Reported PHI Breaches

April 15th, 2013

The Department of Health and Human Services (“HHS”) maintains an online list of covered entities and business associates that have experienced PHI breaches where more than 500 individual patient records were involved.  As of the writing of this post, a total of 572 reported breaches are listed on this website.  What can we learn from this information?

First, the dataset covers breaches reported from September, 2009 through February, 2013.  A total of more than 21 million patient records are listed on this report (though it is likely there is some duplication of patient records between data breaches reported here).  These incidents total less than the single data loss reported by the Department of Veterans Affairs in 2006 when a single laptop was stolen from an employee’s home that contained in excess of 26 million records.  Nonetheless, a significant amount of PHI has been lost or stolen and reported to HHS over the last three and a half years.

Second, the most common scenarios for PHI breaches are tape backups that are lost, followed by theft.  Almost 6 million patient records were affected by this kind of data loss.  The theft or loss of a laptop came in fourth, affecting about 2.3 million patient records.  Theft generally accounted for more than one third of all records compromised, followed next by loss (which probably includes scenarios like we accidentally put the backup tapes in the dumpster, or the tape fell out of my bag between the office and my car), also accounting for about one third of all records compromised.  Hacking appears down the list, affecting a total of 1.3 million patient records.

Third, a little more than half of data breaches appear to involve a business associate of a covered entity in terms of patient records breached.  However, only 92 of the 572 data breaches note a business associate’s involvement, which tends to suggest that when a business associate is involved, more records on average are affected by the data breach.  This is consistent with the expectation that technology vendors like those that implement and/or host electronic health records often do so for more clients and are a bigger target for data theft or hacking and computer viruses.

With the change in breach notification in the final HIPAA regulations recently issued by HHS, it will be interesting to see if there are more breach notifications published to HHS’ web site.

Post to Twitter Tweet This Post

Digg This
Reddit This
Stumble Now!
Buzz This
Vote on DZone
Share on Facebook
Bookmark this on Delicious
Kick It on DotNetKicks.com
Shout it
Share on LinkedIn
Bookmark this on Technorati
Post on Twitter
Google Buzz (aka. Google Reader)

Posted in HIPAA, Information Security, Privacy Regulations, Security Regulations | No Comments »

Changes in HIPAA Breach Notification Rule

April 4th, 2013

HHS recently released the final regulations that revise certain provisions of HIPAA, including the HIPAA breach notification rule.  Congress, in enacting the HiTech Act in 2009, included a statutory requirement that covered entities report breaches that involved the unauthorized access or loss of protected health information (“PHI”).  HHS then promulgated an interim rule to implement this statutory provision.  That interim rule required reporting of the breach under the “significant risk of financial, reputational or other harm” standard.  Criticism was subsequently leveled at this standard as being too subjective.  HHS just recently issued its final rule (effective on March 26, 2013) that changes the breach reporting rule in two ways.

First, if there is a breach that involves PHI, and the breach does not fall within a regulatory exception, the presumption of the regulation is that the breach must be reported.  This means that a party that experiences a loss of PHI cannot assume, on the grounds that the loss was uncertain to cause significant harm to the patients, that notification of the breach was not required.

Second, the final regulation replaces the interim rule’s standard with a requirement that the party who experienced the loss must demonstrate that there is a low probability that the PHI has been compromised.  In order to qualify under this new standard, the party must perform a risk assessment, taking into account at least the four factors outlined in the regulation.  These factors are found in § 164.402(2):

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.

So, let’s evaluate some typical hypothetical scenarios that involve the loss of PHI.  The most common reported PHI breach involves data backup tapes that are lost.  By design, a data backup tape is usually the entire database of patient records, because this entire dataset would normally be required to restore the data from the backup.

Under the first factor, such a loss would militate towards breach notification, because the dataset would almost certainly include patient identifiers and, if the backup was of an electronic health record, extensive health information on each patient.  Under the second factor, if the tape was merely lost, there is no determination of who might have had unauthorized access to the PHI.  If, for example, the backup tape was just simply lost by a contractor that stores the backup tapes in a vault for retrieval on demand, this factor might lean towards not making a notification.  On the other hand, if the tape was in the trunk of the network administrator’s car, and the car was stolen, this factor might lean towards making a notification.

