Thursday, May 28, 2009

Ted Eytan, MD's Photo Friday

Thanks to Ted Eytan, MD for featuring Jane Sarasohn-Kahn and me as the "Photo Friday" models of the week. The photo was taken at the start of our testimony before NCVHS on the future of PHRs.

NCVHS: Report of Hearing on "Meaningful Use" of Health Information Technology

The National Committee on Vital and Health Statistics (NCVHS) has issued its initial Report of Hearing on "Meaningful Use" of Health Information Technology.

The May 18,2009 report is directed to David Blumenthal, MD, National Coordinator of Office of the National Coordinator for Health Information Technology. The cover letter indicates that NCVHS will be sending additional observations related to the hearing.

The Hearing on "Meaningful Use" of Health Information Technology was held on April 28-29, 2009. More information about the hearing can be found at the NCVHS website, including a copy of the hearing transcript and copies of the individual written testimony submitted by those individuals who testified at the hearing. You can also listen to a recorded version of the hearing in the NCVHS hearing archives.

Tuesday, May 26, 2009

ONC Developing Online Project To Educate Consumers About PHRs

Government Health IT reports that the the Office of the National Coordinator (ONC) is developing an online model containing information for consumers about personal health records (PHRs) and the privacy policies related to their use. ONC's effort appears targeted at engaging consumer to make more informed decisions about the use of PHRs.

The Office of the Secretary for HHS issued a notice of Agency Information Collection Request and 30 day Comment Request, 74 Federal Register 24012 (May 22, 2009), providing details of the proposed project.

If others have additional information on this project -- please leave a comment.

The abstract in the Federal Register notice states:
A new health information technology, the personal health record (PHR), seeks to provide consumers with the capability to directly manage their own health information. Although PHRs can exist in different formats or media (i.e., paper or electronic), the term usually refers to an online record containing an individual’s personal health information. PHRs typically include information such as health history, vaccinations, allergies, test results, and prescription information. Given the newness of the electronic PHR concept, the different ways to establish PHRs, and the sensitivity of personal health information, ONC is taking steps to establish that useful facts about PHRs and PHR privacy policy information be made available to consumers so they can make informed decisions about selecting and using PHRs. Toward this end, ONC has a project to develop an online model for PHR providers.

The model will be developed to:

› Allow presentation of important PHR facts and policies to consumers,

› Allow consumers to understand and consistently compare PHR service provider policies with others, and

› Focus on the key information that may influence decisions and choices of PHR service provider.

The project includes iterative rounds of in-depth consumer testing during April–October 2009 to assess and analyze consumer understanding and input about the model. The model will be iteratively revised to design a final template that will allow PHR vendors to convey useful and understandable facts to consumers about their privacy, security, and information management policies. Testing will be conducted in six locations that cover the four geographic census regions and will include 90-minute, one-on-one, cognitive usability interviews with six to seven participants at each of six sites, for a total not to exceed 42 interviews. In addition, each participant will have been recruited through a 15-minute screening interview. The participants will be recruited according to U.S. census statistics for race/ethnicity, age, marital status, gender, and income. Also, the sample will include participants both familiar and unfamiliar with PHRs and participants who manage chronic health issues or a disease for themselves or others.

X PRIZE: $10M Incentive to Innovate In Health Care (Reform)

Scott Shreeve, MD, Senior Health Advisor at the X PRIZE Foundation sent out a call last week to all health care bloggers to participate in a blog rally to promote the idea and effort behind the Healthcare X PRIZE competition. Below is a message from Dr. Sheeve being post around the blogosphere today. Please spread the word via your blog, Facebook, Twitter or the old fashion way -- telling someone face to face.

We are entering an unprecedented season of change for the United States health care system. Americans are united by their desire to fundamentally reform our current system into one that delivers on the promise of freedom, equity, and best outcomes for best value. In this season of reform, we will see all kinds of ideas presented from all across the political spectrum. Many of these ideas will be prescriptive, and don’t harness the power of innovation to create the dramatic breakthroughs required to create a next generation health system.

