
Saturday, December 8, 2012

G-A-T-C, meet SCOTUS

Whatever becomes of the REC initiative, the Really Big Picture Aim of health IT is obviously that of the interoperable provision of comprehensive and useful on-demand clinical information, both as it relates to the individual patient being seen by her physician, and, by extension, accruing data relevant to objectively improving population health. It is also argued that the foregoing will serve to reduce per capita health care expenses (the 3rd leg of the much ballyhooed "Triple Aim" stool).

A core component of the most finely-grained individual "health" data is that of one's DNA, and it is proffered that the next generations of EHRs be able to provide such data to clinicians. The incipient field of science known as "Personalized Medicine" is all abuzz with positive anticipation (I've posted on this topic before).

Above: from an FDA web page
Perhaps. But, given that truly "personalized" therapeutics will necessarily have a market potential of precisely one, cost will consequently be a major factor, will it not?

Among other things, we ought to keep an eye on this:

Cert was granted November 30th, 2012:
Many patients seek genetic testing to see if they have mutations in their genes that are associated with a significantly increased risk of breast or ovarian cancer. Respondent Myriad Genetics obtained patents on two human genes that correlate to this risk, including any naturally occurring mutations of those genes, on the theory that simply by removing (“isolating”) the genes from the body, they have invented something patentable. Petitioners are primarily medical professionals who routinely use standard genetic testing methods to examine genes, but are prohibited from examining the human genes that Myriad claims to own. This case therefore presents the following questions:
1. Are human genes patentable?

2. Did the court of appeals err in adopting a new and inflexible rule, contrary to normal standing rules and this Court’s decision in MedImmune, Inc. v. Genentech, Inc., 549 U.S. 118 (2007), that petitioners who have been indisputably deterred by Myriad’s “active enforcement” of its patent rights nonetheless lack standing to challenge those patents absent evidence that they have been personally and directly threatened with an infringement action?...
1. This case challenges the patenting of human genes. More specifically, it challenges patents awarded to Myriad Genetics on two genes, known as BRCA1 and BRCA2 because mutations of those genes correlate with an increased risk of hereditary breast and ovarian cancer. App. at 19a. Myriad claims exclusive control over the genes once they have been “isolated” – that is, removed from the body and other cellular material. Myriad and other gene patent holders have gained the right to exclude the rest of the scientific community from examining thousands of naturally-occurring human genes and to prevent patients’ access to their own genetic information. The practical consequence of these patents is that Myriad has the authority to stop standard clinical testing of and research on its genes. For those at risk of hereditary cancer, the effect is to prevent second opinions and to block access to alternative and potentially more comprehensive tests and lower cost options...
At once nominally narrow but, still, with inevitably broad import.

As noted yesterday on Health Affairs:

A Cure For Patent Pathology? The Supreme Court Reviews The Patentability Of Human Genes
by John Golden and William Sage

“Are human genes patentable?”  On November 30, 2012, the U.S. Supreme Court agreed to answer this single question in Association for Molecular Pathology v. Myriad Genetics.  Of course, the petitioners, including health care providers, professional associations, and patients, worded the question to favor the answer they want: “No, human genes are not patentable.”  For Myriad Genetics, the patent owner who would like its patent rights upheld, the question is better phrased as whether one can patent “isolated molecules of deoxyribonucleic acid that were identified and defined by human inventors.”

The practical stakes in the Court’s decision, which should come in the first half of 2013, are enormous.  The U.S. Patent and Trademark Office (USPTO) has issued tens of thousands of patents on genetic sequences over the past few decades, and the U.S. Court of Appeals for the Federal Circuit, the appellate court entrusted with hearing virtually all U.S. patent appeals, has never declared such sequences to be non-patentable subject matter.  For more than a century, patents have issued on isolated versions of naturally occurring substances other than DNA.

Many believe that gene patents are crucial to the modern biotechnology industry.  On the other hand, many researchers and clinicians feel that gene patents, particularly human gene patents, are commonly unnecessary to spur innovation and in fact interfere significantly with scientific and technological progress, whether by slowing or diverting research, impeding the provision of diagnostic tests, or generally increasing costs for clinical and scientific work.

