Health IT

(last updated 2.7.16)



The adoption of various forms of health information technology (HIT) may have disparate impacts, including improvements in access/continuity of care, quality, patient satisfaction or privacy of medical information.  However, a principal motivation for pursuing HIT is the expectation that it will lead to system efficiencies that result in net savings in the short run or long run. Because most HIT innovations have multiple effects, this section examines the benefits and costs of a full range of HIT innovations for which there is real-world evidence even if their purpose or impact might be quality improvement at the expense of cost containment.
Discussion of health reform policy proposals related to HIT (i.e., policy options under discussion and not yet adopted or implemented) is contained at Health IT under Health Reform, Components of Reform, Cost Containment.


Health Information Technology for Economic and Clinical Health (HITECH) Act 


Electronic Health Records (EHRs)

Meaningful Use Program 

CMS (Update, 10.6.15): The American Recovery and Reinvestment Act of 2009 (ARRA) (Pub.L. 111–5) was enacted on February 17, 2009. Title IV of Division B of ARRA amends Titles XVIII and XIX of the Social Security Act (the Act) by establishing incentive payments to eligible professionals (EPs), eligible hospitals, critical access hospitals (CAHs), and Medicare Advantage Organizations to promote the adoption and meaningful use of interoperable health information technology (HIT) and qualified electronic health records (EHRs). These incentive payments are part of a broader effort under the HITECH Act to accelerate the adoption of HIT and utilization of qualified EHRs.
Meaningful Use (MU) is a Centers for Medicare & Medicaid Services program that pays an incentive for “meaningful use” of an electronic health record (EHR). It is a separate program from PQRS (Physician Quality Reporting System). Those eligible for Meaningful Use include doctors of medicine or osteopathy, dental surgery or dental medicine, podiatry, optometry, and chiropractic. Meaningful use is defined as use of certified electronic health record (EHR) technology to: improve quality, safety, and efficiency, and reduce health disparities; engage patients and family; improve care coordination, and population and public health; and maintain privacy and security of patient health information.

Stages of Meaningful Use

2011-2012 Stage 1: Data capture and sharing

2014 Stage 2: Advance clinical processes

2016 Stage 3: Improved outcomes

Stage 1 EHR Meaningful Use Requirements

  • Use of a certified EHR in a meaningful manner (e.g. e-prescribing)
  • Use of a certified EHR for electronic exchange of health information to improve the quality of health care
  • Use of certified EHR technology to submit clinical quality measures (CQM).

Qualifying for Stage 1 Meaningful Use of an electronic health record (EHR) means that:

  • The EHR meets all 20 objectives for meaningful use.
  • Six clinical quality measures are reported.
  • The EHR has been in use for at least 90 days during the first year and 12 months for all subsequent years.
  • Three core measures plus three additional measures must be reported. If the provider does not qualify for the three core measures, three alternate core measures must be reported. List of core and alternate measures.

Stage 1 EHR Meaningful Use Specification Sheets 

The Centers for Medicare & Medicaid Services (CMS), which administers the Medicare and Medicaid EHR Incentive Programs, provides these sheets to help professionals and hospitals understand the requirements of each objective and demonstrate meaningful use successfully.

Stage 2 EHR Meaningful Use 

On September 4, 2012, CMS published a final rule that specifies the Stage 2 criteria that eligible professionals (EPs), eligible hospitals, and critical access hospitals (CAHs) must meet in order to continue to participate in the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs. All providers must achieve meaningful use under the Stage 1 criteria for two years before moving to Stage 2.

To help providers better understand Stage 2 Meaningful Use requirements, CMS developed Stage 2 Meaningful Use Specification Sheets for EPs and Eligible Hospitals that provide detailed information on each Stage 2 objective.

  • Meaningful Use Round Two: New Rules of Engagement. (EHR Decisions, 10.15.12) “The rules for both Meaningful Use and the new Standards and Certification Criteria went into effect October 4, after the requisite 30 days since first posting in the Federal Register have passed. for patients while attempting to play by the rules. Here are a few key points to guide successful attestations, using appropriately certified EHR technologies.”

Stage 3 EHR Meaningful Use

For Stage 3 of the EHR Incentive Programs in 2017 and subsequent years, major provisions include:

  • 8 objectives for eligible professionals, eligible hospitals, and CAHs:  In Stage 3, more than 60 percent of the proposed measures require interoperability, up from 33 percent in Stage 2.
  • Public health reporting with flexible options for measure selection.
  • CQM reporting aligned with the CMS quality reporting programs.
  • Finalize the use of application program interfaces (APIs) that enable the development of new functionalities to build bridges across systems and provide increased data access. This will help patients have unprecedented access to their own health records, empowering individuals to make key health decisions.

