Personal Health Records (PHR) information and news for consumers from CCHIT

As part of the development of criteria for personal health records (PHR), the CCHIT Work Group has spent a great deal of time discussing your privacy and how your PHR should handle it.

Here are some of the areas we expect CCHIT Certified PHR products to meet:

• Consent. You should be in control of your personal health information and how it is used. PHRs that meet certification requirements must include safeguards that require you to give your explicit consent before your account is opened, or allow you to opt out of the service. It also must allow you to decide if your data can be collected, displayed, accessed, stored, released or disclosed.
• Controlling Access to your Information. Your PHR should give you the ability to decide what information is private and to restrict access to it. Your PHR provider must get your permission to gather or disseminate
  any information about you. You also decide who else can view information in your PHR, and limit the types of information that can be viewed.
• Conditions of Use. The conditions for using your PHR should be explicitly explained to you, and you have the right to challenge your PHR provider if it does not comply with the conditions of use. If conditions of use are changed, your PHR provider is required to notify you of the changes.
• Amending the Record. You should have the ability to change or request changes to your health record via email or telephone, and the telephone number of customer service must be posted on the Web site of your PHR provider.
• Account Management. Your PHR provider must have a way for you to terminate your account, if you wish, and to confirm that all your personal data has been deleted from the system.
• Document Import. Your PHR system should be able to retrieve health records, explicitly label and manage your personal health information and be able to distinguish between data entered by you and data retrieved from other sources.
• Data Availability. Your system should allow you to view or print your health information whenever you need it.

Both Google and Microsoft are sure to have a presence in personal health records. But how do Google Health and Microsoft Health Vault compare?

Amy Tenderich of Diabetes Mine took the time to sit down with spokespeople for both products to get the inside story.

Google Health: Is It Good For You?

Slowly but surely, using the Internet for your health needs is becoming as mainstream as shopping on the web: no longer futuristic, but is it for everyone? And perhaps more importantly, are mainstream commercial health platforms from companies like Google and Microsoft really useful for people with specific chronic illnesses? I thought it would be interesting to hear their side of the story.

Microsoft HealthVault: Coke, Pepsi, or Intel Inside?

When Microsoft launched its HealthVault application last year — the first major commercial Personal Health Record (PHR) system on the open web — the Wall Street Journal reported that “Consumers are just not that excited about these services.” A year later, I’m wondering: have they given us reason to be more excited now? Last week, I grilled HealthVault’s rival Google Health about the progress they are making.

 

 CCHIT Town Call on PHR Certification [56:35m]: Play Now | Play in Popup | Download (28)

On October 10, CCHIT hosted a Town Call on PHR certification. The hour-long call provided two avenues to ask questions—via phone or via online comment.

CCHIT has provided its responses to those questions below.

For those of you who missed the call, the slides are provided, below. You can listen to the call by pressing the “play” button above, or by downloading the mp3.

Responses to questions

Kary asked: Can you tell us how you are addressing the standard medical language especially with consideration being given to a interoperable PHR world wide? What format is likely to to utilized given that even CPT is modified specifically for the US?

Since much of the data arriving in a PHR originates from systems in care provider systems (EHRs), the coding standards for EHRs are the most likely ones to be used eventually in PHRs. Regarding a universal, coded ‘medical language’ that will work worldwide, that is still a ways off in the future.

V J Kulkarni asked: Will there be “conditional” certification like the one for EHRs?

Conditional certification for EHRs is available for products that have all the necessary features, but have not yet been installed in a ‘live’ site. We don’t know yet if conditional certification will need to be offered for PHRs, since there’s less of an issue with installation.

Lee Castonguay asked: I’m concerned that it may be premature for CCHIT with so many models coming out. MS says Healthvault is NOT a PHR. How are you going to avoid confusing the public?

The Advisory Task Force and the PHR Work Group are working hard to have certification accommodate all the various models for delivering personal health information to consumers, but be simple enough not to confuse the public. It is possible that there may be several ‘flavors’ of PHR certification. Some examples could include linked PHRs, independent PHRs or perhaps even PHR platforms. But again, the more we try to differentiate, the more potential for complexity and confusion. Perhaps the best thing is to determine which distinctions are absolutely imperative to make and then keep it as straightforward as possible.

Dennis Melamed asked: With whom can I follow up the question about doctor/patient privilege. Your answer stating that information coming from a doctor and stored in PHRs is news. I’ve not heard that anywhere. Once it is in the patient’s possession, how can it automatically be PHI. For example, fitness for duty reports, which has patient information in them, are not considered to contain PHI by HIPAA. So I’d like to further explore the distinction you are making.

