Yasnoff on eHealth

Over the past year, as the majority of communities developing health information exchanges struggle to make progress (with a few failing outright), health record banks (HRBs) have received increasing attention as a model for successful community health information infrastructure (HII). There is a growing realization that other approaches do NOT solve the critical problems of HII that are addressed by HRBs, namely,

In addition to the previously cited independent report endorsing health record banking in October, 2007, from the Information Technology and Innovation Foundation, a new study released last week by the California Health Care Foundation, Gauging the Progress of the National Health Information Technology Initiative, declared that the current approach to HII that envisions a “network of networks” known as the Nationwide Health Information Network (NHIN) is “impractical and cannot be implemented.”

As a result, more communities are pursuing the development of HRBs. The State of Oregon recently received a $5.5 million Medicaid Transformation Grant from CMS (Centers for Medicare and Medicaid Services) to create the Health Record Bank of Oregon. The State of Arizona, also the recipient of a Medicaid Transformation Grant, is taking a close look at the HRB model. The State of New Jersey just enacted legislation creating the New Jersey Health Information Technology Commission, which is tasked to create “The Health Information Bank of New Jersey.” The State of Mississippi is evaluating the HRB approach. Greater Louisville (KY) and the State of Washington, among the earliest adopters the health record banking approach, are both continuing their efforts to build effective HRBs. (comments from readers on additional HRB activity would be welcome!)

In a further sign of the acceptance of the HRB approach, a recent RFP from the National Governors Association’s State e-Health Alliance requesting bids on a research project to develop recommendations for potential governance and business models for HII specifically included health record banking as one approach to be evaluated.

So isn’t this all good news for health record banking? Yes … and no. Of course, those of us who have been promoting the advantages of this approach over the past several years are pleased to see more widespread awareness and adoption. The Health Record Banking Alliance, formed in 2006 to bring together folks interested in HRBs, is growing. However, as often happens with new ideas, popularity can lead to misunderstanding as more people embrace the model without fully appreciating all of its implications.

The fact is that developing HII, even with the HRB approach, remains a complex and difficult problem. Issues of organization, governance, policy, stakeholder cooperation, marketing, financial sustainability, public trust, and technology must all be addressed simultaneously. Furthermore, having a financial strategy for maintaining an HRB does not automatically guarantee an easy financial path for STARTING one. For example, it is relatively easy to envision how a company like Federal Express can be a sustainable, ongoing concern once its infrastructure and customer base is established over a wide geographic area. But building FedEx from a new startup organization to that point remains one of the great business achievements in recent memory.

The most common mistake now being made by new HRB enthusiasts is to consider a health record bank to be purely an IT project. While the technology is clearly important and non-trivial, existing techniques and methods are more than sufficient to handle the job. Indeed, most of the component technology pieces that constitute an HRB, such as Personal Health Record (PHR) interfaces, consent management systems, and health information repositories, already exist and, in many cases, are in routine production at many sites.

What does not exist is the organizational, governance, marketing, and financial mechanisms to support the technology — and these are the difficult challenges. This is best illustrated by imagining the scenario of a community that was successful in building the perfect technical infrastructure for an HRB. Let us assume such an HRB functioned ideally in every respect — it could accept deposits of any arbitrary medical data using any reasonable data format or standard, provided easy-to-use interfaces for both consumers and providers enabling consumer control of exactly what is accessible by whom, had state-of-the-art security protections, could automatically generate relevant reminders to consumers and providers, and was implemented in a high-reliability system environment that guaranteed nearly 100% availability around the clock.

Would such an HRB be useful? Not at all, because it has NO DATA. Furthermore, it has NO USERS. Also, it has NO FINANCIAL SUSTAINABILITY and NO GOVERNANCE. Without addressing the questions of how the data ACTUALLY gets in (as opposed to whether it CAN be deposited), how patients and providers are successfully encouraged to USE the system, and how it will be GOVERNED and PAID FOR, all the fabulous technical capabilities of this “perfect” HRB have no value whatsoever.

Therefore, the strategy of issuing an RFP to “build a health record bank” is highly unlikely to succeed, particularly if directed to health IT vendors. Building the IT infrastructure for an HRB is essential, and doing it right is extremely important. But it is truly the LEAST difficult problem to be solved on the road to successful HRBs. To succeed in creating a truly effective and sustainable HRB, close attention must be focused on acquiring data and encouraging usage within an organizational framework that provides trusted governance, and developing and deploying a business model that can reliably generate the revenue needed for ongoing operations. Simply building the IT system alone is not nearly enough.

Today’s CNET story, “AOL, Netflix and the end of open access to research data”, describes how two large so-called “anonymized” databases have been re-identified, compromising the privacy of everyone in them. This provides yet another example of why “anonymized” data is a myth — and reinforces the need to avoid the release of large datasets of medical records, even if they are supposedly “de-identified.”

The first incident described involves the release of 500,000 people’s movie ratings by Netflix in 2006. To protect the privacy of their subscribers, Netflix carefully removed all personal information. They offered $1 million to anyone who could develop an algorithm that would improve their movie recommendation system — a worthy goal. However, this week researchers announced that they successfully re-identified the data using publicly available information.

A similar scenario occurred when AOL publicly released “de-identified” search data for 500,000 of its users. Some were re-identified within days.