All providers will be required to comply with Stage 3 requirements beginning in 2018 using EHR technology certified to the 2015 Edition. The Stage 3 requirements are optional in 2017. Providers who choose to begin Stage 3 in 2017 will have a 90-day reporting period. Objectives and measures for Stage 3 include increased thresholds, advanced use of health information exchange functionality, and an overall focus on continuous quality improvement.
CMS restructured the objectives and measures of the EHR Incentive Programs in 2015 through 2017 to align with Stage 3, and modified “patient action” measures in Stage 2 objectives. 
CMS announced on 10.6.15 a 60-day public comment period to facilitate additional feedback about Stage 3 of the EHR Incentive Programs going forward, in particular with the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), which established the Merit-based Incentive Payment System (MIPS) and consolidates certain aspects of a number of quality measurement and federal incentive programs into one more efficient framework. (Center for Medicare and Medicaid Services, 10.6.15)

Stage 3 Meaningful Use Resources

Possible Meaningful Use Replacement

  • CMS Promises Meaningful Use Replacement This Year. “Slavitt said CMS was in the process of making the much-reviled program more physician-friendly, with EHR technology built around ‘individual practice needs, not the needs of the government.’ ‘We have to get the hearts and minds of the physicians back,’ he said. ‘I think we lost them.’ Slavitt’s statements don’t mean that the incentive program is screeching to a halt this year, relieving physicians of reporting obligations and financial penalties. However, they could portend major changes in meaningful use as early as next year, according to medical society leaders interviewed by Medscape Medical News. The changes come in conjunction with a massive overhaul of how Medicare pays physicians. Slavitt said at the San Francisco healthcare conference that on the basis of consultations with the American Medical Association (AMA) and other physician groups, CMS was drafting meaningful use reforms that it would disclose over the next several months. The focus, he said, would move from rewarding physicians for using EHRs to rewarding them for patient outcomes. And EHR technology would be user-centered and interoperable — no more programs that can’t swap data.” (Medscape Medical News, 1.14.16)

EHR News and Analysis



Legal and Professional Issues

  • Online Psychotherapy Gains Fans And Raises Privacy Concerns. “Some studies suggest that therapy online can be as effective as it is face to face. ‘We have a lot of promising data suggesting that technology can be a very good means of providing treatment,’ says Lynn Bufka, a clinical psychologist who helps develop health care policy for the American Psychological Association…Family therapists, mental health counselors and clinical social workers are licensed to practice by individual state boards. But it’s unclear whether a practitioner who lives in one state can or should treat someone who lives elsewhere. ‘We’d like to see a little more mobility and flexibility with that, because certainly for licensed psychologists the standards are pretty similar across state lines,’ Bufka says. Perhaps, she adds, therapists could get a special certification that would allow them to practice in multiple states or countries.” (National Public Radio, 6.30.14)
  • FSMB Compact Could Ease MultiState Licensing. “The Federation of State Medical Boards (FSMB) has unveiled a draft interstate compact for physician licensure that, it said, should make it easier to practice telemedicine across the country. The compact, which the FSMB expects to finalize in the next month or two, offers a ‘streamlined alternative pathway’ for physicians who want to practice in multiple states, according to a federation news release. Under current state medical board policies, physicians must be licensed in the state where a patient is located to diagnose or treat that patient, a stance that the FSMB recently reaffirmed in its model policy for telemedicine. As a result, physicians who consult remotely with patients in other states must be licensed in those states. That can create barriers to telehealth consultations, especially for on-call physicians who are not licensed in every state where patients may contact them online. The FSMB’s interstate compact would allow physicians to apply once and receive licensure in all states that are party to the compact.” (Medscape Medical News, 8.5.14)
  • Current Law Restricts Millions of Americans’ Access to Telehealth Services. “Several of the nation’s largest pharmacies and health-care companies are urging lawmakers to expand the types of telehealth services that can be covered by government insurance programs, arguing that an outdated federal law is limiting the number of Americans who can access telemedicine. Under current law, only telemedicine services offered through rural hospitals and clinics are covered by Medicare, according to a section of the Social Security Act that regulates how Medicare reimburses for telemedicine.” (Washington Post, 10.19.14)
  • Teladoc Files Antitrust Suit Against Medical Board. “In just over a month, a new state rule is set to kick in that could undercut the business model of Dallas-based Teladoc, a rapidly growing telemedicine company that connects patients and doctors over the telephone and internet. With the clock ticking, the company is brandishing every weapon in its arsenal, deploying teams of lobbyists and lawyers to fight a Texas Medical Board rule change that it says is more about stifling competition than protecting patient health. The board’s rule, set to start June 3, would prevent doctors from treating people over the phone — making a diagnosis or prescribing medicine — unless another medical professional was physically present to examine the patient.” (Texas Tribune, 4.30.15)
  • Telepsychology: Compliance Alert from State Psychology Board. (Ohio Psychological Association 7.22.15) “Psychologists and other mental health professionals are being actively and increasingly recruited by national companies to provide online services. The Board’s Telepsychology Rules include specific requirements and direction regarding the practice of Telepsychology within the state of Ohio. However, when online services involve residents outside of Ohio, numerous challenges and considerations become apparent. Deliberation, competence, and caution are necessary.”


  • Former Senators Join Forces to Advance Telemedicine. “In their post-Senate careers, the three former lawmakers have relocated to K Street, home to lobbyists, and are working on behalf of the Alliance for Connected Care, a nonprofit collection of health care providers, insurers, pharmacies, technology firms and telecommunications companies, to pursue legislative and regulatory changes to let more Americans essentially get much of their health care remotely…All three former lawmakers said they became interested in the potential of digital technology to deliver health care when they were representing states with pockets of poverty, where access to health care can be difficult for geographic and economic reasons.” (New York Times, 5.20.14)
  • Pediatric eHealth Interventions: Common Challenges During Development, Implementation, and Dissemination. “The challenges associated with eHealth interventions and their proposed solutions are multifaceted and cut across a number of areas from eHealth program development through dissemination. Collaboration with a range of individuals (e.g., multidisciplinary colleagues, commercial entities, primary stakeholders) is the key to eHealth intervention success. To ensure adequate resources for design, development, and planning for sustainability, a number of public and private sources of funding are available. A study design that addresses ethical concerns and security issues is critical to ensure scientific integrity and intervention dissemination. Table I summarizes key issues to consider during eHealth intervention development, testing, and dissemination.” (Journal of Pediatric Psychology. 2014;39(6):612-62)
  • The Cleveland Clinic: Coming to a Kiosk Near You? Health System to Offer New Telehealth Options. “The Cleveland Clinic has signed a letter of intent to partner with HealthSpot, a provider of telehealth services based in Ohio, to provide care to patients via walk-in kiosks located in non-traditional health care settings, like workplaces, universities, and retail stores. The kiosks are private, eight-by-five foot spaces outfitted with medical devices, videoconferencing capabilities, and medical devices. They allow Cleveland Clinic providers to see patients through the kiosks, and each kiosk is staffed by a medical assistant. The clinic will integrate patient data from the kiosks into its electronic health record system.” (The Advisory Board Company, 5.22.14)
  • Physicians Warm to Digital Communications With Patients. “Forty percent of physicians say they believe the use of digital technologies to communicate with patients can improve outcomes, and the same percentage say they have increased their use of digital tools in patient care during the past year, according to a recent Manhattan Research survey. These digital technologies include everything from the use of patient portals and emailing and texting with patients to the prescribing of mobile health apps for self-tracking and remote patient monitoring, Monique Levy, vice president of research at Manhattan Research, told Medscape Medical News.” (Medscape Medical News, 6.12.14)
  • Telecare Collaborative Management of Chronic Pain in Primary Care: A Randomized Clinical Trial. “The Stepped Care to Optimize Pain Care Effectiveness (SCOPE) study was a randomized trial comparing a telephone-delivered collaborative care management intervention vs usual care in 250 patients with chronic (≥3 months) musculoskeletal pain of at least moderate intensity (Brief Pain Inventory [BPI] score ≥5). Patients were enrolled from 5 primary care clinics in a single Veterans Affairs medical center from June 2010 through May 2012, with 12-month follow-up completed by June 2013…Telecare collaborative management increased the proportion of primary care patients with improved chronic musculoskeletal pain. This was accomplished by optimizing nonopioid analgesic medications using a stepped care algorithm and monitoring.” JAMA. 2014;312(3):240-248
  • New Push for TeleHealth in ACOs. “NAACOS has co-signed a letter to HHS urging CMS to grant a waiver to permit all ACOs to use and bill for TeleHealth services. HHS clearly has the authority but so far has been unwilling to exercise it.” (National Association of ACOs, 6.6.14)
  • Telehealth Services Comments Letter: NAACOS has signed on to an Alliance for Connected Care letter to the House Energy and Commerce Chairman and the Energy and Commerce Subcommittee on Health Chairman addressing improvements to the availability and use of telehealth services. (National Association of ACOs, 6.16.14)
  • Medicare Increases Telehealth Coverage…a Bit. “The Centers for Medicare & Medicaid Services (CMS) proposes to increase incrementally the telehealth services that Medicare will cover, including wellness visits and some behavioral health services. However, CMS continues to restrict telehealth coverage to rural areas and offers a very circumscribed definition of the telehealth technology that can serve as the basis for coverage…Years ago, Dr. Bashshur recalled, CMS refused to cover telehealth at all, and it is still taking a very restrictive approach because it is afraid of the potential for overuse. On the basis of his own research, Dr. Bashshur has estimated that CMS paid only $12 million for telehealth last year.” (Medscape Medical News, 7.16.14)
  • Does Telehealth Diminish Physician-Patient Relationships? “Nonvisit care of patients is becoming a necessity in primary care, noted Dr. Scherger, who practices part-time and was a pioneer of secure email consultations. Moreover, he pointed out, the Internet has created new ways to deliver chronic and preventive care and treat minor acute problems, and those modes will be used. ‘You’ve got this new platform of communication and care that is going to be delivered, whether it’s by a continuity provider or by somebody else.’” (Medscape Medical News, 7.25.14)
  • Virtual Visits Benefit Physicians as Well as Patients. “Virtual patient visits — via videoconferencing on a personal computer, laptop, tablet, or smartphone — as well as remote visits via old-fashioned telephone, secure email, and even texting, are controversial to many physicians, who may regard a hands-on office visit as being the sine qua non of good patient care. That’s changing fast. In August, a Deloitte report predicted that the number of telehealth visits in the United States and Canada could soar to 75 million in 2014, representing 25% of the addressable market. The study noted that of the 600 million annual visits to primary care practices in North America, approximately half were for problems that could be solved by remote rather than in-office visits. To meet exploding patient demand, especially for videoconferencing, virtual physician networks are springing up across the country. They are being sponsored by insurers, health plans, employers, hospitals, and physician groups, often funded by millions of dollars in venture capital, and there appears to be no shortage of physicians who seek to join them. Here’s why.” (Medscape Business of Medicine, 9.25.14)
  • What Will You Do With All That Telemedicine Data? “(T)he growing prevalence of monitoring devices is starting to make many doctors nervous as they contemplate how they will deal with all the data they may receive. And if you work in an environment where reimbursement will increasingly be based on outcomes—a hospital, a practice owned by a hospital system, an accountable care organization (ACO), or a patient-centered medical home (PCMH)—this dilemma may affect you sooner than you may think…Many physicians fear that once remote patient monitoring becomes the standard of care, they will be deluged with patient data that they will then need to evaluate and, in some cases, act on in a timely fashion, when there already aren’t enough hours in the day.” (Medscape Business of Medicine, 12.18.14)
  • ACP Supports Expanding Telemedicine in Primary Care. “Telemedicine can broaden access to care, improve outcomes, and reduce care costs, but risks and benefits must be carefully evaluated for both patients and physicians, say authors of a new position paper from the American College of Physicians (ACP). The paper, published online September 8 in the Annals of Internal Medicine, offers more than a dozen recommendations — and the rationale behind them — for successful telemedicine, which the ACP says should be held to the same standards of practice as in-person medicine.” (Medscape Medical News, 9.8.15)
  • Patients Consent to Physicians Crowdsourcing for Diagnosis. “The increasing number of apps and online services that allow physicians to use crowdsourcing to make a diagnosis highlights the need for a debate on how to allow for patient privacy and consent, according to results from a new survey. When asked whether they would give permission to have their picture posted online, about 80% of respondents agreed to posting to improve their own medical care, about 80% agreed to posting to educate other doctors, and about 80% agreed to posting to advance scientific knowledge.” (Medscape Medical News, 5.1.15)

TeleMental Health

  • Coalition for Technology in Behavioral Science Formed (Summer, 2014). CTiBS is an inter-disciplinary group dedicated to fostering the legal and ethical use of evidence-based technology in behavioral health care and is open to members of all disciplines who share an interest in technology in improving the human experience. “Please review the many areas of technological research, development and consultation that we support; review our mission; avail yourself of our extensive and searchable bibliography; and read about the latest writings about the intersection of technology and behavioral health in our blog.”
  • Telepsychologist Competencies for Psychologists Practicing in Ohio. Webinar provides an overview of competencies and best practices in implementing telehealth. (Ohio Psychological Association, October, 2014)
  • Cognitive Therapy Works Even by Telephone, Computer. “Cognitive behavioral therapy (CBT) for anxiety and depression, whether self-guided, provided via telephone or computer, or provided face to face, was better than no care in a primary care setting and was also better than treatment as usual (TAU), according to a meta-analysis published online September 22 in Family Practice.” (Medscape Medical News, 10.9.14)
  • Federal Health Records Program Leaves Some Medical Professionals Out of the Loop. “Mental-health clinics, psychologists and psychiatric hospitals were left out of the incentive and penalty program, along with nursing homes, emergency medical services and others. It has been estimated by the consulting firm Avalere Health that including them would require an additional $1 billion…’If a broad base of health professionals had access to mental-health records that include psychotherapy notes, I am concerned about the potential for privacy violations . . . not only for the patient, but also for the others who are involved in the patient’s life,’ he said…Recent provider backlash against the current government incentive program may also be a roadblock. Earlier this year, 37 medical societies led by the American Medical Association asked federal regulators to shift direction, arguing that today’s electronic records systems are cumbersome, inefficient and can present safety problems for patients.” (Washington Post, 3.5.15)
  • Telephone-Delivered Cognitive Behavioral Therapy and Telephone-Delivered Nondirective Supportive Therapy for Rural Older Adults With Generalized Anxiety Disorder. “Telephone-delivered CBT consisted of as many as 11 sessions (9 were required) focused on recognition of anxiety symptoms, relaxation, cognitive restructuring, the use of coping statements, problem solving, worry control, behavioral activation, exposure therapy, and relapse prevention, with optional chapters on sleep and pain. Telephone-delivered NST consisted of 10 sessions focused on providing a supportive atmosphere in which participants could share and discuss their feelings and did not provide any direct suggestions for coping…In this trial, telephone-delivered CBT was superior to telephone-delivered NST in reducing worry, GAD symptoms, and depressive symptoms in older adults with GAD.” (JAMA Psychiatry, October, 2015)