We believe there is a better way.

This belief is founded in the idea that aligned incentives can be a powerful way to spur innovation and seek breakthrough ideas from the most unlikely sources. Many of the reform ideas being put forward may not include some of the best thinking, the collective experience, and the most meaningful ways to truly implement change. To address this issue, the X PRIZE Foundation, along with WellPoint Inc. and WellPoint Foundation as sponsor, has introduced a $10M prize for health care innovators to implement a new model of health. The focus of the prize is to increase health care value by 50% in a 10,000 person community over a three year period.

The Healthcare X PRIZE team has released an Initial Prize Design and is actively seeking public comment. We are hoping, and encouraging everyone at every opportunity, to engage in this effort to help design a system of care that can produce dramatic breakthroughs at both an individual vitality and community health level.

Here is your opportunity to contribute:
  1. Download the Initial Prize Design
  2. Share you comments regarding the prize concept, the measurement framework, and the likelihood of this prize to impact health and health care reform.
  3. Share the Initial Prize Design document with as many of your health, innovation, design, technology, academic, business, political, and patient friends as you can to provide an opportunity for their participation
We hope this blog rally amplifyies our efforts to solicit feedback from every source possible as we understand that innovation does not always have a corporate address. We hope your engagement starts a viral movement of interest driven by individual people who realize their voice can and must be included. Let’s ensure that all of us - and the people we love - can have a health system that aligns health finance, care delivery, and individual incentives in a way that optimizes individual vitality and community health. Together, we can ensure the best ideas are able to come forward in a transparent competition designed to accelerate health innovation. We look forward to your participation.

This post was written by Scott Shreeve, MD in behalf of the X PRIZE Foundation.
Special thanks to Paul Levy for both demonstrating the value of collaborative effort and suggesting we utilize a blog rally for this crowdsourcing effort.

Tuesday, May 19, 2009

Modern Day Hatfield-McCoy: Google Health and Microsoft HealthVault

The Hatfields and McCoys, a metaphor for a modern day high-tech industry rivalry centered on personal health records (PHRs) involving Google Health, Microsoft HealthVault and other PHR vendors. An image that a West Virginia health care lawyer can really appreciate.

Thanks to a tweet by @2healthguru for pointing out the CNET article, Microsoft, Google in healthy competition. The article provides a good overview of the developing PHR movement and some insight into the future. However, I'm a bit concerned by the accuracy of the article when I see two of the individuals mentioned in the article (Matthew Holt and Dave deBronkart) tweeting (here and here) that they weren't really interviewed for the article.

Later this week I will be in D.C.along with others testifying at the Hearing on Personal Health Records before the National Committee on Vital and Health Statistics (NCVHS), Subcommittee on Privacy, Confidentiality and Security . The Subcommittee is looking at the future of the PHR marketplace and consumer-facing health information technology.

The story of the Hatfield-McCoy feud is woven into the fabric of southern West Virginia lore along the Tug River and well known by all West Virginians. Above is a photo of the West Virginia Hatfield clan around 1897, led by Devil Anse Hatfield, second from the left. For more history and photos check out the West Virginia Division of Culture and History.

Note: If you are into off-road vehicle trails, come visit West Virginia and check out the modern day version -- the Hatfield-McCoy Trails.

Monday, May 18, 2009

ONC Releases HIT ARRA Implementation Plan

The Office of the National Coordinator for Health Information Technology (ONC) has released an operating plan titled the Health Information Technology American Recovery and Reinvestment Act (ARRA) Implementation Plan.

The operating plan is included on the DHHS Agency Wide Plan page under the "List of Recovery Programs within HHS."

The operating plan outlines immediate actions to meet statutory requirements under the Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of the ARRA. The

The topic headings for the operating plan include:

A. Funding Table
B. Objectives
C-E. Activities, Characteristics and Delivery Schedules
F. Environmental Review Compliance
G. Measures
H. Monitoring/Evaluation
I. Transparency
J. Accountability
K. Barriers to Effective Implementation
L. Federal Infrascructure Investment

Thanks to Jim Tate (@jimtate) and John Chilmark (@john_chilmark) for pointing out the report.

