Uncategorized

TECH: Privacy, standards, certification and RHIOs–more from AHIMA

Yesterday’s the AHIMA meeting morning presentations were excellent. The presenters were all on their game, and were also relatively amusing (especially Mark Frisse). But although I know a lot more about the DC based machinations of the national health initiative after this and the Brailer talk yesterday, I’m still of the opinion that there’s less there than meets the eye.

Imgp5093

Carole Diamond runs the Markle Foundation and their Connecting for Health Program with the help of David Lansky, who used to run the Foundation for Accountability which Markle has swallowed (more or less) whole. In her speech she talked about Connecting for Health

Connecting for Health cares about

1 Tech standards and adoption

2 Policy framework for successful EMR/PHR/RHIO implementation

3 The consumer

Carol thinks that the policy challenges are greater than the technology challenges of implementing all this stuff (but then I guess she’s never had to write an interface between two "standardized" IT systems!).

Much of the talk featured the lessons from Katrina, (and no, not the ones about having FEMA run by someone without his head up his …)

Katrina shows us that a national medication record would be vital. Carol and markle helped put together within 7 days a secure portal that allowed providers to access their patients medication history via RxHub, Surescripts, chain pharmacies, the VA et al. In addition they even got the AMA in the mix to authenticate doctors. In some ways a simple thing, but you can imagine the effort in getting everyone’s divergent system into a common web portal.  A great effort.

What did they learn?

1) We are not prepared for this!

2) There is no mechanism to communicate with physicians in America3) The big challenge is linking data about a single patient and secure authentication of both patients and providers

So how to build the network? They are taking it as a given that there will be no single patient ID and no central database. (I’m not sure why they needed a year to figre that out but.,..) Instead we need a central locator index (a la Google) and common standards and agreed policies for data sharing. Markle is now doing a series of tests in Indiana, Massachusetts and California. (and with low tech community clinics in California)

What about the consumer and the PHR?

She believes that the "Un-tethered PHR" is not viable (one that a patient fills in) and is not an alternative to a national network. Patients need to have their data shared by whoever has it. (Preaching to the converted over here at THCB I hope).

They studied some of this and did focus groups (did 6, mostly health care professionals and policy wonks).  Their results were that we

–need to sell the benefits of the products not the features of applications

–privacy and security are very important (I think this is largely BS given the growth of other online transactions when privacy is being compromised left and right but Carol and the next speaker are very insistent about it) but they are changing their terminology to "secure" national health information exchange

–people see this is going to happen, so they can be molded into having the right opinion

–people want to see progress soon not in ten years

–in terms of the value of the EMR people believe that it a) will benefit their own medical care and b) physicians will have the best treatment information about the best practice option

–However, this needs to be done with the physician (people think that their doctor cares about them)

She showed the survey data, (about which I had some not entirely favorable comments last week) and obsesses over privacy…even mentions all the breaches of privacy (Choicepoint et al) but as I said this didn’t stop other online transactions.

She thinks that health professionals need to market the PHR and called on the AHIMA crowd to get involved in that.

Emily Stewart, Policy Analyst, Health Privacy Project, (healthprivacy.org)

Emily Stewart came from the Georgetown-based Health Privacy Project. While Emily substituted for her boss Janlori Goldman, she did a great job, and I’d encourage more big-wigs on the speaking circuit to let their staff members (who, lets face it, do all the work putting these talks together) to actually share the glory and the fun sometimes!

Emily and Janlori are privacy bigots — not that that’s a bad thing, but for them a la Vince Lombardi it does seem to be the only thing. So onto some numbers

One in 6 patients use techniques that avoid the consolidation of their medical records because of privacy fears, which will have impact on quality of data for treatment and research.  Only 1/3 of US adults trusted their health plans or the government, one in 5 believe that their info has been disclosed improperly. In a 2000 survey of Fortune 500 companies only 38% have not disclosed their employees information (I wasn’t clear if this was asked of HR people or who, but I’ll ask Emily).

So from some Harris data that THCB has run in the past, 70% are concerned about that, and 47% say that the potential bad side of the privacy effects outweigh the benefits of the EMR. She then told some horror stories, and there are some real people being harmed. Then she gave the horror stories about privacy breaches, ending with the Kaiser Permanente one that THCB readers know all too well about given that it was the story that I "broke". Although to be honest I can’t figure out who got harmed in that one. In fact I think that they’re mixing up the issue of a privacy breach with the separate issue of the negative impact of a privacy breach, by calling both of them per se bad things.

Illegitimate access to health data is motivated by profit and curiosity. So her conclusion is that privacy and security needs to be built in at the start. And HIPAA does indeed make a start here. But there is a laundry list of more rights and recourses against breaches that the privacy policy project is calling for. HIPAA should be seen as a base, and they believe that state laws stronger than HIPAA should not be preempted, especially in the areas of AIDS, genetic testing or mental health.

So far enforcement is lax (no penalties sent out by OCR at HHS), and individuals cannot be held liable under HIPAA (new DOJ ruling). Needless to say the privacy project doesn’t approve of that laxity.

In addition, the bio-terror networks and surveillance systems (since 9-11)  have no privacy standards and guidelines at all…no legal agreement between law enforcement and public health authorities. She says that their needs to be an open debate about use of data from the public health and bio-surveillance network. With that one I completely agree. I’m far more scared of the Federal government and law enforcement misusing that data, but then again I am a card carrying ACLU member!