As to the third factor, a lost data tape alone, without more information, would not inform us whether the data was actually acquired by anyone, or viewed by someone.  There is certainly the potential that a lost tape could be viewed, assuming that the person that obtained it had access to a compatible tape drive.  But based on what we know, this factor is probably neutral.

As to the fourth factor, the question here is whether the backup tape itself was encrypted, or was stored in a locked storage box.  A tape that is encrypted is much harder to access, even if the tape was intentionally stolen to obtain unauthorized access to PHI.  A tape in a locked storage box that was merely lost may be less likely to be accessed by an unauthorized user.  So this factor may swing either way based on what, if any, mitigations were in place to protect the data on the backup tape.

If we assumed that no mitigations were in place, the overall analysis would lean towards breach notification under the new rule.  As you can see, however, the facts and circumstances matter greatly in evaluating whether a breach has occurred that requires notification.

Post to Twitter Tweet This Post

Digg This
Reddit This
Stumble Now!
Buzz This
Vote on DZone
Share on Facebook
Bookmark this on Delicious
Kick It on DotNetKicks.com
Shout it
Share on LinkedIn
Bookmark this on Technorati
Post on Twitter
Google Buzz (aka. Google Reader)

Posted in HIPAA, Information Security, Security Regulations | No Comments »

Changes in HIPAA Compliance

April 1st, 2013

The HiTech Act set in motion a series of changes to Health Insurance Portability and Accountability Act (“HIPAA”) compliance for covered entities and business associates in 2009, which were followed by interim regulations issued by the department of Health and Human Services (“HHS”).  HHS has issued a final regulation that goes into effect on March 26, 2013, and requires compliance within 180 days by all covered entities and business associates.

The HiTech Act made a number of important changes to the law governing the security and disclosure of protected health information.  First, prior to HiTech, business associates of covered entities were not required to comply with the security rules and standards set forth in the HIPAA security regulations.  HiTech changed the applicability of the security regulations to include business associates.  The final regulation from HHS implements this provision of the HiTech Act.

Second, prior to HiTech, there was no federal requirement that a covered entity or business associate report a security breach that resulted in the disclosure of protected health information (“PHI”).  HHS subsequently issued interim regulations to implement these notification requirements, and as of March 26, 2013, HHS issued final regulations that alter the assumptions and exceptions to what constitutes a “breach” under HIPAA.

Business Associates are Covered Entities when it comes to PHI

HiTech initially changed the law governing PHI by requiring that business associates comply with the same security regulations that govern covered entities.  The final regulations with HHS clarify which security rules also apply to business associates under section 164.104 and 164.106, including those applicable rules found in Parts 160 and 162.  However, HHS also expanded the definition of “business associate” to include subcontractors of business associates that handle PHI on behalf of the business associate for the covered entity.  The regulation does provide certain narrow exceptions to who is now covered in the definition of a “business associate,” including an exception for “conduits” of PHI that may, on a transitory basis, transmit PHI but would not access the PHI except on a random or infrequent basis.  But the regulation appears to generally expand further the legal responsibilities, and potential liability, for members of the industry that work even indirectly for covered entities.

For existing health care providers, now might be the time to revisit your business associate agreement with your business associates, such as your EHR vendors.  Section 164.314 establishes certain requirements for these agreements, including provisions that all business associates comply with the full security rule, that subcontractors to business associates also comply with the full security rule, and that business associates provide the covered entity with security incident reporting in the event of a breach at the business associate’s or subcontractor’s facility or systems.

Changes in Security Breach and Notification

HiTech also introduced a breach notification provision which was intended to require covered entities to report to HHS, and where appropriate, to patients affected by a security breach involving their PHI.  The final regulations have modified the definition of a “breach” by establishing the assumption that an unauthorized access of PHI is a breach unless it can be demonstrated by the covered entity or business associate that there is a low probability that the PHI has been compromised.

