Business Case for FHIR and Argonaut: Patient Directed Post Acute Care

FHIR's purpose is an ambitious effort that defined healthcare standards and API's to accelerate ArgonautProject_logodevelopment of useful web-like applications from Electronic Health Records (EHR).  Project Argonaut is a private sector based initiative to build useful applications to drive adoption.

Applications for whom?  The current applications are heavily internal EHR focused among multiple institutions and EHR vendors.  

Although the industry talks about "patient centric" medicine, in reality that has as much relevance as "natural" has to foods you buy at the supermarket. Outside of a beauty contest called "patient satisfaction" there is not much in the field focusing on the patient's point of view.

And therein lies the killer app that can drive widespread adoption. Build an app that patients demand.

And it's not personal health records (remember Google Health?)  Instead it needs to solve an immediate problem for a large number of people. I suggest an app  that over 1 million new patients every year have a need for 3-6 months. That happens to be the number and recovery period for total hip and knee replacements (not partial, or repairs) in the United States.  

There are evidence based protocols and procedures for optimal outcomes from surgery to full recovery over a multitude of care settings.

But who is coordinating this effort over the entire lifespan?  Is it:

  • The insurance company (or Medicare)?
  • Primary care physician?
  • Rehab center?
  • Physical therapist?

All of those answers are incorrect.

In  healthcare the presiding belief is that care manager is on the provider side of the house. In reality it is the patient or in many cases the patient's advocate. The patient advocate role could be the patient, significant other or a family member. Things get very complicated when the advocate is caring for Mom who lives three states away.

This is reality.

300px-ArgonautDeviceWe need to build a post acute care platform with a FHIR component.  But it goes beyond health records.  This is the place that the patient advocate can coordinate, collect, manage and distribute information needed for the patient's full recovery (the use cases are numerous blog posts in themselves).  Everything from medication reconciliation, getting DICOM images to the therapist, through hiring Task Rabbit to take Mom to the grocery store or find a plumber to fix the leaking faucet.

By moving the focus to the patient, several authentication and state issues can be avoided. Firstly, patients have access to their records regardless of the state involved.  As for authentication, the patient has a key ring of OAuth tokens where their identity is confirmed by each medical provider or other entity.  (it's signing into a new service using Google in reverse, where the patient is Google).

Create an application like this and FHIR will take off - Because the patient advocate will demand it.

 


Big Data + Analytics = A Very Large Junkyard

Have a problem, Big Data will solve it.  The problem still is in data architecture and appropriate analytics.   And most importantly, understanding the business reason for this Big Data (solve a problem, discover new insights, etc.)

Today's tools are cheap and powerful.  For instance you can download the open source edition of Pentaho to your desktop.  It will connect to numerous data sources including Hadoop.   You now have a very large haystack to find a needle.

It's like have the world's largest junkyard and you want to buy a used 2001 Ford Focus with a broken water pump.  You can design a data architecture that links to all the junkyards in three states, NAPA Junkyardfor new pumps and car dealers.  You then develop the analytics to determine where to buy the water pump.  And you find one 2 states over that can pull and ship you just what you need.   

Problem solved, right?

What you missed was the fact that the water pump was very scarce.  Why is that?  Perhaps that model year had massive water pump failures.  By investigating further you may have seen that model year had above average repairs and perhaps buying it in the first place was not a good idea.

Wrong needle, right haystack.  And that takes planning with insight.  


Protecting against data breaches in your startup company: Apple + Box

Data security can be the furthest from your mind when doing your startup company.  You have a short runway to get a product out the door and get happy customers.  Security?  Spending scarce resources on it?

I am helping a company now with these very same questions.  The path of least resistance has been to standardize on Box business plan for all data and Apple computers and devices.  Why?   From a cost basis, they are very economical and they have the necessary security bells and whistles you need today.  And most importantly, the users like them and will use them (and you don't need a part time IT person to manage them).

The first thing I do is turn on 2 factor authentication (when you login on a new device, a code is sent to your phone for verification).  Both Box and Google for business support this.  I turn on full disk encryption for Apple computers (put in a password) and passcodes for iPads and iPhones.  And enable the ability to remote wipe any stolen or lost computer or device.  Pretty simple, but you  Wellwould be surprised at the number of people who don't do this.  And it's built in (no additional cost).

On the Box side, make sure you require a passcode to access it from your iPad or iPhone.  Since you have Box business, pin devices / computers to your users and you can restrict what applications your users use with Box.  You can restrict content that can be shared or not.

With Apple and Box, you get a lot of data security built in.   Think of this as a security well.  

You start at the top with the basics and as you grow you increase security measures as you progress down the well and need more protection.   Now that wasn't that hard was it?


Protecting yourself from hacked credit card readers: Google Wallet & Apple Pay

First TJX with 90 million accounts stolen, then Target with 40 million accounts stolen and now Home Depot with 56 million accounts stolen.  I found it interesting that Target was hacked through a flaw in Microsoft Active Directoy.  No news yet on the details of Home Depot.

What's a person to do?   Buy a phone with NFC payment option.  The newer Android phones have Google Wallet and it looks like Apple Pay is coming soon.  When you activate Google Wallet, you link it to a credit card.  I prefer American Express because they have great anti-fraud detection and allow you to dispute un-authorized charges from their website.

When you are shopping, look for the wireless payment option on the card reader.  Most grocery stores have them and big chains like Best Buy.  Walmart is too cheap and does not (use cash if you must shop there).   WirelessWhen you touch your phone to the card reader, Google prompts you for a pin.  And that's it.  What's interesting is that to the card reader, it looks like a single use Master Card regardless of your actual credit card.  And you need a data connection, because Google sends out the authorization code real time.  Pretty cool.  On your credit card statement it will say GOOGNFC*merchant name

If your phone gets misplaced, you can deactivate your wallet from the Google website.  Of course you have 2-factor authentication for your Google account, right?  And you have a lock code on your phone. And a good PIN for Google Wallet.

Bottom line, if that card reader was hacked, the bad guys only get a fictitious credit card number that can't be used.  Not bad.

 


Why Are You Special?

And by you, I mean your customers.   How do they view you?   Why did they buy and will they buy Customeragain?  This is the first question I try to understand whenever I start a new project (or talk to a company about a position). 

Once we figure that out, then you only need to do two things:

  1. Do more of what is special.
  2. Eliminate or automate anything that does not contribute to number 1.

The problem I see in many companies is they follow the latest "process" without understanding what is different about them versus everyone else.   On the other side of the coin I also see companies who generate plenty of good ides, without having the means to test and execute on them.

In my last consulting engagement it turned out that what management thought was "special" was completely different than what their customers thought.  In three months after going through the two steps above, revenue increased by 80%. 

Think about your specialness from your customers' eyes.


Designing for Privacy & Security : All your base are belong to us

Last week I had a lively discussion with an education expert talking about privacy and security.  This resulted after interpretations of FERPA resulted in universities selling student directories / email addresses to spammers third party marketing organizations. (just because they can, doesn't mean they should).

Then we moved on to the topic of security.   I always start with the assumption that all systems will be compromised, either externally or internally.   That is reality.  But it can be managed.  Starting with that premise, how do you design or improve your system?

First you need to compartmentalize your system to the smallest discrete pieces.  So if one compartment is compromised, none of the others will be.  Cloud systems tend to be monolithic silos.  Break into one part and everything else is exposed.   At my last company we built a separate virtual instance for each customer.  That way if one customer was compromised, it had zero effect on anyone else.

We also segregated the data (we were dealing with patient health records).  But we needed subsets of that data aggregated to do analytics.  Pulling the data is very bad, because that creates a single point of weakness.  Instead, each instance pushed the summary data to the aggregation database. 

Next you need audit.  Record everything.  And make sure that the system administration role is completely seperate from the auditing role.

Finally you need remediation.  What are the protocols to observe when any part of the system is compromised?  

  • Isolate it
  • Fix it
  • Notify those effected
  • Identify the root cause
  • Change to eliminate the root cause

This goes beyond system design into understanding how your customer / users need to interact with the system.  Do all new users really need to default to administrator role?

It is our job to take security and privacy seriously and engage our users to make sure they have what they need without making their lives more difficult (give me two-factor authentication to my cell phone over complicated passwords any day).

update:  I showed this blog post to a college student and they thought I had typos in my title.  To complete your education on video game nostalgia, read this.


Living in the HealthCare IT Bubble

Reality is a harsh mistress.  With the advances in Electronic Health Records, patient portals and records transport ala Direct X.509, my peers and I see a very bright future for healthcare in the U.S. and talk about all the great things we have accomplished.

Then a friend gets sick and enters the U.S. medical system and the bubble bursts.  The following happened over the last two weeks.   They have an issue and go to the ER of an Atlanta hospital.  Afterwards they are sent to their primary care physician and get a blood workup.  And sent for a CT scan at the imaging center.   The physician, hospital and imaging center are part of the same healthcare delivery system and all have the same EHR from a company in Tampa Florida.

First I contacted the medical records department at the hospital to get the CCD for the ER visit through their patient portal.  After being directed to four different people, they had no idea what a patient portal was.

The blood panel came back from the lab and since the physician had no patient portal, they sent a fax of the results.  The physician got the CT scan and was concerned (if you guessed the imaging center didn't have a patient portal, you would be correct).

My friend was sent to a surgeon on a referral.  During his examination he prescribed a simple medical procedure to correct what he saw.  He too was part of the network, but never got the CT scan or physicians report and we did not have copies.  Fortunately it was brought to his attention before he left, he ordered a rush on the reports and he scheduled surgery.

In the hospital the mishaps continued.  During prep for surgery the anesthesiologist went over the check list and stated the patient weighed 110 kilograms.  She was corrected and told 110 pounds.  The surgical nurse said not to worry, it happens all the time with the EHR but they always catch it in the operating room.

After the surgery and a few days on the med-surgical ward, the physician specifically prescribed a non-opiate pain medication.  Well, the pharmacy couldn't deliver it in 6 hours so she was given an opiate and had a severe reaction to it. 

6 hours later she was given the correct drug, to be repeated in 6 hours.  3 hours later the nurse came in to deliver the next dose.  She hadn't looked carefully at the chart.  When questioned, she said it was no big deal because the system would have caught it.

In discussions with the physicians and staff, it turns out they do have an patient portal.  It just doesn't work.

And this is one of the best hospital systems in Atlanta.  I'm sure they collect their MU1 and MU2 payments.  And the CEO makes over $1.5M a year.

added: Overall, the staff and the physicians are excellent.  Poor UX design, implementation and training resulted in these issues, and that's on us.  Depending on a system to catch your medication errors is like waiting to change the oil in your car when the check engine light comes on.  And that's a training issue all the way up to the CEO!

We have a lot of work to do.

 


Changing the Language of Healthcare from Cost to Outcomes and Productivity

The US healthcare system has been warped by reimbursements for care.  In Sharin's piece "The End of Hospital Cost Shifting", he talks about the impact on hospitals of the Medicare cutting reimbursements to hospitals based on work done by Austin Frakt

  • Cost shifting: Increasing the prices it charges commercially-insured individuals to compensate for reduced Medicare reimbursement.
  • Cost cutting.  Reduce cost for all patients to ensure average profitability across the entire Medicare/commercial payer mix.
  • Reduce profit margins.  Reduced Medicare reimbursement could simply eat away at hospital profits.

And he notes that cost cutting is the most likely result and that would impact patient outcomes:

Wu and Shen (2011) found that hospitals that faced large payment cuts from the 1997 Balanced Budget Act cut operating costs and staff and experienced increased mortality rates of heart attack patients relative to those seen at hospitals that faced smaller cuts.  They calculated that a 1 percent cut in payment results in a 0.4 percent increase in heart attack mortality rates.

And he concludes:

Such a trade-off calls to mind what Mark Pauly expressed in a 2011 paper in Health Affairs, “Perhaps a little less quality for a lot less money might be acceptable to consumers and taxpayers, as we work to keep medical spending from siphoning off funds required for other needs” (Pauly 2011). Whether it is acceptable or not, it may be what consumers and taxpayers get.

Let me break it down: Lower quality = worse patient outcomes = increased mortality = more people die.   And that's o.k. because it costs less.

And that's where the vocabulary is just wrong.  Nowhere does he focus on productivity improvement, resource utilization and the impact on outcomes.  They just don't think like that.  But every other industry does, except healthcare.  

I don't accept that more people dying in hospitals or post acute care is an acceptable tradeoff for lowering costs and I hope you don't either.


It's time to retire CPT® in health care

CPT (Current Procedural Terminology) is a medical billing coding system created by the American Medical Association (AMA) with the sole purpose of charging insurance companies for health care services and putting royalty money in the AMA's pocket.  Cpt-2014-professional-pIt's an artifact of the pay for service reimbursement system that has caused the US to spend the most on healthcare while delivering mediocre patient results.

If a CPT code does not exist for a service, chances are your physician won't do it.  Wonder why adverse drug reactions are under reported?  There is no CPT code for that. 

There is absolutely no relationship between good CPT coding and good patient care.  And there is no relationship between CTP code reimbursement rates and what those services actually costs a provider.  (Just ask the CEO of any hospital how much it costs them to perform a hip replacement.)

Sad but true.

The insurance companies are basically a cost plus business, so they focus on reducing the price paid per CPT.  The American Medical Association makes a from licensing the codes, so they have no incentive to change it.

Hopefully new "pay for performance" mandates in PPACA will shift the power to patient care quality / results from this very broken system.  And the AMA will have to find other ways to make money. 

CPT® is registered trademark of the American Medical Association.


Encyrption is easy: Key management is hard

Encryption basically has two use cases:


1. Moving information from point A to point B and not letting anyone else be able to see it during transit.
2. Making sure that when the information is at rest (data, email, etc.) that unauthorized people cannot use it or read it.

You often hear claims like "AES 256 bit encryption" or "We use military grade encryption".  Doesn't mean much.  All encryption uses keys.  These keys are mathematical constructs, when used properly, Keys provide the amount of security necessary.  Who ever has access to the keys, can see your information.

Key management is a very big deal.  Your first consideration is who generates the keys and how do they do it.   For instance, if you are storing data off site, and the service provider generates and stores the key, you have to ask yourself "Do I trust them"? 

This is the model of Google Drive for instance.  In that case you are at the mercy of rogue Google employees, stolen equipment, or unknown subpoenas from government agencies.

Amazon Web Services also will generate the key for you, but not store it.  That's a little better, but you are vulnerable if a copy is being made surreptitiously.

The best case scenario is you generate your own keys using a proven key generation mechanism (a topic for discussion in itself). 

Now comes the hard part.  Whoever has the key can read the information.  How are you protecting and distributing those keys?  What is your access control and audit?  What happens if an employee leaves and has a key?

The best scenario is to assess the balance of risk and usability.  If it is too difficult it won't be used.  One of the slickest methods I've seen for protecting a user / application communicating to a server works like this:

1) The user / application starts a secure session using a public key (PKI uses a lot of overhead)
2) After the connection is made, a single use symetrical key is created (very fast)
3) The session switches to using the same symmetrical key

This gets more interesting when you're talking about backups and disaster recovery.  To fail over to a cloud warm site, that site needs your key to restore the data.  One way to get around this is to have the service provider hold the key and have that key encrypted.  To release the key, you would simply log into the recovery site, enter your credentials and now the key would be released.  They don't need to store your password, just an encrypted hash of the password to verify (and maybe 2 factor authentication to your cell phone).

This is all doable and well worth the time to think through the process from beginning to end.