mijnPGD: a design for a privacy-friendly and usable PHR SUBMITTED IN PARTIAL FULLFILLMENT FOR THE DEGREE OF MASTER OF SCIENCE
HENK VAN APPEVEN 9956409
MASTER INFORMATION STUDIES HUMAN-CENTERED MULTIMEDIA
FACULTY OF SCIENCE UNIVERSITY OF AMSTERDAM July 9, 2015
1st Supervisor
2nd Supervisor
Dr. Guido van 't Noordende
Dr. Frank Nack
ACKNOWLEDGEMENTS This master thesis research was made possible with the help and support of Paulien Melis of Waag Society and Guido van 't Noordende of UvA and Northend Systems. The contributions by Paulien and Guido were made possible through support of the COMMIT/project. Northend Systems is an Amsterdam-based start-up that develops Whitebox, a privacy-friendly system for the exchange of health information between health care professonials. I also would like to thank Oscar van Dijk, Lucien Engelen, Fatma Karapinar and Jan Kremer for sharing their professional insights on Personal Health Record Systems. Finally, I thank all the participants of the focus group, who provided me with the essential user perspective.
mijnPGD: a design for a privacy-friendly and usable PHR Henk van Appeven University of Amsterdam
[email protected] 1.! INTRODUCTION Over the past ten to fifteen years, medical professionals have increasingly moved from paper medical records to electronic health records (EHRs). This development has been pushed by governments across the Western world, who believe that the widespread use of linked electronic health records by health care professionals (HCPs) and institutions can reduce costs, improve care and make patients more mobile. To enable the exchange and integration of these electronic patient data, governments and health care providers have set up inter-connected electronic health record systems (iEHRs)1, which are designed to break the so-called ‘information silos’ that still characterize much of health care. Simultaneously, there has been a growing interest among patients, businesses and HCPs in personal health records (PHRs), which help patients take control over their own health data, and support self-management of health and care. Ideally, these PHRs are 'tethered' to the EHRs of their HCPs, thus enabling patients to gather their entire medical history in one place, and allowing them to share their data with the outside world. Typical examples are Microsoft's HealthVault, the governmentsponsored ehealth.gov.au-PHR in Australia, and Patiënt1 in the Netherlands. The Dutch Federation of Patients and Consumer Organisations in the Netherlands (NPCF) has joined forces with GPs and health insurance companies to make PHRs available to all patients in the Netherlands by 20202. The UK has similar plans for a nationwide connected PHR system by 20183. PHRs are believed to benefit both patients and HCPs, as they can contribute to the integrity of health data (e.g. medication verification), improve communication between patients and HCP (e.g. e-consults), and allow HCPs to access all kinds of interesting personal health data (e.g. from self-monitoring devices). In addition, these data, once aggregated and anonymized, are thought to be a ‘goldmine’ for research and policy. However, the digitization of health data and the exchange of these data between medical professionals, and between professionals and patients, raises all kinds of security and privacy concerns. This is especially critical for health data, which are generally seen as the most sensitive data people can have about themselves [Nissenbaum]. The principle of medical secrecy4 is potentially put at risk through the increasing use of inter-connected health data systems, especially if these systems use a centralized architecture (e.g. the Dutch LSP), or are based on commercial, cloud-based solutions (e.g. Microsoft’s Healthvault).
Consequently, even as PHRs claim to put patients in full control of their health data, this does not necessarily solve the privacy predicament surrounding electronic health records. Another challenge facing PHRs is the so-called “paradox of interest and adoption” [Nazi]. Whereas interest among patients in PHRs is generally high, adoption has so far been limited, due to usability problems, privacy fears and the perception that PHRs are linked to disease and illness. In this paper, we present a design for an interconnected personal health record system (iPHR) that aims to overcome these two challenges. It outlines the requirements for an iPHR that is privacy- and security-friendly, attractive and easy to use, and gives patients and citizens a more active role in the management of their health data.
2.! APPROACH AND OUTLINE To gain a better understanding of the requirements for a privacy- and user-friendly iPHR, we conducted extensive research, involving a literature study, expert interviews, a review of eight typical PHRs5 and a focus group session with (potential) users. In Chapters 3 to 6 we present the results of literature study, expert interviews6 (referenced by the interviewee names in italics), and PHR review. Together they provide the necessary context for a design of a privacy- and user-friendly iPHR. First, we introduce the concept of PHRs and explore the "paradox of interest and adoption". We then discuss the concept of privacy, key to any PHR design, from a philosophical, legal and technological perspective. We conclude this section by looking at the broader design and usability aspects of a PHR. In chapter 7 we present the results of the focus-group session, adding the perspective of real (potential) users to our study of PHRs. Based on these insights, we present our design of a privacyand user-friendly iPHR in chapter 8. We conclude by exploring possible implementation issues (9), an outline of future work (10), and a conclusion (11).
3.! PERSONAL HEALTH RECORDS 3.1! What is a PHR? There are numerous definitions of a Personal Health Records (PHRs)7. In this thesis we use the broad definition used by the Markle foundation in the United States8: "A PHR is an Internet-based set of tools that allows people to access and coordinate their lifelong health information and make
1
In the Netherlands, the Zorginfrastructuur is a good example. This centralized system channels patient data to other HCPs through a national switching point (LSP). 2 See http://tinyurl.com/pzcfdat 3 Source: http://tinyurl.com/puc98mk. Retrieved on 31 January 2015.
4 See principle 8 of the Hippocratic Oath: "What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to
myself, holding such things shameful to be spoken about." Source: http://www.pbs.org/wgbh/nova/body/hippocratic-oath-today.html 5
See Appendix I. See Appendix IX for a list of the interviewees. Interview transcripts are available on request. 7 See Pluut (2012) for an overview. 8 This definition is widely used in papers on the subject (e.g. [Kaelber, Pluut]), and also inspired the definition for PHRs adopted by the 6
appropriate parts of it available to those who need it. PHRs offer an integrated and comprehensive view of health information, including information people generate themselves, such as symptoms and medication use, information from doctors such as diagnoses and test results, and information from their pharmacies and insurance companies."
are available on the market10, both in market share, economic model, type and functionality, and design and usability. It also makes clear that there are widely different policies as far as security and privacy and sharing and access are concerned11.
It is common to distinguish three types of PHRs [Tang, Pluut, Kaelber, Kim]: •!
Standalone PHRs: These records are managed and controlled by the patient themselves, and have no connection with health records held by their GP, pharmacy or hospital.
•!
Tethered PHRs: These records are connected to a specific health care provider. A typical example would be a patient portal that is provided and managed by a hospital.
•!
Interconnected PHRs: These records are linked to a number of health care providers, and offer the patient an integrated view of their health care records, in addition to their own information.
Figure 2. PHR independence and complexity of eight PHRs12 The investigated PHRs also show varying degrees of 'interconnectedness' (see figure 2), according to the degree in which patients can share information and interact with more than one HCP. The survey suggests that giving patients full (automatic) access to their HCP records is still problematic, especially if this involves more than one provider. As figure 2 shows, the complexity of a PHR increases as the number of connections with providers grows. In fact, only one PHR, MijnUMC, gives full automatic access to HCP records. Not surprisingly, this is a patient portal tethered to a hospital13, which means it has only one connection.
3.3! Putting PHRs into context
Figure 1. An interconnected PHR9 It seems clear that the full potential of a PHR can only be realized if they become truly 'interconnected', because only then will patients have a full and comprehensive view of their health information [Kaelber, Krist, Tang]. In the present situation, personal health data are stored across various unconnected records (so-called ‘information silos’), which affects communication between HCPs and patients, and hampers patient health self management [Engelen, Karapinar, Kremer]. It also carries potential health risks, because it compromises the completeness and correctness of health data [Archer, Engelen, Karapinar]. This is especially true for medication, where the integrity of data is critically important [Staroselsky, Karapinar].
3.2! A survey of PHRs In Appendix I we give a detailed review of eight representative Personal Health Record systems. It shows the variety of PHRs that Federation of Patients and Consumer Organisations in the Netherlands (NPCF) [Bierma, Kool]. 9 Following this hub-and-spoke model, a stand-alone PHR would have no spokes at all, and a tethered PHR just one [Kaelber]. 10 The eight PHRs are deemed to be representative of the market. The selection includes Patient1 and Health Companion, the two PHRs which scored highest in reviews by NPCF. 11 More on privacy and security in chapter 5. 12 Based on [Tang].
PHR systems do not function in vacuum, nor of course does their design and implementation14. They operate in a particular context, with values, legal standards, financial motives, technology, and various stakeholders all playing their part. Appendix II gives an overview of all these aspects, and shows how they impact the design of a PHR15. It also lists the main benefits of a PHR, and describes the risks and challenges involved in their implementation. In the next three chapters we will discuss some of these issues in detail, focusing first on adoption and use, then on trust, privacy and security, and finally on design and usability.
4.! ADOPTION AND USE The uptake of PHRs among patients is still low, despite their widespread availability and the very high interest for PHRs shown in consumer research [Nazi, Kaelber, Kool]. In this chapter we explore this "paradox of interest and adoption" [Nazi], first by describing the current and future use of PHRs and then the crucial factors for adoption.
13 14
More on the various functionalities of PHRs in paragraph 6.2.
This paper adopts the holistic design approach advocated by [Van Gemert], which states that eHealth technologies can only be successful if they take into account issues of finance, management and technology throughout their design, implementation and evaluation. The importance of context in design is echoed by many other authors on PHRs [Archer, Pluut, Greenhalgh]. 15 This overview is based on the expert interviews (see Appendices IX, X and XI) and the literature review.
4.1! Current and future use of PHRs A number of recent studies among Dutch citizens [Gijsbers, RVZa, Van der Steen] show that only 2 to 10 per cent actually use a PHR. However, 60 to 70 percent say they would consider using a PHR in the future. A similar proportion wants to have access to the records held in their doctor's EHR. Clearly, there is a wide gulf between stated interest in PHRs and actual adoption and use. From international studies, we know that adoption and use of PHRs have so far been highest among people with disabilities and chronic conditions, frequent users of healthcare services, and people caring for elderly parents [Archer, Kool, Markle Foundation, Pluut]. This suggests that context is critical. Apparently, many people only start using use a PHR when there is a specific need, e.g. when they or their relative becomes ill or needs frequent care (like pregnant women or IVF patients) [Kool, Van der Steen]. This point is also made by several of the experts interviewed for this thesis. "A PHR is like fire insurance. You only need it when there's a fire", as Lucien Engelen of the REshape Center puts it.
ways. These include lofty values such as autonomy and empowerment [Pluut, Kool, Bierma, Engelen], personalization [Kremer] and prevention [Engelen], but also more practical benefits like improved health [Van Dijk], medicine verification [Karapinar, Van Dijk], better communication with their HCPs, and emergency access to patient data16 17. However, it's clear that perceived benefits are not sufficient to persuade people to actually use a PHR. As we have seen, environmental, personal, technological and health factors all come into play before patients decide to use a PHR and, more importantly, keep using it. Figure 318 shows the interplay of these various factors.
As far as the future potential of PHRs is concerned, some say that an adoption rate of 40 per cent is achievable, considering the ageing population in Western societies, the rise of chronic diseases and the growing interest in health self-management and selfmonitoring tools [Kool, Kremer, Karapinar, Engelen]. Whether this is realistic, remains to be seen. At present, stated interest in PHRs is highest among so-called ‘critical citizens’, who are generally more interested in healthy lifestyles and health selfmanagement, and have higher digital literacy [Gijsbers]. However, this group constitutes just 11 per cent of the population. It seems likely that significantly higher adoption rates are only possible if PHRs start to reach the pragmatic health care users, who account for 45 per cent of the population. However, at present they are less eager to adopt a PHR, either because they do not know about it or because they associate it with being ill [Gijsbers, Van der Steen]. This might imply a repositioning of the focus of PHRs from disease to health [Engelen, Kool, Krist]. Or, as Lucien Engelen puts it, “from cure to care, to prevention, to wellness”. Another critical factor is the digital divide that holds back adoption among the elderly, the less educated, ethnic minorities and people on lower incomes [Archer, Pluut]. This group is also more open to active promotion and support of PHRs by their HCPs [Gijsbers, Van der Steen]. However, the digital divide is expected to narrow once internet literacy and use among these groups grows [Engelen, Karapinar, Kremer, Van Dijk]. Finally, there is the matter of privacy and security. According to Gijsbers, about one in three consumers say they would only consider using a PHR if the security of their data is guaranteed. More on the barriers for adoption in the next paragraph.
4.2! Crucial factors for adoption Getting people to adopt and use a PHR, implies that they can see the benefits. PHRs are believed to help patients in a number of 16 17
For a full list, see Appendix II under ‘Benefits’ It should be noted that these are claimed benefits. There is surprisingly little high-qualitative and comprehensive research into the real impact of PHRs on patients, due to the relative novelty and limited adoption of the technology [Goldzweig, Pluut]. The limited research that is available, shows insufficient evidence of any real effects on either health outcomes or cost and efficiency [Archer, Goldzweig, Greenhalgh, Pluut]. However, there is some evidence to suggest that online access to HCP records improves safety through patients identifying errors in their medication list
Figure 3. Adoption model of PHRs, listing crucial factors Based on the literature [Archer, Kaelber, Kool, Logue, Pluut, Tang], the expert interviews and the views expressed by Dutch consumers [Gijsbers], we are able to distinguish eight crucial factors determining the adoption and use of a PHR: 1.! Do users have a specific health need, sufficient digital literacy and a preference for health self-management? 2.! Does the patient’s HCP promote and support use of the PHR? 3.! Does the PHR add something to the existing channels (relative advantage)? 4.! Is the information stored in the PHR safe and secure?19 5.! Is the PHR user-friendly?20 6.! Are users able to interact with the information stored in the PHR, e.g. by allowing them to make an appointment or share information with others?
[Mold]. In addition, several studies suggest that patients who use a PHR, especially those with a chronic condition, are satisfied with the service, and value the fact that they have access to more information [Archer, Mold Pluut]. 18 Based on the PHR adoption model of Logue et al. 19 20
More on privacy and security in chapter 5. More on usability in chapter 6.
7.! Does the PHR give access to the information stored in the HCP's EHR? 8.! Does the PHR allow for direct feedback from the HCP, e.g. through chats or e-consults? These factors are not equally important for all users. Some consumers care more about privacy and self-management, whereas digital literacy and active promotion by the HCP is more crucial for others [Gijsbers]. A full list of factors impacting the adoption of PHRs can be found in Appendix II (see under Challenges).
5.! PRIVACY AND SECURITY Health data are among the most sensitive information people hold about themselves, and the security and privacy of their data is obviously a concern when people decide to use a PHR [Gijsbers, Van der Steen, RVZa]. However, not all patients are equally concerned about this issue. What’s more, privacy concerns often depend on the specific contexts in which information is being shared and on the trust relationship patients have with their HCPs and PHR providers.
5.1! Control, context and trust Privacy has traditionally been described as "the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others" [Westin]. In other words, privacy is the right to control access to our personal information. This definition is echoed in our description of PHRs, which highlights the ability for patients to control access to their health information. However, recently leading scholars have claimed that this emphasis on access control fails to do justice to “the indignation, protest, discomfit, and resistance” provoked by modern-day information technologies [Nissenbaum, Solove]. They have moved away from the traditional concept of informational privacy, trying instead to ground privacy in the specific contexts in which human beings and patients operate. Helen Nissenbaum, in particular, has been influential by introducing the concept of privacy as "contextual integrity" [Nissenbaum]. She states that whether certain information can be shared in a given context very much depends on: •!
the people sharing the information (doctors, patients, etc.);
•!
the type of information being shared (medication details, health monitoring data, etc.);
•!
and the so-called ‘transmission principles’ guiding the sharing (confidentiality, reciprocity, etc.).
To illustrate how this works, consider the provision in Dutch patient law that allows a GP to share patient information in emergency situations (see also paragraph 5.2). Although this could be seen as a violation of the principle of confidentiality enshrined in the Hippocratic Oath, in this specific context, it clearly serves the patient's health interests. This means that in Nissenbaum’s view the contextual privacy of the patient is not violated.
