Monthly Archives: April 2009

The FTC and PHR Breach Disclosure

Posted on by

The Federal Trade Commission has issued a draft rule that outlines how PHR providers must notify consumers in the event of security breaches (warning, PDF!). The rule includes platforms like HealthVault and Google Health along with individual PHR vendors like WebMD and ActiveHealth.  Comments can be submitted here, and are due by June 1st. This does NOT affect HIPAA covered entities such as hospitals and insurance companies, although the Department of Health and Human Services will be issuing one soon, and the content is expected to be quite similar.

The Recovery Act contained temporary requirements, which will remain in effect until Congress passes new legislation based on a report currently in development by HHS and the FTC. The report is due in a year, and legislation takes a long time, so these “interim” requirements will almost certainly be in force until 2010, and possibly longer. Interim rules that hang around long enough tend to be the basis of permanent rules.

Here’s a summary of who is affected and under what circumstances:

  • A “breach of security” is defined as the acquisition of identifiable health information of an individual, from a PHR, without authorization.
  • The rule also contains the word “unsecured.” This means encryption – if a laptop containing appropriately encrypted data is stolen, that doesn’t count as a breach for notification purposes.  HHS is responsible for issuing a guidance on acceptable security policies, to be updated annually.
  • Access is not the same as acquisition. Employees looking up records about friends and celebrities is a breach. An employee inadvertently loading the wrong record in the EHR is not.
  • The “fact of having an account with a vendor of personal health records” is itself considered sensitive information. The obvious example (used in the notice) would be releasing a list of names by a company that provides PHR services for AIDS patients.
  • De-identified information, according to the existing HIPAA de-identification rules, fall outside the scope of the rule.
  • “PHR related entities”  are what the platform vendors call “Personal Health Applications”. It’s a broad net, and the examples include websites offering medication management applications and bricks-and-mortar companies advertising dietary supplements online, as long as the interaction with these companies is through a PHR or PHR platform.  The definition also includes organizations that “access information in a personal health record or send information to a personal health record.”

The breach notification requirement itself has a few components:

  • Third party service providers must notify their customers (vendors of PHRs and PHAs) following the discovery of a breach. The individuals affected must be explicitly identified.
  • Notice must be received by a “senior official” of the PHR vendor or PHR related entity.
  • There is a “reasonably should have known” clause that sets an expectation of reasonable security measures. You can be in violation of the rule if you didn’t detect the breach in time. But since some breaches are hard to detect, you’re not always in violation if you discover something belatedly.
  • Notifications to individuals must be made “without unreasonable delay” and always within 60 days.
  • Notice must be by first-class mail, or by email if the individual consents (which must be “affirmative” consent, not something buried in an end user license agreement).  There is no obligation to provide notification by mail (although if the customer doesn’t consent to email notifications, you can’t provide them with service otherwise).
  • If ten or more individuals can’t be reached, a substitute notice must be posted – a large link on the home page for six months, or through a media campaign.
  • The FTC must be notified in five business days if 500 or more people are involved. If fewer than 500 people are involved, reports may be submitted annually.

That’s not all there is to it – the rule also describes the content of breach notices and the supporting document includes an economic impact assessment. I wrote some similar impact analysis documents when I was at CMS – it’s always a challenge to get it right.

My quick reaction: it’s not bad. We’ll see every PHR vendor race to add that “email notification” permission to their products. The cost of compliance shouldn’t be that burdensome, although it’s certainly non-zero, and that’s really the point – organizations need to take security seriously, and making breaches costly and embarrassing is a good way to do that.

Better care through empathy

Posted on by

Steve Portigal at Core77 mentions last Monday’s article in the New York Times about a new study from Israel that shows radiologists write more thorough reports when a file includes the patient’s photograph.  Sequestered in dark rooms, surrounded by computers, radiologists rarely meet their patients — being able to see even a glimpse of humanity among x-rays, CT scans, and MRIs seems to create a beneficial connection between doctor and patient that otherwise wouldn’t exist.

This new study opens up additional areas of research: do photographs improve distance medicine? What about surgical procedures when the patient’s face is blocked by a curtain? Or online pharmacies that never meet face-to-face with their customers?

