Principles of patient access in Directed Exchange

This is an opportunity to rethink how health data flows.

The Health Insurance Portability and Accountability Act (HIPAA) is good law. HIPAA formalized principles of patient privacy that should have been codified industry norms for more than 50 years (better late than never). HIPAA provided the right to patients in the U.S. to get access to their own healthcare records. The law struck reasonable balances on hundreds of complicated issues in order to achieve these goals. The law solved more problems, by far, than it created. Which is as close to the definition of good government as I can imagine. Patients are better off after HIPAA than before.

Sadly, the “letter of the law” in HIPAA is frequently either ignored or worse, fully embraced, in order to make patient access to their own healthcare data more cumbersome. This is evidenced nowhere better than Regina Holiday’s experience with access to her husband’s medical records. To make a long story short, she was able to acquire an unpublished manuscript of a Stephen King novel, sooner and for less money than she was able to get her husband’s medical records.

Principle zero: Some clinicians will do anything they can to make patient access to their health records impossible or cumbersome.

Regina’s work, detailing her experience with her husband is titled 73 cents, because that’s how much it cost to get one page of her husband’s medical record. HIPAA allows hospitals and clinicians to charge a “reasonable” copying fee for access to patient records. The problem with that is that in the digital age, a single healthcare record print out looks like this:

A single EHR record, printed out
A partial printout of a patient’s medical record.

This is what happens when you print out a digital health record. Having patients pay the copying costs for access to medical records makes a simple presumption: there are only a few pages there. Obviously no patient will be able to afford copying costs in the age of all-digital records.

Principle one: Patient access to their own healthcare records must be digital once the record is digital.

Once you concede that access to the patient’s medical record must be digital, we can discuss the push vs. pull question. When someone else on the Internet has data that is important to you, you can generally find ways to have it “pushed” to you or you can choose to “pull” it. The simplest example is the weather. You can always check the weather easily online by visiting a website (by pulling). But you can also have software text you when it is going to rain (by pushing).

There are advantages of both push and pull approaches for patient access to data. People who are excited about the pull model tend to focus on the benefits of the “portal” requirements in Meaningful Use, and those that favor the push model are excited about directed exchange. Without getting into the debate, I can posit that there are some cases where push access to patient data is critical. Without supporting patient participation in directed exchange we regulate patients to second-class citizens with regard to healthcare exchange.
That is unacceptable. Patients should be first-class citizens in healthcare exchange.

Principle two: Patients should be able to participate in health information exchange as first-class citizens.

The Office of the National Coordinator for Health Information Technology (ONC) should be applauded for requiring directed exchange with patients in the current proposed rule. I hope that ONC does not back off of this new requirement.

The current proposed rule making, however, is silent on a critical issue for directed health information exchange. How do we ensure that providers will not refuse to communicate with patients over directed exchange because of bogus “security concerns”? As we see with the copying costs under HIPAA, every potential barrier to a patient’s access to data will be used against patients.

There are already rumors of cases in the pilots of directed exchange where organizations are using the trust architecture of the Direct Project to refuse to communicate with certain parties. While that might be reasonable between institutions (do you really think Planned Parenthood will ever automate communication with Catholic charity clinics or vice-versa?), it is absolutely critical that this not hamper patient-clinician communication.

When we first designed the Direct Project Trust model, we presumed that patient-clinicians communication would take place based on “business-card” identity verification. That meant that when a patient provided a clinician with a public key (no matter how they did that) the clinician would trust it because the patient provided the public key. We did this because we knew that if clinicians could reject a patient’s public key based on “security concerns,” they would do so. Either the clinicians (or more likely the vendors that they hired) would choose directed exchange “partners” that were “approved” and “secure,” ensuring that the patient’s experience of directed exchange was merely a more extensive menu of patient portal options. Patient data is very valuable and controlling the flow of patient data is central to more business plans than I care to count.

In order for patients to be first-class citizens in health information exchange, they should have the right to send their records, in an automated fashion, anywhere they want. Even if it meant sending it to a service that the patient was enthusiastic about, but the clinician disapproved of (i.e. qpid.me). In the world of secure email enabled by public-key infrastructure (PKI), that translates to clinicians must accept any public key/direct address presented by a patient in a reasonable manner. This acceptance must be unconditional, but should probably mean limiting the acceptance of that key to communication with just that patient. Anything less than this means that the patient is a second-class citizen with regards to the information exchange of their own data.

Conclusion: ONC should require that clinicians communicate with a patient’s chosen directed exchange provider, which means accepting any public key presented by a patient in a reasonable manner.

The community at Direct Trust is working hard to agree on what “reasonable manner” should mean, exactly. Here is my latest proposal on the subject, and here are similar ideas from Dr. David Kibbe. Eventually the Direct Trust community will knock out a firm understanding on the specific ways that might be “reasonable” for a patient to provide a certificate. But we are certainly agreed that without firm requirements on certificate acceptance, this issue will be used by clinicians to limit where patients can send their own data.

As the U.S. federal government is preparing to pay healthcare providers to adopt electronic health records (EHR) they will insist that those doctors/hospitals/etc. show that they are using the new software in clinically meaningful ways. On Monday (May 7, 2012) they will be accepting comments on the second stage of the requirements that clinicians must meet in order to receive compensation. These requirements are usually short-handed as “meaningful use.”

I will be submitting this blog post as my comments to that process. Others will be submitting comments that directly contradict the principles and conclusions I write here. Most notably the American Hospital Association (AHA) has argued that the requirements for patient portals and for providing patients with access to their digital record should be entirely removed from the meaningful use standards (PDF). Specifically:

“Our members are particularly concerned with the proposed objective to provide patients with the ability to view, download and transmit large volumes of protected health information via the Internet (a “patient portal”). The AHA believes that this objective is not feasible as proposed, raises significant security issues, and goes well beyond current technical capacity. We also believe that CMS should not include this objective because the Office of Civil Rights, and not CMS, regulates how health care providers and other covered entities fulfill their obligations under the Health Insurance Portability and Accountability Act (HIPAA), including the obligation to give patients access to their health records.”

This is fairly ironic, since the report also says:

“To date, OCR has received comments on its own significantly
flawed original proposal to implement this section of HITECH, but has yet to finalize the
standard.”

Apparently, AHA is not satisfied with any government agency’s interpretation of giving electronic access to patient data. The AHA would prefer that patients continue to wait the same amount of time for access to their digital records that they do for their paper records. Specifically:

“Further, 30 days are necessary to make determinations about how to respond to a request no matter the format of the protected health information. While providing an electronic copy of protected health information maintained in an EHR eventually may be facilitated more easily by technology, the process of determining which records are relevant and appropriate takes the same amount of time as it does for evaluating paper records.”

Of course, this is entirely false. Indeed, HIPAA does maintain that certain parts of healthcare records (i.e. a psychiatrist’s notes) and disclosures (i.e. when the FBI asks for records) are not subject to patient access. An EHR should be capable of understanding which parts of an EHR record are subject to HIPAA and which are not. If the EHR system can understand this distinction, then responses to HIPAA requests can be made in near-real-time. If the EHR system cannot make the distinction between which portions of the record to automatically provide to honor a HIPAA patient access request, then having 30 days is not going to be enough. Can you imagine a nurse reading through the entire stack of papers above to ensure that a certain mental health diagnosis is redacted?

One of the most critical features of patient participation in directed exchange is the patient’s capacity to prevent the spread of bad information as it is happening. Apparently, the AHA believes that patients should tolerate the spread of mis-information in their health records to other institutions for a month before correcting it. This of course works in every situation where patients can wait a whole month to get correct information to other hospitals and clinicians.

I would like to be the first to welcome the American Hospital Association to the digital age. (Okay, maybe the second.) From a technology perspective, there is nothing at all that would prevent patients from receiving copies of their updated digital health records seconds after it is “signed” by their clinicians. Inside those seconds is plenty of time to digitally determine whether sharing with the patient is appropriate, legal and safe. Seconds after a patient like me receives data, I intend to process it in an automated fashion. It is not unreasonable, in this new digital world, for me to get a text message that a doctor has ordered a medication that I am allergic to. I wish to get that message after the doctor has ordered the medication, but before I receive it in my IV.

In this new digital world, 36 hours is unreasonable. It means that humans continue to be involved in tasks that can be performed perfectly by a computer without errors. Even 36 hours means that doctors, nurses and hospital administrators are still “thinking in paper.” Thirty-six hours means that you still do not view me, the patient, as an equal data partner. It means that I am blind to the data in your hospital at the only time it really matters, which is right now. Health data that is 36-hours old can only be analyzed as a post-mortem and data that is 30-days old is already rotting. As a patient, 36 hours is a short-term solution. It is an opportunity for you to rethink how information flows in your hospitals. It is an opportunity for you to rethink the notions of “inside” the hospital and “outside” the hospital.

This is not that I do not take your point regarding the reconciliation of the policies from the perspective of HIPAA and meaningful use. Two time-lines for compliance is difficult. But the reconciliation is to speed HIPAA up, not slow meaningful use down. The notion that you will give patients a stack of paper like the one above 30 days after it is useful is a bad joke. It was a bad joke 20 years ago, when the technologies already existed to fix the problem, but you decided that the patient’s experience was not worth that investment.

There is always something you can do, if you feel as strongly about this as I do.

Meaningful Use and Beyond: A Guide for IT Staff in Health Care — Meaningful Use underlies a major federal incentives program for medical offices and hospitals that pays doctors and clinicians to move to electronic health records (EHR). This book is a rosetta stone for the IT implementer who wants to help organizations harness EHR systems.

Photo: Medical record printout by jodi0327, on Flickr

Related:

tags: , , ,
  • David Smith

    While I am in general sympathy, I am concerned that it assumes that there is a completely secure PKI that the general public is capable of using in a secure and effective manner.

    I’m inclined to believe that this isn’t the case, and as a result promiscuous distribution of health records based on the assumption that it is the case would be a Bad Thing from a privacy perspective.

  • http://www.fredtrotter.com Fred Trotter

    David,
    The Direct project does not leverage PKI in the same way the browsers do. There is no automatically trusted Certificate Authority in compliant Direct implementations.

    That helps to address some of the inherent problems with PKI based communications.

    We hope that different vendors will entirely outsource PKI tasks for consumers and healthcare providers, but we wanted to ensure that those patients who wanted the freedom to do PKI themselves would not be cut out of the picture.

    Beyond that, I know there are warts around the practical deployment of PKI, but there really is no politically viable alternative.

    Just to be clear, I would label your concerns as a security concern and not a privacy concern. If used properly, PKI systems do a good job of protecting privacy. But there is a security risk because it can be difficult to use the technology properly.

    -FT