
ZibdyHealth Adapts to Sub-Optimal Data Exchange Standards for a Personal Health Record

Posted on May 10, 2016 | Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site (http://oreilly.com/) and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

Reformers in the health care field, quite properly, emphasize new payment models and culture changes to drive improvements in outcomes. But we can’t ignore the barriers that current technology puts in the way of well-meaning reformers. This article discusses one of the many companies offering a patient health record (PHR) and the ways they’ve adapted to a very flawed model for data storage and exchange.

I had the honor to be contacted by Dr. Hirdey Bhathal, CEO/Founder of ZibdyHealth. Like many companies angling to develop a market for PHRs, ZibdyHealth offers a wide range of services to patients. Unlike, say, Google Health (of blessed memory) or Microsoft HealthVault, ZibdyHealth doesn’t just aspire to store your data, but to offer additional services that make it intensely valuable to you. Charts and visualizations, for instance, will let you see your progress with laboratory and device data over time. They call this a “Smart HIE.” I’ll look a bit at what they offer, and then at the broken model for data exchange that they had to overcome in the health care industry.

The ZibdyHealth application

Setting up an account with ZibdyHealth is as easy as joining Facebook. Once you’re there, you can create health information manually. The company is working with fitness device makers to allow automatic uploads of device data, which can then be saved as a standard Continuity of Care Document (CCD) and offered to doctors.

You can also upload information from your physician via their health care portal–with a degree of ease or difficulty depending on your provider–and share it with other clinicians or family members (Figure 1). You have fine-grained control over which medications, diagnoses, and other information to share, a form of control called segmentation in health care.

Figure 1. Summary of visit in Zibdy (discharge summary displayed on mobile device)

Dr. Bhathal would like his application to serve whole families and teams, not just individuals. Whether you are caring for your infant or your aging grandmother, they want their platform to meet your needs. In fact, they are planning to deploy their application in some developing nations as an electronic medical record for rural settings, where one healthcare provider will be able to manage the health data for an entire village.

Currently, ZibdyHealth allows speciality clinics to share information with the patient’s regular doctor, helps identify interactions between drugs provided by different doctors, and allows parents to share their children’s health information with schools. This consolidation and quick sharing of medical information will work well with minute clinics or virtual MD visits.

ZibdyHealth is HIPAA-compliant, and supports highly secure 256-bit AES encryption for data exchange. Like health care providers, they may share data with partners for operational purposes, but they promise never to sell your data–unlike many popular patient networks. Although they sometimes aggregate anonymized data, they do so to offer you better services, not to sell it on the market or to sell you other services themselves.

In some ways, ZibdyHealth is like a health information exchange (HIE), and as we shall see, they face some of the same problems. But current HIEs connect only health care providers, and are generally limited to large health care systems with ample resources. PHR applications such as ZibdyHealth aim to connect physicians and patients with others, such as family members, therapists, nursing homes, assisted care facilities, and independent living facilities. In addition, most HIEs only work within small states or regions, whereas ZibdyHealth is global. They plan to follow a business model where they provide the application for free to individuals, without advertisements, but charge enterprises who choose the application in order to reach and serve their patients.

Tackling the data dilemma

We’d see a lot more services like ZibdyHealth (and they’d be more popular with patients, providers, and payers) if data exchange worked like it does in the travel industry or other savvy market sectors. Interoperability will enable the “HIE of one” I introduced in an earlier article. In the meantime, ZibdyHealth has carried out a Herculean effort to do the best they can in today’s health exchange setting.

What do they use to get data from patient portals and clinicians’ EHRs? In a phrase, every recourse possible.

  • Many organizations now offer portals that allow patients to download their records in CCD format. ZibdyHealth works with a number of prominent institutions to make uploading easy (Figure 2). Of course, the solution is always a contingent one, because the provider still owns your data. After your next visit, you have to download it again. ZibdyHealth is working on automating this updating process so that providers can feed this information to the patient routinely and, by uploading the discharge CCD as part of a patient’s discharge process, ensure an easy and accurate transition of care.

    Figure 2. List of uploaded CCDs (electronic records uploaded to Zibdy through their CCD output)

  • If providers aren’t on ZibdyHealth’s list of partners, but still offer a CCD, you can download it yourself using whatever mechanism your provider offers, then upload it to ZibdyHealth. ZibdyHealth has invested an enormous amount to parse the various fields of different EHRs and figure out where information is, because the CCD is a very imperfect standard and EHRs differ greatly. I tried the download/upload technique with my own primary care provider and found that ZibdyHealth handled it gracefully.

  • ZibdyHealth also supports Blue Button, the widely adopted XML format that originated at the VA as a text file.

I see ZibdyHealth as one of the early explorers who have to hew a path through the forest to reach their goal. As more individuals come to appreciate the benefits of such services, roads will be paved. Each patient who demands that their doctor make it easy to connect with an application like ZibdyHealth will bring closer the day when we won’t have to contort ourselves to share data.

Research Shows that Problems with Health Information Exchange Resist Cures (Part 2 of 2)

Posted on March 23, 2016 | Written By Andy Oram

The previous section of this paper introduced problems found in HIE by two reports: one from the Office of the National Coordinator and another from experts at the Oregon Health & Science University. Tracing the causes of these problems is necessarily somewhat speculative, but the research helps to confirm impressions I have built up over the years.

The ONC noted that developing HIE is very resource intensive, and not yet sustainable. (p. 6) I attribute these problems to the persistence of the old-fashioned, heavyweight model of bureaucratic, geographically limited organizations hooking together clinicians. (If you go to another state, better carry your medical records with you.) Evidence of their continued drag on the field appeared in the report:

Grantees found providers did not want to login to “yet another system” to access data, for example; if information was not easily accessible, providers were not willing to divert time and attention from patients. Similarly, if the system was not user friendly and easy to navigate, or if it did not effectively integrate data into existing patient records, providers abandoned attempts to obtain data through the system. (pp. 76-77)

The Oregon researchers in the AHRQ webinar also confirmed that logging in tended to be a hassle.

Hidden costs further jacked up the burden of participation (p. 72). But even though HIEs already suck up unsustainable amounts of money for little benefit, “Informants noted that it will take many years and significantly more funding and resources to fully establish HIE.” (p. 62) “The paradox of HIE activities is that they need participants but will struggle for participants until the activities demonstrate value. More evidence and examples of HIE producing value are needed to motivate continued stakeholder commitment and investment.” (p. 65)

The adoption of the Direct protocol apparently hasn’t fixed these ongoing problems; hopefully FHIR will. The ONC hopes that, “Open standards, interfaces, and protocols may help, as well as payment structures rewarding HIE.” (p. 7) Use of Direct did increase exchange (p. 56), and directory services are also important (pp. 59-60). But “Direct is used mostly for ADT notifications and similar transitional documents.” (p. 35)

One odd complaint was, “While requirements to meet Direct standards were useful for some, those standards detracted attention from the development of query-based exchange, which would have been more useful.” (p. 77) I consider this observation to be a red herring, because Direct is simply a protocol, and the choice to use it for “push” versus “pull” exchanges is a matter of policy.

But even with better protocols, we’ll still need to fix the mismatch of the data being exchanged: “…the majority of products and provider processes do not support LOINC and SNOMED CT. Instead, providers tended to use local codes, and the process of mapping these local codes to LOINC and SNOMED CT codes was beyond the capacity of most providers and their IT departments.” (p. 77) This shows that the move to FHIR won’t necessarily improve semantic interoperability, unless FHIR requires the use of standard codes.

Trust among providers remains a problem (p. 69) as does data quality (pp. 70-71). But some informants put attitude above all: “Grantees questioned whether HIE developers and HIE participants are truly ready for interoperability.” (p. 71)

It’s bad enough that core health care providers–hospitals and clinics–make little use of HIE. But a wide range of other institutions who desperately need HIE have even less of it. “Providers not eligible for MU incentives consistently lag in HIE connectivity. These setting include behavioral health, substance abuse, long-term care, home health, public health, school-based settings, corrections departments, and emergency medical services.” (p. 75) The AHRQ webinar found very limited use of HIE for facilities outside the Meaningful Use mandate, such as nursing homes (Long Term and Post Acute Care, or LTPAC). Health information exchange was used 10% to 40% of the time in those settings.

The ONC report includes numerous recommendations for continuing the growth of health information exchange. Most of these are tweaks to bureaucratic institutions responsible for promoting HIE. These are accompanied by the usual exhortations to pay for value and improve interoperability.

But six years into the implementation of HITECH–and after the huge success of its initial goal of installing electronic records, which should have served as the basis for HIE–one gets the impression that the current industries are not able to take to the dance floor together. First, ways of collecting and sharing data are based on a 1980s model of health care. And even by that standard, none of the players in the space–vendors, clinicians, and HIE organizations–are thinking systematically.

Research Shows that Problems with Health Information Exchange Resist Cures (Part 1 of 2)

Posted on March 22, 2016 | Written By Andy Oram

Given that the Office of the National Coordinator for Health Information Technology (ONC) received 564 million dollars in the 2009 HITECH act to promote health information exchange, one has to give them credit for carrying out a thorough evaluation of progress in that area. The results? You don’t want to know.

There are certainly glass-full as well as glass-empty indications in the 98-page report that the ONC just released. But I feel that failure dominated. Basically, there has been a lot of relative growth in the use of HIE, but the starting point was so low that huge swaths of the industry remain untouched by HIE.

Furthermore, usage is enormously skewed:

In Q2 2012, for example, three states (Indiana, Colorado, and New York) accounted for over 85 percent of total directed transactions; in Q4 2013, five states (Michigan, Colorado, Indiana, New York, Michigan, and Vermont) accounted for over 85 percent of the total. Similarly, in Q2 a single state (Indiana) accounted for over 65 percent of total directed transactions; in Q4 2013, four states (California, Indiana, Texas, and New York) accounted for over 65 percent of the total. (p. 42)

This is a pretty empty glass, with the glass-full aspect being that if some states managed to achieve large numbers of participation, we should be able to do it everywhere. But we haven’t done it yet.

Why health information exchange is crucial

As readers know, health costs are eating up more and more of our income (in the US as well as elsewhere, thanks to aging populations and increasing chronic disease). Furthermore, any attempt to stem the problem requires coordinated care and long-term thinking. But the news in these areas has been disappointing as well. For instance:

  • Patient centered medical homes (PCMH) are not leading to better outcomes. One reason may be the limited use of health information exchange, because the success of treating a person in his own habitat depends on careful coordination.

  • Accountable Care Organizations are losing money and failing to attract new participants. A cynical series of articles explores their disappointing results. I suspect that two problems account for this: first, they have not made good use of health information exchange, and second, risk sharing is minimal and not extensive enough to cause a thoroughgoing change to long-term care.

  • Insurers are suffering too, because they have signed up enormous numbers of sick patients under the Affordable Care Act. The superficial adoption of fee-for-value and the failure of clinicians to achieve improvements in long-term outcomes are bankrupting the payers and pushing costs more and more onto ordinary consumers.

With these dire thoughts in mind, let’s turn to HIE.

HIE challenges and results

The rest of this article summarizes the information I find most salient in the ONC report, along with some research presented in a recent webinar by the Agency for Healthcare Research and Quality (AHRQ) on this timely topic. (The webinar itself hasn’t been put online yet.)

The ONC report covers the years 2011-2014, so possibly something momentous has happened over the past year to change the pattern. But I suspect that substantial progress will have to wait for widespread implementation of FHIR, which is too new to appear in the report.

You can read the report and parse the statistics until you get a headache, but I will cite just one more passage about the rate of HIE adoption in order to draw a broad conclusion.

As of 2015, the desire for actionable data, focus on MU 2 priorities, and exchange related to delivery system reform is in evidence. Care summary exchange rates facilitated through HIOs are high—for example, care record summaries (89%); discharge summaries (78%); and ambulatory clinical summaries (67%). Exchange rates are also high for test results (89%), ADT alerts (69%), and inpatient medication lists (68%). (p. 34)

What I find notable in the previous quote is that all the things where HIE use improved were things that clinicians have always done anyway. There is nothing new about sending out discharge summaries or reporting test results. (Nobody would take a test if the results weren’t reported–although I found it amusing to receive an email message recently from my PCP telling me to log into their portal to see results, and to find nothing on the portal but “See notes.” The notes, you might have guessed, were not on the portal.)

One hopes that using HIE instead of faxes and phone calls will lower costs and lead to faster action on urgent conditions. But a true leap in care will happen only when HIE is used for close team coordination and patient reporting–things that don’t happen routinely now. One sentence in the report hints at this: “Providers exchanged information, but they did not necessarily use it to support clinical decision-making.” (p. 77) One wonders what good the exchange is.

In the AHRQ webinar, experts from the Oregon Health & Science University reported results of a large literature review, including:

  • HIE reduces the use of lab and radiology tests, as well as emergency department use. This should lead to improved outcomes as well as lower costs, although the literature couldn’t confirm that.

  • Disappointingly, there was little evidence that hospital admissions were reduced, or that medication adherence improved.

  • Two studies claimed that HIE was “associated with improved quality of care” (a very vague endorsement).

In the next section of this article, I’ll return to the ONC report for some clues as to the reasons HIE isn’t working well.

Idiosyncratic Recommendations Based on Widespread Principles: the Health IT Policy Committee Report

Posted on December 21, 2015 | Written By Andy Oram

Congress received an odd document last week from an advisory committee on Health IT. It takes an unexpectedly new–and demandingly detailed–approach to the perennial problem of health record interoperability. However, if one analyzes the authors’ reasoning, it turns out to be based on unstated principles that are widely accepted in health care:

  1. The market is broken, and the government must intervene either through incentives or through requirements.

  2. The intervention should be based on operational or clinical goals, not dictating the adoption of specific technologies.

  3. Policy-makers should pick off low-hanging fruit through goals that produce potentially large benefits with relative ease.


Significant Articles in the Health IT Community in 2015

Posted on December 15, 2015 | Written By Andy Oram

Have you kept current with changes in device connectivity, Meaningful Use, analytics in healthcare, and other health IT topics during 2015? Here are some of the articles I find significant that came out over the past year.

The year kicked off with an ominous poll about Stage 2 Meaningful Use, with implications that came to a head later with the release of Stage 3 requirements. Out of 1800 physicians polled around the beginning of the year, more than half were throwing in the towel–they were not even going to try to qualify for Stage 2 payments. Negotiations over Stage 3 of Meaningful Use were intense and fierce. A January 2015 letter from medical associations to ONC asked for more certainty around testing and certification, and mentioned the need for better data exchange (which the health field likes to call interoperability) in the C-CDA, the most popular document exchange format.

A number of expert panels asked ONC to cut back on some requirements, including public health measures and patient view-download-transmit. One major industry group asked for a delay of Stage 3 till 2019, essentially tolerating a lack of communication among EHRs. The final rules, absurdly described as a simplification, backed down on nothing from patient data access to quality measure reporting. Beth Israel CIO John Halamka–who has shuttled back and forth between his Massachusetts home and Washington, DC to advise ONC on how to achieve health IT reform–took aim at Meaningful Use and several other federal initiatives.

Another harbinger of emerging issues in health IT came in January with a speech about privacy risks in connected devices by the head of the Federal Trade Commission (not an organization we hear from often in the health IT space). The FTC is concerned about the security of recent trends in what industry analysts like to call the Internet of Things, and medical devices rank high in these risks. The speech was a lead-up to a major report issued by the FTC on protecting devices in the Internet of Things. Articles in WIRED and Bloomberg described serious security flaws. In August, John Halamka wrote his own warning about medical devices, which have not yet started taking security really seriously. Smart watches are just as vulnerable as other devices.

Because so much medical innovation is happening in fast-moving software, and low-budget developers are hankering for quick and cheap ways to release their applications, in February, the FDA started to chip away at its bureaucratic gamut by issuing guidelines that release developers from FDA regulation for medical apps without impacts on treatment and for apps used just to transfer data or do similarly non-transformative operations. They also released a rule for unique IDs on medical devices, a long-overdue measure that helps hospitals and researchers integrate devices into monitoring systems. Without clear and unambiguous IDs, one cannot trace which safety problems are associated with which devices. Other forms of automation may also now become possible. In September, the FDA announced a public advisory committee on devices.

Another FDA decision with a potential long-range impact was allowing 23andMe to market its genetic testing to consumers.

The Department of Health and Human Services has taken on exceedingly ambitious goals during 2015. In addition to the daunting Stage 3 of Meaningful Use, they announced a substantial increase in the use of fee-for-value, although they would still leave half of providers on the old system of doling out individual payments for individual procedures. In December, National Coordinator Karen DeSalvo announced that Health Information Exchanges (which limit themselves only to a small geographic area, or sometimes one state) would be able to exchange data throughout the country within one year. Observers immediately pointed out that the state of interoperability is not ready for this transition (and they could well have added the need for better analytics as well). HHS’s five-year plan includes the use of patient-generated and non-clinical data.

The poor state of interoperability was highlighted in an article about fees charged by EHR vendors just for setting up a connection and for each data transfer.

In the perennial search for why doctors are not exchanging patient information, attention has turned to rumors of deliberate information blocking. It’s a difficult accusation to pin down. Is information blocked by health care providers or by vendors? Does charging a fee, refusing to support a particular form of information exchange, or using a unique data format constitute information blocking? On the positive side, unnecessary imaging procedures can be reduced through information exchange.

Accountable Care Organizations are also having trouble, both because they are information-poor and because the CMS version of fee-for-value is too timid, along with other financial blows and perhaps an inability to retain patients. An August article analyzed the positives and negatives in a CMS announcement. On a large scale, fee-for-value may work. But a key component of improvement in chronic conditions is behavioral health, which EHRs are also unsuited for.

Pricing and consumer choice have become a major battleground in the current health insurance business. The steep rise in health insurance deductibles and copays has been justified (somewhat retroactively) by claiming that patients should have more responsibility to control health care costs. But the reality of health care shopping points in the other direction. A report card on state price transparency laws found the situation “bleak.” Another article shows that efforts to list prices are hampered by interoperability and other problems. One personal account of a billing disaster shows the state of price transparency today, and may be dangerous to read because it could trigger traumatic memories of your own interactions with health providers and insurers. Narrow and confusing insurance networks as well as fragmented delivery of services hamper doctor shopping. You may go to a doctor who your insurance plan assures you is in their network, only to be charged outrageous out-of-network costs. Tools are often out of date or overly simplistic.

In regard to the quality ratings that are supposed to allow intelligent choices to patients, a study found that four hospital rating sites have very different ratings for the same hospitals. The criteria used to rate them are inconsistent. Quality measures provided by government databases are marred by incorrect data. The American Medical Association, always disturbed by public ratings of doctors for obvious reasons, recently complained of incorrect numbers from the Centers for Medicare & Medicaid Services. In July, the ProPublica site offered a search service called the Surgeon Scorecard. One article summarized the many positive and negative reactions. The New England Journal of Medicine has called ratings of surgeons unreliable.

2015 was the year of the intensely watched Department of Defense upgrade to its health care system. One long article offered an in-depth examination of DoD options and their implications for the evolution of health care. Another article promoted the advantages of open-source VistA, an argument that was not persuasive enough for the DoD. Still, openness was one of the criteria sought by the DoD.

The remote delivery of information, monitoring, and treatment (which goes by the quaint term “telemedicine”) has been the subject of much discussion. Those concerned with this development can follow the links in a summary article to see the various positions of major industry players. One advocate of patient empowerment interviewed doctors to find that, contrary to common fears, they can offer email access to patients without becoming overwhelmed. In fact, they think it leads to better outcomes. (However, it still isn’t reimbursed.)

Laws permitting reimbursement for telemedicine continued to spread among the states. But a major battle shaped up around a ruling in Texas that doctors have a pre-existing face-to-face meeting with any patient whom they want to treat remotely. The spread of telemedicine depends also on reform of state licensing laws to permit practices across state lines.

Much wailing and tears welled up over the required transition from ICD-9 to ICD-10. The AMA, with some good arguments, suggested just waiting for ICD-11. But the transition cost much less than anticipated, making ICD-10 much less of a hot button, although it may be harmful to diagnosis.

Formal studies of EHR strengths and weaknesses are rare, so I’ll mention this survey finding that EHRs aid with public health but are ungainly for the sophisticated uses required for long-term, accountable patient care. Meanwhile, half of hospitals surveyed are unhappy with their EHRs’ usability and functionality and doctors are increasingly frustrated with EHRs. Nurses complained about technology’s time demands and the eternal lack of interoperability. A HIMSS survey turned up somewhat more positive feelings.

EHRs are also expensive enough to hurt hospital balance sheets and force them to forgo other important expenditures.

Electronic health records also took a hit from ONC’s Sentinel Events program. To err, it seems, is not only human but now computer-aided. A Sentinel Event Alert indicated that more errors in health IT products should be reported, claiming that many go unreported because patient harm was avoided. The FDA started checking self-reported problems on PatientsLikeMe for adverse drug events.

The ONC reported gains in patient ability to view, download, and transmit their health information online, but found patient portals still limited. Although one article praised patient portals by Epic, Allscripts, and NextGen, an overview of studies found that patient portals are disappointing, partly because elderly patients have trouble with them. A literature review highlighted where patient portals fall short. In contrast, giving patients full access to doctors’ notes increases compliance and reduces errors. HHS’s Office of Civil Rights released rules underlining patients’ rights to access their data.

While we’re wallowing in downers, review a study questioning the value of patient-centered medical homes.

Reuters published a warning about employee wellness programs, which are nowhere near as fair or accurate as they claim to be. They are turning into just another expression of unequal power between employer and employee, with tendencies to punish sick people.

An interesting article questioned the industry narrative about the medical device tax in the Affordable Care Act, saying that the industry is expanding robustly in the face of the tax. However, this tax is still a hot political issue.

Does anyone remember that Republican congressmen published an alternative health care reform plan to replace the ACA? An analysis finds both good and bad points in its approach to mandates, malpractice, and insurance coverage.

Early reports on use of Apple’s open ResearchKit suggested problems with selection bias and diversity.

An in-depth look at the use of devices to enhance mental activity examined where they might be useful or harmful.

A major genetic data mining effort by pharma companies and Britain’s National Health Service was announced. The FDA announced a site called precisionFDA for sharing resources related to genetic testing. A recent site invites people to upload health and fitness data to support research.

As data becomes more liquid and is collected by more entities, patient privacy suffers. An analysis of web sites turned up shocking practices in , even at supposedly reputable sites like WebMD. Lax security in health care networks was addressed in a Forbes article.

Of minor interest to health IT workers, but eagerly awaited by doctors, was Congress’s “doc fix” to Medicare’s sustainable growth rate formula. The bill did contain additional clauses that were called significant by a number of observers, including former National Coordinator Farzad Mostashari no less, for opening up new initiatives in interoperability, telehealth, patient monitoring, and especially fee-for-value.

Connected health took a step forward when CMS issued reimbursement guidelines for patient monitoring in the community.

A wonky but important dispute concerned whether self-insured employers should be required to report public health measures, because public health by definition needs to draw information from as wide a population as possible.

Data breaches always make lurid news, sometimes under surprising circumstances, and not always caused by health care providers. The 2015 security news was dominated by a massive breach at the Anthem health insurer.

Along with great fanfare in Scientific American for “precision medicine,” another Scientific American article covered its privacy risks.

A blog posting promoted early and intensive interactions with end users during app design.

A study found that HIT implementations hamper clinicians, but could not identify the reasons.

Natural language processing was praised for its potential for simplifying data entry and for discovering useful side effects and treatment issues.

CVS’s refusal to stock tobacco products was called “a major sea-change for public health” and part of a general trend of pharmacies toward whole care of the patient.

A long interview with FHIR leader Grahame Grieve described the progress of the project, and the need for clinicians to take data exchange seriously. A quiet milestone was reached in October with a production version from Cerner.

Given the frequent invocation of Uber (even more than the Cheesecake Factory) as a model for health IT innovation, it’s worth seeing the reasons that model is inapplicable.

A number of hot new sensors and devices were announced, including a tiny sensor from Intel, a device from Google to measure blood sugar and another for multiple vital signs, enhancements to Microsoft products, a temperature monitor for babies, a headset for detecting epilepsy, cheap cameras from New Zealand and MIT for doing retinal scans, a smart phone app for recognizing respiratory illnesses, a smart-phone connected device for detecting brain injuries and one for detecting cancer, a sleep-tracking ring, bed sensors, ultrasound-guided needle placement, a device for detecting pneumonia, and a pill that can track heartbeats.

Although the medical field isn’t making extensive use yet of data collection and analysis–or uses analytics for financial gain rather than patient care–the potential is demonstrated by many isolated success stories, including one from a Johns Hopkins study using 25 patient measures to study sepsis and another from an Ontario hospital. In an intriguing peek at our possible future, IBM Watson has started to integrate patient data with its base of clinical research studies.

Frustrated enough with 2015? To end on an upbeat note, envision a future made bright by predictive analytics.

OpenUMA: New Privacy Tools for Health Care Data

Posted on August 10, 2015 | Written by Andy Oram

The health care field, becoming more computer-savvy, is starting to take advantage of conveniences and flexibilities that were developed over the past decade for the Web and mobile platforms. A couple weeks ago, a new open source project was announced to increase options for offering data over the Internet with proper controls–options with particular relevance for patient control over health data.

The User-Managed Access (UMA) standard supports privacy through a combination of encryption and network protocols that have a thirty-year history. UMA reached a stable release, 1.0, in April of this year. A number of implementations are being developed, some of them open source.

Before I try to navigate the complexities of privacy protocols and standards, let’s look at a few use cases (currently still hypothetical) for UMA:

  • A parent wants to show the child’s school records from the doctor’s office just long enough for the school nurse to verify that the child has received the necessary vaccinations.

  • A traveler taking a temporary job in a foreign city wants to grant a local clinic access to the health records stored by her primary care physician for the six months during which the job lasts.

The open source implementation I’ll highlight in this article is OpenUMA from a company named ForgeRock. ForgeRock specializes in identity management online and creates a number of open source projects that can be found on their web page. They are also a leading participant in the non-profit Kantara Initiative, where they helped develop UMA as part of the UMA Developer Resources Work Group.

The advantage of open source libraries and tools for UMA is that the standard involves many different pieces of software run by different parts of the system: anyone with data to share, and anyone who wants access to it. The technology is not aimed at any one field, but health IT experts are among its greatest enthusiasts.

The fundamental technology behind UMA is OAuth, a well-tested means of authorizing people on web sites. When you want to leave a comment on a news article and see a button that says, “Log in using Facebook” or some other popular site, OAuth is in use.

OAuth is an enabling technology, by which I mean that it opens up huge possibilities for more complex and feature-rich tools to be built on top. It provides hooks for such tools through its notion of profiles–new standards that anyone can create to work with it. UMA is one such profile.

What UMA contributes over and above OAuth was described to me by Eve Maler, a leading member of the UMA working group who wrote their work up in the specification I cited earlier, and who currently works for ForgeRock. OAuth lets you manage different services for yourself. When you run an app that posts to Twitter on your behalf, or log in to a new site through your Facebook account, OAuth lets your account on one service do something for your account on another service.

UMA, in contrast, lets you grant access to other people. It’s not your account at a doctor’s office that is accessing data, but the doctor himself.

UMA can take on some nitty-gritty real-life situations that are hard to handle with OAuth alone. OAuth provides a single yes/no decision: is a person authorized or not? It’s UMA that can handle the wide variety of conditions that affect whether you want information released. These vary from field to field, but the conditions of time and credentials mentioned earlier are important examples in health care. I covered one project using UMA in an earlier article.

With OAuth, you can grant access to an account and then revoke it later (with some technical dexterity). But UMA allows you to build a time limit into the original access. Of course, the recipient does not lose the data to which you granted access, but when the time expires he cannot return to get new data.

UMA also allows you to define resource sets to segment data. You could put vaccinations in a resource set that you share with others, withholding other kinds of data.

OpenUMA contains two crucial elements of a UMA implementation:

The authorization server

This server accepts a list of restrictions from the site holding the data and the credentials submitted by the person requesting access to the data. The server is a very generic function: any UMA request can use any authorization server, and the server can run anywhere. Theoretically, you could run your own. But it would be more practical for a site that hosts data–Microsoft HealthVault, for instance, or some general cloud provider–to run an authorization server. In any case, the site publicizes a URL where it can be contacted by people with data or people requesting data.

The resource server

This server submits requests to the authorization server from applications and servers that hold people’s data. The resource server handles the complex interactions with the authorization server so that application developers can focus on their core business.

Instead of the OpenUMA resource server, apps can link in libraries that provide the same functions. These libraries are being developed by the Kantara Initiative.
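The division of labor described above can be modeled in memory, as an added example that is not code from OpenUMA or the UMA specification: the authorization server holds the owner's decision for each resource set, and the resource server consults it on every read. The class names, the policy fields (the expiry is this example's own stand-in for a policy condition), and the sample records are assumptions; a real deployment exchanges OAuth tokens over HTTPS.

```python
# Added illustration; class names and policy fields are assumptions, not OpenUMA's API.
import secrets

class AuthorizationServer:
    def __init__(self):
        self.policies = {}  # (resource_set, party) -> (scopes, expiry in epoch seconds)
        self.tokens = {}    # token -> (party, resource_set, scope)

    def set_policy(self, resource_set, party, scopes, expires_at):
        """Owner's decision: who may do what with which resource set, until when."""
        self.policies[(resource_set, party)] = (frozenset(scopes), expires_at)

    def _allowed(self, party, resource_set, scope, now):
        scopes, expires_at = self.policies.get((resource_set, party), (frozenset(), 0))
        return scope in scopes and now < expires_at

    def issue_token(self, party, resource_set, scope, now):
        """Hand the requesting party a token only if the policy allows it right now."""
        if not self._allowed(party, resource_set, scope, now):
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (party, resource_set, scope)
        return token

    def introspect(self, token, resource_set, scope, now):
        """Resource server asks: is this token good now? The policy is re-checked each time."""
        party, granted_set, granted_scope = self.tokens.get(token, (None, None, None))
        if (granted_set, granted_scope) != (resource_set, scope):
            return False
        return self._allowed(party, resource_set, scope, now)

class ResourceServer:
    def __init__(self, auth, records):
        self.auth, self.records = auth, records  # records: resource_set -> patient data

    def read(self, token, resource_set, now):
        if not self.auth.introspect(token, resource_set, "read", now):
            return 403, None  # HTTP-style refusal; no data leaves the server
        return 200, self.records[resource_set]

def demo():
    """Constructed scenario: vaccinations shared with a school nurse for one week."""
    week = 7 * 24 * 3600
    auth = AuthorizationServer()
    clinic = ResourceServer(auth, {"vaccinations": ["MMR", "DTaP"], "lab-results": ["HbA1c 5.4"]})
    auth.set_policy("vaccinations", "school-nurse", {"read"}, expires_at=week)
    token = auth.issue_token("school-nurse", "vaccinations", "read", now=0)
    cases = {"in_window": ("vaccinations", 3600), "other_set": ("lab-results", 3600),
             "expired": ("vaccinations", week)}
    return {name: clinic.read(token, rs, now) for name, (rs, now) in cases.items()}
```

The same token that releases the vaccination list inside the week is refused for the lab results and refused again once the week has passed, because the resource server defers to the authorization server on each request.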

So before we can safely share and withhold data, what’s missing?

The UMA standard doesn’t offer any way to specify a condition, such as “Release my data only this week.” This gap is filled by policy languages, which standards groups will have to develop and code up in a compatible manner. A few exist already.

Maler points out that developers could also benefit from tools for editing and testing code, along with other supporting software that projects build up over time. The UMA resource working group is still at the beginning of their efforts, but we can look forward to a time when fine-grained patient control over access to data becomes as simple as using any of the other RESTful APIs that have filled the programmer’s toolbox.