Tuesday, June 21, 2011

Meaningful Use: Portals, Portals everywhere but not a way to share (#MeaningfulUse #hcdc #healthapps #dchealth)

I was reading an article in Contactless News about "HealthCare Providers seeking convergence" in Identity Management as Meaningful Use criteria come in to play in the HealthCare field. It got me thinking about the future for Patients in a world of Patient Portals.
Meaningful Use
Meaningful use demands that
"health care data be kept confidential, private and secure, accurate, shareable with patients as well as providers, mobile and exchangeable, and readily available." A tall order!
My fear is that we are headed for a situation where patients are tossed in to the sea of meaningful use without a care for the big picture from the patient's perspective. Why do I fear this?
HealthCare providers, payers and other data handlers in the Industry are still mired in 1990's technology approaches in how they control their data, or rather; the data that they manage. The emerging interpretation of Meaningful Use is the application of the old style approach - The Patient Portal. 
Don't get me wrong - there is nothing wrong with a Patient Portal per se. Just look at the level of engagement that Kaiser Permanente have achieved by providing their patients/members with a usable and useful patient portal. But Kaiser Permanente is one of those exceptions - they are an integrated system. For the vast majority of consumers who are not receiving care via an integrated health system the situation is about to become vastly more complicated."

Portals, Portals Everywhere
For Providers to comply with Meaningful Use they will no doubt deliver a Patient Portal. Many of the Practice Management Systems provide the capability almost out of the box. 
But what happens when a patient is needing to visit the Primary Care Physician, a couple of specialists, may be a surgery center, a retail clinic and the local hospital? How many Portals will they have to navigate? How will they get a comprehensive view of their records?

Paranoid Security Reduces Security
In order to comply with HIPAA regulations I can see HealthCare providers implementing complex userid and password requirements. Not letting patients reuse a password, having different rules that prevent the same password being used in multiple systems. Again, don't get me wrong, these are all commendable steps to secure data. But when a patient is managing multiple systems and user accounts the end result is that if they can't easily remember a userid and password they will either write it down, or just hit the password reset button and have a new password setup via an email mechanism. 
Is this really better security?
There Is An Alternative
There are two steps that HealthCare Industry system providers can adopt that can dramatically improve this situation:
1. Adopt OpenID/OAuth for Authentication. 
2. Support the Rainbow button Initiative

1. OpenID/OAuth

OpenID/OAuth is broadly the process by which Facebook and Twitter allow users to connect their respective account to another service. The benefit of this is that a user can login to another service using their Facebook or Twitter account credentials - without ever revealing their account password to the new service.  The big advantage of this is that there are fewer password resets because the user is making use of a userid and password combination that they use on a regular basis and therefore are more likely to remember.
OpenID/OAuth is already being adopted by the Federal Government to allow citizens to login to federal websites. If it is good enough for the Government shouldn't it be good enough for HealthCare. The Twitter Authentication mechanism is also being baked in to the core of Apple's iOS 5 making it a standard across hundreds of millions of Apple devices.
I urge every HealthCare Portal developer to integrate Single Sign-on using OpenID/OAuth. Development libraries are available from companies like JanRain. I implemented the JanRain Library on HealthCa.mp in about an hour using a JanRain plugin for Wordpress. If you want to be a really proactive developer you can fully implement OpenId/OAuth so that your portal account can act as credentials to connect to other sites. This is something that any Health Care Payer organization should be thinking about.
The big win for the member/patient is that as patient portals proliferate life doesn't have to get more complicated. When they have to connect to a new Patient Portal they can reuse their account credentials from elsewhere. This can even simplify account setup on a new portal by allowing basic demographic data to be taken from the source account. e.g. Name, Address, Email, Gender, Date of Birth.

2. Support the Rainbow Button Initiative

At Patients 2.0 and 
HealthCa.mp we have been supporting the VA/HHS Blue Button Initiative and have promoted an expansion of the concept - The Rainbow Button Initiative. I urge all Patient Portal Providers to implement the Rainbow Button idea:

Blue Button - Download my Health Data to my computer using a standard format

Green Button - Allow me to donate my health data anonymously to another organization 

White Button - Allow me to send/upload my detailed Health Data to another Provider (or copy me when my data is sent between providers)

Red Button - Lock elements of my Health Record I do not want to be shared.

By implementing these simple buttons a Portal provider can give Patients a simple set of tools to manage their Health Records. Allowing them to import and export their data.

Act Now Before It Gets Too Complicated

If we don't take steps in these early days of Meaningful Use to provide tools, like single sign-on and data interchange buttons, to simplify life for Patients then we will be creating yet another overly complicated, archaic monster that patients are forced to navigate around. 
Failure to act will chalk up Meaningful Use as yet another great idea that becomes a barrier to better health in it's implementation. After all, we have been here before. HIPAA was about Portability and yet it became just another form to fill in and an excuse for locking up data from patients while still freely sharing it amongst industry business partners.