Friday, April 28, 2006

Trust Your Mechanic

A fascinating multi-part interview with Dr. William Yasnoff on health records and patient control:

What I'm proposing is patient-centric in the sense that the proposal, which is called an eHealthTrust, involves the establishment of a lifetime health record for each person that is paid for and controlled by the person. They decide who has access to which parts when, and no one else decides that.

How can this be implemented? Through HIPAA, of course, which on the surface seems like just another way to make layers of busy-work, but as you drill down and see what he has to say, really makes a lot of sense.

A Plan for U

Great HIPAA article by Ross Armstrong in ComputerWorld written from a record-handling and storage POV:

Securing access to stored information — as well as ensuring data availability — puts considerable pressure on health care IT to conform to HIPAA requirements. It also presents an opportunity to establish best practices that will serve the organization for years to come.

While compliance is usually a cost center, it still can be combined with practices and procedures that can save your organization money in the long run by streamlining operations and by mandating such things as a Disaster Recovery Plan.

Tuesday, April 25, 2006

Everybody Plays the Game

You know, you just can't make up stuff like this:

The 2006 General Accounting Office (GAO) Report has focused on the Department of Health and Human Services (HHS) and claims there are “significant” weaknesses in their information systems, making it vulnerable to hackers and identity thieves.

Requested by Sen. Charles Grassley (R-Iowa), the 46-page report found instances of anti-virus software not installed or up to date; employees hired without proper background checks; computer passwords that are not properly updated or controlled; and a lack of physical controls such as security cameras that do not work.

It isn't even a case of who will watch the watchmen; this has a Salvador Dali painting edge to it.

*thanks for the tip, Lisa

Monday, April 24, 2006

Don't Bogart That Joint, My Friend

Sometimes I love opening my email:

A Palm Desert medical marijuana dispensary is being required to turn clients' names over to authorities, and client advocates say that violates their privacy rights.
Palm Desert city attorney David Erwin said the deal between the city and the CannaHelp dispensary on El Paseo is merely meant to ensure that the dispensary is obeying state law.
The agreement, negotiated by Erwin and James Warner of San Diego, a lawyer for the CannaHelp dispensary, requires the dispensary to turn over clients' names and state ID card numbers to the Riverside County Sheriff's Department.

See, the sheriff's department wants all of the clinic's patient names, most likely because they would like to find out who is smoking pot. And I imagine they want this both for the reasons they state and because they would like to know who to bust the next time the spinner stops on "Medical Marijuana = Illegal". Needless to say, the users are a little shy about this.

This is one of the subjects I wish it were possible to discuss rationally. As a privacy issue, I would have to say that if it is being dispensed as medicine, and by a doctor's prescription, then it should be covered under HIPAA. If the clinic does not qualify as a provider, then the physician should extend to them a BA agreement, as PHI is used to determine whether a patient qualifies and the amount to be dispensed.

Give It to Me One More Time

This is alarming:

The association surveyed 1,117 hospitals and health systems, asking officials at the facilities about compliance with Health Insurance Portability and Accountability Act (HIPAA) rules. Although 91 percent said in 2005 that they were mostly compliant, that number dropped to 85 percent this year.
“A slight drop in the number of facilities reporting themselves to be fully or mostly compliant with HIPAA should serve as a warning to the industry that compliance should not be taken for granted,” AHIMA President Jill Callahan Dennis said in a written statement.

Clearly, as the article states, for most facilities the security rule is easier to implement, simply because so many of its initiatives don't rely on human interaction. And that security rule compliance has risen dramatically is probably the result of it being implemented by technical people, who are far less likely to see it as something that interferes with their primary function, unlike front-line caregivers who are interested in providing care and not so interested in extra rules that feel like they interfere with that.
Still, the fact that privacy rule compliance has fallen is not a good sign. Sooner or later, someone is going to get caught big-time, and it ain't gonna be pretty. Please do what you can to make sure it isn't you.

Wednesday, April 19, 2006

Feelin' Alright

Here is the right way to implement a new program:

"When I came to Children's in 2001, I brought the philosophy that if we do things right, then issues like [the Health Insurance Portability and Accountability Act] will take care of themselves," says Albert Oriol, IS program office director and data security officer at The Children's Hospital in Denver, an integrated health delivery system affiliated with the University of Colorado. His philosophy has paid dividends, including cost savings by enabling the hospital to combine disaster recovery and fail-over and simplify its upcoming move to a new state-of-the-art facility seven miles away.

Compliance does not need to be a separate, incredibly painful process.

Doctor, Doctor, Give Me the News

Here is a stunning example of how not to implement a program:

Today, more than a year later, it's fair to say that the Maine Medicaid Claims System project has been a disaster of major proportions. Since the new system went live, it has cost the state of Maine close to $30 million. The fallout has been broad and deep. In December 2005, Jack Nicholas, the commissioner of the DHS who oversaw the project, resigned.

As of press time, Maine is the only state in the union not in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA)—a striking irony given that the new system was designed to facilitate that compliance. Although federal authorities have said they will work with the state in extending the deadline, the failure has been a black eye on Maine's ability to manage the health of hundreds of thousands of its residents. And it has become an issue in this year's race for governor.

As always, there are lessons to be learned from the failure of others. To the standard "...classic blunders! The most famous is never get involved in a land war in Asia, but only slightly less well-known is this: never go in against a Sicilian when death is on the line!", we can add this new one: if you only get two bids for your new end-to-end system, and they are radically different, maybe you have conceptual issues to iron out before you proceed.

Sweet Lies

A right-on rant from Deborah Peel in Government Health IT:

If people believe they do not have medical privacy, they will lie about their medical illnesses or omit mentioning critical tests and details rather than have the information flow to any number of health-related businesses. Such firms are allowed under the Health Insurance Portability and Accountability Act (HIPAA) to receive medical information about patients without their knowledge and consent.