An Open Letter on the NATE Trust Community

The proposed NATE Trust Community  is a privacy-invasive, rent-seeking, and cynical measure that will further fragment the already balkanized Direct secure messaging system and disenfranchise individual patients and physicians.

The proposed NATE Trust Community is a combination of:

  • weak, self-asserted security and privacy claims by institutions and corporations (privacy-invasive), who are

  • willing to pay the membership fee (rent-seeking), to the

  • exclusion of individuals bearing strong identity-proofed certificates such as those issued by the Federal Bridge Certification Authority as originally designed into the Direct secure messaging concept (cynical).

By excluding individual real people from participating in Direct, NATE is violating the core of the physician-patient relationship. The Massachusetts Medical Society has formally voted its objection to this method of implementing Direct in resolutions declaring that FBCA certificates be acceptable for Direct messaging. Physicians paying many $thousands in licensing fees and malpractice insurance each year deserve the opportunity to message with other physicians and with their patients under their medical license. This was our right and practice with Fax and US Mail and it should not be removed as we move to digital messaging.

By excluding individual patients from participating in the patient trust bundle, the NATE Trust Community is trashing the option for privacy-sensitive individuals to operate their own open source mail clients. Recent experience, amplified by the Snowden revelations, has shown great interest in end-to-end encryption that denies any institutional or cloud intermediary access to the message content. The proposed NATE Trust Community would be incompatible with open source communities that wish to serve and support individual patients.

As proposed, the NATE Trust Community also raises serious concerns around patient identity and the privacy implications of using a Direct email address that the patient does not control as a de-facto health ID. Direct email addresses, if they ever make it into widespread use, will become like the plain email addresses we have today: convenient, globally unique person identifiers used to track users and reset passwords. They will effectively become your health ID. The email address policies proposed by the NATE Trust Community are coercive and non-portable. The option for a patient to control their own Direct email domain is not considered. The NATE-proposed email addresses can even be reused after 3 years. The use of multiple Direct email addresses by a patient for privacy reasons (the way we use regular email IDs today) is not considered.

Here’s a review of slide 25 of the NATE presentation with our comments in bold after each point:

But how does this relate to provider- facing Trust Communities?

  • There are fundamental differences in what applicable law applies to providers exchanging PHI with other providers that simply do not apply when they are exchanging with their patients

    • What law? Providers have a right to exchange PHI with anyone under their medical license. That includes patients.

  • Patients have a right to their data always whereas providers have to establish why they should be authorized to have access to some forms of health information

    • Patients have a right to their data without unregulated, self-asserted institutional intermediaries.

  • From an identity management perspective, pre-existing infrastructure related to identity proofing providers can be extended to support higher levels of identity proofing for doctors within their existing operations. No such infrastructure exists for consumers today

    • FBCA and US Postal Service-based identity proofing is available to all citizens and needs to be the foundation of a 21st century secure messaging system. NSTIC / IDESG is a public-private process, now in its third year that will advance this infrastructure.

  • From a risk based assessment perspective, things that are warranted for providers who have access to hundreds or even thousands of patient records simply does not exist with regard to consumers accessing their own information

    • This has always been the case. That’s why individual providers are licensed and carry malpractice insurance. Is this a reason to disenfranchise either the provider or their patient in the digital domain?

  • Given these and other justifications, establishing separate trust communities between providers and patients makes practical sense – especially since there are a number of ways these two can be used in a symbiotic way for the benefit of both the providers and the patients

    • Fragmenting a messaging address space is not a sustainable idea. Combining an attribute (licensed physician, licensed nurse, employed clerk) with an identifier (the Direct email address) is not a scalable concept. People have many attributes, some are verified in different ways. People also have many identifiers. We use directories to link identifiers and attributes. Bundling them makes interoperability much harder.

  • There is the potential for a symbiotic relationship between Trust Bundles that have focused on provider-facing applications and those that focus on consumer-facing applications

    • What symbiosis? This may be true from an institutional perspective. It is cynical and self-serving from both the provider and the patient perspective.

