If you're even peripherally related to IT security, this is a pretty big deal. HIPAA and HITECH have an enormous impact on how businesses work. With the expansion of the security rule, some SaaS startups are going to have to at least pay attention, because they might be on the hook now.
However, I think the parent was commenting about the quality of this specific article, not on the meritless basis of a discussion about HIPAA.
This post doesn't do a very good job at all at explaining what's going on. I'm still not entirely sure what the new rules actually are after reading it.
Ah, I see your point. I think the article was trying to distill the changes down to one key fact: the security rule now applies to anyone who interacts with health care organizations, even if you're a few degrees removed as a contractor.
Seems absurd that if everything is digital now, we still have to fill out paper forms every time we visit a new doctor’s office, and it's difficult to get a digital copy of results. Inconsistent protection without much added convenience.
I have a similar feeling towards financial institutions. When you apply for a mortgage, you have to send your entire financial history, by mail (or perhaps worse, by email), to an underwriter. There's no indication as to what happens to all that sensitive stuff afterwards. It's a complete black box.
I think there's a huge opportunity for some sort of app that gives the customer/patient visibility of their data during its entire lifecycle and gives them controls to revoke access, delete data, etc. (Kinda like I can revoke an OAuth token.)
To be fair, re: the financial data, most institutions are required by SEC/FINRA to determine your net worth/assets at the time of application. So, to some degree, it makes sense you have to fill it out every time.
There's no reason it has to be on paper, though...
More to the point: what happens to that mound of sensitive data? Does it sit in a filing cabinet? If it's digital, does my underwriter forward it to her Gmail account so she can do the review on her couch?
That's what we're doing at PatientsKnowBest.com -- patient-centered medical records where the patient can decide who can see their records, and revoke access if they want. No one can revoke the patient's access.
Putting the patient at the helm has a few wonderful effects -- among them: all of the red tape around transferring patient medical records from one doctor/institution to another pretty much disappears. They're all about making sure the patient's private data doesn't go to someone the patient wouldn't want to see it. The only reason they need all of those laws is because the patient isn't even in the loop, normally.
We have the core webapp UI; we also have a REST/JSON API for letting apps (and third parties) work with the patient's data (if given permission, of course).
It's a really interesting space to be in. (I'm sure reading the about raises lots of "but what about when" questions; we have answers ...mostly!)
Edit: I should have said: that's what we're doing w/ medical records (not with financial data)
You guys are providing a service I'm interested in. I checked out your website and, as an interested (American) patient, I could be further convinced if a couple of questions were answered:
1. Which doctors and insurance plans does PatientsKnowBest work with?
2. Where is my data stored? What happens if I decide to stop using PKB?
I should add that I didn't want to spend the time to watch the 20 second videos, but perhaps I'm not the kind of customer you're trying to capture at the moment
Great point! A lot of people in the clinical world and health IT world completely agree with you. The real difficulty is opening the channel for secure communication between practices and hospitals, electronic health record vendors, and health information exchanges.
Stealing data (it is not stealing I know) is much easier when the document is digital and this is exactly the kind of abuse that HIPPA is trying to address and is why you still have to use paper.
Just say stealing. Pedants say "stealing is to deprive a person of their property..." If you read the definition of stealing, it doesn't say deprive. It says take. You can't argue that nothing is being taken. It's ridiculous to pretend that either of records or intellectual property cannot be stolen.
It's not easier to steal a person's records when the documents are digital. Especially if it's done properly (the storage, the privileges, the interchange...)
What's easier in the digital case, that I will concede, is to steal the entire filing cabinet. It's easier to steal a piece of paper than to do either of these other things; breaking encryption to access the records once you've stolen the entire filing cabinet, or gaining unauthorized access on a system that is supposedly audited and access controlled.
It looks like he's arguing that ideas, art, and smells should be freely shared.
He says that data moves like smells. The only thing is, there are laws that are meant to protect you from having your medical records smelled by arbitrary folks who shouldn't / snoops with no right to do it.
I do not expect to have my medical records performed in a public setting by third parties, and I would not accept any amount as compensation in the form of royalties if they did. Those people should go to jail!
I have no argument with Paul Graham's position on smells and data. There's a difference between a thing that is sold and published, and a thing that is shared under confidence. That is the whole idea of HIPAA and other data privacy laws.
I am on the fence about copyright in general. That is not what's at issue here.
There's historically been three hurdles to EHR adoption.
Doctors make purchasing decisions. They're very conservative. Younger doctors embrace the computers. So it's just a matter of the old guard retiring.
Who pays? A paper medical record is fine for a clinical practice. Electronic records are good for interchange. But that doesn't help the doctor or the hospital. The early adopter hospitals of our RHIO system were motivated by attracting their area doctors, so used our system as a loss leader to encourage admissions.
EHRs suck. Huge. Imagine a whole universe of suckage and multiple it by infinite suckage. They're expensive, super complicated, and have no ROI. If it weren't for the federal push for electronic medical records, the carrot of block grants and "meaningful use" stick to punish non-participants, no one would adopt an EHR without a business case.
The original article is very dense... as someone who's marginally interested in HIPAA (as in, does it affect my future app), the blog summary helped me determine the new reach.
Surely a better post can be made, with a more comprehensive summary, but the current blog post is not without value.
Although not expressly in the linked content, I believe the change apropos beyond healthcare providers is the change for cloud providers (SaaS, storage, etc.) Now, companies which store Protected Health Information (PHI) in the cloud are considered business associates of the healthcare provider. In turn, the companies are now regulated entities & will be required to meet the security & privacy standards of patient data. No longer is a storage provider considered an unassociated 'conduit.' This is a significant change for healthcare providers and all their (remote) technology partners. Ideally, this will create the regulatory impetus sufficient to prevent your healthcare providers from transitioning over to relatively insecure services such as Gmail for sensitive patient data.
This rule clarification is good in that it acknowledges the participation of third parties. Yay!
But it doesn't change the fact that HIPAA is just kabuki (for show).
I worked on some of the first RHIOs (regional health information exchanges) on the market. We all had yearly HIPAA training. All platitudes and very little actionable advice. As devs, we all had full access to millions of patients.
Accidental disclosure is inevitable. So many participants, so many systems, the weakest link and all that. We all figured it was a matter of time before something bad happened.
I care about privacy. A lot. I researched what's what, legal and technical. Because I want to do a good job. And I have skin in the game (my own medical history).
The month I started on the electronic medical records project, a local hospital had just settled for allowing 100,000s of complete patient records leak. (A stolen laptop.) So I contacted the lawyers on both sides. Verdict? Try harder next time.
Pretty much nothing has changed (improved) since. Except the disclosure requirements, I guess.
This is a long topic, so I'll just skip to the conclusion:
We will not, cannot protect patient privacy until we assign a universal unique identifier for every single person. This means something something akin to RealID.
To protect patient privacy, we need to encrypt the data. But that's not feasible without globally unique identifiers. Because patient demographic data is dirty and mismatched record can be fatal. So you have matching algorithms that have to look at the original plaintext. And the heuristics are wrong enough that the process requires human oversight.
If we (the USA) had unique identifiers, then we could transition to translucent database designs. That'd be very cool.
About once a year, I go to a "future of healthcare IT" event. I desperately want to hear that patient privacy is being addressed. Hope springs eternal. Mostly, no one knows what I'm talking about. Until you've worked on the systems and tried to actually implement privacy safeguards, people just don't grok the problem domain, and continue to believe it's a trivially solvable problem.
Most of the recent events have been mixer events sponsored body shops (recruiters) hoping to get some business. Put "HL7" and "ICD-10" in your resume and I'm sure you'll get called.
The last "meaty" one I attended was a local MIT Enterprise Forum featuring local healthcare IT professionals. The panel had a device startup, a personal healthcare portal, some consulting goons, and the CIO for a local HMO (she was the only one who made any sense).
I just attended a legislative action committee meeting for my state. Our elected reps touched on what was happening at the state level to implement ACA (aka Obamacare, mostly "meaningful use" stuff and patient eligibility, really basic stuff).
Every state now has a board of some sort for implementing their state and regional healthcare information exchanges per ACA. The meetings are public. That's probably a good way to find your local players.
It's been a few years since I lurked healthcare IT blogs. There might be some good ones to follow.
I can't find any contact info for you; do you mind posting your email/website? I'd love to chat about your experience in health IT! Thanks. (Not a recruiter…)
32 comments
[ 2.5 ms ] story [ 67.7 ms ] threadHowever, I think the parent was commenting about the quality of this specific article, not on the meritless basis of a discussion about HIPAA.
This post doesn't do a very good job at all at explaining what's going on. I'm still not entirely sure what the new rules actually are after reading it.
I think there's a huge opportunity for some sort of app that gives the customer/patient visibility of their data during its entire lifecycle and gives them controls to revoke access, delete data, etc. (Kinda like I can revoke an OAuth token.)
There's no reason it has to be on paper, though...
That way it looks like crap by the time it gets back to you.
Putting the patient at the helm has a few wonderful effects -- among them: all of the red tape around transferring patient medical records from one doctor/institution to another pretty much disappears. They're all about making sure the patient's private data doesn't go to someone the patient wouldn't want to see it. The only reason they need all of those laws is because the patient isn't even in the loop, normally.
We have the core webapp UI; we also have a REST/JSON API for letting apps (and third parties) work with the patient's data (if given permission, of course).
