Law in the Internet Society

View   r4  >  r3  ...
BrendanMulliganSecondPaper 4 - 26 Jan 2010 - Main.BrendanMulligan
Line: 1 to 1
 
META TOPICPARENT name="SecondPaper"
Changed:
<
<
WORK IN PROGRESS
>
>
Ready for review.
 
Deleted:
<
<
It is strongly recommended that you include your outline in the body of your essay by using the outline as section titles. The headings below are there to remind you how section and subsection titles are formatted.
 
Changed:
<
<

Establishing a Safe, Private Online Medical Database

>
>

Establishing a Private, Workable Online Medical Database

-- By BrendanMulligan?
 
Changed:
<
<
-- By BrendanMulligan - 09 Jan 2010
>
>
In its 1999 report, “To Err is Human: Building a Safer Health System”, the Institute of Medicine claimed that preventable medical errors cause as many as 98,000 deaths per year in the United States and upwards of $29 billion annually in lost income, lost production, disability, and additional health care costs. According to the report, decentralization and fragmentation of the health care system are major causes of these errors. Providers lack access to complete patient data at the point of care. Fewer than 2% of the nation's 5,000 non-VA hospitals have what could be considered a full-fledged system.
 
Changed:
<
<
In its 1999 report, To Err is Human: Building a Safer Health System, the Institute of Medicine claimed that preventable medical errors cause as many as 98,000 deaths per year in the United States and upwards of $29 billion annually in lost income, lost household production, disability, and additional health care costs. [http://en.wikipedia.org/wiki/To_Err_is_Human] According to the report, decentralization and fragmentation of the health care system are major causes of these errors. Providers lack access to complete patient data at the point of care. Medical errors only compose part of the picture. Hundreds of thousands die every year for improper medications, adverse drug reactions, infections that occur in hospitals. [http://demo.clear-health.com/dohcs2009/pt3.mp3]
>
>

Proprietary Contribution to a Broken System

Vendors’ commercial systems are proprietary and designed to not talk to other vendors' systems. Further, the Healthcare Information and Management Systems Society (HIMSS), which is a powerful healthcare organization focused on fostering the optimal use of information technology (IT) and management systems for the betterment of healthcare, is ostensibly independent, but acts as a lobby for proprietary owners. HIMSS hosts the largest and most well-publicized health IT conferences in the country. They charge large sums of money to buy space at conferences and limit the electronic health record vendor association to companies which “design, develop and market their own proprietary Electronic Health Record software application.”
 
Changed:
<
<
People die because the lack of infrastructure. But even though banking and retailers have successfully implemented electronic records, fewer than 2% of the nation's 5,000 non-VA hospitals have what could be considered a comparable full-fledged system. [http://online.wsj.com/article/SB124104350516570503.html] We need a health care IT system founded on two characteristics: (1) universal adoption of a routine means of digitization clinical information and (2) a system robust enough to protect the sanctity of medical information.
>
>
People are dying because we lack proper IT infrastructure and the government should take steps to catalyze this process by (1) incentivizing the use of VistA? public domain software to improve functionality and streamline formatting and (2) safeguarding privacy.
 
Changed:
<
<

Universality

We should—and I believe will—move to an open source base for our health IT system. Proprietary factors have long inhibited the development of a universal system (killing many people). Vendors’ commercial systems do not easily talk to other vendors' systems. Further, the stakeholders that matter, do not want to use open source software. The Healthcare Information and Management Systems Society (HIMSS) is a powerful healthcare organization exclusively focused on fostering the optimal use of information technology (IT) and management systems for the betterment of healthcare. HIMSS hosts the largest and most well-publicized health IT conferences in the country. HIMSS, though ostensibly independent, is completely dependent upon money from proprietary donors. http://vendor.himss.org/
>
>

Lip Service to Open Source Acceptance

The open source movement has gained some traction in relation to the government’s policy on health IT. First, the stimulus calls for a study on the availability of open source health IT systems to be completed by Oct. 1, 2010. This includes comparing the total cost of ownership of open source to existing proprietary commercial products, ideally providing open source systems with the opportunity to demonstrate much superior value to price ratios.
 
Changed:
<
<

Congressional Response

It has earmarked nearly $20 billion in stimulus funds as an incentive for hospitals to use electronic records by 2011. The most common response to this problem has been funding a nationwide health information network in which a variety of health care providers could update and access a singular database. For example, Section 937(f) of the Senate’s health care reform bill states: ‘‘[The government] shall provide for the coordination of relevant Federal health programs to build data capacity for comparative clinical effectiveness research, including the development and use of clinical registries . . . to develop and maintain a comprehensive, interoperable data network to collect, link, and analyze data on outcomes and effectiveness from multiple sources, including electronic health records.” (1683-1684 of the bill [http://www.forhealthfreedom.org/BackgroundResearchData/SenateHealthReform/SenateHealthReformBill_11-19-09.pdf.])
>
>
Second, the stimulus empowered the support the development and routine updating of qualified EHR technology. The government earmarked $20B to incentivize the switch to functional online databases. The provisions however, dictate that hospitals must only perform “one test of certified EHR technology's capacity to electronically exchange key clinical information.” See Table 2. The government set a much lower bar for interoperability and sharing information, despite the much higher bar for the way docs and hospitals use electronic systems internally.
 