The patents at issue in Myriad make such concerns particularly poignant.  These patents relate to BRCA1 and BRCA2, genes associated with a predisposition to breast cancer.  The obvious public interest in ready access to cancer diagnosis helps account for the fact that petitioners’ lead lawyers are not the normal high-priced advocates for a private company accused of patent infringement.  Instead, those lawyers work for the American Civil Liberties Union Foundation, an organization more commonly associated with battles for civil rights than rights in technological innovations...
Indeed. Just what I needed; another 475 pages of legal stuff to review. Though, I have to say that, in general, appellate level and SCOTUS writs, briefs, and decisions are far better reading than most legislative bills. Probably has to do with the function of the court: cleaning up the bloated, internally inconsistent, and vague messes the politicians foist upon us (yeah, I know, it's more complex than that).

Much to discuss.

BTW: I've posted before on the topic of health related "intellectual property."


Just got back from helping man our HealtHIE Nevada booth at this event.

I'd not really heard of this company before. Based here in Vegas. A subscription model physician "concierge" service sort of thing, I take it. Still digging to ID the Principals (no substantive "About Us" link on the website). The CEO is a very personable fellow by the name of Charles Tramont (apropos, see also Ferus Creative).

They produce a pretty snappy full-bleed four-color mag, I have to say (registration required for a comp issue; worth it). Charles told me it's going print media release come January. Nice. It has that KNPR "Desert Companion" look & feel.



No HIPAA Omnibus Final Rule yet in the Federal Register. Tick, tick, tick...

iPad Lean App for healthcare.

This app is designed for anyone working in healthcare who wants to improve the work environment and the patient experience. Associates, Managers and Executives with either some or no experience with Lean will benefit from this app. If you are concerned about addressing current or future challenges in healthcare, this is a great introduction to Lean thinking that is packed with practical ways to introduce Lean in your hospital, clinic or practice.

The Lean Sensei in this app will help guide you on your Lean journey through:

• Audio, video and print content covering the history of Lean and how the Lean business model is beginning to influence the delivery of care

• Practical case studies and examples from a Surgical Suite, Emergency Department, Physician Practice, and a Hospital Laboratory

• An interactive Assessment and Improvement Guide that will help you communicate how Lean can impact the continuum of care financially and operationally

The app is narrated by Lean Sensei, Todd Sperl, an enthusiastic, creative speaker and process improvement expert who looks beyond today’s problems to find tomorrow’s solutions. As Owner and Managing Partner of Lean Fox Solutions, Todd’s vision is to improve the patient care experience from one health care touch point to the next. Along with facilitating numerous projects across the continuum of care (Physician Practices, Specialty Clinics, Hospitals and more), Todd lectures, blogs, and writes about Lean Healthcare.

Over the years healthcare has gone through an evolution of process improvement methodologies such as Quality Circles and CQI. Lean is a new way of thinking that encourages you to be creative, to question everything, to look beyond traditional metrics. To continuously assess what is over-valued and under-valued at your organization. Lean and its problem solving counterpart, Six Sigma, offer the healthcare community the opportunity to obtain long term, sustainable results. Look for more apps in our “Lean Sensei for Healthcare” series.
Requirements: Compatible with iPad. Requires iOS 5.0 or later.

I would buy this in a heartbeat. Mine is an older iPad, though. My affinity for the Lean approach is well established on the REC blog.


Nicely done, IMO.


FROM FierceHealthIT and Honeywell

mHealth's Impact on the Future of Meaningful Use
Now available for on-demand viewing. Duration: 1 hour 

Mobile health tools are rapidly being deployed throughout the healthcare industry, enabling providers to do their jobs faster, more efficiently, and essentially on-demand. Still, the role such tools play in helping providers to meet the federal government’s ever expanding Meaningful Use guidelines for the implementation of electronic health records remains unclear.

Mobile technologies and mHealth have huge potential to help providers meet Meaningful Use requirements. They offer clinicians fast and easy access to electronic health records data and can help engage patients in their own health data--both of which are requirements under the final Stage 2 rule and will continue to increase in importance in future stages...
Registration required, but otherwise free.

Apropos of the topic, see this from SearchHealthIT:

Ed Burns, Dec 10th, 2012,
Mobile health tools, both consumer-facing and ones used by physicians, are contributing to the creation of more data related to patients' health than ever before. But this raises the question of who owns that data, and what kind of rights different parties have to access information. Attendees at the mHealth Summit 2012 had very different ideas about health data ownership.

The Health Insurance Portability and Accountability Act (HIPAA) and meaningful use rules state patients have a right to access their records. While physicians may hold the data, they cannot deny patients who ask to see it.

In a town hall session at the summit, members of the Office of the National Coordinator for Health IT (ONC) discussed data ownership issues related to the agency's Blue Button initiatives. The consumer engagement members of the office are encouraging more data holders to implement Blue Button functionality, which would allow patients to download their medical data.

