The essence of controlling Ebola is surveillance. To accept surveillance, the population must trust the system responsible for surveillance. That simple fact is as true in Liberia as it is in the US. The problem is that health care surveillance has been privatized and interoperability is at the mercy of commerce.
Today I listened to the JASON Task Force meeting. The two hours were dedicated to a review of their report to be presented next week at a joint HIT Committee Meeting.
The draft report is well worth reading. Today’s discussion was almost exclusively on Recommendations 1 and 6. I can paraphrase the main theme of the discussion as “Interoperability moves at the speed of commerce and the commercial interests are not in any particular hurry – what can we do about it?”
Health information technology in the US is all about commerce. In a market that is wasting $1 Trillion per year in unwarranted and overpriced services, interoperability and transparency are a risk. Public health does not pay the bills for EHR vendors or their hospital customers.
Continue reading “Ebola Offers a Teachable Moment For Health Information Technology”
Filed Under: Tech, THCB
Tagged: Adrian Gropper, Data Map, Ebola, Fair Information Practice Principles, health records, HIT, JASON, Patient Privacy Rights, Vendors
Oct 9, 2014
Today, ONC released a report on patient matching practices and to the casual reader it will look like a byzantine subject. It’s not.
You should care about patient matching, and you will.
It impacts your ability to coordinate care, purchase life and disability insurance, and maybe even your job. Through ID theft, it also impacts your safety and security. Patient matching’s most significant impact, however, could be to your pocketbook as it’s being used to fix prices and reduce competition in a high-deductible insurance system that makes families subject to up to $12,700 of out-of-pocket expenses every year.
Patient matching is the healthcare cousin of NSA surveillance.
Health IT’s watershed is when people finally realize that hospital privacy and security practices are unfair and we begin to demand consent, data minimization and transparency for our most intimate information. The practices suggested by Patient Privacy Rights are relatively simple and obvious and will be discussed toward the end of this article.
Health IT tries to be different from other IT sectors. There are many reasons for this, few of them good. Health IT practices are dictated by HIPAA, where the rest of IT falls under either the FTC or the Fair Credit Reporting Act. Healthcare is mostly paid for by third-party insurance, so the risks of fraud are different than in traditional markets.
Healthcare is delivered by strictly licensed professionals regulated differently than the institutions that purchase the Health IT. These are the major reasons for healthcare IT exceptionalism but they are not a good excuse for bad privacy and security practices, so this is about to change.
Health IT privacy and security are in tatters, and nowhere is it more evident than the “patient matching” discussion. Although HIPAA has some significant security features, it also eliminated a patient’s right to consent and Fair Information Practice.
Continue reading “What You Need to Know About Patient Matching and Your Privacy and What You Can Do About It”
Filed Under: THCB
Tagged: Adrian Gropper, cyber attacks, HIPAA, HIT, ONC, patient matching, Privacy
Feb 21, 2014
I’ve recently returned from the 7th ID Ecosystem Steering Group Plenary in Atlanta. This is an international public-private project focused on the anything-but-trivial issue of issuing people authoritative cyber-credentials: digital passports you can use to access government services, healthcare, banks and everything else online.
Cyber ID is more than a single-sign-on convenience, or a money-saver when businesses can stop asking you for the names of your pets; it’s rapidly becoming a critical foundation for cyber-security because it impacts the resiliency of our critical infrastructure.
Healthcare, it turns out, is becoming a design center for IDESG because healthcare represents the most diverse collection of human interactions of any large market sector. If we can solve cyber-identity for healthcare, we will have solved most of the other application domains.
The cyber-identity landscape includes:
proving who you are without showing a physical driver’s license
opening a new account without having to release private information
eliminating the risk of identity theft
civil or criminal accountability for your actions based on a digital ID
reducing your privacy risks through anonymous or pseudonymous ID
enabling delegation to family members or professional colleagues without impersonation
reducing hidden surveillance by state or private institutions
when appropriate, shifting control of our digital tools to us and away from corporations
The IDESG process is deliberate and comprehensive. It impacts many hot issues in health care including patient matching, information sharing for accountable care and population health, health information exchanges, prescription drug monitoring programs, accounting for disclosures, patient engagement and meaningful use, the physician’s ability to communicate and refer without institutional censorship, the patient’s ability to control information from our increasingly connected devices and implants, and more.
Hospitals and health industry incumbents that seek to solve the hot issues raised by health reform are not eager to wait for a deliberate and comprehensive process. For them, privacy and cyber-security are a nice-to-have. Who will pay for this digital enlightenment?
Continue reading “IDESG Is a Glimpse of Our Digital Future”
Filed Under: Uncategorized
Tagged: Adrian Gropper, Cyber ID, Design, FutureMed, IDESG, Privacy
Jan 26, 2014
The governor of Vermont, Peter Shumlin, devoted all of his annual speech to the problem of drug addiction. On the national news, Shumlin points out the link between prescription painkillers and death, and he calls for treating opiate addiction as a medical problem no different than cancer. The White House praised the governor’s position.
Meanwhile in another part of Washington, I’m involved in the federal effort to link the law enforcement Prescription Drug Monitoring Program databases to the health records physicians use, and to link the databases across state lines.
The unintended consequences of criminalizing addiction and driving medical problems underground need to be considered here as well.
Physician-patient confidentiality is important to public health, and networked electronic health records have both individual privacy and public health consequences. Privacy is essential in infectious disease testing, domestic violence, mental health, adolescent, reproductive, and addiction medicine. Subjecting clinical encounters to law enforcement surveillance beyond the physician’s discretion is life-threatening.
Well-meaning people are now working to link PDMP databases to EHRs and across state lines. The evidence to justify the coerced crossing of the criminal – medical boundary is anecdotal findings in pilot studies that more physicians are in a position to uncover addiction and offer treatment.
The other goal is to reduce illegal diversion of prescription drugs by both physicians and patients. What could possibly go wrong?
Continue reading “Let’s Decriminalize Our Health Records”
Filed Under: Tech, THCB
Tagged: Adrian Gropper, decriminalizing drug abuse, painkillers, Patient privacy, Prescription Drug Monitoring Program, prescription drugs, Vermont
Jan 10, 2014
The Massachusetts Medical Society may be the first to notice that Meaningful Use EHR mandates favor large providers and technology vendors. Control over the Nationwide Health Information Network sets the stage for how physicians refer, receive decision support, report quality, and interact with patients. State health information exchanges and policy makers are caught in the cross-fire over health records interoperability. Are the federal regulations over Stage 2 being manipulated to put physicians and the public at a disadvantage?
On Dec. 7, the Massachusetts Medical Society took what might be the first formal action in the nation, a resolution stating:
“That the Massachusetts Medical Society advocate for a more open, affordable process to meet technology mandates imposed by regulations and mandates; e.g., that all Direct secure email systems, mandated by Meaningful Use stage 2, including health information exchanges and electronic health record systems, allow a licensed physician to designate any specified Direct recipient or sender without interference from any institution, electronic health record vendor, or intermediary transport agent.”
Scott Mace’s column Direct Protocol May Favor Large Providers and Vendors is the first to report on this unusual move by a professional society. Full disclosure: I’m a member of the MMS and the initiator of what became this resolution.
Meaningful Use is intended to support health reform by promoting interoperability and innovation in health service delivery. The Affordable Care Act, Obamacare, is fundamentally a free-enterprise model without single payer or even a public option. Obamacare depends on the market for eventual cost controls and sustainability. Meaningful Use is regulation designed to enable market-driven health reform by reducing interoperability barriers.
Although Meaningful Use regulations have already handed out $17 Billion to drive “voluntary” adoption of interoperable electronic health records, meaningful interoperability is still elusive. Meanwhile, the doctors are chafing about Meaningful Use intrusions and policymakers worry that the regulations will actually increase costs.
Continue reading “It’s Doctors versus Hospitals Over Meaningful Use”
Filed Under: Tech, THCB
Tagged: Adrian Gropper, EHR, EHR vendors, Hospitals, Massachusetts Medical Society, Meaningful Use Stage 2, Physicians
Dec 12, 2013
Let’s recognize Healthcare.gov as the dawn of mass patient engagement – and applaud it. Before this website, patients were along for the ride. Employers choose most of the insurance benefits, hospital web portals are an afterthought, and getting anything done with an insurance company, for both doctors and patients, means a phone call and paper. Can you imagine going online to find out the actual cost and buy anything? All that changed with Healthcare.gov.
