Medsphere advocates for the community. Bravo!!

I have been impressed lately with “the new team” at Medsphere. I have interacted with COO Rick Jung and CMO Dr. Edmund Billings. (I am disappointed that Mike Doyle and I have not met, but he is respected by some whom I respect.)

I am happy to see that Medsphere has finally taken a stand against the current political madness regarding “phasing out” VistA.

This press release from Medsphere.com reads:

This week, the Military Health Service is expected to decide on whether to dismantle its proven electronic health record (EHR) system, called VistA. Research demonstrates that VistA has improved VA productivity by six percent each year since 1999 and that, in a time of ever-rising healthcare costs, VA care has become 32 percent more affordable than it was in 1996. The organization has also achieved an unprecedented and unmatched prescription accuracy rate of more than 99.997 percent, making it a model for healthcare organizations everywhere. In fact, as private hospitals across the country strive to achieve the holy grail of automated, paperless environments (none has reached the mark yet), it is striking to note that every public VA hospital is already there thanks to VistA. Despite all of this, the Department of Defense (DoD) appears determined to systematically dismantle VistA and replace it with a proprietary solution that is expensive, difficult to implement and has limited interoperability with other systems. VistA advocates say the move makes little sense, economically or strategically–it is not in the best interest of our veterans, our working service men and women, or taxpayers who would have to foot the exorbitant bill. 

Over the past 30 years, a community of open source users has developed VistA into a successful health care technology solution that works with existing hardware and software and preserves legacy IT investments in more than 130 regional centers across the country. So why is the military fixing something that isn’t broken? Ironically, the military tried to do something similar by installing a proprietary EHR system, named the Armed Forces Health Longitudinal Technology Application (AHLTA), in 2005. The solution proved to be expensive, difficult to install and incapable of working well with other systems. Now, it seems the DoD is heading down the same path again towards a “vendor-locked” solution that will cost billions up front and after implementation. 

It is signed by CEO Mike Doyle, COO Rick Jung and CMO Dr. Edmund Billings.

I am relieved to see Medsphere taking a stand that benefits the whole VistA community. The long-term success of Medsphere is married to the success of VistA and the larger VistA community. Medsphere is in a great position to advocate in a way that VA employees cannot. Medsphere can reach and influence those who ignore me and the other revolutionaries who are already outspoken critics of the current VA/DOD boneheadedness. It is already getting some coverage, and it deserves more.

Bravo, Medsphere.

-FT

Vindicated

I must admit. I love the feeling of being proven right. Granted, it appeals to my egotistic streak. (which despite my attempts to suppress it, my wife remains keenly annoyed by).

A few weeks ago, at TEPR, I did my regular talk the Health of the Source, which is basically an update on the whole FOSS Health IT industry. In that talk I mentioned that OpenMRS, along with WorldVistA and ClearHealth, was a top EHR project.

Now, OpenMRS is covered by BBC News. I only wish that the article would also acknowledge that this kind of success is only possible because OpenMRS uses a license that respects the freedom of its users.

However, Doc Searls get it. He has heavily quoted my last post while discussing his recent experience with the medical system. He titled his post:  the patient as the platform. The great thing is, when Doc talks about things other people do to.

It does feel good to have people say nice things about me… but I hope this also might represent a tide turning towards awareness of the implications of software licensing in medicine.

I can hope.

In all Fairness

Its time to set the record straight on what are valid criticisms of HealthVault and Google Health and what are not. If you have ever read my posts, then you can be sure that when an organization needs criticizing I am the first to give it them with both barrels. But here both Google and Microsoft need defending.

  • Neither Google Health nor HealthVault are HIPAA covered.
  • This is a very good thing

But to understand why, I must beg the reader for patience.

My mother died of ovarian cancer. My Grandmother had a bout of cancer, but survived. Now she is battling Alzhiemers and it will probably kill her. I have talked about this before as the fundamental basis for the Seven Generation Test.

Now read the sentences above again… and ask yourself: “what has this writer just revealed?” Extremely sensitive personal medical information about himself. Note that I did not say “information about my mother or grandmother”, though I did reveal information about them too (obviously).

I have two people in my direct line of parentage that have both had cancer. Statistically, that makes me substantially more likely to get cancer. Further, alzheimers also has a genetic component. So I just revealed to you critical information about my personal health, specifically something that would go into the “family history” section of my health record. It is exactly the kind of information that a Health Insurance company would love to be able to use when setting my premium. It is exactly that kind of information that HIPAA was designed to keep my healthcare providers from telling insurance companies without my knowledge.

Just because HIPAA protects me from my doctors making this type of disclosure does not, and should not, mean that I should not be able to make that disclosure myself. There are many reasons why I might want to make this disclosure: I might want to make a point on my blog. I might want to explicitly tell my insurance company about this, in writing, so that they could adjust my insurance premiums accordingly. This way I would be well-armed in the event that they should try and deny me coverage for cancer treatment.

Lets consider the current paradigm of personal health information management. To facilitate this lets imagine that I was allergic to anticonvulsants (which is common). I have been to about fifteen or twenty doctors, each of whom has extensive records regarding my healthcare. I had knee surgery, and somewhere I have a orthoscopic video of the inside of my knee during the surgery (in VHS format). I have pages and pages of immunization and dental records from my in-processing during bootcamp for the USMC. I did not have a seizure in bootcamp, and if I had they would have sent me packing. But lets imagine that I did, and that the navy docs discovered that I was allergic to anticonvulsants. They would have promptly added it to my record.

I have all of my Marine Corps records in my file cabinet. But, these are just the records that I have in the house. I probably have about 1/10th of the medical information that is available, somewhere, regarding my healthcare.

Lets imagine that I had some kind of life event that would require me to gather those records together. To do that, I would need to call every doctor I have ever visited, and request a copy of my records. Healthcare providers are mandated by HIPAA to give me this information, and many of them, as a professional courtesy, would waive the costs of transferring my record to me. All of the providers I might contact would prefer to fax me my records. Faxing is simple, easy and well-understood by the medical practices. Faxing over phone lines is the de facto “health exchange network”  in the United States. (Unless you are lucky enough to be a Veteran, and have a record in VA VistA)

If my Marine Corps comrades understood the implications of this, they would say “that sucks salty balls”. Or something even more uncouth, but just as disturbing. Why does that suck? Because the resulting documents are largely valueless.

After making all of the requests and getting all of the faxes. I would have a briefcase full of documents of my healthcare. 95% of it would be redundant, showing my slowly rising cholesterol and blood pressure scores. The 5% that was really critical, like my imaginary allergy, would be buried so deep in my briefcase of papers that it would never be seen.

Given current primary care reimbursements, my doctor is incented do everything in his power to spend under 10 minutes talking to me. If he actually had to read through my briefcase of papers, then he would spend an hour doing nothing but shuffling papers. It is a much better use of his time just to ask “are you allergic to anything?”. I would of course say “not that I know of” in response. (Marine Corps boot camp is largely spent fluctuating between extreme emotions of hate, anguish and triumph. While you are guaranteed to learn some things, obscure allergies are not one of them. For all I know, I really am allergic to anticonvulsants)

I will not belabor my point. If I am lucky I will not convulse. If I do, they would give me an injection which will probably kill me. Why would I be dead? It is not because I had an allergy, that is only the proximate cause, the ultimate cause was very different.

The ultimate cause would have been: our ability to generate medical information has vastly outpaced our methods for handling that information.

That sentence should explain why we need storehouses of health data, that we can use to effectively deal with our own health information. HIPAA is designed to cover healthcare providers and those who come into contact with patient data, serving the business needs of those healthcare providers. Assuming that the same kinds of rules are a good idea for “data about me that me providers hold” as for “data that I hold” is silly once you see that they are very different circumstances.

Now lets imagine a world in which my various doctors medical records professionals all understood how to connect with HealthVault and Google Health. When I called them for my records, they would enter my email address instead of my fax number and press “send”. On their side, Google, Microsoft or Dossia (based on open source) would sift that information and allow me to transfer the resulting summary to anyone I wanted to, including my family, my friends, and my future healthcare providers. I could also forward the information to my insurance company, if I felt like that was a good idea. All three system would recognize the significance of an allergy and would prominently display the information.