Such a demonstration requires that the covered entity or business associate conduct a risk assessment and evaluate at a minimum the four factors described in the regulation: “(i) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification, (ii) the unauthorized person who used the protected health information or to whom the disclosure was made, (iii) whether the protected health information was actually acquired or viewed, and (iv) the extent to which the risk to the protected health information has been mitigated.”

Altering the burden and requiring a covered entity or business associate to engage in this risk assessment is likely to increase the number of breach notifications required under the final regulation.

The final regulation includes a variety of other changes in requirements for covered entities and business associates not discussed in this article, such as sale and marketing of PHI, use of genetic information for insurance underwriting, notices to patients of privacy practices, and disclosure of PHI to friends and families of decedents.  Providers should promptly examine their privacy and security policies to ensure compliance with the final regulations.

Post to Twitter Tweet This Post

Digg This
Reddit This
Stumble Now!
Buzz This
Vote on DZone
Share on Facebook
Bookmark this on Delicious
Kick It on DotNetKicks.com
Shout it
Share on LinkedIn
Bookmark this on Technorati
Post on Twitter
Google Buzz (aka. Google Reader)

Posted in HIPAA, Information Security, Security Regulations | No Comments »

Implementing Stages of Meaningful Use

October 8th, 2012

With the release of the final Stage 2 Meaningful Use regulations, CMS issued a CMS Press Release on Stage 2 that, among other things, attempted to clarify when practices that implement an EHR will need to comply with which stage of the regulations.  In the beginning of the incentive program, there was some concern that practices that delayed EHR adoption might have to jump right to a later stage of meaningful use to obtain any incentive money.  The following chart describes the current phased-in approach based on when a practice first adopts an EHR as compared to when that practice has to demonstrate which stage of meaningful use.

As you can see, for practices that decide to adopt an EHR in 2013, the individual eligible providers will be able to demonstrate compliance with the Stage 1 criteria in both 2013 and 2014, delaying the Stage 2 criteria to 2015.  Readers should note that Medicare eligible providers that delay implementing an EHR until 2015 will not be eligible for any incentive dollars; instead they will just be staving off the proposed Medicare reimbursement cuts of 1% per year (up to 5%) by adopting EHR.  See § 495.211.  For those Medicaid eligible providers, the last year one might adopt an EHR is 2017 to be able to receive any incentive payments (though such a provider would not have to meet the Stage 2 criterion until 2019).  See § 495.310.

Post to Twitter Tweet This Post

Digg This
Reddit This
Stumble Now!
Buzz This
Vote on DZone
Share on Facebook
Bookmark this on Delicious
Kick It on DotNetKicks.com
Shout it
Share on LinkedIn
Bookmark this on Technorati
Post on Twitter
Google Buzz (aka. Google Reader)

Posted in EHR, Technology | No Comments »

Comparing Meaningful Use Stage 1 and Stage 2 Criteria

October 5th, 2012

In an earlier post, I had analyzed side by side the final Stage 1 criteria for achieving meaningful use to the interim Stage 2 criteria that will be phased in starting in 2014.  Following that analysis, HHS released the final Stage 2 criteria.  As a result, the comparison has changed a bit from my post earlier this year.  The following two tables analyze the final Stage 1 Core and Menu Criteria in comparison to the same for the final Stage 2 criteria.

A few highlights on what changed between the interim and final Stage 2 criteria.  First, a few of the final Stage 2 criteria ended up reducing the compliance metrics from what was proposed in the initial Stage 2 criteria.  See 495.6(j)(1), (j)(9) and (j)(11).

However, a few of the Stage 2 criteria metrics were changed to include additional requirements for compliance which might present a curve ball for those of you planning on obtaining compliance with these.  For example, in the final Stage 2 regulation, the criterion on patient access to health information has an added metric that 5% of patients actually download information available electronically from the provider.  You may want to contact your information systems vendor to determine if the portal you are implementing can provide you with this kind of information as it may not be collected and stored in a way that a report could be generated to evaluate compliance.

