Quote Of The Year

Timeless Quotes - Sadly The Late Paul Shetler - "It's not Your Health Record it's a Government Record Of Your Health Information"

or

H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."

Saturday, September 24, 2016

Weekly Overseas Health IT Links – 24th September, 2016.

Note: Each link is followed by a title and a few paragraphs. For the full article, click on the link above the title of the article. Note also that full access to some links may require site registration or subscription payment.
-----

Task force recommends improvements for Blue Button Connector

Published September 16 2016, 6:59am EDT
A website that helps consumers find their health information online has been given a mixed review by a federal advisory task force charged with assessing the tool.
Launched in 2014 by the Office of the National Coordinator for Health IT, the Blue Button Connector is designed to enable consumers to determine which healthcare providers offer electronic access to their health records.
In addition, the online resource is also meant to help developers find out what type of electronic health data is being shared with people, so they can build apps that utilize the data to enable consumers to better understand and use their health information.
-----

'VICTORY' key to robust health breach management

Sep 16, 2016 11:20am
When talking about cybersecurity and breach management, Ty Faulkner, chief commercial officer at Rural Health Information Technology Corporation, focuses on one acronym: VICTORY.
It stands for vigilant, inspection, communicate, timeliness, ownership, rules and you.
“It goes from the business leader all the way to the [IT] gatekeeper that we really need to understand what it is we’re responsible for and what the rules are” when it comes to security, Faulkner said at the 25th National HIPAA Summit on Friday.
-----

Why the healthcare industry is a 'sitting duck' for data loss

Sep 16, 2016 9:59am
Data loss is increasing across industries, and traditional efforts to stop it are ineffective, according to a new McAfee Labs security report.
In particular, the report dubs healthcare providers and manufacturers with outdated systems and vulnerable medical devices “sitting ducks.”
The report includes an analysis of recent ransomware attacks against healthcare organizations, concluding that while most didn’t pay to meet hackers' demands, some did, to the tune of around $100,000. It concludes that despite the fact that these attacks were fairly unsophisticated, the healthcare provider victims were easy targets.
-----

American Well adds psychiatry services to telemedicine lineup

Consumers now can see psychologists and psychiatrists on Amwell, a telehealth app that enables visits with caregivers via video technology.
September 15, 2016 08:55 AM
American Well has announced that its clinical care partner, Online Care Group, has added psychiatry services to the lineup of medical services available via the American Well Amwell app for video doctor visits.
The company said that the new services bring self-scheduling for patients, a multi-way video app with which patients can invite participants, such as family members, into a live visit, and features for coordinating physicians who are part of the multi-specialty Online Care Group.
“Every year nearly one in four people will deal with a mental health disorder, yet less than half of these individuals will actually receive treatment,” said American Well’s vice president of behavioral health, Zereana Jess-Huff, MD. “Mental healthcare is in desperate need of real solutions and tele-mental health can bridge that gap. With our reach and network telehealth will continue to serve as a real solution to severe access issues for mental healthcare.”
-----

Health information exchanges are coming of age and proving their worth

By Joseph Conn  | September 15, 2016
The wobbly credibility of third-party health information exchange organizations got a boost after Texas Health Resources signed up to share patient data in a highly competitive healthcare market.
The 14-hospital system will join 32 other providers that are sending data to Healthcare Access San Antonio, an exchange whose territory stretches from the Oklahoma border in the north to Corpus Christi south on the Gulf Coast, the organizations said this week in a news release. HASA handles nearly 2.2 million patient records and supports about 2,400 HIE users.
HASA is one of nine health information exchange organizations in Texas and about 150 nationwide.
-----

Pulse Check: Aneesh Chopra says health care's data revolution has arrived

09/15/16 05:40 PM EDT
Aneesh Chopra thinks we're telling the wrong story about health care data.
The nation's first chief technology officer told POLITICO's Pulse Check podcast that there's too much pessimism about vendors blocking information and the inadequacy of electronic health records. He believes the health care industry is finally answering the call for interoperability — and patients are starting to see the benefits.
"What's happening now [is] so exciting," Chopra enthused. "There's all this negative energy … vendor this, who's bad, who's good. All that is silly. We're in a great place, on our way to greater places."
Chopra pointed to the Argonaut Project as an example of how rivals like Epic and Cerner are joining forces to share code and agree on common standards. "I love how vendors are collaborating," he said. While some critics have suggested otherwise — a recent Health Affairs study concluded that electronic record vendors are hoarding data to turn a profit — Chopra thinks it's partly a reality of business.
-----

