I spoke yesterday at the StrataRx conference in Boston, as part of the data liquidity track. This was sort of a blue sky presentation (as you can tell from the first slide); the thought was to explore the notion of building big data analytics on top of a data store populated by health record information obtained as a result of patient requests. Why? Because doing it that way would bring the data out from under HIPAA and HITECH regulations. Patients could contribute as much or as little of the data as they wish, patients could be compensated for their contributions, and other pesky HIPAA restrictions would fall by the wayside. I used one company's newly-announced service as an example, but there are others in this space as well.
For a first look at the HIPAA omnibus rule, I had a Google+ Hangout on Air with Brian Ahier and Deven McGraw this afternoon. We talked through the changes made to the privacy and security rules, the breach notification rule, the enforcement rule, and the harmonization of HIPAA and GINA. The video runs about an hour, and we got some pretty good reviews live and in the hours since this ran. Check out the HIPAA discussion on Google+ concurrent with and immediately after the hangout, too.
One viewer, Ben Watts, posted his notes almost immediately after we were through, on his blog EMRSoap. (Thank you, Ben!) Here's an excerpt from his post:
EMRSoap Write-up of the HIPAA Hangout by Industry Leaders
Below are our notes from the discussion – they’re not specifically tied to the individual speaker.
Most of the final rule was the same. Except for the Marketing provision – that was quite a bit different than the proposed rule.
We’re still not done. Even though this is the ‘Omnibus rule’, there’s still 2 new rules that need to come out.
Bus related puns abound.
What do providers need to watch out for? One thing: Primary liability of BA’s and subcontractors. You really can’t sub out responsibility entirely.
There’s a community of small providers and Business Assocaites who aren’t aware of the reality of HIPAA and haven’t completed Risk Assessments (and more). They’re just not familiar enough with their obligations and the HIPAA environment. They’ll have till September 23rd to comply with this rule.
Date by which new BAA and NPP need to be entered into is a year after that September 23rd. The agency will be issuing further guidelines throughout this timeline.
The government is committed to more audits and fines. The fines they collect will fund the audit process. We’re going to have audits of Business Associates and their subcontractors, not just Covered Entities.
Enforcement is moving to Penalty base, and away from voluntary compliance.
But not entirely, says Devin. Rule was pretty clear – informal resolution and voluntary compliance would still play a factor in enforcement. HHS will have discretion.
HHS has been going after the smaller groups as well, even without the Omnibus rule.
Environment of ‘Hands off’ has led to people being careless. Behavior has been beyond what’s acceptable for building up trust in EMRs.
Why should patients be excited? People most bugged by marketing – that’ll be limited by HIPAA Omnibus rule. Also, breach notification provision much more clear means that institution are going to pay a lot more attention to encryption.
Discussion on the ‘conduit’ exemption – very narrow exemption. Really only works for courier-like firms (ISP and postal services, for example). Only making sense in cases of random or intermittent access to ePHI. As opposed to entities that store data – would be a BA, even if the intention is to not to look at it.
Failing to sign a BAA doesn’t exempt you from BA status.
Researchers are now permitted to give people conditional treatment if they agree to research.
Now allowed to have authorizes for future research as long as the description is rich enough to give patient a general idea of the types of research that’ll be enacted. No need for individual study approval. Requirement is somewhere in between ‘all research’ and ‘one study’.
Patients can request records in forms that makes sense for them. If you can’t technically do it in the form (5.5 in floppy, for example?) then the provider will have to reach an agreement with the patient.
Is it possible to segment your record, and keep some info off of your Health record? Yes. It’ll probably be hard for a fair amount of providers. If a patients says ‘don’t send this to my payer’, you can’t do it.
Patient right to get data trumps security requirement. If the patient is notified of risks of transmitting ePHI over email, then the ePHI can be transmitted to the patient. Requirement of alerting patients is fairly low. Bi-lateral communication is a different realm, however.
Changes to enforcement rule – bottom line is there’s a max of 1.5 million per violation. Likelihood of greater fines in the future? Maybe. Largest fine to date was against a bankrupt company.
There’s more breaches reported…not necessarily more breaches in total. Now, with our digital health system, we know who’s seen what. We’ll see more breaches in total, but that’s not necessarily a bad thing.
BA’s right to use data is explicitly limited. BA’s are directly liability, but they’re still subordinate to Covered Entities.
