Editorial: A Duty to Share Patient Information

by Vince Kuraitis and Leslie Kelly Hall, Senior Vice President, Policy, Healthwise.

The sharing of patient information in the US is out of whack — we lean far too much toward hoarding information vs. sharing it. While care providers have an explicit duty to protect patient confidentiality and privacy, two things are missing:

  • the explicit recognition of a corollary duty to share patient information with other providers when doing so is in the patient’s interests, and
  • a recognition that there is potential tension between the duty to protect patient confidentiality/privacy and the duty to share — with minimal guidance on how to resolve the tension.

In this essay we’ll discuss:

  1. A recent recognition in the UK
  2. The need for an explicit duty to share patient information in the US
  3. Implications of an explicit duty to share patient information in the US


1) A recent recognition in the UK

Last week a long-awaited study commissioned by the Department of Health was released. Here are a few key findings from The Information Governance Review Report (Caldicott Review):

…safe and appropriate sharing in the interests of the individual’s direct care should be the rule, not the exception.

List of Top 10 Health Plan Issues — Out of Whack!

Healthcare IT News just published its list of top issues for health plans in 2011:

1. Administrative Mandates (Compliance HIPAA 5010, ICD-10, etc.).
2. Care Management, Data Analytics, and Informatics.
3. Health Insurance Exchanges and Individual Markets.
4. New Provider Payment & Delivery Systems (ACOs, PCMHs, etc.).
5. Bend the Cost Trend.
6. Medicare and Medicaid.
7. Health Information Exchanges and EMRs.
8. Consumer’s Role in the Modernization of Healthcare.
9. Reform Uncertainties.
10. Payer/Provider Interoperability.

Dear health plan colleagues,

Wake up! The order of this list is totally out of whack.

#2: Care Management, Data Analytics, Informatics. Good…sounds about right.


#2 can’t happen before you address:

#7: HIEs and EMRs

#10: Payer/Provider Interoperability

Health plans can’t analyze the data and assist in care management unless they first have access to it. Payers need access to clinical data, and they are at risk of being cut out of the loop.


Please also take a look at priority #1: Administrative Mandates (Compliance HIPAA 5010, ICD-10, etc.). This is completely reactive!

In these times of great change, is this how health plans want to posture themselves in the community?

Crowdsourcing the Future: Health 2.0 and HIPAA

Deven McGraw is the Director of the Health Privacy Project at the Center for Democracy & Technology. 


The Health 2.0 movement has seen incredible growth recently, with new tools and services continuously being released. Of course, Health 2.0 developers face a number of challenges when it comes to getting providers and patients to adopt new tools, including integrating into a health system that is still mostly paper-based. Another serious obstacle facing developers is how to interpret and, where appropriate, comply with the HIPAA privacy and security regulations. 

Questions abound when it comes to Health 2.0 and HIPAA, and it’s vital we get them answered, both for the sake of protecting users’ privacy and to ensure people are able to experience the full benefits of innovative Health 2.0 tools. We can’t afford to see the public’s trust in new health information technology put at risk, nor can we afford to have innovation stifled.

To help solve this problem, the Center for Democracy & Technology (CDT) has launched a crowdsourcing project to determine the most vexing Health 2.0/HIPAA questions.

This is where you come in:

Walled Gardens vs. the Open Web: A Central Debate in Tech Finally Coming to Healthcare

The September issue of Wired magazine and an article in last Sunday’s New York Times illustrate a central debate in technology circles. The debate is not new — it’s been going on for two decades — but it has newfound vibrancy. The essence of the debate is about competing tech/business models: walled gardens vs. the open world wide web (web).





The debate is highly controversial and nuanced. There are “experts” on both sides.

My point today is not to take sides (although I’ll admit my canine partiality to the open web), but rather:

  • to point out that the debate is occurring 
  • to explain what the discussions are about
  • to suggest that competition between walled gardens vs. the open web is creating healthy competition and providing consumers with great choices (e.g., Apple iPhone as a walled garden vs. Google Android OS as a more open approach)
  • to point out that health care has not had much to say in this debate…until very recently.

A while back I started writing a series, “Healthcare Crosses the Chasm to the Network Economy”. This essay continues that series.