21
See also the COMMIT Trusted Health Care Services research project (http://tinyurl.com/q7o5nvq) 22 To illustrate the importance of trust: some 80 per cent of Dutch citizens say they would not use a PHR offered by a large commercial company like Google or Microsoft [RvZa]. 23 See: http://tinyurl.com/q35ehhs for an overview. 24 See: http://tinyurl.com/nudjcmn
Others underline the key role of trust in patient privacy [Ehrismann, Li, THECS21]. According to Ehrismann, a person’s decision to use a PHR and to share information, is driven by a privacy calculus that is embedded in a trust-based social contract. This trust is shaped by two things: the integrity, benevolence and competence of the person or institution behind the PHR, and the capability, reliability and security of the technology [Ehrismann, Li]. Once a relationhip of trust is established, people are not only more likely to adopt a PHR, they also tend to have more positive views of its benefits and less negative views of its privacy risks [Li]22.
5.2! Privacy as a legal right Privacy has been enshrined as a fundamental right in the constitutional law of many countries. In addition, there are numerous statutes, rules and regulations across the world protecting (health) data and privacy23, with the European data protection directive 95/46/EC24 and the American HIPAA act25
as the best known examples. In the Netherlands, the right of privacy is protected by a number of laws, of which the Wet bescherming persoonsgegevens (Wbp, Data Protection Law) is the most important26. The Wbp is an implementation of the European data protection directive and, among other things, gives Dutch citizens the right to know what is done with their data. Specific privacy rights for Dutch patients are laid down in the Wgbo27. This law stipulates that, as a general rule, doctors and other care professionals should keep patient information confidential (‘medical secrecy’). There are important exceptions: if patients give their explicit consent, information can be shared with other HCPs. Furthermore, no consent is needed if the information is shared with HCPs directly involved in treatment, HCP stand-ins or for scientific purposes (provided the data are anonimyzed). The Wgbo is currently under review28, with the intention to strengthen the privacy rights of patients further, including the right to consult records electronically, receive an electronic copy of their records, the option to allow electronic sharing, and the right to deny access to (parts of) their records to specific HCPs. As yet there is no legal protection for ‘patient secrecy’ in fully patient-controlled PHRs, as these do not fall under current medical and privacy law [Kaelber, Pluut, NPCFa]. This may seem superfluous (after all, the patient is in full control of his data, presumably guaranteeing their informational privacy), but it raises concerns about patients or health data processors being coerced (socially, financially or by law enforcement) to share sensitive data with third parties or the state [Pluut, RVZb, Woodman].29
5.3! Privacy by design Believing that normative values and laws in themselves are insufficient to protect the privacy of citizens, consumers and patients in modern information technologies, privacy experts have proposed the concept of Privacy by Design (PbD), that tries to incorporate privacy in the design of a system and protects privacy proactively.
25
See: http://www.hhs.gov/ocr/privacy/ See:
http://tinyurl.com/o4pocky 27 See:
http://tinyurl.com/po8a65x 28 See: http://tinyurl.com/oewqezu 29 This point was also raised by Guido van 't Noordende, maker of Whitebox, during the Third Document Freedom Day at the European Parliament in 2013. Source: http://tinyurl.com/q9fpl2c 26
Groundbreaking work in this respect has been done by Ann Cavoukian, who was the first to formulate the seven principles of PbD30 [Cavoukian]. Since then, the concept has received backing from privacy authorities across the world31. Privacy by Design has also been included as a guiding principle in the EU Commission's proposals for a new European Directive on Data protection32. Recently, the Dutch Council for Public Health and Health Care (RVZ) has championed the inclusion of PbD principles in the design of e-health applications like PHRs [RVZb]. Taking our inspiration from the PbD principles, and considering the evidence from the expert interviews and the literature [Borking, Gajanayake, RVZa, THECS, Van der Steen, NPCFa]33, we are able to formulate eight requirements that, ideally, should be met when designing a privacy-friendly and secure iPHR: 1.! Patients should be able to choose who has access to their PHR; by default, no information is shared, nor should the design assume or promote automatic sharing. Users should also be able to conceal certain information, and restrict access in time; 2.! Patients should be able to see how their data has been accessed or changed by others (logging); 3.! Patients should be sure that the data which they share is not shared with third parties, or used for other purposes without their consent (contextual integrity); 4.! If patients choose to share their (anonymized) PHR data for secondary use, this should only be allowed under strict guarantees that these data cannot be traced back to individual patients. 5.! The security settings must be easy to understand and operate (usability, transparancy); 6.! All PHR data should be encrypted, and PHR data identifying the user of the PHR should be stored separately. 7.! Patients should be free to use the PHR and any of its functionalities, and should not be forced to share their data with others if they do so. 8.! Open international standards should be used, so that patients are free to move their PHR data to another provider (portability). These requirements are not absolute. As we will see, in the design of an iPHR there are several potential trade-offs to consider, for instance between privacy and usability, or between full access control and context and trust (more on this in chapters 6, 8 and 10).
6.! DESIGN AND USABILITY Failure to put the user central in the design of e-health applications and PHRs, due to limited resources and a developerdriven design process, is seen as a major contributing factor to their low adoption [Dabbs, Kool, Segall, Tang, Van Gemert]. As Van Gemert puts it, "people simply stop using technologies that do not correspond in any way with their daily lives, habits, or rituals". User-centered Design (UCD) tries to counter this by involving patients actively in the design process, not only by asking them about their wishes and needs, but also by letting them test every iteration during the development process [Rogers]. 30
See: http://tinyurl.com/qees7vm See resolution by International Privacy and Data Protection Commissioners. Source: http://tinyurl.com/qjfbqfu 32 See art. 23 in Chapter IV of EU proposal. Source: http://tinyurl.com/6rzj4se 33 NEN 7510, 7512, 7513 and 7521. See: https://www.nen.nl/ 31
In this chapter we explore these issues, first focussing on general principles of usability in the design of e-health applications and PHRs, and then on the functional requirements of an iPHR.
6.1! Usability requirements For interactive products like iPHRs to be usable, they need to have good utility, and be effective, efficient and safe to use. Learning how to use them should also be easy, and this knowledge should be easy to remember for users [Rogers]. To achieve these goals, designers have followed a number of design and usability principles, of which Nielsen's heuristics are probably the best known34. Nielsen stresses the vital importance of simplicity, transparancy, user control, consistency and flexibility in design, qualities that also seem crucial in the design of an iPHR. In addition, there is the matter of accessibility to consider. Many users of PHRs suffer from chronic diseases [Archer, Kool, Markle Foundation, Pluut], which means that they struggle with visual, cognitive, or physical limitations. It is for this reason that the W3C has formulated Accessibility Guidelines35, which designers of web content should follow to make their websites accessible to disabled people. In the Netherlands, adherence to these guidelines is compulsory for all publicly funded websites36. There is also a potential trade-off between usability and security and privacy [Wiljer, NPCFa]. PHRs should be secure, but also ensure easy authentication, verification and password recovery, otherwise users will refrain from using them, or worse, adopt sloppy passwords practices [Gajanayake, Kaelber]. Access controls should also be specific, to guarantee maximum privacy, but not be overwhelming. And the interface should communicate trust, with transparant security controls and clear privacy policies [Han, THECS]. Other specific usability issues often cited in the context of PHRs are data portability (to prevent provider lock-in), mobile and offline access, use of multimedia and visualizations, advoidance of medical jargon, modularity, easy connection to apps/sensors, and documentation and user support [Archer, NPCFa, Tang, Van Dijk].
6.2! Functional requirements Little consensus exists on what information and functionalities to include in PHRs. According to Tang, an ideal PHR should include as much relevant data as possible. This implies that the PHR is fully interconnected with the EHRs of HCPs and includes data from a large variety of sources (patients, HCPs, devices, etc.). Others stress that PHR functionality should be geared to specific users, such as pregnant women or people with disabilities [Archer, Greenhalgh]. In his review of PHRs, Archer lists a number of recommended data elements, including diagnoses and problem list, medications and monitoring data. The HIMSS organization lists a similar data set, but leaves out monitoring data [HIMSS]. Another more comprehensive list that is often cited, is CCR/CCD37, which has been gaining ground as a standard for the exchange of medical data. It is this list that inspired the NPCF proposals for a basic PHR that is to be introduced in the Netherlands by 2020 [NPCFa]. For a full overview of recommended data elements see Appendix III.
34
See: http://www.nngroup.com/articles/ten-usability-heuristics/ See: http://www.w3.org/WAI/intro/wcag.php 36 See: https://www.webrichtlijnen.nl/. For the situation elsewhere in the world, see http://tinyurl.com/o9ldjfp. 37 See: http://www.astm.org/Standards/E2369.htm 35
It should be noted that these recommendations are still very much care-and cure-oriented, with less stress on prevention and health monitoring. As our review of eight current PHRs shows (see Appendix I), these aspects are gradually gaining ground. These recommendations also say little about what users can actually do with this information. In its latest white paper on PHRs, the NPCF says surprisingly little about user interaction, beyond the obvious storing, viewing and consequent sharing of information with HCPs or third parties [Archer, NPCFa]. However, in an earlier NPCF study [Pluut], lists several additional interactive features, including social networks, appointment scheduling, prescription renewal, health recommendations and e-consults [Pluut]. These features can also be found in international studies [Archer, HIMSS, Tang], with Tang stressing the ability of PHRs to establish an ongoing connection between patient and physician. Interestingly, no study explicitly mentions the option that patients, once they have access to their HCP’s EHR data, should also be able to share these with others. So what do the patients want themselves? Due to the limited adoption of PHRs, there are few studies of actual PHR users. In general, the preference for functionalities appears to vary with the patient's illness [Archer]. Patients also seem to have a preference for practical features and tools, like appointment scheduling or econsults [Engelen, Kool, Kremer]. This is echoed by a recent NPCF study among patients [Van der Steen], which shows that almost 9 in 10 respondents want their (future) PHRs to include an alert in case certain medications are incompatible. Respondents also show great interest in the data that their HCPs hold on them. More than eight in ten say they want their PHRs to provide full access to their HCP’s EHR records. They also want to make sure these records are complete and correct, and get informed what EHR data their HCP shares with others. A comparison with our review of eight current PHRs (see Appendix I), shows that none meets the minimal lists of Archer and HIMSS, let alone the more extensive list of the NPCF. Most do however include a problem list, information about medications and allergies, (emergency) contact information and, to a slightly lesser degree, a diary and the option to store monitoring data. About half offer (some) access to their HCP’s EHR, appointment scheduling, medication verification and e-consults. Only one PHR includes the option to renew prescriptions, and none offers functional status information, referrals, healthcare instructions or a medication incompatibility alert (top priority in the NPCF study quoted above).
7.! INVOLVING THE USER To get a clearer view of the requirements of a user- and privacy-friendly PHR, we conducted a focus group session with six (potential) users38. In this chapter we outline the research questions which we set out to answer in the focus group, and describe its setup and participants. We then present the main results.
7.1! Focus group set-up and methods The focus group session was organized in cooperation with the Waag Society, an Amsterdam-based institute with a long trackrecord in health care innovation. The session, which was held on June 12, 2015, focused on the two main challenges surrounding the successful introduction and adoption of PHRs: privacy, and design 38
Recruiting sufficient participants proved to be quite challenging. This may be due to the fact that patients, especially in Amsterdam, are becoming increasingly research wary. There is also reason to believe that many people confuse PHRs with the LSP, the controversial switching point for EHR data. Finally, they might find the topic of PHRs too
and usability. Its aim was to find answers to the following specific research questions: Q1: What kinds of information do users want included in their PHR and in what order? Do they just want to manage their own information, or do they also want to have access to their doctor's EHR? And to what extent do these wishes reflect their specific needs and skills (kind of illness, age, digital literacy etc.) Q2: How do they want to interact with this information? Do they just want to view it, or do they also want to have the option to correct, add to it, and share it? Q3: With what parties do they want to share their PHR data? And to what extent does this depend on information type, context, and relationship of trust? Q4: What other functionalities do they want included in their PHR? Do they want e-consults, warnings and alerts, prescription renewal, and mobile access? Q5: To what extent are users willing to sacrifice privacy and security for usability and low cost? Or is this a false dichotomy? And to what extent are users willing to accept third-party use, e.g. for research? The focus group session lasted 120 minutes and included the following elements39: •!
An individual part, where participants were asked to describe their personal patient journey.
•!
An interactive session, where participants were asked in pairs to list their functional requirements, ordering them according to priority, and indicating sharing preferences.
•!
A short follow-up questionnaire that was e-mailed to the participants after the session40.
The participants included three men and three women, in ages ranging from 46 to 84. They all have experience with health care, either as patients, or, in one case, as carer of a child. Most have undergone some kind of surgery or other procedures for their health complaints, and often had to deal with a complex network of HCPs, including GPs, dieticians, specialists and hospitals. None had previous experience with using a digital PHR or a patient portal.
7.2! Focus group results In this section we discuss the main results of the focus group session. For a full report and transcript we refer to Appendix IV. General Although none of the six participants uses a PHR, they all said the session has increased their awareness of what PHR can mean for healthcare self-management and the exchange of information between patient and HCPs. Asked whether they would use a PHR in the future, two said yes, two said they would consider it, and two said no. Having all information in one place and the option to access and share information were seen as the main benefits of using a PHR. Functionalities There was surprising agreement on the preferred functionalities, irrespective of health needs and/or skills. All
sensitive, or fail to see any concrete benefits for themselves. In the end, the participants were found in the wider network of the author. 39 See Appendix V for examples of focus group materials. 40 This questionnaire replaced a planned plenary discussion on three use cases, which had to be scrapped due to time constraints.
participants listed medications and procedures and hospitalizations as must-have functionalities. Four out of five wanted their problem list and their provider list included. Other top scoring functionalities were laboratory tests, referrals, family history, insurance details, health care instructions, a health summary, consultation reports and allergies (See Table 1 in Appendix IV for a full list). Opinion was divided on the inclusion of financial details in the PHR, with some participants welcoming this as a tool to raise cost awareness among patients, and others fearing too much cost transparency could withhold people from seeking necessary treatment. Interestingly, interactive functionalities like e-consults and prescription renewal were not seen as must-haves. Selfmonitoring data scored very low, possibly because participants have no experience with this. Access and sharing Most participants agreed that the PHR raison d'etre lies mainly in its potential to improve the exchange of information between patient and PHR. However, they all stressed that it should be the patient who decides who has access to their information, preferably on a case-by-case basis. Trust and context appears vital here. Asked with whom they want to share their information, their GP, arguably the HCP whom patients trust most, scores highest. Two participants even suggested they would be willing to share their own logindetails with their GP. Three participants said they would not mind if their dietician shared their diet habits with their GP without their prior consent. The hospital specialist, the carer and their partner similarly people with whom most patients share a strong trustbased relationship - come second, third and fourth respectively. (See Table 2 in Appendix IV for a full list) Asked what information they want to share, medication comes first, presumably because erroneous or missing medication information is an obvious health risk. Other popular data elements for sharing are provider list, laboratory test, problem list and procedures and hospitalizations. Participants also want to have the option to give full access to a trusted person, who can manage and/or share their records when they are no longer able to. Interestingly, some stressed this does not necessarily need to be their carer or partner. In addition, participants want to have the option to share a summary of their PHR details with the outside world in case of emergencies.
their (anonymized) data for research, or to accept less security in exchange for better usability or lower cost. To avoid the security risk of sharing information through the internet, one participant suggested the use of iPads or other tablet devices, which users could bring along when visiting their HCPs. Finally, there was some fear that PHRs will replace direct faceto-face contact with HCPs, e.g. for financial reasons. For the participants, PHRs are primarily tools for enhancing their current relationship with their HCPs, not a replacement. Usability As we have seen, participants want to have control over who has access to their data. This should be translated into the design of a PHR, with access levels to be determined on a case-to-case basis, and with clear logging of who has accessed their information when. The same modular approach should be employed for the functionality of the PHR, so that users can decide what data elements and features they wish to have included. To avoid users being overwhelmed by too many choices, one participant suggested the use of two or more default profiles, to be determined on the basis of general user details (age, gender, health history, etc.), or on the basis of a short questionnaire, which users fill in when registering their account. For instance, these profiles could be either soft-holistic or hard-functional, each with their specific sets of functionalities. In general, participants agreed that the PHR should by default only provide a limited set of features, with users having the option to expand or change these through a central dashboard. Another interesting suggestion also involved the interface. To make a PHR more attractive and easy to use, the central dashboard could be designed using the metaphor of the body, with each functionality linked to a specific body part. Alternatively, recognizable icons representing the various functionalities could also help users navigate the interface.
8.! A DESIGN OF mijnPGD Based on the privacy and usability requirements outlined in chapters 4, 5, and 6, and the feedback from the focus group (ch. 7), we can now present a design of a privacy- and user-friendly iPHR.
Adoption There was strong agreement that not all patients are able or willing to use a PHR, because of limited (physical or mental) ability, insufficient digital and health literacy or lack of need. Other factors quoted as possible barriers to adoption and use were cost (only two said they would be willing to pay for a PHR) and the time investment involved in learning and setting up a PHR (e.g. transfer of existing paper records). Some participants observed that at present many PHRs appear to be rather care- and HCP-oriented, without much room for health self-management and patient autonomy. One of the participants suggested that a more patient-centric approach, with tools for personal story-telling through images, diaries or cartoons, could make a PHR a more attractive tool for some users. Others observed that the abundance of functionalities available in PHRs can be overwhelming for some users. Obviously, privacy and security were also concerns, although only one participant mentioned it as a reason to refrain from using a PHR. Participants were doubtful whether their information is really safe on the internet, and want strong protections for the security of personal health data. They also appear reluctant to share
Figure 4) Homepage of mijnPGD
We first discuss the general principles guiding our design, focusing on access control and usability, and then present the main components. Figure 4 shows the homepage of mijnPGD. The full mock-up can be found in Appendix VII.
8.1 General principles The design of mijnPGD aims to meet the eight requirements for a privacy-friendly and secure iPHR laid down in paragraph 5.3, while allowing for potential trade-offs with context, trust and usability. This means that mijnPGD gives patients full control of their PHR. They determine on a case-by-case basis who has access to their health data (read rights) and who can edit (write rights) and share these data on their behalf (access control rights). User permissions can be revoked at any time and are restrictive. By default, only patients have full reading and writing rights for their own data. To prevent potential breaches of contextual integrity (where information flows outside its intended original context), they are also the only parties who can decide to share that information with others. Access control can only be delegated to a limited number of trusted persons (carers, partners or a trusted HCP)41. If patients decide to allow their HCPs access to their PHR, the HCPs can view that information and import it into their system. However, they cannot change it, nor can they share it with others, unless they are designated to be a trusted person with writing or sharing rights. Patients, however, can share information that HCPs share with them. After all, it is information about them. (They cannot change it, though, to guarantuee the integrity of medical data). Access is always symmetric: sources of information (either patients or HCPs), automatically have access to these data in the target system. To avoid users being overwhelmed by too many privacy controls, and to do justice to the contexts of specific care, some access controls are managed on a group level. For instance, if patients decide to share their current medication list with their GP, details of all drugs in this category (including self-entered information on frequency of medication use and possible adverse effects) are shared by default. A second tier of privacy controls then allows them to hide specific sensitive information if they wish (e.g. antidepressants). Care providers are also grouped. If a patient shares access with one HCP (e.g. a pharmacy), users are given a list of related HCPs as additional share options. These suggestions can either be rule-based (all pharmacies or specialists involved in a treatment), or generated intelligently (based on previous sharing behaviour). Access rights are also grouped for a limited number of optional trusted persons: by default, these have access to all information in mijnPGD. Finally, patients can give easy access to an emergency summary of their PHR by sharing a time-limited code, which they carry with them on a card. Privacy-by-design also implies transparancy. This is achieved in three ways. Firstly, users of mijnPGD have a privacy dashboard, where they can manage all access rights to their information ('Delen met', see appendix VIIe). Secondly, access logs give a detailed history of who has accessed, edited or shared what information at what time. Finally, users are frequently invited to review access rights. They are also given a warning before access rights are about to expire, so that they can extend them in time. Time limits depend on information type and context, and can be adjusted by the user. 41
Not giving access rights to HCPs, especially GPs, may not correspond with legal constraints or professional oblications: once information is known to a HCP, there may be cases where even HCPs that are not trusted
mijnPGD optimizes usability by offering a fully modular setup, allowing users optimal freedom to adjust it to their preferences. By default, the number of data elements and features is limited to key functionalities, to avoid confronting first-time users with too many options. Elements that are not used can be hidden from view. A central dashboard with easily recognizable icons allows easy navigation. mijnPGD also lets users engage actively with their information and the outside world (e.g. GPs). It also offers user support and accessibility options for disabled users. The design is meant to be clean and simple, facilitating access on mobile devices.
8.1 Components The design of mijnPGD consists of seven webpages. These are: 'Dashboard' (see Appendix VIIa): The dashboard is the central homepage of mijnPGD and gives users an overview of key data elements and features, categorized into five large boxes. Two smaller boxes on the top right represent a calendar and an alert/warning function. By clicking on the icons, users go the respective pages. The five large boxes return in the navigation menu on the left, which is visible on each page. Other permanent elements are a top bar with settings, sign-out and profile; a second top bar with accessibility options; and a footer menu that gives access to general information. More elements can be added by clicking on 'wijzig'. 'Dashboard/wijzig' (see Appendix VIIb): On this page users can add or remove data elements and features from their homepage, change the order of the boxes, and choose to hide them, in case they do not use them. 'Medicijnen' (see Appendix VIIc): This page gives an overview of medication used by patients. The listed drugs can be imported directly from their doctor's EHR, or added manually. Users can choose to share their present and/or historical medication lists with the outside world. If so, they can choose to hide specific drugs they want to keep private. An alert warns them about incompatible drugs. By clicking on the medication name, users can access a page with more detailed information. 'Medicijnen/details' (see Appendix VIId): On this page users get detailed information about a specific drug they use. They can also record drug intake and adverse effects, renew prescriptions and contact their GP or pharmacist through an e-consult to ask questions about their medication. Again, users can choose to hide information, if they want to keep it private. 'Delen met' (see Appendix VIIe): This page functions as a privacy dashboard, where users control access rights to their information. It contains the functionalities described above. 'Samenvatting' (see Appendix VIIf): This page contains a summary of the PHR. It can be shared with HCPs or others in the standard way, or by giving HCPs access in emergency situations. 'Sitemap' (see Appendix VIIg): This page lists all the pages in mijnPGD, and shows how they fit into the overall structure. By default, the website contains a number of static pages. Further pages are created dynamically as information about individual HCPs or drugs (or other health data) is added. The design of these pages follows the design principles illustrated in the mock-up.
persons need to share this information with other HCPs. How to provide patients with transparancy and/or control over this aspect is an open issue.
9. TALKING TO THE OUTSIDE WORLD As has become clear, mijnPGD can only realize its full potential if it is connected to the outside world. Although it lies beyond the scope of this paper to describe in detail how this should work, we propose a basic system architecture here, hoping to lay the groundwork for a future implementation of mijnPGD. We first discuss the basic components, and then describe the exchange of patient data in detail.
9.1 Basic components Appendix VIIIa gives an overview of all the system components that enable an interconnected PHR, and also highlights potential privacy and security risks. Let's look at some components in more detail. Registration: Users of mijnPGD need to register before they can log in and use their PHR. Setting up an own sign-up system is an option, but involves users remembering (possibly unsafe) additional passwords. Third-party identification services could provide an alternative, but are either not available for PHRs (DigiD42), unattractive for privacy reasons43 (Facebook, Google), or still undeveloped or marginal (QIY44, Persona45 and OpenID46) . Authentication: If users of mijnPGD wish to share data with a HCP, they need to be sure that this HCP is qualified and registered. In the Netherlands, all HCPs are registered in the national BIG register47. BIG provides a web service that can be incorporated into any webiste or e-health application. The UZI-card or -certficate, which both contain the BIG-code, could provide an alternative48. Authorisation and access log: As we have seen, authorisation is dynamic and differentiated, with each authorisation specifying type of information, duration and permissions. To give patients extra control, access logs give a detailed history. Emergency codes give time-limited access to the patient's health summary in emergencies. Interactive applications: E-consults with doctors need to be private and secure. Several options are available on the market, of which Cryptocat49 and Chatsecure50 score high on security51. Other well-know options, like Google Hangouts or Skype, seem less safe. An attractive alternative might be FaceTalk52. To connect monitoring apps to mijnPGD, Healthvault53 and Apple Healthkit54 provide several APIs. Whether they are safe, remains to be seen. There is also the risk of user lock-in, which may be undesirable. Medical info: In the Netherlands, thuisarts.nl55 provides extensive online information on health and diseases. The information is monitored by the NHG (Dutch GP Society). Trusted medication information can be found on the site of the Dutch Medicines Evaluation Board56. Unfortunately, there are no webservices or APIs for either. Web and data servers: All PHR data should be encrypted and securely stored, with data identifying the user being stored separately. Communication to the web server and the data exchange server should be encrypted as well. Data could be stored in the cloud for reasons of reliability and scaleability, but this raises 42
See: https://www.digid.nl/en See: http://tinyurl.com/n97w3k3 44 See: https://www.qiy.nl/en/ 45 See: https://www.mozilla.org/en-US/persona/ 46 See: http://openid.net/ 47 See: https://www.bigregister.nl/en 48 https://www.uziregister.nl 43
potential security and privacy concerns, if these servers are situated in legal domains that offer less safeguards from (state) intrusion.
9.2 Data exchange mijnPGD should enable the easy and secure exchange of patient data between patient and HCP. How this is accomplished, very much depends on the direction of the information flow and the degree to which information cannot only be viewed, but also be imported and exported (see Appendix VIIIb for a model). For inbound data (from HCP/EHR to patient/PHR), there seem to be four options available. Firstly, patients could be given individual accounts, which allow them to log in to their HCP website, where they can view their information, and (optionally) import it into their PHR. Secondly, patients could receive a (timelimited) reference to specific information in the EHR, which they then import. Thirdly, patients could share writing access to their PHR, so HCPs can enter medical information manually into their patient's PHR. Option four does something similar, but achieves this by way of automatic synchronization between EHR and PHR. At present, the first option seems less viable for our purpose. Although there are a number of patient portals in the Netherlands that allow patients web access to their data (such as lab results and medication), these systems only give access to one provider. Allowing access to all data would imply logging into several accounts, which is rather cumbersome, and defies the purpose of an interconnected PHR. The LSP, the Dutch data switchpoint for HCPs, should in principle be able to provide patients access to all their data, but has security and privacy issues related to its centralized nature and it's broad opt-in policy [Van 't Noordende]. The second option could overcome the problem of multiple log-ins by using references. Whitebox is a distributed iEHR that uses this method to exhange data between HCPs. In contrast to the LSP, there is no central switching point. Only HCPs who are given explicit access to information, are authorized to use this data. This makes the system scaleable, without increasing the inherent security risks. The HCP distributes access to a patient's data by sharing a protected URL directly with other HCPs. This reference allows them to set up an encrypted connection with the patient's EHR records. Whitebox could easily be extended to patients. It could also be used to automatically import data into the PHR, so that patients always see up-to-date information when they log in. The third option also shows promise, because EHR data is written manually into the PHR. However, it remains to be seen whether HCPs have the time or inclination to do this. The fourth option, which provides automatic synchronization, seems feasible, but requires that all HCPs use the same standardized exchange system, which is quite a challenge, and may carry with it security risks if it employs a centralized infrastructure. Sharing outbound data (from the patient's PHR to HCP or other private parties) seems less of challenge, as this does not necessarily require the exporting of data. For now, the account-based solution seems the appropiate option. However, as more and more patients are expected to use a PHR in the future, a reference-based system 49
See: https://crypto.cat/ See: https://chatsecure.org/ 51 See: http://tinyurl.com/p3ekrr6 52 See: http://facetalk.nl 53 See: https://www.healthvault.com/us/en/connection-center 54 See: https://developer.apple.com/healthkit 55 See: http://thuisarts.nl/ 56 See: http://english.cbg-meb.nl/medicines-information-bank 50
appears more viable, as this allows HCPs to obtain PHR information in a unified way, without the need for multiple log-ins.
law and better Privacy by Design might offer necessary additional protections.
10. DISCUSSION AND FUTURE WORK
Q4: How can we ensure that mijnPGD is truly interconnected?
We believe the design of mijnPGD as presented in chapter 8 represents a model for iPHR that is attractive and easy to use, and will hopefully give patients and citizens a more active role in the management of their health data. However, mijnPGD only provides a preliminary framework. It does not resolve all the inherent tensions that are present in the design of a privacy-friendly and usable iPHR.
mijnPGD is designed as an interconnected PHR, which means that it necessarily involves multiple HCPs and other external parties (see chapter 9). Implementing this may be quite a challenge, due to the fragmentation of present e-health and EHR technology. A gradual, flexible approach, that starts with a limited number of HCPs, seems advisable. Preferably, mijnPGD should easily plugin into existing infrastructures, without the need for HCPs, so crucial for its success, having to learn and use an additional system.
As far as Privacy by Design is concerned, we have seen possible trade-offs between tight privacy controls and usability [Engelen, Kaelber], between full access control, context and trust [Nissenbaum, Ehrismann], between patient control and the integrity of medical data [Do, Karapinar, RVZa, RVZb], and between privacy and the use of anonymized data for science [Engelen, RvZa, RVZb]. These tensions can only be resolved in the day-to-day practice of "engineering privacy" [Spiekermann]. Similar issues emerge as far as usability and functionality is concerned. mijnPGD is designed to be user-friendly, reflecting general principles of usability and current user preferences (as gathered from the focus group, expert recommendations and relevant consumer surveys), but it remains to be seen whether this is sufficient to persuade patients and general citizens to use it. Implementation of mijnPGD creates additional trade-offs. Connecting the PHR to the outside world is crucial for its succes, but brings with it privacy and security risks, that need to be considered. Chapter 9 suggested ways of limiting these risks, for instance by using a decentralized approach, where EHR and PHR are connected through mutually authenticated encrypted channels. This brings us to formulate four questions that, we think, should guide further development of mijnPGD: Q1: How can we make sure that mijnPGD serves a clear need? mijnPGD should be a relevant product, that is not only adopted, but used on a permanent basis to the satisfaction of both patients and HCPs. This implies a clear view of potential benefits, integration of PHR use in existing care relations, and a viable business model. The latter might imply designing and marketing mijnPGD so that that it also appeals to general (younger?) citizens. Q2: How can we guarantee that mijnPGD is truly user-friendly? Further iterations should maximize usability, so that is attractive to use and accessible to people with less digital literacy or limited (physical or mental) ability. This might involve options for storytelling, easy import of existing (paper/digital) files, a patient-centric interface, default profiles for specific user groups, data analysis, summaries and visualization [Tang], and full mobile access. Q3: How can we optimize the balance between privacy and usability? As we have seen, it is vital that users of mijnPGD should not be discouraged by intrusive privacy controls, while still maintaining high standards of security. This also implies striking the right balance between full access control by the patient, and allowing for specific care contexts and existing relationships of trust with carers or HCPs. A related point is whether the privacy of a PHR should be wholly entrusted to patients or carers, who may be sensitive to pressure or wary of too many privacy controls. A patient secrecy 57
See: http://tinyurl.com/nkhapao
To answer these questions, we suggest the following iterative and user-centric development process [Rogers, Van Gemert]: Stage 1: Involve more users and HCPs > redesign Further focus group sessions with (potential) PHR users should be held to improve the mock-up. To get additional perspectives, these sessions should preferably include younger patients, specific patient groups (e.g. diabetes patients) and general citizens. In addition, one or two focusgroup sessions with HCPs are advisable. Stage 2: Build a high-fidelity prototype In this stage, a working online version of mijnPGD is built. This prototype should include all the basic functionalities of the mockup, including at least one or two interactive functionalities (e.g. econsults). Stage 3: Evaluate prototype with selected group of experts and users (both patients and HCPs) > redesign The high-fidelity prototype is tested with limited number of experts and/or users, using heuristic evaluation, cognitive walkthrough, or think aloud as possible evaluation methods [Rogers, Jaspers]. Stage 4: Start pilots with basic version of mijnPGD > redesign For the pilots, collaboration with Whitebox should be explored. It provides a flexible solution, that can easily be scaled, and already has a network of supportive HCPs. The pilots should preferably cover hundreds of patients and HCPs and involve various target groups (e.g. patients with chronic illnesses, general citizens). Stage 5: Build and market final product ( > redesign) The main challenge here is finding a viable business model and ensuring continued support of HCPs. Further iterations of mijnPGD are developed with input from permanent user panels.
