Using Privacy as Currency: Bringing the PHR to Market

Several years ago, people were growing concerned about their privacy online.  The entire idea was somewhat nebulous, but rooted in the fear that if your personal information was available for anyone to consume, anyone could assume your identity.  Many fingers were pointed at social networks and the cloud for invading the privacy of their users.  While there are examples of times when the storage of personal information was abused, it’s important to recognize that personal information is almost always willingly provided by the individual, particularly when sacrificing a level of privacy returns some modicum of value.  Facebook would not be here today were it not for this subtle economic exchange.

Privacy has always been an issue with health information, and with the continued movement of medical information systems online – the challenges that will be posed will be overwhelming.  At a recent conference of HIMSS – the Healthcare Information and Management Systems Society – I spoke with someone working on solving the problem of protecting individual elements of PHI – allowing one doctor to see certain parts of my medical record, and forbidding access to that information by another practitioner.  His question was: how do you do this in a way that is easy?

I didn’t have an answer for him, largely because the problem isn’t a simple one to solve.  It’s expensive to implement PKI for medical records.  Implementing PKI for individual slices of the record?  Now that may simply be unattainable.

Privacy and security are expensive non-functional requirements in the healthcare IT space.  HIPAA undoubtedly keeps many a CTO awake at night.  The challenges of ensuring that medical records are secure and portable at the same time pose system challenges at each step: de-identification of relationally stored data, encryption of all transactions between systems, understanding authority and ownership of medical data, and on and on.  Yet with all of these non-functionals in play – the healthcare IT world is what it is and struggles to emerge from an outdated evolutionary model to something that is 2.0.

Consumer-oriented tools like personal health repositories are prime cases.  Where the 2.0 revolution for the rest of the web looked to convince people that privacy had determinate value, healthcare walks into the 2.0 world with very ingrained ideas of what levels of privacy are not only demanded, but required.  Facebook never had to contend with rules and regulations that required de-identification of such trivial data as who you are related to.  Healthcare faces an uphill battle in that these rules are fairly well established already.  Innovation that requires the entrepreneur to confront these issues may well be stifled by the sheer overhead of considering the privacy implications of each feature to be implemented.  History has shown us that people are willing to sacrifice privacy if the information they provide to a service results in greater value delivered.  Personal finance darling mint.com has thrived by convincing people that the information they provide around their personal finances will result in Mint being able to deliver services that they would otherwise be unable to deliver.  Mint simply had to overcome suspicions and fears by the consumer.  Healthcare ventures need to overcome barriers articulating these consumer uncertainties as law.

This drag on innovation and time to market is accurately reflected in the lag that is so readily evident in healthcare driving a consumer-centric model in technology as compared to other industries.  Whenever you introduce non-functional requirements to a project – requirements not immediately measured by the user – you add overhead that delays time to market.  This is precisely why Massachusetts Governor Deval Patrick considered granting a waiver to stimulus-funded construction projects for compliance with ADA accessibility standards.  He recognized that the cost and delay of adding additional requirements on the project may jeopardize timely completion, and ultimately – funding.  The outcry at the very idea may very well have been justified, but the motivators are still the same – projects demonstrate the most progress when they are completed to the point that they are largely usable – not entirely usable.

Some may argue that the road to hell is paved with good intentions, and that ignoring ADA compliance would simply trade one vice for another.  But perhaps with all that is at stake with the funding proposed as part of federal fiscal plans over the next two years, we should take a hard look at HIPAA and think about whether it can be treated as a suggestion rather than a rule in the vision that usable healthcare IT in the marketplace will solve the hard problems, leaving the mundane stuff for later when it doesn’t jeopardize progress.

Ryan Norris is a technical architect at Medullan. He has a background working with physicians and clients in the eHealth space in developing and delivering solutions that better interconnect providers and create more informed patients through extensible service architectures and highly-usable interfaces.