Can PCHRs provide the data to personalize a medical encounter?

Back in 2006, when we redesigned the personal health data model for Indivo 3, I successfully lobbied to include a photo element in the patient’s contact information document.  At the time, I just thought it was logical to have a picture of the patient in the patient’s record.  Unfortunately, other development tasks took priority over integrating the photo feature into the reference UI.  The idea languished until I did some designing exercises for a next-generation PCHR user interface several months ago. My approach was to learn from the success of social networking systems to make a PCHR interface more human-centered and engaging. In our earlier work, we had been thinking so much about making PCHRs secure — it was fun to think solely about making them usable.

Including a photo in a PCHR patient profile

Including a photo in a PCHR patient profile

A list of family members with identifying photos

A list of family members with identifying photos

Now here’s where things could get interesting. Our interaction design process relies heavily on personas — composite visualizations of key users built with the ethnographic data we collect in our field research (interviews, surveys, etc.). It helps our team rally around our users as we design and build software.  Every design decision gets filtered through our personas.  “How would David build his research team? Does he think about roles, or does he already have collaborators in mind?”

An example of a persona from our grant collaboration project

An example of a persona from our grant collaboration project

Could a medical “persona” have the same impact in the delivery of healthcare?  Patient summaries as they exist today (and to the extent I’ve seen them) stick to core data like procedures, problems, lab tests, and immunizations. Primary care physicians, who we expect to develop a fuller, more human view of their patients, have increasingly less time to devote to social interaction. In our design personas we include sections for motivations, behaviors, and obstacles — might such information help caregivers move beyond the minutia of clinical “tasks” to, dare I say, “goal-directed” medicine?

Publish binaries, source, and JavaDoc using Maven

Posted on by

So you’re using Maven, like a smart Java developer. Wouldn’t your life be easier if your IDE was linked to your source code and JavaDocs? Maven makes publishing these very easy. Once correctly configured, a simple command (mvn publish) will automatically publish your artifacts to the repository of your choice. Let me show you how.

Why?

You may ask yourself, “Why do I need to publish binaries, source, and JavaDoc? My users already have the source code.” Here are the reasons:

  1. Increase the chance of people using your code. By publishing your artifacts to a repository, particularly for secondary modules and dependencies, you save your users the trouble of doing so. At ISG, we have products that depend on in-house libraries. Before we started publishing artifacts to a standard repository, a user would have to download and build three libraries just to build one project. You want people to actually use your product, right? Make it easer and more convenient for them.
  2. Increase the chance of the build executing correctly. By building the prerequisites jars for your users and pushing them to a repository, you don’t have to worry about them forgetting to update the sources of the dependencies. Many times, I have had coworkers yell out, “Hey, Product A isn’t compiling” to which an engineer would yell back, “Update your source for Module B.” Now that we have our own Maven repository, a user only has to worry about updating the module he or she is interested in building as all dependencies are published to our repo.
  3. Eclipse will automatically import your source and JavaDocs. This is my favorite reason. By hitting F3, while selecting a class, variable, or method, you can view its source. By hitting Shift+F2, you can view the JavaDoc in your web browser. It makes it much more convenient to traverse through code and view documentation.  Now when you build your eclipse project using mvn eclipse:eclipse, it’ll download your source and JavaDoc jars automatically.
  4. Increase the chances of your code being used correctly. As mentioned above, the easier it is for people to read your documentation, the less likely they are to ask you stupid questions or dismiss your product as defective.

You greatly increase the probability of adoption if your product is convenient to build, easy to use, and the reference documentation is readily available.

How?

So if you’re still reading than perhaps I’ve persuaded you to give it a try.  The process is simple:

  1. Tell maven to assemble a JavaDoc and source jar.
  2. Put a link to your repository in your project or one of it’s parents to enable automatic uploading.
  3. Put your security info in .m2/setting.xml, so your credentials to your repository don’t get committed into version control

Configuring your POM

Unfortunately source and JavaDoc are not enabled by default, so you have to tell maven-javadoc-plugin and maven-source-plugin to package both into a Jar.

