CCHIT announced yesterday that the blue ribbon PHR Advisory Task Force has released their recommendations for the follow-on PHR Workgroup to use in developing certification guidelines for PHRs. CCHIT will then use these guidelines to certify PHRs in much the way they now are certifying EMRs. Apparently, simply having the HON code is not enough for a PHR and in the future you may see some form of CCHIT certification label on a PHR website as well.
Thankfully, the Task Force recognized that the last thing that was needed was another definition of what a PHR is and deferred to existing definitions. Likewise, the Task Force recognized that a lot of work has already been done under the guidance of The Markle Foundation’s Connected for Health initiative, encouraging the workgroup to begin their work here rather than reinvent the wheel. Lastly, and most importantly, the Task Force did recognize that this is a young, rapidly evolving market and “a big tent” approach should be used to be inclusive rather than exclusive of new technologies, features and functions.
There are three main areas of focus recommended for certification development: Privacy (you knew that was coming), Security (logical extension of former) and Interoperability/Portability. The full details are in this brief slide presentation that the Task Force prepared for the workgroup. Following are my thoughts:
Privacy is often bandied about as the reason why consumers are reluctant to adopt and use a PHR. The Task Force says much the same thing. I say rubbish. The issue is not privacy, it is value delivered and does the value delivered exceed the risks that one is taking in using a given application. Also, there may be (heck, there already are) PHR business models that use consumer data to subsidize the service. Is this something that would cause an application to not be certified?
The Privacy decision needs to be left to the consumer to decide. The best thing that CCHIT can do on this front is to ensure that privacy policies are clearly visible, easy to read and understand with full disclosure and can be downloaded and printed.
Security: This is an area where CCHIT may play a larger role with PHR certification. There is security of the system, security of the data (both on servers and in transmission) and security of the record. Security of the system would address access (e.g. single sign-on), back-up/redundancy and availability. Security of data addresses how data is physically stored on servers (encrypted) and transmitted, again encrypted. Then there is security of the record, which will be critical for provider adoption as they will want to have assurance that the records they are looking at have not been tampered with.
Interoperability/Portability: No role here for CCHIT even if it is their core competency. Let the market work this one out as consumers will determine what is indeed interoperable to serve their purposes.
I’m just not that comfortable with this whole PHR certification process that is being pushed by the Feds through CCHIT. This market is still far too immature for any prescriptive certification process. Rather, let’s defer to frameworks for the next five years and see where we are at the end of that time. A lot is happening right now and much will change in those five years. I’m pretty confident that the market and the consumer will figure this one out and not some quasi-government blessed entity looking for the next thing to do after they get all those EMRs certified.