Saturday, June 30, 2007

eHealthRisk.com

I have set up a companion website to this blog at www.ehealthrisk.com. The website contains:
  1. A list of all links featured on the eHealthRisk Blog including all documents referenced on the blog and in the reference section of the eHealth Risk Report Card Methodology. I also indicate whether the materials are free or must be purchased (eHealth Risk Links).
  2. Downloads of the eHealthRisk Report Card Methodology, any supplementary materials, and PowerPoint presentations given on the subject (Home page).
  3. Educational opportunities (Training page)
You can get to eHealthRisk.com by clicking the links in the eHealthRisk.com section in the left hand column of this blog.

Friday, June 29, 2007

Identity Theft

One of the factors considered when you conduct a threat and risk assessment is the motivation of the threat agent (i.e. bad person) who wants to steal the personal health information in your custody. This often leads some privacy naysayers to ask "who would want to steal my health information? There's nothing interesting there and even if they did, who cares?" There is a touch of truth to this. I can't imagine anyone getting off on my history of negative lab test results.

There is however the matter of identity theft. No one wants my lab tests, but they might be motivated by the opportunity to take over my bank accounts, credit cards and home mortgage. Health care databases are a rich source of data for identity thieves who are more interested in the state of my finances than the state of my health.

We must also recognize that health care is a valuable service that doesn't cover everyone, especially those living in the United States who might be motivated to scam some free health services. Stealing the identity of an insured person is one way of gaining access to free health care.

Gordon Atherley has written a white paper on identity theft in health care. I'll also point you to the article Diagnosis: Identity Theft from an earlier post on this blog. The World Privacy Forum has published a report titled Medical Identity Theft: The Information Crime that Can Kill You. Download and read these papers. Someone out there will be motivated to go after your databases not because they intend to misuse the health data, but because they want to rob us blind.

Thursday, June 28, 2007

Knowledge Centre

Dr. Gordon Atherley maintains a website called the Knowledge Centre for Privacy, Security and Safety of Information Technology. The Centre contains a large inventory of media reports and other information on many aspects of eHealth with a focus on privacy and security. In a telephone conversation with Gordon today, he told me that his objective is to publish information resources to support the public's right to know.

It's worth a look.

The Burden of eDiscovery

In an email to me yesterday, Dr. Scot Silverstein wrote: "You might want to add to your risks on eHealthRisk.com the new risk of eDiscovery. I just attended an AHIMA conference (Amer. Health Info Management Assoc.) where this was discussed. The infrastructure required to be able to respond effectively to eDiscovery requests will likely become increasingly burdensome to healthcare organizations."

The American Health Information Management Association (AHIMA) has published a summary of the Electronic Discovery Civil Rule and how it applies to healthcare organizations. While this applies to organizations in the United States, one would expect similar issues to arise in all national jurisdictions. From the summary:

"As electronic health record (EHR) technology advances, sophisticated litigators are gaining a better understanding of the information they can obtain from e-mail messages, databases, software applications, computer logs, and metadata. Electronic discovery (e-discovery) is becoming a critical part in gathering and using evidence in legal proceedings, complementing traditional methods such as photocopies, printouts, and digital images of patient medical records.

New changes to the Federal Rules of Civil Procedure related to e-discovery will greatly affect how healthcare organizations manage their electronic records. This practice brief provides an overview of pretrial requirements in the e-discovery civil rule and reviews the relevance and application of each section of the rule to healthcare organizations. Additionally, it identifies the steps HIM professionals can take to prepare their departments and organizations for the challenges associated with e-discovery."
Wednesday, June 27, 2007

Health IT Horror Stories

Dr. Scot Silverstein of Drexel University has published a website titled Sociotechnologic issues in clinical computing: Common examples of healthcare IT failure. He provides an excellent overview of health IT issues and case examples illustrating a number of health IT horror stories. Only by understanding what's gone wrong can we make sure that our eHealth systems go right. It's worth taking a look.

Tuesday, June 26, 2007

EHR Information Governance

The best survey I’ve seen of information governance issues for EHRs and eHealth in general is a white paper prepared by Canada Health Infoway titled Information Governance of the Interoperable Electronic Health Record (EHR). While the paper restricts its scope to privacy and security matters, it inevitably touches on governance issues that can be applied across the spectrum of eHealth risk. This is an important educational resource and essential reference for all students of eHealth risk management.

