Baseline Article on PHRs - Half Correct

One of the better IT publications is Baseline.  Their reporters typically do in-depth stories on various IT subjects and their case studies of large IT implementations are some of the best I have seen (and in my decade plus as an analyst, I’ve seen a lot). This week, Baseline published an article on privacy and PHRs.  [...]
Read more [Healthcare IT: Analyst's Views]

GAO: Privacy Laws Need Revamping

Congress should revise the scope of federal privacy laws, including those pertaining to medical information, to cover all personal information and limit the use of that information, according to recent congressional testimony from the Government Accountability Office.
Read more [Health Data management Online Current News]

Connecting for Health: Another wave in the shift to consumer controlled health information

The recent announcement of the Common Framework for Networked Personal Health Information by the Connecting for Health collaboration lead by the Markle Foundation is just the next wave in what may be a tidal shift. The tidal shift is one centered on the input, control, ownership, and administration of health information that results from the active and real use of PHRs by consumers.

Those participating in and endorsing the Connecting for Health initiative are a diverse group of health care and technology companies, including Google, Microsoft, Intuit, WebMD, Dossia, BlueCross BlueShield, AARP, AAFP, SureScripts and others.

Whether or not the wave is large enough or just one of many more to come is yet to be determined. The ocean of health information and health information exchange is so fluid these days as we undergo major projects surrounding health information technology at the national level, state level, by HIEs, private industy, etc. For health lawyers - it is a field day for spotting regulatory legal issues and implications. Some of the real life factual scenarios we have been going through as a result of work related to the West Virginia Health Information Network and the NIH2 project remind me of law school exams.

For more insight on the Connecting for Health collaborative check out thoughts by other health care lawyers: Jeff Drummond who talks about the provider "betamax" and "culture fears, David Harlow who raises good questions and applauds the effort to gain public trust. He also looks at whether the recent PHR developments might obviate the need for local HIE infrastructure (with follow up commentary from Micky Tripathi at MAeHC Blog). Matthew Holt looks at the important health vs. wealth issue underlying the effort and the (non)involvement of the EMR vendors in the process.

Check out the latest developments with a Google News search: "connecting for health".
Read more [Health Care Law Blog]

Key players agree on PHR framework

A group of the leading lights in the PHR world have come together to endorse a PHR standard, potentially putting to bed the initial arguments over what a PHR actually is and shifting participants' energy to improving features. Connecting for Heath's "Common Framework for Networked Personal Health Information," which was developed over a number of years, has gotten the thumbs-up from Google, Microsoft, WebMD, Dossia, Aetna, the Blue Cross and Blue Shield Association and America's Health Insurance plans. A number of provider organizations were involved in the development of the framework and have endorsed the the final result, including Geisinger Health System, the VA and Partners HealthCare. 

While the framework should help a great deal in creating interoperable health data sets, it won't resolve a key legal issue--whether these new patient data compilations should be protected under HIPAA. Right now, the majority of entities offering PHRs--such as Google, Microsoft and WebMD--aren't defined as "covered entities" by HIPAA, and so they aren't technically required to meet HIPAA standards. The players also face ongoing struggles over how to protect privacy, which isn't defined in the framework.

To learn more about the framework:
- read this Modern Physician piece (reg. req.)

Related Articles:
AHIMA demands better PHR privacy protections
Addressing ID verification could spur PHR adoption
HIPAA privacy officer job expanding quickly

Deal Reached on Senate Privacy Bill

Read more [Health Data Management Magazine Articles]

ACLU: House I.T. Bill Lacks Privacy

Health care information technology legislation introduced in recent days in the House does not adequately protect patient privacy, according to the American Civil Liberties Union.
Read more [Health Data management Online Current News]

Electronic Medical Record Perspectives Grow

There is an interesting blog post in BNET entitled Electronic Medical Records:  Bad for Health? The discussion around EMRs is fascinating. There are many differing perspectives on various topics:  privacy, interoperability, usability, acceptance, failure, etc.

This article consolidates some of the recent negative articles or perspectives on EMRs, including:

• Privacy - exposing patient data to outsiders.
• Savings - insurers gain more than physicians
• Copy-and-paste - copying notes from one patient record to another, because it helps with billing
• Too much information - no human selection of relevant information
• Physician insensitivity - “Dr. Computer”
• “Cookie-cutter” medicine - just using the template

These points may be valid, but is the status quo better? Continuing with a paper-based system does not seem to be the better answer. Having the right sense of responsibility to deliver the right approach in using EMRs seems to address many of the potential issues.

MAeHC's second HIE goes live in Newburyport

MAeHC CEO Micky Tripathi blogged today about the launch of the MA eHealth Collaborative's latest accomplishment -- the launch of its second (of three planned) community-wide health information exchanges, this one in greater Newburyport.  Patients can opt in to the system, which allows for sharing of health data community-wide: labs, hospitals, physician offices, etc., thus promoting better coordination of care and less duplication of diagnostic testing.  In the future, there will be a patient portal as well, allowing patient access to all this information, too.

Given the strides made in the PHR market since this HIE project first got under way, I wonder whether the Google Healths and HealthVaults of the world may obviate the need for some pieces of the infrastructure of local HIEs, bringing them more withing reach financially for a broader range of providers and communities -- particularly as privacy, interoperability and chain-of-trust issues are better addressed on those platforms (see my earlier post touching on recent developments in those arenas).  There have been myriad workflow and process improvements that MAeHC has helped local providers make as they prepared for the transition to EHRs; my observation is limited to the "last mile," if you will, the connections among providers and between providers and patients.

-- David Harlow

PHR privacy breakthrough?

Connecting for Health. a broad industry coalition organized by the Markle Foundation, announced yesterday a framework for PHR privacy protection that could, if fully implemented, bridge the gap from HIPAA protection of PHI in the covered entity and business associate realm to the Wild West environment in the world of PHRs.  Parties endorsing the Common Framework for Networked Personal Health Information include Microsoft, Google, payors, providers, IT vendors, and associations from AHIP to AARP. 

This framework has been in development for 18 months, and is being touted as the solution to the PHR privacy question -- i.e., how can PHR vendors be trusted to keep personal health record information private if they are not covered by HIPAA or other regulatory strictures.  The response to date has been, essentially: "Hey, we have a privacy policy."  As these policies, by their terms, may be revised without advance notice they are (even if they are very good) not much to rely upon.

Since this is a framework rather than a finished product -- guiding principles rather than fully-fleshed-out rules -- some of the same nagging questions that I have raised before elsewhere at HealthBlawg (as have many others) remain.  For example:

• How are privacy policies enforced?  Self-policing?  Third-party certification?  This seems to be up in the air at the moment.
• Is there a mechanism for health care provider certification of records ("chain of trust"), so that PHR information may be trusted by other providers?  This seems to be in the works.

There is a tremendous amount of information provided via the links above, and the participants in this effort are to be commended for their undertaking, which has been made necessary by the regulatory vacuum in this field and by the concomitant need to develop public trust in a whole new type of products and services that would otherwise bee seen as useful but perhaps too risky.  There's a long road ahead, but this framework puts us several steps down that road.

-- David Harlow
 

Markle promotes a privacy standard

By Matthew Holt The Markle Foundation put together a group creating a road map over the last few years and today they announced their new policy framework for privacy in PHRs and personal health information. In general this is a...
Read more [The Health Care Blog]

ACLU joins privacy advocates on healthcare IT bill

The American Civil Liberties Union has joined the chorus of privacy advocates calling for strict security safeguards for medical information as Congress prepares to consider proposed healthcare IT legislation.
Read more [Healthcare IT News]

Privacy Framework for PHRs

Early this afternoon, The Markle Foundation announced broad industry endorsement for their just released Privacy Framework, a part of a broader effort by Markle referred to as the Connected For Health Framework. Quoting from the press release: …endorsing a set of practices for new internet services that help consumers track and improve their health. The [...]
Read more [Healthcare IT: Analyst's Views]

Connecting for Health releases industry-first PHR framework

Connecting for Health has released a common framework for increasing consumers' privacy and control of their health information on online personal health records, or PHRs.
Read more [Healthcare IT News]

Lawmakers introduce healthcare IT legislation

U.S. Reps. John Dingell (D-Mich.) and Joe Barton (R-Texas) introduced legislation Tuesday aimed at encouraging speedier adoption of healthcare information technology while also protecting patient privacy.
Read more [Healthcare IT News]

Bad data mining

Recently I received a flier in the mail from Bausch & Lomb, offering me a free sample of an over-the-counter allergy drug called Alaway (ketotifen fumarate ophthalmic solution). "Don't suffer through another allergy season. Stop itchy eyes," the mailer said.

How did Bausch & Lomb know I have hay fever? It could only be from my history of purchasing OTC decongestants like Claritin-D and Alavert-D (both are loratadine/pseudoephedrine combos). And the reason why drug companies know I was taking this medication is because federal law now requires a photo ID and a signature to purchase any products containing pseudoephedrine. (Thanks, meth heads, for inconveniencing millions of innocent people.)

Clearly, pharmacies are selling their pseudoephedrine purchase logs to pharma marketers. Some might call this legitimate use of my personal information for disease management purposes under the treatment/payment/operations exception to HIPAA. It feels more like a violation of my privacy.

Anyone else have similar thoughts?

Privacy, Security Top HIPAA Summit

The Sixteenth National HIPAA Summit, with a heavy emphasis on privacy and security issues, is scheduled for Aug. 18-21 at Harvard University in Cambridge, Mass.
Read more [Health Data management Online Current News]

Patient compliance with prescription regimens, evil for-profit health care companies, and Health 2.0

Last week, Paul Levy blogged on patient compliance with drug regimens, offering some statistics courtesy of Express Scripts, the recently-fined PBM.  (I caught wind of Paul's post only yesterday,, thanks to my wife the Luddite who has the Boston Globe delivered to our doorstep.) 

No surprise, compliance is kinda low.  Commenters on Paul's post noted -- among other things -- that (1) using the word "compliance" is un-PC, as it assumes that Doctor Knows Best, (2) MDs are run ragged by HMOs so they can't be expected to explain drug regimens to patients and (3) can't trust Express Scripts.

(Interestingly, as an aside, Express Scripts announced this spring the establishment of The Center for Cost-Effective Consumerism once it realized that it could influence consumers to switch to higher-profit-margin generic cholestorol medications.)

This brought to mind a troubling statistic I saw a few weeks ago: Massachusetts is number one in the nation for e-prescribing, but that only means that 13% of scrips are handled electronically.  The rate of adoption has been infernally slow here in Beantown, even worse elsewhere (top ten states include some barely above the 2.5% mark).  The federales may try to mandate encourage eprescribing using legislative carrots, and have laid the groundwork for a national e-prescribing system with uniform standards through regulations (see the e-prescribing regs issued recently by CMS (see related press release and e-prescribing page).      

The regs address many of the concerns of the naysayers (esp. interoperability, and also privacy concerns, though further legislative action -- e.g. "TRUST" -- would be helpful), and the potential benefits are enormous: avoiding the illegible scrawl/med error issue, automated drug interactions checks, cost savings to patients through improved and automated prescriber-insurer-pharmacy communication about formulary restrictions and -- back to Paul's issue --  feedback to prescribers regarding whether or not a prescription has been filled (many are not), giving prescribers and their staffs an opportunity to contact noncompliant patients with reminders or potentially other resources (including financial resources and referrals to sources of payment/insurance) to address the reasons for noncompliance.

-- David Harlow

Group: HIPAA a Barrier to Research

The HIPAA privacy rule is having a negative impact on the advance of biomedical research and the search for treatments, according to a new report from The Association of Academic Health Centers.
Read more [Health Data management Online Current News]

Score one more for Google Health at the Hub of the Universe

Another Hub health care worthy has signed up with Google Health -- today's Boston Globe reports that Blue Cross Blue Shield of Massachusetts joins Beth Israel Deaconess Medical Center -- see John Halamka's GeekDoctor post -- in facilitating the download of patient data to Google Health PHRs. 

Per the Globe, BCBS says that "Google wants to attract as many users as possible to its site, while Blue Cross-Blue Shield seeks to offer members an online tool."

Regarding attracting users to Google's site -- Google says it isn't serving ads on Google Health, but presumably that won't last for long, because that's how the Googleplex keeps humming.  The value of the online tool for BCBS members is limited so long as the data is limited to insurance company data.  If local provider networks -- beyond the BI Deac -- were to sign up, the value to individuals would be greater.  John Halamka (BI Deac CIO) also notes in a response to a comment on the blog post linked to above, that

The interesting advantage over Patientsite [the BI Deaconess PHR portal] that Google Health may develop is that it is a development platform which thousands of programmers can extend. I expect hundreds of new applications over the next 6 months that will enable patients to get decision support, graph/chart their data, and connect to home health devices like blood pressure cuffs/exercise machines. The utility of Google Health will be measured by the number [of] the patients who decide to use it based on the value add of these new applications.

Americans care about healthcare IT, Kaiser survey shows

A little more than half of Americans say healthcare IT should be a top priority for the next president, according to a new Kaiser Permanente survey. The research also revealed that Americans continue to have concerns about privacy.
Read more [Healthcare IT News]

Say what?

The following press release crossed the wire this morning:

SOURCE: Aperture Health, Inc. (flexSCAN, Inc.)
Jun 12, 2008 08:00 ET

Aperture Health Announces Sweepstakes

MISSION VIEJO, CA--(Marketwire - June 12, 2008) - Aperture Health, Inc. (OTCBB: APRE) announced today that it will raffle off its wellness360 Wellness RV to one of its lucky members. Tom Banks, founder and CEO, stated that the RV "is beautiful and will be ideal for family vacations." Members will receive one (1) entry in the Road-to-Wellness sweepstakes for every friend they invite to become members of wellness360.com. There's no cost to enter. Entries must be received by August 31, 2008 for the September 15, 2008 drawing. Visit the website for the sweepstakes Official Rules. Members also earn ten (10) points for every invitation sent. Banks added, "We think everyone should join wellness360. It's easy and you will earn points that are redeemable for cash. Our unique proposition is that you get paid to get healthy and you may even win a $40,000 RV."

About Aperture Health, Inc.

Aperture Health generates revenues from advertisers by providing highly granular health and wellness targeting. Aperture Health never divulges individual information to advertisers, sponsors, employers or any third parties and they back their promise with a $1 million Privacy Guarantee. wellness360™ empowers people to take action with their health and wellness with a robust suite of online services including; diet and fitness management tools, research tools to stay informed on issues related to their personal health and wellness needs and an online medical resource library and state-of-the-art search engine. More importantly, wellness360.com also allows individuals to electronically store their personal health records as well as all their "paper" medical records from their doctors. As an added benefit, members can create a wellness360's Emergency Medical Record enabling emergency responders to quickly and easily dispatch key medical information to emergency personnel.

That's right, Aperture Health, a PHR company, is giving away a $40,000 RV (photos here), to drum up referrals to its advertising-supported product. Yes, the service relies on ads based on patient-entered personal health information, with a promise of 33 percent cash back to users.

The fact that virtually no consumer is taking the time to enter data into any sort of PHR notwithstanding, this ought to raise hackles of privacy hawks everywhere.

As I type this, I'm in Washington, listening to Paul Wallace, M.D., of Kaiser Permanente speak to the 7th Annual Information Therapy Conference about patient-centered care and health IT. He just came out with a line that fits pretty perfectly right here: "I would argue that no consumer has ever had a hand in developing consumer-directed healthcare."

For the record, Aperture stock closed at 6 cents a share today.

