May 8, 2016
There are few more potent touchstones for the public than the protection of their privacy, and this is especially true with our health records. Within these documents lies information that may affect your loved ones, your social standing, employability, and the way insurance companies rate your risk.
We now live in a world where our medical records are digitised. In many nations that information is also moving away from the clinician who captured the record to regional repositories, or even government-run national repositories.
The more widely accessible our records are the more likely it is that someone who needs to care for us can access them – which is good. It is also more likely that the information might be seen by individuals whom we do not know, and for purposes we would not agree with – which is the bad side of the story.
It appears that there is no easy way to balance privacy with access – any record system represents a series of compromises in design and operation that leave the privacy wishes of some unmet, and the clinical needs of others ignored.
Core to this trade-off is the choice of consent model. Patients typically need to provide their consent for their health records to be seen by others, and this legal obligation continues in the digital world.
Patient consent for others to access their digital clinical records, or e-consent, can take a number of forms. Back in 2004, working with colleagues who had expertise in privacy and security, we first described the continuum of choices between patients opting in or out of consent to view their health records, as well as the trade-offs that were associated with either choice.
Three broad approaches to e-consent are employed.
- “Opt Out” systems; in which a population is informed that unless individuals request otherwise, their records will be made available to be shared.
- “Opt in” systems; in which patients are asked to confirm that they are happy for their records to be made available when clinicians wish to view them.
- Hybrid consent models that combine an implied consent for records to be made available and an explicit consent to view.
Opt-in models assume that only those who specifically give consent will allow their health records to be visible to others, and opt-out models assume that record accessibility is the default, and will only be removed if a patient actively opts out of the process. Opt-out models maximise ease of access to, and benefit from, electronic records for clinical decision making, at the possible expense of patient privacy protections. Opt-in models have the reverse benefit, maximising consumer choice and privacy, but at the possible expense of record availability and usefulness in support of making decisions (Figure 1).
Figure 1 – Different forms of consent balance clinical access and patient privacy in different proportions (from Coiera and Clarke, 2004)
All of the United Kingdom’s shared records systems now employ hybrid consent models of one form or another. Clinicians can also ‘break the glass’ and access records if the patient is too ill or unable to consent. In the US a variety of consent models are used and privacy legislation varies from state to state. Patients belonging to a Health Maintenance Organisation (HMO) are typically deemed to have opted in by subscribing to an HMO.
How do we evaluate the risk of one consent model over others?
The last decade has made it very clear that, at least for national systems, there are two conflicting drivers in the selection between consent models. Those that worry about patient privacy and the risks of privacy breaches favour opt-in models. Governments that worry about the political consequences of being seen to invade the privacy of their citizens thus gravitate to this model. Those that worry about having a ‘critical mass’ of consumers enrolled in their record systems, and who do not feel that they are at political risk on the privacy front (perhaps because as citizens our privacy is being so rapidly eroded on so many fronts we no longer care) seem comfortable to go the opt-out route.
The risk profiles for opt-in and opt-out systems are thus quite different (Figure 2). Opt-out models risk making health records available for patients who, in principle, would object to such access but have not opted out. This may be because they were either not capable of opting out, or were not informed of their ability to opt out.
For opt-in models, the greatest risk to a system operator is that important clinical records are unavailable at the time of decision-making, because patients who should have elected to opt in were either not informed that they should have a record, or were not easily capable of making that choice.
Other groups, such as those who are informed and do opt-out, may be at greater clinical risk because of that choice, but are making a decision aware of the risks.
Figure 2: The risk profiles for opt-in and opt-out patient record systems are different. Opt-out models risk making records available for patients who in principle would object to such access, but were either not capable of opting out or not informed of their ability to do so. For opt-in models, the risk is that important clinical records are unavailable at the time of decision making, because patients who should have elected to opt in were neither informed nor capable of making that choice.
Choosing a consent model is only half of the story
In our 2004 paper, we also made it clear that choosing between opt-in or out was not the end of the matter. There are many different ways in which we can grant access to records to clinicians and others. One can have an opt-in system which gives clinicians free access to all records with minimal auditing – a very risky approach. Alternatively you can have an opt-out system that places stringent gatekeeper demands on clinicians to prove who they are, that they have the right to access a document, that audits their access, and allows patients to specify which sections of their record are in or out – a very secure system.
Figure 3 – The different possible functions of consent balance clinical access or patient privacy in different proportions. The diagram is illustrative of the balances only – thus there is no intention to portray the balance between access and privacy as equal in the middle model of e-Consent as an audit trail. (From Coiera and Clarke, 2004)
So, whilst we need to be clear about the risks of opt in versus opt out, we should also recognise that it is only half of the debate. It is the mechanism of governance around the consent model that counts at least as much.
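The point of this section, as an added sketch that is not from the original post or the 2004 paper: the consent default and the gatekeeper controls are two separate settings, so an opt-in system can be the riskier one. All class, field and reason names are hypothetical, and the break-glass rule (it stands in only for a choice that was never recorded) is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class ConsentModel(Enum):
    OPT_IN = "opt-in"    # no recorded choice: record is not shared
    OPT_OUT = "opt-out"  # no recorded choice: record is shared


@dataclass
class Patient:
    patient_id: str
    choice: Optional[bool] = None  # True opted in, False opted out, None never chose
    withheld: set = field(default_factory=set)  # sections the patient marked private


@dataclass
class Request:
    clinician_id: str
    authenticated: bool   # identity proven to the gatekeeper
    treating: bool        # has a care relationship with this patient
    section: str
    purpose: str
    break_glass: bool = False  # patient too ill or unable to consent


@dataclass
class RecordSystem:
    model: ConsentModel
    stringent: bool  # False models "free access ... with minimal auditing"
    audit_log: list = field(default_factory=list)

    def consent_in_force(self, patient: Patient) -> bool:
        if patient.choice is None:  # the consent model only decides the default
            return self.model is ConsentModel.OPT_OUT
        return patient.choice

    def _check(self, patient: Patient, req: Request) -> str:
        """Return 'allow', or the reason for refusal."""
        consent = self.consent_in_force(patient)
        if not self.stringent:  # only the consent flag is consulted
            return "allow" if consent else "no consent"
        if not req.authenticated:
            return "identity not proven"
        if not req.treating:
            return "no care relationship"
        # Assumption: break-glass substitutes for a choice never recorded;
        # it does not override an explicit refusal or a withheld section.
        if not consent and not (req.break_glass and patient.choice is None):
            return "no consent"
        if req.section in patient.withheld:
            return "section withheld by patient"
        return "allow"

    def decide(self, patient: Patient, req: Request) -> bool:
        outcome = self._check(patient, req)
        if self.stringent:  # record who asked for what, why, and the result
            self.audit_log.append({
                "time": datetime.now(timezone.utc).isoformat(),
                "clinician": req.clinician_id,
                "patient": patient.patient_id,
                "section": req.section,
                "purpose": req.purpose,
                "break_glass": req.break_glass,
                "outcome": outcome,
            })
        return outcome == "allow"


# Constructed sample data, not taken from any real system.
OPTED_IN = Patient("p1", choice=True, withheld={"mental-health"})
SILENT = Patient("p2")  # never informed, never made a choice
STRANGER = Request("c9", False, False, "mental-health", "unspecified")
GP = Request("c1", True, True, "medications", "consultation")
```

With these samples, `RecordSystem(ConsentModel.OPT_IN, stringent=False)` lets `STRANGER` read the withheld section of `OPTED_IN` and logs nothing, while `RecordSystem(ConsentModel.OPT_OUT, stringent=True)` refuses and records the attempt.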
For consumer advocates, “winning the war” to go opt-in is actually just the first part of the battle. Indeed, it might even be the wrong battle to be fighting. It might be even more important to ensure that there is stringent governance around record access, and that it is very clear who is reading a record, and why.
- Coiera E and Clarke R, e-Consent: The design and implementation of consumer consent mechanisms in an electronic environment. J Am Med Inform Assoc, 2004. 11(2): p. 129-140.
May 1, 2016
What is the role of government in contributing to the nation’s digital health infrastructure? That is not an easy question to answer. Every nation has its own specific variant of a health system, with different emphases on the public or private, on central government intervention or laissez-faire commerce. I have in earlier blogs made the point that, despite these differences in national systems, we now collectively have enough experience that we cannot ignore the evidence when crafting national strategies.
Back in 2009, when I explored the implications of these structural differences for government, I came to the conclusion that digital health needed a ‘middle out’ governance model, rather than top-down or bottom-up approaches to strategy. One consequence of the thinking in that paper was that I formed a view that we did not need a centralised national summary care record – a view which left me with fewer friends in government than I used to have! I was only trying to be helpful …
With a new Australian Digital Health Agency, it is now a good time to revisit these questions, to learn from the past, and to come together as an informatics and e-health community, and give ourselves the best possible shot at getting digital health right.
Digging through my papers recently, I came across this briefing paper I wrote for the Secretary of Health in 2008 – well before the middle out and summary care record papers. It was a time when Facebook was in the ascendancy, so I used the term ‘Healthbook’ to portray my ideas for a distributed, federated digital information system. Maybe now is a good time to revisit its spirit, if not the technical details?
‘Healthbook’ – the consumer as catalyst for the creation of a national ehealth infrastructure
E. Coiera, 2 May 2008
Briefing paper to DOHA
Australia, like many nations, is struggling to identify a strategic approach to creating a health information infrastructure that is technically feasible, low risk, and affordable.
The current proposal for a national shared electronic health record (SEHR) presumes a centralised, potentially monolithic, structure, where every Australian has a health record summary stored for them, to facilitate health care provision. The mental model is similar to the English NHS’s system, which has cost billions of pounds to implement, and has experienced significant technical and implementation challenges on the way. If Australia were to take a similar centralised approach to the SEHR, then it too would cost several billion dollars, presuming our cost structures are similar to the English NHS, and face its own technical risks. And after investing that money we are locked into ageing technologies that require continued significant investment. Implementation starts, but it never ends.
A second disadvantage of beginning with a centralised SEHR is that it demands ‘delayed gratification’. There is massive up front investment, substantial pain within the health jurisdictions during implementation, with benefits only arriving after many years, and little for consumers to see or appreciate despite the large sums of money being invested. It also draws resources away from other cheaper, but potentially higher value, elements of the eHealth infrastructure, specifically decision support technologies, which have great capability to reduce harm, improve safety, and deliver efficiency gains through more evidence-based use of investigations and therapeutics.
A different way
An alternative approach has emerged. Imagine that, rather than waiting 5-10 years for a ‘centrally planned’ SEHR (that is what it may take) we achieve many of the same goals in less than 5 years, at significantly less cost to government, in a market-driven and industry-led way, growing organically and flexibly, rapidly adopting technological innovation, and potentially building up new export industries for Australia’s IT industry. Imagine also if this new way had strong support from consumers, because it was all about them and their health care, and not about putting in expensive ‘backroom’ technologies they will never see.
There are three elements to this approach:
1 – The shareable record can be consumer rather than health service focussed: Utilising the resources of private industry, and with consumer demand for access to their record, personal health records are emerging as a major new business sector. The strongest evidence for this is the move by two of the largest IT companies into this space. Microsoft has made its first major step into healthcare with its HealthVault product, and Google Health is emerging as their main competitor. Both offer consumers a service to store their personal health information, and to make it accessible to health providers with consumer consent.
In the US many large health service organizations have many millions of their patients using locally developed personal health records, for example the VA hospitals, and Partners. Similar activities are underway here with smaller start-up companies e.g. myvitals.com. Expect a flurry of such companies to appear locally, or arrive from overseas, over the next 12 months.
There is much to be commended about personal health records, but there are also some major limitations, including – the potential for the consumer created record to be of poor quality or perceived to be so by clinicians, the lack of interoperability between different systems, the consequent locking in of one’s records to a single vendor, the poor connectivity between health service provider records and personal health records, the significant risk that personal health information may be used for secondary and commercial purposes, and for Australians, the very real risk that core national IP – the health records of all Australians – is stored overseas, resulting in a massive transfer of information and wealth overseas.
2 – The rise of social computing. While there has been talk of the internet being an online community since the mid ‘90s, only in the last 2 years has this really taken off, with Facebook, MySpace and others providing a sophisticated social networking experience that has caught the imagination of the average consumer, trained consumers in sophisticated information sharing strategies, and developed software to support this. Consumers are now comfortable to carry out many of their most personal transactions on the web, from banking, to finding partners and socializing. Blogging has created a generation that is far more comfortable in sharing their personal information than any before.
3 – The continuing rise of search. Google and its competitors continue to prosper. Health information is amongst the top two categories of information searched for. Consumers want information about their health, and continue to turn more to the Internet for that information.
Putting these three together it may now be possible for private industry to create information services that challenge the centralized monolithic SEHR model, and create a rich and flexible ehealth infrastructure on the way.
The idea of a Facebook for health (or ‘healthbook’) is fairly straightforward – it is a web space where you manage your health information and access health information services, in the same way that your internet banking account is the place you manage your wealth e.g. looking at account balances, paying bills, transferring funds. There will be many competing ‘healthbook’ systems provided by industry, and we can expect companies to be offering consumers at least some or all of the following services:
- A personal health record, where you enter your own health information;
- Access to health information e.g. search engines, local guidelines, drug information, health leaflets;
- A social computing environment in which a personal health record and information can be shared amongst family, friends, clinicians, and groups;
- Links to a selected subset of health providers, allowing them to see personal health records, exchange messages (reminders, appointments, results, health messages), and maybe allow you to see some of their records about you e.g. a division of GPs might offer this service, or a private health insurer may negotiate with health service providers to offer this to their clients.
It is important to emphasise that we are not saying that the personal record now becomes the shared health record – it cannot and should not – but that the links to different clinical record systems we might find in a ‘healthbook’ effectively provide the first stage in shared access to clinical records. While such systems will grow organically, and possibly quite quickly, there are several missing pieces and some concerns that need to be addressed, including:
- Message exchange and access to your records stored by the public hospital system
- Message exchange and access to your records stored by other health services not part of the particular online consortium you join.
- Interoperability between systems, allowing consumers to take their personal health information, and linked messages and records, to a different provider.
- Protections for Australian health information going overseas and being exploited for secondary commercial purposes.
- Accreditation of healthbook providers to ensure clinical service providers and patients are comfortable in making their clinical records available via them.
If issues such as these were addressed quickly, we may in Australia be creating business conditions not yet operating anywhere else in the world, and create an opportunity for our local IT industry to corner or at least become highly competitive in a new business clearly destined to become the single largest information technology market.
It thus seems entirely feasible for government to choose not to invest in a monolithic national e-health infrastructure, but foster competition and rapid expansion of a web and business driven infrastructure. Government creates appropriate protections for the community and their personal information while supporting high quality and safe clinical care. Government is a key enabler, working with the professions and individuals to identify incentives and provide critical missing elements needed to fast track this world, including regulation, legislation, investment in making jurisdictional systems interoperable, provision of public knowledge and information sources, and investment in evaluation and research to drive evidence-based innovation.
What might happen next
If government steps in to address some of these barriers to fully interconnecting consumer-based personal health records, we could imagine three stages in the evolution of our national eHealth infrastructure:
Stage 1 (next 2 years) – Personal health record systems available and taken up by a few Australians. Some offer access to knowledge services e.g. Healthinsite; some service providers band together to allow their records to be linked to these systems and for messages to be exchanged between providers and consumers within this system. Records might be shareable within these restricted health service organizations. Standards are being developed by NEHTA, ISO and Standards Australia, and industry and the jurisdictions are moving to comply with these as they install eHealth systems.
Stage 2 (2-3 years) – Messaging standards and unique and secure IDs for every Australian (the UPI) are in place and allow communication between providers and any standards compliant ‘healthbook’. Record portability legislation encourages innovation and competition and avoids monopoly outcomes (similar to mobile telephone number portability, where a consumer can take their phone number and address book from one Telco handset and swap them to a different one). Some state jurisdictions and primary care divisions provide standard secure web interfaces to any accredited private system, and consumers choose to link to their records in these systems, if they are aware that they are able to. When viewing linked records they appear in non-standard ways, dependent on the structure of the local system the record sits on. 10% of Australians have a ‘healthbook’ page, with international IT companies amongst the major players, but Australians may end up trusting their health providers and government with their private information, so the biggest user base may be found with Divisions of general practice, or private health insurance companies. Many other players jockey for dominance.
Stage 3 (3-5 years) – Interoperability standards have allowed any accredited record provider to provide a discoverable web service, so that any healthbook can access these records, with consumer permission. This means when you create your new healthbook account and put in your UHI, the system will find all the records associated with your care that are on the web, and ask you if you want to link them in. When records are browsed from within a consumer space, they have a uniform appearance. So, irrespective of which company’s ‘Healthbook’ you use, a clinician can always find the information they want in the same place, by selecting the ‘common user interface’ option. It is possible to extract elements of provider records into a personal health record manually or automatically. For example, you can extract medication lists, test results, or allergies from your GP system into your personal health record.
For those who choose it, their treating clinician may decide which data gets extracted from the clinical record into the personal summary record. For Australians who are not interested in using a private system, or are unable to do so, a ‘vanilla’ personal health record is made available, possibly via the jurisdictions, that allows a provider to see other linked records for a given patient, with a patient’s consent. Local Australian companies provide the back end service to consumer health sites, with the front end run by large health delivery organizations e.g. public hospital systems, and private insurers. International IT companies provide some of the core technologies underpinning these systems but the data is stored in Australia, protected by legislation from going offshore, or even analyses of the data going offshore.
The Role of government
Government has a role to:
- Facilitate – through standards activities (NEHTA) and early investment for industry development and research. For example COAG may wish to provide seed funding for 2-4 large-scale implementations e.g. requiring each consortium to include a public hospital system, a primary care organization, and for some % of the industry membership to be locally based. This attracts industry to invest, and creates a competitive climate in which innovation is focussed on delivering to the consumer as the main customer. It should be clear investment is for start up and that all programs need to be self-funding at the end of the projects. There may be incentives for meeting subscription and transaction rate milestones, and for health services incentives for meeting outcome targets e.g. preventative health activities. There may be penalties for failure to deliver, including withholding of payments should benchmarks not be met. There should be some key deliverables that we expect out of any such consortia, including:
  - Working with standards organizations like NEHTA, they should agree on a working record portability standard and mechanism, that allows a consumer to extract their personal health record, provider messages, links to clinical records, and any other information such as a future shared health record, and transfer it to another provider;
  - Consortia should demonstrate interoperability between each other for record mobility between consortia, and for messaging between providers and different consortia.
  - Working with standards organizations, the consortia should agree on a default ‘common user interface’, which provides a uniform way of accessing linked records, messages, and patient data for clinicians and consumers. There is no obligation to use this interface as different systems will want to ‘value add’ and provide better user experiences for their customers. We want to ensure that clinicians will only need to learn how to access healthbook records once, and always find the information they need in the same place every time – for safety as well as efficiency reasons.
  - Demonstrated use of a unique personal identifier like the UHI, ensuring secure and safe creation of new accounts, protection of personal information, and ease of access in clinical situations.
  - Demonstrated security and consent mechanisms so that consumers feel safe using these systems.
- Protect – the privacy of individuals, and the national IP – through legislation, and where appropriate accreditation. Consumers will need record portability and not be locked into one vendor, so legislation should allow for consumers to extract their digital records from any one vendor and move to another. Consumers and providers will want to know that healthbook systems are accredited before records are linked into them, and that accreditation ensures that records made available this way are not used for any purpose other than clinical care, and only with the consent of consumers.
- Evaluate – We need benchmarks for this program, both in terms of uptake by citizens, as well as adoption rates, usage and benefits. Evaluation programs for benefits are best run by independent organizations, and this is a clear role for academic institutions.
- Ensure Access – Ensuring all citizens and health service providers have access via a decent broadband system, and for those citizens who choose not to actively be engaged, or are unable e.g. infirm, elderly, then create an option of clinician or health service managed e-services where the consumer gives permission for their ‘healthbook’ to be created for them. Facilitate early adoption by service providers with an incentives program (e.g. to make practice records linkable to commercial systems).
- Innovate – We want Australian industry to have access to new ideas and IP to make them competitive with the US industry in particular, and there is a clear opportunity to support Australian R&D and innovation with targeted support for eHealth innovation programs.
- Participate – where jurisdictions control medical content such as records or knowledge resources (Healthinsite, service or provider directories), make these available and interoperable with private sector systems. Where government has a specific duty to individuals such as military personnel, provide or auspice services available to citizens e.g. military personnel may have records that cannot be linked for security reasons to commercial systems, so a military system might be needed, which links to all public records, but remains secure.
Appendix – Some benefits and ideas worth capturing at this stage
Benefits of this approach
- A better informed, better engaged population
- A transition plan to implementing SEHR functions, not a ‘big bang’ centralised SEHR, which is a single point of failure if things go wrong.
- Technical and investment risks are lower, as the elements government may want to invest in e.g. standards, making jurisdictional records compliant, and messaging are all required under the monolithic SEHR model too. So, if the consumer-driven model does not work, government can in the future elect to step in and can complete the ‘last mile’ e.g. with health information exchanges.
- Most of the implementation risk is borne by private enterprise
- A shift to preventative healthcare, as consumers build for possibly the first time a place where they actively manage their healthcare, and receive targeted messages and support.
- Safer care – driven by consumer benchmarking and rating, the use of consumer decision support systems, easier interaction with clinicians via messaging, a shareable record that allows clinicians to see the bigger clinical picture.
- Support for the Australian IT industry and research community to become a world leader in a market that is highly lucrative – if there is to be a new company that becomes the Google of healthcare, why could it not be an Australian company?
- Use the healthbook to send reminders for vaccinations, screening tests, routine check ups.
- Support for healthy journeys e.g. parents with young children accessing information at crucial child development stages, and possibly linking up with the community 1-stop shop proposal by government.
- If every high school student has a computer why can’t they use ‘healthbook’ applications to manage their exercise and eating regimes, by providing an online social environment where quality information is shared, groups can form e.g. how to cope with anorexia or obesity, providing information and social support?
- Support for more targeted, efficient access to services e.g. by providing consumers health service directories, similar to ‘choose and book’ in the NHS, with the ability to identify providers, and make appointments. Especially valuable for rural and remote citizens to identify services that might be available to them outside of local area.
- Consumer based benchmarking of services – similar to Amazon star rating for books (this will happen anyway – best to support it being as informative and balanced as possible).