  • As was described in the section on how this works, there are a number of convenient ways provider-facing Trust Bundles and consumer -facing Trust Bundles can be implemented that are seamless to the both the provider and the consumer end user

    • We have some two years of experience with Direct and trust bundles. The experience of developers, physicians, and patients speaks for itself. The governance of Direct by vendor-dominated and funded organizations such as DirectTrust and NATE has failed. If we want Direct to succeed, the governance of Direct needs to be given to true public institutions representing patients and licensed medical professionals.

  • Bottom line – Consumer-facing bundles and provider- facing bundles are complimentary to one another

    • Unfortunately, I have to agree.


PPR hopes that the states and the vendors underwriting the NATE process will consider alternatives to vendor-dominated governance and discard the current draft. By pivoting to person-centered trust, NATE can seize the opportunity to lead in the direction of making Direct a showcase for physician-patient engagement. That’s how we all can work together toward the Triple Aim.

Adrian Gropper, MD

Chief Technology Officer

Patient Privacy Rights


Deborah Peel, MD

Founder and Chair

Patient Privacy Rights


Categories: Uncategorized

Tagged as:

22 replies »

  1. As requested by Adrian, I’m moving the Deborah & Matthew show to another thread, so look for it on the main page soon and meanwhile please resume back to Adrian’s original comments.

  2. athenahealth does not sell patient data. Please see here for our views regarding an economic model for health information exchange: http://www.athenahealth.com/blog/2014/04/08/a-walk-back-and-setback-for-sustainable-hie/ Also, it’s worth mentioning that athenahealth treats interoperability as part of its service — not a separate invoice of add-ons. In fact, this week athenahealth announced CommonWell interoperability services will be offered to its 59,000+ providers services for free.

  3. Deborah–I understand that with enough computing power and probabilistic matching you could re-identify data if you really wanted to but as you know it’s illegal which makes it kind of unlikely that a large publicly traded company would do it as openly as you think they are doing it. My understanding is that IMS gets given connected data by organizations that are allowed to connect it (covered entities) who strip the identifiers from it, or at least that was what they were doing back when I knew the company that does that for them (Pharmetrics) well. Most of the data IMS receives BTW is prescription data which has the physician identifier on it but not the patient. You may not like that but it’s not illegal.

    Practice Fusion claims it sells de-identified aggregated data. And so far not too successfully if what’s said about them on Secret and by various VCs off the record is to be believed. Certainly not $250m worth, and maybe not a teeny percentage of that. Why you think they are selling identified data when again it’s illegal.I’m not sure, but perhaps they’ll clarify. And yes several others (inc GE) try to sell de-identified data. again not too too successfully. The $$ value of the EMR software and services market is far far greater than the size of the data sold from it

    athenahealth was not looking to sell the data they collect in the example you discussed. They were trying to get it transferred from one provider to another to increase the efficiency of the referral and check in process. That’s “selling” data exchange between 2 covered entities. BTW I’m not sure they ever got it done

    In all these cases you say they are doing something the companies say they are not doing, and you never cite any proof. Sure, they could do that, but the risks to their business are huge and I struggle to see the upside. You may well be better informed than me, and perhaps we can get some of these companies to comment.

    If you think all data sales of any type (or for that matter all data collection for secondary uses) should be illegal, you are entitled to your view. Apparently it’s a view your colleague Adrian doesnt share because he thinks that this should all be collected in a public database. I actually agree with him but that data too would be funded (in this case by the taxpayer or user fees I assume) and would also be subject to re-use by thrid parties.

    My final conclusion for you is that if the major business model of health IT is de-identifying and re-identifying data, the business is in very, very sad shape. Luckily for most of the major players in that business, they make money selling software or online services–a revenue stream many times that of data sales of any kind.

    PS THCB doesn’t have opinions or support anything. I own it but I’m not the editorial director, have no control and barely even write any more. If I did exercise control and only had people I agreed with on it. do you think your name would be in a by-line? 🙂

  4. Hi Matthew:

    Thanks for pointing out the articles where you think I was distorting the major business model of the Digital Age: selling pii.