It's a really interesting space to be in. (I'm sure reading the about raises lots of "but what about when" questions; we have answers ...mostly!)
Edit: I should have said: that's what we're doing w/ medical records (not with financial data)
1. Which doctors and insurance plans does PatientsKnowBest work with?
2. Where is my data stored? What happens if I decide to stop using PKB?
I should add that I didn't want to spend the time to watch the 20 second videos, but perhaps I'm not the kind of customer you're trying to capture at the moment
Have you heard of RHEx (http://wiki.siframework.org/RHEx, https://github.com/project-rhex/simple_rhex)? It's an open source implementation of hData (http://www.projecthdata.org) and provides a RESTful, secure way to transmit patient data.
It's not easier to steal a person's records when the documents are digital. Especially if it's done properly (the storage, the privileges, the interchange...)
What's easier in the digital case, that I will concede, is to steal the entire filing cabinet. It's easier to steal a piece of paper than to do either of these other things; breaking encryption to access the records once you've stolen the entire filing cabinet, or gaining unauthorized access on a system that is supposedly audited and access controlled.
He says that data moves like smells. The only thing is, there are laws that are meant to protect you from having your medical records smelled by arbitrary folks who shouldn't / snoops with no right to do it.
I do not expect to have my medical records performed in a public setting by third parties, and I would not accept any amount as compensation in the form of royalties if they did. Those people should go to jail!
I have no argument with Paul Graham's position on smells and data. There's a difference between a thing that is sold and published, and a thing that is shared under confidence. That is the whole idea of HIPAA and other data privacy laws.
I am on the fence about copyright in general. That is not what's at issue here.
Doctors make purchasing decisions. They're very conservative. Younger doctors embrace the computers. So it's just a matter of the old guard retiring.
Who pays? A paper medical record is fine for a clinical practice. Electronic records are good for interchange. But that doesn't help the doctor or the hospital. The early adopter hospitals of our RHIO system were motivated by attracting their area doctors, so used our system as a loss leader to encourage admissions.
EHRs suck. Huge. Imagine a whole universe of suckage and multiple it by infinite suckage. They're expensive, super complicated, and have no ROI. If it weren't for the federal push for electronic medical records, the carrot of block grants and "meaningful use" stick to punish non-participants, no one would adopt an EHR without a business case.
This blog post seems like spam.
Surely a better post can be made, with a more comprehensive summary, but the current blog post is not without value.
But it doesn't change the fact that HIPAA is just kabuki (for show).
I worked on some of the first RHIOs (regional health information exchanges) on the market. We all had yearly HIPAA training. All platitudes and very little actionable advice. As devs, we all had full access to millions of patients.
Accidental disclosure is inevitable. So many participants, so many systems, the weakest link and all that. We all figured it was a matter of time before something bad happened.
I care about privacy. A lot. I researched what's what, legal and technical. Because I want to do a good job. And I have skin in the game (my own medical history).
The month I started on the electronic medical records project, a local hospital had just settled for allowing 100,000s of complete patient records leak. (A stolen laptop.) So I contacted the lawyers on both sides. Verdict? Try harder next time.
Pretty much nothing has changed (improved) since. Except the disclosure requirements, I guess.
This is a long topic, so I'll just skip to the conclusion:
We will not, cannot protect patient privacy until we assign a universal unique identifier for every single person. This means something something akin to RealID.
To protect patient privacy, we need to encrypt the data. But that's not feasible without globally unique identifiers. Because patient demographic data is dirty and mismatched record can be fatal. So you have matching algorithms that have to look at the original plaintext. And the heuristics are wrong enough that the process requires human oversight.
If we (the USA) had unique identifiers, then we could transition to translucent database designs. That'd be very cool.
http://www.amazon.com/Translucent-Databases-Peter-Wayner/dp/...
About once a year, I go to a "future of healthcare IT" event. I desperately want to hear that patient privacy is being addressed. Hope springs eternal. Mostly, no one knows what I'm talking about. Until you've worked on the systems and tried to actually implement privacy safeguards, people just don't grok the problem domain, and continue to believe it's a trivially solvable problem.
The last "meaty" one I attended was a local MIT Enterprise Forum featuring local healthcare IT professionals. The panel had a device startup, a personal healthcare portal, some consulting goons, and the CIO for a local HMO (she was the only one who made any sense).
I just attended a legislative action committee meeting for my state. Our elected reps touched on what was happening at the state level to implement ACA (aka Obamacare, mostly "meaningful use" stuff and patient eligibility, really basic stuff).
Every state now has a board of some sort for implementing their state and regional healthcare information exchanges per ACA. The meetings are public. That's probably a good way to find your local players.
It's been a few years since I lurked healthcare IT blogs. There might be some good ones to follow.
A patient could have multiple identifiers that's only known to him/her.
Think a model like 1Password.