In addition, a new Menu criterion was added in the final Stage 2 regulations, found at 495.6(k)(6).  Here, a practice could elect to enter patient chart information as structured data; the metric requires that 30% of patients that are seen during the reporting period have data entered in this manner.  As a practical matter, many EHR systems today will store documented patient information as structured data where the patient visit is documented electronically as a part of the patient visit.  This might be an easy Menu criterion to comply with (as you need to pick three of the six total criteria in the final Stage 2 regulations).

Table 1 – Core Criteria Under Stage 1 and Stage 2 Meaningful Use Comparison

Eligible Providers must meet all of the Core Criteria to Qualify for the Incentives.  Stage 1 had 15; Stage 2 has 17.  Stage 1 meaningful use Core Criteria are found in section 495.6(d) for eligible providers.  Stage 2 meaningful use Core Criteria are found in section 495.6(j) for eligible providers.

Core Criteria for EPSubsections (d), (j) Stage 1 Metric Stage 2 Metric
§ 495.6(j)(1) – provider use of CPOE for medication, lab, and radiology orders [§ 495.6(d)(1)] 30% of orders 60% of medication orders;30% of lab and rad orders
§ 495.6(d)(2) – drug-drug and drug-allergy checking Enabled during period moved to 495.6(j)(9), same metric
§ 495.6(d)(3) – maintain up to date problem list 80% of patients subsumed into transition of care requirement.
§ 495.6(j)(2) electronic prescriptions [§ 495.6(d)(4)] 40% of Rx 50% of Rx
§ 495.6(d)(5) – active medication list 80% of patients subsumed into transition of care requirement.
§ 495.6(d)(6) – active allergy list 80% of patients subsumed into transition of care requirement.
§ 495.6 (j)(3) demographics [§ 495.6(d)(7)]50% of patients with encounters 80% of patients with encounters
§ 495.6 (j)(4) vital signs [§ 495.6(d)(8)]50% of patients with encounters 80% of patients with encounters
§ 495.6 (j)(5) smoking status [§ 495.6(d)(9)]50% of patients with encounters 80% of patients with encounters
§ 495.6(d)(10) – reporting clinical measures to CMS or State Successful testing not a separate criterion; CQM submission required
§ 495.6 (j)(6) decision support [§ 495.6(d)(11)] Implement 1 decision support intervention Implement 5 decision support interventions
§ 495.6 (j)(7) lab results as structured data [§ 495.6(e)(2)] Was Menu in Stage 1; 40% of all lab results 55% of all lab results
§ 495.6 (j)(8) patient lists by specific condition for QI [§ 495.6(e)(3)] Was Menu in Stage 1; at least 1 list At least 1 list
§ 495.6 (j)(9) patient reminders [§ 495.6(e)(4)] Was Menu in Stage 1; 20% of patients sent during period 10% of patients seen in last 2 years receive a reminder
§ 495.6 (j)(10) patient electronic access of health information [§ 495.6(e)(5)] Was Menu in Stage 1; 10% of patients receive timely access 50% of patients receive timely access & 5% actually download information
§ 495.6 (j)(11) clinical summaries at patient visit [§ 495.6(d)(13)] 50% receive summary from office visit 50% receive summary from office visit
§ 495.6 (j)(12) patient education resources [§ 495.6(e)(6)] Was Menu in Stage 1; 10% of patients receive ed. resources 10% of all office visits
§ 495.6 (j)(13) medication reconciliation for transition of care [§ 495.6(e)(7)] Was Menu in Stage 1; 50% of transitions have recon 50% of transitions of care have medication recon
§ 495.6 (j)(14) patients transitioned to another provider’s care have care summary prepared by provider [§ 495.6(e)(8)] Was Menu in Stage 1; 50% of transitions have recon 50% of transitions of care have patient summary; 10% of transitions must involve exchange of data
§ 495.6 (j)(15) capability to submit electronic data to immunization registry [§ 495.6(e)(9)] Was Menu in Stage 1; perform 1 test to registry Ongoing submission of data to registry during CY
§ 495.6 (j)(16) security risk assessments under HIPAA security regulations [§ 495.6(d)(15)] Conduct security assessment Conduct security assessment
§ 495.6 (j)(17) use electronic messaging to communicate with patients N/A 5% of patients seen during period received secure message from provider
[§ 495.6(d)(14)] – capability to exchange key clinical information among care providers and patients One test of exchange N/A
[§ 495.6(d)(12)] 50% of patients receive timely access 50% in 3 days on patient request N/A

