Feds Look to Automate Blue Button

Seek New Input on Standards, Security
Feds Look to Automate Blue Button

The federal government is launching an initiative to make the increasingly popular Blue Button patient portal feature more automated. The goal is to provide patients with more ease and choices for securely downloading and transmitting their personal health information.

See Also: Virtualization: Your Untapped Advantage Against Cyberattacks

The new "Automate Blue Button" initiative, spearheaded by The Office of the National Coordinator for Health IT and the Department of Veterans Affairs officially, will kick off on Aug. 15. It will debut with a webinar aimed at attracting technical experts with innovative ideas to help develop standards and pilot the emerging technology, says Doug Fridsma, ONC director of standards and interoperability and chief scientist.

The Blue Button concept, developed a few years ago by the Markle Foundation in collaboration with other groups, allows individuals to click on a button of a patient portal to securely download and store their health information, or to authorize transfer of medical data from one physician to another.

More than 1 million people currently use Blue Button, says Fridsma. Of those, about half are U.S. veterans who were among the first people offered the Blue Button service when the VA launched it two years ago as a feature on its MyHealtheVet patient portal. Other Blue Button users include Medicare beneficiaries and some individuals who have coverage provided by private insurers Aetna and UnitedHealth Group.

"Blue Button is a movement," says Fridsma. "Once people get access to their information, they want to move it and to do useful things with it," he says.

Blue Button can potentially play a much bigger role in private sector also, as the HITECH Act's Meaningful Use incentive program focuses on improving patient access to their health data, and engagement, he says.

Kickoff Effort

To emphasize the importance of the Automate Blue Button initiative, Dr. Farzad Mostashari, national coordinator for health IT, is expected to give some opening comments to webinar attendees this week to kick off the effort, says Fridsma. ONC and VA hope the webinar will be attended by technical experts and innovators that can help develop standards and pilot new Blue Button developments.

As Blue Button is built out, other functionality could include allowing patients to authorize that their health information from doctors' e-health record systems automatically be sent to the patient's own personal health records or another destination of their choosing, including provider-to-provider transmission, says Fridsma.

That sort of functionality could allow patients to easily gather all their latest health data, such as information that gets generated during a visit to an allergist, he said. "The system could be set up so that every time there's new information, you get it," he says. "Set it and forget," he says.

Other possibilities for Blue Button include patients subscribing to receive and gather from multiple sources their health data in a destination besides a personal health record, perhaps similar to how consumers can subscribe to various news feeds or podcasts on their mobile devices, Fridsma says.

New Blue Button capabilities could tap existing standards, such as specifications from the National Strategy for Trusted Identities in Cyberspace, the Direct Project, and others, he says. The purpose of the kick-off webinar this week is to get a discussion going about standards and interoperability specifications that could allow Blue Button to become more automated, yet secure.

"The goal is to have the community talk about this," he says.

Privacy First

As brainstorming discussions kick off about expanding Blue Button capabilities, security and privacy issues need to be front and center, suggests Deven McGraw, director of the Center for Democracy & Technology's Health Privacy Project.

"It will be important for the HHS Office for Civil Rights to issue guidance on how to deploy appropriate security controls for Blue Button access," says McGraw, who is also co-chair of the HIT Policy Committee's Privacy and Security Tiger Team.

For example, "patients will need to be issued credentials in order to be able to access their health information, and ideally should have a way of easily alerting providers about any errors they see in the records," she says.

"Providers should not set the security controls so high that it discourages patients from participating - but at the same time, there will need to be some baseline security measures adopted in order to ensure that individual authorizing a patient's record is authorized to do so, for example, the patient, an authorized family member or health care proxy," she says.

Additionally, if future Blue Button capabilities allow transmission of patient records to a variety of third parties, many of those potential players - like independent PHR vendors - currently are not required to abide by the HIPAA Privacy and Security rules, says McGraw.

"Instead, patients need to protect their own privacy by reading and understanding the third party's privacy policy. This is not an ideal scenario," she says.

The Center for Democracy & Technology has called for baseline consumer privacy legislation that also protects health data that would apply to commercial entities, both on-line and off-line, she says.

"Patients can be warned with a short, understandable screen - before they download - that they may be about to download data into unprotected environments," she says.

The Markle Foundation's multi-stakeholder-developed recommendations on Blue Button call for such an "alert" screen or pop-up, and the HIT Policy Committee also endorsed this idea, says McGraw.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network