By ADRIAN GROPPER, MD
US healthcare is exceptional among rich economies. Exceptional in cost. Exceptional in disparities. Exceptional in the political power hospitals and other incumbents have amassed over decades of runaway healthcare exceptionalism.
The latest front in healthcare exceptionalism is over who profits from patient records. Parallel articles in the NYTimes and THCB frame the issue as “barbarians at the gate” when the real issue is an obsolete health IT infrastructure and how ill-suited it is for the coming age of BigData and machine learning. Just check out the breathless announcement of “frictionless exchange” by Microsoft, AWS, Google, IBM, Salesforce and Oracle. Facebook already offers frictionless exchange. Frictionless exchange has come to mean that one data broker, like Facebook, adds value by aggregating personal data from many sources and then uses machine learning to find a customer, like Cambridge Analytica, that will use the predictive model to manipulate your behavior. How will the six data brokers in the announcement be different from Facebook?
The NYTimes article and the THCB post imply that we will know the barbarians when we see them and then rush to talk about the solutions. Aside from calls for new laws in Washington (weaken behavioral health privacy protections, preempt state privacy laws, reduce surprise medical bills, allow a national patient ID, treat data brokers as HIPAA covered entities, and maybe more) our leaders have to work with regulations (OCR, information blocking, etc…), standards (FHIR, OAuth, UMA), and best practices (Argonaut, SMART, CARIN Alliance, Patient Privacy Rights, etc…). I’m not going to discuss new laws in this post and will focus on practices under existing law.
Patient-directed access to health data is the future. This was made clear at the recent ONC Interoperability Forum as opened by Don Rucker and closed with a panel about the future. CARIN Alliance and Patient Privacy Rights are working to define patient-directed access in what might or might not be different ways. CARIN and PPR have no obvious differences when it comes to the data models and semantics associated with a patient-directed interface (API). PPR appreciates HL7 and CARIN efforts on the data models and semantics for both clinics and payers.
Consider the ongoing news about the data broker called Surescripts and the data processor called Amazon PillPack. The FTC is looking into whether Surescripts used its dominant data broker position illegally in restraint of trade. Surescripts, in a somewhat separate action, is claiming that barbarian PillPack is using patient consent to break down the gate it erected for its business purposes. From my patient perspective, does Surescripts have a right to aggregate my prescription history and then refuse me the ability to share that data with PillPack without special effort?
The possible differences between CARIN and PPR pertain to how the barbarian is labeled and who maintains the registry or registries of the barbarians. The open questions for CARIN, PPR, and other would-be arbiters of barbary fall into four related categories:
1 – Labels Only
- Labels like the CARIN Code of Conduct or the PPR Information Governance Label are self-asserted by the app or service provider and, like other consumer product labels, would be enforced by the FTC. Who designs the labels?
2 – Registries Only
- For deployment efficiency, the apps and services may be listed in controlled registries. The app could be registered by the developer of the app or by the operator (including a physician) that wants to use the app. This option is relevant because apps might have options the operator can choose that would change the criteria for a particular registry. Will registries support submissions by developers, operators or both?
- Aside from labels, patients tend to infer reputation on the basis of metrics like the number of users and the number of reviews for an app. Do the registries list software operators along with the software vendors in order to promote transparency and competition?
- Do the registries allow for public comment with or without moderation?
3 – Labels and Registries Combined
- What should be the number of registries and would they require one or more of the available labels?
- A typical app store policy is a low bar to enable maximum competition and reduce disputes over exclusion. Consumer rating bureaus, on the other hand, tend to issue stars or checkmarks in a handful of categories in order to reward excellence. Is our label and registry design aimed at establishing a low bar (“You must be this high to be a barbarian”) or promoting a “race to the top” (such as 0-5 stars in a few defined categories)?
- To improve fairness and transparency, should the orgs that define labels be separate from the orgs that operate registries?
4 – “Without special effort”
- Opening the gate to their own records is an established right for both the patient subject and the barbarian designated by the patient. Making this work “without special effort” requires implementation of standard dynamic client registration features that current gatekeepers have chosen to ignore. Should regulators mandate support for dynamic client registration, for any and all barbarians, as long as the app is only able to access the records of the individual patient exercising their right of access?
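One way an authorization server could honor dynamic client registration while still enforcing the “only the individual patient’s records” condition, as an added example that is not code from this post or from CARIN, PPR or any vendor: a model of an RFC 7591 registration endpoint that accepts any app the patient chooses but refuses grant types and scopes that reach beyond the authorizing patient. The SMART on FHIR scope syntax (`patient/`, `user/`, `system/`) is the standard’s own; the policy rules, the `RegistrationError` class, the sample apps and their URLs are assumptions constructed for the example.

```python
import json
import secrets
import time

# SMART on FHIR scope syntax: <context>/<Resource>.<permission>, where the
# context is "patient" (only the authorizing patient's record), "user" (every
# record the signed-in user may see) or "system" (a backend service with no
# patient in the loop). Scopes that name no FHIR resource are listed here.
NON_RESOURCE_SCOPES = {"openid", "fhirUser", "launch/patient", "offline_access"}


def is_patient_confined(scope: str) -> bool:
    """True if the scope cannot reach beyond the record of the patient who authorizes it."""
    if scope in NON_RESOURCE_SCOPES:
        return True
    context, sep, rest = scope.partition("/")
    if not sep or context != "patient":
        return False  # user/ and system/ scopes can reach other patients' records
    resource, _dot, permission = rest.partition(".")
    return bool(resource) and permission in {"read", "write", "*"}


class RegistrationError(ValueError):
    """Assumed error type: the registration is refused with a list of reasons."""


def validate_registration(req: dict) -> dict:
    """Policy check (assumption) applied to an RFC 7591 registration request.

    Returns the client metadata the server is willing to issue, or raises.
    """
    problems = []
    redirect_uris = req.get("redirect_uris") or []
    if not redirect_uris:
        problems.append("redirect_uris is required for authorization_code clients")
    for uri in redirect_uris:
        if not uri.startswith("https://"):
            problems.append(f"redirect_uri must be https: {uri}")
    # Only flows in which the patient personally authorizes the app are allowed;
    # client_credentials would let the app act without any patient in the loop.
    grant_types = set(req.get("grant_types") or ["authorization_code"])
    disallowed = grant_types - {"authorization_code", "refresh_token"}
    if disallowed:
        problems.append(f"grant types bypass the patient's authorization: {sorted(disallowed)}")
    requested = (req.get("scope") or "").split()
    if not requested:
        problems.append("scope is required")
    bad_scopes = [s for s in requested if not is_patient_confined(s)]
    if bad_scopes:
        problems.append(f"scopes reach beyond the authorizing patient: {bad_scopes}")
    if problems:
        raise RegistrationError("; ".join(problems))
    return {
        "redirect_uris": redirect_uris,
        "grant_types": sorted(grant_types),
        "response_types": ["code"],
        "scope": " ".join(requested),
        "client_name": req.get("client_name", "unnamed app"),
        "token_endpoint_auth_method": req.get("token_endpoint_auth_method", "none"),
    }


def register_client(req: dict) -> dict:
    """Build the RFC 7591 registration response for an accepted client."""
    meta = validate_registration(req)
    return {
        "client_id": secrets.token_urlsafe(16),
        "client_id_issued_at": int(time.time()),
        **meta,
    }


# Constructed sample: a pharmacy app the patient chose, asking only for that
# patient's own medication orders and demographics.
PHARMACY_APP = {
    "client_name": "Example Pharmacy App (constructed)",
    "redirect_uris": ["https://pharmacy.example/oauth/callback"],
    "grant_types": ["authorization_code", "refresh_token"],
    "token_endpoint_auth_method": "none",
    "scope": "openid fhirUser launch/patient offline_access "
             "patient/MedicationRequest.read patient/Patient.read",
}

# Constructed sample: a backend that wants system-wide read access with no
# patient authorizing it; the policy above refuses it.
ANALYTICS_BACKEND = {
    "client_name": "Example Analytics Backend (constructed)",
    "redirect_uris": ["https://analytics.example/callback"],
    "grant_types": ["client_credentials"],
    "scope": "system/*.read",
}

if __name__ == "__main__":
    print(json.dumps(register_client(PHARMACY_APP), indent=2))
    try:
        register_client(ANALYTICS_BACKEND)
    except RegistrationError as err:
        print("rejected:", err)
```

The point of the policy is that the gatekeeper no longer needs a human-curated allow list to be safe: whatever app registers, the most it can ever obtain is what one patient chooses to grant about themselves, so registration can be open and the labels and registries discussed above become reputation signals rather than access controls.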
It seems that the definition of a barbarian is anyone who aims to get patient records under the current laws and the explicit direction of the patient. The opposite of barbarians, whoever they may be within the gates of HIPAA, are able to get patient records without consent or accounting for disclosures by asserting “Treatment, Payment, or Operations” as well as the pretense of de-identification. Meanwhile, these HIPAA non-barbarians are able to sell off the machine learning and other medical science teachings as “trade secret intellectual property” in the form of computer decision support and other for-profit algorithms. This hospital-led privatization of open medicine will contribute to the next round of US healthcare exceptionalism.
And as for the patients, no worries; we’ll just tell them it’s about patient safety.
Adrian Gropper, MD, is the CTO of Patient Privacy Rights, a national organization representing 10.3 million patients and among the foremost open data advocates in the country.