Fortunately, Dossia is not only in compliance with all applicable laws and regulations, but, having had to market our personal health record system through large employers, we have had to meet much more challenging security and privacy standards than our competitors, who market directly to consumers.  I am very familiar with exacting security and privacy standards from working inside a company that had to manage sensitive financial information for postal services and their customers because of our postage meter business.

In the last decade, my immersion in security and privacy issues increased exponentially for a variety of reasons:

• Pitney Bowes Management Services took on more large financial services and health services customers, and managed major functions like print and mail, which caused us to be exposed to a considerable amount of personally identifiable information.  Not surprisingly, our customers demanded security and privacy protection far in excess of what the law required.
• Pitney Bowes Management Services also became a major provider of mail and print services to more government agencies like the FBI, the U.S. House of Representatives, and the Justice Department, which had their own security standards.  After the 9/11 and anthrax bioterrorism events, these security standards became even more exacting.
• As Pitney Bowes expanded its reach into the consumer and small business customer space this past decade, we began accepting credit cards, which meant that we had to withstand the audits and scrutiny of the major credit card auditors for American Express, Mastercard, and Visa.

I learned a great deal about security and privacy.  Some of the most important insights that I take with me into my new assignment are the following:

• A system dependent on privacy and security is only as strong as its weakest link. Therefore, every system needs to be stress-tested at multiple points at all times, to make sure that there is not even a single point of weakness. Moreover, a system that is large, expensive, and highly secure in many places, but has more potential points of failure than a less expensive system in which there are fewer points of failure can actually be less safe. There is an optimal level of spending on security at any given time.
• The most frequent and, often, most serious security breaches do not occur because of technological flaws in a system, but because of human failures.  A private investigator and security Kevin Mitnick wrote a very insightful book some years ago called The Art of Deception, in which he made the point that he could find the most sensitive information about anyone from even the most secure system. For example, when he was retained by a party to a divorce proceeding to learn about the other party’s salary and benefits from an employer, he would pretend to represent the employer’s CEO and would demand payroll information on an individual from someone who should not have surrendered it.  He would play upon an employee’s fear of upsetting the CEO and that employee’s desire to be helpful and would get access to information that should not have been available to him.
• Closely related to the previous point, security and privacy systems have to be compatible with how individuals function within various processes.  If the process is made too cumbersome because of security protections, people who need to function more efficiently will find a way to work around or even disable security and privacy systems.  The ultimate goal is to maximize security and privacy, based on how people will use a system, not to achieve a theoretical maximum level that will not get achieved because people compromise a system.
• Maximizing security and privacy is not a one-time effort.  Those seeking to compromise systems keep improving their skills, so those protecting the systems have to keep improving their vigilance and the effectiveness of their efforts.
• Among members of the public, there are differences among people in their attitudes toward privacy.  There are also differences for a single individual in terms of privacy concerns relative to different categories of information.  A privacy policy and system needs to recognize that individuals will care differently about whether information is disclosed, to whom it is disclosed, when it is disclosed, and how the disclosure will take place.  To the degree that we secure informed consent from individuals, we also need to understand that individuals have diverse ways of locking in on the data that is relevant to them giving informed consent. We also need to be as upfront with people every time there is potential for their data to be shared, and to have a dialogue with them that gives them a reasonable opportunity to give an informed consent.  They should be aware of the risks of disclosure, but also the benefits to them, and should make a knowledgeable decision.
• There are cultural norms that privacy policies and procedures have to respect.  One example of this was the absurdly legalistic view that individuals could not be identified by their last name in a doctor’s office waiting room because of HIPPA privacy rules.  The theory was that other people would know who they were, and that having strangers hear their last name violated their privacy.  One day, I listened to a receptionist adhere to this rule by calling a black adult patient by his first name.  Many adult black people from an older generation feel that being called by their first name is insulting and disrespectful.  To many adults, including me, having a stranger address me by my first name is disrespectful and condescending.  Requiring doctor’s office employees to deal with strangers on a first name basis without getting their prior permission is stupid.
• No security system is ever invulnerable to breach as long as human beings have something to do with it.  The goal is to strive to have zero breaches, to minimize their seriousness, and to learn from them when they happen, so that they never happen again.