HIT Think How to shore up networks to thwart intrusion attempts

Published September 14 2016, 2:00pm EDT
While there are processes and regulations in place for sharing and protecting data in the healthcare industry, there is no single prescription for monitoring the array of networks across which data travels within hospitals and among healthcare organizations. According to an independent research organization, 90 percent of health organizations have experienced some type of data breach in the last two years, and almost half have had five or more breaches.
The information in the databases that hospitals and health networks maintain is especially attractive to hackers, so the need for effective network monitoring and complete network visibility has never been greater for the healthcare IT professional. What’s the best way for a healthcare organization to approach network monitoring and security?
-----

Healthcare rife with flash software vulnerabilities

Published September 14 2016, 1:21pm EDT
A software security vendor recently analyzed 250,000 mobile devices and laptops/PCs used in the healthcare industry and found half of the devices were running on outdated versions of Flash, a programming software product to create web applications.
The vendor, Duo Security, sells software to verify the identity of users and the security status of their medical devices before they access applications. Flash is particularly prevalent in healthcare where it is found in twice as many computing devices compared with Flash use in other industries, according to Mike Hanley, director of the Duo Labs research and analysis unit.
-----

Study: Success of Meaningful Use program 'mixed'

Sep 14, 2016 11:06am
The HITECH Act and its Meaningful Use program have met with some success, but its achievements have fallen short of hopes, according to a new study in Milbank Quarterly.
The study, conducted by Mathematica Policy Research as part of a larger project funded by the Office of the National Coordinator for Health IT, found that electronic health records exist in some form in most professional practices and hospitals, more information is being shared electronically and the focus of attention has evolved from EHR adoption to the use of health IT to improve healthcare delivery and outcomes.
However, it has been hard to move Meaningful Use beyond the low bar set by Stage 1 of the program. Providers’ dissatisfaction with the ability of EHRs to integrate with their workflow created opposition to future stages of Meaningful Use. EHRs vary in ability to support more advanced functionalities, and many barriers to interoperability persist.
-----

Special Report: Portals

Portals have become ever more sophisticated, but there are still debates about their limits. Lyn Whitfield reports.
“The days of saying: ‘there are lots of useful pieces of information out there, and you can join them up and then view them through a portal’ are over,” says Colin Henderson from Orion Health. “People have moved on from that.”
This is a theme that soon emerges from talking to integration and portal suppliers. All of them argue, with some nuances, that portals have become more technologically sophisticated, are being required to support new and complex workflows and are set to evolve further into platforms into which a range of information sources can play.
Clinical portals
Paul Sanders, general manager for health at Civica, says it is “as more and more systems have been brought into portals” that it has become clear what a portal should be – something that enables people to both “find and use information” – and do that securely and safely via features such as single sign-on.
-----

Editor's Corner: Patient access to records far from reality

Sep 15, 2016 8:28am
The current brouhaha about the release of the presidential candidates’ medical records has inadvertently shed light on an important issue: the ability of patients to assemble a complete set of their medical data.
Two recent reports highlight the problem.
One is the Office of the National Coordinator for Health IT's latest data brief announcing that there has been a “dramatic” and “significant” increase in the number of hospitals offering patients access to their electronic medical records. The brief reports that the rate of U.S. nonfederal acute care hospitals that enable a patient to view his or her records jumped from 24 percent in 2012 to 95 percent in 2015. The percentage of hospitals that enable patients to not only view, but also download and transmit records grew almost seven-fold between 2013 and 2015, from 10 percent to 69 percent.
The number and variety of other patient engagement functionalities also continued to rise, according to the data brief.  For example, the percentage of patients who could submit patient-generated data increased from 13 percent in 2013 to 37 percent in 2015. The percentage who could pay their bills electronically rose from 55 percent in 2013 to 74 percent in 2015.
-----

