Showing posts with label electronic medical records. Show all posts

Friday, March 15, 2013

IRS faces class action lawsuit over theft of 60 million medical records

Try this with paper records.  This is spectacular (as in, spectacularly alarming) if true:

IRS faces class action lawsuit over theft of 60 million medical records

The Internal Revenue Service is now facing a class action lawsuit over allegations that it improperly accessed and stole the health records of some 10 million Americans, including medical records of all California state judges.

According to a report by Courthousenews.com, an unnamed HIPAA-covered entity in California is suing the IRS, alleging that some 60 million medical records from 10 million patients were stolen by 15 IRS agents. The personal health information seized on March 11, 2011, included psychological counseling, gynecological counseling, sexual/drug treatment and other medical treatment data.

"This is an action involving the corruption and abuse of power by several Internal Revenue Service agents," the complaint reads. "No search warrant authorized the seizure of these records; no subpoena authorized the seizure of these records; none of the 10,000,000 Americans were under any kind of known criminal or civil investigation and their medical records had no relevance whatsoever to the IRS search. IT personnel at the scene, a HIPAA facility warning on the building and the IT portion of the searched premises, and the company executives each warned the IRS agents of these privileged records," it continued. According to the case, the IRS agents had a search warrant for financial data pertaining to a former employee of the John Doe company; however, "it did not authorize any seizure of any healthcare or medical record of any persons, least of all third parties completely unrelated to the matter," the complaint read.

The class action lawsuit against the IRS seeks $25,000 in compensatory damages "per violation per individual" in addition to punitive damages for constitutional violations.  Thus, compensatory damages could start at a minimum of $250 billion.

According to the linked Courthousenews.com piece, the class is represented by attorney Robert E. Barnes of Malibu, California.   The Complaint is reported to state that the IRS' data theft was so enormous it affects "roughly one out of every twenty-five adult American citizens."

If a government agency decides to steal medical records, I'd rather the records be on paper than electronic. I think it's inarguable that it is a lot harder for 15 people to haul 60,000,000 paper charts away than a few hard disks.

Mass theft of records must be factored into the risk/benefit ratio of electronic health records.  See other posts on this topic at the label index terms below.

Addendum:  the Complaint is here (PDF).

-- SS

Thursday, November 29, 2012

Cybernetik Über Alles Again: HHS and Sebelius - Hospitals And Their Computers Have More Rights Than Patients

A Nov. 29, 2012 New York Times article by Reed Abelson entitled "Medicare Is Faulted on Shift to Electronic Records" observes that:

The conversion to electronic medical records — a critical piece of the Obama administration’s plan for health care reform — is “vulnerable” to fraud and abuse because of the failure of Medicare officials to develop appropriate safeguards, according to a sharply critical report to be issued Thursday by federal investigators [the report from HHS OIG is here - ed.] ... Medicare, which is charged with managing the incentive program that encourages the adoption of electronic records, has failed to put in place adequate safeguards to ensure that information being provided by hospitals and doctors about their electronic records systems is accurate. To qualify for the incentive payments, doctors and hospitals must demonstrate that the systems lead to better patient care, meeting a so-called meaningful use standard by, for example, checking for harmful drug interactions. [I note that meeting EHR "meaningful use" standards does not necessarily signify better care; the "standards" are experimental - ed.]

Hospitals and doctors are lying about their EHR efforts, in order to gain incentive payments, it seems.

In an article "IG says program is 'vulnerable' to abuse, better oversight needed", Fred Schulte at the Center for Public Integrity notes:

... the Centers for Medicare and Medicaid Services has since paid out more than $3.6 billion to medical professionals who made the switch without verifying they are meeting the required quality goals, according to a new federal audit to be released today

Observes the CEO of the American Health Information Management Association:

“We’ve gone from the horse and buggy to the Model T, and we don’t know the rules of the road. Now we’ve had a big car pileup,” said Lynne Thomas Gordon, the chief executive of the American Health Information Management Association, a trade group in Chicago. 

More Horse and Buggy than Model T.  At least the Model T was reasonably dependable. 

