New FTC Rules Protect Privacy of PHR Users

Posted August 31, 2009 by Lygeia Ricciardi

Last week the Federal Trade Commission (FTC) issued a final rule that helps to protect users of personal health records (PHRs). The rule helps users by making sure they are told if the privacy of their health information has been compromised (or “breached” in industry parlance).

According to the rule, when health information in a PHR or a related device—for example, one that uploads readings from a blood pressure cuff or pedometer into a PHR—has been leaked, the service provider or providers involved need to let users and the FTC know. In some cases involving breaches of health information that impact a large number of people, the media must be informed, too.

The FTC rule is designed to address a lack of public protections for PHR services and related applications that are offered by companies or other entities that are not traditional players in the health system (such as hospital systems and health insurance companies). Such entities (including providers of major PHR platform services, such as Microsoft’s HeathVault, Google Health, and Dossia) are not covered by HIPAA, the Health Insurance Portability & Accountability Act, but will need to comply with the new FTC rules.  

The FTC was required to develop privacy breach rules for PHRs by the federal stimulus package issued last winter (the American Recovery and Reinvestment Act). The rule was released August 25th, and will go into effect on February 22, 2010. 

Further Clarifications of “Meaningful Use” Are Needed

Posted August 2, 2009 by Lygeia Ricciardi

The definition of “meaningful use” continues to occupy attention in Washington because of the important role it will play in the allocation of the stimulus package’s $17 billion dollars geared toward the adoption of electronic health records (EHRs). To qualify for incentive payments via the Centers for Medicare and Medicaid Services, health care providers will have to demonstrate that they are using their EHRs in a “meaningful manner.”

A federal advisory committee called the Health IT Policy Committee has been working to clarify what “meaningful use” will really mean. On July 16^th it approved a set of more than two dozen recommended meaningful use objectives. These generally take the form of a single phrase, such as “maintain active medication list,” describing what providers or hospitals must do to be eligible for financial support.  Several of the objectives were revised from a previous iteration released in June, which received 720 public comments.

What changed?

Notable changes in the objectives include refinements in the criteria for computerized physician order entry (CPOE), and a tighter timeline by which health care providers are required to be able to give patients access to their own health information via personal health records (PHRs), populated “in real time” with their own health information. (The deadline was moved up by two years – from 2015 to 2013).

So what happens next?

The “objectives” approved by the committee have now been handed off to two agencies within the Department of Health and Human Services – the Office of the National Coordinator (for Health IT), and the Centers for Medicare and Medicaid Services – to be translated into much more technical, specific rules. Drafts of those rules will be released in December, when the public will again have a chance to comment on them.

Further Clarifications are Needed to Make Data “Meaningful” to Patients

In general the supportive stance the committee took on patient access to and engagement with personal health information is very positive. For instance, a stated “care goal” is to “provide patients and families with timely access to data, knowledge, and tools to make informed decisions and to manage their health.” But the next phase of work is where the rubber hits the proverbial road. Based on insights from Project HealthDesign’s first round, there are a couple of key points that still need to be articulated clearly. 

Among the objectives are several that have to do with providing patients access to an electronic copy of their health information (including lab results, a problem list, medication lists, allergies, etc.). That’s a great starting point. What’s missing, though, is the stipulation that such access be in a form that is usable by patients – a computable form consistent with the Project HealthDesign vision. 

Project HealthDesign envisions patients in the near future using their health data not just as an end in itself, but as a starting point. People will be downloading information from their clinical visits and running it through a variety of tools and applications to analyze it and mash it up with other kinds of data. For example, an allergy sufferer could track how her allergy symptoms (as measured by lung capacity in her doctor’s office) relate to pollen levels (reported by the national weather service). Merely seeing health data on a screen, or downloading it in a PDF or other “locked” file format, won’t let patients use it in many of the ways that are most meaningful to them.

As a related point, many patients will want such novel data relating to their health to flow the opposite way: back to their care team.  In its study of observations of daily living (ODLs), Project HealthDesign found that individuals identify a range of types of information that are relevant to them, including sleep patterns and social interactions. Some people choose to keep such information private, but others feel strongly that others – including health care providers, other professionals such as personal trainers, and even family members – need to understand it.

