
Fitbit Data Being Used In Personal Injury Case

Posted on December 8, 2014 | Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

Lately, there’s been a lot of debate over whether data from wearable health bands is useful to clinicians or only benefits the consumer user. On the one hand, there are those that say that a patient’s medical care could be improved if doctors had data on their activity levels, heart rate, respirations and other standard metrics. Others, meanwhile, suggest that unless it can be integrated into an EMR and made usable, such data is just a distraction from other more important health indicators.

What hasn’t come up in these debates, but might far more frequently in the future, is the idea that health band data can be used in personal injury cases to show the effects of an accident on a plaintiff. According to Forbes, a law firm in Calgary is working on what may be the first personal injury case to leverage smart band data, in this case activity data from a Fitbit.

The plaintiff, a young woman, was injured in an accident four years ago. While Fitbit hadn’t entered the market yet, her lawyers at McLeod Law believe they can establish the fact that she led an active lifestyle prior to her accident. They’ve now started processing data from her Fitbit to show that her activity levels have fallen under the baseline for someone of her age and profession.

It’s worth noting that rather than using Fitbit data directly, they’re processing it using analytics platform Vivametrica, which uses public research to compare people’s activity data with that of the general population. (Its core business is to analyze data from wearable sensor devices for the assessment of health and wellness.) The plaintiff will share her Fitbit data with Vivametrica for several months to present a rich picture of her activities.

Using even analyzed, processed data generated by a smart band is “unique,” according to her attorneys. “Till now we’ve always had to rely on clinical interpretation,” says Simon Muller of McLeod Law. “Now we’re looking at longer periods of time to the course of the day, and we have hard data.”

But even if the woman wins her case, there could be a downside to this trend. As Forbes notes, insurers will want wearable device data as much as plaintiffs will, and while they can’t force claimants to wear health bands, they can request a court order demanding the data from whoever holds it. Dr. Rick Hu, co-founder and CEO of Vivametrica, tells Forbes that his company wouldn’t release such data, but doesn’t explain how he will be able to refuse to honor a court-ordered disclosure.

In fact, wearable devices could become a “black box” for the human body, according to Matthew Pearn, an associate lawyer with Canadian claims processing firm Foster & Company. In a piece for an insurance magazine, Pearn points out that it’s not clear, at least in his country, what privacy rights the wearers of health bands maintain over the data they generate once they file a personal injury suit.

Meanwhile, it’s still not clear how HIPAA protections apply to such data in the US. When FierceHealthIT recently spoke with Deven McGraw, a partner in the healthcare practice of Manatt, Phelps & Phillips, she pointed out that HIPAA only regulates data “in the hands of, with the control of, or within the purview of a medical provider, a health plan or other covered entity under the law.” In other words, once the wearable data makes it into the doctor’s record, HIPAA protections are in force, but until then they are not.

All told, it’s pretty sobering to consider that millions of consumers are generating wearables data without knowing how vulnerable it is.

OCR Didn’t Meet HIPAA Security Requirements

Posted on December 27, 2013 | Written By Anne Zieger

Oops — this doesn’t sound good. According to a report from the HHS OIG, the agency’s Office for Civil Rights has failed to meet the requirements for oversight and enforcement of the HIPAA security rule.

The 26-page report spells out several problems with OCR’s enforcement of the security rule, which was expanded by the HITECH Act of 2009 to demand regular audits of covered healthcare organizations and their business associates. The vulnerabilities found leave procedural holes which could harm OCR’s ability to do its job regarding the security rule, the OIG said.

What was OCR failing to do? Well, for one thing, the report contends, OCR had not assessed the risks, established priorities or implemented controls for the audits to ensure their compliance. Another example: OCR’s investigation files didn’t contain the required documentation supporting key decisions made by staff, because the staff didn’t consistently follow the office’s procedures for reviewing case documentation.

What’s more, the OCR apparently hasn’t been implementing sufficient controls, including supervisory review and documentation retention, to make sure investigators follow policies and procedures for properly managing security rule investigations.

The OIG also found that OCR wasn’t complying with federal cybersecurity requirements for its own information systems used to process and store data on investigations. Requirements it was neglecting included getting HHS authorizations to operate the system used to oversee and enforce the security rule. OCR also failed to complete privacy impact assessments, risk analyses or system security plans for two of its three systems, the OIG concluded.

All told, it seems that if the OCR is going to oversee the privacy rule properly, it had better get its own act together.

100% Interoperability, Quantified Self Data, and Data Liquidity – #HITsm Chat Highlights

Posted on March 30, 2013 | Written By

Katie Clark is originally from Colorado and currently lives in Utah with her husband and son. She writes primarily for Smart Phone Health Care, but contributes to several Health Care Scene blogs, including EMR Thoughts, EMR and EHR, and EMR and HIPAA. She enjoys learning about Health IT and mHealth, and finding ways to improve her own health along the way.