Francis Collins: Privacy a priority for Precision Medicine Initiative

by Dan Bowman 
Sep 15, 2016 2:19pm
Speaking Wednesday at an event hosted by The Washington Post, National Institutes of Health Director Francis Collins discussed both the potential of and the challenges surrounding the Precision Medicine Initiative.
In particular, Collins said, privacy is a priority, especially given the program’s size--1 million participants--and the current climate in the industry regarding cybersecurity.
“We have thought about [privacy] a lot, and if there’s one thing that wakes me up at night when I’m thinking about how cool this could be, but also thinking about all the ways that this might not go well, is if we have some kind of terrible security breach,” Collins said. “People are being asked to make available their electronic health records and there’s a lot of personal, private information in it, with the expectation that that’s going to be a trusted donation that will be handled with great care and will not be falling into the hands of bad people.”
-----

HIT Think 4 ways in which SaaS is transforming IT departments

Published September 15 2016, 3:24pm EDT
While on-premise, perpetual license software certainly isn’t going away anytime soon, it’s hard to deny at this point that software as a service tools are gaining ground and will eventually overtake their on-premise counterparts.
According to a Forrester report, IT budgets for on-premise applications dropped by 13 percent between 2012 and 2013 while SaaS budgets increased by 53 percent. And this trend has only accelerated since then. The SaaS market is expected to reach $12 billion in 2016 and $55 billion by 2026. At this point, it’s not a question of if your SaaS budget will surpass on-premise, but when.
But while much of the focus thus far has been on how SaaS will improve the way you do business, less attention has been given to how your IT department must change to adapt to this new environment. CIOs are quickly learning that the skills, infrastructure and processes that have governed their fields for the past two decades are becoming obsolete, and a shift to SaaS necessitates a radical re-evaluation of how they approach their jobs.
-----

3 lesser-known pitfalls to avoid when changing EHRs

Sep 13, 2016 4:53pm
Many providers are familiar with some of the downsides when replacing EHRs, such as interoperability issues, training and costs of the transition. But there also are lesser known pitfalls of which providers should be aware.
Two physicians, Cynthia Croy, a solo practitioner in Joplin, Missouri, and Albert Fuchs, of a three-person practice in Beverly Hills, California, shared their lessons learned when changing EHRs in a recent article for Medical Economics. They warned about several lesser known risks, including:
  • The selection process: Don't rush it, Croy said. You may end up unhappy and getting rid of the new system fairly quickly. Croy ran into this problem with her second EHR system, and said she learned to spend six to eight weeks conducting research before going all in.
-----

How are Healthcare Data Breach Victims Affected by Attacks?

By Elizabeth Snell on September 13, 2016

Healthcare data breach prevention requires the input of cyber risk management professionals and more comprehensive oversight, according to ICIT.

The large fiscal cost to individual victims stemming from medical identity theft is just one of the key ways that healthcare data breaches affect patients, according to a recent report from the Institute for Critical Infrastructure and Technology (ICIT).
Healthcare cybersecurity attacks are much more prevalent and common because the industry typically has weaker approaches to data security, states “Your Life, Repackaged and Resold: The Deep Web Exploitation of Health Sector Breach Victims.”
“Vulnerable legacy systems and devices that lack the ability to update and patch are Frankensteined into networks possessing newer technologies that can be updated and patched,” the report’s authors wrote. “As a result, the organization’s IoT microcosm becomes collectively vulnerable as effective layers of security cannot be properly implemented.”
Furthermore, executives often make “budget-line decisions that shift the risk of compromise onto the patients,” which could then put their personal data at risk.
-----

Cyber 'Smear': Hackers Publish Olympians' Medical Records

By Brian Ross and Lee Ferran
Sep 13, 2016, 2:13 PM ET
In what a U.S. official said was a "smear" attack on American Olympians, hackers have posted online medical and drug testing records for top athletes including gymnast Simone Biles, tennis players Serena and Venus Williams and basketball player Elena Delle Donne.
The World Anti-Doping Agency (WADA) announced online today that hackers, who were previously linked to the Russian government, are believed to have breached one of their systems and then leaked the information publicly.
The group, calling itself Fancy Bear, alleged that the records they pilfered show the U.S. athletes had "regularly used illicit strong drugs justified by certificates of approval for therapeutic use." The records themselves show that the athletes were permitted to take the medication for existing conditions.
-----

Don't let online health sites turn you into a 'cyberchondriac'

