Friday, July 3, 2015

A Declaration of Data Independence Through the Lens of the Patient

Data LiberaciĆ³n is our battle cry...


Six years ago I wrote a blog on Independence Day. In 1776 the 56 citizens of the 13 British colonies signed their names to a document declaring that the King was abusing the colonies and violating the basic principles of human decency bestowed by God. So they declared independence from Great Britain and birthed the United States of America.

Abraham Lincoln said in a speech during his Senate race against Stephen A. Douglas of the Declaration of Independence, "This was their majestic interpretation of the economy of the Universe. This was their lofty, and wise, and noble understanding of the justice of the Creator to His creatures."



We are blessed to live in the greatest country in the world. We have had many struggles and challenges and have had to to overcome the sins of the past, but the Founders wisely put in place a constitutional framework that allows for transformational changes to occur, generally without bloodshed. The Republic is alive and well and actually improves every generation. I wish all of you a peaceful, safe, and joyous Fourth of July celebrating with family, friends, and neighbors. I also hope that you will participate in the first Data Independence Day.

We need to declare our right to access our own health data. For far too long health information has been locked up in paper tombs and sharing has been difficult. A long time policy goal has been interoperability and patient engagement. Todd Park (at the time the CTO of HHS, who then went on to serve as CTO of the USA) rallied the troops at Health 2.0 over five years ago, and Data LiberaciĆ³n is our battle cry...

Patients have been denied access to their electronic medical record. Previously HIPAA was fairly weak in this area. The HIPAA omnibus rule expanded the right to patient access now into the digital realm.  It also updated the notice of privacy practices healthcare organization are required to provide to patients notifying them of their rights under HIPAA.

Among one of the perhaps lesser-known changes to HIPAA are that, if asked, providers must send a patient’s medical record to whatever email address said patient offers. The provider is allowed to warn them of the risks and have them sign a form, however, they are not allowed to deny that request. This actually lays a foundation to go beyond the requirements of the HITECH Act, but a patient access HIPAA violation can be a serious offense. One of the largest fines ever for a HIPAA violation, $4.3 million, was levied for not providing patients access to their own data.

This year the perfect storm arose with the announcement just prior to the annual HIMSS event of a proposal for a significant lowering of the bar for patient engagement in Stage 2 Meaningful Use in 2015, and the fierce opposition from many stakeholders. I was the ring leader for the Blog Carnival during HIMSS and was fortunate to have the topic of patient engagement. Farzad Mostashari, Former National Coordinator at ONC, called for a day of action. That day has come!


I've written before that Stage 2 Meaningful Use contains a Core Objective that all providers must use secure electronic messaging to communicate with patients on relevant health information. Another Stage 2 Core Objective is that all providers must give patients the ability to view online, download and transmit their health information within four business days of the information being available. The specifics require that 50% of all unique patients are given access to information, and that five percent (down from 10% in the proposed rule) are able to view, download or transmit to a third party relevant health information. These measures require patients to take action in order for a provider to achieve meaningful use and receive an EHR incentive payment. This year as CMS backed off on many of the requirements in a proposed rule, especially around patient engagement it created quite a stir.

At the Health Datapalooza conference it was announced that July 4, 2015 would be Data Independence Day. Generous donors and tireless advocates combined to create http://getmyhealthdata.org. Farzad Mostashari along with former White House CTO Aneesh Chopra and several open-data and consumer health advocates spurred us into a new phase in the health data access movement. Now a coalition of patient advocates has launched the Get My Health Data Campaign just in time for Data INdependence Day to support patients in asking for, getting and effectively using their digital health data.


This is all backdrop for where this gets deeply personal for me. A couple weeks ago I was in Boston for an invitation-only meeting on developing a national Health Information Technology Platform supporting Substitutable Apps known loosely as an “App Store for Health." The meeting brought together key stakeholders from industry, government, academia and the public sector to follow up the work begun six years ago at the ITdotHealth meeting. The meeting was moderated by one of my healthcare heroes Atul Gawande. I was scheduled to present on FHIR and talk about how the technical architecture of the future will support clinicians and patients have granular data level access to their health information. Unfortunately, on my way to the meeting I suffered a heart attack, fell and hit my head, and spent a week in the hospital. Fortunately, I was at an excellent world class academic medical center which is also one of the top cardiac centers on the planet. I received excellent care.

Unfortunately, I was never advised of my rights under HIPAA nor provided a copy of their notice of privacy practices (I actually never saw or signed any forms or documents at all during my stay). I have asked for but have not received an electronic copy of my medical record and am still waiting to receive all of the paper records. Remember that HIPAA requires them to provide an electronic copy of my medical record if they are capable of producing it. But the only way to request a copy of my medical record is by downloading a form from their website, printing it, signing it, and sending it by fax (you know that new-fangled health data transport mechanism). Then it will take up to 60 days to be sent.

When asking for an electronic copy I was told they did not have this capability. They do have a patient portal, where you can easily pay your bill, but health data access is extremely limited. They state that "The only way to export this information from the portal is to use the print option. There is no option to save this information to another document/system. Also, your complete medical record is not available on the portal." After being stabilized and able to travel home to Oregon, I followed up immediately with my PCP, cardiologist, and therapists; however, I had to piece together and incomplete medical record which could scanned into the EHR.

This is truly a call to arms. Every patient in this country should demand their rights under HIPAA and obtain a copy of their medical record, electronically if at all possible. Like the brave patriots from the Boston Tea Party it is time to take a stand...