Also mentioned is this:

House Republicans echoed these concerns in early October in a letter to Kathleen Sebelius, secretary of health and human services. Citing the Times article, they called for suspending the incentive program until concerns about standardization had been resolved. “The top House policy makers on health care are concerned that H.H.S. is squandering taxpayer dollars by asking little of providers in return for incentive payments,” said a statement issued at the same time by the Republicans, who are likely to seize on the latest inspector general report as further evidence of lax oversight. Republicans have said they will continue to monitor the program.

In her letter in response, which has not been made public, Ms. Sebelius dismissed the idea of suspending the incentive program, arguing that it “would be profoundly unfair to the hospitals and eligible professionals that have invested billions of dollars and devoted countless hours of work to purchase and install systems and educate staff.”


I was taught "first, do no harm."  Fairness to patients injured and killed by this technology in its present "Horse and Buggy" state (buggy being a particularly apropos term) seems not a matter of particularly high concern to HHS.   A suspension of incentives would slow the adoption rate down, necessary in order to "get the bugs" out of the technology before mass deployment and develop safety, validation and surveillance standards (currently non-existent), as I wrote in my Oct. 24, 2012 "Letter To U.S. Senators and Representatives Who've Sought HHS Input On EHR Problems."

This is despite the fact that FDA, IOM and others have indicated the level of harm is not known, due to systematic impediments to diffusion of that knowledge (see IOM statements in the midsection of my post on health information technology hyper-enthusiasm at this link, and an internal FDA memo on HIT safety at this link). 

HHS seems to care not about health and human services, or at best to be severely misguided.  "Cybernetik Über Alles" seems their current credo.

-- SS

Tuesday, June 5, 2012

Cart Before the Horse, Part 3: AHRQ's "Health IT Hazard Manager"

(Addendum: the AHRQ hazard manager taxonomy report can be seen at http://healthit.ahrq.gov/sites/default/files/docs/citation/HealthITHazardManagerFinalReport.pdf.)

In a July 2010 post "Meaningful Use Final Rule: Have the Administration and ONC Put the Cart Before the Horse on Health IT?" and an Oct. 2010 post "Cart before the horse, again: IOM to study HIT patient safety for ONC; should HITECH be repealed?" I wrote about the postmodern "ready, fire, aim" approach to health IT.

In the first post, I wrote:

... These "usability" problems require long term solutions. There are no quick fix, plug and play solutions. Years of research are needed, and years of system migrations as well for existing installations.

Yet we now have an HHS Final Rule on "meaningful use" regarding experimental, unregulated medical devices the industry itself admits have major usability problems, along with a growing body of literature on the risks entailed.
For crying out loud, talk about putting the cart before the horse...

Something's very wrong here...

However, this situation is anything but humorous.

How more "cart before the horse" can government get?

In the second post, I wrote:

... So, in the midst of a National Program for Health IT in the United States (NPfIT in the U.S.), with tens of billions of dollars earmarked for health IT already (money we don't really have, but it can be printed quickly, or borrowed from China) the IOM is going to study health IT safety, prevention of health IT-related errors, etc. ... only now?

Here we go yet again.

The problem with the AHRQ (Agency for Healthcare Research and Quality, a division of HHS) announcement below of a webinar about a new tool for identifying, categorizing, and resolving health IT hazards, as I have written before, is putting the "cart before the horse" and throwing medical ethics to the wind.

If we've just developed a tool "for identifying, categorizing, and resolving health IT hazards", the magnitude of which others such as IOM admit are unknown to our detriment (e.g., Health IT and Patient Safety: Building Safer Systems for Better Care, pg. S-2), then health IT is, it follows, an experimental technology.

If it is an experimental technology, AHRQ and others in HHS should probably be raising the issue of a slowdown or moratorium on widespread rollout under HITECH until risk management and remediation are better understood.  At the very least they should be calling for patient informed consent that a device that will largely regulate their care is experimental, that a competency "gap" exists among healthcare practitioners within the "health IT environment" (meaning patients are at risk), and that patients should be offered the opportunity for informed consent with opt-out provisions.  The principals should not just be announcing a webinar:

Sent: Tuesday, June 05, 2012 12:23 PM
To: OHITQUSERS@LIST.NIH.GOV
Subject: Register Now! AHRQ Health IT Webinar "Purpose and Demonstration of the Health IT Hazard Manager and Next Steps" June 11, 2:30 PM ET

Agency for Healthcare Research and Quality

Purpose and Demonstration of the Health IT Hazard Manager and Next Steps

June 11, 2012 — 2:30-4 p.m., EST

The Agency for Healthcare Research and Quality (AHRQ) has identified a gap in a health care/public health practitioner’s competency within the health IT environment. This webinar is designed to increase practitioners’ competencies in several areas: improving health care decision making; supporting patient-centered care; and enhancing the quality and safety of medication management by improving the ability to identify, categorize, and resolve health IT hazards.

