Regulatory Disruption and Arbitrage in Health-Care Data Protection

This article explains how the structure of U.S. health-care data protection (specifically its sectoral and downstream properties) has led to a chronically uneven policy environment for different types of health-care data. It examines claims for health-care data protection exceptionalism and competing demands such as data liquidity. In conclusion, the article takes the position that healthcare- data exceptionalism remains a valid imperative and that even current concerns about data liquidity can be accommodated in an exceptional protective model. However, re-calibrating our protection of health-care data residing outside of the traditional health-care domain is challenging, currently even politically impossible. Notwithstanding, a hybrid model is envisioned with downstream HIPAA model remaining the dominant force within the health-care domain, but being supplemented by targeted upstream and point-of-use protections applying to health-care data in disrupted spaces.

Proposal for a data publication and citation framework when sharing biomedical research resources

Research data and biospecimen repositories are valuable resources for biomedical investigators. Sharing these resources has great potential benefits including efficient use of resources, avoiding duplicate experiments, gathering adequate sample sizes, and promoting collaboration. However, concerns from data producers about difficulties of getting proper acknowledgement for their data contributions are increasingly becoming obstacles for efficient and large-scale data sharing in reality. In this research project we analyzed the inadequacy of current policy-based solution for promoting data sharing. The recommendations in this paper emphasize data publication and citation. This project aims to promote the acknowledgement of data contributors with realizable informatics tools that augment informal policy-level strategies, and do so in a way that promotes data sharing.

Legal constraints on genetic data processing in European grids

European laws on privacy and data security are not explicit about the storage and processing of genetic data. Especially whole-genome data is identifying and contains a lot of personal information. Is processing of such data allowed in computing grids? To find out, we looked at legal precedents in related fields, current literature, and interviews with legal experts. We found that processing of genetic data is only allowed on distributed systems with specific security measures, both technical and organizational. Informed consent, although important, offers no substitute for such requirements.

Ethical, legal and social issues for personal health records and applications

Robert Wood Johnson Foundation's Project HealthDesign included funding of an ethical, legal and social issues (ELSI) team, to serve in an advisory capacity to the nine design projects. In that capacity, the authors had the opportunity to analyze the personal health record (PHR) and personal health application (PHA) implementations for recurring themes. PHRs and PHAs invert the long-standing paradigm of health care institutions as the authoritative data-holders and data-processors in the system. With PHRs and PHAs, the individual is the center of his or her own health data universe, a position that brings new benefits but also entails new responsibilities for patients and other parties in the health information infrastructure. Implications for law, policy and practice follow from this shift. This article summarizes the issues raised by the first phase of Project HealthDesign projects, categorizing them into four topics: privacy and confidentiality, data security, decision support, and HIPAA and related legal-regulatory requirements. Discussion and resolution of these issues will be critical to successful PHR/PHA implementations in the years to come.

The price is now right. UnitedHealth Group's settlement on benchmarking databases could make out-of-network care costs more transparent, equal, some say

Disagreement surrounds the discussion of whether the demise of two Ingenix price databases will aid the provider-payer relationship. Karen Ignagni, AHIP's CEO, questions the objective, wondering why in some cases "billings so exceed reimbursement." However, AMA President Nancy Nielsen, left, retorts, "This is an attempt to divert attention from what was clearly a rigged scheme".

An electronic registry for physiotherapists in Belgium

This paper describes the results of the KINELECTRICS project. Since more and more clinical documents are stored and transmitted in an electronic way, the aim of this project was to design an electronic version of the registry that contains all acts of physiotherapists. The solution we present here, not only meets all legal constraints, but also enables to verify the traceability and inalterability of the generated documents, by means of SHA-256 codes. The proposed structure, using XML technology can also form a basis for the development of tools that can be used by the controlling authorities. By means of a certification procedure for software systems, we succeeded in developing a user friendly system that enables end-users that use a quality labeled software package, to automatically produce all the legally necessary documents concerning the registry. Moreover, we hope that this development will be an incentive for non-users to start working in an electronic way.

A data protection framework for trans-European genetic research projects

The paper proposes a data protection framework for trans-European medical research projects, which is based on a technical security infrastructure as well as on organizational measures and contractual obligations. It mainly relies on pseudonymization, an internal Data Protection Authority and on a Trusted Third Party. The outcome is an environment that combines both good research conditions and an extensive protection of patients' privacy.

It's one step toward quality. Many hurdles remain to establishing new patient-safety groups, which will use confidential provider data on medical errors

The new Patient Safety and Quality Improvement Act, passed late last month, would provide incentives for healthcare providers to report medical errors. While the idea behind the new bill is universally popular--to reduce errors and increase quality of care--some members of the industry, such as physician Steve McDermott, left, say that implementing a national reporting system will be harder than it sounds.

Risk management in waste water treatment

With the continuous restructuring of the water market due to liberalisation, privatisation and internationalisation processes, the requirements on waste water disposal companies have grown. Increasing competition requires a target-oriented and clearly structured procedure. At the same time it is necessary to meet the environment-relevant legal requirements and to design the processes to be environment-oriented. The implementation of risk management and the integration of such a management instrument in an existing system in addition to the use of modern technologies and procedures can help to make the operation of the waste water treatment safer and consequently strengthen market position. The risk management process consists of three phases, risk identification, risk analysis/risk assessment and risk handling, which are based on each other, as well as of the risk managing. To achieve an identification of the risks as complete as possible, a subdivision of the kind of risks (e.g. legal, financial, market, operational) is suggested. One possibility to assess risks is the portfolio method which offers clear representation. It allows a division of the risks into classes showing which areas need handling. The determination of the appropriate measures to handle a risk (e.g. avoidance, reduction, shift) is included in the concluding third phase. Different strategies can be applied here. On the one hand, the cause-oriented strategy, aiming at preventive measures which aim to reduce the probability of occurrence of a risk (e.g. creation of redundancy, systems with low susceptibility to malfunction). On the other hand, the effect-oriented strategy, aiming to minimise the level of damage in case of an undesired occurrence (e.g. use of alarm systems, insurance cover).