The legal status of information in PHRs is a new and complex area that can’t be dealt with properly in a short Q&A format. We did not mean to imply a particular interpretation of HIPAA, or what constitutes PHI under HIPAA law, in our answer to your question. CCHIT endeavors to apply industry standards, rather than create them; however the health information privacy policy area is far from standard at this point. It is an area that will continue to require more analysis and consideration.

VJ asked: Will the PHR be required to meet one hundred percent of criteria, how many yrs will the certification be good for, conditional certification?

Yes, our policy is to inspect and require compliance with all criteria. It is possible, however, that some criteria will apply only to certain PHR models.

We haven’t determined for certain the duration of certification for PHRs, but in all our other domains the certification is valid for 2 years.

Phil Beenhouwer asked: Will you be certifying Google’s ‘Google Health’ and Microsoft’s ‘HealthVault’?

Certification will be open to all PHR product and service providers. We don’t know yet who will apply, or which ones will pass inspection. We’ll start finding out next July!

Lawrence Williams asked: As an active technical committee member of HITSP’s Emergency Responder Use Case (which covers PHR patient data interoperability from on-scene emergency responder care through emergency room treatment) and given the fact that CCHIT states that one of the primary benefits of having a PHR is to “save your life in an emergency”, I urge CCHIT to modify it’s first draft of ‘09 interoperability criteria to reflect the PHR interoperability requirements of HITSP’s Emergency Responder Use Case IS-04.

Thank you for your participation in the call today and for highlighting the emergency responder issues with regard to personal health records. PHRs hold great promise for utility in many aspects of people’s lives in and out of the traditional healthcare settings. CCHIT will continue to keep the emergency responder use case on the list for consideration. We will remain flexible based on feedback from the community at large regarding priorities for 09 inclusion or beyond.

Deven McGraw asked: Is there a key for the “criteria reference” section of the draft criteria?

Good point – we need to add that and we will.

Jim asked: Can you describe how this standard effort compares to the effort to standardize the EMR? Is there a set of data that they have in common and are you working toward the two records communicating?

CCHIT’s PHR certification is a parallel effort to CCHIT’s work in certifying EMRs (we use the abbreviation EHR) for doctors’ offices, hospitals, and emergency rooms. The efforts are being closely coordinated to make sure EHRs and PHRs will be “interoperable” (can communicate and share data).

John Ritter asked: Will a PHR system that has been certified by CCHIT, interoperate with a PHR system that has been certified by other nations?

CCHIT is in discussions with officials from other nations about that kind of long term goal, but we don’t think it is achievable in the next year or two. As long as your PHR is accessible via web browser or other standard technology, you should be able to access it worldwide.

Lynne Chartier asked: I have read the 3 year criteria, and have submitted comments to a central location in my organization. We intend to comment together. In addition, I participate on the PHR workgroup with HL7. The requirements I saw indicate they are in the categories of privacy, security and interoperability. Where are the functionality requirements that Dr. Pettit referred to?

Thank you for your interest. As our guidance from the PHR Advisory Task Force suggested, the Work Group has focused on Privacy, Security, and Interoperability for the first (09) certification year. There are only 2 functionality criteria for 09 at this point in time. They are: PHR 30.01 and PHR 31.01. “the system shall provide the ability to capture account holder provider contact information” and “the system shall provide the ability for the account holder to record his or her own health observations” respectively.

Rita Zielstorff asked: I think that a consumer may be confused between “PHR” and the professional medical record. I don’t see that a specific distinction has been drawn. The consumer should be made aware that the “provider” of a PHR may not be the patient’s health care provider, and that the certification criteria are not meant to apply to the professional provider’s medical record.

We agree that there is need to educate consumers about what constitutes a PHR. Our first version of the Consumers Guide to Certification of Personal Health Records is only an introduction to the PHR topic. In future versions, we hope to begin explaining about various sources of information brought into a PHR, and clearly differentiate between information in the PHR and the original information in a professional provider’s medical record.

VJ asked: How would these criteria apply to patient portals of EHR vendors? Will this be separately tested?

If an EHR vendor wants to display the CCHIT seal to patients using the portal, its PHR capabilities would need to be tested according to the PHR criteria and certified as such. One of the major issues to resolve is regarding the critical differences between portals (or linked) and independent PHRs. Writing test scripts for two different sets of privacy milieus really highlights the ‘apples and oranges’ issue. Suggestions welcome! Thank you for this question.

