The ghetto is abuzz. As I write this #nomuwithoutme is just hitting Twitter. The reason the natives are restless in the patient ghetto is a recent proposal by our Federal regulators to downgrade a Meaningful Use (MU) requirement for Stage 3, in the final stage of a $30B + initiative to advance interoperable digital health records. The focus is on something called View / Download / Transmit (V/D/T) but the real issue and the Last Chance is broader and more important. The bad news is that MU may leave patients as beggars for own data. The good news is that the Office of the National Coordinator (ONC) and Congress are paying attention and patients still have a chance to shift the terms of the debate to what HIPAA calls “the patient’s right of access” and demand that it apply strictly to MU Stage 3 Appication Programming Interfaces (API).
To find the core of the downgrade, search the Notice of Proposed Rulemaking NPRM for the word “download”. To experience the ghetto first-hand, search the NPRM for “4 business days”. The issue is plain: patients are to get degraded, delayed information through a “portal” that forces us to take whatever the “providers” are willing to grant us.
There are so many things wrong with this picture:
The process of using patient portals and V/D/T for interoperability puts an unusual burden on the patient. It’s like your ability to view and download your credit card statement from the bank. A few us do that, but how many of us ever “transmit” that document anywhere else? Ever?
- Although useful to the patient herself, the health records available to us via V/D/T are risky and expensive for the receiving doctor to process. They are full of information the recipient did not request and might feel obligated to follow-up on. 75-page documents are not that unusual. What is a doctor to do with an abnormal lab result she did not order?
- The authenticity (provenance) of documents transferred via V/D/T is uncertain because they might have been altered in transit. In the paper days, results and doctor’s notes would have a letterhead and a signature so provenance could be trusted by the recipient. MU has not required that for documents under V/D/T and that poses a cost and a risk to the recipient as well.
- Another problem is privacy. Every copy of a record made under V/D/T is another thing to secure and worry about. If it has an error, where and how do you fix it? If the information changes between the time you copied it and the time it’s used, how do you alert the recipient? How many copies of your information are out there, and who are they with?
The 4 business day delay makes shopping for second opinions and for value even more difficult than it already is.
- Even so, there are unnecessary barriers to information sharing. The NPRM does not reference the patient right of access directly. For example, it doesn’t say that controversial “one” information request of the downgrade has to be to _any_ email address provided by the patient.
The ghetto is pretty clear. What would patients as first-class citizens look like?
I’m encouraged by this paragraph on p. 49-50 of the NPRM:
We seek comment on potential alternate proposals for this proposed change to the threshold for Measure 2 of the Stage 2 Patient Electronic Access objective. For example, we seek comment on potential alternates such as a percentage threshold less than 5 percent, or a numerator greater than 10 patients, or another similar numerical alternative. We further seek comment on suggestions for other potential alternatives which would accomplish the goals here stated of reducing the burden on providers to account for patient actions while still continuing to encourage IT supported patient engagement.
Another important paragraph shows up three times in this NPRM:
(A) Security. The API must include a means to establish a trusted connection with the application requesting patient data, including a means for the requesting application to register with the data source, be authorized to request data, and log all interactions between the application and the data source.
It’s time for ONC to follow its own JASON Task Force report and make all of us as patients first class citizens in Meaningfu Use before it’s too late. The “Public API” described by the JASONs needs to be accessible under the HIPAA patient right of access as described in the Security paragraph above and the Office for Civil Rights memo.
V/D/T tweaks are not enough. We have the technology . Do we have the will?
Adrian Gropper, MD is the CTO of Patient Privacy Rights.