Health IT: Is it worthwhile, and will the government screw up a good thing?

Item:  CBO says EHRs don't really save money after all.

Item:  DoD is hard at work undermining VistA (developed over years at taxpayer expense and now in the public domain) and replacing it with a zillion-dollar military-industrial complex "solution."

Item:  ONCHIT's two-years-overdue report on the development of a National Health Information Network and expansion of EHR use comes out and seems to come from another planet.

All in all, the federales seem hell-bent on screwing up what could be a good thing -- or are they?

The headlines on the CBO report ignore the full story:  EHR adoption alone won't help -- adoption needs to be followed by changes in practice.  For a good (but long) review of the CBO report and other prognostications on the future and value of EHRs, see Mark Frise's Policy Blog.  Score one for the bureaucrats.

Health Beat is beating the drum on DoD's undermining of VistA, and the approach described there seems to be of a piece with the ONC's report, which continues to recommend pushing development into the private sector, and -- as pointed out in a scathing review on The Health Care Blog, seems blissfully unaware of the existence of the Internet, and its use for secure transmission of health information.  While I am not technologically savvy enough to appreciate the potential shortcomings of VistA, a bunch of techies are lined up behind it, and it has encouraged a fair number of businesses to sprout up based on tweaking and implementing it in various settings.  The ONC report just seems to confirm folks' worst fears about government --  too big, unwieldy and out-of-touch to do much good.  It is a striking contrast to the VA that nurtured the development of ViistA and that has managed to eke significant improvements and cost savings out of its vast system, thanks in part to VistA. 

Bottom line: EHR systems have potential to do good, but they need to be implemented in a sensible, cost-effective and interoperable manner, and clinicians need to make the best use possible of the intelligence that they can help us gather and process. 

Sounds obvious, right?  So why isn't this just happening? 

One issue is, of course, the cost of implementation.  The feds have taken a variety of baby steps in the right direction (e.g., the recent EHR demonstration project grants), and some pending legislation might go further (see links to legislation in a previous HealthBlawg post), but EHR adoption is held up by the initial cost (equipment, software, training, lost productivity while learning the system) to smaller providers and provider networks across the country. 

Another is the resistance by many seasoned clinicians to change their practice patterns, even in the face of evidence.  Pay for performance incentives may assist in moving these behaviors around, but payors in the U.S. seem stuck at a ceiling of about 5% of total compensation being tied to performance.  (Maybe it's the fear of paying to get someone healthier and then have that patient switch insurers next open enrollment, thereby losing the benefit of that investment).

There are other reasons, too, I'm sure . . . . I've gotten a little off the mark here and perhaps dangerously close to arguing for a single payor system (which I hadn't meant to do), and this issue is closely connected to a host of others, so I'll just stop here for today.

-- David Harlow   
 

Privacy is Important but…

Is all this talk about privacy actually hindering HIT adoption? This week, a congressional panel is once again talking about the need to aggressively move forward to drive adoption for IT in the healthcare sector.  While IT is certainly no panacea for all of the numerous ills that afflict this broken system, it certainly can help. Unfortunately, [...]
Read more [Healthcare IT: Analyst's Views]

This Isn't Supposed to Happen on Facebook

Rather than take the time to describe what I've been dealing with at Facebook since the beginning of the holiday weekend, I am simply going to re-post the email thread between myself, Facebook, the Attorney General of Massachusetts, the Barack Obama campaign, the Boston Globe, the Congressional Black Caucus, a number of prominent bloggers active in the social media space, and the Boston offices of the Clinton campaign and the NAACP.

I have removed one link because I am not certain that the Web page it leads to correctly identifies the perpetrator of the vile, racist, hate-filled messages I received.

Facebook's decision to reinstate my account was better late than never. Their final decision along with the entire email chain follows:
Hi Jeff,

Your account was disabled because you took repeated actions that could be construed as spam. For instance, it is a violation of Facebook's Terms of Use to repeatedly send the same message or to make the same post. Facebook prides itself in protecting users from spam, and we take this standard very seriously.

However, after reviewing your situation, we have reactivated your account, and you should now be able to log in. Please refrain from sending the same message or repeating the same post, as further violations of our Terms will result in your account being permanently disabled.

Please also be aware that when a warning message appears on your home page, it will generally be displayed for 24 hours. It can be displayed for longer, however, if you continue to perform these actions. We appreciate your cooperation going forward.

Thank you for reporting this potential abuse on our site. We will review the reported material and remove anything that violates our Terms of Use. If warranted, we will either warn or disable the user.

In the future, please feel free to use the "Report" links located near most pieces of content on the site to report offensive material to Facebook. If you are not able to use the "Report" links for any reason, please write to us at privacy@facebook.com with a link to the offensive material and a description of the problem. We will then review this material and take the appropriate action. Please be assured, these reports will be kept confidential.

Thanks for contacting Facebook,

Leslie
User Operations
Facebook

-----Original Message to Facebook-----
From: Jeff O'Connor (jtoc72@yahoo.com)
To: naacpbostonbranch@verizon.net
ArrayCC: info@facebook.com, warning@facebook.com, cdoten@hillaryclinton.com, letter@globe.com
Subject: [SPAM] Fw: Harassment, Racial Slurs from Clinton Supporter to Obama Supporter at Facebook.com; Facebook Closes Obama Supporter's Account

Dear Sir or Madam:

I would appreciate the support of the Boston office of the NAACP in petitioning Facebook to do the right thing and bar Marian Shaffer from the site for life, as well as restore my account.

I would also appreciate it if the NAACP could investigate Marian Shaffer's relationship with the Clinton campaign, if any.

Thank you for your support.


----- Forwarded Message ----
From: Jeff O'Connor <jtoc72@yahoo.com
To: ago@state.ma.us
Cc: info@facebook.com; warning@facebook.com; cdoten@hillaryclinton.com; letter@globe.com
Sent: Sunday, March 23, 2008 5:05:55 PM
Subject: Harassment, Racial Slurs from Clinton Supporter to Obama Supporter at Facebook.com; Facebook Closes Obama Supporter's Account

To the Honorable Martha Coakley:

On the morning of March 22, 2008 at 11:06 AM I received the following email through the service provided by the social networking site Facebook.com from a woman identifying herself as Marian Shaffer of Boston, Massachusetts:

GO FUCK YOURSELF, NIGGER LOVER!!!

Shortly thereafter, I received a second message, this one stating:

your little boy sucks cock

- a reference to my one year old nephew, whose pictures I keep in my online photo album.

I do not know nor have I ever met Marian Shaffer, I have never spoken to or about this person, and I have never participated knowingly in any online forum that she is a member of, although given the size and nature of the Facebook online community it is very possible that she's a member of one of the political discussion groups that I am a member of.

I was briefly able to access Marian Shaffer's profile, with the intent of filing a complaint with Facebook about her. During my brief period of access, I was able to see two images posted on her profile - one of a young woman, presumably her, standing next to Hillary Clinton, and another of Barack Obama with the word "NOPE" under it.

Marian Shaffer blocked my access to her profile shortly thereafter, effectively rendering her invisible to me on the site. However, I work in information technology and have helped develop a number of prominent online commercial sites, so I knew enough to be able to view the images in my browser even after she took this action.

I cannot be totally certain, but the woman in the picture with Mrs.Clinton bears a striking resemblance to the person identified as Marian Shaffer in the photograph on this site:

[ REMOVED ]

Because I believe that the same social norms that apply in offline society are applicable online, I took it upon myself to report this person and to re-post her message to me on several social networking, political action, and race relations groups throughout Facebook. This is the exact message that I posted:

This morning I received the following email from Marian Shaffer in my Facebook inbox.

I have never met this person, don't know her, and am not in any Facebook-sponsored groups with her. Therefore, I can't be totally certain, but believe that this was prompted by my being an Obama supporter:

Between You and Marian Shaffer

Marian Shaffer
Today at 11:06am
Report Message
GO FUCK YOURSELF. NIGGER LOVER!!!