The Dossia team has done a superb job building an exceptionally secure personal health records platform.  I plan to improve it continuously.

In early 2009, the Obama Administration included significant funding in the ARRA stimulus legislation for the upgrading of medical records in physician offices, and directed the U.S. Department of Health and Human Services and the Federal Trade Commission to issue regulations, which would implement a transition process over a multi-year period.  Those regulations are largely in place and the legislation and regulations have enabled Dossia and the other players in the market, including Microsoft and Google, to get anchored in a relatively stable, coherent regulatory environment.

When many members of the public do not understand is the difference between electronic medical records, which a physician or hospital might maintain on their patients or a pharmacy, or insurance company might maintain on its customers, and a personal health record, which the patient or customer maintains on his or her own.  Even the Executive Branch of the federal government and members of Congress did not understand the difference when we started four years ago.

Many people ask us: why should a patient maintain a record separate from the records held by these other parties?  After all, could not the patient simply be given online access to these other records when he or she needs that access?  There are three big reasons why the Dossia founders, of which there are now ten companies, including Pitney Bowes, my old company, have invested in a separate personal health record business (although the founder employers’ only role is to give Dossia access to their employment base for marketing and enrollment purposes. The employers never have access to any individual or population health records.):

• The majority of Americans access more than one doctor, one pharmacy, one hospital, and one health plan.  Having your records scattered all over the place is not a good way of managing your own or your family’s health.  None of us who have to file an income tax return or manage our personal or household budgets would feel comfortable if we had to access relevant financial information in several record systems we did not control and could not consolidate.  Dossia is like Quicken in its goal of consolidating records from multiple and disconnected systems.
• To manage your health, getting records put together in one place is essential.  Bad health outcomes sometimes happen because individuals forget to tell a doctor or dentist that they have been taking a particular medication, or that they have a particular health history.  For example, something as simple as whether a person is taking a blood thinner medication for a cardio-vascular condition becomes very relevant for even the most routine surgical procedures.  Recently, I scheduled a minor surgical procedure to get a mole removed from my back, and was asked if I were taking a blood thinner.  Like most males over 45 years old, I am taking an aspirin tablet, which I was directed to stop taking a few days before and after the surgery, but, if I had been taking Plavix, Cumidin, or one of the more potent blood thinners (which, fortunately, I am not), the consequences of my physician not knowing about these medications could have been serious.
• Sometimes records get damaged, lost, or destroyed.  When we formed Dossia in late 2006, one of the first parts of the country that indicated an eventual interest in a portable patient-controlled record was New Orleans, since many paper and some electronic records were destroyed.  Many residents moved to Houston, Baton Rouge, and other cities but lost permanently any health records that had been in physicians’ offices, hospitals, or pharmacies in New Orleans.  Sometimes, hospitals have a policy of destroying certain records, like imaging tests, after many years of inactivity relative to a patient, simply because the electronic storage of that test is cumbersome and expensive.

Microsoft and Google are better known than Dossia in the personal health record space, but Dossia is different in four key respects:

• Dossia, as the agent for all of its users, secures all of the user population records and gets them downloaded from insurance plans, pharmacies, and providers.  This is called “pre-populating a record.”  Microsoft and Google depend on the user going to each separate data source and directing it to download health records to their “vaults.”  You can imagine how time-consuming and difficult it is to do that, and, as a result, despite their stronger name recognition, the Microsoft and Google vaults are not used actively by many who have signed up for them.
• Dossia’s model is to integrate with other employer-based health programs and benefits, including wellness and prevention programs, chronic disease programs, and health benefits and services.  Microsoft and Google have an excellent array of personal health applications, but they are stand-alone and they depend on the user’s ability to figure out how to integrate them in an overall health plan.
• Dossia has done the legal and conceptual work to allow it to have a single caregiver for a family to open up and manage the records for all the family members.  To our knowledge, no one else has this capability. The health care system is based on a model that each individual manages and controls his or her own health information, and, while I believe that works for most adults, there have always been three populations, children, the elderly, and people with certain kinds of disabilities, that need caregivers who have access to their health information.  One of the best uses of Dossia at our existing customers is the ability of mothers to manage the scheduling of immunizations and school physicals for their children.  Keeping track of who needs what shot at what time is challenging for busy parents.  Dossia helps solve that problem.  Microsoft and Google, like every other electronic health record, expect every individual to access his or her individual health record.
• Dossia has integrated medical and dental records, and, over time, will integrate records from a wide range of non-traditional health-related providers such as alternative and complementary medicine providers, nutritionists, fitness trainers, and behavioral health counselors.  The mistake lawmakers and public commentators make relative to health records is that they believe people have, or should have, a single primary care physician. The term “medical home” implies that there is a goal of having every patient get funneled to the same doctor for all purposes all of the time.  This is not the real world.  People change practitioners. People are mobile and get care whenever and wherever they need it, often far away from home. People seek care from alternative practitioners.  More and more people will access care from outside the United States, as they have been doing for a long time.  We had an emergency hospitalization for one of our children six years ago in Florence, Italy, when we were on vacation, and had voluminous and complex records, which we have no electronic medium in which to store.  Most electronic health record systems are what we call “tethered” to a particular doctor, hospital, or health plan.

Given the compelling value proposition for Dossia, why do we not have millions of users today?  There are many possible explanations, but I would suggest three primary reasons:

• Like every start-up business, it takes time to get customers comfortable with the offering.  In this environment, selling to users through employers has been challenging because of the bad economic environment from 2007 on, the uncertainty around the survival of employer-based health care during the pendency of the health care reform legislative debate, and the thinning out of HR and Benefits Departments, which has made large companies much less ambitious on health-related initiatives.
• In the early years, there was a great deal of uncertainty about privacy laws and regulations, which, thankfully, recent legislative and regulatory pronouncements have largely cleared up.  In our first rollout with a major company, 90% of the people who wanted to sign up were scared away by ominous-sounding privacy disclosures and consents, which were put in place to cover a wide range of possible legal risks, which turned out to be unfounded. From this point forward, we expect much easier sledding.
• The expected primary source of health-related information was the claims data from health insurance plan administrators.  This has been harder to secure because insurance companies are not organized to download member data in bulk to health record systems.  They are organized to feed that data to print-based systems to mail individual transaction data, through what is called an “explanation of benefits” statement, to an individual member.  They have attempted to direct members to the insurance plan’s own patient-specific portals, but, by their nature, these portals are incomplete representations of a person’s health history.

I am more optimistic than ever about the future of Dossia for three reasons:

• We have solved many of the technical, legal, operational, and communications problems that we confronted in our early days.  We have some very demanding customers, and have secured their trust.
• We have a more compelling set of applications than ever before, and we are continuing to develop partnerships with prestigious organizations like the Mayo Clinic, Healthways, and Vanguard Health, in addition to applications like the Healthcare Bluebook, which helps consumers select and price physician and other health-related services.  The usefulness of the record is increasingly good and will only improve.
• We have an increasingly large body of knowledge about the value proposition for personal health record systems like Dossia, and are reinforcing the value through continuous research.

More will follow as Dossia enters a most exciting time.  I am pleased to have the opportunity to be of service to our employer customers and those who use Dossia.

Recently, I re-read Michael Lewis’ great book Moneyball, which, on the surface, is a book about baseball, and, particularly about Billy Beane, the General Manager of the Oakland Athletics.

Lewis, who wrote books such as Liar’s Poker, Panic, and The Big Short, is clearly intrigued by fields of endeavor in which individuals succeed because they recognize the value of data when others are operating more by the seat of their pants.  Lewis described a baseball talent evaluation marketplace in which Billy Beane, who was obsessively driven by performance statistics, battled baseball scouts, managers, and coaches who tended to evaluate players based either on their visible physical and athletic skills or the performances these individuals observed.  As a result, when Beane overruled his organization and made decisions based on his statistical analyses, he tended to acquire undervalued talent and get a premium price when he disposed of overvalued talent.

Moneyball was a great book for many reasons, including its insights about how people trained and developed in a system in which a particular world view predominates have difficulty adapting to a different world view, even in the face of compelling facts.

However, what I picked up this time was how a handful of dedicated baseball fans, many of whom were engineers, rose up against the power structure of Major League Baseball in the 1980’s to gather statistical data that so-called “experts” had never collected.  For example, Lewis described Project Scoresheet, an informal baseball fan-based data collection system managed by a writer named Bill James, who wrote a series of books called Bill James’ Baseball Abstracts.

For example, James and the Project Scoresheet fans understood that, while it is clearly relevant in evaluating hitters to collect data enabling fans and teams to calculate batting average, determining where each hit was placed was valuable supplementary data, because it enabled talent evaluators to determine whether a player’s pattern of hitting would work across a wide variety of Major League Baseball fields, given their non-uniform dimensions.

However, what Lewis reported is that not only did Major League Baseball not capture some extremely relevant performance data, it was uncooperative in sharing the information it collected.  Lewis commented that it seemed absurd that, for an event for which individuals paid varying amounts of money to watch, they could not access the data that described that event.

There is a parallel to the health care industry.  Government agencies and others who pay for the health care we receive, whether it is a large employer or a large insurance company, get a great deal of data about our health care transactions.  The hospitals, clinics, and, sometimes, the medical practices we patronize, also collect a lot of data as well. What they share with us, however, is delayed, incomplete, sometimes inaccurate, and not provided to us in a user-friendly form.

I chair a personal, patient-controlled, portable, private, secure health record company called Dossia, based in Cambridge, MA.  When this initiative was started four years ago, the founders, one of which was Pitney Bowes, could not have imagined how difficult it would be to get some health care providers and insurance companies to give our participants, the employees who participate in employer health plans, the health data that had been collected as a result of their health care system encounters. Insurance companies report individual transactional data to patients with the same kind of obscure coding that health care providers and some government administrators use for their multiple purposes, not of which are centered around the needs of patients.

Moreover, this data is shared with us in paper form when we receive an Explanation of Benefis, or the EOB.  This EOB is not particularly helpful to someone who is not a health care professional in terms of explaining to us what happened when we visited the doctor.  While many insurance companies and some integrated health plans and payers like Kaiser-Permanente have made their electronic health records accessible to patients, these records are only usable when a patient is part of that health care system or health plan.  Moreover, the data that originates from health care encounters outside the system does not get captured.

For example, since Kaiser-Permanente is in seven states, if you were a Kaiser member who needed to consult a physician in New York or Connecticut when traveling there, you would have to consult with a physician unconnected to the Kaiser system.  It is not automatic that the transaction record will become part of the Kaiser record.

Similarly, if you moved from California, in which Kaiser is licensed to do business, to a state in which it is not, your record would not follow you.  The onus would be on you rather than Kaiser to get a copy of that record.

The same issue exists with respect to insurance plans.  Insurers and third-party administrators all have electronic health records usable when you are in their health plan or when you make a claim they process from an out-of-network encounter. However, they do not capture pharmacy, behavioral health, or other health data from a system they do not administer if an employer carves out a piece of its benefits program to be administered by a different benefits manager.

At Pitney Bowes, multiple insurance companies share the benefits management for the medical claims, but the company has a separate pharmacy benefits manager, and behavioral health services provider.  None of the insurance companies would include the pharmacy and behavioral health events in their electronic health records.

That is why ten companies, including Pitney Bowes, started Dossia and continue to build its capabilities.  The record is electronic and may not even have as much clinical data capability as Kaiser’s record or those of the different insurance plans, but it has four huge advantages in terms of its capabilities:

• It can be comprehensive, pulling in data from all different sources, including biometric data from the patient’s daily activities;
• It is portable, meaning that it will not stay with the plan or clinical care provider that owns it.  This is a patient-controlled record.
• It is designed to be easy for patients to use.  Clinical electronic health records, as well as insurance-centric records, were designed for the benefit of clinicians and to help insurance companies and health care providers manage relationships with payers, not for ease of use by patients.  I do not blame them for this; the systems were created for different purposes and are hard to retrofit for patient use.
• It is designed to be usable by the caregiver for a family.  Clinical and insurance records treat every patient or plan member as if he or she were unconnected to any other patient or plan member. Dossia is designed to help the caregiver, usually a mother, sign on to the record, and get immediate access to all of the family’s health information, not just her own.

This is why I am passionate about doing what the baseball Project Scoresheet people did, with the help of Bill James, with respect to baseball records in the health records space.  Patients need to take control of their own information.  This information does not belong to the insurance companies or the health care providers.  It is a record of a part of our life, so we should own and control it, and get easy and free access to it in the way we want it, not the way the government, providers and insurance companies want to provide it to us.

The combination of cell phone cameras, the ability to upload digital images to web sites, and the broad reach of user-generated content on sites like YouTube and Facebook mean that all of us have the potential to live our entire lives out in the open, not unlike the lead character played by Jim Carrey in “The Truman Show” a few years back. Scott McNealy, the Chairman of Sun Microsystems, made the comment almost a decade ago that, with the Internet, there is no privacy and all of us need to get over it. He’s right.

What does that mean? I have always operated on the assumption that when I was CEO of Pitney Bowes, I am always playing the role of company leader even in my private life. Everything I say can be captured and broadly reported, and my conduct will reflect well or badly on the Company no matter where I am. I particularly notice this when I am going into the doughnut shop in my town at 6:30 am on a Saturday. Whatever I say to an acquaintance is public, whether I like it to be or not. Government officials in this country are in public 100% of the time, whether they want to be or not. Leaders of any large organization are in public at all times.

If something is public, it also generally has the ability to be permanently-recorded. As Senators Clinton, Obama, and McCain are discovering, whatever they have done in their lives never disappears. As a society, we need to ask ourselves whether the preoccupation with mistakes political candidates and other government officials have made years or even decades before discourages highly-qualified individuals from taking on public service. Likewise, for all of us, whatever we do or create is likely to be permanently recorded somewhere if someone had the will or ability to record it when it happened.

Our children need to understand that the silliness of whatever they posted on Facebook or some other web site will be with them at age 30, 40, 60, or even 80. How a future employer, peer, marriage partner, child, or even grandchild will understand their behaviors and what’s recorded about them is beyond control or prediction. We are moving into uncharted territory for which we are unprepared. In a blog entitled Myspace and Facebook = The New Background Check talks about new methods, via online social networks, which allow employers to screen potential candidates for hire. Further advising individuals to be aware of the information that they are posting on the internet that can then be accessed by anyone and can have negative implications on how you are perceived professionally.

All of us need the freedom to make silly or stupid mistakes at some points in our lives to learn how to make decisions as we get older. My daughter and I are big fans of the TV show Friends. In one episode, two of the male characters, Chandler and Ross, are looking back at a video taken of one of their conversations in the late 1980’s. They are dressed in the hot fashion of the times, the look popularized by the TV show Miami Vice

During the conversation, they are looking at clothes they used to wear even earlier and comment on how silly they “used to dress.” The implications of this episode are that we will have many more contemporaneous records of our silliest behaviors, and we will not be able to judge at the time how silly they will look years later.

We implicitly recognize that certain embarrassing behaviors need to be expunged from public records, such as arrests, and we are very careful to prevent non-serious criminal convictions from affecting our ability to get employment. I am deeply concerned about large portions of our society that cannot vote or hold many types of employment because they committed a non-serious crime as a young person, even if they have lived an exemplary life for a very long time since. I also am deeply concerned that, even if public records do not reflect what happened to someone as a young person, the private records will be ample and definitive for someone wanting to bypass restrictions on what is available in public records. In the online Washington Post article entitled “Every Click You Make”, sheds light on the debate concerning privacy issues on the internet, or lack thereof.

I do not have the answers to these difficult questions, but I know that we need to adjust our thinking about privacy, about how information is collected, but, most important of all, how it is used and evaluated years later. We need to teach our children enduring values, and to think about the future implications of what they are doing today. We have not yet come to terms with what Tim Russert and his colleagues correctly concluded.