Sharks, Bees, and Health Privacy Paranoia

Fred Trotter

July 5, 2007

You probably do not need health care privacy. Or at least, no more than you already have.

There are stringent laws in place to ensure that your doctor does not blab your private information. Moreover, health software architects like me obsess about the security details of the just-forming Health Internet (what the Nation-Wide Health Information Network is destined to become), so that generally someone is going to have to do something gravely against the law or technically stupid to get your health information data out in the open.

That does not mean privacy violations do not happen.

They do, and they can be tragic. But we need to start being realistic about what issues we are going to focus on in the age of government-funded health IT adoption, and privacy concerns do not warrant that focus.

This is a “sharks vs. bees” issue. Shark attacks are scary as hell. Bee attacks are not particularly scary. But far more people each year are hurt and killed by bees than by sharks. Bees are so common and everyday that everyone forgets that in the right circumstances the little buggers can kill. This is an area of human psychology called “risk assessment”: basically, we respond more to vivid, visceral, and unlikely threats than to more likely but mundane threats (such as terrorism vs. global warming). We must become aware of this problem as we move into the age of health data liquidity. We need to stop responding to “movie plot” risk assessment.

What’s Really Important

The issue that the e-patient community should be focusing on, in regard to health information exchange, is accuracy. Inaccurate health data hurts people far more frequently and significantly than privacy violations.

This has been a problem already for years, but when your health data is liquid, it can mean that crappy data would follow you everywhere.

Too much of the health informatics discussion has been hijacked by people who think we should be focused on preventing health information transfers without our permission. That is really not very important. For the most part, transfers that happen without our permission will still be in our interests, just like the fax data transfers that happen today. The story of the doctor who betrayed the patient by blatantly violating his privacy and leaking humiliating details to an employer who cruelly fires the patient is deeply visceral. Look at all of the emotion words in the previous sentence. We must keep in mind that this type of privacy violation is very, very rare, despite histrionic claims to the contrary.

What is far more important than ensuring that our privacy is not violated?

Making sure that when health information transfers occur, we have mechanisms available to make sure that the data being transferred is correct.

Have you ever checked your credit score? Have you ever requested copies of all your medical records and really studied the contents carefully? Have you ever done a detailed interview with a reporter? Ordered for more than five people at a restaurant? Have you ever played that game “gossip” at camp? If you have had any of these experiences, you know that when relaying information, significant errors are the rule. It is really difficult to take a bunch of complex and detailed information from one person, give it to another person, have that person enter it into the computer, and have even 90% of that information be correct.

I can assure you in no uncertain terms that you have errors in one of your health records. The only questions are, “How difficult is it to detect and fix those errors?” and “What potential harm can those mistakes cause?”

I firmly believe that if you provide a doctor who passed the tests required to practice in the United States (or any other wealthy country) with all of the accurate information about your health issue, you are probably going to get very high quality health care from that individual. He or she might not be able to fix your problem, but could probably tell you how to get the best care.

I can also assure you that the five minutes that your doctor can afford to spend with you is not enough time for them to get that information from you. We, as patients, frequently get bad care because the health system forces doctors to operate with an information deficit. They just do not have the time to get the information they need about you.

Doctors need details about your health care to make the right decisions, but you have no way of knowing which details they need. Giving all the details takes time, and that is just what doctors do not have.

More and more, information systems will be relied upon to provide that context for doctors. Once your doctor can get health records instantly transferred from one institution to the next, he or she will rely on the details in there, instead of asking you the same questions again and again. A computer will provide your doctor with all or most of your details, and then he or she will discuss the important details with you.

This must happen if we are to have any hope of addressing the doctor shortage worldwide.

That process is going to be deeply broken, though, if doctors are getting inaccurate details. They will make decisions based on good assumptions made from bad data. Bad data is dangerous.

I was the chief architect for Houston’s prototype health information exchange. In that role, I spent lots of time studying health information exchanges that were really functional. One story I heard several times was about the benefit from health information exchange for detecting drug seekers. Some patients, who were obviously frauds, were gaming several clinics and hospitals and getting 10 times the amount of painkillers that a single patient can take and live. Think elephant doses.

The Health Information Exchange was able to detect that and prevent the patients from gaming the system. Sounds pretty cool, right? Health record exchange hard at work!

But what about a false positive? Imagine a patient with real pain issues. Many patients suffer from severe chronic pain that often can only be treated with serious pain medication. Imagine that a pain patient changes cities and goes to a new doctor. The patient is having a bad day and the meeting with the doctor does not go well. The doctor comes away with the impression that the patient is a drug seeker. She marks this fact in the clinic EHR, so that her colleagues at the clinic can avoid being “taken in” by the patient.

The patient, who must have pain medication, goes to a new doctor. But now, the doctor can see that the patient was labeled as a drug seeker at the first clinic. Indeed, it is obvious to the second doctor that this patient is desperate for narcotics. The diagnosis of “drug seeker” is confirmed.

With two EHR systems documenting drug seeking behavior, the whole city is now “wise” to the patient’s status as a drug addict.

The only problem is that this patient is not a drug addict at all. Pain sufferers being labeled as addicts is already a problem in our society. Real pain patients who are labeled as drug seekers have a difficult time getting treatment. Misinformation in health information exchange could make this problem much worse. Many, many patients change doctors because they are not getting proper pain treatment.

This is just one example of why it is important for patients to be concerned about the accuracy of the information in their medical record.

The Simple Solution

Making sure health data is accurate as it moves between health institutions is a boring problem. It reminds me of balancing my checkbook (which I do not do at all), paying my taxes (which I do not do carefully enough), or cleaning my office (which I do rarely). Tracking the accuracy of your health data is boring, mundane, uninteresting, and tremendously important. It’s a lot more like managing the risks due to bee attacks than the risks due to shark attacks.

As an engaged patient, your main concern, as we enter the age of the Health Internet, should be, “How can I make sure that the details that are moving around me are as close to correct and updated as possible?” and “Once I find a mistake, how do I ensure that it is not copied again and again to the EHR systems at my various doctors’ institutions?”

I believe the solution is simplicity itself. Literally.

“Keep It Simple, Stupid.” We need to enforce simple mechanisms of data transfer so that we can monitor them effectively. Some people are proposing protocols of health information that are so complex, it would take months for a qualified software engineer to understand how they work.

The simplest method available for transferring health records in a way that respects patients’ rights to engage in their own healthcare is the Direct Project. The Direct Project is a secure method of transferring healthcare documents and messages point-to-point. It works like fax or email. When you have a health record at point A and you want it to end up at point B, just press the “send” button. It is based on secure email, which is a known-good set of standards that has been working securely and reliably for decades.

The only other standards-based legitimate alternative to Direct is the IHE protocol, which is tremendously complex. It has features that we will all need eventually, but it is truly the opposite of simple.

A Call To Action

We need to stop obsessing about privacy and start advocating for methods that help us ensure that when our health data starts moving, it will decrease, rather than increase, medical errors. We need to start advocating for simple ideas that will really work. I have just the thing to get started. As an e-patient, get involved in your local health information exchange efforts, and advocate the following:

  1. Advocate for the Direct protocol.
  2. Direct-only health information exchange is fine.
  3. Exchange based on Direct and the IHE protocol is fine too.
  4. No proprietary or “roll-your-own” health information exchange protocols; we need universal transferability and only the IHE and Direct protocols offer that.
  5. IHE by itself is not OK because the protocol is too complicated.
  6. This is where the rubber meets the road: Insist on “the patient’s right to carbon copies.”

Direct is designed from the ground up for patients to be peers on the health information exchange network. Microsoft is already offering a Direct email address to its HealthVault users. Google, in a rare case of serious catch-up, will soon be matching Microsoft with Direct support in Google Health. You, as a patient, can get your very own secure clinical email address today. As a health care provider, you can go to Surescripts, which has partnered with the AAFP to provide physician accounts on the Direct network.

Because that is possible, you can ask the implementers of the local health information exchanges to allow patients to request that all transfers of health data regarding a patient are sent to that patient, too. Eventually, as this idea takes hold, any patient will be able to make a simple request at the front desk of the local doctor’s office: “Please automatically send me a copy of any correspondence regarding my health that you send to anyone. Please cc the patient at”

Of course, there are some data transfers that we will never have the right to see, like certain requests from law enforcement.

But HIPAA gives us the right to know when requests for our records are made. Rather than just getting notified, wouldn’t it be nice to actually get a digital copy of your health record or important messages at the same time? This is actually the simplest and easiest thing for clinicians to implement as well. No matter how the HHS rule-making goes regarding the changes to HIPAA regarding accounting of disclosures, cc’ing the patient on every disclosure is very likely to vastly exceed the requirements.

Then we, as e-patients, can watch the streams of our data moving around in the health care system. When there is a mistake in our data, we will have the opportunity to exercise our rights under HIPAA and correct it. We need simple mechanisms like this in place so that we, as engaged patients, can ensure that we do not fall victim to a new class of medical error, due to transferred inaccurate patient data. This will not make the process of ensuring the accuracy of our data easy, but it will at least make it possible.

Let’s make health information exchange something that is done with patients…not to patients.
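As an added illustration of the carbon-copy mechanism described above (example code written for this page, not code from the Direct Project or from the author): an outbound clinical message is built with the patient's registered Direct address in Cc, and an accounting-of-disclosures check flags any message that left without the patient copied. The patient registry, the addresses and the X-Patient-Id header are constructed assumptions for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample registry: patient id -> the Direct address the patient
# asked to be copied on. Ids, addresses and domains are hypothetical.
PATIENT_DIRECT_ADDRESSES = {
    "pt-0001": "jane.doe@direct.patient.example",
}

def build_disclosure(patient_id, sender, recipient, subject, body,
                     registry=PATIENT_DIRECT_ADDRESSES):
    """Build an outbound clinical message; if the patient registered a Direct
    address, Cc it so the patient automatically receives a carbon copy."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["X-Patient-Id"] = patient_id  # hypothetical header tying msg to patient
    patient_addr = registry.get(patient_id)
    if patient_addr:
        msg["Cc"] = patient_addr
    msg.set_content(body)
    return msg

def recipients(msg):
    """Every address in To/Cc, lower-cased, so display names and header
    formatting do not affect the check."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields)}

def audit_disclosures(messages, registry=PATIENT_DIRECT_ADDRESSES):
    """Accounting-of-disclosures style check over outbound messages: one entry
    per message stating whether the patient's registered address was copied.
    Patients with no registered address are reported as 'unregistered'."""
    report = []
    for msg in messages:
        pid = str(msg.get("X-Patient-Id", ""))
        expected = registry.get(pid)
        if expected is None:
            status = "unregistered"
        elif expected.lower() in recipients(msg):
            status = "patient-copied"
        else:
            status = "missing-copy"   # disclosure went out without the patient
        report.append({"patient": pid, "to": str(msg["To"]), "status": status})
    return report
```

Running `audit_disclosures` over the day's outbound messages is the patient-side counterpart of the HIPAA accounting of disclosures: it lists which transfers the patient was, and was not, copied on.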

Copyright: © 2011 Fred Trotter. Published here under license by The Journal of Participatory Medicine. Copyright for this article is retained by the author, with first publication rights granted to the Journal of Participatory Medicine. All journal content, except where otherwise noted, is licensed under a Creative Commons Attribution 3.0 License. By virtue of their appearance in this open-access journal, articles are free to use, with proper attribution, in educational and other non-commercial settings.

Fred Trotter

Fred shapes our software development and data gathering strategies, which doesn't stop him from getting elbow-deep in the code on a regular basis. He is co-author of the first Health IT O’Reilly book Hacking Healthcare, and co-creator of the DIRECT protocol mandated in Meaningful Use. Fred’s technical commentary and data journalism work has been featured in several online and print journals including Wired, Forbes, U.S. News, NPR, Government Health IT, and Modern Healthcare.
