Response to Valerie Powell, PhD
By Darrell K. Pruitt; DDS
Dear Valerie,
This is a response to statements in www.ModernHealthcare.com, although to address all of the issues will probably be more space than they will want to devote to this. So, I’ll leave it to them to decide how much, if any, they would like to post.
Starting from the Top
Valerie Powell asks whether a dentist would face liability under HIPAA if electronic health data were stolen. Of course they would. And in six months the FTC will be interested in data breaches as well. The “Red Flag Rules” were not eliminated; they were just delayed.
Practice Interference
She asks whether the thefts would interfere with the dentist’s practice. Yes again – in many unpleasant ways. For example, if there is a data breach connected to a series of identity thefts from a dental office, the HHS Office of Civil Rights, state investigators or even the FBI can confiscate the dentist’s computer to investigate. A search warrant would shut down an office much more unexpectedly than paper floating away in a hurricane. By the way, using Hurricane Katrina as a reason for dentists to go digital is merely a weak rationalization commonly used by those who would de-value paper records to increase the relative value of digital.
Self-Reporting
If the dentist is able to self-report the breach before finding out from law officials, even before the inspectors arrive, ready to teach the careless dentist a good lesson as an example to others, the dentist would be obligated to contact every one of his or her patients as soon as possible to tell them, “I am terribly sorry to inform you that your social security number, date of birth, health insurance information and other valuable items have been stolen from my office. However, I will assist you in watching for identity thefts for the next few years at my expense.”
The Ponemon Institute Report
A couple of years ago, the Ponemon Institute estimated that it costs almost $200 per patient to do this. For a small dental practice with only 2500 active patients, that is half a million dollars – even before the fines arrive.
Economic Costs
But wait, there is more. If the immediate financial costs do not bankrupt the practice, Ponemon once estimated that 20% of the clients will never return to a business that fumbled their identity. I think Ponemon is an optimist. Ponemon’s estimate is not based on breaches from dental practices. I think at least a third of dental patients would immediately leave and probably seek out a dentist who uses paper records. And that is when they will find me.
Conclusion
And so, your thoughts and comments on this Executive-Post, and continuing discourse, are appreciated.
The Encryption Fallacy
http://www.modernhealthcare.com/article/20081125/REG/311259958
Dental, Health Streams’ Should Unite Despite Hurdles
In response to reader commentary on Joseph Conn’s “CCHIT awaits word on fate in Obama administration”
Response
Darrell Pruitt’s concerns are important. As for liability—would a dental provider in private practice face liability under the Health Insurance Portability and Accountability Act if her/his electronic health-record data was stolen? Would the procedures for dealing with such a theft interfere with her/his practice? Although if we suddenly had eHRs in every dentist’s office in the U.S., I doubt there would be a crime wave of eHR thefts across the country, clearly there is a risk. Any dental provider should take the same steps as any provider, namely, encrypt the hard disk.
High Cost-Open Source
The high cost is because of proprietary systems of great expense. The Veterans Affairs Department and the Indian Health Service have had integrated (medical-dental) systems in place for years. While the VA dental package is not open-source, the VistA system per se is open-source, and is available, sponsored by the CMS. The IHS dental package is open-source and can be used together with the VistA database. And so, when it comes to loss of records, please note that not one veteran’s EHR in VistA was lost during the Katrina disaster in Louisiana.
Optimized Care
The reason for integral communication among medical and dental providers is to optimize and support chronic care, the source of over 70% of costs of healthcare in the U.S., to optimally support prenatal care affecting the unborn, to optimally support pediatric care and to address the urgent multidisciplinary needs of patients at risk of osteo-radionecrosis.
Assessment
Dental-provider concerns are important and must be addressed. It is reasonable that dentists are alarmed, reading about thefts of computers and hard drives and problems of HIPAA compliance. Pruitt suggested in a phone conversation that two-way fax relationships with an alternative method of IDing providers and patients might solve the HIPAA liability problem. I suspect the best solution is a best-practice approach to electronic data security and backups. Practical solutions must be found so that routine, appropriate and necessary communication between medical and dental providers can safeguard the health (oral and systemic) of individual patients. Patient safety and quality of care are foremost. It is neither safe nor supportive of quality of care to have two less-than-adequately coordinated “streams” of care administering and prescribing medications and performing surgeries on patients receiving care in both “streams.”
Valerie Powell, Ph.D.
Professor: Computer/information systems
Robert Morris University
Chairwoman: Education/training
WorldVistA
Moon Township, Pa.
