Are Privacy Standards Enough to Push Electronic Health Records?

By Ericka Chickowski  |  Posted 2008-06-30

Google, Microsoft, WebMD, Dossia and other major technology providers in the burgeoning PHR (personal health record) niche are all hopeful that a new privacy and security standard released last week will be just the catalyst they need to give consumers more control over their digital health care information.

Developed with direction from health care policy makers, insurers, consumer activists, health care providers and PHR technology vendors, the Connecting for Health Common Framework was the brainchild of The Markle Foundation. This New York-based non-profit organized the consensus framework through its public/private Connecting for Health collaborative group in the hopes that it could jumpstart the use of public health records among patients across America.

According to a survey also released by Markle last week, only about 2.7 percent of Americans currently take advantage of online personal health records, but 80 percent of those who use them find them extremely helpful.

Will the standard be enough to convince Joe Patient that PHR services are safe to use? And even if it is, can the PHR industry tackle the other technological challenges it needs to face to make widespread adoption a reality? Baseline takes out its stethoscope to examine the heart of the matter.

The PHR Ideal
An online PHR gives health care consumers the power to control all the data about their medical treatment, conditions and prescriptions in a single, portable digital file.

“PHRs are a way to give consumers more control over their own health care to help reap some of the benefits of health information exchange,” says Jim Dempsey, vice president for public policy of the Center for Democracy and Technology and a contributor to the Connecting for Health initiative. “They make it easier for patients to access their own health records to make those records available to providers.”

The idea has been around for some time, but only in the last several years has it begun to snowball, as employers looked for better ways to lower the cost of benefits and give their staff more medical choices. In fact, some large employers are so convinced that PHRs are a way of bringing health care costs down that they are taking drastic measures to make them a reality. Case in point: Intel, Wal-Mart, Pitney Bowes and BP teamed up to create a non-profit organization called Dossia to support member employees’ PHRs.

“The goal is to create the infrastructure that puts our employees’ health data in their hands,” says Colin Evans, president of Dossia. “We believe that empowering our employees to actually have data to become consumers will ultimately have the effect consumer pressure has in every other industry, to make it more efficient, more cost-effective and more effective, in general.”

Once member employees opt into the system, Dossia collects their information from their health plans, their health care providers, labs, pharmacies and so on, and offers digital access to the patient. The patients then have control over who sees their information. Not only can patients share their PHR with their regular physicians, they can also use them for a range of online health care applications and services that are cropping up to serve those with online PHRs.

“We have an open program interface that sits on top of Dossia which will enable a range of application service companies to provide tools that, with patient permission, can then be used on that data,” Evans says. “So an employer might do a deal with WebMD to provide a broad set of PHR tools, or they might have an arrangement with a disease-management company or a fitness company, or the employees themselves might hit the upgrade button and connect to services themselves. We're an enabler of our employees, and we hope we're talking to people on both ends of that food chain, the institutional data donors today as well as the software and application infrastructure.”

The last eight months have held breakthrough moments for PHR, as the two titans of computing, Microsoft and Google, both moved into the market with their own takes on health record services. In October 2007, Microsoft launched HealthVault, and Google followed suit in March with Google Health.

Despite all the early activity and hype surrounding PHRs, nobody’s using them yet.

“There are hundreds of companies that have personal health record systems, products, services [and] applications,” Evans says. “Every major health plan claims you can have access to your information personally. Most live providers give you access to their data. And yet almost none of these systems have any kind of volume adoption.”

Right now, Dossia’s users number in the hundreds, but the group is poised for a major rollout by summer’s end, which could potentially boost the total into the tens of thousands, Evans says.

Both Microsoft and Google are still in beta stages with their health services, and even players who have been around for a while aren’t seeing huge numbers of consumers taking advantage of their services. Survey numbers and analyst estimates range from Markle’s 2 percent approximation to a generous guess from Forrester Research that PHRs have penetrated more than 6 percent of the U.S. population.

Privacy a Major Barrier
Many factors still hinder the online health records movement, but none are as readily apparent as privacy and confidentiality issues. Markle’s survey, created by Columbia University Professor Emeritus Alan F. Westin and conducted by Knowledge Networks, found that among 1,500 members of the public, 53.6 percent were disinterested in using PHRs. Of those, privacy was the most frequently chosen reason.

Privacy has long been a delicate issue in health IT circles, which was why Congress acted in 1996 to push through the HIPAA (Health Insurance Portability and Accountability Act). Yet, for all its benefits, HIPAA has nary a whisper on the subject of online personal health records. The law is, after all, 10 years old.

"Some of the new services aren't covered under federal health information privacy laws, and there is uncertainty about privacy protections," Steve Findlay, health care analyst for Consumers Union, publisher of Consumer Reports, said at last week’s press conference on the Connecting for Health Common Framework release. "This collaboration lays out specific practices that all PHRs and related services can use, whether they are covered by federal privacy rules or not, so they can enhance public trust."

The Connecting for Health framework task force set aside the HIPAA debate and went back to the basics, by defining fundamental elements of privacy in the context of PHR and tailored online health services, says Dempsey of the Center for Democracy and Technology. Most importantly, the framework recommendations were written to be consumed by a range of audiences, including policy makers, system developers, health care providers, employers, insurance companies and consumers, he says.

“What this task force did was it took motherhood and apple pie principles (you've got to protect privacy, you ought to have security, you need to give notice to people about your practices) and translated them into 120 pages of detail,” Dempsey says.

Framework Details
The Common Framework is broken up into two major sections. The policy section makes key IT governance and policy recommendations, such as how the IT architecture should be built in a networked health information environment, what kind of authentication should be in place for system administrators, how to match patients with their records without individually identifying them, and what the guidelines are for notifying users when security breaches occur.

The technical section goes into further detail, standardizing how PHR information is to be exchanged. This section includes an architecture implementation guide, technical standards for the expression of medical history and laboratory results, recommendations on data quality assurance and consumer authentication requirements.

Also in the framework are specifications on how a privacy policy should be written, most notably that it should not exceed a fourth to sixth grade reading level to ensure that legalese does not enter the equation.

The Connecting for Health initiative had more than 30 partners and participants contributing to the framework, which took more than a year of collaboration to finalize. Some found the consensus-building activity of creating the framework so illuminating that they began implementing certain discussed privacy principles before it was rubber stamped. For example, both Microsoft and Google reported to the committee that they had begun to use lessons learned through their participation in their new PHR efforts.

"Thanks to the Internet, people can manage their finances, make purchases, book travel and more. However, the same level of access and convenience hasn't been offered for health services, in part, because privacy rules are unclear,” Peter Neupert, corporate vice president of Microsoft’s Health Solutions group, said in a statement. “This framework is a good start in articulating sensible privacy and security practices around the appropriate handling of personal health information and should help to increase consumer trust and adoption of emerging online health services."

Even if a company had already been following all of the practices laid out by the framework guidelines, some participants such as Dossia’s Evans say it adds another layer of legitimacy to PHR privacy efforts.

“People need to know that [PHR technology and practices are] totally and completely private, that they can control access and they can decide what to do with it,” he says. “We made it very clear to employees that we're not going to loop into the data flow, but as a supplement to our statements, Connecting for Health is a very good external legitimization to prove that we're not making this stuff up; this is sort of an industry movement.”

Perhaps the Achilles heel of the Common Framework is the matter of enforcement. Unlike HIPAA, this standard is not an enforceable government regulation. Nor is there legal and contractual leverage for compliance as is the case between retailers and credit card companies regarding PCI data security standards.

Instead, the Common Framework depends on the participant’s pledge to abide by the rules and a hopeful combination of other means of enforcement.

“I think all of the endorsers agree that there is no one magic bullet [for] effective enforcement. It will have to come from a mix of government regulation, self-regulation and consumer watch dogging,” says Dempsey of the Center for Democracy and Technology. “You’re going to need some elements of all of that, and certain elements of the framework will be better enforced by different mechanisms.”

However, the details on how this will work remain sketchy. Consumer Reports has said that it eventually expects to grade PHRs against the framework, much as it would rank car performance. But government regulators wouldn’t get involved until there were actual regulations created by lawmakers to benchmark against.

New Challenges Lie Ahead
Even with enforcement issues settled, though, a number of challenges continue to stymie PHR penetration. First and foremost may just be general consumer apathy toward the use of online health records.

The Markle survey, conducted by Knowledge Networks, found that of those not interested in using a PHR, approximately 46 percent said it was at least partly because they didn’t feel they needed one to handle their health needs satisfactorily.

"Consumers are just not that excited about these (services)," Forrester analyst Elizabeth Boehm told the Wall Street Journal last fall. "They just don't understand what's in it for them."

These factors are particularly challenging, Evans explains, because they are held back by an extremely creaky national health care IT infrastructure.

“There are plenty of standards available that would specify how one might take health information from system A to system B, from a hospital medical records system into a PHR system. There's no lack of clarity on that,” he says. “The question is, have all of these different institutions implemented all of these standards in their legacy IT environment?”  

The answer is no, says Evans, adding that even a very conservative average would put most health care IT systems 10 years behind systems in any other vertical.

“Frankly, it’s because they've not been forced to invest in IT as a competitive necessity,” he says. “If you talk to a health plan, even the ones that claim that they're leading-edge health plans, they've got systems that are incapable of really linking data at the individual level. The systems weren't built to know something about individual customers; they were built to do claims management, optimization, loss adjustment or market analysis. They've got old systems, and they're not very responsive about changing that.”  

Unless employers apply more heat to the market, this will remain the weakest technological link to the health information exchange ecosystem, Evans says. “The reason we are doing Dossia is that we believe that if we give information to our employees, they will become smarter consumers and will ultimately still spend less money and be healthier people,” Evans says. “Health plans themselves claim they are customer-oriented, but the person that is getting treated at the doctor and is filing their claims really isn't their customer. The customer is the employer that is paying the bill. So the employer needs to start stepping into the space and saying 'We think you need to be more efficient in dealing with us.'”

Beyond that, there are also major technological hurdles that still need to be overcome. Evans points to two that Dossia is trying to address: “One is the data itself has to be in a format that is usable to clinicians. If it is just gobbledygook, no doctor will ever use it. Secondly, it has to be auto-populated; people are not going to type in their own information on their drugs and their allergies and their treatments. It is too complicated.”