11. CONCLUSION 'Better health is not a science problem, it’s an information problem', says Thomas Goetz, well-known author on health data, in his Ted talk from 201057. In this paper, we have explored one way of improving health by giving patients and citizens a more active role in the management of their health data. Based on evidence from experts, a literature study, a review of eight typical PHRs and a focus group session we presented a design for a user- and privacy-friendly iPHR. mijnPGD aims to solve two problems: 1) how do we ensure that an iPHR safeguards the health data of its users, and 2) how do we solve "the paradox of interest and adoption", that bedevils so many existing PHR models. mijnPGD is designed to be fully modular, and can easily be adjusted by its users. It also allows users to engage actively with their information and the outside world. Most importantly, users
can determine on a case-by-case basis who has access to their health data and who can edit and share their information on their behalf. It does this without overwhelming users with too many privacy controls, thereby increasing usability and permanence of use. We also presented a programme for further development of mijnPGD, which puts the specific contexts of future users at its core. Hopefully, this will result in a viable and succesfull product, that is both privacy- and security-friendly and attractive to use.
12. REFERENCES
!!
Markle Foundation (2003). The Personal Health Working Group, final report (http://tinyurl.com/ooe7243).
!!
Markle Foundation (2011). The Public and Doctors Largely Agree Patients Should Be Able To View, Download and Share Their Health Info (http://tinyurl.com/6393bgo).
!!
Mold, F., de Lusignan, S., Sheikh, A., Majeed, A., Wyatt, J. C., Quinn, T., ... & Ellis, B. (2015). Patients’ online access to their electronic health records and linked online services: a systematic review in primary care. British Journal of General Practice, 65(632), e141-e151.
!!
Nederlandse Patiënten Consumenten Federatie (2015). Notitie rondom het Basis-PGD (NPCFa)
!!
Nazi, K. M. (2013). The personal health record paradox: health care professionals’ perspectives and the information ecology of personal health record systems in organizational and clinical settings. Journal of medical Internet research, 15(4).
!!
Nissenbaum, Helen (2009). Privacy in context: Technology, policy, and the integrity of social life. Stanford University Press.
!!
Pluut B. (2012). Wetenschappers over het PGD. Een literatuurstudie naar persoonlijke gezondheidsdossiers. In opdracht van: Nederlandse Patiënten Consumenten Federatie.
!!
Archer, N., Fevrier-Thomas, U., Lokker, C., McKibbon, K. A., & Straus, S. E. (2011). Personal health records: a scoping review. Journal of the American Medical Informatics Association, 18(4), 515-522.
!!
Bierma L, Heldoorn M, Pluut B, ter Brake H. (2013). Het persoonlijk gezondheidsdossier. De visie van patiëntenfederatie NPCF. (NPCF, http://tinyurl.com/ojyuroh).
!!
Borking Consultancy (2014). Ongedolven goud: van data naar info (http://tinyurl.com/q2phvy8)
!!
Cavoukian, Ann (2000). Privacy by design: The 7 foundational principles." Information and Privacy Commissioner of Ontario, Canada.
!!
Raad voor Volksgezondheid en Zorg (2014). Patiënteninformatie (http://tinyurl.com/q86hmwv) (RVZa).
!!
Dabbs, A. D. V., Myers, B. A., Mc Curry, K. R., Dunbar-Jacob, J., Hawkins, R. P., Begey, A., & Dew, M. A. (2009). User-centered design and interactive health technologies for patients. Computers, informatics, nursing: CIN, 27(3), 175.
!!
Raad voor Volksgezondheid en Zorg (2015). Advies Consumenten eHealth (http://tinyurl.com/p95g6a7) (RVZb).
!!
Rogers, Y., Sharp, H., & Preece, J. (2015). Interaction design: beyond human-computer interaction. John Wiley & Sons.
!!
Do, N. V., Barnhill, R., Heermann-Do, K. A., Salzman, K. L., & Gimbel, R. W. (2011). The military health system's personal health record pilot with Microsoft HealthVault and Google Health. Journal of the American Medical Informatics Association, 18(2), 118-124.
!!
Segall, N., Saville, J. G., L’Engle, P., Carlson, B., Wright, M. C., Schulman, K., & Tcheng, J. E. (2011). Usability evaluation of a personal health record. In AMIA Annual Symposium Proceedings (Vol. 2011, p. 1233). American Medical Informatics Association.
!!
Ehrismann, M., Stegwee R. (2014) Trust in eHealth services, A practice driven review of the literature (THECS).
!!
Solove, Daniel J. (2006). A taxonomy of privacy. University of Pennsylvania Law Review 477-564.
!!
Gajanayake, R., Lane, B., Iannella, R., & Sahama, T. (2013). AccountableeHealth systems: The next step forward for privacy. Electronic Journal of Health Informatics, 8(2), e11.
!!
Spiekermann, S., Faith Cranor L. (2009). Engineering privacy." Software Engineering, IEEE Transactions on 35.1, 67-82.
!!
Gijsbers L., Vegter F., Wallien M. (2012). Zorgconsumentenonderzoek, Van EPD naar PGD. (NPCF, http://tinyurl.com/p7y8bz8).
!!
!!
Greenhalgh, T., Hinder, S., Stramer, K., Bratan, T., & Russell, J. (2010). Adoption, non-adoption, and abandonment of a personal electronic health record: case study of HealthSpace. Bmj, 341.
Staroselsky, M., Volk, L. A., Tsurikova, R., Newmark, L. P., Lippincott, M., Litvak, I., ... & Bates, D. W. (2008). An effort to improve electronic health record medication list accuracy between visits: patients’ and physicians’ response. International journal of medical informatics, 77(3), 153-160.
!!
!!
HIMSS (2007). Personal Health Records Definition and Position Statement (http://tinyurl.com/pvlhlet)
!!
Jaspers, M. W. (2009). A comparison of usability methods for testing interactive health technologies: methodological aspects and empirical evidence. International journal of medical informatics, 78(5), 340-353.
Tang, P. C., Ash, J. S., Bates, D. W., Overhage, J. M., & Sands, D. Z. (2006). Personal health records: definitions, benefits, and strategies for overcoming barriers to adoption. Journal of the American Medical Informatics Association, 13(2), 121-126.
!!
THECS (2013). Requirements for Trusted Health Care Services (not published)
!!
Kaelber, D. C., Jha, A. K., Johnston, D., Middleton, B., & Bates, D. W. (2008). A research agenda for personal health records (PHRs). Journal of the American Medical Informatics Association, 15(6), 729-736.
!!
!!
Kim, Jeongeun, Hongju Jung, and David W. Bates (2011). History and Trends of “Personal Health Record” Research in PubMed. Healthcare informatics research 17.1: 3-17.
Van Gemert-Pijnen, J. E., Nijland, N., van Limburg, M., Ossebaard, H. C., Kelders, S. M., Eysenbach, G., & Seydel, E. R. (2011). A holistic framework to improve the uptake and impact of eHealth technologies. Journal of medical Internet research, 13(4).
!!
!!
Kool, R. B., & Kremer, J. A. M. (2014) Explorerende studie over de toekomstige rol van het persoonlijk gezondheidsdossier.
Van der Steen J., Van Haastert C. (2015). Rapport ‘Persoonlijk GezondheidsDossier’. Ervaringen en wensen met betrekking tot het Persoonlijk Gezondheids Dossier (NPCF, http://tinyurl.com/ocyvyds).
!!
!!
Krist, A. H., Peele, E., Woolf, S. H., Rothemich, S. F., Loomis, J. F., Longo, D. R., & Kuzel, A. J. (2011). Designing a patient-centered personal health record to promote preventive care. BMC medical informatics and decision making, 11(1), 73.
Van 't Noordende, G. (2010). Security in the Dutch electronic patient record system. Proceedings of the second annual workshop on Security and privacy in medical and home-care systems. ACM, 2010.
!!
Westin, A. F. (1967). Privacy and freedom.
!!
Wiljer, D., Urowitz, S., Apatu, E., Leonard, K., Quartey, N. K., & Catton, P. (2010). Understanding the support needs of patients accessing test results online. The Journal of Healthcare Information Management, 24(1), 57-63.
!!
Woodman J., Hardip Sohal A., Gilbert R., Feder G. (2015). Online Acces to medical records: finding ways to minimise harms.
!!
Li, H., Gupta, A., Zhang, J., & Sarathy, R. (2014). Examining the decision to use standalone personal health record systems as a trust-enabled fair social contract. Decision Support Systems, 57, 376-386.
!!
Logue, M. D., & Effken, J. A. (2012). Modeling factors that influence personal health records adoption. Comput Inform Nurs.
14. LIST OF APPENDICES I.!
A SURVEY OF EIGHT PHRs a.!
GENERAL CHARACTERISTICS
b.! DATA ELEMENTS AND FEATURES II.!
A CONCEPT MAP OF PHRs
III.!
OVERVIEW OF RECOMMENDED DATA ELEMENTS
IV.!
FOCUSGROUP REPORT AND TRANSCRIPT
V.! VI.!
FOCUSGROUP MATERIALS: PATIENT JOURNEY AND ICONS QUESTIONNAIRE a.!
QUESTIONS
b.! ANSWERS VII.!
MOCK-UP OF 'MIJNPGD' a.!
DASHBOARD
b.! DASHBOARD/WIJZIG c.!
MEDICIJNEN
d.! MEDICIJNEN/DETAILS e.!
DELEN MET
f.!
SAMENVATTING
g.! SITEMAP VIII.!
SYSTEM ARCHITECTURE a.!
BASIC COMPONENTS
b.! DATA EXCHANGE IX.! X.!
LIST OF INTERVIEWEES INTERVIEW CODING SCHEME
APPENDIX I: A SURVEY OF EIGHT PHRs a. GENERAL CHARACTERISTICS
Patiënt1 (NL)
Mijnzorgnet (NL)
Zorgdoc (NL)
Mijn UMC Utrecht (NL)
Standalone
Standalone with focus on communities
Interconnected with focus on medication
Tethered (patient portal)
SecurityA
All information is encrypted before it is stored on the PHR servers (at rest). All traffic with the web server is encrypted (in transit).
All data is stored securely according to Wbp standards. It is not clear All information is encrypted, as well as all traffic. All servers are part of whether stored data or data in transit are encrypted. the E-zorgnetwerk, a secure network for healthcare providers.
Authentication
Only BIG registered healthcare professionals can apply for a verified account with Patiënt1Pro, the professional version of Patiënt1.
Professionals can login using their UZI or by choosing their own login and password. Patients login using their DigiD and sms (two-factor authentication). An additional code is needed to access information of (other) patients.
TYPE
SECURITY AND PRIVACY
APPENDIX I: A SURVEY OF EIGHT PHRs CBP registered CPB registered
Privacy
All data is stored securely according to Wbp standards. Mijnumc also gives security tips for patients to enable security self management.
Zorgdoc does not use DigiD, claiming this is only allowed for tethered Users log in using their DigiD and SMS, after authentication by the PHRs, where the provider knows the patients and is able to identify UMCU hospital. Authorized carers need a separate account. them. Instead Zorgdoc uses a login and a password for patients. Health professonals are authenticated by using a controlled list of BIGregistered healthcare professionals. They also need a Zorgdoc Medver account. CPB registered
Not registered with CPB.
Access
User can share information through their personal health plan. A health Patients can invite care team members (doctors and others) to their plan is initiated by a verified health professional, and activated by the PHR. patient. All professionals that have access to the health plan, also have access to (parts of) the PHR. A professional can invite other (nonverified) professionals to a health plan, but only after consent by the patient. A patient can deny access to specific health professionals.
Patients can authorize health professionals to acces their records. This All team members have access to all records, including e-consults. can be full permanent access, or on a case by case basis for 24 hours. Patients automatically have access to all their medical records. All health professionals need to have a Zorgdoc account. Access is authorized by sharing a unique code. Patients can also authorize family or friends. Access can be either read, read or write or administrator. Patients can decide to share their data only with individual care professional, or with their care team.
Access logging
?
Yes
No
Emergency access
Yes, through Med1Pas, a USB creditcard which contains a summary of No the PHR. The patient can decide what information to store on their Med1Pas. The Med1Pas can be accessed by anyone without a password. The pass can be used abroad, all information is translated into six languages, including English.
Yes. Patients can give emergency acces to their health summary to all health professionals. Access is authorized by sharing a unique code that is valid for 24 hours after first access. Summary includes personal details, emergency contact details, present medication and allergies and contraindications.
?
Level of access authorization
Personal health plan
Document, or diary entry. There is no read/write distinction, nor are there time limits.
Either all records, or emergency summary.
No
Access expiration
No
No
Yes
No
Carer authorization
Yes, although is not clear how this works.
No
Yes
Yes
Store data
Yes
Yes
Yes
Yes
View data
Yes, patients have access to their personal health plans, although there Yes does not seem to be any direct connection with EHR of health professional.
Yes, patients can load medication data from their GP.
Yes
Share data
Yes. Data can be exported to Med1Pas, which contains medical summary. Data can also be shared with health professonals through personal health plan. Not clear whether patient can share information with carer or family/friends.
Yes
Yes
No
Link with EHR
No
No
Yes, if health professional has a paid account with Zorgdoc through Medver.
Yes, portal is tethered to hospital. All patient records are accessible.
Standards
No
No
?
No
Privacy policy
Yes, but very limited.
Yes, See https://app.mijnzorgnet.nl/veel-gestelde-vragen/ algemeen#privacyModal
Yes. See https://www.zorgdoc.nl/texts/privacy
?
User agreement
Yes
Yes. See https://app.mijnzorgnet.nl/veel-gestelde-vragen/ algemeen#eulaModal
Yes. See https://www.zorgdoc.nl/texts/terms_and_conditions
?
Usability
Very good
Very basic interface. Old-fashioned look. Limited functionality.
Very good, although options when entering medication data manually can be a bit overwhelming.
?
Search function
No
No
Yes. Patients can search for registered medicines and health professionals.
?
Accessibility
No explicit compliance
No explicit compliance
Yes, includes spoken guide.
No explicit compliance
Dashboard
Yes
No
Yes
No
Charts
Yes
No
No
No
Mobile access
No
Yes (but uses standard website)
No
Yes, but no specific apps.
Recent activities
No
Yes
Yes
No
Support
Yes, includes FAQs and a contact number. Extensive written instructions on features.
Yes, but limited. Includes some FAQs.
Yes, includesd spoken guides, FAQs and possibility to ask questions. No forums or extensive help functions.
Yes. Includes manual, phone number, e-mail and FAQs. Also YouTube instruction video.
Owner
Patient1 BV
Radboud UMC, Jan Kremer, Bas Bloem
Zorgdoc Nederland BV
UMCU
Commercial
Yes
No
Yes
No
Cost
PHR is free. Med1Pas costs 24,95 euro.
No
Free for patients, paid service for health professionals
No
Website
https://www.patient1.nl
https://app.mijnzorgnet.nl/
https://www.zorgdoc.nl/
https://www.umcutrecht.nl/nl/Ziekenhuis/Mijn-UMC-Utrecht
Zorgdoc mainly focusses on involving patients in managing and verifying their medication information. Since 2008 all health care professionals in the Netherlands need to consult a recent medication list before seeing their patients.
UMCU is one of the first hospitals to give patient full access to all their hospital records.
Yes
ACCES AND SHARING
LEGAL
USABILITY
GENERAL
ADDITIONAL INFO Patiënt1 claims to be the largest PHR in the Netherlands. Was given the Mijnzorgnet orginally focussed on patient communities, but later highest score by NPCF in an evaluation of Dutch PHRs. switched to providing a PHR. Focus is on specific patient groups, such as pregnant women. For more information, see interview with Jan Kremer, co-founder and owner of mijnzorgnet.
Patients know best (Europe and Asia)
Microsoft Healthvault (worlwide)
Health Companion (US)
eHealth.gov.au (Australia)
Standalone
Interconnected
Interconnected with focus on prevention.
Interconnected
Complies with HIPAA and HITECH Act security standards. All information is encrypted, as well as all traffic.
All eHealth record data is stored in a secure data centre in Australia, in line with the Australian Government Protective Security Policy Framework.
Documents are stored for 30 years, even after cancellation. All information is encrypted, both at rest and in transit.
TYPE SECURITY AND PRIVACY
Security
All data are encrypted at patient level. Data are encrypted when All backed-up media is encrypted, as well as all traffic between servers and systems and between doctors and patients. sent (https). Patients are encouraged to choose strong passwords.
Authentication
Health care providers set up their patients’ accounts, verifying the identity of each patient. Patients also need to sign a consent form, which allows their doctor to hand over their data. The patients can then invite other clinicians to access their accounts, either from other institutions which PKB has verified, or from unverified institutions which the patient trusts. Members of a care team gain access after verification by the team coordinator, who is linked to institution. Users are automatically logged out after specific time period.
Users either need a Microsoft account to log in, or they can use Facebook or Users need a login and password to register and log in. Accounts are verified Users need an official MyGov-account to register. If registration is done OpenID. A HealthVault-record contains data of one person. One account can with a PIN if users log in using an unknown device. offline, they need a special code. Professionals need to be registered and hold a large number of records, which all can be managed and/or shared identified. individually. Users are automatically logged out after 20 minutes.
Privacy
PKB claims to be compliant with data protection regulations in the UK, EU as well as the United States. Not registered with CPB.
There is a privacy policy, but no HIPAA protection, as HIPAA only applies to ‘covered entities’, including health plans, healthcare clearinghouses, and healthcare providers. Microsoft is not a covered entities.
Access
Patients can invite care team member, doctors can invite patients and care team members. All team members need to be registered. It is not clear whether access rights for care professionals also include write rights (e.g. medication, or appointments).
Users control what kind of information they share, and what this person can Users can share information with providers that are connected to Health do with that information (read, write). The sharing feature is not intended to Companion. Not clear whether they can share information with family be used with health care providers. They can access their patients’ members or friends. information if their EHR is connected to Healthvault (either through Direct project (only US)), or through apps). Doctors can share their patients’ EHR records through Healthvault-compatible apps, through Direct (only US), or by sharing Continuity of Care-compatible documents.
Health care professionals have access to their patients’ personal health summary, which is maintained by their GP. If patients choose to include these, they also have access to their medication and to their lab results and diagnostic reports. Users can also give codes to providers to give them access to restricted content. Access can be either read or write, or both.
Access logging
Yes
Yes
Yes
Yes
Emergency access
Yes. Patients can give a carer full access to their records, or they can download their information on a mobile app. It is not clear how someone can access this mobile information when the owner is incapacitated.
Emergency summary is contained in a wallet card or profile sheet, or can be accessed online by using an emergency access code which is provided on the wallet card or profile sheet. Emergency access can also be obtained by sharing a (non-encrypted) access code through email.
?
Yes. Access overrides any usual access controls and is provided under specific conditions when consent cannot be obtained: threat to life, or public health and safety.
Level of access authorization
Record level (read, write and with time limit), and shared connection level.
Information type level. In addition, individual items can be marked as confidential, so that others with whom records or apps are shared, cannot see it.
Document and data entry level (through feature called ‘For your eyes only’).
Document type level and provider. Users can remove all or any files, but cannot change them. All documents are digitally signed to assure integrity.
Access expiration
No
Yes
?
?
Carer authorization
Yes
Yes
?
Yes
Store data
Yes
Yes
Yes
Yes, in personal section. Medical files go in clinical section, which is managed by providers.
View data
Yes
Yes
Yes, from selected health care providers.
Yes. Patients can see everything. Doctors can see everything in clinical section, provided the patient allows acces, plus certain parts of the personal section (e.g. allergies and adverse reactions). Doctors have also acces to information through their own information system, if this is compatible.
Share data
Yes (only patients)
Yes
Yes, with selected health care providers.
Yes, patient can give access to professionals. They can share access with others (a so-called authorised or nominated representative) with a personal access code.
Link with EHR
No, but doctors and patients can manually upload patient records. Automatic processing if standards are used. Patients can export records in CDA format to share with doctor.
Yes, only in US (through Direct, a secure method for transferring health data). Yes, with selected health care providers. Or through Direct, a secure method No, but nominated healthcare providers can upload a patient summary using for transferring health data. special software.
Standards
Yes. PKB users can use either EMIS GP (a GP medical records system used in the UK) or CDA (an xml international standard).
Yes. Continuity of Care document (CCD), Continuity of Care record (CCR) or Blue button (only US).
CCD, Direct
?
Privacy policy
Yes. See http://help.patientsknowbest.com/Privacy-policy.html? pid=185807000000009003
Yes. See https://account.healthvault.co.uk/help.aspx?topicid=privacypolicy
Yes (no weblink)
Yes. See www.ehealth.gov.au/internet/ehealth/publishing.nsf/Content/ ehealth_privacy
User agreement
Yes. See http://help.patientsknowbest.com/User-agreement.html
Yes, see https://account.healthvault.co.uk/help.aspx? topicid=CodeofConduct&culture=en-GB
Yes (no weblink)
?
Complies with HIPAA.
Complies with Australian Government Protective Security Policy Framework and legislation ( Personally Controlled Electronic Health Records Act 2012 and Privacy Act 1988).
ACCES AND SHARING
LEGAL
USABILITY
Usability
Rather poor (e.g. not everything is translated into Dutch, and some advertised Very good! functionalities are missing).
Very good, although website can be a bit overwhelming.
?
Search function
No
No
No
Yes
Accessibility
No explicit compliance
No explicit compliance
No explicit compliance
Conforms to international standards. See: http://www.ehealth.gov.au/ internet/ehealth/publishing.nsf/Content/Accessibility
Dashboard
Yes
Yes. Can be modified.
Yes
Yes
Charts
Yes
Yes, measurements can be displayed as charts
Yes
?
Mobile access
Yes, with Android and iOS app. Note: application is only available to patients Yes, both webbased and through apps. at Patients Know Best customer hospitals.
Yes, with special apps for iOS and Android.
Yes, with one specific app: my child’s eHealth record.
Recent activities
No
Yes
Yes
Yes
Support
Very extensive (however, everything is in English).
Yes, includes help function and customer support.
Wizard guides users through setting-up process of records. Information on access controls and privacy is somewhat summary.
Yes
Owner
Radboudumc
Microsoft
Health Companion
Australian government
Commercial
Yes. PKB software is free for patients; it is the clinicians who pay.
Yes
Yes
No
Cost
No
Free
Free for patients. Insures, employers and wellness partners have to pay.
Free
Website
https://my.patientsknowbest.com/auth/dashboard.action
https://account.healthvault.co.uk
https://www.healthcompanion.com/
http://www.ehealth.gov.au/internet/ehealth/publishing.nsf/Content/home
Dutch implementation of PKB is still in development. It is mainly used in various pilots conducted by the Radboud REshape Center in Nijmegen, under the umbrella of Here is my Data. For more information, see interview with Lucien Engelen, head of Reshape, who introduced PKB in the Netherlands.
Microsoft Healthvault is one of the biggest commercial products available on Health Companion was given the highest score by NPCF in evaluation of the PHR and patient portal market. It is highly adaptable, and can be non-Dutch PHRs. connected to EHR systems by use of SDKs and an API.
GENERAL
ADDITIONAL INFO eHealth.gov.au is the only state-sponsored PHR in the world. However, uptake, especially among health care professionals, is so far limited. Many doctors consider it a challenge to manage and consult both a PHR and an EHR for their patients.
b. DATA ELEMENTS AND FEATURES
Patiënt1 (NL)
Mijnzorgnet (NL)
Zorgdoc (NL)
Mijn UMC Utrecht (NL)
Yes
Yes
Yes
No
Health summary
Yes
No
Yes
Yes
Diagnoses and problem list
Yes
Yes
Yes
Yes, as far as known within UMCU
Procedures, hospitalizations
Yes. Includes Surgery (structured list)
No
No
Yes
Medications
Yes. Includes medication history and RVG-number (semi-structured list).
No
Yes. Zorgdoc includes a list of all known and registered medicines in the Netherlands. Yes. Doctors can add prescriptions, or they can ask another clinician to approve and If there is a conflict between various medications, or between a medication and the prescribe it. Once the prescriptions is complete, it appears in the patient’s medications patient's health, the user is warned. list.
Symptoms
Yes
Yes, in diary
No
Yes, in diary or e-consult
Contraindications
?
No
Yes
?
Adverse drug events (ADE)
Yes
No
No, although patients are given the opportunity to mention adverse reactions as a reason for stopping with a certain medication
Yes. Patients can report ADEs through e-consult.
Allergies
Yes (structured list)
No
Yes
Yes
Immunizations
No
No
No
Yes
Genetic info
No
No
No
No
Functional status
No
No
No
No
Vital signs
Yes
No
No
Yes
Healthcare instructions
No
No
No
No
Organ donations
No
No
No
Yes
Medical devices
No
No
No
No
Contact lenses
No
No
No
No
Cochlear implant
No
No
No
No
Laboratory tests
?
No
No
Yes (pathology (e.g. a blood test) and diagnostic imaging (e.g. an ultrasound) reports.
Medical images
?
No
No
No
Audio results
?
No
No
No
Family history
No
No
No
No
Social history
Yes
No
No
No
Contact information
Yes
Yes
Yes
Yes
Emergency contact(s)
Yes
No
Yes
Yes
Provider list
Yes (with search function)
No
Yes
Yes
Sensor and monitoring data
Yes. Includes diabetes diary, weight, body circumference, INR (International Normalized Ratio), HbA1c (glycated hemoglobin), cholesterol, ketones (in urine), alcohol, FEV1 (lung funtion test), blood pressure, lithium level, and temperature.
No
No
Yes. Includes an extensive list, ranging from weight to calories and sleep.
Prevention and wellness
Yes. Includes nutrition check, a snack meter and weight management.
No
No
No
Insurance details
Yes
No
No
No
Financial details
No
No
No
No
Calendar
No
No
No
Yes
Medical information (e.g. wiki)
Yes (‘Encyclopedia’, which is curated by medical professionals)
No
No
No
Referrals
No
No
No
No
Care plan
Yes, requires collaboration of professional and patient. Is initiated by professional through patiënt1Pro, a separate platform for authorized professionals.
No
No
No
Consultation reports
Yes
No
No
Yes
Physician notes
?
No
No
Yes
Hospital discharge summary
?
No
No
Yes
Diary/personal notes
Yes, but only for diabetes patients.
Yes
No
Yes
Social networks/chat
No
Yes
No
No
Communities
No
No (has been abandoned)
No
No
Appointment scheduling
No
No
No
Yes, but not for all specialisms.
Medication verification
Yes. Extensive options for monitoring of medication, including adverse effects and allergies.
No
Yes
Yes. Patients can add info on medication history not know at UMCU.
Prescription renewal
No
No
No
Yes, but only after consultation and agreement with specialist . Orders are sent by fax to pharmacist of patient.
E-consult
?
No
No
Yes. Reaction time: three days. Not for emergencies. Also to report side-effects of medicine use. Layout: forum. Consults are not doctor specific, but directed at specialism. It is possible to add files.
Health recommendations
No
No
No
No
Warnings/alerts
No
Yes
No
No
Questionnaires or forms
No
No
No
Yes, e.g. intake forms.
Child development section
No
No
No
No
Extra modules or apps
There is a mobile app for diabetes patients.
Yes. Mainly geared at pregnant women and young mothers.
No
No
DATA ELEMENTS
Personal Personal details Clinical
Results
Histories
Contact details
Monitoring and prevention
Insurance and finance
Other
FEATURES AND TOOLS
Patients know best (Europe and Asia)
Microsoft Healthvault (worlwide)
Health Companion (US)
eHealth.gov.au (Australia)
Yes
Yes, including emergency profile.
Yes
Yes, with contact details etc.
Health summary
No
Yes
Yes
No
Diagnoses and problem list
Yes
Yes
Yes
Yes
Procedures, hospitalizations
?
Yes
Yes (unstructured)
Yes
Medications
Yes.
Yes
Yes, but no separate box for adverse events.
Yes. Includes a personal medication list and a Prescription and Dispense View, which is accessible for providers (with software link). The Prescription and Dispense View displays the name and date a medication has been prescribed, the strength or dose of the medication, the direction for consumption (e.g. take one capsule daily) and the form of the medication prescribed (e.g. capsule, tablet, inhaler, etc).
Symptoms
Yes (with graphical interface/timeline)
No
Yes
?
Contraindications
No
Adverse drug events (ADE)
?
No
No
?
Allergies
Yes (structured)
Yes
Yes (structured)
?
Immunizations
No
Yes
Yes
Yes
Genetic info
Yes (sequence upload)
No
No
?
Functional status
No
No
No
No
Vital signs
Yes (structured)
Yes
Yes
?
Healthcare instructions
No
No
No
No
Organ donations
No
No
No
Yes
Medical devices
Yes
Yes
Yes
?
Contact lenses
No
No
Yes
?
Cochlear implant
No
No
Yes
?
Laboratory tests
Yes (structured) with upload of radiology scans etc.
Yes
Yes
Yes (categories: pathology, virology, bacteriology, endoscopy, lab, radiology, allergies)
Medical images
?
Yes. Includes X-rays, CT scans, Ultrasounds and MRIs. Upload through HealthVault Connection Center.
Yes
?
Audio results
Yes (for speech therapists)
No
?
?
Family history
No
Yes
Yes
?
Social history
No
Yes
Yes, includes smoking, alcohol, substance use, sexual activity)
?
Contact information
Yes
Yes
Yes
Yes
Emergency contact(s)
No
Yes
Yes
Yes
Provider list
No
Yes
Yes
Yes
Sensor and monitoring data
Yes (structured)
Yes, includes blood pressure, cholesterol, food & drink, weight, height, body Yes, includes vital signs (blood pressure, heart rate, respiratory rate, height, weight), dimensions, exercise, body composition, menstruation, peak flow. Allows import from spreadsheets. on, menstruation, peak flow. Allows import from spreadsheets.
?
Prevention and wellness
No
Yes. Includese Steps, Exercise, Food and drink and weight management.
Yes. Includes Diet and exercise, Rest and mental health, Alcohol and smoking, Oral health, Driving safety.
No
Insurance details
No
Yes
Yes
Yes
Financial details
No
No
Yes
Yes
Calendar
Yes
Yes
Yes (for appointments)
?
Medical information (e.g. wiki)
Yes (‘Library’, which is specific for patient/complaint)
Yes
No
No
Referrals
No
No
No
No
Care plan
Yes (but does not work in Dutch version of site)
No
No
No
Consultation reports
No
No
?
Yes
Physician notes
No
No
?
Yes
Hospital discharge summary
No
No
Yes
?
Diary/personal notes
Yes (with option to upload documents)
No
No
Yes
Social networks/chat
Yes
No
Yes
No
Communities
No
No
Yes
No
Appointment scheduling
Yes
No
Yes, if account is linked to healthcare provider, by using the "Messaging" tool.
