Tuesday, May 31, 2005

Stand and Deliver

From Healthcare IT News--- HHS Secretary Mike Leavitt (you know, the one who isn't Tommy Thompson) gave a speech last Monday that could have been made any time in the last 5 years, except for this part:
"The agency will provide early deliverables within the next six months, Leavitt said, specifically the development of adverse drug event records, the electronic transmission of lab test results, and the elimination of the “medical clipboard” for patient admittance. Although he spoke of unique patient identifiers that would eliminate errors and speed patient admission, Leavitt said patient identifiers would require more discussion and study."
No surprise that the individual identifiers are on hold, but the rest is an interesting hint. Full story here.

Get Back

Here is a little pushing back from the public, in this case an editorial from the Lufkin (Texas) Daily News:
"If the state attorneys prevail who are arguing that HIPAA (the popular acronym for the Federal Health Insurance Portability and Accountability Act) overrides state FOI laws, the public will be denied information we believe it is entitled to have. Here are just a few examples of how HIPAA stymied attempts to get basic information:
---The names of victims of auto accidents, assaults and fires would not be released.
---Coaches wouldn't be able to talk about injured football players, or even name them.
---Ministers would not be able to find out if church members were in the hospital and in need of solace.
---People can't call and find out the condition of friends who have been hospitalized."
Of course, the arguments here are the same ones we have heard before. As a former newspaper reporter, I can sympathize with the editor's frustration. Information is a newspaper's stock in trade. But is the public's, or in this case a newspaper's, need to know more important than the individual's privacy?
The four bullet points are easily answered with questions: Does the public's right to know trump the individual's right to privacy in the case of an auto accident? (I don't think that HIPAA covers fires, unless there is a medical condition attached, either an injury or exacerbation of an existing condition.) Coaches, of course, can talk about injured players, because a coach is not a covered entity, so we will dismiss this one as hyperbole. Does the right of a minister to minister override the individual's right to privacy? And how, exactly, is the minister finding out? By calling the hospital and asking for a list? And the last one is the meat of the matter. The privacy rule allows the individual or the individual's representative to be in control of who knows what is going on with the individual's health information. It protects us all from snoopy neighbors, gossiping church members, and anyone who wants to identify themselves as a friend, neighbor, minister, or newspaper reporter. We are all annoyed sometimes by what we have to do to be compliant. That annoyance is tempered, usually, by the knowledge that our privacy is ours to control.
Sunshine laws are important, but I think the editor here has forgotten their purpose. They were enacted to protect the public from the government and its agencies using secrecy to hide wrongdoing, shady deals, cronyism, and blundering, not to provide free information to anyone who asks about anyone they care to ask about. I have great sympathy for any working reporter who has to do his or her job, obstructed by just about every rule or regulation that a suspicious public institution can throw in the way. That sympathy doesn't extend to allowing free access to my health information.

Tuesday, May 24, 2005

Transparent Love

I spent an hour yesterday in a meeting with a group who represent a significant number of healthcare providers in our state. The meeting was largely productive, and as a bonus one of the participants mentioned something that set off an interesting train of thought. What she did was paraphrase a classic IT tech support call--- the one that starts with “I don’t know anything about computers…. And I don’t want to know.”

For a computer user the issue is that the process needs to be transparent. The user doesn’t care about the hardware and how it works. To her it is just a tool, like a toaster or a lawnmower, something that helps to get the work done, not the work itself. Good systems have a high degree of user transparency.

Here’s what she was trying to say. The same skills that made her a good nurse made her resistant to HIPAA regulations. Anything that seems in any way to interfere with caring for the patient, or even requires her attention during the process, is an aggravation. For her, the system is not transparent, and so she resents it.

There was a lot of talk among providers and other interested parties about the recent AHIMA survey, and most of us noticed the 18% compliance number, but maybe the most important overlooked fact was that the number one pain for most providers was education and training. Front-line providers resent and fear HIPAA, often overreact to warnings, and soon burn out on trying to figure out what they are supposed to do or not do, and lapse back into their old habits and judgments.

To combat this, make certain your training is done in a fashion that is engaging and relevant. If the training answers the basic question “What’s in it for me?” in a positive and usable way, and provides an open exchange of ideas, questions, and examples that are instantly recognizable and applicable to those on the front line, then the training will succeed, and the process of everyday compliance will become transparent to the provider.

Another aspect of this transparency thing is making certain that the systems for compliance are designed with this same transparency in mind. Anything that requires extra steps or judgments from the front-liner steals from this goal. The ROI on properly set up systems, whether technical or organizational, is clearly demonstrable with the simplest back-of-the-napkin calculation, but for some reason there is a blind spot for many of us when it comes to any kind of regulatory compliance. HIPAA privacy in particular was designed to allow compliance with common-sense measures. There is no need for convoluted, Byzantine structures to comply. One of the examples I use in trainings is a company that sells sound reduction equipment to pharmacies. The Plexiglas barriers, phone baffles and white-noise generators cost thousands of dollars, and no doubt provide near bullet-proof protection from accidental oral disclosure of PHI. But so does a tape line and a hand-made sign that reads “Please wait behind this line.”

Design your systems and training with transparency in mind, and you will reduce your workforce frustration and resistance, and increase the quality of your care, which in the long run is why you got into this business to start with.

Friday, May 20, 2005

Back Up Off Me

Nice piece on data storage, appropriately enough from Enterprise Storage Forum:
"Backing up data is a double-edged sword. On one hand, you want to make sure that if the system fails, you can reliably and quickly get all of your data back. On the other hand, once the data leaves your environment, the possibility grows that someone will access the data who should not. So what is an administrator to do?" Full article here.
The answer to this and other questions at the link.

Three Mile Smile

From Genetic Engineering News (okay, I go to a lot of ...unusual places) comes an interesting report about Delta Dental's new online services. As many of you know, California is one of the states which have stricter privacy laws than HIPAA requires, and so the more restrictive rules apply. If you follow current events, you will recall that privacy violations in California result in pretty severe penalties and required remediation. Delta is attempting to remove the employer from the PHI loop by allowing their enrollees direct web access to their records.
My first thought was the obvious one, and was answered by this:

"New encryption software, launched last month, encodes all e-mails that contain electronic protected health information (ePHI) sent by Delta Dental to enrollees, benefits managers, brokers, dentists -- anyone receiving ePHI. This encoding will protect private information from being accidentally read or misused if an e-mail is intercepted by an unauthorized individual."

Full story here.

Wednesday, May 18, 2005

Policy of Truth

For those of us who do consulting, here are some great tips from Kevin Beaver, over at SearchSecurity.com ---

"If you develop and maintain sound security policies, plans and procedures, you win two-thirds of the compliance battle. Don't forget information security standards (types of security tests to perform, encryption required, permitted authentication systems, access levels and so on), IT frameworks (ISO 17799, COSO, etc.), and audit parameters (when, by whom, etc.) that are crucial to security management as well. Make it standard operating procedure to periodically check security policies, plans, procedures and standards for omissions, discrepancies, contradictions and overlap.

Also, develop your documentation at the highest level feasible so you can apply as many policies and procedures to as broad a range of regulations as possible. Having separate policies for each regulation is an exercise in futility."

Documentation is a favorite hobby-horse of mine. It sometimes feels like I am the only person who understands that it is important to write everything down. And not just policies--- document your hardware, your software, your software licenses, your maintenance calls, your user interactions, everything, everything, everything. A simple Access database can make your life instantly easier not just when the regulators come calling, but the next time you need to know just what lived on that newly dead workstation in your remote clinic in Outer Innerstanniavilleburg.

Monday, May 16, 2005

Secure Yourself

From the shameless self-promotion department:

"I have been asked a lot recently about wireless networks, and how to secure them. On this subject there is good news and bad news. Sadly, sometimes it's the same news. So let's do some FAQs here, and see if I can clear up a few questions."

From my new blog on small practice security.

Trip My Wire

From Wireless Newsfactor comes this timely report:
"The patient population has become more computer literate," says Bruce Robison, executive information technology director for CoxHealth, based in Springfield, Mo., which launched a wireless service for patients in February.
"Wireless networks meet a growing need for patients and families to access the Internet for communication, work and entertainment."
This of course opens the same can of worms that has been the topic of so much concern lately--- how do you secure such systems, and how do you control usage by people you have little or no authority over? Jeff at HIPAA blog addresses that here.

Just an Old Fashioned Love Song...

This from Healthcare IT News:

"The federal government will seek proposals to develop a prototype for a nationwide health information network architecture, according to information posted Wednesday on a government Web site. The government also plans to assess state laws and business policies on privacy and security that hamper health information exchange, develop and test certification of electronic health records and create a process to harmonize standards in healthcare software applications." Full story here.
Not a bad idea. It's just that it raises a lot of questions, as did HIPAA. Questions like--- Who pays for it? Who regulates it? Who secures it? But I like the harmony part.

You Are Not Alone

It is somehow comforting to know that while others are struggling with the same issues you are, there are some who seem to have a good perspective:

"Scramble is a strong word," Koelsch said. "It suggests disarray. This is more about priorities and funding. It seems that now hospitals are getting their footing. I compare it to Y2K. The bulk of preparation for Y2K happened in 1999. We knew about the threat 10 years in advance. [HIPAA] doesn't carry the same sense of urgency as Y2K did at the time. Hospitals have other priorities, like keeping people alive." From searchsecurity.com. Read more here.

Friday, May 13, 2005

Treat Me Right

This has been an interesting day for me.
We have been dealing with a medical software vendor whose product is woefully under-documented. Now, I know that this is a common complaint. Which, paradoxically, is why it shouldn't be. Documentation is vital to understanding just exactly what is going on, and what has been done successfully in the past to deal with whatever problems you may encounter.
It is not enough to tell the end user that "Oh, yes, this is HIPAA compliant" without being able to explain what exactly makes it HIPAA compliant, or even a clear understanding of what HIPAA is. And as users, we should not allow vendors to brush us off in this fashion.
Remember, it is you who is ultimately responsible for compliance. Knowing what is going on with your software, or at least making it possible for your IT people or consultants to advise you based on software documentation rather than personal opinion, is a very good idea.
Had a similar experience? Are you a vendor who can explain why your product lacks proper documentation, or wants to brag about how well your stuff is supported? Please let us know in the comments. I promise you will be treated..... gently.

Thursday, May 12, 2005

If You Have to Ask

Massive FAQ from Tiburon Technical:

30 Days Out

From ComputerWorld comes this charming and "Oh, yeah!" provoking account of security manager C.J. Kelly's frantic 30-day HIPAA compliance assist to the agency's ISO.

"You can't just write a policy, put it in a binder, label it "HIPAA Security Rule Compliance" and call it a day. And you can't assume that the physical safeguards are administrative in nature. For example, in the area of device and media controls, how do you keep someone from carrying off EPHI (that's electronic protected health information) using one of those little USB flash devices? Do you disable USB ports on all computer systems, or can you disable the use of such devices through Active Directory or third-party software?" Full story here.
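One concrete answer to the device-and-media question in that quote, as an added example that is not from the ComputerWorld piece or from C.J. Kelly: a PowerShell script that audits, and optionally disables, the Windows USB mass-storage class driver by setting the USBSTOR service's Start value (3 = load on demand, 4 = disabled). It assumes local administrator rights on the host; the function names, the log file path and the audit-log format are my own, and the Active Directory and third-party options the quote mentions are not covered.

```powershell
# Added example (not from the article): audit or disable removable USB storage on a Windows host.
# Start = 3 (SERVICE_DEMAND_START, the Windows default) lets USB drives mount;
# Start = 4 (SERVICE_DISABLED) stops the USBSTOR driver from loading at all.
# Caveat: this only affects the mass-storage class driver. USB keyboards and mice (HID)
# keep working, a drive already mounted stays mounted until it is unplugged, and it does
# nothing about CD burners, e-mail or network shares, so treat it as one control among several.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$AuditLog   = Join-Path $env:ProgramData 'usbstor-audit.log'   # assumed path, pick your own

function Get-UsbStorageState {
    # Returns an object describing whether removable USB storage can load on this host.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Start    = $start
        Allowed  = ($start -ne 4)
    }
}

function Set-UsbStorageState {
    param([Parameter(Mandatory)][bool]$Allow)
    # Map the policy decision onto the service start type.
    $value = if ($Allow) { 3 } else { 4 }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $value -Type DWord
    # Record who changed what and when, so the administrative safeguard is auditable too.
    $entry = '{0} {1} USBSTOR Start={2} set by {3}' -f (Get-Date -Format o), $env:COMPUTERNAME, $value, $env:USERNAME
    Add-Content -Path $AuditLog -Value $entry
    Get-UsbStorageState
}

# Usage: audit first, then lock down once you know which machines are affected.
Get-UsbStorageState
# Set-UsbStorageState -Allow $false
```

Run the audit line across your fleet before flipping the switch, since a clinic that legitimately moves images or lab data on USB sticks will notice immediately.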

Got a similar story? Please share it in the comments. We'd love to hear from you!

This Door Swings Both Ways

I suppose it was only a matter of time, but from the Grand Rapids Press comes a disturbing report of a health plan provider and an employer using HIPAA to police their attendance policy.

"Delphi Corp. does not want to snoop in its employees' medical records, a spokeswoman said Wednesday. But it can, based on a sweeping new consent form.

Although Delphi said it wants limited access to confirm doctor's visits, the Consent to Release Medical Information form appears to grant much broader powers. It asks employees to choose between authorizing release of all records, all records within a range of dates, or records for a specific illness or injury."

The United Auto Workers are understandably upset by this, because for the last 20 years workers have been able to document sick leave with a doctor's note. This new consent form appears to grant sweeping access in ways that seem to many to be very invasive.
"Employee angst is understandable, privacy lawyer Norbert Kugele said, but the plan appears legal because HIPAA rules impact a company's dealings with its health plan provider.
"If Delphi is careful in the way they set this up, they can probably do this," Kugele said. "The employer is saying, 'You may not be able to get full sick leave benefits if we can't verify that you are actually sick.' That is not related to the health plan."
This is one that bears close watching. Full story here.

Wednesday, May 11, 2005

Jersey Thursday

"The New Jersey Department of Banking and Insurance launched an effort Wednesday to create a statewide electronic medical records system. The system would allow physicians to share patients' medical records statewide."
Because the New Jersey State Department of Healthcare Information Networks and Technologies (HINT) and Health Insurance Portability and Accountability Act (HIPAA) Task Force will be spearheading this, it should serve as a model for other state systems. Or at least a horrifying warning. We hope for the best.
Full story in the Philadelphia Business Journal.

Roll Out My Business

From ComputerWorld comes this nice little piece on Business Associate Agreements:

"...as with any expanding trend, there are growing pains.
In the medical field, the apparent complexity of the do's and don'ts of using patient information has become an increasing cause of concern among physicians and their IT vendors. The perceived density of the Health Insurance Portability and Accountability Act of 1996 and its related regulations has contributed to this concern. When the acronym "HIPAA" is used, eyes roll and then glaze over." Full article here.

Clearly, this was written by a lawyer, which isn't really a bad thing. Administrators, lawyers, care providers, IT, and educators, we are all in this gigantic HIPAA mind-meld together. What eventually emerges will be a clearer understanding of what needs to be done. Or at least a better recipe for Bloody Marys.

Tuesday, May 10, 2005
This from the Daytona Beach News-Journal:
"Florida Hospital Memorial System -- including Florida Hospitals Flagler, Oceanside and Ormond Memorial -- will begin using a system May 31 that's designed to be HIPAA violation-proof. Halifax Medical Center has been doing it for a year.
Information about a patient -- beyond a one-word description of their condition -- will be given out only if the caller has a patient identification number. This way, hospital personnel will be relieved of the burden of having to figure out whether the caller is really the patient's aunt or uncle calling from out of town."
Whether or not any system will be "HIPAA violation-proof" is problematic, but this looks like a move in the right direction. Anecdotally, one of the most common complaints I hear from health-care staff, especially in hospitals, is that they can't discuss conditions with relatives. This should at least address that issue.
See the full item here.

We've Only Just Begun

For many of us, this HIPAA thing is old hat, but for many others, it is a big churning mass of indigestible flotsam cast adrift in a sea of confusion and mixed metaphor.
For those who would like a quick overview of what this whole thing is about, our friends at the Washington State Medical Association have compiled a very nice little primer at http://www.wsma.org/memresources/hipaa.html.
Like a lot of these sources, it was put together before the final Security rule, and so is a little sketchy in some places, but overall it is a great way to at least get an idea of what's going on.

Monday, May 09, 2005

Start Me Up

Everybody loves HIPAA, right?
But not everybody is confident that they are loving it in the best way.
Compliance is a major issue for many of us, and understanding just how things like the new Enforcement Rule and the Security deadline affect us is a major headache.
The recent study from Information Technology Solution Providers Alliance shows that only 30 percent of health plans and 18 percent of health care providers are in compliance. Chances are, you are working for one of those 82 percent who are not in compliance, else you wouldn't be here.
Those kinds of numbers tell me one thing--- in the words of the great HIPAA guru Benjamin Franklin, "We must hang together or we shall surely hang separately."
So come hang with me--- let's see if over the next little while we can define our main issues, work some solutions, and just generally figure out what to do and where to go with this new relationship!