CVS and Google Health: adding lots of prescription data to PHRs

Users of Google Health can now import their CVS prescription data into their PHRs.  Not the first pharmacy to hook up with Google Health, but perhaps the largest.  The more info there is in a PHR, the better; incomplete records only lead to misinformation or lack of information, and when we're talking about prescription medications, that can lead to unfortunate interactions and an additional burden of illness.  Until human nature and the medical-industrial complex can both be sufficiently tweaked to yield more rationality most of the time, the aggregation and sharing of data in this fashion (if it can be done in a comprehensive, secure, and auditable manner since, after all, we don't trust people to remember what color their pills are and report accurately to a string of docs and pharmacists, much less to update their own prescription drug data on line) is, on balance, a positive development.  Google Health does not have access to all pharmacy data in the country yet, but give them time, and they will. 

TechCrunch recognizes that privacy issues abound here, as they do for the rest of Google Health.  For me, these issues are heightened by the fact that, as far as I know, Google still insists that it is beyond the reach of HIPAA and the ARRA/HITECH son-of-HIPAA provisions.  For me (as for most), these risks may well be outweighed by the benefits.  (I think my medical records are of less interest to inquiring minds than those of Britney Spears or the "octomom" -- but I recognize the concerns of folks with medical conditions that info on chronic conditions may get into the wrong hands/be used inappropriately, e.g., for employemnt decisions, though I think the solution to that problem should be in improvements to employment discrimination law.)

The privacy nuts and technophobes out there won't sign up for this service, despite the (mostly) good privacy track record of the financial industry; at the other end of the spectrum, the early adopters are already all over this.  My expectation is that general adoption is going to depend more on easy porting of medical records beyond prescription histories.  As e-Patient Dave so vividly demonstrated recently, unfortunately, we're not quite ready for prime time in that department.  The porting may work, but the data that gets ported may or may not be accurate and up to date.  I'd be interested in learning more about the accuracy of the data that gets imported to the Google Health from the various pharmacy systems before being willing to rely on this system as an improvement over the status quo.

A tip of the hat to Richard Dale, the Venture Cyclist, for pointing me to the TechCrunch post today.  

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Health Wonk Review: Spring has just about sprung

Welcome to Health Wonk Review, where everyone is above average.  We enjoy above-average health care costs per capita, above-average uninsured rates, and above-average obsession with health care reform.  That's what it's like today in America.  Our president has said, Change has come to America.  In the words of Robert Hayden's [American Journal]:

america     as much a problem in metaphysics as
it is a nation earthly entity an iota in our
galaxy     an organism that changes even as i
examine it     fact and fantasy never twice the
same     so many variables

Like Schrodinger's cat, America's health care system seems to change in the changing light as we examine it; one thing we can all agree on is that it needs some work. 

We begin with some broad brush strokes on form and amount of spending:

Len Nichols presents HEALTH REFORM: Moving Past the Impasse on the Public Plan | New America Blogs posted at New Health Dialogue

Maggie Mahar presents Health Beat: Thinking About Dr. Atul Gawande’s Congressional Testimony Part 1: Why Health Care Reform Will Require Additional Spending at Health Beat.

One cost, no matter what the payment system, is labor.  Lynn Nicholas, President of the Massachusetts Hospital Association writes about some pending changes to labor laws that might make it easier for labor to unionize, presenting the favored position of a non-union shop as one of worker, rather than employer, preference.  See Keeping Communication Lines Open in the Healthcare Labor Debate at CommonHealth, the Massachusetts health care reform blog of WBUR (a Boston NPR affiliate).

Who Will Pay for Prescription Drugs? asks Adam Fein at Drug Channels. CMS projections show that the government will have a very strong hand in managing retail drug spending and shaping the future of drug channels.  How will that affect pricing and R&D?  Richard Fogoros (DrRich) presents A Brilliant Plan For Preserving Pharmaceutical Progress at The Covert Rationing Blog, saying, The title says it all. Can we have our cake (drug price controls) and eat it too (continue drug innovation)? DrRich says, yes we can!  Check out his proposal.

My dad used to say he wanted to listen to a radio station that broadcast only good news (not Good News, just good news).  Merrill Goozner, of GoozNews, suggests this week that there ought to be a journal dedicated solely to publishing negative results -- as soon as they're known -- as he is all hopped up due to delayed publication and/or suppression of data on adverse effects of drugs.  These issues in general, and a couple of current cases he discusses, have policy implications for the new leadership at the FDA.

At InsureBlog, Mike Feehan has a piece on Wellpoint's recent spinning off of its in-house PBM, About Wellpoint's PBM Auction, and future implications for prescription costs.

Ill and Uninsured in Illinois gives us a simple but eloquent presentation of the difficulty of accessing specialty care while uninsured: The Wait for Cook County Health Care.

At the other end of the spectrum, Health Access WeBlog's Beth Capell asks What are gold-plated benefits anyway? An interesting question, now that the president has indicated that he is open to signing a bill including taxation of health benefits.  (As an aside, Obama's approach -- White House Health Care Summit with stunning transparency, concluded with an invitation to Congress to send him a bill consistent with the policies he articulated throughout the campaign -- is both a refreshing change from the Clinton years and a strategy likely to insulate him from criticism on the exact contours of the plan when it reaches his desk.)