No
Medication verification
No
No
Yes
Yes
Prescription renewal
No
No
No
No
E-consult
Yes
No
Yes
No
Health recommendations
No
No
Personalized health recommendations based on evidence-based guidelines and physician-designed algorithms.
No
Warnings/alerts
Yes (symptom reminders)
Yes (on dashboard)
Yes
Yes, e.g. for health checks, and immunisations
Questionnaires or forms
?
No
No
No
Child development section
No
No
No
Yes, to monitor growth etc.
Extra modules or apps
Yes
Yes. Data from apps or devices can be imported through Healthvault Connection Center. Some devices can be connected automatically.
No
No
DATA ELEMENTS
Personal Personal details Clinical
?
Results
Histories
Contact details
Monitoring and prevention
Insurance and finance
Other
FEATURES AND TOOLS
APPENDIX II: A CONCEPT MAP OF PHRs
PERSONAL HEALTH RECORDS
CONTEXT
State Decentralization Budget cuts Health reforms
Society Personalization Fragmented health care Self care Quantified self Ageing population Digital literacy
Economy IT companies Big Data Disruption
Technology Digitalization Cloud Mobile eHealth Health monitoring apps Data-driven health Social media
Money Selling PHR and associated apps (by PHR provider) Collecting and selling health data (by PHR provider/pharmaceutical firms/insurers) Selling personal health data (by patient)
DESIGN
Values Self-management Autonomy Participation Decentralization Personalization Holism Patient-centric Transparancy Context Trust Control Privacy Contextual integrity Anonymity Confidentiality Sharing data for science Safety Efficiency
Laws
Stakeholders Patients GPs Pharmacists Dieticians Other health professionals Hospitals Clinics Insurers State GP labs PHR providers Pharmaceutical firms IT companies Science
Related systems LSP White Box EHRs/XIS Patient portals
Self diagnosis Social network Chat Communities Community support Communication with GP E-consult Appointments Referrals Prescriptions Medicine verification Emergency summary Personal health plan Alerts Reminders Notifications Questionnaires or forms Weight management Prevention Child development section Biometric data Extra modules or apps Sharing information Link with EHR Link with LSP Authorization
Personal profile Medical information Medication Allergies Adverse reactions Symptoms Calendar Diary Personal notes Physician notes Consultation reports Patient letters Hospital discharge summary Measurements Medical devices Genetic info Family history Immunizations Organ donations Emergency contact details Insurers information Lab results Medical images Audio results Financial information
Target groups Patients Citizens GPs Pharmacists Dieticians Other health professionals Family Friends Carers
Standards Privacy by design NEN7510 NEN7512 NEN7513 NEN7521 CDA EMIS CCR/CCD THECS requirements
Features and tools
Data elements
Wgbo Wbp Right to access records Ownership Medical record duty Medical secrecy Patient secrecy?
IMPLEMENTATION
Security Authorization Two-or three factor authentication Login Passport Sms Pin Uzi-pass DigiD Encryption Access logging Access expiration Password retrieval Distributed architecture
Privacy Access control Specification of roles Medical secrecy Patient secrecy Anonymity Confidentiality Contextual integrity Perception of privacy Communication of trust Transparency alerts Genetic profile Big data
Benefits Autonomy Empowerment Personalization Better health Prevention Patient safety Compliance Medicine verification Less ADEs Emergency access Efficiency Insurance Better communication Feedback from doctor Insights in own health Innovation Disruption Research and science
Challenges For providers/health professionals Revenue model Marketing (Illness or health?) Lack of active promotion Conservatism (Fear of) disruption Overconfidence in security Fragmentation (data silos) Adaptability and flexibility App or web centric? Lean development Standardization Interoperability Scope Feature creep Scale Technology Bureaucracy Commercial pressures Budget cuts Staff engagement Lack of clear health gains For patients No automatic link with EHR Access restrictions Shadow records Time limits Lack of privacy and security Confidentiality No legal protection for patient secrecy Trade-off privacy/security and usability Lack of incentives Lack of feedback Relative advantage Level of satisfaction with existing relationship Level of education Digital literacy Health literacy Fear of technology Gender, ethnicity, income Behavioural impact Short-term focus of patient Fear of autonomy (on the patient’s part) Usability Learning curve Lack of support and coaching Paternalism
Usabililty Context- and user-specific Costumization and personalization Accessiblity Multimedia (Video-)chat Other interaction Single point of access Offline/online acces Size of display Mobile Wearables (smart watches) Connection with sensors Alerts Sharing, printing, etc. Support/help Balance between structured/ unstructured information Non-intrusive privacy and security controls Understandable medical information No jargon Speed Downtime
Risks Patient is made responsible for their own health. `Profit and technology driven and not value driven. Interests of state and provider outweigh those of patient. Patient is pressurized to share/sell data.
APPENDIX III: OVERVIEW OF RECOMMENDED DATA ELEMENTS
APPENDIX IV: FOCUSGROUP: REPORT AND TRANSCRIPT Date: 16 June 2015 Place: Waag Society in Amsterdam Duration: 120 minutes Session language: Dutch Link to audio file: http://tinyurl.com/focusgroup-session Key: P1, P2, P3, P4, P5 and P6: participants PM: Paulien Melis (moderator) HA: Henk van Appeven (author) GN: Guido van ’t Noordende (supervisor) Transcript sections (indented) are in Dutch. See end of document for colour coding scheme.
1) Introduction and welcome Duration: 0:00 – 3:48 (only partly recorded) In this section, participants are asked to introduce themselves, telling something about their background and their age. Next, PM and HA introduce themselves, explaining the work of the Waag Society, and the research behind this focus group session. Participants are then asked to sign a consent form, in which they allow the information gathered in the session to be (anonymously) used in this report and the final research paper. 2) Patient journey Duration: 3:48 - 15:34 Participants are asked to describe their own patient journey, or the journey of a patient they know or care for (e.g. a child). This is intended as a warming-up exercise, and gives insights into the information flows flowing throught the health network, from patient to HCP, and from HCP to HCP, and so on (see Appendix IV). At the end of the exercise the moderator asks the participants to share their experience of describing this journey. PM: Hoe was het? P5: Nou ik zei net al, behalve gezondheidszorg zit er natuurlijk nog een heel scala omheen, zoals school enzo. PM: In dit geval heel specifiek, omdat het om een kind gaat. P5: Ja! Maar dat is natuurlijk vaker het geval, bijv. dat er een werkgever bijzit. PM: Dat is zeker interessant om in ons achterhoofd mee te nemen, want we gaan het zo ook nog wat specifieker hebben over je eigen gezondheidsdossier, je persoonlijke dossier, en met wie je dat wel of niet zou willen delen. En deel je dat bijv. met een school, etc. P5: In dit geval was het heel nuttig om het wel te delen, met de school, bedoel ik. Dat ze niet alleen het verhaal van de ouders hebben, maar ook nog een objectief verhaal. PM: OK, dank jullie wel.
3) Introduction Personal health record Duration: 15:34 - 28:16 In this section PHRs are introduced as a topic. The moderator starts by asking the participants if they have ever heard of the term PHR. PM: Wie kent de term? P2: Nou, die bestaat al een aantal jaren. PM: Nee, dat klopt, het is zeker niet nieuw. En wat verstaat u eronder? P2: Nou, ik heb er nooit zo erg over nagedacht, maar ik kan me er wel een voorstelling van maken. Dat daar in zit: wie je bent, een aantal kenmerken van je persoon, je leeftijd, geslacht (toevallig is dat nou in het nieuws, want niet iedereen wil dat, man/vrouw), en dat daar vervolgens je ziektegeschiedenissen, als je die hebt, in staan. Waarbij je natuurlijk moet afvragen hoe ver je daarin moet gaan, en ook hoe ver je daarin terug moet gaan. En hoever moet je in de details gaan. Medici, vooral specialisten, hebben natuurlijk behoefte aan detaillering, maar lang niet iedereen heeft die behoefte, natuurlijk. PM: Hoe is dat voor de anderen? Delen jullie dit beeld? Of zien je andere dingen? P1: Ik denk ook aan uitslagen, foto's. Misschien dat je ook scans of röntgenfoto's in je PGD wil bekijken. P4: Ik ben ook wel geïnteresseerd in het verleden. Mijn ouders leven niet meer. Als ik een ziekte krijg, die misschien erfelijk is, kan ik dat misschien over dertig jaar in het dossier van dan terugkijken, en vinden. Dus die koppeling met ouders, bijvoorbeeld, zou handig zijn. P5: Voor mij is ook de vraag van wie is dat dossier. Is dat mijn eigen dossier, beheer ik dat zelf, of doet iemand anders dat... HA: Jazeker, daar komen zo nog over te spreken. PM: Zijn er nog mensen die toevallig al een eigen PGD gebruiken? (All participant say they do not use a digital PHR at the moment) P6: Ik heb wel een map waar ik alles indouw, maar dat is geen PGD. PM: Ja, dat is de papieren versie daarvan. P6: Want je krijgt ontzettend veel papieren, als je in het ziekenhuis belandt, die douw ik dan allemaal in een map. Veel daarvan is totaal overbodig, maar je weet het niet. Ik ga dat niet uitzoeken. Erin en klaar! HA: Zijn er mensen die een patiëntenportaal gebruiken? P3: Wat is dat precies? HA: Dat is een digitaal dossier dat je wordt aangeboden door het ziekenhuis waar je behandeld wordt, waar je bijvoorbeeld afspraken kan maken, of een medicatieoverzicht kan inzien. Echt gekoppeld aan het ziekenhuis. PM: Dat is dus een communicatiewebsite tussen het ziekenhuis en de patiënt. (All participants say they do not use a patient portal) P6: Nou, als je een chronische aandoening hebt, is dat natuurlijk heel handig. P4: Voor mij zou kosten ook wel een onderdeel zijn. Wat geef je uit, wat kost je ziekte. P6: Die zou je in je dossier willen hebben? P4: Ja! P2: Maar dat weet je toch helemaal niet? PM: In het ziekenhuis vinden alle financiële stromen natuurlijk buiten jezelf plaats, tenzij er een eigen risico geïncasseerd moet worden. Maar daar zie je helemaal niet wat behandelingen nou kosten. P4: Nou die gegevens zijn zeker ergens te vinden, die zijn te koppelen. P6: Of bij de verzekeraar, het is wel een beetje zoeken, maar ik heb wel alles kunnen vinden. P2: Maar willen we dat? P6: Nou, ik wilde weten wat het allemaal gekost had. Ik wilde weten of het klopte. PM: Waarom dan?
P6: Nou, omdat ik heel goed geholpen ben. Dan denk ik, in het geheel van de gezondheidszorg, wil ik wel weten hoeveel ons dat allemaal samen gekost heeft. Hoe die verhouding dan ligt. P3: Ik zou het niet willen weten. HA: Waarom niet, P3? P3: Omdat ik weet dat ik een dure patiënt ben. Dus ik wil niet weten hoeveel ik de gemeenschap ga kosten. HA: Dat zou je remmen om de zorg te zoeken die je nodig hebt? P3: Ja. Dan zou ik me schuldig voelen. HA: Ja, dat kan ik me heel goed voorstellen. P2: Ik heb in november, december in het ziekenhuis gelegen, en ik denk dat het heel veel heeft gekost, maar ik ben daar nooit achterheen gegaan. P6: Nou, ik was gewoon nieuwsgierig, ik wilde het weten. P1: Ik vind het ook wel interessant. Ik heb een scan gehad. En dat is echt hartstikke duur. Dat vind ik toch wel interessant om te weten. P6: Ik heb ook wel eens een onderzoek geweigerd, ik vond het onzin. En toen was mijn argument dat ik het zonde van het geld vond. Toen zeiden ze: mevrouw, daar hoeft u zich geen zorgen over te maken. Toen zei ik: Dat doe ik wel. Want het bepaalt mede ons aller premie. P4: Het kostenbewustzijn van patiënten zou je, wat mij betreft, kunnen meenemen in zo'n dossier. P6 (talking to P3): Jij zou dat bijvoorbeeld niet willen? P3: Nee. P6: Dat is wel een algemeen punt: Wil je alles wat er in een dossier kan, ook echt erin hebben. P2: Zo’n kostenoverzicht is wel erg vrijblijvend. Je bent ziek, je krijgt verzorging enzovoort, en je stapt genezen weer de wereld in. En dan kun je wel nagaan hoeveel het je kost, maar het is heel erg vrijblijvend. Want je doet er verder niks mee, met die gegevens. P6: Nee, maar wel in de discussie over de gezondheidszorg... P2: Waarom? PM: Ik denk dat dit wel een heel erg cruciaal element is. Hoe je je verhoudt tot? Sommige behandelingen zijn noodzakelijk, terwijl, zoals jij (P6) al zei, bij anderen behandelingen je de relevantie ontgaat. Dat is wel een kostenbewust aspect. P2: Nou in het algemeen is dat wel nodig, maar individueel zet dat geen zoden aan de dijk. Kijk, die behandeling van mij, het was ernstig, ik wil dat best zeggen, ik had hartfalen eind november, ik was bijna dood. Nou, dat heeft heel veel geld gekost, daar ben ik van overtuigd. Maar wat doet het er in de discussie over de kosten in het algemeen in Nederland toe? Niks! Nul-komma-nul! P6: Het is een maatschappelijk gegeven. P2: Nee, dat is het juist niet. Het is een individueel gegeven. HA: Nou ja, het mooie van die dossiers is natuurlijk, die zijn, als het goed is zo flexibel opgebouwd, dat jezelf kan bepalen welke onderdelen je wil gebruiken en welke niet. En wat je vervolgens met die gegevens doet. Dus ik kan me voorstellen dat P3 zegt, dat wil ik helemaal niet weten, en voor P4 en P6 wel. P2: Nee, natuurlijk, dat is prima. P6: Sommige mensen willen altijd alles weten, en anderen willen juist niks weten. PM: Het maakt ook uit welke behandeling is. Bijv. bij oogmetingen, als je naar een andere oogarts gaat, worden alle metingen weer opnieuw gedaan. Dus ook al is het een individueel geval, daar zouden de patiënten ook een brug kunnen slaan. Ik schrijf het op, dan komen we daar later nog op terug. HA concludes this part of the session by a short explanation of PHRs. He stresses the fact that the patient is in full control in a PHR, and that a PHR contains both information from the users themselves as information from their HCPs. He also distinguishes PHRs, which are ideally interconnected to a number of HCPs, from patient portals, which are exclusively tethered to one hospital or GP, and from systems like the Dutch LSP, which exchange information between HCPs, without actively involving the patient. He also stresses that PHR allow patients to actively engage with their information (e.g. by sharing it, or by correcting and adding to it) and interact with their HCP (e.g. by setting up an e-consult).
Table 1: Functionality preferences (overview of findings from interactive session part 1:
Key: green = must have, black = should have, red = should not have. Functionalities in italics were added by participants as wild cards.