    Some key points:
    1) You imagine re-identification and aggregation of health data is not happening, when it is rampant. The business model of big data requires the massive collection and aggregation of all pii about you in order to combine it into very detailed profiles of you and millions of other individuals over time. “De-identification” and “anonymization” are processes that simply do not deliver what the words describe. But Congress, courts, and the public don’t know this yet.

    2) Longitudinal real-time profiles of patients, which many entities sell, require re-identification in order to aggregate info about each individual–if they can’t link yesterday’s data about you with today’s data, they could not create longitudinal profiles.

    3) Check out the 3 page paper by Narayanan and Shmatikov that states it’s now easy to re-identify data because there are so many public data sets that can be used to match people with their data. The ease of re-identification has been well -known to computer scientists for years.

    How do you justify ignoring computer science? Here is the link: http://www.cs.utexas.edu/~shmat/shmat_cacm10.pdf It’s written for general audiences by the guys who re-identified the AOL and Netflix research data bases.

    4) Please look at the IPO filed by the world’s “leading information, services and technology company”. It describes how the company aggregates longitudinal “anonymous” profiles of 500M people daily by adding new info from “EHRs, claims data, prescription records, and social media”. The company sells health data profiles to “5,000 customers” including the US government. The company will identify patients that customers seek for clinical trials, for example. That means this company is identifying and targeting specific people without their knowledge or consent.
    See: http://www.sec.gov/Archives/edgar/data/1595262/000119312514000659/d628679ds1.htm

    This company buys, sells, and trades pii with “100,000 health data suppliers covering 780,000 live daily health data feeds”.

    Finally, why would athenahealth charge doctors less for using their EHR if they agree to allow athenahealth to use and sell patient data–unless they derive profit from the use of the data? As a corporation their legal duty is to deliver profits to shareholders, not transfer data to help patients. Do you believe athenahealth would transfer data if it lowered annual revenue?

    The business model of many EHRs is in fact selling patient data.

    The man who most blatantly explained the model of selling patient data is Ryan Howard, CEO of Practice Fusion–PF’s EHR is FREE to the doctor because Practice Fusion sells patient data. Howard has been quoted in books and articles saying this. Two quotes: “Practice fusion subsidizes its free EMRs by selling de-identified data to insurance groups, clinical researchers and pharmaceutical companies” and “Every healthcare vendor is selling data. Everyone has this data, but we’ll have more of it and it will be real-time and aggregated,” Howard said. The URL is: http://www.healthcareitnews.com/news/practice-fusion-expands-shows-signs-rapid-growth?single-page=true

    Chris Anderson’s 2009 book called “Free” features a graph about Practice Fusion’s business model that shows if they license the software they would make $100M, but if they sell patient data they make $250M. See page 104. The page is titled “How can healthcare software be free? (Hyperion is the publisher).

    Now that I have written this out for you, it astounds me that you—a very, very smart man—are seemingly not aware that selling pii is the major business model of the Digital Age: it’s the business model of Google, of Facebook, etc, etc.

    Either you are in denial of reality (which seems unlikely) or you truly believe the hype and propaganda of the government and industry: that business that collect, aggregate, and sell PHI and pii will ONLY use our pii for good. It’s not an accident that the army of health data brokers that collect, aggregate and sell personal health data claim they are only helping us. The problem is, if they use it for good, why is what they do totally hidden from us: the collection, sale, and what they use the data to do can’t be discovered. How can we find the 880,000 companies that buy, sell, and trade information about our minds and bodies?

    If the health data broker industry really wants to ‘do good’ with our data, why don’t they just ask us first? And why did this industry fight the ban on the sale of PHI in HITECH? The Omnibus Privacy Rule regs grandfathered in all sales of PHI, which just happens to benefit the health data broker industry. Virtually every company that touches our PHI treats it as a corporate asset and sells it. Even states sell patient data. See: http://thedatamap.org/states.html

    You and THCB should support examining facts about the health data broker industry and promote HIT that enables the benefits of technology and prevents the massive harms: #1 violating patients’ rights to privacy and control over PHI and #2 the distrust of physicians and the healthcare system caused by today’s poorly designed HIT.

