US healthcare is exceptional among rich economies. Exceptional in cost. Exceptional in disparities. Exceptional in the political power hospitals and other incumbents have amassed over decades of runaway healthcare exceptionalism.
The latest front in healthcare exceptionalism is over who profits from patient records. Parallel articles in the NYTimes and THCB frame the issue as “barbarians at the gate” when the real issue is an obsolete health IT infrastructure and how ill-suited it is for the coming age of BigData and machine learning. Just check out the breathless announcement of “frictionless exchange” by Microsoft, AWS, Google, IBM, Salesforce and Oracle. Facebook already offers frictionless exchange. Frictionless exchange has come to mean that one data broker, like Facebook, adds value by aggregating personal data from many sources and then uses machine learning to find a customer, like Cambridge Analytica, that will use the predictive model to manipulate your behavior. How will the six data brokers in the announcement be different from Facebook?
The NYTimes article and the THCB post imply that we will know the barbarians when we see them and then rush to talk about the solutions. Aside from calls for new laws in Washington (weaken behavioral health privacy protections, preempt state privacy laws, reduce surprise medical bills, allow a national patient ID, treat data brokers as HIPAA covered entities, and maybe more) our leaders have to work with regulations (OCR, information blocking, etc…), standards (FHIR, OAuth, UMA), and best practices (Argonaut, SMART, CARIN Alliance, Patient Privacy Rights, etc…). I’m not going to discuss new laws in this post and will focus on practices under existing law.
Patient-directed access to health data is the future. This was made clear at the recent ONC Interoperability Forum as opened by Don Rucker and closed with a panel about the future. CARIN Alliance and Patient Privacy Rights are working to define patient-directed access in what might or might not be different ways. CARIN and PPR have no obvious differences when it comes to the data models and semantics associated with a patient-directed interface (API). PPR appreciates HL7 and CARIN efforts on the data models and semantics for both clinics and payers.
By KENNETH D. MANDL, MD, MPH, DAN GOTTLIEB, MPA, and JOSHUA MANDEL, MD
A patient can, under the Health Insurance Portability and Accountability Act (HIPAA), request a copy of her medical records in a “form and format” of her choice “if it is readily producible.” However, patient advocates have long complained about a process which is onerous, inefficient, at times expensive, and almost always on paper. The patient-driven healthcare movement advocates for turnkey electronic provisioning of medical record data to improve care and accelerate cures.
There is recent progress. The 21st Century Cures Act requires that certified health information technology provide access to all data elements of a patient’s record, via published digital connection points, known as application programming interfaces (APIs), that enable healthcare information “to be accessed, exchanged, and used without special effort.” The Office of the National Coordinator of Health Information Technology (ONC) has proposed a rule that will facilitate a standard way for any patient to connect an app of her choice to her provider’s electronic health record (EHR). With these easily added or deleted (“substitutable”) apps, she should be able to obtain a copy of her data, share it with health care providers and apps that help her make decisions and navigate her care journeys, or contribute data to research. Because the rule mandates the “SMART on FHIR” API (an open standard for launching apps now part of the Fast Healthcare Interoperability Resources ANSI Standard), these apps will run anywhere in the health system.
Today on Health in 2 Point 00, we have another takeover edition! On Episode 92, Jess talks to Louise Schaper, CEO of the Health Informatics Society of Australia (HISA) at HIC 2019. Louise’s key takeaway from the conference is that health tech in Australia is focused on humanity and improving outcomes for all people. Jess also asks Louise about the Australian Digital Health Agency’s MyHealthRecord, an online summary of individuals’ health information. It’s got a great participation rate with 90% of Australians opted in, but it’s not being utilized as much as it could be. Finally, Louise debunks some of the chatter around HealthEngine’s data scandal in which they were caught sharing health data with law firms. The thing is, the press has sold it as if they have full access to your medical data and have sold that, but that’s not the case.
The McKinsey “2,750 times” statistic is a pretty good proxy for the amount of your personal health data that is NOT protected by HIPAA and currently is broadly unprotected from sharing and use by third
However, there is bipartisan legislation in front of Congress that offers expanded privacy protection for your personal health data. Senators Klobuchar & Murkowski have introduced the “Protecting Personal Health Data Act” (S.1842). The Act would extend protection to much personal health data that is currently not already protected by HIPAA (the Health Insurance Portability and Accountability Act of 1996).
In this essay, we will look in the rear-view mirror to see how HIPAA has provided substantial protections for personal clinical data — but with boundaries. We’ll also take a look out the windshield — the Wild West of unprotected health data.
Then in a separate post, we’ll describe and comment on the pending “Protecting Personal Health Data Act”.
Today on Health in 2 Point 00, we’re wishing Matthew a happy birthday!
On Episode 90, Jess and I talk about the drama around Amazon PillPack and Surescripts, HelloHeart’s $12 million raise, and Cerner selling its health data. In the end, the data is going to have to flow after this battle between Surescripts and PillPack. For HelloHeart’s blood pressure and cardiovascular health management platform, have they found their niche or is it too little too late with others like Livongo, Omada and Vivify in the space already? Finally, Cerner has put in their earnings call that they’re going to develop a business model around selling their data, sending ePatient Dave on a Tweet storm, but how big of a deal is this really? —Matthew Holt
“The Health Data Goldilocks Dilemma: Sharing? Privacy? Both?” series will cover a whole host of topics that discuss, clarify, and challenge the notion of sharing data and if it should be kept private or made public. On the one hand, sharing health information is essential for clinical care, powering medical discovery, and enabling health system transformation. On the other hand, the public is expressing greater concerns over the privacy of personal health data. This ‘Goldilocks Dilemma’ has pushed US policymakers towards two seemingly conflicting goals: 1) broader data interoperability and data sharing, and 2) enhanced data privacy and data protection.
