Thursday, July 30, 2009

Musings on the gradual development of a highly lelthal strain and simultaneous emergence in multiple locations.

This is related to my observations below about more countries seeming to be listing their first deaths. It is taken from a discussion on flutrackers.com in a member's area so I can't link into it. I'll edit it a little bit to remove references to the discussion it was part of.

One thing I am noticing, qualitatively, not quantitatively, is that deaths worldwide seem to be on the increase. Now there's certainly many reasons why this might be, and a large part of it could simply be due to an increase in the number cases, more cases will necessarily be more deaths. But is that all there is to it? Has much of the rest of the world reached whatever "critical point" in number of infections is necessary to start seeing an increase in the number of deaths? Or is there something else going on?

Apparently the CDC still thinks there is no change in the virus versus the vaccine consensus, but as we have now seen, as long ago as a month an apparently poorly understood but potentially very important change was discovered in Brazil. If this change was fit then we have no way of knowing how far it spread since then, and apparently we are not seeing sequences released in a timely manner anywhere, hence we really don't know what we are looking at now.

The lethal second wave struck three ports on the Atlantic Coast of three continents on or about August 22nd (Boston, MA, Brest, France, and Freetown, Sierra Leone). Shipping traffic can't have delivered the lethal strain to them all simultaneously, there is a fair chance that whatever ship(s) involved would have had a significant portion of their crew killed if they carried the lethal strain. But here is a different view.

Twentieth century pandemics (and possibly the Russian Flu of 1889) had a mild first wave that saw the virus get seeded around the world. In the case of 1918, the much more lethal second wave seems to have hit multiple places at roughly the same time. Perhaps this is what happened. As it spread around the world, the 1918 pandemic virus would have encountered other flu viruses and had chances to acquire various traits. As troops and war materiel moved around the world, these different strains would have spread back to other places, meeting up with different strains of the pandemic virus, or still other flu viruses, picking up additional traits. One of these, still not terribly lethal, but almost there, then got spread to these port cities. Three different ships from a single source could have done it, and perhaps it could have been South America, that being one location where the travel time would have been close to equal for all three destinations. With perhaps only one or two relatively small changes left, normal evolutionary pressures could have produced the more lethal strain simultaneously in different locations, and the new strain was much more fit, allowing it to spread.

So is Brazil pointing us that way? Perhaps they are the source of the new infections in Southern Mexico and Central America. Perhaps the "Sao Paulo strain" isn't the "final" more lethal version, but it could be one more step on the way thee. But with airline travel, the final version could easily crop up in multiple locations at the same time. We are looking for an immediate source, to areas where H5N1 is widespread, for instance. But whatever offspring H1N1 and H5N1 might produce will, perhaps, not be distinguishable from the current pandemic strain until a few more key changes crop up, and then it may already be worldwide.

The above was purely speculation, and I may be totally off-base.

Wednesday, July 1, 2009

HIPAA And disclosure of underlying conditions

I recently posted this on flutrackers.com:

Most announcements of deaths in the US have been light on discussion of what constitutes an "underlying condition." Generally, privacy laws are cited. In the US this is predominantly HIPAA (Health Insurance Portability and Accountability Act of 1996). But what exactly does HIPAA protect and it is really being used to hide some unsavoury facts. I am citing Wikipedia in this discussion, but what I see in the cited article more or less matches my understanding as a hospital employee in a non-direct patient care area; I am trained in this yearly for regulatory reasons. Other who work in health care can hopefully add to this discussion. First, HIPAA itself:

http://en.wikipedia.org/wiki/Hipaa

Quote:
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. According to the Centers for Medicare and Medicaid Services (CMS) website, Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. It helps people keep their information private.
The Administration Simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.
Quote:
Privacy Rule
The Privacy Rule took effect on April 14, 2003, with a one-year extension for certain "small plans". The HIPAA Privacy Rule regulates the use and disclosure of certain information held by "covered entities" (generally, health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions.) It establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual.[10] This is interpreted rather broadly and includes any part of an individual's medical record or payment history.
Covered entities must disclose PHI to the individual within 30 days upon request.[11] They also must disclose PHI when required to do so by law, such as reporting suspected child abuse to state child welfare agencies.[12]
A covered entity may disclose PHI to facilitate treatment, payment, or health care operations,[13] or if the covered entity has obtained authorization from the individual.[14] However, when a covered entity discloses any PHI, it must make a reasonable effort to disclose only the minimum necessary information required to achieve its purpose.[15]
The Privacy Rule gives individuals the right to request that a covered entity correct any inaccurate PHI.[16] It also requires covered entities to take reasonable steps to ensure the confidentiality of communications with individuals.[17] For example, an individual can ask to be called at his or her work number, instead of home or cell phone number.
The Privacy Rule requires covered entities to notify individuals of uses of their PHI. Covered entities must also keep track of disclosures of PHI and document privacy policies and procedures.[18] They must appoint a Privacy Official and a contact person[19] responsible for receiving complaints and train all members of their workforce in procedures regarding PHI.[20]
An individual who believes that the Privacy Rule is not being upheld can file a complaint with the Department of Health and Human Services Office for Civil Rights (OCR).[21][22] However, according to the Wall Street Journal, the OCR has a long backlog and ignores most complaints. "Complaints of privacy violations have been piling up at the Department of Health and Human Services. Between April 2003 and Nov. 30, the agency fielded 23,896 complaints related to medical-privacy rules, but it has not yet taken any enforcement actions against hospitals, doctors, insurers or anyone else for rule violations. A spokesman for the agency says it has closed three-quarters of the complaints, typically because it found no violation or after it provided informal guidance to the parties involved."[23]
Now, there is a segment in there that describes protection of PHI (Protected Health Information). This would be the key part we are concerned with here. Using broad strokes, PHI is any of the data necessary to tie information back to an individual, either medical record information (such as name, dates of treatment) or payment history.

An expansion of PHI:

http://en.wikipedia.org/wiki/Protected_health_information

Quote:
Protected health information (PHI), under the US Health Insurance Portability and Accountability Act (HIPAA), is any information about health status, provision of health care, or payment for health care that can be linked to an individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history.
List of 18 Identifiers according to HIPAA 1996:
1. Names;
2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4. Phone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social Security numbers(SSN);
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger, retinal and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
Here is where it gets interesting. Note number 2 in the list. If HIPAA is what is really being used to "protect" the data then all announcements we have are in violation of it since we have more information than state or the other narrow exceptions listed. For all of these deaths we have city and/or county, both of which are protected.

Furthermore, statistical information is reported to, for instance, the CDC and they publish it publicly, and this includes various "underlying conditions." Statistical information is not, apparently, protected, and that is really what we are after here. Some statistical information is available, but parts are being withheld, and I am having an increasingly difficult time reconciling that to the (real) need to protect privacy. There are so many cases where information that really is protected has been released (patient names and/or hospitals), so the decision not to release relevant information is extremely puzzling.