
An Open Letter on the NATE Trust Community

The proposed NATE Trust Community is a privacy-invasive, rent-seeking, and cynical measure that will further fragment the already balkanized Direct secure messaging system and disenfranchise individual patients and physicians.

The proposed NATE Trust Community is a combination of:

  • weak, self-asserted security and privacy claims by institutions and corporations (privacy-invasive), who are

  • willing to pay the membership fee (rent-seeking), to the

  • exclusion of individuals bearing strong identity-proofed certificates such as those issued by the Federal Bridge Certification Authority as originally designed into the Direct secure messaging concept (cynical).

By excluding individual real people from participating in Direct, NATE is violating the core of the physician-patient relationship. The Massachusetts Medical Society has formally voted its objection to this method of implementing Direct in resolutions declaring that FBCA certificates be acceptable for Direct messaging. Physicians paying many thousands of dollars in licensing fees and malpractice insurance each year deserve the opportunity to message with other physicians and with their patients under their medical license. This was our right and practice with Fax and US Mail and it should not be removed as we move to digital messaging.

By excluding individual patients from participating in the patient trust bundle, the NATE Trust Community is trashing the option for privacy-sensitive individuals to operate their own open source mail clients. Recent experience, amplified by the Snowden revelations, has shown great interest in end-to-end encryption that denies any institutional or cloud intermediary access to the message content. The proposed NATE Trust Community would be incompatible with open source communities that wish to serve and support individual patients.

As proposed, the NATE Trust Community also raises serious concerns around patient identity and the privacy implications of using a Direct email address that the patient does not control as a de facto health ID. Direct email addresses, if they ever make it into widespread use, will become like the plain email addresses we have today: convenient, globally unique person identifiers used to track users and reset passwords. They will effectively become your health ID. The email address policies proposed by the NATE Trust Community are coercive and non-portable. The option for a patient to control their own Direct email domain is not considered. The NATE-proposed email addresses can even be reused after 3 years. The use of multiple Direct email addresses by a patient for privacy reasons (the way we use regular email IDs today) is not considered.

Here’s a review of slide 25 of the NATE presentation with our comments in bold after each point:

But how does this relate to provider-facing Trust Communities?

  • There are fundamental differences in what applicable law applies to providers exchanging PHI with other providers that simply do not apply when they are exchanging with their patients

    • What law? Providers have a right to exchange PHI with anyone under their medical license. That includes patients.

  • Patients have a right to their data always whereas providers have to establish why they should be authorized to have access to some forms of health information

    • Patients have a right to their data without unregulated, self-asserted institutional intermediaries.

  • From an identity management perspective, pre-existing infrastructure related to identity proofing providers can be extended to support higher levels of identity proofing for doctors within their existing operations. No such infrastructure exists for consumers today

    • FBCA and US Postal Service-based identity proofing is available to all citizens and needs to be the foundation of a 21st century secure messaging system. NSTIC / IDESG is a public-private process, now in its third year, that will advance this infrastructure.

  • From a risk based assessment perspective, things that are warranted for providers who have access to hundreds or even thousands of patient records simply do not exist with regard to consumers accessing their own information

    • This has always been the case. That’s why individual providers are licensed and carry malpractice insurance. Is this a reason to disenfranchise either the provider or their patient in the digital domain?

  • Given these and other justifications, establishing separate trust communities between providers and patients makes practical sense – especially since there are a number of ways these two can be used in a symbiotic way for the benefit of both the providers and the patients

    • Fragmenting a messaging address space is not a sustainable idea. Combining an attribute (licensed physician, licensed nurse, employed clerk) with an identifier (the Direct email address) is not a scalable concept. People have many attributes, some are verified in different ways. People also have many identifiers. We use directories to link identifiers and attributes. Bundling them makes interoperability much harder.

  • There is the potential for a symbiotic relationship between Trust Bundles that have focused on provider-facing applications and those that focus on consumer-facing applications

    • What symbiosis? This may be true from an institutional perspective. It is cynical and self-serving from both the provider and the patient perspective.

  • As was described in the section on how this works, there are a number of convenient ways provider-facing Trust Bundles and consumer-facing Trust Bundles can be implemented that are seamless to both the provider and the consumer end user

    • We have some two years of experience with Direct and trust bundles. The experience of developers, physicians, and patients speaks for itself. The governance of Direct by vendor-dominated and funded organizations such as DirectTrust and NATE has failed. If we want Direct to succeed, the governance of Direct needs to be given to true public institutions representing patients and licensed medical professionals.

