S U P R A S P I N A T U S

The New York Health Information Security and Privacy Collaborative (NYHISPC) has released two reports, available here. NYHISPC is participating as a subcontractor in the Federal government-sponsored Health Information Security and Privacy Collaborative. The NYHISPC has completed four major phases of work over the course of ten months, including: (i) Assessing Variations in Business Practices and the Law Related to the Secure Exchange of Health Care Information; (ii) Developing Solutions to Support Secure Electronic Exchange of Health Care Information While Preserving Patient Privacy; (iii) Developing a Plan to Implement the Solutions; and (iv) Finalizing the Assessment, Analysis and Implementation Plans.

A study reported in today's Washington Post suggests that electronic medical records do not in and of themselves improve patient care:

Electronic medical record systems are no guarantee that diabetes patients will get better care, a new study finds.

When used in a primary-care setting, "having an electronic medical record is not sufficient for insuring the quality of diabetes care," said study author Jesse C. Crosson, from the Department of Family Medicine at UMDNJ-New Jersey Medical School. "It really isn't going to change care by itself, it has to be implemented in a context in which people are trying to improve the quality of care."

Most interesting, the study suggests that EMRs can have a negative impact:

To measure the impact of electronic medical record systems on the quality of care, Crosson and his colleagues collected data on the care of 927 diabetic patients in 50 doctor's offices.

They found that in offices that used electronic medical records actually offered poorer quality of care compared with those doctors who didn't use them. Patient care in the 37 offices that didn't use electric medical records was more likely to meet guidelines for treatment and intermediate outcomes compared with the 13 offices using a computerized medical record system, Crosson's group found.

Conclusion?

"Just having electronic medical records is simply not enough," added Dr. John Hsu, a physician scientist in the division of research at Kaiser Permanente in Oakland, Calif. "How you integrate it into clinical practice is critical."

The full WaPo article can be accessed here.

UPDATE: The full article can be viewed in the Annals of Family Medicine, here.

According to this article posted June 14 on the Capital District Business Review's website,

Capital District Physician's Health Plan has distributed more than $3 million in incentive funds to primary care doctors and specialists who have implemented electronic medical record systems in their offices.

The full article is accessible on the Business Review's website here.

Disclosure: The author of this post is employed by CDPHP.

An article published yesterday on the Computerworld website discusses the first known HIPAA security audit.

In March, Atlanta's Piedmont Hospital became the first institution in the country to be audited for compliance with the security rules of the Health Insurance Portability and Accountability Act (HIPAA).

The audit was conducted by the office of the inspector general at the U.S. Department of Health and Human Service (HHS) and is being seen by some in the health care industry as a precursor of similar audits to come at other institutions.

Neither Piedmont nor HHS officials have publicly confirmed the audit or spoken about it. That silence has sparked considerable curiosity about why Piedmont was targeted as well as the scope of the audit and the kind of information HHS was seeking.

A document obtained by Computerworld from a reliable source indicates that Piedmont was presented with a list of 42 items that HHS officials wanted information on within 10 days.

For a full list of the 42 items click through to the Computerworld article here.

From the DOH website, August 8, 2007:

Health Commissioner Richard F. Daines, M.D., today announced the launch of a comprehensive health information technology program, part of Governor Eliot Spitzer's agenda to advance patient-centered care and enable improvements in health care quality, affordability and outcomes for each person, family and business in New York.

An initial $106 million will be invested in the health care community during 2007-2008 to support the implementation of health IT tools to allow portability of patients' medical records and new tools to assess and target improvements in health care quality.

Lots more detail below the fold.

From today's New York Times:

Microsoft is starting its long-anticipated drive into the consumer health care market by offering free personal health records on the Web and pursuing a strategy that borrows from the company's successful formula in personal computer software.

See the full article here. Link directly to healthvault here.

UPDATE 10/10 - The Privacy Place has taken a dim view of HealthVault:

The hype surrounding HealthVault's privacy protections among those in the medical community must be balanced with the reality of the information security and privacy practice expressed in its public privacy statements. It is critical to address these privacy concerns in the design of PHR systems before we deploy them with vulnerabilities that will ultimately lead to yet another rash of data breaches.

Over at ZDNet, Dana Blankenhorn commends Privacy Place's sendup and suggests "[i]t's the kind of fiasco that could set the movement toward electronic health records back years." That's an odd statement, however, considering that electronic health records ("EHR") and personal health records ("PHR") are very distinct creatures living in very different markets.

Scott v Beth Israel Med. Ctr. Inc.
2007 NY Slip Op 27429 (October 17, 2007)
Supreme Court, New York County
Ramos, J.

Dr. Scott argues that the e-mails are privileged under both the attorney client privilege and work product doctrine. BI counters that the e-mails were never protected by the attorney client privilege because Dr. Scott could not have made the communication in confidence when using BI's e-mail system in violation of BI's e-mail policy. BI also argues that both privileges were waived by Dr. Scott's use of BI's e-mail system.

BI wins.

This raises some very interesting questions - - such as, whether the same result would obtain when the employer is not also the defendant in the lawsuit (as is the case here). Let's say, for example, that Dr. Scott had sued his former employer, Hospital Z, or vice versa. Could Hospital Z discover all of Dr. Scott's e-mails to his lawyer concerning the suit that had been sent on BI's system?

Charity Navigator (a 501 ( c ) (3) non-profit organization) works to guide intelligent giving by providing information on over 5,000 charities, evaluating the financial health of each one in order to advance a more efficient and responsive philanthropic marketplace. (1.)

Founded in 2001, Charity Navigator observes that it has become the nation's largest and most-utilized evaluator of charities-- professional analysts have examined tens of thousands of non-profit financial documents, using this knowledge to develop an unbiased, objective, numbers-based rating system to assess the financial health of over 5,000 of America's best-known charities. Charity Navigator notes that last year alone more than 4 million donors used the site that TIME Magazine called "One of America's 50 Coolest Websites for 2006."

Charity Navigator ranks the Foundation for the National Institute of Health with an overall top score of 69.72 (and four stars) in comparison to other highly ranked Charities Performing Similar Work. (2.)

The Foundation for NIH fosters public health through scientific discovery, translational research, and the dissemination of research results through specially-configured, high-impact public-private partnerships consistent with NIH priorities. (3.)

The Foundation helps to underwrite biomedical initiatives that might not be attractive for private funding alone, or for one reason or another are not appropriate for wholly public funding. The foundation may take on projects that are particularly risky in terms of the likelihood of success or where companies may be willing to forgo profits because of early stage nature of the program or in the case of some global health initiatives due to the charitable nature of the project. Foundation projects tend to be longer-term, operating on a time scale that can be unattractive for private investors. At the same time the foundation is capable of responding quickly and nimbly to funding needs that are immediate and pressing. (3.)

Public-Private Partnerships Lead the Way for Critical Biomedical Initiatives. (4.)
Major projects include: The Genetic Association Information Network, The Biomarkers Consortium (with its policies/procedures to comply with relevant requirements of antitrust and other federal law.), and Grand Challenges in Global Health.

See footnoted links and read more below

Over at the Health Care Renewal blog contributor MedInformaticsMD has posted a contrarian's viewpoint on electronic medical records. The piece is interesting in that he doesn't take the curmudgeon's path of resisting change for the sake of resisting change, but actually marshals some published authority in favor of his points, which in rough summary are:

• Healthcare IT is a field that unless brought back to sanity will transfer countless dollars to the IT sector that healthcare and patients cannot afford
• EMR's are still an experimental technology and should be thought of as such
• The majority of information systems developments in most sectors are unsuccessful
• The "cost of ownership" puts a big doubt upon EMR projects as a cost-reducing endeavor
• With regard to effectiveness of EMR's in actually improving healthcare quality, even that is doubtful

Useful reading, even if you disagree with the arguments. Link to the full post here.

FDA launched an e-mail alert service on December 3 that alerts subscribers whenever information is updated on certain FDA webpages—using it only for a week, I find it is just great. It’s a good check and balance to browsing through the website that covers such a big field. If the updated info provided in a particular email alert is not so important to you, there is little time wasted to delete it because the emails are very brief. And, importantly, you find out about info. that you are interested in and sooner rather than later. From the FDA News:

The service is free and available for a wide variety of FDA's Web pages, including food safety protection, medical product approvals and consumer health information… Andrew C. von Eschenbach, M.D., Commissioner of Food and Drugs [reports that] "E-mail is the leading use of the Internet, and this service strengthens FDA's ability to keep its audiences informed quickly and effectively." To receive e-mail alerts, subscribers need only click on the red envelope icon located on participating Web pages. Each e-mail update includes a direct link to the FDA Web page that has been updated. Powered by GovDelivery, a private sector e-mail subscription management system used by several other federal agencies, the service allows subscribers the flexibility to personalize the information most important to them. A full list of currently available topics can be found at www.fda.gov/emaillist.html).

The New York Health Information Security and Privacy Collaboration (NYHISPC) has produced a proposed "Standardized Consumer Consent Policies and Procedures for RHIOs in New York State" which is now posted on the DOH website. (Link here.)

The purpose of this document from the New York HISPC team is to put forth for public comment recommended policies and guidelines governing consumer consent for the exchange of personal health information in a technology-enabled health care environment facilitated by Regional Health Information Organizations (RHIOs) in New York State in order to protect privacy and strengthen security. Comments received will be reviewed and considered during the development of final policy guidance that will be issued by the New York State Department of Health.

Link to the NYHISCP "Phase II" page here, where you can also access the comment form for submitting comments to the draft policy.

Here is an interesting bit from the far west in today's San Francisco Chronicle:

California residents must now be notified when their electronic medical information or health insurance information has been exposed.

AB1298, which took effect Tuesday, expands California's data-breach notification law to include unencrypted medical histories, information on mental or physical conditions, and medical treatments and diagnoses.

Also covered under the law are unencrypted insurance policy or subscriber numbers, any applications for insurance, claims histories and appeals.

The full article is here. New York has data breach laws (see, for example, General Business Law sec. 899-aa and also State Tech. Law sec. 208) but the Cal. scheme seems far more extensive.

Government HealthIT reported yesterday:

The Centers for Medicare and Medicaid Services will begin on-site reviews of hospitals' compliance with security rules mandated by the Health Insurance Portability and Accountability Act of 1996.

CMS officials said at a workshop on HIPAA security yesterday that they expect to review 10 to 20 hospitals in the next nine months.

Link to the online article here.

Today's Chicago Tribune reports:

U.S. Health and Human Services Secretary Mike Leavitt proposed a $150 million incentives plan Thursday to expand physicians' use of electronic medical records.

Read the full article here.

Atlantic Information Service's "Health Business Daily" for today includes an update on the CMS reviews previously mentioned in this post.

Officials from the CMS Office of E-Health Standards and Services intend to visit covered entities (CEs) "for the foreseeable" future to ensure they are complying with the security rule, the director of the office, Tony Trenkle, tells RPP.

Trenkle says the visits, of which there will be 10 to 20 between now and September, are being considered "compliance reviews" rather than audits. However, entities found to have committed violations could be subject to fines, corrective action plans and other enforcement actions.

Importantly, CMS clarified that, contrary to prior reports, the upcoming reviews will not be limited only to hospitals and, also, that the reviews are not "audits":

Trenkle first spoke of the initiative at a HIPAA security compliance workshop co-sponsored by CMS and the National Institute of Standards and Security held outside Washington, D.C., on Jan. 16. But he tells RPP that his comments were misconstrued by those who thought he was referring to hospitals only and to Piedmont-type audits. It was also reported that large hospitals are a focus, but Trenkle denies saying so.

. . .

The targeted entities for the CMS reviews are those for which CMS has already investigated a security complaint, says Trenkle. "These are not audits. They are not random," he says.

CMS calls these organizations "filed against entities," or FAEs, says Lorraine Tunis Doo, the senior policy advisor in Trenkle's office, who also spoke with RPP.

As of December 2007, CMS had received a total of 283 security complaints and had closed 191. The majority of security complaints are allegations of "inappropriate access and risk of inappropriate disclosure," Trenkle says.

Finally, CMS provides some detail in to the substance of the review:

The reviews will re-examine efforts entities took to address the initial complaint that brought them to CMS's attention, as well as take a global look at all of the entities' security practices to identify possible compliance failures.

Some entities have been asked to have a corrective action in place as a result of violations, Doo says. The reviewers will determine if the plan was implemented correctly.

In addition, they will focus on a checklist of general security rule requirements. CMS intends to post the checklist on its Web site within the next month, Trenkle says, to give entities a heads up. It also is meant to help educate the health care community about where to focus their security compliance efforts.

Read the full AIS article here.

The Sedona Conference®, a nonprofit law and policy think-tank based in Sedona, AZ, has announced the Tenth Annual Sedona Conference® on Complex Litigation: Health Law and Medical Products Litigation—Common Ground, to be held at the Hilton Sedona, in Sedona, AZ, on Thursday and Friday, April 17-18, 2008.

This year’s topics include:

• eDiscovery (and records management) challenges;


• Dealing with the Government: How to Handle Governmental Investigations and the Role of the Anti-Kickback Statutes and the False Claims Act;


• Dealing with Private Plaintiffs:Whistleblower Litigation/Qui-Tam Actions;


• Public Relations and Health Care/Medical Products Litigation: Legal and Ethical Issues;


• Conducting an Internal Investigation/Regulatory and Compliance Issues; and


• Ethical Issues in Conducting Internal Investigations.

For more information including the complete agenda and faculty bios, visit The Sedona Conference website and click on the Conference title in the upper-right hand corner.

Here's a lead from today's New York Times online:

After two years of planning and a public investment of more than $60 million, Mayor Michael R. Bloomberg said on Monday that New York City was ready to equip doctors with computer software that can track patients' medical records in order to provide better preventive care.

Read more here.

There's been a bit of buzz recently about Google's plan to host medical records, as in this clip from Retuers:

Google Inc has unveiled a plan to help U.S. patients gain control of their medical records and is working with doctors' groups, pharmacies and labs to help them securely share sensitive health data.

The company's long-rumored entry into the highly sensitive field came when Chief Executive Eric Schmidt introduced Google Health at a health-care conference in Florida on Thursday.

Google said it has signed deals with hospitals and companies including medical tester Quest Diagnostics Inc, health insurer Aetna Inc, Walgreens and Walmart Stores Inc pharmacies.

Read the Reuters article here.

Today, March 11, 2008, the Center for Democracy & Technology ("CDT") announced the launch of a major project to develop and promote privacy policy solutions for personal health information. To fulfill an ambitious agenda CDT is joining forces with the Health Privacy Project.

It is widely recognized that developments in health information technology (HIT) have the potential to improve health care quality, reduce costs and empower consumers to play a greater role in their own care. However, little progress has been made on resolving the privacy issues associated with the growing liquidity of personally identifiable health information.
CDT's Health Privacy Project will take on key policy questions, including: the proper role of notice and consent, the right of patients to access their own health records in electronic formats, identification and authentication, secondary uses, and enforcement mechanisms. It will address both the traditional exchange of records among providers and payers, as well as new consumer access services and Personal Health Records.

Deven McGraw, new director of the Health Privacy Project stated that:

This is a critical time for health information privacy. Technologies are being deployed and systems are being designed that will have a far-reaching impact on how personal health information is accessed, stored, and shared. Consumers want the benefits of HIT-enabled healthcare and they want assurances that their privacy will be protected. We can and must move forward on both fronts....
One of our first priorities is to analyze and respond to the HIT-related bills pending before Congress. These bills offer an opportunity to take some critical first steps in improving health information privacy. Then we will work over the next year to develop and build support for a more comprehensive set of policy proposals that address the complex reality of integrating information technology into healthcare.

Core Privacy Principles-- derived from Fair Information Practices:
openness and transparency,
purposes specification and minimization,
collection limitation,
use limitation,
individual participation and control,
data integrity and quality,
security safeguards and controls,
accountability and oversight,
remedies.

Visitors to the CDT website can sign up for many thoughtful and timely +email alerts.(3)

(1) http://www.cdt.org/press/20080311press.php
(2) http://cdt.org/healthprivacy/20080221consentbrief.pdf
(3) http://www.cdt.org/

From today's New York Times online:

In step toward personalized online medical information, Aetna plans to announce Wednesday a new service that draws upon a patient's own medical history to help answer questions about symptoms and treatments.

The Aetna offering, called SmartSource, has been tested by the company's 35,000 employees. It will be offered to employers that provide worker health benefits through Aetna, in a gradual introduction across the country that will begin in August.

Link to the full article here.

Looking for one thing on the Internet, sometimes an interesting surprise is unearthed. Here is one thought in reflecting on one I had today.
For the Supra biotech section generally, I focus on various laws in the making through policy debates and legislation, enacted laws and science-- so much is happening and often developments occur at a speed where events occur and who knows that they did?
I ask myself how is it best to write this or that post using text which comprises relatively little space as compared to a law review/journal paper, who might the audience be who has the time to read it sooner-- or later-- and what might be of interest to readers? What can I offer in doing so to be of service and contribute one small effort to the huge endeavor we point to as lawyer professionalism. Well, you never know.

So today I hoped to find some interesting Supreme Court opinions to write about in regard to cases previously mentioned in my posts. Clicking over to the Scotus website, I found:

Monday, March 31st, 2008 12:01 am, Ben Winograd wrote that at 10 a.m., the Court is expected to release one or more opinions, as well as orders from the Justices' private conference last Friday. We will post copies of both as soon as they become available. (1)

March 28, 2008 While we'd be honored if Justice Scalia read the Law Blog, we sure hope he didn't have us in mind yesterday. In D.C., at a conference of the Food and Drug Law Institute, Scalia reportedly took the news media to task for failing to focus on the text of the laws the High Court interprets. In some instances, said Scalia, the news media leave the impression that no ruling based on the text of a law 'is even possible'.

The referenced and linked AP news story (3) reported in part that:

At a conference of attorneys in Washington, Scalia said news organizations often fail to focus on the text of the laws the court interprets, citing accounts of last month's 8-1 decision that made it harder for consumers to sue makers of federally approved medical devices.

I remember trying to write a post on that case, and ultimately selected a few quotes from the decision that I liked in order to show different sides of the controversy. It was a challenge to communicate through bits and pieces, but I guess you might say that this is a product of poetic license, not legal reporting, offered to the Supra audience which is made up of other lawyers who share certain education and experience.

So, while I think that by sharing the gist of selected legal happenings, through what is written, and what is not written, blog posts can be meaningful to readers, I personally look to various editorials for various opinions. Well reasoned ones are more persuasive.
Some opinions of the news media never grow old. I often re-read one or the other of the Federalist papers, ( published 1787-1788, primarily in two New York state newspapers:
The New York Packet and The Independent Journal. They were reprinted in other newspapers in New York state and in several cities in other states).
Here is one of many, many ideas and observations as discussed in their opinions:

On the subject of the liberty of the press, as much as has been said, I [Hamilton] cannot forbear adding a remark or two: ...What is the liberty of the press? Who can give it any definition which would not leave the utmost latitude for evasion? I hold it to be impracticable; and from this I infer, that its security, whatever fine declarations may be inserted in any constitution respecting it, must altogether depend on public opinion, and on the general spirit of the people and of the government. [3] And here, after all, as is intimated upon another occasion, must we seek for the only solid basis of all our rights.

(1)http://www.scotusblog.com/wp/
(2)http://blogs.wsj.com/law/2008/03/28/scalia-to-news-media-focus-on-the-text/?mod=WSJBlog
(3)The AP news story it is based on is linked via http://hosted.ap.org/dynamic/stories/S/SCOTUS_SCALIA?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT
(4) http://thomas.loc.gov/home/histdox/fed_84.html Federalist No.1 & 84
(5) http://thomas.loc.gov/home/histdox/abt_fedpapers.html

Just out: FDA's "Prescription Drug User Fee Act (PDUFA) IV Drug Safety Five-Year Plan"
draft document dated March 2008.(1)

FDA will use this plan to communicate strategies FDA will follow for using PDUFA IV drug safety resources; communicate our current activity and establish measures to reports progress; and provide FDA leadership and management a foundation for understanding planned PDUFA IV drag safety activities.

A big change: FDA states that FDAAA for the first time recognizes FDA's critical role in assuring the safe and appropriate use of drugs after they are marketed, providing new resources for medical product safety, along with a variety of regulatory tools and authorities.

The Congress, consistent with many recommendations made over the past two years by the [IOM], the GAO, and a multitude of others, directs FDA to shift its regulatory paradigm to recognize that ensuring marketed drugs are used as safely and effectively as possible is equally important as getting new safe and effective drugs to market quickly and efficiently. With the goal of maintaining a systemic and scientific approach to the evaluation of benefit/risk throughout the product lifecycle, FDA must build the scientific and administrative capacity needed to become active and collaborative players in the U.S. healthcare delivery system.

FDA's PDUFA IV strategy includes improving collection and analysis of adverse event data, implementing epidemiology best practices, expanding database acquisition and use for targeted post marketing surveillance and epidemiology, strengthening risk managment and communication tools improving post market information technology systems.

(1) http://www.fda.gov/cder/pdufa/PDUFA_IV_5yr_plan_draft.pdf

March 28, , Governor Paterson announced that $105 million in grants have been awarded to 19 leading community-based health information technology (IT) projects. The grants are central to the state's strategy to ensure that clinical information is in the hands of clinicians and their patients to help guide medical decisions and support the delivery of more coordinated, patient-centered care. Governor Paterson stated that:

Electronic health records will begin to repair our fragmented delivery system by making sure that accurate patient information is quickly available so that we can improve health care quality and efficiency. Electronic health records represent a cornerstone in the transformation of our health care system. They will boost our efforts to improve the delivery of preventative care while maintaining appropriate safeguards to protect patient privacy.

The recipients will build a technical infrastructure that will support health care improvements for all New Yorkers, while ensuring the privacy and security of health information.

One aspect of the New York strategy focuses on Medicaid-reimbursed prescription/preferred drugs:

linking Medicaid data to interoperable electronic health records so that clinicians may electronically receive a patient's Medicaid-reimbursed prescriptions, Medicaid eligibility and recertification period, as well as Medicaid's preferred drugs. This will allow clinicians to prescribe medications electronically and make informed decisions about appropriate and lower-cost therapeutically equivalent medicines at the time the prescription is ordered. It will also provide clinical decision support alerts, such as drug interactions, to improve care and reduce costs.

(1) http://www.state.ny.us/governor/press/press_0328081_print.html

One of 3 interesting editorials from Nature's recent issue is entitled: "Ready or not, Transparency and honesty are essential if the genetic-testing industry is to live up to its potential".(1)
Observing that genome-wide association studies,

...pour out of labs, linking the blips in our genetic make-up to risks of developing particular medical conditions...the ink on the research papers is barely dry before companies unveil commercial versions of the tests....

Following almost as quickly are the concerns being raised about some of the use of such tests....if consumers are to reap the benefits that genetic testing can offer, they need understandable information about the basis , validity, and limitations of the tests.
One proposed structure for providing this information is a publicly accessible registry into which test-makers would be required to upload data about their tests and the studies that back them. This information should be updated as genetic risks are changed or refined , as inevitably they will be....

It is also worth noting that the scientists who have driven this revolution need to assume a prominent role in ensuring that its benefits are not mishandled. Those who start companies, or advise them, can and must lead the way in ensuring that their enterprises are transparent and valid....

(1) http://www.nature.com/nature/journal/v452/n7188/pdf/452666a.pdf
(2) http://www.nature.com/nature/journal/v452/n7188/pdf/452665a.pdf

Nature online at www.nature.com, Vol 452 Issue no. 7188 April 10, 2008

Another security breach in the news, the Chicago Tribune says:

Medical information such as Social Security numbers, pharmacy records and other personal health data from about 130,000 people covered by health insurance giant Wellpoint Inc. may have been accessed via the Internet, the health insurance giant confirmed.

Read the full story here.

If you will indulge a little prognostication, consider that all forms of authenticating a human involve one of three things: something you "have" (like an office key, or a passcard); something you "know" (like a password, or your mother's maiden name); or something you "are" (like a fingerprint or retinal scan). Stronger authentication processes involve combinations of these, say, a passcard AND a password.

It occurs to me that the migration of vast stores of personal information into electronic stores and the subsequent raiding of those stores (whether lawfully or unlawfully) is going to rapidly diminish the value of something you "know" as an authentication tool. Right now, anyone reasonably accomplished on the internet can figure out my full name, date of birth, city I was born in, my mother's maiden name, and possibly the name of my dog growing up, all without violating any laws or paying any money. It's all out there, and I don't even have a personal blog, a Myspace page or an account on Friendster. If I did, it would be even easier. And once there is a generation of inviduals whose entire life is online - - everything, somewhere - - then relying on something one "knows" to prove identity will become a paltry authenticator indeed. If you peg the birth of the web around 1992, those folks are turning 16 this year - - time already for car purchases and credit cards, and soon enough off to college.

That leaves something you "have" and something you "are" to carry the task. But something you "have" was already the weakest and rapidly diminishing in prominence. Keys work just as well for thieves as they do for their rightful owners. The ATM card, for example, only gets you in the door to the ATM, then you have to have the PIN to get any money.

So my guess is that the next ten years will see "something you are" come to fore as the predominant and utlimately sole authenticator of human identity. Point-of-service thumbscans and point-of-contract eyescans may well become the norm. Or perhaps we will return to that quintessential method of signing contracts, sealing deals by affixing the DNA signature present in a drop of our own blood. And even that may fall by the wayside as cloning gains ground in mainstream reproductive methods.

Or, if you really want to carry the ball forward, come up with a next category of authenticator. "Somehow we think?" Seems like we'll need it soon enough.

Update (4/22/08): The University of Miami announced that thousands of computer records have been stolen from the company UM used to store their offsite records.

A private off-site storage company used by the University of Miami has notified the University that a container carrying computer back-up tapes of patient information was stolen. The tapes were in a transport case that was stolen from a vehicle contracted by the storage company on March 17 in downtown Coral Gables, the company reported. Law enforcement is investigating the incident as one of a series of petty thefts in the area.

Shortly after learning of the incident, the University determined it would be unlikely that a thief would be able to access the back-up tapes because of the complex and proprietary format in which they were written. Even so, the University engaged leading computer security experts at Terremark Worldwide to independently ascertain the feasibility of accessing and extracting data from a similar set of back-up tapes.

. . .

Anyone who has been a patient of a University of Miami physician or visited a UM facility since January 1, 1999, is likely included on the tapes. The data included names, addresses, Social Security numbers, or health information. The University will be notifying by mail the 47,000 patients whose data may have included credit card or other financial information regarding bill payment.

Another source, Florida Healthflash, pegged the total number of records stolen at 2.1 million. The 47,000 is the number of records containing billing information.

Read the University's statement here.

From IOM's website-chock full of important projects (1): IOM's Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule- is investigating the effects on health research of the Privacy Rule regulations implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) section on Administrative Simplification. As data and evidence allow, the needs and benefits of patient privacy will be balanced against the needs, risks, and benefits of identifiable health information for various kinds of health research. The committee will formulate recommendations for alterations or retention of the status quo accordingly and prepare a report.
Several helpful powerpoint presentations from the Feb. meeting are archived on the website.
More specifically, this Committee plans to consider/review:
-the range of study types (clinical trials, epidemiologic designs, research using tissue repositories and databases, public health research, and health services research);
-research carried out by a full range of sponsors (government, public/private academic, for-profit sectors, including the pharmaceutical, biotechnology,medical device industries);
-provisions of the Privacy Rule relevant to health research, including those dealing with authorizations and accounting for disclosures of personal health information, de-identification of data, reviews preparatory to research, and others;
-issues of interpretation/implementation of the Privacy Rule and overlapping provisions of the Common Rule/FDA regulations (in existence much longer);
-potential impact of the Rule on: public health research, recruitment of research subjects for studies, conduct of research internationally, research using data and biomaterials in databases and tissue repositories; and
-needs for privacy of identifiable personal health information and the value of such privacy to patients and the public.
Another project underway: IOM's Forum on the Science of Health Care Quality Improvement and Implementation; their goals are to (i)advance the understanding of the value and appropriate role of research philosophies, cultures, and methods and (ii) develop greater awareness and support for appropriate approaches and methods by key stakeholder groups.
Also, an IOM ad hoc committee will undertake a comprehensive review/analysis of the health consequences of lacking health insurance coverage including, for example, the effect on morbidity/mortality for the uninsured population overall and for certain vulnerable groups such as persons with chronic disease and older adults in the years preceding Medicare eligibility (12-month study).
(1) http://www.iom.edu/ Established in 1970 under the charter of the National Academy of Sciences, IOM provides independent, objective, evidence-based advice to policymakers, health professionals, the private sector, and the public. IOM's mission embraces the health of people everywhere.

Over at the NYSBA General Practice Blog Len Sienko has scooped me on this:

Google Health has launched in beta, providing free, online storage in one location for all of your health records.

Read more there.

The CBO recently released a paper titled "Evidence on the Costs and Benefits of Health Information Technology." The upshot:

The potential of health IT to reduce spending for health care depends in large part on its ability to make care more efficient by cutting the cost of delivering services, avoiding redundant services, and improving providers' productivity. Evidence from the literature on health IT, however, does not uniformly support the possibility of such savings.

The potential for savings appears to depend heavily on their source and whether that source is in a hospital or in an ambulatory care setting (such as a clinic or a physician's office). In addition, savings are difficult to assess because the trimming of costs in one area of a physician's practice, for example, may be offset by increased costs or reduced efficiency in another area.

The CBO director commented on the paper in his blog (which Supraspinatus also links to in the right-hand column):

Research does indicate that in some instances, health IT appears to have reduced the cost of providing health care, helped eliminate inappropriate services, and improved the quality of care. In general, however, health IT appears to be necessary but not sufficient to generate cost savings; that is, health IT can be an essential component of an effort to reduce cost (and improve quality), but by itself it typically does not produce a reduction in costs.

The paper itself is worth reading for anyone that deals with progressive health IT issues.

May 22, 2008, HHS Secretary Mike Leavitt announced new FDA/CMS efforts that will complement each other to improve patient safety and the quality of medical care.(1) Read more about the big picture and how CBO sees the Federal government's Activities fit in at CBO's Report, pp24-27(2) and Supra Paul Gillan's post of yesterday on CBO below.

This [FDA] initiative will tremendously increase the FDA's capacity to monitor the use of medical products on the market...moving from reactive dependence on voluntary reporting of safety concerns -- to proactive surveillance of medical products on the market. In addition, Medicare data on prescription drug use will be available to help government agencies and academic researchers improve the safety, quality and efficiency of health care services.(1)

With the Sentinel System we will no longer have to wait years to see how a drug or medical device is affecting millions of people...The era of 'wait and see' is going to become the era of 'tell me right now.' By harnessing the world's most powerful information technologies, and by partnering with CMS, the VA and DoD, and an array of private health care organizations, we will have the ability to monitor a product's performance in millions of patients in real time. The Sentinel System will give us an unprecedented ability to detect problems as they first begin to surface.

There's a clear nexus between the data collected through Medicare's prescription drug program and the FDA's role in protecting the public from adverse events.

Today's New York Times online reports on a partnership between Kaiser Permanent and Microsoft to open data flows between Kaiser's electronic records and Microsoft's personal health record application.

Kaiser Permanente, the nation's largest nonprofit health maintenance organization, is endorsing the drive toward consumer-controlled personal health records in a partnership with Microsoft.

The partnership, announced Monday, will begin with a pilot project open to Kaiser's 156,000 employees, which will run until November. If successful, the product linking Kaiser's patient information with Microsoft's Health Vault personal health record service will be offered to Kaiser's 8.7 million members in nine states and the District of Columbia.

. . .

Both Microsoft and Google have previously announced collaborative pilot projects with other health providers. For Microsoft, they include the Mayo Clinic and NewYork-Presbyterian Hospital. For Google, they include the Cleveland Clinic and Beth Israel Deaconess Medical Center.

But the Kaiser move, analysts say, is significant given the California-based health company's size and its reputation as an innovative user of information technology.

Read the rest here.

Yesterday's online edition of the Congressional Quarterly included an announcement that Medicare will spend some additional money on physicians deploying EHR technology:

The Bush administration announced on Tuesday a new program providing bonuses to doctors using electronic health records — part of a broader push that may yet include new legislation by year’s end.

Health and Human Services Secretary Michael O. Leavitt said that the new program will provide through Medicare about $150 million extra over five years to physicians in selected areas who replace paper medical records with electronic versions. The announcement marks the latest in a series of efforts by the government to encourage the adoption of what is known as health information technology, or health IT, since President Bush issued an executive order creating an office to supervise the issue in 2004. There has also been some recent progress on health IT bills in both the House and Senate.

Read more here.

Update (12:24p) According to a CMS press release, the icentive payments will apparently be limited to certain areas, of which New York is not one.

The communities selected to work with the Centers for Medicare & Medicaid Services (CMS) on the EHR demonstration project range from county- and state- level to multi-state collaborations. They include:

Alabama
Delaware
Jacksonville, FL (multi-county)
Georgia
Maine
Louisiana
Maryland/Washington, DC
Oklahoma
Pittsburgh, PA (multi-county)
South Dakota (multi-state)
Virginia
Madison, WI (multi-county)

The press release is here.

June 3, 2008 Andrew J.Vickers of MSKCC (1) shares his personal perspective from his experience working in a major cancer center in the USA (although other authors have drawn similar conclusions)

[It] is for the reader to judge the degree to which they are applicable to other countries or to non-academic settings.

It is obvious to me that we should prefer a single 10,000 patient randomized trial comparing primary treatment for prostate cancer to having 20,000 patients join the sort of early phase trials that typically go nowhere. We need...more patients on the right sorts of trials.

The American Medical Association has picked up the results of a survey showing that very few patients use online rating sites to choose their physicians.

For all the concern and mistrust over physician rating sites, recent research shows that, for now, few patients are using them to decide where to get their care.

A Harris Interactive poll commissioned by the California HealthCare Foundation found that although more than 80% of the state's adults turn to the Internet for health-related information, less than one-quarter have looked at physician ratings sites. Only 2% of those surveyed made a change in physicians based on information posted on a rating site.

The low numbers aren't really surprising. Physician ranking sites - - where they even exist - - are new and do not have the history and reputational cachet of, say, Zagat, or Consumer Reports. And rating sites are useful primarily for those who are already looking to change physicians.

For my own part, I have a regular physician and I am happy with his services, and I don't have any pressing health issues and am not planning to move my residence or change my employment anytime soon. So even though I have an interest in online physician ranking sites, I have zero need to look at one.

In contrast, my kids are constantly coming home with sniffles, coughs, cuts, bruises, bites, rashes and you name what else. Going online to do some quick research before deciding whether to set in an appointment is second nature.

Besides that, one would hope at least that the majority of information put online about licensed, practicing physicians would confirm an inquiring patient's view that the physician is a competent and trustworthy practitioner. If the rest of the oversight system is operating as it should, physicians who are not worthy of a license for whatever reason should not be available to patients to begin with.

The online rating site should really serve to point out which characteristics of a physician or the physician's practice most closely align with the patient's personal values. For example, does a patient prefer a practitioner with a curt bedside manner or one who is more affable and chatty? Will patients endure longer wait times for physicians who will spend an unplanned half hour discussing a problem, or would they rather bypass the waiting room to get their ten minutes - - but only ten minutes - - quickly?

Although AMA downplays the survey results, I find them interesting for two reasons:

According to the survey of 1,007 Californians conducted by Harris Interactive between Nov. 5, 2007, and Dec. 17, 2007, the number of people who said they had looked at physician rating sites grew from 14% in 2004 to 22% in 2007.

First, a quarter of all patients is nothing to sneeze at. Second, the 2007 numbers are a 150% increase over the 2002 numbers. If the trend continues, by 2010 the number of online users will reach 1/3 of all patients. With the proliferation of rating sites by payors, consumer groups, advocacy groups and government agencies, my guess is that we will get to 1/3 long before 2010.

Read AMA's news article here.

News from CDT's Policy 14.9 June 24, 2008, Privacy and Security Principles for Health Information Technology (1). CDT joined prominent health care providers, Internet companies, insurers, and other consumer advocates in endorsing a set of practices for new Internet services that allow individuals to access and maintain their personal health information. The framework, developed in a collaborative process organized by the Markle Foundation, recommends a detailed and comprehensive set of practices that can help protect the privacy and security of Personal Health Records (PHRs) and other services.
Of interest to Supra biotech readers: Consumer Technology 1 ('CT1') under 'Technology Overview' -this document provides scenarios designed to illustrate electronic data streams for the most common transaction in health care: a drug prescription.

The first scenario describes a common and simplified set of transactions stemming from a small clinical practice. The second scenario adds sophistication and complexity, depicting transactions that are less common today (although they may become more common in the emerging electronic environment).(2)

Connecting to Health accepts that much of our valuable personal health data is stored in and managed by numerous entities. The next key challenge is to establish the rules and techniques that establish trust among participants over a 'network of networks'. Policy rules will be needed in a number of areas, including patient consent, secondary use, and data management.

Identity has quickly emerged as a primary problem in network access...our desire to stimulate national progress in addressing this particular obstacle to consumer's access to networked use of personal health records....we hope that this paper contributes to a growing consensus that the path forward on consumer authentication requires careful thinking, new research, and innovative approaches.(3)

Connecting for Health is a public-private collaborative with representatives from more than 100 organizations across the spectrum of health care stakeholders. Its purpose is to catalyze the widespread changes necessary to realize the full benefits of health information technology (HIT), while protecting patient privacy and the security of personal health information.(4)

This work was originally published as part of a compendium called The Connecting for Health Common Framework for Networked Personal Health Information and is made available subject to the terms of a license (License) which may be viewed in its entirety at: http://www.connectingforhealth.org/license.html. You may make copies of this work; however, by copying or exercising any other rights to the work, you accept and agree to be bound by the terms of the License. All copies of this work must reproduce this copyright information and notice.

For stargazers who visit Supra, here is a weekly publication I have found useful over time--it is grounded in business. The 'Business Digest' newsletter from the Pharmaceutical Business Review (1) published weekly, originates in the UK. With due respect to posting about it on the Supra blog as it is likely to be of interest and helpful to visitors by its nature, the newsletter contains unique content and is edited by Chris Eatough and it may be subscribed to (2). As one function of their other "Business Review" websites, it offers content that is produced by a dedicated team of journalists and global industry experts. In addition to the free content made available on the sites, an intelligence store ($$$) offers premium market analysis reports from the leading global suppliers of market research and industry analysis.
How is this related to the health care law? The newletters show a comprehensive and reliably current context on the subjects it covers-- legal references are sprinkled throughout. Invariably I would expect that you will find their 'Regulatory Developments' section interesting; it often focuses on the US Federal agencies. Or also, their 'Analyst's View',(about a page of reading sectioned into the newsletter itself) will contain US 'legal' material. For example, in this week's (July 8, 2008) 'Analyst's View' (reference to several Datamonitor reports from the intelligence store), they opine in part:

Following the controversy with Vioxx in 2004, US legislators were prompted to significantly expand the FDA's authority by passing the FDA Amendments Act of 2007. Although it is not yet certain to what extent the FDA will use its new powers, this crucial legislation changes the balance of power between pharmaceutical companies and the FDA, giving the agency greater powers to impose additional safety studies both prior to and post-approval. Thus, the legislation has the potential to increase development costs, reduce market penetration and impact upon approval rates. However, the new FDA power to demand post-marketing studies may actually be beneficial for certain drugs that would not be approved otherwise. Additionally, in recent years, the duration of clinical trials has increased so that, despite swifter approval times, the duration between the start of Phase I clinical trials and approval is becoming longer.

AP reports:

Beginning Jan. 1, the federal government will boost Medicare's payments to doctors that send prescriptions electronically to a pharmacy rather than writing them out on paper and handing them to the patient.

Read the AP release here.

Today's FDA webpage show key initatives in their 'Spotlight' focus. This provides a nice overview of what is happening here in recent history and links to the respective website that focuses on each initiative.

Through specially targeted initiatives, FDA intensifies efforts to ensure the safety of America’s food supply, and to make safe, effective, and affordable medical products available to the public, whether imported or made in the USA.

A study of health care providers' blogs conducted by Dr. Tara Lagu of the Robert Wood Johnson Foundation yielded some interesting findings:

We identified 271 medical blogs. Over half (56.8%) of blog authors provided sufficient information in text or image to reveal their identities. Individual patients were described in 114 (42.1%) blogs. Patients were portrayed positively in 43 blogs (15.9%) and negatively in 48 blogs (17.7%). Of blogs that described interactions with individual patients, 45 (16.6%) included sufficient information for patients to identify their doctors or themselves. Three blogs showed recognizable photographic images of patients.

The abstract of the article is available free online at SpringerLink.
The LA Times covered the article August 4, 2006, here.

August 2008.

FDA recently launched a new Health Professionals web page as part of a larger effort by the agency to increase interactions and communications with health professional organizations. The webpage provides useful, timely, and accessible information to the nation's physicians, nurses, pharmacists, and other members of the health professional team.

Through this communications column on the FDA Web site, Commissioner for Food and Drugs Andrew von Eschenbach will discuss weekly FDA issues of interest to the American consumer and occasionally preview upcoming FDA issues and events.

(1)http://www.fda.gov/healthprofessionals/
(2)http://www.fda.gov/oc/vonEschenbach/andys_take/default.html

Posted here on Supra a general news item about law blog events.
From the ABA Journal Website newsletter, Martha Neil reports that 'RIAA Seeks Sanctions for N.Y. Lawyer’s ‘Vexatious’ Blog Posts of Case Filings'.

A lawyer who is known for defending individuals accused of peer-to-peer sharing of copyrighted works over the Internet is now on the hot seat himself.
The Recording Industry Association of America is seeking sanctions against a New York attorney in a federal court case in New York, claiming that he has engaged in 'obstructionist tactics' and provided 'misinformation.' Its filing is based in part on the attorney's postings on his blog, Recording Industry vs The People, explains Legal Blog Watch.
The Legal Blog Watch post is based an earlier post on Wired magazine's Threat Level blog about RIAA's claims that the attorney engaged in 'vexatious' litigation tactics.
Wired provides a copy of the 31-page motion motion (PDF).

'Finding Reliable Health Information Online' , a webpage from an NIH educational initiative provides tips with links (1), and presents a good organizational tool to frame a health info query.
For example, in relating back to an orphan drug inquiry, NIH observes:

As Internet users quickly discover, an enormous amount of health information is available online. Finding accurate and reliable information on genetic and rare diseases among the millions of online sources is a difficult task for almost everyone. We hope these tips will help you perform searches more easily.

Articles discussing treatment:These articles discuss the effects in humans of various treatments that have been tested or used in a specific disease. Articles that discuss treatment may be about many different types of studies that are conducted in humans. Some of the more common studies include clinical trials, case-control studies, cohort studies and case reports.
Treatment articles in published scientific literature report human studies with negative outcomes as well as those with positive outcomes. In other words, some articles report studies where a treatment was deemed to have beneficial effects, while others report studies where a treatment was not deemed to have beneficial effects and/or may have been associated with side effects, some of which could be severe.
Some studies report on the safety of a particular treatment, and do not directly address whether the treatment was actually deemed to have had a beneficial effect. The treatment discussed may be already in use, or it may be experimental and not widely available (or not available at all).
Interpreting the results of studies and weighing the evidence can be a very complex task. Because of this complexity, and because of the technical nature of these articles, we strongly recommend that you discuss with your physician any articles that interest you.

The University at Albany Libraries (1) developed the Internet Tutorials site to provide information on how search engines work and how they perform these searches. The site provides users with names of search engines, and also offers information and tutorials on using and searching the Web, browsers, research guides and subject directories.All tutorials are maintained by Laura Cohen. She is emeritus faculty at the University at Albany, SUNY, where she served on the faculty of the University Libraries for many years.

CMS is responsible for oversight of the "security" provisions of the federal Health Insurance Portability and Accountability Act ("HIPAA"). The HHS Office of Inspector General ("OIG") recently reviewed CMS' enforcement activity. In a nutshell:

[OIG] found that the Centers for Medicare and Medicaid Services (CMS) had taken limited actions to ensure that covered entities adequately implemented the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. These actions had not provided effective oversight or encouraged enforcement of the HIPAA Security Rule by covered entities. The HIPAA Security Rule requires a covered entity, such as a health plan or health care provider that transmits any health information in electronic form, to (1) ensure the integrity and confidentiality of the information, (2) protect against any reasonably anticipated threats or risks to the security or integrity of the information, and (3) protect against unauthorized uses or disclosures of the information.

The rest of the executive summary and a link to the complete report is on the OIG website here.

Public awareness note: FDA news today reports that FDA is warning consumers about a fraudulent scheme to extort money from consumers by callers who falsely identify themselves as 'FDA special agents' or other FDA officials. (1) Several instances have been reported to the FDA of calls enticing consumers to purchase discounted prescription drugs by wiring funds to one of several locations in the Dominican Republic. No medications are ever delivered. A subsequent call is received from a fraudulent 'FDA special agent' informing the consumer that a fine of several thousand dollars is required to be sent to an address in the Dominican Republic to prevent incarceration or other legal action. Michael Chappell, the FDA's acting associate commissioner for regulatory affairs advises:

The public should note that no FDA official will ever contact a consumer by phone demanding money or any other form of payment. FDA officials always present identification in person when conducting official business.

The newly released 2009 edition of the International Compilation of Human Subject Protections (85 pp) is a compilation, prepared by the Office for Human Research Protections of the U.S. Department of Health and Human Services,designed for use by IRBs, researchers, sponsors, and others involved in human subject research around the world.
This Compilation lists the approximately 1,100 laws, regs, and guidelines that govern human subjects research in 92 countries as well as standards from a number of international and regional organizations. Additions from the 2008 Edition include info regarding 7 more countries: Burma, Egypt, Gambia, San Marino, South Korea, Sudan and Vietnam. While reasonable efforts have been made to assure the accuracy and completeness of the info provided, OHRP cautions that researchers and other individuals should check with local authorities and/or research ethics comittees before starting research activities.
Under each country, information is provided under the headings:
General i.e. applicable to most or all types of human subjects research,
drugs,
privacy/data protection,
human biological materials,
genetic,
embryos, stem cells and cloning.
The information also provides info regarding the key organizations that issue the regs/guidelines or serve in a national oversight role for human subjects research, in addition to info regarding the legislation, regs, and guidelines.
The on line document provides links to listed web addresses, in most cases the linked dox are in English or otherwise are an English non-official version of the document.
Clearly this is a valuable resource.
(1)http://www.hhs.gov/ohrp/international/HSPCompilation.pdf

FDA and WebMD announced a collaboration that expands consumers' access to the agency's timely and reliable important health information. WebMD, which attracts nearly 50 million unique visitors each month, provides consumers with credible and timely health news and information. (1) The partnership includes:
-A new online consumer health information resource on WebMD.com (www.webmd.com/fda);
-FDA Consumer Updates will also be featured at least 3 times a year in WebMD's bimonthly magazine (distributed to physician office waiting rooms across the country).

Consumers have increasingly consulted all types of sources to find health information, and the Internet is their fastest growing resource, according to a national study released in August 2008 by the Center for Studying Health System Change. Researchers found that 32 percent of American consumers—70 million adults—conducted online health searches in 2007, compared with 16 percent in 2001. The study also found that most consumers who researched health concerns reported positive outcomes. More than half of those surveyed said the information changed their overall approach to maintaining their health. Four in five said the information helped them better understand how to treat an illness or condition.

From the December 3 GovernmentHealthIT:

As part of its certificate of need process, New York state is requiring that hospitals investing in major clinical information technology systems enable those systems to communicate with the developing Statewide Health Information Network for New York (SHIN-NY).

The new requirement will have its first effect Dec. 11 when the State Hospital Review and Planning Council is expected to approve an application by Mount Sinai Hospital in New York City to spend more than $34 million on a new inpatient medical records system.

Read the rest here.

Hat tip to Maureen Blazowski for suggesting this article. Thanks, Maureen!

From CDT, here is an up to date and concise resource-- a helpful frame of reference about some of the issues regarding online medical records and related privacy concerns. CDT observes that:

The public has significant privacy concerns about having their medical records on-line. That mistrust of health IT poses a serious obstacle to its widespread adoption. We need to build on the privacy rules already found in HIPAA and create new protections leading to a comprehensive privacy and security policy framework for the evolving e-health environment. But persistent myths about HIPAA's privacy provisions create obstacles to moving forward with workable policy solutions. [CDT's] "HIPAA and Health Privacy: Myths and Facts-Part II" paper debunks some of the most common myths, clearing the way for more productive discussions about the policies needed to build the public's trust in health IT.
The January 2009 paper notes that we cannot have a meaningful dialogue about how to improve the HIPAA Privacy Rule and build a more comprehensive privacy framework until we have a shared and clear understanding of what protections exist in current law and where the law falls short.

From today's AP wire:

Doctors in western New York have a new, electronic way to access patient records with the hope of reducing medical errors and avoiding costly duplicative tests.

The HEALTHeLINK Western New York Clinical Information Exchange is a step toward Gov. David Paterson's goal of creating a unified statewide system where doctors can access records that are now scattered among different clinics and offices.

Read more here.

From the U.S. Senate Daily Digest, 1/28/09: The Senate agreed on Wed. to S. Res. 25, expressing support for designation of 1/28/09, as ``National Data Privacy Day''.(1)

The recognition of 'National Data Privacy Day' will encourage more people nationwide to be aware of data privacy concerns and to take steps to protect their personal information online.

[The] Internet and the capabilities of modern technology cause data privacy issues to figure prominently in the lives of many people in the United States at work, in their interaction with government and public authorities, in the health field, in e-commerce transactions, and online generally. [Many] individuals are unaware of data protection and privacy laws and of specific steps that can be taken to help protect the privacy of personal information online....
[National] Data Privacy Day constitutes an international collaboration and a nationwide and statewide effort to raise awareness about data privacy and the protection of personal information on the Internet. [Government] officials from the U.S. and Europe, privacy professionals, academics, legal scholars, representatives of international businesses, and others with an interest in data privacy issues are working together on this date to further the discussion about data privacy and protection.
[Privacy] is a central element of the mission of the FTC and the Commission will need to continue to educate consumers about protecting their personal information. Their consumer education campaigns should be part of a National effort.
The Senate encourages individuals across the Nation to be aware of data privacy concerns and to take steps to protect their personal information online.

Simple resolutions are designated H.Res. and S.Res., followed by a number. A simple resolution addresses matters entirely within the prerogative of one house, such as revising the standing rules of one Chamber. Simple resolutions are also used to express the sentiments of a single house, such as offering condolences to the family of a deceased member of Congress, or it may give "advice" on foreign policy or other executive business. Simple resolutions do not require the approval of the other house nor the signature of the President, and they do not have the force of law.(2)

From Government Computer News ("GCN") online:

If you want another good reason to make sure your sensitive data is adequately locked down, look no farther than the Veterans Affairs Department, which last week agreed to pay $20 million to settle a class action lawsuit over the 2006 loss of a laptop containing records with personal information about up to 26.5 million veterans and active duty personnel.

That’s a lot of money, and it will be paid from taxpayers’ dollars, but VA got off lucky. The suit originally asked for $1,000 for each person whose data was exposed, which could have been more than $26 billion. That’s nearly enough to bail out a good-sized bank.

Read the rest here.

From Martha Neil's article (published 3/4/09, the ABA Journal Newsletter online) flagging a New York Times report on the apparent upward trend in copyright infringement lawsuits directed at bloggers and other on line publishers: How Much Excerpting is Too Much? 'Scraping' Suits May Hone Fair Use Rules (1):

It is considered a clear fair use of copyrighted material when bloggers excerpt a quotation and link to the online publication that initially printed it....If federal lawmakers don't act to revise the statutory fair-use standard, copyright litigation is likely to develop the specific rules that apply to Internet republication.

The legal disputes are emblematic of a larger question that has emerged from the Internet’s link economy. The editors of many Web sites, including ones operated by the Times Company, post excerpts from competitors’ content from time to time. At what point does excerpting from an article become illegal copying? Courts have not provided much of an answer. In the United States, the copyright law provides a four-point definition of fair use, which takes into consideration the purpose (commercial vs. educational) and the substantiality of the excerpt...[by Brian Stelter published 3/1/09]

Web scraping (or Web harvesting, Web data extraction) is a computer technique of extracting information from websites using specially coded software programs. Usually, such software programs simulate human exploration of the Web by either implementing low-level Hypertext Transfer Protocol (HTTP), or embedding certain full-fledged Web browsers, such as the Internet Explorer (IE) and the Mozilla Web browser. Web scraping is closely related to Web indexing, which indexes Web content using a bot and is a universal technique adopted by most search engines. In contrast, Web scraping focuses more on the transformation of unstructured Web content, typically in HTML format, into structured data that can be stored and analyzed in a central local database or spreadsheet. Web scraping is also related to Web automation, which simulates human Web browsing using computer software. Exemplary uses of Web scraping include online price comparison, weather data monitoring, website change detection, Web research, Web content mashup and Web data integration. (3)

The New York TImes and Int'l Herald Tribune are launching a new joint website: the Global Edition at global.nytimes.com combining their international reporting and voices from a distinctly global perspective.
Thanks to TV5MONDE for their news report.(2)
(1)http://www.nytimes.com/marketing/globaledition/
(2)http://www.tv5.org/TV5Site/info/afp_article.php?rub=med&idArticle=newsmlmmd.8051fee3429ac9e75dd298cdedf0b49d.221.xml&titre=Nouvelle+formule+web+et+papier+pour+l%27International+Herald+Tribune

From today's New York Times online:

NewYork-Presbyterian Hospital, whose centers and clinics provide about 20 percent of the health care in New York, is the first large institution to move beyond the pilot stage this week as it begins to offer consumer-controlled health records for patients, and its experience will be closely watched in the industry.

