
Outlook on Data Privacy and Security in 2013

Guest post by: Drew Gantt, Partner, Cooley LLP.

As 2013 gets underway, we are in the midst of a health information revolution. As many healthcare providers continue to struggle to implement electronic health record systems and meet meaningful use requirements, the promises of this revolution may seem distant, even non-existent. Indeed, many providers rightly complain that implementing EHR systems has only brought increased expense and declining productivity as they adjust to the new systems. The promises of interoperability, better outcomes, reduced medical errors and lower costs in many cases have not yet been realized.

For others, the promised benefits of electronic health information may be closer at hand.  For example, The Wall Street Journal recently reported that two big names in healthcare – UnitedHealth Group, Inc. and Mayo Clinic – will form a new research company to mine de-identified health data from millions of health claims and medical records to identify best practices.  This seemingly reflects a realization of one of the touted benefits of electronic health information – to change the way healthcare is provided and to reduce costs by analyzing health outcomes information.

Notwithstanding the electronic growing pains within certain quarters of the provider community, digital health is flourishing and driving the health information revolution.  While the provider and payor communities were formerly the sole source of health information, consumer demand for digital health and control over health information is moving the center of the health information universe more toward individuals (the new paradigm) and away from providers and payors (the old paradigm). Both patients and providers report increased use of the Internet to diagnose medical conditions. Digital health services provided via the Internet, smart phones, cable, Bluetooth-enabled devices and other wireless technologies are putting health information at consumers’ fingertips and unlocking it from the confines of providers and payors.

Consumers want their devices to do more, and make health information and services available to them as easily as they may use their phones to search for a restaurant. Smart phone chip manufacturer Qualcomm has established a $10 million prize to develop a mobile medical computing device, inspired by the tricorder device from “Star Trek.” Smart phones and many medical devices now include multiple sensors that can be employed for a variety of health-related purposes and health-related sensors are increasingly being incorporated into clothing and home monitoring equipment. These activities are generating massive amounts of digital health information, facilitated by declining costs of data storage available through the cloud and other low-cost digital storage media.

While providers may no longer be relied upon as the sole source of medical information, they will continue to be relied upon for their medical judgment. Because of the exponentially increasing availability of health information, including genomics information, which is relevant to clinical decision-making, providers will have a significantly higher burden to digest and analyze this available information and manipulate it in the clinical setting. Look for increased use of and demand for data analytics tools in the clinical setting.

In the meantime, our regulatory regime for data privacy and security, including HIPAA and HITECH, is based on the old paradigm and severely inhibits the health information revolution. Ironically, HIPAA, which was intended to address privacy and security in a digital age, stands as a major impediment to digital health. It does so, in part, because it assumes that health information rightly resides with providers and payors (HIPAA-covered entities), rather than with their business associates (including many digital health companies) or consumers. Indeed, with limited exceptions, HIPAA requires that any business associate of a HIPAA-covered entity either return to the covered entity or destroy patient information where feasible when the relationship between the business associate and the covered entity ends.

That requirement effectively constrains information from easily following the consumer, a major objective and promise of the health information revolution. For example, HIPAA makes it difficult for a wellness company to continue to serve an individual if that individual changes health plans or the wellness company stops doing business with the individual’s health plan. In 2013, look for increased pressure to reform HIPAA to allow information to be more readily accessed by consumers and digital health companies. The more than 500 pages of new HIPAA Omnibus regulations that were issued on January 17, 2013, do not change this underlying assumption or effectively address the new paradigm of a patient-centered health information universe.

At the same time, increased use of mobile media by healthcare providers continues to challenge those who are responsible for protecting that health information. Theft or loss of mobile media, including smart phones, laptops, tablets and flash drives, continues to be among the largest sources of data breaches, prompting the federal government recently to issue specific guidance on how to use such devices in compliance with HIPAA. (See,

This guidance recommends limiting offsite use of mobile media that may contain health information. While this position is understandable, it reflects the old paradigm view that information remains within the control of the providers and payors and ideally does not leave the controlled environment of their facilities. Healthcare facilities and other companies that use mobile media containing patient information will continue to face challenges with implementing use of such devices, given the current regulatory regime.

Drew Gantt leads Cooley LLP’s Health Care and Life Sciences Regulatory Practice. Gantt is a partner in Cooley LLP’s Business Department and a member of Cooley’s Life Sciences Practice Group. His practice focuses on healthcare and life sciences regulatory counseling, complex transactions and strategic business advice.

We Live In a Database World and No Matter How Meaningful We Use It, There’s Still Much to Be Desired

The meaningful use of data collected in an electronic health record continues to be the stump speech of Farzad Mostashari, National Coordinator for Health Information Technology.

He’s been pushing the message for months: those achieving or working toward meaningful use attestation need to get beyond just the financial incentives of the program, he says.

Physicians and their healthcare systems need to dig deeper and realize the importance of the data that they have at their hands. They need to realize just how to leverage the data to improve their patients’ health outcomes and lead those in their care down an educational path about the importance of their involvement in their care and how electronic systems can help improve their interaction with their care providers.

For meaningful use to work, those in the community need to make sure they’re using the data collected meaningfully. Meaningful use is a tool and it should be used as one; but unlike a simple jack knife, it’s a multi-purpose, multi-blade, do-it-all Swiss Army knife.

If used correctly, as a means for change rather than a singular solution for incentives, Mostashari believes that meaningful use can actually lead to population health management (the real reason behind meaningful use), more patient engagement (this is yet to be determined) and the creation of health information exchanges (yes, but we need interoperable systems before we see widespread use of data outside their silos).

His ambitions are correct, and collectively, there is a fundamental agreement that meaningfully using EHRs will help accomplish all of these goals (though patient engagement may remain the stickiest of wickets). The problem here, though, seems to be that even though most physicians want to dive into the deep pool of big data, they just don’t seem to be able to catch their breath.

In all walks of life we face the day-to-day grind of ongoing and seemingly never-ending tasks that drive us further away from our goals. However, it’s different in healthcare. I just can’t seem to think of any other professional group (other than members of the military and police forces) under so much constant pressure to produce positive, long-term results for the people they serve.

In addition to making life and death decisions, our physicians and healthcare leaders are constantly facing the deluge of regulation and reform (meaningful use, ICD-10, HIPAA and even to a certain extent malpractice and 5010).

Healthcare professionals are overrun by details that have taken them into the weeds. Their days are long and their time is short. We can argue if electronic health records actually save them time and money. Depending on whom you speak with, each person has an opinion as to its effect. Add everything I previously mentioned and it’s simply overwhelming.

I firmly believe that in a best case scenario, we’d be able to meet all of Mostashari’s proposed goals. Big data would (and can) lead to a changed system and provide real and personal stories of improved health outcomes. I believe that if we could clear away the clutter, we could begin building upon the foundation and create the best, most comprehensive, patient-serving healthcare system that produces results and actually changes lives.

But, for now, we live in a database world where no matter how meaningful we use them there’s still much left to be desired.