US healthcare is exceptional among rich economies. Exceptional in cost. Exceptional in disparities. Exceptional in the political power hospitals and other incumbents have amassed over decades of runaway healthcare exceptionalism.
The latest front in healthcare exceptionalism is over who profits from patient records. Parallel articles in the NYTimes and THCB frame the issue as “barbarians at the gate” when the real issue is an obsolete health IT infrastructure and how ill-suited it is for the coming age of BigData and machine learning. Just check out the breathless announcement of “frictionless exchange” by Microsoft, AWS, Google, IBM, Salesforce and Oracle. Facebook already offers frictionless exchange. Frictionless exchange has come to mean that one data broker, like Facebook, adds value by aggregating personal data from many sources and then uses machine learning to find a customer, like Cambridge Analytica, that will use the predictive model to manipulate your behavior. How will the six data brokers in the announcement be different from Facebook?
The NYTimes article and the THCB post imply that we will know the barbarians when we see them and then rush to talk about the solutions. Aside from calls for new laws in Washington (weaken behavioral health privacy protections, preempt state privacy laws, reduce surprise medical bills, allow a national patient ID, treat data brokers as HIPAA covered entities, and maybe more) our leaders have to work with regulations (OCR, information blocking, etc…), standards (FHIR, OAuth, UMA), and best practices (Argonaut, SMART, CARIN Alliance, Patient Privacy Rights, etc…). I’m not going to discuss new laws in this post and will focus on practices under existing law.
Patient-directed access to health data is the future. This was made clear at the recent ONC Interoperability Forum as opened by Don Rucker and closed with a panel about the future. CARIN Alliance and Patient Privacy Rights are working to define patient-directed access in what might or might not be different ways. CARIN and PPR have no obvious differences when it comes to the data models and semantics associated with a patient-directed interface (API). PPR appreciates HL7 and CARIN efforts on the data models and semantics for both clinics and payers.
By KENNETH D. MANDL, MD, MPH, DAN GOTTLIEB, MPA, and JOSHUA MANDEL, MD
This piece is part of the series “The Health Data Goldilocks Dilemma: Sharing? Privacy? Both?” which explores whether it’s possible to advance interoperability while maintaining privacy. Check out other pieces in the series here.
A patient can, under the Health Insurance Portability and Accountability Act (HIPAA), request a copy of her medical records in a “form and format” of her choice “if it is readily producible.” However, patient advocates have long complained about a process which is onerous, inefficient, at times expensive, and almost always on paper. The patient-driven healthcare movement advocates for turnkey electronic provisioning of medical record data to improve care and accelerate cures.
There is recent progress. The 21st Century Cures Act requires that certified health information technology provide access to all data elements of a patient’s record, via published digital connection points, known as application programming interfaces (APIs), that enable healthcare information “to be accessed, exchanged, and used without special effort.” The Office of the National Coordinator of Health Information Technology (ONC) has proposed a rule that will facilitate a standard way for any patient to connect an app of her choice to her provider’s electronic health record (EHR). With these easily added or deleted (“substitutable”) apps, she should be able to obtain a copy of her data, share it with health care providers and apps that help her make decisions and navigate her care journeys, or contribute data to research. Because the rule mandates the “SMART on FHIR” API (an open standard for launching apps now part of the Fast Healthcare Interoperability Resources ANSI Standard), these apps will run anywhere in the health system.
Imagine solving wicked problems of patient matching, consent, and a patient-centered longitudinal health record while also enabling a world of new healthcare services for patients and physicians to use. The long-awaited Notice of Proposed Rulemaking (NPRM) on information blocking from the Office of the National Coordinator for Health Information Technology (ONC) promises nothing less.
Having data automatically follow the patient is a laudable goal but difficult for reasons of privacy, security, and institutional workflow. The privacy issues are clear if you use surveillance as the mechanism to follow the patient. Do patients know they’re under surveillance? By whom? Is there one surveillance agency or are there dozens in real-world practice? Can a patient choose who does the surveillance and which health encounters, including behavioral health, social relationships, location, and finance are excluded from the surveillance?
The security issues are pretty obvious if one uses the National Institute of Standards and Technology (NIST) definition of security versus privacy: Security breaches, as opposed to privacy breaches, are unintentional — typically the result of hacks or bugs in the system. Institutional workflow issues also pose a major difficulty due to the risk of taking responsibility for information coming into a practice from uncontrolled sources. Whose job is it to validate incoming information and potentially alter the workflow? Can this step be automated with acceptable risk?
