This transcription is provided by artificial intelligence. We believe in technology but understand that even the most intelligent robots can sometimes get speech recognition wrong.

 Welcome to this Weekend in Health IT News, where we look at as many stories as we can in 20 minutes or less that's going to impact health it. My name is Bill Russell Healthcare, CIO, coach and creator of this Week in Health. It a set of podcasts and videos dedicated to developing the next generation of health leaders.

We have a bunch of stories. There's one really big one, which we're gonna dive deep into, and then there's, uh, , not so small, uh, white. Uh, so we're gonna look at Project Nightingale and the Ascension Google Arrangement. Uh, white House rolls out. Sweeping transparency rules. Big story as well. Uh, I look at Amazon Care as a model.

And if, gosh, if we can get to it, we'll take a look at another prediction story from healthcare execs. And, uh, Nike has a new pair of shoes for healthcare workers, which I think is, uh, fascinating. Uh, it'll be interesting, interesting to see if they get some big name doctor and put like a, you know, a doctor performing surgery, uh, embroidered on the side.

Uh, we'll have to see, uh, you know, who they get. As the sponsor for the Nike shoes, uh, we wanna thank our founding channel sponsors who make this content possible Health Ericsson VMware. If you wanna be a part our of our mission to develop health leaders, go to this week, health.com/sponsor for more information.

I. This episode is sponsored by Health Lyrics. Uh, when I became A-C-I-O-I was really overwhelmed at first, and one of the things I did is, is went out and hired ACIO coach, uh, to walk with me through the process. Uh, it was invaluable to my success in the role, and I now coach CIOs through Health lyrics. If you wanna learn more, visit health lyrics.com or drop me a note at Bill at this week in health it.com.

Don't forget. Uh, every day this month we are dropping a show. Uh, look back, look forward episode series with healthcare CIOs that we interviewed at the CHIME conference. We asked, uh, these CIOs, the eight same questions, they all answer them. So you get a wide range of the perspective of different healthcare organizations.

So. Check back every day for those. Uh, I. And I also wanted to make you aware of a, uh, great news service that's out there from a friend of the show, uh, directs to Ford. Launched three X Directs, uh, which will text you the top three stories from a healthcare CIO perspective three times a week. Uh, I just signed up and I'm, uh, I'm already using it for some of my research for the show.

Uh, just text, uh, Drex, DREX to 4 8 4 8 4 8. Uh, and by the way, this is not a paid advertisement or a quid pro quo, as has now become part of the vernacular. Uh, I just think it's the great service, uh, to the industry. Uh, okay, so now onto the News Project Nightingale Big deal. Uh, I'm gonna be hitting two, uh, two sources, healthcare IT News and Healthcare Innovation Group.

Um, story when we get to the, uh, HIPAA parts, I'm probably gonna stop, uh, intermittently on this because there's, uh, so much to digest. So, project Nightingale seems to square with hipaa, but next steps matter. Yes, they do. Uh, while Google, Google apparently signed a business associate agreement with Ascension, and the scope of the data sharing appears to be in line with the HIPAA allowances.

There's still many questions as to how patient information is being put to use. Okay, so here's what . Here's what I think transpired. I am not, uh, in the know, in any way, shape or form. So don't take this as gospel, but you have ascension. Ascension is a, a wide ranging health system. A lot of different markets, a lot of different EMRs and uh, you know, the CIO and the leadership team sit around and go, Hey, we need to bring all this data together.

We need to bring, bring this data together for, um, to do, uh, quality measures, to do, uh, you know, uh, accounting measures. I mean, you, you name it, uh, measures. It's very hard to do measures when you have a lot of disparate data and a lot of disparate. Systems. So what a lot of health systems do is they go out and they go, Hey, we're gonna do a single EMR across all these things.

Well, when you're talking a hundred some odd locations, like Ascension is, you're talking billions, not 8 billion, multiple billions of dollars in multiple years. You know, potentially seven years to get this done from one end of ascension to the other. And so as they look at it and say, $3 billion. To, uh, consolidate all of our stuff and get onto a single operating platform so that we can do this.

