humani nil a me alienum puto

random rants about news, the law, healthcare law, economics and anything I find amusing

Rights to the Bits and Bytes in Your EHR

Back in 2001, right before the HIPAA privacy rules took effect, I wrote a law school student note entitled “The Emergence of the Health Care Information Trust.” Pretty heady, and perhaps a bit Pollyanna-ish, stuff. In the note I argued that to pull the hidden value of disparate health care information out of the islands of digital data that had been forming throughout the health care system, some form of clearing house for patients, with strong fiduciary obligation to individual patient participants, needed to emerge. In fact, because of HIPAA’s soon-to-be-finalized privacy regulations, without patients expressly vesting rights in something like a health care data aggregator, it would be very difficult (if not impossible) to use the information commercially for purposes other than directly for healthcare treatment, payment, operations and certain research. Further, the value in that data would not be able to accrue to the individual any other way. My concept was to allow use of patient data, with defined limitations set by the patient, with micropayments to patients for such patient-approved use by anyone seeking to access the aggregated data.

Anyway, in the eight years since I wrote the article, I am not sure where the health care data market is going. But there are some services that seem to be starting to emerge as potential aggregators. Most notably, both Microsoft and Google have been taking initiatives in the area. Of course, Microsoft and Google are not what I had projected; but it probably makes more sense in hindsight that the two biggest IT juggernauts would be making headway into this very young market with unknown potential. If anything, the ability to pull good, useful and linkable health care information (except maybe healthcare claims data) is a monumental problem, and true electronic medical records are, at best, still in their infancy. So, also, the immediate possibilities of wide-scale transfers to such aggregators.

One of the obvious limitations, even if and when health record data is transferable without impossibly difficult transactional barriers and costs, is the fact that the privacy regulations are really set up to address patient rights in principally paper records.   So, even if you wished to transmit electronic data to an aggregator service (be it my concept of a Healthcare Information Trust or, for that matter, Google or Microsoft), there are no express provisions addressing this.

So I found it interesting when I read about “A Declaration of Health Data Rights.” In it, the organization specifically makes mention of access to records in “computable form.” Also, in reading about the initiative in the NYT’s Bits blog, I took particular note that both Microsoft and Google have a role in it. Ah, this makes some sense now.

For what it’s worth, the group desires:

A Declaration of Health Data Rights

In an era when technology allows personal health information to be more easily stored, updated, accessed and exchanged, the following rights should be self-evident and inalienable. We the people:

1. Have the right to our own health data

2. Have the right to know the source of each health data element

3. Have the right to take possession of a complete copy of our individual health data, without delay, at minimal or no cost; if data exist in computable form, they must be made available in that form

4. Have the right to share our health data with others as we see fit

These principles express basic human rights as well as essential elements of health care that is participatory, appropriate and in the interests of each patient. No law or policy should abridge these rights.

via HealthDataRights.org.

Filed under: Health Law, HIPAA

CVS Resolution Agreement with HHS Office for Civil Rights for HIPAA Violations

CVS Pharmacy, Inc. recently entered into a “Resolution Agreement” with the HHS Office for Civil Rights for a variety of business practices that were reported in the media concerning disclosure of protected health information (“PHI”). There was a similar agreement with Providence Health System last year for a $100,000 amount and corrective action plan.

Of note is the size of the settlement – $2.25M.  I also took a look at the Resolution Agreement and the Corrective Action Plan (“CAP”) to note similarities/differences from Corporate Integrity Agreements from OIG.  I saw many similar parallel items from my experience with the CIA front.   Now that the bubble has burst on actual enforcement actions with significant settlement payment amounts, and with the recent HIPAA changes in the Stimulus law, you can bet that there will be both more plaintiff litigation on this front (i.e., HIPAA privacy regulations as the “standard of care” and state tort law as the actual suit mechanism) as well as enforcement action by the Office for Civil Rights.   It is also notable that the “trigger” here was media reports.  Perhaps no accident that the proposed HIPAA changes require media outlet reporting once a threshold of PHI is released.  You can check out the press release and the resolution agreement/CAP at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresolutionagreement.html

Filed under: CMP, Health Law, HIPAA