HIPAA covers healthcare providers. Healthcare providers are the only people who know your health information, without you giving them permission to know it. Here are some of the things that HIPAA prevents your healthcare provider from doing:

  • They cannot tell your aunt Sue about your health conditions
  • They cannot tell cousin Joe, Rick, or uncle Eddie about your health conditions.
  • They cannot tell your insurance company about your health conditions.
  • They cannot post your name and information to their blog
  • They cannot tell the press about your health conditions, even if you are famous.

Here is what HIPAA does not cover.

  • If you tell aunt Sue about your health conditions she can tell uncle Eddie.
  • If you tell your health information to cousin Joe, he can tell cousin Rick.
  • You can post any medical information to your blog that you want.
  • If you post to your blog, that does not mean that wordpress needs to be HIPAA compliant.
  • You can tell your insurance company whatever you want.
  • You can do an interview about how rehab went for you.

Google and Microsoft are not healthcare providers. To have accurate data in those PHR systems your healthcare providers, at your request, must send them your data. Then Google and Microsoft help you to sort out the information. Compared to the way it works today, both systems are an improvement. Both of them help you organize your health information and both of them will help you to transmit that information where it needs to go.

Are they useful? Not really, and they will not be until your medical practices understand them as well as they do the fax machine. Will they be useful when that happens? Yes and very.

HIPAA stands for Health Insurance Portability and Accountability Act. It is not an accident that HIPAA does not include Google or Microsoft. The whole point was to make healthcare providers accountable for certain issues, while generally encouraging data to move around. Sadly, paranoia about HIPAA has caused data moving to grind to an almost standstill. Everyone is paranoid about it and to data transfer does not happen. Or worse, as Dr. Peel suggests, they transfer the data anyway, but in secret.

Under HIPPA the patient has a right to force data transfer to themselves. Currently providers do this with faxes which is ends up creating a massive problem. If they used Google Health, HealthVault or Dossia instead, the patient would actually be able to exercise those records!!

Saying that Google “should be covered” by HIPAA means that somehow, the person on the other end of the fax machine should be covered by HIPAA too! That means that if you faxed your records to aunt Sally, and then she showed them to uncle Bob, she could go to jail for a HIPAA violation? Or if you actually faxed them to yourself and then accidentally left them on the table at your local burger joint that the burger boy who cleans the tables needs to be sure to not just throw your records away, and instead have a policy for maintaining those records? Perhaps you had them faxed to Kinkos; should they have to maintain a separate safe for holding your faxes?

People who are shocked that Google and Microsoft are not covered by HIPAA, never actually understood the point of the law at all. Instead they generalized HIPAA into a kind of “patient right to privacy” umbrella that is just not there. You do have the right to privacy for those with whom you must share your secrets with; your healthcare providers. You do not have a right to privacy that covers your own stupidity, your gossiping family or your tendency to leave papers in the grocery store.

Both Google Health and HealthVault are designed to make the process of dissemination of your health information to people you want them to be disseminated to easier. Are they doing that in a secure, privacy respecting way? Excellent question; fodder for further posts. Should they be covered by the same laws that cover your healthcare providers? No. The law does not work that well for your healthcare providers anyway.

The whole point of a PHR is to allow a patient to control who gets to see their data. HIPAA works at “limiting” who can see your data. Because of HIPAA medical provider typically never share your data without written consent for every data sharing instance. Think about that. Suppose I have a chronic condition and I want everyone in my family to get regular updates on my lab results. Do I need to sign a document, for each family member and for each test? It does not take much time for me to get sick of the process. Also, my doctor might get sick of it too. He has the right to charge me a nominal fee for access to my record, and after a while he would probably feel he had to use that right. On the other hand, if there were an automated way to share the same information…

A PHR is all about balancing the ability to share and the ability to limit access. If a PHR were HIPAA covered, then it would lean strongly towards limiting and sharing would be impaired.

Everyone who talks about Google Health and HealthVault needs to stop harping on the HIPAA issue. HIPAA was not meant to cover the services that Google and Microsoft are offering. Here are some examples:

Quoting from Nathan McFeters at ZDnet:

Hawhhhaaaaattttt??? So Google doesn’t have to respect HIPPA laws?!

