Giving patient data meaningful use

NHIN Direct's Arien Malec on open community and data exchange standards.

Running time: 27:00

Arien Malec is coordinator of NHIN Direct, a new open-source effort sponsored by the Department of Health and Human Services (HHS) to improve health care through the secure exchange of patient data. Malec, a speaker in the health track at next month’s OSCON conference, has led a uniquely open, community-based project to define standards for NHIN Direct.

In this 27-minute audio interview, Malec talks about:

  • Why privacy concerns make communication standards in health care more difficult than e-commerce.
  • The difficulties doctors face when trying to send data needed to treat patients.
  • The learning process HHS went through in deciding NHIN Direct was needed, as well as the steps it took to develop standards in the Internet’s “rough consensus and running code” fashion.
  • The kinds of applications and services that should be facilitated by NHIN Direct.


Arien Malec will discuss the collaboration and framework that made NHIN Direct possible at the OSCON convention (running July 19-23 in Portland, Ore.). Learn more about OSCON’s new health track.



  • Health Watcher

    There is absolutely no incentive for corporates or government to keep medical records secure or private. All strategies (OPINT, etc) push all data toward total openness. This is what Soros’ Open Society is all about, which is nothing other than a reflection of long standing elite goals.

    Can O’Reilly prove otherwise?

  • Andy Oram

    Health Watcher, you’ve identified a general social trend. It’s not limited to health care: how many tech leaders by now have said, “You have no privacy”? You’re right to worry, but health care has a leg up over general commercial privacy for a few reasons.

    First, the public really cares. They don’t seem to worry about who will see the photos they post–tagging all the people in it–or what will happen to the personal data they put on Facebook (few have joined the boycott), but they’re actually overly paranoid (IMHO) about health care data. They’ll demand secure data.

    Second, the laws protecting personal health data–while flawed–are much stronger than laws concerning any other personal data in the US. HIPAA prevents a host of sins, and it’s a starting point for better laws and regulations.

    Third, as you can hear in this recording, the people running the show in the Administration really care. They are committed to making secure systems and bringing them to providers.

    And finally, I don’t believe all the forces in the industry “push all data toward total openness.” Health care providers have strong incentives to protect their patients’ rights, and if a few are tempted to release data to insurers or marketing firms, laws and opprobrium can rein them in. Yes, ever-improving forms of data mining can extract personally identifying information from data released for research purposes, but we have to seek technical and legal solutions for that.

    No system is perfectly secure, but we have to continue to reap the benefits of electronic health records while improving the systems.

  • Alex Tolley

    Andy: Here is one piece of evidence that supports Health Watcher and contradicts your view.

    I was recently involved in a car accident (other side 100% at fault). My own insurer (a major carrier in California) would only pay medical expenses if I signed a legal waiver that specifically removed all government protections over my medical records privacy and appeared to allow the carrier to do anything they wanted with the data, including selling it to 3rd parties. The potential leakage of private information to somewhat more public corporate use is large if this is a general case.

  • Health Watcher

    @Andy

    Once your health records are in John Boyd’s military-designed “Cloud”, they can do whatever they want with them. Even if they don’t have access to your specific records, the sheer quantity of data will provide data miners with unparalleled visibility into trends across society as a whole, facilitating micro-management of our health care.

    This road is so dangerous that I can’t believe anyone would be promoting this military-originated agenda. As far as I am concerned, O’Reilly has a lot to answer for, but he is totally silent on these issues, basically saying things like it’s the direction we’re headed, so just accept it and get used to it. Well, I’m not prepared to do any of the above.

  • Thomas Lukasik

    >> “..if I signed a legal waiver that specifically removed all government protections”

    There, Alex, you said it yourself: You were asked to waive the very protection that Andy is saying the government tries to provide for you.

    Your insurer is neither the government nor your healthcare provider – the two entities that Andy says are interested in and trying to protect your information.

    IMHO, your unfortunate situation does nothing to support Health Watcher or contradict Andy’s view.

  • Brian Ahier

    NHIN Direct is a project to provide greater interoperability between health systems. Basically what we want to do is replace outdated technology like the fax machine, and use modern methods instead. I have worked in healthcare for many years and can tell you that the current system is rife with privacy problems – the difference now is that when someone sends a fax to the wrong number and information is compromised no one usually finds out. When I used to work as Medical Records Director at a long term care facility we got faxes every day for patients that were not under our care.

    When your paper chart is looked at by folks that have no business seeing the information, there is little auditing capability to see who peeked. An interoperable electronic health record system actually provides much greater security than you currently have. The idea behind the NHIN Direct project is to allow small providers in rural and underserved areas to participate in secure health information exchange.

    The large health systems, government agencies and health insurers don’t need this project, they already have the resources for exchange, but small practices could be left out in the cold. This project helps rural and underserved healthcare and would be much more secure than what current practices are, so much of the criticism I see here is unfounded.

  • ShimCode

    Some good points and some naive points.

    The bottom line is that Federal regulation and massive procedure changes need to take place before anyone should trust their clinical data out in a cloud.

    I can back up 600,000 medical records on a portable drive…but only a few staffers can copy a mis-directed fax.

  • ShimCode

    And…at the same time…I think NHIN is exploring good options and pushing the envelope…

    Much like we down here in Arizona are doing…

  • Faisal Qureshi

    The big misconception here is that NHIN and big government will store medical records. In reality, each physician will continue to use their own Electronic Medical Records (EMR), but when patient information needs to be sent to, for example, a lab or another physician:

    1) Information will be sent via patient consent.
    2) While that record is transmitted, it will either be encrypted or through SSL certification.
    3) There are several payload models where PHI data is not viewed.
    4) There is however a payload model where an intermediary may look at patient data. An example of this is when a physician is using an older IT system trying to send to a newer system that must scrub/reformat the data for it to read it.
    5) The HITECH act mandates each state to set up their own IHE organizations. The federal government is only empowered to provide guidance to the states. Yet records will be able to be sent via DURSA initiatives across state lines if need be, securing privacy.

    These models are illustrated here http://bit.ly/cswPIt

    In conclusion, anyone who thinks the government is not working to secure patient data has the right to public comment during ONC’s privacy workgroups http://bit.ly/b5J9k3

  • Steve Gantz

    There is not, at any level of government, any initiative that aims to put the medical records of private citizens “in the cloud” or shift the point of record custody away from health care providers. I think Andy is largely correct that members of the public feel much more strongly about protecting their personal health information than they do other types of personal data, although I think it’s an overstatement to say people will “demand secure data” because from a legal standpoint, individuals have no more say in their provider’s decision to store medical records in electronic form than they do about storage of paper records. What’s different and better about laws governing electronic health records is that they convey formal rights for individuals not only to see their medical records, but to be given an account of all the times (in the past 3 years) and reasons their data has been disclosed, for virtually any reason. You simply won’t find anything like the procedural and administrative security requirements that are associated with EHRs in conventional paper-based record keeping (anyone ever asked to check on the locks to their doctor’s file room? How about getting a history of all the times your file was pulled and information in it shared with someone else?).

    There are valid privacy concerns associated with widespread availability of data in electronic health records, but people should bear in mind that NHIN Direct is a point-to-point data exchange model, NOT a search/query/response model like most state and regional health information exchanges or the larger NHIN. If you believe that moving to electronic health records is a step in the wrong direction, I’m probably not going to convince you otherwise in this forum, but many of the high-priority goals for health care reform in the U.S. — improved quality of care, reduction in medical errors, cost reduction, better continuity of care when you switch doctors or health insurance plans — are greatly facilitated by the use of EHRs and the ability to exchange data among those systems. NHIN Direct offers benefits in two important ways — one, as Brian pointed out, it will enable secure health data exchange using modern technologies and standards for the small providers and practices that make up almost half of the health care market; and two, it will help those providers qualify for financial incentives from the government to pay for EHR systems under “meaningful use”. Large health care organizations have their own business cases for electronic health records and participation in health information exchange, but much of the market and government push toward EHR adoption has focused only on the big players and ignored the small providers. NHIN Direct corrects this oversight and, perhaps ironically, due to the enormous level of effort put in by NHIN Direct participants, seems likely to result in bringing health information exchange capabilities to these small providers much faster than the NHIN and state and regional HIEs are rolling out.

    [Fair and full disclosure, while I have registered on the NHIN Direct site to be able to post comments, I have no formal or informal role in the initiative]

  • Rich Elmore

    NHIN Direct is an ONC led initiative to enable boundaryless secure point-to-point messaging to healthcare stakeholders. NHIN Direct would provide a secure standards-based replacement to paper, fax and email-in-the-clear and a transport layer for system-to-system point-to-point messaging.

    I appreciate the earlier commentators’ concerns about security.

    Security has been a major focus of the initiative and there are no compromises contemplated in its implementation. There is no cloud associated with NHIN Direct.

    (By way of background, I am the Individual Involvement workgroup leader for NHIN Direct. I work for Allscripts. David McCallie – Cerner and the HIT Policy Committee – and I recently submitted a “convergence proposal” which is likely to be a foundation of the NHIN Direct concrete implementation approach.)

  • Jeff Brandt

    Brian,
    Unfortunately the SMTP solution of the NHIN_direct will do nothing to assist in the problem with faxes going to the wrong destination. I agree that it should be encrypted and that this adds to the protection over paper.

    All of the responsibility will be placed on the originator (DURSA) to know where they are sending it and if it is legal to do so.

    From my point of view the NHIN_D circumvents the state level HIE. If you get a provider to invest in the NHIN_Direct SMTP solution this could undermine getting them on an HIO or HIE. Why should they join the HIE?

    To assist in reducing these types of exposures I suggest that we let the States provide a plan to connect the edge to the state HIE. The HIE could provide routing to ensure valid addressing. The HIE could also provide routing information and consent and age-of-majority filtering of interstate exchange.

    I do not see an “edge” doctor successfully setting up an email client for S/MIME and handling certs without support. This system will take training or additional system purchases and support, e.g. a secure email system.

    This solution provides very little audit trail, or at least nothing better than a sent box that can be deleted or modified.

    As you well know, “SMTP is one of the most abused protocols on the Internet”, states Michael Gregg in his book, Hack the Stack. SMTP is the victim of all types of attacks and Exchange is one of the most used and popular hacker-targeted systems. As you well know there are numerous security patches and reboots leading to more maintenance, downtime and concerns. SMTP is also not considered a “mission critical” service. These are some of the reasons that I am concerned about it being chosen for the backbone of the NHIN_D. I have been speaking to a colleague who consults for a banking system who told me that his Microsoft servers get security updates almost every day.

    As for the Cloud, done correctly it is much safer than an office-based system. Companies around the world have been using the “cloud” for years; it is not a new technology, e.g., banking. Many HIT/HIS systems are housed under a desk or in an unlocked cabinet. Many so-called “HIT” people have no experience at all handling security.

    Again I commend the NHIN_D for this “Out of the Box” thinking for a quick inexpensive solution, but there are issues that need to be worked out before agreeing on it.

    I am very passionate about security in Healthcare. Together we must build the best system possible. Failure is not an option. If we break the “trust” we are done.

    After all, we are all patients.

    Thanks for the consideration,

    Jeff Brandt
    Communication Software, Inc.

  • Health Watcher

    Everyone assumes that locating one’s personal data in the “Cloud” is the only option for meeting market requirements. It is not, but it IS the ONLY option that allows for central control through sophisticated profiling feedback/control algorithms. Why are other options not on the table? Instead, all discussion is restrained within the “Cloud” ONLY container. This is a ridiculous self-imposed constraint.