Uh, is there another way, I think is the common question that someone would ask. You want me to spend $3 billion? Are there any alternatives? So somebody said, Hey, there's a really good data company, probably one of the best data companies on the planet. Maybe they have some answers for us. Maybe they have some solutions.

Maybe they have some ways that they can normalize this data and move this data into a reporting format so that without doing a massive EMR . Upgrade across all of our health systems. We're gonna be able to create these operational dashboards and predictive models. And not only that, we're gonna be able to tap into some really cool, uh, AI models and machine learning.

Again, I don't know anything specifically, but as a former CIOI could easily see that conversation happening. So that conversation happens and somebody goes, let's go talk to Google. And they do. Uh, is my guess as to what happened. So here's what we have. Um, you sit down with Google, you start doing the deal, and they sign a business associate's agreement.

Now, so part of the challenge becomes people don't understand what a business associate agreement does and doesn't do, and they, they also don't understand how many business associate agreements are in place and how much this data is being used. So as you listen to this story. Uh, we're gonna jump over in a minute to what HIPAA actually is and what the Business Associates Agreement actually, uh, covers, uh, in, in, in a minute.

But also, think about this, you have business associate agreements with all sorts of companies that have access to that data. You could have it with call center companies, you could have it with billing companies, you can have it with collection companies, you can have it with quality companies, you can have it with i I the list

It's so long, I, I can't even keep going. It's, uh, there's a significant number of companies that have partnered with health systems to provide value on top of that data, and it's covered by a business associate agreement. Okay. Um, so the health data sharing collaboration between Google and Session has raised some big concerns nationwide, starting with some employees at Ascension about what the initiative could mean for patient privacy.

So I, you know, I find it also interesting, um, you know, there's a process for. Escalating this, uh, for the employees, if they see this concern, they could, uh, raise it within the IT department. Hey, we see and they say there's a concern with a specific tool, and we'll get to that in a minute. But, hey, there's a problem with this tool, and the IT department can look at it and if the it, if they don't like the IT department's response, you can escalate it to compliance.

And then there's an anonymous hotline that you can also go to. So there's, there's multiple levels within the healthcare organization to go to, but . S and actually, and then you can go to the federal government. And there's, uh, compliance outlines there. Uh, but they like jumped from here to the Wall Street Journal.

I, it's, it's a significant jump, uh, to make. It was almost like, um, you know, we know best and we wanna make sure that everyone in the country knows about this. Now the good thing that's coming, uh, about as with any whistleblower kind kind of thing, is we're gonna have a great . Conversation and discussion around hipaa, around, um, business associate agreements around, uh, data privacy and sharing and around who should really control, uh, the movement of that data.

So, um, . . Another thing I want to get into, there's so many misconceptions on this. Another thing I want to get into is legally the medical record is not owned by the patient, except in the state of Vermont. There's only one state in our country where the medical record is owned, keyword owned by the patient.

The medical record is owned by whoever creates the medical record. . And the reason for that makes perfect sense when you think about it. Um, if my hospital system makes the record, we own the record. Because if you change that, which is very possible, that it might change, you end up with a challenge. And the challenge is there are records made about me in just about every other industry.

Right. So if I buy a book from Amazon, they have a record, now is that record mine? Do I own that record? And if I go and, you know, fill in the blank, there are records of, uh, about me, uh, all over the place. Do I own all those records and do I get to aggregate all those records? A good conversation to have.

And we will, uh, we'll bridge that a little bit at the end of the show. So, uh, let's see. The, so-called Project Night Nightingale. It's, uh, I'm sorry, I'm gonna go back to this one more time. So the record is not owned by the patient. Access to the record is, uh, is legally mandated by the rules, or le it's legally mandated so I can have access to my medical record if I go to my health system and I request it now.

What's interesting there is, there was another story, I I, I'm not sure I covered it on the show where, um, close to 50% of health systems are still struggling to meet the, the federal requirement for providing the medical record to the person in the allotted amount of time. So I. Uh, significant problem that still needs to be overcome.

Alright, back to the story. The So-called Project Nightingale overall does appear to meet HIPAA compliance standard based on Google and Ascension's own statement of what has been reported so far by the Wall Street Journal and others. Uh, C NM BC reported that while Ascension and Google did sign a business associate agreement that was required by hipaa, some Ascension employees were concerned.

Okay, so we're gonna come back to that. The other concern, I wanna go over to HIPAA real quick. And again, we're, we're just trying to educate people on this spec specific topic 'cause there's a lot of confusion. So, um, why was HIPAA probably not violated? This is straight from the Healthcare Innovation Group.

Uh, story. The answer lies in understanding, at least in some degree, the scope of parental uses under hipaa. It is true that two or more commonly discussed components of HIPAA are the privacy rule and security rule in the context of use and disclosure. The privacy rule is the applicable rule in governing the use and disclosure of protected health information.

HIPAA allows covered entities to use and disclose protective health information without consent or notice for treatment payment. . In healthcare operations purposes, the use and disclosures include providing protected health information to business associates to assist with permissible categories. Would you like to hear the permissible care categories?

Sure. I. Here we go. Number one, conducting quality assessment and an improvement activities including outcome evaluation and development of clinical guidelines. And it goes on and on. It's a long paragraph. Number two, reviewing the competence of qualifications of healthcare professionals evaluating practitioner and provider performance, health plan performance, so forth and so on.

Again, long paragraph number three, exhibited as. Uh, ex except as prohibited under some long, uh, guideline. 1 64 0.502 a five subsection I, underwriting enrollment, premium rating, and other activities related to the creation, renewal and replacement of contract of health insurance or health benefits and seeding, securing.

And. Like you get the idea, you can do a whole bunch of stuff around, um, insurance capabilities. Number four, conducting and arranging for medical review, legal services and auditing functions. Number five, business planning and development such as conducting cost management and planning related analysis related to and managing the operating entity.

Uh, and it goes on number six, business management and general administrative activities and entity including, but not limited to hear how broad this is. Business management and general administrative activities of entity, including but not limited to. Which means there's no way that they sign an agreement that is not covered under hipaa, by the way.

So, uh, number one, management activities relating to the implementation and or compliance with requirements of this subchapter. So this is a subsection under number six, business management and general administrative activities. One was management activities relating to the implementation of compliance and requirements.

Um, of this sub, uh, subsection two, customer service, subsection three, resolution of internal grievances. Number four, the sale, uh, transfer, merger and consolidation all are part of the covered entity. And number five, consistent and applicable requirements. Uh, creating de-identified health information or limited data set and fundraising, so forth and so on.

Uh, so as this demonstrates, it's a very . Broad reading. Um, and hopefully with the escalation of this we will revisit it and we'll take a look at it. So, uh, let me go continue to go on here 'cause we've already used a bunch of the time. So Ray to know. Uh, principal Data Analyst at Technology Consultants SPR explains development tools such as Google Data Studio can be problematic for HIPAA compliance 'cause it doesn't have logging of data changes, access controls, data viewing, and screen locks.

That could be true in my use of, uh, Google Data Studio. I, I don't recall those things being in place, but they could be in place. I'm not entirely sure. Uh, if nothing else as a result of this Google within the next three months will put those things in place. Um. How and which is good. Uh, it's good that we're having this conversation.

It's good that they're going to be required to put that in place. However, tactical HIPAA compliance is a bit of a red herring. He said it is the spirit of hipaa that should be in question. Uh, is data acquired and used for specifically providing value to the patients? Um, yeah. I mean, sure. By the way, I, again, I'm gonna totally agree with this at the end of the show, so I'm not gonna be a hypocrite here and, and poke holes in this, but that's, that's how they're adhering to the law as it is written.

So we can talk about the spirit of the law all we want, but, um, it doesn't seem to be relevant at this point. Uh, but it should be relevant. And then we have some other people talking about, um, . Uh, the back and forth between actually how Google and Ascension handled the, uh, notification of people around. Uh, this project doesn't seem that anyone knew what was going on.

Uh, I'm gonna go down here. There's a good one from a lawyer. So, see, uh, so similar point was raised by healthcare attorney and the point that's being raised is that . Uh, BAAs happen all the time, but this one's between Google, which is, makes it a big deal because Google is in the data business. Similar point was raised by healthcare attorney Matthew Fisher, partner of Westboro.

Uh. Huge law firm in Massachusetts who echoed, uh, McGraw's assessment That Project Nightingale is not fundamentally that different from all sorts of interactions that occur between healthcare organizations such as Ascension and vendors such as Google on a daily basis, as long as Google fulfills its privacy and security obligations under hipaa.

With regard to the protected health information provided by Ascension, there's no HIPAA issue to, um, on the face of things said Fisher. A big unknown, and this is a huge unknown, um, about the relationship though, is whether Google will be permitted to de-identify the ascension patient information. And, uh, this is a problem for two reasons.

One, the, uh, Google can then use that data in all sorts of different areas that they're pursuing within healthcare to fine tune search results. And which will, uh, increase their value to health systems in order to get positioned well in order to grab some of the dollars. As you know, most health, um, encounters begin with a search of Google.

I. I have this condition and Google is now working very hard on its search results to, uh, position, um, you know, the right information for me. When I say strep throat or I have a sore throat, it positions the right, uh, data as well as recommendations and the ability to do advertisement, which, which is their core business.

So if they can de-identify this information, they can get much more specific potentially, and know that it is Bill Russell who is searching. . Bill lives in California, bill, fill in the blank. And that, um, that ad could be very specific to me. So, uh, even to the extent of knowing my insurance so that they can, uh, I mean these, some of these things are actually huge convenience things.

I mean, I search, it says, well, I know this is Bill Russell, Billy, have a sore throat bill. Here's the three doctors you can see that are covered under your plan. Fill in the blank. Um, with that being said, it's still a huge violation of my privacy, and we're gonna get to that in a minute. . Uh, the other thing is, uh, an argument can be made and it is being made.

Um, Google's doing work of the University of Chicago and a plaintiff is making the argument that no data is de identifiable in the hands of Google because of their data prowess. And there's a certain case to be made that that is true. Um, then they go on to talk about, um. Let's see. We have to remember that the average person is not a security expert and can easily be overwhelmed by technical jargon from suppliers professing how secure and trustworthy they are.

He said. Um, so, you know, Google is saying they're trustworthy. Google is saying they're going to, they, uh, protect the data and all those other things. So let me, so here's, here's my, so what. Um, the move by Ascension was, was a good move. It is innovative. It is forward thinking. It is, um, not accepting the status quo.

It is looking for a way to not increase their debt load by $3 billion, which ends up getting passed on to patients and increases the cost of healthcare. Uh, it is a way of, uh, providing a new set of services that aren't available today. Uh, I'm not arguing that this . Uh, move in innovation was a bad move in any way, shape or form.

I think it was a good move and a strong move. Um, I think what was missing was one step and that was, uh, at what point do you engage the user community, not that you're required to, uh, but is there an ethical obligation to tell people, Hey, we're giving your data to, um. To, to Google and beyond an ethical, is there a new, um, is there a new playing field that we operate on where it's important to notify the users so that we don't take this kind of PR black eye and slow the project down by a couple of months while we're trying to fend off all the things that are gonna be coming at us?

Was there like an open comment period that could have been used? Um. . So that's one thing. And then I, I would be remiss if I didn't bring up one of my favorite topics, which is, um, I believe that we need patient bill of rights or whatever around the data, specifically around the data that the medical, that I, let's assume, I'm gonna say, that healthcare system can, can continue to operate exactly how they operate.

