Health Internet - The New Consumer-Friendly NHIN
At a recent Boston meeting on health records infrastructure, key stakeholders recognized the potential of patient control as a strategy to address privacy concerns that could otherwise limit ongoing health networking initiatives. MedCommons proposes one possible approach to making the national health information network (NHIN), currently conceived as a provider-to-provider exchange, consumer-friendly and consumer-accessible. We illustrate the need with a true story, propose a novel addition of independent identity service providers to the NHIN and then illustrate how this could be used to transfer the soldier’s CT to the US for a second opinion even as he’s being transported.
On the morning of the Boston meeting, a friend of mine called to say that his son was seriously wounded in Afghanistan and was being stabilized for transport via Germany to the US. He knew that his son had a CT in the field clinic and wanted to get it before the son was transported over four days through to Bethesda. Could the Health Internet be used to help this family?
The NHIN does not have to run like Big Brother. We propose a voluntary identity principle that distributes trust among multiple private and public institutions and gives consumers a choice of who controls their medical identity. Some might pick a particular hospital, others might choose their regional HIE while others could choose a private service such as a bank or telecom that is not a health care business at all.
The institution that manages a patient’s ID on the Health Internet is referred to as the IDP. To authorize health records exchange on the NHIN, an IDP would have to meet strict requirements and receive an NHIN Certificate. An NHIN Certificate is analogous to the SSL certificates issued to banks and other corporations on the Internet. Larger hospitals, military, VA and integrated delivery networks on the NHIN also hold an NHIN Certificate.
The issue and administration of NHIN Certificates could be handled by state or federal agencies or privatized to Verisign and similar services that already do this for the Internet.
We propose a Health Internet consisting of two kinds of certified entities, health care providers and identity providers. Both are chosen and trusted by the consumer but the identity providers are the key to effective competition and innovation.
Small group practices, insurance companies, web personal health records services and search engines would likely not carry NHIN Certificates and would participate in the Health Internet only under the control of the patient through their IDP.
Substitutability, the central concept of the Boston platform meeting, is a key benefit of this proposal. An IDP that disappoints a patient could be swapped out without impacting the health care providers and a health care service that disappoints could be ignored or disconnected with a simple message to the IDP.
Public health and research users of the NHIN would not be affected since all entities that carry NHIN Certificates could still interact with each other directly under whatever rules and regulations the Certificates represent.
How would this have worked in the case of a soldier shot in Afghanistan and on his way to Bethesda?
- Before entering the service, the son might have picked Verizon as his IDP because they hold an NHIN Certificate and offer a family member override. He would have established the father, who also has a Verizon account, as health care proxy.
- Upon induction, the health service saved the serviceman’s IDP selection (their Verizon health ID, possibly in OpenID format - see references below) along with the rest of his personal contact information.
- The father, when notified of the injury, is unsure which doctors will be available to consult on his son’s case, but needs to have the son’s CT scan at the ready as a first step.
- The father decides to do a transfer using a personally controlled health record service because it will give him control of the CT and make it easy to deliver the images to any physician that offers to help. Neither the father nor the health record service has an NHIN Certificate.
- The father goes to the military health service EHR portal. Without logging in, he goes to a form that requests his son’s Verizon health ID along with the MedCommons-type account ID where the CT is to be delivered.
- The EHR portal contacts Verizon for authorization on the basis of shared trust under the NHIN federation.
- When Verizon’s text message to the son goes unanswered, Verizon contacts the father as Health ID proxy. The father reviews the correctness of the familiar-looking MedCommons-type ID as the destination and authorizes the transfer.
Note that the military health service does not know whether the son or the father authorized the request, but it trusts the transaction because it knows that Verizon holds a valid NHIN Certificate.
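The trust decision in this walkthrough can be modelled in a few lines. The following is an added sketch, not MedCommons or NHIN code: the registry, the `idp.example` name, the assertion format and the rule that an explicit refusal is final are all assumptions, and an HMAC key stands in for the NHIN Certificate so the example runs with the standard library only.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the NHIN Certificate registry: IDP name -> key.
# A real federation would use X.509 certificates and public-key signatures;
# HMAC is swapped in here purely to keep the sketch self-contained.
NHIN_CERTIFIED = {"idp.example": b"constructed-demo-key"}


def _sign(key, claim):
    body = json.dumps(claim, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, name, key, proxies):
        self.name, self._key = name, key
        self._proxies = proxies  # patient health ID -> proxy health ID

    def authorize(self, health_id, destination, respond):
        """Ask the patient, then the proxy; return a signed assertion or None."""
        for approver in (health_id, self._proxies.get(health_id)):
            answer = respond(approver, destination) if approver else None
            if answer is None:
                continue          # unanswered: fall through to the proxy
            if not answer:
                return None       # assumption: an explicit refusal is final
            # The assertion names patient and destination, never the approver.
            claim = {"idp": self.name, "health_id": health_id,
                     "destination": destination}
            return {"claim": claim, "sig": _sign(self._key, claim)}
        return None


def portal_release(assertion, health_id, destination):
    """EHR portal check: release only on a valid assertion from a certified IDP."""
    if assertion is None:
        return False
    claim = assertion["claim"]
    key = NHIN_CERTIFIED.get(claim.get("idp"))
    if key is None:               # the IDP holds no NHIN Certificate
        return False
    if not hmac.compare_digest(_sign(key, claim), assertion["sig"]):
        return False
    # Bind the approval to this exact request so it cannot be redirected.
    return claim["health_id"] == health_id and claim["destination"] == destination
```

A production design would also carry a nonce and an expiry in the signed claim so that a captured assertion cannot be replayed later.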
In summary, the introduction of certified identity providers into the NHIN together with the simple and commercially established OpenID protocol can transform the NHIN into the consumer-friendly Health Internet and bring simple regulation and market forces to bear on solving difficult privacy problems.
CODA: As of 10/4, the soldier is stable, conscious and out of the ICU in Bethesda. A second opinion is in the works at a Boston hospital. The parents and collaborators are able to see and share 1.75 GB of imaging about their son. Let’s all hope for a good outcome and a speedy recovery.
Adrian Gropper is a physician and the CEO of MedCommons
Patient ID on the Internet; October 12, 2007; Blog; http://agropper.wordpress.com/2007/10/12/patient-id-on-the-internet/
Web leaders initiate govt open identity pilot program; September 30, 2009; Health Imaging Editorial; http://www.healthimaging.com/index.php?option=com_articles&view=article&id=18927