For many years I have been saying that we, as individuals, are the de facto Health Information Exchange. The Healthcare industry has spent billions trying to work around this simple truth. It seems that this idea is finally poised to gain traction.
Recently Bill Crounse wrote an article for THCB ( Cracking the Code on Health Information Exchange. Is It Time to Wipe the Slate Clean and Start Anew?) It was promoting HealthVault but it came along around the same time as a piece on the HIMSS blog by Mark Branning and Brad Tritle ( It’s time to C-ME (see me): Consumer Mediated Exchange ) – both are promoting the third type of HHS sanctioned Health Information Exchange: The Consumer Mediated Exchange (C-ME). Other groups are referring to this type of Exchange as a Health Record Trust or Health Record Bank. I will stick with Consumer Mediated Exchange or C-ME for short.
Does a Consumer-Mediated Exchange have to be HIPAA Compliant?
The big question for me, which I don’t believe has been addressed, for the C-ME is: Does a Consumer-Mediated Exchange have to be HIPAA compliant? Let me be clear about this question. I am not advocating that C-ME’s be built to any less rigorous a standard as other systems that secure valuable personal data. Security is always a balancing act. Balancing risk with other factors: cost, usability, etc.
I want to see C-MEs built with world class security, encryption and monitoring. But let me give you just one example of a potential benefit of not being bound by HIPAA:
- If a C-ME was running on Amazon Web Services achieving HIPAA compliance imposes a cost through running Dedicated VM instances in a VPC.
- While AWS EC2 and S3 services are covered under HIPAA via an AWS BA Agreement newer services, like Glacier, are not. Therefore if bound by HIPAA a C-ME could perform backups to AWS S3 at $0.03/GB. However, if a C-ME were to encrypt backups and store them on AWS Glacier the cost would drop to $0.01/GB – A third of the cost.
Not being bound by HIPAA will give C-MEs the flexibility to take advantage of emerging cloud-based technologies, without the additional costs associated with HIPAA compliance.
I believe the question has big implications for the viability of C-MEs and Patients/Consumers being able to really control their health and related data.
Let’s start with some assumptions
In looking at this issue let’s start with some base assumptions:
- Any organization that is acting on behalf of a Covered Entity is a Business Associate (BA) and basically assumes the same responsibilities. These responsibilities pass down to any sub-contractor or service providers that may come in contact with Protected Health Information (PHI). it also applies responsibilities and accountability to individuals within those organizations.
- A Covered Entity or BA that handles PHI must put in place controls and protections to secure, monitor and account for the acquisition, use and disposal of PHI as defined in the HIPAA Privacy and Security Rules.
- A Patient, or their designated Personal Representative, can request and receive a copy of their health data.
- A patient is at liberty to use and share their health data in any way they see fit.
BlueButton and Direct Project enable data exchange
BlueButton and BlueButton+ have been developed to enable the customer to acquire an electronic copy of their health, clinical and claims data from healthcare organizations that have provided them with services. As such, BlueButton and the closely associated Direct Project are critical components in enabling C-MEs to exist.
Who does a C-ME answer to?
The accountability of a C-ME is a critical factor. C-MEs should be independent and accountable to the Patient/Customer/Member. When this is the case a C-ME can act on behalf of the Patient (I will refer to the Patient as a Member from here on). The C-ME is guided by the Member’s privacy selections and directions. In this scenario the C-ME is NOT a Covered Entity. This position is further supported by the C-ME acting as the designated Personal Representative of the Member in the acquisition, storage and management of the Member’s health data.
The C-ME is not handling PHI on behalf of a covered entity. It is handling PHI on behalf of the member.
Can a C-ME interact with Covered Entities?
Yes!
C-MEs can interact with Healthcare organizations that are Covered Entities and their Business Associates as long as the Primary Relationship is with the Member and the C-ME manages the interaction with the Covered Entity within the scope of the Member’s privacy selections. Here is a simple example:
The C-ME Member has visited their doctor and had a lab test. The member is having a follow up meeting with their doctor to discuss the lab test results. In preparation for the meeting the member instructs the C-ME to release the results of similar lab tests from previous years to the doctor so that the doctor can see the trend of the results over time.
In this scenario, a truly Consumer-Mediated Exchange is neither a Covered Entity, or a Business Associate of a Covered Entity. If this is the case then even if a C-ME has interactions with a Covered Entity, or their Business Associates, it does not become a Business Associate itself.
Why are C-MEs important to the future of Healthcare?
The Electronic Medical Records (EMR) maintained by Hospital Systems and Insurers contain a rapidly diminishing fraction of the personal data that measures a patient’s health and well being. These EMRs have traditionally operated as islands within the Healthcare ecosystem. They have been largely focused on the immediate treatment and billing of a health episode.
Mobile Apps and wearable devices are generating billions of data points. The vast majority of this data is outside the purview of the Medical Professional and the EMRs that thy have access to.
Patients with complicated health conditions can end up interacting with many different parts of the health system. Some of these interactions are with traditional healthcare providers but a growing emphasis is being placed on wellness. The vast majority of wellness-oriented interactions are with non-clinical entities, or managed by the individual themselves.
C-MEs provide the platform for Individuals to seamlessly integrate the data from these diverse data sources.
C-MEs also provide the platform for individuals to choose to donate their health and related data. David Harlow has an article on the potential power of health data donation. The critical factor, and the key strength of a C-ME, is putting the control of the use of their health data in the hands of the individual. This doesn’t have to be hard or complicated but Member control is CRUCIAL. It is the principal that is at the heart of the Medyear.com, a new C-ME platform that gives members granular control of their health data in an easy and essentially familiar manner.
What is the business model for the C-ME?
Trust is job one.
For a C-ME to succeed as a viable platform the Member’s privacy preferences have to be at the heart of everything. There are many organizations in and around Healthcare that place a high (monetary) value on health data. The business opportunities for a C-ME fall into a number of areas. Let’s look at just two:
- A C-ME can provide data to organizations that need research data. The C-ME can provide a marketplace that allows Members to choose organizations, or causes that they wish to donate to. Data Donation can take place at various levels of anonymity or identification at the control of the member.
- As the number of health related data sources grows the economics of information storage and analytics increasingly work against individual organizations. Again, under the Member’s control, the C-ME can be given permission to release elements of a member’s data to the medical professionals and organizations that they interact with. These organizations can search and analyze the data they have access to, without having to take on the management of the growing health data timeline of the individual.
What are your thoughts about the future of Consumer-Mediated Exchanges?
Isn’t it time that we are able to consolidate and control our own health data?
via WordPress http://2.healthca.mp/1i2docm
