Posting in Government
Health data carries the same risks as financial data, but its collection and use holds the promise for even more benefits. Population studies become both easier and more valid as we collect more data.
Take data, for instance.
Data is the driver of reform. Data is a big driver of research. With data, we can know what works and what does not, what is worth doing.
We can also cut the costs of doing it by billions of dollars.
Aren't you sick of having to give the same information to every medical professional you meet, and the paperwork following every doctor visit?
But apparently we're still scared of the first necessity, putting the data into a computer so it can be used. Larry Ponemon is sounding this alarm with a survey saying Americans deeply distrust anyone but their doctor having their health records.
Forbes wants you to know this is all some horrible plot by the Obama Administration. But while only 27% said they trust the government to hold data on them, the same level of distrust exists concerning Google, Microsoft and General Electric.
We don't trust anyone.
Ponemon called this a roadblock to the government's efforts at automating health IT, but they're also a challenge to industry. Although it's hard to see what could be done -- the money has been appropriated, and there are "sticks" in the appropriation that will cut reimbursements if the money isn't taken or is wasted.
There are risks to putting data in a computer. The data can be stolen. When it's our data we freak out over these risks. But we demand the benefits even while we're freaking out.
Do you really want to return to an age where you needed cash for every transaction, and had to get that cash at a bank, or write out a check? I don't. So we accept the risks of having banks, credit processors, and even credit agencies holding vast banks of data on us. We just get upset when the data is misused. We have learned to be rational about it.
Health data carries the same risks, but its collection and use holds the promise for even more benefits. After all, your credit card won't extend your life. But population studies are driving important changes in medicine, and they become both easier and more valid as we collect more data.
My biggest problem with health data security is that employers and insurers have every incentive to steal it and use it against me. Health reform -- even the watered-down Senate plan -- would end that. (But let's not get started on that.)
The word for this anti-data attitude is neo-Luddism. Two centuries ago gangs of workers went around England smashing automated looms in protest of the Industrial Revolution. (Anyone want to go back to weaving cloth by hand?)
The current cynicism seems to have the same aim. It needs to be seen as a threat, not just to IT but to technology in general.
Technologists, engineers, scientists, and IT professionals need to understand this fact and push back against it. Progress remains controversial.
Jan 26, 2010
...or what makes it work. Free Market Capitalism cannot function without the establishment and respect for property rights. If the "ownership" of personal data cannot be recognized or respected, then there's little hope of establishing a marketplace for the management of personal data. It is the well defined place of government to protect property rights. Asking Congress to establish respect for my personal data is hardly "socialist". It's quite the opposite.
A PHR database is not the same as a database full of leads for telemarketing purposes. A PHR database, though it might be centralized, is not about how it can be turned around for sales or marketing schemes. A PHR database should have the same kind of security and internal protections as credit card records or bank account records. In fact, it should have a lot more stringent controls than those other bank or credit card records because the PHR records are about much more intimate and personal information regarding people. I think the PHR game should be built on free enterprise principles. I don't know why anyone would disagree. The discussion has been about building and safeguarding a PHR database. The discussion is not about "the free enterprise principles" that might be involved. Personal health information regards the most personal type of information that a person can put into a database. The only person that should have any say on how the information can be used is the patient; not the database administrator and not the government, especially not the government. Period. The free enterprise system's involvement would be there only as far as the initial competition to see who would build and maintain the system. After that, it would be a highly personal interaction between doctors and patients and the database. No other external considerations should be built into or around the system. In other words, no external system should expect to use information from the database for such things as telemarketing. The database should have legal and internal protections in the same way that a doctor/patient relation is protected. Ant, don't try to lecture McGrew or me about free market capitalism. You are the one who has repeatedly, in just about all of your posts, demonstrated your disrespect and dislike for capitalism. You are a big government proponent and your berating of McGrew and me is due to our dislike for that big government which you cherish. In fact, although you haven't said it directly and you've also denied it, your words and actions demonstrate quite clearly that you are a socialist with a highly negative view of "the free market principles". A proponent of any kind of big government control over any part of our lives, is a socialist. But John McGrew demands heavy handed laws insisting that credit and health data be designated personal and no longer exchanged within the marketplace. Who's a socialist now, John?