Thats HIPAA with two AAs man… Google respects HIPAA just fine. Google is probably relieved to find that the law makes some sense here, as opposed to the typical knee jerk legislation.

It feels like, and this is just a gut reaction here, law should have a strong and violent reaction to Google skirting around HIPPA concerns.

Again. There is no skirting. Google is not “slipping” out of responsibility. It is not covered, and that is a good thing.

The article linked to above also details that Google does not typically follow standard procedures for publicly disclosing flaws. That is a big problem and one that deserves attention, but it is not a HIPAA problem.

Quoting from Robert “RSnake” Hansen:

I think it’s a shame Google found a legal get out of jail free card to absolve themselves from securing consumer medical records in the same way everyone else who handles this kind of data does.

Here we have two problems. First the assumption that Google should be covered by HIPAA, which I hope I have shown is not true. Second, the assumption that Google would invest more technical security if they had HIPAA liability. Perhaps Google is not doing enough for security, but its not like security programmers code better when lawyers stand over them. They might code “differently”, but not “better”.

If there is a structural flaw in Google or Microsoft’s architecture, that is something that they should both fix and take public responsibility for but that does not mean that they should be covered by HIPAA.

Frankly these two bloggers, who have been featured on slashdot are only the start of the problem. I had the privilege of covering HIMSS as a blogger, and as a result I got to ask one question to Google CEO Dr. Eric Schmidt, upon his announcement of Google Health, as did every other reporter in the room.

Three different reporters asked “Is Google covered by HIPAA?”. Each one got the same answer: “No we are not”. All three of them asked these questions in such a way that it was obvious that they had read to many “tough reporter” novels. A little hint: perhaps the first time a really good question is asked it might trip up the executive at the massive fortune 500 company. But the second and third times the question is asked in a press conference is waste of time for everyone.

This kind of useless heckling is not just a problem for Google. I just came from TEPR where a Microsoft guy was talking on HealthVault. It was the same “HealthVault is a platform” story that you can read about in the brochure, but at the end, there was time for only one question. Guess what it was? “Is HealthVault covered by HIPAA?”

I really really wish we could stop talking about this issue and talk about real problems. Real issues include:

  • Google does not typically disclose vulnerabilities.
  • Microsoft still has terms that indicate that it can host your HealthVault data in China.
  • How are we going to make connecting to HealthVault or Google Health simple enough for small medical office personnel to handle? Do you know how many “HIPAA violations” we have every year because people do not understand how to dial 9 before getting an outside line when faxing?

Critics also have silly notions about how people who are covered under HIPAA are behaving. Most of the healthcare in the United States are delivered by practice with under 5 physicians. I cannot tell you how many practices I have seen that have a locked closet for paper records but have the EHR server sitting under the receptionists desk. If you want to illegally access my medical records which do you honestly think is easier:

A: walk into my doctors office at three in the afternoon with a shirt with “IBM” written on it and just grab the server and walk out.

or

B: hacking Google or HealthVault, who both have extensive Firewalls and Intrusion Detection systems, along with well-educated network security personnel on duty 24-7.

If you really felt that Hacking was the way to go, then you would have a much easier time hacking through the average clinics firewall than Microsoft’s or Google’s. Most of the doctors I know do not even know what a firewall is, much less the steps to lock one down. (that is not a criticism, I have no idea how to remove an appendix.)

I am not making the case that Google Health or HealthVault are secure. I am not saying that they are respecting privacy. Those are discussions that we need to have.

But HIPAA is not the answer.

-FT

Health of the Source

I pretty regularly give a talk entitled “The health of the source”. The subject of the talk is everything that has happened in health FOSS, since the last time I gave the talk. Thankfully things move along fast enough that I am never short of content. You will find this article dripping with useful bias and opinion. This is not merely a list of projects but also what I think of the projects. I might be omitting your favorite project intentionally, because I think it is irrelevant, OR out of ignorance, OR because I am limiting the scope. For instance this time I did not include much on clinical research (openclinica) or imaging, since my TEPR audience might not be interested in those.