TeleMental Health Guidelines

Remote Monitoring

  • Patients Self-Monitor With Wearable Diagnostics. “In a scene that does not usually take place at a medical conference, models showed off wearable diagnostic and tracking devices here at the Health 2.0 Annual Fall Conference. The technology included otoscopes attached to smart phones and monitors that fit inside pendants, bras, socks, and wrist watches. A model demonstrated a headset that monitors brainwaves to accompany an armband that tracks heart rates (Evoke Neuroscience), jewel-like sensors that update the wearer on exposure to sunlight (Netanol), and a monitor that inserts under the skin to continuously report on glucose (Medtronic)…Despite marketing directly to consumers, the entrepreneurs still envision a role for physicians.” (Medscape Medical News, 9.25.14)
  • Fifteen Game-Changing Wireless Devices to Improve Patient Care. Cardiac electrophysiologist David Lee Scher, MD, clinical associate professor of medicine at Penn State University, director of a digital health consulting firm, avid blogger on mobile health issues, and chairman of the Healthcare Information and Management Systems Society (HIMSS) Mobile Health Roadmap Task Force, points to 15 potential game changers in mobile health technology that hold the promise of revolutionizing patient care in hospitals, in nursing homes, and at home. (Medscape, 10.23.14)
  • The Tyranny of the Should. “In the UK, it appears the NHS will have a ‘huge rollout’ of wearable technology as part of a ‘revolution in self care.’ Being able to monitor patients remotely, especially those with a chronic condition, is admirable. If entities in healthcare will be able to monitor us remotely, surely that’s always going to be a good thing? Perhaps not. Given the huge financial pressures facing the NHS over the next 20 years, we may have to ration access to care. In the future, could all this data collected about our behaviour be used to ration or even deny care? I’m not the only one who is asking that question. In a great article by Hamza Shaban examining the impact of sensors collecting data about our health on the pricing of health insurance, one sentence stands out, ‘Imagine a pricing scheme that would punish sleep-deprived single parents or the dietary habits of the working poor.’ A world where our health insurance premiums decline when we behave within the guidelines, and rise when we deviate from the guidelines…Today, the National Institutes of Health announced it’s searching for a wearable or otherwise discreet device capable of measuring blood alcohol level in real time. There is a fine line between ‘Digital Nudges’ and ‘The Tyranny of the Should’ – and it’s not clear to me that we’re having the right conversations in the right places.” (Juneja, Maneesh, 3.2.15)
  • Using Facial Recognition and AI to Confirm Medication Adherence. “The developers of AiCure’s technology have likened it to a personal trainer in a gym working directly with a client to achieve their goals. It involves facial recognition and motion-sensors in a mobile device. It records patients taking their medication and transmits that data back to a clinician through a HIPAA-compliant secure network, who can then confirm that patients took their medication. It can also flag up adverse events or potential barriers and work with patients to overcome them. It is designed to support Directly Observed Therapy…The move comes as Barton Health became the first health system to prescribe ingestible sensors, initially for patients with hypertension. emocha, a DreamIt Health company from Baltimore, also enlists video from mobile phones to confirm when patients have taken their medication.” (MedCity News, 1.12.16)

Telehealth Resources

  • Smartphone Applications for Patients’ Health and Fitness. Article introduces evidence that smart phone apps can better help patients reach their health and fitness goals, describes what features to look for in an app, gives an overview of popular health and fitness apps, and offers app recommendations. Current limitations of apps and future research are also discussed. (The American Journal of Medicine, 2016)


Health IT and Hospitals

  • The Healthcare Chief Information Officer MindMap. “It’s a beautiful display of everything that’s happening in healthcare IT. Although, it’s also an illustration of the challenge we hospital CIOs face. Is it any wonder that so many hospital CIOs feel overwhelmed?” (EMR and HIPAA. 4.8.14)



  • Transition to a Post-HITECH World (9.18.15) The Robert Wood Johnson Foundation. “In 2015…a large percentage of acute care hospitals have at least a basic electronic health record (EHR) system. But many are not ready to meet Stage 2 meaningful use criteria—criteria that must be met in order to participate in the Medicare and Medicaid EHR Incentive programs. Key Findings: By 2014, 75.5 percent of hospitals had adopted at least a basic EHR, a substantial increase from 58.9 percent in 2013; Seventy-six percent of hospitals reported exchanging data with outside health professionals in 2014, up from 62 percent in 2013 and 41 percent in 2008, the year the survey began including this measure; Hospitals continue to face barriers toward adopting national standards enacted in 2009 to encourage technology investments and the development of health information exchanges.”

Hospital Monitoring of High-Risk Behavior

  • Hospitals to Begin Monitoring Your Credit Card Purchases to Flag ‘Unhealthy’ Habits. “What you buy at the grocery store, where you live, and even your membership status at the local gym are all subject to a new data collection scheme by the American medical system. Reports indicate that hospitals and doctors’ offices all across the country are now collecting this and other personal information in order to target individuals deemed to have ‘unhealthy’ lifestyle habits that put them at high risk of disease.” (Caldwell, Leonard, 8.11.14)
  • Hospitals Soon See Donuts-to-Cigarette Charges for Health. “Some hospitals are starting to use detailed consumer data to create profiles on current and potential patients to identify those most likely to get sick, so the hospitals can intervene before they do…Information compiled by data brokers from public records and credit card transactions can reveal where a person shops, the food they buy, and whether they smoke. The largest hospital chain in the Carolinas is plugging data for 2 million people into algorithms designed to identify high-risk patients, while Pennsylvania’s biggest system uses household and demographic data.” (Bloomberg Business, 6.26.14)


Health IT News and Analysis

  • Omnibus Bill Keeps Office of the National Coordinator for Health IT Funding at Same Level as 2014. “In its ‘Congressional Asks’ — formal requests to Congress to accomplish specific goals to advance health IT–HIMSS urged lawmakers to fund ONC at the higher level. It calls this fourth year and Stage 2 of Meaningful Use a ‘critical juncture’ for the adoption and effective use of EHRs, citing the need to maintain the momentum achieved so far.” (Fierce Health IT, 12.15.14)

