Plenty of others had tried to get in, but weren't able. ONC staff were making a pretty big deal about being quiet about it until after the meeting, which is why one person referred to it as a secret meeting. I think expectations and public relations could have been handled a little bit better. One advantage about the way that they did handle it was that everyone who was invited showed up.
The point of this meeting was to:
- Identify and prioritize a list of standards and best practice activities needed to advance patient and consumer access to health data
- Establish a process for addressing the priority standards activities
- Galvanize participants to engage constructively in this process
The key point that my daughter made later in the meeting was on that same topic. It's the idea that your rights to your healthcare data need to be included in the Health curriculum that's being taught to high school students (and I saw lots of people taking notes on what she said). She's attending an agricultural high school next year (she wants to become a vet), and as part of that has to do some summer reading and tests to start earning her OSHA 10 hour card. She points out that one of the first lessons learned in getting that card is what they teach you about an employee's rights. Why shouldn't one of the first lessons learned in Health class be what a patient's rights are? Too right! We've had HIPAA for more than a decade now. Have we really just now learned that patients need help?
I know Leon heard some stories that made his ears perk up. He pointed out after these stories that OCR is an investigative body, and for some of the stories he heard from our patient representatives, he offered to put people in touch with the right investigator. In fact, he even said it might be him.
at many levels. I could tell folks about some of the work that HL7 is doing around Blue button, making it possible to generate the "old style" blue button result using a CCD, or possibly even a CCDA.
We talked about what could be done to further facilitate patient access to data. There was a lot of attention given to OAuth (some of it a bit of magical thinking, but that's OK, I know how to take requirements and turn them into something meaningful even if there's magic involved). One of the new projects that we'll certainly see coming from ONC is how to make "Blue button" data available to patients every day, all of the time, push or pull. There's some work coming out of IHE called Documents for Mobile Health that could be an ideal fit here on the pull side. Direct and "cc: me" could readily address the push side. OAuth could work with the pull side to provide the API that folks in the Cloud have been screaming for, and I think I know how to fit all the pieces together.
We spent a great deal of time on patient identification, authorization and access (almost an inordinate amount). One of the key points made in the discussion is that it is about risks & benefits, and we spend far too little time on the benefits. As Dave and Regina both pointed out, more people die because of lack of access than are injured because of too much access. Over and over patients made the point that it ought to be up to us to decide how much security and privacy we want over our data, including NONE! Go ahead, e-mail me. The convenience might be worth the lack of security. Given that one of the reasons that Peter has the job he does was a major issue regarding security and privacy (as he reports himself), I can understand why it might be of concern to him.
The fellow from AT&T made an interesting point about identity verification. Everyone with a cell phone number assigned to them by any of the major cell phone providers has already had to show a valid photo ID. That's not necessarily the same level of identity authentication as would be needed for some cases, but could be good enough for many others. This isn't my area of expertise, so I signed John Moehrke up to tell them what they need to know about security and privacy. Unfortunately, it seems that what he probably has to tell them is something that policy makers simply aren't ready to hear yet.
It was a good meeting, and we all learned quite a bit (including my daughter). I'm glad to be home, and especially glad finally to be getting to bed (now that I've written down the high points). This is the kind of meeting that I hope will be handled differently once we have some idea of what NwHIN Governance will look like. After all, this is really trying to figure out what the next step looks like for the NwHIN, and should be handled using those rubrics. And if you've been cracking the whip to get your comments in, you can relax just a bit. The deadline for comments has been extended to 6/29 (you can see the updated deadline here on regulations.gov).