Using 'Blue Button' for Records AccessSecure Websites Enable Patients to Download Information
In an interview (transcript below), Lemieux points out that the Department of Veterans Affairs and Medicare soon will implement the concept, which has been endorsed by 46 organizations.
He explains how the approach to downloading patient records:
- Helps organizations comply with certain federal regulations, including HIPAA;
- Addresses privacy and security issues, building on the Markle Connecting for Health Common Framework for Networked Personal Health Information;
- Enables patients to share records with other caregivers or add them to personal health records or other health histories.
LeMieux is an expert on policy and technology for emerging personal health information tools and services. Since 2004, he has managed Markle's research and policy development for electronic personal health records and collaborative efforts on patient engagement as a means to transform healthcare. He is the lead writer and editor of the Connecting for Health framework.
He formerly directed the launch of health benefit decision support tools at WebMD and led project teams creating interactive applications at WellMed, Discovery Channel and Mayo Clinic.
ANDERSON: The Markle Foundation recently announced that 46 organizations have voiced supporting for the set of privacy and security practices for its "blue button" approach to offering patients electronic access to their records. So please describe how the approach works, why you believe it's needed, and whether it offers access to an entire electronic health record or just certain portions of it.
LEMIEUX: The blue button emerged from public/private collaboration, so no one organization really owns the idea. In fact, we are likely to see a lot of organizations implementing download capability. The idea is very simple. You would log into a secure website, you would click the blue button to download your pertinent health information, and once you click that button you would download an electronic copy to the desktop or the device that you are using. Once you downloaded that copy, it's yours to keep and share as you like. You also need to protect it, and that's why our policy recommendations include practices to help people make important choices about downloading their information.
So we envision a day when secure websites offered by doctors, hospitals, insurers, pharmacies, personal health information services and health information exchanges all offer the download capability or blue button as an option for people to keep track of their health records and their information.
And to your question about what you would be able to download, it would really depend on what the source of that blue button has. For example, a pharmacy might have your medication list, and a doctor might have your recent lab results. An insurer might have how much you paid for certain services, when those services happened and things like that. So the idea is that the individual would be able to download this information from various sources and use it how they wish.
ANDERSON: What technologies and strategies does the blue button approach use to ensure privacy and security?
LEMIEUX: We've been working on privacy and security for quite a while as it relates to personal health information services, and what we've learned through collaboration is that privacy can be protected when technology and policies work together -- specifically, when a comprehensive set of information practices guide technology choices and implementation. So the blue button ... should be offered in a secure online environment that soundly and publicly addresses a bunch of recommended practices on the technology and policy side. And we've actually written those through our collaboration into a body of work called the Markle Connecting for Health Common Framework for Networked Personal Health Information. It includes things like consent. It includes audit trails. It includes minimizing identifying information and several policies along the lines of notification in case a breach, creating a chain of trust, contracts -- a whole compendium of policies.
Now specific to the download button, our recommendations fall into two basic areas. One is that we want people to make informed choices about downloading information, as we would with any consumer-directed activity. That means letting them know the implications of downloading information in plain language and giving them actual information to minimize the risk. For example, you wouldn't want somebody to download sensitive information to a shared computer without knowing what they are doing. So there should be plain language to let them know those types of risks.
Secondly, we have specific authentication and security practice recommendations for the download. For example, we recommend practices to distinguish between a request for download by a human being versus one by some type of automated process. We also recommend that download requests be logged in audit trails so that they can be tracked over time. All of these recommendations are at our website at www.Markle.org or www.Connectingforhealth.org.
ANDERSON: I understand that the U.S. Department of Veterans Affairs and Medicare are now implementing the blue button approach. Can you describe briefly the size and scope of those two projects?
LEMIEUX: Well, the president said that veterans will have the blue button at the "My Healthy Vet" website to download their health information, and Medicare has committed to launching a blue button on its beneficiary portal, MyMedicare.gov, as well....Obviously they each have potential to reach tens of millions of people, and their leadership in this area provides an excellent example for the whole health sector by making information available for download through the simple click of a blue button for those people that have logged into their secure sites.
ANDERSON: Do you anticipate the developers of electronic health record systems, patient portals, or health information exchanges might incorporate the blue button approach?
LEMIEUX: We actually do expect that. We think that the blue button is a basic fair information practice, letting people see copies of information. The individual could use it how they like. For example, some people might spot an error in records that they've downloaded and be able to notify and request a correction. Others might create their own spreadsheet and track their health themselves, while others might upload it into an application that meets their specific needs. For example, somebody with diabetes could track things like blood sugar, lab results, preventive care, medication or insulin, and they could do that in some type of secure, password-protected service on the web or even a smart phone.
So we do expect many organizations to respond, not only by supplying the blue button themselves and allowing people to download information that they already show them in a secure web browser, but also in developing ways to add value to the individual's health information download, with the individual's permission, of course. You could imagine services springing up that allow people to graph their data or use it in a way that helps them visualize and track their progress as well as share the information. We think that allowing the information to be downloadable allows for a great deal of innovation and value-added applications and services.
ANDERSON: The federal rule that describes how hospitals and physicians must make meaningful use of electronic health records to qualify for the new Medicare and Medicaid incentive payments under the HITECH Act requires that they must provide electronic copies of records to patients upon request. So does the blue button approach help them fulfill that requirement, and would you like to see meaningful use requirements for future stages of the incentive program include a more specific requirement for a blue button type of download capability?
LEMIEUX: We absolutely think that the download capability is a good means for providers and hospitals to fulfill the patient engagement components of the meaningful use rule. Certainly, the meaningful use rule and the final rule on EHR software standards support the individual's ability to receive electronic copies of very pertinent information, like summaries of doctor visits, or lists of medications you are taking, or results from a lab. And even outside of meaningful use, the HITECH Act that's part of the economic stimulus package that passed last year says that people can request and receive electronic copies of their health information....
So we have a very broad range of organizations -- provider groups, insurers, technology companies, consumer and patient advocates, privacy advocates -- in agreement that the download capability of the blue button should be an option for healthcare providers and hospitals to fulfill some of those patient engagement components that are a very important part of the meaningful use rule. When you think about it, it makes perfect sense that the public, which is providing a taxpayer subsidy of health IT under the HITECH Act, should see some direct benefits from these investments. You get secure, convenient, timely access to information that can make a difference on one of the most important things in your life -- and that's your health. That is why we are excited about the basic simplicity of the download button and the ability for people to take physical possession of copies of their information. And we think that there will be a lot of innovation and uses that show value to individuals because each person's health is different.
ANDERSON: Just to follow up, the meaningful use rule was recently finalized for stage one of the incentive program, and there will be another rule for later stages of the program. Would you hope that those future rules would include a more specific requirement for record download capability along the lines of the blue button?
LEMIEUX: The recent paper that we released recommends that the download capability be part of the definition of qualified health information technology -- the information technology that providers can use to achieve meaningful use goals. We think that there is a lot of support for the blue button implicitly in the stage one requirements of the rule, and we'd definitely like to see it be used in procurement requirements for health IT projects and grants.