Security Concerns

  • Medical Devices Can Lead to Breaches. “Computer-security researchers have discovered a website containing documents that could allow hackers to easily obtain electronic medical records and payment information from health-care providers, CIO Journal’s Rachael King reports. The documents—found by two cybersecurity firms on a site commonly used by hackers—detail the type of equipment used in computer networks, the Internet addresses for computers and other devices, and the passwords to network firewalls run by health-care providers such as nursing homes, doctors’ offices and hospitals. If such networks were accessed, cybercriminals easily could find personal details on individuals, security experts said. Such information could be used to sell credit-card information and—more valuable to hackers—medical information that could be used to commit insurance fraud…The SANS Institute corroborated widespread problems with hackers infiltrating health-care networks and plans to issue a report on the vulnerabilities Wednesday. The report finds that security practices at health-care companies generally aren’t keeping pace with the high volume of attacks, SANS researchers say. Researchers from the institute found evidence of hacked dialysis and MRI machines and compromised personal health information…Medical records sell for about $60 apiece on the black market, while credit-card information typically goes for about $20, said Sam Glines, the CEO of cybersecurity firm Norse Corp. Medical records are ‘more valuable because you can do more with it, including Medicare fraud and prescription fraud,’ he said.” (Wall Street Journal CIO Report, 2.18.14)
  • Expert: U.S. Hospital Breach Biggest Yet to Exploit Heartbleed Bug. “Hackers who stole the personal data of about 4.5 million patients of hospital group Community Health Systems Inc broke into the company’s computer system by exploiting the “Heartbleed” internet bug, making it the first known large-scale cyber attack using the flaw, according to a security expert…Community Health Systems, one of the biggest U.S. hospital groups, said the information stolen included patient names, addresses, birth dates, phone numbers and social security numbers of people who were referred or received services from doctors affiliated with the company over the last five years.” (Reuters, 8.20.14)
  • Apple: Health Apps Shouldn’t Use iCloud Storage. “After an apparent breach into celebrities’ iCloud accounts led to nude photos leaking, Apple is forbidding its health app developers from housing sensitive user data with the storage service. Apple’s latest version of its App Store developers guidelines, released on Tuesday, say that apps ‘using the HealthKit framework that store users’ health information in iCloud will be rejected,’ 9to5mac originally reported.” (CNBC, 9.3.14)
  • Patients’ Medical Records Under Threat from Data Breaches. “Your private medical information is under threat. That’s according to a study that found almost 30 million health records nationwide were involved in criminal theft, malicious hacking or other data breaches over four years. The incidents seem to be increasing. Compromised information included patients’ names, home addresses, ages, illnesses, test results or Social Security numbers. Most involved electronic data and theft, including stolen laptops and computer thumb drives…Hackings doubled during the study, from almost 5 percent of incidents in 2010 to almost 9 percent in 2013. Hackings are particularly dangerous because they can involve a high number of records, said Dr. Vincent Liu, the lead author and a scientist at Kaiser Permanente’s research division in Oakland, California. ‘Our study demonstrates that data breaches have been and will continue to be a persistent threat to patients, clinicians, and health care systems,’ Liu said…A JAMA editorial says there’s evidence that the incidents are leading some patients to avoid giving doctors sensitive information about their health, including substance abuse, mental health problems, and HIV status. ‘Loss of trust in an electronic health information system could seriously undermine efforts to improve health and health care in the United States,’ the editorial said.” (Associated Press, 4.14.15)
  • Partners Data Breach Affects 3,300 Patients. “Hackers may have accessed medical and personal information, including Social Security numbers, about 3,300 patients at Partners HealthCare, the health system said Thursday. The breach happened when some Partners employees responded to phishing e-mails, which allowed unauthorized access to their e-mail accounts. Some of the e-mails contained private patient information, including Social Security numbers, addresses, phone numbers, and information about medical treatments and health insurance.” (The Boston Globe, 4.30.15)
  • Three Keys to Improving Privacy and Security Protections for Electronic Health Information Exchange. “Increasing reports of cyber theft of patient information via hacking — most recently of UCLA Health System, EHR vendor Medical Informatics Engineering and its patient portal NoMoreClipboard, and, earlier, of Anthem and Premera — suggest these data breaches will continue as criminals increasingly seek out medical data because the data contain links to financial and insurance information. According to DirectTrust President and CEO David C. Kibbe, MD, MBA, ‘The reason healthcare data are so vulnerable is, in a word, neglect. Despite the rich trove of data it stores, the healthcare industry has not taken security as seriously as other sectors of the economy, where privacy breaches have occurred for several years and systems have been hardened to protect against intruders.’… ‘Ironically, the push to make healthcare information systems more interoperable, and the rush into mobile and wearable healthcare applications may be increasing the vulnerability of health information to hacking events,’ Dr. Kibbe continued.” (Market Wired, 8.4.15)
  • Over 90% Of Cloud Services Used In Healthcare Pose Medium To High Security Risk. “According to cloud security vendor Skyhigh Networks, more than 13% of cloud services used in healthcare are high-risk and 77% are medium risk – as measured across 54 different security attributes (like data encryption and “two factor” authentication).” (Dan Munro, Forbes, 9.1.14)
  • Roundup: Three Data Breaches, One Settlement. “The health data breaches continue apace. In Ohio, Kentucky, and North Carolina, for instance, providers have had to announce a series of recent exposures, while in Connecticut a hospital said it has agreed to pay a settlement related to its own security incident.” (Government HealthIT, 11.23.15)
  • Health Care Industry Susceptible to Cyber Attacks. “Health care organizations are a popular target for cyber attacks. According to a KPMG survey published last month, 81 percent of health care executives said their organizations had been hit by malware, botnets or cyber attacks at least once in the past two years. Similarly, recent Raytheon/Websense research found that the health care industry experiences 340 percent more security incidents and attacks than most other industries. Hackers are interested in health care data because of its high value, said Carl Leonard, principal security analyst for Raytheon/Websense. ‘Health care providers have very complete data sets. Your doctor knows pretty much everything there is to know about you,’ he said, adding that the data often even includes links to insurance and other sensitive financial information. With widespread adoption of electronic health care record systems just a few years old, health care organizations are behind the curve when it comes to data protection best practices. ‘They are still learning how to expose data to authorized individuals,’ Leonard said.” (eSecurityPlanet, 10.5.15)