    If THCB does not look at facts or at what the vast majority of public wants and expects (ie control over PHI, with rare exceptions), it will remain just an industry shill.

    I thought inviting me to participate meant you were finally willing to acknowledge the critical importance of human and civil right to privacy.

    Deborah C. Peel, MD

  5. Matthew,

    Dr. Peel will likely speak for herself but I would like to clarify my perspective of the issues you raise in terms of payment for health information exchange and appropriation of patient data.

    With respect to payment for interfaces, a position widely promoted by Jonathan Bush of athenahealth, charging everyone for health data exchange would be a far fairer way to pay for HIE than charging vendors for certification. Charging tens of thousands of $ for certification discriminates against individual doctors, patients, and open source communities. Charging for actual usage, the way people and hospitals pay for a postage stamp or a fax, would not favor corporations over individuals and would enable all sorts of Health 2.0-type innovation. I have made this suggestion to NATE as a way of paying for them to operate a NBB4C trust bundle that did not discriminate against individual users. They have not yet responded in my private communications or to this thread.

    With regard to personal data appropriation under cover of de-identification or coercion as a condition for treatment, the question is: do we want to privatize medical knowledge and sell it under license one answer at a time? At what point do we stop making medicine secret?

    Here’s a real-world case. Traditional labs are now collecting outcome data and then selling it, in the form of medical knowhow, to other lab clients. Examples include Foundation Health and CollabRx that do cancer genomics tests and then sell interpretations based on the patient outcome data they also collect. This promotes secrecy on the part of the lab (making comparable tests diminishes the value of the proprietary database) and fragments the universe of medical knowledge. Is this a sustainable strategy?

    If I’m a cancer patient and I pay a lab for a genomic test, should I send my health record to both Foundation Health and CollabRx in order to maximize my chances of helping fellow patients? Or, should I send my data to neither one and send it, instead, to a non-profit medical school or foundation that will be able to combine my data with all of the other appropriate patients and publish it for the world to use? If I, as a patient, have a choice of genomic test labs, how much would I pay to get the result in a standard format and send it to a public database instead? Genomic tests can cost over $1,000 each. Running a database to help science with the results costs pennies. If the interpretation databases were freely accessible how much cheaper would that $1,000 genomic test be?

    Personal data appropriation, under various covers such as de-identification, hurts everyone and enriches a few. Medical knowledge was never secret in the paper world. The digital transformation makes information processing much cheaper and more accessible than paper. Why would we shift to making medical knowledge secret, in the form of secret software and secret databases, just when this world of opportunity is opening up?

  6. Dr Peel

    Exhbit A on data exchange


    In which athenahealth suggested that providers paying each other for data exchange would speed it up, and you said that they wanted tp sell patient data when they were instead suggesting paying for data that was ALREADY being exchanged (just not enough of it or in efficient manner) just as the national HIE program is trying (albeit not trying hard enough) to do. At the least your words are a complete distortion of what athenahealth was suggesting. The careless reader may have thought you were accusing them of selling patient data to any buyer, when they were trying to prevent a patient having to fill in the damn clipboard one more time when they move from one doctor to another (or to a hospital)

    Exhibit 2, your comment above
    “Why isn’t healthIT set up like online banking, where we control our ‘assets’–ie our data?”
    Health data is now the most valuable digital commodity of all. US industry and govt freely use and sell it without asking us.”

    You don’t think banks and absolutely everyone else in the financial chain sell & trade our data? How do credit bureaus operate if not?

    You still have never cited an example I’m aware–despite me offering you the forum many times–of where a HIT vendor has sold or traded identified patient data outside of HIPAA regulations. Yet in 2008 you were quoted in the WaPo http://www.washingtonpost.com/wp-dyn/content/story/2008/03/10/ST2008031001828.html?sid=ST2008031001828
    thus “Many online PHR firms share information with data-mining companies, which then sell it to insurers and other interested parties, Peel said.” As far as I recall you always fall back on the remote possibility that data might be re-identified after it’s been sold. I still wait to be convinced on what might then happen with it. Easier for a hacker to break into Target and steal credit cards and a lot more valuable

    My hope was that working with Adrian you had moved over to the idea that exchange data electronically would improve the patient care experience, and that we’d all work together to make sure it happens safely. But going off on the state of HIT and comparing it to totalitarian states reminds me of what John Lennon said in Revolution about carrying pictures of Chairman Mao.