<build>
...
<plugins>
...
 <!-- Package source to JAR to upload to repo-->
 <plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-source-plugin</artifactId>
    <executions>
       <execution>
          <!-- Restrict execution of source compilation to install or deploy. -->
          <!-- The default is package. -->
          <phase>install</phase>
          <goals>
             <goal>jar</goal>
          </goals>
       </execution>
    </executions>
 </plugin>
 <!-- Package JavaDocs to JAR to upload to repo -->
 <plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-javadoc-plugin</artifactId>
    <executions>
       <execution>
          <id>attach-javadocs</id>
          <!-- Restrict execution of source compilation to install -->
          <phase>install</phase>
          <goals>
             <goal>jar</goal>
          </goals>
       </execution>
    </executions>
 </plugin>
...
</plugins>
</build>

If you don’t already have a repository

If you’re going to share your code with users, you’ll obviously need a place to put files. For maven, this is simply a web-accessible folder where artifacts are organized using a strict directory naming convention. The bare minimum for a repository is simply a web-accessible folder with a means of remote access. Most first repos are simply a directory on an Apache HTTP server. Most users choose FTP, SSH, or WebDAV to publish their files.

Editing your POM to tell your project where to shove those files

WebDAV is the easiest method to get automatic publishing working. If your repository supoprts WebDAV, Just paste the following into your pom.xml file:

<distributionManagement>
   <repository>
      <id>mycompany.releases</id>
      <name>A friendly description of your release repo</name>
      <url>http://your.webdav.url/releases</url>
   </repository>
   <snapshotRepository>
      <id>mycompany.snapshots</id>
      <name>A friendly description of your snapshots repo</name>
      <url>http://your.webdav.url/snapshots</url>
   </snapshotRepository>
</distributionManagement>

Configuring your ~/.m2/settings.xml file to authenticate with your server.

Technically, your credentials don’t have to be in your settings.xml. You can omit credentials and Maven will prompt you for a username and password for each connection. This is quite tedious and I’d recommend using the settings.xml file. The settings.xml file is designed specifically for workstation-level settings, like security credentials.

Add the servers snippet below to your settings.xml.

<settings xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
...
<servers>
   <server>
      <id>mycompany.releases</id>
      <username>your.username</username>
      <password>your.password</password>
   </server>
   <server>
      <id>mycompany.snapshots</id>
      <username>your.username</username>
      <password>your.password</password>
   </server>
</servers>
...
</settings>

Additional Options:

Publish to SSH or FTP

Apache has an excellent reference at http://maven.apache.org/plugins/maven-deploy-plugin/project-deployment.html explaining how to publish using SSH and FTP. You can even deploy using SSH from Windows.

Publish to Nexus

Nexus is an open source repository manager and a powerful tool for Maven users.  It acts as a proxy and aggregator and downloads dependencies from multiple sites. This is my personal choice for managing dependencies. The main benefit is the proxy that allows me to retrieve jars from dozens of repositories, but only expose one URL to our users. It also makes uploading third party dependencies very easy for those situations where you have a great library you want to use, but no repository to download them from. By default, Nexus uses WebDAV to allow easy uploads and is easy to install. It is simply a war and can be deployed to Tomcat or run from embedded Jetty (see my previous post to learn how to enable it yourself).

Settings for Eclipse Users

If you’re using Netbeans or IntelliJ, congratulations, you’re done. Your IDE natively recognizes Maven projects. Eclipse users have one extra step.

There are presently two popular ways to use a Maven project in eclipse: maven-eclipse, the built-in plugin, and m2eclipse (http://m2eclipse.codehaus.org/).
Maven-eclipse will create eclipse .project and .classpath files for you to import into any eclipse install. M2eclipse requires you to download and eclipse plugin, but adds many powerful features, including the ability to automatically update your classpath as your POM changes as well as launch and debug Maven processes, such as Jetty or the Maven test runner.