Side-Stepping Insurmountable Obstacles
“The reason for integral communication among medical and dental providers is to optimize and support chronic care, the source of over 70% of costs of healthcare in the U.S., to optimally support prenatal care affecting the unborn, to optimally support pediatric care and to address the urgent multidisciplinary needs of patients at risk of osteoradionecrosis.” Valerie Powell, PhD
Even though I have to wonder why Valerie Powell picked the rare “osteoradionecrosis” to highlight from so many more common diseases like diabetes and heart disease, I agree that better communication between physicians and dentists is needed now more than ever before. It would save lives. But we simply cannot get there from here.
Even if I am the only dentist in the entire nation to notice, as a confident scout who knows the terrain better than most, I will report again and again that I have seen what lies ahead. I am giving fair warning to all concerned that it makes no difference how many are already in the dental IT convoy, and it does not matter how many letters trail the leaders’ names. I am telling you that the bridge is out, and the greater the momentum – the more spectacular the crash. The wreckage will justifiably crush the careers of careless HIPAA stakeholders who know far too little about dentistry. Those who ride indefensible absurdity the longest will suffer the most. Fair is fair.
Unfortunately, it will also destroy patients’ trust in eDRs for the rest of their lives and dentistry may never see Open Source Evidence-Based Dentistry and the miracles that would have helped my grandchildren. If stakeholders are allowed to drive interoperability off a cliff, one can forget about real-time data-mined dental research. If either dentists or dental patients do not trust their welfare to digital records, the records will be worse than inadequate. They will be dangerous.
Did I mention in a previous part of this thread that 330,000 active and former dental patients lost their identities to a hacker at a University of Florida dental school recently? How would you like to be known as a high tech paperless dentist in that college town? If you were a dental patient in the community, and you had a choice, why would you pick a dentist with digital records over a dentist who has paper records that are impossible to hack?
Even though hundreds of thousands of years ago, even the slowest-thinking Neanderthals undoubtedly noticed that infections of the mouth can make one feel bad all over, there is abundant recent research which proves the connection between chronic diseases of the body and diseases of the mouth. Enthusiastic IT stakeholders who often confuse rationalizations with reasons would have us believe that it takes interoperable computers to communicate between dentists and other healthcare providers. I say if we wait on that to happen before establishing universally-accepted alternate safe lines of communication, millions of people will die needlessly.
“We may need to solve problems not by removing the cause but by designing the way forward even if the cause remains in place.” Edward de Bono – Pioneer of Lateral Thinking (Wikiquote).
Dentists indeed need to be better connected with physicians. But it does not require that dentists endanger their patients’ welfare by having to maintain Personal Identification Information (PII) on their computers, and most of all, it does not require a dentist to be a HIPAA-covered entity. This means that entrenched government officials and politicians will not like my idea at all. But face it. Their reckless ambition made HIPAA insurmountable.
Here is a lateral idea that I have not completely worked out, but how about this: Make eDRs and eMRs compatible with common fax machines as a requirement for CCHIT accreditation. Commonly, common sense simply provides simple solutions. Now look at how simple that was.
Darrell Pruitt DDS
Fort Worth, Texas
Reply to Valerie Powell, PhD
The fallacy of encryption
Valerie Powell writes, “Although if we suddenly had eHRs in every dentist’s office in the U.S., I doubt there would be a crime wave of eHR thefts across the country, clearly there is a risk. Any dental provider should take the same steps as any provider, namely, encrypt the hard disk.”
Without security, theft is impossible to prevent. Let’s just say identity theft is a growing problem in our nation that we will naturally discover was relatively small today, and hardly noticed by even professional health organizations whose mission is to do no harm.
Did you know medical records of over 160 million patients have already been lost in the last few years? And those are only the ones we know about. That is equivalent to more than half of the US population. In addition, according to a study released a year ago by the Ponemon Institute and Deloitte and Touche, 85 percent of the security or privacy executives surveyed – around 800 individuals – claimed at least one reportable security incident in the preceding 12 months. What is more, 63 percent of the professionals surveyed had multiple reportable privacy breaches – between 6 and 20 – in the previous year.
http://www.deloitte.com/dtt/article/0%2C1002%2Ccid%25253D182733%2C00.html
The fact that one may not hear about patient privacy breaches occurring in dental offices does not mean dental patients’ records are any more secure than the 26.5 million medical records that were lost by the Veterans Affairs Department in 2006 because of a stolen computer. Breaches of dental patients’ identities are simply going unreported. How good is that?
By the way, the 26.5 million records were part of the VA’s VistA database that Valerie Powell mentioned as being a good open-source interoperable system; very open-source.