Jared Rhoads presents Less government, not more at The Lucidicus Project, discussing the recent report by Physicians for a National Health Plan (the single payor proponents).  I spoke with PNHP's David Himmelstein a little while back, and while he has a compelling argument for adopting a single-payor plan in this country (the savings would be impressive), I still believe that the more pragmatic approach is to make incremental changes in the system before us. 

Taking our cue from Dr. Himmelstein, we begin a bit of a grand tour by visiting our neighbor to the north. 

North of the border, Sam Solomon asks Can Canadian doctors fire their patients? at Canadian Medicine, and says in short, yes, but carefully.

At BNET Healthcare, Ken Terry writes that Massachusetts Needs to Deal With Primary Care Crisis, saying that while proponents of the healthcare reform program in Massachusetts tout it as a model for the entire country, and detractors point to the program's rapidly rising costs, neither side is really focusing on the need for better access to primary care in the state. He also observes that retail clinics are expanding in Massachusetts, and community health centers are pulling in federal cash for expansion.  One observation: retail clinics in Massachusetts are not currently expanding as they cannot find nurse pratitioners to hire.  Also, on a national level, Minute Clinic recently shuttered 90 sites for the season.  Even if they were growing, they are no substitute for primary care.

Looking at a new model of physician practice -- available 24/7, untethered to most of the traditional trappings of a physician practice (including that old-fashioned trope of accepting insurance payments), Ted Eytan, MD is Now Reading: Take Two Aspirin And Tweet Me In The Morning: How Twitter, Facebook, And Other Social Media Are Reshaping Health Care.

GrrlScientist shares her overseas medicine story, Finnish Emergency Medicine: One American's Experience at Living the Scientific Life.  Seemed to work well for her without instantaneous contact back home.  (See my own tale of a close ecounter with an overseas health care system last year as well.)

Here at HealthBlawg, I recently interviewed the CEO of Satori World Medical, a medical tourism company that offers a twist: through an HRA, it funds patients' future years' insurance premiums with a portion of the savings their employers or insurers enjoy as a result of their overseas medical procedures.

Closer to home, many doctors are now leery of online ratings sites, and have started using a service, Medical Justice, to get patients to agree not to post negative reviews as a condition of being taken on as patients.  Dmitriy at Trusted.MD has been following this issue for a while and offers some insights.

Jaan Sidorov presents The Worrisome Outpatient Trend: What Does Disease Management Have to Offer? posted at Disease Management Care Blog.  Chronic care consumes 75% of the health care dollar in this country, and needs to be better managed.  Outpatient chronic care is a significant part of the equation.

Care management is also the theme of Julie Ferguson's post on The effect of obesity and other comorbidities on workers comp at Workers' Comp Insider.  In light of a new report which shows that workers comp medical claims can cost three times as much when the injured employee is obese, she makes the case for breaking down the silos between employer-based occupational health and general health programs.

David Williams' post on Wal-Mart and eClinicalWorks over at Health Business Blog concludes with a healthy bit of skepticism about this new EHR offering to small physician practices.

Using the cost per doc put out by Wal-Mart, John Moore does some calculations, and shows in his post The HITECH Challenge: Is $19B Enough to Drive HIT Adoption at Chilmark Research that docs getting wired and getting HITECH incentive dollars will be engaged in a money-losing proposition -- they'd actually be better off financially not implementing EHRs and getting hit with the penalty a few years down the road. 

Speaking of Wal-Mart, it bears mentioning that this day in history marks the anniversary of the Civil War Battle of Bentonville (No, not that Bentonville; the battle was in North Carolina.)

Tinker Ready, at Boston Health News, shares some insights from John Glaser, CIO of Partners Healthcare, on getting HIT right.

Shahid N. Shah presents Client/Server vs. ASP/Web-Based in Healthcare IT posted at The Healthcare IT Guy, since with the HITECH Act and stimulus bill making news, many users are asking if they should purchase software and use it on premises or if they should use a "cloud" package or an ASP/web-based solution.

In addition to jump-starting HIT, current legislation is giving a boost to research funding.  One pot of funds is time-limited; Glenn Laffel looks at Beaker Ready projects ready for NIH funding at Pizaazz.

Jason Shafrin reviews some of the pros and cons of establishing a government body to conduct cost effectiveness research in Should the U.S. get NICE? at Healthcare Economist.

In The Color of Money: What Sort of School Doesn't Pay Its Faculty to Teach? Roy Poses at Health Care Renewal puts academic medicine on the spot, saying that some leaders have abandoned core missions in favor of collecting "taxes" from medical faculty, which makes faculty more dependent on commercial interests.  Strong words indeed, and an issue that needs to be rolled out front and center together with other payment issues if there is to be a wholesale revamping of health care financing in this country.

For those brave enough to enter the land of credit default swaps, Joe Paduda, at Managed Care Matters, examines the reasons for propping up AIG and why it may fail anyway.

And finally, to leave you with some doom and gloom from The Health Care Blog to ponder, Brian Klepper and David Kibbe ask Is the healthcare economy rightsizing?

Thanks for visiting HealthBlawg for this edition.  Please see me on twitter too, and join us again next time for Health Wonk Review.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Dan Greden, head of eHealth Product Management at Aetna, speaks with David Harlow about PHRs and patient engagement

Dan Greden, Head of eHealth Product Management at Aetna, spoke with HealthBlawg last week about Aetna's PHR system, its above-average rate of adoption by members, and the benefits that it provides to members, clinicians and ultimate payors.