Marian Shaffer is from Boston, MA.

This is the link to her profile:

http://www.facebook.com/s.php?k=100000080&id=514286617

Like a true racist coward, she has blocked my access to her profile, so I cannot see it. However, I have notified Facebook and am asking anyone who thinks that this sort of conduct is inappropriate to do the same and request she be banned from this social network.

Thank you for your time.

Because of my efforts to draw attention to this sort of behavior within the Facebook community, Facebook has locked-out my account.

I am not an expert in Internet law, but I believe that if I were to receive harassing letters in the mail from someone I would have the right to make the nature of the letter's content public along with the identity of the sender and seek some sort of criminal and/or civil penalty in the courts if that person were stupid enough to make themselves known to me, as Marian Shaffer was in this case.

I also believe that there are laws against using email and electronic bulletin boards to transmit threatening, racist, and obscene materials. I believe "nigger lover" qualifies, as does the assertion that my one year old nephew engages in fellatio. Finally, I believe that the political context of the email in question runs afoul of federal election laws, especially if Marian Shaffer is involved in some sort of official capacity with the Clinton campaign.

I am asking the office of the Attorney General to investigate this matter and determine what laws, if any have been broken and what course of action I am entitled to in pursuing civil and/or criminal charges against Marian Shaffer and compelling Facebook to disclose her identity to law enforcement or my attorney.

Thank you for your time, I look forward to hearing your reply.


Sincerely,


Jeff O'Connor

p.s.- I attempted to cc: the Obama campaign this email, but all of their Web sites use forms rather than emails for contact. So at the instruction of a staff volunteer, I cut-and-pasted this message into the email form on the Barack Obama campaign Web site here: http://my.barackobama.com/page/s/contact2

-----End Original Message to Facebook-----I am quite sincere in my desire to see Marian Shaffer prosecuted for violating whatever laws are applicable, and would like to find out just what her relationship, if any, is to the Clinton campaign.

If anyone has any information in this regard, please contact me and cc: The Honorable Martha Coakley at ago@state.ma.us

Lastly, I have to thank Jeremiah Owyang for his support and advice in dealing with this matter. Although I've never met him personally, I am very glad that he has put so much work into Web Strategy by Jeremiah, through which I had come to learn of him and respect his opinion.
Read more [Healthcare Informations Systems Blog]

Healthcare NBIC

Jack Powers left a comment on my recent Red Herrings post. His comment linked to some scenarios on the International Informatics Institute site (http://in3.org/), which in turn made me aware of his blog, in which the most recent post, Healthcare NBIC, also links to the two scenario sets Jack referenced. This is a very brief post, but the scenarios make fascinating reading. Jack doesn't post very often in the blog, but the in3.org site looks very active and has a lot of useful information and insights.

Since Google is not a healthcare provider, the privacy restrictions of HIPPA, the Health Insurance Portability and Accountability Act of 1996 don't apply. Health IT security guru Fred Trotter describes why this is a good thing, and we went brainstorming to see how open architecture might affect wellness, sex, eldercare, insurance and other health concerns.

Testimony on healthcare IT highlights privacy, connectivity

Business, government and healthcare leaders testifying before a Congressional subcommittee on Wednesday pressed for passage of healthcare IT legislation.
Read more [Healthcare IT News]

AARP: Strengthen I.T. Legislation

Congress should quickly pass legislation to encourage adoption of health care information technology and create a federal board to tackle related privacy issues, a representative of AARP testified on June 4 before the House Energy & Commerce subcommittee on health.
Read more [Health Data management Online Current News]

Red herrings swimming around Google and Microsoft PHRs

I spent three days last week at the American Medical Informatics Association (AMIA) Spring Congress. I was there to present lessons learned from Michigan's $3.2M NIH Roadmap contract funded under the 2003 "Re-Engineering the Clinical Research Enterprise" Broad Agency Announcement (BAA) in the Clinical Research Informatics track, but I spent a few of the sessions in the Personal Health Records (PHR) track.

Unsurprisingly, there was a lot of buzz in the PHR track about Google Health, and to a lesser degree, Microsoft HealthVault. Google Health was more prominent for several reasons, not all of which are enduringly pertinent: its public debut happened more recently; Google does not suffer from the Borg-like "Evil Empire" image from which Microsoft suffers; and Dr. Roni Zeiger, MD, Google Health Product Manager, was an eloquent and well-received speaker at one of the sessions.

That was Thursday. My presentations were on Friday right after lunch, so I was a bit distracted that morning and missed a couple of breakout sessions. After my time in the limelight, I spent a very inspiring hour talking with Bob DiLaura of Cleveland Clinic, during which we speculated about the future of PHRs. One assertion with which I believe we both agree is that the entry of these two major players is going to revolutionize the healthcare records "marketplace".

I put "marketplace" in quotes because in the USA a market implies exchange of value that can be represented in monetary terms. HealthVault and Google Health are free, and as FasterCures CEO Greg Simon said in one of the keynotes, "Free is the new money". Google and Microsoft will aim for volume, and monetization will come later. It's not terribly difficult to imagine a variety of ways huge volumes of consumer health records could be monetized without violating patient privacy. But there are a lot of red herrings in these waters. Let's look through the glass window in the bottom of the boat here and see what these red herrings look like.

Red Herring #1: Monetization

Monetization is the first (and reddest) of the red herrings. We shouldn't give custody of copies of our medical records to Google, Microsoft, and other PHR providers because they will sell them for profit.

Let's assume the PHR providers understand from the outset that the data they sell cannot be personally identifiable. To do so would be illegal in many if not most jurisdictions, but it would also be killing the goose that lays the golden eggs.

Even if the data were aggregated and not identifiable, it seems somehow lurid for anyone to get rich off a repository of millions, or better yet tens or hundreds of millions, of personal health records.

So, who are the customers for such data? Insurers, for one. They want such data so they can study the prevalence of various disorders and the outcomes for differing treatment protocols. Do they want these data so they can better define pre-existing conditions they want to exclude? You bet your bippy that's one use for the data. But the problem there isn't the insurer for buying or the PHR provider for selling the data, it's the fragmented system that sets up such Prisoner's Dilemma problems in the first place.

Edward Abbey once wrote, when the protagonist of his novel was throwing beer cans out of his Cadillac convertible onto the Texas highway, that the real problem wasn't the beer can - it was the road. We have a similar situation here. We are a country where one out of six of us is uninsured, and our healthcare costs more than twice as much per capita as the next most expensive health care system in the OECD, and two and a half times the average in that cohort. Something is terribly wrong, and Google and Microsoft aren't the villains in that scenario.

In fact they could be seen as heroes, in a way, given that finding the most cost-effective treatment protocols increases the quality of care and our potential for treating a larger fraction of the population.

Pharmas will want the data for the same reason. The feasibility of truly large scale Phase 4 protocols depends on access to large quantities of data. At present there is no way to obtain such data on the scale that would be needed for optimal benefit. Pharmas will definitely be in the checkout line when the data goes on sale.

And finally, the public health agencies will be customers, for the same reasons. They can't afford to do epidemiological studies on the scale that such a rich lode of health information would provide. On the other hand we, the healthcare consuming public, can't afford for them not to do such studies.

Red Herring #2: Impracticality

It has been pointed out that getting the data into the PHR repositories is an unendurable burden, and for that reason it will never happen. This is a specious argument, because much of the data will be reflected automatically from healthcare system EHR repositories, as Cleveland Clinic is doing with Google Health. As for the paper charts, getting those data into the system will involve significantly more effort, to be sure.

I feel optimistic on that front as well. Google is hard at work here on the University of Michigan campus, as well as at Harvard and others, scanning our library systems' tens of millions of books and other documents into their system. The scanning process involves OCR for indexing purposes. This is being done for free - and free is, you will recall, the new money.