This intended to reference Larry Walls regular summary of the perl community typically entitled “state of the onion“. (I am suffering from pun envy here… if you have something better… let me know) As I was writing yet another throw-away Open Office presentation, I was lamenting the fact that I had not posted anything really meaty on my blog lately, and I thought I should post my presentation. Then I was thinking how each page of my presentation would really serve as a blog post by itself. Then I realized that I could write one blog post, and if I kept each page short enough to fit above the fold on my little laptop, I could make a postentation. ( <- just invented this word)

So if you would like, you can now read my latest presentation just by clicking on the page numbers on this post. Hopefully it is coherent enough to read without me talking about each slide. But if not, leave me a comment and I will try and fix things.

Defining terms

(Update August 9th 2016: This site has been dead for some time. But there is a wayback machine link that lives on)

NAHIT has released its definitions.

In summary:

An EMR is a record for the doctor.

An EHR is a record for the doctors. (with data ready to move)

A PHR is a record for the patient.

A HIE is the process of moving health data.

A HIO is a O that does HIE.

A RHIO is a HIO that is Regional.

Well now that that is settled, I am sure that the whole industry will stop using the terms EMR and EHR interchangeably. I am sure that no one will refer to a RHIO as an HIE.

Thank God for the government.

-FT

What do about the VA crisis: the aboveground railroad

Dana has just written a new article Why are reformers destroying Veterans’ health computer system. It focuses on the disastrous centralization movement within the VA. Specifically it references Roger Maduro’s impeccably researched editorial in the Jan 2008 edition of Vista News which Roger edits.

Roger and I tend to see this issue in the same way. I was defended VistA in a Government Health IT article and I have written an article on the reason that the new Cerner lab system is a threat to VistA. That threat is hard to really comprehend until you understand what makes VA VistA good in the first place.

If my comments have been your only exposure to this crisis, then I would definitely take the time to read Roger’s editorial. Where I skim the surface of the issue, Roger examines the issue with the careful eye of someone who is far more familiar with both the VA and VistA. I learned much from the article and I consider myself relatively informed with regards to VistA. By relatively I mean “relative to the general population”.

But what to do about it. I recently listened to an excellent video interview with Tom Munnecke on early VA VistA history. What struck me about the interview is that Tom, like many VistA enthusiasts, views the movement between centralization and decentralization as a pendulum. The problem with this is that during periods of centralization, VistA starves.

Like all projects based on open source development models, VistA needs long-term leadership and stewardship. Currently, this leadership is either political, driven by the whims of presidents and congress, or bureaucratic, driven by permanent government employees who range from wildly incompetent with regards to Health IT, to amazingly capable. The best VistA can hope for, under the current model, is a good bureaucrat. The model needs to change. VistA was created by a community of computer programmers and clinicians working together. A similar community needs to be placed in charge again.

My proposal is for Congress to create a new council to make a clinical software design, development, and deployment decisions within the VA. Here are the rules for the new council.

  • The council should have 9 members at a time, similar to supreme court justices.
  • The council term should be for ten years. (the initial term should be split to ensure that members do not rotate out all at once.) Long terms are required for stability past the possible term of a single U.S. President. Members should be limited to one full term.
  • The initial members of the council should be elected by the card-carrying members of the underground railroad, and the local CIOs of the current VA hospitals, the national VA, Indian Health Services, the CIOs of hospitals outside the VA running VistA (including internationally) and the CEOs of software vendors who support VistA. The national VA should be able to appoint 1 member. The local VA CIOS should be able to elect 2 members. The underground railroad should be able to appoint 3 members. The outside CIOs should elect 1 member, the vendors should elect 1 member and Indian Health Services should elect 1 member. (Update March 2011 added private CIOs, Vista Vendors and Indian Health Services)
  • (Added 2010:) As I think about it, all council members should be able to code at least a little, some of them should -also- (and not alternatively) be clinicians.
  • Future elections will be held in the same way, except former council members will then vote with the underground railroad.
  • The council should have separate funding for 1 million dollars per year to handle incidental costs of meeting and small stipends.
  • The council should be able to meet in person on a quarterly basis, and via conference call once a week. The council can choose to invite anyone it wants to these meetings as guests. The travel for both the guests and the council will be funded by the one million per year.
  • The IT budget for the VA will be split into two parts. Any system that houses clinical information will be under the control of the council.
  • It is not required to be an employee of the VA to be on the council.
  • If an employee of the VA is elected, they will be allowed to spend the time needed to attend the meetings as part of their VA duties.
  • The council should not be a full-time position, but should come with a generous stipend, something like 50k a year, so that someone could decide to do it full-time if they wanted to.
  • The council should report directly to congress (March 2011) as well as to the CTO/CIO of the VA.
  • Congress should commit to not interfere with the councils decisions for ten years. At the end of the first decade, congress should decide to either disband, or permanently endorse the council.