Health Data Collection and Sharing


Health Information Exchange (HIE)


Impact on Privacy

  • The Data Privacy Lab: This program was established in the Institute for Quantitative Social Science (IQSS) at Harvard University. The Lab started in 2001 and relocated to Harvard University in 2011. “The overall objective of the Data Privacy Lab is to provide intellectual leadership to society in shaping the evolving relationship between technology and the legal right to or public expectation of privacy in the collection and sharing of data…A goal of the Data Privacy Lab is to inform on-going discussions and to assess and propose balanced approaches in which data can be shared but in which inferences about the identities of people and organizations contained in the released data cannot reliably be made.” One project under this organization, theDataMap, explores the sharing of health data with various entities. The lab offers a flow chart of health data sharing in 1997, before implementation of HIPAA, and a more current interactive map.



  • Big Data Peeps At Your Medical Records To Find Drug Problems. “To do a better job of spotting unforeseen risks and side effects, the Food and Drug Administration is trying something new — and there’s a decent chance that it involves your medical records. It’s called Mini-Sentinel, and it’s a $116 million government project to actively go out and look for adverse events linked to marketed drugs. This pilot program is able to mine huge databases of medical records for signs that drugs may be linked to problems…Their health records include nearly 180 million Americans. If you have insurance through a private health plan, the chances are ‘pretty good’ that your data may have been used in one of these studies, says Dr. Richard Platt, the principal investigator for Mini-Sentinel and a professor at Harvard Medical School’s Department of Population Medicine.” (NPR, 7.21.14)
  • Health Data Privacy Concerns Top HIE Barrier, Study Finds. “Concerns over health data privacy and potential confidentiality issues were one of the top barriers to HIE, according to a recent study published by the Robert Wood Johnson Foundation.” (HealthIT Security, 9.29.15)

Data Anonymization/De-identification

With some exceptions, health researchers are obligated to eliminate 18 personal identifiers and to use “de-identified” or “anonymized” records when they analyze and share patient health data. Because of advances in technology, however, patients can now be re-identified from such records.

