Friday, January 4, 2019

Congress Questions ONC on Implementing 21st Century Cures Act

On Tuesday, December 11, the House Energy & Commerce Committee’s Subcommittee on Health held a hearing capping off its oversight of 21st Century Cures implementation for the outgoing 115th Congress by focusing on the Office of the National Coordinator for Health Information Technology (ONC). The witness was Donald Rucker, MD, the National Coordinator for Health IT.

Chairman Greg Walden (R-OR) said in his opening statement: "The fundamental value proposition of Electronic Health Record systems is the continuity of evidence-based care, however, patient health data continue to be fragmented and difficult to access for health care providers and patients themselves. The functionality of EHR systems lags behind the technological capabilities presently available, and until we close that gap I do not see how we can truly recognize the potential of clinical registries, payment reform, or health information exchanges."

Committee members had the opportunity to learn more about health information technology (HIT) policies and the work ONC has done in implementing the Cures HIT provisions. Member questioning largely focused on health data privacy and security, physician burden, and patient access to their health data. Dr. Rucker was unable to provide members with any specifics on the information blocking rule currently under review at the Office of Management and Budget. Now with the partial government shutdown still under way at the time of this writing, I don't expect it will see the light of day in the near future.

Dr. Rucker's testimony and some Q&A are below:

Tuesday, December 11, 2018

Interoperability and Health Information Technology

I was very honored to appear on John Gilroy's TechTalk show on Federal News Radio. The interview ran the gamut from artificial intelligence and blockchain, to health IT certification and interoperability.

Tuesday, December 4, 2018

A Decade of Progress on Interoperability

As we approach the 2020s, it is helpful to discover how we got here

I have been looking back at all of the work accomplished on health data exchange as well as some of the challenges which still remain. In 2008 most of our healthcare system was still paper-based. Less than 10% of hospitals had implemented even a basic electronic health record system (EHR).
As we can see from the data above, provided by the Office of the National Coordinator (ONC), a great deal of progress occurred over the next seven years. Of course, much of this was due to the federal incentives for EHR adoption incorporated in the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act was enacted as part of the American Recovery and Reinvestment Act of 2009, and signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. HITECH provides financial incentives to “eligible professionals” and hospitals for the meaningful use of certified qualified electronic health records (EHRs). An eligible professional is generally a physician, although in the Medicaid program some mid-level providers were also included. CMS had major responsibility for the incentives (and penalties) hospitals and clinicians would receive (broken into two separate programs, Medicare and Medicaid). With well over $30 billion in payments at stake, it is no wonder that we saw a sharp uptake in EHR adoption.

The ONC is responsible for the certification program for health information technology, which is required to be eligible for a payment or to avoid a penalty. As part of HITECH the ONC also oversaw the $564 million State Health Information Exchange (HIE) Cooperative Agreement Program. In total, 56 states, eligible territories, and qualified State Designated Entities (SDE) received awards. This program was a big push towards interoperability and led to a rapid growth in the HIE market as well. As the work began to transition physicians and hospitals from paper-based to electronic systems it was critical for these systems to interoperate, allowing clinical data to flow between health care organizations.

Julia Adler-Milstein, from the Department of Health Management & Policy at the University of Michigan, along with David Bates and Ashish K. Jha, conducted a study published in Health Affairs in 2013. The results showed progress, as the number of operational HIE organizations identified rose from 55 in 2009 to 119 in 2012. There were still some concerns, however. Some technical challenges remained, but the primary issue was the business model. As the authors stated:
"Long-term financial sustainability for organizations facilitating health information exchange appears to be the most pressing challenge. The fact that three-quarters of efforts cite developing a sustainable business model as a major barrier is a warning to policy makers that the growth in health information exchange will likely falter unless these efforts become self-sustaining or there is a long-term public commitment to their financing."
With no long-term commitment to public financing, and no strong business model for sustainability on the horizon, many of these efforts began to falter at the end of the grant period. A 2016 study produced by NORC under contract with the ONC found that only a small number of states succeeded in significantly developing and implementing sustainable HIE systems. At the time of the study seven of the grantees were no longer in business, and even fewer are in operation today. With the continued growth in the digitization of health records, in 2018 more than 95 percent of hospitals and nearly 90 percent of office-based physicians have implemented an EHR. So we started to see a picture in which we had traded the paper silos of the past for the largely digital silos of the present.

To address many of the concerns about building out a national infrastructure for health information exchange, in 2012 the ONC announced its plan for enforcing Conditions of Trusted Exchange (CTE) and Network Validated Entities (NVE). This approach was quickly discarded (although components are revived under the current ONC plans, which we will discuss later). During this time a very successful open source effort overseen by the ONC, called the Direct Project, began. Launched as a part of what was then known as the Nationwide Health Information Network (NHIN), the Direct Project was created to specify a simple, secure, scalable, standards-based way for participants to send authenticated, encrypted health information directly to known, trusted recipients over the Internet. The Direct Project had more than 200 participants from over 60 different organizations, and I was honored to be one of them.

After the standards and specifications for Direct were developed, a series of pilots were initiated. One of these was Gorge Health Connect, the HIE in Oregon which I had founded in 2010 using a HRSA Planning Grant. Using our Medicity iNexx software we were able to quickly set up a Health Information Service Provider (HISP) in order to enable Direct secure messaging between provider organizations. Here is a demo of the pilot:

Very soon after the Direct Project initiatives started to scale across the country, a serious issue came to light: we needed a security and trust framework that would give participants some level of assurance around identity and strong security. Thus was born DirectTrust, a non-profit organization created to solve these issues, and I was happy to serve as a founding member of the Board of Directors. In March 2013, DirectTrust was awarded an ONC Cooperative Agreement to further work in accreditation, trust anchor distribution services, and governance of the DirectTrust community. The Cooperative Agreement was renewed for another year in 2014. Part of the Exemplar Health Information Exchange Governance Program, the grant was to “increase interoperability, decrease cost and complexity, and facilitate trust among participants using Direct for health information exchange of personal health information for health care improvements.”

Direct secure messaging was soon incorporated in standards and certification criteria by the ONC for use in the EHR Incentive Program, and the ease of integrating it into a clinician's workflow made this a primary protocol for transitions of care. Those of us working on these efforts believed this could truly be a replacement for the fax machine in healthcare (and I still believe this today). As David Kibbe, MD, chief executive officer of DirectTrust, said in 2015:
"In terms of new technology adoption, it's been pretty fast, If you look at the growth of Direct over the past two years – and it's only been three since it was available as a standard – it's pretty astounding. We're now up to 40,000 healthcare organizations that are contracted for Direct exchange by one of the HISPs in Direct Trust's network."
This year the DirectTrust network saw 47.8 million health data exchange transactions in the first quarter – a 90 percent increase from the same time period in 2017. So we now have a way to push structured documents to known participants for clinical care. But push is only half the story - what about querying for records?

Remember the NHIN mentioned earlier: this was a cooperative established in 2004 under the ONC to improve the quality and efficiency of healthcare by establishing a mechanism for nationwide health information exchange. The group included federal agencies; local, regional and state-level Health Information Exchange organizations; and private companies. In 2012 the ONC transitioned the NHIN exchange to the eHealth Exchange. The participants who implemented the standards and services and executed the Data Use and Reciprocal Support Agreement (DURSA) legal agreement were now in the eHealth Exchange. Overseeing the eHealth Exchange, and defined in the DURSA, is the Exchange Coordinating Committee. Shortly thereafter the Coordinating Committee designated Healtheway, a new nonprofit organization, to assume operational support of the eHealth Exchange effective October 1st, 2012. The ONC said that the transition to a public/private partnership reflected their strategy to be an incubator for innovation and a focus on supporting a sustainable ecosystem of organizations that have found secure and scalable ways to exchange health information.

The eHealth Exchange has grown tremendously over the past decade. It is the largest and most successful health information exchange network in the country. The list of participants continues to grow and includes the Department of Defense, the Veterans Health Administration, and the Social Security Administration. In 2015 Healtheway rebranded itself as The Sequoia Project. Another important initiative overseen by The Sequoia Project is Carequality. Carequality was formed with an ambitious goal: to tie together the many valuable health information exchange activities occurring throughout the country, and solve the final mile of interoperability between them.

Another important effort, the CommonWell Health Alliance, began in 2013 and went live in 2014. CommonWell, as it's commonly known, is a nonprofit trade association working to make interoperability an inherent part of health IT. Composed initially of some of the major EHR vendors, it has grown in scope and importance over the last four years. CommonWell was inspired by former National Coordinator at the ONC Farzad Mostashari, MD, during a 2012 Bipartisan Policy Committee meeting where he challenged the assembled health IT leaders to come up with a market-driven solution to the patient identity problem, since the government was unable to address the problem for them. Arien Malec and Dr. David McCallie, who were serving on the Federal Advisory Committee to the ONC, took up the call and CommonWell was eventually born.

Now things have changed considerably. With the passage of MACRA and the movement towards value-based care and payment models, and more recently the 21st Century Cures Act, which includes a number of interoperability provisions (including the TEFCA which I have written about here), there is a big policy push toward improving interoperability. The private market continues to innovate, and technological solutions are flourishing. Many of the standards and protocols for exchanging clinical information are developed by Health Level 7, or HL7. HL7 is a not-for-profit, ANSI-accredited standards developing organization dedicated to providing a comprehensive framework and related standards for the exchange, integration, sharing, and retrieval of electronic health information. And while messaging and structured documents are very important, healthcare has been slow to adopt modern web-based technologies used in other industries.

Then along came Grahame Grieve and other thought leaders with the development of HL7 FHIR (for those wondering what that stands for, it is Fast Healthcare Interoperability Resources). FHIR is a standard describing data formats and elements (known as resources) and an application programming interface (API) for exchanging electronic health records. In 2011 Grahame posted that HL7 needed a fresh look. The work began with a small team at HL7 developing the standard, and after five years it has finally gained a great deal of traction. In fact, Apple has partnered with a number of health systems to allow patients to access their health information right on their iPhone using the FHIR standards.

FHIR is designed specifically for the web and provides resources and foundations based on XML, JSON, HTTP, Atom and OAuth structures. Developers don't need a great deal of healthcare experience to quickly begin coding, since these are the same standards commonly used across the Internet. And with the federal government strongly promoting the use of open application programming interfaces (APIs), FHIR is positioned to meet the needs of the healthcare industry and help take us into the future of interoperability.

And the other private sector initiatives are not standing still. The Sequoia Project (where I serve on the Board of Directors) recently underwent a significant reorganization to position itself for the future. CommonWell has become a Carequality Implementer, and the eHealth Exchange has become a member of Carequality and is in the process of becoming an implementer. "By reorganizing the eHealth Exchange and Carequality into separate legal entities, we further ensure unbiased, equitable treatment for the eHealth Exchange alongside every other implementer subject to Carequality oversight," said Dave Cassel, who heads up Carequality. So with the eHealth Exchange and CommonWell now part of Carequality, and FHIR burning across the healthcare landscape, it seems that, despite the challenges ahead, this past decade has shown significant progress in interoperability.

This post also appeared in Health Data Management Magazine

Friday, August 24, 2018

Holding law-enforcement accountable for electronic surveillance

MIT CSAIL's cryptographic system encourages transparency w/public log of data requests
When the FBI filed a court order in 2016 commanding Apple to unlock the San Bernardino shooter’s iPhone, the news made headlines across the globe.

Meanwhile, every day there are thousands of court orders asking tech companies to turn over people’s private data. These requests often require some secrecy: companies usually aren’t allowed to inform individual users that they’re being investigated, and the court orders themselves are also temporarily hidden from the public. 
In many cases, though, charges never actually materialize, and the sealed orders inevitably end up forgotten by the courts that issue them. As a result, thousands of innocent people are unlikely to ever know that they were the targets of surveillance.

To address this issue, researchers from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) have proposed a cryptographic system to improve the accountability of government surveillance while still maintaining enough confidentiality for police to do their jobs.

“While certain information may need to stay secret for an investigation to be done properly, some details have to be revealed for accountability to even be possible,” says CSAIL graduate student Jonathan Frankle, one of the lead authors of a new paper about the system, which they’ve dubbed “AUDIT” ("Accountability of Unreleased Data for Improved Transparency"). “This work is about using modern cryptography to develop creative ways to balance these conflicting issues.”

AUDIT is designed around a public ledger where government officials share information about data requests. When a judge issues a secret court order or a law enforcement agency secretly requests data from a company, they have to make an iron-clad promise to make the data request public later in the form of what’s known as a “cryptographic commitment.” If the courts ultimately decide to release the data, the public can rest assured that the correct documents were released in full. If the courts decide not to, then that refusal itself will be made known.
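
A minimal illustration of the commit-then-reveal idea described above, added here and not taken from the AUDIT paper or its authors: it uses a salted SHA-256 hash as the commitment, which is an assumption, since this page does not say which commitment scheme AUDIT uses. The `PublicLedger` class, the case IDs and the order texts are hypothetical and constructed for the example.

```python
"""Hash-based commit/reveal for sealed orders on a public ledger (illustrative)."""
import hashlib
import hmac
import secrets

NONCE_LEN = 32  # fixed length, so nonce || document splits unambiguously


def commit(document: bytes):
    """Return (commitment, nonce). Only the commitment is published now."""
    nonce = secrets.token_bytes(NONCE_LEN)  # random salt keeps the order text unguessable
    return hashlib.sha256(nonce + document).hexdigest(), nonce


def verify_opening(commitment: str, nonce: bytes, document: bytes) -> bool:
    """Check that (nonce, document) is the value committed to earlier."""
    if len(nonce) != NONCE_LEN:
        return False
    expected = hashlib.sha256(nonce + document).hexdigest()
    return hmac.compare_digest(expected, commitment)


class PublicLedger:
    """Append-only, world-readable log (hypothetical stand-in for the ledger)."""

    def __init__(self):
        self.entries = []

    def post(self, case_id, kind, **fields):
        self.entries.append({"case": case_id, "kind": kind, **fields})

    def audit(self, case_id):
        """Status that any member of the public can derive from the ledger alone."""
        rows = [e for e in self.entries if e["case"] == case_id]
        commits = [e for e in rows if e["kind"] == "commit"]
        if not commits:
            return "unknown"
        for e in rows:
            if e["kind"] == "refuse":
                return "refused"  # the refusal itself is on the record
            if e["kind"] == "unseal":
                ok = verify_opening(commits[0]["commitment"], e["nonce"], e["document"])
                return "unsealed-verified" if ok else "unsealed-mismatch"
        return "sealed"


def demo():
    ledger = PublicLedger()
    orders = {  # constructed sample orders
        "case-A": b"Order: produce subscriber records for account 1234",
        "case-B": b"Order: produce location data for device 5678",
        "case-C": b"Order: produce email headers for user 9999",
        "case-D": b"Order: produce billing records for account 4321",
    }
    nonces = {}
    for case_id, text in orders.items():  # issuance: publish commitments only
        commitment, nonces[case_id] = commit(text)
        ledger.post(case_id, "commit", commitment=commitment)
    # case-A: the court unseals the exact order it committed to
    ledger.post("case-A", "unseal", nonce=nonces["case-A"], document=orders["case-A"])
    # case-B: a shortened order is released instead; the commitment exposes it
    ledger.post("case-B", "unseal", nonce=nonces["case-B"], document=orders["case-B"][:20])
    # case-C: the court declines to unseal and must say so; case-D stays sealed
    ledger.post("case-C", "refuse")
    return {case_id: ledger.audit(case_id) for case_id in orders}
```
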

AUDIT can also be used to demonstrate that actions by law-enforcement agencies are consistent with what a court order actually allows. For example, if a court order leads to the FBI going to Amazon to get records about a specific customer, AUDIT can prove that the FBI’s request is above board using a cryptographic method called “zero-knowledge proofs.” These proofs counterintuitively make it possible to prove that surveillance is being conducted properly without revealing any specific information about the surveillance.

As a further effort to improve accountability, statistical information from the data can also be aggregated so that the extent of surveillance can be studied at a larger scale. This enables the public to ask all sorts of tough questions about how their data is being shared. What kinds of cases are most likely to prompt court orders? How many judges issued more than 100 orders in the past year, or more than 10 requests to Facebook this month?

Frankle says the team’s goal is to establish a set of reliable, court-issued transparency reports, rather than rely on companies themselves voluntarily pulling together reports that might be inconsistent or selective in the information they disclose.

Importantly, the team developed its aggregation system using an approach called multi-party computation (MPC), which allows courts to disclose the relevant information without actually revealing their internal workings or data to one another. The current state-of-the-art MPC would normally be too slow to run across the entire court system, so the team took advantage of the court system’s natural hierarchy of lower and higher courts to design a particular variant of MPC that would scale efficiently for the federal judiciary.

According to Frankle, AUDIT could be applied to any process in which data must be both kept secret and subject to public scrutiny. For example, clinical trials of new drugs often involve private information, but also require enough transparency to assure regulators and the public that proper testing protocols are being observed.

“It’s completely reasonable for government officials to want some level of secrecy, so that they can perform their duties without fear of interference from those who are under investigation,” Frankle says. “But that secrecy can’t be permanent. People have a right to know if their personal data has been accessed, and at a higher level, we as a public have the right to know how much surveillance is going on.”

Next the team plans to explore what could be done to AUDIT so that it can handle even more complex data requests - specifically, by looking at tweaking the design via software engineering. They also are exploring the possibility of partnering with specific federal judges to develop a prototype for real-world use.

“My hope is that, once this proof of concept becomes reality, court administrators will embrace the possibility of enhancing public oversight while preserving necessary secrecy,” says Stephen William Smith, a federal magistrate judge who has written extensively about government accountability. “Lessons learned here will undoubtedly smooth the way towards greater accountability for a broader class of secret information processes, which are a hallmark of our digital age.”

Frankle co-wrote the paper with MIT professor Shafi Goldwasser, CSAIL PhD graduate Sunoo Park, undergraduate Daniel Shaar, and a second senior author, MIT principal research scientist Daniel J. Weitzner. 

The paper will be presented at the USENIX Security conference in Baltimore August 15-17. The research was supported by the MIT Internet Policy Research Initiative, the National Science Foundation, the Defense Advanced Research Projects Agency and the Simons Foundation.