NewYork-Presbyterian has been working with Microsoft for more than a year, not only on technical matters but also ease-of-use concerns with patients. The introduction will be gradual, beginning with heart patients, who will be told of the potential benefits of personal health records when they visit a NewYork-Presbyterian hospital or outpatient clinics.

See the rest here.

Excerpts from (FDA) CDER news 4/6/09. AERS, the Adverse Event Reporting System,contains over 4 million reports of adverse events and reflects data from 1969 to the present. Data from AERS are presented here (1) as summary statistics covering data received over the last 10 years. (updated 4/6/09)

Reports Received and Reports Entered into AERS by Year;
Domestic and Foreign Reports by Year;
Reporting by Healthcare Providers and Consumers by Year;
Patient Outcomes by Year. Serious outcomes include death, hospitalization, life-threatening, disability, congenital anomaly and/or other serious outcome.

AERS is a useful tool for FDA which uses it for activities such as looking for new safety concerns that might be related to a marketed product, evaluating a manufacturer's compliance to reporting regulations and responding to outside requests for information. The reports in AERS are evaluated by clinical reviewers in CDER and CBER to monitor the safety of products after they are approved by FDA. If a potential safety concern is identified in AERS, further evaluation might include epidemiological studies. Based on an evaluation of the potential safety concern, FDA may take regulatory action(s) to improve product safety and protect the public health, such as updating a product’s labeling information, restricting the use of the drug, communicating new safety information to the public, or, in rare cases, removing a product from the market.(3)

-there is no certainty that the reported event was actually due to the product. FDA does not require that a causal relationship between a product and event be proven, and reports do not always contain enough detail to properly evaluate an event.
-FDA does not receive all adverse event reports that occur with a product. Many factors can influence whether or not an event will be reported, such as the time a product has been marketed and publicity about an event. Therefore, AERS cannot be used to calculate the incidence of an adverse event in the U.S. population.

The Washington Post reports online today on a major heist of electronic medical information that happened last week and has been kept remarkably quiet.

Hackers last week broke into a Virginia state Web site used by pharmacists to track prescription drug abuse. They deleted records on more than 8 million patients and replaced the site's homepage with a ransom note demanding $10 million for the return of the records, according to a posting on Wikileaks.org, an online clearinghouse for leaked documents.

The state discovered the intrusion April 30. Read the full Post story here.

This is an interesting bit.

[Children's Medical Center Dallas] posted live updates on Twitter, or "tweeted", throughout a pediatric kidney transplant. It is one of the most recent healthcare organizations to tweet live during surgery—a growing trend in hospitals that started when Henry Ford Health System in Detroit tweeted a robotic partial nephrectomy on February 9, garnering the organization a great deal of media coverage.

Two things occur to me when I read this.

The first is, this is all great when the surgery goes smoothly. But the cynic in me knows that surgeries can and do go wrong, sometimes horribly. Will the surgical team tweet throughout the entire crash? Can you imagine the family getting tweets like, "BP falling rapidly" or "SPO2% below 80, she's turning blue" or "applying the paddles @300 joules" or - - - even worse, perhaps - - suddenly no more tweets at all?

The second is a whole raft of practical and legal questions. Are hospital tweets part of the patient record? If not, should they be? And if so, how are they captured, if at all? If they are captured, how are they stored and recovered? And what use might they be either in discovery or at trial?

Finally, are lawyers (for ANY of the parties involved) ready for this?

HHS has released a new report on health care disparities in America. Pulling together with many grassroots and community representatives who shared yesterday (1) important information and experiences about the nature of health care disparities which exist in our current health care system, HHS Secretary Kathleen Sebelius participated in a White House Health Care Stakeholder Discussion on the importance of reform that reduces such disparities and works towards health equity.Throughout the discussion, participants voiced concerns about the existence of and need to fill many voids in 'data collection' in order to support better health policy decisions and overall the health reform initiative.

On another note, below are excerpts from a public policy briefing developed by CDT (2) on the subject of PHR.(3)

Personal health records (PHRs) — records that are managed, controlled, and shared by individuals rather than their healthcare providers—hold the potential to transform healthcare by empowering consumers and patients to become key, informed decision-makers in their own care. These records increase individual control over personal data and permit individuals to record, store, and share relevant health information, including data that may be missing from official medical records, such as pain thresholds in performing various daily activities, details on the side effects of medication, and daily nutrition and exercise logs.
However, the public will be reluctant to use PHRs without reasonable privacy and security measures in place to protect their data. To date, no comprehensive set of privacy and security rules effectively governs PHRs. Congress has taken a step toward addressing this problem as part of the recent economic stimulus legislation: [HHS] and [FTC]are tasked with drafting joint recommendations regarding PHR privacy and security requirements by February 18, 2010 for those records not covered under the privacy and security regulations of HIPAA. In addition, PHR vendors are covered by new federal requirements that they notify individuals in the event of a breach of health data. However, more action is needed to build public trust in PHRs.
In this policy post, CDT advocates for the adoption of consistent policies to govern all PHRs. CDT also identifies the deficiencies of the current HIPAA Privacy Rule as applied to PHRs and offers some recommendations for establishing privacy and security protections for these tools.

EVENT NOTE: THE HEALTH LAW SECTION'S SPECIAL COMMITTEE, E-HEALTH & INFO SYSTEMS, Chaired by Raul Tabora, Jr., presents on JUNE 18 2009 some of the practical issues affecting health info technology in New York State. Anna Colello, Esq. will moderate, NYS Office for Technology and DOH initiatives presented by Susan Beaudoin, Esq, GC (OFT ) and Dr. Patricia Hale, Deputy Director (OHITT at DOH)

Commissioner Hamburg recently presented the new FDA.gov website (1-see the video).
The new website is easier to read and navigate around due to changes in space methods and an improved, helpful organization. It's a better guide and the space and content work well together.
Also, the new FDA Transparency Blog shows q's posted along with news items and notices-- readers' responses to FDA posts are steadily being posted and shared by many in the know. The comments make some good points. One comment posted on the blog indicated that a window can be transparent in order to see what is going on inside but it is more important to understand the meaning of what one sees and to establish trust about what you are seeing. (**)

The purpose of this Transparency Blog is to discuss various ways in which the [FDA] could provide information to the public about what FDA is doing, the bases for FDA’s decisions, and the processes used to make agency decisions. The blog is expected to run for the next 6 months (June through November 2009)....FDA provides blog posts and updates over the coming weeks asking for your feedback on these topics.

For the biotech part of Supra, I'd hoped to develop a reference tool in part.
At Year #2 for biotech postings, continued here and in the following post are 2 dox for archive purposes.
Read below the fold for the--
BIOTECH ARCHIVE INDEX FOR POSTINGS JULY 13, 2008 TO JULY 14, 2009 (9 PAGES)
POSTING ENTRY TITLE, DATE AND FIRST SENTENCE.

Here is a second document for archives purposes which I also hope will be helpful.
This index shows the weblinks visited and referenced via the Supra weblink per posting for this last year of biotech posts.
BIOTECH ARCHIVE INDEX OF WEBLINKS PER POSTING JULY 13,2008 TO JULY 14,2009 (11 PAGES)
See below the fold.

Today's New York Times reports:

North Shore-Long Island Jewish Health System plans to offer its 7,000 affiliated doctors subsidies of up to $40,000 each over five years to adopt digital patient records.

Read the full article here.

Reported on Boston.com, a laptop containing unencrypted physician contracting files for every physician contracted with a Blue Cross Blue Shield affiliate was stolen from the BCBS employee holding the data.

The breach involves "tens of thousands" of physicians nationwide, although the precise number is unclear, according to a national Blue Cross-Blue Shield spokesman. Thirty-nine affiliates feed information about providers into a database maintained by the association's national headquarters.

. . .

Jeff Smokler, national Blue Cross-Blue Shield spokesman, said the insurance giant - roughly 90 percent of physicians nationwide are in its network - encrypts all of its information on company computers, but an employee who was authorized to have the information violated company rules by downloading an unencrypted version onto a personal laptop. The laptop was stolen after the employee left headquarters with it.

Read the full article on boston.com here.

The Privacy Rights Clearinghouse puts the number of physician files at 850,000, with about 185,000 of those files containing the social security number of the subject physician.

