
ONC PHR Roundtable Comments - Dec. 2010

We are delighted to have had the opportunity to influence future policies regarding personal health record (PHR) privacy and security by submitting comments to the Office of the National Coordinator for Health Information Technology following its recent PHR Roundtable. We hope you enjoy reading our comments, as well as other individuals' and organizations' comments about Project HealthDesign's vision for the future of PHRs and related privacy and security.
 

National Program Office Comment
Sujansky & Associates Comment
dwellSense (formerly Embedded Assessment) Comment
iN Touch Comment
Estrellita (formerly FitBaby) Comment
 

A New Vision for PHRs
Patricia Flatley Brennan, R.N., Ph.D., Director, Project HealthDesign National Program Office

From its inception, Project HealthDesign has offered a new vision for PHRs. We believe the development of PHR systems should be grounded in an understanding of the daily lives and health challenges of individual PHR users. PHRs must conform to patients’ needs, support their health objectives and easily fit into their daily lives. The power of next-generation PHRs lies in their capacity to be coupled with alerts, reminders and other decision-support tools that help users take actions toward improved health or better management of their conditions. In this way, PHR systems and applications will facilitate the easy exchange of information between patients and providers and will become dynamic resources for action.

PHRs are rapidly evolving. Our work highlights two challenges to the traditional conceptualization of PHRs:

  • Instead of remaining individual products, we see PHRs morphing into an ecosystem of platforms that serve as conduits for independent personal health applications (PHAs).
  • We see value in the inclusion of patient-defined observations of daily living (ODLs) that give people cues to their own health states. We believe ODLs will lead to rapid growth in the types of data that could be included in a record.

Our work with ODLs has raised many issues (please read our project teams’ responses in the question two comments or our partner technology firm’s comments in the question three comments) about the nature of health data, along with the protection of its privacy and the preservation of its integrity. Lack of clarity about the rules and a lack of data protection can have a chilling effect on innovation and progress.

Through our work with 14 interdisciplinary teams and more than 500 patients, we have learned the importance of workable, technology-forward privacy and security protections for information stored by and shared from PHRs. These protections encourage individuals’ and clinicians’ adoption of PHRs and PHAs to improve health outcomes.

If you have questions or would like to speak to us about Project HealthDesign, please contact Patricia Flatley Brennan, R.N., Ph.D., national program director, or Gail Casper, R.N., Ph.D., deputy director, at info@projecthealthdesign.org.
 
 

User-Focused Privacy and Security
Walter Sujansky and Sam Faus - Sujansky & Associates / Project HealthDesign

  • PHR users desire access-control functionality that allows them to assign varied, precisely customized access to each clinician, family member or other user.
  • The Project HealthDesign Common Platform, which is an open source software resource for PHRs, has successfully incorporated finely tuned, patient-defined user access functionality in its data repository.

Project HealthDesign, a national program of the Robert Wood Johnson Foundation, is working to spark innovation in PHR technology. Our firm, Sujansky & Associates, was involved in the requirements analysis, system design, development and beta testing of the Project HealthDesign Common Platform (http://www.projecthealthdesign.org/resources/common_platform).

This Common Platform is an open-source, web-based personal health data repository built on a Java-based SOAP web service architecture. It was designed to allow Project HealthDesign grantee projects to store and access personal health information. Data security and access control were two of the most critical considerations that went into the design of the repository.

During the requirements analysis phase of the project, four of the nine Project HealthDesign grantee teams expressed that the components should provide finely tuned access control to patient data. These grantees indicated that they planned to use the Common Platform to make patient data available to multiple applications, which demonstrated that data could be collected once and securely re-used for multiple purposes. Because Project HealthDesign concentrates on the benefits of user-focused design, the grantees solicited input from patients who would become potential users of the personal health applications (PHAs) developed by the grantees. With the findings of this user-focused design process in mind, the Project HealthDesign grantees and leadership feel that the requirements expressed to us by the grantees accurately represented users’ desire for access-control functionality.

Our main lesson from this work on access control for the Common Platform is that individuals with online PHRs and those who use personal health applications (PHAs) that utilize personal health data want and need the ability to precisely specify which users can access their health records, which parts of their records these users may access and what kinds of operations users may perform (e.g., read, edit, annotate, etc.).

For example, grantees conveyed that users expressed a desire to assert access-control logic, such as: "Any of my family members may view the medications I take, except for one of my medications that I'd rather not share." The solutions we designed and implemented for the Common Platform access-control system took these requirements into account. We have published the technical details of our approach to access control in the Journal of Biomedical Informatics (http://www.ncbi.nlm.nih.gov/pubmed/20696276).

We learned a few specific lessons about access control as we worked on the Common Platform. First, we came to understand that access to health information must be controlled at the level of the data and data types. Simply granting a user access to a patient's entire PHR—without controlling access to specific kinds of data within the PHR—is insufficient from a user’s perspective. The Project HealthDesign grantees told us that users wanted the flexibility to grant access to certain of the data while leaving the rest hidden or inaccessible. The access-control policy implemented by the Common Platform allows control of access to data at a global level (i.e., all data in a patient's personal health record), by category (e.g., all medication list data or all observations of daily living), by data type (e.g., all physical activity records or all journal entries) and by individual record (e.g., a specific medication record).

Secondly, and perhaps more importantly, access to a patient’s data should be specified based on a user’s role with respect to that patient.  This approach is in contrast to traditional “role-based” access control methods, which specify access to data based on a user’s general role within an organization (such as “physician” or “clerk”).  The Common Platform allows patients to specify the role of a user relative to themselves, rather than as general attributes of the user’s account (in contrast to traditional role-based access-control models). This specificity, for example, allows patients to grant access to their designated physician only, rather than to all users who are physicians. This feature also allows individual users to have different roles with respect to different patients. For example, a physician user may be assigned a “primary care physician” role for one patient, but a “family member” role for another.

In summary, data access policies that require finely tuned, patient-defined user access provide a powerful and flexible approach to personal health access control. These solutions have been implemented successfully in the Project HealthDesign Common Platform personal health data repository. Finally, because the Common Platform was developed under an open-source LGPL license, all of the technical implementation details are available for PHR developers to leverage.
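The access model described in the comment above (roles assigned relative to each patient, rules scoped at the global, category, data type or individual record level, and per-operation permissions) can be sketched as follows. This is an added example, not code from the Common Platform or its authors; the class names, role names and sample records are hypothetical, and the "most specific rule wins, default deny" resolution is an assumption the page does not state.

```python
from dataclasses import dataclass, field

LEVELS = ("global", "category", "data_type", "record")  # least to most specific

@dataclass(frozen=True)
class Record:
    patient: str
    category: str
    data_type: str
    record_id: str

@dataclass(frozen=True)
class Rule:
    role: str       # role relative to the patient, e.g. "family_member"
    operation: str  # "read", "edit" or "annotate"
    level: str      # one of LEVELS
    target: str     # category, data type or record id; "*" at the global level
    allow: bool = True

@dataclass
class PatientPolicy:
    patient: str
    roles: dict = field(default_factory=dict)  # user -> role for this patient only
    rules: list = field(default_factory=list)

    def is_allowed(self, user, operation, record):
        role = self.roles.get(user)
        if role is None or record.patient != self.patient:
            return False  # no relationship to this patient: default deny
        targets = {"global": "*", "category": record.category,
                   "data_type": record.data_type, "record": record.record_id}
        matches = [r for r in self.rules
                   if r.role == role and r.operation == operation
                   and targets.get(r.level) == r.target]
        if not matches:
            return False  # nothing granted: default deny
        # Assumption: the most specific matching level decides, and at that
        # level any deny beats an allow.
        top = max(LEVELS.index(r.level) for r in matches)
        return all(r.allow for r in matches if LEVELS.index(r.level) == top)

def demo():
    """Constructed sample: alice hides one medication from family; dr_lee holds two roles."""
    alice = PatientPolicy("alice", roles={"bob": "family_member",
                                          "dr_lee": "primary_care_physician"})
    alice.rules += [
        Rule("family_member", "read", "category", "medications"),
        Rule("family_member", "read", "record", "med-2", allow=False),
        Rule("primary_care_physician", "read", "global", "*"),
        Rule("primary_care_physician", "annotate", "data_type", "journal_entry"),
    ]
    carol = PatientPolicy("carol", roles={"dr_lee": "family_member"})
    carol.rules.append(Rule("family_member", "read", "data_type", "physical_activity"))
    return alice, carol
```

Because roles live on the patient's policy rather than on the user account, `dr_lee` reads everything in alice's record but only physical activity data in carol's.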

 

dwellSense (formerly Embedded Assessment)
Anind K. Dey, Ph.D. – Project HealthDesign / Carnegie Mellon University

Project HealthDesign is forging a new vision of personal health records (PHRs) by exploring practical ways to capture and integrate patient-recorded observations of daily living (ODLs) into clinical care. Project HealthDesign’s dwellSense (formerly Embedded Assessment) project team, on which I serve as principal investigator, is developing and evaluating technology to monitor the routines of older individuals who have arthritis, and who are at risk for cognitive decline, in order to provide long-term functional assessment. This project has allowed us an understanding of patient expectations concerning privacy, security and ease of use.

The dwellSense project team has placed sensors throughout patients’ homes in order to collect ODLs. These wireless sensors capturing routine daily activities (e.g. using a telephone, making coffee, taking medications) send data to a nearby laptop computer, which enables the process to occur automatically and unobtrusively. The sensor data is then transmitted from the laptop into a PHR, where custom applications turn it into custom individualized visualizations for both the patients and their clinicians.

The sensors are small and unobtrusive; they therefore have limited computing power and limited battery power. As a result, the information that moves from the sensor to the laptop is not encrypted. If the information were encrypted, the sensor would require greater computing power and a stronger, larger and more obtrusive battery. The sensor batteries for unencrypted transport need to be replaced every two weeks; if encryption were absolutely required, the batteries would need to be replaced daily.

Once the data is sent to the laptop, the information is then encrypted. The information sent to the PHR is also encrypted. The information in transit is at risk only in the brief time during which it moves from the sensor to the laptop. Project staff looked into using a more secure radio signal to combat “sniffing” of the data, but this option would also require greater battery power.

We understand the need to secure the sensor information from inappropriate access, but the automatic and unobtrusive collection of this data is critical to success.

 

iN Touch
Katherine Kim, M.P.H., M.B.A. – Project HealthDesign / San Francisco State University

Project HealthDesign is forging a new vision of personal health records (PHRs) by exploring practical ways to capture and integrate patient-recorded observations of daily living (ODLs) into clinical care. Project HealthDesign’s iN Touch project team, on which I serve as co-principal investigator, employs technology that allows low-income youth who are managing obesity and depression to track via smartphones ODLs such as physical activity, diet and mood. This project has allowed us an understanding of patient expectations concerning privacy and customized access to the data.

The iN Touch project is a demonstration of how a PHR can empower youth to manage their own health and enlist a care team as partners. Participants in this project are low-income adolescents and young adults who are overweight, dealing with anxiety/depression and trying to manage multiple stressors in their lives. Our team encourages these patients to use their project-specific smartphones much like diaries or photo albums in order to report how they are feeling and specific personal circumstances and activities that result in exercise, diet or mood changes. Though eager to change their lives for the better, these adolescents are also very concerned about who is able to access this very personal information. Most do not want to share this data with their parents, and because they are minors, laws concerning the privacy of this data are not always clear on whether this is possible.

Often, we see that the patients are more comfortable sharing this information with their health coaches or advocates, with whom they have close and trusting relationships. They are less willing to share with other health advocates whom they do not know. They are concerned about sharing the data with physicians or other authority figures who might chastise them about their behaviors or choices. We have not arrived at a clear conclusion in regard to the point at which the data in the smartphones is considered part of the provider’s medical record and therefore subject to access by health care providers or others.

As a result, the adolescents desire a very high level of control over who can see their data and how much the individual person can see. Any failure to provide these types of assurances could chill the accuracy of the information, which would diminish its effectiveness both as a personal and clinical care tool.

Also, health care providers and coaches are often under legal obligations to report suspected abuse or potentially dangerous situations to law enforcement or social services. In some cases, the parent may be the source of the problem. Adolescents may alter information about their moods if they believe it could lead to undesired intrusions into their homes.

The inability to assure teens that the information will be kept confidential and accessible only to individuals they authorize diminishes the likelihood they will feel comfortable using the tool to enter accurate information.

 

Estrellita (formerly FitBaby)
Gillian Hayes, Ph.D. – Project HealthDesign / University of California, Irvine

Project HealthDesign is forging a new vision of personal health records (PHRs) by exploring practical ways to capture and integrate patient-recorded observations of daily living (ODLs) into clinical care. Project HealthDesign’s Estrellita (formerly FitBaby) project team, on which I serve as co-principal investigator, uses mobile devices to allow infants’ caregivers to collect ODLs that could point to early signs of health problems in low birth weight infants. This project has allowed us an understanding of caregiver expectations concerning privacy and security of data.

Participating caregivers of pre-term, low birth weight infants are highly motivated to achieve the best possible outcomes for the infants and to be competent and loving caregivers. Although the ODLs entered into the Estrellita mobile devices may not appear to contain sensitive information, the data, if accessed for other purposes, could be used to harm participants.

For example, a participant might regularly interact with someone who is not a legal resident of the United States. These participants might raise concerns about whether immigration authorities could access their information. An inability to guarantee that such access will not occur has a chilling effect on the information participants share with the Estrellita mobile device, even if sharing this information could enhance the infant’s wellbeing or care.

Similarly, participants fear that social services could interpret information in Estrellita as an indication that the infant should be removed from the home. If, for example, the caregiver reports feeling depressed or forgets to record feeding times, participants wonder whether this information would be shared without their consent. Participants are also concerned that the information could be accessed by insurance providers and used to deny coverage or increase premiums. This uncertainty impacts the quality of the recorded information, which could then impact research quality.

Our project team had once considered including location tracking in FitBaby in order to help refresh participants’ memories and improve the accuracy of data collection, but later decided participants might think the feature too risky.

As a final note, participants in this project include both caregivers and infants. The ODLs collected about both the caregiver’s and the infant’s experiences are integrated in the infant’s PHR, which is accessible by both the caregiver and the clinical care team. This presents a clearer picture of how the interaction between caregiver and infant ODLs impacts outcomes for both. However, this information cannot be incorporated in this integrated fashion into the caregiver and infant’s clinical records due to providers’ liability concerns, which means that this integrated picture cannot be part of the longitudinal clinical record.

Creating stronger, clearer protections for this type of data and resolving uncertainties regarding liability will foster greater certainty for participants. This increased certainty will enhance the utility of the project for the participants and lead to more accurate data collection for research. 

 
Project HealthDesign is a national program of Robert Wood Johnson Foundation's Pioneer Portfolio