You Had One Job, or, If you can’t ensure data security, then ….

Vibrent, one of NIH’s data management contractors for the All of Us genomic and other health data research project, was found by OIG to have a number of holes in its data security infrastructure and policies, ranging from failure to encrypt its AWS servers to failure to adhere to FISMA (federal IT security) standards more broadly. OIG also found that NIH fell down on the job by not monitoring its contractor more closely. Everything has been patched, but this represents a black eye for a program intended to build public confidence in government collection and analysis of sensitive medical and genomic data as it seeks to enroll one million Americans.

What can NIH, or any entity responsible for dealing responsibly with sensitive medical, genomic or other personal data, do to discharge its responsibilities more adequately?

As regular readers of HealthBlawg are already rehearsing silently, it’s all about infusing a compliance mindset into organizational culture. This, combined with practical tools and empowerment of personnel, will then manifest itself in comprehensive data privacy and security policies and procedures, function-specific appropriate training and testing of personnel, compliance review of subcontractor organizations, personnel and technical infrastructure in advance of engagement, regular audits of subcontractors’ activities and deliverables from a data security perspective, and more. Many of these ideas are spelled out in the federal standards applicable to this procurement, but somehow they didn’t make it to the front lines.

The All of Us program has taken long enough to get off the ground, and is taking baby steps towards its enrollment goals. Here’s hoping that this misstep does not squander the momentum the program has built to date.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Live at HIMSS 2019 with 2bPrecise and PatientMatters — Harlow on Healthcare

Live at #HIMSS19, I spoke with Assaf Halevy, CEO, and Joel Diamond, CMO, of 2bPrecise, a precision medicine data delivery platform connecting genomic data with clinical data, and with Eric Van Portfliet, CTO, and Vik Kodipelli, Senior IT Architect, at PatientMatters, where patient engagement meets revenue cycle management.

As a bonus, check out these video postcards from #HIMSS19 (follow the link for more):

I spoke with Assaf, Joel, Eric and Vik as part of my ongoing series of fireside chats with healthcare innovation leaders – Harlow on Healthcare, on HealthcareNOW Radio. Listen to our radio station online, or ask your smart speaker (Amazon Echo or Google Home): “Find Tune In station HealthcareNOW Radio.” You can catch me live weekdays at 8:30 am, 4:30 pm and 12:30 am ET. As each new show goes live, the last one joins the archive, available via SoundCloud or your favorite podcast app (iTunes, Stitcher, iHeartRadio). Your comments are welcome here. Join the conversation on Twitter at #HarlowOnHC.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Brian Loew, CEO of Inspire: Accelerating medical progress through connected patients – Harlow On Healthcare

My guest for this episode of Harlow On Healthcare is Brian Loew, CEO of Inspire (@TeamInspire). Brian created Inspire in 2005 with the goal of accelerating clinical trial recruitment through the use of safe trusted online social networks organized by medical condition for patients and their caregivers. In his words, “Our goal at Inspire is to accelerate medical progress through a world of connected patients.” This world is broken down into thousands of rare (and not so rare) disease communities; about one-third of the groups are cancer-related, one-quarter are focused on rare diseases. There are also subgroups, many of which have been defined by patients (e.g. segmenting cancer groups by stage, infertility groups by couples trying to get pregnant and those trying to stay pregnant), and many of which include caregivers as well as patients. Constituencies also include medical professionals, researchers and national patient advocacy associations. As Brian said, “Our goal, ultimately, is to facilitate medical progress by enabling researchers around the world while we do some research ourselves. Our real goal is to make it possible for thousands of researchers outside of Inspire to do great work more quickly.”

The community dialogue, and the research, need to be built on trust. Inspire’s website has a control panel that enables community members to set levels of access to their own information within the community, and to change those levels over time; all researcher access is based on explicit permissions, with members opting in to particular studies.

One interesting example of the research enabled by the data in the Inspire communities is a published study, which leveraged discussions on Inspire to identify the fact that adverse effects of a certain drug were known in the online community seven months before they were first reported to the FDA. See: JAMA Oncology and JMIR Public Health & Surveillance.

While it won’t necessarily replace randomized clinical trials anytime soon, descriptive research based on the patient perspective is critical. As Brian noted, “the FDA was interested in the lived experiences of patients and caregivers … and in treating that as a source that is as valid as scientific or medical or physician[-sourced] information.” He called the “early warning” found in this study an example of a “profoundly useful early warning” derived from an analysis of a billion and a half words written by Inspire members.

Inspire has been the source of other sorts of research efforts over the years. For example, it was the platform that allowed for the identification of patients with an extremely rare condition (SCAD) who were located all over the world. The patients brought the study participants to the researchers. Another example is the use of NLP analysis of comments allowing a researcher to discern a previously undocumented correlation between a drug and a symptom. Another involves a similar review of content to establish a connection between certain childhood events and a certain cancer. These research efforts are all powered by the large volume of comments, from a large number of support group participants, on the Inspire platform, and they allow researchers to focus their efforts on genomic research or other research in a way that would be impossible without the support group content and the connections among patients across geographies.

Brian concluded by saying, “I would hope that all of us — as patients and caregivers — are treated with respect and our data are available to us without restriction and we are fully recognized as valuable contributors to medical progress. That is a positive vision of the future and I hope we get there sooner rather than later.”

I spoke with Brian as part of my ongoing series of fireside chats with healthcare innovation leaders – Harlow on Healthcare, on HealthcareNOW Radio. Listen to our radio station online, or ask your smart speaker (Amazon Echo or Google Home): “Find Tune In station HealthcareNOW Radio.” You can catch me live weekdays at 8:30 am, 4:30 pm and 12:30 am ET. As each new show goes live, the last one joins the archive, available via SoundCloud or your favorite podcast app (iTunes, Stitcher, iHeartRadio). Your comments are welcome here. Join the conversation on Twitter at #HarlowOnHC.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Talking Artificial Intelligence with SAP – Harlow on Healthcare

Dr. Clemens Suter-Crazzolara (@clesucr) is VP Product Management for Health and Precision Medicine at SAP (@SAPHealth). We sat down at HIMSS 2019 to discuss ethics and biases of artificial intelligence and the balance between human and machine intelligence over the long term. In his view we are still in the very early stages of developing AI in healthcare.

As a bonus, check out this video postcard from #HIMSS19 (follow the link for more):

I spoke with Clemens as part of my ongoing series of fireside chats with healthcare innovation leaders – Harlow on Healthcare, on HealthcareNOW Radio. Listen to our radio station online, or ask your smart speaker (Amazon Echo or Google Home): “Find Tune In station HealthcareNOW Radio.” You can catch me live weekdays at 8:30 am, 4:30 pm and 12:30 am ET. As each new show goes live, the last one joins the archive, available via SoundCloud or your favorite podcast app (iTunes, Stitcher, iHeartRadio). Your comments are welcome here. Join the conversation on Twitter at #HarlowOnHC.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

The 340B Saga Continues

This week, a federal court found the administration’s 340B program rates to be fatally flawed; the HHS Secretary “patently violated” the governing law.

The 340B program is designed to support critical access hospitals and other safety-net providers by providing targeted subsidies for their outpatient prescription drug costs; an administration rule appealed by industry associations would have cut this support by about 30% from 2017 levels. As described by the court, the agency elected to adjust 340B rates “based not on the drugs’ average sale prices — as dictated by the statutory text — but on the drugs’ estimated acquisition costs.”

This ruling applies to the 2019 rates, much as a previous ruling reached the same conclusion with respect to the 2018 rates. The court has ordered the agency back to the drawing board for both years, and “expects HHS to resolve this issue promptly,” ordering the parties to provide a status report in three months’ time. The court said it was a very close call, but decided to stop short of invalidating the rules entirely — noting that vacating two years’ Medicare reimbursement rules could wreak havoc on administering Medicare, especially since budget-neutrality laws likely mean that any increase in 340B payments would have to be offset by reductions in other Medicare payments. Re-setting other payment levels, recouping payments from other providers, and recalculating patient-pay amounts would be an administrative nightmare. (It may be interesting to explore further whether the budget-neutrality rules would necessarily apply in the case of a court-ordered revision to a single reimbursement rule.)

The 340B program is just one example of the myriad ways in which the federal government helps underwrite the delivery of health care services by safety-net providers. The program has been examined from every angle over the years, and there are numerous bills, congressional committee hearings and GAO reports that have looked at improvements that may be needed in order to ensure that the program does what it is supposed to do.

Here’s hoping that the federales can continue to invest effectively in addressing both the healthcare needs of those served by safety-net providers and the social determinants of health that may help reduce the need for healthcare services.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

HIPAA News from OCR: FAQs and Fines

In the past week, OCR has released two new issuances touching on HIPAA interpretation and enforcement. On the one hand, the regulated community eagerly awaits and devours these morsels as they are doled out. On the other hand, these particular morsels are unremarkable sub-regulatory issuances; one restates and interprets regulations in a manner that comes as no surprise to those of us immersed in HIPAA and the other announces an approach to exercising enforcement discretion that may well change again in the future.

Here are the specifics:

First: Five new FAQs on HIPAA — The HIPAA access right, health apps, & APIs. The questions center on whether apps not developed and delivered by a covered entity or a business associate or a downstream contractor of a business associate are covered by HIPAA, and whether upstream regulated parties (CEs and BAs) are liable for inappropriate releases of data by such third parties. Unsurprisingly, the answer is no — a patient may direct a CE to release their PHI in whatever manner or format the patient desires, so long as the CE is set up to do so. Secure API to an app, insecure email at the patient’s direction so long as the patient is aware of the potential issues — all OK; it’s up to the patient. A couple of the FAQs focus on the slightly more complicated situation where an app developer may be acting on behalf of a CE or BA, in which case the delivery of the PHI via the app is subject to HIPAA, and any potential breach could yield liability up and down the food chain.

Of course, breaches not covered by HIPAA are covered by the FTC health data breach notification rule issued under the HITECH Act.

(Some of us would rather see OCR using its capital to insist that CEs release PHI at the direction of patients — something that is still much harder for many patients than it should be — or to issue a FAQ confirming that sending PHI via SMS should be seen in the same light as sending PHI via email.)

Second: OCR has adjusted downward the maximum fines that it will assess for HIPAA breaches under the HIPAA Enforcement Rule. Whether or not OCR makes such an announcement in advance, it has the discretion to impose fines lower than the maximum. However, the agency has announced that it erred (in its incarnation under the previous Administration) in interpreting an internally inconsistent statute and that it has now identified the correct interpretation, which leads to permitting fines of $1.5 million only in extensive cases of uncorrected willful neglect.

Given this retrenchment, I expect the regulated community will breathe easier, knowing that it is unlikely to face multi-million-dollar fines for lower levels of culpability. However, the agency has been measured in assessing fines and — quite frankly — fines (low, high, or indifferent) don’t seem to be having a significant effect on the frequency or severity of breaches in the wild. In any event, signaling that fines will be lower is not likely to improve compliance.

Despite these announcements, covered entities, business associates and app developers not covered by HIPAA must all remain vigilant and hew to a higher standard in order to maintain the privacy and security of sensitive data.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting