Health IT Pulse

August 22, 2014  10:26 AM

When will U.S. healthcare learn to safeguard patient data?

Posted by: DonFluckinger
data breaches, health data security, HIPAA, patient data, patient privacy

The revelation this week that a Community Health Systems, Inc. patient data breach affected 4.5 million people was difficult to accept.

What’s harder to accept is that it was caused by Heartbleed, a well-documented, headline-grabbing OpenSSL data security vulnerability that opens up legacy systems to hackers. Through the back door Heartbleed creates, thieves can decrypt login credentials and run wild through data systems. Legacy systems are vulnerable because they’re no longer getting security updates. Whoops! Sorry, patients, even though this was all well known, we chose not to address it.

Sources we talk to explain the reasons these situations happen in U.S. healthcare; most are nested in cost arguments. Because legacy systems are stable, in the IT sense, providers worry about disturbing employee workflows if they were to upgrade to newer applications. New data systems also come with huge data migration costs for switching to new billing, coding, research, lab, radiology, EHR, and other systems. And only the richest health systems have the capital to stay current with IT, as payers tighten already thin margins and CFOs veto new purchases by saying “if it ain’t broke, don’t fix it.” The list of “whys” goes on, including vendor indifference to old products. They’ve moved on, and they want providers to, too, whether they can afford it or not.

Somehow, we’re imagining the 4.5 million Community patients are unlikely to accept those arguments as valid. Also, we’re guessing the folks in charge of cleanup and remediation would attest that it’s way more expensive to fix the situation now than it would have been to update their legacy system before Chinese hackers put their organization in the news. And made them subject to HIPAA fines, inspections and audits down the road. And extremely public scrutiny on their network architecture and data security compliance risk mitigation plan — and checkups on how they’re executing it.

The marketing and media relations staff likely aren’t happy with the fallout from the breach, either, as they try to assure patients that things will be okay, and attempt to persuade them not to go to other healthcare providers.

Fortunately, for healthcare providers who take this week as an omen or, perhaps, inspiration to look over their own compliance strategies on both the patient privacy and data security sides of the HIPAA coin, there’s a way to get current information from the top authorities in the country: The Safeguarding Health Information conference Sept. 23-24, jointly sponsored by the National Institute of Standards and Technology and HHS’s Office of Civil Rights. Together they will present strategies for securing EHRs, building tight business associate agreements, implementing encryption, locking down mobile devices, advice for CIOs to convince fellow c-suite dwellers to invest in HIPAA compliance, patient data security in the cloud, and many other related topics.

While the event will take place in Washington, D.C., it will also be webcast live. So there’s no excuse to miss it. None, whatsoever.

August 20, 2014  4:15 PM

FDA issues gender guidance in medical device testing

Posted by: ShaunSutner
demographic reporting, draft guidance, FDA, medical devices

The FDA has waded into gender issues in studying the safety of medical devices.

The agency – which effectively deregulated consumer health devices and apps with draft guidance rules earlier this summer – now has issued draft guidance on using sex-specific data in medical device clinical studies, which remain heavily regulated.

The guidance makes specific recommendations for using gender during the clinical trial design stage to improve consistency of analysis and demographic reporting, according to an FDA advisory.

Among the recommendations to the medical device industry and FDA staff are: methods for designing and carrying out clinical studies to encourage enrollment of both men and women; methods for analyzing demographic data; approaches for reporting demographic data in labeling and in public documents for approved devices; and decision frameworks for study design and accounting of sex-specific data when evaluating overall study outcomes, including when more data may be needed.

The 26-page measures set was accompanied by an action plan. Its introduction, written by FDA commissioner Margaret Hamburg, M.D., spells out the rationale for the new rules.

“When a more diverse population participates in clinical trials, we increase the potential to know more about the extent to which different subgroups — males and females, young and old, people of various racial and ethnic backgrounds, and patients with differing comorbid diseases and conditions – might respond to a medical product,” Hamburg writes. “And when subgroup data are analyzed, we have available more information about the product that can be communicated to the public. The result is greater assurance in the safety and effectiveness of the medical products used by a diverse population.”

As usual with draft guidance, the FDA notes that it is non-binding.

In reality, though, such moves usually carry the heft of the big regulatory agency, and in this case clearly signal that FDA officials felt that not enough importance was being given to gender in the medical device industry.

August 19, 2014  10:19 AM

Protected health information breach exposes data of 4.5 million patients

Posted by: adelvecchio
data breach, PHI

Hackers compromised the protected health information of 4.5 million patients of Franklin, Tennessee-based Community Health Systems, Inc. in April and June of this year, the 206-hospital health system spanning 29 states reported. The hospital system — along with cybersecurity firm Mandiant Corp. — believes a group from China used sophisticated malware and technology to breach the Community’s IT network.

