As debates about personal privacy go on all around us, one of the realities about protected health information (PHI) is that it has enormous significance and value. PHI is used for all sorts of things that most patients don’t think about, participate in, or understand. There are early signs that this is beginning to change, and it’s very likely that when consumer/patients begin to understand what actually is happening to their personal information there is going to be quite a backlash. Do you make your patients partners in their data management and stewardship? You should. Here’s a short road map to building a better partnership with your patients.
Whose information is it?
Who holds our health information and what they do with it isn’t a small issue, and it’s becoming bigger. National Public Radio did a story on January 15th about a health kiosk company that was taking personal information about their customers and selling it to insurance plans. (Story link is here.) One of the people interviewed who was not happy at getting some health insurance offers based on some very specific and personal information said something very telling. “If someone gives you something for free, then you’re the product that’s being sold.” For many people’s personal health information, that’s true.
I’ve written about this before, and when the trend was first becoming visible it was very faintly outlined–but arresting in its potential impact and scope. When I was at UnitedHealth more than a decade ago and we were doing focus groups with consumers across the country trying to understand what kind of health and wellness website would be most useful to them, one thing they told us stood out at the time, because it was so startling. A good number of people were very clear that they didn’t trust providers and health plans. There were lots of reasons, and some were no surprise. But the lack of trust for providers was surprising; there were some very clear messages that people were beginning to understand they were really on their own in managing their own health care needs. As a practicing DC, I had just assumed I was trusted by my patients. Could I assume that any more?
What also became clear was that people had no idea what their PHI actually was being used for. PHI is, in fact, a commodity that is used by a number of stakeholders. It’s used as the basis for actuarial tables and the pricing of health insurance products; it’s used for data mining by pharmaceutical and research interests; and it’s used for population health predictions. Some of these uses are benign, and it’s possible to see them as being ‘for the greater good.’ Others are not so benign, and most consumer/patients don’t understand how little control they have over their PHI once a provider collects it. (The same is true of actual biological samples. The Minnesota Department of Health collected hundreds of thousands of blood samples–without informed consent–from newborns, ostensibly to do important research on genetics. A class-action lawsuit was recently won against this practice, and the DoH will be required to destroy more than one million blood samples. StarTribune story is here.)
What matters for chiropractors?
These issues for chiropractors are somewhat different, obviously. Our patients’ information normally isn’t being managed by large, multi-clinic businesses. We aren’t keeping much of the same ‘medical’ information. But we are, in fact, gathering data that are quite personal and that can potentially be used against someone in a variety of ways. Some of us may not think this applies to us; for those who are still using paper records, things can seem pretty safe. But many or most are using or are moving to electronic health records (EHRs). And that’s where things begin to get interesting. The most important question to begin with is this: When we gather data electronically, where does it go?
There’s a significant difference between using an EHR where you put the software on your own computer or server and an EHR that’s ‘cloud-based.’ EHR data on your own computer you truly ‘own,’ in the sense that you control access to it. Cloud-based EHRs are very different, because although companies promise that you ‘own’ your data, in reality at best you have access to that data. You convey stewardship of that data to the cloud EHR vendor, but you really don’t control it. And the business models of cloud-based data managers frequently depend on monetizing those data by permitting access to them.
It’s fair to ask, ‘What’s the harm? What’s wrong with all this? It’s just health information.’ On the face of it, presuming ethical practices, probably nothing. But we collect this information with patients’ good faith and expectations of best practices–even if they don’t know what those are. Is that enough? Do we know if our patients care? Is it safe to assume they don’t, or should we start asking them?
Doctor of the future: the information concierge
Good customer service isn’t just predicated on what you do when someone needs something, but it’s also predicated on what you do before someone needs something. In the case of PHI, I maintain that at some point consumer/patients are going to care much more than they seem to right now about who has their information, what’s being done with it, and the business transactions that are taking place based on it.
One of the ways doctors of chiropractic can be out in front of other stakeholders in health care reform is by opening up a dialog with your patients–your customers–that permits them to feel greater ownership in their health care, how it’s delivered, and how it’s documented. Many won’t care; some will seem not to, but will begin thinking about it differently; and some will care. A lot. At a minimum, here’s my suggestion about what your customers should be asked:
- Do you know much about how your health care information is being maintained?