  • The Importance and Value of Protecting the Privacy of Health Information: The Roles of the HIPAA Privacy Rule and the Common Rule in Health Research. “[D]e-identification (and the less stringent anonymization) of information is particularly troublesome with respect to detailed databases containing genotypic and phenotypic data. The increase in genomic data coupled with the increase of computerization of other records about individuals, many of which are publicly available, increases the likelihood that data subjects can be re-identified. Single nucleotide polymorphisms (SNPs) contain information that can be used to identify individuals. Even a small number of SNPs can identify an individual almost as precisely as a social security number does. People who have access to individual data can potentially perform matches to public SNP data leading to matching and identification of individuals. Similarly, researchers with access to a large number of SNPs and corresponding phenotype data can potentially re-identify some individuals even if the information had been encrypted…Thus, it will become more questionable to treat this information as if the use and disclosure of this information poses no risk at all to the individual.” (National Academy of Sciences, 2008)
  • Your Medical Records Are for Sale. “As hospitals shift to digital medical records, administrators promise patients better care and shorter waits. They often neglect to mention that they share files with state health agencies, which in turn sell the information to private data-mining companies. The records are stripped of names and addresses, and there’s no evidence that data miners are doing the legwork to identify individual patients. Yet the records often contain patients’ ages, Zip Codes, and treatment dates—enough metadata for an inquiring mind to match names to files or for aggressive companies to target ads or hike insurance premiums.” (Bloomberg Business, 8.8.13)
  • Big Data and Privacy: A Technological Perspective — The President’s Council of Advisors on Science and Technology (PCAST, May 2014) Summary: “This report begins by exploring the changing nature of privacy as computing technology has advanced and big data has come to the forefront.  It proceeds by identifying the sources of these data, the utility of these data — including new data analytics enabled by data mining and data fusion — and the privacy challenges big data poses in a world where technologies for re-identification often outpace privacy-preserving de-identification capabilities, and where it is increasingly hard to identify privacy-sensitive information at the time of its collection.”
    • Data Privacy: “The same data and analytics that provide benefits to individuals and society if used appropriately can also create potential harms – threats to individual privacy according to privacy norms both widely shared and personal. For example, large‐scale analysis of research on disease, together with health data from electronic medical records and genomic information, might lead to better and timelier treatment for individuals but also to inappropriate disqualification for insurance or jobs…With a broad perspective, scholars today recognize a number of different legal meanings for ‘privacy.’”
    • Environmental Sensors: “Environmental sensors that enable new food and air safety may also be able to detect and characterize tobacco or marijuana smoke. Health care or health insurance providers may want assurance that self‐declared non‐smokers are telling the truth.”
    • Anonymization or De-identification: “[Y]ou may not mind if your medical record is used in research as long as you are identified only as Patient X and your actual name and patient identifier are stripped from that record…Unfortunately, it is increasingly easy to defeat anonymization by the very techniques that are being developed for many legitimate applications of big data. In general, as the size and diversity of available data grows, the likelihood of being able to re‐identify individuals (that is, re‐associate their records with their names) grows substantially…by fusing public, Personal Genome Project profiles containing zip code, birthdate, and gender with public voter rolls, and mining for names hidden in attached documents, 84‐97 percent of the profiles for which names were provided were correctly identified. Anonymization remains somewhat useful as an added safeguard, but it is not robust against near‐term future re-identification methods. PCAST does not see it as being a useful basis for policy. Unfortunately, anonymization is already rooted in the law, sometimes giving a false expectation of privacy.”
  • Every Patient a Subject. “[C]urrent norms for medical research permit a scientist who gets a sample of blood, tissue, or saliva to sequence and use that genome without the donor’s specific consent, or even without her knowledge. The scientist then may share those genomic data with others, including a database maintained by the U.S. National Institutes of Health that’s used by researchers and companies worldwide. This can all happen without any notice to the people whose DNA was sequenced. (In fact, if the study is federally funded, in some cases the scientist must share the information.)…‘[D]e-identification’ is becoming only a reassuring myth. Subjects of genomic research should not confidently expect to remain anonymous. The possibility of ‘re-identifying’ people from either their genomes or the health or demographic data connected with those genomes is real…If the research community truly believes that science must conscript patient genomes for public benefit, it should make that case openly, explaining how notice and consent will impose undue burdens on crucial research.” (Slate, December, 2014)
  • How Data Brokers Make Money Off Your Medical Records. “Once upon a time, simply removing a person’s name, address and Social Security number from a medical record may well have protected anonymity. Not so today. Straightforward data-mining tools can rummage through multiple databases containing anonymized and nonanonymized data to reidentify the individuals from their ostensibly private medical records…‘It is getting easier and easier to identify people from anonymized data,’ says Chesley Richards, director of the Office of Public Health Scientific Services at the Centers for Disease Control and Prevention…‘I personally believe that at the end of the day, individuals own their data,’ says Pfizer’s Berger. ‘If somebody is using [their] data, they should know. And if the collection is only for commercial purposes, I think patients should have the ability to opt out.’” (Scientific American, 2.1.16)

Privacy on the Affordable Care Act Exchanges

  • Analyst: Private Firms’ Access to Obamacare User Info ‘Incomprehensible.’ “[W]ith today’s technology, Wright said, even with names and addresses stripped from the data collected by these firms, other companies and outside groups need only a small amount of information to identify users. ‘It’s gotten to the point now on the Internet where there’s so much data floating out there, it takes very small steps to create a profile on you, sir, to understand what you do, where you live, what your interests are,’ Wright said. He pointed to a recent study by MIT researchers that showed marketers can identify you ‘with more than 90 percent accuracy by looking at just four purchases, three if the price,’ is included. ‘And this is after companies ‘anonymized’ the transaction records,’ Wright added…Not only did users of the site not authorize the collection of their personal data by private firms, they also didn’t know that collection was going on in the first place, De Mooy explained.” (PJ Media, 2.22.15)
  • California’s Obamacare Exchange to Collect Insurance Data on Patients. “California’s health insurance exchange wants to know why you got sick this summer. With 1.4 million people enrolled, the state-run marketplace is embarking on an ambitious effort to collect insurance company data on prescriptions, doctor visits and hospital stays for every Obamacare patient. Covered California says this massive data-mining project is essential to measure the quality of care that patients receive and to hold health insurers and medical providers accountable under the Affordable Care Act. The state in April signed a five-year, $9.3-million contract with Truven Health Analytics Inc. of Michigan to run the database. The effort has raised questions about patient privacy and whether the state is doing enough to inform consumers about how their data will be used. There are also worries about security amid massive breaches at Anthem Inc. and other health insurers affecting millions of Americans. Peter Lee, executive director of Covered California, said protecting sensitive information was a top priority and that consumers stand to benefit from the collection of medical data. He acknowledged the state had no plans to let consumers opt out and keep their records out of the database…(Covered California) shared details on Covered California enrollees with researchers at UC San Francisco and UC San Diego, and those names were compared with a state database of patients who received hospital care in 2012.” (Los Angeles Times, 6.21.15)


Governmental Health IT Initiatives