Monday, September 28, 2020

Universal patient identifiers are about patient safety

Photo credit: University of Texas, Austin
Aaron Miri is the chief information officer for Dell Medical School and UT Health Austin. He brings more than a decade of healthcare experience driving growth and innovation, leading both provider and commercial healthcare enterprises and providing thought leadership and close collaboration with state and federal representatives. As CIO, Miri is passionate about humanizing technology by collaborating with clinicians, technology partners and business champions to truly transform healthcare delivery for consumers, patients and providers.

In 2018, Miri was congressionally appointed by Senator Chuck Schumer to the Department of Health and Human Services (HHS) federal Health IT Advisory Committee, established under the 21st Century Cures Act. He was federally appointed by HHS Secretary Sylvia Burwell to serve on the HHS Health IT Policy Committee, established under the American Recovery and Reinvestment Act of 2009. Miri is the prior chair of the Healthcare Information and Management Systems Society (HIMSS) National Public Policy Committee and serves as an expert adviser to the United States Senate Committee on Health, Education, Labor and Pensions and to other congressional panels engaged in numerous Health IT policy topics. PARCA eNews spoke to Mr. Miri about the challenges of adopting a national universal patient identifier.


Q. To get started, I want to just make sure I'm understanding the terminology when we talk about privacy and security with patient healthcare data. I understand privacy and security to be two different things: privacy is about an individual’s right to set boundaries as to who is collecting and accessing personal health information. Security is an assurance that the person or the entity that I'm giving access to my information can keep that information safe. Is that fairly accurate?

Yes, generally speaking. I would also say I like the word assurance, so not just making sure that Michael sent it appropriately and Aaron got it, and nobody else got it, but that all of the data was sent securely, that this was a secure transaction.

Q. Okay. So when I was reading about the recent Patient ID Coalition presentation at the ONC working session, what stood out to me was the recommendation to convince privacy advocates that HIPAA addresses their privacy concerns. It struck me that after 20-some years people are still not convinced that HIPAA protects privacy in terms of my having control over who has access to my health data.

Yeah, I know. Here’s what’s going on, boots on the ground, and I think you and your organization are aware that there is an erosion of trust in society. Generally speaking, when it comes to any organization that is collecting data, whether it's medical, whether it's credit card, whether it's whatever, I think people are becoming much more informed that their data is not as secure as perhaps we were led to believe, and that has, just generally speaking, led to a suspicion of ‘OK, is my stuff really being taken care of or not?’

When we look at healthcare data, which only recently became digitized, in the last, call it, 20 years or so, we are still figuring out the technical and standards development needed to ensure that level of assurance with security and privacy laws. So people are even less trusting that their medical data is secure because, guess what, the institutions and the systems that manage it aren’t that old and have not been stress tested like, say, a banking system or other industries.

Back to your HIPAA question: the HIPAA law, written in 1996, does give an overarching umbrella of responsibility for the provider community to ensure adherence to a common set of rules to protect patients and their rights and so forth and so on, great. The problem is that in the 21st century your electronic health data is not just with providers or a clearinghouse, it's also with your Apple iPhone or your Google Android and the apps you download and the Fitbit you wear and the Apple Watch you wear and all this other stuff, which, guess what, are not covered under HIPAA. They are vaguely covered under the FTC, but even the FTC has limits on its jurisdiction.

Let me give you an example: 23andMe, a great, cool service. I want to know if my ancestors are from wherever in the world, I really want to know what my lineage is. Guess what? The company just sold de-identified data for hundreds of millions of dollars, and they also process your data overseas, and none of that is covered by HIPAA. Link here: https://www.bloomberg.com/news/articles/2020-01-09/23andme-licenses-drug-compound-to-spanish-drugmaker-almirall?sref=ExbtjcSG

So if I'm processing your data (and I'm going to make this up) in China and that data center is broken into, there is no protection for you as a patient. Who am I going to go after? Nobody. That's where HIPAA falls apart and that's where it begins to erode public trust, which then erodes trust in the hospital systems. Does that make sense?

Q. It does, but it sounds more like the issue is security. I mean, everywhere I go when I have a healthcare encounter, I have to sign a form saying it's okay for them to see my medical information, but you're saying that there's a lot of healthcare information that I have that isn't covered by HIPAA.

That's right. That's exactly right, and you can just Google it. There are known gaps that spell it out very clearly. I just gave you that one example of where HIPAA just doesn’t cover, because when the law was written these things didn't exist. There was no Apple iPhone in 1996; it didn’t exist, so it wasn't thought of.

So now you're left with this situation where there is some feeling from a legislative perspective to modernize HIPAA, but what does that mean? Are we going to find ourselves in this position again 20 years from now, or is there more protection needed from the FTC or other agencies that perhaps have the ability to enforce, and what are those enforcement mechanisms?

All that said, it's not just security. It's also privacy, and privacy is even more interesting because certain states have mandated certain levels of protection of privacy that are higher than national standards, for example, the California Consumer Protection Act (CCPA), and Texas, where I live, has breach notification laws.

All these things are privacy specific, meaning you as an individual have rights to know who may have breached your data accidentally or inadvertently, all those kinds of things, but they vary state to state. So if Aaron were to travel from Texas to, I'm making this up, Alaska, and my data was breached in Alaska for a record I'd sent from Texas to Alaska, I may not hear about it because Alaska’s privacy rule is not as stringent as it is in Texas and maybe didn't meet some minimum threshold.

So there's not an overarching privacy law in this country like the GDPR in Europe that mandates and holds accountable actors with your data and gives a level of assurance to patients or whomever that your information is protected. And so, because of the patchwork of laws and these gaps like we talked about with HIPAA, it leaves patients feeling sketchy, like, ‘do I really know what the speed limit is on the highway or not?’ Yeah. That's the problem we're in.

Q. What needs to be done to address that privacy issue?

A couple of things. Number one, there needs to be either an overarching law or a harmonization of state laws from a privacy perspective so that there are known rules of the road when it comes to: how do I notify Aaron? At what level do I notify Aaron? And what options does Aaron have from a patient privacy perspective so that you have total control of your data? This is about patient empowerment.

To me, it starts with everybody recognizing that patients own their information, which they did recognize in the 21st Century Cures Act. That is there, but we have to reconcile state law to also further reinforce that, so that everybody's playing from the same deck of cards.

Number two, from a security perspective there is nothing like a national speed limit. There are voluntary frameworks and voluntary security standards, so HIPAA represents NIST (National Institute of Standards and Technology), but there's no mandate like ‘Thou shalt meet these minimum security technical standards for every IT product implementation, every health IT product.’ There is none. It's all voluntary. It's a voluntary framework. It's a voluntary security standard. So we need to mandate minimums, just like we mandate seat belts in cars, just like we mandate how fast you can drive on a road in this country. We can mandate minimum security standards so that everybody's playing from the same rules, and those two actions would really achieve some velocity with our systems and trust.

Q. Are we moving towards that or is it still controversial?

I don’t think it is controversial. I give a lot of credit to both the previous administration and the current administration for educating the lawmakers on what is happening by not addressing these issues.

Here's what's going on. I'll give you an example: in 2015 the Cybersecurity Information Sharing Act (CISA) was passed. Section 405(d) called out healthcare and said, and this is what Congress said under the law signed by Obama at the time, you're going to put together a working committee of experts to educate us on why this stuff matters. And so they did. The CISA group put together a cybersecurity task force, organized under, let me say, Homeland Security, that put out a series of recommendations that are excellent. I recommend that you read them. That educated lawmakers on Capitol Hill, who said, oh golly, we have some serious gaps here.

So as you cross administrations, now at the current administration, little by little, whether it's executive action, whether it's congressional action, whether it is states taking recommendations and running with them, there has been an execution of items to help address and alleviate some of these concerns. Is it perfect? No. But it's trending in the right direction because of the work that has taken place since 2015 that accelerated opening people's eyes. So now folks realize, oh, this is what happens when you send your data to 23andMe or some company that's not covered under HIPAA. These are the risks you take, right?

