What Do HIEs and Cracked Windshields Have in Common?

Mahmood Sher-Jan, CHPC, ID Experts

If you are a patient, like most, you are probably assuming that your protected health information (PHI) is well “protected” by those who are custodians of the data. You also may think that the data is yours and you control its primary and secondary use. I hate to be the bearer of alarming news but both of these assumptions may be faulty. The topic of “who owns patient data in EHRs” was extensively explored in a great blog post by Doug Pollack of ID Experts, which has already generated well over 100 comments on the HIMSS’ LinkedIn group alone. I encourage anyone interested in the topic to check it out.

In this post I want to explore another PHI privacy implication related to sharing of the data through health information exchanges (HIE) and further through the Nationwide Health Information Network (NwHIN). ModernHealthcare.com reported that CHIME has raised a red flag to Dr. Farzad Mostashari, head of the Office of the National Coordinator for Health Information Technology at HHS. My first impression to CHIME’s suggestion that the ONC “should devote more time and resources to identifying and publicizing best practices among existing health information exchanges,” was that security and privacy issues must be at the root of their concern. However, the real issue behind the objection, as it turns out, is the risk from imposing governance restriction to the HIE & NwHIN business model and making sure that restrictions that could limit the downstream monetization of the patient data (albeit de-identified) by 3rd parties are excluded or limited.

It is no secret that the biggest challenge facing HIEs is the lack of a sustainable business model once the gov’t subsidies end. So creating a business model to help sustain these entities is key to their viability. What are patients willing to sacrifice for the benefits gained from HIEs and NwHIN? Since patients are a fragmented bunch, how can they mobilize against forces of capitalism that see a gold mine of value in the bit streams floating between these exchanges? I think the potential benefits from HIEs are still conceptual and not well understood or documented. The risk to the confidentiality, integrity, and accessibility of patient data, on the other hand, is much more real in this brave new world made up of health information exchanges.

Let me explain my choice for the title of this blog post. When a car is driving behind a gravel truck, there’s a chance that a piece of gravel falls and hits its windshield causing damage well beyond the point of impact. What if multiple cars are driving side-by-side? The chance of one of them getting a cracked windshield is higher. The gravel truck represents the multitude of online security threats while the cars are HIEs. Since HIEs share/exchange data by design, the impact is felt by many, including patients, participating providers & plans, and other HIEs connected through the NwHIN. A car’s damaged windshield can be treated so the cracks don’t keep expanding to the rest of the windshield. But we have no clue at this point about how to contain any damage to the patient data once it is digitized and released into the wild. We need to be very thoughtful about the HIEs governance issues and make sure that our rapid march towards creating a totally connected healthcare ecosystem does not leave us cracked beyond repair!

Mahmood Sher-Jan, CHPC, is the Vice President of Product Management at ID Experts. He brings to ID Experts over 25 years of domestic and international solutions development and deployment across Healthcare, Financial, and Retail industries.  Mahmood’s experience spans startups to fortune 100 enterprises.  He holds patents in fraud prevention and secure ID solutions.  Mahmood is responsible for strategy and development of Breach Prevention & Risk Assessment products and services for ID Experts. He is a graduate of the University of Washington with a degree in Computer Science and an MBA from University of Redlands.