Friday, October 15, 2004

The Chips Are Down

DaffodilThe FDA this week approved the use of the Applied Digital 4Verisign implantable chip in humans. The chip has been in use for some time in animals, to identify pets and livestock. The technology is straightforward: the chip is implanted under the skin, in the subcutaneous tissue, ideally in the right upper arm near the triceps, and contains RFID transmitter which is activated by a hand-held scanner. Contrary to some media reports, the chip stores no medical data, but only a a unique 16 digit identifying number. This number is used to securely access an online database and retrieve information specific to the patient.

The dream of centralized patient information is hardly new. Current medical record technology is little removed from the 19th century - often handwritten and illegible, decentralized, and paper-based. EMR's are gaining acceptance, but are costly, and standards for data structure, communication protocols, and interchange between different vendors and applications are incomplete and not uniformly implemented. My EMR cannot get or send patient information to yours, nor can it easily obtain from, or relay information to, hospitals, pharmacies, insurance companies, or emergency rooms. Even laboratory data - the most widely implemented medical electronic data exchange - varies from one laboratory to the next, and is only partially standardized.

The long-term solution to such standards and interface barriers would appear to be secure database access over the internet, as is currently done in banking and e-commerce. The Verisign chip is being touted as a first step toward just such a system. But color me very, very skeptical about the likelihood of ever seeing a system of this nature in practice. The obstacles seem insurmountable.

A myriad of problems present themselves when addressing online patient medical databases. Some of these include:

bullet Security and Privacy Issues: From start to finish, many of the hurdles to such a system lie in the securty and privacy realm. Who enters a patient in the system? How do we know you are who you say you are? A quick look at the driver license, SSN, and voter registration systems should give one considerable pause. Fraudulant and duplicate entries would be common, and could pose enormous problems and risks. Imagine you get added to the database under someone else's name, to fraudulently obtain health insurance coverage, or are a duplicate name and date of birth with another person. You are severely allergic to penicillin, and your alias or name clone is not, and you end up dead from an anaphylactic reaction, after receiving it while unconcious in an emergency room. Who's responsible? And could hackers or terrorists wreak health havoc by gaining entry to the system? If the Pentagon and banking system can be hacked, the health care databases will be no less vulnerable to cyberterrorism.

And who gets to access your personal health information - a treating doctor, presumably, but let's say you just fired him or her and don't want him accessing your information any longer - can you block access to specific providers? Insurance companies? Hospitals? Lawyers? Government agencies, such as Medicare, Medicaid, workman's compensation?

Then consider the problem of partial information access - for example, information about substance abuse or mental health issues. Such information is generally held to a higher standard of privacy than general medical information in many states. Can you allow the doctor at your company to know about your diabetes, while not revealing your history of bipolar disorder, or substance abuse? The complexities of who gets access to which information are daunting, so say the least.

bullet Database Updates and Accuracy: Who gets to add, edit and delete information from your medical history database? Can your naturopath make an entry about weak adrenals or body toxins? How about your dentist, or pharmacist, or massage therapist? Anyone who has taken a medical history knows that a patient history can be devilishly difficult to obtain with accuracy: prior surgeries and their dates, medications and dosages, allergies, family history - can vary wildly from one provider to another, or from alternative sources such as family or old medical records. What about medical differences of opinion? Dr Jones thinks you have chronic fatigue syndrome, while Dr. Smith is convinced you're a neurotic hypochondriac. And Dr. Johnson understood you to say you had a history of uterine cancer, when you actually had fibroids. But the cancer diagnosis is now in you database. Who is authorized to change that information?

bullet Database Currency: How up-to-date is the information in the centralized database? To maintain patient medical data currency, the system would have to be universally accessible and ubiquitous in utilization. Ol' Doc Watson, who still writes his chart notes in longhand and doesn't own a computer, isn't likely to enter your severe reaction to his prescribed medication, or log the highly-contagious disease you've acquired, onto the database servers at the Health Information Agency. And, by the way, who will manage this database - government? private companies? insurance carriers? Microsoft? Will it be as reliable as, say, Windows?

The downsides of such centralization of medical information vastly outweight the benefits, in my opinion. And is universal access to medical information really needed? The vast majority of health information is communicated at the local level, within the community where the patient lives, or occasionally to nearby regional medical centers. Rather than compromise privacy and information integrity with a massive centralized medical database and implanted patient RFID chips, it would be far more useful to focus efforts on standardization of information management at the local levels, with policies to encourage the use of standard terminology, communication technologies and protocols (such as XML web services and SOAP), while maintaining the flexibility, security, and privacy of the current decentralized medical information system.