  • Bottom line – Consumer-facing bundles and provider-facing bundles are complimentary to one another

    • Unfortunately, I have to agree.

 

PPR hopes that the states and the vendors underwriting the NATE process will consider alternatives to vendor-dominated governance and discard the current draft. By pivoting to person-centered trust, NATE can seize the opportunity to lead in the direction of making Direct a showcase for physician-patient engagement. That’s how we all can work together toward the Triple Aim.

Adrian Gropper, MD

Chief Technology Officer

Patient Privacy Rights

 

Deborah Peel, MD

Founder and Chair

Patient Privacy Rights

 

Matthew Holt
Editor

As requested by Adrian, I’m moving the Deborah & Matthew show to another thread, so look for it on the main page soon and meanwhile please resume back to Adrian’s original comments.

Holly Spring
Guest

athenahealth does not sell patient data. Please see here for our views regarding an economic model for health information exchange: http://www.athenahealth.com/blog/2014/04/08/a-walk-back-and-setback-for-sustainable-hie/ Also, it’s worth mentioning that athenahealth treats interoperability as part of its service — not a separate invoice of add-ons. In fact, this week athenahealth announced CommonWell interoperability services will be offered to its 59,000+ providers services for free.

Adrian Gropper MD
Guest

Please listen to or read Jaron Lanier in http://edge.org/conversation/the-myth-of-ai

Hopefully, it will redirect this thread back to the role of technology and patient-data in medicine.

Matthew Holt
Editor

Deborah–I understand that with enough computing power and probabilistic matching you could re-identify data if you really wanted to but as you know it’s illegal which makes it kind of unlikely that a large publicly traded company would do it as openly as you think they are doing it. My understanding is that IMS gets given connected data by organizations that are allowed to connect it (covered entities) who strip the identifiers from it, or at least that was what they were doing back when I knew the company that does that for them (Pharmetrics) well. Most of the data…

Matthew Holt
Guest

Dr Peel Exhibit A on data exchange http://patientprivacyrights.org/2010/05/attention-doctors-and-vendors-selling-patient-data-without-informed-consent-is-now-a-federal-crime/ In which athenahealth suggested that providers paying each other for data exchange would speed it up, and you said that they wanted to sell patient data when they were instead suggesting paying for data that was ALREADY being exchanged (just not enough of it or in efficient manner) just as the national HIE program is trying (albeit not trying hard enough) to do. At the least your words are a complete distortion of what athenahealth was suggesting. The careless reader may have thought you were accusing them of selling patient data to…

Adrian Gropper MD
Guest

Matthew, Dr. Peel will likely speak for herself but I would like to clarify my perspective of the issues you raise in terms of payment for health information exchange and appropriation of patient data. With respect to payment for interfaces, a position widely promoted by Jonathan Bush of athenahealth, charging everyone for health data exchange would be a far fairer way to pay for HIE than charging vendors for certification. Charging tens of thousands of $ for certification discriminates against individual doctors, patients, and open source communities. Charging for actual usage, the way people and hospitals pay for a postage…

Deborah C. Peel, MD
Guest

Hi Matthew: Thanks for pointing out the articles where you think I was distorting the major business model of the Digital Age: selling pii. Some key points: 1) You imagine re-identification and aggregation of health data is not happening, when it is rampant. The business model of big data requires the massive collection and aggregation of all pii about you in order to combine it into very detailed profiles of you and millions of other individuals over time. “De-identification” and “anonymization” are processes that simply do not deliver what the words describe. But Congress, courts, and the public don’t know…

Deborah C. Peel, MD
Guest

Holt: Speaking of screeds, I just read yours. I would really appreciate you leaving out the insults and wrong facts–and actually the World Privacy Forum was not an ally that we worked with. When will you stop making things up about PPR and what I think and do? I have no idea what you referred to when you wrote I made “ridiculous statements about the concept of data exchange”. Please explain. PPR has always fought for patients’ longstanding rights to control data exchange. It still is our right under US law and medical ethics. FYI–patients controlled information exchange in the…

Deborah C. Peel, MD
Guest

Hi Will:

If it’s so complex to identify individuals and communicate directly with them, how come virtually every other US business or company you can think can have a direct relationship with us online? Technology is not the problem.