Saturday, May 09, 2009

Blog World New Media Expo 2009: Medical and Health Care Bloggers

Today I received the speaker list for the MedBlogger Conference associated with Blog World New Media Expo 2009 from Kim McCallister of Emergiblog, co-organizer of the event along with Dr. Val of Better Health.

Blog World New Media Expo 2009 will be held October 15-17 in Las Vegas. The MedBlogger Sessions will be held on October 15. A special thanks to Johnson & Johnson and MedPage Today who are sponsors of the MedBlogger Sessions. More information along with how to register for the conference will be available on the Blog World website in the coming weeks.

I was honored to be invited to be a part of the event and look forward to participating in a great discussion at the conference. Below are the panels and speakers confirmed for the MedBlogger Sessions.

Panel #1 The State of the Health Blogosphere: We've Come A Long Way, Baby
Moderator: Kim McAllister, Emergiblog
Panelist: Kevin Pho, Kevin MD
Panelist: Nick Genes, Blogborygmi
Panelist: Kerri Sparling, SixUntilMe

Panel #2 Staying On The Good Side of HIPAA: Safe and Ethical Blogging Practices
Moderator: Mike Sevilla, Doctor Anonymous
Panelist: Rob Lamberts, Musings of a Distractible Mind
Panelist: Debra Farber, IBM
Panelist: Bob Coffield, Health Care Law Blog

Panel #3 Blogging For Change: How To Influence Healthcare Through Blogging
Moderator: Val Jones, Better Health
Panelist: Gary Schwitzer, Schwitzer Health News Blog
Panelist: Terri Polick, Nurse Ratched's Place
Panelist: Gene Ostrovsky, Medgadget

Panel #4 The Value of Blogs To Hospitals, Industry, and News Organizations
Moderator: Gary Schwitzer, Health News Review
Panelist: Marc Monseau, Johnson & Johnson 's JNJBTW Blog
Panelist: Bob Stern, MedPage Today
Panelist: Paul Levy, Running A Hospital

Thursday, May 07, 2009

Virginia Department of Health Professions Issues Statement on Potential Breach of Security for Prescription Monitoring Program

Virginia Department of Health Professions has issued a News Release regarding the potential breach of security for the Prescription Monitoring Program. The statement also indicates that there is an ongoing criminal investigation into the breach which occurred on April 30.

Also, the Virginia Department of Health Professions has issued a related Questions and Answers document.

I have been following the story the last couple of days and provide some analysis of the potential breach in this previous blog post.

UPDATE (5/13/09): iHealthBeat provides a good news update on the status of the data breach and  investigation.The article references articles from the Richmond Times-Dispatch, "Inquiry continues into hacking of state computers," and "FBI expects Va. Hacker probel to take two more weeks."

Wednesday, May 06, 2009

Update On HIT Policy and Standards Committees

Last week the Federal Register (April 29, 2009) contained a Notification of the Establishment of the HIT Policy Committee and HIT Standards Committee. I had previously posted about the creation of these committee and recommended suggested members.

More information will be made available via the "new" Health Information Technology website of the Office of the National Coordinator.

The summary of the notice on establishing the HIT Policy Committee states:
This notice announces the establishment of the HIT Policy Committee. The American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5), section 13101, directs the establishment of the HIT Policy Committee.

