May 3rd, 2011 by DavidHarlow in News, True Stories
No Comments »
In recent years many health care providers and managers have told me, time and again, that the health care world is accustomed to managing confidential patient information, and therefore doesn’t need much in the way of social media training and policy development. This week brings news that should make those folks sit up and take notice. A physician in Rhode Island, who was fired for a Facebook faux pas, has now been fined by the state medical board as well. The physician posted a little too much information on Facebook — information about a patient that, combined with other publicly available information, allowed third parties to identify the patient. The details of the story are available here and here.
The key takeaway from this story — and the Johnny-come-lately approach to health care social media taken by the Rhode Island hospital in question and the Boston teaching hospital that the Boston Globe turned to for comment — is that prevention is the best medicine. Read more »
*This blog post was originally published at HealthBlawg :: David Harlow's Health Care Law Blog*
May 2nd, 2011 by DrWes in Opinion, True Stories
No Comments »
Not everything that counts can be measured.
Not everything that can be measured counts.
-Albert Einstein
Recently, a disturbing trend of monitoring physician quality and accountability has taken another ominous turn: tracking physician’s movements at scientific conferences (so called “tag and release”) using RFID tags imbedded in attendees name badges at national scientific sessions. Having had personal experience with the recent American College of Cardiology meeting, this technology will also be imbedded in the name badges for attendees at the upcoming Heart Rhythm Society meeting to be held in San Francisco in May.
On first blush, it shouldn’t be such a big deal, right? It was all just a great way for companies to obtain, for a fee, the names and institutions of people who visited their display booths and for the conference organizers to track the movements of attendees. (Heck, maybe they can partner with an industry sponsor to pick up our traffic tolls on the way to the conference hall or arrange other exciting activities for us! [Said tongue-in-cheek, of course])
Instead of “opting in” for tracking at scientific meetings, doctors must “opt out” from the use of tracking technology when registering for scientific meetings. At the upcoming Heart Rhythm Society meeting for instance, doctors had to “opt out” from the use of RFID technology tracking by checking a box that says:
Badge scanning technology will be utilized at this event in order to better understand attendee/delegate interests and preferences. The information collected will be used to improve future events to better address your preferences. No personal information is stored in the RFID badge, only an ID number. We encourage all participants to take part in this process to ensure the most accurate data is obtained. You may check this box to opt-out of the RFID data collection.
There’s full disclosure, doctor.
But to me, the default tracking of doctors is disturbing on several levels.
First, tracking was approved by our professional society organizers upon their own members. It is no secret that these societies make a significant portion of their operating revenues from industry sponsors at these meetings. By instituting tracking, the value of their membership’s privacy has taken a back seat to the income generated from tracking revenues. By NOT checking a box, we have implicitly “agreed” to this tracking. (Realize we MUST wear our badge to attend these conferences where we gain our REQUIRED continuing education credits.) Because we have “agreed” in this manner, the tracking data are now legally “discoverable.” At the risk of sounding like a conspiracy theorist, it is not too hard to imagine one’s credentials being called into question in court because a doctor did not demonstrate enough time in CME activities at the scientific sessions to quality for credit or because these data implicate a doctor in a purchasing agreement between a vendor and hospital system simply because a doctor visited a display booth.
Doctors have seen this sort of activity before when “only” our license and demographic information was sold by the American Medical Association (AMA). The AMA currently “licenses” physician state medical license numbers and demographic information to health care information organizations (HIOs), HIOs then collect and compile this information with prescribing data that contains the doctors’ license numbers (no names, mind you) and then sell the lists to pharmaceutical companies. The AMA tells its members it does “not collect, license, sell or have access to physician prescribing data” and this is true. But the AMA facilitates an intermediary’s ability to pair doctors’ license information to a their prescribing habits via a third party. One can only speculate how out prescribing and practice profiles are being developed by other similar health information companies with the use of our RFID tracking data.
Behind all of this is a bigger issue: doctors are frustrated by the increasing intrusion into our day-to-day practice of medicine to measure things. Take, as one example, our “quality performance measures” that have done little to facilitate patients office visits, but rather add burdonsome documentation requirements in the interest of government payments. A number of hospital administrators have confided in me that it costs more to collect this data than they make in government payments. In fact, whether these programs are ultimately are found to be cost-effective or improve the quality of care has been brought into question in our literature. Yet we continue to collect these measures and expand them. We are now dispatching legions of people to collect and compile data to “prove” that Electronic Medical Records are used in a “meaningful” way. But an honest appraisal of this policy discloses the reality: these measures permit health care systems to collect another $40,000 per doctor from the government because they are using computers, not because it improves patients’ care in any “meaningful” way. As proof of the overburdensome nature of all this data collection for the physician, doctors (or their health care systems) are increasingly employing “scribes” to relieve them of the data-entry burdens in the name of “efficiency.” How much, exactly, do these scribes cost our health care system? Few dare to ask the question since no one wants to deny themselves of that juicy $40,000 pot of gold being paid per doctor.