The Webinar will explore the Health IT Hazard Manager—a tool for identifying, categorizing, and resolving health IT hazards. When implemented, the tool allows health care organizations and software vendors alike to learn about potential hazards and work to resolve them, including the use of data to communicate potential and actual adverse effects. The session will discuss how the Health IT Hazard Manager was tested and refined as well as strategies and implications for deploying it. The target audience includes AHRQ grantees/researchers; health care providers, including physicians and nurses; consumers/patients; and health care policymakers.

... Webinar learning objectives include:

1. Describe the rationale for developing the Health IT Hazard Manager and how it evolved through alpha and beta testing.
2. Explain the process for identifying and categorizing health IT-related hazards.
3. Demonstrate how the Health IT Hazard Manager would be used [i.e., it's not yet in use, despite mandates for HIT rollout with penalties for non-adopters - ed.] within and across care delivery organizations and health IT software vendors.
4. Discuss policy and process implications for deploying the Health IT Hazard Manager via different organizations (i.e., AHRQ; Office of the National Coordinator for Health IT; Patient Safety Organization(s); Accrediting bodies; IT entities).

In effect, HHS seems to be saying "we're working on the HIT risk problem, but roll it out anyway; if you get harmed or killed, tough luck."  This seems a form of negligence.

Have we thrown out all we know about medical research and human subjects protections in face of the magical powers and profits of computers in medicine?

-- SS

Sunday, June 3, 2012

WSJ "There's a Medical App for That—Or Not" - Misinformation on Health IT Safety Regulation?

There's a health IT meme that just won't die (patients may, but not the meme).

It's the meme that health IT "certification" is a certification of safety.

I expressed concern about the term "certification" being misunderstood even before the meme formally appeared, when the term was adopted by HHS with regard to evaluation of health IT for adherence to the "meaningful use" pre-flight features checklist.  See my mid-2009 post "CCHIT Has Company" where I observed:

HIT "certification." ... is a term I put in quotes since it really is "features qualification" at this point, not certification such as a physician receives after passing Specialty Boards.

The "features qualification" is an assurance that the EHR functions in a way that could enable an eligible provider or eligible hospital to meet the Center for Medicare & Medicaid Services' (CMS) requirements of "Meaningful Use."  No rigorous safety testing in any meaningful sense is done, and no testing under real-world conditions is done at all.

I've seen the meme in various publications and venues.  I've even seen it in legal documents in medical malpractice cases where EHRs were involved, as an attempted defense.

Now the WSJ has fallen for the health IT Certification meme.

An article "There's a Medical App for That—Or Not" was published on May 29, 2012.  Its theme is special regulatory accommodation for health IT in the form of opposition to FDA regulation of devices such as "portable health records and programs that let doctors and patients keep track of data on iPads."

In the article, this assertion about health IT "certification" is made:

... The FDA's approach to health-information technology risks snuffing out activity at a critical frontier of health care. Poor, slow regulation would encourage programmers to move on, leaving health care to roil away for yet another generation, fragmented, disconnected and choking on paperwork.

The process already exists for safeguarding the public for computers in health care. It's not FDA premarket review but the health information technology certification program, established under President George W. Bush and still working fine under the Obama Health and Human Services Department. The government sets the standards and an independent nonprofit [ATCB, i.e., ONC Authorized Testing and Certification Bodies - ed.] ensures that apps meet those standards. It's a regulatory process as nimble as the breakout industry it's meant to monitor. That is where and how these apps should be regulated.

It's a wonderful meme.  Unfortunately, it's wrong.  Dead wrong.