I think the PHR game should be built on free enterprise principles. I don't know why anyone would disagree. But John McGrew demands heavy handed laws insisting that credit and health data be designated personal and no longer exchanged within the marketplace. Who's a socialist now, John? Adornoe seems to think the government can designate who will be a player in this game, and thus who won't. I think the only regulation should be on standards, standards for security, for interoperability and for handling data. Beyond that, let the market prevail. Government picking winners and losers is not the way to go. Down with big government! Anyone for tea?
I believe that no one "agency" or company or cloud service provider should be handed the total personal health records business. It should be distributed amongst a few players. No one company can earn the trust of all the people, not even a government agency. However, the application systems that handle PHRs should be the same regardless of who is doing the servicing. That way, if one service goes down, the others are available to step in and with the same kind of software/hardware and interface. Redundancy is of the utmost necessity, but with security still being a very high requirement.
The analogy to how credit data is handled is probably the biggest reason people are resistant to the idea. I think that I should have complete ownership over my credit data; just being allowed to view it for free is inadequate. I think that the law should recognize that the citizen owns their personal data. (financial, medical or otherwise) I don't think that credit agencies should be allowed to sell that information as they do without my express permission. If an agency would like to enter into a contract where I am paid when they sell my data, that might be acceptable. Either way, it's up to the "owner". Of course, that trashes the credit industry's business model, and possibly Google's as well. Either way, the only way this will fly is if people are convinced that they have complete ownership and control over their data. So, where do we go from here?
Google wants to sell ads against your data and interests. If that's what Google would do with our records, then Google should be dropped from consideration for the administration of that PHR database. Our most personal records are not to be used as a client base for Google's advertising. Banish that thought. But in this case the way to do it is with government regulation. Regulations are fine and indeed, perhaps necessary. However, no government control. Period. I don't trust government with my data. They already have enough information about me and I don't want them to have another layer of information and control over my life. I'm pretty sure there are millions of others with the same sentiment.
Every personal health record is owned by the patient. It is hosted at a Microsoft or Google or elsewhere so that security can be applied, and so that interoperability can be maintained with the Electronic Health Records (EHRs) on which it's based. Now why do people get into the PHR business? Motives vary. Microsoft wants to support its EHR customers. Google wants to sell ads against your data and interests. Insurers want to maintain "customer control." TANSTAAFL. An "alert system" should be automatic. Access to any PHR does not happen without the consumer initiating it in some way, unless there's a break-in. And we do get notice of break-ins. Many states, Georgia included, have laws requiring that you be allowed to get a free copy of your credit score every year. Yet even here we have a lot of people buying the "free" credit score advertised on TV, which isn't free at all but requires the purchase of a subscription to a service designed to deliver alerts. Allowing not-free to masquerade as free only feeds the paranoia. I want to see paranoia reduced. But in this case the way to do it is with government regulation.
and the ultimate owner of the record on the database is not the patient, then the system should never be undertaken. If people have the right to information on their credit records, they have an even bigger right when it comes to their medical records. Medical records are a lot more personal than their credit worthiness or credit histories.
Of course, that does bring us back to the original "luddite" problem, where the bigger and more complex something is, the harder it is to get people to understand and trust it. Selling "accountability" will be crucial.
however, even that should have a solution. How about if that issue is taken care of in the oversight arena? In other words, no one entity, should have governance or control over the database. The database should administered by a neutral player, but with oversight by multiple parties. The oversight parties can be from both the public sector and the government sector. The neutral administrator can be a Microsoft or a Google or an IBM or any other large and capable business entity. The government oversight body should be there to insure that access and administration is handled according to regulations and that no abuse can occur. A private oversight body can be composed of many different sectors of the economy, including businesses and hospitals and doctors and medical insurers and regular citizens. That way, they can all keep an eye on each other and abuse can be cut down. Whatever one sector wants to do with the database, all of the other oversight components must approve. Rules and regulations have to be predefined and no one entity can be superior to the others, not even the government side.
...if "reporters" would be. Was anyone ever punished for the "Joe" leaks or did the promised investigation just disappear into the miasma? If there were visible prosecution as the result of data leaks, that would go a long way towards convincing the public that this was an issue that was being taken seriously. I like adornoe's idea of notification of any time anyone looks at my data. The only problem I see with that is that I'm afraid that it is inevitable that there will be "exceptions" to the notification rule. (There always is)
To help alleviate the fears about a huge database of medical records, perhaps an alert system needs to be developed. I would call such a system: "Heads Up!" Alternately, it could also be called: "Access Alert!". In essence, if a medial record was accessed for anything at all, be it for update or for reading or browsing, the owner of that record would get an alert notice indicating that his or her record had activity performed against it. That alert would get automatically generated no matter who did the access, even if the record was updated by a doctor or by any third party, like the government or any kind of hospital or medical insurer. The alert should indicate what information was added or changed or updated. The total medical record does not need to be sent as part of the advisory. When it comes to the alert, even any kind of government access to the record should trigger an alert, even if it's just for "a government study" or a "research study". The alerts can generated for on-line viewing or as a letter for those who don't have access to computers or prefer a paper notice. A method should be provided that allows the patient to inquire further about the access.
We might start with making this a technical question instead of a political one. For every accusation against a Democrat (Obama wasn't President when the Joe the Plumber incident happened -- Bush was in office) abusing power with data, there are equivalent examples going the other way. It's bipartisan. The solution has to be bipartisan too. Or rather, non partisan. By which I mean it needs to be done by security professionals, and we need to understand that mistakes happen, at which point we use law enforcement. One more thing about Joe. It was reporters who abused his privacy, not anyone in government. And the reason was that, by putting himself forward as a spokesman for a point of view (which he did, deliberately) he made himself a public figure, according to the rules of Times vs. Sullivan. He wasn't just some sort of "Joe the Plumber" who came upon the President, we learned quickly. He was a political operative masquerading as a political naif. Now, how many reporters you want to put in jail for getting that stuff?
Americans may be suspicious of anyone but their doctors having their health information, but the fact is that it's the doctors that are going to put their information into computers. The stimulus bill included a very large dollar amount for encouraging doctors and hospitals to get electronic medical records, and penalties (in the form of lower payments from Medicare, the nation's largest payer of medical bills) if they aren't using electronic records in a meaningful way by 2015. Once the information is in the doctors' or hospitals' computers, they'll swap it as needed to facilitate care, and we'll all sign papers letting them do so because who wants ill-informed doctors? This is probably the single best thing that could happen to the system from a quality of care standpoint. The provider community and the payers (of whom the government is, let's not forget, the largest) will mine the data as needed, with identifiers stripped. They already do this extensively with hospital discharge summaries, but the data is of very bad quality and leads to many erroneous conclusions. At least being able to mine complete records should improve that situation quite a bit. All this is to say that this change will happen despite public paranoia, and in 15 years it will seem just as normal and innocuous as the ATM network, and ever so much more useful. Like the ATM network, it will suffer occasional breaches, but those won't be enough for the public to want to shut the whole thing down.
Exactly how many hours was it between the time that "Joe the Plumber" evoked an embarrassing answer from candidate Obama, and that his personal information was accessed by the accounts belonging to the office of the Ohio Attorney General, the Cuyahoga County Child Support Enforcement Agency and the Toledo Police Department? About 48? Of course, he wasn't alone. Obama had passport data looked over. And Sarah Palin had numerous data breech incidents. Okay, so that's not likely to happen to most people. However, nearly everybody personally knows at least one ordinary somebody who's had their ID stolen and has had to deal with the collateral damage that results. The point is that when it comes to the security of data of the most personal nature, I don't think you need to be a luddite in order to have a legitimate concern. On the other end of the equation, the government has a dismal history of managing large IT projects. Just name any alphabet agency (FBI, FAA, CIA, IRS...) and you'll have an example of massive projects where billions were spent with little to show for it. So the cynicism comes legitimately, and it's going to take more than hope and change to alter that impression as well. That said, I actually do agree with you in that in order to move forward and make health care more efficient, we need to overcome our paranoia. As a systems analyst who has spent an adult lifetime figuring out stuff like this, I get thoroughly frustrated every time I go to a new provider and have to spend a half hour filling out the same information. Why can't I beam in all of this ahead of time? I also agree with you that data mining (minus personally identifiable information) could be invaluable for research of all kinds, as well as identifying preventable disease trends. It might even eventually lead to cost savings. (although not enough to pay for everything they fantasize about paying for) So we agree. Now what? You say "Technologists, engineers, scientists, and IT professionals need to understand this fact and push back against it. Progress remains controversial." We already get that. The question is, exactly how do we do it?