Over the past year, several payers, employers, and commercial vendors have announced personal health record projects. Few of these are widely deployed and few are fully integrated into ambulatory or hospital-based electronic record systems. The earliest adopters of personal health records have many lessons learned that can inform these new initiatives. We present three case studies—MyChart at Palo Alto Medical Foundation, PatientSite at Beth Israel Deaconess Medical Center, and Indivo at Children's Hospital Boston. We describe our implementation challenges from 1999 to 2007 and postulate the evolving challenges we will face over the next five years.
The definition of Personal Health Records (PHRs) is still evolving.1 Implementations to date have ranged from web pages for patients to enter their own data manually, to physician-hosted patient portals giving patients access to their electronic health records (EHRs), to employer/payer portals which give patients access to claims data. The intent of all of these systems is clear—to give patients better access to their own healthcare data and enable them to be stewards of their own information.
Traditionally, clinical records have been sequestered in hospitals and provider's offices. Although HIPAA mandates that patients can access their medical records, it does not specify the manner in which this access is given, so most patients must visit the medical records departments of caregivers to obtain paper copies of their charts. As more clinicians adopt EHRs and a nationwide health information network (NHIN) is implemented, more and more patients will demand access to records online. Such access raises many questions. What information should be shared? How should patients be authenticated? How should privacy be protected?
At the height of the “dot.com” era, health information websites became very popular and attracted significant venture-capital funding. Although the number of visits to healthcare information websites grew substantially in the early 2000s, public opinion surveys demonstrated that consumers were interested in receiving more than just health information from unknown sites; they were interested in receiving information that was endorsed by their own physicians and getting in touch with their own physician offices.2 This led EHR developers (both commercial and institutional) to develop products linking clinician and patient, such as web-based patient interfaces to their information residing in the EHR. In this paper, the authors share their collective experiences from operating PHRs in their respective institutions: a university hospital, a community-based multi-specialty group practice, and a children's hospital.
Three Early PHR Implementations (see feature summary in appendix A)
Vendor Created, Clinic Hosted
In 1999, Epic Systems (Madison, WI), an established vendor of ambulatory care EHR systems, decided to develop a patient portal to their EHR product, which they called MyChart. The Palo Alto Medical Foundation (PAMF) worked with Epic to develop the functionality requirements for a PHR that was integrated with their EHR. PAMF became the first customer of MyChart, which was implemented at the end of 2000.3 Since then, over 90,000 patients have used PAMFOnline (www.pamfonline.org, the PAMF version of MyChart), representing approximately 45% of the primary care base of the Palo Alto division of PAMF. Across the US, 2.4 million patients are using MyChart.
MyChart has rich functionality that enables the patient to review most of the contents of the medical record, except for progress notes. The patients can view their diagnoses, active medications, allergies, health maintenance schedules, immunizations, test results (including graphical display), radiology results, appointments, and demographics. In many cases, relevant health educational resources are automatically linked to key terms or phrases in the patient's medical record, such as a diagnosis of diabetes. In addition, patients can communicate with the physician office to request an appointment, request a prescription renewal, update demographic information, update immunization status, or update a health maintenance procedure. The patient can also request advice from an advice nurse or from their own physicians. The most popular features of the integrated PHR are access to lab test results and communication with physicians.4
As of September 2007, 26,000 patients login to PAMF's MyChart each month, sending 20,000 secure messages.
Self Built, Hospital Hosted
In 1999, a group of clinicians and patient advocates in New England suggested that Beth Israel Deaconess Medical Center (BIDMC) should share all of its electronic records with patients, since all healthcare data ultimately belongs to the patient. In 2000, BIDMC went live with a hospital-based personal health record, PatientSite (www.patientsite.org).5
PatientSite includes full access to problem lists, medications, allergies, visits, laboratory results, diagnostic test results, and microbiology results from 3 hospitals and 72 ambulatory care practices. In addition to these hospital- and ambulatory clinic-provided data, patients can amend their own records online, adding home glucometer readings, over-the-counter medications, and notes. Full secure patient-doctor messaging is integrated into the system. Convenience functions such as appointment making, medication renewal, and specialist referral are automated and easy to use. Clinical messaging is the most popular feature (20 per month per 100 patients), followed by prescription renewals (4 per month per 100 patients), followed by appointment making (2 per month per 100 patients), and referrals (2 per month per 100 patients). Use of these features over time is shown in Figures 1 and 2.
Over 35,000 unique patients actively use the system, with the number growing every month since it went live as shown in Figure 3.
Self Built Research System, Institution-neutral Hosted Service
In 1998 researchers at the Children's Hospital Informatics Program (CHIP) at Children's Hospital Boston developed the concept of Indivo in a planning grant6 and began implementation in 1999. They built the Personal Internetworked Notary and Guardian (ping7, renamed Indivo8 in 2006) with funding from the National Library of Medicine (National Institutes of Health) under the Next Generation Internet Initiative,9 and the Advanced Networks programs.10 Critical to the success of the model, the code base of Indivo8 has always been open source, the application programming interface (API) is fully published and open, and all communication and messaging protocols adhere to public and freely implementable standards.
The Indivo architecture11 is based on a subscription model which can integrate source data from diverse hospital EMRs as well as other electronically accessible healthcare databases. Indivo enables patients to maintain electronically collated copies of their records in a storage site of their choosing. Access, authentication, and authorization all occur on one of several available Indivo servers, which are also responsible for encryption of the record.
Indivo is a personally controlled health record (PCHR), which is a subset of PHRs. The idea of strict patient control is central to the Indivo project.12 Individuals decide who can read, write, or modify components of their records. The PCHR is a container for storing a copy of the data owned by the patient—once loaded into the system, the data within the PCHR is hers and hers alone. Subsequent access to the records is allowed only with patient consent—for identified, de-identified, and even aggregated data. This strict control model is intended to promote widespread adoption by inspiring complete confidence that the system will maintain privacy and confidentiality and further that the individual will be empowered to benefit from the value of her own health care information.
As the system has evolved, the range and size of deployments has increased. Early deployments focused on sharing laboratory information with patients. In 2003, the Canadian Research Council used the Indivo open source codebase to interface with an open source electronic health record and pharmacy information systems. In 2005, Indivo was tested in a clinical trial in an employee health promotion program at the Hewlett-Packard Corporation. The goals of this pilot study were to test the value of a PCHR for influencing knowledge, attitudes, beliefs, and behavior around influenza prevention. Tailored and targeted decision support was delivered through PCHRs based on survey responses and record contents. The PCHR deployment included a survey tool, a decision rules engine, and a messaging function. In 2006, the Indivo application was demonstrated in a networked environment integrated with a Record Locator Service as part of one of the NHIN Prototype Architecture demonstrations funded by the Department of Health and Human Services. Indivo is now in production at Children's Hospital Boston as part of the hospital's new patient portal, and at the Massachusetts Institute of Technology as a PCHR for employees and students. CHIP investigators have also proposed models for large-scale cohort research, including genomic studies in which patients may use PCHRs to stay informed about research study results and opportunities to participate in trials, while preserving their ability to remain anonymous.13 It was recently announced that Children's Hospital Boston will collaborate with Dossia (www.dossia.org), a nonprofit corporation created by AT&T, Applied Materials, BP, Cardinal Health, Intel, Pitney-Bowes, sanofi-aventis and Wal-Mart. The Children's Hospital Informatics Program and the Dossia founders will work together to adapt a version of the existing, open-source Indivo system to provide secure, portable, personally controlled health records for employees and their dependents, plus retirees of Dossia's founding companies. Indivo will remain an open source, independent, free product.
As of September 2007, Indivo has been used and evaluated in trials of several hundred individuals, including patients at Children's Hospital Boston and employees at the Hewlett-Packard Corporation. Enrollment has begun in a trial of students and employees cared for by the university health service at the Massachusetts Institute of Technology. An initial deployment of 3000 patients at Children's Hospital Boston has also begun, which will include three formal evaluation trials. 500 patients in Canada use Indivo in a clinical pilot roll-out as part of the MyOscar project. Indivo will be used in the Phase I personally controlled health record deployment for employees of the Dossia founders in late 2007. A large scale Phase II of the Dossia deployment is planned for 2008.
As these three systems have evolved, we have learned a great deal about data sharing among patients and providers. The challenges we encountered and their solutions to date have been remarkably uniform across our three institutions.
Challenge #1—Should the Entire Problem List Be Shared?
All three of our organizations made the decision to share the entire problem list with patients and our experience to date is that it is appreciated by patients and supported by clinicians. We all share full text descriptions of problems rather than simple ICD9 codes. PAMF created “patient friendly” terms to make the medical diagnoses easier to understand and hyperlinked the diagnoses to explanatory information.
The decision-making process to share all problem list entries included debate about several issues.
We debated the sharing of psychiatric diagnoses such as Schizophrenia or Munchausen's. Would sharing such detail impede patient therapy or erode trust in clinicians? BIDMC sought approval of leaders in the psychiatry department, who agreed that sharing the full detail of problem lists/diagnoses but not full text psychiatric notes with the patient would be an appropriate approach that would likely encourage helpful discussion between providers and patients. Clinicians also debated sharing problem list entries which are considered highly private with patients online i.e., sexually transmitted diseases, HIV, and substance abuse treatment. All three of our organizations determined that as long as appropriate security measures protected patient confidentiality and state laws were followed, we would share such problem list entries openly with patients. Technical security measures included requiring HTTPS encrypted connections, designating all web pages as 'do not cache’, and using browser instructions that the page was already expired to prevent any trace of the data being left within the browser or on the computer that accessed it. Note that in some states, local laws restrict the exchange of data regarding diagnoses of mental health and HIV, but California and Massachusetts do not have legal barriers to including this information on the patients' problem lists, visible to the patient.
Challenge #2—Should the Entire Medication List and Allergy List Be Shared?
All three of our organizations made the decision to share the entire medication list. As with the problem list, no complaints have been received via the formal feedback mechanisms used for communicating issues to our application support staff.
Clinicians debated showing medications for HIV, substance abuse treatment and psychiatric treatment. In Massachusetts, there are laws preventing the sharing of such restricted drugs from health plan databases. However, there are no restrictions on the sharing of provider or retail pharmacy data with patients, so we are able to show a complete medication list from these data sources.
Enabling patients to reconcile their own medications via a PHR is a powerful way for providers to meet Joint Commission outpatient medication reconciliation requirements, which necessitate asking the patient about active medications to ensure the medication list is accurate at each site of care. Thus, all three organizations have made a special effort to show medication trade names to patients as well as generic names to help the patient reconcile their electronic list with the medications they know they take. We have taken two approaches to patient editing of the medication list. PAMF handles this by providing a link for the patient to report changes to their medication lists. A Registered Nurse will investigate the discrepancy and update the medication list as appropriate. BIDMC elected to display the clinician maintained medication lists side by side with patient maintained medication lists, clearly identifying which data was provider-based and which data was patient-based. Further, BIDMC created a drug/drug interaction decision support system which displayed the interactions and contraindications in the consolidated patient and provider maintained medication lists. Since the information in Indivo is owned by the patient, users may annotate the contents of their medication list at any time. A challenge addressed by the user interface in Indivo is to transparently and definitively show the origin of documents—for example a medication list from a hospital information system.
We all agreed to share full allergy data with patients. Typically, EHRs and PHRs do not differentiate true hypersensitivity reactions from minor side effects well. Consequently, standard drug-allergy checking algorithms used by most applications produce a high number of false positives. At PAMF, patients can request an update to their allergy list and a registered nurse will update the medical record. At BIDMC and Indivo, patients may add annotation specifying the substance causing the reaction, the severity of the reaction, the observer of the reaction and the level of certainty of the reaction.
Challenge #3—Should All Laboratory and Diagnostic Test Results Be Shared with the Patient?
Laboratory and diagnostic tests results may present bad news to a patient—a first time diagnosis, a recurrence of a disease or a worsening existing condition. Furthermore, release of laboratory test results is affected by the type of results, whether they are normal or abnormal, and local state laws. We all agreed to share all laboratory and diagnostic test results with patients except those restricted by state law. Each of us implemented workflows to minimize the delivery of bad news via the PHR.
If possible, it is useful to have a provider review test results prior to its becoming available for the patient—if they can be reviewed in a timely manner. Giving the provider a chance to annotate, explain, or deliver the results verbally (especially when the results are abnormal) can enhance the communication of the results and the patient's understanding of them. On the other hand, it is important to get all results back to the patients without fail. One way of balancing the timeliness, appropriateness of delivery, and state law restrictions is to set timeliness expectations with the physicians and back them up with automated release of all results after some defined period of time. PAMF encourages its physicians to review and release test results as quickly as possible to the patients. Most test results are released to the patients as soon as the physician has reviewed them. As a backup, to ensure communication of results to the patient, the system will automatically release normal results to patients within a day and abnormal results within 3 days, without further action from the physicians. Unfortunately, some state laws, including California, prohibit communication of specific test results via electronic media (even though HIPAA guarantees access to results on paper) causing special processing to occur in order to prevent access to these results by electronic means.
At BIDMC, all results are released to the patients immediately except the following:
HIV results are not released due to state restrictions on the communication of HIV testing.
Cytology/Pathology results are held for 1 week to ensure the clinician can relay the results to the patient personally.
MRI/CT testing which is done to stage cancer progression is held for 1 week to enable personal communication with the patient.
Early in the implementation of PatientSite, some clinicians were reluctant to share results with patients, fearing that sharing information with patients could result in a stream of phone calls and emails about abnormal but clinically insignificant results. BIDMC solved this problem by creating configurable clinician specific preferences, enabling providers and patients to agree ahead of time what to share. However, conflicts among clinicians occurred. If the primary care giver wants to share labs, but the cardiologist does not want to share this information, automated dispute resolution is needed. In consultation with clinicians, BIDMC developed a simple business rule - the least restrictive clinician wins. Clinicians, regardless of specialty, make a one time decision about data sharing preferences for all the patients in their practice. As long as one caregiver is willing to enable the sharing of lab data (and assume the responsibility of explaining these results to the patient), then result data is shared.
Indivo reports all permissible laboratory data to patients, including negative results.14 In the Indivo model, the PHR is populated by subscription agents, so when a hospital, clinic, laboratory or pharmacy makes clinical data available to the subscription agent, the Indivo record is populated at the next subscription update. Hence, the Indivo system is agnostic as to whether there is an embargo on results for a fixed period of time; rather this responsibility is pushed back to each institution which provides a data source to Indivo.
Challenge #4—Should Clinical Notes Be Shared with the Patient?
Ultimately the patient has the right to examine the entire medical chart, including progress notes. However, the level of explanation required to help the patient understand their contents impedes sharing clinician notes with patients. Currently, most PHRs do not include progress notes for this reason. Currently, none of our institutions shares full text notes electronically with patients.
Other reasons for reluctance to share notes include the fact that clinicians may use notes to record personal thoughts, not intended to share with patients. Some clinicians may be willing to write notes with patient sharing in mind, but clearly note sharing must be configurable by each note author. To add to the complexity some clinicians in our institutions have said they would share some notes with some patients, but not all notes with all patients.
In 2008, BIDMC will pilot note sharing by enabling clinicians to approve each note they write for sharing with the patient who is the subject of the note. Other approaches, such as the least restrictive clinician business rule for results sharing will not work with notes because of strong clinician desire to retain ownership of the content. To address the concerns of physicians about sensitive information in clinical notes being shared with patients, the Children's Hospital Boston Information Services Department is creating a new clinical note type so that at the clinician's discretion, information thought inappropriate for sharing with the patient in a PHR, can be sequestered in a separate document. Those documents would, however, still be available to clinicians via a standard release through the medical records department.
Challenge #5—How Should Patients Be Authenticated to Access the PHR?
Since the United States does not have a national identifier or specific patient authentication system for healthcare, it is challenging to uniquely identify a patient and grant electronic access to their health records. Accurate authentication is critical to maintaining the medical integrity of the record and its privacy protection. All three of our organizations implemented username and password granted by our institutions.
PAMF uses in person (face to face) authentication or verification of a written signature with the registration signature on file to authenticate the user. When a legally accepted electronic signature becomes available, this could be employed. PAMF uses the same authentication procedure for password resets.
BIDMC's approach was to delegate all password management to clinicians. An established patient-doctor relationship enables the doctor, with reasonable certainty, to identify an individual. This system has worked well but there are theoretical risks. A patient could impersonate another person and provide falsified identity information, to a clinician, establishing a doctor patient relationship. The patient could then be given credentials to historical data that would reveal the medical secrets of the person they are impersonating. To date, this has not happened, to our knowledge.
The Indivo model requires two types of authentication. The user must authenticate him or herself to the Indivo application, but also must authenticate using credentials from each institution serving as a data source. At Children's Hospital Boston, patients desiring Indivo have accounts provisioned at Registration. They are given a username and password. Children's is exploring strengthening the subsequent authentication events, after account provisioning, with various means of second factor authentication including the mobile phone.15
Challenge # 6—Should Minors Be Able to Have Their Own Private PHR and Should Patients Be Able to Share Access to Their PHR via Proxies?
Each of our institutions has been asked to permit and deny sharing of accounts within families, depending on circumstances. Each of us has developed standard policies to address these issues. (see Appendix B for a sample).
At PAMF, proxies for access to information by someone other than the patient can be established with suitable authentication and consent by the patient. Adolescents present a particularly challenging problem because frequently state laws govern the access and representation of adolescents with regard to special conditions (e.g., pregnancy, sexually transmitted diseases, contraception). In many cases, it is difficult or impossible for software to reliably ascertain the application of multiple, sometimes contradictory state laws. Unfortunately, a consequence of this challenge may be that teenagers may not be able to have a PHR.
At BIDMC, we experienced the same challenging issues and we do not offer personal health records to patients under 18. In the future, we plan to enable users to grant access to their account to others, as might be done in the case of a healthcare proxy.
At Children's Hospital Boston, where most of the patients are minors, accounts are provisioned to families differently depending on age. The first group consists of patients less than 12, where primary guardians have full access to the medical record and all of its contents, and patients, themselves have limited or no access. The second group comprises the patients aged 12 to 18 years, where both parents and patients have access to the record, but specific content and information may be restricted to either the parents or the patients. The third group consists of patients 18 years and older, where they have complete access and control of their medical record, but may still want to allow caretakers access to their medical information, as they transition to the responsibilities of adulthood.
Challenge #7—Should the PHR Include Secure Clinician/Patient Messaging?
Each of us has enabled clinician/patient secure messaging as part of our PHR. The challenge of secure patient messaging revolves around legal liability and reimbursement for medical advice rendered online. At PAMF, by restricting enrollment to PAMFOnline to patients who have an established physician-patient relationship and using prudent professional judgment, legal liability risk is minimal. Lack of reimbursement for online care continues to be a challenge, although there are some payers, including CMS, who are sympathetic with the need to change reimbursement policies in this area and are anxious to conduct demonstration projects.
At BIDMC, physicians were concerned that they would be flooded with messages. Our data do not support this. Examining the volume of clinical messages, we found that the number of messages handled by physicians is quite modest, on the order of 20 messages per month per 100 patients, replacing a roughly equally number of phone calls.5
The Indivo secure messaging system is integrated into the graphical user interface. The tool updates prior work in secure messaging16,17 by integrating directly with a decision rules engine enabling automatic generation of tailored and targeted secure messages augmenting a clinically-oriented provider-patient exchange.
Challenges 2008 and Beyond
Personal Health Records are evolving. With greater consumer awareness or more choices for PHRs such as employer based, payer based or commercial entity hosted, demands for enhanced PHR functionality will require us to revise our current PHR offerings.
Challenge #1—PAMF and BIDMC PHRs are Institution-based and Patients Will Want a Single PHR That Works with All Their Sites of Care
Over the next several years, products are likely to be introduced that will enable the patient to connect to numerous data sources and consolidate data from pharmacies, clinics, and hospitals. Patients will be able to view consolidated data and add their own entries such as over the counter medications, quantitative measurements such as glucometer readings, and qualitative observations such as self report of subjective symptoms or notes. Thus, we will need to modify our existing PHR systems to support a service oriented architecture that permits multiple applications to retrieve our institutional data with patient control and consent. Providing such an architecture will require the nation to create and adopt national standards for clinical data content transmission, terminology and security to ensure interoperability.
Challenge #2—PAMF and BIDMC PHRs Do Not Currently Support Electronic Data Input from Outside Institutions
Our focus groups with patients indicate that they do not want a PHR specifically, they want coordinated care among all their providers. Tracking a comprehensive medication list across all sites of care should reduce errors, improve quality and reduce the frustration of all the stakeholders who ask the patient for a consolidated medication list. As a data steward, the patient can elect to share and include data in their PHRs from multiple providers. Methods to do this could be highly variable - an extract of all consolidated data placed on a USB drive and handed to a clinician, a printout of the data from all sites of care, a patient's health website accessible to providers or even a community data exchange among providers controlled by the patient. There may be great value in enabling all PHR systems to accept incoming data from outside entities. This could include import of Continuity of Care Document (CCD) data from transportable media, data fetching via a service oriented architecture over a network, or scanning of paper documents provided by the patient.
Challenge #3—Patients May Want to Integrate Knowledge Sources on the Internet with Their PHRs
Today, if a consumer searches the web for health related information, the lack of search precision yields results of mixed relevance. For example, a 42 year old man searching for hypertension therapies may receive web pages about hypertension in pregnancy. Patients will likely want to integrate online knowledge bases and decision support systems with their personal health records. PAMF's PHR currently includes links from medical terms to information resources vetted by PAMF. Alternatively, the PHR operator could work with publishers of online consumer resources to enable a specific search based on demographics, labs, problems or medications, while at the same time protecting confidentiality.
Challenge #4—Patients with Specific Diseases May Want to Connect to Communities of Others with Similar Diagnoses
Many patients, especially those with chronic diseases, will seek interaction with other patients and families to compare care experiences, therapies, and lessons learned. Since PHRs contain information about a patient's clinical status including problem lists and current therapies, patients may want to access others with similar healthcare issues. This could take the form of a chat room, forum, email list or subscription to electronic information. The evidence for benefit of such community forums has not been established, but some patient communities have responded favorably. To the extent that patients want to connect to online communities through their PHRs and share certain health information, that would require modification of a PHR to provide a private, secure matchmaking mechanism to enable patients to connect to communities.
Challenge #5—Patients May Wish to Participate in Clinical Trials, Post Market Pharmaceutical Vigilance, or Public Health Surveillance via Their PHRs
Patients may be inspired by the societal benefit of sharing their deidentified personal health record data with researchers, public health entities or regulatory bodies.18 Conceivably, systems to provide incentives for individuals to share data for secondary uses including population health, quality measurement, and clinical trials may evolve. This requires functionality in PHRs to enable such patient controlled data sharing activities with trusted secondary data users. CHIP, though a Centers for Disease Control and Prevention Center of Excellence in Public Heath Informatics as well as through National Institutes of Health grant support has been developing models in which individuals share data with public health authorities and researchers to support population health monitoring.19 The Indivo open API model supports development of an ecosystem by enabling individuals to connect their PCHR to third party applications and services.
The increasing prevalence of personal health records over the next five years will create many policy and technical challenges for healthcare institutions, payers, and employers, However, it may also provide a great opportunity. Providing patient control of healthcare information exchange is appealing, since it solves many of the privacy and consent issues faced by organizations desiring to exchange data today. By placing the patient at the center of healthcare data exchange and empowering the patient to become the steward of their own data, protecting patient confidentiality becomes the personal responsibility of every participating patient. This may accelerate healthcare information exchange as it simplifies consent models among producers and consumers of healthcare data. Our experience to date at three institutions demonstrates that personal health records which share data among patients and providers can successfully be deployed, but require careful attention to policy around privacy, security, data stewardship, and personal control.