Certification by an ATCB does not "safeguard the public."   Two ONC Authorized Testing and Certification Bodies (ATCB's) admitted this in email, as in my Feb. 2012 post "Hospitals and Doctors Use Health IT at Their Own Risk - Even if Certified".  I had asked them, point-blank:

"Is EHR certification by an ATCB a certification of EHR safety, effectiveness, and a legal indemnification, i.e., certifying freedom from liability for EHR use of clinical users or organizations? Or does it signify less than that?"

I received two replies from major ONC ATCB's indicating that "certification" is merely assurance that HIT meets a minimal set of "meaningful use" guidelines, not that it's been vetted for safety.  For instance:

From: Joani Hughes (Drummond Group)
Sent: Monday, March 05, 2012 1:06 PM
To: Scot Silverstein
Subject: RE: EHR certification question

Per our testing team:

It is less than that. It does not address indemnification although a certification could be used as a conditional part of some other form of indemnification function, such as a waiver or TOA, but that is ultimately out of the scope of the certification itself. Certification in this sense is an assurance that the EHR functions in a way that could enable an eligible provider or eligible hospital to meet the CMS requirements of Meaningful Use Stage 1. Or to restate it more directly, CMS is expecting eligible providers or eligible hospitals to use their EHR in a “meaningful way” quantified by various quantitative measure metrics, and eligible providers or eligible hospitals can only be assured they can do this if they obtain a certified EHR technology.

Please let me know if you have any questions.

Thank you,
Joani.

Joani Hughes
Client Services Coordinator
Drummond Group Inc.

The other ATCB, ICSA Labs, stated that:

... Certification by an ATCB signifies that the product or system tested has the capabilities to meet specific criteria published by NIST and approved by the Office of the National Coordinator. In this case the criteria are designed to support providers and hospitals achieve "Meaningful Use." A subset of the criteria deal with the security and patient privacy capabilities of the system.

Here is a list of the specific criteria involved in our testing:
http://healthcare.nist.gov/use_testing/effective_requirements.html

In a nutshell, ONC-ATCB Certification deals with testing the capabilities of a system, some of them relate to patient safety, privacy and security functions (audit logging, encryption, emergency access, etc.).

What was suggested in the email below (freedom from liability for users of the system, etc.) would be out of scope for ONC-ATCB testing based on the given criteria. [I.e., certification criteria - ed.] I hope that helps to answer your question.

I had noted that:

... My question was certainly answered [by the ATCB responses]. ONC certification is not a safety validation, such as in a document from NASA on aerospace software safety certification, "Certification Processes for Safety-Critical and Mission-Critical Aerospace Software" (PDF) which specifies at pg. 6-7:

In order to meet most regulatory guidelines, developers must build a safety case as a means of documenting the safety justification of a system. The safety case is a record of all safety activities associated with a system throughout its life. Items contained in a safety case include the following:

• Description of the system/software
• Evidence of competence of personnel involved in development of safety-critical software and any safety activity
• Specification of safety requirements
• Results of hazard and risk analysis
• Details of risk reduction techniques employed
• Results of design analysis showing that the system design meets all required safety targets
• Verification and validation strategy
• Results of all verification and validation activities
• Records of safety reviews
• Records of any incidents which occur throughout the life of the system
• Records of all changes to the system and justification of its continued safety

A CCHIT ATCB juror, a physician informatics specialist, has also done a guest post in Jan. 2012 on HC Renewal about the certification process, reproducing his testimony to HHS on the issue.  That post is "Interesting HIT Testimony to HHS Standards Committee, Jan. 11, 2011, by Dr. Monteith."  Dr. Monteith testified (emphases mine):

... I’m “pro-HIT.” For all intents and purposes, I haven’t handwritten a prescription since 1999.

That said and with all due respect to the capable people who have worked hard to try to improve health care through HIT, here’s my frank message:

ONC’s strategy has put the cart before the horse. HIT is not ready for widespread implementation. 

... ONC has promoted HIT as if there are clear evidence-based products and processes supporting widespread HIT implementation.

But what’s clear is that we are experimenting…with lives, privacy and careers.

... I have documented scores of error types with our certified EHR, and literally hundreds of EHR-generated errors, including consistently incorrect diagnoses, ambiguous eRxs, etc.