    I apologize for conflating PPR with the World Privacy Forum. I thought you and Gellman worked together & his report on PHRs referenced PPR and you extensively if I recall. Although that was 8 years ago so much has changed including my memory’s capacity…

  7. Holt:

    Speaking of screeds, I just read yours. I would really appreciate you leaving out the insults and wrong facts–and actually the World Privacy Forum was not an ally that we worked with. When will you stop making things up about PPR and what I think and do?

    I have no idea what you referred to when you wrote I made “ridiculous statements about the concept of data exchange”. Please explain.

    PPR has always fought for patients’ longstanding rights to control data exchange. It still is our right under US law and medical ethics. FYI–patients controlled information exchange in the paper age, because nothing moved without our consent. That enabled us to trust that our information was only used for purposes we agreed with and prevented the vast hidden health data broker industry (over 880,000 health data suppliers).

    PPR’s solutions to fix HIT, to make it trustworthy, are free to download on our website–it’s a short chapter in a book published by HIMSS: http://patientprivacyrights.org/wp-content/uploads/2014/06/Peel-chapter-HIMSS-book.pdf

    Please read what PPR and I actually stand for: realistic solutions that offer all the benefits of HIT and prevent the harms. The chapter is much simpler than our letter, which you found to be incomprehensible.

  8. Hi Will:

    If it’s so complex to identify individuals and communicate directly with them, how come virtually every other US business or company you can think can have a direct relationship with us online? Technology is not the problem.

    See my comments above.


  9. Amen, Peggy.

    Why is it that every other US company or business can connect directly with individuals online except physicians, healthcare and HIT companies?

    Why isn’t healthIT set up like online banking, where we control our ‘assets’–ie our data? Online banking allows us to set up automatic transfers and to make one-time transfers, we can see/track all transactions in real-time, we can set up alerts for suspicious or unusual activities or transfers, and we can change our preferences at any time or delegate control.

    Technology that enables patients to control PHI does exist, in accord with our expectations and rights, but industry and govt instead built HIT systems that violate medical ethics and the laws requiring consent before health information is used. Govt and industry fail to understand that ethics and privacy law is what enables patients to trust doctors and share sensitive information. The practice of Medicine has always required patient control over the disclosure of personal health information (with very rare exceptions).

    Health data is now the most valuable digital commodity of all. US industry and govt freely use and sell it without asking us. Our PHI is now held in millions of data bases unknown and inaccessible to us.

    The systemic hidden use and sale of PHI is the worst data privacy breach you’ve never heard of. Not only is this system of hidden data use a threat to the practice of Medicine, US HIT systems are the most intrusive surveillance systems in the Western world—far worse than the NSA’s spying on cell phones. It is actually a threat to our freedom and our Democracy. How ironic: US surveillance is far more comprehensive and detailed than the worst totalitarian regimes could ever imagine.

  10. I will not attempt to deal with the technical details of what must be done to provide patients with complete and unfettered access to their own records and ALL the information that is fed into those records. As most patients, I want that access in my own terms and in my own email/USPS/fax etc of my choosing, the ability to send to any providers whom I choose, to make corrections in the record with some basic protections for accuracy, and to open those records for additions from new providers and so on.

    What I want most from the technical providers is some format to be created which gives value to that record in terms of history, diagnosis and treatment decisions. Without this kind of access, there will continue to further distrust of the medical world and its various providers by the patient. This could destroy the medical system as we know it now, and prevent the development of the kind of health outcomes that all truly desire.

  11. Thanks Matthew for hosting, and hopefully moderating, a much needed debate on the core policies and practices for consumer engagement.

    CommonWell, HealtheWay, Carequality, Qualcomm 2net, and almost every state-supported Health Information Exchange are all EHR-to-EHR designs that are completely inaccessible to consumers and also inaccessible to the vendors that proposed the NATE Trust Community. That’s the reality of Direct and Blue Button Plus today. What you see as an attack on our part is simply a wake-up call to patients and physicians and an effort to draw the NATE community into an open discussion.

    a) The State of Play: EHRs and their tethered PHRs rule the day. EHRs have no reason to transfer patient or physician engagement to PHRs and continue to do everything in their power to obstruct that process. As long as physicians can’t control what information moves to or from a patient-centered technology, there is no significant strategy for PHRs to become part of mainstream care. PHRs are currently a vanity product with an uncertain business model. Second generation market introductions like Apple HealthKit are now offering the EHR vendors and their hospital customers a new way to bypass the PHR and connect directly to wearables and patient-controlled apps.

    b) NATE is proposing a NBB4C “trust bundle” that separates the PHR community from the HIPAA “treatment, payment, and operations” community with their DirectTrust “trust bundle”. The main differences are the lack of HIPAA-related controls and the replacement of audits with self-assertion. Their hope is that hospitals and EHR vendors will adopt BOTH DirectTrust and NBB4C and thereby change “the state of play” described above.

    c) The PPR comment has three major components:
    — First, there are risks to consumers in letting our data move from HIPAA-covered entities that are subject to “The patient’s right of access” and an “Accounting for Disclosures” to unregulated and self-asserted intermediaries. Competition and the FTC will surely provide some protection but the fact that NATE’s governance mechanism is not open means that valuable time will be lost as FTC enforcement and market mechanisms lag by many years. For example: http://www.ftc.gov/news-events/press-releases/2014/11/truste-settles-ftc-charges-it-deceived-consumers-through-its For another example: How many of the NATE vendors offer Blue Button Plus access to get data OUT of their walled garden?

    — Second, hope is not a strategy. Hope hasn’t worked for transparency of cost or quality. Hope hasn’t worked for Direct or Blue Button Plus even after years of work by many dedicated people and hundreds of $Millions invested by Microsoft and other PHR vendors. Hope is not an alternative to clear right-of-access and accounting for disclosures regulations.

    — Third, PPR proposes that NBB4C include strong individual federal bridge (FBCA) certificates alongside their self-asserted vendor certificates. We have made exactly the same request of DirectTrust and have been able to get a major medical society to officially make this their policy. Adding FBCA individual trust does not preclude trust communities from differentiating according to different institutional policies. It does not preclude different trust communities form offering more convenient or cost-effective alternatives to the FBCA. It simply sets a floor for physician-patient collaboration and who can argue with that?

    I truly hope some of the NATE vendors take the opportunity Matthew and THCB have given us for a bit of open discussion. This may be the core unresolved issue created by Meaningful Use as we head for the next round of health policy decisions.

  12. @ Holt
    I’m not blaming Adrian or Deborah. They’ve got the arcane jargon right and they are warning us. The concepts are somple: that folks transmitting PHI want to know the quality of the senders and receivers and their legal right and certification to be doing this.

    It’s just that when you actually begin to think this through, it becomes amazingly frightful and complex. Eg How does a patient who is generating some of his own health data–say he has an outside lab doing INRs and he wants to upload this to the “mother” database–get the system to trust him and let him in?

    And, of course, you have every conceivable combination of transmissions: provider to provider to patient to insurer to business/billing/audit/government offices–in any direction and at any time, including shortly after death of the patient. And you want to put a stamp on these that says valid, OK, and secure.

    The whole effort is important, right? The problem to me is that it may be impossible. Software can’t always be written that works. Recall the Denver International Airport baggage handling software? They gave uo. Too complex. They quit. Also, its incredibly top down. This is not good. also hackers are getting ever more clever and this stuff is super valuabe data. The effort just has a unworkable gloom about it. It just seems an expensive fork in the road that will arrive at a dead end.

  13. Amen, Doc. The money is the thing. All the lip service given to “trust” and “privacy” is a smoke screen for “I’m monetizing this b*tch.”

  14. Adrian/Deb, I don’t know how this one slipped past the editors at THCB central but if your collective goal was to elucidate this debate you have failed miserably. I vaguely understand this stuff and have some idea what BB and Direct are all about, and frankly have NO idea what this long screed is about.