The hackers were able to copy and transfer data that included patient names, addresses, birthdates, telephone numbers and social security numbers, but not credit card or clinical information, as detailed in Securities and Exchange Commission filings.

A breach that affected members of the State of Tennessee Group Insurance Program exposed similar data sets as the Community Health System incident, and avoided exposure of medical information, social security numbers and employee ID numbers. The attack gained access to an old online scheduler — which hadn’t been in use since the fall of 2013 — between January 4, 2014 and April 11, 2014, according to a letter sent to members of the insurance program. Affected members will receive one free year of identity theft protection.

Healthcare data breaches that put protected health information at risk haven’t been limited to a few instances. More than half (61%) of respondents to a 2013 EMC survey said their organization experienced a security breach, data loss, or unplanned down time in the 12 months preceding the survey. Nearly one-fifth (19%) reported security breaches in that same timeframe, costing them an average of $810,189.

Healthcare lags behind retail, utilities and finance as the industry with the lowest-rated security in a study done of those four markets. The analysis — performed by BitSight Technologies — put healthcare’s security score at 660, on a scale of 250 to 900, at the conclusion of the first quarter. That number was nearly 100 points fewer than the score finance earned.

August 13, 2014  1:36 PM

Office of Civil Rights readies second round of HIPAA audits

Posted by: ShaunSutner
HIPAA, HIPAA compliance audits, OCR, Open Payments

The U.S. Dept. of Health and Human Services’ Office of Civil Rights is preparing to launch a second, more ambitious round of HIPAA audits. For the first time the audits will include business associates of HIPAA covered entities. They also could result in enforcement penalties for violators.

Over the summer, OCR had planned to send pre-audit surveys to between 550 and 800 entities in preparation for what it calls “Phase 2 audits,” which are to begin this fall. These follow Phase 1, a pilot round of audits of 115 entities conducted over the past year.

The pilot audits did not include business associates, carried no penalties, and were performed by subcontractors. The upcoming audits are expected to be done primarily by OCR staff, according to the National Law Review.

However, the new audits will be desk audits rather than on-site visits, the National Law Review said. Auditors won’t be able to seek clarification or additional data, and they will only take into consideration data submitted on time.

From the pre-audit review, the OCR is expected to select about 400 covered entities for the actual HIPAA audits.

Of those, about 350 are supposed to be covered entities – 232 healthcare providers, 109 health plans and nine healthcare clearinghouses. The rest, about 50, are expected to be business associates.

In addition to being performed by OCR staff and not contractors, the second round of audits will differ from the pilot audits in targeting HIPAA standards, including the Privacy Rule and patient access to personal health information (PHI). The first audits revealed a high non-compliance rate with the standards.

The National Law Review reported that OCR will audit 100 entities for compliance with the Privacy Rule, including Notices of Privacy Practices and PHI. Another 100 entities will be audited for content and timeliness of notifications under the Breach Notification Rule, and 150 will be audited on the risk analysis and management standards of the Security Rule.

Business associate audits will cover only risk analysis and management, as well as breach reporting to covered entities.

August 12, 2014  4:12 PM

New site to collect feedback on healthcare interoperability plan

Posted by: adelvecchio
health information exchange, health IT policy committee, Interoperability, Karen DeSalvo

In an act of teamwork in line with their goal of industry-wide cooperation, Karen DeSalvo, M.D., the national coordinator for health IT, and Erica Galvez, the ONC’s interoperability and exchange portfolio manager, co-authored a blog post introducing an interactive Website built to solicit public input on the ONC’s healthcare interoperability plan.

The site builds on the ONC’s 10-year interoperability plan which was issued in June. Any feedback received by September 12, 2014 will be considered in a draft to be presented to ONC advisory committees in October. After that review, ONC expects the first version of their interoperability plan to be posted for public comment in early 2015.

The ONC’s healthcare interoperability map is separated into three, six, and ten-year markers to delineate the escalating goals of the program. By year three, participating providers should be able to send and receive information to improve care quality. The six-year agenda is to improve care quality while lowering costs, and the ten-year goal is to build a nationwide health IT infrastructure that improves information sharing at all levels of healthcare.

A draft report from the Senate Appropriations Committee is directing the Health IT Policy Committee (HITPC) to conduct and submit a report “regarding the challenges and barriers to interoperability.” They state the assessment should be given to the Senate Committees on Appropriations and Health, Education Labor, and Pensions within a year after the draft of the 2015 appropriations bill is enacted. The HITPC’s report should explain the financial, operational and technical barriers to interoperability, according to the Senate committee’s recommendations.