Table 2 – Menu Criteria Under Stage 1 and Stage 2 Meaningful Use Comparison

In Stage 1, EP had to meet 5 out of 10 Menu Criteria to qualify.  In Stage 2, EP must meet 3 out of the 6 Menu Criteria to qualify.  Stage 1 meaningful use Menu Criteria are found in section 495.6(e) for eligible providers.  Stage 2 meaningful use Menu Criteria are found in section 495.6(k) for eligible providers.

Menu Criteria for EPSubjections (e), (k) Stage 1 Metric Stage 2 Metric
§ 495.6(k) (1) – access to imaging results in EHR N/A 10% of imaging results in EHR
§ 495.6(k) (2) patient family health history in structured data N/A 20% of all patients seen
§ 495.6(k) (3) capability to submit syndromic surveillance data to public health agency [§ 495.6(e)(10)] Was Menu in Stage 1; perform 1 test to registry Successful ongoing submission of data for period
§ 495.6(k) (4) capability to identify and report cancer cases to State cancer registry N/A Successful ongoing submission of data for period
§ 495.6(k) (5) capability to report other specialized registry (other than cancer) to specialized registry N/A Successful ongoing submission of data for period
§ 495.6(k) (6) record electronic notes in patient records N/A 30% of patients seen during the reporting period
[§ 495.6(e)(1)] – implement drug formulary checking Enable functionality Moved to Core / decision support
[§ 495.6(e)(2)] – lab results as structured data 40% of lab results are structured data Moved to Core
[§ 495.6(e)(3)] – generate lists by specific conditions 1 reporting list Moved to Core
[§ 495.6(e)(4)] – send reminders to patients for follow-up care 20% of patients Moved to Core
[§ 495.6(e)(5)] – Provide patients with timely access to health information 10% of patients have electronic access Moved to Core
[§ 495.6(e)(6)] – Use EHR for patient education 10% of patients Moved to Core
[§ 495.6(e)(7)] – Incoming transition of care to EP medication reconciliation 50% of patients have medication recon Moved to Core
[§ 495.6(e)(8)] – Outgoing transition of care from EP care record summary 50% of patients have care summary Moved to Core
[§ 495.6(e)(9)] – immunization registry 1 certified test Moved to Core

 

Post to Twitter Tweet This Post

Digg This
Reddit This
Stumble Now!
Buzz This
Vote on DZone
Share on Facebook
Bookmark this on Delicious
Kick It on DotNetKicks.com
Shout it
Share on LinkedIn
Bookmark this on Technorati
Post on Twitter
Google Buzz (aka. Google Reader)

Posted in EHR, Technology | No Comments »

Abe Lincoln – A Personal Hero

October 3rd, 2012

I was recently tooling on Facebook this week and noticed an advertisement for the movie “Lincoln” that is scheduled for general release next month.  After clicking on the ad, the individuals promoting this film will be happy to know that I was among those converted to a fan of their Facebook page (as of today, numbering around 44,000).  I was prompted by this Facebook ad to write about Lincoln.  Abraham Lincoln is a personal hero for several reasons.  Of course, Lincoln died a national hero in service to the country.  He served at one of the most difficult times in our nation’s history when pretty much no one else wanted to be president.  And he remains well-known for a number of sound-bites from his speeches that continue to resonate with the public today.  However, he’s a hero to me for several other reasons.