Mark Frisse, Vanderbilt (ex-First Consulting, ex-Express Scripts)

Mark Frisse was up next, and having left the consulting and the PBM racket he is now in Tennessee working with a new RHIO. He believes that the rate limiting factors for RHIOs and EMRs are privacy and identity management — not cost.

Funded by Federal and state moneys, there is one of several RHIO experiments up and running at Vanderbilt. They have live data from 8 institutions serving 1 million people, but not live yet (only in the lab) They are not the vendor, and Frisse thinks that there is nothing to "own" for a vendor. (I find this) funny because in the early CHIN days everyone thought that the vendors would pay and the vendors thought that everyone else was going to pay. In the end no one paid.

What are they doing? They are starting with emergency departments because of the Medicaid issue in Tennessee and there’s a great value in reducing costs, especially because of reducing redundant testing. But he doesn’t think that they’re doing it because of that, they’re doing it because it should create better health care. Mark really also does gets the concept that a redundant test is actually part of someone’s livelihood–there are economic incentives for the status quo.

His Great quote "What have you (the AHIMA med records people) missed by not attending RHIO meetings so far–bad coffee, and stale bagels, and everyone in the parking lot outside saying –‘do you really believe that stuff? Nah’ "

Mark says that the same warfare as ever between different power interests is going on, but Katrinahealth.org showed that public-private partnerships can work. You can diffuse these disputes by saying, what’s the right thing to so?

He certainly can’t be blamed for being too pessimistic!

Finally up was Scott Wallace from the National Alliance for Health Information Technology. He came to talk about interoperability, as he heads the commission on systemic interoperability (CSI) that’s supposed to look at what interoperability is. He calls interoperability the rule of once–data put into the system once and its use is authorized everywhere. (Methinks he was a java gear head at one point)

CITL (Blackford Middleton’s shop) has a 4 tier definition for machine interoperability

–non-electronic

–machine transportable (fax)

–machine organizable (HL7)

— machine interoperable (e.g. any phone on any network can call another one on any network)

Scott’s general view was that we are going to coalesce around standards. But as his report is out next week there wasn’t much more he could say!

In addition to the standards body there will be a Certification Commission for Healthcare Information Technology — created basically by Linda Kloss at AHIMA. Brailer on Monday suggested that if you don’t get your product certified then bad things will happen. Maybe no one will buy it, or be able to use it on the network, or something bad. However, I think they’ll find that America’s entrepreneurs don’t really like that kind of certification. (But take heart standards guys, ISO9000 is very popular in south-east asia where it’s used in advertisements, as in ‘our factory is ISO9000 certified!’)

Scott wasn’t so keen on Emily and Carol’s obsession with privacy. He even thinks it has the wrong name, as we’re not concerted about privacy but really about confidentiality. Privacy is about no one else seeing it. Healthcare is about confidentiality as you so want to share information knowing that your providers are going to respect your confidentiality.

Scott thinks that if we optimize our systems just to protect privacy we’re going to miss out on other things. Katrina showed that people didn’t care just about confidentiality and consumers are aware of this. No one knew about their records. Katrina has made policy makers realize that health care is a national security issue, and of course if we can cast it as that then it’s fundable. (Same with avian flu)

Categories: Uncategorized

Tagged as:

4 replies »

  1. I agree with gadfly that rather than using the healthcare provider itself, there are many privately run national healthcare associations that could be used as the arbiter. These organizations already handle personal information of their membership base. Perhaps a trusted certification organization or national healthcareer association might work.

  2. I mentioned this in a comment elsewhere, but I want to reiterate that while I think it’s good to have centralized, portable electronic records (the ring binder is vulnerable to a house fire, for example), I don’t think the steward of that centralized information should be the Healthcare providers. They will abuse it to increase profitably and use the demographic information in ways that may, indirectly, push the patient out of the pool of people with health care coverage (since HMOs just want to cover people who don’t utilize their services – it’s free money.) Anyway, I like the concept of an electronic personal lockbox.

  3. What about a hybrid type system where the patient and a central database both “have” the information. Something like a password/PIN protected portable storage device (USB key or similar). Patient receives care, data goes into the databse and the patient gives the USB key to the front desk and they update the record maintained on the key (as well as the central database). Now we promote the patient responsibility that Mr. Novack speaks of as well as immediately having a back-up copy. I am not tech savvy enough to know if you could use a “credit card” sized dvice that could be swiped, but that would be nice. Additionally, the card can have the patients demographic and personal info so it could be used to fill in a standardized intake form as well as give the patient additional diagnosis specific links or info as well. It could also link directly to the patient HSA (that’s for Ron) or other insurance info in near real time. I’m sure there are privacy and technology challenges, but so many other industries have similar technology (credit card co’s, video rental co’s, cruise ships and all inclusive resorts).

  4. Matthew- private organizations leading the way in healthcare- (foundations putting together health info)– is that really what you want to be promoting?
    Let me promote a simple method of health record portability- and cheap- when you go to the doctor, request that copies of each visit are sent to you. Then keep a three ring binder of that at home. If you take medications, keep a list with you in your wallet or purse. For operations and hospital stays- get a copy of the operative report and discharge summary.
    Just like you should keep bank records or tax records.
    This message should be on every health IT consultant’s list of first steps toward transitioning to EHR/PHR. We (all of us individually) must understand that our health- which includes copies of what has been done in the past- is our responsibility.
    The government does not mandate “emergency health” bracelets that many wear- yet those people understand that their health is important enough to have information available to doctors so that precious time, energy, and resources can be better devoted to helping them when the need arises. Keeping a folder of health information does that for all of us.
    Simple, cheap, easy, and effective.