ONC Releases New Guide on Buying EHR

Last month, the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) released a new guide for prospective buyers of Electronic Health Record systems (EHRs). ONC provides detailed information and suggestions that merit the serious consideration of anyone who contracts or plans to contract with an EHR vendor.

ONC begins with a broad introduction that explains what kinds of options exist and offers advice on how to select an appropriate system. ONC then provides detailed advice on a number of important topics, including safety and security, system performance, data rights, interoperability, IP, risk management, dispute resolution, and transitions. For each of these topics, ONC identifies common pitfalls and provides buyer-friendly form contract language. Sprinkled throughout the guide are descriptions of common pitfalls and advice about how to avoid them. Some of these points are worth further emphasis.

ONC notes that some buyers have complained about inconsistencies between vendor demonstrations and the products actually delivered. It is important to remember that marketing materials and demonstrations are not necessarily reliable. ONC suggests requiring that any such materials presented to a buyer be attached to and incorporated into the final EHR contract. Furthermore, core service and performance obligations should be memorialized in express warranties. This should provide some protection against falling victim to a bait and switch.


GAO Recommends that HHS Strengthen Privacy and Security Guidance and Oversight

Earlier this week the Government Accountability Office (GAO) released a report critiquing the U.S. Department of Health and Human Services’ (HHS) oversight of and guidance related to health information security and privacy. (The report is available here.)

GAO cited the increasing incidence of hacking and other breaches, which affected over 113 million health records in 2015, as a key reason to ensure that HHS provides appropriate guidance to and oversight of covered entities and business associates. Hacking and other breaches may result in identity theft, fraud, disruption of health care services, and even national security threats.

GAO’s concerns fell into two primary categories: those related to HHS’s guidance to covered entities and business associates, and those related to oversight efforts.

JAMA Study Finds Low Rate of Digital Health Technology Use Among Seniors

A research letter published this month in the Journal of the American Medical Association reported that only a small fraction of seniors in the United States use digital health technology. The authors applied statistical analysis to data gleaned from a nationally representative sample of Medicare beneficiaries age 65 and older. In 2011, 16% of seniors obtained health information, 8% filled prescriptions, 7% contacted clinicians, and 5% handled insurance using digital health technology. For comparison, 64% of seniors used computers and 43% used the internet. By 2014, among the respondents who survived and could be reached for follow up, the numbers remained largely constant (with none increasing by more than a few percentage points).

The study thus shows that digital health “is not reaching most seniors” and accordingly is not improving health care quality, cost, and safety as much as possible. “Future innovations,” the authors conclude, “should focus on usability, adherence, and scalability to improve the reach and effectiveness of digital health for seniors.”

UK Government Considering New Patient Data Security and Research Consent Standards, Sanctions

The UK Government has opened a consultation, running until September 7, 2016, regarding how UK National Health Service (NHS) patient data should be safeguarded, and how it could be used for purposes other than direct care (e.g. scientific research).

The consultation comes after two parallel-track reviews of information governance and data security arrangements in the NHS found a number of shortcomings, described below. The Care Quality Commission (CQC) and the National Data Guardian (NDG, led by Dame Fiona Caldicott) made a range of recommendations, including new security standards, stronger inspection and enforcement around security lapses and re-identification of anonymized patient data, and an eight-point process around assuming and respecting patient consent decisions.

Following the public consultation, the new security standards could eventually be required and audited by government inspectors from the CQC, and imposed under revised standard NHS England contract terms.  CQC inspectors could potentially act on tip-offs from NHS Digital (formerly known as the NHS Health and Social Care Information Centre, ‘HSCIC’).  Those tip-offs could be based on low scores obtained by organizations in their annual NHS Information Governance Toolkit (IGT) self-assessments.  The IGT, which the reviewers said should be redesigned, applies both to NHS bodies and their commercial vendors.

The new consent model, meanwhile, could provide more streamlined, system-wide consents for use of patient data for purposes including quality assurance and research.

The CQC and the NDG’s findings and twenty-four recommendations were jointly presented in a covering letter to the UK government, available here, and fuller reports, available here and here (CQC and NDG, respectively). This post provides a brief summary of their main findings and recommendations. For the consultation questions themselves, see here.

New EU Medical Device Guidance on Standalone Software

On 15 July 2016, the European Commission updated MEDDEV 2.1/6 (the “MEDDEV Guidance”), its medical device guidance on the qualification and classification of standalone software used in the healthcare setting. The updated version replaces an earlier version of MEDDEV 2.1/6 issued by the European Commission in January 2012.

MEDDEV 2.1/6 generally stands as a valuable resource to assist software developers in assessing whether their software is a medical device. However, some, particularly those operating within the mobile health (mHealth) space, have expressed disappointment that the updated guidance did not go further in clarifying the picture.

Indeed, the main changes consist of additions to the definitions section of the MEDDEV Guidance. There is now a definition clarifying that “software” is a “set of instructions that processes input data and creates output data”. There are also accompanying definitions of “input data” and “output data”.

ONC Report to Congress Identifies Gaps in Oversight of Privacy and Security of mHealth Technologies and Health Social Media

Earlier this month the U.S. Department of Health and Human Services (HHS), Office of the National Coordinator for Health Information Technology (ONC), released a report to Congress highlighting “large gaps” in policies and oversight surrounding access to and security and privacy of health information held by certain “mHealth technologies” and “health social media.”

mHealth technologies may include wearables, such as fitness trackers, as well as personal health records and other cloud- or mobile-based tools that collect health information from consumers. The report defines health social media to include websites providing consumers with “specific opportunities” to share their health information and experiences, such as patient support portals or sites allowing patients to share their experiences with a particular health condition. The report notes that 27 percent of internet users have tracked their personal health indicators online (such as weight, diet, exercise, or symptoms).

The ONC report highlights a number of concerns with mHealth technologies and health social media, primarily centered around the fact that many entities offering these technologies are not subject to the Health Insurance Portability and Accountability Act (HIPAA). These “non-covered entities” (NCEs) therefore need not comply with HIPAA privacy and security requirements and need not provide individuals with the same level of access to and control over their health information as that guaranteed by HIPAA.  The report also notes that non-covered entities are not subject to HIPAA limitations on the re-use and further disclosure of health information, such as HIPAA limitations on the use of such information for marketing.

With respect to data security, the report notes that many non-covered entities do not appropriately secure their users’ information. Specific concerns include a lack of encryption, a lack of methods to verify users’ identities, and inconsistent or inappropriate risk assessment and audit capabilities. Although not a central focus, the report also notes that the expanded collection of health information by numerous entities without consistent security protections increases the risk of cybersecurity attacks targeting health information.

Finally, the report highlights gaps in information and understanding. For example, consumers using technologies offered by non-covered entities may not realize that the health information they provide is not protected by HIPAA. The report also expresses concern that many NCEs lack “appropriate and understandable” privacy policies and notices, citing a study suggesting that only 30% of the most common mHealth apps have a privacy policy. When non-covered entities do have privacy policies, the report states that those policies may be difficult to understand, may use undefined or imprecise terminology, or may change without notice.

The report does not recommend specific actions, but urges that gaps identified by the report “should be filled.” In a blog post announcing the report’s publication, the National Coordinator for Health Information Technology, Karen DeSalvo, described the report as “the first step in a conversation about these important issues.”  She noted that ONC looks forward to engaging with stakeholders in the coming weeks about how to address the gaps the report identifies.

Significant HIPAA Fine Follows Business Associate’s Stolen iPhone

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) recently announced a significant settlement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a business associate under HIPAA, arising from a breach of protected health information (PHI) after the theft of an employee’s iPhone. The iPhone was not encrypted or password protected and held extensive information on approximately 400 nursing home residents, including Social Security numbers; information regarding diagnosis, treatment, medical procedures, and medication; and names of family members and legal guardians. CHCS agreed to pay financial penalties of $650,000 and to adhere to a corrective action plan.