A presenter at a recent mHealth conference offered some reassurance to those struggling with healthcare interoperability issues. Lixin Tao, chair of the computer science department at Pace University, said computer professionals have been dealing with digital information exchange incompatibility problems for 20 years and that the Health Level 7 protocol (HL7) can facilitate data exchange between providers. Tao did caution that the two most recent versions of HL7, versions two and three, each offer unique benefits. The most recent HL7 v2 is dated – based on a spec more than 26 years old – but it’s backwards-compatible, meaning it works with older v2 editions. HL7 v3 is more powerful and current but lacks backwards compatibility.

August 7, 2014  11:02 AM

The potential of mHealth apps — in stats

Posted by: DonFluckinger
mHealth, mHealth applications, mobile technology

BOSTON — Adam Landman, M.D., chief medical information officer at Brigham and Women’s Hospital, is convinced of the potential of mHealth apps. He’s also in favor of establishing strong data security protocols and for vendors and healthcare providers to vet apps for patient safety — whether the FDA intervenes or not.

That was his introduction to a panel at the mHealth + Telehealth World 2014 conference he moderated. In setting up the panel discussion, he offered some startling facts from recent market research that put the importance of safety and security in perspective:

  • 80% of the world’s population have a mobile phone; 20% of them are smartphones.
  • In the U.S., saturation has reached 85%, with 50% of them being smartphones.
  • Furthermore, more than 25% of U.S. patients have a tablet.
  • In the Apple App Store, there are 44,000 apps classified as “health” related.
  • A recent study determined that 20,000 of them are actually mis-typed and not health-related.
  • Of the remaining 24,000 apps, roughly two-thirds of them or 16,000 are for patients, and the remaining 8,000 are for healthcare practitioners and other provider employees.

The device saturation numbers came from a 2012 Pew Research Center study, and he expects more current numbers to indicate even deeper adoption of smartphones and tablets. “There’s no other healthcare device or healthcare initiative [other than the phone] that reaches that many people,” Landman said.

August 6, 2014  10:24 AM

Bipolar disorder most popular health mobile search

Posted by: ShaunSutner
bipolar disorder, desktop search, mobile search

Mobile searchers look for information about bipolar disorder more often than any other medical issue, according to new research by Internet marketing firm PageScience.

Next for mobile searches, in descending order, are lupus, gastroesophageal reflux disease, and blood disorders.

PageScience’s search methodology uses impressions, not clicks, as the most accurate measure of whether information is being viewed.

The data contrasts mobile search behavior and results for health info searches with how consumers use personal computers to look for the same kind of info. In the desktop and laptop worlds, cancer and weight loss come in the two top slots, with obesity taking third place.

Filling in the top 10 most popular health conditions and issues that mobile users search for are: allergies; hepatitis C; heartburn; myasthenia gravis; birth control; sleep disorder; and anxiety.

The remainder of the top 10 for desktop searchers: restless leg syndrome; diet; HIV-AIDS; dry eye; dental; insomnia; and psychology.

Bipolar disorder registered 3.8 million mobile impressions during a 10-day period in late June analyzed by PageScience, compared to just 600,000 impressions on desktops. And cancer got just 2.6 million impressions on mobile, but 148 million on PCs.

Those patterns reflect clear differentiation in age-based platform preferences, according to Janet Taylor, M.D., a New York City psychiatrist quoted in PageScience’s release on its survey.

Taylor noted that the average age of people with bipolar disorder is 25, with women outnumbering men in having such mood disorders. And women in their 20s are also big mobile users, so they turn to their smartphones for research into symptoms, treatment and prevention, the doctor pointed out. Young people with psychological issues may also prefer using phones rather than computers because they offer better privacy and more convenience.

Other points of interest highlighted in the survey are that health conditions such as allergies vary by location and season, so consumers seek information about them on their mobile devices as they travel, and conditions such as heartburn are episodic and can appear suddenly.

The figures compiled by PageScience were based on 516.5 million total health-related impressions.

Also included in the PageScience info is a spreadsheet of 82 physical health conditions and their breakdown by device, plus bar graphs on mental health and episodic health conditions by device.

August 5, 2014  12:06 PM

Majority of U.S. providers ready to meet ICD-10 deadline

Posted by: adelvecchio
CMS, ICD-10 delay, ICD-10 implementation, ICD-10 readiness, WEDI

The decision to delay the ICD-10 deadline may prove advantageous for U.S. providers. Just over half of providers (51%) said they already have the proper resources and technology in place and are ready for the Oct. 1, 2015 deadline. The remainder are going to use outsourced technology and clinical documentation improvement programs, rather than rely solely on internal IT resources and staff training. Fewer than a quarter of hospitals currently outsource clinical documentation audits, a number that is expected to rise to 71% by the third quarter of 2015, according to a survey of 650 hospital technology and physician leaders done by Black Book Rankings.