It’s not that providers should necessarily have to worry about the pollen levels in the zip codes where each of their patients live. Rather, providers should have the capacity to incorporate into their EHRs data identified and recorded by individuals as specifically relevant to them and their own health, whether or not it is “traditional health data” such as weight or glucose levels. While the Health IT Policy Committee’s objectives make reference to providers being able to “upload data from [a] home monitoring device,” they do not explicitly address the need to incorporate a wide variety of types of patient generated information into the EHR.

Customization of Care

In general the meaningful use definition process has been very positive from the perspective of strengthening patient engagement.  Let’s keep up the good work and make sure its outcomes are as effective as possible by clarifying the points above.

People are different, and the best quality health care needs to be customized to the individual. Many other industries are using information technology to tailor products and services to meet individual needs. In health care, too, technology can enable an unprecedented flow of usable, customizable information–if we make sure the systems we put in place support it.

(See our previous post on meaningful use.)

“Meaningful Use” Means Including Patients

Posted June 15, 2009 by Lygeia Ricciardi 

A topic of recent and ongoing debate in Washington DC is the definition of the phrase “meaningful use” as it applies to electronic health records (EHRs). And discussion is likely to heat up tomorrow as the Department of Health and Human Services (DHHS) Health IT Policy Committee releases a draft definition of the phrase.

“Meaningful use” is important because medical practices that hope to benefit directly from the roughly $17 billion dollars in the economic stimulus package (the American Recovery and Reinvestment Act, or ARRA) designed to encourage them to adopt technology will have to use a “qualified EHR” in a “meaningful manner.” Those that do so will be eligible to receive incentive payments of $40K-$60K each via Medicare and Medicaid premiums over a five-year period.

The definition of “meaningful use,” however, was purposefully left vague in the law, though it does specify that it must include the ability to do e-prescribing, health information exchange to improve the quality of care (e.g. care coordination), and the reporting of quality and performance measurements. The rest of the details are up to DHHS.

With so much money at stake, the ultimate definition will likely shape the development of EHR products, as well as the way healthcare is practiced, for many years. So of course hundreds of parties have been formally and informally weighing in—with a predominance of healthcare providers, vendors, and others with a financial stake in EHRs and the established healthcare system. 

In April the National Committee on Vital and Health Statistics (NCVHS), which advises DHHS, held hearings on the topic. Numerous others have opined online. But patients and consumers have been, in my opinion, largely under-represented. As David Kibbe put it on the HealthCare Blog,

“It may have been an oversight, but patients and consumers have been left very much on [the health IT part of ARRA’s] sidelines. The attention and the money is squarely aimed at the health care providers - doctors, clinics, and hospitals. The Act's intention is to create "interoperable" electronic health records that, in the future, will be more accessible to them: doctors, clinics, and hospitals.” 

I think the point has merit, both generally and with respect to “meaningful use”. There have indeed been efforts to insert consumer/patient needs into the “meaningful use” debate, but it’s not clear that this input will be enough to tip the scales.

For example, in addition to six other principles, the Markle Foundation, with a wide array of signatories, included in its “Framework for ‘Meaningful Use’ and ‘Certified or Qualified’ EHR” the following: “Consumers, patients, and their families should benefit from health IT through improved access to personal health information without sacrificing their privacy.” 

That’s an excellent starting point—and one voiced far too rarely--but what does it mean in practice?

The Consumer Partnership for eHealth (CPeH), a group of consumer, labor, research and policy organizations, today issued its own more granular statement on "meaningful use" as it applies to consumers and patients. (Full disclosure: I participate in the Consumer Partnership for eHealth’s work as an individual, though not as a representative of Project HealthDesign or any other organization.)

The CPeH lays out a set of general expectations or aspirations for patient-centered healthcare, and links each with some specific ways in which these might be translated into meaningful use requirements over time. Among the desired functions or capabilities for EHRs highlighted by the CPeH are the following:

• Patients have real-time electronic access to their medical record along with linkages to tools that make the information meaningful and useful to them. 
• A care summary is generated and shared with the patient and other authorized providers and family caregivers after every visit or discharge.   
• Reminders about preventive services, medications, necessary/routine tests, and follow-up care are sent to patients via their preferred medium.Connections are made to community resources (online and offline groups, support programs, community services, social services, etc.)
• Connections are made to community resources (online and offline groups, support programs, community services, social services, etc.)  
• Data regarding cost and the clinical quality of care are electronically collected and publicly reported for consumer use.   
• Patient generated data is incorporated into the clinical context for individualized care.

That last point is essential based on Project HealthDesign’s learnings about the importance of patient generated data, which can be used both for the direct care and benefit of patients themselves, and for other purposes, such as quality measurement and research – as exemplified by PatientsLikeMe. The integration of patient generated data (including ODLs) is a key emphasis of the project’s second round of grants.

Another point that especially resonates with Project Health Design’s experience is the importance, which is cited a couple of times throughout the CPeH document, of customizing messages and communication with patients in ways that respond to their unique needs, whether related to primary language spoken, cultural background, or preference in modes of communication (visual vs. audio, frequent vs. infrequent, etc.). Project HealthDesign’s grantees in its first round put a lot of care into learning directly from patients and incorporating their needs into product designs and modes of communication.  

While some of the functions or mileposts laid out by the CPeH seem rather far-fetched considering where the health system is today, the definition of “meaningful use” can and should evolve over time. Articulating these longer-term goals on behalf of consumers will, I hope, encourage the healthcare system and EHR developers to push the envelope in a way that leads to a much more patient-centered vision (and reality) of care.

What do you think? Are there other functions or requirements that would support patients’ and consumers’ “meaningful use” of health IT? And how do you think a stronger patient emphasis can be most effectively championed in a sea of other voices? 

Confusion over HIPAA slows PHR adoption

Posted March 17, 2009 by Lygeia Ricciardi 

Yesterday Modern Healthcare ran an article (free registration is required for access) about the Mayo Clinic’s delay in deployment of Microsoft’s HealthVault personal health record (PHR) platform, despite an announcement by Mayo in January 2008 that it was planning to provide the tool in order to help its patients to “manage their health and become engaged partners with their providers in a new model of health care.”  

The primary cause for the delay is confusion about whether and how the Health Insurance Portability and Accountability Act (HIPAA) requires entities covered by it (such as Mayo) to establish formal “business associate” agreements with PHR providers (such as Microsoft) as a condition of doing business together.

While until recently many PHRs fell outside of HIPAA’s purview, the stimulus bill (which, when signed into law became the American Recovery and Reinvestment Act, or ARRA—a law that is generally very supportive of health information technology) attempted to extend aspects of its privacy and security coverage to additional PHR providers through their relationships with health care entities. But there is ongoing confusion about to whom these new rules apply. Google, for example, has claimed that the new language does not apply to its Google Health—a PHR platform similar to Health Vault.

Setting up business associate agreements with their partners would mean that PHR providers such as Microsoft and Google would be held to HIPAA’s privacy and security provisions, rather than outside of them, as is the case now. One interesting result of this change would be that data generated by users, such as observations of daily living (ODLs) on diet, exercise, or sleep, which can be added into PHRs would be protected by HIPAA’s privacy protections, which has never before been the case (unless such data were part of a doctor’s or other caregiver’s medical record, which is unusual). ARRA also supports stronger enforcement of HIPAA, so there could be substantial ramifications for privacy violations, which have historically been notoriously under-enforced.

As we’ve discussed previously in this blog, while providing more comprehensive privacy and security requirements for PHRs are in general likely to provide value to consumers and PHR providers alike, extending HIPAA’s reach is not the only mechanism through which to do so. It looks like Congress and/or the Department of Health may have to provide additional clarification or try a different approach to avoid slowing development of the field. What do you think would be best?  

"Nutrition labels" for PHRs

Posted December 15, 2008 by Lygeia Ricciardi

Today at the Nationwide Health Information Network Forum in washington DC Secretary of Health Leavitt made a keynote address at which he laid out a set of key privacy principles for health information exchange and discussed a set of tools to help consumers and health information exchanges "advance toward privacy protection and consumer access to their information."

