I’m not sure if this was the exact intent of this tweet, but it reminded me of a discussion I had with some really chronic patients. To a person (and the parents since these were kids), they couldn’t give a rip about privacy. They were more than happy to give up any and all privacy if it would help them find a cure or treatment for their child. This reminds me that context is really important when it comes to privacy.

March 9, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

IMS IPO and Health Data Privacy

The following is a guest post by Dr. Deborah Peel, Founder of Patient Privacy Rights. There is no bigger advocate of patient privacy in the world than Dr. Peel. I’ll be interested to hear people’s comments and reactions to Dr. Peel’s guest post below. I look forward to an engaging conversation on the subject.

Clearly the way to understand the massive hidden flows of health data is in SEC filings.

For years, people working in the healthcare and HIT industries and government have claimed PPR was “fear-mongering”, even while they ignored/denied the evidence I presented in hundreds of talks about dozens of companies that sell health data (see slides up on our website).

But IMS SEC filings are formal, legal documents and IMS states that it buys “proprietary data sourced from over 100,000 data suppliers covering over 780,000 data feeds globally”. It buys and aggregates sensitive “prescription” records, “electronic medical records”, “claims data”, and more to create “comprehensive”, “longitudinal” health records on “400 million” patients.

* All purchases and subsequent sales of personal health records are hidden from patients. Patients are not asked for informed consent or given meaningful notice.
* IMS Health Holdings sells health data to “5,000 clients”, including the US Government.

These statements show the GREAT need for a comprehensive health data map, and that it will include potentially a billion places that Americans’ sensitive health data flows.

In what universe is our health data “private and secure”?

January 7, 2014 I Written By

Obsolete Office Visits, Tracking Customer Behavior, and More — #HITsm Chat Highlights

John did a full writeup on these topics before the #HITsm chat. Be sure to read his thoughts on Healthcare Unbound.

Topic One: So how long will it be before office visits are no longer the norm? (via Mark Blatt, MD, CMIO Intel)

Topic Two: What technologies will lead the way?

Topic Three: How will these at-home and mobile technologies integrate with existing systems?

Topic Four: Aetna’s CarePass will track customer behavior. Will this become the norm, is it a good thing?

June 22, 2013 I Written By

Katie Clark is originally from Colorado and currently lives in Utah with her husband and son. She writes primarily for Smart Phone Health Care, but contributes to several Health Care Scene blogs, including EMR Thoughts, EMR and EHR, and EMR and HIPAA. She enjoys learning about Health IT and mHealth, and finding ways to improve her own health along the way.

Patients Want to Share Their Medical Data

During the recent Dell Healthcare Think Tank which I took part in, I had an idea that I think is incredibly powerful and not talked about nearly enough. In fact, I think it’s reasonable to say that if we want to get healthcare costs down, then we have to learn how to do this well.

The idea revolves around how we talk about privacy of health information with patients. Far too often, patients just hear news reports that talk about all of the reasons they should fear their health information getting out in the open. Instead, they almost never hear stories about how having their health information shared with the right people will actually improve their health.

The simple fact is that if you lead with all the bad things that could possibly happen with health information in the wrong hands, then of course no patient is going to want their patient information shared. However, if they know how sharing their health information with the right people will improve their care, then patients are more than willing to share away.

Basically, what I’m saying is that sharing healthcare data has been marketed wrong. The privacy advocates are well organized and have many people fearful for what will happen with their health information. I don’t have any problem with privacy advocates, because they help us to pause to take a reasonable look at the importance of privacy. However, the need for proper privacy controls doesn’t mean that we don’t share healthcare information at all.

The beauty of all of this is that the majority of people think this is how it happens in healthcare today. They don’t realize that quite often their healthcare information isn’t traveling with them to specialists and hospitals. In fact, when patients discover that it doesn’t they’re usually quite surprised and don’t understand why it doesn’t.

I hope we can work on the data sharing message. We can share your data with the people who need it so we can improve your care. If patients hear this message, healthcare data sharing will not be feared but embraced.

March 29, 2013 I Written By

HIPAA Omnibus – What Should You Know?

I had the great opportunity to sit down with HIPAA expert, Rita Bowen from HealthPort, at HIMSS 2013 and learn more about the changes that came from the recently released HIPAA Omnibus rule. The timing for this video is great, because today is the day the HIPAA Omnibus rule goes into effect. In the video embedded below, Rita talks about what you should know about the new HIPAA changes, the new business associate requirements, and restricting the flow of sequestered health information.

March 26, 2013 I Written By

EMR Vendors, Patient Privacy, and Election Day — #HITsm Chat Highlights

Topic One: When EMR vendors leave the marketplace or discontinue a product, how can usability be sustained?

Topic Two: How do we protect patient privacy with payer-based HIEs?

Topic Three: How can we draw attention to patient safety in the U.S. prison system?

Topic Four: Are we over the election and back to business as usual with healthcare?

November 17, 2012 I Written By

Patient’s Medical Record Posted to Facebook – HIPAA Violation

I’ve generally been writing more about the EMR side of EMR and HIPAA lately. For the most part, it seems readers are more interested in EMR and EHR than they are in the details of HIPAA. Although, one of my top posts ever is from back in 2006 about HIPAA Privacy Examples and HIPAA Lawsuits. It seems that people are most interested in HIPAA when it has something to do with a HIPAA violation or lawsuit.

Today’s HIPAA violation could very likely become a HIPAA lawsuit. Plus, it is a word of caution about training your staff on HIPAA requirements and also on proper use of social media in healthcare.

Anne Steciw posted about the violation on Search Health IT. Here’s an excerpt from her post:

Details of the health data breach provided by the Los Angeles Daily News indicate that the employee, who was provided by a staffing agency, shared a photo on his Facebook page of a medical record displaying a patient’s full name and date of admission. The employee appeared to be completely ignorant of HIPAA laws.

I’m sure every hospital and healthcare administrator is cringing at this. I’m sure many could share stories of HIPAA issues related to staffing agencies as well. Although, it’s really hard for me to understand how someone even from a staffing agency could be so ignorant of the HIPAA laws. I’m not overstating how ignorant this person was in this situation. The above article explains something even more outrageous and unbelievable:

Even after being told by other posters that he was violating the patient’s privacy, the employee argued: “People, it’s just Facebook…Not reality. Hello? Again…It’s just a name out of millions and millions of names. If some people can’t appreciate my humor than tough. And if you don’t like it too bad because it’s my wall and I’ll post what I want to. Cheers!”

To me this is totally mind boggling. I’m sure many will argue that this person was exhibiting many of the characteristics of the Facebook generation of users. That’s a cop out and an excuse, but does make a larger point that many of the next generation have these outlandish views of what’s theirs and what’s ok and reasonable. Sadly, far too many people think when it’s humor it’s ok to do anything. It’s not and I’m sure those dealing with HIPAA violations won’t find it a reasonable excuse either.

One thing I really hate about stories like this is that they give a bad name to use of social media in healthcare. Social media is like most things which can be used for good or bad. It’s a shame if incidents like this discourage people from accessing the benefits of social media.

This is another good example of how our biggest HIPAA privacy vulnerability is people.

January 24, 2012 I Written By

De-identified Healthcare Data – Is It Really Unidentifiable?

There’s always been some really interesting discussion about EHR vendors selling the data from their EHR software. Turns out that many EHR vendors and other healthcare entities are selling de-identified healthcare data now, but I haven’t heard much public outcry about them doing it. Is it because the public just doesn’t realize it’s happening or because the public is ok with de-identified data being sold? I’ve heard many argue that they’re happy to have their de-identified data sold if it improves public health or if it gives them a better service at a cheaper cost.

However, a study coming out of Canada has some interesting results when it comes to uniquely identifying people from de-identified data. The only data they used was date of birth, gender, and full postal code data. “When the full date of birth is used together with the full postal code, then approximately 97% of the population are unique with only one year of data.”

One thing that concerns me a little about this study is that postal code is a pretty unique identifier. Take out postal code and you’ll find much different results. Why? Because a lot of people share the same birthday and gender. However, the article does offer a reasonable suggestion based on the results of the study:

“Most people tend to think twice before reporting their year of birth [to protect their privacy] but this report forces us all to think about the combination or the totality of data we share,” said Dr. El Emam. “It calls out the urgency for more precise and quantitative approaches to measure the different ways in which individuals can be re-identified in databases – and for the general population to think about all of the pieces of personal information which in combination can erode their anonymity.”

To me, this is the key point. It’s not about creating fear and uncertainty that has no foundation, but to consider more fully the effect on patient privacy of multiple pieces of personal information in de-identified patient data.
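One way to make that measurement quantitative, as an added example that is not from the study or the original post: the sketch below groups records by the quasi-identifiers discussed above (date of birth, gender, postal code) and reports what share of people are unique or sit in groups smaller than k. The population is randomly constructed and the field names are hypothetical, so the percentages describe only this sample data, not any real population.

```python
import random
from collections import Counter
from datetime import date, timedelta

def make_population(n=20000, seed=7):
    """Constructed sample data: random birth dates, genders and Canadian-style
    postal codes (3-character area prefix + 3-character local unit)."""
    rng = random.Random(seed)
    letters = "ABCEGHJKLMNPRSTVXY"
    people = []
    for _ in range(n):
        dob = date(1940, 1, 1) + timedelta(days=rng.randrange(70 * 365))
        area = "K" + str(rng.randrange(10)) + rng.choice("ABC")
        unit = str(rng.randrange(10)) + rng.choice(letters) + str(rng.randrange(10))
        people.append({"dob": dob, "gender": rng.choice("MF"), "postal": area + unit})
    return people

# Each view maps a record to the quasi-identifier tuple a data recipient would see.
VIEWS = {
    "full DOB + gender + full postal code":
        lambda p: (p["dob"], p["gender"], p["postal"]),
    "full DOB + gender, postal code removed":
        lambda p: (p["dob"], p["gender"]),
    "birth year + gender + 3-char postal prefix":
        lambda p: (p["dob"].year, p["gender"], p["postal"][:3]),
}

def reidentification_risk(people, view, k=5):
    """Group records by quasi-identifier tuple and report how exposed they are."""
    group_sizes = Counter(view(p) for p in people)
    in_group = [group_sizes[view(p)] for p in people]  # group size seen by each person
    return {
        "unique_fraction": sum(s == 1 for s in in_group) / len(people),
        "below_k_fraction": sum(s < k for s in in_group) / len(people),
        "smallest_group": min(group_sizes.values()),
    }

if __name__ == "__main__":
    population = make_population()
    for name, view in VIEWS.items():
        r = reidentification_risk(population, view)
        print(f"{name:45s} unique={r['unique_fraction']:.1%} "
              f"in groups <5={r['below_k_fraction']:.1%} "
              f"smallest group={r['smallest_group']}")
```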

September 30, 2011 I Written By

What Will Happen to Google Health Data After 2012?

Let’s face it, I haven’t actually been nice to Google of late when it comes to healthcare (or maybe I have, just once). While I believe the criticisms are justified, I can see why some people might think I’m beating a dead horse, namely Google Health. But there are some unresolved questions in the area of privacy that Google really should answer.

Google’s ill-fated attempt at a PHR isn’t completely dead. The company won’t “retire” the online service until January, and will allow users to download their data through Jan. 1, 2013. Naturally, others have stepped up to try to fill the (tiny) void left by Google Health’s demise. To nobody’s surprise, Microsoft is helping the remarkably small number of Google Health users transition their accounts to HealthVault, Microsoft’s own overly hyped, underutilized PHR platform.

What concerns me is what will happen to data already on Google’s servers. Will records be archived? Will sensitive patient health data stay on Google’s servers in perpetuity? Nobody has said for sure.

Are records safe from Google’s data-mining juggernaut? Google has consistently said that it would not use health records for anything other than to steer traffic to its core search engine, but let’s face it, Google’s primary source of revenue is from algorithm-driven advertising.

But, you say, HIPAA protects patients from unauthorized uses of their data, right? Well, remember back to 2009, when the American Recovery and Reinvestment Act expressly made third-party data repositories, health information networks and, yes, personal health records, into HIPAA business associates, effectively holding them to the same rules as covered entities under HIPAA.

Wouldn’t you know, both Google and Microsoft came out and said they were not subject to this provision. No less an insider than former national health IT coordinator Dr. David Brailer, who was a part of the legislative negotiations, told me then that lawmakers had Google Health and HealthVault specifically in mind when they crafted the ARRA language. As far as I know, there haven’t been any reported data breaches involving either PHR platform, so there’s been no need to test whether ARRA actually does apply to them, but if I had my data on Google’s or Microsoft’s servers, I’d be concerned. I’d particularly want to know what Google plans on doing with the data it’s been holding once Google Health does shut down.

Perhaps it’s time for me to make some phone calls.

July 21, 2011 I Written By

Drug Mailings and Patient Privacy

Many of you have quickly realized that I find it a lot more interesting to write about EMR than I do about HIPAA. Seems like most people prefer to read about EMR than they do HIPAA as well (except for this popular HIPAA Lawsuits post I did eons ago). However, I’m sure that many of you will find this article I found about privacy of medical data quite interesting. Here’s a quote from the beginning of the article which prefaces the health privacy situation quite well.

A pharmaceutical company, Bristol-Myers Squibb Co., sent him an eight-page brochure pitching another medicine, Abilify, used to treat patients “when an antidepressant alone isn’t enough.”

Lexapro was plenty for Spencer, but the mailing stuck in his craw. He has followed the recent debate over the utterly porous privacy of consumer data. But he thought his medical history, at least, was guarded by the special privacy protections of HIPAA, 1996’s Health Insurance Portability and Accountability Act.

Spencer asked a simple question: How did Bristol-Myers Squibb – or the “third-party list company” that the brochure said was the source of his name – know enough to send him that mailing?

The article goes through all the places that had the information that he was on the antidepressant Lexapro: the insurance company, his doctor, the pharmacy. Each of course denied having sold his information. After some digging, Bristol-Myers Squibb gave the actual way they got Spencer’s health information to be able to do a targeted mailing:

Maybe Spencer bought an over-the-counter depression remedy at a store where he has “frequent shopper” card? Maybe he called an 800 number for information? Maybe he answered a survey on health concerns?

I ran all these ideas by Spencer, and he rejected each.

‘Gotcha’?
On Friday afternoon, Bristol-Myers Squibb delivered a “gotcha.” Yes, Spencer was the source of his own privacy breach, according to spokeswoman Laura Hortas.

Hortas says Bristol-Myers Squibb bought the list in question from a reliable list broker. “We only work with list vendors that we know commit to observing U.S. privacy law,” she told me.

And how did the list vendor get Spencer’s name? Hortas says Spencer visited a site called www.WinningSurveys.com at 9:25 p.m. on Dec. 14 and replied to a prompt that said: “Please provide relevant information to me on the following ailments.”

“He selected depression,” Hortas says.

Of course, Spencer denies ever having visited that site. The problem is that I bet Spencer is like most Americans and doesn’t really know what sites they’re visiting anyway. I’m still surprised how many people I talk to don’t know the difference between going to www.emrandhipaa.com and typing emrandhipaa in Google to find the site. I see the stats on my blog that show how many people don’t know the difference. I wouldn’t be surprised if Spencer is one of these people.

I’m not trying to defend sites like WinningSurveys.com. There’s a lot of JUNK on the internet that is absolutely terrible, deceptive and in many cases dishonest. It’s really easy to trap someone into providing their personal information to you online (although I don’t agree with or use these methods). Many times without people even realizing they’ve done it. Is that a breach of someone’s privacy if they were deceived into giving up their information to win an iPad?

I’m also not saying that companies shouldn’t be held responsible for using health information inappropriately. They should be held accountable according to the laws. I just don’t see any violation of HIPAA laws in this case.

I do love the irony that someone so concerned about privacy of his health information now has an article on Philly.com with his name and his health information. That leads me to believe that Spencer isn’t as concerned about the privacy of his information as he puts on. Maybe he’s just mad that he didn’t have a winning survey. I wonder if he’d won an iPad from the survey if he’d be as concerned about the mailings.

June 1, 2011 I Written By