The audio file of my interview with Dan Greden (about 30 minutes long) is available for download/podcast. A full transcript is at the end of this post (and in the linked transcript).
  

About 11% of Aetna's subscribers are active users of the Aetna PHR system (vs. well under 5% PHR adoption by the population at large).  The PHR is automatically populated with data from providers' clinical systems, including prescription information and lab results.  As Greden explains in greater detail, the PHR system is bolstered by an evidence-based medicine expert system that generates patient-specific alerts to patient and/or clinician (depending on the urgency of the alert), and allows for members to be more fully engaged in active management of their own health care.  This increased level of engagement is beneficial both to the management of members' health and to the management of the cost of care.  As more employer health plans steer members into HDHP/HSA combinations, members are becoming more cost-conscious, and have become more interested in learning about quality and cost-effectiveness when it comes to managing their own health care.

Aetna's system allows members to delegate access to their PHRs to clinicians and family members in a variety of controlled ways, limiting access where the member so desires (or where the right to impose limits is required by law -- e.g., for records relating to minors' reproductive health issues).

Greden stressed that the records belong to the individual members, and that in case of a change in insurance coverage a departing member may arrange for his or her PHR to be ported to HealthVault.

As the entire country has become focused on EHRs and PHRs thanks to the HITECH Act (which, by the way, brings PHRs into the big HIPAA tent), it is instructive to look at successful implementations of PHRs such as Aetna's, which has been in place in one form or another for over two years, in order to consider how the HITECH Act's billions might best be spent.  For example, the architects of the new system should consider in very concrete terms the improvements to patient care that are enabled by PHR systems such as Aetna's and the accompanying EBM expert systems and logic, and the minimum infrastructure necessary to enable such improved coordination of care and better outcomes, both on the patient side and on the provider side. 

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Interview of Dan Greden, Head of eHealth Product Management at Aetna

February 26, 2009

David Harlow:  This is David Harlow on HealthBlawg and I am speaking today with Dan Greden who is the head of eHealth Product Management at Aetna.  Good morning, Dan.

Dan Greden:  Hey, good morning.

David Harlow:  Well, thank you for taking the time to be with us this morning, Dan. I had the pleasure of hearing you speak at a recent conference on Health 3.0 and while we may debate the definition of Health 3.0, what I heard from you about what you are doing at Aetna was fascinating. I would like to ask you to speak a bit about your work in connection with the personal health records online access tools for Aetna members and how that allows them to be engaged with their physicians managing their own healthcare.

Dan Greden:  Great.

David Harlow:  So I wonder if just for starters if you could describe what the tool is and how patients are accessing it?

Dan Greden:  Sure, David.  We built our PHR as part of our Aetna Navigator secure website and that was a deliberate decision from the beginning that it should be part of the rest of our members’ online experience. You know, it’s not a separate tool, it’s highly integrated into all their other interactions, and what we focused on was building a tool that helps them be better consumers of healthcare and providing them a resource to make decisions, to be more engaged with health care providers, and so our approach was really beyond just putting the data on a secure site.  What we chose to do is really marry the data that we all really have through our normal healthcare plan operations with our care engine, the analytical engine that our Active Health Management subsidiary provides us, so we could really guide our members by continually analyzing their records and reaching out to them and/or their physicians when we find an opportunity to improve their care or be more engaged to better manage their care through that analysis of their records.  So even though we call it a PHR, it’s really much more than just a record online, it’s really a tool and resource that our members can use to be more engaged and better consumers of their healthcare resources.

David Harlow:  And what about their clinicians?  What access or inputs to the PHR do the clinicians have, and how do they use that information?

Dan Greden:  Well, the first and the primary way that a member shares their information with their physicians is by printing it out; we had that ability in the product the day we launched, which was just over two years ago, February 14th of 2007.  Since then we have added additional capabilities to have the physician access the record when the member provides that to the clinician. So the member is always in control of who sees their records; they have to formally delegate the access to someone else, whether it be a physician, whether it be a family member.  The way it works electronically is that a member can go online, choose the physician that they want to access their records and then when, if the physician is using our Aetna provider portal which is part of a larger package of resources that Navimedix provides -- it’s a company that provides tools for physicians to automate their practices -- when the physician staff or office is going on and doing something like an eligibility verification prior to the visit or even perhaps submitting a prior claim, if the member has delegated access to the PHR it will show up as part of that activity and there will be a prompt that asks the office: hey, your patient, your member has asked to share this with you, click here to print it.  We also can send care alerts -- or what we call care considerations -- that the care engine identifies to the physician in that way.  So if there is an opportunity to improve care we deliver it via that channel as well.

David Harlow:  That’s a very interesting additional tool.  Now, how are those care alerts generated and what are they based on?

Dan Greden:  Well, what the care engine does is it takes the claims-derived data from a multitude of sources. It’s not just medical claims but also pharmacy claims.  We look at lab claims, often we have lab results as well, and it goes through and does several types of analysis.  The first is it will go through and try and identify a potential presence of certain medical conditions and so it’s not just taking the way the claims are coded as the basis for the presence of the medical condition, you have to look for more evidence beyond that so if we use the example of a diabetic, we’ll see whether the claim coding, the ICD-9, or the CPT-4, or whatever, suggest the presence of diabetes, but those are often rule-out diagnoses the way the physicians code the claims so we’ll also look to see, all right, do I see prescriptions that would be consistent with someone managing diabetes, do I see lab results that would be consistent with someone  managing diabetes and based on what that analysis provides, the care engine may say you know I have reasonable cause to suspect this member has diabetes.  I am going to go through and do an additional set of analyses to make sure that all the best practices of care related to a patient with diabetes are being followed. So, for example, is this patient taking a low dose of an ACE inhibitor?  There have been recent studies that have proven that a very low dose of lisinopril, for example, five milligrams for example, can in the long run significantly prevent complications with kidney function, and if the member has taken a scrip that’s great, no action will be taken.  But if we see that the member has not taken it we will send a note to the physician as well as to the member, just informing them of this potential opportunity. You know, we are not drawing any conclusions; we are just introducing the topics for further discussion and further exploration between the member and their physician.  So that’s an example of how diabetes would work.  There are literally hundreds of different opportunities to improve care that are analyzed and dozens more medical conditions that have care management protocols or alert potentials in place.

David Harlow:  I’m wondering whether you have the potential to overload physicians with information about these various alerts, alerts that go to physicians or that go to patients as well.

Dan Greden:  The potential is there to overload physicians with the result of this analysis.

David Harlow:  Yeah, there is a potential, it seems to me, to provide so much information that the physicians could potentially be overloaded with information on a variety of conditions for a large number of patients.

Dan Greden:  First of all that’s a great question, and the way that that’s been managed is two-fold.  One, I mentioned how the analysis for the presence of the condition is fairly rigorous, it doesn’t just look for the claim coding, it looks for other data that would corroborate the presence of the condition, so it reduces errors that way, but I think the primary way that that’s mitigated is through what we call the alert urgency; we don’t send physicians just routine and preventive care, and the way that the alerts are communicated to the physicians  is also a function of the criticality.  So level one urgency is a life-threatening situation that we may have identified, whether it’s a drug-to-drug interaction risk or a drug-to-medical-condition interaction risk, or in rare cases, a drug-to-family-history interaction risk, the type of thing a physician may not have recognized on their own but it is potentially life-threatening, that will typically be made through a phone call with follow-up fax.  But less urgent ones are typically sent by mail or fax, and the ones that really involve the member being proactive, or engaging in preventive care, are not sent to the physician. So through the urgency of the alert and the means through which the alert is delivered we have been able to manage that pretty well I think. Active Health has been running the care engine for, boy, a little over five years now, I think about five years, and so it’s a staff of physicians who run this part of that business so it’s been pretty sensitive to what warrants an outreach and what a proper form of outreach is based on the content. 

David Harlow:  And the care guidelines that they use are based on peer review journals or data from your network or a combination of both or how does that work?

Dan Greden:  They are really more expert than I am on this but I know that they continually review peer-reviewed journals and include that.  There is analysis going on of informatics work within our databases but it’s really -- a lot of the feedback that they get suggests that this is a means for physicians to learn about new findings in various fields, and the ACE inhibitor one is a good one. That’s a couple of years old, still being understood throughout the physician community that treats people with diabetes, and so they often get the feedback on care consideration from the physicians, like: thanks, I didn’t know the study, your note prompted me to look into it and I am going to start changing my treatment approach.

David Harlow:  This system has been in place for two years now, and I am wondering whether you have done any sort of systematic review of quality of care improvements, cost of care reductions, any sort of tracking that’s been done to date?

Dan Greden:  We track that extensively, but because we started our pilot two years ago we’ve really only had a meaningful user base for about a year.  We are just now starting to see some early indicators of the improvements in care and so we are really at, we think, the tip of the iceberg on that but what we are seeing is a few things.  People who use our PHR generate significantly more of those care considerations, those care alerts that I talked about.  That’s a good thing for medical costs, because we have seen through other work in the care engine, Connected Health Management, which has been up and running about five years, that the more alerts that are generated, the more opportunities we have to improve care and lower costs. So the PHR makes that care engine program and its ROI more effective.  We have also found that the compliance with those alerts is higher for people who use our PHR. We think it’s for a few reasons, but one of them is that we are sending the notice to both the physician and the member in some cases so there is better follow-through. That improvement is over four percent so early indicators are that the users of our PHR are much more likely to have a medical condition and the PHR helps them be more engaged with their care, so we do expect, as we have had more of a experience base to do our informatics work on, that will continue to see very specific cost savings.

David Harlow:  I see, now you say this is now this was done as a pilot for a year and it’s been out of pilot so how many patients or what proportion of your membership is using this actively and how do you measure that?

David Harlow:  Yeah that’s still changing pretty rapidly because, like I said, so many of these deployments have happened recently.  I mean, to give you a specific number, about eighty-five percent of the membership who has our PHR have had it for seven or eight months or less, so it’s relatively new to most of these people.  In terms of how we measure this, we don’t just measure what percent of the people who have the PHR have used it.  Now obviously we’d do that too but what's more relevant to us is who are they, what is the value delivered to these members through the PHR and then really focusing on making sure that we continue to build out the right capabilities to help them be better consumers of their healthcare.  As an example, we have much higher than normal usage among people with a medical condition.  Also we see higher usage among mothers with children.  They are doing things like accessing immunization records or other health data across multiple kids or even a single kid, and we also see the pre-retirees use it more.  Now what's important to note there is that while there are similarities there is different value delivered to each of these members based on how they are using the tools.  So our measurements around adoption really tend to focus more on who is using it and what they are using it for and what the value delivered from that is.

David Harlow:  Sure, now do you have a sense of what proportion of your membership is using this in some regular fashion?

Dan Greden:  Again,  it continues to grow significantly every month and we do measure this regularly, right now over ten percent of our subscribing members -- these are the ones who you know subscribe directly to the health plan  --  have accessed  their PHR,  and that’s higher than the industry average, and we expect that to continue growing.  A little clarifying point is that those are the members who are easier for us to communicate to, those are the ones who through their employer subscribe to the plan and you know their dependants for example, their minor dependants have a PHR but the parent accesses it for them, but we have to count those.

David Harlow:  You are not counting those other family members in your percent?

Dan Greden:  That’s right I mean we do when we look at that as well, but I think the more relevant measure is the one that I gave you.

David Harlow:  Subscriber rather than the member, I guess. Okay.  Have you thought about additional bits and pieces of functionality that could be added on?  You said a moment ago that different people access this and use it in different ways depending on their personal situations. Has looking at that given rise to thoughts about expanding the functionality of the tool?

Dan Greden:  Oh yeah, we have a very long list of enhancements on our product plan in the forward years.  I think the best way to describe it is our plan, which is based on an assumed evolution of this because it’s a new tool right now, is just simply building awareness of the tool and what it can do for people.  So a lot of more recent enhancements have been to help people delegate access to a record or bring other people to access their record.   You know, we just talked about how there is a tool for a member to delegate access to their physicians but we haven’t talked about a new capability we launched where a member can delegate access to their family members.  So, for example, I went on when we shipped this enhancement a few months ago, and all right, now my wife can access my record.  I don’t know whether she has done the same for me, and I have to check, but what's interesting about that is if a member does that and their spouse or other adult dependent for whatever reason isn’t registered on our websites yet, we built it in such a way that they can invite that member by sending an e-mail to any e-mail address that’s from the member themselves and it’s an invitation to come online with Aetna and access their PHR.  We borrowed from a lot of other social networking sites, such as Facebook, in designing that so our focus has really been on how do we just create awareness in that initial experience with the PHR and then down the road we’ll be building a lot more integration of the PHR to other activities within the health plan.

David Harlow:  I see.  The other area that I was interested in thinking about here is plans for the future in the context of new legislation.  Now I know it may be too soon to be planning this out since I don’t think the legislators who voted on this have even read it yet – let alone the rest of us.

Dan Greden:  It’s my sense that it’s very directional at this point but more detail to come.

David Harlow:  Right.  There are a couple of areas that I did want to sort of explore with you a little bit. The first of those has to do with security, the online security of this information, which I imagine has been a big part of the design upfront.  The HIPAA regulations in the future look like they will have more technology-specific direction in there whereas up until now it’s really been technology-agnostic, if you will, and HHS is being directed to come up with more specific requirements that will be updated on an annual basis in conjunctions with industry stakeholders.  So as an industry stakeholder, I am wondering if there is a particular architecture that you are more comfortable with, or security architecture and systems, and whether you have some cause for concern where this could be changing on an annual basis.

Dan Greden:  Again, it’s really too early to have concern but I know that in our case we have invested heavily in security not just in the technology framework but also in operational protocols and protections and processes, long before we even had our PHR, so what we found is that this is a logical extension to our security environments already.  I know that in the case of the data-sharing work that we have done is part of the AHIP working group, the America's Health Insurance Plans working group, I think that was a very good approach in defining an industry standard that works well amongst the larger community of stakeholders and so if we see something like that evolve out of this I expect that would be constructive.

David Harlow:  Yes, and hopefully that will evolve.  As you said, it is very early.

Dan Greden:  One thing I also see is that something like a PHR – obviously not limited to that --  this is very new to everybody and so it’s an opportunity for the whole healthcare community to really raise awareness among the rest of the population that doesn’t think about this stuff all day long, to explain the benefits and so on.

David Harlow:  Right.  Now one of the other issues that jumped out of me was a section of the new law that addresses the ability of an individual to restrict access to information in his or her medical record, and that is a patient can ask an individual provider not to share information with insurance companies if it’s not for purposes of treatment or payment, and I imagine that currently the PHR that you describe, that you are using, captures a lot of such information and I am wondering whether you have had any pushback or feedback from members about what information should or should not be in this PHR?

Dan Greden:  In the way we approach that is, once again, we make it clear over and over again that the patient or our member owns their record.  They are in control of it.  They are in control of what’s in it.  They are in control of who sees it.

David Harlow:  Yeah.  You are much clearer about that than many others.

Dan Greden:  Yeah, that’s true, and I think there are a few reasons for that.  I mean, we are not a hospital, so I think potential confusion about the ownership of data that others might have doesn’t exist for us.  In terms of the details of the language, we already support the idea that a member can choose to not share parts of the record or does not just share the record at all.  We even have built the capabilities, say for whatever reason the member wanted to exclude parts of the record from a specific delegation, a specific sharing, they can do that.  So I think generally it’s consistent.  I would add that we encourage sharing the whole record.  A lot of what we are doing here is trying to encourage more open and constructive dialogue about members’ health but -.

David Harlow:  It’s hard to connect the dots if you don’t have access to all of them.

Dan Greden:  Yeah.  I will also give you a very specific example of how we really pushed for some of that. You know, state privacy laws are such that there is a lot of information about minors that can’t be disclosed to anyone by us, including their parents.  So we built, instead of taking the choice and saying all right, well we just, parents can’t access their minor child’s PHR, which obviously isn’t the right thing for a lot of people, we started to build some additional capabilities in order to comply with state privacy laws where types of information that are specifically addressed in the law are filtered out of the view, and the parent is still seeing ninety-eight or ninety-nine percent of most records but specific content about whether it would be reproductive help or substance abuse treatment that state law, state privacy law explicitly addresses, that’s filtered out; so we get the benefit for the vast majority of the people by still having parents be able to access minor child’s PHR and still complying with state privacy law.  To build that capability, we had to spend some of our resources, but we felt it was the right thing.

David Harlow:  Sure.  So that can be applied to any of these other situations where disclosure will be limited or information can be customized to different providers or different folks that would access the information?

Dan Greden:  That’s right and from my perspective the fact that the legislation doesn’t even have  -- fostering the discussion of this is a great thing.

David Harlow:  Yeah, is it your sense or do you just say that you know it would make sense for people to share information more clearly, do you have a handle on whether that is in fact what's being done or whether people are keeping some information close to the vest, if you will?

Dan Greden:  Yeah, in our case a lot of the sharing features are fairly new so it’s hard for me to know.  I don’t have enough data to really draw any conclusions yet but what I can tell you is that when it’s shared, sharing it by paper is still the most common.  It’s an interesting thing, but when we did research not long ago, the vast majority of physicians, even those that practice in an environment that have an EMR, use paper so you know -.

David Harlow:  I am familiar with that in my own paperless office here -.

Dan Greden:  Yeah exactly I have piles everywhere in mine -.

David Harlow:  So that’s the mode of communication.  It’s interesting.  There is a physician module for this, is there not?

Dan Greden:  Well, the way it works is, through Aetna’s provider or physician portal,  we’ve added the delivery of the PHR onto existing workflow that was already built there, so in other words our assumption, our view on this is that we don’t want to ask our providers to take an additional step so when they are -.

David Harlow:  You don’t need to log in somewhere else?

Dan Greden:  Oh gosh, no, they log in the same place and when they are doing other work that they already need to do with us such as verifying eligibility of one of their patients for coverage, in some cases submitting the claim, as they do those other steps we can layer delivery of a personal health record onto that activity without them really having to do any additional work.  You know, classic scenario is, a member of the staff goes in the morning of the appointment, the night before, verifies that there is coverage in place and they verify the eligibility and if the member has delegated the PHR to that physician it’s delivered via that same activity.

David Harlow:  Right.

Dan Greden:  And just to close the loop, what we find is they told us: Yup, and we print it out and we stick it in the folder along with everything else so -.

David Harlow:  I understand  it’s a work in progress and I guess I have asked this another way before, but do you see sort of a particular growth curve in terms of additional functionality or additional utilization by patients and physicians?  This has sort of taken off in the past year and do you see it continuing to grow, or sort of leveling off in the next year or so?

Dan Greden:  No.  I think we are really just getting started in terms of the people who can really benefit from a PHR becoming aware of these tools and what they do.  I’m not one who believes that a PHR is valuable to everyone though, I think -.

David Harlow:  I was just going to ask that, is it the goal to have a hundred percent adoption?

Dan Greden:  No I would think there are better ways that we can engage those -- we call them young and invincibles -- but realistically some are at a point in their life where for whatever reason they are not even generating medical claims -- obviously we would like if they were doing their preventive care but you know there is a lot of our population who just don’t use their clinician resources and medical resources at all.  We have different ways to engage them that are more effective and more relevant than the PHR, but I think we are really still at the beginning of getting the part of the population that would benefit from the PHR to understand what they are, understand that they have one and then try it and see how it delivers value for them.  In our case, we are continuing to deploy this tool pretty rapidly, but last year -- you know, I think we touched on these numbers earlier --  we went from around a million at the very beginning of ’08 to over seven at the beginning of the year.  We were just deploying it aggressively. We are getting past the mid point so that’s going to slow down then we will start to see a lot of these people who have gotten it recently, have it for some time, have the marketing that we have in place to make them aware would start kick in but we are already seeing a pretty nice growth in the awareness and the adoption.

David Harlow:  Yes, well, very interesting.  It sounds like a very valuable program as it’s being rolled out.  Well thank you.  I have been speaking with Dan Greden, head of eHealth at Aetna.  This is David Harlow on HealthBlawg, and once again, thank you, Dan.

Dan Greden:  Oh, you’re welcome. Thank you.

Slouching towards HITECH Act implementation

I attended the Transforming Healthcare Summit in Boston last Thursday evening, saw a bunch of old friends and met some new ones.  About 500 people turned out for the event.  It featured a keynote by Jim Roosevelt, CEO of Tufts Health Plan.  He was excited about the comparative effectiveness provision of the HITECH Act, preventive care advances, and the opportunity to translate some lessons from the Massachusetts experience with universal health care coverage to the national arena. Jim's talk highlighted four key issues that he believes are the central issues of the health care system that we all need to grapple with (not that they are immediately soluble problems, but they demand our engagement):

1.  Ensure quality and effectiveness of heath care services, which may be facilitated by broader HIT adoption, chronic disease management programs, P4P programs, prevention and wellness programs.