The federal government and the technology industry have teamed up to prepare straightforward, plain-language materials that you can use to help computer users be on guard against Internet fraud, secure their computers, and protect their personal information. (1)

OnGuardOnline.gov provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information.....Going online can be a convenient way to research health care products and find answers to health-related questions. But taking your health online also requires some extra investigative effort on your part....

Expand your cyber vocabulary by perusing our glossary of Internet terms, or, for some hands-on knowledge, watch a tutorial on such topics as spam filtering and wireless security.(3)

(1)http://www.onguardonline.gov/about-us/how-to-spread-word.aspx
(2)http://www.onguardonline.gov/topics/overview.aspx
http://www.onguardonline.gov/topics/your-health-online.aspx
(3)http://www.onguardonline.gov/tools/overview.aspx

12/14/09 Gov. Paterson accepted the final report from the Task Force on Diversifying the New York State Economy through Industry-Higher Education Partnerships (1). Key recommendations to create an "innovation ecosystem" focus on University practices that raise awareness of entrepreneurship and Industry-collaboration opportunities on and off campus and Industry practices that leverage open innovation principles and university expertise to stay on the cutting edge. Another Key Recommendation focuses on Critical Mass in Strategic Areas that invests in fields where New York can be a world-leader-health care and life sciences, energy, nanotechnology, and agriculture and the food industry among others.
Among many different kinds of initiatives delving into the nature of collaboration and competition in university and industry research and development is one convened by the National Academies-- the University-Industry Demonstration Partnership (UIDP) (2). UIDP's mission is to enhance the value of collaborative partnerships between universities and industry in the U.S. Its core member organizations consist of companies and universities, including ones from New York .

The UIDP members work in concert to accomplish the organization’s strategies for enhancing the value of university-industry partnerships in the U.S....UIDP provides a forum for representatives from universities and industries to come together to discuss intellectual property and other issues over which disagreements are likely to arise. These conversations might otherwise never take place, and they help each side come to the table with a better understanding of their counterpart’s culture and interests. While the UIDP does develop and test tools that streamline university-industry license agreements, it does not perform any licensing for organizations.

What is TurboNegotiator?
UIDP has concluded that, as opposed to a universal model agreement, a process in which negotiators could quickly craft a unique agreement that fits the characteristics of the project at hand while satisfying the mission-critical needs of both partners would be more effective. If the process were embodied in a software tool, the improved approach could be easily replicated and disseminated. This concept has been nicknamed “TurboNegotiator.”
The TurboNegotiator software will use interview questions to define the unique situation of the user and automatically deliver candidate clauses in response to a series of defining questions. The software will be refined based on concrete experiences to address such variables as the type and size of the university and company involved; the level of confidentiality needed; national security concerns; if student thesis work may result; or even the amount of funding anticipated.

On January 13, 2010, CMS published a proposed rule to implement ARRA provisions related to incentive payments to health care professionals and hospitals that adopt electronic health record technology. In 169 Federal Register pages, CMS addressed, among other things, criteria that a professional or hospital must meet to qualify for the payments, calculation of payment amounts, and payment adjustments for professionals and hospitals that adopt but do not meaningfully use EHR technology.

Read the proposed rule here.

In an article at Forbes magazine, Andy Greenberg looks for the next big issue in health reform:

In a study released Monday by the privacy-focused Ponemon Institute, Americans registered a deep distrust of anyone in either the federal government or private industry who might store digital health records like those that the Obama administration has encouraged hospitals to create.

The article provides some interesting statistics on public perception around electronic health records and how government agencies, health care providers, and private businesses should use or have access to such information.

To get to the good stuff, however, you have to navigate past both an annoying ad page and Greenberg's equally annoying (not to mention non-sequitur) lede:

As President Obama has learned over the last year, Americans tend to get angry when you try to fix the country’s dysfunctional health care system.

You could have fun thinking up the many different responses to that kind of statement, if the subject matter itself wasn't so darn serious. For my own part, I tend to get angry when someone tries to sell me something that isn't what they say it is. If, for example, I took my car to the shop because the brakes were working poorly, I would get angry if they proposed to "fix" the brakes by installing a large and expensive sail on the roof of the car to create extra drag, thereby slowing down the car and "solving" the braking problem. Perhaps Americans are likewise angry that the current reform proposals address symptoms instead of problems, are expensive, and don't "fix" much of anything.

From the DOH website Friday, Feb 19:

Governor David A. Paterson and State Health Commissioner Richard F. Daines, M.D., today announced three major federal funding awards totaling $70 million through the American Recovery and Reinvestment Act (ARRA) for health information technology in New York.

. . .

The U.S. Department of Health and Human Services has awarded the New York eHealth Collaborative (NYeC) $26,534,999 as the State's designated entity for statewide health information exchange.

. . .

NYeC will [also] receive $22,364,782 and the New York City Department of Health and Mental Hygiene (NYCDOHMH) will receive $21,754,010 to support more than 9,000 primary care physicians who select and implement electronic health records (EHR) systems and qualify for federal incentive payments.

Read the DOH press release on the DOH website.

NY Times Global Edition (1) reports:

[3] Google executives were convicted of violating Italian privacy laws …, the first case to hold the company's executives criminally responsible for the content posted on its system.... Still, the upshot of the ruling, if it prevails on appeal, is that Google will be expected in Italy to monitor the content it hosts.... the Google spokesman, said that would be impossible considering that 20 hours of video are uploaded to its site every minute.

Governments and citizens must have confidence that the networks at the core of their national security and economic prosperity are safe and resilient. Now this is about more than petty hackers who deface websites. Our ability to bank online, use electronic commerce, and safeguard billions of dollars in intellectual property are all at stake if we cannot rely on the security of our information networks….The freedom to connect to these technologies can help transform societies, but it is also critically important to individuals. I was recently moved by the story of a doctor – and I won’t tell you what country he was from – who was desperately trying to diagnose his daughter’s rare medical condition. He consulted with two dozen specialists, but he still didn’t have an answer. But he finally identified the condition, and found a cure, by using an internet search engine. That's one of the reasons why unfettered access to search engine technology is so important in individuals’ lives….

Franklin Roosevelt built on these ideas when he delivered his Four Freedoms speech in 1941. Now, at the time, Americans faced a cavalcade of crises and a crisis of confidence. But the vision of a world in which all people enjoyed freedom of expression, freedom of worship, freedom from want, and freedom from fear transcended the troubles of his day….That's why today I'm announcing that over the next year, we will work with partners in industry, academia, and nongovernmental organizations to establish a standing effort that will harness the power of connection technologies and apply them to our diplomatic goals. By relying on mobile phones, mapping applications, and other new tools, we can empower citizens and leverage our traditional diplomacy.…Let me give you one example. ...
We'll be asking Americans to send us their best ideas for applications and technologies that help break down language barriers, overcome illiteracy, connect people to the services and information they need. Microsoft, for example, has already developed a prototype for a digital doctor that could help provide medical care in isolated rural communities. We want to see more ideas like that. And we'll work with the winners of the competition and provide grants to help build their ideas to scale.

(1)http://www.nytimes.com/2010/02/25/technology/companies/25google.html?ref=europe see news article for EU directive info electronic commerce info
(2)http://www.state.gov/secretary/rm/2010/01/135519.htm The Newseum,Washington, DC.
(3)http://blogs.state.gov/index.php/site/entry/ghi_pepfar
Below- note on US Dept of State, the Global Health Initiative.

4/8/10- A White House press release announced that (1) President Obama released the names of 10 individuals whom he intends to appoint to the recently created Presidential Commission for the Study of Bioethical Issues.

The President previously named the chair and vice chair of the Commission—University of Pennsylvania President Amy Gutmann and Emory University President James Wagner—in exploring bioethical issues anticipated to emerge from advances in biomedicine and related areas of science and technology.

the selected Commissioners are highly diverse in terms of professional backgrounds, geography, and experience. In a break from past practice, most are not professional bioethicists, but rather have worked and demonstrated extraordinary proficiency in an array of fields burdened with difficult challenges at the intersection of science, technology, and ethics….[reflecting] a growing society-wide recognition that many of today’s most difficult decisions at the boundaries of science and society are not just about biology and medicine but involve hardware, software and related technologies such as robotics.

From HHS news-7/8/10-HHS Secretary Kathleen Sebelius announced important new rules and resources to strengthen the privacy of health information... (1)From the Joint Statement:

[The] proposed regulations under HIPAA of 1996 would expand individuals’ rights to access their information and restrict certain disclosures of protected health information to health plans, extend the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establish new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without patient authorization.... strengthen and expand OCR’s ability to enforce HIPAA’s Privacy and Security provisions.(1)

The Office of the National Coordinator for Health Information Technology of the U.S. Department of Health and Human Services (HHS) selected two companies to test and certify new electronic health record (EHR) systems as eligible for federal reimbursement. The Certification Commission for Health Information Technology (CCHIT) and The Drummond Group will work with vendors and developers to assure that EHR systems conform to the standards set forth in federal regulations, including the meaningful use criteria released in July 2010. Read the HHS press release here.