HealthVault – A Step in the Right Direction

October 4th, 2007

October 4, 2007 — Today, Microsoft announced their HealthVault(tm), a secure consumer-controlled repository for health and medical records available to all consumers at no charge. It was described as a consumer-centric approach to addressing fragmentation of health information — in other words, a health record bank. Microsoft’s recognition of the need for such a repository is thoughtful and positive, and the release of HealthVault will do much to focus the discussion about health information infrastructure toward the health record banking approach. It may even be important in moving the nation forward in solving the problem of making your complete health records available whenever and wherever you may seek medical care. This posting explores this important new development — what it is, what it isn’t, and how it relates to solving the overall problem.

Health Record Banking

As those of you who’ve been following this blog know, health record banking involves establishing consumer-controlled repositories that hold complete copies of each person’s medical record. Like all good ideas, health record banking is fundamentally simple. Each person keeps an up-to-date copy of their lifetime health record in an “account” with a health record bank (HRB). All access to the information in the account is controlled by the account-holder (the consumer), who makes the information available to health care providers whenever necessary. Each consumer may also access their own record as needed.

HRBs would have exclusive responsibility as the agent of each consumer, and would be required to follow stringent privacy and confidentiality practices to protect the information (either via open and transparent community oversight or legally-mandated government regulation). HRBs would provide everything needed for an effective nationwide health information infrastructure: 1) consumer-controlled access to complete medical records; 2) financial sustainability; 3) incentives for physicians to acquire and use electronic health record (EHR) systems in their offices; 4) privacy protection; 5) stakeholder cooperation; and 6) availability of health data for consumer-authorized secondary uses such as medical research.

Through consumer-authorized searching, HRBs would promote appropriate secondary use of electronic health care information. When public health authorities or medical researchers query HRB(s), information from all account-holders that have agreed to allow that particular use of their data would be searched. Confidentiality can be assured by limiting the response to the query to only the number of records that meet whatever criteria were submitted (so no actual patient data is released). If needed, a message to be sent to each account-holder matching the query conditions could be included. This would, for example, allow notification of account-holders of their eligibility for a clinical trial (see the previous posting on this topic for more details). If fees are charged, the revenue could be shared with account-holders as an incentive to allow such use.

HRBs can also provide incentives for physician EHR adoption and use. The HRB would either pay a small fee for each deposit of a standardized electronic report of an outpatient encounter, or provide very low-cost access to an EHR system to physicians via the Internet. This would help ensure that all patient information was electronic — a requirement that is not being addressed in current efforts. These HRB incentives explicitly recognize that the benefits of physician office EHRs primarily accrue to other healthcare stakeholders. Note that this would also allow HRBs to enforce standardization of health care information — payments for deposits would be contingent on following standards and HRBs would only provide EHRs that did so.

HealthVault in the Context of Health Record Banking

So what does HealthVault do? Essentially, it can function as the “cubbyhole” server that makes individual complete records available for care (a previous posting describes implementing a health record bank with two servers — a “cubbyhole” server allowing access only to one record at a time for clinical care and a “searching” server for research queries). This of course depends on whether HealthVault is able to directly receive medical information from health care providers across the nation, certify the source of each data item, and ensure (to the satisfaction of physicians) that the information cannot be altered by consumers and therefore can be relied upon for decision-making. This would indeed be a major contribution.

In order for this to occur, consumers must be convinced that the information in HealthVault is totally under their control, and that its privacy and security is protected. Microsoft has taken major steps to ensure the security of HealthVault, and has also agreed to abide by the Privacy Principles of the Coalition for Patient Privacy, a major bipartisan health privacy advocacy group. They are seeking or have received outside independent security certification (backed by independent audit) and are doing the same in the privacy domain. Clearly, establishing trust with consumers is essential to the success of HealthVault.

HealthVault Does Not Fully Solve the Health Information Infrastructure Problem

However, HealthVault does not address at least two important functions required to solve the overall health information infrastructure problem. First, it does not provide for searching consumer health records. Of course, consumers can decide to send their data outside the HealthVault for searching, but then it is no longer in the protected environment. As previously discussed in this space, searching the data is critical not only for public health and medical research, but also for certain clinical functions such as notifying consumers when a drug they are taking has been withdrawn from the market. Therefore, a complete solution requires adding search capability.

Second, HealthVault does nothing to address the biggest problem of all with respect to electronic health records — that most of the information in doctors’ offices is still recorded on paper. Only about 1 in 5 physicians use an electronic health record (EHR) system today. While adoption of EHRs is continuing, it is slow — primarily because the business case for EHRs in physician offices is not good. Most of the benefits of such systems accrue to others in the health care sector besides the physicians. Therefore, physicians are reluctant to pay for them — and financial incentives for physicians are needed so that physicians will all convert to EHRs.

As noted above, health record banks can address this problem by either paying physicians for deposits of encounter reports (the eHealthTrust business model) and/or by directly providing low-cost Internet-based EHR systems to physicians funded by the revenue received by the health record bank. In the absence of such financial incentives for physician EHR adoption, most health records will remain paper based and cannot readily be stored or processed electronically.

HealthVault and Communities

For those communities working on establishing health record banks, HealthVault is good news even though it is not the solution for the entire problem. Now communities have the option to use HealthVault as their “cubbyhole” server — at no charge. To complete their health information infrastructure, communities still need to establish a trusted multi-stakeholder organization to provide local governance to ensure trust. That organization would then engage a for-profit health record bank service provider to establish and operate a secure searching server and deliver low-cost EHRs to physicians using an effective business model that ensures sustainability. While these are by no means trivial tasks, HealthVault may allow community health record banks to be established more quickly and more easily by supplying part of the needed infrastructure — thereby reducing the upfront investment requirement.

The real question is whether consumers will have sufficient trust to store their data in Microsoft’s HealthVault. Only time will tell.

Scrap the national IT plan … and do it right instead!

August 30th, 2007

by William A. Yasnoff, MD, PhD, and Deborah Peel, MD*

In a recent editorial, Modern Healthcare argues that the current national health information technology (IT) efforts should be abandoned since they can’t succeed unless “the federal government mandates a single healthcare information technology platform for all healthcare providers and heavily subsidizes its adoption.” While we agree that the current efforts are not progressing well, we are not willing to dismiss health information technology’s potential to improve care, increase efficiency, and reduce costs.

Health Record Banks and Consent Management Tools Can Overcome Problems with Current Health IT Efforts

Over the past several years, more than enough time and energy has been spent trying to automate our existing, inadequate system of health information “exchange” between various healthcare stakeholders. Not only have these efforts failed to solve the problem of making complete patient records available, they are also numbingly complex, frighteningly expensive, and a massive threat to privacy. It is time to use ‘smart’ technology and build a system of Health Record Banks that can provide more complete electronic patient information with informed consent whenever and wherever needed. Health record banks with independent consent management tools that automate the process of obtaining permission for each release of information can make the records needed for safe and effective medical care available while fully protecting every individual’s right to health information privacy.

Health Record Banks (HRBs) would provide everything needed for an effective nationwide health information system: 1) consumer-controlled access to medical records; 2) financial sustainability; 3) incentives for physicians to acquire and use electronic health record (EHR) systems in their offices; 4) ironclad privacy protection; 5) stakeholder cooperation; and 6) access to health data for consumer-authorized secondary uses such as medical research.

Each person would keep an up-to-date copy of their lifetime health record in an HRB “account.” All access to the information in the account would be controlled by the account-holder (the consumer), who would give permission for the necessary information to be available to health care providers. Each consumer would also have access to their own record, and could add and amend information as desired. All HRB record entries would be marked as to the source of the information. The Health Record Banking Alliance (HRBA) has been established to promote this approach to health information infrastructure.

Independent consent management tools would allow consumers to exercise control of access to each and every data field of their personal health information by specifying (and changing as needed) who has permission to see each item.

How Health Record Banks Work

When seeking care, the account-holder would identify their HRB, having previously granted permission for the caregiver to access his/her records (either all or part) through a secure Internet portal. Confidentiality can be assured when data is sent from the bank to a provider by contractually requiring its use only for the purpose(s) that the patient approved. When the care episode is completed, the caregiver would then transmit any new information generated to that same account in the HRB to be deposited in the account-holder’s lifetime health record.

HRBs themselves would have exclusive responsibility as the agent of each consumer, and would be required to follow stringent privacy and confidentiality practices to protect the information (either via open and transparent community oversight or legally-mandated government regulation). The Independent Health Record Trust bill recently introduced in Congress by Representatives Moore (D-KS) and Ryan (R-WI) with 48 bipartisan cosponsors (HR 2991) would create such a regulatory framework.

HRB operations would be inexpensive — less than $1/person/month once the number of customers is large (over 1 million). This small cost could be paid directly by patients or be included in health insurance benefit plans. Even if the health care savings generated from the availability of more complete patient information amounted to just a small fraction of the published estimates of about 8% of health care costs ($40+/person/month), HRBs would pay for themselves many times over.

How Independent Consent Management Tools Work

Consent management tools permit consumers to instantly give or rescind permission to access their data electronically, set standing consents for data access in emergencies or any routine situation, and view complete audit trails of all uses and disclosures of their personal health information. Keeping all consents in a single independent location is convenient for consumers and makes it unnecessary to set up or remember to change permissions at every place of treatment and with every health professional or organization that holds, stores, or transmits their personal health information. Instead, all data holders would have to check electronically with each person’s consent management system before transmitting or disclosing any data to anyone. And consumers can easily monitor all access and uses of their health records because they will have audit trails of disclosure of their health records in one place.
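The check-before-disclosure flow described above, as an added example that is not part of the original posting or of any real consent product: a data holder asks an independent consent service which requested fields it may release, and every decision, including denials, is written to the consumer's audit trail. The class, function and field names and the sample record are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class ConsentService:
    """Constructed model of an independent consent store (hypothetical API)."""
    grants: dict = field(default_factory=dict)     # (patient, recipient) -> allowed field names
    emergency: dict = field(default_factory=dict)  # patient -> fields released in an emergency
    audit: list = field(default_factory=list)      # append-only log of every decision

    def grant(self, patient, recipient, fields):
        self.grants.setdefault((patient, recipient), set()).update(fields)

    def rescind(self, patient, recipient, fields=None):
        """Withdraw the named fields, or every field when `fields` is None."""
        held = self.grants.get((patient, recipient), set())
        if fields is None:
            held.clear()
        else:
            held.difference_update(fields)

    def set_emergency_consent(self, patient, fields):
        """Standing consent: fields any clinician may see in a declared emergency."""
        self.emergency[patient] = set(fields)

    def check(self, patient, recipient, requested, purpose, emergency=False):
        """Return the subset of `requested` the patient allows. Default is deny."""
        allowed = set(self.grants.get((patient, recipient), set()))
        if emergency:
            allowed |= self.emergency.get(patient, set())
        released = set(requested) & allowed
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "patient": patient,
            "recipient": recipient,
            "purpose": purpose,
            "emergency": emergency,
            "released": sorted(released),
            "denied": sorted(set(requested) - released),
        })
        return released

    def audit_trail(self, patient):
        """Everything the consumer can review: who asked, for what, and the outcome."""
        return [entry for entry in self.audit if entry["patient"] == patient]


def disclose(record, consent, patient, recipient, requested, purpose, emergency=False):
    """Data-holder side: release only what the consent service approved."""
    released = consent.check(patient, recipient, requested, purpose, emergency)
    return {name: record[name] for name in sorted(released) if name in record}


# Constructed sample record held by one data holder.
SAMPLE_RECORD = {
    "allergies": ["sulfa"],
    "medications": ["lisinopril"],
    "psychiatric_notes": "(constructed placeholder text)",
}

if __name__ == "__main__":
    svc = ConsentService()
    svc.grant("pat-1", "dr-cardio", {"allergies", "medications"})
    svc.set_emergency_consent("pat-1", {"allergies"})
    print(disclose(SAMPLE_RECORD, svc, "pat-1", "dr-cardio",
                   ["allergies", "medications", "psychiatric_notes"], "treatment"))
    print(disclose(SAMPLE_RECORD, svc, "pat-1", "dr-oncall",
                   ["allergies", "medications"], "emergency care", emergency=True))
    for entry in svc.audit_trail("pat-1"):
        print(entry)
```
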

Consent management tools are also inexpensive: consumers or organizations representing consumers can pay nominal fees to obtain them or be given the tools in exchange for transaction payments from data users to independent consent management tool vendors.

Health Record Banks Can Provide Physician EHR Incentives

HRBs can also provide incentives for physician EHR adoption and use. The HRB would either pay a small fee for each deposit of a standardized electronic report of an outpatient encounter, or provide free access to an EHR system to physicians via the Internet. This would help ensure that all patient information was electronic — a requirement that is not being addressed in current efforts. These HRB incentives explicitly recognize that the benefits of physician office EHRs primarily accrue to other healthcare stakeholders. Note that this would also allow HRBs to enforce standardization of health care information — payments for deposits would be contingent on following standards and HRBs would only provide EHRs that did so.

Health Record Banks Protect Privacy While Enabling Consumer-approved Secondary Data Access

Privacy protection would be assured because no HRB would allow access to any information for any purpose without the patient’s permission. In essence, the HRBs would provide “electronic safe deposit boxes” for each consumer’s medical records. Stakeholder cooperation would be assured because it is the patient who requests copies of his/her records for deposit in the HRB. Under HIPAA (the Health Insurance Portability and Accountability Act), patients already have the right to such copies.

Finally, HRBs promote appropriate secondary access to electronic health care information. When public health authorities or medical researchers query HRB(s), information from all account-holders that have agreed to allow that particular use of their data would be searched. Confidentiality can be assured by limiting the response to a query to the number of records that meet whatever criteria were submitted. The actual data would not be released to any researchers or public officials unless required by federal statute, assuring that consumers can participate without any risk of data or identity theft or loss of privacy. If needed, a message can be sent privately to each account-holder matching the query conditions. This would, for example, allow notification of account-holders of their eligibility for a clinical trial (see the previous posting on this topic for more details). If fees are charged for data access, the revenue could be shared with account-holders as an incentive to allow such use.


So we agree — let’s scrap the current national health IT efforts … and use smart technology instead. With health record banks and independent consent management tools, we can build an electronic health system that delivers all the benefits we want and ensures that privacy rights are strengthened and preserved—so consumers will actually be willing to participate in electronic health record systems. Communities such as Louisville, KY, Washington State, and Texas are already on the HRB path — why not yours?


*Dr. Peel, co-author of this blog posting, is Founder and Chair of the Patient Privacy Rights Foundation, and leads the bipartisan Coalition for Patient Privacy. She is a practicing Board-certified psychiatrist and Freudian psychoanalyst and earned her MD at the University of Texas Medical Branch in Galveston. Modern Healthcare recently named her #4 in their list of the 100 most powerful people in healthcare in 2007.

Health Record Banks Facilitate Consumer Control and Promote Privacy

March 3rd, 2007

Michael Porter’s Support for Health Record Banks

Many advocates of health care system reform have been avidly reading Redefining Health Care by Michael E. Porter and Elizabeth Olmsted Teisberg (Boston: Harvard Business School Press, 2006), which advocates moving to a system of value-based competition based on results. In it, the authors clearly recommend the health record banking approach:

“Today, medical records are scattered. There are separate records at individual physician offices and at various treatment facilities. Specialists usually send summaries to the patient’s primary care provider or family physician, not the full record of their care. Records are not kept in a form that is easy to integrate.

Current proposals for records management aim to facilitate requests for records, when needed, from the various providers (the so-called pointer system). However, this approach is cumbersome, technologically questionable, and inherently costly. Patients need to have ownership of their own medical records. They need a secure, complete personal medical record that is all in one trusted place (though there is no need for everyone’s records to be in the same place). Electronic availability (with appropriate permission) will enable records access on a timely basis and in emergency settings.

A trusted third party will be needed to play the role of maintaining, accumulating, and verifying the patient’s records and making them available when, and only when, the patient has given approval.” (page 272)

As work continues across the U.S. and elsewhere to build health information infrastructure (HII) allowing “anytime anywhere access to complete patient information and decision support,” a consensus appears to be emerging on the closely related issues of consumer control to assure privacy and the need for health record banks that is consistent with Porter and Teisberg’s views.

Patient Control of Access to Their Electronic Health Information

With respect to patient control of access to their own health records, a recent report entitled “The Way Forward for NHS Health Informatics” from the British Computer Society reviewed the HII efforts in the U.K. and recommended that “… informed patient consent should be paramount [in the sharing of electronic patient data].” (recommendation 1.12 on page 4)

At the January, 2007, Nationwide Health Information Network (NHIN) Forum in Washington, DC, all four of the vendors demonstrating prototype architectures and every other speaker who discussed the topic agreed that patients should control all access to their electronic medical information. Interestingly, there was essentially no discussion or questioning with respect to this point — it appears to now be an accepted conclusion.

The idea of patient control is not new. Mandl et al suggested this as a key principle in an article in the British Medical Journal in 2001. What makes the recent developments remarkable is that this truly patient-centric view has not been clearly articulated before (at least in the context of an NHIN meeting), much less accepted as a key requirement.

This is a very positive development, as it seems clear that the general public will not accept electronic health information systems unless individuals control access to their own records. For example, in a 2005 national survey, 79% of respondents indicated access to such information should require their permission. There is good justification for this. As Mandl et al point out, “If patients feel that they have no control over the fate of their medical information, they might fail to disclose important medical data or even avoid seeking medical care because of concern over denial of insurance, loss of employment or housing, or stigmatisation and embarrassment.”

Finally, Dr. Robert Kolodner, Interim National Coordinator for Health Information Technology at the U.S. Department of Health and Human Services, announced this past week that the upcoming RFPs for “trial implementations” of community HII systems would require technology implementations that allow patients to control the detailed flow of their own information — deciding how they “view, store, and control access.” In this way, the technology will be able to support consumer control at the data item level. While providing such control in health record systems is not currently required by law or policy, incorporating these capabilities ensures that the “technology will not drive the policy” with respect to privacy. This is a wise and prudent approach to HII technology.

Need for Health Record Banks for Secondary Data Use

Another interesting development at the January NHIN Forum was the acknowledgement by all four of the prototype developers that efficient secondary use of electronic health information required the establishment of one or more data repositories to facilitate searching. Activities such as identifying subjects for clinical trials, public health monitoring of disease trends, and assessing potential unexpected outcomes of therapeutic interventions on a population basis, clearly require the availability of searchable databases. As has been pointed out in previous postings here, this creates a need for health record banks where copies of complete patient records can be accumulated under strict patient control.

The provision of consumer control at the data item level will also require the health record bank approach, since it is extremely difficult to provide consumers with the ability to decide what information they wish to share unless the information itself is available to be directly linked to consumer permissions.

The Time Has Come for Health Record Bank Implementation

The State of Washington has recently recognized the advantages of the health record bank approach to HII. After a 16-month process of study and review, the Washington State Health Information Infrastructure Advisory Board (HIIAB) (created by the Legislature) released its final report in December, 2006, recommending the development of multiple health record banks containing consumer-controlled copies of health records from multiple sources. The Governor’s request for $9 million in seed funding for implementation efforts is now being considered by the Legislature.

As I indicated in a recent editorial, it is time for health record banks to be built and made available to consumers. Hopefully, 2007 will be the year that we begin to build the foundation for a safer, higher quality health care system by creating the health record banks consumers need to make their complete electronic medical records available for their care while fully protecting their privacy.

Protecting Privacy While Searching Health Record Banks

December 10th, 2006

The Value of Health Record Bank Information

Searching electronic health information in health record banks could be incredibly valuable for medical research and public health. Imagine what we might discover if we could rapidly and easily examine the medical records of many thousands of patients across the nation with a specific type of heart disease or cancer to determine which therapies are most effective! Today, such studies take years and cost millions of dollars, while only including relatively small numbers of subjects.

Health record bank information could also be invaluable to protect public health. For example, in the anthrax attacks in Fall 2001, there were seven cases of skin anthrax in the New York City area in the two weeks BEFORE the “first” case was detected in Florida (see Lipton E, Johnson K: The Anthrax Trail: Tracking Bioterror’s Tangled Course. New York Times, Section A, p. 1, 12/26/2001). Monitoring for such unusual events in an electronic health record bank could have found those earlier cases, raising the alarm sooner and allowing lives (and money) to be saved.

While the benefits of such searching are clear, all of us have a legitimate and realistic fear that such activities could seriously compromise the privacy of our sensitive medical information. So is it somehow possible for all of us to benefit from the knowledge that could be extracted from health record banks without having to compromise the privacy of our personal medical information? The answer is “yes” – and in this posting I will describe one approach to accomplishing this.

How Health Record Bank Searching Could Work

Imagine a system of health record banks across the country, with each person having their complete electronic health records stored in the bank of their choice. You control all access to your records, and have given permission for your information to be used for research and public health – as long as your information is not released as part of that use. How would a medical researcher utilize this data?

A query to the health record banks would look something like this: “How many patients are between age 45 and 54, more than 20% above their ideal weight, have ever had an abnormally high blood sugar, and had a blood pressure reading more than 10% above normal in the last 90 days?” This would be sent to all the health record banks (through a coordinating entity) and each bank would produce two results: 1) a count of the number of patients matching those characteristics; 2) some demographic data about those patients (e.g. percentage male/female). The results from all the health record banks would be combined by the coordinating entity and delivered to the researcher.

Note that in this process no one’s individual information has been released. Small alterations would be made in the counts and demographic outputs to be sure that no individual could be indirectly identified with subsequent queries (e.g. two queries with a count differing by “one”). This latter procedure, known as statistical disclosure control, is already done very effectively with data from the U.S. Census Bureau for the same reason.
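The query flow and count alteration described above, as an added example that is not part of the original posting: each bank searches only consenting account-holders, alters its counts before they leave the bank, and a coordinating entity combines the answers. The posting does not say which alteration is used; suppression of small cells plus rounding to a base of 5 is assumed here, and all names, thresholds and patient data are constructed.

```python
from collections import Counter

ROUND_BASE = 5  # assumption: counts are released only as multiples of 5
MIN_CELL = 5    # assumption: counts below this are suppressed to 0


def protect(n):
    """Suppress small cells, then round to the nearest multiple of ROUND_BASE."""
    if n < MIN_CELL:
        return 0
    return (n + ROUND_BASE // 2) // ROUND_BASE * ROUND_BASE


def page_query(p):
    """The posting's sample query, expressed over constructed field names."""
    return (45 <= p["age"] <= 54
            and p["pct_over_ideal_weight"] > 20
            and p["ever_high_glucose"]
            and p["bp_pct_over_normal_90d"] > 10)


def narrowed_query(p):
    """Same query with one extra criterion that happens to exclude one person."""
    return page_query(p) and p["age"] != 47


class HealthRecordBank:
    def __init__(self, name, patients):
        self.name = name
        self.patients = patients

    def _hits(self, predicate):
        # Only account-holders who agreed to this use are ever searched.
        return [p for p in self.patients if p["research_consent"] and predicate(p)]

    def exact_count(self, predicate):
        """Internal figure, shown for comparison; it never leaves the bank."""
        return len(self._hits(predicate))

    def answer(self, predicate):
        """What the bank sends to the coordinating entity: protected counts only."""
        hits = self._hits(predicate)
        by_sex = Counter(p["sex"] for p in hits)
        return {"count": protect(len(hits)), "female": protect(by_sex["F"])}


def coordinate(banks, predicate):
    """Coordinating entity: combine per-bank answers into one result."""
    answers = [bank.answer(predicate) for bank in banks]
    total = sum(a["count"] for a in answers)
    female = sum(a["female"] for a in answers)
    return {"count": total,
            "pct_female": round(100 * female / total) if total else None}


def make_patient(pid, sex, age=50, match=True, consent=True):
    """Constructed record; `match` controls whether it satisfies page_query."""
    return {"id": pid, "sex": sex, "age": age,
            "pct_over_ideal_weight": 25 if match else 5,
            "ever_high_glucose": True, "bp_pct_over_normal_90d": 15,
            "research_consent": consent}


# Constructed data: bank A has 12 consenting matches (one aged 47),
# 3 matching patients who did not consent, and 4 non-matching patients.
BANK_A = HealthRecordBank("A",
    [make_patient("A-0", "F", age=47)]
    + [make_patient(f"A-{i}", "F") for i in range(1, 7)]
    + [make_patient(f"A-{i}", "M") for i in range(7, 12)]
    + [make_patient(f"A-{i}", "F", consent=False) for i in range(12, 15)]
    + [make_patient(f"A-{i}", "M", match=False) for i in range(15, 19)])
BANK_B = HealthRecordBank("B",
    [make_patient(f"B-{i}", "F") for i in range(5)]
    + [make_patient(f"B-{i}", "M") for i in range(5, 8)])
BANKS = [BANK_A, BANK_B]

if __name__ == "__main__":
    # Exact counts differ by one (12 vs 11); the released answers are identical.
    print(BANK_A.exact_count(page_query), BANK_A.exact_count(narrowed_query))
    print(coordinate(BANKS, page_query))
    print(coordinate(BANKS, narrowed_query))
```

Deterministic rounding is the simplest form of this control: two queries whose exact counts straddle a rounding boundary would still return different answers, which is why randomized rounding or added noise are the usual stronger variants.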

Recruiting Volunteers for Clinical Trials

If the researcher was trying to recruit volunteers for a clinical trial, a message could be delivered to the patients that match the desired characteristics. The message would explain the clinical trial, the advantages and disadvantages of participation, and provide information about how to contact the researcher. Any further inquiries would be up to the patient, and there would be no obligation to respond to such a message. Note that the researchers would not know to whom their message was sent – they would only have an approximate count of the number of recipients.

If, after the first query, the researcher wanted to know more about this particular patient population (such as what medications they are taking), subsequent queries with additional “matching elements” could be submitted.

Why This Approach Protects Privacy

This methodology allows researchers to get the information needed for studies of various types without the need to release any medical information about individuals. It also eliminates the problem inherent in releasing so-called “de-identified” subsets of data – which is that often such data can be “re-identified” by linking it to other datasets (see L. Sweeney. k-anonymity: a model for protecting privacy. International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, 10 (5), 2002; 557-570). The risk of such re-identification is never zero – while it can be low, there is always some risk. The system described here avoids even that small risk.

Sharing the Benefits with the Owners of the Information

Finally, I believe that the value of the data should be shared with the patients who own it (i.e. you). Those who wish to submit queries should pay fees to do so, and patients who allow their data to be searched in this way should receive the majority of the revenue generated from those searches. In this way, your “deposits” of medical information in your health record bank account can earn “interest.” This is similar to the way grocery store chains compensate you with price discounts for sharing your purchasing information via “affinity cards.”

Of course, participation in such searching should be voluntary, and no one should be forced to allow their data to be used this way without their consent.


By allowing searching with patient consent while limiting the results of such searches to counts and basic demographic information, privacy can be protected. Patients would also receive fair compensation for the value of their information through sharing of the revenue from search fees. In this way, all of us can simultaneously retain the privacy of our sensitive medical information while we collectively enjoy the benefits from knowledge gained through population-based analysis.

A Call to Policymakers for Regulated Health Record Banks

November 19th, 2006

Previously in this space, I’ve explained why your health records need to be in one place, and how a health record banking system can provide this service for everyone. Recently, I described the case for health record banks and encouraged policymakers to establish regulation for them in a speech at the Annual Meeting of the National Foundation of Women Legislators:

Good Morning. I’d like to talk with you about our “so-called” health care system — which is not about health, does not really care, and is completely unworthy of the word “system.” As we all know, our medical care is both unsafe – lots of medical errors and preventable deaths — and increasingly expensive.

This morning I’m going to highlight the problems caused by our paper-based health records, tell you one person’s story, lay out a vision of the health information system we need, and finally explain how the problem can be solved, including your role in the process.

Problems caused by paper-based health records

As you go from place to place to place to get health care, you leave a paper record of your care at each place. No one has the complete picture — and even if they had all the records, they are not very helpful in paper form. Since health care occurs in this mostly “information-free” zone, its inefficiency and uneven quality are not really surprising.

One person’s story

Let me tell you about one person’s health care experience. My friend’s 69-year-old mother Diane was in good health and enjoying an active retirement. One weekend, she developed symptoms of a urinary tract infection. By Sunday night, she was in so much distress that she finally called her regular doctor, who of course was unavailable. When she reached the on-call physician, he agreed that she had a urinary tract infection and prescribed an antibiotic. Diane, who was by then in great discomfort, immediately filled the prescription at her closest 24-hour pharmacy and began taking the medicine. Instead of feeling better, she got worse and worse and finally lost consciousness. Her husband took her to the emergency room in the middle of the night and she was admitted to the hospital. She spent nearly two weeks there suffering from multiple organ failure with one complication after another. In the end, the doctors were not able to save her. The original antibiotic that was prescribed for her urinary tract infection contained sulfa, which she was allergic to. The on-call doctor had no records reflecting this known allergy. Diane’s husband and four children are devastated.

So how can we prevent more tragedies like Diane’s?

The health information system we need

We need a health information system that always makes complete patient records available — giving health professionals immediate and efficient access to the information required for diagnosis and treatment.

We need a health information system that will reduce errors. Our doctors make more decisions in the exam room than pilots make when landing a plane — yet we provide pilots with scores of instruments and warning systems to prevent errors.

We need a health information system that will improve quality. Even our best hospitals and doctors fail to give some patients the best and latest treatments. It takes a shocking 10 to 17 years for new discoveries to be routinely used.

We need a health information system that provides consumers with the ability to access and control a copy of their medical records that is immediately available when and where needed — and otherwise completely private and secure. Consumers must have the tools to participate actively in their own care.

We need a health information system that empowers consumers — that allows them to communicate with their doctors electronically, to receive their own test results, and to record their own medical data from home.

We need a health information system that can do all these things regardless of where the physician and patient are — so that an illness or injury while traveling can be handled as safely away from home as it is at home.

And we need a health information system that allows public health officials to detect patterns of disease — so that outbreaks and bioterrorism can be spotted early, when interventions can save lives and prevent the further spread of disease.

Everyone from Newt Gingrich to Hillary Clinton agrees with this — and the good news is that we can have such a health information system and improve efficiency at the same time. Let me tell you how.

How the problem can be solved

The solution is to empower each consumer to own and control an electronic copy of all their health records in a Health Record Bank. This health record bank would serve as the designated agent of the consumer to store and safeguard a complete copy of her medical records and make them available (in full or in part) solely as she directs. An institution is needed (as opposed to having each consumer hold their own records) to allow for worldwide immediate availability of health records coupled with ironclad computer security to protect privacy.

Whenever care is received, the prior records would be available (with consumer permission) from the health record bank, and the new information generated would be deposited in the consumer’s account. Each bank would have three standard transaction windows: withdrawal — for access to records, deposit — to accept new records, and search — to accept search requests from authorized medical researchers and public health authorities. There would be many competing health record banks, and each consumer would have an account at the bank of their choice.

Many business models are possible to fund health record banks. My preference is the eHealthTrust model, in which the patient pays a very modest monthly charge ($5 or less), which can be a covered health insurance benefit. The bank would pay physicians small fees for electronic deposits of standardized reports of clinical encounters — to overcome the existing financial barriers for the acquisition and use of electronic medical records in their practices.

The need for regulation

What can you do to help make this a reality? Health record banks must be regulated to ensure that they operate in a safe, effective, and trustworthy manner. Regulation must first reinforce patient control — for both primary and secondary use of health records. It must also guarantee privacy of the records by requiring state-of-the-art security practices backed up by regular independent audits — with serious penalties for violations. Bills to accomplish this were introduced in both Houses of Congress in this session, and will be reintroduced next year. Regulation can also be done at the state level. Your efforts are needed to help create an environment where health record banks can flourish.


In our health care system today, errors are common, quality is inconsistent, and efficiency is poor. Medical records and transactions are paper-based, information is not readily accessible, and treatment decisions are overly dependent on human memory. In U.S. hospitals alone, there are as many as 98,000 preventable tragedies like Diane’s every year — equivalent to a jumbo jet crash with no survivors every day. With your help to promote the growth of health record banks, we can ensure accurate and complete records for everyone while rigorously protecting privacy.

Thank you very much.

Exposing the Myths of Health Information Infrastructure

August 27th, 2006

There is lots of discussion today in communities across the country about health information infrastructure. As people consider the issue, I thought it would be helpful to explore some of the myths and misconceptions about specific approaches and strategies that have been suggested to provide for the availability of complete patient records when and where needed.

Myth #1: The patient-carried record

One of the most popular and persistent myths of health information infrastructure is the patient-carried record. The idea is that if every person just carried their complete medical record, then it would be available for use whenever necessary. The record could be stored on a smart card, a USB drive, or some similar small and portable medium. Every site of care would have readers, and new information created at each visit would be written to the patient-carried record.

This idea is very appealing in its simplicity and low cost. On first glance, it appears to solve the problem, assuming that everyone could agree on the format of the stored records and obtain the needed hardware/software to read and write them (which would not necessarily be easy).

However, there are two serious flaws in this approach. First, what happens when the patient-carried record is lost, damaged, or destroyed? This can easily happen in a car accident, for example. Not only would the record itself be unavailable for the immediate need, but there would be no way to easily reconstruct it since there is no backup. To solve this latter problem, each person could have a second, backup record that they keep at home or in another “safe” location. However, that backup record would also not be accessible when needed for care UNLESS there was a backup location that could be reached electronically, i.e. via the Internet. However, if there is a backup of the patient-carried record available via a secure Internet portal, then why do you need a patient-carried version at all? The patient-carried record itself is the real backup in this case, and a relatively expensive one at that (compared to having a backup of all the records at the secure Internet portal). Furthermore, medical records available via a secure Internet portal would immediately be accessible from anywhere in the world without additional hardware and software, eliminating the need for everyone to have readers for the patient-carried version.

The second flaw in the patient-carried record approach is the problem of keeping it updated. This approach assumes that all medical information is generated when the patient (and the patient-carried record) are present — allowing the patient-carried record to receive the new information. But when x-rays are interpreted or blood test results are generated, the patient is rarely present. How would such information get to the patient-carried record? It might be argued that the next time any medical care is needed, the patient-carried record could be updated with this new information. But how would that information get to the next site of care (since we don’t necessarily know in advance where it might be)? Where would the new information be “held” until it can be downloaded to the patient-carried record? Would the new information be e-mailed to the patient? In that case, what if the patient forgets to do the update? Or doesn’t have e-mail or a computer? Clearly, it would be problematic to keep the patient-carried record up-to-date.

This is not to say that there is no role for patient-carried medical information. An up-to-date summary of problems, allergies, medications, and recent lab results could be very helpful IF patients would carry them. However, depending on this as a solution for delivering complete patient information when and where needed is not realistic.

Myth #2: Your medical record stored on your home computer

This idea is that everyone could just keep their complete medical records on their own home computer. After all, many people are already doing this with their financial information by integrating the data from multiple institutions. However, aside from the obvious problem that not everyone has a home computer, this approach does not work for your medical records. Unlike financial data, medical information may be urgently needed on a moment’s notice, and most likely the need will not be when you are at home with access to your computer. How would your doctor or hospital get access to the record in your home computer? Theoretically, you could leave your computer connected to the Internet and enabled for remote access. But then each person would need to implement and operate a highly secure portal to their computer to assure that there was no improper access and that viruses, worms, or hackers did not damage or destroy their medical records. In addition, each person would need to provide for backup power and telecommunications capability to ensure 24/7 availability, not to mention off-site backup of the information so it could be recovered in a disaster. Clearly, such efforts by individuals would be both unrealistic and prohibitively expensive. So this is not a viable solution.

This does not mean that having your medical records on your home computer is a bad idea — it could actually be very helpful. But your home computer is not a good place to have the copy of your medical records that is intended to be available for your care whenever and wherever needed.

Myth #3: “Google-like” retrieval of your medical records

Everyone is familiar with the impressive search capabilities of Google and other Internet search engines. With just a few keywords, they can rapidly find relevant information from (literally) billions of web pages. Why not use this capability to find your medical records — wherever they are located — and make them available for your care (assuming they were all electronic and accessible via the Internet in a way that protected your privacy)?

First of all, if this could be easily done, Google and others would already be doing it. The fact that they aren’t immediately tells you that there are fundamental problems. In my view, the most important problem is that Internet searching represents a type of information retrieval known as “non-deterministic”. In plain English, this means that the results of the search are never perfect — not all the items that should be found are actually found, and not every item displayed is one that is really relevant to the search. This is not a criticism of the search methods — they work really well — but is just inherent in the use of techniques for finding relevant documents.

In contrast, “deterministic” searching is what is done with computer databases. When someone searches their Accounts Receivable database to see which customers have balances over $500, the expectation is that the result will include every customer with such a balance and not any others. In this case, if the search did not work this way, we would say that there was an “error” and that the software was not working properly. When you search your Contacts file for “Mary Turner,” you expect to only find that name and you’d be puzzled if “John Tucker” also showed up in the results.

One reason it doesn’t work this way when using keywords to search for documents is that the “relevance” of a given document is itself not completely clear, and often depends on the context of the use of those key words (as well as human interpretation). For example, a search for “diabetes treatment” is highly likely to find a document with the phrase “… and this has nothing whatsoever to do with diabetes treatment” or “… this is in contrast to diabetes treatment, which is outside the scope of this discussion.” While these contain the phrase we are looking for, they are unlikely to be of interest.

Another reason document searching is challenging is that documents themselves are “free text” — not formatted into specific “fields” with known values. It is not easy for a computer to figure out the major topics of a 5000-word document (even people often find this difficult). Contrast this to a database where each item is in a “field” with a specific known format and meaning (e.g. phone number). When you know exactly where to find a specific piece of information and what it means, then a computer can easily retrieve it when asked. These two different search methods are also known as information vs. data retrieval.

So when searching for documents based on keywords, there is no absolutely reliable marker in each document that an algorithm can use to determine if that document is really relevant. The process is more like “pattern recognition” — trying to decide if the words in a document form a pattern that is consistent with what the query is requesting. In contrast, when searching the Accounts Receivable for balances over $500, it is easy to look specifically at the balance field and decide if it does or does not meet the “over $500” condition.

Getting back to medical records, many of which are also “free text,” it would clearly be unworkable to use document retrieval methods to find them. It would not be an acceptable response to a request for your records to locate 60-80% of them while also finding many records belonging to others. To be useful, a medical record retrieval method must find 100% of your records and none belonging to anyone else. Because of their inherently non-deterministic nature, no document retrieval method can do that.

But, you might ask, why not just label every one of my records with my name and a unique identifier so it can easily be found? That would solve the problem, but you’d no longer be using document retrieval (where you look for words), but database retrieval where you look in specific fields for specific values. The latter is not what Google and the other Internet search engines do.
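The contrast drawn above between keyword (document) retrieval and field (database) retrieval, as an added example that is not part of the original post. The sample notes, the `patient_id` field, and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: (record_id, patient_id field, free-text note).
# Records 1-3 belong to Mary Turner (P-1001); record 4 belongs to John Tucker.
RECORDS = [
    (1, "P-1001", "Mary Turner seen for follow-up; blood pressure stable."),
    (2, "P-1001", "Pt M. Turner reports sulfa allergy. Avoid sulfonamides."),
    (3, "P-1001", "Lab results reviewed with patient; no changes."),
    (4, "P-2002", "John Tucker. Emergency contact is his sister, Mary Turner."),
]


def tokenize(text):
    """Lower-case the text and split it into alphanumeric words."""
    return re.findall(r"[a-z0-9]+", text.lower())


def build_index(records):
    """Inverted index over the free text: word -> set of record ids."""
    index = defaultdict(set)
    for record_id, _patient_id, note in records:
        for word in tokenize(note):
            index[word].add(record_id)
    return index


def keyword_search(index, query):
    """Document retrieval: records whose text contains every query word."""
    postings = [index.get(word, set()) for word in tokenize(query)]
    return set.intersection(*postings) if postings else set()


def field_search(records, patient_id):
    """Data retrieval: exact match on the identifier field, text ignored."""
    return {rid for rid, pid, _note in records if pid == patient_id}


def precision_recall(found, truth):
    """Fraction of found records that are correct, and of correct ones found."""
    hits = len(found & truth)
    precision = hits / len(found) if found else 0.0
    recall = hits / len(truth) if truth else 0.0
    return precision, recall


if __name__ == "__main__":
    truth = field_search(RECORDS, "P-1001")
    by_words = keyword_search(build_index(RECORDS), "Mary Turner")
    # The keyword search misses records 2 and 3 (name abbreviated or absent)
    # and returns record 4, which is another patient's record.
    print("field lookup  :", sorted(truth))
    print("keyword search:", sorted(by_words), precision_recall(by_words, truth))
```

The wrongly returned record is a disclosure of another patient's data, and the missed allergy note is the kind of omission the post's requirement of "100% of your records and none belonging to anyone else" is meant to rule out.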


Hopefully, the discussion of these myths will be helpful to you in considering how to approach the development of community health information infrastructure. For more information on a feasible and practical approach for building health information infrastructure in communities, please check out the previous posting on health record banking. As always, your feedback, comments, and additional thoughts are welcome.

Managing Change in the Context of a Community Health Information Infrastructure

July 16th, 2006

Building health information infrastructure in communities is very challenging. One important reason is that it requires fundamental changes in how nearly everyone in health care does their job every day. Such massive change is never easy — and is never easy to manage. I’m assuming that since you’re reading this, you are involved in some fashion in trying to implement health information infrastructure in your community. Therefore, you are likely to find that your efforts, while well-intentioned, are not always welcome or productive. In an effort to help you navigate through the problems of managing change, I wanted to share some observations that may be helpful.

Resistance to Change
First and foremost, the world doesn’t want to be changed. Organizations are not “resistant to change,” but are established and designed purposely to prevent change. Processes are constructed for the express purpose of executing the same (previously successful) steps over and over — ostensibly to produce future success. This is totally rational. After all, you wouldn’t want an organization to invent a process for producing payroll checks from scratch every pay period. No — the efficient organization develops a process, documents it, hires staff to run it, and expects it to be done the same way every time. But this does not make the process amenable to needed change — quite the contrary, it is (and is designed to be) resistant to it. Just as a car simply will not fly unless you add wings, fighting against this basic characteristic of organizations is fruitless. If you want to change things in an organization, you’ll need to understand how to help reconfigure it — figuratively to “add wings” — to accommodate the new techniques. Simply pointing out the benefits of the “new way” is not an effective approach.

Change is not Welcome
Second, you should also recognize that as a change agent, you will not be welcomed, honored, or lauded — at least until sometime after the change is complete and proven successful (and maybe not even then). Even if what you are suggesting is the most reasonable, sensible, life-saving, and cost-effective idea, don’t expect congratulations followed by rapid adoption. Recall that it took the British Navy nearly 200 years to adopt the use of citrus fruit to prevent scurvy after it was clearly proven to be effective in a controlled trial. In order to adopt something new, people must first acknowledge — to some degree — that their current thinking is wrong. This is typically quite difficult — can you think of someone you know who doesn’t believe his or her current opinions are correct?

Likeability Trumps Good Ideas
A third key to success as a change agent is to recognize that your likeability is orders of magnitude more important than the desirable characteristics of whatever change you are proposing. It is obvious — but often overlooked — that organizational decisions are made by human beings. And human beings are not computers, and do not process facts and figures without emotion. Quite the contrary — they will typically use facts and figures to justify what they “feel” is right. And when they “feel” good about the person proposing change, they will be more likely to listen to the new idea and adopt it, even if it is not objectively terrific. So if you want to be a successful change agent, work hard on perfecting your social skills.

Change Must not be too Fast
Fourth, you must recognize that change has a definite “speed limit.” While computer systems can be changed quickly, “peopleware” cannot be rapidly reprogrammed. People are comfortable doing pretty much the same things day after day. If you impose too large a change, it will be immediately rejected — folks will literally refuse to be part of the new system. So incremental approaches are always best. In addition, it is important to keep everyone well-informed by letting them know what is going to happen and how it will affect them. Such communication must be repeated multiple times to be sure that it really reaches everyone.

Listening to Stakeholders is Key to Successful Change
Fifth, and perhaps most importantly, you must learn to listen — really listen — to all those who may be affected by the proposed change — and then you must act on what you hear. Listening is a mostly underdeveloped skill in today’s world. When communicating, most people are too busy thinking about their next response to really pay attention to what the other person is saying. There are many techniques that can help. One is simply repeating back what you thought you heard in the form of a question. For example, “did you say that it is more important for a change agent to be likeable than to have the best solution?” This forces you to listen and allows the other person to correct any misperceptions right away.

Once you are really listening, shape your plan based on what you’ve heard. Give people what they want — not what you think they need! And start meeting their objectives as quickly as possible so you can earn their trust. That trust will go a long way in later stages when things inevitably do not go so smoothly. Also, you should note carefully any potential negative impacts expressed to you, and work diligently to minimize them.

To summarize, here are some key lessons about being a “change agent”:

  1) the world is organized for stability — not change, so recognize the need to reconfigure organizations as part of the change process
  2) the change agent is not welcome, so expect an uphill battle
  3) your likeability is vastly more important than your ideas, so master social skills
  4) change has a maximum rate that you cannot exceed, so don’t even try to do so
  5) listening very carefully to the stakeholders and meeting their perceived needs is critical to success

As you pursue your own activities developing health information infrastructure, I hope these ideas are helpful. If you have additional lessons you’d like to share, please feel free to submit a comment.

    Next time: Exposing the myths of health information infrastructure

    Health Record Banking: A Practical Approach to the National Health Information Infrastructure

    June 21st, 2006

    In this space, I’ve been discussing various approaches to providing “anywhere anytime health information and decision support” (also known as “health information infrastructure” or HII) in communities. Now I believe a clear model is emerging that provides a practical approach to HII for the entire country: health record banking.

    What is Health Record Banking?

    Like all good ideas, health record banking is fundamentally simple. Each person keeps an up-to-date copy of their lifetime health record in an “account” with a “health record bank.” All access to the information in the account is controlled by the account-holder (the consumer), who makes the information available to health care providers whenever necessary. Each consumer may also access their own record as needed.

    Health Record Banks themselves would be non-profit organizations required to follow stringent privacy and confidentiality practices to protect the information (either via open and transparent community oversight or legally-mandated government regulation).

    How would Health Record Banks work?

    In order for this concept to work effectively, every Health Record Bank needs to have three virtual “transaction windows:”

  • Deposit window: where new medical records for account-holders are submitted

  • Withdrawal window: where health care providers (and others) authorized by the account-holder can access the medical records

  • Search window: where authorized public health authorities and medical researchers can submit inquiries to be run against the medical records of all the account-holders that have authorized such an inquiry

    With these three functions, all the medical record needs of account-holders can be accommodated. When seeking care, the account-holder would identify their Health Record Bank and give permission for the caregiver to access his/her records (either all or part) through a secure Internet portal. When the care episode is completed, the caregiver would then transmit any new information generated to the same account in the Health Record Bank to be added to the account-holder’s lifetime health record (through the Bank’s “deposit window”).

    When public health authorities or medical researchers need to search electronic health care information, they can submit queries to the relevant Health Record Bank(s). Each Bank would process the query using information from all account-holders that have agreed to allow that particular use of their data. If fees are charged, the revenue could be shared with account-holders as an incentive to allow such use. Confidentiality can be assured by limiting the response to the query to the number of records that meet whatever criteria were submitted. If needed, a message to be sent to each account-holder matching the query conditions could be included. This would, for example, allow notification of account-holders of their eligibility for a clinical trial.
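The three windows described above, modeled with the account-holder's consent checked at each one, as an added example that is not code from the original post or from any health record bank. The class and method names, the per-category grants, the audit list, and the sample accounts are assumptions made for illustration.

```python
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a request is not covered by the account-holder's consent."""


@dataclass
class Account:
    holder: str
    entries: list = field(default_factory=list)        # deposited entries
    grants: dict = field(default_factory=dict)         # provider -> categories
    search_consent: set = field(default_factory=set)   # purposes agreed to
    inbox: list = field(default_factory=list)          # messages relayed by bank


class HealthRecordBank:
    ALL = "*"  # a grant covering the whole record ("all" rather than "part")

    def __init__(self):
        self.accounts = {}
        self.audit = []  # assumption: each window logs every request

    def open_account(self, account_id, holder):
        self.accounts[account_id] = Account(holder)

    # Consent is recorded only on the account-holder's instruction.
    def grant(self, account_id, provider, categories=(ALL,)):
        self.accounts[account_id].grants[provider] = set(categories)

    def revoke(self, account_id, provider):
        self.accounts[account_id].grants.pop(provider, None)

    def consent_to_search(self, account_id, purpose):
        self.accounts[account_id].search_consent.add(purpose)

    # Deposit window: new information is added to the lifetime record.
    def deposit(self, account_id, source, category, data):
        entry = {"source": source, "category": category, "data": data}
        self.accounts[account_id].entries.append(entry)
        self.audit.append(("deposit", source, account_id, True))

    # Withdrawal window: only granted providers, only granted categories.
    def withdraw(self, account_id, provider):
        allowed = self.accounts[account_id].grants.get(provider)
        self.audit.append(("withdraw", provider, account_id, allowed is not None))
        if allowed is None:
            raise AccessDenied(f"{provider} has no grant on {account_id}")
        return [e for e in self.accounts[account_id].entries
                if self.ALL in allowed or e["category"] in allowed]

    # Search window: runs only over accounts that agreed to this purpose and
    # returns a count, never the records. Assumption: the count is the number
    # of matching accounts (one lifetime record per account-holder).
    def search(self, requester, purpose, predicate, message=None):
        matches = 0
        for acct in self.accounts.values():
            if purpose not in acct.search_consent:
                continue
            if any(predicate(e) for e in acct.entries):
                matches += 1
                if message is not None:
                    acct.inbox.append(message)  # requester never sees who
        self.audit.append(("search", requester, purpose, True))
        return matches


def is_sulfa_allergy(entry):
    return entry["category"] == "allergy" and "sulfa" in entry["data"].lower()


def build_demo_bank():
    """Constructed sample: three accounts, one grant, two search consents."""
    bank = HealthRecordBank()
    for account_id, holder in [("acct-1", "A"), ("acct-2", "B"), ("acct-3", "C")]:
        bank.open_account(account_id, holder)
    bank.deposit("acct-1", "clinic-a", "allergy", "Sulfa: severe reaction")
    bank.deposit("acct-1", "clinic-a", "medication", "Lisinopril 10 mg")
    bank.deposit("acct-2", "clinic-b", "allergy", "Sulfa: rash")
    bank.deposit("acct-3", "clinic-c", "allergy", "Penicillin")
    bank.grant("acct-1", "on-call-md", categories=("allergy",))  # part only
    bank.consent_to_search("acct-1", "research")
    bank.consent_to_search("acct-3", "research")  # acct-2 has not agreed
    return bank


if __name__ == "__main__":
    bank = build_demo_bank()
    print(bank.withdraw("acct-1", "on-call-md"))
    print(bank.search("researcher-1", "research", is_sulfa_allergy,
                      message="You may be eligible for a clinical trial."))
```

Two sample accounts hold a sulfa allergy, but the search returns 1 because only one of them consented to research use; the trial message reaches that account-holder without the requester learning who it is.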

    Thus, health record banking provides all the functionality needed for the national health information infrastructure (NHII). As described in detail in last month’s posting, it is essential to have each person’s lifetime health record stored in one place (and carefully protected) — such as a Health Record Bank. When this is done, there is no need for the Health Record Banks to communicate with each other — except when there is an occasional need to transfer an account from one Bank to another.

    How can Health Record Banks be financed?

    However, the question of how to finance the creation and sustainability of Health Record Banks must still be addressed. One approach to this is the eHealthTrust model where consumers pay $5/month for an account, and the revenue is used to both operate the Bank and pay physicians about $3/encounter to amortize the acquisition and use of electronic health record (EHR) systems in their offices. However, other business models may also be used as long as there is sufficient revenue to create and operate the health record bank, and a mechanism is developed to ensure that physicians have EHRs in their offices.

    What is the origin of the Health Record Banking idea?

    It is also important to acknowledge that health record banking is not a new idea. I believe the first description of the concept was in an article in the July/August 2000 issue of MD Computing by Peter Ramsaroop and Marion J. Ball (A Model for More Useful Patient Health Records. MD Computing, 17(4):45-48) {If anyone knows of an earlier mention of the idea, please submit a comment}. In any case, in 2000 it was clearly an idea that was ahead of its time.

    Health Record Banking is gaining momentum

    Health record banking has been getting more attention in the past few weeks. Senator Brownback (R-Kansas) introduced S. 3454, the “Independent Health Record Banking Act” on June 8th. An identical bill (HR 5559) was introduced in the House by Representatives Dennis Moore (D-Kansas) and Paul Ryan (R-Wisconsin). It would provide a legal basis for health record banks, requiring them to be non-profit entities subject to both Federal and State regulation. Cerner Corporation has posted additional information about this proposal.

    Besides this legislation, Kansas City has previously indicated that it will be creating a Health Record Bank for its HII, and the Governor of Rhode Island recently announced legislative approval of a $20 million bond issue to fund development of a statewide “central EHR repository.” Of course, Louisville has previously announced its intention to build a health record bank using the eHealthTrust business model. So the list of communities that are pursuing health record banking is growing.


    In conclusion, I believe that Health Record Banking represents a practical and achievable approach to achieving the benefits we all seek from health information infrastructure. Accordingly, we will be hearing much more about it over the next several months (and years). What do you think?

    Next time: Managing Change in the Context of a Community Health Information Infrastructure
    (with apologies to those who’ve been waiting for my post on this topic)

    Why Your Complete Lifetime Health Record Needs to be Stored in a Single Location

    May 22nd, 2006

    There is widespread agreement that having your complete lifetime health record (LHR) immediately available when needed could save your life, improve the quality of your medical care, and save money. Today, most people receive their care from many different specialists and institutions, resulting in records that are scattered among multiple locations. Even if all those scattered records are electronic, no one in the health care “system” has your complete lifetime health record. If you try to keep all the records yourself, as many folks with chronic diseases already do, these will likely be on paper and therefore not easy to use. Furthermore, can you be sure you will always have your records with you in an emergency?

    So it’s clear that we all need a way to have our complete LHR available. Efforts are now underway across the country to address this problem. The key question is, “How exactly should we do this?”

    Need for Community Focus

    Everyone also agrees that these efforts should focus on communities. This is because health care is primarily local — you get the vast majority of your health care in your own community. Even if you get sick or have an accident when you are traveling, you will return home for your care as soon as you can. Therefore, the information needed for your LHR is nearly all in your home community and it will primarily be used there.

    So in each community, the issue of how to best do this is being discussed and debated. One thing is very clear — there should be a secure place where authorized personnel can access your LHR electronically when you need medical care. Where should that place be? And how should it operate?

    Where Should Your Lifetime Health Record Be?

    Alternative 1: Smart Card/USB Drive

    To be useful, your LHR must be immediately accessible whenever you need medical care. One way of doing this that is often mentioned is for each person to carry their LHR in electronic form (either on a smart card or USB drive). There are at least two problems with this approach: first, the device with your LHR may be lost or damaged. This means that there must be a backup at some other location that is immediately available (which rules out your home PC). If there is a backup immediately available electronically from a secure place, what value is added by the smart card/USB drive? In fact, it is the device you carry that is the backup — and an added cost.

    Second, there is no way to update a smart card/USB drive without it being present. This would be fine if all medical information were generated when you were there, but this is clearly not the case. Results of your lab tests, interpretations of x-rays, and consultation summaries created by your doctors are all examples of information that is produced in your absence. So your physical device would not be up-to-date with the latest information.

    Alternative 2: Secure Internet Portal

    The other alternative is to have a secure location accessible via the Internet that allows authorized personnel to access your LHR. This is in fact the approach that most communities are pursuing. But there are two different ways to accomplish this: first, you could have a system that only keeps a record of where you’ve received care, but does not store any of your records. When needed, the system electronically requests your actual medical records from each place and puts them all together to create your LHR “on the fly.” I call this the “scattered model.” The second method is to have your complete LHR stored in a central database and ready for use when requested — the central repository.

    The Scattered Model — Gathering Your Records On-the-fly When Needed

    The scattered model has some appealing features. The system does not store your actual medical information — only a list of places where you have medical information. This means that less storage is needed, and that the information stored is not (for the most part) sensitive medical information, but the less worrisome data about which doctors and hospitals you’ve visited. On first glance, this seems to provide more information security, since the same folks that have your medical information now continue to have it. The idea is that your LHR is assembled only when needed from the existing sources.

    However, the scattered model has a number of serious flaws:

  • It does not provide for searching the data, which is needed for public health and medical research
  • It requires additional (expensive) software and hardware for every holder of health care information in the community
  • It is very expensive to operate, requiring substantial technical staff around the clock to assure that all the systems in the community can immediately provide records needed for an LHR
  • It requires real-time connections with every possible source of medical information in the nation (and ultimately the world) to be sure that your LHR will include every possible place where you may have records
  • Its response time is slow

    1. No searching of the data

    Although the primary purpose of making your LHR available is to improve your own health care, having electronic LHRs in the community would be invaluable for medical research and public health. Think of the possibilities — early detection of patterns of disease to spot disease outbreaks earlier, finding potential adverse effects of new medications, or pinpointing relationships between treatment alternatives. However, none of these can occur if the data cannot be easily searched — which is not feasible unless it’s stored in one place.

    With the scattered model, any search requires retrieving the “pieces” of each record and then examining the assembled whole. This must be done in sequential fashion — one record at a time — and therefore would be unbelievably slow (to the point of being impractical). The reason computer searches (like Google) are fast is primarily because the data has been “pre-searched” and the results deposited in an index (like the index of a book). When you request a search, the computer then merely goes to the index and finds the results. If you search for the presence of two terms at once, the results that appear in the index for both become the final result returned to you. Without the presence of such indexes, the data would need to be searched sequentially each time you ask a question — and it would take an unbelievably long time to get the results. It’s the computer equivalent of looking up a name in a phone book that’s in random order! Even with the speed of the computer, this is a VERY slow process.

    2. Additional (expensive) software and hardware

    The scattered model requires that every system holding medical information be able to respond immediately to queries. This would need to be done in addition to the routine tasks being addressed by each system. Both software to process the queries and additional hardware to prevent the slowdown of the primary work of the system would therefore be needed. Indeed, for large systems that would be queried often (such as those in hospitals), there would need to be a separate server with a copy of the data to handle the queries. Otherwise, the hospital would find it difficult to guarantee adequate response time for internal access to its own records. This additional hardware and software has a cost — which would be borne by every medical information system in the community. These costs would be especially burdensome to physicians, who already are struggling with the high cost of electronic health record systems for their offices — this is one of the key obstacles to widespread adoption (see Seven Keys to RHIO Success).

    3. Very expensive to operate

    The scattered model requires constant monitoring of all the medical information sources that may be queried. Naturally, those systems that do not respond properly to these periodic test queries would require troubleshooting. Since the number of medical information sources in a community would likely be in the thousands, even a small percentage of non-responding systems would be a significant number (for example, 1% of 3,000 systems would mean 30 problems). There are many possible underlying causes for such query failures which require substantial expertise to diagnose and remedy. To address the problem systems quickly, a substantial staff of senior network engineers would be needed — perhaps 10-15 people. Moreover, these folks would be needed around-the-clock since systems may fail at any time, and must be restored quickly to ensure that patient records being retrieved are always complete. The cost of this operational staff would be substantial — in the range of $10 million/year.

    4. Requires real-time connections to every possible source of medical information

    Every possible source of medical information would need to be connected to be sure that every part of each patient’s record is retrievable when needed. In addition to sources in the local community, any records of care given elsewhere (nationally and even internationally) must be connected. This means that interoperability across the nation (and the world) is a prerequisite to delivering complete records with the scattered model. Even if this were achievable, it clearly could not be done all at once, so patient records would be incomplete as the system was being implemented. Those sources of medical information that were not connected also would not be able to inform the scattered model system that they have information about the community’s patients, so not only would this data be absent from the retrieved patient records, but the fact that information was missing would not be apparent.

    5. Slow response time

    In the scattered model, the response time includes the query-response cycle to the central index, the secondary query-response cycle to the outside systems holding the patient information, and the aggregation of the secondary responses. The effective response time for the secondary queries is determined by the slowest system that is responding.

    Also, the number of secondary queries is likely to be substantial — at least 20 and probably closer to 100. Here’s why: Assume the average person has three medical encounters/year for a 70-year lifetime (210 total — rounded to 200 for simplicity). A simple estimate of the average number of sources needed for a typical query would be half these encounters (100). Then the number of secondary queries would vary depending on what percentage of these encounters were at places that had previously been visited. A very high average for repeat encounters would be about 80%, which would result in 20 secondary queries. A low average would be 0%, resulting in 100 secondary queries. This estimate also assumes that each encounter generates information at only one source — in reality, it is likely to be higher (for example, many encounters include lab results and/or prescriptions) which would further increase the average number of secondary queries.

    The expense and overhead for all these secondary queries is enormous — especially when you consider that they all must be repeated each and every time the patient needs medical care. And it’s very inefficient — once you have a care episode somewhere, their information system would need to be queried every time your records are needed for the remainder of your life!

    Overall, it will be very challenging to assure rapid response time with the scattered model, especially since it is dependent on so many outside systems.
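    The fan-out argument above can be put into numbers. The following model is an added example, not part of the original post: it takes the post's 20 and 100 secondary queries, reuses the 1% non-responding figure as an assumed per-source failure rate (treated as independent), and uses constructed latency values.

```python
import random
import statistics


def secondary_queries(sources_per_query=100, repeat_fraction=0.8):
    """The post's estimate: about 100 candidate sources, reduced by repeat visits."""
    return round(sources_per_query * (1.0 - repeat_fraction))


def p_complete(n_sources, p_source_down=0.01):
    """Chance that every source answers, assuming independent failures."""
    return (1.0 - p_source_down) ** n_sources


def scattered_response(index_rtt, source_rtts, aggregation):
    """Index lookup, then a parallel fan-out gated by the slowest source."""
    return index_rtt + max(source_rtts) + aggregation


def median_scattered(n_sources, trials=2000, seed=1):
    """Median fan-out time using constructed log-normal source latencies (seconds)."""
    rng = random.Random(seed)
    runs = [
        scattered_response(
            0.05,
            [rng.lognormvariate(-1.6, 0.8) for _ in range(n_sources)],
            0.02,
        )
        for _ in range(trials)
    ]
    return statistics.median(runs)


if __name__ == "__main__":
    for repeat in (0.8, 0.0):
        n = secondary_queries(repeat_fraction=repeat)
        print(
            f"{n:3d} secondary queries: "
            f"P(complete record) = {p_complete(n):.2f}, "
            f"median response = {median_scattered(n):.2f}s"
        )
```

    Under these assumptions a record assembled from 100 sources is complete only about a third of the time, and nothing in the response shows which part is missing.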

    The Central Repository — Storing Your Records Where They are Immediately Available

    The central repository eliminates the problems created by the scattered model. The data can easily be searched since it is all available in one place. The medical information systems in the community do not need to pay for extra hardware and software to handle thousands of queries, but merely transmit copies of new information to the central repository as it is produced. No complex interfacing to other systems is needed — only a mechanism to receive new medical information reports from other systems (which need not be identified in advance). Whenever you receive care, whether inside or outside the community, all that’s needed to update your LHR is to submit it JUST ONCE to the central repository. From then on, it will always be part of your LHR.

    The central repository is inexpensive to operate and maintain (since there are no complex real-time communications to monitor as with the scattered model), and it can be easily managed since the system is controlled at a single location (with backup elsewhere, of course, for reliability). The response time is rapid — just one query-response cycle — regardless of how many places you have received care.

    Public trust is clearly an issue since there is a natural fear of having all the medical information in a community in one place. However, this can be overcome with a trustworthy architecture. For example, the clinical records can be made available on a special secure server with a “stripped down” operating system that only provides the functions of authenticating the user and retrieving a single (complete) patient record. No searching or indexing capabilities would be present, so only one record at a time could be obtained — thereby limiting potential damage from intrusion. A decoy server with dummy data could also be established and a large prize (e.g. $100,000) offered to anyone who can penetrate the security. This would both reassure the community that the system is secure, and provide an appealing target for hackers who could claim the prize in exchange for exposing a security flaw (which would then be fixed). (Note that the security issues for the clinical record server are no different for the scattered model since it too provides a portal for access to individual records.)
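    A sketch of the retrieval-only interface described above, as an added example that is not part of the original post. The class name, method names, per-patient consent grants, audit log and sample data are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class ClinicalRecordServer:
    """Exposes one read operation: authenticate, then return one record by exact ID.

    There is deliberately no list, search or index method.
    """

    _ITERATIONS = 100_000  # constructed value for the example

    def __init__(self):
        self._records = {}    # patient_id -> complete record
        self._users = {}      # user -> (salt, password hash)
        self._grants = set()  # (user, patient_id) pairs approved by the patient
        self.audit = []       # (user, patient_id, outcome) for every attempt
        self._dummy = (secrets.token_bytes(16), b"\x00" * 32)

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self._ITERATIONS)

    # Provisioning calls: assumed to be reachable only from the operator side.
    def enroll(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt))

    def store(self, patient_id, record):
        self._records[patient_id] = record

    def grant(self, user, patient_id):
        self._grants.add((user, patient_id))

    def fetch(self, user, password, patient_id):
        """Return the record, or None with no hint about why it was refused."""
        salt, expected = self._users.get(user, self._dummy)
        # Hash even for unknown users so timing does not reveal valid names.
        authenticated = hmac.compare_digest(self._hash(password, salt), expected)
        authenticated = authenticated and user in self._users
        allowed = authenticated and (user, patient_id) in self._grants
        record = self._records.get(patient_id) if allowed else None
        outcome = ("ok" if record is not None
                   else "denied" if authenticated else "auth_failed")
        self.audit.append((user, patient_id, outcome))
        return record


def demo():
    srv = ClinicalRecordServer()
    srv.enroll("dr_lee", "correct horse battery")   # constructed sample data
    srv.store("P-1001", {"allergies": ["penicillin"]})
    srv.store("P-1002", {"allergies": []})
    srv.grant("dr_lee", "P-1001")                   # patient P-1001 consents
    results = [
        srv.fetch("dr_lee", "correct horse battery", "P-1001"),
        srv.fetch("dr_lee", "correct horse battery", "P-1002"),  # no consent
        srv.fetch("dr_lee", "wrong password", "P-1001"),
        srv.fetch("nobody", "x", "P-1001"),
    ]
    return results, [entry[2] for entry in srv.audit]
```

    Every refusal looks the same to the caller, while the audit log keeps the real reason for the oversight function to review.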

    A separate system would be used for searching the data for public health and medical research purposes (with the consent of each patient whose data is being used). It would have no phone lines or network connections, and therefore would be immune to outside electronic access. This research system would be loaded on a daily basis with hand-carried new information written on media by the clinical server. Of course, both the clinical and research servers would need to be housed in a high-security physical environment — such as a bank vault — and guarded just like a large amount of cash.

    One final thought: If gathering personal information on-the-fly was a good idea, why do all of the credit reporting agencies have central databases? Clearly, they each have very sophisticated information technology capabilities, as do the folks like Visa and Mastercard and the banks and merchants that send them data regularly. If it were cheaper/easier/smarter to gather up your information from all the various creditors only when your credit report was needed, why don’t they do it that way? The reason is simple: it is cheaper, simpler, more reliable, and more efficient to store the information in one place so it’s there when needed — just as it is for your lifetime health record. (Note that I am NOT suggesting that your LHR should be handled the same way as the credit bureaus handle your financial information — I am just pointing out how they organize the information).


    Although the idea of electronically assembling complete patient records from existing sources only when needed is initially appealing, the approach is unnecessarily complex and expensive, and does not allow the critical function of searching for public health and medical research. This helps explain why the small number of communities that have progressed furthest in the implementation of health information exchanges all store their data in a single location. It is clear that communities wishing to provide lifetime health records at a reasonable cost for their citizens should utilize central repositories.

    Next time: Managing Change in the Context of a Community Health Information Infrastructure

    Governance of Community Health Information Infrastructures

    April 17th, 2006

    One of the most critical elements in developing a health information infrastructure (HII) in a community is establishing an organization that can earn and maintain the trust of the community. Such trust is promoted by assuring that

  • consumers have complete control over their own information
  • the architecture of the information system is trustworthy
  • the organization itself is trustworthy

    Here we focus our attention on the last of these requirements, a trustworthy organization. What are the elements of a trustworthy organization in the context of a community HII?

    The organization operates solely in the interest of consumers

    Given the potential conflict between the interests of shareholders and consumers in a for-profit firm, most communities have chosen non-profit organizations to govern their HII. To maximize return on investment, the shareholders of a for-profit entity would naturally seek to generate substantial fees from granting access to the community’s healthcare information. The fiduciary responsibility of the corporate officers to the shareholders would in fact require this. Allowing the customers to have complete control over their own information would interfere with the ability of the organization to profit from it, creating a natural conflict. This problem is avoided in a non-profit, given that the key stakeholders (particularly consumers) are able to exercise control. Also, a non-profit can be operated primarily for the benefit of the customers, without reference to the need for adequate return on investment for shareholders.

    Among the multiple types of non-profit organizations, those commonly encountered in the community HII domain are the charitable organization {501(c)(3)} and the “social welfare” organization {501(c)(4)}. The major difference is that all the activities of the charitable organization must be for “public benefit,” while the social welfare organization is not held to such a strict standard in this regard (more info). As a result, contributions to a charitable organization are tax deductible, while those made to a social welfare organization are not. Another key difference is that charitable organizations are prohibited from engaging in lobbying activities.

    One consequence of these differences is that it is more difficult to establish a charitable 501(c)(3) organization, since the Internal Revenue Service (which must approve the designation) must be convinced about the pure “public benefit” of all the proposed activities. Because of this, and also the perceived need of HII organizations to be able to lobby, the 501(c)(4) social welfare organization is now being used more frequently. To my knowledge, the Indiana Health Information Exchange (IHIE) was the first HII to choose this latter form. Although contributions to such organizations are not tax deductible, the funds collected by an HII are typically for services rendered and therefore are deductible as business expenses in any case.

    In addition to being a non-profit organization, the HII’s membership agreement should ensure that the organization’s fiduciary responsibility is solely focused on consumers. It has even been suggested that a formal “trust” agreement would be appropriate, wherein the HII organization becomes the legal “trustee” of the consumer’s medical records, and therefore legally bound to act exclusively in the interest of the consumer (Kostyack P: The Emergence of the Health Information Trust).

    The leaders of the organization are representative of all community stakeholders

    Creating a Board of Directors for the HII organization that is representative of the community is a difficult and politically sensitive task. No established formula has yet emerged for accomplishing this, and each community has so far approached this issue a bit differently. However, it is possible to identify the key stakeholders that should be represented:

  • consumers
  • physicians
  • nurses
  • allied health professionals
  • pharmacists
  • hospitals
  • clinics
  • health plans & insurers
  • employers
  • Medicaid
  • government (as employer)
  • existing HII activities
  • medical school(s)
  • public health
  • privacy advocates

    In considering Board membership, the issue of including health information technology (HIT) vendors often arises. In general, it is problematic to include them on the Board because of its role in developing and issuing RFPs that vendors may bid on. However, when a potential vendor is also a large employer in the area, the issue of Board membership becomes more complex since employers must have representation.

    In Louisville, the creation of the Board is based on four groupings of stakeholders suggested by complexity science research. These groups are:

  1) purchasers of care (consumers, employers, Medicaid)
  2) producers of care (hospitals, clinics, long-term care facilities, pharmacies)
  3) practitioners (physicians, nurses, public health)
  4) resources for care (health plans, payers, HIT vendors, medical school)

    These four groups are given equal representation to create a balanced Board.

    The operations are subject to continual independent oversight with respect to privacy and confidentiality

    To earn and maintain public trust, it is imperative that HII organizations submit themselves to continual audit of their privacy and confidentiality practices. This is analogous to the requirement for financial audits of organizations — in this case, the valuable commodity that must be monitored involves information rather than money. Such an audit function can be established by creating an independent committee of the Board. Such a committee would ideally include representation from those in the community who are the strongest advocates of privacy. This group should be empowered to receive and investigate complaints, and issue public “report cards” detailing the performance of the HII in safeguarding medical information. Funding for this activity must not be dependent in any way on the content of its reports.


    Community support for developing an HII must be reflected in the development of an organization capable of guiding and governing the required activities. While a universally successful formula for creating such organizations has not yet emerged, using what has already been learned by others can shorten the process and increase the likelihood of a positive outcome.

    Next time: Managing Change in the Context of a Community Health Information Infrastructure