Sunday, February 17, 2008

Health care and datastores

One possible killer app for personal datastores is medical record keeping. Right now, (in the US, at least) every health care provider I use has its own copy of my medical history. It's generally not hard to get your old provider to send your new provider your records, but the point is that they need to be sent at all. The inevitable result is a multitude of small mistakes and discrepancies as essentially the same form gets filled in or transcribed over and over again, leaving you to wonder what sort of large mistakes and discrepancies might creep in while no one's looking.

Joe Andrieu relates a story of Doc Searls dealing with just such problems -- in a state with universal health care -- in his own case [The story in question starts with the section marked "User centrism as system architecture," but as usual the whole post is worth reading]. As he says, a personal datastore would make the whole situation much simpler. Your medical data is part of your datastore. You give your providers permission to read and update it. There's only one copy of it, so all the data replication problems go away. You control access to it.

If you want a new provider to have access, just say so. You could even give blanket permission to any accredited hospital, in case of emergency. This permission would, of course, live in the world-readable part of your datastore.

I have to say it sounds beautiful, and I'm confident that it, or something functionally equivalent, will eventually happen. But how do we get there?

Given that this is very personal medical information, privacy is a major concern. Health care providers (again in the US, at least) are bound by strict privacy rules. Without digging into the details of HIPAA, one of whose aims is actually to promote electronic data interchange, suffice it to say that achieving HIPAA compliance has been a long, expensive and sometimes painful process for the US medical industry.

One result of this process is that providers (and any other "covered entities") are limited in what they may disclose to other parties. While the intent of the privacy rules seems very much in harmony with the idea of a personal datastore, the realization laid out in the law is very much built on the idea of each provider having its own data fiefdom, with strictly limited interchange among the various fiefdoms.

By contrast, in a personal datastore world, providers would never have to worry about disclosing data to other providers. In fact, it would be best for a provider never even to take a local copy, except perhaps for emergency backup purposes, since the patient's datastore itself is the definitive, up-to-date version. This could be particularly important if, say, a patient in a hospital is also being treated by an unaffiliated specialist. Anything one of them does is automatically visible by the other, unless there is a particular reason to restrict access.

The geek in me is fascinated to once again see the concepts of cache coherency and abstraction turning up in the larger world (whence we geeks are only borrowing them). But the health care consumer in me is concerned that the less-than-abstract form of the law, together with the need to implement it, has almost certainly produced a system with far too much inertia to switch to a datastore-centered approach anytime soon.

Obstacle one is that hospital's data systems just aren't set up for it, and after going through the wringer to get the present setup in place, they are not going to be in any hurry to implement a new scheme. Even with that out of the way, it is the providers that are on the hook to ensure privacy. They will want some assurance that relying on personal datastores does not expose them to any new liability.

That in turn will depend on personal datastores having been shown to be secure and reliable. Which is why, although I have no doubt that medical record keeping would be a great application for personal datastores, it seems unlikely to be the first, "killer" app that breaks them into the mainstream.

On the other hand, in chasing down the links for the lead paragraph, I ran across this post on Joe Andrieu's blog about Microsoft HealthVault. It looks like a step in the right direction, but curiously enough, only health care providers can access your vault directly. You can't.

No comments: