A better way to share and store electronic health records

Missy Krasner faces a big challenge in taking care of her aged mom, who sees eight doctors for different medical issues. Krasner discovered that these doctors have no way other than fax to share data with one other, so each has an incomplete picture of her mom’s medical status. That creates risk of misdiagnosis, bad drug interactions, and so on. Most of her providers allow Krasner to download her mother’s medical data, but they use different formats, none of which is human-friendly or integrated. As a result, she must interpret and manage dozens of data files.

Krasner is also a former policy adviser on health IT issues at the Office of the National Coordinator (ONC) at the federal Health and Human Services Dept. The ONC is the agency charged with implementing Obamacare, and it was responsible under the George W. Bush administration a decade earlier for setting the policies for the national electronic health records (EHR) mandate and the health information exchange (HIE) efforts that precipitated the current health tech scramble. Krasner was also a marketing executive at Google Health, the now-defunct personal health records (PHR) cloud-based vault.

[ Also on InfoWorld: The rough road to reliable data exchange among EHRs • Patient engagement will be tough task for health tech • The iPad revolution is coming to a hospital near you • iPads have won the hospitals, but Android may win the patients. | Subscribe to InfoWorld’s Consumerization of IT newsletter today. ]

Krasner is more able than most people to navigate the system, understand the data, and know how to share it. Yet even for her, it is hard.

Could commercial cloud storage systems bridge some of the gaps? Krasner thinks so, and since fall 2012 she has been advising Box on the topic while also working as a health care startup scout for VC firm Morgenthaler Ventures.

The first steps in Box’s effort were revealed this week when the company announced it achieved federal HIPAA and HITECH compliance certification (which competitors such as Dropbox have yet to earn) for storing health information while maintaining patient privacy, as well as getting smaller EHR providers to use Box for cross-provider data exchange, small-facility EHR sharing, and PHR use.

The data-sharing problem in today’s systems Today, a bunch of companies called health information exchanges (HIEs) are trying to connect different EHRs, but overall HIEs are struggling to succeed.

PHR systems, such as Microsoft Health Vault, let patients keep copies of their own medical records. Typically, a PHR is either tied to a specific EHR system or does not have a conduit from at least some of your health care providers.

Even if you’re a patient at a so-called integrated provider like Kaiser Permanente, you’re likely to use unaffiliated providers for dental and optometric needs, and your provider may even send you to a separate caregiver if you need specialty care. More commonly, you have a primary physician in a smallish medical group and specialty providers at other doctor firms. They may take the same insurance, but they’re not likely to have the same EHR nor be able to share your records with each other.

In the absence of a dependable, workable HIE system, the providers still fax each other — and even then some information never is shared. Likewise, if health care providers offer you a way to get copies of your medical records, they’re in different formats and perhaps tied to specific PHR systems.

Due to these HIE and PHR limitations, your health data remains scattered, at least outside of your primary provider’s systems.

Where a company like Box can help address today’s gaps Box is taking baby steps toward addressing these questions with its move this week. They do nothing to solve the health-records readability issue, though a program pioneered by the Veterans Administration called Blue Button Plus may eventually take care of that need.

Box’s efforts don’t deal with the need for secure email exchange between providers on different email systems, but an ONC venture called Project Direct is piloting a national secure email system for health care providers. HIPAA requires all providers to transmit health information over secured systems, which is why you have to sign into a patient portal to email your doctor, rather than use your normal email client.

HIPAA also requires that only authorized caregivers have access to your data, and HITECH requires that any access be tracked, which is why Box pursued the certifications. Thus, medical providers can safely use Box for data storage and exchange, which is exactly what Box wants, whether the providers go through Box directly or via an HIE or EHR provider.

For patients, there are no HIPAA or HITECH concerns; as with paper records, you’re free to secure or not secure, share or not share your own records as you see fit. But if caregivers are using Box, they’ll be more likely to provide a simple Box-based transfer to patients, who may already know the Box name.

Using a service like Box (or Microsoft HealthVault) can also be more convenient for both caregivers and patients. For caregivers, such a third party is not part of their EHR system, so their legal responsibility under HIPAA and HITECH ends once the data is put in patients’ PHRs. But today, many EHRs provide their own PHR systems for use by patient, and because those are “tethered” to an EHR system, the health care provider has to manage the PHRs as if they were still in the EHR system, keeping them subject to HIPAA and HITECH.

For Box, it makes sense to try to be the file-sharing glue in an industry where information is so fragmented and sharing is so hard. That’s why Box has taken the step of offering business associate agreements to hospitals and other providers — a BAA is essentially an agreement taking on liability for securing patient data on behalf of others, a commitment avoided by even some HIEs. A hospital or large medical practice simply won’t do business around digital health records without a BAA in force, even if HIPAA and other regulatory technical requirements are established. In fact, the feds say a BAA is “generally required” for a third-party provider to be considered HIPAA-compliant.

Still, Box is not likely to become the document storage platform for large-scale health care providers, such as Humana, Kaiser, the VA, or larger county health departments. However, there are plenty of small physician practices, community hospitals, and so on that have little IT savvy or budget and aren’t big enough for one of the larger EHR providers like Epic, Cerner, AllScripts, Siemens Health, Greenway, or Netsmart.

When I asked Box’s enterprise general manager Whitney Bouck, she wouldn’t speculate how far Box might go into the digital health records business, making it clear the company is still in the exploration phase. Moving beyond the role of a storage provider and into the management of records or into services like coordinating and categorizing the disparate records downloaded into a common Box repository would require a big shift in both domain expertise and software development. It’s more likely at first that Box will have other companies do that kind of work, with its service as the underlying storage and access technology.

The consumerization of health care IT Whatever Box does in the future, the notion of using a commercial storage service for health records storage and sharing makes a lot of sense. People know the companies, after all, and probably have used cloud storage already. That goes a long way toward encouraging real user and provider adoption (meaningful use, as the feds call it).

It’s no surprise that Microsoft and Google were early entrants in the PHR business, Microsoft in fall 2007 and Google in spring 2008. Google pulled out in 2011, I suspect, because it couldn’t apply its information-mining, ad-supported business to personal health data, whereas Microsoft probably has a longer view tied into its Office 365, Windows Azure, and SkyDrive businesses.

Box and competitors like Dropbox have an easier economic proposition: charging providers and HIEs for the service, if not patients directly. After all, businesses already pay for enterprise cloud storage. Indeed, Box now has a business selling its enterprise storage service to health care companies for nonmedical records sharing.

Much of what health care IT builds internally, such as for data access, is hard to use, bureaucratically complicated, and limited in relevant functionality. Even systems like the highly regarded Kaiser Permanente patient Web portal are hard to navigate and have that clunky IT feel. The user experience delivery by health care IT is no better than what IT organizations anywhere deliver — and cause so much user complaint.

Taking a consumerization approach, which really means a good user interface for a service designed for broad engagement, might be just what the health care industry needs to get real adoption and value from all those digital records now stuck in silos.

This article, “A better way to share and store electronic health records,” was originally published at InfoWorld.com. Read more of Galen Gruman’s Smart User blog. For the latest business technology news, follow InfoWorld.com on Twitter.