Adding insult to injury, all doctors will soon be required to disclose if we receive anything over $100 from industry representatives. Like the public, most of us recognize the pernicious nature of industry influence upon our profession. Yet we now find we are being used. Should our professional organizations be any less forthright with their industry dealings and the use of our demographic data at national scientific sessions? How much is at stake?
Finally, we see more and more onerous licensure requirements and fees paid to the same tag-and-release operatives at considerable cost to ourselves. We now spend thousands of dollars to remain “credentialed.” We wonder how much the RFID “return on investment” to industry sponsors adds to our annual membership fees. Could it reduces them? Who knows? Maybe, like other IT models, we should insist our membership fees be waived if we agree to being RFID tagged and released because most of us realize someone’s making money on this deal.
In summary, doctors increasingly find the imperative to guard the privacy of our patients without regard to our own personal and professional privacy with the very same patients disturbing. Everything about doctors is being measured these days and it’s taking its toll on patient care. We are frustrated with the governmental bureaucratic standards that threaten our time with patients. But time with patients does not pay bills. Meeting data-collection milestones do. Our government and employers have lost sight of the main issue here: improving and expanding our contact with (and the ability to do good for) our patients.
But as long as there is money to be made with our personal information, it is clear that there will be those that will try to capitalize upon it, whether we realize it or not. Only by demanding constant accountability and transparency from the collectors of this information be they government bureaucrats or our professional society appointees, can we hope to maintain any modicum of professionalism in our tenuous doctor-patient relationships of the future.
*This blog post was originally published at Dr. Wes*
March 31st, 2011 by Elaine Schattner, M.D. in Opinion
No Comments »
The Times ran an intriguing experiment on its Well blog yesterday: a medical problem-solving contest. The challenge, based on the story of a real girl who lives near Philadelphia, drew 1379 posted comments and closed this morning with publication of the answer.
Dr. Lisa Sanders, who moderated the piece, says today that the first submitted correct response came from a California physician; the second came from a Minnesota woman who is not a physician. Evidently she recognized the condition’s manifestations from her experience working with people who have it.
The public contest – and even the concept of using the word “contest” – to solve a real person’s medical condition interests me a lot. This kind of puzzle is, as far as I know, unprecedented apart from the somewhat removed domains of doctors’ journals and on-line platforms intended for physicians, medical school problem-based learning cases, clinical pathological conferences (CPC’s) and fictional TV shows. Read more »
*This blog post was originally published at Medical Lessons*
March 26th, 2011 by DavidHarlow in Health Policy, News
No Comments »
Walgreens is being sued by customers who are not happy that their prescription information – even though it has been de-identified – is being sold by Walgreens to data-mining companies.
The data privacy and security concerns surrounding the transfer of de-identified data are significant. To “de-identify” what is otherwise protected health information under HIPAA, some outfits will simply strip data of 18 types of identifiers listed in federal regulations. However, the relevant regulation (45 CFR 164.514(b)(2)(ii)) also provides that this only works if “the covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.” Thus, the problem with this approach is that, these days, nobody can disclaim knowledge of the fact that information de-identified by removing this cookbook list of 18 identifiers may be re-identified by cross-matching data with other publicly-available data sources. There are a number of reported instances of this sort of thing happening. The bottom line is that our collective technical prowess has outstripped the regulatory safe harbor.
Is this the basis of the lawsuit brought against Walgreens? An objection to trafficking in health information that should remain private? No. The plaintiff group of customers is suing to share in the profits realized by Walgreens from trading in the de-identified data. Read more »
*This blog post was originally published at HealthBlawg :: David Harlow's Health Care Law Blog*
March 17th, 2011 by DavidHarlow in Health Policy, Opinion
No Comments »
HealthNet either lost, or had stolen from it, computer hard drives with PHI of 1.9 million subscribers that had been in a California facility. This latest HealthNet data security breach, which may have included names, Social Security numbers, addresses, health information and financial information comes a little over a year after a widely-reported data security breach by HealthNet in Connecticut which resulted in the first state Attorney General action under the HIPAA amendments contained in the HITECH Act. HealthNet is notifying affected individuals and is offering two years of no-cost credit monitoring and fraud resolution services, and credit restoration and identify theft insurance as needed.
It’s both surprising and unsurprising that this has happened again to HealthNet. In these cases, and in recent cases in Massachusetts (Mass General Hospital HIPAA settlement) and Maryland (Cignet HIPAA violations and CMPs), we have seen examples, collectively, of individual sloppiness, of ineffective corporate policies and procedures, and possibly of gross neglect/fraud/incompetence. The question arises: Is HIPAA the right instrument to address all three sorts of problems? Since it seems that it is not having an effect on any of them, I would suggest that the answer is no. Read more »
*This blog post was originally published at HealthBlawg :: David Harlow's Health Care Law Blog*