28.4.08

Waiting For The Killer App & Why I Don't Give a S%$# About PHR Security

Just before moving to Holland, I received a letter from the community hospital in my old hometown, where I was both a patient and an employee.

The letter informed me that my medical record was stored on a laptop that was stolen.

This wasn't my first experience dealing with identity theft. Nor will it be my last.

When I was 17 and applying for federal student aid, I learned my social security number and name had been appropriated and used to apply for credit cards.

Since I wasn't in my thirties living in the Midwest, this was relatively easy to clear up. I just had to prove my identity and then reapply for student loans (overlay heavy sarcasm here). I had to take back possession of my data.

Studying Shakespeare with an SMCM contingent in England during the summer between my junior and senior year of college, someone in London made a copy of my debit card and used it to bankroll a pub crawl in Ireland.

Again, relatively easy to clear up, as my Passport didn’t have a Dublin entry stamp in it, but I was missing some money for a while (again, insert sarcastic overtones). Again, I had to take back possession of my data.

Why am I not more concerned about my identity or medical history being accessed inappropriately, even stolen?

Because it’s already happened. To millions of us.

My world didn’t end. Identity theft can be debilitating, yes.

So can injury, illness, and not being able to remember what medications you’re allergic to and get that information transferred to your new ankle surgeon.

The simple fact is, if identity theft hasn’t happened to you yet, it probably will. Sooner or later. Most likely more than once. This is, literally, the price we pay in an interconnected, web-linked world.

Even worse is the way the healthcare industry co-opts my personal health data.

To the healthcare industry...

Why do I have to take back my healthcare data from you in broken pieces and recreate the trail of my personal health narrative the same way I have to repossess my financial data from identity thieves?

Being able to access my information anywhere means it is slightly more vulnerable, but only slightly more so. And that’s a price I’m willing to pay to access my bank account online from anywhere I am in the world.

The banking comparison has been made often, but isn’t yet tired (or tested), since no PHR provider has built out offerings with a comparable level of service to what many financial institutions provide.

Banks have taken reasonable steps to ensure the safety and security of my account, both online and offline.

I trust my bank enough to walk up to an ATM machine and put in a small portion of data and pull out cash. Is that transaction risk free? Of course not. But my risk has been offset ENOUGH for me to believe the benefits outweigh the potential risks.

Other online commerce platforms have done the same. I no longer fear using my credit cards online - in fact, if I can't use PayPal or a credit card, you're not likely to get my business.

As I select my next doc, if you're not using email, you probably won't get my business.

I’m willing to pay a similar price to be able to access my health data and craft a personal health narrative online from anywhere I am in the world.

We need to stop pretending healthcare is the industry in which our vulnerability opens us up to the most potential for avaricious theft and misuse of data.

This is a naive, overly simplistic excuse used to dismiss the end value of using personal health records and giving consumers shared control over the co-creation of a personal health narrative.

Get over it. We already co-create our personal health narrative – what do you think a history and physical interview consists of? The doc asking questions, the patient giving largely subjective answers, and then that information being ‘objectified’ and codified into that provider’s medical record.

What slays me is that we do this over and over and over.

Talk about inefficiencies and misaligned incentives rampant in our healthcare system...we have to recreate meaningful interactions and establish a solidified platform of shared data at the beginning of EACH and every visit with a healthcare provider.

And it's not new information, building on backstory to establish timely relevance, it's the same old H&P data that's stored 500 other places in disjointed medical records.

If my doc could access my personal health narrative and then ask questions directly relevant to my history (“Still having trouble falling asleep?”) we might actually get somewhere in the 2.45 minutes she has to sit and talk with me before tearing off a prescription sheet.

This is an old, tired argument.

We’ve been trying to get PHRs implemented for 40 years, yes. Currently less than 2% of the American population is using them, yes (per Revolution Health's Jeff Gruen at WHCC). But the pace of adoption will accelerate.

We won’t be able to limit the exponential growth of personal health data for long.

Personal health narratives are becoming increasingly interwoven into the daily societal lexicon. Presidential candidates are sharing details about emotional struggles related to infidelity and the battle to quit smoking.

Let’s get real. We’re comfortable accessing our health information. More than that, we don’t just want to access it, we want to share it.

If you’re having a hard time imagining widespread personal health exhibitionism, wander anywhere near someone talking in public on a cell phone. Chances are you’ll overhear more personal health/wellness information than you’d ever gain from stealing his/her medical records.

When we say consumers aren’t ready to accept these privacy risks – I have one question for you: Which consumers are you asking?

Are you asking those of us who visit a doc more than 2x a year for a preexisting condition?

Are you asking those of us who have 2.345 kids and need to tote information from allergist to pediatrician to orthopedist to dentist and back home again?

Are you asking those of us who have a ‘zebra’ condition that requires we be an active, participatory partner in care in order to help educate our docs about what works and what doesn’t?

Perhaps as a consumer I am "20 years ahead," as one friend put it this weekend.

We were discussing a concept for a killer app SaaS portal that partners with existing Health 2.0 and 3.0 companies and provides a backend PHR function.

The debate got rowdy when we started discussing how long it will take for the same percentage of the American public to use PHRs with the same self-assured, immediately assumed utility we use Google (8M health searches a day via Google, by the way).

My argument was that maybe I’m 2 years ahead, but not 20.

Cigna, WellPoint, Aetna and co. are already committing to making members' personal health data portable outside their existing coverage plans.

Still, this is giving consumers some control but not the tools that allow us to cross-pollinate that data across various brick-and-mortar and virtual healthcare delivery interactions.

I told him to try one simple, personal means test: Gather all his records from the past 5 years of doctors' visits and try to get them transferred to a GP here in Holland. See how long that takes. Say goodbye to the rest of your calendar year.

Even if he does just call physicians’ offices and request faxed records, good luck getting all the coding and billing info and getting complete access once you tell them you’re in Holland. You’ll bear the burden of proof for demonstrating that you’re ‘you’ and you want access to records.

Personal health record developers – take notes. Don't try to limit my access to my own information.

Make the web-based platform easy enough for me to use so that I can email records right to my doctor or hospital.

As soon as someone provides a PHA (personal health application) with a bare minimum level of security and the portability I’m looking for, I'm there. And I’m your number one evangelist, your ‘ground zero’ patient tester.

If one doesn't enter the market fast enough, well, perhaps I'll just create it.

And that’s another important distinction.

There’s a reason PHRs and EMRs aren’t working. They aren’t enough. What we need most isn't a PHR. It’s a multi-functional PHA.

It's an open-source, multifaceted killer app, an SaaS portal that provides a single access point to multiple health/wellness nodes like American Well, Organized Wisdom, and Phreesia.


To entrepreneurs (and especially Google and Microsoft) - forget the PHR.


Give consumers an offering that provides a single gateway for me to access health content, wellness communities, and perform related purchase (commerce) activities. Give me FreeMED combined with functionalities for patients.

These tools are great starts (hat tip to The Healthcare IT Guy), but they're missing the consumer-centric coherence that's essential to 'nexthealth' or Health 4.0 (content, community, commerce, and continuity).

I can't go any one place, access a single personal health application, and do anywhere near everything I want/need to do with my personal health data.

Here's just one example of how consumer interaction with the system would change: Imagine what would happen if I could log in to a single PHA portal and resend claims/insurance data to the medical billing company that's trying to charge me full price for a covered visit?

Then the industry would REALLY have to adapt to meet consumer demands.

To developers - give me this capability and more.

Go straight for a PHA that lets me chat with a doc online, print out a Wisdom Card, and schedule an appointment. Let me log in to SugarStats.com from your portal, and simultaneously export my latest glucose readings to 1. my linked PHR, 2. my mobile phone, and 3. my doc.

Give me the access, let me create the record, let me download information, let me access communities, let me show my doc or nurse how to pull up my PHA on the web and create shared meaning – let me be your disruptive innovation embodied.

Give me some of the responsibility for maintaining my health. Start with letting me access my own health record.

If you can't even let me maintain my own PHA, how are you ever going to loosen the hold on the reins for me to take a proactive role in working towards my personal wellness goals?

If you don’t, well, someone else will just have to accelerate that 20 year timeline.

Crazy? Sure is. Most game-changing innovations are.

From George van Antwerp @WHCC:


“Data is only exciting if you can do something with it.” [Reed Tuckson]

Final food for thought, from "How to Fix the Web," by Rob Scoble, Fast Company, May 2008:

"It’s time that we stop hoarding customers and their information in silos for fear of them straying. If you love them, set them free.”


PS - If you think keeping my records offline keeps me safe, think again...

2 comments:

Ian Furst said...

It's a compelling argument Jen but.....
most of the vendors of EMR (let's not even get into dental EMR) can barely manage getting labs in properly. It's coming but you're right -- it's at least 2 years. The main problem (I think) is that all programs want to be proprietary. A couple of years ago I pushed to have a unified way to match forensic dental records to the odontograms done in computer software (for mass casualty incidents) and got laughed out of the country. The programmers are extremely protective of how their programs manipulate data.

So let's assume that there is a unified way of transferring all of the different data (which will come about soon) you're the exception not the rule and most patients don't seem to care. So for the 10% (?) that do want portability where should it be stored? I do not want Microsoft having my data (I don't even like giving them my email address) but I wouldn't mind having it on a key.

Finally, and no one seems to want to talk about this, a lot of notes are written strictly for legal protection. Much of what I write is not for continuity of care. You have every right to it, you're more than welcome to it, but the thought of every patient critiquing my every note (or missing note) in real time sends shivers up my spine. I don't have a court transcriptionist sitting next to me during a consult. Making notes about someone seeking narcotics is even more complex.

This will be a major change in the thought process of practitioners and it's a change that I don't think most want to see. Rather than going for complete portability I think the industry needs to start with something simple like a central repository of medications which have a unified format and few legal implications. From there it will progress. I'm a big believer in EMR and I laugh at some of the excuses (including some of them that I throw out there) but complete portability is expensive and complicated. The PHR has a marginal effect on access/efficiency and doesn’t add a lot to quality of care on a populational basis so I just don’t believe there is the drive to get it done except from the vendors that stand to profit by it.

Unknown said...

I will be the last one to disagree that the health care has been dragging its feet when it comes to adopting new technology. However, there are some very valid reasons for that.

People working in the health care industry are most often genuinely wanting to help people. Much like teachers, they are there to do good, and when the choice comes down to giving better care by hiring more nurses or implementing some software solution, the choice is easy for most.

Identity theft I don't think is the reason why people are holding back on these initiatives. The comparison with banks I don't see. The big difference between PHR data and financial abuse is that you can give back money, you can adjust financial records, but you can never undo health record information. The world is not ready to know exactly what your coworker has nor is it their right to know. When the monkey is out of the back, you can never put it back in.

I'm skipping a few, but the main problem isn't the health care industry itself. It is the law that everyone has to abide by. There are a huge amount of physicians who are well educated and versed in technologies that would want nothing more than to go ahead and get into the 21st century. Unfortunately the law hasn't caught up yet. It has taken nearly a decade for law to adapt slowly to the new reality of internet. Privacy law applies there too, but not as deeply as it does with health care solutions.

Every visit and contact between patient and physicians has so many stakeholders that keeping track of origin and security levels is complex. That complexity also somehow needs to be visualized to the patient ultimately in a simple way to allow them to make choices. That is an incredibly difficult task, especially if you take into account that it needs to be visualized for people from very young to very old.

Yes, I think for healthy people, or people with "simple" problems something can be done, but that is also the group that needs it the least.

And let me ask you this, are you willing to personally financially contribute to building these types of systems, because most people do not. They are just fine with paper, and it "works", just not as well as it should.

Just for the record I've joined a company that builds a HIS solution, to put my comments in perspective.