2.  Reverse the growing shortage of PCPs

3.  Improve transparency of health care cost and quality.

4.  Address racial and income disparities.

Aspirational goals, and a tall order, to be sure.  Jim comes by such goals honestly; as his introduction noted, he is FDR's grandson.

These opening remarks were followed by a panel discussion moderated by Scott Kirsner, blogger and columnist at the Boston Globe.  The panel included Roosevelt, Charlie Baker, blogger and CEO of Harvard Pilgrim Health Care, John Glaser, occasional blogger and CIO of Partners Healthcare, and Jonathan Bush, CEO of athenahealth.  It was a freewheeling discussion punctuated by a bunch of good-natured ribbing among the panelists (especially once it was established that Roosevelt was the only Democrat on the panel, and the suggestion was made that the three other panelists were perhaps the only Republicans in Massachusetts). 

The meeting was serendipitously scheduled just after the signing of the stimulus package, including the HITECH Act (starts on p. 112 of the stimulus package, or ARRA), which provided much fodder for the evening's discussants.  It was a lively conversation, but perhaps a bit too soon after the signing, as there are still some significant open questions regarding implementation.

Two important examples:

• What does "meaningful use" of EHRs mean?  Providers engaged in "meaningful use" of EHRs are eligible for the stimulus incentive payments.  The term will have to be defined in regulations. John Glaser expressed the hope that "meaningful use" is defined so as to include a requirement of communicating aggregated patient data to enable further development of evidence-based medicine, one of the key justifications that has been offered for computerizing medical records.


• What will the new EHR certification body look like, and what EHR certification standards will be used?  Many observers are concerned that CCHIT will, by default or inertia, end up ensconced in this position, using existing standards.  John Halamka, who has a bit of an inside track on this sort of thing, expects that "NeHC will become the standards committee and will create value cases that contain standards and architecture for HITSP to harmonize and CCHIT to certify."  Read his whole post.
  

To get more of a sense of the evening, and to see an archived "live-tweeted" event, check out the consolidated twitterstream of everyone who tweeted the event.  If that's too overwhelming, take a look at just the HealthBlawger's twitterstream.  The links go to the oldest page of each twitterstream; read up, and page back to the newer pages to read in order.

Finally, for some "CEO on the street" sound bites collected after the panel discussion, check out the one-minute interviews with several health care CEOs in the audience, at David Williams' Health Business Blog.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

HIPAA faces the music: New OCR Guidance on the HIPAA Privacy Rule and the Electronic Exchange of Health Information

HIPAA guidance for the world that followed HIPAA (finally): HIEs, PHRs, etc., and how they may be brought under the big tent of HIPAA.

OCR release from late yesterday:

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published new HIPAA Privacy Rule guidance as part of the Department’s Privacy and Security Toolkit to implement The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information (Privacy and Security Framework).  The Privacy and Security Framework and Toolkit is designed to establish privacy and security principles for health care stakeholders engaged in the electronic exchange of health information and includes tangible tools to facilitate implementation of these principles.  The new HIPAA Privacy Rule guidance in the Toolkit discusses how the Privacy Rule supports and can facilitate electronic health information exchange in a networked environment.  In addition, the guidance includes documents that address electronic access by an individual to his or her protected health information and how the Privacy Rule may apply to and supports the use of Personal Health Records. 

These new HIPAA guidance documents are available on the OCR Privacy Rule Web Site.  See also more information on the Privacy and Security Framework and other documents in the Privacy and Security Toolkit.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Constabulary notes from all over

The ever-vigilant law enforcement community meets the health care system:

Item: Massachusetts state trooper pulls over woman in labor; asks "what's under your jacket?" while writing ticket for driving in breakdown lane en route to hospital.

Item: New Hampshire state trooper pulls over man after PET scan; asks for proof of medical procedure after radioactive isotope detected by anti-terrorist hardware.

Can't be too careful, eh?

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Patient Safety Organization regulations finally finalized

PSO regulations under the Patient Safety and Quality Improvement Act of 2005 have finally wended their way through interminable process and have made it to publication as final regulations in today's Federal Register, effective January 19, 2009.

The introductory commentary on the rule explains that it

create[s] a voluntary system through which providers [may] share sensitive information relating to patient safety events without fear of liability, which should lead to improvements in patient safety and in the quality of patient care. The [rule reflects] an approach to the implementation of the Patient Safety Act intended to ensure adequate flexibility within the bounds of the statutory provisions and to encourage providers to participate in this voluntary program. The . . . rule emphasize[s] that this program is not federally funded and will be put into operation by the providers and PSOs that wish to participate with little direct federal involvement. However, the process for certification and listing of PSOs will be implemented and overseen by the Agency for Healthcare Research and Quality (AHRQ), while compliance with the confidentiality provisions will be investigated and enforced by the Office for Civil Rights (OCR).

