Electronic health records

Small-Scale Violations of Medical Privacy Go Unpunished

Small-scale breaches of patients' medical privacy are going unpunished because officials at the federal Office for Civil Rights focus on voluntary compliance as the remedy, ProPublica's Charles Ornstein reports. Many people also cannot turn to their own lawsuits for redress. The Health Insurance Portability and Accountability Act doesn't allow for a private cause of action, and states vary on how much protection tort law provides for medical privacy.

Indiana courts have ruled that healthcare providers are liable for employees who snoop in medical records, but courts in Ohio, Minnesota and New York, as well as other states, have rejected those types of claims, Ornstein reports.

Small-scale breaches of medical privacy can cause the most harm, Ornstein reports. For example, an employee at a New Jersey hospital disclosed that an 11-year-old boy had attempted suicide. The revelation caused him to be bullied at his school, Ornstein reports. In another example, a dental assistant had a former friend post on Facebook that she had the STD human papillomavirus.


Obama Administration Slams Electronic Health Records

The Obama administration's Office of the National Coordinator for Health Information Technology has taken vendors of electronic health records "to task for making it costly and cumbersome to share patient information and frustrating a $30 billion push to use digital records to improve quality and cut costs," The Wall Street Journal's Melinda Beck reports.

For example, vendors are requiring customers to use proprietary platforms and making it too expensive to switch systems. Even though nearly 80 percent of doctors and 60 percent of hospitals have converted from paper files to EHRs, only 20 to 30 percent of providers are able to share records with other providers, Beck reports.

ONC could decertify EHR systems that block data-sharing, but the report says that would unduly penalize customers, Beck reports.

Fines Rare for Healthcare Data Breaches

ProPublica's Charles Ornstein reports that federal regulators are rarely fining health care organizations for data breaches. There have been more than 1,140 large breaches affecting more than 41 million people in the last 5.5 years. But there have been fines levied just 22 times, even though the Health Information Technology for Economic and Clinical Health Act, known as the HITECH Act, has required healthcare providers to report breaches involving at least 500 patients since 2009.

The Problem with Government-Mandated Electronic Health Records

Peter Suderman, writing on Reason's blog, piggybacks off the concerns that Dr. Jeffrey Singer raised about the government mandate for electronic health records in the Wall Street Journal's op-ed section. Singer pointed to research that found that physicians think that electronic health records drive up healthcare costs because of, among other reasons, high implementation costs, which are particularly burdensome for small private practices. A bigger concern is that current health IT systems are not interoperable and don't operate across multiple provider networks, Suderman also notes.

FDA to Expand Electronic Health Records Pilot to Track Product Safety

According to a report in iHealthBeat, the Food and Drug Administration is going to expand a pilot that is using electronic health records, as well as claims data, to monitor the safety of medical devices the agency regulates: "Specifically, FDA said the [Mini-Sentinel] system can examine: More than 350 million person years of observation; Four billion pharmaceutical dispensings; and 4.1 billion patient meetings." Now, the pilot is being rolled out on a full scale.

Healthcare Sector Makes Up 1/3 of Data Breaches

Ruth Reader, writing for VentureBeat, reports that, in 2014, healthcare providers made up nearly one-third of all data breaches: "Hot medical identities can sell for as little as $50, according to a report issued earlier this year by the FBI. With more and more hospitals moving to electronic health records and healthcare breaches on the rise, it's hard to see how this problem won’t become more widespread in the coming year." Reader also points out that, unlike for financial breaches, it is much harder to prove that a consumer didn't receive medical services on their records.

Draft Bill Would Limit FDA Oversight of Electronic Health Records

U.S. Senators Michael Bennet and Orrin Hatch are circulating a draft bill to exempt some electronic health records, including medical charts and health histories, from the FDA's oversight, Reuters' Christina Farr reported last week. Medical technology that is classified as posing a low risk to patient safety would be exempt from FDA regulation. Bradley Merrill Thompson, an FDA specialist with the Washington D.C.-based legal firm Epstein Becker & Green, told Reuters the bill would have unintended consequences.