According to Lygeia Ricciardi, acting director of the Office of Consumer eHealth at the ONC, once patients, providers and payers can all easily download medical records, the question of data ownership becomes less important. Rather than thinking about who owns the data, people should think about who has a right to download a copy.

"I'm not sure 'own' is quite the right for it in a digital world," Ricciardi said...
"Data ownership?"


Props to cousin Jojo for sending me that.

We're three weeks out from the end of the year, and we still don't know what funding mechanisms will be in place for 2013 across the breadth of federal programs and obligations?

Two words: Political Malpractice.

#ONC2012 is alive and tweeting

 Erick is our REC Manager. Great guy.


Americans living longer, but not healthier

By Peter Rudegeair, Reuters
Americans have longer, but not necessarily healthier, lives due to high rates of preventable chronic disease, according to an annual report on the nation's health released on Tuesday.

Gains in life expectancy contrast with Americans' unhealthy behaviors, which have led to a 28 percent adult obesity rate, a diabetes rate of nearly 10 percent and a high blood pressure rate of more than 30 percent, according to United Health Foundation's 2012 America's Health Rankings.

All three conditions are considered risk factors for cardiovascular disease.

Since 1990, premature deaths have declined by 18 percent, cardiovascular deaths have fallen 35 percent, and cancer deaths have slipped by 8 percent, the report said.

Americans' life expectancy was 78.5 years in 2009, 1.7 years above the level in 2000, the report said.

"As a nation, we've made extraordinary gains in longevity over the past decades, but as individuals we are regressing in our health," said Dr. Reed Tuckson, a medical adviser at the United Health Foundation and chief of medical affairs at the UnitedHealth Group...
So, is Health IT gonna help improve things? We have to "Bend the Cost Curve," recall?

I say "yes." But, of course, that could be seen as self-serving.


ONC 2012 Day 3 Session: "Grant Closeout Process."
Purpose: Present how tips, useful hints and an overall walkthrough of the grant closeout process for Grantees as well as Project Officers.
  1. Explain the grant closeout process through the dissection of the Grants Management Memo and Grants Management Advisory on the process.
  2. Discuss forms and requirements due to ONC through the closeout process.
  3. Explain the process for filing for a no-cost extension for Grantees who elect to file for one.
Date and Time: 8:30 AM - 10:00 AM

WED DEC 12th:

 LINK here. I'm watching for a bit before heading to the office. There are some bandwidth / buffering issues.

7:26 a.m. PDT, Dr. Mostashari addressing ePHI privacy and security.
Have a seat, have a seat. Hi, everybody. So we're going to talk about one of the most important and critical issues for the success of the move towards using information and the power of data to improve health care, and that is making sure that we keep the health information private and secure.

I want to start off by acknowledging that that's one of the core expectations that patients have of their providers. That as they use their health information to take care of them, to share it responsibly, that they keep it private and secure.

This is going to take an all hands on deck approach. The responsibility clearly involves health care providers, there's also a role, an important role, for patients, protection of their own personal health information. There's more that vendors could do. Vendors of the IT systems, to make sure that their products don't introduce any vulnerabilities as we move towards electronic patient information, that they provide the tools to providers to keep their information private and secure, to comply with the HIPAA requirements.
Whether it's around authentication, whether it's around encryption, whether it's around audit logs, our regional extension centers, one of the most important things I believe that we've done is to work with those small practices. To not just make them aware of the requirements and meaningful use that a security assessment be done and that risks be assessed and mitigated, but to actually make that meaningful. We've worked with the National Institute of Standards and Technology to create tools to figure create the security of those systems and our most important partner and our good friends and colleagues at the Office for Civil Rights. And if there's anybody who can deliver the message that health care needs a little bit of a wakeup call, it's Leon Rodriguez. Leon. (Applause.)...
Thanks Farzad. So let me start, and Farzad did what he was supposed to do, he left me the clicker.

First of all I want to let everybody know that we carefully analyzed all of the confetti, it is free of any protected health information, so thank you. Whoever.

So it's a -- I had a root canal yesterday. And I feel fine, and I'm very pleased to be here. But it underscored that my experience as a patient has really been transformed by my role as the director for the office for civil rights. And some of you are from Washington, many of you are from elsewhere, but here in Washington, just about the first thing that anybody asks you is what do you do. What do you do for a living.
And so when you go to a health care provider as the lead HIPAA Enforcer for the country, it's always a touchy moment to decide what you're going to say. So for example, when I went to my ophthalmologist, I was frank with her. I said well, I'm the lead of HIPAA enforcement. You mean for mayor, no for the United States. For the United States, really? But she shared with me that one of the challenges for health care providers is, well, not surprisingly, mobile devices.

Because patients want to text their doctors, they want to call their doctors on their cell phones, and the security needs have not caught up to the patients' demands to communicate with their doctors in this way.

On the other hand, yesterday when I went for a root canal and I knew that somebody was going to be drilling around my mouth, I simply said that I was an attorney. And I did not -- I did not elaborate. On what my role was.

But all of this points to the two basic roles that we play in the office for civil rights. First, as a 100 percent right improbably first and foremost a patient advocate. And as among other things from the personal experience of finding that so far we are not coordinating care in the way that particularly fits patients' needs. Often family members with of varying levels of sophistication varying levels of education varying levels of economic viability are the ones who find themselves coordinating their family member's care.

And we need to get to a better place.

And so the work that you're doing holds out that promise for America's patients. And my role, my office's role as I've described it before, is very much like the role of the Securities and Exchange Commission for the stock market.

People trust the stock market because they know that there is a watchdog, because they know that there are a set of rules of the road that in most instances ensure the integrity of what goes on in the stock market. So as you're lot on this safety role on which you've embarked it's important that patients have trust in the work that you're doing, and we are looking to be your partner in that role.
Now, HITECH has led to a transformation in the way that we enforce the health care privacy laws. Until HITECH came along most of our work was what I would call reactive. A patient complaint. A patient said somebody disclosed my information to my ex-husband. I heard somebody gossiping in the waiting room about my health information.

I saw my health information in a dumpster outside my doctor's waiting office.

HITECH changed it. HITECH changed it because it created a critical mechanism to look behind what the patient sees, to look at the overall picture of what we are doing to make sure that patients' health information is confidential and secure. And so we're doing this in three ways that I'm going to elaborate on in the coming moments. One is breach notification, in other words requiring health care providers who have had some improper disclosure of health information to report that to their patients, to report it to the office for civil rights, and in certain cases to report it to the media.
We're doing it through audit. In other words, randomly selecting certain entities. And for high clients for privacy of clients, and we're doing it through the use of the far more powerful enforcement tools that the HITECH statute gave us that we didn't have before.

So let's talk a little bit about breach notification to begin with.
First of all we've been doing this since about 2009, we've received about 500 reports. Significantly for today's discussion, in excess -- nearly 4 million of those individuals affected by theft of laptops or other electronic devices were for mobile devices. So critical for the discussion that we're going to be having today.

Also important to understand as you talk to people about electronic health information, it's not the technology that's failing. It's people that are failing. Okay?

So if you look at the top types of breaches, we're talking about theft, we're talking about unauthorized access and disclosure, we are talking about loss. In other words, things that people either choose to do or they do by neglect.

And so that means that it is not only about building better and stronger technology, but making sure that the people who have protected health information understand and live by the rules of the road, to make sure that that information is safe.

These two charts which are in your materials will give you a good sense of how these issues break down. Significantly, about a quarter of the breaches are actually paper records.

A quarter of the breaches are paper records. Meaning that they are not -- not as completely from the health electronic environment as some would have you believe. And here are some examples of some of the more serious breaches.

So talking now about audits. So the HITECH -- HITECH statute gave us the authority to conduct audits. This year we are in the middle of a pilot audit that's covering 115 entities. There is a wide variety of entities involved, from small doctors and dentists' offices all the way up to large health care clearinghouses, health plans, large health systems.

And we have made a number -- learned a number of interesting things from this first round of audit activity.

First of all, when we talk about privacy, there is no single type of deficiency that stands out. It runs the gamut.

And so any given provider will have sort of a different menu and range of deficiencies than any other provider.

On the other hand, when we talk about security, and I'm going to forward it over to those issues, we do see particular issues bubbling to the top, and this is actually the first 20, we've now done 115, and so I've learned some interesting additional things.

Certainly, a big issue is monitoring of activity. Okay, looking at what disclosures and uses are being made, and reviewing, at least in some sort of periodic way, what's happening with the health information that's being used as an entity. But probably the single thing that bubbles to the top and you're going to find this interesting when we talk about our enforcement, is risk analysis. The very first thing that you need to do when you're setting up a medical records system from a compliance standpoint, and the thing that we found the greatest -- where we found the most consistent deficiencies, was in the area of risk analysis. In other words, looking at your entire business process, looking at your entire technology setup, and assessing where the vulnerabilities are, assessing what your resources are to address those vulnerabilities, and then taking the steps to have those vulnerabilities addressed.