Trust me, someday soon practicality will not be the issue. Not with a lode of data this rich.

Red Herring #3: Quality of the data

Some of the data in a PHR will be patient-entered. Isn't such data suspect from a  quality standpoint? Let's leave aside the issue of the comparative quality of the data in the hospital and clinic records; if you want to maintain that these data sources are pristine, the burden of proof is on you. But that aside, yes, the quality of some data points will be suspect. On the other hand, the sheer volume of data should be a huge stabilizing factor in terms of quality. When you have hundreds of millions of records, the overall accuracy should be very acceptable, especially for uses that were impossible before such data were to become available.

Red Herring #4: Ethics

I heard a representative of Kaiser Permanente say that there are ethical issues in making the patient's healthcare data available to them directly. Can we trust them with all that information about their own bodies? If a breach occurs downstream, aren't we indirectly responsible?

Suppose you give a patient a paper document containing news of her HIV-positive diagnosis, and she leaves that piece of paper on the table at the company cafeteria, where her supervisor finds it. Are you, the healthcare provider and diagnostician, responsible? I'm sure a tort litigator would try to say Yes, but I doubt if it will stick. The same logic will apply to PHRs. It may be a rocky legal road at first, as the tort lawyers test the waters, but that's not an ethical issue, it's a legal issue. The ethical issue, in my mind, is whether it is right to withhold such data from the patient, not whether it's right to provide it.

Parting thoughts: Disruptive innovation

This is a classic disruptive innovation, as Clayton Christensen described the phenomenon. Something that is now done well on a large, expensive scale will be done less expensively, with fewer features, targeted at a market thus far unable to afford the existing product or service. By expanding the market, a whole new field of innovation opens up, a field the high-end providers can't afford to enter, even if they see the need - they're too busy satisfying the needs of their existing high-end customers, who want to push the old products to new heights of functionality.

Ultimately the high end becomes a niche in a much larger market segment, a segment created by the disruptive innovation. That's what's happening here. Will Epic, GE, Siemens and the other EHR vendors go out of business? No, but neither are they likely to be the winners in this new game. In their business model, free is a loss leader, not a revenue generator. Of course they could change and adapt, but that outcome is a rarity in situations involving disruptive innovation.

The sharks - Google and Microsoft being the largest - are going to outswim the red herrings. It will take a while, but it has the feel of inevitability.

Federal Health IT Strategic Plan Published

The Office of the National Coordinator (ONC) for Healthcare  Technology has issued  their strategic plan for  2008-2012.  Subtitled "Using the Power of Information Technology to Transform Health and Care", the report details plans in the areas of privacy and security, interoperability, adoption, and collaborative governance. It includes goals the areas of patient-focused healthcare and population health.
The measures of success are clearly spelled out:
•Health IT becomes common and expected in health care delivery nationwide for all communities, including those caring for underserved or disadvantaged populations;
•Your health information is available to you and those caring for you so that you receive safe, high quality, and efficient care;
•You will be able to use information to better determine what choices are right for you with respect to your health and care; and
•You trust your health information can be used, in a secure environment, without compromising your privacy, to assess and improve the health in your community, measure and make available the quality of care being provided, and support advances in medical knowledge through research.


This is one of the best strategy statements I have seen. The obvious question is: will congress and a new president pay sufficient attention to it and fund it appropriately so that Health IT can be transformative?

I recommend reading the synopsis if you time is limited.

Technorati: Health IT

Read more [eHealth]

ONC-Coordinated Federal HIT Strategic Plan: 2008-2012

Today the Office of the National Coordinator for Health Information Technology (ONC) released "The ONC-Coordinated Federal Health Information Technology Strategic Plan: 2008-2012". Find more information here, including a synopsis of the full report.

The plan is meant to serve as a guide to coordinate the federal government's health IT efforts to achieve a nationwide implementation of an interoperable health information infrastructure.

Robert Kolondner, MD, National Coordinator for Health Information Technology states in the synopsis summary:
Looking toward the future, we can envision a health care system that is centered on each and every individual patient. Clinicians will have at their fingertips all of the information needed to provide the best care; individuals will have access to this and other information that can help them engage and insert their values in the decision-making process about their health and care; and, secure and authorized access to health data will provide new ways that biomedical research and public health can improve individual health, and the health of communities and the Nation.The synopsis goes on to state that the plan has two goals -- "patient focused health care and population health" and describes them as follows:
Patient-focused Health Care: Enable the transformation to higher quality, more cost-efficient, patient-focused health care through electronic health information access and use by care providers, and by patients and their designees.

Population Health: Enable the appropriate, authorized, and timely access and use of electronic health information to benefit public health, biomedical research, quality improvement, and emergency preparedness.

Each goal has four objectives and the themes of privacy and security, interoperability, adoption, and collaborative governance recur across the goals, but they apply in very different ways to health care and population health.I've only had a chance to scan the synopsis and the 115 page full report but should make for interesting reading for anyone involved in the ongoing evolution of our health care system and the impact that health technology is having on the industry.
Read more [Health Care Law Blog]

Physican Blogs Criticized on Basis of Privacy Issues

Blogs authored by physicians are starting to attract more attention, particularly with regard to patient privacy issues (see: Doctor Blogs Raise Concerns About Patient Privacy). Below is an excerpt from this article with boldface emphasis mine:

[Physician-authored] blogs have raised concerns about privacy issues on the Web.....One physician blogger, who draws about 12,000 readers a day, is New Hampshire internist Dr. Kevin Pho. His blog, "Kevin, M.D.," offers a doctor's eye view on medical issues that appeal to both his peers and the public."...Blogging can be a great marketing tool for raising a physician's profile and attracting new patients, says [a healthcare consultant]. But not all physician blogs are geared toward marketing. In fact, just the opposite seems to be the case in some extremely candid blogs, like "White Coat Rants," "Cancer Doc" and "M.D.O.D.," which bills itself as "Random Thoughts from a Few Cantankerous American Physicians." These are more like diaries in which doctors vent about reimbursement rates, difficult cases and what a "bummer" it is to have so many patients die....Dr. Deborah Peel, a psychiatrist and founder of the group Patient Privacy Rights, thinks physician blogs often step too close to the limits of patient privacy."The problem with physicians blogging about patients is the danger that that person will be able to identify themselves, or that others that know them will be able to identify them," she says.

My own thoughts about physician bloggers are mixed. On the positive side, I think that they put a human face on physicians and the practice of medicine. They thus enable patients to better understand some of the complexities and pressures facing physicians on a daily basis. Clearly, none of the physician bloggers would ever name the patients whose cases they might reference in the blog. Nevertheless, a patient referred to even anonymously may be able to identify himself or herself. I personally would view this as a breach of confidentiality. I don't follow these physician blogs but the best strategy for them, I think, would be to refer to patients only in a veiled and abstract manner if at all. I will make it a point to follow Kevin M.D. more closely in the future. His numbers suggest that he has developed an enthusiastic groups of readers.

Healthcare and Emerging Rich Web Technologies

In this post on the European site, OBBeC, subtitled, "The WEB 2.0/Semantic Web Challenge and Opportunity"
gives a good overview of Web 2.0 in health care. It describes both how social networking and semantic technologies are an opportunity and a caution for health care. He notes that adoption of these web technologies is slower than in other industries because "the care process is fundamentally more complex" in health care. There are the usual concerns about privacy but also health care's dependence on a face-to-face process. The driving forces of Web  2.0 in health care are seen as the need to aggregate the volumes of information physicians must wade through and the "power patients" becoming more commonplace.
Three specific semantic technologies are noted:

• semantic wikis
• semantic blogs
• semantic desktop

House proposes bill to help small physician practices pay for health IT

Members of the House Committee on Energy and Commerce proposed a bill last week to help doctors pay for healthcare IT and improve patient privacy protection.
Read more [Healthcare IT News]

HHS Secretary Mike Leavitt Blogs About EHR Adoption

Today I came across the HHS Secretary Mike Leavitt’s blog. To be honest, I saw Mike Leavitt’s picture on the blog and I felt like I was meeting an old friend. No, I don’t really know Mike Leavitt from the next person on the street. We have never met before and the closest I’ve been to him is probably when I watched him pass by in numerous 24th of July parades in Utah. However, he was the governor of Utah for many of the years I lived in Utah and so I feel like I kind of know the man.

