Sunday, November 30, 2008

Health Information Technology: Past Predictions, Current Reality, and Future Potential - Part 1 of 3

Health information technology (HIT) was predicted to control healthcare costs and improve care quality, but results show much room for improvement. Adoption rates are very low and those using HIT have seen poor to mediocre return on investments. Much can be improved by realigning economic benefits, having a better way to handle standardization, and using a cohesive HIT implementation strategy that encourages innovation.

In my next series of posts, I will discuss HIT's potential and evidence of its benefits; explain why adoption has been slow; and examine the need for a big picture blueprint. I will then present a new, comprehensive roadmap for achieving the initial predictions.

Initial Predictions

According to a Rand study published in 2005, "Widespread adoption and effective use of electronic medical record systems (EMRs) and other health information technology … improvements could save the U.S. health system as much as $162 billion annually by greatly improving the way medical care is managed, greatly reducing preventable medical errors, lowering death rates from chronic disease, and reducing employee sick days." [Ref:]

HIT's Potential

According to a recent report by the Congressional Budget Office (CBO) titled, Evidence on the Costs and Benefits of Health Information Technology, electronic health records (EHRs)* can enable healthcare providers (practitioners, clinics, and hospitals) to deliver healthcare more effectively and efficiently by, for example, helping them to:

  • Focus on appropriate preventive care
  • Identify harmful drug interactions or possible allergic reactions to prescribed medicines
  • Manage patients with complex chronic conditions
  • Enter notes about a patient's condition and care directly into a computerized record, thereby eliminating medical transcription
  • Eliminate or reduce the need to physically pull medical charts from office files
  • Prescribe lower cost generic medicines
  • Reduce duplication of diagnostic tests.

HIT's Benefits: Return on Investment over the Past 5 Years

Despite HIT's potential to save money by increasing efficiency, and by improving quality at the same time, its return on investment (ROI) is not uniformly positive. Understanding why can be difficult since there are different types of benefits of HIT, as well as different groups who receive those benefits. In fact, one essential group is actually hurt in important ways.

The two basic types of benefits HIT can produce are:

  • Economic, reflecting decreased cost and increased profit
  • Care quality, reflecting positive outcomes resulting from delivery of appropriate and effective care.

And there are at least three groups to be considered:

  • Providers of healthcare services
  • Consumers (patients and other people using health services and products)
  • Health plans (insurers).

Following is a brief description of how this all plays out.

Economic Benefits (and Losses) of HIT to Providers

Based on the same CBO report, the economic benefits (cost savings/margin improvements) to providers may be:

  • Internal, which means the savings go to providers through their use of HIT
  • External, which means the savings go to someone other than the provider using HIT.

In integrated healthcare delivery system (such as staff-model HMOs in which clinicians are paid a salary, including Kaiser Permanente and the VA), the providers are paid on a contractual basis, not fee-for-service (FFS). The savings are thus internal, primarily driven by increased efficiency.

For nonintegrated providers, who are paid on a FFS basis, however, savings are external. This creares little incentive for them to adopt HIT. There are at least two additional reasons for this unintended consequence:

  • Many nonintegrated clinicians might not be able to reduce their office expenses or increase their revenue sufficiently to pay for their HIT, whereas integrated systems have the revenue to cover the costs.
  • Our healthcare system is set up in a dangerous manner: FFS providers who keep patients well and deliver care most cost-effectively will receive less reimbursement than those whose patients become ill, receive more tests, and get most costly treatments. Use of HIT, therefore, can reduce their profits by improving the cost-effectiveness of care rendered. According to a 2005 RAND research study cited in the CBO paper, "Most providers are paid on a fee-for-service basis; if they were to reduce health care costs by providing fewer or less expensive services, they would have to submit lower charges to insurers, and as a result, their payments would decline." Some even argue that this can result in worse care if it leads to over-treating (delivery of unnecessary care). [Ref:]

Economic Benefits of Provider HIT to Consumers and Health Plans (Insurers)

It is logical to conclude that both consumers and health plans gain when providers use HIT to lower utilization rates. Consumers benefit because they need less care and face lower charges. Health plans benefit because there is lower payout to the providers.

Economic Benefits of Consumers-Facing HIT

Consumer-facing HIT consist of personal health records (PHRs), which give consumers information and guidance for managing their own health, and the option to share certain information with the providers. The economic benefits of these tools reflect the same benefits derived when providers use HIT. That is, by helping consumers to remain healthier longer and receive more cost-effective care, consumers and health plans save money, while nonintegrated providers receive less revenue.

Care Quality Benefits of HIT

Key to improving care quality (safety and effectiveness) is to use HIT decision-support tools that promote use of evidence-based guidelines.

For consumers, higher quality care means better results (outcomes), including fewer diagnostic and treatment errors, more effective procedures, and better preventive care. It could even mean lower costs since poor quality can cost more, which means quality improvement would also benefit health plans.

Unfortunately, improving care quality can have the unintended consequence of diminishing providers' incomes. According to the CBO report:

The quality of health care could be improved through the use of clinical decision support systems to remind physicians to schedule tests, help diagnose complicated conditions, and more effectively implement appropriate protocols for treatment. In addition, the extensive data about patients that the use of EHRs generates might allow researchers to inform evidence-based guidelines and compare the effectiveness of different treatments for different patients as well as the effectiveness of different designs for the delivery of care.

Like the benefits from delivering care more efficiently, however, benefits that stem from improving the quality of care—and the potential cost savings that accompany them—are primarily realized by patients and insurers rather than the providers who generally make the investment in health IT that leads to those benefits. Seldom are providers directly compensated for improvements in the quality of their care. Indeed, if those improvements, for example, cut down the number of hospitalizations and office visits, they might actually reduce a provider's compensation, especially in the case of providers paid on a fee-for-service basis (as is commonly the case). Improvements of that kind might enhance a provider's reputation and thereby attract more patients over the long run. But those outcomes would not necessarily increase a provider's income or lower his or her costs. (Also, some providers might discount the value of those benefits because they already had what they considered to be a sufficient number if patients and felt no need to add new ones.)

A possible benefit of improving care through the use of health IT, however, might be to lower malpractice insurance costs for providers. A number of firms that sell liability insurance for physicians are beginning to offer discounted premiums to practices that use EHRs.

So, the economic and quality improvement benefits of HIT are yielding modest and mixed ROI at best, which is one reason HIT is not realizing its potential. A second reason is low rate of HIT adoption, which I discuss in my next post.

* Note that EHRs and EMRs are closely related and sometimes used interchangeably. The somewhat ambiguous distinction is that EHRs aggregate patient data for use among multiple providers, whereas EMRs are used by a single provider.

Saturday, November 22, 2008

A Novel Way to Protect Personal Health Information

In a previous post, I wrote about the thorny issue of protecting people's personal health information. I recommended that, when it comes to personal health records (PHRs), a consumer ought to have a combination of controls to protect one's privacy. That is, a consumer ought to be able to implement a one-time authorization to share limited data sets personal health information (PHI) with specific types of providers. In addition, he/she ought to have granular control over whom, if anyone, gets to see the rest of their PHI by enabling the person to authorize particular types of providers to receive each PHI data element, and be guided by warnings and alerts. This means the consumer needs a clear-cut way to recognize the authorization status of each piece of data in every PHI category, and to be instructed along the way.

I'll now describe how our Personal Health Profiler™ (PHPro™) does it.
Following is a screenshot of a small section of the PHPro report. On the left there are little button colored red, green, and yellow:
  • The little RED button in the left-hand column (displaying a closed lock) means only the consumer is permitted to view the data on that row; it is locked from everyone else.
  • The little GREEN button (displaying an open lock) means the consumer has authorized certain types of providers to view the data on that row.
  • The little YELLOW button (also displaying an open lock) means the data have been pre-authorized for certain people to view using rules logic.

click to enlarge

To see who is permitted (authorized) to see particular data, or to change the permissions, the person clicks the left of that item. The following Authorization Form then appears:

click to enlarge

By clicking the boxes on the form, new types of providers can be added for authorization, and existing providers can be removed.

What would happen, however, if the person wants to remove the authorization of a provider, but such an action would be unwise since that information could help that provider make better decisions and deliver needed care? The PHPro is designed to give warnings and alerts should this happen. A warning prevents the person from removing the authorization of a certain type of provider when a particular piece of information is absolutely essential, while an alert advises the person not to remove the authorization, but allows the individual to override the alert and remove the authorization anyway.

The following screenshot shows an alert. In this example, the person chose not to allow his/her primary care physician to see information about a serious stomach problem. Since it is inadvisable, a message box appears issuing an alert, which can be over-ridden by the person.

click to enlarge

This is an innovative way to give consumers granular level control over their PHI. Note that the list of provider types can be expanded or contracted easily, and the rules logic for pre-authorizing particular limited data sets can modified as necessary.

Friday, November 14, 2008

Announcement: Released First Open Source Program

Regular readers of this blog are probably aware that I've had lengthy, and sometimes heated, debates with leaders of the open source community about the value of having both free open source software (FOSS) and proprietary software systems. I made the case that inventors who hold patents for truly original and useful breakthrough software programs—and who are compassionate, empathetic, socially-minded individuals—should not be lumped together with people who receive software dubious patents for insignificant inventions. These latter inventors sole purpose is to enrich themselves by "holding other developers hostage" and constraining them from creating health information technology programs that could have great benefit for the greater good. And I fully support FOSS for taking a hard-line stand against such practices!

I made the case, therefore, that FOSS programs, and proprietary programs offered by decent inventors, can live together peacefully for everyone's benefit. For more, see this link to one of my other blogs.

I now want to announce that I've just offered a data conversion program under a free open source license. For anyone interested, it's located at this link:

Saturday, November 08, 2008

Personal Health Information Privacy

Not surprisingly, during the recent National Discussion on Health Information Technology and Privacy held on the web, the issue of privacy was at the forefront. The issue of mental health information privacy was of the utmost concern. I discuss the privacy debate in this post, and offer an innovative solution.

Who Should Own One's Personal Health Information?

A knowledgeable participant at the online conference, Laura Groshong, LICSW, Director, Government Relations, Clinical Social Work Association, offered these wise words:
…I don't think patients want to be the 'owner' of all this data, responsible for sending it to the parties who need it and determining who these are. This is part of the flaw in thinking that patients should become the owner, and discloser, of all their medical information.
When it comes to mental health information, there are special problems. HIPAA has an exception about information being shared with patients if the clinician thinks it might cause harm. This is a significant concern for mental health clinicians when the patient is not ready to hear the specifics of how the clinician has diagnosed them. Patients may be aware that they feel understood by the clinician without knowing the way the clinician understands their problems for quite awhile.
Another concern I have about making the patient the owner of his/her records is how this will be implemented by people who may be homeless, incarcerated, unable to understand the disclosure process, or otherwise off the grid of being able to keep track of their own information.
I agree with her comment. It would be foolish for a consumer to dictate whether or not their primary care doctor or medical specialist should be allowed to view their lab results, imaging studies, etc. since it may be a life threatening decision for which consumers are ill-prepared to make. However, they should have control over whether their employers (or others) get to see this type of health information.

I also agree that mental health information is a special case.

For one thing, most mental health information is not life threatening, except, perhaps, suicidal and homicidal ideation/tendencies. When providers have knowledge that such dangerous behavior is likely, they are required to report to authorities (along with and sex and physical abuse). Consumer/patient consent is not needed.

In any case, I believe consumers should have full ownership/control over whom, if anyone, gets to see any other consumer-generated mental health information. This include information about their cognitions (thoughts, beliefs, perceptions), emotions, behavioral tendencies, psychosocial history, interpersonal relationships, etc. it.

And if some people do not have the capacity to make determinations about sharing their health information, a health proxy (or other "trusted partner") could assist them.

Please realize that I'm not talking about giving mental health consumers access to and control over their providers' session notes, or even giving specific individuals their mental health diagnoses or professional observations prematurely if it is clear such knowledge would cause irreparable harm to the treatment/recovery process. What I am referring to is the information contained in one's personal health record or personal health profile.

So, to me, it's not about having consumers track and control all their health information by disallowing their healthcare providers from accessing essential information needed to make life-saving and wellness decisions. Instead, it's about having control over who gets to see one's mental health information, and who, other than the physician(s) involved in one's care, is authorized to view one's biomedical and genetic information.

Next, I'm going to share some thoughts about the kinds of information that should and shouldn't be under a consumer's direct control. I'll also discuss what to do about it.

Types of Personal Health Information

As I mentioned above, there are some types of personal health information (PHI) that should not be under the direct control of the consumer, at least not without a warning. And even if consumers have some control over that information, it makes little sense to force them to approve each and every piece of data that is shared with their healthcare providers. Other types of PHI, however, should be under a consumer's complete control…every piece, piece by piece.

Determining PHI control in a logical manner requires dividing the information into different categories by classifying them according to some taxonomy. These PHI categories are comprised of "data sets," i.e., groups of related data. Rules can then be applied to these data sets, which dictate the way each particular piece of data in that category is controlled.

I will now offer a possible classification scheme, which divides all PHI into these seven categories, each of which contain one for more data sets:
  1. Personal Identifiers
  2. Personal Demographics
  3. Emergency Medical and End-of-Life Information
  4. Biomedical Health PHI and Genetic Information
  5. Mental Health PHI
  6. PHI regarding Physical Activity, Exercise, Nutrition, Energy Levels
  7. PHI for Research Purposes.
I will also suggest who should, and should not, have access to that information.

1. Personal Identifiers

Personal identifiers include a person's:
  • Name
  • Address
  • Insurance and patient ID numbers
  • Other information that can be used to identify the person to whom the PHI refers.
It is important for professionals providing healthcare to a patient, as well as those paying for a patient's care. It should not be made available to others, however, unless the consumer consents or HIPAA rules demand it. For research purposes, a people's PHI should be de-identified to protect their privacy by removing this data set.

2. Personal Demographics

A person's demographics refer to information that places the individual in a specific group based on such data as:
  • Age
  • Gender
  • Race
  • Religion
  • Family size
  • Level of education
  • Occupation
  • Income
  • Zip code.
Some of these data may be useful in making medical treatment decisions, including one's age, gender, and possibly race. And others may be useful in mental health care. Nevertheless, demographic data are essential for most clinical research.

3. Emergency Medical and End-of-Life Care Information

Emergency medical and end-of-life care information includes such data as:
  • Blood type
  • Allergies
  • Past and current medical conditions
  • Current medications and dosages
  • Emergency contact information (family and physicians)
  • Advanced directives (include living wills and durable powers of attorney).
Any authorized provider delivering care to a person in an emergency ought to have access to this information, even if the person is unable to consent at the time. See this HIPAA flowchart for more.

4. Biomedical Health PHI and Genetic Information

Biomedical health and genetic PHI includes health history, current health status, health risk information, as well as genetic information. This category contains biomedical and psychological data about a person's:
  • Existing symptoms
  • Current and past health conditions/problems
  • Current and past exams and interventions/treatments
  • Risks posing a threat on one's future health status
  • Biometrics (e.g., weight, blood pressure, cholesterol levels, vital signs, etc.)
  • Imaging studies (e.g., x-rays, CT scans, MRIs, ultrasound, etc.)
  • Genetic makeup (of self and family).
Much of this information would be useful for most physicians treating a patient, as well as one's wellness coaches/counselors and others involved with a consumer's physical wellbeing. A one-time consent that authorizes the sharing of such information among one's physicians is justified, as well as allowing a person to authorize other types of practitioners to access specific data in this category.

Note that people with health problems or risks are unlikely to want their employers or health plans (insurers) to have access to this PHI as it may be used to make employment and insurance decisions that are not in their best interests. This issue is complex and includes debates over whether genetic data should be considered private or proprietary, as well as causing various ethical dilemmas.

Another issue is whether any of this PHI should be sent to public health agencies if there is reason to believe that a person has a seriously contagious illness, or if there are multiple people in a region with a health problem that indicates a possible outbreak (pandemic, epidemic, or terrorist attack). This issue is addressed by the HIPAA Privacy Rule and Public Health.

5. Mental Health PHI

Mental health PHI includes all psychological, psychiatric, and psychosocial information. This broad category encompasses information about one's perceptual, emotional, cognitive, behavioral, and social life. It includes a huge diversity of information, such as:
  • Excesses of emotion, mood, affect including anger toward others/resentment, anger toward oneself, depression, anxiety, guilt, shame/embarrassment, jealousy/envy, pessimistic about the future, manic periods/emotional excitability, low frustration tolerance, easily irritated/annoyed, impatient, lack of adequate temper control
  • Deficits of emotions, mood, affect including lack of pleasure/enjoyment, feelings of boredom/emptiness, flat or grossly inappropriate affect, unawareness of one's emotions, apathy, lack of empathy, remorse, tender emotions, and cool indifference
  • Instability of emotions, mood, affect including bipolar symptoms
  • Excesses of activity, drive, impulse, behavior including compulsions and restlessness, psychomotor agitation or tension, hyperactivity and poor impulse/urge control, reckless behavior, failure to adequately consider the consequences to one's actions, poor or lack of planning & decision-making, indecisiveness, kleptomania, pathological gambling, pyromania, trichotillomania, compulsive sexual activity, compulsive spending, workaholism
  • Deficits of activity, drive, impulse, behavior including poor work effort/motivation, loss of initiative, disinterest, poor planning, failure to persist on task, procrastination, difficulty making decisions, passive-aggressive behavior, irresponsible behavior, psychomotor retardation, lethargy, lack of activities of daily living (ADL) skills
  • Eating problems including excessive eating (overeating), poor appetite, excessive dieting or fasting, vomiting or use of laxatives, binging and purging, body weight
  • Sleep problems
  • Sexual problems and issues including sexual abuse; general information; violent sexual thoughts and fantasizes; sexual dysfunctions
  • Physiological symptoms related to one's physiology including gastrointestinal problems, autonomic nervous system symptoms, motor tension and overactivity, cardiopulminary symptoms, motor lethargy, numbness, tingling sensations, paralysis, sexual problems, and more
  • Psychosocial stressors and interpersonal problems including family strife, problems with work or school, problems with one's living situation or working environment, legal problems, financial problems, etc.
  • Psychoactive substance use including caffeine, nicotine, alcohol, and illicit drugs
  • Maladaptive cognitive styles on mental symptoms/dysfunctions including ultra-conservatism (avoids constructive risk-taking), pessimism, helplessness, hopelessness, lack of self-efficacy, perfectionism, inflexibility, dogmatic style, preoccupation with organization/order, paranoid ideation (non-delusional), lack of trust, suspiciousness
  • Primary dysfunctional cognitive schemas including irrational beliefs, negative self-concept and global self-appraisals, non-delusional inflated appraisals of self such as narcissism, self-centeredness, grandiosity, attention/approval-seeking; manipulative behavior; exhibitionism; negative global appraisals of others/prejudice
  • Secondary dysfunctional cognitive schemas including low self-efficacy; pessimistic future expectations; sense of wrongness, unfairness, entitlement/deservingness; causal attributions (responsibility)
  • Coping styles
  • Maladaptive levels of alertness, attention, concentration, vigilance, concentration (vigilance deficits and attentional excesses)
  • Identity problems and confusion including multiple personality symptoms, depersonalization and derealization symptoms, gender-identity problems
  • Post-traumatic stress disorder
  • Disturbances of consciousness and orientation
  • Memory problems and amnesia including psychogenic fugue, immediate and short-term memory impairment, recent and remote memory impairment, paramnesia, general memory impairment information
  • Abstract thinking, intelligence, dementia, pseudodementia
  • Problems with insight and judgment
  • Executive functioning impairment and non-verbal communication learning disabilities (including dyslexia, dyscalculia, dysgraphia, directionality difficulty)
  • Disorders of receptive or expressive communication
  • Disturbances of thought process and form
  • Hallucinations and illusions
  • Perceptual agnosias
  • Conversion disturbances
  • Delusions
  • Obsessions
  • Peculiar, odd, eccentric behavior or appearance
  • Overconcern with body shape or size
  • Grossly defective/disorganized behavior
  • Self-directed violence/aggression including suicidal and self-mutilation behavior
  • Other-directed violence/aggression and anti-social behaviors including violent and non-violent conduct problems
  • Interpersonal rejection, avoidance, abandonment, social withdrawal, social anxiety, under socialization, interpersonal indifference, shyness, dependency, passivity, loneliness, insecurity, passivity/unassertiveness, proneness to peer-pressure, pattern of unstable/poor relationships
  • Defense mechanisms employed including mature defenses, neurotic defenses, immature defenses, and narcissistic defenses
  • Early (childhood) psycho-social experiences
  • Factitious disorders.
Is it worth computerizing such mental health information? I say YES it is because failure to digitize and share such PHI:
  • Prevents the mental health field from developing its potential (e.g., by not allowing de-identified data "from the field" to be used to the study and improve treatment effectiveness)
  • May increase risk (e.g., makes it difficult to do an assessment of medication side effects, especially if multiple medications are taken)
  • Keeps a wealth of consumer-generated information from being used for treatment planning and delivery
  • Prevents consumers from taking advantage of a new generation of computerized self-help tools that increase self-understanding, and offer help with coping and problem solving
  • Makes it nearly impossible to deliver care through a "whole-person" (mind & body) approach.
At the same time, failure to protect a person's psychological information is destructive and simply unacceptable, whether it is in electronic or paper form.

So, who should be authorized to access a consumer's mental health PHI? Well, it depends on what the particular information is in this category.

It is no surprise that mental health practitioners would benefit from having access to the vast majority of this information since it is helpful with treatment planning and delivery. They would also benefit from combining this information with the certain biomedical and genetic information (e.g., to determine if medication side-effects or medical illnesses are presenting as or exacerbating one's physiological symptoms, to understand if psychological stress or emotional distress are adversely affecting one's physiology, etc.).

Integrating some of this mental health information with their patients' biomedical information would also benefit non-psychiatric physicians and other non-mental health providers by helping them understand their patients' health status and needs in an integrated whole-person manner that encompasses both the mind and body. This comprehensive information would, for example, help these professionals:
  • Determine if there are adverse side effects of medications taken, which present as psychological symptoms
  • Gain insights into their patients' motivation and ability to self-manage acute and chronic conditions
  • Be aware when psychological problems are adversely affecting their patients' physical health; for example:
    • There is a strong connection between optimism, coping skills, and physical health. Researchers found that depression is a precursor to heart disease, with certain depressed patients being 50 percent more likely to develop or die from heart disease than those without such symptoms, even though they had no prior history of heart disease. Depression, therefore, likely affects not only the mind but also physical health by being linked to increased blood pressure and abnormal heart rhythms, as well as chronically elevated stress hormone levels, which can increase the heart's workload.
    • Disturbances of physiology that are related in some way to situational/psychological conditions, but without actual permanent end-organ damage, include migraines, functional bowel disease and types of chronic pain. And disturbances where actual physiological and psychological pathologies are evident include hypertension, peptic-ulcer disease, hyperthyroidism, asthma and chronic skin disorders.
    • As many as 25 percent of all outpatient visits can be accounted for by psychological factors that cause physiological disturbance with no permanent organ damage (as in migraines, functional bowel disease, and types of chronic pain). That's the narrow definition of psychosomatic illness. The percentage rises to around 50 percent of all ambulatory care if the definition is expanded to include conditions where actual physiological changes occur (such as in hypertension, hyperthyroidism, asthma, and chronic skin disorders). The percentage rises even higher when the definition of psychosomatic is widened to include serious physiological disorders, such as autoimmune disturbances that tend to appear or flare up with significant life changes and stress.
  • Knowing when psychological problems are adversely affecting a patient's physical health helps a provider determine when to make a referral to a mental health professional. This is important because:
    • Psychological interventions are becoming a necessary component of treatment, or even the treatment of choice, for many psychophysiological (mind-body) disorders. When mental healthcare specialists render treatment for psychological disorders, such as depression, patients realize better outcomes for lower cost compared to treatment delivered in general medical practice.
    • Research demonstrates that behavioral healthcare enhances physical health, raises the body's ability to recover from illness and surgery, and prevents biological illness by helping to alleviate stress, promote physically healthy lifestyles, and strengthen the immune system.
    • There is a wealth of research demonstrating how the treatment of psychological and behavioral aspects of illness decrease medical utilization and costs, which can more than offset the cost of providing the behavioral interventions, resulting in total cost savings. An example of this "medical cost offset effect" is research that found attending to the psychological needs of patients diagnosed with somatization disorder reduces the annual cost of their medical care by almost one-third.
Now to the question: Who should control a consumer's mental health information? I assert that it should be the consumer him/herself, and the information should be controlled at a granular level of detail. That is, the consumer should determine who is authorized to view each piece of data, andeveryone else should be blocked from seeing it.

6. PHI regarding Physical Activity, Exercise, Nutrition, Energy Levels

PHI regarding one's level of physical activity, degree of exercise, nutrition, and energy drains and boosters would be useful to all healthcare providers, and at would be key information for wellness coaches/counselors.

7. PHI for Research Purposes

All the PHI data sets above would be useful for different types of clinical research. Since personal identifiers are not necessary for this type of aggregate analysis, the data should be de-identified before being sent for research. If the person's identity is guaranteed protected, I don't see an urgent need for authorization, although it will likely be required. I'd even go so far as to recommend that consumers and their healthcare providers be paid by those using their PHI for research, even when the information is de-identified. I say this because such payments may promote greater use of electronic health record systems in general, as well as support research efforts.

How Consumers can Control their PHI

There are at least two mechanisms by which consumers can control their digitized PHI: Use of limited data sets and granular authorization controls.

Limited Data Set Control

One method is to predefine "limited data sets" in which only a particular sub-sets of PHI in the categories discussed above shared with particular types of authorized persons. In some cases a consumer would have to consent only one time to authorize particular healthcare professionals to access and share their PHI. In other cases, no consumer consent may be required (e.g., for the protection of public health). And in still others, consent may be required every time.

These data sets may include information from one or multiple PHI categories. Note that there may be times to allow a consumer to override a limited data set in order to restrict access to particular pieces of data.
To make all this happen, a health information technology tool must automatically manage a variety of rules that define the data sets, authorize the appropriate recipients, and give a consumer the ability to override the rules when appropriate.

Granular Authorization Control

Granular authorization control means giving a consumer the ability to authorize access to certain types of healthcare professionals, and prevent access from others, for each and every piece of data in the various PHI categories. This may include overriding certain limited data sets, as well as having complete control of all other data sets.

For convenience sake, the consumer should be able to authorization each piece one time, and then be able to update the authorizations whenever desired. In addition, if a consumer fails to authorize certain providers of specific information they need to do their jobs effectively, or if s/he removes the prior authorization of those professionals, a warning should appear informing the consumer that this action is unwise. Likewise, if the consumer (mistakenly) authorizes certain provides to access certain sensitive data they do not need, another alert should appear letting him/her know what is being done.

Combined Control in Personal Health Records/Profiles

When it comes to personal health records (PHRs), there ought to be combined controls. That is, a consumer ought to be able to implement a one-time authorization of limited data sets for certain PHI, as well as authorizing the rest of their PHI via granular control, and be guided by the warnings and alerts as describe above. This means the consumer needs a clear-cut way to recognize the authorization status of each piece of data in every PHI category, and to be instructed along the way.

I know of no PHR that has these capabilities. However, the personal health profile we've developed already does it! See this link for more.