It’s not hard to see how surveillance as the basis for health information sharing would be contentious and risk the trust that’s fundamental to both individual and public health. Nowhere is this more apparent than in the various legislative efforts currently underway to expand HIPAA to include behavioral health and social determinants of health, preempt state privacy laws, grant data brokers HIPAA Covered Entity status, and limit transparency of how personal data is privately used for “predictive analytics”, machine learning, and artificial intelligence.
“When doctors today say patients should stay off the Internet, I know they’re wrong.” — ePatient Dave de Bronkart
Dave de Bronkart (aka ePatient Dave) credits online communities of other patients – and access to clinical research he found on his stage 4 cancer diagnosis – with saving his life more than a decade ago. Fast forward, and this patient advocate has taken his mantra, “Let Patients Help,” to the TedTalk stage and beyond.
As health care continues to shift its focus from ‘patients’ to ‘consumers,’ how can we all be better, more empowered participants in this system that, despite its best efforts, remains closed, difficult to understand, and challenging to navigate?
I caught up with Dave to talk about his definition of what it means to be a ‘consumerist patient advocate’ and get his suggestions for how we can all better partner with our doctors and nurses when it comes to improving our health. The magic ingredient is data – namely, access to it in a frictionless and open way – so that we can be fully involved in learning about our health and able to set priorities when it comes to preserving it.
How did access to health data prevent serious health consequences in Dave’s life? He’s got more than one story to prove this point – oh, and a great little rap (yes, that kind of rap) at the end.
Get a glimpse of the future of healthcare by meeting the people who are going to change it. Find more WTF Health interviews here or check out www.wtf.health.
WTF Health – ‘What’s the Future’ Health? is a new interview series about the future of the health industry and how we love to hate WTF is wrong with it right now. Can’t get enough? Check out more interviews at www.wtf.health.
How can patients help usher in a better future for healthcare? Start speaking up. LOUDLY.
In this WTF Health interview, meet one of health’s most outspoken patient advocates, Twitter voices (@mightycasey) and podcasters, Casey Quinlan of Mighty Casey Media, who talks about her patient journey as a cancer survivor — and why the awful experience led her to tattoo a QR code linking to her electronic medical record to her chest.
Casey’s ‘physical political protest’ is tied to her passionate views about the lack of data liquidity in healthcare and how patients suffer as a result. She’s launching a new “If-You’re-Selling-My-Health-Data-Cut-Me-In” Movement and weighs in on why more patients aren’t clamoring after their health data to push real change in the healthcare system.
Filmed at Health Datapalooza in Washington DC, April 2018.
Physicians have always been in the information business. We have kept records of patient data regarding the vital signs, allergies, illnesses, injuries, medications, and treatments for the patients we serve. We seek knowledge from other physicians, whether that knowledge comes from the conclusions of experts from research published in a medical journal or the specialist down the hall. However, a physician will always benefit from additional good information such as the analysis of pooled data from our peers treating similar patients or from the patients themselves.
Over the next few years, vast new pools of data regarding the physiologic status, behaviors, environment, and genomes of patients will create amazing new possibilities for both patients and care providers. Data will change our understanding of health and disease and provide a rich new resource to improve clinical care and maximize patient health and well-being.
Patient Data Used by the Patient
Instead of a periodic handful of test results and a smattering of annual measurements in a paper chart, health data will increasingly be something that is generated passively, day by day, as a byproduct of living our lives and providing care. Much of the data will be generated, shared, and used outside of the health system. It will belong to patients who will use it to manage their lives and help them select physicians and other healthcare professionals to guide them in their quest for a long and healthy life.
Based on a patient’s preferences and needs, the data will flow to those who can best assist them in maintaining their health. It will reveal important and illuminating patterns that were not previously apparent, and with the right system in place, it will trigger awareness and alerts for patients and other providers that will guide behaviors and decisions.
Long time (well very long time) readers of THCB will remember my extreme frustration with Patient Privacy Rights founder Deborah Peel who as far as I can tell spent the entire 2000s opposing electronic health data in general and commercial EMR vendors in particular. I even wrote a very critical piece about her and the people from the World Privacy Forum who I felt were fellow travelers back in 2008. And perhaps nothing annoyed me more than her consistently claiming that data exchange was illegal and that vendors were selling personally identified health data for marketing and related purposes to non-covered entities (which is illegal under HIPAA).