Reminiscing aside, I find Mike Leavitt’s blog completely captivating. He currently has been writing about his trip to China. For some reason I’ve always had an inner itch whenever I heard about China. I don’t know what it is, but I find the place completely fascinating. So, you can imagine my fascination with the HHS secretary’s interaction with the Chinese government. Plus, these posts about HHS and China give Mike a real personal quality that I find real and interesting.

Of course, I couldn’t begin to read the HHS Secretary’s blog without making sure to find some post about EHR or EMR. I quickly found a post entitled Value-Driven Health Care Interoperability which I think could more aptly be entitled “Electronic Health Records (EHR) Progress Report.” Of course, he is in government so that explains the title.

I’m grateful that the HHS Secretary is willing to engage the public in a discussion about EHR and EHR adoption, but unfortunately the post I found is so filled with political rhetoric. It sounds really good, but really has very little substance.

First, I’ll start with the good.

Three years ago, there were 200 vendors selling electronic health record systems but there was no assurance that the systems would ever be able to share privacy protected data in interoperable formats.

I think the concept of a certification for interoperability is good. It just makes sense that every EMR software vendor should be able to interact with another. Establishing a quality standard for this interoperability is valuable and even worth certifying.

Unfortunately, I think the HHS Secretary has been getting bad information when he says the following:

Since then, we have made remarkable progress.

An EHR standards process is now in place, and we are marching steadily towards interoperability. We created the CCHIT process to certify products using the national standards and it is functioning well. More than 75% of the products being sold today carry the certification.

Where to begin? First, Mike has suggested that there were 200 vendors selling EHR systems 3 years ago (It’s probably a few more than 200 EHR, but we’ll let this one slide). Mike asserts that “75% of the products being sold today carry the certification.” If that’s the case, then simple math tells us that there should be 150 certified EHR software, no?

If you look at the 2006 CCHIT Certified Ambulatory EHR list I count 92 EHR software products. Let’s see, that’s only 46% of EHR products that are certified. Plus, my count of 92 EHR counts some of the software multiple times since a number of the EHR software vendors certified multiple versions of their product. That sounds like less than 75% of EHR products sold to me.

Of course, Mike Leavitt certainly could say that 75% represents a percentage of actual products sold. Certainly the certified eMD’s has a lot more installs than any of the free open source EMR products out there. However, I think it’s a bit deceptive to say 200 EHR and then 75% of products sold if they aren’t the same thing.

I also love how it says 75% of products sold. I think we’re all aware of the outrageous failure rates of so many of the EHR products out there. It’s unfortunate that we don’t have a percentage of products installed. Then, you’d have a much better idea of how many doctor’s offices really have the possibility of interoperability.

Wait a minute! I was being extra generous above when I said that there were 92 Ambulatory EHR CCHIT certified. Why? Because it was 92 EHR certified with the 2006 CCHIT Certification. Correct me if I’m wrong, but I think that interoperability was taken out of the 2006 CCHIT Certification (along with the joke of the pediatric requirements). I’m pretty confident about this, because I work on one of the 2006 CCHIT Certified EHR and I have no way of sending a chart to another clinic other than manually going through the product and printing out the chart.

What does all this mean? That means that instead of 92 interoperable CCHIT certified EHR, there are only 31 EHR CCHIT certified in 2007. That represents 15.5% (not 75%) of the 200 EHR products on the market today are interoperable according to number of certified EHR.

I’m not really blaming Mike Leavitt for this. I’m sure him or his office was given a nice executive report with a bunch of data and they made it look as nice as possible. Reminds me a lot of what I call EMR sales miscommunications. Sometimes the data just gets lost in translation. Let’s just hope my trackback to Mike Leavitt’s blog gets read.

You thought I was done. Nope. Still plenty more to say and I’m just hitting the major points.

In addition, a National Health Information Network will start testing data exchange by the end of the year and go into production with real data transmission the year after.

This concept I really find intriguing. I look forward to seeing this go public and I’m glad it’s on the agenda. However, I fear that this isn’t more than political hyperbole. I’d love to see how they plan to address any of the following: unique identifier, the ultimate hacker’s health information paradise, economic model, motivational model and that’s just the list off the top of my head.

The primary reasons for low adoption rates among small practices are predictable: economics and the burden of change.

I’m glad you pointed out the obvious. If this was so obvious, then why did you support the implementation of a certification that costs so much money that EHR will inevitably raise the cost a small practice pays for an EHR? That doesn’t make much economic sense. Not to mention you missed what I think is the biggest factor in lack of implementation: fear. Not fear of change. Not fear of the expense. Certainly those are two major factors, but I believe that adoption rates by small practices are so low because most doctors have seen too many of their colleagues fail at implementing an EHR.

Let’s start waving the CCHIT certification flag again. Many will be willing to make the case that CCHIT certification helps supplant a doctor’s fear that their EHR implementation will fail. It may even supplant some fear, but what it doesn’t do is decrease the number of failed EHR implementations. It’s a problem I’ve discussed many times on this blog. Certifications don’t certify usability. They never have and never will.

I actually have a thought about what should have been done instead of CCHIT, but I think I’ll save that for a future post.

Thanks Mike for opening up the lines of communication with your blog. Now it will be interesting to see if Mike Leavitt and HHS have really embraced new social media and participate in the discussion they started. I’m certain that Mike’s blog is going to become one of my favorite reads.

Privacy 2.0

Fred Frotin on the World Healthcare Blog has introduced the concept of Privacy 2.0.  Privacy and confidentiality have been growing concerns for Web 2.0 in health care. The post, titled, "Coming to Health Care: The Challenge of Privacy 2.0" He notes that "confidential information predominately resides today in slow moving, conservative institutions that dominate health care delivery." Privacy 1.0 was focused on, "how to impose rules and sanctions regarding things like disclosure, notice, encryption etc." 
He asks, "Do we have to accept a diminished private space to gain the benefits of social media?"
Will the technology of control enable a Privacy 2.0 or will a backlash by consumers overreach and squelch Health 2.0, Google Health and others?

Technorati: Health 2.0

Read more [eHealth]

A Google Health Clinical Exam

By CRAIG STOLTZ Not one more pixel need be spilt about the issues of privacy, security, HIPAA, metastatic data, third-party crashers, or corporate imperial overreach raised by the debut of Google Health. Let’s just snap on the latex gloves and...
Read more [The Health Care Blog]

Why Google Health and HealthVault are not covered by HIPAA

Fred Trotter sent out this note to several health IT bloggers recently.

Recently slashdot referenced two uninformed comments on Google Health offering.

http://science.slashdot.org/article.pl?sid=08/05/23/0520223

The problem here is that HIPAA should NOT cover Google Health or HealthVault. This issue now dominates this debate, and I wanted to specifically point out some of the problems with this thinking.

http://www.fredtrotter.com/2008/05/23/in-all-fairness/

Fred does a great deal of wonderful healthcare and IT writing. His latest argument for why HIPAA does not cover Google’s or Microsoft’s PHR offerings makes a lot of sense and is well worth reading. Vendors of technology are generally not covered entities unless they are somehow participating in the care process and I think everyone’s making a big deal about "Google is not HIPAA compliant" or "Microsoft has privacy problems" for very little reason.

