Tuesday, June 5, 2012

Not So Secret White House Meetings with Patients

Today (actually yesterday at this point) I attended what one tweep this morning described as a "Secret WH Meeting".  I can certainly understand this response.  The meeting was held in a small room in the White House Conference Center just across the street from 1600 Pennsylvania Ave.  It could hold about 50 people.  Of those, a little more than half were invited guests, and the rest were ONC, VA, OCR and other government staff.

Plenty of others had tried to get in, but weren't able.  ONC staff were making a pretty big deal about being quiet about it until after the meeting, which is why one person referred to it as a secret meeting.  I think expectations and public relations could have been handled a little bit better.  One advantage about the way that they did handle it was that everyone who was invited showed up.

The point of this meeting was to:
  • Identify and prioritize a list of standards and best practice activities needed to advance patient and consumer access to health data
  • Establish a process for addressing the priority standards activities
  • Galvanize participants to engage constructively in this process
Those aren't my words, but those of the organizers.  

We heard from Todd Park, Farzad Mostashari and Peter Levin to start with.  Leon Rodriguez, Director of the Office of Civil Rights talked to us about a letter TO patients that would help them explain to providers THEIR rights to access THEIR data.  I had to tweet a picture of it because OCR didn't have a web link to it (yet). You can see it to your left.

The key point that my daughter made later in the meeting was on that same topic.  It's the idea that your rights to your healthcare data needs to be included in the Health curriculum that's being taught to high school students (and I saw lots of people taking notes on what she said). She's attending an agricultural high school next year (she wants to become a vet), and as part of that has to do some summer reading and tests to start earning her OSHA 10 hour card.  She points out that one of the first lessons learned in getting that card is what they teach you about an employee's rights.  Why shouldn't one of the first lessons learned in Health class be what a patient's rights are?  Too right!  We've had HIPAA for more than a decade now.  Have we really just now learned that patients need help?

We heard ePatient Dave, Hugo Campos, Nikolai Kirienko, and Regina Holliday tell their powerful stories.  Regina had the room crying again (including me and Farzad), but we cursed not the tears, but the reasons for them.  You probably know Dave's stories, and Regina's, but how about Hugo, who has an implanted defibrillator, and wants access to his device data.  Or Nikolai, who's spent so many hours as an inpatient (10,000 he estimates) that he is now an expert at it.  And so much so that twice he's been right when doctor's haven't about his chronic condition.

I know Leon heard some stories that made his ears perk up.  He pointed out after these stories that OCR is an investigative body, and for some of the stories he heard from our patient representatives, he offered to put people in touch with the right investigator.  In fact, he even said it might be him.

There's some new thinking around Blue button as we heard from Farzad and Peter Levin.  Forget about "dumb ASCII text", and think more about "a brand meaning patient access".  I'll proudly wear a blue button now, because now it means that patient's can have access to something more powerful than digital paper.  In fact, there's quite of bit of attention being given to blue button, at many levels.  I could tell folks about some of the work that HL7 is doing around Blue button, making it possible to generate the "old style" blue button result using a CCD, or possibly even a CCDA.

We talked about what could be done to further facilitate patient access to data.  There was a lot of attention given to OAuth (some of it a bit of magical thinking, but that's OK, I know how to take requirements and turn them into something meaningful even if there's magic involved).  One of the new projects that we'll certainly see coming from ONC is how to make "Blue button" data available to patients every day, all of the time, push or pull.  There's some working coming out of IHE called Documents for Mobile Health that could be an ideal fit here on the pull side.  Direct and "cc: me" could readily address the push side.  OAuth could work with the pull side to provide the API that folks in the Cloud have been screaming for, and I think I know how to fit all the pieces together.

We spent a great deal of time on patient identification, authorization and access (almost an inordinate amount).  One of the key points made in the discussion is that it is about risks & benefits, and we spend far to little time on the benefits.  As Dave and Regina both pointed out, more people die because of lack of access, than are injured because of too much access.  Over and over patients made the point that it aught to be up to us to decide how much security and privacy we want over our data, including NONE!  Go ahead, e-mail me.  The convenience might be worth the lack of security.  Given that one of the reasons that Peter has the job he does was a major issue regarding security and privacy (as he reports himself), I can understand why it might be of concern to him.

The fellow from AT&T made an interesting point about identity verification.  Everyone with a cell phone number assigned to them by any of the major cell phone providers has already had to show a valid photo ID.  That's not necessarily the same level of identity authentication as would be needed for some cases, but could be good enough for many others.  This isn't my area of expertise, so I signed John Moehrke up to tell them what they need to know about security and privacy.  Unfortunately, it seems that what he probably has to tell them, is something that policy makers simply aren't ready to hear yet.

It was a good meeting, and we all learned quite a bit (including my daughter).  I'm glad to be home, and especially glad finally to be getting to bed (now that I've written down the high points). This is the kind of meeting that I hope will be handled differently once we have some idea of what NwHIN Governance will look like.  After all, this is really trying to figure out what the next step looks like for the NwHIN, and should be handled using those rubriks.  And if you've been cracking the whip to get your comments in, you can relax just a bit.  The deadline for comments has been extended to 6/29 (you can see the updated deadline here on regulations.gov)


  1. Yeah for Abagail. I knew she would get a chance to shine.

    Note that the IHE mHealth profile can also be used for PUSH. This is simply just like we did for XDR. But in the case of mHealth it is naturally independent. Yes, I am that sneaky. And mHealth is totally buzzword compliant, including having the text "OAuth".


    1. Awesome. Be prepared for a hefty dose of comments on this one.

  2. There will be a new S&I Framework project working on constant access to patient data for patients.

  3. An important point missing from the letter, I think, is about the cost of access. I've seen many providers over the years (both my own and as a researcher/provider) who will provide a copy of records but charge for copies and a "service fee." This cost can be a major barrier to low-income patients, and might serve to increase disparities in engagement and care quality.

  4. Shortly you'll see a blog post from ONC with some specific opportunities for people (including those not at the meeting) to sign up to participate in "next steps".