See my comments above.

Best,
Deborah

Deborah C. Peel, MD
Guest

Amen, Peggy. Why is it that every other US company or business can connect directly with individuals online except physicians, healthcare and HIT companies? Why isn’t healthIT set up like online banking, where we control our ‘assets’–ie our data? Online banking allows us to set up automatic transfers and to make one-time transfers, we can see/track all transactions in real-time, we can set up alerts for suspicious or unusual activities or transfers, and we can change our preferences at any time or delegate control. Technology that enables patients to control PHI does exist, in accord with our expectations and rights,…

Peggy Zuckerman
Guest

I will not attempt to deal with the technical details of what must be done to provide patients with complete and unfettered access to their own records and ALL the information that is fed into those records. As most patients, I want that access in my own terms and in my own email/USPS/fax etc of my choosing, the ability to send to any providers whom I choose, to make corrections in the record with some basic protections for accuracy, and to open those records for additions from new providers and so on. What I want most from the technical providers…

Adrian Gropper MD
Guest

Thanks Matthew for hosting, and hopefully moderating, a much needed debate on the core policies and practices for consumer engagement. CommonWell, HealtheWay, Carequality, Qualcomm 2net, and almost every state-supported Health Information Exchange are all EHR-to-EHR designs that are completely inaccessible to consumers and also inaccessible to the vendors that proposed the NATE Trust Community. That’s the reality of Direct and Blue Button Plus today. What you see as an attack on our part is simply a wake-up call to patients and physicians and an effort to draw the NATE community into an open discussion. a) The State of Play: EHRs…

William Palmer
Guest

@ Holt I’m not blaming Adrian or Deborah. They’ve got the arcane jargon right and they are warning us. The concepts are simple: that folks transmitting PHI want to know the quality of the senders and receivers and their legal right and certification to be doing this. It’s just that when you actually begin to think this through, it becomes amazingly frightful and complex. Eg How does a patient who is generating some of his own health data–say he has an outside lab doing INRs and he wants to upload this to the “mother” database–get the system to trust him…

Matthew Holt
Guest

Adrian/Deb, I don’t know how this one slipped past the editors at THCB central but if your collective goal was to elucidate this debate you have failed miserably. I vaguely understand this stuff and have some idea what BB and Direct are all about, and frankly have NO idea what this long screed is about. I am loath to spend too much time getting into the details (although I might) but it seems to me that Adrian is saying that only doctors and patients should be able to message each other, and that NATE is trying to prevent it. As…

Dean
Guest

“FBCA and US Postal Service-based identity proofing is available to all citizens and needs to be the foundation of a 21st century secure messaging system. NSTIC / IDESG is a public-private process, now in its third year that will advance this infrastructure.”

Are you going to trust the US Postal Service when they cannot secure their own infrastructure?

U.S. Postal Service Says It Was Victim of Data Breach
http://online.wsj.com/articles/u-s-postal-service-says-it-was-victim-of-data-breach-1415632126

Adrian Gropper MD
Guest

OUR health records hold the key to both quality and cost. In our private-but-regulated health care system, this makes OUR health records deeply strategic and subject to manipulation by every organized “stakeholder”. Casey, Jeanne, and William are typical of the patients and physicians that should be the principals, the PRIVATE principals, in how health records are stored and maybe shared. The Society for Participatory Medicine and the Massachusetts Medical Society have figured this out. Maybe some states and state HIEs will catch on as well. Who out there believes that Direct and Blue Button can succeed if the patients and…

William Palmer MD
Guest

@Mighty Casey I think the proponents of this Byzantine NATE scheme need to risk something themselves if this complex problem is not solved. Perhaps have them bet in some futures market. The losers, as mentioned above, might need compensation with a sort of credit default swap type insurance. Just think of how valuable and marketable some of the health information is: employers want to know about health of future employees, spouses and lovers might like to know about STDs and HIV and past abortions, advertisers want to better aim their brochures, owners of senior living facilities would like to know…

Mighty Casey
Guest

Amen, Doc. The money is the thing. All the lip service given to “trust” and “privacy” is a smoke screen for “I’m monetizing this b*tch.”