Reconsidering hospital EHR adoption at the dawn of HITECH: implications of the reported 9% adoption of a "basic" EHR.

OBJECTIVE: In 2009, a prominent national report stated that 9% of US hospitals had adopted a "basic" electronic health record (EHR) system. This statistic was widely cited and became a memetic anchor point for EHR adoption at the dawn of HITECH. However, its calculation relies on specific treatment of the data; alternative approaches may have led to a different sense of US hospitals' EHR adoption and different subsequent public policy. MATERIALS AND METHODS: We reanalyzed the 2008 American Heart Association Information Technology supplement and complementary sources to produce a range of estimates of EHR adoption. Estimates included the mean and median number of EHR functionalities adopted, figures derived from an item response theory-based approach, and alternative estimates from the published literature. We then plotted an alternative definition of national progress toward hospital EHR adoption from 2008 to 2018. RESULTS: By 2008, 73% of hospitals had begun the transition to an EHR, and the majority of hospitals had adopted at least 6 of the 10 functionalities of a basic system. In the aggregate, national progress toward basic EHR adoption was 58% complete, and, when accounting for measurement error, we estimate that 30% of hospitals may have adopted a basic EHR. DISCUSSION: The approach used to develop the 9% figure resulted in an estimate at the extreme lower bound of what could be derived from the available data and likely did not reflect hospitals' overall progress in EHR adoption. CONCLUSION: The memetic 9% figure shaped nationwide thinking and policy making about EHR adoption; alternative representations of the data may have led to different policy.

California Takes the Lead on Data Privacy Law.

In the early 1970s, Congress considered enacting comprehensive privacy legislation, but it was unable to do so. In 1974, it passed the Privacy Act, applicable only to information in the possession of the federal government. In the intervening years, other information privacy laws enacted by Congress, such as the Health Insurance Portability and Accountability Act, have been weak and sector specific. With the explosion of information technology and the growing concerns about an absence of effective federal privacy laws, the legal focus has shifted to the states. Signaling a new direction in state data privacy and consumer protection law, the California Consumer Privacy Act establishes important rights and protections for California residents with regard to the collection, use, disclosure, and sale of their personal information. The CCPA is certain to spur similar legislation and to affect national and international businesses that collect data from California's residents. Understanding the new law is important for all data-driven industries, including health care.

Regulatory Disruption and Arbitrage in Health-Care Data Protection.

This article explains how the structure of U.S. health-care data protection (specifically its sectoral and downstream properties) has led to a chronically uneven policy environment for different types of health-care data. It examines claims for health-care data protection exceptionalism and competing demands such as data liquidity. In conclusion, the article takes the position that healthcare- data exceptionalism remains a valid imperative and that even current concerns about data liquidity can be accommodated in an exceptional protective model. However, re-calibrating our protection of health-care data residing outside of the traditional health-care domain is challenging, currently even politically impossible. Notwithstanding, a hybrid model is envisioned with downstream HIPAA model remaining the dominant force within the health-care domain, but being supplemented by targeted upstream and point-of-use protections applying to health-care data in disrupted spaces.

The Medical Science DMZ.

OBJECTIVE: We describe use cases and an institutional reference architecture for maintaining high-capacity, data-intensive network flows (e.g., 10, 40, 100 Gbps+) in a scientific, medical context while still adhering to security and privacy laws and regulations. MATERIALS AND METHODS: High-end networking, packet filter firewalls, network intrusion detection systems. RESULTS: We describe a "Medical Science DMZ" concept as an option for secure, high-volume transport of large, sensitive data sets between research institutions over national research networks. DISCUSSION: The exponentially increasing amounts of "omics" data, the rapid increase of high-quality imaging, and other rapidly growing clinical data sets have resulted in the rise of biomedical research "big data." The storage, analysis, and network resources required to process these data and integrate them into patient diagnoses and treatments have grown to scales that strain the capabilities of academic health centers. Some data are not generated locally and cannot be sustained locally, and shared data repositories such as those provided by the National Library of Medicine, the National Cancer Institute, and international partners such as the European Bioinformatics Institute are rapidly growing. The ability to store and compute using these data must therefore be addressed by a combination of local, national, and industry resources that exchange large data sets. Maintaining data-intensive flows that comply with HIPAA and other regulations presents a new challenge for biomedical research. Recognizing this, we describe a strategy that marries performance and security by borrowing from and redefining the concept of a "Science DMZ"-a framework that is used in physical sciences and engineering research to manage high-capacity data flows. CONCLUSION: By implementing a Medical Science DMZ architecture, biomedical researchers can leverage the scale provided by high-performance computer and cloud storage facilities and national high-speed research networks while preserving privacy and meeting regulatory requirements.

Digital Photograph Security: What Plastic Surgeons Need to Know.

BACKGROUND: Sharing and storing digital patient photographs occur daily in plastic surgery. Two major risks associated with the practice, data theft and Health Insurance Portability and Accountability Act (HIPAA) violations, have been dramatically amplified by high-speed data connections and digital camera ubiquity. The authors review what plastic surgeons need to know to mitigate those risks and provide recommendations for implementing an ideal, HIPAA-compliant solution for plastic surgeons' digital photography needs: smartphones and cloud storage. METHODS: Through informal discussions with plastic surgeons, the authors identified the most common photograph sharing and storage methods. For each method, a literature search was performed to identify the risks of data theft and HIPAA violations. HIPAA violation risks were confirmed by the second author (P.B.R.), a compliance liaison and privacy officer. A comprehensive review of HIPAA-compliant cloud storage services was performed. When possible, informal interviews with cloud storage services representatives were conducted. RESULTS: The most common sharing and storage methods are not HIPAA compliant, and several are prone to data theft. The authors' review of cloud storage services identified six HIPAA-compliant vendors that have strong to excellent security protocols and policies. These options are reasonably priced. CONCLUSIONS: Digital photography and technological advances offer major benefits to plastic surgeons but are not without risks. A proper understanding of data security and HIPAA regulations needs to be applied to these technologies to safely capture their benefits. Cloud storage services offer efficient photograph sharing and storage with layers of security to ensure HIPAA compliance and mitigate data theft risk.

[Use of routine data from statutory health insurances for federal health monitoring purposes]. / Nutzungsmöglichkeiten von Routinedaten der Gesetzlichen Krankenversicherung in der Gesundheitsberichterstattung des Bundes.

Federal health monitoring deals with the state of health and the health-related behavior of populations and is used to inform politics. To date, the routine data from statutory health insurances (SHI) have rarely been used for federal health monitoring purposes. SHI routine data enable analyses of disease frequency, risk factors, the course of the disease, the utilization of medical services, and mortality rates. The advantages offered by SHI routine data regarding federal health monitoring are the intersectoral perspective and the nearly complete absence of recall and selection bias in the respective population. Further, the large sample sizes and the continuous collection of the data allow reliable descriptions of the state of health of the insurants, even in cases of multiple stratification. These advantages have to be weighed against disadvantages linked to the claims nature of the data and the high administrative hurdles when requesting the use of SHI routine data. Particularly in view of the improved availability of data from all SHI insurants for research institutions in the context of the "health-care structure law", SHI routine data are an interesting data source for federal health monitoring purposes.

Who owns the image? Archiving and retention issues in the digital age.

Patients are often confused with respect to the ownership of radiologic images and the extent to which they may exert rights over their own imaging. In general, a facility that generates imaging maintains "ownership" rights. Patients have a right to inspect their images and obtain copies but they may not have the images or reports modified or stricken. Facilities may use images not only for treatment purposes but also have rights to use images with respect to educational training, quality control, and research, subject to HIPAA requirements. A facility has statutory obligations with respect to record retention and may face financial penalty and malpractice consequences for failure to retain images. Bankruptcy and state laws address issues of transfer of ownership of a patient's images in cases in which a facility goes out of business. Future questions remain as to whether the length of time a facility maintains images should increase as digital storage media improve and whether the use of inter-facility image sharing via "cloud" technology should alter obligations with respect to which facility must retain the images.

Building public trust in uses of Health Insurance Portability and Accountability Act de-identified data.

OBJECTIVES: The aim of this paper is to summarize concerns with the de-identification standard and methodologies established under the Health Insurance Portability and Accountability Act (HIPAA) regulations, and report some potential policies to address those concerns that were discussed at a recent workshop attended by industry, consumer, academic and research stakeholders. TARGET AUDIENCE: The target audience includes researchers, industry stakeholders, policy makers and consumer advocates concerned about preserving the ability to use HIPAA de-identified data for a range of important secondary uses. SCOPE: HIPAA sets forth methodologies for de-identifying health data; once such data are de-identified, they are no longer subject to HIPAA regulations and can be used for any purpose. Concerns have been raised about the sufficiency of HIPAA de-identification methodologies, the lack of legal accountability for unauthorized re-identification of de-identified data, and insufficient public transparency about de-identified data uses. Although there is little published evidence of the re-identification of properly de-identified datasets, such concerns appear to be increasing. This article discusses policy proposals intended to address de-identification concerns while maintaining de-identification as an effective tool for protecting privacy and preserving the ability to leverage health data for secondary purposes.

[Standardization and archiving of clinical reviews: search for optimal solutions].

The article refers to the necessity of the optimization processes for standardization and archiving of clinical examinations at the different stages of care, including also outpatient care. The compromise solution to the problem has been offered in the article.

Comparative case study investigating sociotechnical processes of change in the context of a national electronic health record implementation.

The introduction of electronic health records (EHRs) lies at the heart of many international efforts to improve the safety and quality of healthcare. England has attempted to introduce nationally procured EHR software--the first country in the world to do so. In this qualitative comparative case study tracing local developments over time we sought to generate a detailed picture of the implementation landscape characterising this first attempt at implementing nationally procured software through studying three purposefully selected hospitals. Despite differences in relation to demographic considerations and local implementation strategies, implementing hospitals faced similar technical and political challenges. These were coped with differently by the various organisations and individual stakeholders, their responses being shaped by contextual contingencies. We conclude that national implementation efforts need to allow effective technology adoption to occur locally before considering larger-scale interoperability. This should involve the allocation of sufficient time for individual users and organisations to adjust to the complex changes that often accompany such service re-design initiatives.