Topic 1: Do you think the healthcare system WANTS 100% interoperability & data liquidity? Why/why not?

Topic 2: As a consumer, what are YOUR fears about your health data being shared across providers/payers/government?

Topic 3: What do you think payers will do with #quantifiedself data if integrated into EHR? Actuarial/underwriting?

Topic 4: Could there be a correlation between your fear of data liquidity and your health?

Topic 5: What could assuage your fears? Education? Legislation? Regulation? Healthcare system withdrawal?

Sending PHI Over SMS

Posted on February 26, 2013 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I was recently talking with a doctor who told me about a healthcare communications company called YouCall MD. The doctor liked many of the features that YouCall MD provided. He loved that they would answer your live calls, transcribe a message to you and send you that message by SMS. Well, he loved all of it except the part where YouCall MD was using insecure SMS messages to send protected health information (PHI).

I wrote about this before in my post called “Texting is Not HIPAA Secure.” I know that many doctors sit on all sides of this. I heard one doctor tell me, “They’re not going to throw us all in jail.” Other doctors won’t use SMS at all because of the HIPAA violations.

While a doctor probably won’t get thrown in jail for sending PHI over SMS, they could get large fines. I think this is an even greater risk when sending PHI over SMS becomes institutionalized through a service like YouCallMD. This isn’t a risk I’d want to take if I were a doctor.

Plus, the thing that baffles me is that there are a lot of secure text message services out there. Using these services would accomplish the same thing for the doctor and YouCall MD, and they wouldn’t put a doctor or institution at risk of violating HIPAA. Soon the day will come when doctors can send SMS-like messages on their phones in a secure way and they won’t have to worry about it. I just think it’s a big mistake for them to be using their phone’s default SMS.

Privacy Group Seeks Rules For Healthcare Clouds

Posted on January 4, 2013 | Written By Anne Zieger

It’s time for HHS’ Office for Civil Rights to release “strong guidance” on cloud computing in healthcare, according to a letter sent by advocacy group Patient Privacy Rights. The letter, sent by PPR president Deborah Peel, argues that the transition to EMRs will be hampered if patients aren’t confident that their medical information is protected wherever it goes, including the cloud.

“More specific guidance in the health care ecosystem would help ensure that cloud providers, health care professionals and patients alike are aware of how the privacy and security rules apply to clouds,” Peel writes.

Peel suggests that HHS rely on lessons learned from the recently-settled Phoenix Cardiac Surgery case, in which a medical group was fined $100,000 for HIPAA violations including exposing clinical and surgical appointments on a publicly-available Internet calendar.

Specifically, Peel recommends the following standards be established:

Security Standards: Security standards must be implemented that are consistent and compatible with standards required of federal agencies including the HIPAA Security Rule and the HITECH breach notification requirements.

Privacy of Protected Health Information: Standards must be included that establish the appropriate use, disclosure, and safeguarding of individually identifiable information, which take into account stronger state and federal requirements, Constitutional rights to health information privacy, and the fact that HIPAA is the “floor” for privacy protections and was never intended to replace stronger ethical, or professional standards or “best practices.”

BAA Requirement and Standardization: Consistent with prior OCR guidance, any software company given access to protected health information by a HIPAA-covered entity to perform a service for the covered entity is a business associate. Thus, as OCR representatives have publicly stated on several occasions, a Business Associate Agreement (BAA) is required between a cloud computing provider and any customer entity that uses or discloses protected health information or de-identified health information. It is imperative that these BAA standards promote the protection of privacy and security of health information to ensure public trust in health IT systems and promote quality health care, health care innovation and health provider collaboration.

I was particularly interested to note her suggestion that software companies given access to ePHI sign Business Associate Agreements. My guess is that some cloud providers would fail miserably if asked to uphold HIPAA standards, simply because they aren’t prepared. If Peel’s recommendations were enacted, in other words, it could shake up the cloud services industry. Maybe that’s a good thing, but it won’t be a pleasant one for some.

Disaster Planning, Horrors of Generic HIT Training, and Snap.MD: Around Healthcare Scene

Posted on November 25, 2012 | Written By Katie Clark

EMR and HIPAA

Disaster Planning and HIPAA

Unfortunately, it appears that far too many healthcare providers don’t follow this rule. There aren’t very many that even have an emergency plan in place. However, this will soon need to be remedied. The HIPAA security general rules state not only that a patient’s privacy must be protected, but also that ePHI must be available at all times — even in the case of an emergency. All healthcare providers, regardless of size or situation, will need to implement some kind of disaster planning in order to be in compliance with these regulations.

EMR Add-Ons that Provide Physician Benefit

MedCPU is a part of the inaugural NYC Digital Health Accelerator class. They have developed a new concept that will likely be very helpful to many. It analyzes free text notes and structured data, checks for compliance with rules and identifies any deviations. The company described one hospital offering the services the company provides as a benefit to doctors who use the EHR. This is just one of many add-ons available, but some see them as a large reason why some doctors want to adopt EMRs.

Hospital EMR and EHR

Video: The Horrors of Generic HIT Training

Need a break from the day-to-day monotony? Be sure to check out this video on the horrors of generic HIT training. It “offers a wry take on what happens when EMR training isn’t relevant for the doctor who’s getting the training. In this case, we witness the plight of a heart surgeon who’s forced through a discussion on primary care functions that she neither wants nor needs.”

Study: EMR ROI Stronger In Low-Income Setting

A recent study revealed something interesting: hospitals in low-income areas may actually see a decent return on investment when an EMR is integrated. Three different areas were examined and analyzed, and it was found that after five years of having an EMR, the hospital studied had a net benefit of over $600,000. Not all hospitals will benefit this much, but it’s encouraging to see more EMR success stories popping up.

Smart Phone Healthcare

Get Peace of Mind and Avoid the ER With Snap.MD

It’s the middle of the night, and your child breaks out in a rash all over his or her body. The doctor’s office doesn’t have middle-of-the-night, on-call doctors, so the only option is the ER, right? Maybe not for long. Snap.MD, a new telemedicine system, may help parents decide if the Emergency Room is the best course of action. Parents of pediatric patients are connected to a physician, who will help evaluate the situation via video conferencing.

Our Health Privacy Paranoia

Posted on November 21, 2012 | Written By John Lynn

Katherine’s recent post on using EMR data to market to patients got a lot of really interesting discussion about how this data should be used and whether it’s OK to use EMR data for marketing. The majority of commenters were quite scared of the idea of EMR data being used for marketing. Most saw that there could be benefits, but saw it as a slippery slope and felt we should be careful going down that path. Most wanted an opportunity to opt out of such a policy.

Mark H. Davis offered a slightly different view in his comment about the need for privacy in this and other healthcare situations. Here’s what Mark said:

And now for a slightly different take…

I have no issues with my hospital using its knowledge of my health situation to provide me with targeted opportunities that might be beneficial. I see it as potentially a positive and proactive outreach. They will need to be sensitive in doing this, however, but in my region, the hospital system is pretty tightly woven into the community, anyhow, and would be rather affected by any backlash. And honestly, sometimes I feel like we make an overblown fuss about health data privacy just because everybody else is making a fuss about it, without stepping back and examining the actual impacts. For example, my mailman, with only slight observation, could easily deduce the health issues my wife, children and I have been treated for. The folks behind me in line at the drug store could do the same. Even most doctors’ offices I visit do a poor job of protecting privacy within the office itself. Just last week, I had to forcibly ignore the conversation taking place in an adjacent examination room. It was easily audible. Anyone who signs in at their PCP can see who has checked in earlier, for what doctor, for what time. Anyone who signs the pharmacist waiver form at the CVS can see who has signed in front of them. The prevalence of OTC meds makes it easier to tell what your fellow shoppers’ ailments are just by looking at their shopping cart. And somehow, we still co-exist. I’m not saying we shouldn’t protect ourselves against a massive data breach that could have dire consequences in the form of identity theft and other fallout. I’m just asking everyone to be honest about how serious they really are about privacy. It’s easy to pick on a hospital system without recognizing other areas where we turn a blind eye.

Mark does a great job articulating how many everyday healthcare situations expose our healthcare data without any major issues. Yet people tend to get far more worked up over the potential idea of an EMR data breach.

Certainly I’m not advocating reckless behavior when it comes to healthcare data and securing it properly. We need to make a thoughtful effort to ensure that patient data is kept secure and private. However, let’s be reasonable in our expectations about what’s possible.

Clinical Data Access, New Open Source EHR, and Striiv – Around Healthcare Scene

Posted on October 28, 2012 | Written By Katie Clark

Hospital EMR and EHR

Call Me Maybe at #CHIME12

One of the most popular songs among teens recently is “Call Me Maybe.” Well, at CHIME 2012, a music video of this song was created, featuring many of the participants in #CHIME12. It’s a fun little video, and the song sure is catchy.

Senators Join Initiative to Scrutinize Meaningful Use

Four GOP leaders have demanded that HHS Secretary Kathleen Sebelius account for “failures” they found with Meaningful Use, and recently a few senators have joined the fight as well. Several questions were raised about EMRs, Medicare, and Meaningful Use. Is this the push that was needed in order to get Congress interested in the future of EMRs?