And it's not only -- not only the completeness of that risk analysis at any single point in time, but it's also the fact that this is an ongoing exercise. What the HIPAA regulations, what the HITECH regulations expect, is that on a periodic basis, a year for example is a good rule of thumb for most types of entities, you are reexamining where you are, you are looking at how you've changed your business process, you're looking at what technology you've added to your business. In order to assess what new steps to ensure the privacy and security of those items need to be taken.

The other issue we saw in a number of cases were issues with policies and procedures. And my favorite one were folks who actually printed policies and procedures off the internet on the day they got the letter from our auditors. And it actually showed the date line from the internet as being when the policies and procedures were issued.

But what's really critical about this is although we encourage encryption, although encryption is clearly, for example, for security purposes, the preferred way to secure health care information, we are really far more concerned about the process. We're really far more concerned about that road map that the HIPAA and HITECH rules give you as to what you need to do to assess risk and then to avoid risk. So we're talking about risk analysis, we're talking about training and education of staff, we're talking about disciplinary policies that are actually applied with respect to employees who breach information. We're talking about incident response. When you have a breach, whether it's one that's reportable to OCR or not, that you take steps to analyze that breach, to understand what vulnerabilities led to that breach occurring.

Because as we begin to talk about enforcement, and you'll see that enforcement is getting tougher, and tougher as time goes on, what we're looking at less and less is what brought you through the door, what brought you to our attention in the first place. Instead, what we're looking at what was the weakness in your business process that caused a particular issue to occur. That's what we are looking at.

And so you'll see how our -- the various deficiencies that we find in our enforcement cases track the kinds of things that we're finding in the audit process, track the kinds of things that we're learning from our breach cases.

So we are talking about -- we are talking about failure to conduct the risk analysis, we are talking about absence of training, we are talking about failure to have adequate policies and procedures.
We're talking about all those common sense things that we're seeing in audit, that we're seeing in the breach environment.

So one of the lessons of this is that we will be continuing our audit program. And one of the ways that that is funded is in fact from these very recoveries.

So one of the authorities that the HITECH statute provides is to use those recoveries in these cases and to put it right back into enforcement. So that will create our ability no matter what the budget is to do these kinds of cases.

Now, you should take a close look not only at the specific deficiencies that we found, but also at the range of entities that were affected. So uch Phoenix cardiology associates you have a physician practices you have hospitals you have health plans, there is no single kind of entity that has been able to -- that doesn't end up becoming subject those sorts of deficiencies and enforcement.

I also want to call your attention to the biggest of the cases because it points to another issue that's really important. The biggest case that we did, the one that resulted in the most serious fine, was not about privacy requirements, it was not about security requirements, it was about access requirements. It was a provider who failed to give patients access to their records, and then chose not to cooperate with our investigation.

So that is as much an issue from OCR's perspective as privacy and security. And as I've said before, HIPAA is a valve, not a blockage. It is at the end of the day meant to ensure that what health records are used for is for the benefit of the patient. That means the patient needs to get the records when they need them, it means the patient's other providers need to get them when they need them, it just means they need to be private and secure from anybody who doesn't need them for the health care of the patient or for the health care operations of a particular covered entity.

So the last thing I want to talk about, I think my time is coming to a conclusion, is having said all of that, we want to make sure that the industry has in its hands what it needs to be able to effectively comply. And I will be transparent with you that in both audit and in our overall enforcement work, one of the particular areas of vulnerability that we have found is with smaller providers. It's with that individual doctor's office or with that small medical practice or that small pharmacy. And so we understand that the burden on us is to make sure that we are effectively reaching and educating that part of the industry.

So on the one hand we talk about enforcement, but at the same time we're talking about education.
So here there's ryrchs to some videos that OCR has prepared you're going to see some additional materials that ONC and OCR together have prepared, and there is extensive material on both our website, ONC's website, and other resources available to be able to comply. And we want to continue in a dialogue with you, to make sure that those are the materials that you need.

Because I'd rather go out of business. I'd rather not have to be in this business. And I actually believe that the time will come where this will be so second nature in the industry that we will no longer be talking about million and 2 million dollar recoveries. We'll be talking about a very different environment.

So thank you for your time, it is now my pleasure to introduce Catherine martricini from the office of the national coordinator for health information and technology. I asked her what her title was, and she would not tell me. So I have designated her a title. She is today the guru of health privacy for the office of the national coordinator. So welcome, please, Catherine. (Applause.)

Gotta run.


More to come...
