Where a company like Box can help address today's gaps
Box is taking baby steps toward addressing these questions with its move this week. Those steps do nothing to solve the health-records readability issue, though a program pioneered by the Department of Veterans Affairs (the VA) called Blue Button Plus may eventually take care of that need.
Box's efforts don't deal with the need for secure email exchange between providers on different email systems, but an ONC venture called the Direct Project is piloting a national secure email system for health care providers. HIPAA requires all providers to transmit health information over secured systems, which is why you have to sign into a patient portal to email your doctor, rather than use your normal email client.
HIPAA also requires that only authorized caregivers have access to your data, and HITECH requires that any access be tracked, which is why Box pursued the certifications. Thus, medical providers can safely use Box for data storage and exchange, which is exactly what Box wants, whether the providers go through Box directly or via an HIE or EHR provider.
For patients, there are no HIPAA or HITECH concerns; as with paper records, you're free to secure or not secure, share or not share your own records as you see fit. But if caregivers are using Box, they'll be more likely to provide a simple Box-based transfer to patients, who may already know the Box name.
Using a service like Box (or Microsoft HealthVault) can also be more convenient for both caregivers and patients. For caregivers, such a third party is not part of their EHR system, so their legal responsibility under HIPAA and HITECH ends once the data is put in patients' PHRs. But today, many EHRs provide their own PHR systems for use by patients, and because those are "tethered" to an EHR system, the health care provider has to manage the PHRs as if they were still in the EHR system, keeping them subject to HIPAA and HITECH.
For Box, it makes sense to try to be the file-sharing glue in an industry where information is so fragmented and sharing is so hard. That's why Box has taken the step of offering business associate agreements to hospitals and other providers. A BAA is essentially a contract in which the third party accepts HIPAA's obligations, and the liability, for safeguarding patient data on the provider's behalf; it is a commitment that even some HIEs avoid. A hospital or large medical practice simply won't do business around digital health records without a BAA in force, even if the vendor already meets HIPAA's technical requirements and other regulatory demands. In fact, the feds say a BAA is "generally required" for a third-party provider to be considered HIPAA-compliant.
Still, Box is not likely to become the document storage platform for large-scale health care providers, such as Humana, Kaiser, the VA, or larger county health departments. However, there are plenty of small physician practices, community hospitals, and so on that have little IT savvy or budget and aren't big enough for one of the larger EHR providers like Epic, Cerner, Allscripts, Siemens Health, Greenway, or Netsmart.
When I asked Box's enterprise general manager Whitney Bouck, she wouldn't speculate how far Box might go into the digital health records business, making it clear the company is still in the exploration phase. Moving beyond the role of a storage provider and into the management of records or into services like coordinating and categorizing the disparate records downloaded into a common Box repository would require a big shift in both domain expertise and software development. It's more likely at first that Box will have other companies do that kind of work, with its service as the underlying storage and access technology.