- Are you aware of the number of places (clinics, systems, etc.) that have your information?
- Do you keep copies of your personal health records? (Hint: they should.)
- Are you aware of whether or not those holding your personal health information have shared it with any other business interests?
- When was the last time you filled out paperwork regarding whether or not these places had your permission to share your information with others? (This should be reviewed annually.)
- Are you aware of our practices and policies here?
It’s important to have a policy developed and in place regarding your stewardship of PHI. There are some important elements to consider in designing your own policy:
- Where PHI is stored. Is it kept on site? Off site in a location (server, computer, hard drive) that is in your control? If you are using an off site vendor, what are their backup practices? Where are these backups stored? How long are they kept for? Who has access to them? If you don’t know this, you should.
- Who has access to PHI. How many people under your control have access to patient information? Do you have them under confidentiality agreements? Have they received HIPAA training? If the data are not under your control, what is the policy of the entity holding your data regarding access to it–specifically your data, and also your data once it is aggregated into a bigger data pool? How long are the data kept? What is that entity’s policy if you have issues with their management of the data? If another entity manages your information, whom do they make it available to? And what constraints are put on data mining efforts by third parties who use the data? If you don’t know this as well, you should.
- What your customer service responses are. What will you do if a customer (consumer/patient) wishes to remove their information from your control, stewardship, etc.? (Remember there are legal obligations as a health care provider regarding how long you should keep it.) How will you acknowledge a request? What time frame will you require to respond and take action?
These may seem like esoteric points, but they’re not. The liability stakes are high in how PHI is managed, and there is a clear liability pathway now regarding PHI. Under the new HIPAA/HITECH Act, liability stops essentially with the entity that holds the data. Every entity managing health data should have a Business Associate Agreement (or BAA) in place with any vendor, developer, data mining interest, etc., that has access to the data in any form.
And if you’re still not convinced that data security and identity sources matter, or lest you think that data are REALLY anonymous, think again. A story in the New York Times on 1/18/13 showed how easy it is to find people’s identities…and their families’ information–even from supposedly anonymous posting of DNA genetic information on the Web.
Starting these kinds of conversations with your customers will do several things that benefit both you and them.
First, it will educate them about an important issue and potential concern. Experian documented that medical data theft claimed more than 1.8 million victims before the end of 2013. McAfee predicted* in 2012 that 1 in 4 Americans would receive a future notice of a data breach. According to an analysis of data from the Federal Office of Civil Rights (the government arm that tracks health data breaches), more than 24 million electronic health records were breached between 2009 and 2013 in 730 separate incidents. In fairness to the industry, these incidents are trending downward. But the scale of the recent data breach at Target offers some insight into this area in health: the industry must be presumed to have a vulnerability. As thoroughly as any tech product can be tested, security is an ongoing concern. The thieves get smarter and smarter. ANY industry is always playing catch-up. If they claim they have no vulnerabilities, they are lying or misinformed. And not as smart as you need them to be.
The second thing it will do for you is to establish/underscore your value as an information resource. Fewer and fewer patients will be coming into chiropractic (or any) offices who have not prepared themselves with web searches on information regarding conditions and problems; as outcomes data are made more accessible, more and more questions about your recommendations and expectations will be asked. One of the potentially more important and relevant services you can provide is by being an information concierge for patients who will often be struggling to manage the overwhelming amount of information they find they can gather. Being that ‘trusted resource’ will pay dividends.
The third thing is that you empower them to become change agents with other providers and systems. By arming them with those very important questions–and by establishing appropriate answers in how you manage your own clinic’s policies–you have figuratively wound up change agents and set them loose on the world. God knows that’s needed, and that’s one of the biggest benefits you can offer your patients: appropriately preparing them for the emerging consumer-oriented health care marketplace.
And, you will have strengthened the profession by doing so. No small feat.
*McAfee and the National Cyber Security Alliance, September 2012