The paper raises many issues that need to be resolved before an interoperable EHR can become a reality. For example, it acknowledges what I believe to be the biggest problem in privacy risk management - the problem of what to do with the results of privacy impact assessments.

“Although substantial expertise exists across Canada in the conduct of PIAs, few best practices or policies have been developed to monitor the implementation of privacy risk mitigation strategies and to integrate privacy monitoring and PIA revisions into the change management process. Developing programs to ensure continuous privacy management is an issue that will need to be addressed as part of effective EHR information governance.” (page 15)

The paper doesn't have all the answers, but it does ask the right questions. This is a must read.

Monday, June 25, 2007

eHealth Safety Issues - Focus on CPOE

Much of the literature on eHealth safety focuses on Computerized Physician Order Entry (CPOE) systems and their potential for reducing medical errors, particularly with respect to medications. However... the literature is split on the efficacy of CPOE systems and some evidence points to the potential for CPOE systems to contribute to errors. The following papers give pause for thought for those who want to barrel ahead with eHealth implementations.

J. Ash, M. Berg, E. Coiera, Some Unintended Consequences of Information Technology in Health Care: The Nature of Patient Care Information System-related Errors, JAMIA Mar/Apr 2004

Y. Han, J. Carcillo, S. Venkataraman, R. Clark, R. Scott Watson, T. Nguyen, H. Bayir, R. Orr, Unexpected Increased Mortality After Implementation of a Commercially Sold Computerized Physician Order Entry System, Pediatrics Dec 2005

R. Koppel, J. Metlay, A. Cohen, B. Abaluck, A.R. Localio, S. Kimmel, B. Strom, Role of Computerized Physician Order Entry Systems in Facilitating Medication Errors, JAMA Mar. 9 2005

R. Berger, J.P. Kichak, Computerized Physician Order Entry: Helpful or Harmful? JAMIA, Mar./Apr. 2004

G. Kuperman, R. Gibson, Computer Physician Order Entry: Benefits, Costs and Issues, Annals of Internal Medicine, July 2003

A few thoughts after reading these articles:
  1. CPOE is undoubtedly a good thing... if implemented well.
  2. CPOE is not a magic bullet. Simple implementation of a CPOE system will not automatically result in reduced errors. In fact it may increase errors.
  3. All CPOE systems are not created equal. Some commercial products are better than others... which also means that some commercial products are worse than others.
  4. Software implemented badly, no matter how good it is, will result in a bad system that can hurt people.

Friday, June 22, 2007

FOI Request and Appeal for PIAs

In February I submitted an FOI request to the Ontario Ministry of Health and Long Term Care (MOHLTC) under the Freedom of Information and Protection of Privacy Act (FIPPA) for documentation associated with 3 major eHealth projects: the Ontario Lab Information System (OLIS), the Ontario Drug Benefit Drug Program Viewer (ODBDPV), and the Integrated Public Health Information System (iPHIS). The request included copies of the Steering Committee minutes and Privacy Impact Assessments for each of the 3 projects, and a copy of the Province's Strategic eHealth Plan.

The Ministry released redacted copies of the Steering Committee minutes but denied access to the PIAs and the Strategic eHealth Plan.

Reasons for denying access to the PIAs included:

For OLIS - Section 12(1)(a) of FIPPA - Cabinet Records
For ODBDPV - Section 14(1)(i) of FIPPA - Law Enforcement, and 17(1)(a)(b)(c) of FIPPA - Third Party
For iPHIS - 12(1)(c)&(e) of FIPPA - Cabinet Records, and 14(1)(i) of FIPPA - Law Enforcement.

The Ministry found a 2004 eHealth Strategy document and denied access under Section 12 (Cabinet Records) of FIPPA.

I have appealed the denial of access to the PIAs to the Information and Privacy Commissioner for Ontario. I decided not to pursue the matter of the Strategic Plan as it appears that the Ministry does not have a current eHealth Strategic Plan.

The IPC has acknowledged receipt of my appeal.

I'll post updates on the Blog concerning the progress of this request.