HIPAA (Health Insurance Portability and Accountability Act of 1996) is a federal act that set forth guidelines for standardizing the electronic data interchange (EDI) of administrative and financial transactions, exposing fraud and abuse in government programs, and protecting the security and privacy of health information.

Healthcare providers (who are covered entities under HIPAA) must comply with the HIPAA Security Rule. The HIPAA Security Rule sets standards for ensuring that only those who should have access to electronic protected health information actually have access. Providers must meet and/or address these standards, in the form of specific technical, administrative and physical safeguards to comply with the Rule.

The Security Rule covers protected health information that is held or transmitted in electronic form. The Rule provides detailed implementation specifications that set out instructions for implementing particular standards. Some standards under the Rule are required, and providers must implement policies and/or procedures that meet what the implementation specification requires. Other standards are addressable, and providers must assess whether each is a reasonable and appropriate safeguard in the provider's environment.

HIPAA AND ELECTRONIC EXCHANGE OF INFORMATION

The increasing reliance on computers to store and exchange information continues to present a number of technical and security challenges. In the early 1990s, health care industry leaders, the Department of Health and Human Services (DHHS), and the U.S. Congress became increasingly concerned about the lack of standardization in the business of health care. At that time, it was estimated that more than four hundred different formats existed for the electronic processing of health claims. In addition, at least twenty-six cents of each health care dollar was going toward administrative costs, such as:

  • Enrolling an individual in a health plan
  • Paying health insurance premiums
  • Checking eligibility
  • Obtaining authorization to refer a patient to a specialist
  • Processing claims
  • Notifying a provider about the payment of a claim

In 1996, as a result of ongoing work, Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The act is the most significant legislation affecting the health care field since the Medicare and Medicaid programs were introduced in 1965. The legislation was designed to:

  • Ensure the portability of insurance coverage as employees moved from job to job
  • Increase accountability and decrease fraud and abuse in healthcare

The American Recovery and Reinvestment Act of 2009 (Recovery Act) was signed into law by President Obama on February 17, 2009. The law includes the Health Information Technology for Economic and Clinical Health Act, or the "HITECH Act," which established programs under Medicare and Medicaid to provide incentive payments for the "meaningful use" of certified electronic health records (EHR) technology. The Centers for Medicare & Medicaid Services (CMS) has a role in three areas of the HITECH Act:

  • Implementation of the EHR incentive programs, including defining meaningful use of certified EHR technology;
  • Establishment of standards, implementation specifications, and certification criteria for EHR technology.
  • Privacy and Security protections under the HITECH Act

Implementation of the EHR Incentive Programs

Under the HITECH Act, the Medicare EHR incentive programs provide incentive payments to eligible professionals, eligible hospitals, and critical access hospitals (CAHs) that are meaningful users of certified EHRs. Incentive payments would be made to qualifying Medicare Advantage (MA) organizations for the meaningful use of certified EHR technology by their affiliated eligible professionals. The Medicaid EHR incentive program provides incentive payments to eligible professionals and hospitals for efforts to adopt, implement or upgrade certified EHR technology or for meaningful use in the first year and for meaningful use for up to another five years.


Information and Communication Technology's Disruption of and Transformational Impact on Healthcare

The Internet and digital technologies have transformed many aspects of our lives over the past twenty years.  We can get cash at ATMs all over the world; we can book our own airline reservations; we can shop and get best prices over the Internet.

Why hasn’t this happened in health care?  Something is missing.

Recently, major global information and communication companies have announced their intention to bring their technologies and business models to health care.  While the creation of Google Health (GH), Microsoft HealthVault (HV), and Dossia (sponsors include Intel, Wal-Mart, AT&T) are important news items by themselves, what’s more important is what they represent collectively — a new Personal Health Information Network (PHIN). The PHIN and applications developed around the PHIN will fill in many missing pieces and bring health care into the Information Age.

For example, suppose you just found out you have high blood pressure – that’s not uncommon.  Suppose you could easily submit information about your condition using the Google Health platform to receive a service that does the following:

  • informs you whether there are clues in your medical history that point to a cause for your high blood pressure
  • explains why being overweight can be a contributing factor
  • tells you in easy-to-understand language what the top number and the bottom number mean (“140 over 90”)
  • explains which laboratory tests are necessary
  • alerts you to the possibility that one of your prescription or over-the-counter drugs could be making your high blood pressure worse
  • advises you about the usefulness of using non-drug approaches to treatment
  • tells you which treatment drugs have the greatest efficacy and safety for your specific circumstances
  • tells you if any of those generic high blood pressure drugs are available at Walgreens for $4 a month
  • offers to provide you a map with several Walgreens stores in your city that carry those $4 a month medications

…and many more possibilities we have not yet begun to imagine!

This essay:

  • Is the first in a series of articles we’ll be writing to describe the PHIN and why it’s important — expect about a dozen follow-up posts.
  • Is an overview of the basic idea — think executive summary or long abstract
  • Introduces some new concepts, which we’ll try to simplify and define.  We understand that some of this is not easy reading, so we suggest you refill your cup of coffee and settle in.

Today’s Environment for Your Personal Health Information (PHI)

Today’s health care system is largely “closed”.  Your personal health information (PHI) is

  1. Scattered among multiple providers and locations, and
  2. Not accessible using broad computer industry and Internet standards.

While a lot of your health data is already being exchanged among “business to business” (B2B) applications, consumers generally have no access to or knowledge of these information streams.

How “open” should your PHI be? Three key terms are relevant to understand the flow of PHI: portability, interoperability, and data liquidity. In short,

  • Portability refers to the ability to take your data with you when you switch jobs, health plans, or care providers.
  • Interoperability is the ability to communicate and exchange data accurately, effectively, securely and consistently with different information technology systems, software applications, and networks, in various settings.
  • Data liquidity refers to the degree of freedom with which data from different sources are permitted to move over networks; the concept implies minimal costs, ‘friction’, and hassle.

The debate about PHI in health care is occurring in the shadows of a much broader societal debate about “openness” — open standards, open source, and open innovation.  Much of the initial public exposure about PHI has been one-sided — focused on the dangers of breaching confidentiality and security.

There is another side to this debate — the value of appropriately open PHI to advance our collective knowledge and benefit mankind — biomedical research, clinical trials, encouraging openness in publication/disclosure of research results, new sources of information for patients and caregivers, and public health.

At a national level, there are several possible routes toward achieving portability, interoperability, and data liquidity for PHI.  One of these routes is a straightforward Federal mandate, but we don’t see this in the cards in the near horizon.

Other routes that are being pursued involve the NHIN — the Nationwide Health Information Network and RHIOs (Regional Health Information Networks).  Unfortunately, a viable business model has yet to emerge to sustain the development of the NHIN and RHIOs. The NHIN also remains largely focused on electronic health records (EHRs) and B2B applications.

We observe another route emerging — the PHIN (Personal Health Information Network).  The PHIN is complementary and synergistic to other initiatives attempting to create interoperable health information.

The Emerging PHIN (Personal Health Information Network)

Nothing like the PHIN exists in health care today.  The fundamental shift occurring is the transformation from Industrial Age Medicine to Information Age Health Care.


Source: Association FirstHealth Europe

Healthcare is behind every other industry in shifting from an Industrial Age to an Information Age model.  We believe this coming shift for healthcare has huge implications.

What’s a “network”?  On one level, there is a technical perspective of a network, e.g., servers, routers and other components that make up the Internet.  There’s another level — the human connection that occurs because of the technical layers — connections that enable many other activities of daily life, such as staying in touch with friends and loved ones, banking, shopping, watching TV, or listening to music.

Would you buy a telephone if you knew that you were the only person in the world who had a telephone?  Of course not — but stop a minute to consider why.  The answer is that your ability to obtain value from the telephone is dependent on other people owning telephones — one telephone by itself is useless.

This is the concept of a network effect at work — that the value of a network increases exponentially with the number of users (nodes) on the network.  Email and fax are two other products that are dependent on network effects — these would be of no value to you if nobody else in the world did email or owned a fax machine.

In contrast to having network effects, some products have primarily stand-alone value. For example, your ability to enjoy bread, ice cream, or treasury bonds is not dependent on a network effect — your benefit from your personal consumption of these products does not depend on others having and using them.

Some products provide value as stand-alones and also exhibit a network effect. A simple example of a product with both is the personal computer.  As a stand-alone, you can use your PC for word processing, spreadsheets, video games, and many other applications.  But the PC’s value is also increased dramatically by the network effect — your ability to connect to the Internet, exchange email, share information with peers, and participate in communities.  The PHIN and many applications supporting it create value both as stand-alone offerings and due to a strong network effect.

What will the PHIN look like?  Will there be multiple, non-interoperable, competing networks or just one interoperable network?

It’s possible to think of the PHIN as multiple, non-interoperable, competing networks — an analogy might be credit card networks.  VISA, MasterCard, American Express and others each operate on separate platforms, and their networks are NOT interoperable — you can’t buy something at a store that only accepts American Express credit cards by presenting your VISA card.

It’s also possible to think about the PHIN as a single network — one that is interoperable at the level of exchanging core information among platforms, but competing at other levels. The best example we can think of is the telephone network. You know that you can use your telephone to call any other person in the world — there is one worldwide telephone network.  Yet, we also observe competition at many other levels — among telephone manufacturers (VTech, Nokia, Motorola), among carriers (AT&T, Verizon, Sprint), and among cellular networks (GSM and CDMA).

We believe that the telephone network is a closer model to what the PHIN will look like — that PHIN players will compete at one level but will be strongly incentivized to collaborate at the higher levels that make PHI portable, interoperable, and appropriately liquid, i.e., to effectively create one network.

Why?  Let’s revisit the concept of network effects.  The value of the network is dependent upon the number of users in the network — the more users, the more value (exponentially!).  Thus, Google Health, HealthVault, Dossia and others are incentivized to grow collaboratively the total size of the network.  Think fax machines — the more fax machines, the greater value of the total network.

We believe network effects will be particularly strong in the PHIN.  Many of the uses of the PHIN are dependent on the creation of only one network for interoperable PHI.  If you were traveling and went to a hospital emergency room, what good would it do you (or the hospital) if your PHI was stored on a network not accessible by the hospital (the American Express & VISA scenario)?  If you had high blood pressure and needed to manage your own care with support from your physician, what good would it be if your lab values were on one network and your medications were listed on another, non-interoperable network?

The Markle Foundation has begun to develop a framework to describe intermediaries (platforms) in what we’re calling the PHIN.  Their term for these intermediaries is consumer access services (CAS) companies, whom they label as “Global Internet Brands and Others”.


Who are the players in the PHIN?  Several can already be identified — and we expect that others will emerge over time.  Google Health, Microsoft HealthVault, and Dossia are early entrants.  There’s been a lot of discussion of creating PHI banks or trusts, and these could also be players in the PHIN.  Other existing players in the PHR/EHR (personal health record/electronic health record) market could be players in the PHIN if they adopted appropriate stances toward portability, interoperability, and liquidity.

We anticipate that the PHIN will consist of multiple interoperable platforms.  The exchange of information among these platforms will be enabled by standards, e.g., the ASTM Continuity of Care Record (CCR) Standard and the HL7 CDA Continuity of Care Document (CCD).

Some applications built on the PHIN will prove to be higher value than others (e.g., patients exchanging information with their physician), and we anticipate that some standards — e.g., the CCR — will be more flexible and readily adopted in enabling the PHIN.

Of course, there will be barriers and challenges to the PHIN.  Patients currently have low awareness of the value of their PHI, and about why and how to use a PHR. There are significant, legitimate concerns about privacy, confidentiality and security of PHI.  An appropriate legal structure will need to evolve to balance broader societal uses of PHI vs. protecting individuals’ privacy.

The PHIN as a Disruptive Force

In the sense used by Harvard Professor Clay Christensen, we envision the PHIN as a disruptive innovation.

The PHIN could be particularly disruptive to hospitals, health plans, physicians, and enterprise health information technology (HIT) vendors.

There will be many beneficiaries of this disruption and many stakeholders will be keenly interested in promoting the amount and speed of disruption. For example, we anticipate that employers and government will be highly supportive of the PHIN.  However, the best news is that the greatest beneficiaries of this disruptive innovation will be patients themselves.

There are also some stakeholders that will experience internal conflicts from the PHIN.  We suggest there will be cultural and economic forces that simultaneously promote and inhibit the integration of the PHIN into existing workflows in many parts of the health care delivery system.

For example, health insurance plans and physicians are likely to experience significant stresses. Many health plans will be threatened by the PHIN because it challenges their current positioning. Depending upon the chair that you’re sitting in, you might describe this positioning as “the fiduciary and de-facto owners of their enrollees’ health data” or as “King-of-the-Hill of health data about YOU”.  Their enrollees’ health plan is mostly built off of claims databases that are imperfect and out of date, yet still comprise the most comprehensive repository of patient level data possessed by any single player in today’s health care system.

How will health plans, hospitals and others react to this scenario?

“Hello. We’re here from Google Health representing John Doe and 30 million other John Does that have signed up for GH.  John has given us a proxy to obtain any of his PHI that might be in your possession and to transfer that PHI to John’s personal health URL data repository.  Please hand over the data, please hand it over in a standardized, electronic format, and please continue to hand over any other PHI of John’s that you obtain in the future.”

Yet, despite potential resistance to Google’s request to hand over the data, we believe health plans will come to understand that they also stand to benefit significantly from the implementation of the PHIN.  The Markle Foundation has estimated that 89% of the value of health information technology accrues to payers, primarily in the form of reduced utilization of services and duplication of tests. The PHIN promises to improve health care quality, reduce medical errors, improve patient satisfaction, and reduce health care costs — and much of this value accrues to health plans.

Finally, there are many other stakeholders in the broader PHI-Ecosystem.  These include:  consumer access services (CAS) complementors (application vendors), physicians and physician associations, retail clinics, PHR/EHR vendors, Health 2.0 companies, disease management companies, and others.  We’ll develop at least a couple of case studies exploring the impact of the PHIN on these players.

Key Success Factors — Operating and Business Models

We believe that winning PHIN models will be: patient centric & patient controlled; interoperable; transportable; automated, among other factors.

We’ll also point to some predictable, yet transformative events to occur:

  • Business models will be transformed by the PHIN; companies will have to adopt new models for a new era.
  • Interoperability can be achieved incrementally.
  • Initial “killer apps” can focus on gathering PHI for patients, not necessarily by patients. It’s true that today patients don’t understand PHRs, but patient permission is a key to progress, not necessarily patient engagement.
  • Existing “tethered” PHR models offered by health plans, employers and providers are unsustainable. Once consumers understand options for patient centric control, tethered models will become unattractive.
  • There will be a market created for the exchange of PHI and for other transactions involving using PHI, including medical care; people will be able to sell and buy PHI.  This will create controversy, but the lack of a market explains many of the failings of our current health care system.  For example, physician payment is currently based on resources used (the RBRVS) rather than value created.

We understand that many of these events won’t be self-evident upon a first read, but we’ll explain more in future postings.

While the theme of putting consumers in charge of their health care has resonated soundly, consumers need more than understanding and motivation.  The PHIN will provide the missing ingredients — the platforms, network and applications to make it happen.