4) Interactive session part 1 Duration: 28:16 - 1:16:41 In this section, participants are asked to list their favourite functionalities (data elements, features and tools), dividing them in a Yes (should haves) and No (should not haves) list, and choosing their five favourites (must haves). They work in pairs (P1 and P2, P3 and P4, P5 and P6) and use ready-made icons, that represent the various options (see Appendix IV). Wildcards are provided to add extra options. Participants can write down any disagreements or other comments on the provided posters. See table 1 for an overview of the findings. This part is concluded with a plenary discussion. There are no sound recordings of the separate sessions. Plenary discussion (47:38 – 50:54) PM: Ik was benieuwd naar dingen die heel erg tegenstrijdig waren, waar jullie echt van mening verschilden. Ik kreeg een beetje de indruk dat jullie toch grotendeels dezelfde ideeën hebben. P2: Eigenlijk wel, ja. P4: De drieslag is: ben je in principe voor of tegen voor zo'n vastlegging. Zo nee, dan stopt het. Zo ja, dan kun je kijken, wat stop je er dan in. Ten derde kun je kijken of er nog luxe dingetjes, handige dingetjes zijn die je erbij wil hebben, dat is volgens mij een beetje het proces. Als je niet in principe tegen bent, dan ben je dus voor, dan je heb je basisdingen, en daaromheen heb je dan de extra toeters en bellen. PM: Delen jullie deze opmerking? P4: Kijk als je tegen bent, dan wil je er eigenlijk niks in, dan ben je tegen vastlegging, en centralisering van gegevens, want dat is wat je aan het doen bent. P6: Maar je bent niet in principe voor of tegen. Je merkt dat het heel moeilijk is om alleen maar te denken wat wil ik nou vastleggen voor mezelf. Want dan denk ik steeds: ja, dat wil ik bij de hand hebben, voor het geval ik met mijn dokter of iemand anders een gesprek heb, dat ik dat dan paraat heb. Dus daar zit steeds bij dat ik iets wil delen. Want ik hoef mijn donorcodicil voor mezelf niet in dat PGD te hebben. Maar ik wil wel dat het allemaal op één plek is. HA: Het krijgt pas een waarde op het moment dat je er iets mee kan doen. Dat je het deelt met anderen, en.. P6: Ja! Dan ga je nadenken, waar moet het dan aan voldoen, zodat het veilig is, etc., dat er geen misbruik van gemaakt wordt. Dus ik vind het moeilijk om die dingen uit elkaar te houden. PM: Dat is ook zo, het is een heel precair onderwerp. P5: Dat is wel grappig. We hebben als joker ingezet: eigen notities, en artikelen die je wil bewaren. Dat is natuurlijk vooral voor jezelf. P2: Inderdaad. Maar daarom is ook de privacy ook heel belangrijk, natuurlijk. Dat die op een of andere manier gewaarborgd is. Dat zie ik nog niet zo erg zitten, eerlijk gezegd. Dat is echt een heel groot probleem. Lunch break (10 minutes) Continuation of plenary discussion (1:00:35 - 1:16:41) PM: Hoe ervaren jullie het nou om hier over na te denken? P2: Wel nuttig. P6: Wel frustrerend. PM: Waarom? P6: Omdat je steeds moet besluiten of ik het wel een goed idee vind, of niet. PM: Ingewikkeld is het, hè? P6: Ja, ik vind het ingewikkeld.
P2: Ja, het is ingewikkeld. P5: Ik word er wel ietsje blijer van. Ik denk wel: het heeft wel lollige kanten! P4: Alles op één plek, lijkt me ontzettend handig. Maar ook dat je, net als bij Google Docs, kunt aanklikken: dit wel, en dit niet. Dat je vergaand zelf die keuze kan maken. En daarna wat je wel wil delen, met wie. Dat zou heel erg de regiefunctie moeten zijn, die je zelf houdt. Met een soort van dashboard voor je dossier. P1: En als ouder? Tot welke leeftijd zou je dan het dossier van je kinderen moeten bijhouden. P2: En in hoeverre ben je eigenlijk de baas over je eigen dossier? Ik bedoel, wat is de rol van huisarts en specialist? Want die vullen daar ook het een en ander in. PM: Daar zijn ook een aantal variaties in mogelijk. Ik denk dat door de bezuinigingen in de zorg dat nu ook echt kritisch zal worden bekeken. En dat met de komst van dit soort dossiers, die discussie nog echt gevoerd gaat worden. En dat hopen we onder andere ook met dit soort onderzoeken te doen. Wil jij als arts dat de patiënt zelf meer de regie gaat nemen, dan zul je daar ook de communicatie op moeten gaan afstemmen. Zover zijn ze nog niet, we zitten echt in zo'n omschakeling. Vanuit bezuinigingen moet je het allemaal zelf gaan doen, welke rol speel je daar dan in. Ik denk dat iedereen daar nog echt zoekende in is, daar zullen we zeker nog enkele slechte voorbeelden van gaan ervaren. P5: Is het de veronderstelling dat dit geld gaat opleveren? PM: Nou, ze zeggen heel simpel, bijvoorbeeld als je gevallen bent, als oudere, en je hebt je heup gebroken. Je revalidatie in het verpleeghuis gaat van zes naar drie weken. Dat betekent dat je dus thuis de behandeling moet afmaken. Dus je moet thuis heel veel dingen zelf gaan doen. Dit is maar een voorbeeld. HA: Kijk, er zijn twee redenen om te zeggen dat het bijdraagt aan lagere kosten in de gezondheidszorg. Ten eerste preventie: als mensen een beter inzicht krijgen in hun eigen gezondheid, en in hun eigen leven, dat zal dat leiden tot gezonder gedrag. En ten tweede: er zit nu redelijk wat ruis in informatiestromen in de gezondheidszorg. De informatie is niet allemaal goed op elkaar afgestemd. Klopt niet altijd. Het idee is dat als je de patiënt tot regisseur maakt van die informatiestromen, dat is toch de ervaringsdeskundige bij uitstek, dan in ieder geval op één plek alle informatie klopt. Dat is het idee, in elk geval. Dat zou een deel van die ruis eruit moeten halen, die nu leidt tot heel veel inefficiëntie, en zelfs: mensen worden er gewoon ziek van, omdat niet de goede mensen op het goede moment de goede informatie hebben. P6: Die ruis zit ook bij mij. HA: Da's waar. In hoeverre is de patiënt überhaupt in staat is om die rol te vervullen. P4: Voor mij is dat zelfbeschikkingselement, dat je zelf de verantwoordelijkheid hebt over je informatie, minstens zo belangrijk. PM: Klopt. Je ziet nu die tegengestelde krachten op die gezondheidszorg ontstaan, als het gaat om financiering. Patiënten moeten zelf de regie, maar niet iedereen wil dat. P2: En niet iedereen kan dat. GN: Er wordt heel wat zorg eerder stopgezet door bezuinigingen. Dat gaat vaak om hoogspecialistische, dure zorg. De regiefunctie ligt dan vaak de patiënt, maar soms nog wel degelijk de huisarts, en dat wordt ook nog wel gefinancieerd. En daaromheen heb je de wijkverpleegkundige, en een hele rij van andere zorgverleners, die de regie voeren. Maar wat betreft de informatie: het is inderdaad interessant om te weten: wie veroorzaakt de meeste ruis: de zorgverlener, of de patiënt? Dat moeten we allemaal nog gaan ontdekken. P6: Je hebt twee dingen: je hebt ruis en je hebt betrouwbaarheid. Als ikzelf overzicht heb over mijn dossier, ook al is het een papieren map, dan kan ik het ook controleren, of ik wel het goede medicijn krijg. Of ik inderdaad dat onderzoek wel nodig heb. Want ik ben degene die alles meemaakt. Maar in dat traject dat ik heb beschreven in mijn patiëntreis, heb ik tenminste 50 mensen gezien, in een traject van vijf dagen opname en een maand voortraject. Vijftig mensen! Terwijl ik zelf niet dat gevoel had, hoor. Omdat ze goed op elkaar waren afgestemd, maar het waren toch wel heel veel mensen. En als die allemaal met mijn gegevens omgaan, dan kan je er wel vergif op innemen, dat daar dingen mis kunnen gaan. P2: Of daar allemaal dingen aan toevoegen... P6: Ook dat, precies! P5: Was dat ook zo? P6: Nou ze hadden heel goede protocollen, dus dat liep eigenlijk als een trein. P5: Wat was er dan anders zijn geweest als je zo'n dossier had gehad? Zou het dan anders zijn geweest? P6: Nee, maar dan zou ik wel dat hele traject kunnen vaststellen. Dat heb ik nu ook wel gedaan, maar op een andere manier. Er wordt zoveel tegen je gezegd, en sommige dingen blijven hangen, en andere weet je niet meer.
Participants choose favourite functionalities during focus group session PM: En omdat het specialistische informatie is, is het heel moeilijk te beoordelen welke elementen nu heel belangrijk zijn en welke niet. En misschien heb jij één detail onthouden, terwijl het meest cruciale stukje informatie voorbij is gegaan. P5: Maar met zo'n dossier heb je dan toch steeds niet de garantie dat je dat dan wel goed doet? PM: Nee, dat klopt. Behalve als je een slag dieper gaat, en kijkt naar het niveau van informatie. Een arts kan zeggen, dit is de meest cruciale informatie, die staat hier. En een laag dieper, zit bijvoorbeeld allerlei ondersteunende informatie, of adviezen. P6: Kijk het gaat niet alleen om informatie inzien, of delen, of wat dan ook. Je moet 'm ook verteren. Je moet 't verwerken. En de vraag is of dit daar een functie in heeft, of niet. Ik zal je uitleggen wat ik bedoel. Ik heb zelf een opname gehad om geopereerd te worden aan mijn darmen. En ik heb een strip gemaakt van die hele opname. Alles wat tegen me gezegd is, de grappen die zijn gemaakt. Die zijn er allemaal in gekomen. Daar staat in wezen een heleboel informatie in, bijv. wat er tegen me gezegd is. Vooral natuurlijk wat me is opgevallen. Er wordt ook een heleboel gezegd in een poging om je gerust te stellen, om contact te maken, noem maar op. En dat is eigenlijk mijn dossier, van die opname. Dat vind ik met dit het lastige. Het is eigenlijk gedacht buiten mij. PM: Hoe is dat voor de andere? Delen jullie dat? P2: Als ik even aan mijn recente ervaring in de medische wereld denk, daar is me ontzettend veel ontgaan, dat kun je wel zeggen. Niet alleen omdat ik een paar dagen buiten bewustzijn was, maar ook daarna. Er gebeurt zoveel om je heen, en om jou. Ik heb het lang niet allemaal gevolgd, helemaal niet. P6: Nee, dat is natuurlijk een groot verschil. Daar heb je gelijk in. HA: Er zit in het dossier, dat is een van de icoontjes die we jullie hebben gegeven, ook een dagboek. Dat kun je natuurlijk zo breed als smal opvatten als je wil. Die strip kan daar natuurlijk ook een plaats in krijgen, het gaat tenslotte
om persoonlijke ervaringen, als een soort biografie hoe jij het hebt ervaren. Dat perspectief kan heel interessant, niet alleen voor jezelf, maar ook voor zorgverleners. Daar zit natuurlijk ook een psychologisch aspect aan. P1: Jij hebt die strip toch gegeven aan het ziekenhuis? (asking P6) P6: Het ziekenhuis heeft nog niet gereageerd, en het is nu een half jaar geleden, of nog langer. Ze zijn nog steeds niet in staat om mij te ontvangen, om die strip aan hen te geven. Ik vind het heel intrigerend waarom dat niet gebeurt. Ik heb verschillende ingangen gekozen, en ik heb nog geen enkele reactie gehad, behalve van de coördinerende verpleegkundige. Aan hem heb ik het persoonlijk gegeven. P2: Heel merkwaardig! P6: Ik heb dus gezegd: ik heb die strip gemaakt, en ik zou het leuk vinden om die aan jullie te geven. Maar de organisatie is niet in staat om dat gebaar te ontvangen. PM: Iemand nog aanvullingen? P4: Ik denk dat dat een heel persoonlijk proces is. Voor u is dat een strip, hartstikke goed, en voor een ander is dat de vraag of de meting van bijvoorbeeld zijn bloeddruk nou boven of onder een bepaalde waarde zit. Die harde kant en je eigen verhaal, je beleving, die kunnen naast elkaar bestaan, denk ik. Daar hebben we tenslotte ook nog Facebook voor. P6: Uit onderzoek blijkt dat mannen dit beter doen dan vrouwen, wat jij beschrijft. Mechanisch denken, instrumenteel denken over je lijf. Vrouwen verwerken die informatie heel anders. PM: Of zoals ze wel 'ns zeggen: vrouwen gaan naar de huisarts, mannen gaan gewoon dood. Een vrouw is veel meer met de verwerking van dingen bezig, terwijl de man denkt, nou ja... P3: Dat vind ik wel heel generaliserend hoor! PM: Ja, dat is het natuurlijk ook. P4: Mag ik nog heel even wat toevoegen, dat is een kernzin, dat mag wat mij betreft wel met een marker worden onderstreept. U zei: het gaat niet over mij, als het gaat over dat dossier. Ik zie dan voor me mapjes, terwijl je ook de metafoor van het lichaam kan gebruiken, als toegang, in plaats van een rij mapjes. Dat zou al een heel andere benadering geven. Dat je dus een vorm kiest om dat ook visueel te maken. HA: In de veronderstelling dat dat daarmee dus gebruiksvriendelijker wordt, en mensen het dan eerder gaan gebruiken, of meer gevoel bij hebben? P4: Ja, precies. P3: Die logo's die we hebben gebruikt, dat helpt natuurlijk ook al. P4: Ja, dat ook. HA: Mijn idee zou ook zijn om die logo's niet alleen hier voor deze oefening te gebruiken, maar ook voor het dossier dat ik ga ontwerpen. In de hoop dat dan gelijk duidelijk is, wat de bedoeling. Want tekst alleen, dat werkt vaak niet. Maar ik vind jouw (P4) idee wel heel leuk, om de metafoor van het lichaam te kiezen. Nou ja, het lichaam is ook weer een reductie, je hebt ook nog de ziel, en de geest, en het hart! Hoe geef je die dan een plek? Bijv. als het gaat om psychisch welzijn, hoe heb jij het ervaren. P6: En wat doe je als je bij de psychiater loopt? HA: Nou ja, dat zijn ook zorgverleners, natuurlijk. P1: Hoe bepaal je nou wat je er wel of niet wat je er in wil hebben? HA: Het is aan jezelf om te bepalen wat je erin zet, en met wie je het vervolgens deelt. Dat is eigenlijk de volgende stap in de oefening.
5) Interactive session part 2 Duration: 1:16:41 - 1:57:10 In this second part, participants are asked to indicate sharing preferences (either Share or For my eyes only) for their top 5 favourite functionalities. If they decide to share the information, they indicate with whom they want to do so. Again, they work in pairs and use ready-made icons, that describe the various options (see Appendix ). Wildcards are provided to add extra options. Participants can write down any disagreement or other comments on the provided posters. At the end of the exercise the moderator asks the participants to share their experiences. See table 2 for an overview of the findings.