Breach Notification – we’ve moved away from the ‘harm standard’ – moved away from the subjective value of the underlying data. We’ve moved to an examination of ‘what happened in this instance?’ Presumption being if we don’t know what happened, then there was a breach. Notion of ‘if it’s info about your big toe then it’s not harmful’ is gone, as is underlying subjective value judgment of data. Faxing info to Doctor X instead of Doctor Y, maybe less of a big deal. As long as that mistake is handled appropriately, it’s not that big of a deal. If there’s greater than a low probability that the ePHI was breached, then there needs to be a notification. There’s a 4 pronged set of standards that need to be examined in that investigation to determine if there was a breach. But if you know that there was a breach, you don’t need to do an investigation.
Everybody: gotta revise your Notice of Privacy Practices. Remember that you have until September.
We enjoyed using the Google+ Hangout on Air platform, though it was a little bumpy as it was our first time. We are considering putting together future hangouts on the HIPAA omnibus rule, and would welcome your input regarding which issues warrant a closer look.
I attended Health 2.0 in San Francisco this week, and participated in the new Health Law 2.0 pre-conference, moderating a lively panel discussion about reviews posted on listings and ratings websites, featuring attorneys and an entrepreneur.
"This post comes to you from the Health 2.0 conference in San Francisco. The main conference kicks off today, but it has been preceded by a week of code-a-thons and a variety of other events, including HealthCamp and the four-track pre-conference yesterday (Health Law 2.0, Patients 2.0, Doctors 2.0, Employers 2.0). I moderated one of the Health Law 2.0 panels, and shook up some of my brothers and sisters at the bar by wearing my new Regina Hollidayjacket -- I've joined the Walking Gallery. (Follow the links, including the walking gallery back story, to learn more about who Regina is, and what this means.) ..." (Read more on the Health 2.0 pre-conferences.)
"Todd Park, the HHS CTO, is a vigorous champion of data liberation. He has moved the government to open its vast repositories of data (e.g. Medicare claims data) to sharing with the public to solve health care problems. Data liberation is one of the watchwords of the participatory medicine movement, and is a goal that will be reached more easily through the proliferation of online tools that will facilitate health information exchange. While we would hope that, in the future, this would be a core functionality of interoperable EHRs, It seems we just aren’t there yet. Meanwhile, however, there are Health 2.0 companies ready to bridge the gap, and ensure that data from whatever source regarding an individual patient will be available to her clinicians...." (Read even more on the Health 2.0 pre-conferences.)
"The health care payor and provider worlds are concerned with access, cost and quality. The federal government adds a population health gloss, and calls it the Triple Aim – better care for individuals, better health for populations, at reduced per-capita costs. Those fundamental drivers are now having a clearer effect on the Health 2.0 ecosystem. The demos and discussions I’ve observed thus far at this year’s conference are more consistently focused on addressing these issues than they have been in the past. Early-stage, and more established, companies’ products are also notable in that they are focused on connectivity in a broader sense than before – whether that’s connectivity for data, so that sensors can share data with your personal tracking software, your doctor or your community, or connectivity for individuals, who can use online social tools to improve their own health status through online interactions in a number of different ways...." (Read more on Health 2.0 Day 1.)
"On the last day of Health 2.0, the key takeaway was this: data liquidity can improve health care and health status, and reduce cost. Hey, we knew this already; the cool thing about hearing this message at Health 2.0 is that you get to hear it (1) while seeing the tools that will actually create that data liquidity that are ready for prime time, or almost ready for prime time and (2) from federal officials who are visibly excited about this stuff...." (Read more on Health 2.0 Day 2.)
The conference was jam-packed, and of course there were many more worthwhile demos and presentations that I was not able to include in these brief collections of highlights. I hope to see more of you at the next conference.
We e-patients are an impatient lot, and therefore we may not be big fans of the Five-Year Plan approach to creating change. The Office of the National Coordinator for Health IT released a draft federal health IT strategic plan in late March, via blog post (the plan itself is linked to from the post; a copy is posted here).
