Patient control over patient data in electronic health records: A work in progress

Over the past six months, there has been a growing (and certainly more visible) patient-centered movement fomented in large part by some of the health care digerati / blogerati / twitterati I know — revolving around patient control over electronic health records. 

Dave DeBronkart (@ePatientDave) — not the most circumspect guy you'll ever meet — is very straightforward about it. He says: "Gimme My Damn Data."  (See my earlier take, with links to his post on his Google Health experience.)  Gilles Frydman (@gfry)and others were responsible for putting together the "Declaration of Health Data Rights" (the link is to my post on the subject, with links to related resources); while that title is more sedate, Gilles is an equally vocal advocate for patient control of data.  In fact, he and Dave are two of the key drivers of e-patients.net and the Journal of Participatory Medicine.  Mark Scrimshire (@ekivemark) — HealthCamp's "chief troublemaker," with whom I had the pleasure of organizing HealthCamp Boston earlier this year — blogged on the subject of patient control of patient data a couple days ago, as he pulled together some recent posts by Gilles and Jen McCabe (@jensmccabe) which relate to part of this past Sunday's #hcsm tweetchat with Steven Daviss (@HITshrink) and others (scroll down to 8 pm or so to read about licensing of patient data).  Please follow all of these links to catch yourself up on the conversation, if you haven't been following along.

Mark suggests in his recent post that each of us should offer an emendation to the standard HIPAA Notice of Privacy Practices, directing our health care providers to upload our health data into our PHR of choice, and has called for some editing assistance.

My gut level reaction to Mark's suggestion is to agree that it makes sense and to dive into the editing.  Unfortunately, making sense is not a prerequisite (and may even be an impediment) to adoption of suggestions like this.

In my post on the Declaration of Health Rights (linked to above), I wrote that one key approach to ensuring that there be more widespread sharing of data would be for participatory-medicine-minded health care providers to revise their Notices of Privacy Practices (NPPs) (as they will have to by February, thanks to the Son of HIPAA rules under the HITECH Act effective then).  One reason for my suggestion that the change come from the provider side is very pragmatic.  Privacy advocates have promoted a number of emendations to the standard NPP language used by health care providers, but my educated guess is that virtually all health care providers collecting signed NPPs are completely incapable of managing such "exceptions."  Are they required to do so?  Yes.  Can we reasonably expect that they will?  No.  So the carefully-drafted amendments are, at best, sitting in non-digitized storage somewhere, collecting dust.

In the #hcflower conversation in the past week or so on twitter and elsewhere, prompted by a guest post and subsequent discussion on Howard Luks' (@hjluks) blog, a core of health care providers and HIT cognoscenti have begun wrestling with the technical details that would have to be working in the background to enable the instant availability of patient data to any relevant clinician or health care facility.  Because of the difficulties inherent in this exercise, Mark's proposed NPP amendment addresses the existing EHR/PHR architecture; nevertheless, it seems to me that it is probably premature — even if acknowledged and honored by health care providers, the data shared would, more likely than not, be of the quality experienced by ePatientDave, leading him to exclaim "Gimme My Damn Data," and would very likely not be provided in real time (leading, of course, to the potential of excess testing and inappropriate treatment).

There are other related issues raised in the #hcsm tweetchat, but those are perhaps best reserved for another day.

So, what do you think? 

• Are patients now ready to insist on having their health care providers upload their health information to PHR systems such as Google Health or Microsoft HealthVault?  How can patients ensure that these data be transportable from a tethered PHR to a freestanding one if and when they change providers or insurers?
  
• Are PHR platforms and health care providers prepared (and equipped) to act on these requests?  My working assumption is that the answer at the moment is no, since there are some technical issues to overcome.  One approach to the technical issues relating to real-time queries from one provider to another's EHR is outlined here.  It is unclear to me what would be involved (in time and money) in getting from here to there.  (Technical congnoscenti: help me out here.)
  
• What other questions need to be asked and answered in order to move this further along?

David Harlow
The Harlow Group LLC
Health Care Law and Consulting