The privacy principles closely resemble Fair Information Practices, which we've discussed on this blog, and which, I think, are an excellent starting point for health information exchange in general. An interesting tool that Leavitt talked about is the so-called "Leavitt Label," which would apply specifically to PHRs. Like a nutrition label, it would give consumers a standard way of comparing different PHR products or services. 

A nutrition label for food includes basic information (such as servings per package), and information about nutrients, some of which you might want a lot of, others of which you might want to avoid. The beauty of the nutrition label is that it doesn't tell you which foods are good or bad -- it lets you make your own decisions. Some people want protein, not carbs. Others want the opposite -- or the same individual may want different nutrients at different times. 

Similarly, there is not a "one size fits all one PHR." For some people, the ability to store clinical health data and link it to multiple health care providers may be the most important thing. Others might want a tool that lets them generate and monitor information for themselves, (for example, about moods) privately. For some people, privacy is extremely important, while others might be willing to make some privacy sacrifices to contribute to medical research that could yield cures or better treatments.

Given the wide variety of types of PHRs and related applications, what kinds of information would be useful on a PHR "nutrition label"? It could be about PHR functions (whether you are able to store your data, create new data, graph it visually, etc. Or interoperability (what your PHR is able to plug into to share data). Or privacy protections, which might include security, like whether information is protected by firewalls, etc., as well as policies, like who has access to the data, and how it is used. 

In some ways the question is similar to the discussion of certification for PHRs. Is it too early to create such a label? Or would it be helpful for consumers (or other purchasers) of PHRs to use in decision-making, even though the field is still developing? What do you think? 

Our next president supports health IT… but why?

Posted October 16, 2008 by Lygeia Ricciardi

No matter who you think won this last presidential debate—and a foundation-based blog is not permitted to express an opinion—health IT came out ahead.

Both candidates (again, as they did in the previous debate) supported it in their remarks. McCain said we need to “put more records online,” while Obama said health IT will help us to minimize bureaucracy and make healthcare more efficient. Not surprisingly, in the current climate, this mention of health IT was made in the context of a discussion of improving healthcare economics.

Since many Americans don’t even realize that most of their health records aren’t online, it’s good that the issue is getting airtime in such a prominent forum.

Given my druthers, though, the introduction to the topic for many people would be in a different context, emphasizing the direct benefits of health IT for them—especially better quality care, which could even save their lives in an emergency.

Last week I was talking with a group of New York-based consumer advocacy organizations that are helping to shape public outreach about health IT in their state. “Why is health IT happening now?” they wanted to know. In the worst economic mess since the Great Depression, with a general public distrust of the government and others in power, many Americans may fear that health IT is a way to save money at their expense. 

I know, a presidential debate isn’t the place to cover health IT in depth, and I am indeed appreciative that both candidates’ takes on it are positive and (I presume) more sophisticated (in the last debate Obama mentioned reducing errors as well as costs). But those of us who are concerned with public outreach will need to work carefully to paint a nuanced picture so health IT isn’t perceived predominantly as an economic issue.

I’d be interested to hear any experiences you’ve had with public perception challenges about health IT—and how to overcome them.

Certification of PHRs: Is it still too early?

Posted September 24, 2008 by Lygeia Ricciardi

Next Monday the Certification Commission for Health IT (CCHIT) will be posting for a 30-day public comment period its draft criteria for testing and certification of PHRs. It will also be launching a new web site and blog about PHRs. To its credit, CCHIT has been reaching out actively to consumer groups and other stakeholders to participate in its process.

CCHIT is a recognized certification body that already certifies electronic health records and their networks. It’s an independent, voluntary, private-sector initiative formed and funded in 2004 by three leading industry associations in healthcare information management and technology:American Health Information Management Association (AHIMA), Healthcare Information and Management Systems Society (HIMSS), and The National Alliance for Health Information Technology (Alliance). Since then others (including the California HealthCare Foundation, which supports Project HealthDesign) have provided additional funding.

Over the summer, CCHIT’s Personal Health Records Advisory Task Force issued an initial set of recommendations for PHR certification, which probably foreshadow the release next week. The Task Force is a group of industry and non-profit PHR experts who were called together to develop high level guidance to CCHIT and its work groups. Actual certification is slated to begin in summer of 2009.

So is CCHIT’s certification of PHRs a good thing? In the long run, probably yes, but open questions remain about the most appropriate timing to begin certification and the specifics of what it should entail.

Some say certification will encourage the PHR market to grow by helping developers and purchasers alike to agree on a standard set of features. Purchasers, in theory, whether they are members of the public buying PHRs for themselves or employers, plans, providers or others buying them on behalf of employees/patients, may be more likely to buy a certified product than an un-certified one.

On the flip side, though, certification could stifle innovation by too stringently defining features while the PHR market is still developing. A couple of my colleagues on the Project HealthDesign team have made the point that competition around features may be an important force in shaping the market. In addition, high costs associated with certification could disproportionately hurt smaller developers (which are often among the most innovative) and end up driving PHR product prices up overall.

When CCHIT began certifying EMRs in 2006, some people, such as doctor/EMR developer Alberto Borges sent letters of complaint to the FTC and other agencies about the “onerous” process and high costs (“up to $28,000.00 a year just to maintain an updated certification”), Dr Borges alleged that CCHIT and its supporting members, who belong to the large association founders and in many cases develop their own EMRs—were using certification to undercut competition.

For PHRs, the Task Force recommendations of last summer make no mention of costs, though in the past CCHIT has talked about exploring funding sources other than PHR developer/vendor fees. As far as functionality goes, the Task Force’s definition of PHRs, which is borrowed from the Connecting for Health Common Framework for Personal Health Information, is very broad, encompassing both PHR applications (which collect, store, and use personal health data), and platforms that act as a conduit of information among numerous sources. Particularly with such a broad view of PHRs, it’s important to leave a lot of leeway for variation and evolution.

In response to that point, the Task Force recommends limiting certification of functionality requirements in the first year to those necessary to support privacy, security, and interoperability. This sounds like a good initial strategy, and focusing on security and interoperability makes a lot of sense. I’m less sure about privacy, which, the Task Force says “should be the #1 goal of certification”.

I couldn’t agree more that encouraging public trust in PHRs by strengthening privacy protections is a good thing—particularly since many PHRs are not covered by HIPAA. But is certification the best mechanism to do it? Certification should be one of many mechanisms–-including law, regulation, and industry best practices-–that together strengthen privacy. And certification should probably take a back seat to those other mechanisms in this context.

The CCHIT Task Force’s strong push on privacy concerns me a little given the extent to which consumer groups and privacy advocates have been struggling (with limited results) to get stronger privacy protections into law and regulation for health information exchange in the last few years. Could CCHIT’s appearing to “solve” the privacy problem be used by policymakers as an excuse not to address it in ways that would in fact be much more effective?

In January of 2007 the AHIC Consumer Empowerment Workgroup recommended that HHS encourage a certification process for PHRs. At that time, five members of the group (including Project HealthDesign’s Steve Downs) dissented, stating in a letter to Secretary Leavitt and the AHIC members that “certification should not be a focus at this time,” and that “the risks outweigh any potential benefits.”

How much has changed since then? And if we are not yet ready for PHR certification, how will we know when the time is right?

PHRs and HIPAA

Posted May 7, 2008 by Lygeia Ricciardi

Recently Dr. Reid Cushman, who is part of a Project HealthDesign team at the University of Miami that is working on the ethical, legal and social implications of next-generation PHRs, posted a paper on “PHRs and the Next HIPAA”. I’d like to build on and perhaps further clarify some of the topics he raises.

Cushman begins by asking how the existing HIPAA law and regulation apply to PHRs. The short answer is “only somewhat.” The longer answer is that it depends on who is providing the PHR. If the PHR provider is a “Covered Entity” under HIPAA, the law applies to them, whether they are going about their regular business (like caring for patients or paying claims) or providing a PHR. Covered Entities include health plans, health care providers, and healthcare clearing houses.

Most of the new entrants to the health field—whether they are providing platforms where consumer information is stored (such as Microsoft’s Health Vault) or PHR applications (including offerings by Google and CapMed) —are not considered Covered Entities and thus are not directly subject to HIPAA. So if Kaiser Permanente provides a PHR, it is covered. If Google provides a PHR, it is not.

An exception is that a PHR provider may sign a Business Associate agreement with a Covered Entity. In that case, the Business Associate has to comply with HIPAA’s rules, or, if it doesn’t, the sponsoring Covered Entity may be held liable. While this is coverage to a point, Business Associate agreements are not universally required or used, and even if they were, enforcement of HIPAA is notoriously weak.

The question of who is covered and who isn’t is essential because HIPAA protection depends on who holds the data—protection does not “follow” the data itself. So let’s say there is information in your doctor’s medical record about treatment of your diabetes. While that information is under your doctor’s care, it is covered by HIPAA. But if you get a copy of that information and enter it into an independent (non-HIPAA covered) PHR, that same information is no longer covered.

The big takeaway here is that many PHRs (and the health data in them) are in no way covered by HIPAA--or any other significant and comprehensive source of privacy protection. And that’s a problem. It means none of HIPAA’s safeguards--like requiring certain technical security safeguards, privacy training for staff who work with the data, and authorizations from patients before the information is shared with other non-Covered Entities—are required.

How to fix the problem? Cushman asks whether PHRs should be covered by HIPAA, and there have been legislative proposals to do just that, most notably in Senate Bill 1418--the "Wired for Healthcare Quality Act"—which has been stalled since last summer in part because of more general concerns about how best to address privacy and health information exchange legislatively.

A different perspective, championed by the Center for Democracy and Technology, is that while extending HIPAA coverage to PHRs may appear to be an easy fix, it is not appropriate to address privacy in the evolving PHR landscape. HIPAA wasn’t written for entities outside of healthcare, and applying it to PHR companies could stifle innovation and even cause the unintended consequence of weakening privacy protections in some ways.

According to this viewpoint, what’s needed instead is to build on some of HIPAA’s underlying principles (see for example my previous discussion of Fair Information Practices) in establishing a broader framework of legal privacy protections that can then be tailored by regulation to fit the specific cases of PHRs, RHIOs, and other services or entities that handle health information but do not fall under HIPAA.

Regardless of the specific ways in which HIPAA is amended or built on, it is clear that privacy protections for PHRs and for health information exchange more broadly extend well beyond its scope.

Openness in health care paper released

Posted January 22, 2008, by Lygeia Ricciardi

Today the Digital Connections Council of the Committee for Economic Development released “Harnessing Openness to Transform American Health Care” by Elliot Maxwell.

This is the paper many of you read advance copies of through this blog last October. Thanks for your interest and for harnessing openness yourselves by submitting your own commentary here and to the author directly.

Minimal federal government impact on PHRs in 2008?

Posted January 16, 2008 by Lygeia Ricciardi

The recently released budget for ONC—the Office of the National Coordinator (for Health IT)—remains the same as last year: $61.3 million. It didn’t receive the dramatic boost requested by President Bush (who asked for $117.9 million).

Though National Coordinator Robert Kolodner vows to “keep making progress”, anticipated work in a couple of areas will be curtailed, including the build out of the Nationwide Health Information Network (NHIN), for which expansion to additional communities had been planned, and work on defining the architecture of personal health records.

While in general I favor greater federal support for health information exchange, I tend to agree with Chillmark Research’s assessment of the budgetary flatlining – at least as it applies to PHRs. In short, PHRs and HIT in general will be “saved from meddling”. As Chillmark blogger John Moore points out, there are numerous other private sector and NGO efforts underway (he mentions Project HealthDesign among them) that are likely to be more relevant and effective in helping PHRs to progress.

When it comes to defining the platform architecture, technical features, and the like for PHRs, I strongly believe the private sector should take the lead, and government should avoid doing anything to hamper creative development. This is not to say that there isn’t a crucial role for the feds to play—notably in the area of defining legal and regulatory parameters to protect public privacy, as well as in making new tools and services available to underprivileged populations.

Though ONC is unlikely to make any dramatic moves affecting PHRs, and indeed major policy shakeups of any kind are unlikely in an election year, I am still keeping my eye on the Wired for HealthCare Quality Act, which I really do think is likely to pass this year.

Regardless of what happens in the federal government, we can look forward to June, when Project HealthDesign grantees unveil their prototype PHR applications at a DC event that culminates their 18-month journey.  Stay tuned for more details!