by pfletcherhill 3601 days ago
Hi all—this is Paul, I'm a co-founder at PatientBank. We gather medical records online. Feel free to send any questions, comments, or feedback my way. My co-founders and I will be around ready to answer!
8 comments

How do you handle authentication and authorization? Suppose I have a nefarious enemy who attempts to use your service to obtain my medical records so he can poison me or embarrass me or something. How does he fail?
We make it really easy to request medical records, but we also verify requesters' identity before allowing them to view medical records we collect. We actually use an awesome YC company called BlockScore to handle a lot of that (https://blockscore.com/)!
"BlockScore complies with the US-EU Safe Harbor Framework and US-Swiss Safe Harbor Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland"

This Safe Harbor Framework?: https://techcrunch.com/2015/10/06/europes-top-court-strikes-...

I wasn't really able to get the details on that page, but it seems like they do verification by checking personal information like name, birthday and address against a database and ask a few multiple choice questions related to them. How is that not easy to circumvent if the attacker has that set of information? (can probably be obtained by a social attack on the victim's bank)

I'm assuming there's something I missed there.

I don't think there is. Knowledge-based authentication is extremely vulnerable to identity theft.
In addition to identity verification, there are two more things we do to protect the privacy of our patients!

1) If the electronic signature on a given request doesn't match the name of the patient, we make sure that the patients are who they say they are before moving on with gathering the medical records.

2) If one tries to sign up on behalf of another patient, we require a Power of Attorney (POA) document!

Hope this answers your question!

1) What are you using to create the signature? How can you guarantee that the attacker can't create the matching signature?

2) How do you know they're trying to do that if they don't tell you? Your scenario looks like a regular situation, not an attack.

I love how y'all seem to be using lots of other YC companies to get the job done. Seems like a great service you provide!
Absolutely! YC has been a huge help. Thanks for the feedback!
It appears that PatientBank acts as a decentralized medical records/Release of Information office that may communicate with a number of physicians and hospitals. I'm curious though, how are you collecting the medical records? Are these interfaced directly from EHRs, or some other method? Do you handle releasing to 3rd parties (legal, etc); the article seems to hint that it's directly to patients and immediate family. Lastly, when a patient has shared their records with a new physician via PatientBank, is there any functionality for exporting these records into the physician's organization's EHR? Or will relevant data need to be manually copied into the new chart?
Great questions! So while the way a user orders medical records on PatientBank is the same across all U.S. hospitals, we have 5-6 different ways hospitals can fulfill those orders. These vary from fax or even snail mail to integrations. We actually opened up a lot of our performance data from hospitals here, if you're interested: https://www.patientbank.us/stats/about!
About exporting the data we gather to a new PHR and integrating the new information to patient's existing chart:

There seem to be a couple of options!

1) Once we gather your records, we will work on creating a shareable summary of your health history. In that case, the physician can look at that summary via our web portal.

2) In many cases, most EHRs support the upload of PDFs. So, the documents you share can be "integrated" to hospital's EHR. This already happens in large hospital networks when hospitals gather medical records on behalf of patients before their appointments! When hospitals receive the records via fax or mail, they scan the pages to the EHR. Obviously, in the future, easier ways to export data (via EHR integrations) could be extremely valuable to patients and physicians!

In general most providers are never going to read through a bunch of scanned pages exported from another provider's chart. They just don't have enough time.
What's your business model? I think this should be clear from the start.
Good question! We charge a flat fee for each medical record we gather. So whoever is requesting the record pays for it.

We can certainly work on making that clearer up front though—thanks for the feedback!

Are you worried about the consolidation going on among hospitals, i.e., the fact that it seems like hospitals are becoming part of a group and thus end up having unified medical record systems?

For example, Palo Alto Medical Foundation has hospitals spread across the Bay Area. Some of the hospitals don't offer all the services but if you walk into a new branch for a specialized treatment, your new doctor will simply look up your old record or order it internally if they are not yet on the network.

Great point. We are seeing ongoing consolidation among hospitals and large physician groups. However, patients still deserve to have easy access to their own data. This is largely handled with patient portals that give patients access to some of your data. PatientBank gives you full control of your complete record, including information not necessarily located in your patient portals and information located in separate systems that do not communicate.
Can you tell us some about the technology you're using? I'm curious if a newfangled immutable database like datomic would be a good fit for medical records. Also, do you do any schema'ing besides what's provided by your database (JSON Schema/XML Schema/etc)?
Our data is primarily stored in postgres. We've looked into using Mongo to store FHIR-compliant documents, which is the newest standard (and best standard, IMO) proposed by HL7.

Haven't looked at that many immutable databases, but they seem interesting. Most of the time medical data does not require many writes (rarely are two doctors editing your record simultaneously), but the audit trail that datomic provides could be very useful as a built-in feature.

Hi Paul. I'd love to see your service take off. I've spent a few years in healthcare IT and think that the world would be a better place if you succeed.

With that said, there are a number of startups that have struggled with similar ideas. How are you different from, say, PicnicHealth?

Thanks for the kind words, tkiley! There are a number of great products out there to help people manage their medical data. But that's a big problem to tackle, and we're focused on one small piece of it—requesting medical records. In fact, our market often differs from folks who use a personal health record. Many of our users have been asked by their doctor, their insurance company, or a lawyer to gather and share their medical records and they just want help with that process.
I love this idea. I have been kicking it around myself. Glad to see caliber of team and execution on it. How much of a schlep is this currently? How automated is the product? Are you cold calling medical offices behind the scenes to collect on behalf of your users?
Awesome—excited to hear it! We have 5-6 different ways hospitals can respond to PatientBank orders for medical records right now. These range from fax or even snail mail to automated integrations—we do whatever it takes to help the hospitals comply. For the first few orders, some hospitals are slow to respond or skeptical, but we start seeing a significant behavior shift after 10-20 orders. You can check out hospitals' performance stats here: https://www.patientbank.us/stats/about.
Have you tried getting any records from the VA yet?
How does this integrate with popular EHRs? Most support this type of record sharing between each other and ways to share those records with the patient themselves.
We certainly plan to integrate more directly with EMRs in the future, but at the moment we just go through hospitals' medical records departments. We have 5-6 different ways hospitals can respond to our requests.

What we've optimized for is simplicity—while our process for getting medical records from hospital A may vary from our process with hospital B, we abstract all of that away and make the ordering process the same for all U.S. hospitals.

That is a massive undertaking...good luck.
Thanks mbesto - we appreciate your support :)