The ONC post says:
The Plan demonstrates how we will build off the foundation of meaningful use to unlock the power of information to:
Enhance our ability to study care delivery and payment systems
Empower individuals to improve and participate more in their care
Improve care, efficiency, and population health outcomes, through tools such as clinical decision support, real- time feedback of performance to clinicians, and targeted public health campaigns
Our comments focus on Goal IV of the Federal HIT Strategic Plan – “Empower Individuals with Health IT to Improve Their Health and the Health Care System.” This Goal breaks down into three Objectives, and a number of Strategies to achieve each Objective. The Goal and Objectives are laudable, but we would seek to strengthen the Strategies — by involving patients in the development of the system — so as to increase the likelihood of achieving the Goal in a meaningful way, and to do so sooner than five years from now.
One overarching comment on this Goal is that it is not integrated with the concept of care coordination, which is discussed elsewhere in the strategic plan. In order to fully realize the goal of patient centeredness, the patient must be involved in the coordination of his or her care. This omission highlights the perspective of the ONC on health care as something that is provided to patients rather than as a partnership process that involves patients, clinicians and non-professional caregivers. The patient-centeredness criteria promoted as part of the proposed rule on Accountable Care Organizations should be incorporated into the Strategies used to achieve this Goal. While these criteria are not all health IT-specific, the ONC makes the point in the strategic plan that that health IT enables patient empowerment, transparency, and achievement of the Triple Aim. Thus, all process, systems and standards improvements called for in the patient-centeredness portion of the ACO rule should be brought to bear on the health IT strategic plan.
Accelerate individual and caregiver access to their electronic health information in a format they can use and reuse
Integrate patient-generated health information and consumer health IT with clinical applications to support patient-centered care
Can’t argue with the Objectives; as noted above, though, some of us e-patients are impatient, and would like to see these Objectives reached sooner rather than later.
One key thread running through our comments is that policymakers must remember that health care is not something done to patients, it is something done with patients, so a strong patient voice must be heard, and must be built into the system. This is the time to do it, as we are framing out a brave new health care system.
Finally, as an added incentive to read the comments, please note that they include a link to a post by Regina Holliday containing her explication of a recent allegorical painting of hers — well worth the read, as it is an eloquent statement of the health IT and patient engagement issues at hand.
I attended the 14th Annual Healthcare and the Internet Conference in Las Vegas this week, and gave a keynote presentation entitled: "Health Care Social Media - The Lawyers Don't Always Say No" in which I discussed the reasons for health care providers to engage with their constituencies via social media -- both from a business perspective and from a regulatory perspective (ACO rules and future phases of Meaningful Use rules effectively demand a response from providers involving social media), and how to do it without getting into trouble (there are a variety of HIPAA, other privacy, liability, anti-kickback and fraud and abuse issues to keep in mind when planning for patient engagement through social media). Here are the slides from my talk:
Some of the themes I touched upon ran through other sessions at the conference as well: development of patient portals, on-line services and a panoply of off-the-shelf and customized web and social media solutions. There was a great deal of sharing -- formal and informal -- throughout, and I enjoyed meeting many folks in person (some of whom I've known for a while, but only on line). Kudos to the team at Greystone for putting on a terrific conference.
I attended the Connected Health Symposium last week in Boston. I enjoyed many of the sessions (sometimes wished I could have attended two simultaneously, though the livetweeting helped on that front), and as usual enjoyed the hallway and exhibit floor conversations too. As is often the case at conferences these days, I had the opportunity to meet several on-line connections in real life for the first time.
(I will not attempt to give a comprehensive report of the symposium here; please see the livetweeting archive linked to above and other reports to get a sense of the rest of the event.)
This year's exhibit floor included a diverse mix of distance health tools. Most striking from my perspective was the fact that most of these tools do one of two things: Enable patient-clinician videoconferencing, or upload data from in-home monitoring devices. The best of the second category also trigger alerts resulting in emails or PHR/EHR alerts to clinicians if vital signs are out of whack, or phone calls to consumers or their caregivers if, for example, meds aren't taken on time (one company had a pill bottle with a transmitter in the cap that signals when it's opened; another had a Pyxis-like auto-dispenser, that looked like you'd need an engineer -- or a teenager -- to program it). One tool -- Intel's -- seemed to combine most of these functions, and more, into one platform, but it's barely in beta, with only about 1,000 units out in the real world.
The speakers this year seemed to return again and again to several major themes: (1) Is any particular connected health solution scalable? (2) Who will pay for connected health, or mobile health (mHealth)? and (3) Does it work?
These issues are, of course, interconnected. With the current ACO (Accountable Care Organization) feeding frenzy, and expectations of health reform's full implementation as background, there was a palpable sense, or hope, that all this health-tech-geeky goodness will be snapped up by the ultimate payors for health care.