So there have been talks of: do we need a Consumer Protection Bureau? Something like the BBB? No one knows yet, but at least it is being discussed, and that is the path to progress.

Q. How does this relate to the Universal Patient ID Coalition? 

Right. Today, here in Austin, I have physicians, I have hospitals, I have a university. I have all these people in what is the 11th largest city in the US that are being taken care of in an amazing way by caregivers, by faculty, by staff behind the scenes, and by students themselves. But if I, Aaron, go from one hospital on the north side of Austin to a hospital on the south side of Austin, guess what? They don't really know if it's me, because my medical records at one institution may differ in enough ways from the standard physician I go to, to cause them to ask themselves, ‘is this the same person, is there an issue here?’

So when you start looking at geographies and transitory people and a situation like COVID-19, where we need to accurately get testing for surveillance, if I really can't tell that Aaron is Aaron, that is a problem that makes tracking difficult.

As for the safety issue around universal identification, I would turn you to the Pew Charitable Trusts, which is a not-for-profit that did a phenomenal white paper on patient identification. It spells it out for you: why patient identification is critically important for patient safety and how it ties back to privacy and security, because how am I going to ensure Aaron's records and information are secure and kept private to the level you want to keep them private if I really can't tell who Aaron is?

At the end of the day, trust and assurance boil down to: do we know who Aaron is? Do we know what's happening to his data and who's accessing it and so forth? And did he, as the owner of his data, rightfully give permission for it to be used in XYZ manner? Without a unique patient identifier to do all that, it's very hard to bring back a level of assurance, just like you said earlier.

Q. There are a couple of things that I have read about that I just want to throw out to you. One possible solution or implementation would be using blockchain. Is that something that's under discussion?

There are numerous use cases for blockchain. Is it the end-all, be-all technology for identity management? The jury is still out because blockchain is so new. Can it do it? Yeah, and have we shown it to do it on a limited scale? Yes. Here is the rub with blockchain technology. When you get enough links in the chain, meaning in this case enough patients that you're managing, then blockchain requires a lot of computing power to do blockchain transactions.

The computing power needed is very steep. So as we get more mature with the technology and the cost of utilizing the technology comes down, just like anything else, that's when you'll see blockchain really hit mainstream. And we’re getting there, right? There's a number of people doing a lot of stuff with blockchain and we're learning every single day, and I think it has a lot of promise, but it is still too early to call. But it's the right direction because it's about immutability, and immutability is that level of assurance, just like you're talking about.

Q. Okay, another thing I read about is that at the end of 2019 Experian Health announced that every person in the U.S. population, an estimated 328 million Americans, had successfully been assigned a unique universal patient ID powered by their platform. So my question is, what are the chances that all of the stakeholders in healthcare might adopt the Experian system? That seems to me to be even more difficult to trust for a consensus of stakeholders.

Yeah, so we first have to lift the law that bans research into a universal patient ID. In 1998 Congressman Ron Paul pushed through a bill effectively banning any development or implementation of a unique health identifier for each individual, employer, health plan and healthcare provider for use in the healthcare system. The US House of Representatives has twice now, even as recently as about a month ago, struck down that ban, but it continues to falter in the Senate.

So assume, for the sake of argument, that it makes it through the Senate and is signed into law by President Trump, great. So the unique identifier ban has been overturned; now HHS, and therefore CMS, which is a huge payer for all the hospitals, could say thou shalt go implement a standard that we can look at as a national standard, and if the Experian model meets the standard, then the Experian system can absolutely be an option.

It is likely, though, that HHS would want to control that (patient identifier system) and create their own number system, just as the DoD has done for the military. To your point, because Experian has already done it, they obviously would be a strong candidate. I do know that the federal government does not like to bank on a certain vendor or certain technology set because it kind of locks them in and it can almost create the appearance of unfair bias. I appreciate that.

But let’s just say Experian made their technology freely available, right, for the greater good and well-being of the public; there's no reason why you couldn't adopt that.

Q. As a patient, I would be suspicious because my experience with Experian has not been good on the credit reporting side, so I don't know that I would trust them.

The government does a good job of providing opportunity for public comment before they do something. And so those are the kinds of things that the government would look for, I mean, assuming a ban is overturned, before they ever double down on a solution. So you're right. I mean, we use Experian here for our clearinghouse for our patients, just to make sure that they have the benefits they have coming, such as pre-op preauthorization. But you know, it was just two years ago or so that I got the letter telling me my records were involved in the Experian breach of my personal information. So it's like, ‘great, what can you do now?’ In fairness to Experian, nothing is a hundred percent. No technology is perfect. I don't care what you say, right? There's always a way; there is always some bad guy or person out there trying to break in. It's just inevitable.

But what if it is Experian plus something else? Maybe it's your, I'm making this up, facial scan plus an Experian number that equates to the magic key to unlock your record, right? Who knows what is the right combination of factors needed to give the patient a better level of assurance. But we can never get there until we overturn this patient identifier ban, which is just a bugaboo for a lot of things.

Q. Okay, on the same kind of theme, one of the critiques of private vendors developing these patient identifier platforms is that it just makes it easier for data mining; they can sell your information to more people for more profit. What are the policies or regulations being considered that can give patients more control over how their data is used?

There is something I would encourage you to read up on, called granular consent. This was started in the last administration and has been carried forward, which, if you can imagine, is a series of toggles whereby you, as a patient, can opt in or opt out of sharing various elements of your medical record.

Let me give you an example, and I’m making this up: let’s assume I have type 1 diabetes, but I don’t really want anybody knowing that. So for half of my medical record, I could say I’m OK with you sharing my X-rays, but when it comes to my lab results, or when it comes to my HbA1c results, I want to be informed before that is ever shared, and without my expressed permission you cannot share this information. That's granular consent, which means that for each element that makes up your healthcare chart, it is up to you whether to share it or not.

So there are a series of technical standards that were proposed, and we’re still some time away from fully implementing them, but that progress and the steps towards that happening have begun, to enable people to get their data. This was the cornerstone of the 21st Century Cures Act. So if you read that act, it literally calls it out: it is about patient empowerment over their data. That comes back to what you are asking about, which is granular consent.

Q. That sounds really difficult to implement on a population scale, particularly if you're a buyer of data and you're trying to do research. That seems like it could be a very big barrier to getting the data needed to do a study.

It could be, or it may be, and this is me hypothesizing. Perhaps there's a reimbursement level for patients to be able to opt in, and they're paid for their data, right? Maybe there's some national fair market value that says your clinical notes are worth this, or your labs are worth that, or whatever, so the giant pharma companies and others that today spend hundreds of millions of dollars paying the hospitals and medical centers and the giant electronic medical record companies of the world for de-identified data instead take that money and pay patients.

Q. You touched on this earlier, but what do you think are the prospects of rescinding the ban on research into the UPI, which was passed in the House? Do you think it is likely to get passed by the Senate?

I'm hopeful. I think there's a number of Senators, and I think you can do some Google searching and you'll see a number of Senators that have publicly spoken out in support, especially with COVID-19. What I appreciate about all of HHS, and I literally just said this on a national call, I just got off the phone on one of my HITAC calls right before you called, I told the leadership of HHS publicly that I appreciate that HHS listens to the provider community and tries to find ways to help us if there is no clear path to success for whatever the issue is.

I think those barriers, one of those issues being heard, is that it's very hard to identify people and that we need to get to some unique patient identifying strategy. So there's been a number of Senators, especially with large rural populations in their states, that have spoken out in support of ‘hey, why is it so difficult?’ So I have hope that at the end of the day, when you put all the noise of mainstream media aside and focus on logic, lawmakers are not incompetent people. They are very bright, and their teams of staffers are even brighter, and they will get to goal because it benefits this country, and I am bullish that these folks, generally speaking, are about serving our country, love this country and will do the right thing.

Q. I think that's all the questions I had. Are there any issues or points that you would like to emphasize that I haven't brought up?

I would say, when you look at universal identifiers and privacy and security, at the end of the day, this is about patient safety. Why would we not make this priority number one, to make sure that our patients and our children are safe in this country?
