Healthcare & SSI, Use Cases for All

From IIW

Healthcare & SSI, Use Cases For All


Wednesday 7C

Convener: Leah Houston

Notes-taker(s): Scott Mace


Tags for the session – technology discussed/ideas considered:


Healthcare, SSI


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


Leah Houston MD

www.hpec.io

I am a physician and had my identity stolen. Our identity as physicians is not only being tangibly stolen by health companies, but also poached from the background as well. HITECH coerced physicians to adopt EHRs. It was designed to capture your data as patients, my data, to deny you services, deny me payment. They see what the average is after doing analytics; everybody below this bar doesn’t get care, doesn’t get services. Leads to this crisis in healthcare. SSI is what we need. Important people realize for an individual patient to have sovereignty, they need to interact with a self-sovereign system. I found Dr. Adrian Gropper, working on a self-sovereign system for patient records. Maria is also working on patient privacy and data.


Maria: Why didn’t personal health records work?


Adrian: They are very expensive for physicians. Also require patients to do work. Transiting a personal health record makes it hard for the doctor to process into their workflow. Also in the long run, we start having implants, things being monitored 24x7. You can’t stream that through a PHR.


Maria: Certified nurse midwife. We had an EHR, women could access, for out of hospital birth. But I’m new to SSID.


Adrian: This is the teachable moment.


Leah: How many people want to take your healthcare records with them? (Most raise hands)


Q: I would love to control my health data no matter where it sits. But my MRIs are huge.


Q: My wife wants them. The healthcare companies are doing data migrations and they’re doing them wrong. I want access to them no matter where they are.


Q: Is HIPAA a two-way street?


Q: There is the need for portability. Encryption at rest and in transit is good.


Adrian: There’s a ton of guidance. You have an absolute right to request your records for yourself or to be sent wherever you want. As long as the doctor has a reasonable way to send it. You could say I want it in encrypted form, the question is do they support the kind of encryption you want? Sometimes yes, sometimes no.


JohnnyCrunch: Try going to an external healthcare provider, providing records from your Google Drive. This is the role of where the DID method specs could manage the automation of compliance for BAAs. It’s the physician who signs the document attesting to the validity of your records. The interesting issue: do I sign it with my self key or my organization key? I as a doctor want to keep my own medical records, all my cases, but if I leave organization A, all of my records are tied up in that EHR. What rights as a physician do I have to access those records? The answer is a Web of trust right now. Epic had no idea if I was practicing as a hospitalist at Stanford, or as an independent physician.


Adrian: What matters is what Alice the patient chooses to identify Johnny the doctor as. Could be via email address. May have a Direct email address. Johnny has a DID that has some info associated with it. Johnny has two verifiable credentials: his license, and the hospital. Certificates held by each. Alice doesn’t need a credential. Only patient portal user ID and password. The third actor is the user agent from some company. Could be Epic. The user agent Johnny uses to access Alice’s records wherever they are. FIDO has a self-sovereign public/private key pair. Trust me, I was built by YubiKey. Just pointed out the certificates in HIPAA and healthcare that matter. And no others.


Q: NPI?


Adrian: We recommend, as does Fred Trotter, that the NPI address have a Direct email address linked to it. Very useful thing. It doesn’t change anything. Just a well-known place.


Q: I don’t know how well NPIs are working. The spec has three.


Johnny: People don’t know how to manage it. This is how it is today. If you want to export a record out of the EHR, travel to India. How does the flow state work today?


Adrian: I’m not sure how it can ever work. Figuring out how to get a hospital to sign a health record or a piece of a health record is very difficult. To layer on top of FHIR signatures of any significance in a health record makes me laugh.


Leah: The information in EHRs is invaluable to me as a doctor. It doesn’t matter if the health system is willing to sign that certificate. You know your medical history for the most part. I personally believe you should have one medical record. Lots of inaccuracies filling it out multiple times. HTM vs. hypertension.


Adrian: It’s called Apple Health. Does that meet your requirements?


Q: Works with Sherpa? 98.6?


Q: Who the early adopter customers might be?


Leah: I would like to think it’s the individual patients. Pick up their decentralized identities as soon as they’re usable enough.


Q: Mothers are early adopters.


Adrian: When you take this away from the hospital, now you can join a patient group. Whether expectant mothers or chemo patients. They should make it easy for other patients to navigate the system. Nothing to do with how you use Apple Health. Can interact with licensed practitioners without interference and censorship of the hospital.


Leah: First step is to untether the physicians from these systems. In a digital space so when they are having a conversation with you, you should adopt this platform, it’s interoperable.


Q: Lobbyists want to push one commercial thing over others.


Leah: Each physician is caring for 600 to 1000 people. If there’s enough of a network effect. Both physicians and patients are pissed off at the system.


Adrian: And neither has any economic power.


Johnny: We have a sick care system. More and more there are engaged patients.


Leah: Cardiologist told me I will be fired if I take a certain number of people in the cath lab. Physicians are terrified of the system.


Adrian: We want a system that does telemedicine by default. As long as you assume telemedicine by default, it makes sense. An easy way to organize what we’re talking about here.


Johnny: I track my dad’s healthcare through my Apple Health. It’s tied to the device. When I present, doctors are thinking I have my dad’s symptoms.


Adrian: 100 times more important as machine learning and AI gets going. No way to factor in social determinants of health. It’s not to prevent identity or harm to individual patient. It’s the decision making algorithm. You have to do all of this in the context of how will society use the data, including non-HIPAA data, to determine the value of putting in a stent.


Johnny: This is a slippery slope. A machine learning method, your fitbit data. You can end up in a high-risk pool.


Leah: The data is dirty.


Johnny: It’s a money question. What’s the value of her life. This is why mammograms are done at age 40. Colonoscopies are the same way at age 50. If you suddenly put a price point, then you have a personal responsibility you are ignoring, the leap would be you are paying a higher premium. Gets into anonymization of data, plausible deniability that it’s me.


Leah: I need to fix misaligned incentives. People getting in sometimes too much healthcare. Would anybody sign up for a self-sovereign record system now?