Why these rules? The idea is to create a council that would be actually capable of running a software project as complex as VistA. The council should be made of people who are respected by 1. The people who originally fought for VistA or 2. The local VistA users. In short, they should be community elected, rather than bureaucrats or politicians. Their positions should be funded well-enough that they would not need to worry about how to pay for things, but not so well-funded that people would pursue the roles just for the funding. They should have long tenures, in order to isolate them from fear of reprisals for controversial decisions, and to ensure that long-term vision is achieved. Both VA employees and those who are not with the VA (like retired underground railroad members) should be eligible for the role of council member.

The million dollars should be used to create quarterly meetings that are attended by the council and by those that they appoint as custodians of particular systems. This will give the opportunity for the council to imitate what has worked for the Apache Foundation or the Mozilla Foundation which are the most complex and successful projects currently run by council. (Rather than benevolent dictator)

This proposal is basically a way to put the underground railroad formally back in charge, with a mechanism for introducing new blood and new ideas. In short, this is a proposal to create an “above ground railroad”.

Anyone should see that the council that I am proposing has parallels with WorldVistA. (Added March 2001) Since the writing I have discovered that WorldVistA has no mechanism to replace or change board members at all. The organization suffers as a result, and is no way suited to take this role.

Regards,

-FT

Credit where it is due

I use this forum to grip quite a bit. When someone does something silly or stupid, I do not hesitate to blast them. It is only fitting that when someone does something right, they get equal time for praise.

Skip McGaughey and his new group the Open Health Tools seem to qualify. Here is what they have done right:

  • They have some of the most important players already committed to the movement, including Eclipse, IBM, Red Hat and the VA.
  • They are posting the minutes to their meetings on the web, demonstrating a commitment to openness.
  • They already have a good FAQ which is complete enough to include some of their thoughts on licensing. Again, openness.
  • They are posting detailed information about their initial project.
  • Skip already has credibility in the community because of his participation within Eclipse community.
  • The particpants in may cases are already releasing substantial health code-bases, so the group has lots of “doers”.

Its not often that I can recommend someone out of the gate, but so far it appears that the Open Health Tools group is firing on all cylinders. They only thing left to do is make new, relevant, and usable code that gets deployed in real clinical environments.

Modern Healthcare interpreted my reaction to the groups announcement as “skeptical“, which I would probably rephrase as “hopeful”. (The problem with generally being skeptical is that even your hope can come across as negative….)

But who cares what I have to say? Dana Blankenhorn already has an interview with Skip McGaughey up, and it is definitely worth a read!!

-FT

FUD From Dr Peel

FUD stands for Fear, Uncertainty and Doubt. You should probably take a moment and read the wiki-page, otherwise the rest of this post might be lost on you.

In the United States, FUD seems to be a legitimate marketing strategy for many institutions. Microsoft uses FUD regarding the coverage of their patents on the Linux kernel. SCO used FUD as its last central business strategy. Both the political parties use FUD constantly to target the other party.

It is easy to spot FUD, here is the easy criteria: If the source of potential FUD can be summarized as saying “Given a substantial lack of information about what is actually happening, there remains very good reason to still be terrified about it”

FUD is unpopular with advocates of Free and Open Source Software. Our community values transparency that is the opposite of FUD. Generally our expectation is that the data regarding any kind of problem should be made available for analysis, and then, and only then, should conclusions be made. Our community has the patience to read long contracts, to perform subtle meta level data mining or just to carefully review code for bugs.

