Future of Google Health

John Moore at Chilmark Research asks today if Google Health is irrelevant. I’m re-blogging it because I agree with him. Microsoft is easily the leading player in broad audience Personal Health Record platforms. That doesn’t mean their product is ideal – it’s certainly not – but they’ve been improving it steadily and have integrated it with a very cohesive strategy aimed at engaging with the healthcare industry as a whole. Google hasn’t done that.

One take-away I had from the Microsoft Health Solutions Group conference in June (besides one heck of an airplane-acquired infection) was how tightly Microsoft is linking Amalga UIS – its hospital intelligence/data warehousing offering – with HealthVault. Amalga is the back-door – hospitals will make the data integration investments because of bottom-line and quality improvement benefits that are realized by UIS. But once that work is done, integrating with HealthVault is just flipping a switch. Microsoft has allocated its R&D money accordingly.

Google, on the other hand, still strikes me as simply dallying in healthcare. They’ve done some good work in focused healthcare search, but that’s pretty much where it ends. I completely agree with John’s statement that Google has gotten disproportionate attention simply because it’s Google. I’m not really inclined to start trying to take down the myth of Google here, but it’s safe to say that the company isn’t omnicompetent. From very personal experience, it was quite difficult to get projects in PHR off the ground during the six months after Google Health leaked but before it launched. There was a huge chilling effect – everybody wanted to wait and see what Google would do.

Chrome OS has nothing to do with PHRs

I usually don’t bother picking on other people’s editorials. But this one, from FierceHealth IT (which I usually like, incidentally – it’s a nice roundup of daily HIT stories) just struck me as trying to fill space:

Google’s Chrome OS may heat up PHR competition with Microsoft – FierceHealthIT.

Google’s Chrome OS has nothing to do with healthcare. This is not a signal of the shift to cloud computing – that signal flare went up several years ago. Google won’t “tightly couple” Google Health to Chrome OS. HealthVault is just as web based and interactive as Google Health (admittedly, a little more complex to use, but you get more out of it).  Both systems have all kinds of big, enterprise-class integrations behind them.  Chrome OS is about Netbooks – they’ll ship a few million units on cheap hardware, and it will be easier for us to sit in front of the TV at night checking email. I won’t say it will never be a competitive desktop operating system, but that would be many years and several paradigm shifts down the road. A new version of Google Calendar would be more significant – at least you could integrate that with appointment reminders somehow.

The last sentence kind of sums it up:

I don’t pretend to have any kind of crystal ball here. But I do think it’s hard to argue that the PHR world is a lot more interesting with the Chrome OS in it.

That’s verbatim. And I agree – it is VERY hard to argue the proposition that Chrome OS makes any kind of difference whatsoever.

Android, by the way, is a different story – while it’s also too early to say, Google’s OTHER OS project, intended at the moment for cell phones, could enable a range of interesting healthcare applications. Since it doesn’t require always-on connectivity, Android could form the base of a handheld computing ecosystem in healthcare. Apple’s iPhone OS could do the same thing, and if Apple brings out a tablet, as they’re now expected to, I’d look for a wave of innovation coming off that platform. Local storage coupled with intuitive interfaces and great performance? That matters.

The Tories and HealthVault

The Google froth turned up an interesting op-ed from the Guardian newspaper in London. Apparently the Conservative party has started agitating for use of systems like HealthVault and Google Health to replace the large, centralized National Health Service databases. Certainly fits the small-government agenda, but as the article correctly points out there’s a lot more in a real EHR than you’re going to find in HealthVault. Patients do need their records – but so do physicians.

The Guardian: Don’t ask the public to care for its data.

To be fair, the proposal only came from a think tank, and they weren’t really focusing on healthcare per se; they were focusing on large government programs. But still, I’ve heard the same question come up from very educated sources outside the health and health IT areas.

Microsoft Connected Health Conference

I spent all day yesterday at the Microsoft Connected Health Conference in Bellevue, Washington. I had to miss today’s wrap-up sessions in order to attend a few other meetings, and was generally crippled through the whole event thanks to an airplane-acquired something-or-other, but it was still a very interesting day. One of the great things (if not the only great thing) about a sore throat is that it gives you an excuse to listen to other people.

The conference opened with a very nice panel, featuring Peter Neupert, Microsoft’s Corporate VP for the Health Solutions Group, Uwe Reinhardt of Princeton University, former Secretary of Health and Human Services Michael Leavitt, and David Kibbe of the AAFP. The topic was one that we’ve all rehashed dozens of times – how do we fix the US healthcare system, what role can Information Technology play, and if IT is valuable in the long term, what do we have to do to get it into place?

That’s an important distinction, by the way, that many events miss. Health IT adoption is not a goal in and of itself. The fact that my physician types rather than uses a pen is of no intrinsic value to me. The value comes in faster, more accurate, safer, cheaper and more effective healthcare.  That’s the goal – investments in Health IT are just one of several non-exclusive paths to a more functional healthcare system.

In the end, the panel concluded that it all comes down to Congress. When I was at HHS myself, we had all kinds of things we wanted to try, but we generally couldn’t – not enough money, or not enough Congressional authorization.  A great example of this phenomenon (which Leavitt mentioned in his remarks) was a recent program to require bidding for Medicare Durable Medical Equipment contracts. Congress actually authorized the program, which went into effect on July 1, 2008, and was projected to save the government about a billion dollars (and that from just ten products in ten regions). The DME industry went to Congress, and on July 17th the program was shut down. At CMS and on the AHIC Chronic Care workgroup we looked at trying to do a demonstration program for electronic patient visits, but were blocked because the Medicare telemedicine statutory restrictions are very, very tight.

Another point of (at least apparent) consensus on the panel was that while the Medicare reimbursement system was fundamentally flawed, its status as the 800-pound gorilla of the US healthcare system means that every hospital and small practice has to set themselves up around the Medicare fee-for-service model. Fee-for-service payments are not good at aligning incentives between participants in a market. So what happens if (as some propose) we extend Medicare to the entire population? Will centralized ownership of risk lead to the kinds of preventive medicine programs and support for (appropriate) technology investment that will ultimately take cost out of the system? Or will the system ossify under Congressional supervision?

I offer no answers, of course. I’ll post some other thoughts on the conference later (particularly around HealthVault and Amalga), but for now, I leave you with a great, if slightly paraphrased, Leavitt quote from the keynote panel: “The problem isn’t a lack of political will. It’s an overabundance of political will. Whenever we get close to actually making a change people start unholstering their political will on each other.”

The FTC and PHR Breach Disclosure

The Federal Trade Commission has issued a draft rule that outlines how PHR providers must notify consumers in the event of security breaches (warning, PDF!). The rule includes platforms like HealthVault and Google Health along with individual PHR vendors like WebMD and ActiveHealth.  Comments can be submitted here, and are due by June 1st. This does NOT affect HIPAA covered entities such as hospitals and insurance companies, although the Department of Health and Human Services will be issuing one soon, and the content is expected to be quite similar.

The Recovery Act contained temporary requirements, which will remain in effect until Congress passes new legislation based on a report currently in development by HHS and the FTC. The report is due in a year, and legislation takes a long time, so these “interim” requirements will almost certainly be in force until 2010, and possibly longer. Interim rules that hang around long enough tend to be the basis of permanent rules.

Here’s a summary of who is affected and under what circumstances:

  • A “breach of security” is defined as the acquisition of identifiable health information of an individual, from a PHR, without authorization.
  • The rule also contains the word “unsecured.” This means encryption – if a laptop containing appropriately encrypted data is stolen, that doesn’t count as a breach for notification purposes. HHS is responsible for issuing guidance on acceptable security policies, to be updated annually.
  • Access is not the same as acquisition. Employees looking up records about friends and celebrities is a breach. An employee inadvertently loading the wrong record in the EHR is not.
  • The “fact of having an account with a vendor of personal health records” is itself considered sensitive information. The obvious example (used in the notice) would be releasing a list of names by a company that provides PHR services for AIDS patients.
  • De-identified information, according to the existing HIPAA de-identification rules, falls outside the scope of the rule.
  • “PHR related entities”  are what the platform vendors call “Personal Health Applications”. It’s a broad net, and the examples include websites offering medication management applications and bricks-and-mortar companies advertising dietary supplements online, as long as the interaction with these companies is through a PHR or PHR platform.  The definition also includes organizations that “access information in a personal health record or send information to a personal health record.”

The breach notification requirement itself has a few components:

  • Third party service providers must notify their customers (vendors of PHRs and PHAs) following the discovery of a breach. The individuals affected must be explicitly identified.
  • Notice must be received by a “senior official” of the PHR vendor or PHR related entity.
  • There is a “reasonably should have known” clause that sets an expectation of reasonable security measures. You can be in violation of the rule if you didn’t detect the breach in time. But since some breaches are hard to detect, you’re not always in violation if you discover something belatedly.
  • Notifications to individuals must be made “without unreasonable delay” and always within 60 days.
  • Notice must be by first-class mail, or by email if the individual consents (which must be “affirmative” consent, not something buried in an end user license agreement).  There is no obligation to provide notification by mail (although if the customer doesn’t consent to email notifications, you can’t provide them with service otherwise).
  • If ten or more individuals can’t be reached, a substitute notice must be posted – a large link on the home page for six months, or through a media campaign.
  • The FTC must be notified in five business days if 500 or more people are involved. If fewer than 500 people are involved, reports may be submitted annually.

That’s not all there is to it – the rule also describes the content of breach notices and the supporting document includes an economic impact assessment. I wrote some similar impact analysis documents when I was at CMS – it’s always a challenge to get it right.

My quick reaction: it’s not bad. We’ll see every PHR vendor race to add that “email notification” permission to their products. The cost of compliance shouldn’t be that burdensome, although it’s certainly non-zero, and that’s really the point – organizations need to take security seriously, and making breaches costly and embarrassing is a good way to do that.

PHR Package & Reconcile

A quick followup to yesterday’s post on PHRs and Claims Data. Sean Nolan, the architect of HealthVault, has a nice comment on John Moore’s post on the Boston Globe article that does a nice job of explaining their “package and reconcile” model for importing data into HealthVault. For those wondering how PHR platforms map to document standards like the Continuity of Care Record, this is a nice clean explanation.

Bad Data & PHR Adoption « Chilmark Research.

Google Health integrates with CVS

Ok, back to Health IT and PHRs. This is something I’d hoped to see:

CVS-Google Health pact now includes drugstores – BusinessWeek.

Medication lists are the most important part of a Personal Health Record. Over the last four years I’ve spent a lot of time talking with physicians about this, and it’s almost the only point of complete unanimity. “Give me the medication list,” they say, “and all else is forgiven.” A physician can infer quite a bit of very useful information from the drugs a patient is taking.

I’m looking forward to trying this out. Unfortunately (for this very specific task) I’m not on any chronic medications. But I do fill all my prescriptions at CVS, since I’ve spent the last five years in Boston and Washington, both cities with extreme CVS penetration. So they have data on me – we’ll see how easy it is to get it out without having a new prescription filled.

The next step is for other pharmacy chains to follow suit (I think they’ll have to – WalMart and Walgreens, in particular). The CVS announcement demonstrates that the security and identity issues are manageable. This is a lot simpler than building a Health Information Exchange, where you have to identify patients at one or more degrees of remove. Determining that Patient A, visiting Hospital B, is the same Patient A that visited Hospital C three weeks ago is a hard problem, particularly when Patient A isn’t involved in the determination. Figuring out how to release pharmacy data to Patient A is a lot simpler – because all that CVS really has to do is prove that they’re turning over the data to the Google Health account associated with the person who physically walked into the store and picked up the pills. All the necessary identity proofing is already in place, and if the patient used a fake name and paid cash – so what? It’s still not a HIPAA violation.

Widespread pharmacy adoption is going to blow PHR adoption wide open, and Google just took the high ground. I expect to see a similar announcement around integration with HealthVault shortly. CVS Caremark and Microsoft did a webinar together a few weeks ago, and Dr. Troy Brennan, CVS’ Executive Vice President and Chief Medical Officer, was previously at Aetna where he was a major supporter of the ActiveHealth PHR platform. He gets it – and CVS certainly understands that a single PHR platform partner is not in their best interest. My prediction for the future is that we’ll see all of the major chains linked up with both Google Health and HealthVault within the next year.