Tuesday, July 31, 2007

The Dark Side of eHealth

In a comment on last Thursday's post on eHealth for Safety, Dr. Hamza Mousa, a physician and system developer in Egypt, provided a link to his blog post concerning a website that appears to be brokering exchanges in blood and organs, outside of any official process or mechanism for organ donation and transplantation. He raises both the privacy and public safety issues associated with such sites.

We all know that the Internet is used for all kinds of nefarious purposes - kiddy porn, hate mongering and the like. We know that the Internet health care space is filled with quackery and sites that seek to take advantage of people in desperate circumstances.

This will be a constant struggle for those of us who promote the Internet as a tool to enhance the health and well-being of patients. I'm not sure what we can do about such sites. One thing we can be certain of is that for all the good eHealth can do, some people will be motivated to exploit the technology and the people who use it.

Monday, July 30, 2007

Trust and Understanding

Friday's post on Making Progress Towards EHRs generated some lively discussion about the health sector's state of readiness with respect to EHRs and other information and telecommunications technologies. I agree that we are at a tipping point with respect to the capability of ICTs to revolutionize the work of health professionals. However, the skeptic in me keeps niggling away about the human issues that still must be addressed before we see health care providers embracing the technology in the way those promoting eHealth envision; i.e. a world of happy healthcare providers willingly and enthusiastically sharing information with one another and with other stakeholders in a collegial and collaborative way.

Central to it all is trust and understanding. By and large, I don't think the major players in the health sector trust and understand each other. In particular there is a great divide between those who provide health care and those who pay for it. At the 100,000 foot level we all agree on the basic tenets of health care and eHealth, but when it comes to implementing eHealth on the ground, different agendas and points of view come into play. Many eHealth initiatives are sponsored by the payer community (Government or private sector) who want to see improved efficiencies and happier customers. These initiatives are often regarded with suspicion by health care providers who fear unwanted intrusion into their daily work and relationships with patients.

I don't think that there is any maliciousness at play here. Everyone wants to do a good job providing excellent care to patients while at the same time making a decent living. Unfortunately each of the different stakeholder groups sees the promised eHealth world differently.

Witness the gaps (well documented in many of the papers noted on this site) in meaningful end-user involvement in the development of requirements and the design of eHealth systems. Many eHealth system developers live in a Dilbert world where users are seen as just another component in a complex business process that is better understood by engineers than by knowledgeable health care practitioners. This is particularly acute when the paymaster for the eHealth initiative is a government or insurance company rather than the health care providers, or some group acting on their behalf. He who pays the piper calls the tune. This lack of involvement promotes distrust, and ensures that we will not understand one another.

The answer is information governance. While the technological capability may exist for eHealth, and while health care providers are becoming more technically savvy, without some mechanism for brokering consensus about eHealth systems requirements, the rules and standards governing eHealth and a respected approach to enforcing those rules and standards, I fear that our eHealth initiatives will continue to flounder or fail to realize their real potential.

There is some progress being made towards information governance, particularly with respect to the privacy issue. But privacy is only one of a range of issues that must be addressed before we cross the tipping point into eHealth Nirvana. This is what I believe will take the time. Implementing technology is a lot easier than changing attitudes or building trust. The technology will be in place long before the human part of the system matures to the point that we will realize the full benefit of eHealth.

Friday, July 27, 2007

Making Progress Towards EHRs?

The May 28, 2007 issue of InformationWeek included a comprehensive article titled Why Progress Toward Electronic Health Records Is Worse Than You Think. It cuts through much of the hype about the US experience with EHRs and cites a number of examples.

While there is evidence of an increase in the use of electronic health information systems, the long sought-after change in health care provider behaviour, data-sharing, is lagging far behind. The most encouraging example cited was the Indiana RHIO created by the Regenstrief Institute, which was developed over 30 years! "The secret of success is having patience," says Dr. Marc Overhage, Regenstrief's director of medical informatics.

My own experience is that any successful system in health care takes at least 10 years from first concept to full implementation and integration into business processes (not including implementation of straightforward and mature HIS's - note the near-obsession with PACS as an early win in the EHR game). 30 years is not unrealistic for the integration of many disparate systems and the associated changes in health care provider behaviour through what amounts to a complete re-engineering of the care delivery process. Most proponents of EHRs will argue that that's not good enough.

Perhaps not, but it is reality.

Thursday, July 26, 2007

eHealth for Safety

I came across this website, eHealth for Safety, commissioned by the European Commission Information Society. The site is a little light on content, but does feature an interesting paper, eHealth for patient safety: towards a European research roadmap. The paper summarizes many of the published findings already in the literature. It's a good and balanced overview document that promotes eHealth as an enabler of improved safety while acknowledging the safety risks associated with health IT. The site has a good links section as well for those interested in IT and patient safety.