First, he was an attorney for most of his career, and as an attorney, handled many humdrum business disputes, and represented a number of clients over the years.  Such a caseload is not terribly dissimilar today for many small and solo practitioners today like me who make an effort to help the clients that come to them.  Second, Lincoln was, for the most part, a failed politician for most of his career.  While he served as a local politician early in his career, his attempts at federal office and as a presidential candidate outnumbered the times he was elected to such offices.  And, for those students of history out there, Lincoln’s prosecution of the Civil War involved a series of hard losses for the union, at the cost of the lives of many.  Lincoln, however persevered in the face of failure.  I think to myself that if Lincoln could manage to bear the tremendous loss of human life (both during the civil war and also in his personal life at the death of two of his children), surely I can manage when I lose a trial or a client decides to not pay his bill!

Finally, Lincoln was able to change his mind, particularly on the major issue of the union: slavery.  Lincoln did not start out as an abolitionist, even though today I think most would agree that slavery is plainly wrong.  I think it took Lincoln most of his life to come to that conclusion publicly, well after the civil war had started.  Even at the outset of war, Lincoln’s argument was not that slavery was wrong, but that states did not have the legal right to secede.  I aspire to be open to changing my mind, even on ideas I might hold quite dear.

I look forward to the movie next month, and hope you will too!

Post to Twitter Tweet This Post

Digg This
Reddit This
Stumble Now!
Buzz This
Vote on DZone
Share on Facebook
Bookmark this on Delicious
Kick It on DotNetKicks.com
Shout it
Share on LinkedIn
Bookmark this on Technorati
Post on Twitter
Google Buzz (aka. Google Reader)

Posted in News | No Comments »

Final Stage 2 Meaningful Use Regulations

September 17th, 2012

The final version of the Meaningful Use regulations, including the final Stage 2 requirements, were published at the end of August.  A copy of the full regulations can be found here: 2012-21050 (you can also get these from the Federal Register’s web site; the final regulations were published on September 4, 2012.)  The final version of the Stage 2 regulations are similar to the interim regulations that were published earlier this year (and discussed in this post).  However, the final regulations made some changes to what’s in store for providers trying to obtain their incentive payments from the interim regulations.  This article is intended to briefly cover these changes.

Core Criteria Changes

First, the Stage 2 metrics for specific Core criteria were reduced from the interim regulation targets.  For example, for provider use of computerized order entry (§ 495.6(j)(1)), the interim regulations for Stage 2 required that 60% of orders be computerized.  The final regulations softened this so that only 60% of medication orders be electronic, leaving the target of 30% for lab and radiology orders where it had been under Stage 1.  Also, the Stage 2 target for electronic prescriptions in the interim regulation was to be 65% of all prescriptions (up from 40% in Stage 1).  In the final Stage 2 regulation, the metric has been reduced to 50%.

There was also a reduction in the final Stage 2 metrics for (j)(13) and (j)(14) requirements for patients that transition care.  The interim Stage 2 regulations had a metric of 65% of patients with transitions of care have a medication reconciliation performed, and for outgoing transitions, the provider prepare a care summary for the receiving provider.  The final regulations reduce this metric to 50% where it stood when these were Stage 1 Menu criterion.

The final regulations also reduced the target metric for the criterion for using electronic messaging to communicate with patients in (j)(17).  The interim regulations had set the metric at 10%; the final regulations reduce this to 5%.

However, there are other changes that may pose some dilemmas for providers.  The interim Stage 2 core criterion include one for patient electronic access to health information.  This originally was a Stage 1 Menu criterion; it becomes a core criterion in Stage 2.  The metric in the interim Stage 2 regulation was that 50% of patients receive timely access to information in their chart (up from 10% in Stage 1).  However, in the final Stage 2 regulation, there is a second aspect to the metric – namely, that 5% of patients actually download information made available to them.  It is not clear how this will be measured by the software, and it is also not clear how providers will cause patients to download the data made available to them.

An additional metric was added to (j)(14) between the interim and final Stage 2 regulations.  Not only must 50% of patients have a care summary prepared by the provider as part of the transition of care, but 10% of these transitions must involve the electronic exchange of data between the two providers.  This core requirement will tend to incentivize referral patterns between providers that are able to send and receive electronic data between them or through regional health information exchanges.  As a result, those that are unable to participate in such exchanges will become increasingly isolated.

