
Are EMRs Getting Worse Or Doctors Getting Smarter?

Posted on August 20, 2015 | Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

I know it sounds crazy — it’s hard to imagine doctors being more annoyed with EMRs than they already are — but according to one study that’s just what’s happening.

A newly-published study by the American Medical Association and the American College of Physicians’ AmericanEHR division suggests that doctors like the current crop of EMRs less than ever.

About half of study respondents said that their EMR was having a negative impact on costs, efficiency or productivity, the groups reported. Only 22% said they were satisfied with their EMR, and a scant 12% said they were “very satisfied.”

Doctors’ happiness with their EMRs has dropped substantially since five years ago, when 39% reported being satisfied and 22% said they were very satisfied, according to a prior study by AmericanEHR.  In other words, nearly 4 out of 10 doctors surveyed seem to have been content with what they had. But conditions have clearly changed.

The reasons for this are unlikely to be the result of mere peevishness. After all, with EMRs being a reality of doing business today, it seems unlikely that physicians would simply revert into sulking. Actually, my own unofficial survey — of several docs I’ve actually seen as a patient — suggests that most have gone through their stages of grief and decided that EMRs aren’t unholy. (My PCP said it best: “You get used to them, then they’re not so bad.”)

Instead, I’d argue, something good is actually happening, though it may not look that way on the surface. Having adapted to the need to use EMRs, physicians are engaging with them deeply, and beginning to expect more from them than a kludgy interface slapped on a slow database can provide.

Some are actually proposing that EMRs go beyond the traditional medical record paradigm, something I see as an exciting development. For example, Dr. Arlen Meyers, CEO of the Society of Physician Entrepreneurs, argues that it’s time to “unbundle and re-engineer the care processes model” by introducing new templates into EMRs. In fact, he’s a fan of rethinking the hallowed SOAP (symptoms, objective findings, assessment and plan) approach to patient notes:

Given how things are changing, it might be time to give the pink slip to SOAP. The main problems are that 1) the model does not prioritize information by levels of urgency, 2) it does not provide decision support when it comes to how one disease affects the other or how one medicine affects another, and 3) it does not add efficiencies to taking care of increasingly complex patients.

And Meyers is not the only one. In fact, a recent paper published in JAMA Internal Medicine suggests that a new format flipping the elements of the SOAP note and reordering them as APSO (assessment, plan, subjective, objective) works well in the EMR age.

According to a 2010 study detailed in the paper, APSO notes were fairly successful at the University of Colorado ambulatory clinics. The study, which looked at APSO use in 13 clinics, found that 73% of participants were “satisfied” or “very satisfied” with the new format, and 75% “preferred” or “strongly preferred” reading APSO notes.

I’m betting that physicians will only be satisfied with EMRs again when EMRs are reshaped to embrace new ways of working. Since new workflow demands are generated by using EMRs, in turn, this cycle may never end. But that’s a good thing. If physicians are engaged enough with their EMRs to propose new ways of working, it will benefit everyone.

Could On Demand Medical Services Be Good for Doctors?

Posted on August 19, 2015 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I’ve been seeing a lot of discussion lately about the peer sharing economy and how it applies to healthcare. Some people like to call it the Uber of healthcare, but that phrase has been applied so many ways that it’s hard to know what people mean by it anymore. For example, is it Uber bringing your doctor to your home/work or is it an Uber like system of requesting healthcare? There are many more iterations.

I’ll have to consider doing a whole series of posts on the Peer Sharing Economy and how it applies to healthcare. There’s a lot to chew on. However, most recently I’ve been chewing on the idea of on demand medical services. In most cases this is basically the Skype or Facetime telemedicine visit on a mobile device. These models are starting to develop and it won’t be long until all of us can easily hop on our mobile device and be in touch with a doctor directly through our phone. In some cases it will be a telemedicine visit. In other cases it might be the doctor coming to visit you. I’m sure we’ll have a wide variety of modalities that are available to patients.

Every patient loves this idea. Every insurance company is trying to figure out the right financial model to make this work. Most doctors are scared at what this means for their business. Certainly there are reasons for them to be concerned, but I believe that this new on demand medical service could be very good for doctors.

In our current system practices do amazing scheduling acrobatics to ensure that the doctor is seeing a full schedule of patients every day. They do this mostly because of all the patient no shows that occur. This makes life stressful for everyone involved. Imagine if instead of double booking appointments which leads to all sorts of issues, a doctor replaced no show appointments with an on demand visit with a patient waiting to be seen on a telemedicine platform. Basically the doctor could fill their “free time” with on demand appointments instead of double booking appointments which then causes them to get behind when both appointments do show up.

I can already hear doctors complaining about them being “mercenaries” and shouldn’t they be allowed free time to grab a coffee. I’d argue that in the current system they are mercenaries that are trying to fill their schedule as full as possible. The current double booking scheduling approach that so many take means that some days the doctor has a full schedule of appointments and some days they have more than a full schedule of appointments. If doctors chose to back fill no-shows with on demand appointments, then their schedule would be more free than it is today. Plus, if they didn’t want to back fill a no show, they could always make that choice too. That’s not an option in the double book approach they use today.

In fact, if there was an on demand platform where doctors could go and see patients anytime they wanted to see patients, it would open up a lot more flexibility for doctors much like Uber has done for drivers. Some doctors may want to work early in the morning while others want to work late at night. Some doctors might want to take off part of the day to see their kid’s school performance, but they can work later to make up for the time they took off (if they want of course).

Think about retired doctors. I’m reminded of my pharmacist friend who was still working at the age of 83. I asked him why he was still working at such an advanced age. He told me, “John, if I stop, I die.” I imagine that many retired doctors would love to still see some patients if they could do it in a less demanding environment that worked with their new retirement schedule. If there was an on demand platform where retired doctors could sign in and see patients at their whim, this would be possible. No doubt this is just one of many examples.

Currently there isn’t an on demand platform that doctors could sign into and see a patient who’s waiting to be seen. No doubt there are many legal, financial and logistical challenges associated with creating a platform of this nature. Not the least of which is that doctors are only licensed to practice in specific states. This is a problem which needs to be solved for a lot of reasons, but I think it will. In fact, I think that legal issues, reimbursement changes, and other logistical challenges will all be solved and one day we’ll have this type of on demand platform for healthcare. Patients will benefit from such a platform, but I believe it will open up a lot more options for doctors as well.

Brilliant: Hannah Galvin Looks at ICD-10’s Five Stages of Grief

Posted on August 18, 2015 | Written by John Lynn

Hannah Galvin, MD has a great article on Healthcare IT News talking about ICD-10’s five stages of grief. You can go read the article to see how she describes it, but the five stages of grief are:

  1. Denial
  2. Anger
  3. Bargaining
  4. Depression
  5. Acceptance

Pretty fascinating way to describe people’s response to ICD-10. I think we have people and organizations that are still at all 5 stages of grief associated with adopting ICD-10. Although, I think most people have bridged #3.

There are still many people that are in denial and that are angry about ICD-10. Although, that population is getting smaller and smaller. I don’t see many people still bargaining. We went through that stage for years, but I believe it’s over. The largest group of people are stuck in stage 4. I know very few people who aren’t depressed over ICD-10. The HIM profession is more excited about ICD-10 than anyone else, but otherwise it’s a general depression around the change. It’s hard to implement something where you’re not sure what value you’ll receive from it. I think that’s many people’s perspective.

Dr. Galvin’s final comment in the article linked above is also interesting: “Whether you’re ready or not, the transition is less than three months away – and in the end, I believe it will be worth all the grief.” Now we’re less than 2 months away. I’m still not sure it’s worth the switch or not, but it doesn’t really matter. It’s happening either way. I guess I’ve reached stage 5.

ZocDoc’s Company Culture – What’s Been Your Experience?

Posted on August 17, 2015 | Written by John Lynn

Company culture has been in the tech news lately after this lengthy article looking at Amazon’s company culture. However, in the healthcare IT world, I was more interested in this recent article by Business Insider looking at ZocDoc’s company culture. The article paints a brutal picture of a “frat house” mentality together with sexism and drugs. Not a pretty picture and it pains me to even read stories like this. However, this part of the article really stuck out for me:

On the sales floor at ZocDoc, employees say there’s a phrase used over and over again: “churn and burn.” Former employees say this phrase indicates the competitive, often stressful nature of work in ZocDoc’s sales division.

“They are full steam ahead,” one former salesperson told Business Insider. “They have this arrogance in the company where the human capital is of zero value.”

A former employee at ZocDoc told Business Insider that employee turnover at the company is high. The company recruits and brings in batches of new employees regularly because so many end up leaving or quitting, the employee alleges.

I definitely know very little about ZocDoc’s company culture. I do know that they raised a lot of money, very quickly. That puts a lot of pressure on your company. First, you have to hire a lot of people over a very short period of time. That doesn’t leave much time to develop a quality company culture. Second, when you raise that much money, you face enormous pressure to scale the company and deliver results. That’s not an excuse for bad behavior (assuming the Business Insider report is accurate), but it could explain how their company culture got out of control.

Company culture aside, their description of their sales organization mimics what I’ve heard from a number of doctors about ZocDoc. I’ve only ever met one doctor who liked ZocDoc. That doctor felt that he got patients he wouldn’t have otherwise gotten and so it was worth it. Every other doctor I’ve talked to said that ZocDoc charged way too much for new patient referrals and so they didn’t use them.

Outside of doctors’ views on ZocDoc’s pricing model, some doctors told me how aggressive the ZocDoc sales people were with them. They’d tell me about being contacted all the time by their sales people. I remember one practice manager telling me that they would never do business with ZocDoc since they hated their sales approach. The practice manager didn’t talk about the ZocDoc product or service at all. The sales person had ruined ZocDoc with that practice.

After hearing so many practices talk about ZocDoc over the years, it resonated with me when the former salesperson described the “arrogance in the company.” That’s the impression I’d been given by the many practices I’d talked to myself. I’m sure the $97.9 million they’d raised in funding (and reports said they’re raising another $152 million) helped perpetuate that culture.

What’s been your experience working with ZocDoc? I’d love to hear from more doctors and practice managers.

A Mature API for an Electronic Health Record: the OpenMRS Process

Posted on August 14, 2015 | Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site (http://radar.oreilly.com/) and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

By some measures, OpenMRS may be the most successful of the open source EHRs, widely deployed around the world. It also has a long experience with its API, which has been developed and refined over the last several years. I talked to OpenMRS developer Wyclif Luyima recently and looked at OpenMRS’s REST API documentation to see what the API offers.

WearDuino Shows That Open Source Devices Are a Key Plank in Personal Health

Posted on August 13, 2015 | Written by Andy Oram

New devices are democratizing health. We see it not only in the array of wearable fitness gear that an estimated 21 percent of Americans own (and that some actually wear), but also in innovative uses for mobile phones (such as testing vision in regions that lack doctors or checking athletes for concussions) and now in low-cost devices that are often open source hardware and software. Recent examples of the latter include the eyeSelfie, which lets a non-professional take an image of his retina, and the WearDuino, a general-purpose personal device that is the focus of this article.

WearDuino is the brainchild of Mark Leavitt, a medical internist who turned to technology (as have so many doctors pursuing visions of radical reform in health care). I ran into Leavitt at the 2015 Open Source convention, where he also described his work briefly in a video interview.

Leavitt’s goal is to produce a useful platform that satisfies two key criteria for innovation: low-cost and open. Although some of the functions of the WearDuino resemble devices on the market, you can take apart the WearDuino, muck with it, and enhance it in ways those closed platforms don’t allow.

Traits and Uses of WearDuino
Technically, the device has simple components found everywhere, but is primed for expansion. A small Bluetooth radio module provides the processing, and as the device’s name indicates, it supports the Arduino programming language. To keep power consumption low there’s no WiFi, and the device can run on a cheap coin cell battery for several months under normal use.

Out of the box, the WearDuino could be an excellent fitness device. Whereas most commercial fitness wearables collect their data through an accelerometer, the WearDuino has an accelerometer (which can measure motion), a gyroscope (which is useful for more complex measurements as people twist and turn), and a magnetometer (which acts as a compass). This kind of three-part device is often called a “9-degree of freedom sensor,” because each of those three measurements is taken in three dimensions.

When you want more from the device, such as measuring heartbeat, muscle activity, joint flexing, or eye motion, a board can be added to one of the Arduino’s 7 digital I/O pins. Leavitt said that one user experimented with a device that lets a parent know when to change a baby’s diaper, through an added moisture detector.

Benefits of an Open Architecture
Proprietary device manufacturers often cite safety reasons for keeping their devices closed. But Leavitt believes that openness is quite safe through most phases of data use in health. Throughout the stages of collecting data, visualizing the relationships, and drawing insights, Leavitt believes people should be trusted with any technologies they want. (I am not sure these activities are so benign–if you come up with an incorrect insight it could lead you to dangerous behavior.) It is only when you get to giving drugs or other medical treatments that the normal restrictions to professional clinicians make sense.

Whatever safety may adhere to keeping devices closed, there can be no justification on the side of the user for keeping the data closed. And yet proprietary device manufacturers play games with the user’s data (and not just games for health). Leavitt, for instance, who wears a fitness monitor, says he can programmatically download a daily summary of his footsteps, but not the exact amounts taken at different parts of the day.

The game is that device manufacturers cannot recoup the costs of making and selling the devices through the price of the device alone. Therefore, they keep hold of users’ data and monetize it through marketing, special services, and other uses.

Leavitt doesn’t have a business plan yet. Instead, in classic open source practice, he is building community. Where he lives in Portland, Oregon a number of programmers and medical personnel have shown interest. The key to the WearDuino project is not the features of the device, but whether it succeeds in encouraging an ecosystem of useful personal monitors around it.

ICD-10 Training Games and Lookup

Posted on August 12, 2015 | Written by John Lynn

NueMD has recently launched what they’re calling their ICD-10 Training Lab. To be honest, I wasn’t sure what to expect when they sent it over to me. They told me it was a free ICD-10 training lab. With ICD-10 breathing down our necks, I was interested to see what they’d put together.

If you’re looking for a full scale ICD-10 training course, then this isn’t it. I asked my HIM Manager friend, Erin Head, on Twitter about the training and she replied that “It’s very basic level but a good start. Still need to know how to code. Nice mobile view.”

Erin brings up a fine point. The ICD-10 training lab is not going to teach you to code. I don’t think that was NueMD’s intent. I think their intent was to provide a tool for those who already understand coding to be able to learn some of the new ICD-10 codes. In fact, since they’ve broken it out into specialties, my guess is that they really hope this ICD-10 training lab will help doctors to get up to speed on the most common new ICD-10 codes for their specialty.

My favorite part of the ICD-10 training lab is the ICD-10 Training games:
What’s better than a game to learn something? Plus, when you’re trying to memorize something, repetition is a real key to learning. Games are great at providing a fun way to get in your repetitions.

The ICD-10 training lab also includes an ICD-10 code lookup. You can tell they’ve put in quite a bit of effort to make their ICD-10 code search work quite well. Although, it’s still just an ICD-10 code search. Something that should be incorporated in most EHR systems.

What Does e-MDs and AdvancedMD Under the Same Private Equity Mean?

Posted on August 11, 2015 | Written by John Lynn

The healthcare IT world has seen a lot of movement and investment lately. Kareo raised $55 million recently. Modernizing Medicine acquired gMed last month. Accolade secured $22.5 million in funding. medCPU closed $8 million in financing. BoardVitals raised $1.1 million to build the Wikipedia of Medicine. Premier acquired CECity. Plus, that doesn’t even mention the $1 billion acquisition of Merge healthcare by IBM. I’m sure that there are many more that people can share in the comments.

There’s a lot of investment going into healthcare IT. No doubt there’s a huge opportunity for health IT companies. However, I’ve been most interested in what’s happening with the EHR companies involved in these deals. For example, one recent transaction that I didn’t mention above was Marlin Equity Partners acquiring AdvancedMD from ADP. The ADP acquisition of AdvancedMD never seemed to work. The idea that doctors’ offices are small businesses and ADP offers a bunch of small business services kind of made sense, but most doctors’ offices treat their EHR purchase very differently than other tech investments for their office. The EHR purchase is its own beast. So, it’s not surprising that ADP would divest itself of an EHR software company.

What’s more interesting about the deal is that Marlin Equity Partners had already acquired EHR vendor e-MDs in March of 2015 and merged it with MDEverywhere. Now Marlin Equity Partners has e-MDs and AdvancedMD under their umbrella. I asked them what their plans were now that they had two EHR vendors (competitors) in their portfolio. They declined to comment until the acquisition of AdvancedMD closed.

Something has to give. I can’t imagine Marlin Equity Partners continuing with two software companies. Hard to say whether e-MDs will win or AdvancedMD, but I expect we’ll see one of them being sunset in the next year or two. They’ll offer a way to convert from one to the other, but switching EHR software is never fun. It’s even less fun when it’s being forced upon you by the vendor.

The crazy thing is that I think we’re just getting started with this kind of activity. 300 EHR vendors is not sustainable long term. I don’t think we’ll get to 5 EHR vendors like most suggest, but we could narrow it down to 100 and still have plenty of options. That’s a lot of doctors being left high and dry when their EHR gets consolidated.

Funny ICD-9 Codes Video – Putting ICD-10 Codes in Perspective

Posted on I Written By

John Lynn

In response to Jennifer Della’Zanna’s post on putting crazy ICD-10 codes in perspective, I wrote about the funny ICD-9 codes over on EMR and HIPAA. I guess ClinicSpectrum liked the post enough that they decided to create a video animation of the post. I thought it was pretty cool. Check it out:

ICD-10 is near. Are you ready?

OpenUMA: New Privacy Tools for Health Care Data

Posted on August 10, 2015 | Written by Andy Oram

The health care field, becoming more computer-savvy, is starting to take advantage of conveniences and flexibilities that were developed over the past decade for the Web and mobile platforms. A couple weeks ago, a new open source project was announced to increase options for offering data over the Internet with proper controls–options with particular relevance for patient control over health data.

The User-Managed Access (UMA) standard supports privacy through a combination of encryption and network protocols that have a thirty-year history. UMA reached a stable release, 1.0, in April of this year. A number of implementations are being developed, some of them open source.

Before I try to navigate the complexities of privacy protocols and standards, let’s look at a few use cases (currently still hypothetical) for UMA:

  • A parent wants to show the child’s school records from the doctor’s office just long enough for the school nurse to verify that the child has received the necessary vaccinations.

  • A traveler taking a temporary job in a foreign city wants to grant a local clinic access to the health records stored by her primary care physician for the six months during which the job lasts.

The open source implementation I’ll highlight in this article is OpenUMA from a company named ForgeRock. ForgeRock specializes in identity management online and creates a number of open source projects that can be found on their web page. They are also a leading participant in the non-profit Kantara Initiative, where they helped develop UMA as part of the UMA Developer Resources Work Group.

The advantage of open source libraries and tools for UMA is that the standard involves many different pieces of software run by different parts of the system: anyone with data to share, and anyone who wants access to it. The technology is not aimed at any one field, but health IT experts are among its greatest enthusiasts.

The fundamental technology behind UMA is OAuth, a well-tested means of authorizing people on web sites. When you want to leave a comment on a news article and see a button that says, “Log in using Facebook” or some other popular site, OAuth is in use.

OAuth is an enabling technology, by which I mean that it opens up huge possibilities for more complex and feature-rich tools to be built on top. It provides hooks for such tools through its notion of profiles–new standards that anyone can create to work with it. UMA is one such profile.

What UMA contributes over and above OAuth was described to me by Eve Maler, a leading member of the UMA working group who wrote their work up in the specification I cited earlier, and who currently works for ForgeRock. OAuth lets you manage different services for yourself. When you run an app that posts to Twitter on your behalf, or log in to a new site through your Facebook account, OAuth lets your account on one service do something for your account on another service.

UMA, in contrast, lets you grant access to other people. It’s not your account at a doctor’s office that is accessing data, but the doctor himself.

UMA can take on some nitty-gritty real-life situations that are hard to handle with OAuth alone. OAuth provides a single yes/no decision: is a person authorized or not? It’s UMA that can handle the wide variety of conditions that affect whether you want information released. These vary from field to field, but the conditions of time and credentials mentioned earlier are important examples in health care. I covered one project using UMA in an earlier article.

With OAuth, you can grant access to an account and then revoke it later (with some technical dexterity). But UMA allows you to build a time limit into the original access. Of course, the recipient does not lose the data to which you granted access, but when the time expires he cannot return to get new data.

UMA also allows you to define resource sets to segment data. You could put vaccinations in a resource set that you share with others, withholding other kinds of data.

OpenUMA contains two crucial elements of a UMA implementation:

The authorization server

This server accepts a list of restrictions from the site holding the data and the credentials submitted by the person requesting access to the data. The server is a very generic function: any UMA request can use any authorization server, and the server can run anywhere. Theoretically, you could run your own. But it would be more practical for a site that hosts data–Microsoft HealthVault, for instance, or some general cloud provider–to run an authorization server. In any case, the site publicizes a URL where it can be contacted by people with data or people requesting data.

The resource server

This server submits requests to the authorization server from applications and servers that hold people’s data. The resource server handles the complex interactions with the authorization server so that application developers can focus on their core business.

Instead of the OpenUMA resource server, apps can link in libraries that provide the same functions. These libraries are being developed by the Kantara Initiative.

So before we can safely share and withhold data, what’s missing?

The UMA standard doesn’t offer any way to specify a condition, such as “Release my data only this week.” This gap is filled by policy languages, which standards groups will have to develop and code up in a compatible manner. A few exist already.
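The time-limited, resource-set-scoped sharing described above can be modeled as a default-deny decision function. This is an added sketch, not OpenUMA or Kantara code and not UMA's wire protocol: the `Grant` structure, class and method names, and the sample identities and record IDs are all hypothetical, standing in for whatever policy language a deployment adopts.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Grant:
    """One sharing decision made by the resource owner (hypothetical format)."""
    requesting_party: str   # the other person being given access
    resource_set: str       # named segment of the owner's data
    scopes: frozenset       # actions allowed, e.g. {"view"}
    not_before: datetime    # start of validity (timezone-aware)
    expires: datetime       # end of validity, exclusive


class AuthorizationServer:
    """Toy policy decision point: everything is denied unless a grant matches."""

    def __init__(self):
        self._set_of = {}   # resource id -> resource set name
        self._grants = []

    def register_resource_set(self, name, resource_ids):
        # A resource belongs to exactly one set so sharing one set
        # can never expose a record filed under another.
        for rid in resource_ids:
            if rid in self._set_of:
                raise ValueError(f"{rid} already belongs to {self._set_of[rid]}")
            self._set_of[rid] = name

    def add_grant(self, grant):
        if grant.not_before.tzinfo is None or grant.expires.tzinfo is None:
            raise ValueError("grant times must be timezone-aware")
        if grant.expires <= grant.not_before:
            raise ValueError("grant expires before it starts")
        self._grants.append(grant)

    def decide(self, party, resource_id, scope, now):
        """Return (allowed, reason); the reason is suitable for an audit log."""
        rset = self._set_of.get(resource_id)
        if rset is None:
            return False, "unregistered resource"
        matching = [g for g in self._grants
                    if g.requesting_party == party and g.resource_set == rset]
        if not matching:
            return False, "no grant for resource set " + rset
        scoped = [g for g in matching if scope in g.scopes]
        if not scoped:
            return False, "scope not granted"
        if any(g.not_before <= now < g.expires for g in scoped):
            return True, "permit"
        return False, "grant not valid at this time"


def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


def build_demo():
    """Constructed sample data mirroring the article's two use cases."""
    srv = AuthorizationServer()
    srv.register_resource_set("vaccinations", ["imm-001", "imm-002"])
    srv.register_resource_set("clinical-notes", ["note-17"])
    # School nurse: vaccinations only, for one working day.
    srv.add_grant(Grant("school-nurse@example.org", "vaccinations",
                        frozenset({"view"}),
                        utc(2015, 9, 1, 8), utc(2015, 9, 1, 17)))
    # Clinic abroad: notes and vaccinations for a six-month job.
    for rset in ("vaccinations", "clinical-notes"):
        srv.add_grant(Grant("clinic@example.net", rset, frozenset({"view"}),
                            utc(2015, 9, 1), utc(2016, 3, 1)))
    return srv


if __name__ == "__main__":
    srv = build_demo()
    for party, rid, scope, when in [
        ("school-nurse@example.org", "imm-001", "view", utc(2015, 9, 1, 9)),
        ("school-nurse@example.org", "note-17", "view", utc(2015, 9, 1, 9)),
        ("school-nurse@example.org", "imm-001", "view", utc(2015, 9, 2, 9)),
        ("clinic@example.net", "note-17", "view", utc(2016, 4, 1)),
    ]:
        print(party, rid, scope, when.isoformat(), srv.decide(party, rid, scope, when))
```

As the article notes for UMA itself, expiry only stops new requests; data already retrieved during the validity window stays with the recipient.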

Maler points out that developers could also benefit from tools for editing and testing code, along with other supporting software that projects build up over time. The UMA resource working group is still at the beginning of their efforts, but we can look forward to a time when fine-grained patient control over access to data becomes as simple as using any of the other RESTful APIs that have filled the programmer’s toolbox.