Generally, unlike politics, real dialog is favored over mere rhetoric in the FOSS community. Don’t get me wrong, we also enjoy zinging those we disagree with (I am particularly fond of it), but zings are supposed to be fact-based and meaningful. In fact, we have a very handy way to detect when conversations are no longer meaningful and have become purely rhetorical. We call it Godwins law:

“As an online discussion grows longer, the probability of a comparison
involving Nazis or Hitler approaches one.”

Of course, the most important is the implication of the law:

“Godwin’s Law? Isn’t that the law that states that once a discussion
reaches a comparison to Nazis or Hitler, its usefulness is over?”

– Cliff Stoll (“Cuckoo’s Egg” author), ca. 1994

I would like to formally propose that we add Dr. Peels Corollary to Godwin’s law:

“As an online discussion of medical privacy ethics grows longer, the probability of comparison to the Tuskegee Study approaches one.”

Dr. Peel has commented on the announcement that an EMR vendor to share patient data with genetics research firm by calling it the “new Tuskegee.” (update 3-25-08 Joseph Conn conducted an investigation into the research story, that is well worth reading) Here are the problems with that comparison:

The Tuskegee Experiment stands as one of the most blatant disregards for ethics in modern medical history. By comparing this modern data analysis project to the Tuskegee experiment, Dr. Peel has solidly crossed over into FUD Territory. I have heard Dr. Peel speak in person, and I believe that her heart is in the right place. However, by making a comparison to Tuskegee, we are no longer having real discourse about the ethical issues about the case in question, which is obviously quite different from the original Tuskegee experiment.

In the data mining study in question, the patient data is de-identified. Which means that discrimination as a direct result of this study will be very difficult. It also means that the study qualifies for a HIPAA carve-out for de-identified data sharing.

However, there are some very concerning ethical issues in this case which deserve attention.

  • The EHR vendor in question is anonymous, so we cannot really tell who is really participating in this. Knowing which vendor is doing this is a prerequisite for further discussion and thought.
  • It is unclear from the article to what degree patients will have the option opt-out or opt-in, and at what stages this is an option.
  • There is no mention of the algorithm used to do de-identification, so there can be no analysis on the possibility of a correlation attack.
  • The study is covering genetic markers for type II Diabetes, which has a genetic race-related component. Although the current study is unlikely to be “racist,” it could lead to some tests that are used for the purposes of racial discrimination.

Some of these issues are ethical issues surrounding this study in particular. Others, especially the last one, are larger ethical issues faced by the entire medical community. The a real and sobering implications of these ethical implications as it is. It seems to me that by making an unwarranted reference to the Tuskegee Experiments we are moving to far afield from todays facts.
By making a reference to the Tuskegee experiment, Dr. Peel is essentially forcing these issues into a political debate, rather than the subject of further rational discourse. Perhaps I should be thinking about this differently. Perhaps I should be happy that Dr. Peel continues to raise consciousness with old-fashioned Republican/Democrat type politicians regarding issues of patient privacy.

So I leave it to the reader for comment. Is the use of Dr. Peels reference to the Tuskegee experiments in this context appropriate?

-FT

HealthVault team responds to security model criticism.

In further evidence that the Microsoft HealthVault team might actually be making good on a move towards real openness. Sean Nolan has addressed some of my criticisms in a post entitled Sharing Data using HealthVault

I have updated the post in question to correct the errors that I had made. However, even with the correction made I still think the HealthVault authorization model has erred too much on the “functional” side. It is worth pointing out that this is a design decision that many programmers would side with Microsoft on. It is a tricky issue: How do you allow for the transfer of ownership of a record without also creating a system that can be easily abused? Microsoft has historically taken the view that functionality comes first, and so they have always released operating systems that are extremely functional, but that hackers inevitably have a field day with. They have done pretty well with the “functionality first” design paradigm. (who am I to argue with the whole Windows install base?)

I will not reply fully to Seans post until I have had the opportunity to study HealthVault more closely and perhaps even ask Sean some very specific questions, however, the most significant thing here is that Microsoft is responding at all. This is awfully quick turn-around for a company that has historically ignored criticism.

I do believe Microsoft is listening.