Menu Criteria Changes

There were also two changes in the Menu criteria between the interim and final Stage 2 regulations.  First, the target metric for the first menu criterion, access to imaging results in the EHR, was reduced to 10% in the final regulations from 40% in the interim regulations.  Second, a new menu criterion was added to encourage providers to actually document notes into structured data within the EHR system, and setting the metric to 30% of patients seen during the period.

 

Post to Twitter Tweet This Post

Digg This
Reddit This
Stumble Now!
Buzz This
Vote on DZone
Share on Facebook
Bookmark this on Delicious
Kick It on DotNetKicks.com
Shout it
Share on LinkedIn
Bookmark this on Technorati
Post on Twitter
Google Buzz (aka. Google Reader)

Posted in EHR, News, Technology | 1 Comment »

FarmVille, CityVille, This-Ville That-Ville

April 23rd, 2012

There are an almost endless number of online games.  Some of them end in -ville.  For that, we have game maker Zynga to thank.  Zynga recently had an initial public offering (IPO), where they became a publicly traded company.  (Zynga, by the way, had set its initial stock price at $10 per share.  Today it is trading down, though the stock had a brief period over $10/share around the time that Facebook announced it would be doing its own IPO later this year.  This impacts Zynga because Zynga itself primarily makes games, like Farmville, to be played on Facebook.)  Farmville and the other games out there used to be grouped under the category of massively multiplayer online games.  I think people stopped using this because the MMOG (or MMORPG for online role playing games) shorthand didn’t spell out anything cool.  And we all have the attention span of six seconds.  I just changed the channel.

What’s surprising is that an online game maker would have an IPO.  It used to be that game makers were local mom and pop shops with a few employees (some of whom were here in Hunt Valley, Maryland, like good old Microprose).  But game makers have become increasingly complex, in some ways like movie production houses.  Games themselves have also pushed the technology envelope.  New games were often an excuse for computer owners to buy a new computer (including yours truly) so that one would have sufficient RAM and a fast enough video card to play the new game du jour.  Given that, the overall online gaming market continues to grow, and the need to access larger amounts of capital to create new games (both in dollars and human capital), it seems likely that more game makers will become publicly traded businesses (or be acquired by existing, large companies like Sony or Disney).

Farmville itself, and its ken, employ several tactics to increase their profit.  First off, activities on Farmville take a certain amount of time to occur.  For example, certain crops on your farm take a variable amount of time to grow, ranging from a few hours (in real time) or a few days.  If you are in a hurry, you can convert real money into game currency, and speed up certain tasks.  In Farmville, it doesn’t appear that there is a way to convert Farmville currency back into real dollars (though this is the case in other systems, such as Second Life).  In addition, there is substantial advertising within the gaming system itself which generates a certain amount of value back to Zynga.  Farmville also has a social component, in that users can become neighboring farmers, and can share resources or tend to each other’s farms.  Farmville attempts to exploit the network effect of allowing users to belong to a virtual community of other game users.  By that I mean that the more users of the game, the more they interact, and the interactions create more users, causing a positive feedback loop that increases the value of the game to its users and Zynga.

There are a lot of online games these days.  Civilization has been working on a release within Facebook.  Ultima (an Electronic Arts game) has operated its own online system on various shards (servers) throughout the world.  Ultima has also recently been advertising a release of its system on Facebook.  EA, by the way, is also a publicly traded company.  Ultima itself has been available for a long time (I have fond memories of trying to complete Ultima III on an old PC).  Blizzard’s World of Warcraft, along with dozens of others, are out there.  For WoW users, ebay.com lists in-game items available for purchase with real money.  In fact, there have arisen a number of game “sweat shops” where employees work on building up inventory for various online games to offer those virtual items for sale for real currency.  As an industry, it appears that these games are here to stay.

The interesting question is whether online computer gaming can be applied within the regular business world.  Gamify.com seems to think so.