If you use maven-eclipse (mvn eclipse:eclipse), make sure the following parameters are set in your pom.xml build section:

<build>
   <plugins>
      <!-- eclipse plugin -->
      <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-eclipse-plugin</artifactId>
         <configuration>
...
            <downloadSources />
            <downloadJavadocs />
         </configuration>
      </plugin>
   </plugins>
</build>

For our POMs, we also add WTP and Spring IDE support:

<plugin>
 <groupId>org.apache.maven.plugins</groupId>
 <artifactId>maven-eclipse-plugin</artifactId>
 <configuration>
    <additionalProjectnatures>
       <projectnature>org.springframework.ide.eclipse.core.springnature</projectnature>
    </additionalProjectnatures>
    <additionalBuildcommands>
       <buildcommand>org.springframework.ide.eclipse.core.springbuilder</buildcommand>
    </additionalBuildcommands>
    <wtpversion>2.0</wtpversion>
    <downloadSources />
    <downloadJavadocs />
 </configuration>
</plugin>

If you use m2eclipse (mvn eclipse:m2eclipse), you can enable source and JavaDoc retrieval in the settings tab.

Check Download Artifact Sources and Download Artifact JavaDocs

Check Download Artifact Sources and Download Artifact JavaDocs

Conclusion

It’s quick and easy to publish binaries, source, and JavaDocs using Maven.  With minimal effort, you can dramatically increase the probability of the adoption and successful use of your product.  This is just one of the many menial programmers’ tasks that can be automated using Maven, allowing you to focus your attention on pleasing your customer and not worrying about your build.

References:

PHR Package & Reconcile

Posted on by

A quick followup to yesterday’s post on PHRs and Claims Data. Sean Nolan, the architect of HealthVault, has a nice comment on John Moore’s post on the Boston Globe article that does a nice job of explaining their “package and reconcile” model for importing data into HealthVault. For those wondering how PHR platforms map to document standards like the Continuity of Care Record, this is a nice clean explanation.

Bad Data & PHR Adoption « Chilmark Research.

Claims Data and PHRs

Posted on by

The Boston Globe ran a piece this morning about the challenges of using insurance claims data to populate PHRs. It’s nicely done, and highlights what a shame it is that the Boston Globe is teetering on the verge of bankruptcy.

Electronic health records raise doubt – The Boston Globe.

Dave deBronkart, the patient involved, has been an active blogger for several years at e-Patient Dave.

Claims data is very challenging – it’s messy and not particularly precise.  I always envisioned claims information as being useful primarily as a directory, rather than a source of actual content for PHRs. The insurance company knows where you’ve gotten treatment, and that information can be used by a PHR platform to seek out information from clinical systems. Of course, that requires a lot more interoperability in the entire system than we have today.

Another approach is to work backwards – rather than including every claim from an insurance company in the PHR, only include the unambigous subset. A flu shot is a flu shot. But some data is just ambigous – like the cancer in the story, which seems tohave used a broad billing code. And some, of course, is intentional – physicians who file a misleading diagnosis so that a patient can be reimbursed for an off-label use of an expensive drug.  So for these cases – give the user an interface that allows them to review potentially problematic data, and explain clearly that some of it might not be entirely accurate, and there’s a good reason for that.

Finally, consumer controlled health records require very clear statements of data provenance. This was something our group paid a lot of attention to back when we were working on active development in the area, and Microsoft does a pretty nice job in HealthVault as well. I don’t know what Google’s design rationale was in not choosing to surface this information more prominently, but to my mind it was a mistake. Ten years from now we may have clinical data flowing so effortlessly that we can simply sit back and trust in the validity of any automatically sourced data. But that day is not today.

Checklists aren’t just for pilots

Posted on by

My father runs a flight school, and over the years I’ve met more than my share of private pilots.  A lot of them fly aerobatics, which involves taking a perfectly good airplane, flipping it upside-down, and performing feats that are not intended to make my mother particularly calm. It’s a fascinating little subculture, and a few years ago I spent a weekend at an aerobatic competition in upstate New York, hanging out with the pilots and generally poking around. What struck most was how safety conscious all of these pilots were. For one thing, nobody took off without going through a simple checklist of key flight safety operations.  They were all expert pilots – one had flown with Chuck Yeager in the Air Force in the 1950s – and had taken off thousands of times. And they did the checklist every time.

More recently, checklists have become a big deal in medicine. The best layman’s introduction is Atul Gawande’s 2007 New Yorker article on the subject. The short version is that by making a list of simple steps, and following those steps every time, you can eliminate “never events” (like taking out the wrong kidney), and dramatically cut a lot of other risks as well. It sounds like a no-brainer, and it probably is. But checklists have met with a surprising amount of resistance, which are nicely summarized by the following two clips from the penultimate episode of NBC’s “ER”:

And the punchline:

It’s network television, and so it’s a bit over the top – but my surgeon and medical resident friends tell that the attitude of the lead surgeon is pretty typical – and that without a champion in the room, the checklist won’t get used. I’ve observed this myself when visiting ORs – checklists were completed, but they were completed after the procedure was over, when the nurse had a few minutes to spare (so my colleagues don’t go after me, I should say that this was not at a Harvard teaching hospital).

So they’re good for pilots, and good for doctors and nurses. And, of course, they’re good for just about everyone else. They’re definitely good for EHR deployments, and for decisions about personal health planning. And they’re good for software development, too. Over the last few months I’ve written several checklists to govern different aspects of our software design, review and deployment policies. We’re all smart people, but we’re not going to remember everything. Over the next few weeks I’m going to share some of the software development checklists we’ve developed, and I hope readers will pitch in with their own ideas.

Cufón: A step closer to web fonts support

Posted on by

About ten years ago, I first played with Microsoft’s font-embedding technology for the web, WEFT.   It was pretty simple — generate a condensed version of your web page’s font files, add some code to embed them in your HTML, and then any lucky user of Internet Explorer 4+ could see your site just the way you intended it.

Like any good web innovation from Microsoft, it wasn’t supported by rival browsers, so I forgot about it for a while, checking in every now and then for some progress. In the meantime, I generated headlines and buttons as images, even going so far as to use a Comic Sans with Windows 95).

Of course, I also watched in disgust as the web community foolishly flocked to

Then, last week, I read about Cufón on Cameron Moll’s blog.  It’s a pure JavaScript/CSS solution for rendering text with your desired typeface, which is used just like WEFT, only the font conversion occurs through an online script rather than desktop software.  Cameron lists Cufon’s drawbacks as compared to sIFR, but they seem pretty reasonable given its advantages: Cufón does not require third-party client software, it zooms cleanly within the browser, and it’s very easy to work with.

WEFT hasn’t died, though.  Implementation is still perilous, and font licensing issues still hamper it, but Firefox 3.1 3.5 will support the @font-face rule.

All this discussion raises the question: is it worth it?  I love typography; in fact, I’m teased at the office for trying to use such wacky, non-traditional fonts like Helvetica in our PowerPoint presentations.  On the web, though, I don’t think the benefits of custom fonts outweigh the costs to usability and complexity of implementation.  There are some great examples of web typography that carefully use default fonts. I think I’ll wait for ubiquitous, consistently cross-browser support of web-embeddable fonts before wading those waters again.

Google Health integrates with CVS

Posted on by

Ok, back to Health IT and PHRs. This is something I’d hoped to see:

CVS-Google Health pact now includes drugstores – BusinessWeek.

Medication lists are the most important part of a Personal Health Record. Over the last four years I’ve spent a lot of time talking with physicians about this, and it’s almost the only point of complete unanimity. “Give me the medication list,” they say, “and all else is forgiven.” A physician can infer quite a bit of very useful information from a the drugs a patient is taking.

I’m looking forward to trying this out. Unfortunately (for this very specific task) I’m not on any chronic medications. But I do fill all my prescriptions at CVS, since I’ve spent the last five years in Boston and Washington, both cities with extreme CVS penetration. So they have data on me – we’ll see how easy it is to get it out without having a new prescription filled.

The next step is for other pharmacy chains to follow suit (I think they’ll have to – WalMart and Walgreens, in particular). The CVS announcement demonstrates that the security and identity issues are manageable. This is a lot simpler than building a Health Information Exchange, where you have to identify patients at one or more degrees of remove. Determining that Patient A, visiting Hospital B, is the same Patient A that visited Hospital C three weeks ago is a hard problem, particular when Patient A isn’t involved in the determination. Figuring out how to release pharmacy data to Patient A is a lot simpler – because all that CVS really has to do is prove that they’re turning over the data to the Google Health account associated with the person who physically walked into the store and picked up the pills. All the necessary identity proofing is already in place, and if the patient used a fake name and paid cash – so what? It’s still not a HIPAA violation.

Widespread pharmacy adoption is going to blow PHR adoption wide open, and Google just took the high ground. I expect to see a similar announcement around integration with HealthVault shortly. CVS Caremark and Microsoft did a webinar together a few weeks ago, and Dr. Troy Brennan, CVS’ Executive Vice President and Chief Medical Officer, was previously at Aetna where he was a major supporter of the ActiveHealth PHR platform. He gets it – and CVS certainly understands that a single PHR platform partner is not in their best interest. My prediction for the future is that we’ll see all of the major chains linked up with both Google Health and HealthVault within the next year.

PhRMA Supports Comparative Effectiveness

Posted on by

I’m getting pretty nerdy on the health policy front today, since despite all the HIMSS chatter on the blogs, this is the one that most caught my eye this morning:

Comparing Drugs Is ‘Real World’ Demand, New PhRMA Head Says – Health Blog – WSJ.

In short, PhRMA, the lead trade group for the pharmaceutical industry, is notionally supporting (who knows what’s going on in the back rooms) the idea of comparative effectiveness research. Comparative effectiveness, for those who don’t read Health Affairs for fun, is the concept of comparing two treatments on a value basis, and using that information to make reimbursement decisions. It produces results like “on average, this drug will extend life by three months, at low quality, for a total cost of $75,000″. Using that information, the people who pay for healthcare (governments, insurance companies, large employers and so forth) can make what are essentially rationing decisions. Basically, if we only have a certain number of dollars to spend, we should spend it on the treatments that provide the most bang for the buck.

Europeans have been doing this actively for years. It’s why healthcare costs are lower over there, and also why some treatments aren’t available, or are only available to patients in certain age brackets or with other qualifiers. Americans have been traditionally distrustful of CE research. Medicare and FDA legislation, for instance, specifically bar “value” determinations – the CMS can’t generally say no to a new treatment that’s better than the one it replaces, even if the cost increase is substantial and the incremental benefits marginal. But this is changing, and the stimulus bill includes a substantial bolus of money – over $1 billion – to support it.

On the surface, it’s odd to see the drug companies getting behind the concept. After all, they’ve years fighting NICE (the Comparative Effectiveness group in the UK) over reimbursement for various expensive cancer treatments. It may just be that they see the way the wind is blowing. But I think there’s something else to it as well. Let’s think about how the overall cost of care breaks down:

US Healthcare Spending Breakdown

For the full Robert Wood Johnson Foundation report from which I stole that image, click here (warning: PDF!). The take away is that prescription drugs are the smallest part of overall healthcare spending. Now, this is a little misleading, since a lot of pharmaceutical profits are tucked away in the “Hospital Care” segment. But you have to think – the pharmaceutical industry is a handy political target because lots of voters pay for drugs at least partly out of pocket, and for many it can be a real burden. But viewed from a comparative effectiveness standpoint, drug treatments may stand up very well against more intensive interventions, like surgery.

Could be nonsense, of course – and the simple explanation, that they’ve decided not to fight a battle they can’t win – certainly makes sense. But I can’t imagine this hasn’t crossed somebody’s mind down at PhRMA HQ.

Back to Health IT land tomorrow, I promise.

Meaningful Use

Posted on by

The first thing I missed by not going to HIMSS this year was a session where several legislators discussed the economic stimulus package.  The essential point: it’s important to define “meaningful use” of EHRs as soon as possible, and nobody entirely agrees how to do it. Legislators discussed how bad the Federal government’s track record of identifying value has become, and  Senator Sheldon Whitehouse told an audience that coming up with the definition will be “difficult and complicated.”

I briefly touched on this last week, and my opinion of the options hasn’t changed. Seeing this kind of discussion is important (and post-worthy) because it makes it crystal clear that nobody in Congress has any particular idea what was meant. And so the lobbying will continue. Write your Congressman.