Carin Alliance
This week I am talking to Ryan Howells, Principal at Leavitt Partners and a Healthcare technology specialist and focus on the and also the program manager of the Carin Alliance that is trying to get more data into the hands of patients and building on a multitude of interoperability programs.
We discuss the early challenges they had that found some Data Privacy Officer pushing back and created an uphill struggle to persuade them and all concerned that this was being done in a secure and privacy centric fashion. Ryan reveals one fo the little known facts about customer data governed by the FTC that allows companies to use data in ways the individual might do the consumer harm, but this is acceptable as long as they declare this intention in their user agreement (you know those multi page documents you are to every tim you sign on and use an application). Moving into the healthcare domain requires a more consistent and patient centered approach that applies the principle of do no harm.
We discuss the use of best practices and how they managed to get multiple parties to participate and buy in to a code of conduct that they developed by taking the best parts of existing legislation in other areas and even countries. Their overriding principle boils down to this
“at its core, the current code of conduct essentially says, an individual must consent to the use of data and the sharing of their information across systems, and this third party app has to act in my best interest, and that third party app also needs to ensure that any downstream application that uses this data is held to the same standard that the initial app has actually been held to.”
You can find apps and companies that comply with this at MyHealthApplication that has links to all the companies that have signed up and comply with the certification framework for the code of conduct.
How did they achieve this incredible consensus – as Ryan describes it building consensus is hard as Gov Mike Leavitt discovered so he wrote a book on this: Finding allies and building alliances which forms much of the approach they take to creating consensus. Their Incremental point was to highlight the fact that all the participants have a common pain and used this as the anchor point to get buy in
Its an Identifier not an Identity
Listen in to hear Ryan share details of their new Digital Membership ID card that authenticates individuals and creates an identifier (not an identity), how that trust is created and enforced and the way in which companies compete in this new world (hint – Apps are now competing on their privacy, compliance, and consent) and the key points in creating a Digital ID that includes equitable access, protection of the most vulnerable and solutions and IDs that allow the individual control of data, and the important work of the Vaccine Credential Initiative.
Listen live at 4:00 AM, 12:00 Noon or 8:00 PM ET, Monday through Friday for the next week at HealthcareNOW Radio. After that, you can listen on demand (See podcast information below.) Join the conversation on Twitter at #TheIncrementalist.
Listen along on HealthcareNowRadio or on SoundCloud
Raw Transcript
Nick van Terheyden
And today, I’m delighted to be joined by Ryan house. He’s a principal at Leavitt partners, but also the program manager for the Karen Alliance, and part of the vaccination credentialing initiative for verifiable health data.
Ryan, thanks
Nick van Terheyden
for joining me today.
Ryan Howells
Thanks for having me, Nick.
Nick van Terheyden
So help the listeners understand a little bit about you your background, how you came to this role. And you know, some of your history that sort of relevant to all of this.
Sure, happy to next. So my background is all really in healthcare technology worked for consulting companies work for startups, vendors, organizations, health plans, and others, and came to live with partners about five years ago, where we focused exclusively on items of national importance that were a policy, convening some type of a best practice around the industry coming together as a public private partnership could actually help. And so one of the big projects we started about five years ago now was the Karen Alliance. And the Karen Alliance is focused exclusively on business to consumer data exchange, how do we get more data health data, personally identifiable health data in the hands of individual patients, members, consumers individuals at scale? And how do we build on this infrastructure of fire API’s to 21st Century Cures initiated as well as all of the O and C and CMS interoperability rules? And what does that a new future start to look like?
Nick van Terheyden
And we’re actually in a little bit of a new age at this point, we’ve had new regulations that sort of try and address the whole concept of inflammation blocking. You know, this is certainly my experience, this is a long journey to try and get data out to the patients, you know, lots of resistance, some for economics, some for other principles, you know, occasionally technical. Tell us a little bit about, you know, the heritage of the current Alliance, how it came about, and you know, what you’ve done to date?
Yeah. So when we first started, we started talking about this idea that an individual patient could use an app of their choice to then be able to access their health information from any health system in the country, because we started on the clinical side, as a country with 21st Century Cures and some of the lnc policies that were out there. And then we’ve moved now to the to the health plan side. But when we did that, Nick, we had these first initial conversations, there were chief privacy officers literally running out of the room, they’re just absolutely saying there is no way not on my watch, it will never happen. We were in the hallways trying to calm people down, Nick saying, Listen, it’s okay. It’s been done in other industries, we can do it here, we can protect the data, we’re going to do it in a way that is consistent with the privacy best practices of current day, not of HIPAA, you know, 20 plus years ago. But we’re going to build on that we’re going to build on HIPAA, we’re going to build on CCD sec, pa in California GDPR, around the country around the globe, like we’re going to take and HIPAA as well, all of those best practices, and we’re going to create an ecosystem now that harnesses all of those. And so in that kind of, as big as to go to start, we kind of now came to this idea of not only do we have an infrastructure now on the clinical side with EHR vendors that actually support an ability for apps to actually connect access to this information. But as of July 1, every major payer in the country that’s a CMS payer, including all the state Medicaid agencies are also going to have that same fire API infrastructure where apps can come in, they can register, they can get independently certified as an option there. And then they can actually the consumer can actually direct their data from any clinical or health plan data source. So now they have a full picture of not only the clinical information about themselves, but also how it affects their pocketbook, what their out of pocket costs look like. whether or not their health plan is going to cover their specific treatment protocols. That is certainly transformative, especially when you get into folks with chronic conditions.
Nick van Terheyden
So it sounds fantastic from a patient perspective. You know, I think I I recognize the experience that you described with privacy officers sort of bristling at the concept. If you think back to the early days, what were some of the insights or or perhaps some of the suggestions or directions that you’re able to take to overcome that resistance? Because my sense of it is that still exists, I imagine you can still find folks that would run out of the room, hearing some of this, how did you overcome that? What what helped in that process?
So it does definitely still exists, Nick, and it’s in, it’s still a big issue. And it’s still something that we are tackling, I would not say that we have solved it in any sense of the word. But we’ve made a lot of good progress. So I think one of the first one of the first things we tackled Nick is we said, what we’re really talking about here is data moving between regulated environment. So data that’s moving from the HIPAA regulated environment, to the FTC regulated environment, which Oh, by the way, most of your health data is in only rephrase that most of your data, or overall consumer data, whether it’s energy data, or financial data, or other data is in that FTC regulated environment. Now, basically, what the FTC says, and I’m grossly oversimplifying here is under section five A of the FTC act, it says do no harm to the consumer. And the FTC is going to go and enforce the terms and conditions of the privacy policy and the terms that are in the app itself. So if the app says I’m going to do nefarious things with your data, as long as they do nefarious things, then the FTC says it’s okay.
Nick van Terheyden
Now, if you declare that you’re going to do nasty stuff, that’s okay.
That’s absolutely okay. As long as you stated in your privacy policy terms and conditions.
Nick van Terheyden
Why do you mean on page 5757? That
no one reads Nick that absolutely no, but that’s exactly right. Well, of course, that’s never going to work in healthcare, right, there’s just no way that that’s ever going to work. And nor should it work in healthcare, or, frankly, any other industry. Well, the only exception to that is a situation where the industry has come together, and agreed on a code of conduct some type of set of principles or best practices around how that data should be used, managed, and accessed by consumers, and how the app should handle that. So that’s what we said we needed to start with, if we in order for the FTC to ensure that they can enforce this code of conduct, we had to agree on what that code actually is. And so we brought a number of multi sector stakeholders together, there were over 60 organizations, individuals, patient advocacy organizations, and others that came together and said, you know, let’s agree on the set of best practices or principles for how to handle the data. And again, what we did is we took the best of HIPAA, we took the best of ccpa, best of GDPR, and put them all together and said, Here are the set of principles. And what we did is we actually raised the bar we felt in terms of privacy and security and consent. And at its core, the current code of conduct essentially says, an individual must consent to the use of data and the sharing of their information across systems. And this third party app has to act in my best interest. And that third party app also needs to ensure that any downstream application that uses this data is held to the same standard that the initial app has actually been held to. And what we have found Nick, which has been phenomenal, and we’re humbled by it is that the industry has adopted this at scale. Health Plans are actually using this today, we have a website called my help application calm that actually lists all the websites that have attested to this code of conduct. We actually even have a certification infrastructure now where there’s a group called ynap, that does this certification for HIPAA today, that actually, Lee and his team has been able to create a certification framework around the code of conduct. So we’re starting to build this ecosystem, and it’s very nascent stages at this point of how these apps that are currently not covered by HIPAA should protect the data and the Code of Conduct is foundational for that.