However, in recent years Deborah has teamed up with Adrian Gropper, whom I respect and seemed to change her tune from “all electronic data violates privacy and is therefore bad”, to “we can do health data in a way that safeguards privacy but achieves the efficiencies of care improvement via electronic data exchange”. But she never really came clean on all those claims about vendors selling personally identified health data, and in a semi-related thread on THCB last week, it all came back. Including some outrageous statements on the extent of, value of, and implications of selling personally identified health data. So I’ve decided to move all the relevant comments to this blog post and let the disagreement continue.
What started the conversation was a throwaway paragraph at the end of a comment I left in which I basically told Adrian to rewrite what he was saying in such a way that normal people could understand it. Here’s my last paragraph:
As it is, this is not a helpful open letter, and it makes a bunch of aggressive claims against mostly teeny vendors who have historically been on the patients’ side in terms of accessing data. So Adrian, Deborah & PPR need to do a lot better. Or else they risk being excluded back to the fringes like they were in the days when Deborah & her allies at the World Privacy Forum were making ridiculous statements about the concept of data exchange.
Join me in attacking an endemic problem in health care today by Hacking HIPAA. I am crowdfunding the development of a new legal form to be used on and after September 23, 2013 to allow patients to opt-in to easier health care communications – a Common Notice of Privacy Practices that is patient-focused. (Text me, please! Email me, please! etc.)
Depending on how much support this project garners, we can attack some related problems as well. Contributions at any level are welcome; contributions at the levels designated on the Hacking HIPAA Medstartr page get you a seat at the virtual table, voicing your concerns that need to be met in the CNPP and in follow-on projects.
I’m working on this project with two leading health care open source software developers, Ian Eslick and Fred Trotter. Check out Fred’s video intro to the project on the Medstartr page – you can find Ian and Fred online via the links on the project page, too.
Here’s an excerpt from the crowdfunding project page:
Right now we have the worst of all worlds with regards to patient privacy in healthcare. Patients are frequently subject to sub-standard security and privacy practices AND healthcare innovators are unable to deliver solutions that would be useful to patients because their technical approaches are uncomfortably novel for health care bureaucrats. Patients end up getting poor security and no innovation, the worst of all options. This problem is going to get worse before it gets better, since the new Omnibus HIPAA Rule will make cloud hosting of health care projects untenable very soon.
You probably saw some of the headlines last week where Box announced that it is supporting HIPAA and HITECH compliance, signing Business Associate Agreements (BAAs), and integrating with several platform app partners such as Doximity, drchrono, TigerText, and Medigram to help seed its new healthcare ecosystem. I also announced that I was formally advising Box on their healthcare strategy.
I was drawn to Box because of all the lessons I learned at Google building a consumer-directed, personal health record (PHR), Google Health. Google Health allowed you to securely store, organize and share all of your medical records online and control where your data went and how it was managed. It was unlike the other PHRs in the industry that were tethered to the provider or payor or part of an Electronic Health Record (EHR) system.
Sound good? Well, it was in theory. The big issue with Google Health was aggregating your data from the disparate sources that stored data on you. We had to create a ton of point-to-point integrations with large health insurance companies, academic medical centers, hospitals, medical practices and retail pharmacy chains. All of these providers and payors were covered entities in the world of HIPAA and were required to verify a patient’s identity before releasing any data to them electronically. It was a very bumpy user experience for even the most super-charged, IT savvy consumer.
It’s called Blue Button+ and it works by giving physicians and patients the power to drive change.
The US deficit is driven primarily by healthcare pricing and unwarranted care. Social Security and Medicare cuts contemplated by the Obama administration will hurt the most vulnerable while doing little to address the fundamental issue of excessive institutional pricing and utilization leverage. Bending the cost curve requires both changing physicians’ incentives and providing them with the tools. This post is about technology that can actually bend the cost curve by letting the doctor refer, and the patient seek care, anywhere.
The bedrock of institutional pricing leverage is institutional control of information technology. Our lack of price and quality transparency and the frustrating lack of interoperability are not an accident. They are the carefully engineered result of a bargain between the highly consolidated electronic health records (EHR) industry and their powerful institutional customers that control regional pricing. Pricing leverage comes from vendor and institutional lock-in. Region by region, decades of institutional consolidation, tax-advantaged, employer-paid insurance and political sophistication have made the costliest providers the most powerful.