The HIT Policy Committee (also referred to as the "Committee'') is charged with recommending to the National Coordinator a policy framework for the development and adoption of a nationwide health information technology infrastructure that permits the electronic exchange and use of health information as is consistent with the Federal Health IT Strategic Plan and that includes recommendations on the areas in which standards, implementation specifications, and certification criteria are needed. The HIT Policy Committee is also charged with recommending to the National Coordinator an order of priority for the development, harmonization, and recognition of such standards, specifications, and certification criteria.
The notice outlines the criteria for members of the HIT Policy Commitee and states that the appointments shall be made in the following manner:
  • 1 member shall be appointed by the majority leader of the Senate;
  • 1 member shall be appointed by the minority leader of the Senate;
  • 1 member shall be appointed by the Speaker of the House of Representatives;
  • 1 member shall be appointed by the minority leader of the House of Representatives;
  • Such other members as shall be appointed by the President as representatives of other relevant Federal agencies;
  • 13 members shall be appointed by the Comptroller General of the United States of whom-
  • 3 members shall be advocates for patients or consumers;
  • 2 members shall represent health care providers, one of which shall be a physician;
  • 1 member shall be from a labor organization representing health care workers;
  • 1 member shall have expertise in health information privacy and security;
  • 1 member shall have expertise in improving the health of vulnerable populations;
  • 1 member shall be from the research community;
  • 1 member shall represent health plans or other third-party payers;
  • 1 member shall represent information technology vendors;
  • 1 member shall represent purchasers or employers; and
  • 1 member shall have expertise in health care quality measurement and reporting.
  • Non-federal members of the Committee shall be Special Government
  • Employees, unless classified as representatives.

The summary of the notice on establishing the HIT Standards Committee states:
This notice announces the establishment of the HIT Standards Committee. The American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5), section 13101, directs the establishment of the HIT Standards Committee. The HIT Standards Committee (also referred to as the "Committee'') is charged with making recommendations to the National Coordinator on standards, implementation specifications, and certification criteria for the electronic exchange and use of health information for purposes of adoption, consistent with the implementation of the Federal Health IT Strategic Plan, and in accordance with policies developed by the HIT Policy Committee.
The notice outlines the criteria for members of the HIT Standards Commitee and states that the appointments shall be made in the following manner:
The HIT Standards Committee shall not exceed thirty (30) voting members, including a Chair and Vice Chair, and members are appointed by the Secretary with input from the National Coordinator. Membership of the Committee shall at least reflect providers, ancillary healthcare workers, consumers, purchasers, health plans, technology vendors, researchers, relevant Federal agencies, and individuals with technical expertise on health care quality, privacy and security, and on the electronic exchange and use of health information and shall represent a balance among various sectors of the health care system so that no single sector unduly influences the recommendations of the Committee. Non-Federal members of the Committee shall be Special Government Employees, unless classified as representatives.
Thanks for the tip on the issuance of the notice to John Halamka at Life as a Healthcare CIO: Next Steps on the HIT Policy and Standards Committees.



UPDATE (5/7/09): Brian Ahier (@ahier) provides the latest update on with information on the first meetings of the HIT Policy Committee on May 11 and HIT Standards Committee meeting on May 15. Brian also provides links to the announcment by the GAO of 13 of the members of the HIT Policy Committee.

The announcment includes a list of the 13 members appointed by the Acting Comptroller General covering 10 different categories:

Advocates for Patients or Consumers

1. Christine Bechtel, Washington, D.C. (3 year term)
Vice President, National Partnership for Women & Families

2. Arthur Davidson, M.D., Denver Colorado (2 year term)
Denver Public Health Department; Director, Public Health Informatics; Director, Denver Center for Public Health Preparedness; Medical epidemiologist; Director, HIV/AIDS Surveillance, City and County of Denver

3. Adam Clark, Ph.D., Austin, Texas (1 year term)
Director of Research and Policy, Lance Armstrong Foundation

Representatives of Health Care Providers, including 1 physician

4. Marc Probst, Salt Lake City, Utah (3 year term)
Chief Information Officer, Intermountain Healthcare

5. Paul Tang, M.D., Mountain View, California (2 year term)
Vice President and Chief Medical Information Officer, Palo Alto Medical Foundation

Labor Organization Representing Health Care Workers

6. Scott White, New York City, New York (1 year term)
Assistant Director, Technology Project Director, 1199 SEIU Training and Employment Fund

Expert in Health Information Privacy & Security

7. LaTanya Sweeney, Ph.D., Pittsburgh, Pennsylvania (3 year term)
Director, Data Privacy Lab, Associate Professor of Computer Science, Technology and Policy, Carnegie Mellon University

Expert in Improving the Health of Vulnerable Populations

8. Neil Calman, M.D., New York City, New York (2 year term)
President and CEO, The Institute for Family Health, Inc.
Research Community

9. Connie Delaney, R.N., Ph.D., Minneapolis, Minnesota (1 year term)
Dean, School of Nursing, University of Minnesota

Representative of Health Plans or Other Third-Party Payers

10. Charles Kennedy, M.D., Camarillo, California (3 year term)
Vice President, Health Information Technology, Wellpoint, Inc.
Representative of Information Technology Vendors

11. Judith Faulkner, Verona, Wisconsin (2 year term)
Founder, CEO, President, Chairman of the Board, Epic Systems Corporation
Representative of Purchasers or Employers

12. David Lansky, Ph.D., San Francisco, California (1 year term)
President and CEO, Pacific Business Group on Health

Expert in Health Care Quality Measurement and Reporting

13. David Bates, M.D., Boston, Massachusetts (3 year term)
Medical Director for Clinical and Quality Analysis, Chief of General Internal Medicine, Partners HealthCare/Brigham & Women’s Hospital

More information on the upcoming meetings:

Health 2.0 Boston: Tweet Stream Analysis

Chris Hogg does a great job of capturing the metrics of the Twitter discussion that occurred during the recent Health 2.0 Boston conference. Check out his slide show analysis of the Tweet Stream from the conference.
As someone who tweets at conferences that I attend I found the analysis very interesting. Some of what interested me the most from the slides:
  • There were over 3,000 tweets from 344 people attending the conference. Don't know what the total attendance of the conference -- but I suspect the 344 number is a relatively large percentage of the total attending.
  • Loved the use of the Wordle clouds to visually represent the discussion that occurred via Twitter.
  • Great to see the word "patient" as the second most tweeted word.
  • Slide 10 shows a mapping of those in the Health 2.0 network. Would love to see a blown up version of this slide to see the connections in more detail.

Tuesday, May 05, 2009

Virginia Department of Health Professions Breach: Extortion Demand Regarding 8M Patient Records and 35M Prescriptions

Information Week is covering a story involving an extortion letter sent last week to the Virginia Department of Health Professions seeking $10M to return more than 8M patient records and 35M prescriptions allegedly stolen from the Virginia Department of Health Professions.

The extortion demand was posted on WikiLeaks. The WikiLeaks website states:

May 3, 2009
Summary
On Thursday, April 30, the secure site for the Virginia Prescription Monitoring Program (PMP) was replaced with a $US10M ransom demand:
"I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(For $10 million, I will gladly send along the password."
The site, https://www.pmp.dhp.virginia.gov/pmpwebcenter/login.aspx appears to have been entirely disabled and is presently unavailable.
The linked file provides the full ransom message.
The PMP is used by pharmacists and others to discover prescription drug abuse.
The PMP declined to comment, although when contacted, appeared to be aware of the issue, instantly referring inquiries to the director of the DHP, who is presently unavailable.

The Virginia Department of Health Professions website indicates that they are "currently experiencing technical difficulties which affet computerand email systems."

Sandra Whitely Ryals, Director of Virginia Department of Health Professionals, responded to the inquiry by Information Week stating that "a criminal investigation is under way by federal and state authorities."

The Washington Post Security Fix blog is also covering this story. Follow more news on this story via Google News.


UPDATE (5/5/09):
At the bottom of his follow up post, John Chilmark asks the question: "Now the question is, under HIPAA, does the VDHP have to send out breach notifications to all consumers whose records have been compromised?

