TR: What about the public-health benefits? Systems that house large quantities of patient data could enable new types of research studies.

KB: Absolutely, that’s something I get really excited about. It will totally break open our knowledge base. For example, I have been diagnosed with low-pressure glaucoma, which is fairly unusual. No one knows what causes it. I would love to be able to search the system for anyone with this form of glaucoma and start to look for similarities.

I’d love to be able to do that too, except it would potentially violate the privacy rights of all of those individuals if they hadn’t agreed to specifically let you see their records. If they were to elect to share their information to help others find similarities as she suggested, that would be fine, but we should not assume everyone will do that, and we would have to have a process for this election upon diagnosis.

The first issue to cover is whether the Internet will be used as the medium of record transfer, if point-to-point connections will be established using the phone system or another network, or if an entirely new network will be created to facilitate these transfers, like the financial network. This article assumes the first option, especially since citizens will supposedly have access to the information online.  A separate network would be a much better solution, but would cost much more to deploy.

Why does it matter?

What are the non-privacy-related implications of Internet-accessible health records vs. them being on paper in a drawer? Most of them have to do with hacking, bribery and blackmail. Let’s say someone pays the Database Administrator of the health system $1,000 to change your health records to indicate you saw the doctor about gonorrhea (or they simply use a stolen doctor’s account, or they’re a hacker, etc. etc.). Now, they give you a call, letting you know that they’ll tell your wife unless you pay $10,000. Blackmail is a huge possibility. This is possible now, but only by those who work with patient information physically.

One effect of the centralized hackable database of health records would be the illegal issuance of prescriptions for drugs like Valium, Oxycontin, etc. for a fee. All that would have to happen is a falsified entry into the database, and you can go down to the store and pick up your bottle. I don’t necessarily oppose loosening rules on prescription drugs, but creating a new electronic black market for health record falsification could prove dangerous. After considering this possibility further, it would be possible to remove prescriptions from the system as well, possibly endangering lives.

So we should just use paper?  Come on!

Now, I’m not necessarily against digitizing health records. If each citizen, on the initialization of their record, was given a private key, and all the records were encrypted with the matched public key, and kept in a large central database, that would be fine. Yet, there are problems with this too since in an emergency, the health records wouldn’t be accessible unless the patient was conscious and able to type their passphrase. Therefore, there would have to be an override of some sort, which would destroy the security of the system. This override could be a “health safety deposit box” provided to patients optionally by a private corporation, which would contain their passphrase for emergency use, and would be authorized for query by the living will of the patient. This is the only possible way I can see for centralized health records to be implemented securely, but it seems to be unworkable at the moment.

So what about decentralization, which is what we currently have with paper and with the SAFEHealth system. If the records were kept by the doctor, and encrypted with both his and the patient’s public keys (for patient confidentiality), that would be secure. Of course, assuming the medium of transfer is the Internet, the decryption and changes would have to be done on a standalone computer to prevent the cleartext from being retrievable from the Internet, and any transfer to another office would involve re-encrypting the files with the other doctor’s public key, transferring of the result to an Internet-enabled machine, and the reverse process on the other end to read the records. Because this is painful and time-consuming, doctors and administrative assistants (I like ‘secretaries’ better, but whatever) would obviously skirt the security here. And human involvement to decrypt would still be needed in emergencies. I’ve just sent an email to SAFEHealth asking for more information about their system:

Hello,
I’m interested in learning more about how your system works at a deeply technical level. Could you please point me to an explanation of exactly how records are stored, accessed, encrypted, decrypted, which keys are used, who generates those keys, and what network protocols are used to access the information? Thanks.

The only workable solution seems to be the patient signing away the rights of the government to make his/her health records potentially public information. We’ve seen various scandals involving medical industry employees already, like Octomom. Many people would sign this, especially if they went to different doctors all the time. Many people don’t care about their medical records being public, so they’d do it for convenience. But at a process for removal from the system at any time should be available for all patients. A system like this might complicate seeking diagnosis for things like alcoholism, opiate addiction, and mental health for fear that one’s employer might find out about the condition. Any patient should be able to elect to use paper instead, and be responsible for the transfer of his/her medical records to medical professionals for treatment.

But it’s for your own good!

A dangerous assumption is that we must force the patient to allow doctors access to their medical records for his/her own good. The fourth amendment exists to prevent this very thing from happening. It could also be argued that random searches of homes would discover meth labs and would save children, but it is unacceptable in this country because of our natural right to privacy. One way to assure access in case of emergency for those who have privacy concerns is by using a living will to allow access to the paper records assuming they’re filed somewhere accessible. Private companies could provide medical record storage facilities for profit, and could be called in case of emergency need of the records (or as I described before, the passphrase to unlock the records).

If one thinks this article is scathing to the whole idea of digital health records, he/she should have a look at this one.  While some of the same concerns and many more are brought up, different fears are addressed.  The corruption of government employees would also be a danger (which I touched on with the DBA bribe example earlier), but some of the later examples (the police officer having access) are a little unfounded and paranoid.

Microsoft and Google both have products for storing large amounts of health information.  When stories like this are appearing all the time, that really concerns me.  I’ll finish up with a good quote from this article.

“Ironically, HIPAA creates felony penalties if a doctor or hospital abuses the data, but there’s absolutely no penalties for a Microsoft or a Google because they’re not covered by the law,” Brailer said. “It’s nothing that they’re doing wrong. It just shows you the state of mind of Congress when that rule was written 10 years ago, because they never ever envisioned there would be online services managing health information.

“I think that’s a very high priority, because one consequence of the President-elect ramping up people’s attention to this is that people will come back to a lot of their fundamental worries about the protection of their health information,” Brailer said.

I look forward to comments and suggestions for this post.  This is definitely a hot-button issue at the moment, and any constructive criticism will be appreciated, and probably responded to.

Update 4/10/2009

So, Lawrence Garber, Principal Investigator for SAFE Health, and I have had a great email thread going on the security details of their system.  It sounds pretty good, but there are still concerns.  Apparently, they use HTTPS over a VPN, which isn’t a bad solution for network traffic security.  Yet, the last response I received from him indicated the following:

There’s no need or requirement to encrypt the data on the server because it’s within our physically, password-protected, and firewall secured datacenter. However passwords and credentials are encrypted.

So, again, we’re back to the unhackable datacenter with unencrypted data idea, which, from personal experience, isn’t a good idea.

We received it a few days ago, but had to buy a faucet fitting for it since it didn’t come with a 3/4” female faucet adapter. After $4 at Home Depot, it works perfectly. We bought ours with a fluoride filter as well as a ceramic filter, giving us the best water we’ve had in quite a while. I highly recommend these as this is the second Doulton filter I’ve been very happy with in my lifetime.

“Diarrhea kills five times as many kids as AIDS,” said John Oldfield, executive vice president of Water Advocates, a Washington, D.C.-based organization that promotes clean water and sanitation.

“Everybody talks about AIDS at cocktail parties,” Oldfield said. “But nobody wants to hear about diarrhea,” he said.

This is interesting too:

“There needs to be a rational system for how to apportion scarce funds,” said Helen Epstein, an AIDS expert who has consulted for UNICEF, the World Bank, and others.

Maybe we should allocate them per country or per region such that the amount of money for a given epidemic or other health concern is proportional to the need (now I’m starting to sounds like a communist, but bear with me) for that treatment. Now, of course there will be issues with estimating how much of each treatment a country might need in the coming year, especially first aid materials, but for most illnesses (see AIDS and malaria) we can probably safely use this year’s statistics to estimate the amount of treatment that needs to be available next year. Therefore, the various charitable organizations that accept donations for healthcare, as well as the World Bank, should accept money with a policy that it will be used as efficiently as possible rather than promising to use the money for AIDS, cancer, etc.

The problem with this is it doesn’t sound like you’re addressing a particular problem when you do it, so you can’t use it to prop up your ego. If one were to lose a loved one to cancer and he/she wanted to donate to a cancer fund, the only ones available would be the general healthcare funds and specific cancer research organizations. Another problem is that it wouldn’t make any difference to reform the policies of the organizations, because they could just split up into multiple entities (cancer, AIDS, malaria), and the money would be mis-allocated in the same fashion. The only real way is to outlaw receiving or donating funds for specific types of healthcare, which is completely insane.

So, do we make it cool to donate to diarrhea? That doesn’t seem possible to me. Perhaps in cases of foreign aid, we should only allow general donations because of this resource mis-allocation problem.

I decided today that I wanted to track my calories burned per day on a nice line graph. I did it, and I think I will continue. The total is automatically calculated by the PHP data source. This was made using my Mephisto Plugin for Open Flash Charts.

Now I only need one meal a day! Thanks to this energy packed combo meal, I can get all the calories and protein I need for a daily sitting at my desk! And its so good for me – look at those veggies on there!

When are people going to stop buying these products? At least I have heart disease on my side.