Black Book isn’t alone in attempting to quantify where providers stand in their race to the ICD-10 deadline. The Workgroup for Electronic Data Interchange (WEDI) released an ICD-10 readiness survey, seeking responses from providers, health plans, vendors and clearinghouses. Respondents have until Aug. 21 to complete the survey. “Since 2009 WEDI has been conducting these surveys, allowing us to gain a broad perspective on the readiness status for different sections of the industry, and to gauge how quickly they are progressing,” said Jim Daley, WEDI chairman and ICD-10 Workgroup co-chair, in a WEDI release.

The Centers for Medicare and Medicaid Services recently finalized next October as the compliance date for healthcare providers and health plans to transition to ICD-10. CMS’ official news release states the deadline gives providers, insurance companies and the rest of the industry time to ensure their systems and business processes are adjusted to work with ICD-10 codes.

The decision to delay ICD-10 until 2015 could be among the first of the obstacles facing implementation of the coding set. Two U.S. senators and four representatives sent a letter to CMS Administrator Marilyn Tavenner, asking her for “additional information and ongoing communication” as the compliance date gets closer. The letter pointed out that CMS expressed confidence that providers would be prepared to meet the previous Oct. 1, 2014 deadline.

July 31, 2014  1:53 PM

Behavioral health providers lobby Congress for meaningful use inclusion

Posted by: DonFluckinger
AMA, behavioral health, certified EHR technology, EHR incentive program

While some lobbyists and healthcare associations such as the American Medical Association are using meaningful use rollouts, schedules, criteria and incentive program administration as a political battering ram this summer, behavioral health providers are knocking on the door of the federal EHR incentive program and asking to be included in the Medicare and Medicaid sides.

In various reports from sources as diverse as Politico and the McKeesport (Pennsylvania) TribLive website, two Senate bills and three House bills were introduced in 2013 to bring these providers into the meaningful use fold. The Behavioral Health IT Coalition, backed by the American Psychological Association, has been fighting for that cause for four years, and sent some of its representatives to Capitol Hill to renew their arguments for inclusion in a briefing before Senate staffers.

Not only do bills such as H.R. 2957 (since rolled into H.R. 3717) include behavioral health providers in the “carrot” of meaningful use, but also may subject them to the “stick” of Medicare penalties for not implementing ONC Certified EHR technology.

Providers made their case not only by pointing out the technology gap between behavioral health and the less resource-strapped acute and ambulatory providers, but also by enumerating the ways behavioral patients typically require better care coordination. Not only do they typically have other health conditions such as diabetes and asthma, the providers said, but — because of their diagnoses — can have trouble keeping up with medication adherence.

EHRs would help bridge the gap between such patients’ providers and help improve outcomes for the patients and cut costs from bad outcomes brought on from the lack of data systems on the behavioral health side, they added.

July 30, 2014  12:48 PM

VNA CIO discourses on future of telehealth

Posted by: ShaunSutner
data analytics, homecare, smart beds, telehealth

Hugh Hale, CIO and senior vice president, information technology, of Visiting Nurse Service of New York, is a veteran of three decades in the healthcare and tech businesses. Of the pace of technological advancement in telehealth and medical care today, he says: “This is the most seismic amount of change I’ve seen not only in home care, but in healthcare overall.” Hale was speaking to an audience at the mHealth + Telehealth World 2014 conference in Boston.

This visiting nurse association (VNA) group — the biggest nonprofit home healthcare agency in the country — takes care of the urban population of the five boroughs of New York and parts of suburban Westchester and Suffolk counties.

That’s more than 70,000 patients, 2.2 million home visits — in total, 35,000 visits a day by the VNA’s 18,000 employees.

Telehealth is important to the VNA, Hale said, because “everything we do is aimed at keeping patients out of the hospital.”

Toward that goal, the New York VNA depends heavily on the backbone of population health: data analytics. The VNA mines data to see which patients have family histories of chronic disease, how many patients are making frequent trips to hospital emergency rooms, and who is showing up for doctor’s visits, among other trends.

Traditionally, Hale said, the nurses’ group has built its own applications, but in a major overhaul of the VNA’s technological infrastructure that is going on now, “we’re shifting from a build to a buy” with an emphasis on best of breed products.

In April, the VNA chose Delta Health Technologies, a homecare-specialized EHR vendor, to handle workflow using integrated clinical support and revenue cycle management. Recently, the VNA decided to swap out thousands of tablets used by nurses in the field in favor of new models. The new tablets were chosen by a panel of nurses whom Hale and other managers picked specifically because they were the most critical of the old devices.

As for the future of telehealth, Hale sees the horizon populated with super-advanced wearable devices that can instantaneously detect falls and “smart beds” that monitor a range of vital signs. There are smart beds on the market, such as one made by Vista Medical, that use pressure mapping to detect ulceration and other maladies that afflict bed-bound patients.

In a conversation with SearchHealthIT after his presentation, Hale said he expects smart beds to also be able to reliably monitor blood pressure, heart rate and sleep patterns.

“They are the wave of the future,” he said.