Security middleware infrastructure for DICOM images in health information systems

In health care, it is mandatory to maintain the privacy and confidentiality of medical data. To achieve this, a fine-grained access control and an access log for accessing medical images are two important aspects that need to be considered in health care systems. Fine-grained access control provides access to medical data only to authorized persons based on priority, location, and content. A log captures each attempt to access medical data. This article describes an overall middleware infrastructure required for secure access to Digital Imaging and Communication in Medicine (DICOM) images, with an emphasis on access control and log maintenance. We introduce a hybrid access control model that combines the properties of two existing models. A trust relationship between hospitals is used to make the hybrid access control model scalable across hospitals. We also discuss events that have to be logged and where the log has to be maintained. A prototype of security middleware infrastructure is implemented.

Do you own your intellectual property?

A lack of caution at the beginning of a project can be costly, but the solution is simple.

Protecting patient privacy in clinical data mining

This paper investigates whether HIPAA de-identification requirements--as well as proposed AAMC de-identification standards--were met in a large clinical data mining study (1997-2001) conducted at Duke University prior to the publication of the final rule. While HIPAA has improved de-identification standards, the study also shows that privacy issues may persist even in de-identified large clinical databases.

[Requirements for the successful installation of an data management system]

Due to increasing requirements on medical documentation, especially with reference to the German Social Law binding towards quality management and introducing a new billing system (DRGs), an increasing number of departments consider to implement a patient data management system (PDMS). The installation should be professionally planned as a project in order to insure and complete a successful installation. The following aspects are essential: composition of the project group, definition of goals, finance, networking, space considerations, hardware, software, configuration, education and support. Project and finance planning must be prepared before beginning the project and the project process must be constantly evaluated. In selecting the software, certain characteristics should be considered: use of standards, configurability, intercommunicability and modularity. Our experience has taught us that vaguely defined goals, insufficient project planning and the existing management culture are responsible for the failure of PDMS installations. The software used tends to play a less important role.

Final HIPAA privacy rules: "How do we get started?"

This article provides a general overview of the HIPAA privacy standards established by the Final Rules. It also discusses organizational approaches health care providers, more specifically hospitals and health systems, can use to "get started" with their HIPAA compliance effort. It also explores the corresponding human and financial resources that such providers will need to develop and implement the program. While the needs and approaches identified and discussed in this article may also apply to some extent to Covered Entities other than health care providers, this article does not specifically address those considerations in the context of health plans (including employer-sponsored plans), health care clearinghouses, or retail pharmacies.

[Establishing a clinical information system for surgical ophthalmology and orthopedics specialties with reference to GSG '93]

BACKGROUND

As a result of new health care guidelines (Gesundheitsstrukturgesetz) and the federal hospital and nursing ordinance, there has been a large increase in the documentation required for diagnoses (ICD-9) and service ("Operationenschlüssel nach section 301 SGB V" = ICPM), all of which is done in the form of a numeric code. The method of coding diagnoses is supposed to make possible data entry and statistical evaluation of plausibility controls, as well as conspicuous and random testing of economic feasibility. Our data processing system is designed to assist in the planning and organization of clinical activities, while at the same time making documentation in accordance with health care guidelines easier and providing scientific documentation and evaluation.

METHOD

The application MedAccess was developed by clinicians on the basis of a relational client-server database. The application has been in use since June 1992 and has been further developed during operation according to the requirements and wishes of clinic and administrative staff. In cooperation with the Institute for Medical Information Technology, a computer interface with the patient check-in system was created, making possible the importing of patient data. The application is continuously updated according to the current needs of the clinic and administration. The primary functions of MedAccess include managing patient data, planning of in-patient admissions, surgical planning, organization, documentation (surgery book, reports with follow-up treatment records), administration of the tissue bank, clinic communications, clinic work processing, and management of the staff duty roster.

RESULTS

Clinical data are entered into a computer and processed on site, and the user is assisted by practical applications which do not require special knowledge of data processing or encoding systems. The data is entered only once, but can be further used for other purposes, such as evaluations or selective transfer, for example, to clinical documents. Through an integrated flow of data, information entered one time remains readily available, while, at the same time, preventing duplicate entries. The integration of hardware and software via a mainframe computer (clinic system WING) has proven to be well-suited for the exchange of data.

CONCLUSION

The use of this thesaurus-supported and graphics-oriented system required no special knowledge of the ICD code and makes documentation much easier to produce. The advantages of computer-supported encoding not only include a savings in time, but also an improvement in the quality of the encoding from which clinical and scientific reports can be derived. The relational client-server, operating in a graphics-supported programming environment, makes it possible for the clinic's doctors to further develop and improve the system. Through the installation and support of a Macintosh network, and training of doctors, medical personnel and clerical staff, cost as well as investment of time have been kept to a minimum in comparison to other LAN servers.

[Future development of the Japanese chemicals regulation data search system and the effective use of the IRPTC legal file]

After ten years of international cooperation in developing the IRPTC Legal File, its usefulness in searching for chemicals regulation data from abroad and in Japan was studied. The superiority of the database in offering summaries of the legal texts from 50 countries and 7 international organizations was obvious, but the need for improvements in the coverage and the accuracy of the data was found. The development of a Japanese database of legal information on chemicals based on international information exchange is desirable.