Monday, March 26, 2007

PHRs: Certifiable?

There was a bit of buzz last week over the American Health Information Council's discussion around certification of Personal Health Records, with the Consumer Empowerment Workgroup not finding consensus on the issue. I had been waiting for the transcript of the CEW's February 16 meeting to be posted before commenting on the workgroup's recommendations; however, the transcript of the March 13 AHIC meeting, which summarizes the CEW's February meeting, is already up, so I'll work from that. When the February 16 transcript comes out I'll comment further if necessary.

Quick recap on the Consumer Empowerment Workgroup:

Broad Charge for the Workgroup:

Make recommendations to the Community to gain wide spread adoption of a personal health record that is easy-to-use, portable, longitudinal, affordable, and consumer-centered.

Specific Charge for the Workgroup:

Make recommendations to the Community so that within one year, a pre-populated, consumer-directed and secure electronic registration summary is available to targeted populations. Make additional recommendations to the Community so that within one year, a widely available pre-populated medication history linked to the registration summary is deployed.

The February 16 meeting of the CEW attempted to find answers to the following questions:

  • what is certification?
  • how is certification actually going to be completed around a personal health record?
  • what is the time involved for the certification process?
  • what will the cost be for those innovators that are trying to get into the personal health record area?
  • how will the certification help to protect consumers?
  • what impact, if any, would certification have on innovation?

Notably, the question "what is a PHR?" is absent, although it's raised in the statement of dissent. While it may seem obvious, I think there should be a distinction between commercial PHR products and the general hazy notion of your PHI aggregated over a network.

In other words, it's one thing to make a platform for presenting your health record to you on a secure Web site, it's another to give me a report of all the data available to me from multiple sources using a clinical data exchange.

There are PHR products online I can go fill in myself, there are PHRs gaffer-taped onto EHR software products, there are PHRs auto-populated by payors, there's a piece of paper in my wallet with my allergies on it, there are various hospital records floating around...

Given a RHIO-like structure I could ostensibly aggregate my own data into my own PHR on my desktop by querying the exchange for myself.

I'll cut and paste the relevant sections of the transcript below, but in summary the split is over whether or not to recommend certification of PHRs against as-yet nonexistent standards of privacy, security, interoperability and portability. The recommendation is for voluntary certification. Dr. Rose Marie Robertson, the Co-Chair of the group, led the charge for certification; David Lansky spoke for the five members who dissented.

In my estimation, the group is having a hard time defining what it is they're recommending. After Lansky speaks, Nancy Davenport-Ennis - the other Co-Chair - speaks to four different requirements the recommendation is trying to assure, i.e. privacy and security, transparency, affordability and interoperability.

Recommendation 1: HHS should support CCHIT and/or other certifying entities in identifying a pathway and timeline for voluntary certification of PHRs after adequate industry experience has been achieved in the market. Such certification should include: specifications for PHR privacy and security, interoperability between PHRs and personal health information data sources (including EHRs) consistent with HITSP-identified standards, and PHR portability. The certification criteria development process should take into account the best practices for security and privacy policies to be identified by the Consumer Empowerment Workgroup, the Confidentiality, Privacy, and Security Workgroup, and other relevant groups.

Recommendation 2: HHS, through the Centers for Medicare & Medicaid Services and the Indian Health Service, and in collaboration with the Office of the National Coordinator for Health IT, should develop plans to offer portable PHRs with adequate privacy protections to their beneficiaries, and HHS should report back to the Community about their plans as available. The plans should take into account the results of the studies and best practices recommended by the Consumer Empowerment Workgroup on January 23, 2007, as they become available, and should build upon work already underway at the agencies.

The dissenting statement was against Recommendation 1 only. The primary dissent was that, instead of focussing on certifying a PHR's adherence to privacy and security standards, the workgroup should be formulating actual policy that PHR vendors could be held to, and that PHRs are simply too young an idea to even consider certifying.

This is where my hacker side trumps my paranoid side.

PHRs barely exist. There are several Web sites that allow you to populate your own record, but they don't talk to any data sources. There are a few health plans that give you a sort of PHR, but they're not portable to other plans.

No-one has yet figured out what data is even available to populate a PHR, how to transport it across a network, how to audit it and the access to it, or how to manage it once it's alive; the list is endless.

It seems almost obvious to me that PHRs must come to exist in exactly the same way personal credit data does now. Think about it:

  • Credit data comes from providers; credit card issuers, lenders
  • Credit data is aggregated by major clearinghouses; Equifax, Experian and TransUnion
  • Consumers have access to their data, and the option to submit corrections
  • Credit data is portable; no matter which bank issued it, the data remains usable
  • Consumers have access to an audit trail of who asked for and who was given access to their credit data
  • The information is heavily regulated and subject to proven policies

We can easily rewrite that and substitute clinical data:

  • Personal health data comes from providers; hospitals, doctors
  • Personal health data is aggregated by major clearinghouses; NHIN, RHIOs, clinical data exchanges
  • Consumers (should) have access to their data, and the option to submit corrections
  • Health data (must be) portable; no matter which health plan or provider is used, the data must remain usable
  • Consumers (should) have access to an audit trail of who asked for and who was given access to their health data
  • The information should be heavily regulated and subject to proven policies

So asking providers of PHR technology to adhere to basic principles of security and privacy is great, but what policies will they be measured against?

It's kind of like the HON Code: a voluntary code of conduct that health content Web sites can claim adherence to. It's all well and good, and has certainly made inroads into consumer awareness, but there's nothing forcing me, as a health care Web site publisher, either to (a) choose to adhere to the principles of the HON Code or to (b) remain accountable for my conduct if I choose to claim compliance.

This has led to billions of health care content pages on the Web that have little to no validity or governance.

The goal of PHRs should be consumer empowerment, and we can only get there by having real policy laid down for PHR producers to follow. We don't need to mandate specific technologies or functionalities, merely solid security and privacy requirements that can be upheld by the PHR hosts.

If the AHIC can't come up with adequate language, why not examine the banking industry and figure out what they use? Is our health information really so different? Is it really more sensitive?

AHIC has so far offered a tremendous amount of effort and work on our behalf, but as adoption becomes less of an issue we need actual governance and direction.

Let's certainly adopt a stance of having certification against standards and policies as a goal, but let's figure out the standards and policies first, yes? Frameworks are awesome, but without development they are useless ghosts of possibility. Man up and write it down. We need policy, not frameworks, and by all accounts we need it sooner not later.


[Excerpt from transcript follows]

Dr. Rose Marie Robertson, Co-Chair, Consumer Empowerment Workgroup:

This -- the majority of the Group was convinced that enhancing and assuring privacy and security, as well as interoperability, would lead to greater adoption of personal health records. That this was important to do, and that it was complicated. That we needed to have standards, and expectations and policies, that we needed to derive that from the appropriate bodies. That we needed to be certain that we would not stifle innovation, and in particular, that we would not stifle innovation and entry into the market of groups providing services to those who are disadvantaged, so that small vendors who might aim at a targeted population that we very much want to be involved in, and able to access personal health records, in particular, should not be disadvantaged. We were reassured that sliding scales or perhaps even government grants or other [inaudible] could be found, so that [inaudible] as well as an electronic health record, one could level the playing field.

And we ultimately came to the [inaudible] that health and [inaudible] should support certifying entities [inaudible] other certifying entities, and we carefully worded it. In identifying a pathway and a timeline, so not in certifying, now, but in identifying a way and process for doing this, for voluntary certification of personal health records. So again, not mandatory certification, but voluntary certification that would provide, if you will, the underwriters’ code, that sort of assurance for the public, after adequate industry experience has been achieved in the market to know best how to do that.

That certification would include, we think, most importantly, specifications for privacy and security, and we plan to, as you see there, work with the confidentiality Privacy and Security Workgroup. We have begun those discussions, and will have actually another meeting with them on -- a meeting to discuss that on Friday.

It should also include issues of interoperability between personal health records and sources, because otherwise, those records [inaudible] are ineffectual. And portability. We think it’s quite important for patients to be able to take this information from a tethered system [inaudible] or one employer, and be able to bring that to another system.

We think that this process should take into account practices for those policies, as identified by our Workgroup, DDS Workgroup, and other relevant groups, perhaps; including the Privacy and Security Solutions Group. Not functionalities, as you’ll notice, but privacy and security interoperability and portability.

Let me turn to David Lansky and let him present the views of the dissenting group, whose letter you have in your packet as well.

David Lansky, Markle Foundation:

MR. LANSKY: Thank you, Rose Marie. I want to first thank both Rose Marie and Nancy for leading a very vigorous and open discussion about a complex area. It has been a very constructive discussion, and I think all the parties to our Workgroup have felt that we have learned a lot by going through this discussion, and I hope some of you will participate in that with us today.

I think a key point, as I come to you, is that we do not have consensus about this issue. There is, across the industry, across healthcare, across the consumer sector, not yet enough experience or understanding to achieve a unified recommendation regarding how to proceed.

The reason, I think, we don’t have a consensus about the industry at this time on this question is that it’s frankly too early. We simply have not done enough work in the policy development area, in developing, and marketing and using these products, and in testing the relationship between those policies and those products, to know exactly the best way to move toward implementing the policies to help move forward.

I’d also say there is no question, as Rose Marie has said, that we all share the same objective, building a trustworthy, reliable environment where people share their health information, is what we’re here for. And finding the appropriate mechanisms to develop the right policies and enforce those policies is the task we need to have in common.

In some of the ways, I think we are premature in moving the certification process forward. First, we don’t actually know what a PHR is. We can’t yet define the “it.” Secondly, the industry has felt it’s new and improved [inaudible]. Not really talked to each other [inaudible] enough experience to know what can be applied and enforced. Thirdly, frankly, this is one of the first steps most of us have taken, marketing to 300 million Americans with an enormous array of needs and requirements, in health situations, is new for all of us in this environment; and how to evaluate and validate product in the consumer stage is a new challenge that we have not yet done.

And lastly, in terms of the prematurity of the work, while we have all identified, I think, some of the areas of privacy, and other policies where we have a significant need to establish public trust, we haven’t yet developed a policy. We have identified the problem; we have not yet recommended a solution. So we don’t have, even as Mark said earlier, the standards yet against which to certify. So we feel that discussion of certification is premature, until we understand what those standards and policies should be, and then determine whether certification is an appropriate tool.

In the letter that you received we’ve identified a number of [inaudible] whether the logic that has supported PHR certification as we’re seeing, does that apply equally to the consumer marketplace? Do we know that certification will enhance privacy and security and trust in the public minds? And what is the risk of impeding innovation in the consumer marketplace, which may be different than the risk in the [inaudible] or physician marketplace.

But the good news, I think -- I want to close with, is that there are tremendous areas of agreement across all the Workgroups, which are highlighted in both letters, and I hope we’ll take some time today, and see if we can move forward in areas of very strong agreement.

We all agree that we need to establish the standards and specifications for both private and [inaudible] PHRs. We all agree we need to gain more industry experiences in the real world with these products and services. And we all agree that we need to develop privacy and security policies that can be used as [inaudible].

So I hope you will undertake efforts to address those three objections that we all share, and defer the question of certification until we understand what are those policies which must be enforced in the environment we’re working in.

The last point I want to make, is really to distinguish this idea of enforcement and policy development, the way we, and those who are [unintelligible] here, have seen the question, certification is one tool among at least half a dozen by which we can implement or enforce good policies. The others include a wide range, health certifications, statutes to [unintelligible]. There are a number of tools available to implement good policies. Certification is one.

I would hope that we would first do the hard work of developing the policies [inaudible], and then determine which method of implementation or enforcement would be appropriate. If certification proves to be one that is helpful at that point, I think we will have a very strong consensus to support it, once we have done the work of developing the necessary policy.

Again, I want to thank both you, Mr. Secretary, and the Community here for letting us be part of this vigorous discussion.


soyne said...

I agree. HIPAA privacy regulations and state laws govern some access to PHI, but a company that provides PHR services that is not a HIPAA-covered entity or a business associate of such a company isn’t likely to be legally required to protect patient privacy. Certification, at least on its own and without any concrete policy, is not an effective way to go and it’s good to hear others agree.

However, one thing that seems to be missing from these discussions is the voice of consumer advocacy groups whose constituencies would be accessing PHI. At present, most HIT initiatives are driven by the interests of providers and payers, because they are the ones who currently hold/own medical records. Since consumer and patient groups have not been sufficiently engaged in these discussions, not only are they skeptical about the potential benefits of health information exchange, they are more focused on the potential negative consequences that can result from the misuse of health data. A greater effort must be made to engage consumer representatives more directly, not just in policy development but also in the development of clinical data exchange practices at the ground level, as well as preliminary discussions like that of AHIC’s Consumer Empowerment Workgroup, which you reference. It’s great that the co-chair is from the National Patient Advocate Foundation, but if you look at the list of members, she seems to be the only member representing consumers.

Disclosures and Disclaimers


My employer is compensated through funding to provide analytical research, technology solutions, and Web-based public and private health care performance reports by the State of New York, the State of Illinois, the Centers for Medicare & Medicaid Services, the Agency for Healthcare Research and Quality, the Commonwealth Fund and Bridges to Excellence. I am not being compensated by any of these organisations to create articles for or make edits to this Web site or any other medium; and all posts authored by me are as an individual and do not represent my employer or the agencies I work for.