Wednesday, July 25, 2007

HIPAA Privacy and Security

Noted US privacy and security expert Dr. William Braithwaite gave a Keynote address at the Fourth Health Information Technology Summit in March titled Will Privacy and Security Concerns Impede HIT Initiatives? Identifying Issues and Practical Solutions. The Healthcare Update News Service has posted a video of Dr. Braithwaite's address.

The presentation gives a general overview of HIPAA compliance and activity throughout the United States. If you have a spare 33 minutes today, put on your headphones and watch.

Links and information were gleaned from Neil Versel's Healthcare IT Blog.

Tuesday, July 24, 2007

eHealth and Ethics

In order to address the privacy and safety rights of patients we need a sound ethical basis on which to understand, interpret and balance the issues associated with eHealth. Professor Eike-Henner Kluge, Professor of Philosophy at the University of Victoria, has written a paper titled Ehealth, the USA Patriot Act and other hurdles: the black lining on the silver cloud that defines the ethical basis of eHealth and EHRs and explores issues such as the impact of national legislation to combat terrorism on eHealth, the development, harmonization and enforcement of standards, and the education and certification of Health Informatics Professionals.

An excellent paper well worth the read.

Monday, July 23, 2007

Procurement Woes

In many parts of the world eHealth initiatives are run or funded by government organizations. As a result, they are subject to greater public scrutiny than most ICT projects. Procurement is one area rife with risk for government project managers and project sponsors. These risks include:
  • Conflicts of interest - should there be any real or perceived linkages between the vendor and project principals - no matter how small or insignificant
  • Competition - or lack thereof - especially in cases where the procurement is system-wide such as selecting a system for GPs where the procurement decision alters the marketplace perhaps putting some unsuccessful vendors out of business and limiting choice for end users
  • Immature business models where the roles and functions of the vendor, purchaser and users are poorly defined leading to breakdowns that undermine project success
  • Criticism and censure by public oversight bodies
  • Inflated costs due to a poor understanding of the risks and liabilities
Once again the NHS has been singled out for criticism by the British Parliamentary Public Accounts Committee for a major procurement action in a report titled Dr Foster Intelligence: A joint venture between the Information Centre and Dr Foster LLP. The conclusion and recommendations included the following statements:
  • By failing to advertise the deal or hold a competition, the Department and Information Centre let it appear that the joint venture offered an advantage to one company at the expense of others.
  • Without an open competition, the Information Centre cannot demonstrate that it paid the best price for its 50% share of the joint venture, as there are no tenders or other benchmarks for comparison.
  • In developing the joint venture deal, the Department's Commercial Directorate did not follow established good practice in public sector procurement.
  • The cost of professional advice on the joint venture (Dr. Foster Intelligence) increased from an initial estimate and contract for £284,000 to between £1.75 and £2.5 million on a £12 million investment.
  • The Department and Information Centre could have reduced the need to rely heavily on professional advice by making use of wider government experience on forming public private partnerships.
  • It is unclear what benefits the Information Centre will receive from the joint venture.
  • In the first year the joint venture made a loss of £2.8 million compared with the expectation that it would make a small profit.

Friday, July 20, 2007

How about a Safety Commissioner?

Here's my thought for the day. In Canada and in other jurisdictions we have had great success in driving a health information privacy agenda with the enactment of privacy legislation and the appointment of Privacy Commissioners to receive complaints from the public and to oversee legislative compliance.

Perhaps we should do the same with patient safety.

Discipline and oversight of such matters is currently left with professional colleges for actions by health professionals as individuals, but I don't think anything exists to monitor and respond to incidents that have systemic causes, or are perpetrated by organizations.

With somewhere between 7,000 and 23,000 Canadians dying each year due to medical error, and knowing that there are real risks associated with the systems we are implementing, the time is right for patient safety legislation and the appointment of a Safety Commissioner.

Like the more progressive Privacy Commissioners in this country, the Safety Commissioner's role would be one of leadership, promoting patient safety, objectively investigating safety incidents, and ordering changes to individual and systemic clinical and business practices and behaviors to improve safety for patients.

It's something worth considering.

Thursday, July 19, 2007

eHealth Risk Exposure

In my research on eHealth risk I have identified two classes of risk. First, risk to patients (and to a lesser extent health care providers), which encompasses privacy, security and safety risk; and second, risk to the organization (or health system at large), which encompasses project, operational and business risk.

Peter Croll and Jasmine Croll of the Queensland University of Technology in Australia have published a paper titled Investigating risk exposure in e-health systems that brilliantly addresses the former. It considers and integrates the analysis of a range of risk issues including quality, usability, privacy and safety.

