For most stroke patients, receiving a clot-dissolving drug shortly after arriving at a hospital can reduce the effects of stroke and limit permanent disabilities. But for some patients with a certain type of stroke, such a drug can actually increase bleeding in the brain. Stroke experts say the best way to tell which patients should get the drug is by having a CT scan of their heads read within 45 minutes of their landing in the emergency room. But a rule that would call for a CT scan within 45 minutes was rejected last fall by a quasi-governmental group that sets medical guidelines used by Medicare to evaluate and reimburse U.S. hospitals. The group, known as the National Quality Forum, said the vague wording of the rule raised too many questions.
Sen. Jon Kyl said he voted against Kansas Gov. Kathleen Sebelius to be secretary of Health and Human Services because of her support for research comparing the effectiveness of different medical treatments for a specific disease. "She left me with no assurance that HHS, federal healthcare programs, or any new entity—such as the Federal Coordinating Council—will not use comparative effectiveness research as a tool to deny care. And this should be a matter of concern to all of us," the Arizona Republican said in a statement.
HHS issued a proposal for security breach notification in a 20-page report that defines the acceptable conditions under which covered entities and business associates can encrypt or destroy private patient data to secure protected health information (PHI) and prevent a breach.
The guidance released Friday includes the technologies and methods specified by the Secretary of HHS that render PHI "unusable, unreadable, or indecipherable to unauthorized individuals." The American Recovery and Reinvestment Act of 2009 (ARRA) required the draft guidance by Saturday, April 18, according to an HHS press release.
Covered entities and business associates are not required to follow the guidance. However, if they do, it creates a "safe harbor" and protects them from the notification requirements when a security breach occurs, according to the new HHS report.
Though the guidance is not yet final, covered entities and business associates should pay close attention to it because it will help determine whether their facility had a breach of patient privacy.
The report released Friday includes those specifications. After a public comment period, which ends May 21, the final guidance will be released by August 17, according to the ARRA.
Wait to make your move
"Keep in mind, this is a new federal requirement which overlaps with security breach notification laws already on the books in almost every state, and personal information disposal laws on the books in many states," says John R. Christiansen, of Christiansen IT Law, in Seattle. ". . . We're going to have to analyze state laws specifically to figure out if there are places where the state law is stronger. It probably isn't worth doing a definitive analysis until the final guidance comes out."
In general, HHS specifies two methods for protecting data: encryption (for information flowing out of a network) and destruction (for paper and electronic records).
John C. Parmigiani, president of John C. Parmigiani & Associates, LLC, in Ellicott, MD, says that, in effect, the guidance mirrors what many state laws already say.
HHS defines acceptable encryption as:
Electronic PHI that is encrypted as specified in the HIPAA Security Rule by "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key"
The final regulations will be published in the Federal Register within 180 days of the signing of the ARRA, or by August 17, 2009.
Overall, providers who already encrypt their data are in good shape, says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.
"Use what's already out there and government-approved," Borten suggests.
According to Christiansen, covered entities and business associates should read this guidance and check their state's security breach notification laws.
"HITECH works like HIPAA when one of its provisions and a state law both apply: The one that is more protective trumps the other," Christiansen says. "My feeling is that the HITECH provision plus this guidance is probably more stringent than almost all state laws. I haven't yet tried to analyze it against California, which has the strongest law in this area—but generally I expect HITECH will apply."
This article in The Economist explores the potential impact that interactive digital medicine that flows in multiple directions—peer-to-peer, doc-to-patient, physician-to-physician, and online groups—can have on the industry. For example, a website called PatientsLikeMe enables members from around the world to share stories about their ailments and treatment plans.
Dispelling concerns that the much-promoted medical tourism in the Philippines would deprive local residents of needed medical services, the Cebu City Health and Wellness Council has assured the public that medical packages offered to tourists will also be available to locals. CHWC Chairman Oscar Tuason said medical tourism would even benefit Cebuanos because the influx of foreigners will prompt hospitals to put up the latest state-of-the-art medical equipment and improve their facilities.
Mexican authorities are investigating a group of physicians at Tapachula General Hospital in Chiapas who allegedly refused to treat an illegal Nicaraguan migrant. The man's leg later had to be amputated as a result. The man says doctors would not treat a foot infection he developed after stepping on a nail while running from Mexican immigration officers. He also alleges that the same doctors have offered him money to withdraw his complaint. Several of the doctors have since been suspended, pending the investigation.