Who the ultimate payors are depends on your vision of the future. Is it health care providers, who will be squeezed by bundled payment demos and mainstream Medicare payment changes coming down the pike under the Affordable Care Act? Providers have an incentive to save more money than they'll be losing through payment reform under the ACA (and perhaps even the implementation of the SGR [link is to a post on the subject from over a year ago; Congress still hasn't faced the music]-- the latest "doc fix" is slated to expire after the election and fall in the laps of the lame duck Congress). Is it health care insurers, who are being squeezed by state regulators? Consider, for example, the recent Massachusetts experience with the Connector -- the model for state insurance exchanges -- and the governor insisting on limited rate increases, with the dispute ending up in court. Is it premium-paying or self-insured employers? Is it consumers, or patients?
In addition, the future of ACOs and the rest of health reform implementation is a little unssettled, to say the least. The law has been thrown to the courts in a series of constitutional challenges, and will be thrown to a new Congress in January. So even if an investment in some of these systems could eliminate a significant chunk of a physician practice's overhead expense, who's going to invest those up-front dollars right now?
Some of the pricey hi-tech solutions raise my perennial question as well: How many childhood vaccines could we buy with that money? Roni Zeiger of Google Health tweeted a similar comment attributed to Bill Gates during a presentation on genome sequencing: "I'll get my genome sequenced after we cure the top 20 infectious diseases."
In short, there is recognition that some connected health tools can have a positive impact on health status of individuals and populations, but the key questions center on the cost-effectiveness of those interventions.
One speaker, B.J. Fogg, of the Standford Persuasive Technology Lab, said: "Many crummy trials beat deep thinking," encouraging folks to continue to throw stuff against the wall and see what sticks. I would take issue with this approach. For example, the home monitoring devices I described above only upload data to their own proprietary software. Only one vendor (Intel) seemed to be close to designing an interoperable interface to standard PHRs. It seems to me that this is a key feature of any such system, and the sooner the vendors adopt this thinking, the sooner they will be able to demonstrate the utility of their products and grow their markets.
On the "Does it work?" front, many speakers addressed the issue of behavior change. All of the tools discussed at the symposium are, in essence, intended to make change in personal behaviors easier to accomplish. While much of the behavior change discussion was laced with paternalism, it had, at its core, a remarkable patient-centered orientation. This orientation was emphasized by a discussion on process and outcome measures of the future, to be used as a means for calculating incentive payments to health care providers. One speaker insisted that the most useful measures will be patient-centric measures: patient satisfaction, patient compliance, etc. The difficulty lies in reaching the point where patient and consumer behavior is being changed appropriately.
This raises the question: How do we reach consumers? What incentives will people resond to? What options do we need to present to individuals, and how?
Sheena Iyengar delivered a terrific keynote on choice, making the point that in our society we have too many choices -- about everything: breakfast cereal to jam to mutual funds in our retirement plans to Medicare Part D plans. Research shows that the optimal number of choices to lay out before human beings is 7+2, and that more choice results in no choice at all being made -- no mutual funds selected for retirement, no Medicare drug supplement plan selected to help with prescription medication costs.
Kevin Volpp, from the UPenn Leonard Davis Institute Center for Health Incentives, spoke about how we do, and can, incentivize healthy behaviors, noting that many accepted approaches are shown through research to be ineffective -- e.g., posting calorie counts on menus, CDHPs, reducing copays. One interesting positive note: lotteries can improve compliance with healthy behaviors in a cost-effective manner. Volpp gave a compelling example of a medication compliance study that increased compliance by giving compliant patients the chance to win money in a lottery if they took their meds.
Overall, there was consensus that the reason we don't have all the latest tech available in service of health care is that the economic model for health care in this country is broken, thanks to skewed incentives based on the fee for service model.
To me that seems to be too facile an excuse, explaining only the failure of health care providers to adopt these tools on their own initiative. Gary Gottlieb, CEO of Partners Healthcare addressed one plenary session and emphasized that the work of the folks in the room was critical to the success of Partners -- precisely because of the cost-saving potential of the solutions at various stages of development. This is of critical importance to Partners as it seeks to prepare for success as an ACO and, more broadly, for success in a market less willing to see things its way than in the past.
Ultimate payors have always had the incnetive to improve health care processes and outcomes, and they are getting more and more sophisticated about it. ACO's may be the latest (provider-centric) frame for the discussion, but the (ultimate payor-centric) patient-centered medical home frame has been around for a while, and may even prove to be a key engine for ACO success.
Back to patients. The key to success in transforming health care in this country is patient engagement, so patient-centered care, delivery of information to patients, and the enabling of patient community are the goals that health care providers and their connected health vendors need to focus on.
The concluding presentation from Joe Kvedar demonstrated that patients are more likely than we may expect to prefer interacting with computers vs. people in certain circumstances. As symposium participants struggled with the challenge of scaling their solutions, this insight provided some comfort. In an earlier session, Adam Bosworth described his goal for Keas as broader than scaling an individual solution. He hopes to have his company's service act as a platform for other developers' applications -- creating an ecosystem for health apps benefiting individuals and underwritten by the ultimate payors for health care (in Keas' case, employers).
Scaling, payment, utility -- several of the challenges lined up opposite the connected health community.
All in all, this year's Connected Health Symposium showed that the potential exists for (lower case) meaningful use of a whole heck of a lot of tools and toys. The challenge is to execute on this potential.
Last month, PricewaterhouseCoopers issued a report, Healthcare Unwired, examining the market for mobile health monitoring devices, reminder services, etc. among both health care providers and the general public. One of the big take-away points seems to be that 40% of the general public would be willing to pay for mobile health, or mHealth, devices or services ranging from reminders to data uploads; and the reaction by insiders is either joy (40% is good) or dismay (40% is not enough). PwC estimated the mHealth market to be worth somewhere between $7.7 billion and $43 billion per year, based on consumers' expressed willingness to pay. Deloitte recently issued a report on mPHRs, as well -- and there is tremendous interest in this space, as discussed in John Moore's recent post over at Chilmark Research. I agree with John's wariness with respect to the mHealth hype; there is certainly something happening out there, but significant questions remain: What exactly is going on? Is there reason to be interested in this stuff or is it just something shiny and new? Can mHealth improve health care status and/or health care quality and/or reduce health care costs?
As a society, across generational divides, we are continuing to move in the direction of greater comfort with electronic communication and mobile devices, and we have the desire and readiness to use these tools in managing our health care -- there are numerous studies and reports out there supporting these conclusions beyond the latest from PwC and Deloitte. The infrastructure is moving in the right direction, though there are still significant bumps in the road, e.g., lack of a universally-accepted data set for PHR data (the CCD/CCR divide, epitomized by the Microsoft HealthVault/Google Health adoption of these different health data standards). In a growing effort to overcome some of the interoperability issues in this space, HealthVault recently announced that it will be joining forces with the Continua Health Alliance, thus making a large number of mHealth devices capable of uploading data directly into individuals' HealthVault PHRs. This is -- potentially -- a huge development; we have yet to see how it will play out. As HealthVault continues to grow its "white-label" PHR market among health care providers (growth goosed in part by the meaningful use regulations), its ubiquity, paired with the utility of the Continua standards, and the growing adoption of these tools both by health care providers and the general public, will turn mHealth from a geek-fest into a tool, or set of tools, used by all.
Clearly, this is the wave of the future, and the interest in mHealth is not just as a plaything for the early adopter. Eventually, we will stop calling it mHealth -- it will simply be part of "health." (See Susannah Fox's post on a similar sea change in thinking about the term "e-patient" -- if we are all educated, empowered and engaged in our own health care, then we are all patients, and perhaps need the appellation "e-patient" no longer.)
As mHealth edges into the mainstream, it must continue to demonstrate its utility. As it does so, its potential for success should not be measured by the dollars individuals are willing to shell out, but by the savings to the health care system that it enables. There should be no market for mobile health devices and apps that cannot be counted on to increase health care quality and/or reduce health care cost. If they don't do one or both of thoise two things, then they could still be sold -- but as toys, not as meaningful health care tools.
Savings should be created by those efficiencies, and the price for the tools should be paid by the beneficiaries of those savings -- the health care payors: public and private sector insurers (i.e., Medicare, Medicaid and commerical insurers), self-insured employers and self-paying individuals, and health care provider organizations paid on some basis other than fee-for-service (and we hope this last group will be growing, thanks to the growing emphasis on sharing fiscal responsibility for health care quality with provider organizations).