EMR and HIPAA

SXSW Accelerator Event for Health Startups

SXSW has long been known as an amazing music, film and now IT event. In fact, many people laud the event as a great place where creative people from all industries come together. This year SXSW has a whole health IT campus and a section of their Startup Accelerator competition that’s just devoted to healthcare IT startups. It will be a great place for healthcare IT to mix with the rest of the IT startup world. Plus, I expect a number of very interesting health IT companies to launch in the SXSW accelerator.

Access to Clinical Data Too Easy Via Phone

Most doctors’ offices will verify a caller’s identity by asking for a name and birthdate. However, this system could easily be compromised. Is there a better way to verify this type of information before discussing medical issues? This post talks about different ideas, and how patient portals might be the solution.

New Open Source (Free) EHR Offering Developed by A Doctor

A new open source EHR is about to be released, and it was developed by a physician. Michael Chen, MD, the doctor behind it, was interviewed on EMR and HIPAA. In this post he discusses why he wanted to create an open source EHR, his future plans, and the challenges that might be associated with it.

Happy EMR Doctor

EMR Use Improves Primary Care: New Study

While there has been some debate about whether EMR improves patient care, a recent study indicates that it does, at least in some health specialties. Over 7000 patients with coronary artery disease and diabetes were studied over the course of nine months, and the results ruled in favor of EMRs. Dr. Michael West has found in his own observations that EMR does indeed improve patient care as well.

Smart Phone and Health Care

Five Challenges of mHealth

While mHealth has many advantages and has improved health care in many ways, there have been some challenges that have come about. These challenges include privacy, data security, and funding.

Striiv Ups the Standard for Pedometers — Games, Challenges, and Charity Incorporated

A new generation for the classic pedometer has been created. Striiv recently released a $99 pedometer that really gives the old kind a makeover. It incorporates fitness games, goals, and a charity to convince people to get walking. For those that don’t want to spend $99 on a pedometer, the (free) mobile app is available for the iPhone, and has a lot of the same functions.

HIMSS Pushes For National Patient Identifier System

Posted on October 2, 2012 | Written By Anne Zieger

Well, here are some trade organization efforts that aren’t just a lot of smoke and mirrors and self-interest. Apparently, HIMSS is pushing Congress hard to establish a national patient identifier system usable for sharing digital records between facilities.

HIMSS execs estimate that as many as 14 percent of all medical records include wrong, potentially dangerous information due to patient misidentification, a problem which is likely to get worse as more systems transition data from paper to EMRs, according to a story in InformationWeek magazine.

As if that wasn’t bad enough, HIMSS says, when organizations begin to share data under Meaningful Use Stage 2, the problem is likely to get much worse. (And doesn’t a system that makes mismatches and lost data likely more or less completely defeat the purpose of setting up HIEs in the first place?)

In reality, a single patient identifier won’t do the job on its own. In fact, it could contribute errors of its own, HIMSS notes, so adding biometrics and probabilistic record matching will be necessary to really get things right. But getting moving on the identifier is a start.

To get things standardized, HIMSS would like to see Congress request a report from the Government Accountability Office on the subject to help legislators better understand the issues. (They got as far as getting the House to file a resolution in support of the concept last year, but no further.) HIMSS has since been working with other associations, think tanks, CMS and ONC to raise awareness of the issue.

To get what it wants, HIMSS will have to convince Congress to change existing law, reports InformationWeek. Since 1999, it’s been illegal to establish such an identifier, as Congress apparently felt the public would view it as a privacy risk.

EMR Security, Afghanistan EMR, and Regina Holliday EMR Video

Posted on August 26, 2012 | Written By John Lynn

Time once again for our roundup of interesting tweets from around the EMR twittersphere. We really go around the world with one of these tweets. Hopefully you find them useful and interesting.

I don’t think most of you know that I’m also working on a redesign of my websites. It’s still got a little ways to go, but I think it’s coming together nicely. It’s going to add some features I’ve wanted for a while and make the design look a lot better. I’ve had the current design for more than 6 years, so it was time. One of the best features of the new website is Twitter embeds. I can’t wait!

Without further ado, a few EMR and health IT tweets with some of my own commentary:


I always love when people talk about the huge EMR security risk. When you look at the breach list and the healthcare data security issues, EMR barely shows up. There are so many other security issues with medical practices that are much more vulnerable. Not that we should give EMR security a pass, but EMR security is likely one of the most secure things in a medical office. So, this is good advice.


I always love to hear how the military uses EMR. They use EMR in some of the most challenging places imaginable. I think we can learn a lot from their experiences.


I think this is a really interesting contest by ONC. I’m looking forward to seeing more of the videos that are created. My fear is that most of the videos will come from EHR companies that push their EMR power users to make something. We’ll see how it turns out.