Nick van Terheyden
So I’ve got to go back. And I think, you know, foundational sort of incremental point in my mind is, you know, creating that sort of consensus opinion. But I got to ask, how did you get 60 people with highly different views and opinions coming from, you know, provider? patient, you described all of these groups? How did you get them? I’m assuming they’ve agreed, right? This code of conduct is agreed and everybody signed up to it.
It is Well, we certainly started with those 60 plus organizations and individuals, but then we extended it out for public comments. So we got a bunch of public comments on this too, because we wanted the you know, the input Every one in the healthcare community to relate and we got some great feedback there, too, I would say that the process of consensus building is super hard. Leavitt partners does have a framework for how to do that Governor Levitt actually wrote a book called finding allies and building alliances, which actually really lays out a framework for how he did this in the federal government. And then how we’re doing this now we run about 30 of these alliances a year neck and each one of these alliances are very different. Some are very short term, some are longer term like Karen. But this process of consensus building has to do with at its foundation, we have a common pain, and the common pain that each of these individual healthcare entities and organizations felt was, at least at the time 21st Century Cures requires us to actually create API’s to provide app based access. So we know that this is coming. And we know that these rules are going to require us to do that. And so what we did is we started with that common pain. And that was a pain felt because they didn’t know how they were going to do that. And they recognize that if they could come together and develop a consensus approach for how they wanted to handle that, that would be better than each individual organization trying to do that on their own. And that’s really where we started from.
Nick van Terheyden
Interesting. So finding the common area of challenge and getting people to coalesce around that file, let’s call it was sort of Central plus, obviously, the insights to be able to navigate that that, you know, allowed you. So now you’ve got consensus, you have a standard, you know, best practices, you’ve got all of these people. Tell us a little bit about what’s happening. You’ve got, you know, a number of folks signed up sounds like we haven’t got enough yet. We’ve got to get more. How’s that going? Any experiences from that that you can share?
Yeah, so it’s been great. So since that initial forming and the forming of the code itself, you know, we’ve seen that being adopted in production. As part of that process, you know, obviously, the OMC interoperability rule came out. And then what happened is the CMS interoperability came rule rule came out. And then so all the payer community said, Well, what is this thing about app registration? And what is this thing about, you know, moving regulatory environments? So they all started coming in? What is fire mean? Like, how do you spell it right? Like, there’s all these conversations around that. And and so we brought the payer community online with where the provider community was, as well as a whole bunch of other different what they call HL seven fire accelerator programs, where the industry was really driving the standards development process. And so the other things that we’ve accomplished, we’ve developed what’s called the Karen ID for blue button, which is all of your explanation of benefit information, all your claims data, that’s actually involved at the health plan level, CMS did that back in 2018, we developed an implementation guide, ran through the standards process with an HL seven and partnered with them, there’s now an HL seven st one guide to make that happen, that’s being implemented at scale all around the country. And so apps can now have a standardized way to access this data through an API based on that implementation guide, we’re going to have dental and vision claims in the near future, we’re also working on another implementation guide around a digital membership ID card. So just like we do in the physical world, now you provide them your ID card, they get that information, that health plan runs an eligibility check on you, and then they can provide you with additional data, same things gonna happen in the digital world, now you can provide a digital representation of your ID card, give it to your provider, that provider then and or that payer can actually then send you back information accordingly. That helps us, you know, advanced the idea of how do we start to liquidate some of that data exchange when an individual makes that request. And then we’re making we’re doing a lot of work in the digital identity space to neck, which happy to talk about as well.
Nick van Terheyden
Um, so before we get to that, let’s talk a little bit about, you know, the the bringing of all of this together. You talk about the standards, and the overall sort of requirement to have downstream apps comply with this. One of the push backs that I hear frequently is, okay, that’s all great. But how is all of that being enforced? Because we know there are bad actors out there, unfortunately. And they tend to muddy the water for many who have good intentions. How are you dealing with that?
Yeah, so getting a little bit more detailed at its core is what we call the app registration process. So this is the ability for an app to come to a data source and go through some type of a process associated with ultimately getting what’s called Client OAuth secret. And when they get that secret, what that does is it allows them to then use the individual members username and password that they have actually authenticated with, through smart on fire from the app to then authenticate the user in using the app and then being able to get the data out. Well, that app registration process, Nick, right now, is certainly manual. There’s different ways to do that. We’ll be publishing a little bit later this year, some best practices on how that actually operates. But what’s great about that, is that right now, there is an ad, there is an ability for apps to self attest that they’re following the Karen code of conduct. According to the CMS rule, and the UNC rule, any app can connect, but there is going to be one, there’s going to be want to be some member education around the apps that are adhering to a higher standard versus those that potentially may not be. And even though an individual member can choose any app they want, or they could choose no app at all, they could just actually access the data themselves. And say I have I want access to this. And here’s the form and format that I request. But if they decide to use an app, they can be able to go through that. And then we’re working on some technology mechanisms to say, for example, the carrot Alliance or someone else could actually submit some type of a token that says a job token that says, hey, look, they’ve actually signed the code of conduct, we can attest that they’ve signed it. So digitally, they can know any of these data endpoints to know that they’ve been, they’ve attested to that. And ultimately, we have the certification framework now to they can say, look, they’ve also been certified by a third party. So what that does is it starts to create this ecosystem of trust, right? You know, and an app that is formed in a garage potentially, would be treated a little bit differently than an app that is connected to CMS and the Veterans Administration, and Humana and Cigna and CVS, health and others, that that kind of ecosystem of trust starts to start to be developed because we start to have these core components that can build that out.
Nick van Terheyden
So for those of you just joining, I’m Dr. Nick, the incrementalist and today I’m talking to Ryan, house principal at Leavitt partners, we’re talking about the Karen Alliance and the innovation, the connectivity that sort of arisen as a result of bringing this group together under a sort of common pain as you described it, we were just talking about enforcement. And, you know, the ability for individuals to come and access this data. As you sort of roll this out, bring other people on, you obviously have to start to scale this automated. You know, trust is an incredibly important thing. How do you maintain that whilst you sort of allow for the broader expansion? What are you thinking about that?
Yeah, so trusted enforcement, let’s take those together. I think on the enforcement side, you know, now that the FTC, you know, we have this code of conduct, the FTC can start to enforce that both for apps that have attested, but even for apps that have not attested to, there’s some ability to enforce that. In addition, there’s private sector enforcement too. And what I mean by that is, you know, this is a small community now, and I’d say small healthcare super large. But as far as the folks that are actually involved in and coding this out, you know, it’s a pretty small community. And, and these apps are starting to compete based on privacy and security and consent. You know, people think it’s nefarious, but most of the folks that are building these apps are all have healthcare background, and they’re saying, you know, we don’t need to get high trust certified, but we’re going to go do it anyway, you know, we’re going to make sure that the data is super secure, because they realize if they lose the trust of the consumer, they don’t have a business. And so many of them are running out, getting certified, getting, making sure that they are a trusted end point. And so to your point, Nick, you know, how do you build that trust ecosystem out? You’re gonna see this evolve over time. But I think what you’re seeing is that it’s still a very small community, we believe there’s only roughly 60 apps in production that have actually connected to a fire API. So we’re not talking 10s of 1000s, right. And given we now have this real, this infrastructure that has been starting to build out, we can start to say if there becomes 10s of 1000s, we can follow a similar approach with all of these apps going forward.
Nick van Terheyden
Fantastic. So you You teased a little bit and I think, you know, highly relevant to what’s going on around vaccination. But, you know, there’s this issue of verification of identity. You know, we have some challenges, you know, you talked about a digital ID, it’s, it’s interesting to me that, you know, we don’t have such a thing, or at least not in general. Use, you know, the current form is, you know, your picture ID which anybody that has college age children and knows what the hell they’re doing now. Those that those IDs are not quite as perfect as people think just to be clear, so tell us a little bit about the digital ID
Sure. So, um, you know, other countries, other industries, this is not a new concept, but certainly us healthcare, this is definitely a new concept. And here’s the current, you know, idea or or paradigm in US healthcare. Number one, it’s kind of like Waiting for Godot, right, we’re all waiting for a national patient identifier that’s going to solve all our problems, right? That’s kind of number one, which is not a whether it happens or not, I’m not here to argue one way or the other. But I would say that’s not solving our problem, because that’s what’s called an identifier, not an identity. And I’ll explain the difference here in a second. The second thing is that we treat identity as an organizational level issue, right? Every time I go to a new organization, or new health plan, or new provider, I’m reestablishing my identity with them. And then now I have all these multiple identities and usernames and passwords, I have no idea what they are, well, we’ve totally flipped that model around Nick and said, you know, what, I have my own identity, I’m my own individual, I need to create my digital identity, one time, it needs to be trusted, similar to how I do, you know, in the physical world today, and then I can be able to use that or federate that across multiple different endpoints. And there’s standards out there that allow for this to happen. It’s what’s called the NIST 863 dash three for the nerds out there that want to read some standards related material that and we’re promoting the use, and so is the O and C have an identity assurance, level two and authenticator, assurance level two, what does all that mean? It means that I, as an individual, can now establish my identity, using multiple trusted identifiers, that could include my driver’s license information, my passport information, all of those things related to it. And all of that kind of makes up my digital identity itself. And then I can start to federate that across systems. So we’re building an infrastructure to make that happen, as well as a federation approach in healthcare.
Nick van Terheyden
So, you know, that lots of practical challenges of the sea resistance, you know, you’re tracking the, I’m sure you sort of thought about all of those, you’re handling all of that. Any thoughts before we sort of run out of time as to how people can think about this, to be more accepting that this isn’t just another, you know, nefarious project to sort of track? Because I’m sure people are going to go, not everybody thinks this way. But there are certainly some,
yeah, no, it’s a great point. So one, it’s got to be equitable, right? Whether you have a government issued ID or you don’t, you’ve got to find a way to make sure everyone’s included in this. Number two, you’ve got to protect the most vulnerable, absolutely. Number three, it has to be person centric, and person consented, right. So you’re, you’re not going to use trackable sources of where you’ve logged in or how you’ve logged in. It’s an actually identifier, as a digital identity that you have you control. And it may be established through an identity provider, there are many that are out there, and then the ability for then you to be able to use that across multiple systems. But all of that is all consent based, and you’re the one who control that. So it’s all it’s all part of that ecosystem that we’re developing. But it’s absolutely privacy first by design.
Nick van Terheyden
You know, that’s really interesting, I think you sort of hit the majority of the points. And just to be clear, so that everybody understands all of that’s built into the standard.
Right, that? Well, the NIST standard itself actually outlines the ability for identity proofing individuals, and then the ecosystem that we’re developing will and the Federation environment that we’re building will actually promote the use of that privacy by design approach.
Nick van Terheyden
So I’m going to go out on a limb here and say there’s potential for using this for vaccine concerns and, you know, put to one side where the vaccine mandates, you know, not jumping into that. But just the ability to say this really is the person that received the vaccine, there’s an opportunity to sort of tie that all together effectively.
Absolutely. There’s an opportunity for that. There’s also an opportunity to digitally sign the data so that we can avoid fraud, right. So we’re using in that other initiative that we mentioned before, the W three C’s verifiable credential, sand standard to digitally sign the data. So I know for certain that the data came from the Mayo Clinic that is important for a whole set of use cases that we don’t have time to get into now, but that we’re building out that ecosystem with a number of EHR partners, as well as a number of national pharmacies and others, which will help to be able to build trust in the ecosystem, both b2b and b2c.
Nick van Terheyden
Wow, that’s really interesting. I can’t think of one group that’s really going to be upset about that. That’s college aged students for all Right. I know So, um, all right. Well, as usual, unfortunately, we’ve run out of time, but really fantastic progress, I think very exciting. We’ll put notes together, including links to the current Alliance. And, you know, the website that you mentioned, my health application. Just remains for me to thank you for joining me. It’s been a fascinating conversation. Ryan. Thanks for joining me on the show today.
Thanks, Nick. It’s been a pleasure.
