From the HHS Office for Civil Rights website: Ask your doctor. You have the right to see and get copies of your health information - PDF. In most cases, you can get a copy the way you want it, such as by e-mail. While your doctor normally has up to 30 days to provide you a copy of your information, your doctor often can provide the information much sooner than that. If your doctor offers a web portal, you may be able to easily view and download your health information whenever you want.

As Hurricane Florence makes landfall, the HHS Office for Civil Rights (OCR) and its federal partners remain in close coordination to help ensure that emergency officials effectively address the needs of at-risk populations as part of disaster response. If you believe that a person or organization covered by the Privacy and Security Rules (a "covered entity") violated your health information privacy rights or otherwise violated the Privacy or Security Rules, you may file a complaint with OCR. For additional information about how to file a complaint, visit OCR's web page on filing complaints at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.

In the article titled, "Can Patients Make Recordings of Medical Encounters?" from the JAMA Network authors Elwyn, Barr, and Castaldo discuss some of the broader legalities of making a recording while visiting your doctor.

Making a recording that you can add to your personal health record can be a great way of maintaining documentation and accountability for your care, as well as assist you and your family in remembering instructions given to you by your care provider.

Understanding the legalities can help ensure this is a positive experience for both you and your doctor and will allow you to make recordings that are admissible in court if needed.

This newly published web guide from ONC titled, "The Guide to Getting & Using Your Health Records: The steps, tips, and tools you’ll need to get, check, and use your health record" helps to instruct consumers on how to get their health record from healthcare providers, their rights to those records, and some specific ways in which to get a hold of that information.

I woke up to a flood of news about ransomware today. By virtue of being down here in Australia, a lot happens in business hours around the world while we're sleeping but conversely, that's given me some time to collate information whilst everyone else is taking a break. The WannaCry incident is both new and scary in some ways and more of the same old stuff in others. Here's what I know and what the masses out there need to understand about this and indeed about ransomware in general.

From the HHS Ransomware Fact Sheet:

A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000 daily ransomware attacks reported in 2015).1 Ransomware exploits human and technical weaknesses to gain access to an organization’s technical infrastructure in order to deny the organization access to its own data by encrypting that data.

From the Troy Hunt article:

"The indictment also suggest that the hackers, in most cases, did not employ particularly sophisticated methods to gain initial entry into the corporate networks. The papers show that in most cases, the breach was made via SQL injection flaws -- a threat that has been thoroughly documented and understood for well over than a decade."

From the OCR website: 

We are experiencing an explosion of technology using data about the health of individuals in innovative ways to improve health outcomes. Building privacy and security protections into technology products enhances their value by providing some assurance to users that the information is safe and secure and will be used and disclosed only as approved or expected. Such protections are sometimes required by federal and state laws, including the HIPAA Privacy, Security and Breach Notification Rules.

From the Ranked Health website: 

RANKED Health is a project run by the Hacking Medicine Institute (HMi), a non-profit organization spun out of MIT’s Hacking Medicine program. This project is designed to review and rank healthcare focused applications, providing independent, unbiased and accurate information to accelerate patient and provider adoption of clinically proven and high-quality digital health solutions. In addition to identifying best-in-class healthcare applications for better health monitoring and disease management, RANKED Health also helps uncover unsafe and ineffective apps on the market.

From the Federal Trade Commission website: 

Does your mobile app collect, create, or share consumer information? Does it diagnose or treat a disease or health condition? Then this tool will help you figure out which – and it may be more than one – federal laws apply. It’s not meant to be legal advice about all of your compliance obligations, but it will give you a snapshot of a few important laws and regulations from three federal agencies.

From the OCR website:

A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.  A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. 

From the NQF website:

"In order to address the rapidly-evolving area of HIT and its intersection with quality and outcomes, NQF initiated a project to develop a set of recommendations around the measurement of HIT-related safety issues."

I get a lot of people popping up with data breaches for Have I been pwned (HIBP). There’s an interesting story in that itself actually, one I must get around to writing in the future as folks come from all sorts of different backgrounds and offer up data they’ve come across in various locations. Recently someone sent me a list of various data breaches they’d obtained.