Pushed by ambitious public and private healthcare IT stakeholders, the nation simply pursued eHRs with reckless abandon, particularly since the HIPAA mandate was amended in 2003 to favor stakeholders over patients. The results of egregious errors in judgment are fast becoming painfully evident to consumers, whose trust is absolutely required if we are to have trustworthy medical records. We are losing our patients’ confidence, friends.
The loss of trust is not limited to medical records. At the first of October, 330,000 dental records were lost to a hacker from a Florida dental school. This was avoidable.
As a member, I hold my American Dental Association partly to blame. The ADA, which advises the US Department of Health and Human Services about healthcare IT matters on behalf of the nation’s dental patients, has been transparently negligent because of institutional investment in digital records. The leaders of my profession should have warned both dentists and lawmakers about the danger of identity theft at least three years ago, when I brought it to their attention. Alas, I am but one dentist – brushed off by many as a trouble-maker.
I find it incredible that Valerie Powell assumes that broader adoption of today’s notoriously insecure eHRs will not create more opportunities for thieves.
So will encryption solve this problem? No; encryption will not be trusted by patients. Here is a simple test to support my claim: If your doctor fumbles the identities of you and your loved ones, would you want to know – regardless of encryption? I would.
As far as I can tell, it is only the stakeholders who can’t handle the truth.
Darrell K. Pruitt; DDS
Fort Worth, Texas
More on the Reply to Dr. Valerie Powell
http://www.drbicuspid.com/forum/tm.aspx?m=542
Dr. Powell, I have said this before to many people publicly and privately. I have gained great respect for you. I sincerely admire you for your compassion, your drive, your knowledge of chronic diseases and your toughness in the face of adversity. Wherever you and I go from here, I consider you my friend who I sometimes disagree with 180 degrees. I truly feel honored with your presence. What we are accomplishing here is good. The nation is watching.
“You made it clear to me what your concerns were/are about privacy and EHRs and about costs and EHRs and I sent you verification that my EHR integration agenda now includes the concerns you identified, so obviously I agree that those points need to be addressed.”
When you mentioned to me that you inserted my concerns about privacy and cost into your agenda, I was flattered. I wish you would have run your ideas by me sooner, though. I would have told you not to waste your time. Your concession is simply not enough.
Even if a dentist is shielded from lawsuits following a breach of his or her patients’ personal information – soon to include complete digital medical histories as well as PII – lawsuits are just part of the problem.
– Immediately the patients involved in the breach must be notified and the dentist must assume responsibility for helping them to monitor their credit for a couple of years. Of course, an attorney will have to be hired, and agreements signed with each patient, so it could get really expensive. A couple of years ago, the Ponemon Institute estimated that it costs around 80 dollars per client when breaches occur. The institute also predicted that 20% of the clients will never return to a place of business that fumbles their identity.
In other words, even if a dentist does the right thing following a breach, his or her practice could easily be ruined. Lawsuits make no difference at all. The dentist could be bankrupt even before the HIPAA fines are assessed.
Which brings us to …
– Authorities must be notified. This ultimately means a visit to the dental practice by PriceWaterhouseCoopers employees who are contracted by the HHS to perform HIPAA inspections. I assume they are paid on commission for the violations they uncover. I would also assume that the office computers could be confiscated for investigation if the breach involves crimes committed using the dental patients’ IDs to steal money or healthcare. And as I have previously mentioned, if one’s health history is altered, someone could be seriously injured or killed because of the breach. Am I wrong to want to shield my patients from this danger?
“So why don’t you approach your concerns as seriously as I approach mine? You could contact your congressman/woman to pursue improvement of health information technology.”
I’m not serious? Do you really question my seriousness just because I don’t contact my Congressperson?
Long ago I discovered that going through the accepted traditional channels to get things accomplished was impotent and frustrating. However, going after the sources of problems – such as your plans for my practice, Dr. Powell – is much more effective and fun.
“I incorporated the points you brought to my attention and moved forward, but, I’m sorry to say, you’re repeating the same things as when I first met you online.”
I’m funny that way about being stubborn, but you cannot sell me your product without satisfying those concerns. You have simply failed to do so. No sale.
Since you brought up seriousness, I want to share with you my favorite quote. It is from the master of aphorisms, philosopher Friedrich Nietzsche:
„Reife: Das heißt, den Ernst wiedergefunden den man als Kind hat, beim Spiel.“
“Maturity: That is, to rediscover the seriousness that one had as a child – at play.”
One should assume I am serious.
And now, more about the hybrid solution:
“At the same time I know a hybrid fax technology that you hint at is not sufficient for patient care and others writing to DrBicuspid have already explained to you why it won’t suffice.”