From CNET Magazine: The internet is a great source of information to keep us healthy. Sometimes, though, we take it to extremes.
September 13, 2016 3:01 PM PDT
Feeling poorly? Chances are, you've already checked out a few of the thousands of websites, medical papers and news stories out there on the internet to try to figure out why you feel the way you do.
There's also a good chance your brain glommed onto something frightening (CANCER!) before deciding on a more likely cause. And you know -- just know! -- you're having a heart attack and not heartburn, despite scarfing down three bowls of two-alarm chili in a single sitting.
There's actually a word for this: "cyberchondria." It refers to unfounded heightened concerns about common symptoms after reading medical websites and online articles.
A 2008 report published by Microsoft Research, in fact, said almost 40 percent of the people it studied became more anxious after researching their symptoms online. That reaction is so common that comedian John Oliver in May even joked that WebMD's motto should read, "Everything Causes Cancer."
-----

Epic reveals R&D spending outstrips Apple, Google and its competitors

CEO Judy Faulkner discussed her company’s research and development totals for the first time. She also said Epic’s spending outpaces rivals Allscripts, athenahealth and Cerner in R&D.
September 13, 2016 07:01 AM
Epic CEO Judy Faulkner said that research and development is her sweet spot because she has a technical background and added that is among the reasons her EHR company spends so much on R&D. 
VERONA, WISCONSIN— Epic Systems founder Judy Faulkner told Healthcare IT News in a recent interview at the company’s headquarters that the EHR giant invests 50 percent of its operating expenses on research and development.
She pointed out that three rival health IT companies spend less, with Allscripts coming in at 34 percent, Cerner at 19 percent and athenahealth at 10 percent—numbers that Healthcare IT News verified in SEC filings.
As a private company, Epic does not have to file an income statement as publicly traded companies like her competitors are required to do. So Faulkner cut to the chase. “I know what we spend,” she said.
-----

ONC: Most hospitals offer patients access to their electronic records

Sep 13, 2016 10:18am
There has been a “significant” increase in the percentage of hospitals that provide patients with the ability to view, download and/or transmit data in their electronic health records, according to statistics shared this week by the Office of the National Coordinator for Health IT.
The rate of U.S. nonfederal acute care hospitals that enable a patient to view his/her records has jumped from 24 percent in 2012 to 95 percent in 2015, a new data brief reveals. The percentage of hospitals that enable patients to view, download and transmit grew almost seven-fold between 2013 and 2015, from 10 percent to 69 percent. Moreover, in 2013 no states had 40 percent or more of their hospitals providing view, download and transmit capability; by 2015, all states boasted 40 percent or more of their hospitals doing so.
-----

Ability of patients to access electronic records rises dramatically

Published September 14 2016, 6:52am EDT
The number of U.S. hospitals that enable patients to electronically view, download, and transmit their health information grew nearly seven times between 2013 and 2015, according to data gathered by the Office of the National Coordinator for Health IT.
The results, published in a new ONC data brief, show that last year:
  • 95 percent of the nation’s hospitals provided patients with the ability to view their health information electronically.
  • 87 percent provided individuals with the ability to download their health information.
  • 71 percent offered patients the ability to transmit their health information.
  • 69 percent of hospitals provided individuals with the ability to view, download, and transmit their health information.
-----

From Standalone to Enterprise-Wide

Labs Take the Leap to Integrated Information Systems

Author: Julie Kirkwood  // Date: SEP.1.2016  // Source: Clinical Laboratory News
Two years ago, the University of Arkansas for Medical Sciences in Little Rock took what chief medical information officer Thomas Powell, MD, calls the “big bang” approach to changing software throughout its hospital and clinics. Every department simultaneously converted to Epic, including the laboratory, which switched to Epic Beaker. “We were actually, I believe, one of the early major institutions in the U.S. to go with Beaker as our laboratory system,” Powell said.
This transition was not seamless, as laboratory staff noticed problems immediately. Beaker lacked some basic functionality, such as recognizing duplicate orders. “They were wasting a lot of reagent doing a second version of a test that had already been run,” Powell said. Beaker has since improved, according to Powell, and though it is not perfect, healthcare systems are increasingly converting their laboratories to enterprise-wide systems like Epic and Cerner for one important reason: integration. “The big push in healthcare is to bring access to all of the relevant data concerning the patient into one location,” he added.
-----

mHealth App with Coaching Support Aids Diabetic Weight Loss

By Nathan Boroyan on September 12, 2016

An mHealth app that uses the same principles as the National Diabetes Prevention Program may be just as effective as traditional in-person programs at helping diabetics lose weight.