Kathleen Furtado asked: How are you funded?

We are a 501(c)3 nonprofit organization. Currently we receive about half our funding from a contract with the Office of the National Coordinator for Health IT, under the US Department of Health and Human Services; the other half of our funding comes from application fees charged when vendors apply for certification.

Peter Harrison, MD asked: HL7 is working on a PHR system functional model, and has issues with the US centric definition of many PHRs developed in the US. What do you see as the relationship between CCHIT and HL7 and how do you plan to reconcile the differences between the two organizations (for example, CCHIT’s definition could be a profile of the HL7 functional model definition)?

The PHR Work Group is drawing heavily on the HL7 PHR functional model, but takes many other sources of information into account as well. There is substantial liaison going on between the work of the two organizations.

Philip Marshall asked: In a prior powerpoint, it was noted that a user would be given the ability to remove their data (or disable their account) if certification was lost, but this isn’t specifically called out in the criteria. Is it assumed that the ability to expunge data (criteria 19.05) covers this situation?

The issue of expungement has been a hot topic of discussion. It is another area where the answer is heavily dependent on the nature of the PHR. An independent PHR may offer the option of complete expungement of the record, but the linked PHR – whose information actually resides in a provider’s record — may only offer the option of removing PHR access to the record.

This is a good catch - we did discuss this as you mentioned earlier but didn’t specifically address the ‘lost certification’ issue in the criteria. It may be covered by 19.05 but we will add this to the discussion for the PHR WG. Thank you.

John asked: Seems the CCHIT concept of PHR is only an online web-based system. Is there no place for disconnected PHR? Is there no place for a PHR on a USB memory stick? The CCHIT Criteria seem to be a mixture of functional requirements similar to the Ambulatory requirements, yet also others are like a service similar to the Network requirements. Is CCHIT looking to a PHR as a service model? Is CCHIT then going to get into reviewing policies of the PHR?

The PHR Advisory Task Force specifically guided our development efforts to accommodate the widest possible variety of PHR models, and not to limit it to online web-based architectures. Some PHRs will look more like software products, others like web services, and everything in between. The Work Group is trying to develop criteria that can be applied across this spectrum.

Kathleen Furtado asked: I’d like to hear how you explain the difference between a PHR and the personal health information that is available on a healthcare provider’s patient portal? How do you explain why we need our records in both places?

The PHR Advisory Task Force recognized that there are several models through which patients may access their health information. We are using the term “independent” to describe PHR services offered and maintained by entities other than the individual’s healthcare providers or health plans; and “linked” for PHR services offered by providers and plans (what you have called a patient portal). We intend to offer certification for both models, but some of the criteria may have to be different.

We are not taking a position on which is better, or whether both are needed by any given patient. It is up to the individual to decide that.

Philip Marshall asked: The CCHIT criteria pertained mostly to privacy, security, interoperability and authentication. There was very little on the functions of the PHR itself. Was that deliberate based on the nascent nature of the PHR industry? Will there be a separate effort to specify criteria for the features and functions required of a PHR?

Yes, we believe it’s appropriate to limit our attempts to specify functionality because of the early stage of PHR development. We are requiring functionality needed to support the privacy, security, and interoperability requirements. More functionality may be added in future years if it appears it would be helpful to accelerating adoption of the technology or needed to protect consumers.

Lloyd Tribley asked: The 2000 US Census identified nearly 20 % of the US population with disabilities. Most Web-based applications are not technically accessible to persons with disabilities using assistive technology not even factoring in sound usability design. It is likely that existing proprietary PHR products are not accessible for use by persons with disabilities.

Assuming that CCHIT is committed to making sure that PHR products “work properly and safely” for all users, what accessible electronic and information technology (AeIT) criteria (such as Section 508 of the Rehabilitation Act) will be used to address these deficits? How will you activity involve persons with disabilities as stakeholders in PHR usability and accessibility product testing?

Thank you for bringing this issue into the limelight, it is a very important consideration and one that the PHR WG has not tackled to any significant degree at this point. We will certainly add it to our work list.

Jim Tate asked: What is the fee structure for PHR Certification? Once certified, how long will the PHR have active certification status? Will the testing process be similar to the current Ambulatory process? (Self-attestation followed by live script demo viewed by jurors)

The fee structure has not been set. First, the criteria have to be developed, the test scripts created, and the pilot test performed. That lets CCHIT determine how much effort is involved in the inspection so fees can be set accordingly.

Naturally, we will draw upon our experience in testing other health IT. We use a combination of documentation review, jury-observed virtual demonstration, and technical testing for EHRs and it is likely we’ll use those tools for PHRs as well.

Jim Kretz asked: For a topic of such importance to the future of healthcare, why is the conference call scheduled for late on a Friday afternoon preceeding a three day weekend?

We’re sorry if the time proved inconvenient for you. In covering multiple time zones and many different stakeholders, there’s really no time slot that’s perfect for everyone. But for those who could not join the call, we’re going to post the recording online, as well as posting all the online questions and answers, so you won’t miss anything.

Jim Tate said: Glad to see that CCHIT’s Certification for PHRs is gathering steam. The certification process for EHRs brought stability and direction to a badly fragmented market. I bet we’ will see the same positive outcome for PHRs.

Thank you for your support and encouragement!

Have more questions? Feel free to post additional questions here, and we’ll be happy to provide a response. And remember, CCHIT is accepting Public Comment on PHR Criteria until October 28.

On Friday, October 10 at 4 PM Eastern / 1 PM Pacific, the Certification Commission will host a Town Call to introduce you to its new personal health record (PHR) certification, currently under development

Participant Dial-In Number: 1 (877) 313-5342
Conference ID Number: 65204557
View the presentation or Ask a question

What does the CCHIT certification of PHR mean?

It’s a reasonable question. And that’s why the Certification Commission created the Consumer’s Guide to Certification of Personal Health Records, a quick overview of certification—and its benefits—written with consumers in mind.

Today’s consumers want better access to their personal health information and that of their families. They also want to decide who to share it with, and under what circumstances. In our electronic age, patients can have the power to access and control their own personal health record. There are now dozens of organizations that offer systems for accumulating and storing personal health information, either online, on a personal computer, or on the computer systems of health care providers.

Certification is designed to make sure that these products meet a minimum level of security, interoperability, and functionality.

We’re excited to share the Consumer’s Guide with you. And we hope that it helps explain the value of certification for PHR.

The Certification Commission holds regular public comment periods, during which we encourage individuals and organizations to provide feedback on our progress.

The members of the CCHIT PHR Work Group are eager to get your feedback:

In our time together since July 2008, we have reviewed a breadth of guidelines, standards, and functional models supported by guidance from the PHR Advisory Task Force to create this first set. This is a work in progress. The certification process should work to foster patient empowerment in their health and health care. The roster of work group members is indicative of the diversity of uses and environments that we considered in supporting innovation in personal health records.

We invite you to take the opportunity to read the PHR Work Group’s introduction to the PHR criteria and to review the first draft of the PHR criteria for yourself.

Then, if you’d like, take a moment to register for the public comment period and provide your feedback. We’ll be accepting your input on this draft until October 28.

Or, if you’d like to get some more insight on the certification of personal health records, we encourage you to plan on attending the CCHIT Town Call on PHR, October 10.

If you are thinking about using a personal health record (PHR) to better manage personal health but aren’t sure what you should look for, you may be asking questions such as these:

• With PHRs offered by physicians, health insurers or online providers, how do I begin to make a choice that is right for me or my family?
• Everyone is worrying about electronic data and privacy today, so how can I be sure that the PHR I choose has adequate security?
• Will I be able to share access to my personal health information with those I trust such as my doctor or an emergency department?

There is a program developing to help you answer these questions. The Certification Commission for Healthcare Information Technology (CCHIT®) is an officially “recognized certification body” in the US for health information technology – a private, nonprofit organization that is to electronic health information products what Underwriters Laboratories is to electrical products. The Commission applies standards, tests products, and awards a “seal of compliance” to health information products.

If you buy an electrical product, you should expect to see the UL® seal. If you choose a health information product, you should look for the CCHIT certification seal.

The Certification Commission already certifies electronic health records used in doctor’s offices and hospitals. The Commission will launch a new program for personal health records in mid-2009 that will emphasize privacy, security and the information sharing capabilities of PHRs.

Stay tuned for more details.

In an effort to provide broader consumer and industry strategic guidance for its new Personal Health Record (PHR) certification development, the Certification Commission assembled a special PHR Advisory Task Force.

This volunteer task force, composed of advocacy organizations, health care providers and businesses, with consumer health care and PHR experience, assisted the Commission in assessing the current landscape and advising on the appropriate direction for the PHR Work Group.

The PHR Advisory Task Force has published its recommendations, designed to guide the Certification Commission on its certification efforts surround personal health records. For more information, see the CCHIT press release on PHR.