Recently, I was completing a risk analysis on the IHE Perinatal Workflow profile. One of the risks that was identified was the uncertainty or lack of reliability associated with externally supplied information, especially that provided by a patient though their PHR. Another concern often expressed in the context of personal health records but not in this specific case was the possibility that a malicious user might use a PHR to support drug seeking behavior. As part of that analysis, I looked at possible mitigations for both these risks.
In the first case, the issue is the uncertainty that a provider associates with patient supplied information, or information coming from unknown sources. This risk isn't unique to the use of personal health records. It already exists in the practice of healthcare when taking patient histories, or relying on externally supplied reports (e.g., discharge summaries) to provide patient information. Existing practice includes procedures for verification of that information.
When the PHR gets involved, and what is different is the assumption that providers will percieve computer supplied information as being more reliable that patient supplied data. We will need to insure that providers are trained to question electronically supplied information the same way that they question patient or other externally provided data. A simple acronym should help healthcare providers just as it has helped software engineers for many years: GIGO... Garbage In, Garbage Out.
Providers can also cross-check information from a number of different sources. This is something that health information exchanges enable that is not currently possible without extensive phone calls to the various healthcare providers for a patient. Here we can apply the wisdom of the crowd, where the crowd in this case is the collection of healthcare providers who have seen the patient. These same cross-checks can also be utilized to address the second risk, that of drug seeking behaviors.
The residual risk after implementing these procedures (known as mitigations) is the need to address new findings, symptoms or diagnoses previously unreported by other healthcare providers. It is these cases where existing practice of verifying the information comes into play. A final option here is the use of digital signatures on provider supplied information. The use of digital signatures ensures that the data came from the owner of the certificate, and that only that owner could have provided it, supporting "non-repudiation". The source of the signed document won't be able to say: "I didn't say that." because the digital signature will show that only they could have.
This was an enlightening excercise, and I wish we had done it 4 years ago when we created the first profile supporting exchange of information with the personal health record. It's not that these concerns aren't well founded, because certainly they are. However, there are a number of ways to reduce or eliminate the associated risks that we've identified in the use of this and other IHE profiles.
The next time I hear someone raise these concerns, I'll take them through the risk analysis that I went through. It will be interesting to see their responses.