Tuesday, June 28, 2011

Boone's Law

It's very similar to Godwin's law, but related specifically to Health IT.  In any sufficiently long discussion of Healthcare IT, the probability of a comparison being made to the financial sector approaches unity. Keith's corollary is that that in any sufficiently long discussion of patient safety, the probability of a comparison being made to the aviation industry also approaches unity.

Last night's HITsm discussion of PHRs (inspired by Google Health's over-reported demise), the financial industry comparison was made.  This one just sets the hair of my neck standing on edge for a number of different reasons.

My "rebuttal" below is probably what Julian Sanchez means by a one-way hash argument, but here goes anyway:

Financial transactions are very small (those dial-up POS terminals you see in small merchants run at 1200-2400 baud!).  They include account holder identity information from the credit/debit card (less than 100 bytes of data), merchant identity information, and a transaction amount.  They are intermediated by a third party (called an acquirer) who connects to the card issuer.  The merchant gets back an authorization for the transaction.  Subsequently (usually at the end of a shift or day), the merchant processes the authorizations so that a deposit (minus transaction fees), can be made to the merchant bank account.

Now, look at communicating data in healthcare.  The first difference here is in establishing identity of the destination account.  Membership in employer health plans turn over faster than jobs do (employers change health plans and people take new jobs, either event results in reissuing a health insurance card).  We still don't have a national patient identifier and very likely won't any time in the near future (it may be decades away or even never).  So any identity will have to be issued by a third party at the moment.  One suggested solution for this is a "Direct" address.  That might be OK, but there are some challenges with individually (person) owned end-points around certificate management.  It's pretty easy if you want an organization to help manage the communications for you, but to manage it yourself would be more difficult.

The next challenge is around bandwidth.  Existing POS terminals at 1200-2400 baud would take about 1-2 minutes per transaction to complete it for the smallest collection of information in a standardized form.  Larger ones (imaging) and other study data could take quite a bit longer.  That's because the size of the transaction is  two to four orders of magnitude larger than existing POS transactions.  So the ubiquity of the POS terminal is not an argument for success.  Have you ever had to wait two minutes while completing a credit card transaction?  Probably, but it's rather rare.

Now the next big hurdle:  Regulation.  This flowchart from a HIMSS presentation shows the process by which a Healthcare delivery organization can determine whether they must register their systems with the FDA under recent medical device regulation.  Would the system be used to transmit data from an EHR, an EKG, an automated blood pressure cuff?  These are all medical devices.  Would someone want to advertise its use for healthcare?  The MDDS rule would probably apply.

There's more.  Some risk analysis is needed here.  How will the system ensure that the patient for whom data is being transmitted (e.g., identified via some sort of card) is that same as the patient for whom the data is transmitted.   BTW:  That would mean that you need a card for every family member, and the system needs to make sure that you do not confuse them so that your data doesn't wind up in your spouse's record and visa versa.  Does that step exist in current financial transaction protocols at the POS device?

HIPAA and Breach Notification.  More regulations to ponder.  Yes, there are similar issues in the Financial space, but here there are more specific reporting requirements in healthcare.

Records retention, logging, audit trails, security, yes, the financial industry deals with all of that fairly well, probably better so in some cases, but the real issue is dealing with the fact that we aren't transmitting single pieces of data in the payload (the amount of the transaction), but instead hundreds, thousands or even more for imaging studies.

The other piece of this that comes into play is the business model.  What would be the business model for these healthcare transactions, and who would pay for it (even if it is the patient who eventually bears the cost).  In financial transactions, there's a payment model that is already built in.  In an information sharing model, there really isn't a good one (I'd be rather hesitant to give a few percent of my data to the transactors).

So, look at it in more detail before you make the comparison, and explain it in detail.  It's VERY useful to learn from what other industries do, but please, do the comparison thoughtfully, and not just in 140 characters or less.

     Keith

P.S.  For a good discussion of Keith's corollary, see Patient safety is harder than aviation safety

1 comment:

  1. "It's VERY useful to learn from what other industries do, but please, do the comparison thoughtfully, and not just in 140 characters or less."

    I can't believe you're setting such a high bar. You actually want people to do something thoughtfully? Unfortunately, it seems being thoughtful has become a scarce resource. Maybe we should declare it an endangered species and try to avoid its extinction.

    ReplyDelete