Post to Twitter Tweet This Post

Digg This
Reddit This
Stumble Now!
Buzz This
Vote on DZone
Share on Facebook
Bookmark this on Delicious
Kick It on DotNetKicks.com
Shout it
Share on LinkedIn
Bookmark this on Technorati
Post on Twitter
Google Buzz (aka. Google Reader)

Posted in News, Technology | No Comments »

Klout and You

April 23rd, 2012

Klout is an online influence metric.  The site gathers information from your twitter, linkedin, facebook, google+, instagram, and other online social media web sites, and calculates a score of how your online postings influence others on the good, ole interweb.  This is an interesting metric because, if you are trying to have an impact on other users, you can experiment and see if your Klout score improves or declines.  Having a metric is helpful because the internet can be a very large echo chamber, with no outside way to measure if all the bouncing around off the rocks has any actual impact on your readership.

Try Klout out yourself and see what your current score is.  See how posting more content on various social media web sites impacts others that may follow what you are posting.  Where Klout looks for its scoring is also interesting – you might investigate whether you should join one or more of those web properties.  For example, I do have a google+ account, but rarely spend a lot of time with it.  There are a number of people that have added me to their circles and post content on google+, but I don’t spend too much time on it.  However, I thought I would check it out today.  The Dalai Lama posted a comment that we ought to use the time we have in a meaningful way.  Nice.  If you aren’t using social media to get out your message, maybe now is a good time to start doing something!

Post to Twitter Tweet This Post

Digg This
Reddit This
Stumble Now!
Buzz This
Vote on DZone
Share on Facebook
Bookmark this on Delicious
Kick It on DotNetKicks.com
Shout it
Share on LinkedIn
Bookmark this on Technorati
Post on Twitter
Google Buzz (aka. Google Reader)

Posted in Intellectual Property, News, Technology | No Comments »

Our Conflicted Love Affair With Apple

April 12th, 2012

America, and probably much of the world, loves Apple.  The company’s stock price recently has exceeded $600 per share and its market capitalization is around 1/2 of a trillion dollars.  We buy millions of iPhones and iPads, and i-This’s and i-That’s.  But there is another side to Apple and probably many of the brands that we buy in the U.S.: China.  Oh, how conflicted we are about our life’s love!

Mike Daisey has been making the rounds telling of woes he claims to have personally observed in the manufacturing center of China for Apple products.  The only problem is that Mike’s story involves a little dramatic license because he has a larger agenda which, by the way, is not journalism.  On the other hand, factories in China that make Apple products, such as Foxconn‘s, actually have blown up here and there, killing workers and causing injury to others.  Apple has hit back in recent months with assertions that it has created jobs in the U.S. directly and indirectly through supporting industries.  But there is a simple equation in all the noise: Apple makes its products outside of the U.S. because this makes commercial sense.  Part of its ability to trounce the tablet market is that Apple has negotiated larger volume, longer term, and lower-cost component parts contracts with particular suppliers because of its overall market volume.  And, of course, Apple is cool (or a cult, depending on who you ask).

As a result, Apple products remain priced so that we can buy them and Apple continues to make a healthy profit margin, in part fueling an increase in the share price of Apple from its 2002 price of under $60/share (though it probably helps that Apple is also planning to offer a dividend with all the billions in cash it has on hand, and that Apple is also planning some kind of share buy back).  Factory conditions in other countries are a problem, just as they have been in the United States.  Safety, wage and hour rules, and employee benefits do increase the cost to manufacture goods.  The question for us, though, is should we support subcontractors that avoid these costs so we can buy cheaper products at home?  Is such a business model sustainable?  What do you think?

Post to Twitter Tweet This Post

Digg This
Reddit This
Stumble Now!
Buzz This
Vote on DZone
Share on Facebook
Bookmark this on Delicious
Kick It on DotNetKicks.com
Shout it
Share on LinkedIn
Bookmark this on Technorati
Post on Twitter
Google Buzz (aka. Google Reader)

Posted in News, Technology | No Comments »

« Older Entries