PHRs, EHRs, privacy, functionality, and what the future might hold

I had the opportunity to give an informal talk at a NEHIMSS gathering earlier this week. It was a perfect storm: Google Health finally went live on Monday (and now I am the last blogger to blog about it), and... David Harlow
Read more [HealthBlawg - David Harlow's Health Care Law Blog]

PHRs, EHRs, privacy, functionality, and what the future might hold

I had the opportunity to give an informal talk at a NEHIMSS gathering earlier this week. 

It was a perfect storm: Google Health finally went live on Monday (and now I am the last blogger to blog about it), and a local institution has been involved as one of the first cohort of providers and others that can deliver patient records to Google Health should a patient choose to make that happen.  The patient privacy advocacy community is all fired up about the potential privacy issues brought to the fore not only by PHRs, but also by EHRs and by components of those systems, and related systems, that are being further defined these days at various levels -- consider, for example, the e-prescribing regs issued recently by CMS (see related press release and e-prescribing page), as well as the overarching Wired for Health Care Quality Act.  Letters have been written, reports issued.  Senate sponsors have apparently agreed to make some changes to the Wired Act, though some observers wonder if Ted Kennedy's health issues will derail action on the bill.  Not all advocates are satistfied, and there is another bill (known by its clever acronym, TRUST) wending its way through Congress as well.  Other observers believe that the privacy issues are so significant, and the opportunity to share EHR data with those who need it (i.e., other clinicians) is just around the corner, that the consumer-facing PHR business model is in serious trouble.  The Commonwealth Fund got into the act, too, releasing a report on a number of EHR implementations and the measurable benefits that accrue from their use.

We had an interesting discussion about the benefits and burdens associated with PHR and EHR systems -- from evidence-based medicine built on appropriately-blinded secondary use of data, to better patient management through tracking of the filling of e-prescriptions.  While there are a lot of regulatory initiatives out there to promote EHRs and e-prescribing, the government is not mandating their use. Instead, it seems to be in the business of establishing standards (if you adopt such a system it must have certain features and be interoperable with other systems.  It is ceding the field to payors, who are likely to continue to mandate being wired as a condition of provider network participation.

Back to the question of regulation:  HIPAA seems to have left some gaping holes through which Microsoft's HealthVault and Google Health may pass.  Those companies say that their privacy policies are more stringent than HIPAA and Google has said recently that serving ads on Google Health is not in the cards.  The problem with relying on these statementsis simply that they are voluntary policies adopted by businesses that may change them over time.  Other related parts of the health care information economy are similarly untouched by HIPAA. 

This raises the perennial issue of the regulator: how do we regulate what is not covered by law?  This, in turn, raises a philosophical question about the nature of regulation, and the degree of specificity that is needed in a statutory or regulatory scheme.  (The more specific, the shorter the shelf life.)  Check out a fascinating discussion of rules-based regulation vs. principles-based regulation in a recent issue of The New Yorker.  While the magazine column is focused on US Treasury regulations (do we prevent another Enron or Bear Stearns debacle only by writing rules that would have limited specifically what Enron and Bear Stearns did, after the fact?), its points are generalizable to other regulated industries:  Why not establish broad principles (as many EU countries do) that allow for broad discretion on the part of regulators?  For example, financial statement disclosure need not be one-size-fits all.  Let's give regulators the tools to prevent the next debacle before we even know exactly what it will look like, instead of always fighting the last war.  One argument against the principles-based approach: if one believes an Administration to be unprincipled (or to have the wrong principles), then one cannot blithely grant broader discretion to the regulators.  It will be interesting to see whether the principles-based approach to rulemaking gains traction in other federal agencies.

-- David Harlow

Read more [HealthBlawg - David Harlow's Health Care Law Blog]

Another black eye for EHRs

FORT LAUDERDALE, Fla.—Sitting in my hotel room the night before the end of TEPR, I just received an article from NextGov, a publication I had not been familiar with, but which seems to have a good amount of health IT coverage. (I might have to pitch some ideas of my own the editor.)

This particular story is alarmingly headlined: "Cyber criminals overseas steal U.S. electronic health records" According to the report, "medical records are a 'platinum card' for organized crime, which can rake in millions of dollars from false billings, said Pam Dixon, executive director of the World Privacy Forum."

Another source is quoted as saying stolen U.S. health data, including diagnoses, medical histories, prescriptions, insurance information and Social Security numbers, was found on a Russian-registered server in Malaysia.

Happy reading!

As for TEPR, the conference itself is really small, particularly when compared to the last time in Fort Lauderdale in 2004, when David Brailer delivered his first major speech as national health IT coordinator, and the opening session also included Bill "Dr. HIPAA" Braithwaite and the legendary Dr. Larry Weed.

This year's conference has been truncated from four days to three, and Cerner and NextGen are among the vendors who are conspicuously absent from the trade show. In fact, Mark Anderson's AC Group had a bigger booth than McKesson.

For that matter, Google not only was not here, the company held its own event on the opposite coast on Monday to launch Google Health.

However, the educational presentations I've been to have been very good, though the compressed schedule means that some time slots had two dozen concurrent sessions, so I missed a few I would have liked to have seen.

I recorded a new podcast here on Tuesday, and hope to have it up soon.

HHS Adds Languages to Privacy Forms

The Department of Health and Human Services' Office for Civil Rights now offers in eight languages consumer brochures that explain the HIPAA privacy rule. The OCR has enforcement jurisdiction over the privacy rule.
Read more [Health Data management Online Current News]

Placing Our Trust in Google Health

Google's public unveiling of Google Health yesterday occasioned many commentaries from bloggers. One that resonates with my own concerns is Paul Pallato's post in First Read: Placing Our Trust in Google Health.

Electronic medical records management is the new frontier on the Web. And it's a potentially rich new source of revenue for Google and other companies in the field who are developing similar systems. Consolidating their records online is a complex and difficult task because these are the personal records that are the least organized.

Medical records are always scattered among a multitude of doctors, hospitals, insurance companies and pharmacies. Most of them are still on paper and haven't been converted to digital forms. All of the current custodians of these records are bound by federal law to carefully guard the privacy and integrity of these records. [italics mine]

Herein lies the rub, if there is one. Google Health and Microsoft HealthVault both claim to be exempt from the provisions of the 1996 Health Insurance Portability and Accountability Act (HIPAA). Don't believe it? See Larry Dignan's post yesterday that quoted Google's Terms of Service.

4. Use of Your Information

If you create, transmit, or display health or other information while using Google Health, you may provide only information that you own or have the right to use. When you provide your information through Google Health, you give Google a license to use and distribute it in connection with Google Health and other Google services. However, Google may only use health information you provide as permitted by the Google Health Privacy Policy, your Sharing Authorization, and applicable law. Google is not a “covered entity” under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder (”HIPAA”). As a result, HIPAA does not apply to the transmission of health information by Google to any third party. [some italics added by Larry, more by me]

Hmm... what is a "covered entity"? According to 45 CFR 160.103:

Google Health is clearly not a health plan or provider. Is it a "health care clearinghouse"? Back to 45 CFR 160.103:

One of the value-added services touted by both the Google and Microsoft offerings is standardization of information. But is it true that Google actually "processes or facilitates the processing of health information received in a nonstandard format into standard data elements"? From what I can see of their APIs, they do not. Instead, they accept, maintain, and transmit the information in a subset of the Continuity of Care Record (CCR) format, pushing all inter-format translations onto the API callers.

Google's attorneys offer some reassurances in a blog post that also went up yesterday, which includes a link to a chart showing the protections afforded by HIPAA and the corresponding protections offered by Google.

What about HealthVault? Chillmark Research put up a post earlier this month arguing that HIPAA coverage of PHRs is a bad idea anyway, with links to a number of good primary and secondary sources, including a page put together by the Microsoft HealthVault and legal teams explaining the relationship between HealthVault and HIPAA, most of which sounds like it applies equally to Google Health. They too assert that they do not transform data, hence are not a healthcare clearinghouse. I'm a teeny bit more skeptical of HealthVault's assertion, but for a laudable reason: they support more than one format, adding support for the HL7 Continuity of Care Document (CCD) standard.