AHRQ explains further:

The goals of the Patient Safety Act are to encourage the expansion of voluntary, provider-driven initiatives to improve the safety of health care; to promote rapid learning about the underlying causes of risks and harms in the delivery of health care; and to share those findings widely, thus speeding the pace of improvement. The Patient Safety Act:

• Encourages the development of Patient Safety Organizations (PSOs)—organizations that can work with clinicians and health care organizations to identify, analyze, and reduce the risks and hazards associated with patient care.

• Fosters a culture of safety by establishing strong Federal confidentiality and privilege protections for information assembled and developed by provider organizations, physicians, and other clinicians for deliberations and analyses regarding quality and safety.

• Accelerates the speed with which solutions can be identified for the risks and hazards associated with patient care by facilitating the aggregation of a sufficient number of events in a protected legal environment.

The integration of state peer review protections, HIPAA protections and PSO confidentiality rules will serve to close some gaps that existed in the patchwork system we have had to date.

All in all, this is a welcome step forward for the further development of evidence-based medicine, taking into account details of negative outcomes and using those outcomes as learning opportunities for the system as a whole without exposing individual providers to additional potential liabilities.  Through the improved protections, these regulatory changes will enable provider organizations to realize more fully the patient care improvement promise of EHRs as well.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

New Massachusetts identity theft regs overlap with HIPAA, FTC Red Flag rule

Massachusetts identity theft regs take effect January 1, 2009.  Any business that does no more than keep a copy of a personal check from a client or customer on file is subject to these new rules, which require implementation of a security program covering any "personal information" maintained in a business' files.  "Personal information" means any non-public linking of a person's name and Social Security Number, driver's license number, or financial account number (debit, credit or bank account number).  The enabling statue does not apply to state government agencies, but Gov. Patrick brought them into the big tent by executive order.

Internal and external security audits and employee training will be required.  

For those lucky enough (!) to be subject to HIPAA already, these requirements will not be that difficult to accommodate, as the new rules cover familiar territory.  However, HIPAA pre-emption analyses and compliance programs will need to be reviewed, to be sure that Massachusetts health care providers, payors and clearinghouses maintain full compliance with both federal and state rules in this area.

Both healthcare and non-healthcare-sector businesses may have to consider doing a further pre-emption analysis, looking at the recently-delayed FTC Red Flag rule.  

If HIPAA regulation and compliance efforts are an indicator, one of the thornier issues to deal with in coming into compliance with these rules will be establishing parameters for remote access of personal information.  Also, as under HIPAA, it will be interesting to see whether private enforcement efforts will be permitted under the new law. 

TOH: Colin Coleman, John Koenig.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

David Harlow quoted in Radiology Today on HIPAA compliance reviews

I spoke last month with Radiology Today on the question of HIPAA compliance, in light of increased, or at least more public, enforcement.  HIPAA security compliance audits are underway, and providers need to be aware of what to expect.  The best defense is still a good offense, which in this case means conducting an audit and beefing up policies and procedures, as necessary.  For further information, see an earlier HealthBlawg post. 

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Where does HIPAA go? Wherever it wants.

The GAO just issued another assessment of HHS's and ONCHIT's progress in identifying and addressing key HIPAA and other health IT related privacy issues, and developing an overall approach to HIT privacy.  The federales -- not known for nimbleness -- have made significant progress, but have not yet fully addressed all of the issues on this front tagged by GAO in its Febuary 2007 HIT report.  In GAO-speak:

We recommended that this overall approach include (1) identifying milestones and the entity responsible for integrating the outcomes of its privacy-related initiatives, (2) ensuring that key privacy principles in HIPAA are fully addressed, and (3) addressing key challenges associated with the nationwide exchange of health information. In this regard, the department has fulfilled the first part of our recommendation, and it has taken important steps in addressing the two other parts. Nevertheless, these steps have fallen short of fully implementing our recommendation because they do not include a process for ensuring that all key privacy principles and challenges will be fully and adequately addressed. In the absence of such a process, HHS may not be effectively positioned to ensure that health IT initiatives achieve comprehensive privacy protection within a nationwide health information network.

This assessment may, in fact, be too kind.  The federales' June 2008 HIT strategic plan, though full of privacy and security objectives, strategies and compliance, has been critiqued by some observers as being somewhat out of touch with reality.  There's a lot further to go.

In related privacy news, HHS released some HIPAA FAQs this week -- two information sheets, one directed at consumers and one at providers.  No new information there, but perhaps they will be useful in eliminating basic HIPAA confusion in some quarters.  HIPAA should no longer the universal excuse for being unable to provide information to or about a patient, or to agree to a particular provision while negotiating a deal (though it's still proffered as an excuse sometimes, as is Stark and Sarbanes-Oxley, usually more because a party to a negotiation just doesn't want to agree to a particular contract term and is seeking to hang their hat on some external factor).

Moving from HIPAA privacy to HIPAA security: Another recent development is the release of a new health informatics information security management standard by the ISO.  Quoth the press release:

ISO 27799:2008 applies to health information in all its aspects – whatever form the information takes, whatever means are used to store it and whatever means are used to transmit it. The standard specifies a set of detailed controls for managing health information security and provides health information security best practice guidelines. By implementing this International Standard, healthcare organizations and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their size and circumstances.

It remains for someone better-versed in the technical end of things than I am to assess whether ISO compliance and HIPAA compliance could dovetail neatly in a manner that may yield more reliable protections for health information security, or whether this ISO standard will be a wrench thrown in the works of evolving HIPAA security rule compliance.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting