Esther Dyson's PHI conference

I spent all day Friday, September 30, at the Personal Health Information workshop, hosted by Esther Dyson of Release 1.0, at the New School in New York City. It was interesting and a lot of fun.

I am a database guy, not a health systems guy. I signed up for the workshop mostly for mercenary reasons. My company makes data management tools; if there is some new work going on in the health field that will require a lot of new personal health information to be stored, then I figured I should find out about it. I learned a lot, so satisfied my main goal. More importantly, though, I came away with a better sense of where health delivery systems, at least in North America and most of Europe, are likely to go over the next decade.

A "Personal Health Record," or PHR, is a record that captures the interesting information about you and your medical history. It records, for example, allergies, medications that you take, current and past diseases or injuries, and information about any treatment you're receiveing, or have received. Obviously, a PHR is useful to a doctor who sees you for a normal checkup, or during a visit you make because you're sick or hurt. A PHR would be a tremendous advantage to emergency services personnel treating you for a serious injury if you're unconscious.

The conference attendees included a number of physicians, some practicing and some who had moved into public policy or entrepreneurial jobs. The strong concensus was the PHR is critical to the future of health services delivery. Several stated baldly that people are dying today because they get no care, or the wrong care, because doctors and EMTs don't know enough about their medical status or the medications they use.

I'm not a health services guy; I can't prove that claim. I do know that the understanding of, and treatments for, many diseases are getting more sophisticated. Drug interactions are increasingly complicated. The availability of individual genomic information, and a steadily increasing understanding of the genetic basis for many diseases, mean that future prevention and treatment will rely on a doctor's access to the actual nucleotide sequence for a patient.

Obviously, there are a lot of important social policy issues that need to be addressed in order to make PHRs work. An individual's right to privacy is one. At the same time, doctors and others need access to the record in emergencies. Insurance companies ought not to be able to deny coverage to someone based on the contents of his PHR.

Though no one at the workshop said so out loud, the PHR is just another form of digital identity. Much work has been done on building digital identity management systems already (see, for example, directory servers and the Liberty Alliance). The technical infrastructure for managing digital identity is already sophisticated. Granted, a PHR has more, and more complex, data (nucleotide sequences, medical images, lists of medications and dosage frequencies and more) than does the list of preferences you have for your Gmail account, but those differences are technical, not fundamental. We should expect to see early PHR systems build on the digital identity infrastructure already used to store and manage other kinds of identity.

There was a good deal of discussion at the workshop on who would store PHRs and where they would be kept. My bet is that there will never be a single central repository of patient identity; rather, your PHR will be broken into pieces, with each piece stored and owned by the person or organization who cares most about it. An insurance company and a patient are interested in different pieces of a PHR; ownership will split along organizational lines. A chronically ill patient under the ongoing care of a doctor needs much more frequent access to his rapidly-changing PHR than does a healthy patient who sees her doctor once a year; the chronically ill patient is likely to have much more control over his PHR.

Since PHRs need to be readily available, it's reasonable to assume that they will be on-line, protected by access restrictions and encryption. I expect that independent services will spring up to store and manage these records, or at least the parts of them that are of most concern to patients. I would not be surprised to see Google, or some competitor, offer this service. PHR is digital identity, and the big online service providers are good at managing digital identity.

Already there are analogues for the PHR. In the US, your insurance company knows a lot about your medical history, because it processes claims that doctors and hospitals make about treatments they provided to you. The insurance record concentrates on services, procedure codes, allowed fees and accounting for payments, but there is a lot of information there about you. Your doctor knows when you came in and what happened during your visits. Your pharmacist knows what drugs were prescribed for you, and what your dosage and course of treatment were. Not all of this information is in electronic form today, and tying it together is often impossible, but that will change.

The PHI workshop was exciting: New trends in computer and medical technology are driving us toward big distributed systems with important privacy and public policy issues that have to be solved. There are plenty of smart people working on this stuff; I bet that the demos at next year's workshop will be good.