1. Ending the Sustainable Growth Rate (SGR) formula that determines Medicare payments for services
2. Making a new framework to reward health care providers for giving better care 
3. Combining our existing quality reporting programs into one new system

I’ve just launched my latest Pluralsight course titled Ethical Hacking, Denial of Service but before I explain what’s in it, let’s kick off with some trivia: DDoS attacks have increased massively in size in recent years.

Cross site request forgery is one of those attacks which remains enormously effective yet is frequently misunderstood. I’ve been running a bunch of security workshops for web developers around the globe recently and this is one of the topics we cover that often results in blank stares when I first ask about it. It usually unfolds that the developers have multiple resources at risk of a CSRF attack and if it’s not a classic web form style resource, then it’s frequently an API somewhere (you’re passing anti-forgery tokens to any APIs you wouldn’t want fraudulently called, right?!).

From the ONC Cypress website:

Cypress is the rigorous and repeatable testing tool of Electronic Health Records (EHRs) and EHR modules in calculating Meaningful Use (MU) Stage 2 Clinical Quality Measures (CQMs). The Cypress tool is open source and freely available for use or adoption by the health IT community including EHR vendors and testing labs. Cypress serves as the official testing tool for the 2014 EHR Certification program supported by the Office of the National Coordinator for Health IT (ONC).

From the HealthIT.gov website: 

"All referenced national level measures are provided for the most recent period of data in the 'all U.S.' report. All referenced state level measures are provided for the most recent period of data, in addition to at most two years of preceding trend data. State level measures are visualized side-by-side with national level measures for state-specific reports. All of the data is fully accessible, with full data documentation, through the Dashboard."

From the article in For the Record: 

"Lack of sufficient vendor support. Workflow inefficiencies. Changing needs.

The motivations may vary, but more health care organizations seem to be coming to the same conclusion: It’s time for a new EHR. We’re not talking your typical paper-to-electronic transformation either. This is a one-EHR-to-a-hopefully-better-EHR transition.

It’s not as uncommon as one may think. In fact, based on results from a recent survey of 17,000 EHR users in which almost one-quarter of respondents cited enough dissatisfaction with their current system to consider switching to a new EHR vendor, Black Book Rankings is calling 2013 “The Year of the Great EHR Switch.”

What are the contributing factors to EHR disenchantment and, more importantly, what considerations should health care organizations take into account before making such a mammoth decision?"

From the ECRI Institute website:

"The Partnership for Health IT Patient Safety has established workgroups for in-depth study of health IT events. The issue of copying and pasting health information (e.g., orders, notes, labels) was chosen for the first workgroup. Copy and paste is widespread, often underreported, and has the potential to cause adverse patient safety events.
Four safe practice recommendations were agreed upon and endorsed by the multidisciplinary group of stakeholders:
Recommendation A: Provide a mechanism to make copy and paste material easily identifiable.
Recommendation B: Ensure that the provenance of copy and paste material is readily available.
Recommendation C: Ensure adequate staff training and education regarding the appropriate and safe use of copy and paste.
Recommendation D: Ensure that copy and paste practices are regularly monitored, measured, and assessed.
Additional information about safe practice recommendations and implementation strategies are available for dissemination to the healthcare community through the distribution of a free publicly-available toolkit."

This was not what I was expecting earlier this week:

I am delighted to welcome you to the Microsoft Regional Director program!

More specifically, the nomination I received some weeks back was not what I expected and this week’s message was what I’d dared not get my hopes up too much about.

A bit of context first – I’m not going to work for Microsoft and despite the title of “Microsoft Regional Director”, I’m no more an employee than what I was (and still am) an MVP. The MVP title remains and what the Regional Director status does is turns that up to 11. Here’s what they told me in the email:

The competition for admission to this program was intense. Your selection is a tribute to your deep technical and business knowledge, your community leadership, and your ability to connect with Microsoft customers, partners, prospects, and product group professionals.

There’s a good little piece on what the Microsoft Regional Director Program is plus a list of the folks that I join on the program which will include many familiar names if you travel in Microsoft circles. I’ll join them representing the Asia Pacific region and I expect it will give me better access to the right people in Microsoft (although in fairness, I’ve never felt this has been a challenge in the past) as well as obviously carrying kudos which helps when talking to the various organisations I work with.