We are all aware that eHealth systems operate in a complex environment of people, process and technology. Any assessment of risk must consider and balance the wide array of risks associated with the system and the environment in which it will operate. The QUiPS model described in this paper goes a long way to addressing this need.

Wednesday, July 18, 2007

Government's Role in eHealth

I’ve always struggled with the role of government in health care, and more recently in eHealth. I’m a supporter of publicly funded healthcare. What better insurance pool than the entire population of a nation? And who better to set the rules around regulation of an industry that affects the health and well-being of every citizen?

Governments and government-sponsored agencies are good at several things: infrastructure for one, and rules, regulation and enforcement for another. Think about our road systems. Governments usually build and maintain the roads. They set the rules for driving on the roads, and they enforce those rules with police forces. By and large they do a pretty good job.

But they don’t run trucking companies, or car dealerships, or the myriad of businesses that spring up along transportation arteries to take advantage of a traveling public. Those things are better left to market forces and private initiative, which by and large do a pretty good job.

So what should government and government-sponsored agencies do in eHealth? In my own opinion it’s just like the road system:

  • Planning and Strategy - to drive consensus on how all stakeholders in the eHealth game will approach their own applications and how they will interact with one another.
  • Infrastructure - like secure high-bandwidth networks, systems to identify and authenticate citizens be they patients or health care providers, and secure communications systems to support public health and other services.
  • Standards - to define minimum requirements for security, safety, usability and interoperability for everything running on the infrastructure.
  • Rules of behavior - defining acceptable uses for the information and services flowing through the network and acceptable behaviors with respect to privacy and safety.
  • Enforcement - to ensure that standards are adopted and rules obeyed.

As a general rule, governments should stick to systemic initiatives and avoid getting involved with application systems and other activities that impact healthcare workflows or the complex interactions between stakeholders. They are not close enough to the action to understand end-user needs or impacts.

In those instances where governments are funding the development and deployment of eHealth applications, they should behave as any prudent investor would. Government should avoid direct involvement and intervention, but is within its rights to demand action and behavior that will deliver promised results.

So what would the ideal situation look like?

The government would lead on the development of an eHealth strategy based on consensus amongst eHealth stakeholders, would establish a common eHealth infrastructure that would otherwise be outside the purview, competence or capacity of any other stakeholder, set and enforce standards and the rules of engagement for eHealth participants.

Health care organizations and providers (including regional collectives such as health regions or districts) would worry about their own priorities for eHealth applications and undertake development and deployment of eHealth systems in response to the needs of their communities.

Government could participate in local application initiatives as a prudent investor, focusing on results and value for money, but letting the community determine its own needs and approach to development and deployment.

Tuesday, July 17, 2007

I've Got Nothing To Hide!

One of the most familiar retorts to the notion of personal privacy is the “nothing to hide” argument. The basic notion is that if you have something that you want to keep private (i.e. something to hide) there must be some suspicious motive for your position. It must be illegal, or immoral, or so inappropriate that somehow the rest of us have a right to know about it.

Many jurisdictions have privacy legislation in place to protect health information. But these statutes invariably exempt actions by governments where homeland security, public health or other law enforcement activities are involved. In our post 9/11 world (or 7/7 world in the UK), governments all around the globe use the “nothing to hide” argument to justify intrusions into our day-to-day lives. While the population might acknowledge that some intrusions are warranted to fight terrorism, we would do well to be skeptical about the motives of government bureaucrats and over-zealous law enforcement officials who may be tempted to use the information for purposes other than what was intended; a phenomenon known as function creep. Click here for a good example of function creep.

Privacy consultant Patrick Lo passed on an excellent paper written by Daniel Solove of George Washington University titled ‘I’ve Got Nothing to Hide’ and Other Misunderstandings of Privacy that explores and debunks this argument.

Highly recommended. Download and read.

Monday, July 16, 2007

Mr. Granger Bids Adieu

Richard Granger is stepping down after five years at the helm of the UK NHS’s National Program for IT. This is probably the largest single eHealth initiative in the world. Subject to scathing criticism, particularly in a recent report by the UK Parliament’s Public Accounts Committee, Granger gives his parting shots in an interview with CIO Magazine.

I recall some remarks made by Canada Health Infoway President Richard Alvarez during his keynote speech at eHealth 2007 in Quebec City. Alvarez commiserated with Granger and recognized the challenge of implementing national health information infrastructures. Like it or hate it, the UK NHS is on the bleeding edge of eHealth, blazing trails that other nations will inevitably follow... or avoid. Either way the global eHealth community will benefit from the UK’s learnings.

I recommend reading the Summary and Conclusions and Recommendations sections of the Parliamentary report (pages 3 - 7) before reading Granger’s interview. The two viewpoints provide an interesting counterpoint. Which account is truer? I’d be interested in your views.

Friday, July 13, 2007

Perspectives on PHRs

There's a lot of buzz and hype about Personal or Patient Health Records (PHRs). A PHR is a health record that is in the control of the individual patient, who makes it available as required to their health care providers. There are a great many risks associated with PHRs, but with giants like Microsoft and Google making noise about entering the space, anything can happen.

The California HealthCare Foundation has published a report titled Perspectives on the Future of Personal Health Records. It briefly explores the PHR from six perspectives:
  • The Big Picture Perspective
  • The Consumer Perspective
  • The Physician Perspective
  • The Clinical Technology Perspective
  • The Employer Perspective
  • The Public Health Perspective
Though very high level and supportive of the concept, the report doesn't sugarcoat the risks that must be addressed before PHRs can become a reality.

Another useful reference is the paper Personal Health Records: Definitions, Benefits, and Strategies for Overcoming Barriers to Adoption. The paper summarizes a symposium of the AMIA College of Medical Informatics in 2005.

Both publications are worth a look for anyone interested in PHRs.

Thursday, July 12, 2007

Wrong About Justen

OK. I was wrong. In yesterday's post about Whistleblowing I made some unkind and unsubstantiated comments about Justen Deal, the young man who blew the whistle on Kaiser Permanente's eHealth Record Management System. I just got off the phone with Justen who, in our hour long conversation, proved himself to be a quite mature and not-at-all arrogant person. He took his action after exhausting all other means of bringing problems with the system to the appropriate authorities and in full awareness of the consequences. Sorry Justen... please turn that smack into a pat on the back.

Understanding eHealth Success and Failure

The success or failure of health information systems is the result of a complex mix of people, organizational processes and technologies. I continually look for theories that help to explain the interaction between these dynamic elements.

I came across a paper presented at the 2002 International Conference on Systems Sciences titled Structuration Theory and Conception-Reality Gaps: Addressing Cause and Effect of Implementation Outcomes in Health Care Information Systems written by Angelina Kouroubali at the University of Cambridge in the UK. It applies the work of Anthony Giddens and Richard Heeks to a case study on the Isle of Crete.

Further Googling took me to the source paper for Heeks' work titled Why Health Care Information Systems Succeed or Fail. As is always the case, technology accounts for only one small part of eHealth success or failure. Heeks' model is based on the acronym ITPOSMO which stands for Information, Technology, Processes, Objectives and values, Staffing and skills, Management and structures, and Other resources: money and time. Heeks also developed a method for eHealth Project Risk Assessment called the Design-Reality Gap Technique.

These are three very good references. Download and read!

Wednesday, July 11, 2007

Dealing with Whistleblowers

I was scanning the web looking for leads on a story that has been circulating about Kaiser Permanente and a major failure of its reported $4 billion eHealth records management system. It started with a Computerworld article based on a 722 page internal report outlining the inadequacies of the system. Following up on yesterday's post on "Critical Reading" I was curious to find out how bad this system really was. BIG systems always have BIG problems, and my gut tells me that the fact that Kaiser commissioned such a comprehensive review of its system is a good thing.

More interesting though is how the story came to light. Justen Deal, a 22 year-old Kaiser employee, was incensed at the waste and problems the system was causing and took it upon himself to send an email to 120,000 Kaiser employees. The Wall Street Journal quoted the email in part:

"In a blistering 2,000-word treatise, Deal wrote: “We’re spending recklessly, to the tune of over $1.5 billion in waste every year, primarily on HealthConnect, but also on other inefficient and ineffective information technology projects.” He did not stop there. Deal cited what he called the “misleadership” of Kaiser Chief Executive George Halvorson and other top managers, who he said were jeopardizing the company’s ability to provide quality care.

“For me, this isn’t just an issue of saving money,” he wrote. “It could very well become an issue of making sure our physicians and nurses have the tools they need to save lives.”"

Wow... How would you respond if you saw an email like that in your inbox?

Was Justen Deal right? Was he wrong? After reading his blog, I would have smacked him. He sounds like an immature, arrogant, self-righteous kid. [PLEASE NOTE Retraction of this comment] Although... I must admit I was once like that myself.

The issue here is how we deal with whistleblowers.

Like Kaiser's system, many of our eHealth systems will have MAJOR problems. So much so that some people will feel compelled to expose waste, mismanagement, fraudulent acts, and errors that hurt people. We tacitly support the notion of whistleblowing, but as organizations we fail to provide a legitimate outlet or channel for people to voice concerns. They then turn to the media or other methods of exposing what they believe to be misdeeds.

I personally have experience with two whistleblowing episodes. In the first case the person, frustrated with the organization, went to the media with allegations of wrongdoing. This ended up badly for everyone. In the second case the person approached a trusted member of the organization's management. The trusted manager took the matter seriously, thoroughly investigated the matter and protected the whistleblower's confidence and identity. Issues were brought to the executive team's attention for action. This case ended up well.

In each of these two cases the whistleblowers had only part of the information and reported issues which, to the outside observer, seemed troublesome, but upon investigation were found to be explainable and without malfeasance. The second case did point out some procedural issues that were easily resolved.

In both cases the whistleblowers were acting in what they believed to be the best interests for the organization and its clients. They knew the risks and put their jobs and reputations on the line. That's the challenge with whistleblowers. You're dealing with people who want to help and who care deeply for the organization and its mandate.

A risk management system must have a mechanism for people to report safety issues, privacy and security breaches, project and operational risks, conflicts of interest and wrongdoing. Most important: the person doing the whistleblowing must believe that following the right channel will result in a positive outcome, that their concerns will be taken seriously, and that they will not face retribution. Otherwise we force them to look for other avenues to expose wrongdoing.

Set up a whistleblower reporting system in your organization. A good starting point is Shaping Your Whistleblower System by Gerald Bloch. Don't waste your 15 minutes of fame on a headline or broadcast email subject line like the ones that Kaiser faced.

Check out the Wall Street Journal Health Blog for more discussion on the Kaiser incident.

Tuesday, July 10, 2007

Critical Reading

The most important factor when assessing risk is the availability of complete, accurate and current information. You can’t reliably predict risk outcomes without all of the facts, or at least as many facts as are available at the time. Where do we find accurate and reliable information about eHealth?

The simple answer is nowhere. Everything you read or hear about anything, be it geopolitics, global warming or eHealth comes from a biased perspective that must be taken with a grain (or a whole shaker) of salt.

I remember when I first lost faith in the mass media as a source of reliable information. It was in December 2001 when I was Chief Privacy and Security Officer at the Ontario Smart Systems for Health Agency (SSHA), a branch of the Ministry of Health at the time. Canada’s national newspaper, the Globe and Mail, broke a story about an SSHA system that had gone live the month before. From the front page the nation learned about security weaknesses and inappropriate behavior by the Agency and its personnel.

Problem was, none of it was true. The reporter had fashioned a scathing article out of a few disparate documents leaked to him by a disgruntled employee. This was my first experience where I actually knew all of the relevant facts of the case and could compare it to what I saw in the media, and the media got it all wrong. To finish this story, the Information and Privacy Commissioner for Ontario conducted a comprehensive investigation that exonerated SSHA. The Globe printed a brief article acknowledging the Commissioner’s report, but buried it deep inside the paper and never repudiated its allegations.

Today, as I scan the net each morning looking for news and resources for the blog, I maintain a skeptical eye. I read, but put little stock in the mass media. They are out for headlines and sales. The mass media dwells on the negative, jumping on an event such as a security breach when it first occurs, quickly losing interest and rarely reporting on the final outcomes of any investigation that may come months later.

Trade magazines are a little better, though while the mass media dwells on the negative, trade journals (paper and online) tend to overstate the positive. With the organizational Chiefs (CEOs, CIOs, CFOs, etc.) as their audience and IT vendors footing the bill through advertising, they are less inclined to report when things go really bad. They don’t want to bite the hand that feeds them.

Blogs are an interesting new source of information, but they are inherently biased. Usually authored by one person, or a group of like-minded people, blogs offer opinion. Facts are filtered to support the blogger’s point of view. In many cases, mine included, blogs are maintained by consultants and companies who want to show you how clever they are in the hope that you will hire them. Treat blogs (including this one) as you would a movie or theatre critic. Find one that represents your point of view, but don’t expect pure truth.

A number of reports and publications are published by organizations mandated to deliver eHealth as a function of public policy (in Canada this includes Canada Health Infoway, the Smart Systems for Health Agency and Ministries of Health). Every country has its proponent organizations. At the international level groups like the WHO and the EU promote eHealth aggressively. You never hear bad news stories from these sources. There is often a blurring of objective fact and marketing hype in these publications which can be useful, but need to be understood in their context of promoting public (i.e. political) policy.

The most reliable sources of information (in this blogger’s biased point of view) are respectable peer-reviewed journals published by professional organizations. Reports by respected public authorities such as government auditing agencies (e.g. the Auditor General in Canada), privacy commissioners and standards producing bodies (e.g. ISO, CSA, ANSI, CEN) can be generally relied upon. But even these documents are products of a point-in-time view of available facts and must be read with that in mind. Their findings can become irrelevant as circumstances change over time.

You can’t ignore any source of information as you try to assess risk in eHealth. Even the mass media teaches you how the mass media is likely to respond if you or your organization is the subject of a security breach or patient safety incident. The key is to read critically and to try to keep it real.

Monday, July 9, 2007

eHealth Risk Workshops

Dates for the next eHealth Risk-Opportunity Report Card Workshop and Health Privacy Professional Workshop at the Waterloo Institute for Health Informatics Research (WIHIR) have been announced. The risk workshop will be held the evening of October 2nd and all day October 3, 2007, and the privacy workshop the evening of October 3rd and all day October 4, 2007.

The workshops are practical "hands-on" case-study oriented events complemented by online lectures. The risk workshop will feature the final version of the eHealth Risk Report Card methodology which has been under development for the past year at WIHIR.

eHealth Risk-Opportunity Report Card Workshop

On-Line Lecture - Review before you arrive - Managing eHealth Risks and Opportunities

On-Site Evening Session (October 2nd)
  1. Introduction to workshop instructors and participants
  2. Introduction to the eHealth Risk Report Card Methodology (interactive lecture)
  3. Introduction to the case study
On-Site Day Session (October 3rd)
  1. Managing eHealth Risk at the facility, regional and provincial levels - real life stories - Guest Lecture by Judy Farrell, Director, Health Information and Privacy, London Health Sciences Centre, London, Ontario
  2. Conducting an eHealth Opportunity Analysis (workshop activity based on case-study)
  3. Conducting an eHealth Risk Analysis (workshop activity based on case study)
  4. Making the Grade - Completing the eHealth Risk Report Card (workshop activity based on case study)

Health Privacy Professional Workshop

On-Line Lectures - Review before you arrive - Privacy Fundamentals, Privacy and the Law, Privacy Roles and Responsibilities, Security Fundamentals for the Privacy Professional, Managing Privacy and Security Risks in Health Information Systems.

On-Site Evening session (October 3rd)
  1. Introduction to workshop instructors and participants
  2. Privacy as an eHealth Risk Issue (interactive lecture)
  3. Introduction to the case study
On-Site Day session (October 4th)
  1. Privacy Governance - Interactive Lecture
  2. Developing and Implementing a Privacy Program - Conducting a Privacy GAP Analysis (workshop activity based on case study)
  3. Conducting a Privacy Impact Assessment (workshop activity based on case study)
  4. Addressing Privacy Risks - How to Co-opt senior management, staff and other stakeholders (workshop activity based on case study)
Both workshops will be held on the campus of the University of Waterloo in Waterloo, Ontario, Canada.

The early bird registration date is August 15, 2007. Register now for the early bird discount.

Thursday, July 5, 2007

A Zero Sum Game

Yesterday I received an email from Lyndon Dubeau, an information security specialist at the Ontario Association of Community Care Access Centres. He sent a link to a Health IT Survey conducted by Kaiser Permanente in conjunction with the Health Care IT Summit, focusing on question 10, which reads as follows:
"10. I'm going to read you a statement and please tell me if you agree or disagree with it:

'The benefits of electronic medical records, such as better treatment in an emergency and a reduction in medical errors, outweigh any potential risk to patient privacy or the security of health information.'"

The survey showed that 73% of respondents agreed with the statement, 25% disagreed, and 2% were unsure or didn't know.

Lyndon writes:

"The zero-sum-game approach to question 10 is interesting and pits two risks against each other.

1) The risk of not getting the best treatment in an emergency (a risk that people can relate to and understand)

2) The abstract risk of 'something' bad happening from a privacy/security perspective.

The challenge I face as an information security professional is helping the business understand that it's possible to have reasonable security/privacy controls in place without hampering the ability to get work done."

Lyndon is right-on with respect to the corner health informaticians paint themselves into with the fuzzy logic of public opinion. This isn't an either/or question. It isn't a question of privacy and security of information OR safety. Patients need and deserve both, and quite frankly, we are dishonest when we suggest that patients need to make a choice.

The issue is similar to discussions I had recently with some Waterloo Bootcamp and eHealth Risk Workshop participants. I was asked to comment on an Order by the Ontario Information and Privacy Commissioner that required health organizations to apply strong security measures to personal health information on laptop computers. The suggestion from some participants was that this was an onerous obligation to put on health care organizations struggling to improve and deliver patient care. My reaction was that the Privacy Commissioner's order was not only reasonable, but organizations that failed to apply readily available technologies such as encryption to information on laptop computers were remiss in their basic responsibilities.

Of course the real problem these people faced was getting healthcare professionals, and in particular physicians who wanted to download their patient records from the hospital system to their own computers, to apply basic security measures. It requires well thought out policies, training and enforcement that some organizations, because of the power politics, are reluctant to implement. I'm sure that 100 years ago doctors complained about hand washing and how it wasted time that could otherwise be spent with patients.

The survey itself is problematic. Question 10 is a bad question. Given the bald choice between death and disclosure of my personal information, of course I'm more likely to side with safety. I'm encouraged that 25% of respondents saw through this ploy. I would suggest that anyone who uses the data to support less privacy and security is doing a great disservice to patients, health care providers and healthcare organizations.

For an example of an excellent survey of consumer attitudes towards EHRs I would point you to a 2003 survey by the Information and Privacy Commissioner of Alberta titled OIPC Stakeholder Survey 2003. In particular, check out section 6 (pages 31 - 35) for some real information on consumer attitudes, interests and concerns about EHRs.

I invite everyone who reads this post to comment. Is question 10 a fair question?

Short Cuts to Failure

A large number of eHealth initiatives, especially those that are infrastructure oriented, are government sponsored or led. I came across a paper titled Walking Atop the Cliffs: Avoiding Failure and Reducing risk in Large Scale E-Government Projects. The paper identifies six "Short Cuts to Failure". These shortcuts include projects that:
  • Will conduct a cursory stakeholder identification process
  • Will not seek serious partnerships or ongoing information collection with stakeholders, key or otherwise
  • Will curtail the breadth and depth of the feedback collected from stakeholders
  • Will follow a pre-determined path for the project and not develop a plan based on stakeholder feedback
  • Will revert to traditional analysis methods in response to environmental pressure for an answer
  • Will adopt the results of the pre-study of business processes rather than invest in comprehensive investigation and documentation necessary.
The paper includes a review of the literature on project management and illustrates its findings with a case study.

Long gone are the days when IT folks could restrict user involvement to requirements definition and acceptance testing - leaving most of the development process to the engineers and technical analysts. End users must be involved at every stage of the development process and beyond. They're the ones who must live with the system.

I find it interesting that most of these short cuts to failure involve the failure to effectively engage stakeholders or respond to their issues, needs and concerns. I personally am aware of a number of major eHealth projects that fall into this category. Due to time pressure or politics they don't engage stakeholders; especially the end-user health professionals who are supposed to use the systems. On occasion the principals even hold significant stakeholder groups in contempt, hiding ulterior motives for the system such as cost containment or greater control of the health system.

The one conclusion I've come to in my research on eHealth risk is that effective and meaningful stakeholder engagement is MANDATORY for eHealth projects. It will take more effort and time, but it's the shortest "Shortcut to Success".

Wednesday, July 4, 2007

Privacy and Security Review and Audit

Are you ready for an audit by a privacy and security oversight agency? Privacy legislation in many jurisdictions gives designated oversight agencies the power to review and audit the privacy, security and information handling practices of health care organizations.

According to Computerworld, health care organizations in the United States are on edge because the US Department of Health and Human Services (HHS) initiated an audit of Atlanta’s Piedmont Hospital for compliance with the HIPAA Security Rule. In an article dated June 19, 2007, Computerworld published a list of the 42 policies, procedures and other documents HHS asked Piedmont to provide.

Earlier this year the Information and Privacy Commissioner for Ontario (Canada) conducted a review of the Ontario Smart Systems for Health Agency (SSHA). SSHA provides the technical infrastructure for eHealth in the province of Ontario. The IPC report and SSHA’s response can be found on the SSHA Website.

Do you really have to worry about a review or audit by an oversight agency? I know that in Canada all of the Information and Privacy Commissioner offices are grossly underfunded with respect to the review and audit role and would be challenged to undertake any kind of systematic approach to general audit and review. How strong is the capacity of HHS or oversight agencies in other countries to take on an aggressive role in this regard?

Audits and reviews are most likely to be initiated after a major security or privacy breach, or some other event that brings an organization to the overseer’s attention. The chances of being selected at random for a review or audit are likely about the same as those of a plane crash. They happen, but the chances of it happening to me personally are pretty remote.

Tuesday, July 3, 2007

Successful eHealth Projects

The European Union has issued a report titled eHealth is Worth it - The economic benefits of implemented eHealth solutions at ten European sites. This 60-page report provides evidence of the economic benefits of 10 projects widely regarded as successes.

The report focuses on lessons learned in eHealth initiatives and has distilled the reasons for success down to six key factors:
  1. Commitment and involvement of all stakeholders: All phases of eHealth development, implementation and deployment have to be supported by citizens/patients, health providers, industry, authorities, and third party payers.
  2. Strong health policy and clinical leadership that guides a flexible and regularly reviewed eHealth strategy: While the strategy should be directed by a long term vision of a citizen-centred health delivery system, it must address concrete needs of actors in the system. The strategy should include achievable, shorter term goals that create an eHealth investment dynamic. A big-bang approach with ambitious goals to be achieved over a short period of time is not recommended.
  3. Regular assessment of costs, incentives and benefits for all stakeholders: Considering purely financial return on investment at an institutional level, or potential benefits for only one of the stakeholders, may lead to suboptimal decisions. Particular attention should be paid to include all users, some of whom are often neglected in such assessments.
  4. Organisational changes in clinical and working practices: This is indispensable in order to optimise the use of ICT-enabled solutions and realise the benefits. Such changes should be facilitated by greater legal certainty in using eHealth solutions.
  5. Strong clinical leadership, good organisational change management, multi-disciplinary teams with a well-grounded experience in ICT and clear incentives: The combination of skills of the people involved will make the difference between success and failure, not the specific eHealth solution. Skills development through continuous education and training is essential.
  6. Long term perspective, endurance and patience: Beneficial eHealth investment is like a good wine. It takes a considerable amount of time (about 5 years) to mature and develop its potential fully.
These findings are consistent with my own analysis of the success factors for benefits realization. I have created a Benefits Realization Gap Analysis Tool that includes most, if not all, of these factors as part of the eHealth Risk Report Card Methodology. It is available for free download at www.ehealthrisk.com.

Monday, July 2, 2007

Google Health

As we sit around contemplating data models, nomenclatures, privacy impact assessments, and technical architectures for an interoperable electronic health record (EHR), the real world is racing ahead of us. Consider this.... One day we may wake up and find that many of our patients have their own online Google health record. Doctors are using their iPhones to access not only the Google health record, but diagnostic images. Maybe that latest ultrasound will be available on YouTube.

This is not as far-fetched as it sounds. Many of us leading the charge in health informatics are old fogies, locked into the technological concepts of the 1970s, 80s and 90s. We still think websites are pretty cool, while our kids (most of whom are now adults) are texting one another in a coded language that certainly doesn't look like SNOMED or ICD-10.

This involves not only new technology, but new ideas, new ways of relating to one another and new values. Perhaps the biggest risk to what we are all now calling the EHR is that our work will be eclipsed by a marketplace and a generation that doesn't have the patience for our bureaucratic approaches to EHR development. I would liken our state to the recording industry. We're working with 8-track tapes that give us quadraphonic sound while our kids are downloading iTunes.

Blogger Vince Kuraitis has written an analysis titled Connecting the Dots...Google Health Promises to Create and Dominate Next Generation PHRs. Also check out this post linked from the Clinical Cases and Images Blog for an example of what you can see on YouTube.

Is the Google initiative a bad thing? No, not at all. It's certainly a little scary to those of us who really worry about things like patient safety and privacy. However, if we are to achieve our goals for eHealth (for example the Canada Health Infoway goal of providing EHRs to 50% of the Canadian population by 2010), maybe the Google approach is the way to go... and perhaps we won't have a choice. It may happen in spite of us.

Sunday, July 1, 2007

Never Learned Much From What Went Right!

I remember an old friend and colleague, a country lawyer working for the Department of Justice of an eastern Canadian province who once said to me, "I never learned much from what went right." We were working on the aftermath of a particularly troublesome project that not only failed, but where the principals ended up in prolonged legal action.

That troublesome project taught everyone involved a lot of very important lessons.... lessons that I apply to this day in my consulting practice.

The overwhelming majority of posts on this blog will be about bad news. Unfortunately, we rarely publicize our successes, and when we do, the commentary is often accompanied by more hype than evidence.

Every eHealth project is a success if we can harvest learnings and experience. Much in the eHealth world is experimental. At this stage of eHealth evolution the things that don't work can be just as valuable as the things that do. Perhaps more so. How many improvements in aircraft design, crew training, air traffic control and emergency response have come from the investigations of air crashes? Quite a few.

Unfortunately, health care is dominated by a blame-oriented culture. This is due in large part to the political nature of health care in many parts of the world. Publicly funded health care is a wonderful thing, but it exposes us to political influences. The prevailing attitude is "Failure is not an option". This means that failures are buried, hidden or swept under the carpet rather than studied for the valuable intelligence they contain.

As you read the posts on this site, be thankful to those people who are sharing their experiences with us, both successes and failures. It's through this sharing of experience that we will improve the success to failure ratio for all eHealth initiatives.