Why we’re launching a Consumer Directed Exchange (CDEx) project

If your first question is “what’s Consumer Directed Exchange?” please feel free to google it and come back.

Last week, Alliance for Better Health launched the first regional effort in the United States toward facilitating CDEx for Medicaid Members.

Here’s my short (?) version of what/why/how

We consumers (people?) are becoming increasingly aware of the information that others have acquired about us. We implicitly trust Facebook, Google, Apple, etc. to keep our information safe, and share it with others only when we choose. As health care has evolved from paper, there is now an extraordinary quantity of our health information that is stored digitally in hospitals, medical offices, and (yes – see above) Apple, Google, etc. When a provider of health care services needs your health information so that they can better serve you (or serve you at all), they can sometimes access this information through traditional means of health information exchange. There are several ways to do this, and I won’t cover them today. A short overview is here. Note that there is a difference between the activity of health information exchange (the verb) and an HIE (Health Information Exchange – the noun).

We usually give permission for care providers to exchange our information. The Health Insurance Portability and Accountability Act (HIPAA) and the important but often overlooked HITECH Modifications to HIPAA provide the framework for how, when and why our information is shared. A key feature of the regulations is that they apply to HIPAA Covered Entities (CEs) and Business Associates (BAs). The HITECH mods made big changes to the definition of a BA, and in so doing, made it very important for a BA to have robust security & privacy technical and process infrastructure. By making these changes, HHS shifted the responsibility for a BA’s behavior from the CE to the BA, so long as a business associates agreement (BAA) is in place. Before the mods, a CE needed to be certain that the BA had the right infrastructure in place, so they developed big spreadsheets with workbooks that every vendor would need to complete in order to document how mature they were. With the modifications, this shouldn’t be necessary, as the BA is now legally liable for any breach, rather than the CE, so the BA just needs to attest to the CE that they do have such infrastructure. Alas, old habits die hard, and most CEs (unfortunately) still make their vendors do the security workbook, or complete Hitrust certification as evidence of appropriate infrastructure. This isn’t wrong, but it’s also not necessary, and it creates thousands of hours of unnecessary work on both sides, as vendors need to complete security workbooks and then the security workbooks need to be reviewed, approved, or rejected/revised, etc.

But what if the food pantry, homeless shelter, city mission, or community health worker needs this information in order to help you? Traditionally, these folks are not CEs – nor are they BAs (they don’t have the security infrastructure or policies in place in order to satisfy the requirements of a BAA) and therefore the CEs and BAs (and their lawyers) don’t feel comfortable sharing health information with them. With good reason, as they lack the infrastructure required to keep information safe. These entities are therefore called Non-covered entities (NCEs).

In addition to the NCEs, information sharing between CEs and between BAs is sometimes less fluid than we would like. Have you ever arrived at a care provider’s office and found that the information that was supposed to be shared with them by another provider wasn’t there? Labs, imaging reports, a consultation report, a discharge summary .. all of these are often simply unavailable despite our expectation that they would/should/could be. We all have anecdotes – so I’ll share one: in 2015, my dad was having a procedure in San Francisco (at the “Best Hospital in the world,” and his physician in Boston (at the “Other Best Hospital In the World”) was to send dad’s records over. Both hospitals have electronic health records. Both hospitals had dad’s written permission to communicate with each other. When dad arrived .. guess what? No records. The SF hospital demanded that we hand them paper. Citing HIPAA, they refused to accept electronic transfer.  No, I’m not making this up. The solution? From my home in New York, I logged in to the patient portal for the Boston hospital (with dad’s username/password) downloaded them to my computer, “printed” them to a pdf file, logged in to my Doximity account, and faxed them to the San Francisco hospital. They accepted a fax.  This is consumer directed exchange. Albeit a perverse version of it.

When traditional methods fail, we use consumer directed exchange. Would most people have been able to do what I did? Probably not. Certainly not Medicaid members – who have neither the technical tools nor the e-fax capability of Doximity.

How can we make this all easier for everyone?

If knowledge is power – how do we make sure that the information upon which knowledge will grow – is available and portable? If I want my health information to be shared with ____, how can I make that happen quickly and easily?

This is the core problem we’re working to solve: we plan to make it easy for anyone to share their health information with whomever they please. Here’s how:

  1. Verify that you are who you say you are.
  2. Give you access to as much of your health information as we can access on your behalf. For our initial launch, this will be whatever is in our regional Health Information Exchange, Hixny. But we’re building this solution so that it can access other data sources too, and we hope that the tool we build will be used by others – both nationally and internationally – as our code will be shared under an open source license, and can be used freely by other organizations. This will not be a proprietary solution.
  3. Help you share the information. It’s yours. Once you control it, you can do anything you like with it. You can print it, share it with the person sitting next to you, even tweet it (but we don’t recommend twitter as a transfer mechanism, btw). We’ll help you choose the best method. The key is that you are doing the sharing. There is no “consent” or “authorization” or anything else that is part of this exchange, because no CE or BA is doing the information exchange. The consumer is directing the exchange. As they should.

Our hypothesis is that with better access to information, better decisions can be made – avoiding unnecessary or harmful interventions. We’re excited to launch this initiative regionally, and hope to see it spread across the nation.