Digital Medical Office of the Future Conference. Las Vegas, Sept. 9-10


Healthcare providers face critical choices in selecting and implementing Electronic Health Records (EHRs). In addition, physicians and hospitals will need to develop the capacity to exchange clinical information in order to meet Meaningful Use requirements. This program will offer detailed and practical information on EHR selection and implementation, as well as strategies for creating a sustainable health information exchange (HIE). The program also features sessions on legal/regulatory issues, clinical platforms and applications as well as strategies for optimizing workflow in order to accelerate clinical transformation.

Distinguished Speakers Include:

Steve Adams, Executive Vice President, Collaborative Care, Alere & President, Clinical Groupware Collaborative
Mark R. Anderson, FHIMSS, CPHIMS, CEO & Healthcare IT Futurist, AC Group, Inc.
Beverly Bell, RN, MHA, CPHIMS, FHIMSS, Partner, Clinical Implementation Practice Director, CSC Healthcare Group
Soma Bulusu, MS, CIO, Marin General Hospital
Proteus Duxbury, Managing Consultant, PA Consulting Group
Andrew Ganti, MSIE, Principal, Workflow IT Solutions
Kennedy Ganti, MD, Virtua Lumberton Family Physicians & Chair, New Jersey Health Information Technology Commission
Arthur Gasch, Founder, Medical Strategic Planning, Inc. & Author of Successfully Choosing Your EMR: 15 Crucial Decisions (Wiley Press)
David C. Kibbe, MD MBA, Senior Advisor, American Academy of Family Physicians & Principal, The Kibbe Group LLC
Vince Kuraitis, JD, MBA, Principal, Better Health Technologies, LLC
Arien Malec, Coordinator, NHIN Direct, Office of the National Coordinator for Health Information Technology
Debbie Newman, MBA, CPHIMS, Director of Process Improvement, Licking Memorial Health Systems
Gordon Norman, MD, MBA, EVP & Chief Innovation Officer, Alere
Keith Parker, Regional Extension Center, Nevada
Deborah Smith, PhD, Chief Strategic Planning and Quality Officer, Alaska Native Tribal Health Consortium
Carlos Vigil, DO, Internal Medicine Physician & CEO, United Hospitalist Group

Platinum Sponsor: Ingenix
Silver Sponsors: AC Group, Inc., Medical Strategic Planning, Inc., NextGen Healthcare
Bronze Sponsors: Cerner Ambulatory, EHS


For additional information, please contact TCBI:
Ph: 310-265-2570
Email: info@tcbi.org

Is HITECH Working? #7: Where’s Plan B? Congress and ONC need to address major flaws in HITECH.

by Vince Kuraitis JD, MBA and David C. Kibbe MD, MBA

Pop quiz: Among early-stage companies that are successful, what percentage are successful with the initial business model with which they started (Plan A) vs. a secondary business model (Plan B)?

Harvard Business School Professor Clay Christensen studied this issue.  He found that among successful companies, only 7% succeeded with their initial business model, while 93% evolved into a different business model.

So let’s take this finding and reexamine our human nature. In light of these statistics, what makes more sense:

  • Defending Plan A to your dying breath?
  • Assuming Plan A is probably flawed, and anticipating the need for Plan B without getting defensive?

We question many of the assumptions underlying HITECH Plan A. We also want to talk about the need and content for Plan B in a constructive way.

In this essay we’ll discuss:

1) The Need for HITECH Plan B

2) Questioning Assumptions — Issues to Reconsider in Plan B

a) Rewarding Incremental Progress
b) Addressing Root Causes for Non-adoption of EHR Technology
c) Questioning Health Information Exchanges (HIEs) as Building Blocks for the Nationwide Health Information Network (NHIN)
d) Catalyzing Movement Toward Modular EHR Technology
e) Focusing Incentives on High Leverage Physicians
f) Recalibrating Expectations for EHR Technology Adoption
g) Getting Bang-for-the-Buck in Achieving Meaningful Use Objectives
h) Comprehensively Revamping Privacy/Security Laws vs. Tweaking HIPAA
i) Maximizing Sync Between HITECH and PPACA
j) Leveraging Potential for Patient-Driven Disruptive Innovation
k) Promoting EHR Adoption Beyond Hospitals and Physicians, e.g., long-term care, home health, behavioral health, etc.
l) Dumping Certification

3) Summing Up

Complimentary Webinar: Introduction to Clinical Groupware and the Clinical Groupware Collaborative


BrightTALK is sponsoring a complimentary Electronic Health Record Summit this Tuesday, October 20, 2009.

David C. Kibbe MD, MBA and I will be presenting “Introduction to Clinical Groupware and the Clinical Groupware Collaborative”

Clinical groupware is a new and evolving model for the development and deployment of health information technology (HIT) platforms and applications having the following characteristics:

  • Use of the Internet and the web for EHR technology.
  • Explicit design for information sharing and online communication among providers and patients/consumers.
  • A modular or component architecture upon which applications can be aggregated to meet specific clinical and workflow tasks.
  • Patient/consumer engagement tools that facilitate ongoing health management and care coordination.
  • Interface and data exchange standards for information sharing that emerge in a market-driven manner.

The Clinical Groupware Collaborative is a formative-stage organization. To date, representatives from over 50 companies have expressed interest. We are working to be formally incorporated in November 2009.

To register, attend live, or view afterward on-demand, click the following link:  http://www.brighttalk.com/webcasts/6114/attend  

Here’s a full listing of the other Electronic Health Record Summit presentations:   

Kaiser Permanente’s Journey and Ultimate Success with Health IT, Andrew M. Wiesenthal, The Permanente Federation

Prescribing the Best Security for Your EHR System, Andrew Klein, Product Management at SonicWALL

Business Associates Now and Then: HIPAA, EHRs and the HITECH Act, Susan Miller, Security & Privacy Workgroup Chair, WEDI

Fraud & Abuse in the EHR, Jean Bishop, J Bishop Consulting

New HIPAA Rules and EHRs: ARRA & Breach Notification, Raj Goel, Brainlink International; Jim Sheldon-Dean, Lewis Creek Systems

Three Forcing Factors of Electronic Healthcare Records, Kim Singletary, McAfee

How Great EHRs Empower Participatory Medicine, e-Patient Dave deBronkart, Society for Participatory Medicine co-chair

Privacy Law Showdown? Legal and Policy Analysis.

#2 in a series — Modifications to HIPAA Privacy Laws: Impact on Microsoft HealthVault, Google Health, and other PHRs

by Deven McGraw JD, MPH, Center for Democracy & Technology


There has been considerable discussion lately about whether or not the stimulus legislation (ARRA) extends HIPAA coverage to commercial vendors of personal health records (PHRs) any time they contract with entities already covered by HIPAA like hospitals, health plans or physicians groups.  (For those of you who don’t know, HIPAA is the Health Insurance Portability and Accountability Act of 1996.  The HIPAA privacy and security regulations form our national health privacy and security rules.)

The provision in question (Section 13408) states that “each vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record” is required to enter into a business associate agreement with the covered entity.   Under ARRA, business associates must comply with key provisions of the HIPAA privacy and security regulations. 

In this post, I argue that PHR vendors should be covered under HIPAA only under certain circumstances.  PHRs should be governed by a comprehensive framework of privacy and security protections, but HIPAA would provide inadequate privacy protection for people using these tools (at least as the HIPAA rules are currently structured).  As a result, I argue that this provision in ARRA should not be read to require the automatic application of HIPAA to PHR vendors any time they contract with covered entities to offer a PHR.   Instead, I suggest that HIPAA should cover a PHR vendor’s activities when the nature of the relationship between the vendor and the covered entity (hospital, health plan, physician office) primarily concerns the vendor performing a service for the covered entity. 

However, where the contractual relationship is primarily about improving the value of the PHR to the consumer, HIPAA should not apply.  (I know, not an easy line to draw – but I do suggest some factors that should influence the decision.) 

Finally, I urge the prompt adoption of separate, targeted privacy provisions to protect consumers using PHRs so that the choice is not HIPAA or limited protections under other federal laws. 

Why Not HIPAA – Isn’t it Better Than Nothing?

Table of contents for the series--Modifications to HIPAA Privacy Laws: Impact on Microsoft HealthVault, Google Health, and other PHRs

  1. Privacy Law Showdown? Setting the Stage
  2. Privacy Law Showdown? Legal and Policy Analysis.

Privacy Law Showdown? Setting the Stage

Today’s post is the first in a series entitled:

Modifications to HIPAA Privacy Laws: Impact on Microsoft HealthVault, Google Health, and other PHRs

We’ll explore how recent changes in privacy provisions of ARRA/HITECH Federal stimulus legislation affect personal health information (PHI) platform companies (e.g., HealthVault, Google Health, Dossia) and personal health record (PHR) companies.

Health IT expert and journalist Neil Versel described the issue in the April 7 issue of BNET Healthcare:

Although Google and Microsoft have gotten plenty of attention for their Web-based personal health records, both companies have long maintained that they’re not bound by the privacy protections of a 1996 federal law known as HIPAA. And despite a recent HIPAA change — one intended to extend its privacy provisions to services like Google Health and Microsoft’s HealthVault — both companies still insist they’re not bound by the law.

…“Our understanding is that HITECH, which is the jargon for [the health IT] part of the legislation, did not change the definition for a covered entity or a business associate, so our service is offered directly to the consumer,” Google Health Product Manager Roni Zeiger told Modern Healthcare last month. “[O]ur understanding is that we are neither a covered entity nor a business associate,” he continued. “We’re providing a service directly to the consumer or a patient.”

Microsoft offered a similar assessment at the annual Healthcare Information and Management Systems Society conference in Chicago. “We’re still outside [of HIPAA],” said David Cerino, general manager of Microsoft’s Health Solutions Group.

Not everybody agrees with Microsoft and Google. Versel commented in his own blog:

Excuse me? I’ve been struck since Day 1 with the arrogance Google seems to be exhibiting with its entry into healthcare …  it seems to me Zeiger is intimating that the law doesn’t apply to Google.

In the BNET article, Versel also quotes David Brailer, the first head of the Office of the National Coordinator for Health Information Technology at HHS:

Dogged Optimism: Five Innovative Aspects of HITECH

If you’re a dog (an innovator), what’s there to smile about over HITECH? Quite a bit.

In the first post of this series, I suggested that HITECH favors cats by about 60/40 and noted that the single most cat-like feature of HITECH is providing incentives for physicians and hospitals to acquire and implement EHRs  — but only EHRs. Reader “Mark” commented:

“How does this work out to 60/40? Looks to me like 100% cats.”

Let’s look a bit deeper to see how HITECH creates opportunities for disruptive innovation. (As a refresher, the cat POV is that HITECH stimulus funds should simply pay directly for EHR technology — that providers will figure out how to use the technology to improve quality and outcomes; the dog POV is that HITECH should pay for improved quality and outcomes — change incentives and IT will naturally follow. See the first post for more detailed explanations.)

The next three posts in this series will examine various aspects of HITECH from differing points-of-view:

  • What’s dog-like (innovative)?  — today’s post.
  • What’s cat-like (protecting incumbents)?
  • What’s yet to-be-determined (TBD) or unclear?

The Need for Innovation

Lack of innovation is the heart of the problem in today’s health IT marketplace. Writing specifically about the market for hospital EHRs, my colleague David Kibbe and I have previously characterized the prevalent HIT business model:

  • Proprietary, non-interoperable software
  • Low volume, high margin sales (there are only about 5,000 hospitals in the country)
  • Customers (hospitals) have high needs for installation support and customization. Customization for individual customers further challenges opportunities for creating interfaces and achieving interoperability.
  • High costs of purchase and installation result in high switching costs and customer lock-in.

We questioned whether interoperability was in the economic interests of current health IT vendors:

  • Interoperability will tend to commoditize data and reduce opportunities for high margin pricing
  • Interoperability will reduce customer needs for software customization
  • Interoperability will reduce switching costs and potential for lock-in
  • Although it might seem contradictory…hospital customers aren’t asking for it

The market for physician EHRs is very similar.

What’s needed are technology and business models that will create disruptive innovation in today’s HIT marketplace.

How Does HITECH Create Potential for Disruptive Innovation?

Here are five aspects of HITECH that lay groundwork for future innovation in health care: