By Adrian Gropper, MD

In June 2006, a number of vendors demonstrated, for the first time, the application of a new generation of consumer privacy technology to personal control of private health information. Just as with personal finance software as it applies to banking, the technology to manage personal health information and to connect broadly and privately with people and services around the world is now at hand. The legal right of patients to their own health information is well established, but powerful strategic interests currently hold back practical access to this information. Those interests are a legacy of America's unique employer-based private health insurance and managed-care bureaucracy, which spends some $1,000 per person annually on administrative costs alone. In a Web-connected world, accurate and comprehensive personal health records are the essential intermediary for both consumers and policy-makers aiming to protect families, to keep our economy competitive, and to support ongoing medical innovation.

The Foundation for Personal Health Records
Personal health record banking has become practical as a result of two unrelated efforts inside and outside the healthcare industry. Inside healthcare, we have the heroic work of a group of primary care physicians to standardize the way they describe a patient's health status. Beyond healthcare, extensive investment by large, corporate interests to protect the privacy and security of consumer Web services is also bearing fruit.

Motivated by their self-interest in the open and fair evaluation of healthcare quality, the physicans' work has resulted in the ASTM standard Continuity of Care Record (CCR), a thorough and very cost-effective means to communicate personal health information, complete with legally binding source attribution with electronic signatures. Although created by practitioners for practitioners, the CCR is designed to also be accessible to patients digitally as well as on paper.

These physicians, representing the American Academy of Family Physicians, the Massachusetts Medical Society, and more than a dozen other professional organizations, recognized the benefit of standardized, clear, and low-cost medical records that do not lock them in to a particular managed care or health insurance enterprise. In retrospect, it is not surprising that the resulting standard, the CCR, is focused on the patient rather than the enterprise. Adoption of the CCR among emerging personal health records vendors and patient-centered businesses is to be expected, but the CCR standard by itself was not intended to address the privacy risks that a patient faces once his records are accessible over the Internet.

On the privacy and security front, the Liberty Alliance Project and compatible initiatives are poised to make identity protection, the discovery and disclosure of private information, and the audit of disclosures on the Web the foundation of an increasingly paperless and global economy. Consumer privacy is critical to the continued growth of the global electronics, telecommunications, and banking industries. As sponsors of the Liberty Alliance Project, corporations in these sectors have taken the lead in developing, standardizing, and promoting very sophisticated technology to increase consumer confidence in transactions over the Internet. Part of their solution aims to eliminate the tyranny of having to disclose private details and memorize passwords to every merchant you open an account with by standardizing "single sign-on." Other Liberty Alliance innovations give the consumer unprecedented control over his personal information in order to prevent identity theft and embarrassment.

Voluntary Participation Is Essential
Voluntary and non-coercive participation is a cornerstone of both the practice of medicine and the preservation of consumer privacy, particularly in the United States where the government mandate includes neither European-style information restrictions nor universal health coverage. Trust is essential for effective healthcare. Lack of trust wastes money, risks legal action, and corrupts information that could be used for biosurveillance and outcomes research. In an unconnected (paper-based) practice, patients are not required to trust invisible technology as long as they're paying cash. They have an implied right to be treated as they present themselves. Connected practices raise a variety of privacy and identity issues to the extent that they communicate private information without informed patient consent.

The HIPAA form that asks patients to agree to accept an institution's vague information practices as a pre-requisite of treatment is not much of a trust-building tool and it is certainly not informed consent. As typically worded, this blanket permission is vague as to who owns patient information as well as how and when the information can be shared beyond the practice itself. Today's HIPPA consents reflect the interests of mega-hospitals and mega-insurance companies struggling to keep as much information as possible away from competitors. The patient is left to fend for himself by forcing him to continually ask, usually in person and in writing, for his own health information, which is usually incomplete and delivered as paper instead of up-to-date, consolidated, digital reports.

Patient identification is another major component of all medical information networks and has significant impact on the benefit vs. risk equation when a patient is asked to allow any persistent record of an encounter. Blood donation, for example, is a common practice that forces an individual to disclose his or her identity in return for minimal direct benefit. A rather complete personal history and some very personal blood tests are recorded by the American Red Cross under the specified identity. Would either the patient or the Red Cross want the results of the blood donor screen to be posted to an ill-defined and evolving national health information network (NHIN)? Even if the results were not to be posted to the NHIN, would either party agree to the donor's identity being posted to a regional or national record locator service? It's fairly clear that in this example, neither the patient nor the Red Cross would benefit from posting the donor's identity and medical history to the Internet because in some cases the donor might forgo giving blood. The need for voluntary participation in a national health information network is no less clear when the health care encounter is a visit to a psychiatrist or a gynecology clinic or even a pediatrician.

A bank or credit card number is an example of a voluntary identity — a person can have as many as they feel that they need at limited cost, and they can more or less control the private information associated with each voluntary identity. The opposite of a voluntary identity is a tattoo or a chip that is implanted and can be read at a distance. Voluntary identity has been proven effective as the foundation of trust between people and diverse banking and merchant institutions world-wide. Extending well-understood voluntary identity principles to healthcare institutions is one way to promote trust and voluntary participation by patients and physicians in a national health information network.

Connected Patients and Doctors
The role of information technology toward staying healthy is growing as consumers and patients get increasingly sophisticated in using the Internet. For example, with good interfaces and a bit of attention, the consumer's personal finance application perspective is more accurate and useful than any single bank, money manager, or credit bureau. Technology will soon enable the patient's personal health record to combine information across multiple labs and hospitals the same way that Quicken assembles your financial profile across multiple merchants and banks. Internet savvy patients and personal health records are converging on the physician-patient relationship.

There's a kind of mass hysteria these days around introducing information technology to healthcare. Yet, other than Consumers Union, almost nobody is looking at technology from the perspective of patients, and few primary care physicians are taking the time to ponder the impact on their profession. Information technology is being used strategically by hospitals and insurers to increase profitability whether the institution is for-profit or not! Under the flag of quality and safety, highly integrated and therefore very inflexible enterprise information systems restrict the professional information tools of physicians and treatment alternatives of patients and drive both toward increased corporate consolidation, bundling of services, and branding of services. The result not only drives up prices, but it also obscures objective quality measures behind proprietary data banks, hampers innovation by forcing all physicians to use the same information technology, and increasingly drives clinical decisions to depend on secret and non peer-reviewed software.

Patient-centered technology places the personal health record at the crossroads of primary care, devices and labs, specialists, and healthcare facilities. A patient-centered system assumes that each person has multiple providers and each doctor has their choice of information tools. Independent personal heath record services can connect devices to patients to doctors-as-individuals, in that order. The enterprise or practice management system is allowed to focus on scheduling and billing instead of clinical decision support. Patients derive value when their health maintenance choices expand to include their home, their community, and the online community. Like a good insurance policy, good personal health records expand a family's choices for health management and administration and, like insurance, personal health records must appeal to people when they are well and not just when they are ill. Like other modern Web services, the cost of personal health records maintenance on the Internet is a small fraction of the thousands of dollars per person being spent each year on wasted administration and unwarranted procedures that it can help to reduce.

Public Demonstration
Healthcare has almost zero penetration of personally accessible Web services that are easy and practical for both patients and doctors. The combination of CCR and Liberty Alliance protocols can make the personal health record (PHR) more up to date and authoritative than any institution's database. A tipping point will be reached when the standard of care requires practitioners to review the patient's PHR prior to major treatment decisions and to update the PHR as a requirement for getting paid. Beyond that point, institutional databases will be relegated to clerical and risk-management functions and will be unimportant as professional tools.

In June 2006, a number of vendors assembled at the Burton Catalyst Conference in San Francisco to demonstrate, for the first time, the marriage of personal health information technology with advanced consumer privacy and security technology. In the simplified demo, a physician who is logged-in to her hospital network seamlessly checks an independent record locator service and discovers the link to a patient's Web-accessible personal health record which, because it is in standard CCR form, she can then view and update using the professional tools of her choosing.

For the first time, all aspects of this demonstration are based on technologies that enable the consumer to view, share, and protect his identity and his most private information while strengthening the physician-patient relationship through voluntary participation and improved communications.

Conclusion
The goal of keeping Americans healthy is not well served by the combination of administrative waste and managed care excess that now obscures the growing contributions of medical science and global communications.

A personal health record service is an independent patient-accessible and physician-accessible repository that parallels the role of a bank in financial transactions. The service stores the patient's private health information online in a way that facilitates single sign-on and privacy-controlled updates by physicians, pharmacies, laboratories, and insurance companies without excluding the consumer himself.

A recent demonstration showed how a physician signed-on to the network of her hospital sees a combined display of patient information that includes medications and insurance information supplied by the first personal health record service that is based on open Internet standards.

By using new privacy technology and voluntary participation to engender trust and restore the physician-patient relationship, personal health record services enable the patient, his community, and his caregivers to collaborate in ways that promote wellness as along with ever more sophisticated medicine.