-FT

Google Health vs. HealthVault round 1

Everyone is talking about Googles new PHR offering vs. Microsoft HealthVault. Mostly the talk is drivel. I was able to get a seat at the Press Interview with Google CEO Eric Schmidt at HIMSS and, I kid you not, two reporters asked “Is the data in Google Health covered by HIPAA?” within five minutes of each other. Frankly, not-covered-by-HIPAA is an industry standard for PHRs, and the fact that the question was asked at all is an indication that the press covering this largely have no idea what is going on. (I will talk more about HIPAA and PHRs in a future post.)

Rather than finding drama in all of the wrong places, I wanted to highlight a couple of differences that really are worth paying attention to. I have had the privilege of speaking with the programming leads for both projects extensively, and it is not yet time to give a close blow by blow of where these two system are in comparison to each other. (that will happen after Google Health goes live) I hope that what little technical meat I was able to dig up will be interesting to you.

Privacy Policies:

Google has not published its privacy policy. However, it has historically given great weight to privacy concerns. Most notably take the Google Toolbar privacy notice. It begins “Please read this carefully, it’s not the usual Yada Yada”. It does a fair job of warning a user about the considerably privacy issues surrounding a tool placed directly within a browser. In fact, the sites you browse on the internet is probably as great a privacy concern as any health information you have. If you have any serious health conditions you have probably already searched for them and visited sites with content relevant to that condition. If you use toolbars, the information about where you visited was potentially transmitted back to the author of that toolbar. Google is upfront about this, and gives you an opt-out. This is much better than your average toolbar.

Microsoft’s Privacy Policy is awful. It has language that includes things like: “you give us permission to host your data off-shore”, and “we can change this policy anytime we like”. The current HealthVault privacy policy does nothing to protect a patients privacy from future policy changes within Microsoft. Based on the current language, the privacy policy might as well not exist. I discussed this with the HealthVault team and their response was “boiler-plate language”.

Frankly, the fact that ANY boiler-plate language was included in a privacy policy is a good indication that the thinking at Microsoft Legal is totally backwards. It is currently thinking “What will the market let us get away with” rather than “Hey this is a new moral sphere, if we do the right thing here, maybe the Government(s) will not make our lives completely miserable by over-regulating this industry.”

Privacy Policy Verdict:

Google wins. Without even releasing a Privacy Policy. On a scale of 1-10 Healthvaults scores a -2 which in English translates “hell-no”. That makes Google’s lack of score actually come out ahead.

API Design:

Google Health uses a CCR record wrapped in some of its standard web-service APIs. It would be better if they could have adopted CCD. But they said it was not ready when they started, which is a fair response. Still CCR is already a popular standard and a smart move for Google.

HealthVault has released its own XML specification. While they have promised to promise not to sue the pants of people like me who decide to use those specifications, creating a “new standard” in the healthcare space is regrettable step backwards.

API Design Verdict:

Google wins for respecting current standards.

Security Architecture:
Google is using their authsub system to allow users to provide token based access to other people (care-givers etc) for temporary and limited access.

HealthVault is using a “root” user notion that is transitive. That means that if I trust bob enough to make him a “root” user on my PHR record, then he can do anything with my record. Including passing the root privilege to Jenny, who can pass it to Sam, who can pass it to Ruth who can then do anything with my PHR account. See the problem? While the HealthVault system does allow for finer grain control, there is no concept of passing along “complete control” without also passing along the ability to create other “root” users.

(updated 03-04-08 Sean Nolan from Microsoft has posted a rebuttal to the previous sentence, while the rebuttal does not address my criticisms of a “transitive root” privilege system, it does argue that this design can be considered a feature rather than a flaw)

Security Architecture Verdict:

Obviously Google has time to screw this up before coming out of beta, but it looks like its access control system has been better thought out.

Time to Market Verdict:

Obviously, Microsoft wins here. HealthVault has been out for months. However, if they do not get their act together they will not have any remaining first-mover advantage. Google is obviously making very sharp moves, in fact, maybe their best move was not coming to market before they were ready.

Now that Microsoft has made some FOSS friendly sounds, I will take a closer look at their software. When Google Health is finally released, I will do a complete comparison.

-FT