In September, the AHIC Successor organization announced its new board of directors. The news marked a major development in the groups move from a public entity to a public/private partnership, established in cooperation with the U.S. Department of Health and Human Services. The board has been tasked with developing a unified approach in creating an “effective, interoperable nationwide health information system.” One of the 15 new board members is Paul Tang, M.D., M.S., vice president and CMIO with Palo Alto Medical Foundation in California. HCI Editor-in-Chief Anthony Guerra recently chatted with Tang about his vision for AHIC 2.0.
AG: You're talking about a record that was created by a medical organization and sealed in a PDF-type way. I'm thinking of a personal health record that a patient has control over and feeds information into. Can a clinician trust a record like that?
PT: When you say the patient feeds information into it, do they enter information by hand or is it imported?
AG: Well, I guess we could take either scenario.
PT: Okay, let’s say it was imported. They’ve been seen at the Cleveland Clinic, at the Mayo Clinic and by Dr. Smith down the hall – all of whom have EHRs. And the PHR that this patient has is a certified PHR. That means that when they import stuff in from the Cleveland Clinic and from Dr. Smith’s office, then I know this certified PHR does not allow imported data to be changed. Furthermore, I know that if the patient chooses to block access to data in certain categories, there will be a flag that tells me there is something hidden.
Under these conditions, I can trust that when a patient imports data, the data is intact and secure. I have to have confidence in the integrity of the data in the PHR, and one of the ways that you create that confidence is through a certification process for PHRs.
AG: How would a patient enter information in their PHR that was generated by a physician who is still paper based?
PT: Okay, there is an area where the PHR stores patient-entered data, and as long as it’s labeled as such, then it’ll be accepted by physicians just like any other patient-reported data. For example, when patients give me their history, I know it’s in their own words. But physicians understand how to interpret that information; we deal with that all the time. But I have to know the authenticity and the integrity of each piece of information in the PHR and its source. And if I have that information, I can trust it.
Now let’s go to another extreme. In this PHR, a patient can edit or delete anything in there. So they may be able to import something from the Cleveland Clinic or Dr. Smith’s office, but they can go in and edit it. Well the doc probably won’t view that as helpful, and could not rely on the information to decide whether to repeat tests that, in theory, were in the PHR. The physician is on the hook for making decisions based on information. I mean that’s what your license and malpractice liability is based upon. You have to make an appropriate decision at the time, and the only way you can justify that is by having information that you trust.
AG: So it’s going to be up to the physicians to decide, in the future as we go down this road, it’s going to be up to the physicians or the hospitals to come up with policies that let them determine if A, B, or, C criteria are met, so then you can take action off of that data. If not you can not. You will be liable for a test result is in a medical record that the patient brings in and you didn’t verify that that couldn’t be tampered with, but somehow those results were altered in the data transfer from the medical organization to the patient or the patient manipulated them. If you take action, there is negative consequences.
PT: Right. So that’s what the physician weighs in her head to say, do I believe this result. In a PHR where it’s actually, let’s say a Word document, then can you make decisions based on what’s in that Word document? People will be uncomfortable doing so. Versus can you make decisions based on the information in a certified PHR that imports information from other EHRs? I think I can describe for you certification criteria that would make me comfortable in saying, I'm going to rely on that data without repeating that myself. Each person is going to have to decide for themselves.
AG: Let’s step back a little bit. I know we got into the weeds, that is something I was very interested in, but let’s step back and say, if you were advising hospitals and you were describing to them the new world that you see evolving in your work with AHIC; what would be your best advice as to how hospital and if you can take it to the specific level of a chief information officer should be strategizing about the future?
PT: I think we need a way of sharing authoritative health information in a private, secure way. So the CIO needs to find a way to make that happen.
Some of the things CIOs can do on their own. They can buy an EHR themselves and install it. But when it comes to sharing they’re going to have to work with other people or other organizations. What do you have to rely on them for?
Well, we have to rely on them when data passes from one to another, (1) that the meaning is preserved. and (2) that you understand the authenticity of the source, the integrity of the data and the reliability of the security and privacy mechanisms in place. I'm just giving you some examples; that’s not the comprehensive set. But that’s the kind of thing the CIO has to think about.
Now, since they only have control within their own four walls, you have to rely on some kind of public/private utility that creates not only the technical platform for data to move around, but also the policy that controls their movement. Because if you go back to where we started about the individual physician, unless I know somebody else is taking care of those issues, I can’t rely on the information. Same thing for the CIO. Can they bring this information into the EHR or the hospital and have their medical staff rely on it? You’d have to trust that there are data security policies that are governing this in a trusted way. And so that does pretty much come full circle to why you would need an AHIC Successor. It’s sort of a public good in the sense that you’ve got to create a trusted way of exchanging data that maintains the authenticity of its source, its integrity and the protection of the information. Does that make sense?
And so Secretary Leavitt started this process with AHIC 1, and he thinks that there needs to be an ongoing body that worries about these things. He said rather than just leaving it to each administration to decide what to do, his idea was to move it out into a public/private entity governed by a board of directors. For reasons having to do with fiduciary responsibility, government officials can’t be board members. But he and Secretary Peake are going to be the government liaisons for the rest of their terms of office. And I think that makes a lot of sense. Because we just argued why you need an entity that’s trusted and now we’re saying here’s a starting place. Here’s a group of folks that are charged to go do that – figure out how to create an infrastructure that people can trust.
AG: What would you say is the main stumbling block that holds us back? One of those things that comes to mind would be the reluctance of organizations with different hospitals that are essentially competitors from exchanging information from cooperating, it’s the natural struggle, would that be one of them and if not, what would you say would be the things that you’re going to have to overcome?