An mHealth app that uses the same principles as the National Diabetes Prevention Program (NDPP) effectively helped overweight Americans, diabetics and pre-diabetics lose weight, according to a study published in the British Medical Journal.
A research team observed 43 overweight or obese adults diagnosed with prediabetes participating in a 24-week virtual Diabetes Prevention Program with human coaching delivered through a mobile app. The program followed guidelines that are similar to the NDPP, the first diabetes chronic disease management program eligible for Medicare reimbursement.
-----

Opioid epidemic must also be a call to arms for healthcare IT

In a rare open letter to the nation’s doctors, U.S. Surgeon General Vivek Murthy sounded a rallying cry to engage their greater participation in the opioid-abuse crisis afflicting our country. Missing from Murthy’s commendable call to arms, though, was mention of the role technology plays in reducing drug diversion and doctor shopping, and providing ready access to services to support patients.
Those of us in healthcare IT know that technology is critical to this cause. Unfortunately, providers aren’t adopting as quickly as they could the substance abuse-fighting technologies that are widely available to them. This includes a variety of technology solutions such as:
  • E-prescribing technology, particularly EPCS to support the electronic prescribing of controlled substances, which is key to helping providers more efficiently deploy and monitor prescription medicines. EPCS can also reduce the public stigma for opioid-addicted persons who would now be able to use their local pharmacies instead of being required to go to specially-designated facilities.
  • Medication adherence monitoring technology that lets providers gauge in real time a patient’s level of compliance with drug therapy
  • Clinical decision support that helps doctors avoid adverse drug events and medication errors
  • State-run prescription drug monitoring programs (PDMPs) designed to help law enforcement track the use of controlled substances and help prescribers identify those seeking illicit access to controlled substances
-----

Nearly half of cloud-based malware delivers ransomware

Published September 13 2016, 3:12pm EDT
Concerns over ransomware have grown considerably this year, and for good reason. A new study finds that nearly half of all cloud-based malware now delivers ransomware applications.
That is the finding of the September Netskope Cloud Report, which looks at the prevalence of ransomware and how it spreads through cloud applications within an organization. The study found that 43.7 percent of malware found in enterprise cloud apps has delivered ransomware, and that 55.9 percent of malware-infected files found in cloud apps are shared publicly.
To put the threat in perspective, the report says the typical organization has 26 pieces of malware found in cloud apps. Of the 43.7 percent that deliver ransomware, those typically involve common ransomware delivery vehicles, including Javascript exploits and droppers, Microsoft Office macros and PDF exploits.
-----

HIT Think How healthcare can play safe in the data lake

Published September 13 2016, 3:16pm EDT
We're seeing more healthcare organizations get serious about big data. Even in the boardroom, healthcare leaders are asking, “How can we use big data to help us improve outcomes?”
What's driving this trend? Other industries have benefitted enormously from big data; how do we in healthcare do the same? And most importantly, what do we need from big data to make it not just a promising technology, but a means towards affordable, patient-centric care?
Currently, healthcare organizations are struggling to get their heterogeneous data all in one place. They're battling to break down data silos and make all their information locked in patient records and other disparate systems available for analysis. And that’s just within a single hospital or system. While Healthcare Information Exchange projects have made a dent in the broader problem, they really haven’t solved the silo issue.
-----

Stealth plan to sell UK patient health data

The UK government just scrapped a plan to sell health data without patient consent. Now it’s considering a similar new one.
By  Helen Collis 
8/22/16, 6:32 PM CET
LONDON — The British government is considering plans to sell health data to private firms without patient consent, weeks after a public outcry over privacy forced it to scrap a similar scheme.
Buried in new guidelines on how to handle patient data, and barely mentioned by the Department of Health, is a recommendation that all patient data be collected from U.K. family doctors and stored centrally.
It also says that “in due course, the opt-out should not apply” — meaning that patients would no longer be given the choice to prevent their information being stored and sold. The fear for health and privacy campaigners is that the data could be sold on to private firms, including consultancies that help pharmaceutical companies penetrate the market.
-----

IT adoption boosting quality of care in nursing homes

Published September 12 2016, 7:24am EDT
Although nursing homes play a critical role in healthcare, they do not receive the same financial incentives as hospitals to adopt information technology systems. Nonetheless, IT-based resident care is becoming more widespread and is having a positive impact on patient outcomes as seen in quality measures.
There are about 16,000 nursing homes across the country providing care to more than 1 million Americans, according to Greg Alexander, professor in the University of Missouri’s Sinclair School of Nursing, who led the first national study of resident care linking IT sophistication and quality measures.
The study, supported by a grant from the Agency for Healthcare Research and Quality, evaluated national survey data measuring IT sophistication, including IT capabilities, the extent of IT use and IT integration, in three domains of healthcare—resident care, clinical support, and administrative activities.
-----

Cybersecurity expert says 'almost everything can be hacked' and endpoint protection is not enough

Healthcare organizations need to implement high-end network monitoring and network anomaly detection, according to Core Security general manager Chris Sullivan.
September 07, 2016 07:03 AM
Core Security general manager Chris Sullivan predicted that in one or two years information security professionals and healthcare executives will realize that endpoint protection and agents are not always practical. 
The average consolidated total cost of a data breach grew from $3.8 million in 2015 to $4 million in 2016, according to the 11th Annual Cost of Data Breach Study from the Ponemon Institute and IBM. The study also found the average cost incurred for each lost or stolen record containing sensitive and confidential information increased from $154 to $158.
Digital records of healthcare information have become quite valuable to cybercriminals, and healthcare is widely considered to be behind other industries in figuring out and implementing the best tactics and technologies to protect its data. What’s more, healthcare has some fairly unique security problems, including unusual variables in personnel access control, the challenges of mobile health, and dated, hackable equipment such as drug pumps.
-----

Privacy expert shares tips for preventing visual hacking

Visual hacking’s low-tech nature flies under the radar of chief information security officers and chief privacy officers. But there are simple technology and physical fixes, Kate Borten of the Visual Privacy Advisory Council explains.
September 09, 2016 07:09 AM
When the Ponemon Institute released its 2016 Global Visual Hacking Experiment, the research firm found that 91 percent of visual hacking attempts are successful.
Visual hacking applies to spying on physical items, like someone’s desk, computer screen or mobile device, even paper records. These attacks not only happen very quickly but they are also very difficult to detect when they do happen.
-----

For kids with asthma, telemedicine is as successful as in-person visits

Written by Erin Dietsche | September 08, 2016
The best treatment solution for children with asthma is to visit an allergist, but not every child lives close to one. A new study revealed why a telemedicine visit may be just as effective as an in-person visit to an allergist.
The study was published in the American College of Allergy, Asthma and Immunology's publication, Annals of Allergy, Asthma and Immunology.
The researchers identified patients who scheduled an appointment for asthma-related concerns at Kansas City, Mo.-based Children's Mercy Hospital's allergy clinic. The patients were given two options: keep their original in-person appointment or change it to a telemedicine visit, the latter of which involved going to a local clinic where a registered nurse or respiratory therapist operated the telemedicine equipment.
-----

92% of Nurses Dissatisfied with EHR Technology, Health IT

By Sara Heath on September 08, 2016

A recent survey shows that most nurses have a negative view of EHR technology, despite the tool's ability to improve patient safety.

Although EHR technology has improved patient safety and team-based healthcare, nurses still report negative opinions of the tools, according to a recent survey from the Adventist University of Health Sciences.
The survey questioned nurses about their opinions of EHR technology and how it has fit into their clinical workflows. Overwhelmingly, nurse respondents had negative views of EHRs, with 92 percent of them reporting dissatisfaction in 2014.
Eighty-four percent stated that EHRs disrupted their clinical workflows and productivity, while 85 percent said their tools consistently had flaws and glitches. Eighty-eight percent of respondents stated that high-ranking hospital officials were to blame for the glitches, alleging that they had invested in cheap technology.
-----

Enjoy!
David.

Friday, September 23, 2016

This Article Provides A Useful Summary Of myHR Breach Management. It Is Mandatory To Report Breaches!

This appeared last week:

Mandatory Breach Reporting For Health Records – What You Need To Know

Last Updated: 13 September 2016
Mandatory data breach reporting is the buzzword in privacy and cyber risk circles. Many Australian governments (including the incumbent) have sought to introduce legislation requiring all Australian businesses to report data breaches that compromise personal information collected or held by those businesses. But no government has yet succeeded. Except that is, for certain health service providers, who should take note – if you're handling certain types of health records, you may already be required to report such breaches.

What is 'mandatory reporting' – and is it relevant for my business?

The Privacy Act applies to Australian individuals and businesses with a turnover of over AUD 3 million, and to those providing a health service and who hold health information irrespective of turnover. Currently, the Privacy Act does not require that your customers or the Office of the Australian Information Commissioner (OAIC) be notified of a data breach that compromises their personal information. That is likely to change in time – and draft legislation could (if implemented) extend such mandatory reporting obligations to all businesses subject to the Privacy Act. In the meantime, notifications are encouraged by the OAIC as part of a data breach response plan, where the disclosing party thinks there may be a real risk of serious harm to the individual as a result of the breach.

I run a health services business – how does this affect me?

In addition to the requirements of the Privacy Act, healthcare providers accessing, processing and storing 'My Health Records' are subject to a mandatory data breach reporting regime. This regime has been in place since the inception of the My Health Record scheme in 2012 and requires notification, in certain circumstances, to the My Health Record System Operator (i.e. the Secretary of the Department of Health) and the OAIC, of data breaches affecting an individual's My Health Record.

What is My Health Record?

Essentially, it is the future of digital health in Australia.
My Health Record is described by Government as "a secure online summary of your health information". It is an opt-in scheme, operating from an online platform, which stores in one place important health information relating to individuals. Healthcare providers including doctors, specialists and hospital staff can access these details online from anywhere, at any time, for the purpose of providing healthcare and in accordance with access controls set by the individual patient or default access controls, as the case may be.
Considering the sensitive nature of an individual's health information that is being stored in the individual's My Health Record, the provisions relating to mandatory breach reporting have been seen as an important element of the system and a safeguard for those providing their details for storage in the system.
However, the slow uptake of the system by Australian health providers and practitioners means that industry awareness of the mandatory reporting requirements attaching to the My Health Record platform is unlikely to be widespread.

Why is this now more important than ever?

A digital health records system has been on the radar for many years.
In June 2016, the My Health Record "opt-out" trials commenced in the Nepean region of Western Sydney and North Queensland where 1 million individuals have been provided with a My Health Record. Trials are due to close in October 2016 and reports indicate that there has been a very low opt-out rate.
In July 2016, the National E-Health Transition Authority became the Australian Digital Health Agency, and is expected to become the system operator for the My Health Record system. In August 2016, the Government appointed as the agency's CEO, the former National Director for Patients and Information in the UK National Health Service (NHS) who was responsible for the digital transformation of the NHS. And, the Government has launched a public consultation on the development of a framework for secondary use of My Health Record data, which opened in late August / early September 2016 and will close in November 2016.
It seems to us that this shift of focus and the move towards widespread implementation of the My Health Record system is indicative of the Government's continued support for the expansion and development of digital health in Australia. While important building blocks in the digital health system (such as universal use of secure messaging and standardised system interoperability) may be several years away, we believe that mandatory adoption and use, in the short to medium term, of the My Health Record system across health service providers in Australia is inevitable.
Lots more here:
Also very useful is this part of the article alerting providers to what they must do:

What can healthcare providers do?

Digital health is coming and healthcare providers should start preparing now. All healthcare providers, in particular those operating in the My Health Record system, should consider the following:
  • Review how your organisation manages its data: Know the kinds of data your organisation handles, and the value of the data. Know where it is stored, who has access to it and how it is secured.
  • Know your obligations in operating within the My Health Record system: What obligations are imposed under the Privacy Act and under the My Health Record system on you as a business handling such sensitive information?
  • Identify and understand relevant risk frameworks suited to your business: Consider different risk frameworks that may apply to your business. Decide on a framework, implement it and use it to evaluate your cybersecurity. Test the framework regularly and consider how it can be improved.
  • Be prepared: Have a breach response plan in place. Consider the different types of breaches your business could suffer. Your plan should set out roles within your breach response team, and identify third parties or experts (IT security, legal, public relations) that will assist you in a critical situation.
  • Consider insurance options available to your organisation: The terms of professional indemnity, public liability or other specialist classes of policy may not provide coverage for cyber related losses. Health practitioners and healthcare providers are advised to consult with their brokers or insurers to consider whether there are other products such as cyber policies that may provide the necessary cover.
The bottom line here is that practices must take the risk of even a single record breach seriously and be able to show that they have taken reasonable steps to minimise breach risk.
In passing I would note I do not agree with the authors on the inevitability of adoption and use of the myHR, but that said, the article is well worth a close read!
David.