I don't care. I do care, but let's assume I don't care for this case, I want to have every data element that the health system has on me delivered to me electronically and in, in some sort of format that can be parsed and that can be fire, it can be, well, it could be XML, can be, um, I don't know. It could, could be any number of formats and we can determine what the format is.

And I get the data and then I can determine what I can do with the data. Because I believe that if you gave blue button 2.0 kind of que kind of thing, you give every patient their medical data that there will be a data ecosystem that emerges and then it's my choice to give the data to, to Google or not give the data to Google.

And you know what? I may choose to give it to Amazon or Google or Microsoft or fill in the blank if it adds value to my life. If, if it, if it lowers my cost of care, if it think of it, I mean, it's the triple aim. If it lowers my cost of care, if it, uh, improves the, uh, clinician experience in my experience in that setting.

It's a quadruple aim actually. Um, . If it, uh, increases out, it improves outcomes in any way, shape or form. If it can help me to identify the doctor that I should see that has a, a higher propensity for successful operations and those kind of things. Um, anyway, uh, you get the, get the picture. I want all my data.

And I almost don't care how bad it is, uh, because I think that there's companies out there that can make sense of it. And once they make sense of it, they can create value for me as the patient. We are 20 minutes in. I am gonna cover, uh, you're gonna gimme another five minutes. I'm gonna cover these things real quick.

White, white House, uh, rolls out. Sweeping transparency rules for hospital insurers, Trump administration on Friday and now sweeping new rules. Uh, the first set of rules is, let's see, insurers. Would, uh, have to tell patients in real time through online tool what they'll owe out of pocket for all covered healthcare services.

The requirement could also make it easier for people to compare costs. By the way, this is a Politico article. Um, I. The story, uh, continues. So under a separate policy, the administration finalized Friday, hospitals would have to disclose currently confidential rates they've negotiated with insurers and other cost information, like what hospitals are willing to accept in cash from a patient.

It's, uh, I don't, I don't know if that's why he's doing it or is, is, is not why he's doing it. What we're gonna take a look at is the rule itself. So the rule itself requires, um, uh, insurance companies to give information on what is going to be owed. Earlier in the process, they already do this. I think actually she talks about it.

Our goal, uh, will be to give patients the knowledge of what they need about the real price of healthcare services. They'll be able to check them, compare them, and go to different locations. Uh, this is Secretary Azar. Uh, he also said the new measures, uh, may be more significant change to American healthcare markets than any other single thing that we've done, but just hours after the announcement, uh, four large groups, including the American Hospital Association, um, said that they have a legal right and they're gonna

Try to file a lawsuit to block the rules, um, and they go on to talk about why it may or may not go. CMS Administrator. Verma said the health information insurers must disclose is already available to patients in their explanation of benefit statements, but patients would now be able to access that information uh, sooner.

We're just requiring that it be available before care and not after said Verma. Hospitals will have to post the information online for 300 common services such as x-rays, and lab tests in an easy, understandable format. CMS will specify 70 of these services and hospitals can choose. The rest. Hospitals that don't comply could face fines of up to $300 a day, $300 a day , that doesn't seem like much of a fine anyway.

Um, . This is gonna be a political hot potato, as you can imagine. And there's gonna be opposition to this. Transparency in markets is required. Well, transparency in markets is required. Anyone who has economics, economics 1 0 1, that, um, you know, the more . Uh, access to information you have, uh, creates a better, more, well, more well-functioning market and hospitals and healthcare is not a well-functioning market, and we do not have transparency in that market.

So the administration is trying to make it. You heard that when we interviewed Don Rucker? About this, that, um, they truly believe that they can, um, tweak this enough to make healthcare a truly functioning market. And then on the other side, you have people essentially saying it'll never happen, therefore the government should take it all over.

Or some facsimile thereof with, uh, Medicare for All, with Medicare Advantage for some, I guess is the, uh, model that's being proposed out there. Uh, all right. Nike shoes, or Now let's hit the, let's hit the Amazon story. Should we hit the Amazon story? So, um, Amazon Care, an employee perspective. So Amazon Care, this is from, uh, CNBC.

