Summary of Adrian Gropper Critique of Health Companion

Drummond Reed posted this link to a presentation by Health Companion on the ProjectVRM news group.  Drummond suggested Health Companion may be VRM friendly as the presentation used many of the words familiar to the VRM community.  Adrian Gropper said that the Health Companion presentation showed all that is wrong with the USA Health IT infrastructure and was VRM unfriendly.  Drummond asked Adrian if he could give an online critique and question and answer session on the system.  Adrian agreed and Lucas from GigoChat set up an online session for Adrian to comment on the Health Companion presentation.  The discussion lasted about an hour during which Adrian focussed on particular slides and answered Drummond's questions.
The slide at 3 minutes 53 seconds into the Health Companion presentation drew particular criticism. Adrian explained how the health standard C-CDA document approach was not working. This is because the standards are extraordinarily complex and difficult to implement, doctors do not want to use them, and they add to complexity rather than reduce it. He mentioned that $30 billion+ has been spent by the USA government on what is at best a $10 billion problem.
The support of the law mentioned in the slide amounts to the law attempting to enforce compliance through penalties. Penalties in this area are problematic and difficult to impose and only lead to unnecessary expense and rigidity.
Adrian posed the question of whether Exchanges become unnecessary if institutions give API access to data.
Adrian then considered the slide at 6 minutes 23 seconds into the presentation. This slide compares the transmission of health data through the Direct Project to the transmission of email. Adrian pointed out that this is not a good analogy because, unlike email, two parties cannot transmit information between each other without the approval or authorisation of a certified exchange party. As Adrian pointed out, if exchanges are unnecessary for the transmission of data, then the Direct Project simply adds an unnecessary, costly intermediary.
Adrian then briefly discussed the way things could go, with particular reference to the problem caused by the conflation of authorisation with authentication in systems that require intermediaries. He discussed how giving individuals access to their own information, together with independent authentication, would remove intermediaries in the transmission of health information. He then cited the work of UMA and the linking of personal clouds in making this happen.
He believed that giving individuals control over who accesses the information on their personal devices could lead to a change in behaviour of institutions who would like to get access to that clearly private data.  Given that institutions want access to an individual's private data then it is reasonable that the individual should get access to the data on them held by institutions.
On the value of personal clouds and every individual storing their own personal data Adrian made the following statement.
 "Much better to be able to provide access to information than a copy of that information."
Drummond posted a reply and another summary of Adrian's session. This follows.
As Kevin explained, Adrian's core thesis was that this presentation about how health care data exchange is evolving, given at the Stanford Medicine X conference last September by the Chief Innovation Officer of Health Companion, a startup founded by a few doctors, makes it sound like they are doing VRM for healthcare, but in fact the picture it paints is far removed from reality. Adrian explained the three primary reasons this is so:
  1. First, the trust model that Health Companion advocates in the presentation is not in fact working.
  2. Second, the document-based model for healthcare data exchange has been a disaster.
  3. Third, the economic incentives are all for institutions and vendors—they provide no motivation for patient-centricity/patient empowerment.
Following are some of Adrian's key supporting points for each:
  • Under the Obama administration, the U.S. government invested $30B to get healthcare providers to convert to EMR (Electronic Medical Records)
  • This includes the C-CDA standard (based on HL7) for document-based exchange of PHI (Protected Health Information) or PHR (Personal Health Records)
  • The fundamental problem is that doctors don't want incoming documents from other doctors
    • They don't want to see the results of tests they did not order
    • They are not sure of the provenance (source and validity) of the data
    • They don't want to merge those records with the doctor's own records
  • So, after all this money was spent focused on a document-based exchange model, now the industry is collectively realizing they should be using a policy-neutral RESTful API model based on access tokens
  • FHIR (Fast Healthcare Interoperability Resources) is being developed on top of HL7 to provide a RESTful API for health data
  • The $30B spent by the U.S. government encouraged a massive wave of consolidation in the EMR industry (which was a $10B industry before that)
  • Only a few large players can compete at that scale—the large spending knocked out the smaller players
  • The large players are hardball about vendor lock-in, so none of that money got spent on interoperability
  • Now that the money has been spent, the only way to incent interoperability is penalties, which have a large political cost
  1. Move from document-based exchange to RESTful public APIs that are policy-neutral
  2. Eliminate trust intermediaries/brokers and let trust be negotiated directly between peers
  3. Let individual patients control access via their own authorization manager (AM) as envisioned by the UMA (User Managed Access) protocol
  4. Personal health records do not all have to be aggregated in a PDS (Personal Data Store) or personal cloud, rather the data can live in the system where it was created and be accessed via that system's API using OAuth access tokens managed by an UMA AM
  5. This way, the data itself does not need to be copied (creating both more security and privacy problems), only access rights need to be copied (and potentially even traded)
  6. This is the architecture being pursued by the new HEART (Health Relationship Trust) Working Group at the OpenID Foundation that Adrian along with Eve Maler and Debbie Bucci as co-chairs, and Justin Richer are leading.
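
The "copy access rights, not data" architecture in points 3 to 5 can be made concrete with a small in-memory model. This is an added example, not code from Health Companion, UMA or HEART, and it is a simplified sketch rather than the UMA wire protocol: the class names, the `lab.example` and `clinic.example` servers, the `labs:read` scope and the record contents are all hypothetical, constructed values.

```python
import secrets, time

class AuthorizationManager:
    """Patient-controlled AM: holds the patient's policy, issues and revokes tokens."""
    def __init__(self):
        self.policy = set()   # (requester, resource_server, scope) grants the patient allows
        self.tokens = {}      # opaque token -> {"grant": ..., "exp": ...}

    def issue(self, requester, server, scope, ttl=300, now=None):
        grant = (requester, server, scope)
        if grant not in self.policy:
            return None       # no patient consent, no token
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"grant": grant, "exp": now + ttl}
        return token

    def revoke(self, grant):
        self.policy.discard(grant)
        self.tokens = {t: g for t, g in self.tokens.items() if g["grant"] != grant}

    def introspect(self, token, now=None):
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        return rec["grant"] if rec and rec["exp"] > now else None

class ResourceServer:  # institution's API: the record stays here, only access rights move
    def __init__(self, name, am, records):
        self.name, self.am, self.records = name, am, records

    def read(self, token, scope):
        grant = self.am.introspect(token)
        if grant is None or grant[1:] != (self.name, scope):
            return 403, None  # unknown, expired, revoked, or issued for another server/scope
        return 200, self.records[scope]

def demo():
    am = AuthorizationManager()
    lab = ResourceServer("lab.example", am, {"labs:read": {"hba1c": "constructed"}})
    clinic = ResourceServer("clinic.example", am, {"labs:read": {}})
    grant = ("dr-b", "lab.example", "labs:read")
    am.policy.add(grant)                        # patient consents at the AM
    tok = am.issue(*grant)
    seen = [lab.read(tok, "labs:read")[0],      # permitted read at the source system
            clinic.read(tok, "labs:read")[0],   # same token, wrong resource server
            am.issue("insurer", "lab.example", "labs:read")]  # no grant on file
    am.revoke(grant)
    seen.append(lab.read(tok, "labs:read")[0])  # token is dead after revocation
    return seen
```

Because the resource server asks the AM about every token, a revocation by the patient takes effect on the next request, which is the property a handed-over copy of the record cannot offer.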