Changed:
<
<

Potential Problems

A nationwide health information network comes with a host of issues. Much of the debate surrounding health care information centers on safeguarding data from being lost, stolen or mishandled. [http://www.huffingtonpost.com/2009/11/13/health-industry-winning-r_n_357476.html] See also, Robert A. Gerberry, Legal Ramifications of the Formation of Digital Hospitals, 14 Health Law 27, June, 2002. “Faced with stories of confidential medical records being accidentally posted on a web site, and being emailed to all members of a computer network, patients continue to fear the misuse of confidential medical information. Online providers need to protect against the electronic misappropriation of health information by complying with confidentiality laws that seek to protect patient information.” These concerns are legitimate. In a recent survey of IT professionals, seventy percent said senior management does not view privacy and data security as a priority. [http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/Electronic%20Health%20Information%20at%20Risk%20FINAL%201.pdf] Eighty percent of respondent organizations had experienced at least one incident of lost or stolen electronic health information in the past year. [http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/Electronic%20Health%20Information%20at%20Risk%20FINAL%201.pdf] Over the last few years, the personal health information of hundreds of thousands of people has been compromised because of security lapses at hospitals, insurance companies and government agencies. [http://www.nytimes.com/2009/01/18/us/politics/18health.html] However, security need not even be breached to release private health information. The dissemination of this information is governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) medical privacy rule. HIPAA permits patients’ personal health information to be shared among more than 600,000 organizations without patients’ consent. 45 C.F.R. § 164.506 states that with limited exceptions “a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section.” Health care operations are defined extremely broadly, leaving almost no discernible restrictions. It includes activities such as business planning, management and administration, the sale or transfer of a covered entity, fundraising, and data analysis for plan holders or other sponsors. [link].
>
>
However, the government already developed the best comprehensive health IT system, VistA? , and did nothing to promote its use. The VistA? system, its interface, and all updates (500–600 patches per year) are provided as public domain software and used by many private hospitals. VistA? successfully integrates the databases throughout the Veteran's Health Administration, which runs the largest medical system in the US. In focusing on internal benchmarks, the government inexplicably misses its chance to create an operational system. The stimulus dollars should instead incent hospitals to integrate onto VistA? —which has been established for as little as “1/10th the price” of proprietary software.
 
Changed:
<
<
“However, because regional health information organizations could increase circumstances under which patient data may be inappropriately accessed, some parties have argued that regional health information organizations should adopt additional procedures to help ensure that data are used only for the intended purposes.”
>
>

Lost, Stolen, and Mislaid Private Health Information

Secondly, a health database must address concerns over medical privacy. Much of the debate surrounding health care information centers on safeguarding data from being “lost, stolen or mishandled.” See also, Robert A. Gerberry, Legal Ramifications of the Formation of Digital Hospitals, 14 Health Law 27, June, 2002. “Faced with stories of confidential medical records being accidentally posted on a web site, and being emailed to all members of a computer network, patients continue to fear the misuse of confidential medical information. Online providers need to protect against the electronic misappropriation of health information by complying with confidentiality laws that seek to protect patient information.” These concerns are legitimate. In a recent survey of IT professionals, “seventy percent said senior management does not view privacy and data security as a priority. Eighty percent of respondent organizations had experienced at least one incident of lost or stolen electronic health information in the past year.” Over the last few years, the personal health information of “hundreds of thousands of people” has been compromised because of security lapses at hospitals, insurance companies and government agencies.

The government responded to these concerns with changes to Health Insurance Portability and Accountability Act of 1996 (HIPAA). Any time private health information is “accessed, acquired, or disclosed” by or to an unauthorized person,” the Department of Health and Human must be notified. If the breach affects more than 500 residents of the same state, major media outlets must be notified. This will be enforced by penalties of $50,000 for actions of willful neglect, undefined, but presumably the failure to adopt safeguards required by law.

Problems of HIPAA-Acceptable Private Health Information Sharing

The above change may increase hospital vigilance in protecting medical privacy (e.g., http://www.arkhospitals.org/calendar/calendarpdf/july%2030-09hitech%20changes.pdf), but it fails to stop the easiest breach of private health information. HIPAA permits patients’ personal health information to be shared among more than 600,000 organizations without patients’ consent. 45 C.F.R. § 164.506 states that with limited exceptions “a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section.” Health care operations are defined extremely broadly, leaving almost no discernible restrictions. It includes activities such as business planning, management and administration, the sale or transfer of a covered entity, fundraising, and data analysis for plan holders or other sponsors.

This rule is indefensible even with paper files, but increased access to personal health data on an integrated system makes it particularly dangerous. Therefore, any change to HIPAA should alter this provision. Congress could start by revisiting the House’s 2004 STOHP Act, which makes consent the core of disclosure. In effect, the change would require individuals to give or withhold consent before their personal health information is used or disclosed before each routine purposes, instead of a one-time consent as in effect now.

 
You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable.

Revision 4r4 - 26 Jan 2010 - 05:55:45 - BrendanMulligan
Revision 3r3 - 25 Jan 2010 - 00:38:13 - BrendanMulligan
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM