You highlight an important point, one that I think we are working diligently to create ways that both the consumer and the provider, that information can be merged together. I think the Blue Button activities and the work of the Direct protocol is a first step in that. We still have more work that needs to be done. I think at the end of the day what will drive this is going to be patients who see the value of this, who demand that from their providers or from their health care systems.
And in fact there starts to be business drivers that make it advantageous to the organizations to share the information to include the patient in their health care and make sure that if you have multiple Web portals and the data isn't getting integrated in a way that you can perceive it, my guess is that same integration probably isn't happening at the provider side either.
InfoWorld: Let me ask you a related question around a security model with the patient information. I'll use Kaiser as an example, since I know it very well. If I go to a Kaiser facility, they give me paper with all this medical information on it. If I want to take that from their patient portal and put it onto my computer, I can't. That strikes me as odd. I realize that electronic information is much more easily routable, so it's unlikely someone's going to come and steal my paper records in my filing cabinet in the home, while it would be much easier if they had access to the portals and could take that data, that they might do nefarious things with it at scale. It's easier to do it at scale electronically.
But it seems like an inhibitor for patients to aggregate their own stuff. You can't even email, for example, your doctor and get an email back. You have to log into their system. If you happen to have your phone with you and not your computer, you don't have your password, it doesn't work the same way, blah, blah, blah. I wonder if that's also something intermediate or whether there is something fundamentally different about electronic communications that's going to keep the access tighter than it is on paper.
Fridsma: Well, I think there is greater concern around electronic data because obviously you could go down to a paper-based medical records room, put on a white coat, walk in there, and pull a chart to take a look at it. But it would be hard for you to take all the records in that room, put them in the back of your trunk and take off and peruse through that or sell the information or the like. They might notice that they are gone. If they didn't, that would be an institution you wouldn't want to go to.
InfoWorld: Yeah. But electronically, when you steal it, you still leave it there. You don't actually take it, you copy it.
Fridsma: Right. Privacy and security are important aspects. We certainly believe that's an important aspect of our responsibility, to make sure that patients and the people that are entrusted with the care of that information, treat it seriously, and provide proper safeguards to that information. So I think part of that is to have some of these other things in place.
But if you think about what's happening in social media -- it's not exact example, but I think it's important just as a data point -- if you have a Facebook account, you've probably gone to Twitter or you've been on a Web page or something like that where it says, "We'd like to authenticate you." You could just authenticate with your Facebook ID and password. You could authenticate with your Gmail two-factor authentication or the like. One of the things that we're seeing that's happening in social media and out there on the Internet is you're starting to see people developing infrastructure that allows you to authenticate in one environment and use the credentials from that authentication in another environment.
The White House a couple of years ago produced a white paper report called NSTIC, the National Strategy for Trusted Identities in Cyberspace. What NSTIC is trying to do is to develop an ecosystem of identity management, if you will. If you go to a bank and you take out a loan for a house, they credential you there and give you an ID or a password or a certificate or whatever it is, something electronic that allows you to access their website and things like that, that process by which they authenticated that it was really you, you're the one responsible for this loan, and they know you are who you say you are. They may be able to issue you a credential that could be then used in other such situations. You might be able to use this to go and do not just online banking, but other things. You could manage email, or you could do something with the government, or you could whatever.
I think there is a lot of desire to create an ecosystem that allows you to get credentials that then would allow you to authenticate and use that credential in different places. In the health care space, you could imagine that you're in your doctor's office. The doctor knows it's you because he's seen you for the last couple of years. There's a credential that gets issued as part of that office that might be able to be used, say, in a hospital that's affiliated or with a consultant that the doctor refers you to that allows you to tie together all that information and not have you go to all these different websites and authenticate.
You start to see more seamless integration. I think that's a vision that the White House in the NSTIC report put forward, not just in health care but more broadly. I think what we're seeing is right now we have some initial forays into making sure we have things private and secure and we're moving incrementally to expand the level of sophistication or the level of ease of use. But we're trying to do that in a very cautious way so that we maintain that privacy and security. We want people to really understand that to get information to flow. As Farzad [Mostashari, the national coordinator for health care information technology at the ONC] likes to say, information moves at the speed of trust. You've got to be able to trust how the information is being managed and that becomes an important part of the overall strategy.
How to keep sensitive information separate but accessible in a federated system
InfoWorld: Let me switch speaking of trust to an issue I've heard from several people on the health care provider side. One thing that really drives them nuts is how to handle the rules around AOD [Alcohol and Other Drugs], because there are stricter rules about information there, so even in the unified system, AOD stands apart. The primary physician may not know what is being prescribed, for example, by a psychiatrist or that a person is being treated for some sort of drug addiction, and there can be consequences of the isolation of information. I realize this is rooted in 1970s rules around privacy, when there was a lot of abuse of these records by insurance companies and employers and others, so legislators created these rules to basically wall it off. But in integrated care, walling it off is an issue. I'm curious if you're seeing this or if this is just a handful of people I happen to know who are frustrated by it. If this is an issue, how might it be addressed?
Fridsma: You're absolutely right. There are a lot of folks who are concerned that they follow the rules and regulations around protecting these particular kinds of diagnoses and behavioral health issues, issues that have to do with drug dependency and things like that. As a result, they would much rather not share data at all than risk breaching or sharing information in a way that would be not in compliance with the what the rules and regulations are.
This is something that we identified early on as a significant challenge, and we've been working very closely with SAMHSA [the Substance Abuse and Mental Health Administration] and primarily through Joy Pritts, our chief privacy and security officer, to develop technical specifications that help implement or support the policies that are out there around these behavioral health issues.
One of the things that we did is, over the course of the last year and a half or so, develop a project called Data Segmentation. It's data segmentation for privacy. It's a standard in the interoperability framework, one of the initiatives that we have that helps support the community to reach consensus around standards.
Coming out of that initiative, we developed technical specifications that allow you to take the medical record and segment those chunks that would be protected diagnoses or protected information that allows you to say, "Here's the whole medical record. Here's the chunk that I'm going to share with you as a primary care doctor. But I don't want you to share it with anybody else." That information gets carried with the electronic information so it carries with it the disclosure rules and things like that, so you can make sure that you can segment the data, that which you want to share and that which you don't want to share, and that which you're going to share but you don't want that person to forward it on to anyone else.
That early work is now being piloted. There are, I think, three or four pilots that are currently ongoing. There's a standard that's going through the standards balloting process right now, and we have some commercial enterprises that have adopted that standard, that demonstrated at HIMSS this past spring.
I think fundamentally it's really important, as you expressed, that behavioral health providers feel confident that they can share information and not have it disclosed in ways that would not be under the rules and regulations that that information is held. By providing that technical infrastructure that would enable that to occur, we hope to be able to engage behavioral health providers and others, because clearly there are patient safety and other issues that need to be addressed if that information is withheld or is not shared or is inadvertently shared.
InfoWorld: One health system I talked to, what it's done is basically put in the records that the person is being treated, no details as to what, and indicate, "You need to call us if you're treating this person, because there's something else going on that we can't put in the record." It basically put in a flag. That way at least you know there's something going on, as opposed to not knowing, because if you don't reveal that there is something going on, a person may make assumptions and just go blindly, not knowing there is an issue to even worry about. That's how one organization does it. Another one I've talked to basically says, "If it involves any medications, we have the psychiatrist, if they're being treated by a psychiatrist, review the medications from the primary physician." They sort of flip it the other way, where they put the responsibility on the person who has the most access, which the doctors didn't like at all. But they didn't know how else to deal with it. Those are two models I've come across.
Fridsma: One of the things that's important, at least from my perspective in the work that we do, is when it comes to the standards and the technical specifications that we work on, I don't want the technology to be a barrier to the policies that people want to apply or to implement. Regardless of how to handle that issue, we want to make sure that people don't say, "Well, there's no technology to do this, so therefore we aren't going to share at all." We want to be able to support the various use cases and make sure that we've got the right way to do this. So that's part of our responsibility, is to make sure that we've got the technical capabilities that allow the policies to be properly implemented.
Why incremental efforts are a better approach than a top-down specification
InfoWorld: I suppose one subtext there is that if the policies were created for a different time and space, and don't fit the more integrated care model of today, maybe the policies need to be revisited, which of course is outside of your domain. But that may be a requirement.
Fridsma: No, but you're absolutely right. We talk about the interaction between the policy and technology pieces. Within ONC, we have both of those responsibilities. So, on the one hand we want to make sure that the technical infrastructure can support the policies that are out there. But we also have to recognize that sometimes a particular policy in a different world would have been easy to implement, but in the current world is really convoluted, and that maybe we need to go back and revisit that and say, "If there's a small refinement to our policy, we can actually simplify the technologic implementation of that in a really substantive way."
There is this interplay between the policy and the technology that's so critical. It's one of the reasons why, at least within ONC, we have both the HIT Policy Committee and the HIT Standards Committee, and they keep each other informed. Because the policy folks might say, "We would like to do X," the standards folks will say, "Well, you can do X, but it's going to be really complicated. If you wanted to just tweak this a little bit this would be easier." Then we feed that back and we can come to the right angle of repose, if you will, between policy and technology.
InfoWorld: It's funny, this sounds like the so-called agile development process where the stakeholders all are talking to each other throughout the development, because things do affect each other. If you specify, then dump it over to somebody to implement, those interactions aren't always apparent and they can lead to overly complicated approaches, approaches that don't work. Right?