There are a number of companies that offer services that can be used for Personal Health Records (PHRs) and Health Record Banks (HRBs). It is helpful to tease out the various functions to better understand what is involved in setting up an HRB.
Patient Identity Proofing
If consumers are going to ask providers to send them copies of their professional electronic health records, providers will need to be confident that it is safe to send protected health information (PHI) to the requested recipient (the consumer). Many providers are worried about sending PHI to the wrong place and being responsible for a patient’s personal data posted on the internet without their permission. One way to assist providers is by authenticating that the consumer is who she says she is.
DirectTrust.org and NATE-trust.org (National Association for Trusted Exchange) and a number of firms who are members of DirectTrust.org or NATE are assigning patients and consumers their own Direct addresses. In the case of DirectTrust.org and member HISPs like IdenTrust, iShareMedical.com, and MaxMD, patients are given Direct addresses at National Institute of Standards and Technology (NIST) Level of Assurance 3 (LoA3) or one step higher, Federal Bridge Certificate Authority (FBCA) Medium. These identity-proofed consumer addresses can be purchased on-line for as little as $10. To “prove” that a consumer is who she says she is, the HISPs require a combination of the following:
- Name
- Valid state drivers license
- Credit card
- Responses to questions against a knowledge base (like Experian, Equifax, and TransUnion do when you ask for your free annual credit report); for example, “which numeric address have you used in the last ten years?”
- US Postal Address (to send to and receive a reply from an out-of-band confirmation)
- Mobile phone number (to send to and receive a reply from an out-of-band confirmation)
- Email address (to send to and receive a reply from an out-of-band confirmation)
Some HRB companies don’t use individual consumer Direct addresses. Instead each installation of the HRB product gets its own Direct address. Providers send copies of EHR records to that Direct address and then the HRB software looks at the patient demographic information in the header of the message and sorts each record into the correct consumer’s account.
Message Management Companies
There are firms such as HealthCelerate and MaxMD that specialize in healthcare message transfer. These services can be used to move data from providers’ EHRs and payers to HRBs.
Health Record Bank Companies
Firms like iShareMedical, HealthCompanion, 360ofMe, Red Kangaroo, and MaxMD offer the connectors, databases, services, and consumer-facing software to implement a health record bank account.
Database Security and Privacy Companies
One of the important attributes of an HRB is that each consumer’s record needs to be stored under a key or keys unique to that consumer. That way, if there is a breach, only one record is exposed, not millions as occurs when one set of administrator credentials can get into the database where millions of consumer records are stored. Companies like SEED Protocol apply this type of privacy and security to existing databases used for HRBs. This is valuable because an existing HRB company can improve the privacy and security of their product without having to completely start over with a new underlying database.
Health Record Bank Trust Network Organizations
Sometimes, connecting providers’ EHRs with consumer PHRs and HRBs can require writing one-to-one contracts about data use, developing point-to-point interfaces, and preparing maintenance agreements. This can slow progress. Organizations like DirectTrust and NATE have brought many firms together to agree on one set of contracts that everyone in the trust network agrees to use and one set of “rules of the road” that everyone agrees to follow. There may be an opportunity for similar "rules of the road" for establishing HRBs among multiple firms providing the necessary HRB functions.
Multiple Functions
Some companies (like iShareMedical and MaxMD) perform more than one of the above functions and can serve as a single source vendor for your health record bank installation. We have provided this delineation of individual functions to help HRB newcomers become familiar with commercial offerings.