The Personal Internetworked Notary and Guardian (PING):The Policy Implications of a Patient-Controlled Electronic MABSTRACTThere have been many attempts to create longitudinally-integTABLE OF CONTENTSPART I: INTRODUCTIONPART III: THE PERSONAL INTERNETWORKED NOTARY AND GUARDIAN3.2 System architecture – a bird’s eye view3.3 File system and data representation3.4 Privacy and security3.4.1 Encryption3.4.2 Authentication3.4.3 AuthorizationAcknowledgementsThe Personal Internetworked Notary and Guardian (PING): The Policy Implications of a Patient-Controlled Electronic Medical Record Daniar Hussain, Andrew Werner, Neil Desai Department of Electrical Engineering and Computer Science Massachusetts Institute of Technology, Cambridge, MA May 16, 2002 MIT Course 6.805 Prof. Hal AbelsonABSTRACT There have been many attempts to create longitudinally-integrated, nation-wide electronic patient record systems ever since information technology has infiltrated the medical profession. This paper compares two recent attempts – a legislative attempt in the Universal Health Identifier (UHID) mandated by the Health Insurance Portability and Accountability Act (HIPAA) and a technical attempt under development at Children’s Hospital and MIT called the Personal Internetworked Notary and Guardian (PING). The paper uses these as a case study of two very different approaches to the medical records problem, and examines why UHID failed, and how PING is likely to succeed. PING’s technical architecture is examined in depth, and it is compared and contrasted to UHID’s stated objectives. Practical market, policy, and legal issues surrounding the national deployment of PING are examined. 2TABLE OF CONTENTS 1 Introduction 1.1 Overview 1.2 The medical record problem 2 Unique Health Identifiers 2.1 Introduction and Background to HIPAA 2.1.1 HIPAA Overview 2.1.2 Legislative History 2.1.3 Inside HIPAA 2.1.4 The White Paper and UHID 2.2 Proponents of UHID 2.2.1 Overview 2.2.2 Computer-based Patient Record Institute 2.3 Opponents of UHID 2.3.1 Privacy Concerns 2.3.2 Case Study of a National Identifier 3 Personal Internetworked Notary and Guardian 3.1 Design objectives and obstacles 3.2 System architecture – a bird’s eye view 3.3 File system and data representation 3.4 Privacy and security 3.4.1 Encryption 3.4.2 Authentication 3.4.3 Authorization 3.4.4 Audit 3.4.5 Dealing with system attacks 3.5 Integration and interface with existing health-care systems 3.6 Medical and public health research 3.7 Current prototypes 4 Advantages of the PING system 4.1 Goals met by PING 4.1.1 The role of PING in a medical information system 4.1.2 Continuity of Care 4.1.3 Accurate record keeping 4.1.4 Collections 4.1.5 Fraud and law enforcement 4.1.6 PING and the UHID 4.2 Impacts: What PING can offer 4.2.1 The proactive patient 4.2.2 Interactive health communication defined 4.2.3 The modern health consumer 4.2.4 Risks of IHC 4.2.5 PING as Interactive Health Communication 4.3 PING and the real world 34.3.1 PING and the Consumer 4.3.2 Institutional barriers to adoption 5 Conclusion 6 Acknowledgements 4PART I: INTRODUCTION 1.1 Overview In recent years, medical records have been increasingly kept in electronic form. A computerized patient record keeping system brings with it many advantages; however, the often fragmentary nature of patient records impede the utilization of medical informatics technologies to their fullest extent. A legislative solution emerged in 1996: a national mandate for a scheme that would assign every individual in the United States a unique identifier, so as to facilitate the gathering of health information across organizational boundaries. This met with substantial opposition from privacy organizations and citizens concerned the threat that such a system would pose to the confidence in which their health information would be held. There exists an alternative solution. Due to the increasing ubiquity of information technology, it is now possible to imagine a patient owned medical record, accessible from many points and to many people, all under the supervision of the entities with the most direct interest in the patients’ health information – the patients themselves. The Personalized Internetworked Notary and Guardian, or PING, is a project currently under development as a joint project between the MIT Laboratory for Computer Science (LCS), the Children’s Hospital Informatics Program (CHIP), and Harvard Medical School. PING is designed as an adjunct to existing hospital medical record systems, enabling the creation of a lifetime personal medical record, owned by the patient. We contend that PING solves the “medical record problem” better than the unique health identifier or a similar system, as PING effectively leverages technology to enable a solution that is tailored to suit the educated health care consumer’s needs. 51.2 The medical record problem The practice of medicine generates large quantities of information. The enormous complexity of modern health care practice has been accompanied by an increase in the power of the means used to manage medical data. The move to a computerized medical record-keeping system brings with it several substantial advantages.1 First, increased ease in accessing a patient’s medical record can improve the quality of healthcare service received by the patient. Second, medical research programs can benefit from the increased massing of data provided by a unified, electronic database, centered in a hospital or some other locus of health service. Finally, electronic record-keeping lowers administrative costs. In recent years, substantial progress has been made toward the successful implementation of computerized patient records. However, the full potentialities of a computerized patient record-keeping system have yet to be realized. The modern patient is likely to obtain health care in a variety of geographic locations, from a variety of providers,2 fragmenting the patient’s medical record across geographic and institutional boundaries. For patients with complex medical conditions, moving information essential to the proper administration of health care between a variety of providers can prove to be extraordinarily difficult.3 The problem lies not only in the movement of electronic information from one organization to another, but also in the management of many legacy records