    I am loathe to spend too much time getting into the details (although I might) but it seems to me that Adrian is saying that only doctors and patients should be able to message each other, and that NATE is trying to prevent it. As far as I can tell, NATE is a bunch of vendors who want to make it as easy as possible for patients to download data directly and move it among their providers under their control. How this is contradictory to what Adrian wants is beyond me,

    And that’s the point. What Adrian & Deborah are saying is beyond me. This is a long jargon filled rant that anyone with less than Adrian’s arcane knowledge of the topic has no hope of understanding. And I am prepared to bet the group that doesnt understand includes Jeanne, Casey and all the other commentators (and probably Deborah Peel too).

    Frankly Adrian (and possibly NATE too) need to go back to high school composition class and explain
    a) what they perceive to be the state of play with Blue Button now
    b) what they think NATE is proposing
    c) what they’d propose instead

    As it is, this is not a helpful open letter, and it makes a bunch of aggressive claims against mostly teeny vendors who have historically been on the patients’ side in terms of accessing data. So Adrian, Deborah & PPR need to do a lot better. Or else they risk being excluded back to the fringes like they were in the days when Deborah & her allies at the World Privacy Forum were making ridiculous statements about the concept of data exchange.

  15. “FBCA and US Postal Service-based identity proofing is available to all citizens and needs to be the foundation of a 21st century secure messaging system. NSTIC / IDESG is a public-private process, now in its third year that will advance this infrastructure.”

    Are you going to trust the US Postal Service when they cannot secure their own infrastructure?

    U.S. Postal Service Says It Was Victim of Data Breach

  16. OUR health records hold the key to both quality and cost. In our private-but-regulated health care system, this makes OUR health records deeply strategic and subject to manipulation by every organized “stakeholder”.

    Casey, Jeanne, and William are typical of the patients and physicians that should be the principals, the PRIVATE principals, in how health records are stored and maybe shared. The Society for Participatory Medicine and the Massachusetts Medical Society have figured this out. Maybe some states and state HIEs will catch on as well.

    Who out there believes that Direct and Blue Button can succeed if the patients and physicians are not in the leadership when it comes to policy?

  17. @Mighty Casey
    I think the proponents of this Byzantine NATE scheme need to risk something themselves if this complex problem is not solved. Perhaps have them bet in some futures market. The losers, as mentioned above, might need compensation with a sort of credit default swap type insurance.

    Just think of how valuable and marketable some of the health information is:
    employers want to know about health of future employees, spouses and lovers might like to know about STDs and HIV and past abortions, advertisers want to better aim their brochures, owners of senior living facilities would like to know health of applicants for residency, politicians would dearly appreciate health info re opponents, adopted folks might appreciated health info about biologic parents, newspaper columnists would surely like some of this data, especially about drugs and rehab and about psychiatric history. Life insurers. Graduate school admissions offices. It takes no imagination to go on and on.

  18. Funny, this healthcare consumer feels no trust – bundled, or not – toward any of the players involved in determining “trust bundles” over my virtually supine form as they discuss and decide who will be able to see/read/exchange MY. ****ING. MEDICAL. DATA.

    Seems clear that the industry players in this effort are interested most in preserving their slice of the revenue pie – +/- $3T per annum at last count – and least in making PHI available/useful/actionable by the patient whose PHI is being exchanged.

    I’d love to slam the door shut on the fingers reaching for my data, the better to ad-target and shift me in their direction of choice (“ask your doctor about” rampant). However, it seems that the NATE Blue Button peeps are determined to nail that window shut, leaving me only able to look through such windows as they allow me to access to see my own damn data.

  19. PHI can be so valuable and marketable that parties need skin in the game to insure privacy. Just as a credit default swap functions as insurance against default on the part of the seller of the bond–the buyer of the bond (the lender) receives compensation from a third party insurer if the seller(the borrower) defaults on his repayments–a sort of transmission default bond purchased by sender or receiver of PHI might serve to compensate the loser of high value health information and stomulate the maximum security effort from both parties.