FDA Pushes for Cybersecurity for Medical Devices, Health Information Technology

Submitted by Amaris Elliott-Engel on Sat, 10/25/2014 - 11:25

What if hackers caused medical devices to malfunction? Disrupted healthcare services? Accessed patient information or electronic health record data? Those are examples of potential digital security pitfalls for the healthcare industry. Here's a piece I wrote for the National Law Journal about the need to develop industry standards for cybersecurity for medical devices and other health information technology: 

A cybersecurity framework for medical devices and health-care technology needs to be developed in a partnership between the government, manufacturers and health-care providers, officials from across the public and private sectors said during a workshop convened by the U.S. Food and Drug Administration.

“Right now, for cybersecurity, we’re all in a reactive mode,” said Deborah Kobza, executive director of the National Healthcare Information Sharing and Analysis Center. “We need to change that to be in a preventive mode.”

The concern is that hackers could cause medical devices to malfunction, disrupt health-care services or steal patient information and electronic health records. The FDA, along with the Department of Health and Human Services and the Department of Homeland Security, sponsored the two-day workshop this week.

The Advanced Medical Technology Association’s Jeffrey Secunda said that, “for devices that are facing the Internet, you do have the risk of advanced persistent threats.”

How the FDA is going to approach cybersecurity, including evidence that devices have led to patient harm, “is exactly why we’re convening this meeting,” said Suzanne Schwartz, director of the FDA’s emergency preparedness/operations and medical countermeasures in the Center for Devices and Radiological Health.

Workshop participants said they were unsure how much tolerance there is for the risk that patients' information could be breached in the effort to make electronic health records and health information technology “interoperable” and more accessible to patients.

Dr. William Maisel, the FDA’s chief scientist and deputy center director for science at CDRH, said there are 100,000 medical devices on the market and the technology changes rapidly. The FDA doesn’t view it as a solution to take in all the information about digital security vulnerabilities in medical devices and pass it on to the community, he said.

Instead, federal regulators want an “ecosystem where that information is being shared,” such as safe harbors for medical device manufacturers and health-care providers to make reports about cybersecurity breaches without incurring liability, he said.

Participants said that providers don’t report digital security breaches for fear of exposure during litigation.

The National Healthcare Information Sharing and Analysis Center’s Kobza noted that her group has entered a memorandum of understanding with the FDA to develop a protocol about sharing information about medical devices.

Electronic Health Records Unreliable to Use as Legal Evidence?

According to Medscape Medical News' Ken Terry, several experts say that electronic health records need to be verified before being admitted into evidence. Terry, reporting on a law review article in Ave Maria Law Review, writes that "the central contention of the authors, Barbara Drury, Reed Gelzer, MD, MPH, and Patricia Trites, MPA, is that EHRs are designed to maximize payments to providers and therefore do not necessarily reflect the care that was actually provided to patients." Without verification, electronic health records are hearsay, the authors said. One takeaway is that there should be an audit function in all EHRs and healthcare providers shouldn't be able to turn that function off or erase audit logs.

Doctors Find Electronic Health Records Hard to Share

The New York Times' Julie Creswell reports on how doctors are finding barriers to sharing electronic health records because computer programs made by different companies don't share records with each other: "Doctors and hospital executives across the country say they are distressed that the expensive electronic health record systems they installed in the hopes of reducing costs and improving the coordination of patient care — a major goal of the Affordable Care Act — simply do not share information with competing systems." Doctors who are getting federal funds in support of their electronic health records must show that they can share patient data or face cuts in their Medicare reimbursements, Creswell further reports. 

One of those companies is Epic Systems, which charges a fee to send data to some non-Epic systems, Creswell notes. Epic's founder, in a rare interview, "offered muted criticism of regulators for, essentially, failing to create what she did — a contract to help providers connect to one another and a way to authenticate that only the correct person could view the patient information." Regulators are in the process of developing a standard to make health information technology interoperable.
