Why Consumer Control Really Matters

As HealthVault has begun to penetrate into the mainstream clinical arena, the idea of consumer control is beginning to sink in with folks for whom it was really just an abstract idea before. Frankly, it makes many in our industry a touch uncomfortable - because until now health has been a paternalistic enterprise, and consumer control feels different.

Too many of my conversations follow the same predictable path. Folks get really excited about the idea of HealthVault, and they start thinking about how they could provide better care with more complete information, or by pulling data from home monitoring devices. When I repeat that it's the consumer's copy - that patients choose what goes into the record and what goes out - people nod and say of course that makes sense. Then they start to think about that more - wait, can the user edit what is in their record? Can they choose not to send some of the device readings? Can they delete items in their record? Yes, yes, and yes I say --- that's what controlling your own information means.

And this is where things sometimes get sticky. The next part of the discussion goes, How can I trust that data --- I can't make clinical decisions based on information that comes from a patient! And from there we embark on a long process of talking about how consumer control makes HealthVault work where other systems have not ... and how we have to find a way to move forward with some new thinking. Usually we end up in a great place - but after having the same discussion for the zillionth time yesterday, I realized that a more public dialogue might go a long way.

Now, let me at get my personal bias out of the way - not a HealthVault or a Microsoft bias, but a personal one. As I said in my very first post on this blog, I'm a Libertarian at heart. For me that means I believe in individuals. I believe that individuals are the best judges of their own interest and should be permitted to succeed - or fail, of course - on the basis of their own actions. As I've gotten older, I've learned to see shades of grey in all of this, and I certainly grant that people make nutty decisions every day. But deep down I still, simply, believe our best chance at success as a planet is to trust in individuals to do the best they can for themselves and their families. So there you go; Sean in a nutshell.

Now, that's all well and good - but the reality is that my personal beliefs are not what led us to identify consumer control as one - perhaps the most important - of the core principles on which we created the HealthVault ecosystem. We were out to solve a problem, not push an agenda - and we believed that the only way to truly create data liquidity on a cost effective basis within healthcare was to engage the consumer as a first-class participant in the exchange. Not as a passive recipient of care, but as an active, responsible part of their care team.

Loosely-coupled care networks

How and why does this make a difference? Why not simply soldier down the standard path - RHIOs and NHINs and HIALs and HIEs and whatever you want to call them? Let's be completely clear: these are super-important ideas too. Our Amalga product is the backbone supporting RHIOs in Wisconsin and Washington, DC. We are right now at work thinking hard about how HealthVault can play an important role in these networks. They are a key piece of the puzzle, but at the end of the day, they are simply not enough. "B2B" networks that act on behalf of the patient require a tight coupling of governance, trust, motivation, dollars and technology that is simply unlikely to ever come together in a truly ubiquitous way. We will see success in some regions - but they will never provide the complete coverage that is important in a world where people change jobs like they change clothes, scatter across the world and form and re-form care relationships at the rate we see today.

Consumers - individuals - can change this dynamic. By making it easy and expected for consumers to obtain and control a copy of their medical data, we can achieve a "loosely-coupled" exchange that can happen today, between all of the diverse constituents in the healthcare ecosystem. But this isn't just magic - in order to realize the benefits, we're going to have to think differently - we have to really believe that on balance patients will be responsible and active custodians of their own information.

By definition, moving data between loosely-coupled participants means that the information has to leave the protected confines of provider control. After all, if there were point-to-point trusted connections between providers, sharing wouldn't be a problem in the first place!

Given that reality, how can we do the best job possible of ensuring that information reliably gets from point A to point B? Our premise is that the consumer is the best - and the only practical - actor that can help make this happen.

Patients as custodians of their information

First of all, patients generally "are" where the data is needed. If I need care during a trip to Maine - I'm in Maine. So if I have access to my health information, I'm in a position to share it with the emergency room staff at the hospital. Even if I'm not there physically - say if my son has an accident during a trip to his grandparents - I know where he is and can identify who should be receiving information in a way that his primary care doctor simply can't.

This is also an important concept as we begin to think about home monitoring or other situations where care happens but providers aren't present. Self-measurement by definition relies on consumers to act as responsible agents, whether measuring by hand or with automated devices. Using a device is no guarantee of accurate results if consumers act in bad faith.

Second, patients have more motivation than anyone to secure their information in a way that makes them comfortable. It's hard to complain about the lost laptop if it's your laptop. Armed with effective tools like those available through HealthVault, I think it's reasonable to believe that consumers will do a far better job than the larger healthcare ecosystem at protecting their personal information.

Even if you believe that consumers aren't capable of making good privacy decisions for themselves - who in the system will do better? We've already established that this data moves outside of any single protected network - so my primary care doctor can't do it. The government can't do it. Microsoft can't do it. Consumers are our best and only option.

In truth, providers implicitly share information this way every day ... using faxes, asking patients to be couriers of films and folders, speaking to strangers on the telephone based on business cards, accepting prescriptions written on scraps of paper, reading hand-written measurements taken at home, and so on. It's almost funny to watch these channels be accepted without question - and then listen to folks suggest that somehow sharing information electronically creates a "trust problem."

The not-so-funny part is that this perception - together with a fear of legal liability - slows down progress that could really matter. But by putting a copy of an individual's information squarely within their control - we can completely identify where the responsibility of the source provider starts and stops. HIPAA helps us with this already, today.

But can I trust the data?

On the receiving end, providers accepting information from a patient have to do what they've always done - make a judgment about the integrity and completeness of data provided to them. In a loosely-coupled system, the data generally comes from sources unknown to the recipient -- so this will always be the case.

But unlike today's world where that judgment is pure gut, HealthVault can provide ways to increase confidence - not by taking away consumer control, but by providing tools that allow providers to review the data's "pedigree" - at least as long as it has been within the HealthVault system. For example, HealthVault keeps an audit trail for each piece of information in a record, so recipients can determine which application originally created it, if it has been modified, and if so by who.

Digital signatures can offer an even stronger level of confidence. Information that comes into HealthVault can be digitally signed using a certificate known only to the original source provider. If a consumer grants access to that data, providers can independently validate the signature and thus gain confidence of the source of the information. However, this only works if the source and the recipient share trust in a certificate authority - something that isn't always the case. There is no silver bullet - in a loosely-coupled world we have to be prepared to do the best we can.

All of the clinical systems that have connected to HealthVault have had to work with this concept - some show all information as "patient entered" ... others use user interface cues to identify information that has different levels of "provenance."

What do we really want to happen?

At the end of the day, each of us has to decide what we really are trying to make happen. We can insist on 100% tightly-coupled provider-to-provider data exchange -- dramatically slowing down progress, choosing not to solve problems we could solve today, and frankly fooling ourselves as existing "in the wild" exchanges take place anyways while we look the other way.

Or, we can take a multi-faceted approach, embracing loosely-coupled systems like HealthVault that include consumers as a first-class participant in the healthcare ecosystem - empowering them to help themselves by moving data between otherwise disconnected islands, and incorporating new information captured away from providers in the home.

We think the right path is pretty obvious.

Comments (6)

  1. Tom M. Gomez says:

    Sean – good commentary –

    "Digital Certificates (Trust), Audit Trails & Loosely Coupled Systems" – Yes that pretty much sums up the obvious pieces to fold together – the 1-2-3 PHR messaging points for persisent highlights to the stakeholders and skeptics alike….. Regards,

  2. linda says:

    I call a hospital, ask to pick up my records, give them my name.  I walk into the hospital and pick up full records, MRIs and the like -no id check, nothing.

    I tell my doctor about the pain I’ve been having, who i’ve seen, what they said – no validation but my recollection.

    We need to remember the world we live in today.  Small improvements can actually make big changes on the way to our nirvana.

  3. NCooke says:


    Is the IsImmutable Property on the HealthRecordItem applicable when an HCO is fearful of their consumer changing the data?

  4. Grahame says:

    > I tell my doctor about the pain I’ve been having, who i’ve seen, what they said – no validation but my recollection

    Doctors are doing all sorts of validation while you are telling them this. A huge amount that they can’t do for information that is written down. They probably won’t tell you what their evaluation is, but that doesn’t mean it doesn’t exist

  5. Sean Nolan says:

    NCooke —

    Great question! The "immutable" property is defined on a per-type basis, not on a per-item basis. The original idea was that certain types just don’t make sense to edit. However — we haven’t actually come up with a use case within the platform for this bit yet, and so all of our types have it set to false.

    However, even without this the HCO really does have the abliity to track that kind of change within the HV system. By using the audit information available to them, any receiver of data can see if an item has been changed — and if so they can ignore it, or at least request more information of the patient.

    Hope that’s helpful!


Skip to main content