Information is valuable and not evenly distributed. The haves are immensely valuable corporations. The have nots are patients and doctors. Welcome to the world of health IT politics where the rich get richer ($20 Billion of “incentives” have caused massive health IT consolidation and a hidden health surveillance state) and the poor get frustrated (talk to an independent physician about their EHR or to a patient trying to access her own health records).
Information asymmetry drives $1 Trillion of waste in our $2.7 Trillion health care cost. That waste is about $3,000 per year per citizen.
The politics of health IT policy are not left vs. right but institution vs. individual. Politicians and regulators alike are now scrambling to understand the role of health IT policy in that $3,000 annual waste per citizen.
The asymmetry that drives health IT policy is easy to understand when you consider that health IT is sold to corporations. As physicians and patients, we do not prescribe or buy information technology and we are paying the price through a total lack of price and quality transparency.
Continue reading “Information Asymmetry – The Politics of Health IT Policy”
Filed Under: Tech
Tagged: Adrian Gropper, Healthcare.gov, HIT Privacy, The ACA, Transparency
Nov 9, 2013
… and a call to action. This case study is based on my meeting with the Center for Health Information and Analysis (CHIA) in my home state. CHIA is an all payers claims database, a massive collection of diagnoses, locations, dates and prices for all of your health services across all of your providers and insurers. Whether it’s claims or health records, almost every state and many private clearing houses are setting up to monitor you.
Your information can be used by business to manipulate prices for maximum profit, or by you to inform your choice of health insurance plans and health care providers.
Unfortunately, business can get your information but you can’t. This reflects an industry strategy to obstruct the market-based features of the Affordable Care Act. I hope you will take this case study, edit it, and file it with the Attorney General and Governor in your state to ask for your data as a consumer protection issue. That’s what I’m about to do.
My state is #1! Go Massachusetts! My state is #1 in health care costs. It’s also #1 in implementing a health insurance exchange (Romneycare 2006) and a leader in state surveillance with the 2012 cost containment law known as Chapter 224. Chapter 224 mandates various state surveillance mechanisms including a health information exchange that monitors encounters and an all payer claims database called “the center”.
The cost containment law also includes some consumer protections. Line 1909 states:
“To the maximum extent feasible, the center shall also make data available to health care consumers, on a timely basis and in an easily readable and understandable format, data on health care services they have personally received.”
Although the state surveillance is in place, and the price fixing that keeps us #1 is ongoing, the consumer protection part of the law is not implemented. So, I took the opportunity to meet with the executive director of CHIA and their chief legal counsel and get the scoop on why the state is not following the law. To paraphrase their explanation: “It’s too hard.”
Continue reading “State Surveillance Endangers the Affordable Care Act: A Case Study”
Filed Under: THCB
Tagged: Adrian Gropper, Center for Health Information & Analysis (CHIA), Consumer Directed Healthcare, Health Insurance Exchanges, Health Plans, Massachusetts, Pharma, The ACA, The States
Oct 18, 2013
Thanks to the flood of new data expected to enter the health field from all angles–patient sensors, public health requirements in Meaningful Use, records on providers released by the US government, previously suppressed clinical research to be published by pharmaceutical companies–the health field faces a fork in the road, one direction headed toward chaos and the other toward order.
The road toward chaos is forged by the providers’ and insurers’ appetites for categorizing us, marketing to us, and controlling our use of the health care system, abetted by lax regulation. The alternative road is toward a healthy data order where privacy is protected, records contain more reliable information, and research is supported or even initiated by cooperating patients.
This was my main take-away from a day of meetings and a panel held recently by Patient Privacy Rights, a non-profit for whom I have volunteered during the past three years. The organization itself has evolved greatly during that time, tempering much of the negativity in which it began and producing a stream of productive proposals for improving the collection and reuse of health data. One recent contribution consists of measuring and grading how closely technology systems, websites, and applications meet patients’ expectations to control and understand personal health data flows.
With sponsorship by Microsoft at their Innovation and Policy Center in Washington, DC, PPR offered a public panel on privacy–which was attended by 25 guests, a very good turnout for something publicized very modestly–to capitalize on current public discussions about government data collection, and (without taking a stand on what the NSA does) to alert people to the many “little NSAs” trying to get their hands on our personal health data.
It was a privilege and an eye-opener to be part of Friday’s panel, which was moderated by noted privacy expert Daniel Weitzner and included Dr. Deborah Peel (founder of PPR), Dr. Adrian Gropper (CTO of PPR), Latanya Sweeney of Harvard and MIT, journalist Sydney Brownstone of Fast Company, and me. Although this article incorporates much that I heard from the participants, it consists largely of my own opinions and observations.