Dr. Powell, this is the second time you have immediately dismissed my idea, only this time, you claim that “others” have already told me why it won’t work. What did I miss? Why, exactly, will it not work? I don’t think you and Dr. Franklin Din truly considered it.
Remember, all we are talking about is simple exchange of information between machines. What difference does it make if one end terminates with paper? Where is the problem?
Once again, if you are waiting on interoperability, that could take decades, if it happens at all. On the other hand, I think if a simple universal format could be agreed upon – perhaps a one-page form highlighting significant medical/dental changes dentists/physicians should be made aware of – an interoperable hybrid system could be established within six months. You must agree that this solution offers a simple, super-cheap and safe way to exchange admittedly important health information.
All that is needed is a format, a collection of interested healthcare providers and someone with the connections to get this rolling. I can think of nobody better equipped to succeed than you, Dr. Powell.
Concerning the research stating that dental health histories are inaccurate, what makes you think digital health histories will be accurate if patients are overly concerned about their privacy?
But let us return to your early statement that 44,000 and 98,000 Americans die each year due to medical errors. I asked how many of those were connected to dental offices. I assume nobody knows.
Before dentists are asked to spend at least 20,000 dollars for a dangerous system that may be obsolete in three years, shouldn’t we base our decisions on evidence of need and not just guesses and unrealistic promises?
Once again, you are reaching for weak rationalizations for dentists to adopt paperless practices. I can confidently tell you that dentists recognize this immediately, which makes it a lousy, but nevertheless, entertaining sales pitch. Deaths of dental patients have never been a significant national concern until stakeholders needed it to be. Besides, where is the proof that reading information on an LCD screen is better than reading it on paper?
We sometimes have power outages from ice storms here in North Texas. Which records are easier to see with a flashlight – digital or paper?
-Darrell Kellus Pruitt; DDS
Attention HIT stakeholders in dentistry:
It’s time to give it up!
The nation is finally onto a trail left by deceptive, unresponsive business practices elsewhere in your industry. It certainly took the Washington Post and the Obama administration a long time to pick up on the bad news you and I have recognized for years, don’t you think?
As anyone can see, electronic dental record vendors and other equally unaccountable stakeholders continue to take advantage of uninformed dentists by hiding the mounting costs and dangers of their products. Their notoriously unethical sales practices could soon end if Obama has his way. Outside the EDR stakeholders’ comfortable, hidden niche in dentistry, the buzz this week is about making good ol’ boys similar to them pay attention to consumers’ concerns for once.
“Health-care sector vulnerable to hackers, researchers say” by Robert O’Harrow Jr. was published on December 25.
http://www.washingtonpost.com/investigations/health-care-sector-vulnerable-to-hackers-researchers-say/2012/12/25/72933598-3e50-11e2-ae43-cf491b837f7b_story.html
“A year-long examination of cybersecurity by The Washington Post has found that health care is among the most vulnerable industries in the country, in part because it lags behind in addressing known problems.”
Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University, tells the Washington Post, “I have never seen an industry with more gaping security holes. If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.”
I have no reason to believe that dentists’ offices are any more secure than other healthcare organizations, yet the two largest EDR vendors – Dentrix and Eaglesoft – long ago blocked this dentist from posting such concerns on their Facebooks.
“National Coordinator Looks to Vendors for Improving Patient Safety – HHS Stops Short Of Calling For Safety Regulations” by Jay Hancock was posted on December 26, yesterday.
http://www.hitechanswers.net/national-coordinator-looks-to-vendors-for-improving-patient-safety/?goback=%2Egde_3993178_member_199173323
“The Obama administration last Friday urged cooperation between software companies and caregivers to prevent patient harm caused by faulty electronic records. But it stopped short of calling for regulation or a federal requirement to report computer mistakes that pose a risk to patients.”
Dr. Farzad Mostashari, the administration’s coordinator for health information technology, said about the report: “We are saying to the vendors: Step up and prove your ability to create a code of conduct that would be enforceable, that would bind you voluntarily to reporting safety events. And what we’re saying is: If you don’t step up, we can always look at more classic regulatory approaches.”
“Classic regulatory approaches.” Here is one thing for certain: The administration’s born-again demands for better documentation of security efforts as well as higher quality will naturally increase the cost of EDR systems – which are already more expensive, as well as more dangerous than paper dental records.
For those of you stakeholders who over the years found it easier to censor this dentist’s concerns than address them, it’s sort of like I anticipated your destiny and headed you off at this narrow pass a long time ago. Now I once again politely invite you to join me in an open discussion concerning the feasibility of de-identifying dentists’ primary EDRs… or not. Your unsafe products are losing value faster than one might realize.
D. Kellus Pruitt DDS