The lesson in this is simple: THERE IS NO SUCH THING AS ANONYMIZED DATA. To some extent, it can always be re-identified. For those who are interested in more details, computer scientist Dr. Latanya Sweeney’s Data Privacy Lab at Carnegie-Mellon has been studying this issue for years and developing the theory needed to understand it.

So what are the implications for medical data? As previously described in this space (Protecting Privacy While Searching Health Record Banks), each person’s complete health records need to be stored in a central location with all access under the control of that individual (or whomever they designate). To provide the tremendous research benefits available from searching this data, queries should be submitted to health record banks, but NO DATA SHOULD EVER BE RELEASED. Instead, the result of a query would be a count of the number of matches and a carefully controlled demographic summary. In this way, re-identification is prevented since no actual data is available. This allows all of us to have the fruits of medical research WITHOUT having to give up our privacy.

Let’s hope Netflix and AOL have learned their lesson and that other organizations — especially health care institutions — are paying close attention.

One of the key unanswered questions about health information infrastructure over the past several years has been, “Do we have enough trained people to build it?” Over the past year, I’ve been privileged to have the opportunity to serve as the principal investigator of a research project sponsored by the U.S. Department of Health and Human Services (Office of the Assistant Secretary for Planning and Evaluation) to begin to address this question. This work represents the first attempt to quantify the workforce requirements for building the health information infrastructure in the U.S. A presentation summarizing the final results was given to the American Health Information Community (AHIC) Electronic Health Record work group in late September, and the complete final report has recently been posted. Here is the Executive Summary:

Nationwide Health Information Network (NHIN) Workforce Study

Executive Summary

For the past several years, the nation has been working to improve health care through the widespread implementation of electronic health records. One clear prerequisite for accomplishing this goal is the availability of a trained workforce to implement the developing Nationwide Health Information Network (NHIN). While it is generally acknowledged that the nation does not have a sufficient number of trained specialists for this purpose, no prior studies have produced any quantitative estimates of the workforce requirements. Accordingly, the current research was designed to further our understanding of NHIN workforce issues by collecting, assessing, and analyzing existing knowledge and data in this domain with the objective of producing an initial estimate of the number of people needed.

This study gathered information through a series of four focus groups, five site visits, and direct communications with health information technology (HIT) vendors. The anticipated NHIN work was divided into three separate categories of activities for the purpose of assessing workforce:

Assuming a 5-year time frame for NHIN implementation, results indicated that 7,600 (+/- 3,700) specialists are needed for installation of EHRs for the approximately 400,000 practicing physicians who do not have them already. For the hospitals needing EHRs (about 4,000), approximately 28,600 specialists are needed. Finally, about 420 people are needed to build the HII systems in communities to interconnect all these other systems. These data represent the first ever quantitative estimates of the workforce needed to implement the NHIN.

These estimates should be considered preliminary and imprecise as they are based on a very small number of reports: eight for physician EHRs, four for hospitals (no data were available for other types of health care institutions), and two for communities. Furthermore, since all reported data was retrospective, the various estimates are based on information collected inconsistently at different times and under varying circumstances. Insufficient information was available to be able to characterize meaningfully the different types of personnel needed, although at least 15 different job titles were identified and defined. There was also inadequate information to allow workforce estimates for different architectures for the three major activities, despite general agreement from the expert panels that differences in architecture may have a significant impact on the personnel needs. Similarly, there was not enough data to assess or categorize the impact of size of practice or institution on workforce. However, there were some indications that the personnel requirements per physician are higher for smaller physician offices (three physicians or less). Also, the workforce data relates only to installation of systems; ongoing support and maintenance were specifically excluded. Finally, it is notable that there is no available data about the current number of specialists working in the three areas, so it is not clear whether these estimates indicate a shortage of personnel.

Further research is needed to confirm and refine these estimates, as well as overcome the limitations of these results. Nevertheless, these first-ever quantitative estimates of the workforce needed for NHIN implementation will inform such additional studies, lead to an improved understanding of this important domain, and ultimately help ensure that adequate numbers of personnel are available for this critical work.

Today, the Information Technology & Innovation Foundation released a new report, Improving Health Care: Why a Dose of IT May Be Just What the Doctor Ordered.  The report recommends health record banking as the way to develop an effective health information infrastructure. It also recommends four specific actions by the Federal government:

This report is a nice synopsis of the current situation and the rationale for health record banks. My recommendation is that you take a close look at it.

October 4, 2007 — Today, Microsoft announced their HealthVault(tm), a secure consumer-controlled repository for health and medical records available to all consumers at no charge. It was described as a consumer-centric approach to addressing fragmentation of health information — in other words, a health record bank. Microsoft’s recognition of the need for such a repository is thoughtful and positive, and the release of HealthVault will do much to focus the discussion about health information infrastructure toward the health record banking approach. It may even be important in moving the nation forward in solving the problem of making your complete health records available whenever and wherever you may seek medical care. This posting explores this important new development — what it is, what it isn’t, and how it relates to solving the overall problem.

Health Record Banking

As those of you who’ve been following this blog know, health record banking involves establishing consumer-controlled repositories that hold complete copies of each person’s medical record. Like all good ideas, health record banking is fundamentally simple. Each person keeps an up-to-date copy of their lifetime health record in an “account” with a health record bank (HRB). All access to the information in the account is controlled by the account-holder (the consumer), who makes the information available to health care providers whenever necessary. Each consumer may also access their own record as needed.

HRBs would have exclusive responsibility as the agent of each consumer, and would be required to follow stringent privacy and confidentiality practices to protect the information (either via open and transparent community oversight or legally-mandated government regulation). HRBs would provide everything needed for an effective nationwide health information infrastructure: 1) consumer-controlled access to complete medical records; 2) financial sustainability; 3) incentives for physicians to acquire and use electronic health record (EHR) systems in their offices; 4) privacy protection; 5) stakeholder cooperation; and 6) availability of health data for consumer-authorized secondary uses such as medical research.

Through consumer-authorized searching, HRBs would promote appropriate secondary use of electronic health care information. When public health authorities or medical researchers query HRB(s), information from all account-holders that have agreed to allow that particular use of their data would be searched. Confidentiality can be assured by limiting the response to the query to only the number of records that meet whatever criteria were submitted (so no actual patient data is released). If needed, a message to be sent to each account-holder matching the query conditions could be included. This would, for example, allow notification of account-holders of their eligibility for a clinical trial (see the previous posting on this topic for more details). If fees are charged, the revenue could be shared with account-holders as an incentive to allow such use.

HRBs can also provide incentives for physician EHR adoption and use. The HRB would either pay a small fee for each deposit of a standardized electronic report of an outpatient encounter, or provide very low-cost access to an EHR system to physicians via the Internet. This would help ensure that all patient information was electronic — a requirement that is not being addressed in current efforts. These HRB incentives explicitly recognize that the benefits of physician office EHRs primarily accrue to other healthcare stakeholders. Note that this would also allow HRBs to enforce standardization of health care information — payments for deposits would be contingent on following standards and HRBs would only provide EHRs that did so.

HealthVault in the Context of Health Record Banking

So what does HealthVault do? Essentially, it can function as the “cubbyhole” server that makes individual complete records available for care (a previous posting describes implementing a health record bank with two servers — a “cubbyhole” server allowing access only to one record at a time for clinical care and a “searching” server for research queries). This of course depends on whether HealthVault is able to directly receive medical information from health care providers across the nation, certify the source of each data item, and ensure (to the satisfaction of physicians) that the information cannot be altered by consumers and therefore can be relied upon for decision-making. This would indeed be a major contribution.

In order for this to occur, consumers must be convinced that the information in HealthVault is totally under their control, and that its privacy and security is protected. Microsoft has taken major steps to ensure the security of HealthVault, and has also agreed to abide by the Privacy Principles of the Coalition for Patient Privacy, a major bipartisan health privacy advocacy group. They are seeking or have received outside independent security certification (backed by independent audit) and are doing the same in the privacy domain. Clearly, establishing trust with consumers is essential to the success of HealthVault.

HealthVault Does Not Fully Solve the Health Information Infrastructure Problem

However, HealthVault does not address at least two important functions required to solve the overall health information infrastructure problem. First, it does not provide for searching consumer health records. Of course, consumers can decide to send their data outside the HealthVault for searching, but then it is no longer in the protected environment. As previously discussed in this space, searching the data is critical not only for public health and medical research, but also for certain clinical functions such as notifying consumers when a drug they are taking has been withdrawn from the market. Therefore, a complete solution requires adding search capability.

Second, HealthVault does nothing to address the biggest problem of all with respect to electronic health records — that most of the information in doctor’s offices is still recorded on paper. Only about 1 in 5 physicians use an electronic health record (EHR) system today. While adoption of EHRs is continuing, it is slow — primarily because the business case for EHRs in physician offices is not good. Most of the benefits of such systems accrue to others in the health care sector besides the physicians. Therefore, physicians are reluctant to pay for them — and financial incentives for physicians are needed so that physicians will all convert to EHRs.

As noted above, health record banks can address this problem by either paying physicians for deposits of encounter reports (the eHealthTrust business model ) and/or by directly providing low-cost Internet-based EHR systems to physicians funded by the revenue received by the health record bank. In the absence of such financial incentives for physician EHR adoption, most health records will remain paper based and cannot readily be stored or processed electronically.

HealthVault and Communities

For those communities working on establishing health record banks, HealthVault is good news even though it is not the solution for the entire problem. Now communities have the option to use HealthVault as their “cubbyhole” server — at no charge. To complete their health information infrastructure, communities still need to establish a trusted multi-stakeholder organization to provide local governance to ensure trust. That organization would then engage a for-profit health record bank service provider to establish and operate a secure searching server and deliver low-cost EHRs to physicians using an effective business model that ensures sustainability. While these are by no means trivial tasks, HealthVault may allow community health record banks to be established more quickly and more easily by supplying part of the needed infrastructure — thereby reducing the upfront investment requirement.

The real question is whether consumers will have sufficient trust to store their data in Microsoft’s HealthVault. Only time will tell.

by William A. Yasnoff, MD, PhD, and Deborah Peel, MD*

In a recent editorial, Modern Healthcare argues that the current national health information technology (IT) efforts should be abandoned since they can’t succeed unless “the federal government mandates a single healthcare information technology platform for all healthcare providers and heavily subsidizes its adoption.” While we agree that the current efforts are not progressing well, we are not willing to dismiss health information technology’s potential to improve care, increase efficiency, and reduce costs.

Health Record Banks and Consent Management Tools Can Overcome Problems with Current Health IT Efforts

Over the past several years, more than enough time and energy has been spent trying to automate our existing, inadequate system of health information “exchange” between various healthcare stakeholders. Not only have these efforts failed to solve the problem of making complete patient records available, they are also numbingly complex, frighteningly expensive, and a massive threat to privacy. It is time to use ‘smart’ technology and build a system of Health Record Banks that can provide more complete electronic patient information with informed consent whenever and wherever needed. Health record banks with independent consent management tools that automate the process of obtaining permission for each release of information can make the records needed for safe and effective medical care available while fully protecting every individual’s right to health information privacy.

Health Record Banks (HRBs) would provide everything needed for an effective nationwide health information system: 1) consumer-controlled access to medical records; 2) financial sustainability; 3) incentives for physicians to acquire and use electronic health record (EHR) systems in their offices; 4) ironclad privacy protection; 5) stakeholder cooperation; and 6) access to health data for consumer-authorized secondary uses such as medical research.

Each person would keep an up-to-date copy of their lifetime health record in an HRB “account.” All access to the information in the account would be controlled by the account-holder (the consumer), who would give permission for the necessary information to be available to health care providers. Each consumer would also have access to their own record, and could add and amend information as desired. All HRB record entries would be marked as to the source of the information. The Health Record Banking Alliance (HRBA) has been established to promote this approach to health information infrastructure.

Independent consent management tools would allow consumers to exercise control of access to each and every data field of their personal health information by specifying (and changing as needed) who has permission to see each item.

How Health Record Banks Work

When seeking care, the account-holder would identify their HRB, having previously granted permission for the caregiver to access his/her records (either all or part) through a secure Internet portal. Confidentiality can be assured when data is sent from the bank to a provider by contractually requiring its use only for the purpose(s) that the patient approved. When the care episode is completed, the caregiver would then transmit any new information generated to that same account in the HRB to be deposited in the account-holder’s lifetime health record.

HRBs themselves would have exclusive responsibility as the agent of each consumer, and would be required to follow stringent privacy and confidentiality practices to protect the information (either via open and transparent community oversight or legally-mandated government regulation). The Independent Health Record Trust bill recently introduced in Congress by Representatives Moore (D-KS) and Ryan (R-WI) with 48 bipartisan cosponsors (HR 2991) would create such a regulatory framework.

HRB operations would be inexpensive — less than $1/person/month once the number of customers is large (over 1 million). This small cost could be paid directly by patients or be included in health insurance benefit plans. Even if the health care savings generated from the availability of more complete patient information amounted to just a small fraction of the published estimates of about 8% of health care costs ($40+/person/month), HRBs would pay for themselves many times over.

How Independent Consent Management Tools Work

Consent management tools permit consumers to instantly give or rescind permission to access their data electronically, set standing consents for data access in emergencies or any routine situation, and view complete audit trails of all uses and disclosures of their personal health information. Keeping all consents in a single independent location is convenient for consumers and makes it unnecessary to set up or remember to change permissions at every place of treatment and with every health professional or organization that holds, stores, or transmits their personal health information. Instead, all data holders would have to check electronically with each person’s consent management system before transmitting or disclosing any data to anyone. And consumers can easily monitor all access and uses of their health records because they will have audit trails of disclosure of their health records in one place.

Consent management tools are also inexpensive: consumers or organizations representing consumers can pay nominal fees to obtain them or be given the tools in exchange for transaction payments from data users to independent consent management tool vendors.

Health Record Banks Can Provide Physician EHR Incentives

HRBs can also provide incentives for physician EHR adoption and use. The HRB would either pay a small fee for each deposit of a standardized electronic report of an outpatient encounter, or provide free access to an EHR system to physicians via the Internet. This would help ensure that all patient information was electronic — a requirement that is not being addressed in current efforts. These HRB incentives explicitly recognize that the benefits of physician office EHRs primarily accrue to other healthcare stakeholders. Note that this would also allow HRBs to enforce standardization of health care information — payments for deposits would be contingent on following standards and HRBs would only provide EHRs that did so.

Health Record Banks Protect Privacy While Enabling Consumer-approved Secondary Data Access

Privacy protection would be assured because no HRB would allow access to any information for any purpose without the patient’s permission. In essence, the HRBs would provide “electronic safe deposit boxes” for each consumer’s medical records. Stakeholder cooperation would be assured because it is the patient who requests copies of his/her records for deposit in the HRB. Under HIPAA (the Health Insurance Portability and Accountability Act), patients already have the right to such copies.

Finally, HRBs promote appropriate secondary access to electronic health care information. When public health authorities or medical researchers query HRB(s), information from all account-holders that have agreed to allow that particular use of their data would be searched. Confidentiality can be assured by limiting the response to a query to the number of records that meet whatever criteria were submitted. The actual data would not be released to any researchers or public officials unless required by federal statute, assuring that consumers can participate without any risk of data or identity theft or loss of privacy. If needed, a message can be sent privately to each account-holder matching the query conditions. This would, for example, allow notification of account-holders of their eligibility for a clinical trial (see the previous posting on this topic for more details). If fees are charged for data access, the revenue could be shared with account-holders as an incentive to allow such use.

Conclusion

So we agree — let’s scrap the current national health IT efforts … and use smart technology instead. With health record banks and independent consent management tools, we can build an electronic health system that delivers all the benefits we want and ensures that privacy rights are strengthened and preserved—so consumers will actually be willing to participate in electronic health record systems. Communities such as Louisville, KY, Washington State, and Texas are already on the HRB path — why not yours?

—–

*Dr. Peel, co-author of this blog posting, is Founder and Chair of the Patient Privacy Rights Foundation, and leads the bipartisan Coalition for Patient Privacy. She is a practicing Board-certified psychiatrist and Freudian psychoanalyst and earned her MD at the University of Texas Medical Branch in Galveston.  Modern Healthcare recently named her #4 in their list of the 100 most powerful people in healthcare in 2007.

Michael Porter’s Support for Health Record Banks

Many advocates of health care system reform have been avidly reading Redefining Health Care by Michael E. Porter and Elizabeth Olmsted Teisberg (Boston: Harvard Business School Press, 2006), which advocates moving to a system of value-based competition based on results. In it, the authors clearly recommend the health record banking approach:

“Today, medical records are scattered. There are separate records at individual physician offices and at various treatment facilities. Specialists usually send summaries to the patient’s primary care provider or family physician, not the full record of their care. Records are not kept in a form that is easy to integrate.

A trusted third party will be needed to play the role of maintaining, accumulating, and verifying the patient’s records and making them available when, and only when, the patient has given approval.” (page 272)

As work continues across the U.S. and elsewhere to build health information infrastructure (HII) allowing “anytime anywhere access to complete patient information and decision support,” a consensus appears to be emerging on the closely related issues of consumer control to assure privacy and the need for health record banks that is consistent with Porter and Teisberg’s views.

Patient Control of Access to Their Electronic Health Information

With respect to patient control of access to their own health records, a recent report entitled “The Way Forward for NHS Health Informatics” from the British Computer Society reviewed the HII efforts in the U.K. and recommended that “… informed patient consent should be paramount [in the sharing of electronic patient data].” (recommendation 1.12 on page 4)

At the January, 2007, Nationwide Health Information Network (NHIN) Forum in Washington, DC, all four of the vendors demonstrating prototype architectures and every other speaker who discussed the topic agreed that patients should control all access to their electronic medical information. Interestingly, there was essentially no discussion or questioning with respect to this point — it appears to now be an accepted conclusion.

The idea of patient control is not new. Mandl et al suggested this as a key principle in an article in the British Medical Journal in 2001. What makes the recent developments remarkable is that this truly patient-centric view has not been clearly articulated before (at least in the context of an NHIN meeting), much less accepted as a key requirement.

This is a very positive development, as it seems clear that the general public will not accept electronic health information systems unless individuals control access to their own records. For example in a 2005 national survey, 79% of respondents indicated access to such information should require their permission. There is good justification for this. As Mandl et al point out, “If patients feel that they have no control over the fate of their medical information, they might fail to disclose important medical data or even avoid seeking medical care because of concern over denial of insurance, loss of employment or housing, or stigmatisation and embarrassment.”

Finally, Dr. Robert Kolodner, Interim National Coordinator for Health Information Technology at the U.S. Department of Health and Human Services, announced this past week that the upcoming RFPs for “trial implementations” of community HII systems would require technology implementations that allow patients to control the detailed flow of their own information — deciding how they “view, store, and control access.” In this way, the technology will be able to support consumer control at the data item level. While providing such control in health record systems is not currently required by law or policy, incorporating these capabilities ensures that the “technology will not drive the policy” with respect to privacy. This is a wise and prudent approach to HII technology.

Need for Health Record Banks for Secondary Data Use

Another interesting development at the January NHIN Forum was the acknowledgement by all four of the prototype developers that efficient secondary use of electronic health information required the establishment of one or more data repositories to facilitate searching. Activities such as identifying subjects for clinical trials, public health monitoring of disease trends, and assessing potential unexpected outcomes of therapeutic interventions on a population basis, clearly require the availability of searchable databases. As has been pointed out in previous postings here, this creates a need for health record banks where copies of complete patient records can be accumulated under strict patient control.

The provision of consumer control at the data item level will also require the health record bank approach, since it is extremely difficult to provide consumers with the ability to decide what information they wish to share unless the information itself is available to be directly linked to consumer permissions.

The Time Has Come for Health Record Bank Implementation

The State of Washington has recently recognized the advantages of the health record bank approach to HII. After a 16-month process of study and review, the Washington State Health Information Infrastructure Advisory Board (HIIAB) (created by the Legislature) released its final report in December, 2006, recommending the development of multiple health record banks containing consumer-controlled copies of health records from multiple sources. The Governor’s request for $9 million in seed funding for implementation efforts is now being considered by the Legislature.

As I indicated in a recent editorial, it is time for health record banks to be built and made available to consumers. Hopefully, 2007 will be the year that we begin to build the foundation for a safer, higher quality health care system by creating the health record banks consumers need to make their complete electronic medical records available for their care while fully protecting their privacy.

The Value of Health Record Bank Information

Searching electronic health information in health record banks could be incredibly valuable for medical research and public health. Imagine what we might discover if we could rapidly and easily examine the medical records of many thousands of patients across the nation with a specific type of heart disease or cancer to determine which therapies are most effective! Today, such studies take years and cost millions of dollars, while only including relatively small numbers of subjects.

Health record bank information could also be invaluable to protect public health. For example, in the anthrax attacks in Fall 2001, there were seven cases of skin anthrax in the New York City area in the two weeks BEFORE the “first” case was detected in Florida (see Lipton E, Johnson K: The Anthrax Trail: Tracking Bioterror’s Tangled Course. New York Times, Section A, p. 1, 12/26/2001). Monitoring for such unusual events in an electronic health record bank could have found those earlier cases, raising the alarm sooner and allowing lives (and money) to be saved.

While the benefits of such searching are clear, all of us have a legitimate and realistic fear that such activities could seriously compromise the privacy of our sensitive medical information. So is it somehow possible for all of us to benefit from the knowledge that could be extracted from health record banks without having to compromise the privacy of our personal medical information? The answer is “yes” – and in this posting I will describe one approach to accomplishing this.

How Health Record Bank Searching Could Work

Imagine a system of health record banks across the country, with each person having their complete electronic health records stored in the bank of their choice. You control all access to your records, and have given permission for your information to be used for research and public health – as long as your information is not released as part of that use. How would a medical researcher utilize this data?

A query to the health record banks would look something like this: “How many patients are between age 45 and 54, more than 20% above their ideal weight, have ever had an abnormally high blood sugar, and had a blood pressure reading more than 10% above normal in the last 90 days?” This would be sent to all the health record banks (through a coordinating entity) and each bank would produce two results: 1) a count of the number of patients matching those characteristics; 2) some demographic data about those patients (e.g. percentage male/female). The results from all the health record banks would be combined by the coordinating entity and delivered to the researcher.

Note that in this process no one’s individual information has been released. Small alterations would be made in the counts and demographic outputs to be sure that no individual could be indirectly identified with subsequent queries (e.g. two queries with a count differing by “one”). This latter procedure, known as statistical disclosure control, is already done very effectively with data from the U.S. Census Bureau for the same reason.

Recruiting Volunteers for Clinical Trials

If the researcher was trying to recruit volunteers for a clinical trial, a message could be delivered to the patients that match the desired characteristics. The message would explain the clinical trial, the advantages and disadvantages of participation, and provide information about how to contact the researcher. Any further inquiries would be up to the patient, and there would be no obligation to respond to such a message. Note that the researchers would not know to whom their message was sent – they would only have an approximate count of the number of recipients.

If, after the first query, the researcher wanted to know more about this particular patient population (such as what medications they are taking), subsequent queries with additional “matching elements” could be submitted.

Why This Approach Protects Privacy

This methodology allows researchers to get the information needed for studies of various types without the need to release any medical information about individuals. It also eliminates the problem inherent in releasing so-called “de-identified” subsets of data – which is that often such data can be “re-identified” by linking it to other datasets (see L. Sweeney. k-anonymity: a model for protecting privacy. International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, 10 (5), 2002; 557-570 PDF). The risk of such re-identification is never zero – while it can be low, there is always some risk. The system described here avoids even that small risk.

Sharing the Benefits with the Owners of the Information

Finally, I believe that the value of the data should be shared with the patients who own it (i.e. you). Those who wish to submit queries should pay fees to do so, and patients who allow their data to be searched in this way should receive the majority of the revenue generated from those searches. In this way, your “deposits” of medical information in your health record bank account can earn “interest.” This is similar to the way grocery store chains compensate you with price discounts for sharing your purchasing information via “affinity cards.”

Of course, participation in such searching should be voluntary, and no one should be forced to allow their data to be used this way without their consent.

Conclusion

By allowing searching with patient consent while limiting the results of such searches to counts and basic demographic information, privacy can be protected. Patients would also receive fair compensation for the value of their information through sharing of the revenue from search fees. In this way, all of us can simultaneously retain the privacy of our sensitive medical information while we collectively enjoy the benefits from knowledge gained through population-based analysis.

Previously in this space, I’ve explained why your health records need to be in one place, and how a health record banking system can provide this service for everyone. Recently, I described the case for health record banks and encouraged policymakers to establish regulation for them in a speech to at the Annual Meeting of the National Foundation of Women Legislators:

Good Morning. I’d like to talk with you about our “so-called” health care system — which is not about health, does not really care, and is completely unworthy of the word “system.” As we all know, our medical care is both unsafe - lots of medical errors and preventable deaths — and increasingly expensive.

This morning I’m going to highlight the problems caused by our paper-based health records, tell you one person’s story, lay out a vision of the health information system we need, and finally explain how the problem can be solved, including your role in the process.

Problems caused by paper-based health records

As you go from place to place to place to get health care, you leave a paper record of your care at each place. No one has the complete picture — and even if they had all the records, they are not very helpful in paper form. Since health care occurs in this mostly “information-free” zone, its inefficiency and uneven quality are not really surprising.

One person’s story

Let me tell you about one person’s health care experience. My friend’s 69-year-old mother Diane was in good health and enjoying an active retirement. One weekend, she developed symptoms of a urinary tract infection. By Sunday night, she was in so much distress that she finally called her regular doctor, who of course was unavailable. When she reached the on-call physician, he agreed that she had a urinary tract infection and prescribed an antibiotic. Diane, who was by then in great discomfort, immediately filled the prescription at her closest 24-hour pharmacy and began taking the medicine. Instead of feeling better, she got worse and worse and finally lost consciousness. Her husband took her to the emergency room in the middle of the night and she was admitted to the hospital. She spent nearly two weeks there suffering from multiple organ failure with one complication after another. In the end, the doctors were not able to save her. The original antibiotic that was prescribed for her urinary tract infection contained sulfa, which she was allergic to. The on-call doctor had no records reflecting this known allergy. Diane’s husband and four children are devastated.

So how can we prevent more tragedies like Diane’s?

The health information system we need

We need a health information system that always makes complete patient records available — giving health professionals immediate and efficient access to the information required for diagnosis and treatment.

We need a health information system that will reduce errors. Our doctors make more decisions in the exam room than pilots make when landing a plane — yet we provide pilots with scores of instruments and warning systems to prevent errors.

We need a health information system that will improve quality. Even our best hospitals and doctors fail to give some patients the best and latest treatments. It takes a shocking 10 to 17 years for new discoveries to be routinely used.

We need a health information system that provides consumers with the ability to access and control a copy of their medical records that is immediately available when and where needed — and otherwise completely private and secure. Consumers must have the tools to participate actively in their own care.

We need a health information system that empowers consumers — that allows them to communicate with their doctors electronically, to receive their own test results, and to record their own medical data from home.

We need a health information system that can do all these things regardless of where the physician and patient are — so that an illness or injury while traveling can be handled as safely away from home as it is at home.

And we need a health information system that allows public health officials to detect patterns of disease — so that outbreaks and bioterrorism can be spotted early, when interventions can save lives and prevent the further spread of disease.

Everyone from Newt Gingrich to Hillary Clinton agrees with this — and the good news is that we can have such a health information system and improve efficiency at the same time. Let me tell you how.

How the problem can be solved

The solution is to empower each consumer to own and control an electronic copy of all their health records in a Health Record Bank. This health record bank would serve as the designated agent of the consumer to store and safeguard a complete copy of her medical records and make them available (in full or in part) solely as she directs. An institution is needed (as opposed to having each consumer hold their own records) to allow for worldwide immediate availability of health records coupled with ironclad computer security to protect privacy.

Whenever care is received, the prior records would be available (with consumer permission) from the health record bank, and the new information generated would be deposited in the consumer’s account. Each bank would have three standard transaction windows: withdrawal — for access to records, deposit — to accept new records, and search — to accept search requests from authorized medical researchers and public health authorities. There would be many competing health record banks, and each consumer would have an account at the bank of their choice.

Many business models are possible to fund health record banks. My preference is the eHealthTrust model, in which the patient pays a very modest monthly charge ($5 or less), which can be a covered health insurance benefit. The bank would pay physicians small fees for electronic deposits of standardized reports of clinical encounters — to overcome the existing financial barriers for the acquisition and use of electronic medical records in their practices.

The need for regulation

What can you do to help make this a reality? Health record banks must be regulated to ensure that they operate in a safe, effective, and trustworthy manner. Regulation must first reinforce patient control — for both primary and secondary use of health records. It must also guarantee privacy of the records by requiring state-of-the-art security practices backed up by regular independent audits — with serious penalties for violations. Bills to accomplish this were introduced in both Houses of Congress in this session, and will be reintroduced next year. Regulation can also be done at the state level. Your efforts are needed to help create an environment where health record banks can flourish.

Conclusion

In our health care system today, errors are common, quality is inconsistent, and efficiency is poor. Medical records and transactions are paper-based, information is not readily accessible, and treatment decisions are overly dependent on human memory. In U.S. hospitals alone, there are as many as 98,000 preventable tragedies like Diane’s every year — equivalent to a jumbo jet crash with no survivors every day. With your help to promote the growth of health record banks, we can ensure accurate and complete records for everyone while rigorously protecting privacy.

Thank you very much.

There is lots of discussion today in communities across the country about health information infrastructure. As people consider the issue, I thought it would be helpful to explore some of the myths and misconceptions about specific approaches and strategies that have been suggested to provide for the availability of complete patient records when and where needed.

Myth #1: The patient-carried record

One of the most popular and persistent myths of health information infrastructure is the patient-carried record. The idea is that if every person just carried their complete medical record, then it would be available for use whenever necessary. The record could be stored on a smart card, a USB drive, or some similar small and portable medium. Every site of care would have readers, and new information created at each visit would be written to the patient-carried record.

This idea is very appealing in its simplicity and low cost. On first glance, it appears to solve the problem, assuming that everyone could agree on the format of the stored records and obtain the needed hardware/software to read and write them (which would not necessarily be easy).

However, there are two serious flaws in this approach. First, what happens when the patient-carried record is lost, damaged, or destroyed? This can easily happen in a car accident, for example. Not only would the record itself be unavailable for the immediate need, but there would be no way to easily reconstruct it since there is no backup. To solve this latter problem, each person could have a second, backup record that they keep at home or in another “safe” location. However, that backup record would also not be accessible when needed for care UNLESS there was a backup location that could be reached electronically, i.e. via the Internet. However, if there is a backup of the patient-carried record available via a secure Internet portal, then why do you need a patient-carried version at all? The patient-carried record itself is the real backup in this case, and a relatively expensive one at that (compared to having a backup of all the records at the secure Internet portal). Furthermore, medical records available via a secure Internet portal would immediately be accessible from anywhere in the world without additional hardware and software, eliminating the need for everyone to have readers for the patient-carried version.

The second flaw in the patient-carried record approach is the problem of keeping it updated. This approach assumes that all medical information is generated when the patient (and the patient-carried record) are present — allowing the patient-carried record to receive the new information. But when x-rays are interpreted or blood test results are generated, the patient is rarely present. How would such information get to the patient-carried record? It might be argued that the next time any medical care is needed, the patient-carried record could be updated with this new information. But how would that information get to the next site of care (since we don’t necessarily know in advance where it might be)? Where would the new information be “held” until it can be downloaded to the patient-carried record? Would the new information be e-mailed to the patient? In that case, what if the patient forgets to do the update? Or doesn’t have e-mail or a computer? Clearly, it would be problematic to keep the patient-carried record up-to-date.

This is not to say that there is no role for patient-carried medical information. An up-to-date summary of problems, allergies, medications, and recent lab results could be very helpful IF patients would carry them. However, depending on this as a solution for delivering complete patient information when and where needed is not realistic.

Myth #2: Your medical record stored on your home computer

This idea is that everyone could just keep their complete medical records on their own home computer. After all, many people are already doing this with their financial information by integrating the data from multiple institutions. However, aside from the obvious problem that not everyone has a home computer, this approach does not work for your medical records. Unlike financial data, medical information may be urgently needed on a moment’s notice, and most likely the need will not be when you are at home with access to your computer. How would your doctor or hospital get access to the record in your home computer? Theoretically, you could leave your computer connected to the Internet and enabled for remote access. But then each person would need to implement and operate a highly secure portal to their computer to assure that there was no improper access and that viruses, worms, or hackers did not damage or destroy their medical records. In addition, each person would need to provide for backup power and telecommunications capability to ensure 24/7 availability, not to mention off-site backup of the information so it could be recovered in a disaster. Clearly, such efforts by individuals would be both unrealistic and prohibitively expensive. So this is not a viable solution.

This does not mean that having your medical records on your home computer is a bad idea — it could actually be very helpful. But your home computer is not a good place to have the copy of your medical records that is intended to be available for your care whenever and wherever needed.

Myth #3: “Google-like” retrieval of your medical records

Everyone is familiar with the impressive search capabilities of Google and other Internet search engines. With just a few keywords, they can rapidly find relevant information from (literally) billions of web pages. Why not use this capability to find your medical records — wherever they are located — and make them available for your care? (assuming they were all electronic and accessible via the Internet in a way that protected your privacy)

First of all, if this could be easily done, Google and others would already be doing it. The fact that they aren’t immediately tells you that there are fundamental problems. In my view, the most important problem is that Internet searching represents a type of information retrieval known as “non-deterministic”. In plain English, this means that the results of the search are never perfect — not all the items that should be found are actually found, and not every item displayed is one that is really relevant to the search. This is not a criticism of the search methods — they work really well — but is just inherent in the use of techniques for finding relevant documents.

In contrast, “deterministic” searching is what is done with computer databases. When someone searches their Accounts Receivable database to see which customers have balances over $500, the expectation is that the result will include every customer with such a balance and not any others. In this case, if the search did not work this way, we would say that there was an “error” and that the software was not working properly. When you search your Contacts file for “Mary Turner,” you expect to only find that name and you’d be puzzled if “John Tucker” also showed up in the results.

One reason it doesn’t work this way when using keywords to search for documents is that the “relevance” of a given document is itself not completely clear, and often depends on the context of the use of those key words (as well as human interpretation). For example, a search for “diabetes treatment” is highly likely to find a document with the phrase “… and this has nothing whatsoever to do with diabetes treatment” or “… this is in contrast to diabetes treatment, which is outside the scope of this discussion.” While these contain the phrase we are looking for, they are unlikely to be of interest.

Another reason document searching is challenging is that documents themselves are “free text” — not formatted into specific “fields” with known values. It is not easy for a computer to figure out the major topics of a 5000-word document (even people often find this difficult). Contrast this to a database where each item is in a “field” with a specific known format and meaning (e.g. phone number). When you know exactly where to find a specific piece of information and what it means, then a computer can easily retrieve it when asked. These two different search methods are also known as information vs. data retrieval.

So when searching for documents based on keywords, there is no absolutely reliable marker in each document that an algorithm can use to determine if that document is really relevant. The process is more like “pattern recognition” — trying to decide if the words in a document form a pattern that is consistent with what the query is requesting. In contrast, when searching the Accounts Receivable for balances over $500, it is easy to look specifically at the balance field and decide if it does or does not meet the “over $500″ condition.

Getting back to medical records, many of which are also “free text,” it would clearly be unworkable to use document retrieval methods to find them. It would not be an acceptable response to a request for your records to locate 60-80% of them while also finding many records belonging to others. To be useful, a medical record retrieval method must find 100% of your records and none belonging to anyone else. Because of their inherently non-deterministic nature, no document retrieval method can do that.

But, you might ask, why not just label every one of my records with my name and a unique identifier so it can easily be found? That would solve the problem, but you’d no longer be using document retrieval (where you look for words), but database retrieval where you look in specific fields for specific values. The latter is not what Google and the other Internet search engines do.

Conclusion

Hopefully, the discussion of these myths will be helpful to you in considering how to approach the development of community health information infrastructure. For more information on a feasible and practical approach for building health information infrastructure in communities, please check out the previous posting on health record banking. As always, your feedback, comments, and additional thoughts are welcome.