Here is my quick assessment. The HIPAA privacy rule (pre-ARRA HITECH) does not contain provisions that require a covered entity to notify individuals impacted by an alleged breach. However, when I have assisted clients with these types of data breach situations in the past I typically discuss with the client whether it is good practice to provide notification. The HIPAA privacy rule provisions do contain a requirement that a covered entity should mitigate potential harm to patients/individuals when there is a violation of the privacy rule. My interpretation is that this might, under certain circumstances, include providing notice to such individuals whose data has been compromised. Also, a question that factors into the equation is whether or not the Virginia Department of Health Professsions qualifies as either a covered entity or business associate under the HIPAA privacy rule. Handling these situations are very fact specific and depend upon a number of factors.

The new federal breach notification requirements contained in the HITECH section of the American Recovery and Reinvestment Act (ARRA) do not apply because the provisions do not go into effect until 30 days after the Department of Health and Human Services (HHS) publishes the interim final data breach notification regulations which has not yet occurred. The new federal breach notification law will be implemented in conjunction with the Federal Trade Commission's (FTC) proposed health breach notification rule that will apply to PHRs, PHR related vendors and other third party providers. The proposed rule is currently out for comment.

The regulations are currently in the works and HHS has now issued initial guidance on what data is classified as unsecured protected health information (not secured by technology that renders it "unusable, unreadable or indecipherable"). See the April 27, 2009 guidance for more on what this means. The guidance outlines the types of technologies that, if used, create a safe harbor for HIPAA privacy covered entities adn business associates to avoid having to provide notice in a situation where there has been a breach.

Also, the VDHP will likely have to assess the Virginia Data Breach Act (state-by-state survey of state breach laws by the National Conference of State Legislatures) to see whether notification or other action is required under state law.Over 40 states now have distinct state laws governing breach notification that extend to and cover everything from traditional personal information (name, social security number, etc.) to health related information. I've not dealt nor reviewed the Virginia Act but suspect a strong likelihood that notification will be required.

UPDATE (5/6/09): The Roanoke Times provides an update on the status of the pending investigation with comments from Governor Tim Kaine. The article states:
Gov. Tim Kaine said today that a hacker’s reported access to patient prescription records from a state database was “an intentional criminal act against the commonwealth by somebody who was trying to harm others” . . .

The FBI and the Virginia State Police are investigating the matter. Kaine said he could not discuss the probe.

“Right now our goal is to make sure that the investigation and criminal process works so that the person who is responsible is caught and prosecuted . . . and that we protect people whose data has been compromised,” Kaine said this morning.

The article also indicates that under Virginia law notification is required and that Virginia's breach notification law requires, like many state laws, that notice must be provided "without unreasonable delay."
The article also indicates that Virginia law requires notification of individuals whose personal information may have been accessed due to a computer security breach. The law states that notification must be provided “without unreasonable delay.”

Charleston FestivALL 2009: A City Becomes A Work Of Art

The preliminary lineup of events for Charleston FestivALL 2009 was announced today. Ten days of music, art, theater, entertainment, creativity and fun bring the city of Charleston alive from June 19 - 27, 2009. Where the city become a work of art!

As many of my friends, colleagues and regular readers know I love the Charleston FestivALL (my past posts) and am already excited about this years expanded ten day event. The event highlights why I love West Virginia and its creative powers and people. To experience a visual understanding of this feeling check out FestivALL from 2006-2009 through the eye of Rick Lee.

The image above will be a part of the official FestivALL 2009 poster. This year's poster, conceived and designed by Alex Morgado, is a symbol of the FestivALL idea. Local artists have contributed designs for letters. At the opening ceremonies, each letter will be taken to a different part of the city where it will be displayed during the ten days of FestivALL. At the end, they will be gathered and displayed together.

Check out the schedule of events (and pre-festival events) by FestivALL Executive Director, Larry Groce. Also, the lineup was announced in today's Charleston Gazette. Last year there were 83 different events featuring 169 performances, exhibitions and presentations by 378 companies, troupes and individual artists.

UPDATE (5/12/2009): FestivALL has launched its new web site which includes a full 2009 schedule. The web site has a cool and creative roll over of the artwork, "A City Becomes A Work Of Art." Check it out.