The Markle Foundation put together a group creating a road map over the last few years and today they announced their new policy framework for privacy in PHRs and personal health information. In general this is a great framework, and hopefully will help gain more consumer confidence in PHRs and other uses of personal health information online by consumers and doctors. (The AMA was on the call and was a “supporter” if not an “endorser.”)
Overall I’m not sure that privacy is that big a deal (as I’ve written elsewhere). Given the choice between being private and being useful, most people pick useful. (You’ll give out your Social Security Number to just about anyone to make a credit check). So I think that PHR and consumer online services need to be useful first. It was a little telling that when someone asked if this would change any of the PHR vendors’ actual activity, they all said that they’d been adhering to these processes all along! But there is something to being publicly and loudly transparent about it.
There is, though, one tricky problem regarding disclosure of health
information, and that is of course the impact it has on your wealth. So
I asked the tricky question. They have AHIP, Aetna and BCBS Association
(and Dossia) on their list of endorsers. They also have a separate policy about Discrimination and Compelled Disclosures (PDF is here).
But as I asked, given that insurers (and some employers) already do
discriminate based on health history, and thereby greatly impact
people’s wealth and their own of course, what’s the point in them
saying that they won’t go fishing in the PHR? The answer is in the
policy document (and to be fair it’s all they can say.)
(The) Technical Overview discusses “business data streams” and
“consumer data streams.” Business data streams consist of transactions
of personal health information among business partners conducted
without a consumer view or participation. For example, consumers
generally don’t see the transactions between their doctor’s office and
the insurance company, or between the insurance company and its data
warehouse, etc. Consumer data streams involve transactions of
information into or out of a consumer-accessible application, such as a
PHR. In addition to the enforcement of existing anti-discrimination
laws, any organization acting as Consumer Access Service or PHR
supplier should maintain a “firewall” between consumer data streams and
business data streams to ensure that data captured or stored in
consumer applications are not used as a basis for discrimination.
In other words, the plans have offered not to dip into the PHRs on
their site or compel data from other PHRs for “business purposes.”
That’s all well and good, and frankly what else could Markle say? I wasn’t expecting to hear "We got AHIP and the Blues to promise to not underwrite anybody at all." Not exactly likely!
Health plans are now saying to the individual: "We won’t use what you put in your PHR, but meanwhile please list your entire medical history on this application form!"
They’ve of course been doing this forever, and the PHR privacy issue is
a total red herring in terms of health plans and their bad behavior—whatever Deb Peel et al may say.
Another question asked was, where were the big EMR companies? None
of them have signed up thus far. David Lansky said that they’d reviewed
documents but didn’t see themselves being too close to the consumer.
Fair enough, but the comments of the Cerner folks about Google Health the other week suggest that they’re not exactly on board and I think we all know why!
However, when all is said and done, big time Kudos to the folks at
Markle (especially David Lansky) for putting this unwieldy team
together, and big props to the vendors and users who got so deeply
involved in it. Scut work, but necessary.
So now I hope that the vendors can point to the Markle (or more
likely Consumer Reports) seal of approval—yes they were on the call
too, and the press can write about something else other than privacy
violations when discussions come to health IT. Some hope….
Nice capture of yesterday’s call. I was the one asking about the EMR vendors and yes Cerner is not exactly jumping in with both feet (though they did send someone to the HealthVault event a couple weeks back). Epic is even more intransigent having heard from many a PHR vendor as to how difficult they are to work with and they’re the platform behind Kaiser’s portal! Cleveland Clinic’s as well.
Thought you raised a good point as well as to AHIP/payers use of data. We’ll have to see where that goes in the future. If consumers perceive value that exceeds risk, the privacy issue will fade to a certain degree. Right now, few PHRs provide sufficient value, though most are working hard at it.
One curious thing which I wrote about over at http://www.chilmarkresearch.com is the lack of employer groups endorsing the privacy framework. Maybe Markle believes they have it covered with Dossia, but Dossia is pretty unique and not exactly representative.
All in all continued good work by Markle (& Lansky), and this young industry could certainly use some high-level guidance on what is an appropriate privacy framework as today, it is literally all over the map.