And I, I think it's interesting, I just wanted to cover it 'cause I just think it's interesting. So, uh, it's exactly what you think it is. They, they download an app, they get a bunch of disclosures, they let 'em know, Hey, you're using a medical group. You're not being, this is not, um, . Uh, you know, there's, there's a medical group that's using it and has disclosure statements and those kind of things, uh, and then it starts to guide them through the pro process.

So, um, according to the screenshots, . , uh, Amazon employees trying, trying the service out. Get a welcome kit, uh, mobile phone holder, and a digital thermometer if those are interesting. From there, they're asked whether they could, would prefer a free chat via nurse via messenger care chat, or a video chat video care with a medical provider.

An employee might share that they're feeling unwell, and the provider would follow up within minutes and ask for a set of questions to figure out. . Whether the patient needs to be seen in person. If so, a practitioner will then be dispatched and a map in the app shows their location, an estimated time of arri arrival.

Amazon employees can also set up a profile with their payment methods, care history, uh, and their dependents. So far, the company has received dozens of positive ratings and reviews, implying the employees are happy with the quality of the care. Um, despite its focus on employees, Amazon care is viewed by analysts and other health experts as a threat to establish telemedicine companies.

That offers similar services to consumers. Many of these companies have struggled to market themselves and stand out in a hotly competitive space. If Amazon Care succeeds among employees, the company could someday sell it to millions of people who already rely on Amazon for their groceries, entertainment, and more.

Wow. That's a stretch. I mean, I'd love to see that, but that's, that's a stretch to scale that, that's, uh, a little ways away. Um, . But I think what's what's more likely to happen is you're gonna see this, um, end up in the, uh, in the, uh, Amazon, uh, Berkshire, JP Morgan, uh, model, uh, the Haven model. And then you're gonna see it marketed to other large employers, and that is a very real possibility.

Uh, but I just wanted to give you an idea of what that model looks like. It's a, uh, it's a really, well, sounds like a really well designed digital, uh, experience model. And then finally, uh, just 'cause I have to talk about it, uh, Nike has new shoes specifically for healthcare workers. And, uh, where is this from?

Uh, Fox Business. So this showed up in my feed and, um, my healthcare feed. Nike has made a new shoe design specifically for healthcare workers who spend upwards of 11 hours per day on their feet. The air zoom, pulse, pulse, interesting air zoom. Pulse is fashioned in black and white souls and Nike logo and, and.

Beded in the blue five point pointed. Anyway, you get the idea. It's a really cool, um. Six upcoming design variations featuring everything from L-G-B-T-Q Pride Rainbow to cartoon sketches of medical instruments, uh, are set to go on sale next month. So interesting that they're coming out with shoes designed specifically for healthcare workers.

And I, you know, this shoe brought to you by. I don't know, Dr. Topel. I don't know. . We'll see. We'll see what direction they go in. I think it's, uh, I think it's fascinating and interesting, uh, a lot of news to cover. Um, love your feedback. Did I hit the mark? Did I miss the mark? Uh, I definitely went a little longer than I would like.

Um, just shoot your notes to Bill at this weekend, health it.com. I would love to, uh, get your feedback. Uh, remember, check back every, uh, check back off, and we're dropping an episode every day this month. Um. Please come back every Friday for more, uh, interviews. Following that in December, we will start back with our Friday, uh, interviews.

Uh, and if you wanna support the fastest growing show, um, share it with a peer. Sign up for our insights and staff meetings on our, uh, homepage. Uh, interact with our social media content on Twitter and LinkedIn. Uh, post or repost that content. And again, send me feedback. I, the feedback is so helpful. I can't even begin to tell you.

I love getting the emails. I will respond to each one. Bill it this week in health it.com. Uh, the show is production of this Week in Health It. For more great content, check out the website this week, health.com or the YouTube channels. Special thanks again to our sponsors, VMware and health lyrics for choosing to invest in developing the next generation of health leaders.

Thanks for listening. That's all for now.