Continue reading “Chaos and Order: An Update From Patient Privacy Rights”
Filed Under: Uncategorized
Tagged: Adrian Gropper, Andy Oram, Big Data, HIEs, HIPAA, Hospitals, Meaningful Consent, Patient privacy, Patient Privacy Rights
Oct 16, 2013
Health IT Week demonstrated a double barrel strategy to segregate patient information from provider information. Providers already have the power to set prices and health IT plays the central role.
By rebranding HIPAA as “Meaningful Consent” and making patients second-class citizens in Meaningful Use Stage 2 interoperability, providers and regulators are working together to keep it that way.
Essential consumer protections such as price transparency or independent decision support are scarce in the US healthcare system. The journalists are shouting from the rooftops.
There’s $1 Trillion (yes, $3,000 per person per year) of unwarranted and overpriced health services steering the Federal health IT bus with an information asymmetry strategy. Those of us that want to see universal coverage succeed need the information transparency tools to drive for changes.
Here’s how it works: The department of Health and Human Services (HHS) controls the health IT incentives and regulations. HIPAA applies to most licensed health services providers. Laboratories and devices are regulated by Medicare and the FDA.
Unlicensed services offered directly to patients, such as personal health records, web info sites and apps are regulated by the FTC. Separate regulatory domains facilitate the segregation of information and contribute to the lack of transparency by making patient-directed services use delayed and degraded information. This keeps independent advice from FTC-regulated service providers from illuminating the specific abuses.
The segregation of patient information from “provider” information is the current federal regulatory strategy. It’s even more so in the states. By making patients into second-class citizens, the providers can avoid open scrutiny, transparent pricing, and independent decision support.
Federal regulators then create a parallel system where information is delayed, diluted, and depreciated by lack of “authenticity”. This is promoted as “patient engagement”. For regulators, it’s a win-win solution: the providers support the regulation that enables their price fixing and many patient advocates get to swoon over patient engagement efforts.
The proof of this strategy became clear on the first day of Health IT Week – the Consumer Health IT Summit.
Continue reading “A Troubling Strategy at Health IT Week”
Filed Under: Tech, THCB
Tagged: Adrian Gropper, Blue Button, HHS, HIPAA, HIT, HITECH Act, independent decision support, Meaningful Consent, Meaningful Use Stage 2, National Health IT Week
Sep 19, 2013
Secrecy breeds suspicion. The role of secrecy in health care is practically non-existent so when we see examples of secrecy, as in the operational details of the Federal Data Services Hub, we get the recent outcry from a range of politicians and journalists waving privacy flags. For Patient Privacy Rights, this is a teachable moment relative to both advocates and detractors of the Affordable Care Act.
There’s a clear parallel between the recent concerns around NSA communications surveillance and health care surveillance under the ACA. Some surveillance is justified, to combat terrorism and fraud respectively, but unwarranted secrecy breeds suspicion and may not help our civil society.
“The Hub” is described by the government as:
“For all marketplaces, CMS [the Centers for Medicare and Medicaid Services] is also building a tool called the Data Services Hub to help with verifying applicant information used to determine eligibility for enrollment in qualified health plans and insurance affordability programs. The hub will provide one connection to the common federal data sources (including but not limited to SSA, IRS, DHS) needed to verify consumer application information for income, citizenship, immigration status, access to minimum essential coverage, etc.
CMS has completed the technical design, and reference architecture for this work, is establishing a cross-agency security framework as well as the protocols for connectivity, and has begun testing the hub. The hub will not store consumer information, but will securely transmit data between state and federal systems to verify consumer application information. Protecting the privacy of individuals remains the highest priority of CMS.”
Here’s where the secrecy comes in: I tried to find out some specific information about the Hub. Technical or policy details that would enable one to apply Fair Information Practice Principles? Some open evidence of privacy by design? Some evidence of participation by privacy experts? I got nothing. Where’s Mr. Snowden when we need him?
Continue reading “The Federal Health Data Services Hub Hubbub”
Filed Under: Tech, THCB
Tagged: Adrian Gropper, data breaches, Federal Data Services Hub, HHS, NSA, Patient privacy, Privacy, The ACA
Aug 15, 2013