Disclaimer: I'm not familiar with CCD, and I haven't time to do the research to make sure I have the acronym translation correct. This may seem like a nitpicky disclaimer, but I am arguably legendary in the HL7 community for having put up an AMIA poster in which the title translated CDA as "Common Document Architecture" instead of "Clinical Document Architecture".

Arggh!!! If you are going to make mistakes, it's best not to use a 96-point bold font when doing so.

CCD is the HL7 harmonization of CCR with its CDA format, with which I am somewhat familiar, having worked with it as data architect on an NIH Roadmap "Re-Engineering the Clinical Research Enterprise" contract for 3 years. I applaud Microsoft's use of both standards, and encourage them to flout the law of the land if necessary in order to encompass as many health data interchange standards as possible.

I feel a lot more comfortable with HealthVault and Google Health as custodians of quasi-universal PHRs than I would with a governmental entity playing the same role. Both are commercial entities with extraordinarily deep pockets, representing fine targets for tort litigators should they fail in their custodial duties. The same cannot be said for the US government, which is the world's largest debtor nation, and statutorily protected to some degree from lawsuits.

Will there be breaches of privacy involving Google Health and Microsoft HealthVault? That's like asking in the 1950's whether there would ever be an accident at a nuclear power plant. that was then, and this is now, a statistical inevitability. Will such a privacy breach bring the world to a halt, or even outweigh the benefits these systems will provide? Not a chance. Instead, I believe that maybe, just maybe, these two new services will provide a light at the end of the long, painful tunnel that is our national healthcare system.

Someday soon, I hope to think more deeply about the implications of Google Health and Microsoft HealthVault on clinical and translational research.

Google Health and More

Today in a webcast from the Googleplex, Google Health was opened to the public. All the features are now available to the U.S. at least. I participated in the pilot for the Cleveland Clinic as a participant in MyChart and found it easy to use, to import information and add more specifics. Now I can import my Google Health profile back into MyChart. Pretty cool. Also added the Walk for Good widget to my iGoogle home page. 100 users have signed up already.
This has already hit the tech and mainstream news outlets already with discussions about privacy, questions about Google's motivation and benefits for consumers.
I think Google is adding some value here. There are making an effort to protect privacy while promoting health. And their partnerships indicate a desire to make this a broad umbrella for addressing health care issues.
I encourage you to try Google Health before making a quick judgement.

Technorati: Google Health


Read more [eHealth]

More on Microsoft's HealthVault Strategy

Sean Nolan, chief architect of Microsoft HealthVault, commented on my post of a few days ago regarding Microsoft's HealthVault strategy. He gave me a pointer to an entry on his own blog to clarify how they are tracking the the provenance of data, or its "pedigree" as he refers to it (And Now for a Little Usability, April 17, 2008).  One of the comments on the post got me looking more closely at HealthVault, and thinking about how it can help with the current dismal state of the art regarding the search for consumer health information on the Web.

My thesis work tapped into a huge body of server log data  that accompanied a Microsoft Research grant to my thesis advisors, Lada Adamic and Suresh Bhavnani,  as part of the research program leading up to last summer's Microsoft Live Search Summit. The data set provided a remarkably clear picture of search behavior "in the wild". The bottom line: the quality of the result sets returned by major search engines was questionable at best.

This came as no surprise, for two reasons. First, consumer health information seekers tend to submit terse, vague queries. Search engines are hard put to discern the user's intent. Their general-purpose algorithms do a pretty good job of bringing relevant information into view, but it is not uncommon for outdated or unscientific information to appear in the midst of (or even ahead of) authoritative results.

Second, commercial entities bolster their findability on the Web by paying for information about the keywords people use in their queries, and through the application of well-known search engine optimization techniques, do the best they can to obtain a high position in search results. Non-profit, governmental, and academic websites pay less attention to search engine optimization, and their position in results often reflects this neglect. Sadly, though, the non-profit, governmental,  and academic sites have been shown in comparative expert evaluations to be the right place to find objective, up-to-date, empirically sound information.

Don't get me wrong: many commercial sites do a pretty good job of providing high-quality information, but their commercial nature inherently calls into question their objectivity.

Is position important? You have no idea how important (or at least I didn't, prior to my analytical work). The top ten search results for every health topic I looked at received more than 99% of the actual clicks. Moreover, the top five results received more than 80% of clicks for almost every topic, and no less than 75% for any topic I investigated.

This could indicate that the quality of the top five results was remarkably high, and for some topics this was the case. A more likely explanation is that users generally don't scroll: on the most common screen resolutions, five results is all you will see without scrolling. Ten results is all you see without choosing the link to the second page of results, which is apparently a rare occurrence.

The Live Search data set was from May 2006, prior to Microsoft's integration of the MedStory acquisition and early in the development of HealthVault, so things may have changed over time. I'm gathering data on the behavior of six search engines, including the four most popular general-purpose search engines and two that are health-specific, and will be reporting on my results eventually, after I get them published. I don't have access to click data, so my analysis will have a different flavor, but it should be directly relevant to this subject.

Search engines  could do a much better job if they knew more about the information seeker, and that's where HealthVault comes in. In natural language processing, context is key, and HealthVault's standards-based representation of the consumer's health record provides a reliable source of objective information about the person's health and demographics. Granting the search engine access to the data should and no doubt will be via the consumer opting in to such access, so privacy should not be too much of an issue.

HealthVault can't address the other side of the equation, namely the identification of high-quality health information, but from what I saw last summer of the work in progress at Microsoft Research, efforts are underway to address that side of the problem as well; unfortunately I don't know enough about the present state of the art to comment on that facet.

Sean and his team, along with their counterparts at Google Health, are holding onto the tail of the tiger here, and I expect they will have a wild and rewarding ride for years to come. The fact that both groups are closely associated with major search engines is reson for considerable hope. If search engines work on using contextual information from sources like HealthVault and Google Health to better interpret the seeker's intent, the quality gap will begin to close. I'm eager to see where this takes us over the next few years.

System Gives Patients Privacy Control

IBM Corp. and HIPAAT Inc., a vendor of health information consent management applications, have jointly developed software that grants patients more control over who can access their data in various systems.
Read more [Health Data management Online Current News]

Group warns against blanket patient consent

The Health Privacy Project of the Center for Democracy and Technology (CDT) released a paper Thursday urging a comprehensive privacy and security framework for sharing sensitive healthcare information online.
Read more [Healthcare IT News]

IBM and HIPAAT partner to offer EHR privacy software

IBM and HIPAAT, Inc., a provider of consent management solutions, have partnered to offer a consent management solution designed to put privacy back into the hands of the patient.
Read more [Healthcare IT News]

Deal Reached on Privacy Bill

Sen. Patrick Leahy (D-Vt.) has reached agreement with sponsors of the proposed Wired for Health Care Quality Act that could result in the long-stalled health care information technology bill moving through the Senate. The agreement also would substantially change the HIPAA privacy rule.
Read more [Health Data management Online Current News]

Deal Reached on Privacy Bill

Sen. Patrick Leahy (D-Vt.) has reached agreement with sponsors of the proposed Wired for Health Care Quality Act that could result in the long-stalled health care information technology bill moving through the Senate. The agreement also would substantially change the HIPAA privacy rule.
Read more [Health Data management Online Current News]

Health 2.0 - Clinical Trials

A new way to search for clinical trials is now available through Emerging Med. Wrapping clinical trials information from the NIH with a set of tools and services, this new site offers a range of services. You can create a profile to be notified of clinical trials and utilize the matching system to get a referral for treatment. Phone support is also available. There are some good suggestions on when to search, for instance,

• Just before a biopsy (to study tissue from a tumor)
• Just before the first surgery or radiation treatment (neo-adjuvant studies)
• Just after surgery or radiation treatment (adjuvant studies)