But this issue is even more nuanced and is influenced by many moving parts including: Federal & State privacy legislation, health technology legislation, policy & interoperability rules, data usage from AI & machine learning tools, data from clinical research, ethical concerns, compensating individuals for their data, health data business models, & many more.
Fear not, Deven & Vince are here to walk readers through this dilemma and will be providing pieces to help explain what is going on. Most of their discussion & pieces will cover 2 specific affected areas: 1) How are policymakers addressing health data privacy risks, and 2) The impact on business models within the Health Data Goldilocks Dilemma.
The Office of the National Coordinator (ONC) and the Centers for Medicare and Medicaid (CMS) have proposed final rules on interoperability, data blocking, and other activities as part of implementing the 21st Century Cures Act. In this series, we will explore ideas behind the rules, why they are necessary and the expected impact. Given that these are complex and controversial topics that are open to interpretation, we invite readers to respond with their own ideas, corrections and opinions.
Interventions to Address Market Failures
Many of the rules proposed by CMS and ONC are evidence-based interventions aimed at critical problems that market forces have failed to address. One example of market failure is the long-standing inability for health care providers and insurance companies to find a way to exchange patient data. Each has critical data the other needs and would benefit from sharing. And, as CMS noted, health plans are in a “unique position to provide enrollees a complete picture of their claims and encounter data.” Despite that, technical and financial issues, as well as a general air of distrust from decades of haggling over reimbursement, have prevented robust data exchange. Remarkably, this happens in integrated delivery systems which, in theory, provide tight alignment between payers and providers in a unified organization.
With so much attention focused on requirements for health IT companies like EHR vendors and providers, it is easy to miss the huge impact that the new rules are likely to have for payers. But make no mistake, if implemented as proposed, these rules will have a profound impact on the patient’s ability to gather and direct the use of their personal health information (PHI). They will also lead to reduced fragmentation and more complete data sets for payers and providers alike.
Overview of Proposed CMS Rules on Information Sharing and Interoperability
The proposed CMS rules affect payers, providers, and patients stating that they:
Require payers to make patient health information available electronically through a standardized, open application programming interface (API)
Promote data exchange between payers and participation in health information exchange networks
Require payers to provide additional resources on EHR, privacy, and security
Require providers to comply with new electronic notification requirements
Require states to better coordinate care for Medicare-Medicaid dually eligible beneficiaries by submitting buy-in data to CMS daily
Publicly disclose when providers inappropriately restrict the flow of information to other health care providers and payers
Today, THCB is spotlighting Lygeia Ricciardi. As the former Director of Consumer e-Health at the ONC, Lygeia tells us about patient access to health data and the ONC and CMS’s new rules on interoperability. But now, she’s the CTO of Carium Health, going from a “consumer activist consultant-type” to actually working with a startup. Carium provides a platform for consumer empowerment and engagement, helping to guide individuals through their health care and wellness journeys.
The dashboard is the potent symbol of our age. It offers the elegant visualization of data, and is intended to capture and represent the performance of a system, revealing at a glance current status, and pointing out potential emerging concerns. Dashboards are a prominent feature of most every “big data” project I can think of, offered by every vendor, and constructed to provide a powerful sense of control to the viewer. It seemed fitting that Novartis CEO Dr. Vas Narasimhan, a former McKinsey consultant, would build (then tweet enthusiastically about) “our new ‘control tower’” – essentially a multi-screen super dashboard – “to track, analyse and predict the status of all our clinical studies. 500+ active trials, 70+ countries, 80 000+ patients – transformative for how we develop medicines.” Dashboards are the physical manifestation of the ideology of big data, the idea that if you can measure it you can manage it.
I am increasingly concerned, however, that the ideology of big data has taken on a life of its own, assuming a sense of both inevitability and self-justification. From measurement in service of people, we increasingly seem to be measuring in service of data, setting up systems and organizations where constant measurement often appears to be an end in itself.
My worries, it turns out, are hardly original. I’ve been delighted to discover over the past year what feels like an underground movement of dissidents who question the direction we seem to be heading, and who’ve thoughtfully discussed many of the issues that I stumbled upon. (Special hat-tip to “The Accad & Koka Report” podcast, an independent and original voice in the healthcare podcast universe, for introducing me to several of these thinkers, including Jerry Muller and Gary Klein.)
The 2016 21st Century CURES Act is the law. It is built around two phrases: “information blocking” and “without special effort” that give the administration tremendous power to regulate anti-competitive behavior in the health information sector. The resulting draft regulation, February’s Notice of Proposed Rulemaking (NPRM) is a breakthrough attempt to bend the healthcare cost curve through patient empowerment and competition. It could be the last best chance to avoid a $6 Trillion, 20% of GDP future without introducing strict price controls.
This post highlights patient-directed access as the essential pro-competition aspect of the NPRM which allows the patient’s data to follow the patient to any service, any physician, any caregiver, anywhere in the country or in the world.