A National Health Encounter Surveillance System

Trust is essential for interoperability. One way to promote trust is to provide transparency and accountability for the proposed national system. People have come to expect email or equivalent notification when a significant transaction is made on their personal data. From a patient's perspective, all health records transactions involving TEFCA are likely significant. When a significant transaction occurs, we expect contemporaneous notification (not an arrangement where you have to ask first), a monthly statement of all transactions, and a clear indication of how an error or dispute can be resolved. We also expect the issuer of the notification to be accountable for the transaction and to assist in holding other participants accountable if that becomes necessary. Each such notification should identify who accessed the data and how the patient can review the data that was accessed. Each time, the patient should be informed of the procedure to flag errors, report abuse, and opt out of further participation at either the individual source or at the national level.

Recommendation 1 :  Add Principle 2D as: Every transaction over the TEFCA network, including bulk access, is to be accompanied by a contemporaneous email to each individual patient and a monthly statement delivered via email or post if there is activity in that month.

Make Patient-Directed Exchange the Baseline for a National API

Application Programming Interfaces (APIs) are the future of interoperability and are mandated by law applicable to TEFCA. The scope of APIs is broad. An API can serve inside a single legal entity to connect one information system to another, it can provide access to one patient per transaction or to a batch of patients, it can connect under the direction of an authorized entity, or it can connect two parties directly on demand by the patient herself. We are familiar with patient-directed interoperability as the paper Release of Information form submitted to hospital records departments. This fundamental patient right must be preserved and enhanced as we move from paper and fax to APIs. Using a separate API for entity-directed vs. patient-directed exchange increases the attack surface, confuses patients, and increases cost. If separated, the patient-directed exchange API is likely to be less supported and less functional than the entity-directed API. Errors and security breaches in both APIs are also likely to be harder to detect if the two APIs are separate, because there are two code paths to audit instead of one.

Specify that the same API is to be used for both entity-directed and patient-directed exchange. Treat bulk transfers of multiple patients in one transaction as a special case of the API that is not patient-directed, but still notifies the individual patients involved. Ensure that the API does not require more paper-based or in-person processes for patient-directed exchange than are required for entity-directed exchange.

Recommendation 2 : Amend Principle 3A to specify that the same API is to be used for both entity-directed and patient-directed exchange.

Recommendation 3 : Amend Principle 5A to specify that the same API is to be used for both entity-directed and patient-directed exchange.

Recommendation 4 : Amend Principle 6A to clarify that the multiple patient record functionality does not reduce the responsibility to contemporaneously notify individual patients.

Recommendation 5 : Item 2) of the Definition of Individual Access is confusing. The API Task Force was clear that blocking of any patient-directed sharing, other than one that endangers other patients, is prohibited. For example, a patient-directed request to move information to a destination via plain, unsecured email or to a foreign country is acceptable under Applicable Law.

Separate Identity and Authorization Standards from Data Model Standards

Introducing interoperability into a system as large and diverse as healthcare is a tremendous challenge that the draft TEFCA clearly recognizes and seeks to address. Much of this regulation is, quite appropriately, devoted to standards. Some of the standards relate to how health records are encoded. Let’s call this the data model. Other standards relate to how access to a record is controlled. Let’s call this authorization. It is common practice for standards-dependent efforts such as SMART or Argonaut or TEFCA to combine both data model and authorization concerns because there is some overlap in their scope. For example, the data model includes demographic information that is critical to the discovery aspects of authorization around an encounter. Unfortunately, blending projects that seek to standardize the data model with those that seek to standardize the authorization model makes scaling interoperability much harder because it makes healthcare practices less able to benefit from large-scale authorization standards outside of the healthcare domain.

Identity, demographics, and authorization standards are not specific to healthcare. To achieve broad interoperability on a national scale, adopt the Postal Service model of separating what’s on the envelope (authorization) from what’s in the envelope (the data model) and manage the corresponding standards, policies, and practices separately.

We are especially mindful of the multiple portals problem that forces patients to manage consent separately by accessing every separate provider using different protocols and procedures. Just as TEFCA seeks to provide a single on-ramp for providers as End Users it should encourage and ideally offer a single on-ramp for individual patients by allowing the patient to specify their preferred UMA / HEART Authorization Server.

Recommendation 6 : Amend Principle 1A to encourage separation of authorization and data model standards.

Recommendation 7 : Reference Kantara UMA (User-Managed Access) and the profile work of Health Relationship Trust (HEART) as components of the ISA (Interoperability Standards Advisory).

Recommendation 8 : Any QHIN, Participant, or End User that offers access to Individuals via an API, including the TEFCA-specified API, must allow the Individual to specify and delegate control to a standards-based authorization server of their choosing.
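To make Recommendations 2, 3, 4 and 8 concrete, here is an added example (not code from this post, nor from TEFCA, UMA or HEART) of a resource server that uses one authorization path for entity-directed, patient-directed and bulk requests, and emits one notification per patient on every successful access. Everything here is constructed for illustration: the patient and issuer identifiers are made up, tokens are represented as claim dictionaries that are assumed to have already been signature-verified, and the rule that a bulk (multi-patient) request can only be entity-directed follows the text above rather than any published profile.

```python
"""One access path for single, bulk, entity- and patient-directed requests.

Added example. Assumptions (all hypothetical): tokens arrive as claim dicts
that have already been signature-verified; each patient registers the issuer
URL of the UMA/HEART authorization server they delegate to; any other trusted
issuer is treated as an entity (organisational) grant.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when no grant covers every patient named in the request."""


@dataclass
class Request:
    requester: str          # organisation or app asking for records
    patient_ids: list[str]  # one id for a single-patient call, many for bulk
    token: dict             # constructed, already-verified claims (iss, scope)
    purpose: str            # shown to the patient in the notification


@dataclass
class Notification:
    patient_id: str
    accessed_by: str
    purpose: str
    bulk: bool
    dispute_contact: str = "privacy@example.invalid"  # assumed contact point


@dataclass
class ResourceServer:
    # patient_id -> issuer of the authorization server that patient chose
    patient_as: dict[str, str]
    # issuers trusted to grant entity-directed (treatment/payment/ops) access
    entity_issuers: set[str]
    notices: list[Notification] = field(default_factory=list)

    def authorize(self, req: Request) -> list[Notification]:
        """Check every patient in the request, then notify each of them.

        The same function serves all request kinds; only the grant differs.
        Bulk requests are never patient-directed, per the recommendation, but
        every patient in a bulk request is still notified individually.
        """
        if not req.patient_ids:
            raise AccessDenied("no patients named")
        issuer = req.token.get("iss")
        scope = set(req.token.get("scope", "").split())
        if "patient/*.read" not in scope:
            raise AccessDenied("token lacks read scope")
        bulk = len(req.patient_ids) > 1
        for pid in req.patient_ids:
            entity_ok = issuer in self.entity_issuers
            patient_ok = (not bulk) and self.patient_as.get(pid) == issuer
            if not (entity_ok or patient_ok):
                # Deny the whole transaction before any notice is emitted,
                # so a partially authorized bulk request leaks nothing.
                raise AccessDenied(f"issuer {issuer!r} holds no grant for {pid}")
        issued = [
            Notification(pid, req.requester, req.purpose, bulk)
            for pid in req.patient_ids
        ]
        self.notices.extend(issued)
        return issued

    def statement(self, patient_id: str) -> list[Notification]:
        """Everything a patient would see on their periodic statement."""
        return [n for n in self.notices if n.patient_id == patient_id]


if __name__ == "__main__":
    rs = ResourceServer(
        patient_as={"p1": "https://as.alice.example", "p2": "https://as.bob.example"},
        entity_issuers={"https://qhin.example"},
    )
    single = Request("cardio-app", ["p1"],
                     {"iss": "https://as.alice.example", "scope": "patient/*.read"},
                     "share with my cardiologist")
    print(rs.authorize(single))
    bulk = Request("qhin-a", ["p1", "p2"],
                   {"iss": "https://qhin.example", "scope": "patient/*.read"},
                   "care coordination")
    print(rs.authorize(bulk))
    print(rs.statement("p1"))
```

The point of routing everything through `authorize` is that there is exactly one place to audit: a grant from the patient's own server and a grant from a QHIN are evaluated by the same code, and the per-patient notification is produced in the same loop, so a bulk transfer cannot silently skip it.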

Be Clear About Creating a National Health Encounter Surveillance System

TEFCA is creating a national health encounter surveillance system under the control of the Federal Government. Regardless of the reasons why this might be desirable, the Federal Government needs to be clear that this is a new national agency that manages personal information on substantially everyone, just like the IRS, TSA, and FBI. The draft TEFCA is very confusing in this respect. It is hard to draw an analogy to existing systems of identity. State drivers' licenses are the only common example of a distributed identity system that allows for broadcast queries to some extent, but they are operated by government, founded on coercive biometric databases, and controversial when subject to federal policy like Real ID.

Recommendation 9 : State clearly in the introduction of the proposed regulation that it is national in scope and subject to federal government policy. State also that the system is identity-based, and that a person can have zero, one, or multiple identities in the system.

Recommendation 10 : Amend the definition of Broadcast Query to make clear that it is national in scope and may include encounters outside of HIPAA Covered Entities.

Recommendation 11 : Amend the definition of Recognized Coordinating Entity (RCE) to make clear that it is controlled by the federal government and subject to the policies of the federal government.

Recommendation 12 : In section 3.3, describe how patients can choose to be tracked, identity-matched, and notified of a match, in a voluntary and non-coercive way.

Recommendation 13 : In section 6.2.4, describe how patients identified only as “known to the practice” under HIPAA or receiving an anonymous service from a laboratory may voluntarily participate, without Identity Proofing in the national system.

If TEFCA is Voluntary, Explain How Patients Can Opt-Out

TEFCA is introduced as voluntary but the draft document is not clear about how a patient can avoid participation in the national surveillance system. Consider, for example, a 15 year old with a severe anxiety attack requiring mental health care. Will this patient be entered into the national system by the emergency department, the psychiatrist, the laboratory, the pharmacy, the insurance company, or all of the above? When this patient turns 18, will he or she have the ability to delete the record of this episode of care from the national system and the process to effect this deletion?

Define how the system is voluntary from the perspective of the patient and describe how a patient opts out of having an encounter entered into the system, how a patient is notified when an encounter is added to the system, and how an encounter is deleted from the system.

Recommendation 14 : Amend Principle 5B to replace the reference to Qualified HIN with a broad statement of participation in the national health encounter surveillance network.

Avoid Introduction of a Hidden Data Brokerage Layer

Current patient rights regulations tend to focus on the right of access to a service provider such as a HIPAA Covered Entity combined with a limit on the ability of Business Associates to aggregate information about an individual across multiple service providers. When a data aggregator or broker is introduced, as for example some state health information exchanges or the Surescripts network, these entities are not well-known to the patient and have no customer relationship with the patient. The result is that these intermediary data brokers are effectively hidden from the patient and not accountable to the patient.

By analogy, we are familiar with the national surveillance system of credit bureaus. Equifax, Experian, and TransUnion are limited in number to three so people can know of all of them, they are regulated to be accessible and responsive to people, and they are required to accept and redistribute comments from the individual. The credit surveillance system also has the benefit of a unique person identifier, the Social Security Number, in order to reduce the number of errors that are propagated. Nonetheless, having to deal with three separate data brokers in cases such as identity theft, for example to impose a credit freeze, is a major hardship for the individual.

There is, however, a major difference between credit surveillance and health surveillance. As individuals we access credit voluntarily, but we are compelled to access health care by illness, accident, and misfortune. At a time of suffering and stress, US patients already have to worry about the scope of their insurance network, large unknowable out-of-pocket costs, and the impact of their misfortune on employment, disability, and life insurance. These are all hidden consequences of seeking health care. It is imperative that TEFCA not add another hidden layer to an already stressful system.

To the extent TEFCA envisions a layer of QHINs responsible for managing the location of encounters and consent to access personal information, it is critical that they be accessible and accountable directly to the individual at least as much as the hospitals and service providers are. To the extent TEFCA is establishing a single national data brokerage system like the TSA or the IRS, it is imperative that people know exactly who they are dealing with and how they are identified in the system. Decentralized, private-sector surveillance such as we have for advertising tracking is not appropriate for healthcare.

Recommendation 15 : In Section 7, Access, make the RCE the single patient-facing entity, accountable for a consistent policy and a consistent patient identifier across all hospitals, labs, payers, and other service providers. To avoid coercion, allow patients to have multiple, separate RCE identifiers in order to voluntarily segment sensitive encounters from routine ones.

Adrian Gropper is CTO of Patient Privacy Rights.


  1. Most health problems we are facing today are lifestyle associated, for which one visits the clinician. In modern practice, a visit to the clinician often results in a prescription with some diagnostic test, prophylactic (preventive) pills (disease for which symptoms) to attain health. The prescription fulfills the mutual desire that ''something be done'' to ritually and therapeutically justify the visit. The patient tracks down the prescription and struggles to remember to take them on time, and also to pay for them and to restructure their lives.

  2. Great discussion, Brian. … "data available to support the care of the individual…"

    Or better maybe… “data to support the care of the individual and the needs of the stakeholders…”

  3. It depends on the definition of “interoperability”.

    I see this as one of the most serious limitations of TEFCA. The focus of TEFCA seems to align with your statement: “This has got to mean the need of any provider to access the findings of any other provider—for any given patient.”

    In the fourteen years ONC has pursued provider interoperability, the industry has moved into an expanded definition of “provider”. Retail clinics arrived on the scene in 2000. Today there are almost 3000 in operation. Worksite clinics have dramatically expanded services to bridge primary care. A 2015 Mercer survey reported that 29% of employers with 5000+ employees provided worksite clinics. The National Association of Worksite Health Centers reports that “near-site” and “shared-site” solutions are allowing small to mid-sized employers to offer clinic services to their employees.

    Amazon, Berkshire Hathaway and JP Morgan just announced their collaboration to bring better/lower cost care to their 1.1 million employees. Apple just announced their “AC Wellness” program to bring its own primary health care clinics to their 120,000 employees. (While just announced, there are indications this may be a trial run at an offering to the general public.)

    Tele-health visits are increasingly offered as a free first stop benefit to addressing member health issues.

    An entire generation is already in place that in many cases has no primary care provider relationship.

    Cost(high) + Convenience(low) = Friction. Friction + Technology = Innovation. Interoperability must mean: data available to support the care of the individual wherever, whenever and however the individual engages in a form of care.

  4. We do have an astonishing set of contradictory expectations in health IT: We are supposed to protect privacy, yet promote transparency. We are expected to keep secrets yet move lots of information easily and swiftly. We want many new innovations yet we yearn for standards. We want the patient to feel he has some type of ownership of his own data, yet we make it practically impossible to do this.

    Of course similar contradictions are seen in the rise of hospitalists, yet we talk about incorporating the outpatient medical data from the doctor’s office into the inpatient data.

  5. Amen.

    But as we’re now in the era of “patient-centered care,” what you want and don’t want is of absolutely no significance.


  6. Thank you.

    The eternal promise of “interoperability” is a red herring used to distract practicing physicians from the much more mundane problems that make EMRs unusable.

  7. People with chronic or life-changing illness and people that want to contribute to medical research need a way to keep a longitudinal health record. Without interoperability, how do they do that?

  8. With rare public health exceptions, you certainly should have a right to an absolutely personal encounter with your physician, lab, and institutions you choose.

    That said, many people want to contribute clinical data to research and others want the convenience of aggregating data from multiple encounters in one place *of their choice*. My proposal around TEFCA is to call this act of creating longitudinal health encounter aggregates the surveillance that it is and make it entirely voluntary and transparent so that every individual can choose if and where their data (not just HIPAA covered entities) is aggregated and if and how it is used.

  9. It’s illogical to assume that your smartphone or your connected implant has to be owned by anyone but you just because that’s the way it is today with Android and Medtronic. People need powerful technological agents to shield us from the probes of corporations and government eager to get under our skin. Apple understands this and goes out of it’s way to compete on privacy with policies like “Apple will not see your data.” on health, home, and maybe other services. Apple also takes responsibility for its hardware supply chain to prevent “back doors” to a significant extent. I’m not aware of another vendor that does. Individual ownership of technology (including open source software to avoid secret, non peer-reviewed, black boxes) is well within reach in 2018.

    The problem lies more with the medical profession and other licensed professionals that have been manipulated into thinking that artificial intelligence and even health records technology has to be inscrutable and controlled by hospitals or corporations. When technology is open source, the licensed professional can take responsibility and act as the agent of the patient instead of an arm of some employer or the state. I’m not comfortable channeling libertarian principles but I can imagine that they would prefer regulation of medical technology at the “edge” of the network by licensed professionals rather than centrally by the FDA.

  10. I wonder if anyone has ever studied the need for interoperability? This has got to mean the need of any provider to access the findings of any other provider—for any given patient. And Adrian wants it to mean patient access to, and contribution-ability to, any provider record…I think a logical extension.

    But but, come on….how often do we really need this? Maybe once in a while to see a recent film of the chest or abdomen.

    Usually we just repeat lab work…and even most x-rays…and it's often good to repeat studies as the clinical picture is fluid and dynamic so often.

    Thus, “Interoperability” seems a straw man to allow government agencies and financial stakeholders access to patient records…much more than the clinical need for interoperability.
    Do we really want this?

  11. I have to admit that I haven’t read all the details, but generally speaking, I don’t want any surveillance of any kind.

    I don’t want notification that my information was “shared” and options to correct it, so it’s more useful to those who make fortunes from “sharing”. I don’t want to “opt out” of future “sharings”, because once it is “shared” once, it’s “shared” forever.
    I don’t trust those who own the servers, manage the servers and/or write the software that enables this grand “sharing”. I don’t trust HHS or any other private or governmental agency to do stuff for my own good.

    What I want is to be 100% certain that when I talk to a doctor, it stays between me and that doctor and nobody else. I want to be able to get the information in a transferable format on demand, in case I want to have it or share it myself with another doctor.

    I don’t need a network for that. I don’t want a network for that.

    I do want legislation that imposes millions of dollars in fines along with mandatory jail time in high security federal facilities where common criminals are held, for anybody “sharing” my information (identified or deidentified) in any other way that is different from what I described above.

    And I do want a national surveillance system of data holders to make sure we apprehend all data criminals, preferably before they “share” my stuff.

  12. Surveillance systems can be useful but they need to be appropriately governed in order to be sustainable.

    The TV series “Person of Interest” http://www.imdb.com/title/tt1839578/ (on Netflix) is a relevant example. A surveillance system to thwart terrorism (the relevant use) can also be used to invade privacy of non-terror “irrelevant” suspects. This creates tension in governance and leads to a combination of extreme secrecy and vigilante justice because the relevant use might be shut down if the actual workings of the surveillance system became common knowledge. Amazingly, the series predates the Snowden disclosures https://en.wikipedia.org/wiki/Edward_Snowden and makes you wonder…

    The HHS approach to the draft TEFCA proposal was driven by technology and feasibility (I know this based on private communications with principals) rather than a vision for sustainable governance. This approach mirrors how HHS has attempted to deal with a national patient ID over both the Obama and now the Trump administrations. ID is a problem that arguably must be solved before we can have any kind of surveillance-based interoperability. Voluntary, patient-directed interoperability, on the other hand, does not need a new patient ID domain because patients already know who they are. (Incidentally, “Person of Interest” trivializes this fraught linkage between surveillance and identity by assuming every “person of interest” has a social security number.)

    Simply put, in healthcare, do we want to regulate interoperability, surveillance, or neither? 21st Century Cures, the applicable current and bipartisan law, does not allow for neither. Therefore, it’s up to HHS to decide if they want to regulate and enforce interoperability or if they want to escalate their interpretation of Cures to include surveillance.

    By calling attention to draft TEFCA as a national surveillance system, I am pointing out the overreach and fuzzy governance of the current proposal. A TEFCA that sticks to patient-directed and fanatically transparent interoperability does not need a new governance strategy and has a good chance at being both useful and sustainable.

  13. Given the security of the internet, who would really want their life-long health data open to anyone who comes along with the right, i.e. wrong, entry process. What will happen is that the “providers” will occasionally make notes on their own data device, especially for mental health issues. With neither the patient nor the provider having 100% jointly reliable control of their data, another addition to Parkinson’s Law has occurred!

    John, and so it should! By the way, did I miss how these records will eventually be subjected to full destruction?

  14. There’s a lot to like here …

    BUT .. and this one is a big but, the problem I have with the post is that framing your suggestion in this way almost guarantees it will be rejected ..

    A national health surveillance system?

    Lawmakers that are hesitant to make simple public health recommendations and pay attention to basic scientific facts aren’t going to touch something with the words “national + system” and “surveillance” in it.

    Which is a tragedy …

    What we need is the equivalent of the FAA for public health data to maintain a national health data grid or health data net — which is kinda sorta what the CDC was supposed to be doing before we started legislating that they not research things ..

  15. Thanks Adrian for being there and watching all this stuff and reporting to us. Your wisdom is wonderfully illustrated by your last sentence. Look up “RCE”, folks, and think about what Adrian is saying.

    We have to also remind ourselves that metadata, like the address on the envelope, can reveal as much information as the content in the letter. "Oh honey, I lost our baby—did you see all the blood in the toilet?" Husband sadly thinks of spontaneous abortion. Meanwhile the immutable record of her admission to a local hospital (for a D&C) last week is recorded as metadata for the world to see and ponder.