As a CCHIT Juror, I’ve seen an inadequate process. Don’t get me wrong, the problem is not CCHIT. The problem stems from MU.

EHRs are being certified even though they take 20 minutes to do a simple task that should take about 20 seconds to do in the field.  [Which can contribute to mistakes and "use error" - ed.] Certification is an “open book” test. How can so many do so poorly?

For example, our EHR is certified, even though it cannot generate eRxs from within the EHR, as required by MU.

To CCHIT’s credit, our EHR vendor did not pass certification. Sadly, our vendor went to another certification body, and now they’re certified.

MU does not address many important issues. Usability has received little more than lip-service. What about safety problems and reporting safety problems? What about computer generated alerts, almost all of which are known to be ignored or overridden (usually for good reason)?
 
The concept of “unintended consequences” comes to mind.

All that said, the problem really isn’t MU and its gross shortcomings, it is ONC trying to do the impossible:

ONC is trying to artificially force a cure for cancer, basically trying to promote one into being, when in fact we need to let one evolve through an evidence-based, disciplined process of scientific discovery and the marketplace.

Needless to say, as was learned at great cost in past decades, a "disciplined process" in medicine includes meaningful safety regulation by objective outside experts.

Further, the certifiers have no authority to do important things such as forcibly remove dangerous software from the market.  An example is the forced Class 1 recall of a defective system as I wrote about in my Dec. 2011 post "FDA Recalls Draeger Health IT Device Because This Product May Cause Serious Adverse Health Consequences, Including Death".   Class 1 recalls are the most serious type of recall and involve situations in which there is a reasonable probability that use of these products will cause serious adverse health consequences or death.

In that situation, the producer had been simply advising users (in critical care environments, no less) to "work around the defects" that could indicate incorrect recommended dosage values of critical meds, including a drug dosage up to ten times the indicated dosage, as well as corrupt critical cardiovascular monitoring data.  As I observed:

... I find a software company advising clinicians to make sure to "work around" blatant IT defects in "acute care environments" the height of arrogance and contempt for patient safety.

Without formal regulatory authority to take actions such as this FDA recall, "safeguarding the public" is a meaningless platitude.

It's also likely the ATCB's, which are private businesses, would not want the responsibility of "safeguarding the public."  That responsibility would open them up to litigation when patient injuries or death were caused, or were contributed to, by "certified" health IT.

I have in the past also noted that the use of the term "certification" might have been deliberate, to mislead potential buyers into thinking that "certification" is akin to a UL certification of an electrical appliance for safety, or an FAA approval of a new aircraft's airworthiness.

The WSJ needs to clarify and/or retract its statement, as the statement is misinformation.

At my Feb. 2012 post "Health IT Ddulites and Disregard for the Rights of Others" I observed:

Ddulites [HIT hyper-enthusiasts - ed.] ... ignore the downsides (patient harms) of health IT.

This is despite their being already aware of, or informed of, patient harms, even by reputable sources such as FDA (Internal FDA memo on H-IT risks), The Joint Commission (Sentinel Events Alert on health IT), the NHS (Examples of potential harm presented by health software - Annex A starting at p. 38), and the ECRI Institute (Top ten healthcare technology risks), to name just a few.

In fact, the hyper-enthusiastic health IT technophiles will go out of their way to incorrectly dismiss risk management-valuable case reports as "anecdotes" not worthy of consideration (see "Anecdotes and medicine" essay at this link).

They will also make unsubstantiated, often hysterical-sounding claims that health IT systems are necessary to, or simply will "transform" (into what, exactly, is usually left a mystery) or even "revolutionize" medicine (whatever that means).

Health IT is a potentially dangerous technology.   It requires meaningful regulation to "safeguard the public."  How many incidents like this and this will it take before that is understood by the hyper-enthusiasts?

I've emailed the ATCBs that had responded to my aforementioned query, asking for clarification on the WSJ assertion about their role, since the statement contradicts their earlier replies to me.  I also advised them of the potential liability issues.

However, if it turns out to be true that the ONC-ATCBs do intend themselves as the ultimate watchdog and assurer of public safety related to EHRs, that needs to be known by the public and their representatives.

-- SS