Access To Healthcare Data: A Song of IHE and FHIR

Let’s talk about Plaid for a second. This young(ish) startup has blown the Fintech space apart by doing the hard work of connecting disparate dots and simplifying access to the nation’s financial data — which was borderline impossible just a few years back. Without Plaid, we wouldn’t have Venmo, Robinhood, Mint… The Cambrian Explosion of utilities and tools at consumer fingertips that followed wouldn’t have ever occurred without a simple solution designed strictly for access. So, how could America benefit if this were to happen in healthcare & why hasn’t it happened yet? 

When we started Particle Health, we wanted to solve ‘data sharing’ in healthcare. We didn’t know what that meant, exactly, but like many entrepreneurs and innovators in the past (cough cough Health Vault), we did know that it was a problem. So we conceptualized a food-chain of health data organizations.

Patients and Consumers (people) create data within Orgs like Hospitals, Clinics and Labs (within EMRs), or even tech companies like Apple (think wearable devices that track your vitals). Then the ownership kind of shifts to those Orgs, which have ‘rights’ depending on their relationships with those people. Some apps take rights, some hospitals take rights, most EMRs take rights. Those Orgs can then share data with 3rd Parties.

Here’s where it gets a little bit tricky. According to HHS & HIPAA, Covered Entities (e.g. Hospitals) can share with 3rd Parties, with and without Patient Authorization. For Treatment (a provider needing to see your record to help you), Payment (a health insurance company billing you) and Operations (a risk adjustment, audit or analysis of care) — referred to as TPO in the biz — no patient permission or authorization is needed (some state-by-state nuances here). This means doctors, payors or Medicare can access your info without asking you.

For non-TPO purposes, things like non-medical insurance claims, life insurance, disability insurance, patient and consumer access (like an App wanting to access your data), and many other use cases, you need express patient permission in the form of a HIPAA Authorization. But, according to HIPAA, if a patient submits a request form, that Org or 3rd Party must release the data to the patient in a timely fashion and in the format of their choice.

So, we started talking to as many Orgs and 3rd Parties as we could, looking for organizations that might be open to patient-centric access. We had a few rules from the get-go: 

(1) We are focused on operationalizing the patient’s right to access. This typically comes in the form of a HIPAA Authorization form, or a formal request from the patient to exercise their right to retrieve a copy of their medical records in the format of their choice.

(2) We are not selling hospital-to-hospital, clinic-to-clinic. The cycles are too long, the integrations too intense, the process too expensive. 

(3) We are not selling to EMR vendors. They’re too big and too fragmented.

Even though we didn’t want to sell to them, we wanted to learn about hospitals. How do they share data and what’s the problem here? Overwhelmingly, hospitals run a ‘Release of Information’ or ROI process. Most use 3rd party administrators, like CIOX, to help carry the extra burden, and those administrators in turn do much of the work. Typically they’d receive a request in the mail, make hard copies of the requested records, then mail them back, fax them or send a CD — some do thousands a day... Providers have 30 days to comply and for the most part, they take the whole month.

Alternatively, you can use a patient portal to log into your account and access some of your information, but not all of it. 

The problem occurs if you’ve ever been to several providers — you literally have to call & get someone on the phone to get a new password to each portal — just to get a portion of your data.

Consequently, only about 28% of patients actually access their medical records through portals — and that’s way up from the past (Meaningful Use required providers to have ONE login per year due to the low uptake of the service). Hospitals don’t really like sharing data for a few reasons: 

(1) It’s sensitive. If they had a really easy way to access it, more breaches might ensue, lawsuits might erupt and things could get bad. This is a huge & valid concern for all provider entities. 

(2) They don’t want a different hospital to get their patients. Money is money and a sick patient taken away can cost a hospital millions of dollars. 

(3) It’s proprietary and valuable. A hospital can look at large patient populations across different care pathways and create new IP based on what they learned... or just sell de-identified versions.

Then we moved up the data food-chain & learned about HIEs. These 3rd Party groups are regional and usually connect a large portion of hospitals, clinics and labs in the area together. “Whoa,” we thought, if we could connect to them, state-by-state, we wouldn’t have to sell to all these darn hospitals. But, HIEs are really governed by their hospital customers — they move slowly, dislike risk and don’t want to share data outside of their own walls. We figured that a patient authorized request to any organization holding patient information should work for an HIE, right?

The ‘P’ in HIPAA stands for Portability, not Privacy. 

After a few months, we had talked to ~10 HIEs, actually got 3 contracts signed and then… stagnation. We simply couldn’t get the speed, resources & energy to take our idea into practice within a startup timeframe, despite the revenue opportunity and the low-lift, low-risk pilot proposition.

The problem really isn’t theirs, however. HIEs were born out of the HITECH Act and were given decreasing federal funding year-over-year. The idea was that they would sell to hospitals and create sustainability over time. What ended up happening was that the hospitals, their clients, took strong & influential positions of low risk and minimum required participation. Hard to blame hospitals though: thin margins, increasing regulatory and security requirements, and of course tons of sick patients to care for. In the end, HIEs never really got where they were aiming. Providers couldn’t agree on data standards and the dream of regional interoperability & all the good things that come from it didn’t really grow the way many folks had wished. I will add that there are some stellar HIEs out there that are doing pretty amazing things… more on that in another post, perhaps.

We never thought about hanging up our hats because we felt like we were getting closer to something. And one day we found that something — our answer came in the form of the large, national, trusted exchanges. These groups were not building new technologies, but rather ‘mutually agreed upon rules’ among EMR vendors, tech platforms and other types of health data Orgs. What these groups basically state is, “if you follow our ruleset, we will allow you to exchange data across all participating members” — and the members were impressive — Cerner, AllScripts, athenahealth… even Epic. At the time, I didn’t know that some of these networks actually spun out of government associated bodies. Vague signals turned into flashing lights and we were beginning to get focused on a single direction for the first time.

Just around this time a coincidental thing happened — Information Blocking legislation, part of the 21st Century Cures Act, came out along with the new Trusted Exchange Framework and Common Agreement. 

What this meant for patients was now these Orgs, with patient data, would need to share information via an API with a valid HIPAA Authorization and there would be a big push towards participating in a national exchange, like the ones we were working with. Sure, it might take time to get these efforts up & running and sure, there will be pushback, but the most interesting thing to me is that it just makes sense. Patients should get easy & secure access to their data at some point and the country has found a way to do it. 

If we could design the perfect patient-centric data access tool, what would it look like? 

(1) The patient or consumer would be able to leverage their HIPAA (ahem *portability*) rights within any secure & trusted solution they choose. Remember when we tried to use HIPAA Authorized Requests (via an HIE) to get patients their data before? It didn’t actually work — but it can — in fact, we can do it electronically today.

(2) The patient or consumer wouldn’t need to search for their data, repetitively log in to portals and scrape portions of their data — they would be able to just… do it. That might sound impossible, but *surprise* it’s happening today with providers and payors who need patient data to make decisions.

(3) Security and privacy would be at the core of the design. End-to-End connections would mean no public facing end points & patients would give permission for specific instances — no confusing ‘sharing profiles’ where I can set rules like, “all research groups can access my information, but not commercial research.” There would be no conflated incentive programs where sharing means my HSA account gets $5. I would just be able to share my data within any workflow & process a claim in 1 hour, as opposed to 30+ days.

And the benefits for patients, who are used to manually faxing and collecting records themselves, are massive:

Second Opinions, Claims Adjudication, Prior Auths, Benefits Management, Personalized Care, Underwriting, Corporate Wellness, Care Coordination, PHRs, Risk Adjustment, Consumer Apps and more…

Not to mention, providers, who are already paying to be members of these networks & are losing money by internally handling (sometimes) thousands of faxes a day — or paying third parties to manage their Release of Information process — can benefit in the form of actual revenue. More on Particle’s model in a different post.

What we envisioned in the beginning is already taking shape — Particle Health is a single API, just like Plaid, that can access more than 200,000,000 unique, standardized, machine readable medical records across 5,000,000 unique healthcare organizations, built on top of patient-based permissions.

It’s now our job to make it insanely easy for trusted, innovative solutions to leverage our API to cut costs and provide better health services. 

It’s been a real journey over the last 18 months and as a result we have a novel way of accessing full medical records. It’s been fun watching other innovative groups execute different methods, all of which have very valid and valuable differences. What I hope we can do at Particle is provide a trusted & secure onramp to a future state where healthcare interoperability is national and accessible for both large enterprises and solo entrepreneurs thinking up the next idea to consumerize healthcare. What I really can’t wait for is the impending renaissance of new applications, solutions & tools to come — when access to patient data is easy & secure, what will we build?

Troy Bannister