As with the MVP program, independence is still key and also as with the MVP program, I suspect I’ll continue to face a barrage of “well you have to say that, because Microsoft” responses from time to time. I’ll continue to get my phone and tablet Apple, my browser from Google and my laptops from Lenovo, but I’ll also continue to love working in Visual Studio with ASP.NET and publishing it up to Azure. That’s what independence looks like.

I’m really grateful to have this recognition, particularly because it’s comes as a result of just doing what I genuinely love. I’m really enjoying creating Pluralsight courses, travelling the world to speak and spend time with organisations in workshops and seeing Have I been pwned continue to grow in unexpected ways, all of which give me an opportunity to showcase many wonderful technologies, including those from Microsoft. All of that only works because I have an audience though so a big thanks to everyone who’s helped me along the way by consuming the things I create and enabling me to have these opportunities.

From the SNOMED website: SNOMED CT (Systematized Nomenclature of Medicine--Clinical Terms) is a comprehensive clinical terminology, originally created by the College of American Pathologists (CAP) and, as of April 2007, owned, maintained, and distributed by the International Health Terminology Standards Development Organisation (IHTSDO), a not-for-profit association in Denmark. The CAP continues to support SNOMED CT operations under contract to the IHTSDO and provides SNOMED-related products and services as a licensee of the terminology.

From the original article introduction: Healthcare is in the midst of a profound business model change. And we are all aware that the old model of “fee-for-service” medicine is over, and a new model is quickly emerging. On December 12, 2013, the Dartmouth Institute for Health Policy and Clinical Practice published the first real evidence that the management of the patient across the continuum of care can bend the cost curve of our ever- aging population. The new shared savings model that has developed is designed to deliver seamless, high-quality care for patients, replacing the fragmented care that we see in the fee-for-service payment system. In the fee-for-service model, different providers receive different, disconnected payments. But the new model is designed to maintain a patient-centered focus by developing processes to promote evidence-based medicine, patient engagement, and report on quality. To deliver on that promise, health systems need greatly enhanced data aggregation tools; however, it is difficult to evaluate these tools, and many do not understand how the system needs translate into data requirements. This article is designed to present some of those issues in context.

The Health Insurance Portability and Accountability Act (HIPAA) Rules provide federal protections for patient health information held by Covered Entities (CEs) and Business Associates (BAs) and give patients an array of rights with respect to that information. Regulations includes the Privacy Rule, which protects the privacy of individually identifiable health information; the Security Rule, which sets national standards for the security of electronic Protected Health Information (ePHI); and the Breach Notification Rule, which requires CEs and BAs to provide notification following a breach of unsecured Protected Health Information (PHI). CEs must comply with the HIPAA Privacy,10 Security,11 and Breach Notification12 Rules. BAs must comply with the HIPAA Security Rule and Breach Notification Rule as well as certain provisions of the HIPAA Privacy Rule.

From the HRSA website: "Effective use of EHRs is a must for everyone in the safety net community. The main goal of EHRs is improving the quality and safety of patient care. Having one accurate, up-to-date record that includes all of a patient's health information makes it easier for providers and patients to make better decisions."

From the HRSA YouTube Channel:

This webinar focuses on open source Electronic Health Records (EHR) for the safety net community. Open Source EHRs are systems that are either free or very low cost to implement. The presenters will provide an overview of the types of open source systems, the benefits and challenges of using open source EHRs, and how these systems can be used effectively to meet the Meaningful Use requirements and provide high quality care to meet population health needs. In addition, one speaker will present on how his rural federally qualified health center selected the use of RPMS (a free EHR system which was developed by Indian Health Service) to support its clinical services. A second presenter will talk about his health center's selection of Worldvista (Based on the Veterans Administration EHR System) and how it supports UDS reporting requirements. 

The presenters include: Jason Goldwater, M.A., M.P.A., Health IT Program Manager, NORC; Matthew King, M.D., VistAdoc,LLC and former Chief Medical Officer of Clinica Adelanta; Sarah Chouinard, M.D., Clinical Lead
Community Health Network of West Virginia