I noticed today on Med Tech Sentinel that Google is about to begin experimentation with electronic patient medical records. Douglas Cress writes: “the Cleveland Clinic will facilitate Google’s potential domination of the electronic personal health record (PHR) space. Google chose the Clinic because they offer 100,000 patients the tools to manage their medical records online and coordinate with doctors using a PHR suite called eCleveland Clinic MyChart. An invitation will be extended to 1,500 – 10,000 of these users.” Google will use this trial to determine the level of its security in exchanging “patient medical record data including prescriptions, conditions, and allergies.” C. Martin Harris, Chief Information Officer of the Cleveland Clinic, said: “this collaboration is intended to help Google test features and services that will ultimately allow all Americans (as patients) to direct the exchange of their medical information between their various providers without compromising their privacy.
I believe the term of the day is: “HIPAA compliance.” This two word phrase is beginning to make the news in a big way. On one hand you have the CMS (Centers for Medicare and Medicaid Services) ready to conduct stringent HIPAA security audits of hospitals, and now on the other hand you have Google looking to become the top player in the electronic medical records arena. At the root of Google’s potential conquest is the technology and desire for patients to manage their personal health care records. This need is owed in large part to HIPAA, which ensures that the privileged relationship between doctor and patient is upheld. According to HIPAA, electronic patient health care data must be retained and kept secure in order for a health care provider to be deemed HIPAA compliant. However, providers such as the Cleveland Clinic have begun offering personalized tools for patients to manage their health records online. This new trend is certainly a fine idea and on part with a continuously evolving society, but are there some risks to be noted here? Are there reasons to be cautious of what Google is doing?
Firstly, what is in this for Google? I mean, nothing this noble could come for free, right? Of course not, and the concept to be aware of here is called “targeted marketing.” I am posting an additional excerpt from Douglas Cress below because I think it is important to read:
“Anyone who has spent any time on the Internet (or sorting through spam in their email in-box) should have a sense of how profitable medicine is on the Internet. Based on some cursory keyword research, and my rough calculations, Google is earning $20 million in annual revenues from the keyword ‘Viagra’ alone. ‘Ambien’ costs $2.43 -$3.65 per click; local queries like ‘Brooklyn dentist’ cost $3.71 – $4.98 per click. If Google delivers on their promise of a web portal with 24/7 access to health care information – and they’re certainly well positioned to, with their global web-based architecture and a focus on security – the upside could be tremendous. Google will have the ability to offer a free service supported by advertisers. Think GMAIL for medicine – with ads for doctors, pharmacies, drugs, and devices peppered beside your personal health records and delivered using the same contextual advertising Google is known for.”
This means that much to the delight of health care advertisers your medical records information will be used to assist in the campaign of targeted ads. There is also the issue of Google security here, is a simple password alone really enough to make you feel confident that your electronic health care data cannot be breached? What if your information is hacked? It’s true that it is possible for any system to be tampered with but would you feel more confident in a security provider that specializes solely in that field, or a gigantic corporation that merely uses it as an additional service? Will Google work on encryption? Will Google’s program only be compatible with health care providers that currently offer patients with the tools to manage medical records? If not, how would it work? If Google succeeds and takes this mainstream, how will this affect the email archiving industry? Will health care professionals flock to Google for their HIPAA email compliance needs? Stay tuned.
Permalink
Leave a Comment
According to report on patient privacy (RPP), the industry’s most practical source of news on HIPAA patient privacy provisions, the compliance reviews which began last month “are separate and unrelated to audits being conducted by the HSS Office of Inspector General (OIG).” Tony Trenkle, director of the CMS Office of E-Health Standards and Services, told RPP that “the focus is broader than just hospitals, although they are included. In the future we may work with OIG, but these are two separate proceses.” Trenkle’s senior policy advisor, Lorraine Tunis Doo, added: “we will interview the people who are appropriate to the documentation and policy and procedures that we need to evaluate. Whoever is relevant will need to be there. It could be different at every review.” In regards to the 283 security complaints logged by the CMS as of December 2007, Trenkle said: “the majority of allegations are of inappropriate access and risk of inappropriate disclosure.”
Well, as the Centers for Medicare and Medicaid Services (CMS) start to integrate the compliance review process there are a bunch of pertinent questions that come to my mind. Firstly, how will the CMS reviews impact the current state of electronic patient health care data and email management? Would a serious HIPAA violation change the way that electronic information is managed by health care providers? What is the difference between a HIPAA security compliance review and an OIG audit? Would the agency doing the testing (OIG or Office of E-Health Standards and Services) impact the stringency required for the security and privacy of an email archiving system? Will the OIG and CMS Office for E-Health Standards and Services be working together in the future? If the answer is yes, would this create a uniform policy and method for testing electronic patient health care data? Would the OIG merely be setting the stage for Tony Trenkle by doing preliminary investigation work? How many entities will be reviewed? What other health care providers and facilities will be subject to HIPAA email compliance regulations besides hospitals? Stay tuned for updates.
Permalink
1 Comment
In this entry I would like to focus on the cost of an in-house email archiving solution versus that of an outsourced service. Firstly, which one is more cost efficient? This question is an important one for most small to mid-sized businesses as they need to keep email archiving within a tight IT budget. Organizations will be pleased to know that the answer is an outsourced service, and it is usually by a significant amount. But why? Why are in-house solutions so much more expensive? It all comes down to the sheer amount of work that is required to keep the in-house solution up and running. The IT team is responsible for monitoring all incoming and outgoing electronic communications, maintaining email archiving appliances, and ensuring proper systems integration. There is also the issue of storage space, which could add up in a hurry if your business has thousands of emails entering and leaving the archive daily. Outsourced services retain all of your email messages for you and present you with advanced search options to quickly retrieve specific emails that have been captured in the archive. However, the big question that I am posing here is: are there any distinct advantages to an in-house email archiving solution that would justify the high cost to maintain and integrate? Why do some organizations PREFER the higher cost?
In one word, the answer is trust. Companies simply do not feel comfortable trusting an outsourced email archiving service to sift through their email and have access to private information. But is that really what happens? Do email archiving services take such advantage of their clients? No, they don’t. Why not, you might ask? Roles based permission access, industry regulation authorities, and business reputation are three critical factors that ensure outsourced email archiving safety. Are there any distinct advantages to an in-house email archiving solution that would justify the high cost to maintain and integrate? There are some loose arguments to be made in favor of an in-house solution, but stay tuned for part II for more information.
Permalink
Leave a Comment
I noticed on the HIPAA Blog that Horizon Blue Cross and Blue Shield, New Jersey’s largest health insurance company, had a laptop computer stolen earlier this month in Newark along with the personal information of 300,000 of its members. Jeff Drummond reports that the laptop contained the names and social security numbers for “about 10% of the 3.3 million customers in New Jersey.” The first question that popped into my mind is: did Horizon Blue Cross and Blue Shield commit a HIPAA violation? Since there is no question that names and social security numbers are considered protected health information under HIPAA, the real issue becomes one of security. Who is in charge of enforcing HIPAA security regulations? That would be the CMS (Centers for Medicare and Medicaid Services), who would need to take action in determining if the laptop was reasonably secured at the time it was stolen. According to an editor on Realtime IT Compliance, they would need to conduct “an independent audit of the situation to reveal whether or not this was truly a violation of HIPAA.”
Well, what are people to think now? Do the 300,000 NJ members who had their information subject to potential identity theft feel confident in HIPAA security? How often are HIPAA audits conducted in the first place? I would be curious to know when the last time Horizon Blue Cross and Blue Shield was audited for adequate security and privacy measures. If protected health information such as social security numbers and names can be stolen, what about emails and electronic documents? Health insurance privacy & security professionals will have to give careful thought to email management and email archiving systems in the coming months, as the success of one thief could lead to a string of incidents to see how far HIPAA security breaches can be pushed.
Permalink
Leave a Comment
Simplicato's Weblog 