Plenary discussion (1:36:38 -1:49:34) PM: Het leek me toch leuk om even kort per tweetal aan te geven wat jullie het meest cruciaal vonden, en waarom? Wie wel, en wie niet? En zitten er nog verschillen in. P1: We vinden het ook wel leuk om nog even te bespreken waarom mensen bepaalde dingen niet in hun dossier willen. HA: We zitten een beetje in een tijdsprobleem, het is bijna twee uur. Ik denk dat het goed is om even te bespreken hoe we verder gaan. PM: Ik wil in ieder geval dit plenair afronden. Ik weet niet of er nog mensen zijn die direct om twee uur wegmoeten, of andere verplichtingen hebben. P4: Ik moet om kwart over twee weg. PM: Nou, als we dan nog een kwartiertje van je tijd mogen, dan heel graag. P3: Wat wij perse niet in het dossier wilden hebben, was de encyclopedie, dagboek, forum, chat, discussie. Wat betreft de kosten, waren we verdeeld. Wat betreft het delen. De vijf belangrijkste dingen in het dossier waren: zorgverleners, medicatie, consultverslagen, verwijsbrieven en behandelingen. Dus heel medisch. En wij vinden dat dat op maat gedeeld moest worden. Vooral als het gaat om verschillende specialisten, de fysiotherapeut, de psychiater, de chirurg. Die hoeven niet alles over jou te weten. Op maat delen, dus. P1: Mooi geformuleerd! P3: We wilden wel alles delen met de huisarts, de partner, de apotheek en de mantelzorger. HA: En met alles bedoel je de vijf dingen die jullie hadden uitgekozen als jullie favoriete functionaliteit. PM: Kun je aangeven wat jullie beweegredenen waren? P4: In principe bepaalt de patiënt wat, wanneer, met wie en hoe lang hij wil delen. Maar de huisarts moet alles weten, want heeft een integrale blik op de patiënt, en die moet ook weten bijv. wie de andere zorgverleners zijn. En voor de partner is het handig dat hij alles kan zien, als je bijvoorbeeld wilsonbekwaam wordt. Voor de apotheek, dat is lastiger, dat moet ook iemand zijn waar je vertrouwen in hebt, een mijnheer of mevrouw achter de balie. En de mantelzorger, dat is ook iemand met wie je al of niet een vertrouwensrelatie hebt, en die bepaalt dan of je het wil delen of niet. Het is wel heel handig om die te informeren, vanwege de grijpbaarheid (?) van je klachten. PM: Reacties van de anderen? P2: Ik hoorde je iets zeggen over je apotheek. Ik heb juist een heel goede apotheek. Want toen ik uit het ziekenhuis kwam met dat hartprobleem, kreeg ik ineens een lijst met medicijnen, terwijl ik daarvoor helemaal niks slikte. En ze belde me speciaal op: klopt dit eigenlijk wel, wat is er eigenlijk gebeurd? Dat vond ik buitengewoon attent. HA: Jazeker. Dat geeft jou dus ook vertrouwen? P2: Absoluut. HA: En de apotheek staat bij jou dus ook bij de partijen met wie je alles wil delen? P2: Nou ja, bij medicatie zit uiteraard de apotheek. Bij de allergieën ook, omdat dat ook samen kan hangen met medicijnen. Dat zijn eigenlijk onze enige twee, van onze vijf die we met de apotheek willen delen. PM: Zijn er heel specifiek dingen die jullie privé willen houden? P1: Nee, want wij dachten, als we er prioriteit aan geven dan impliceert dat eigenlijk dat je het wil delen. PM: Zo kan je het inderdaad benaderen, maar dat hoeft niet voor iedereen zo te gelden. HA: Stel dat het dagboek voor jou een heel belangrijke functionaliteit is, dan kan het zo zijn dat mensen dat niet per definitie willen delen. P2: Dat is absoluut waar. P5: Voor ons was belangrijk dat, als het dan moet zo'n PGD, dan willen we die informatie ook gebruiken bij zorgverleners die we tegenkomen. HA: Dus voor jou ligt de legitimatie van een PGD vooral in dat deelaspect, en niet in zozeer in het feit dat die informatie er is, maar dat je er iets mee kan doen. P5: Ja, dat klopt.
Table 2: Sharing preferences (overview of findings from interactive session part 2)
PM: Dat is volgens mij wel een basisgedachte bij iedereen. Mooi om te zien. Jullie verder nog dingen? P5: We hadden de partner eigenlijk geen rol gegeven, hè? HA: Haha, nou daar gaan we verder niet naar vragen, waarom dat zo is. P6: Wij vonden alletwee wel dat kinderen en mantelzorg er niks mee te maken hebben. Als die dingen moeten weten, dan vertel je dat zo wel. Want anders krijg je dat iedereen zich weer met jouw behandeling gaat bemoeien. En het is maar de vraag of jij dat goed kan overbrengen, en of dat goed wordt begrepen. Het is niet een middel om met je omgeving mee te communiceren. HA: En je maakt geen verschil tussen kinderen en mantelzorger? Want die heeft toch wel een andere verantwoordelijkheid. P6: Kijk, ik kan me voorstellen dat je een vertrouwenspersoon hebt, en dat hoeft niet per se de mantelzorger te zijn. En met die zou je je dossier wel willen delen. En dat kan je partner zijn, of iemand anders. En dat is ook wel wat mensen heel vaak zeggen. In die chaos van informatie, heeft iedereen behoefte aan een vertrouwenspersoon. Maar misschien is het juist wel niet je partner. P2: Ja, dat kan natuurlijk. P6: Niet iedereen heeft zo iemand, natuurlijk. Maar die kies je erop uit dat die om kan gaan met dit soort informatie. Dat is eigenlijk belangrijk. PM: Wat een mooie aanvulling! HA: Ik ben nog wel heel benieuwd. Je zei net met nadruk, dat je er bepaalde dingen er niet in wil. Zou je dat willen toelichten?
P2: Wij hebben relatiegeschiedenis, seksuele geaardheid, encyclopedie, zelf meten. Dat is een privé-functie, mensen moeten zelf weten of ze dat doen, maar medisch is dat denk ik niet echt belangrijk. Nou ja, dat weet ik eigenlijk niet. HA: Stel, dat je je bloeddruk bijhoudt, of je glucose, of je dieet. Ik kan me voorstellen dat je arts of je diëtist geïnteresseerd is in die informatie. P2: Ja, dat kan, maar ze zullen het altijd overdoen. HA: Dat is met dieetgegevens weer wat lastiger, natuurlijk. En hebben jullie nog dingen die er per se niet in moeten. P4: Als je zelf beschouwt als aanhanger van holistische geneeskunst, dan moet alles erin. Je kunt je voorstellen dat je mensen niet vraagt of ze van dertig dingen willen zeggen wat ze er wel of niet in willen. Je kunt ze ook vragen om in te vullen in welk profiel ze zich herkennen, zoals je bij een bank een veilig spaarprofiel hebt, en een beleggersprofiel. Dan vraag je ze: bent u een holistisch type, dat kiest u voor alles, of bent u heel erg technisch, dan kies je voor B, da's bijna niks. En alles daar tussenin. Denk 'ns na hoe je over gezondheid denkt, en pas daar de keuzes op aan, open of niet open, gebruik of niet gebruik. P1: Nou, da's wel een uitdaging. HA: Da's zeker een uitdaging. Ik zit gelijk te denken hoe je dat moet vormgeven. Maar wel heel interessant, wat je zegt. Ben je eigenlijk een holist, P4? P4: Nee, ik denk het niet eigenlijk. P6: Ik heb niet helemaal gehoord wat je vertelde, maar het brengt me wel op een gedachte. Over dat delen en dat inzien. Dit dossier moet een ondersteuning zijn van het gesprek. En niet in plaats van het gesprek. HA: Dat is ook uitdrukkelijk de bedoeling. P6: Ja, maar dat moet je wel afdwingen. Want dat kan heel gemakkelijk bij tijdgebrek en personeelsgebrek, noem maar op, dat ze.. PM: Ik kijk wel even in je PGD... P6: Ja, precies. HA: Nou, je hoort ook wel uit gebruikersonderzoek hoor je vaak dat mensen zeggen: ik kan wel allemaal mijn gegevens bij gaan houden, maar als ze er vervolgens niet naar kijken, dan heb ik er niks aan. Da's precies wat jij (P6) zegt. Dat is echt een succesvoorwaarde. P5: Het werkt andersom. Als je alleen je gegevens krijgt, dan heb je er niks aan. P3: Er moet een gesprek zijn. P6: Het moet toegelicht worden. Als je bijvoorbeeld de verwijsbrieven neemt. Daar begrijp je de helft niet van. Dus als dat dan de communicatie is, dan denk: doe dan maar niet. P4: Ik denk dat de huisarts twee schermen heeft. Eentje voor zichzelf, zoals dat nu is. En een tweede scherm, naar jouw kant gericht. Laten we even kijken, naar de cijfers van vorige maand, je dieet, je uitslagen, of je bloedprikken. P2: Ja, dat zou ik ook wel prettig vinden. P6: Of je hebt gewoon een tablet, met je eigen gegevens, die je meeneemt naar je consult. En dan kan de arts meekijken. (P5 leaves the meeting because of other engagements) 6) Three cases (plenary discussion) Duration: 1:49:34 - 1:50:29 This part is skipped due to time constraints. Instead, the participants are invited to fill in a questionnaire with some additional questions, which they will be sent by e-mail (see Appendix VI) HA: Ik zit even te denken. We hadden nog een programma-onderdeel, en ik kan me heel goed voorstellen dat dat via de mail kan. Vinden jullie het goed als ik jullie nog een aantal vragen via de mail stuur. Daar hoeven jullie niet zeer uitgebreid op te antwoorden, maar ik ben toch wel heel erg benieuwd naar jullie mening daarover. P6: Nou, daar ben ik niet blij mee. Ik ben nu al zoveel tijd kwijt aan het beantwoorden van vragen via de mail. En dan ga ik er veel te diep over nadenken. HA: Nou, dan moet je het niet doen. Alleen maar als je het wil. P6: Nou, stuur maar toe, dan zie ik wel. Als ik het in een kwartiertje kan doen, dan doe ik het.
HA: Ik ga het zo opstellen dat jij het in een kwartiertje dan doen. En voel je niet verplicht. Ik ben al heel blij dat je hier bent geweest.
7) Wrap-up and conclusion Duration: 1:50:29 - 1:57:10 In the final part of the session, the participants were invited to reflect on their experiences, and were asked whether, based on what they have heard, they were willing to use a PHR, if invited by their HCP. PM: OK, tot slot. Hoe was dit voor jullie? P3: Leuk, ja. P2: Jazeker, leuk hoor. P1: Het was voor mij ook heel bewustmakend. Ik had er nooit echt over nagedacht. Dit is wel het begin, als het ooit aan de orde is, dan heb ik al een beetje voorwerk verricht. PM: In zoverre. Er zijn al heel wat PGD's op de markt. Je kan er al zelf mee beginnen. HA: Stel dat jouw huisarts je nu zou uitnodigen, na de sessie van vandaag, om zo'n PGD te gaan bijhouden. Ik ben eigenlijk wel heel benieuwd, van ieder van jullie, zouden jullie met de informatie die jullie nu hebben, ja zeggen, of zeg je, nou, nee, voorlopig vind ik dat niet nodig. Of absoluut niet. P2: Ik moet er over nadenken. HA: Dus je zegt niet volmondig ja. P2: Nee. P1: Ik denk dat ik wel zou toestemmen. Ik heb nog een vraag over dat portaal, van dat ziekenhuis. Die vraag is nog nooit aan mij gesteld. HA: Nee, het is maar net of dat ziekenhuis, of jouw specialist, zoiets heeft. Dat heeft niet elk ziekenhuis. Veel wel, hoor. Tegenwoordig hebben ook veel huisartsen, zoiets, zo'n patiëntenportaal. Dat je bijvoorbeeld afspraken kan maken, of herhaalrecepten kan aanvragen. Maar dat is gekoppeld aan die ene dokter, in tegenstelling tot dit PGD, dat in principe in verbinding staat met het hele netwerk. PM: In revalidatiecentra zie je ook heel vaak portalen, omdat in een revalidatietraject per definitie een groot team aan specialisten betrokkenn is. Dus die proberen dat al veel meer te structureren, meer dan de algemene ziekenhuizen. HA: En jij, P3, zou jij het willen gebruiken? P3: Ik zou er nog even over moeten nadenken. Het gaat erbij mij om hoe veel extra werk het inhoudt. Ik heb het nu allemaal op papier, in een papieren dossier. Maar om om te schakelen naar elektronische dossiers, hoeveel werk dat dan met zich meebrengt. Dat zou mij weerhouden om te doen. HA: Het zal zeker in het begin een tijdsinvestering kosten, het heeft een leercurve. Je moet leren omgaan met zo'n dossier, je moet de informatie omzetten. Maar op termijn zou het ook tot tijdbesparing kunnen leiden, omdat het allemaal efficiënter is. P2: Is het eigenlijk zo dat het er echt gaat komen? Nationaal? Van bovenaf? HA: Het zal niet opgelegd worden, nee. Het kan niet verplicht worden, dat zou zo ingaan tegen het hele concept dat erachter staat, dat jij degene bent die beslist. Maar ik denk wel dat je het zal worden aangeboden, kosteloos. Dat gaat gebeuren, denk ik. En het zal ook actief gepromoot worden. P1: En hebben verzekeraars er baat bij? HA: Dat is toevallig een van de cases die we hadden voorbereid. We hebben het straks over kosten gehad. Een van de ideeën achter dit soort dossiers is dat ze kunnen bijdragen aan meer kostenefficiëntie, en daar zijn verzekeraars natuurlijk zeer in geïnteresseerd. P6: Toch is dat de vraag. Als ik huisarts was, en ik moest altijd dingen doorsturen aan patiënten, dan zou ik dat gewoon declareren. HA: Wat bedoel je? P6: Nou, kijk, als je nu een dossier opvraagt in een ziekenhuis, dan moet je daar vaak voor betalen. Want dat moet gekopieerd worden en worden opgestuurd.
HA: Maar dat kan nu digitaal. P6: Maar digitaal kost ook geld en tijd. Het is niet zo dat dan automatisch wordt doorgegeven. HA: Nee dat is zo. Het verdienmodel is ook nog niet duidelijk. Je kan het wel willen, maar dan...Nou ja, ze hebben nog tot 2020. P6: Als de dokter mij opbelt, dan declareert hij dat ook. En dat vind ik ook terecht. HA: Nou, digitale koppeling van gegevens zou iets minder tijd kosten, toch? Als je automatisch de medicatiegegevens van je dokter via je dossier kan inzien, dan kost dat de dokter geen tijd. Zou jij (P6) het gaan gebruiken? P6: Ik ben niet zo gedisciplineerd in het automatisch vastleggen van dingen. Dus ik weet niet of het zou werken voor mij. Ik zou het nut ervan inzien, dat ik meer greep heb op al die chaos tussen die hulpverleners. En voor het geval ik niet meer voor mezelf kan opkomen. Dat er dan belangrijke dingen vastliggen. Dus ik zou altijd wel een iemand hebben, achter de hand, die er dan bij kan. HA: Die vertrouwenspersoon, waar je het over had? P6: Ja. PM: En jij, P4? P4: Het lijkt me handig voor overzicht. Alles bij elkaar op een scherm, in plaats van in mappen in je bureau. Eigenlijk is het net als bij de ING. Die hebben mijn harde financiële gegevens, en daarnaast heb je een financieel huishoudboekje, dat is beetje de metafoor die ik zou willen gebruiken. De harde kant is dat landelijke centrale dossier van de artsen zelf, en daaromheen een schil van persoonlijke PGD’s, die wel gekoppeld zijn aan de harde kant, aan de uitslagen, de consulten. En de zachte kant zijn de dagboeken, en de verwijsbrieven, en dat soort dingen. Maar daar moet je dan wel weer dingen voor bedenken, qua beveiliging en zo. Dat lijkt me handig. HA: Dank je wel. Dan kunnen we het volgens mij wel afronden. PM: Ja, dat denk ik ook. Iedereen hartelijk bedankt! HA: Maar voor jullie gaan, hebben we natuurlijk voor iedereen een cadeaubon als blijk van onze dank!
Colour coding scheme
Functionalities Access control and sharing Barriers for adoption Benefits Usability
APPENDIX V: FOCUSGROUP MATERIALS: PATIENT JOURNEY AND ICONS
APPENDIX VI: QUESTIONNAIRE a.! QUESTIONS Persoonlijke gezondheidsdossier
26-06-15 09:31
Persoonlijke gezondheidsdossier Acht stellingen en drie casussen *Vereist
1. Stelling 1: Een PGD helpt me om beter grip te krijgen op mijn gezondheid * Markeer slechts één ovaal. 1
2
3
4
5
Helemaal mee oneens
Helemaal mee eens
2. Stelling 2: Een PGD kan mijn dokter helpen omdat alle informatie over mij op één plek bij elkaar staat. * Markeer slechts één ovaal. 1
2
3
4
5
Helemaal mee oneens
Helemaal mee eens
3. Stelling 3: Doktoren en andere zorgverleners weten vaak niet welke medicijnen ik gebruik. * Markeer slechts één ovaal. 1
2
3
4
5
Helemaal mee oneens
Helemaal mee eens
4. Stelling 4: Een PGD heeft alleen maar zin als je ziek bent. * Markeer slechts één ovaal. 1
2
3
4
5
Helemaal mee oneens
Helemaal mee eens
5. Stelling 5: Als mijn dokter mijn PGD niet regelmatig inkijkt, heeft zo’n dossier geen zin. * Markeer slechts één ovaal. 1
2
3
4
5
Helemaal mee oneens
https://docs.google.com/forms/d/18wj9BWGbsGgGMo7ibER72BdCsuauOeKkOK_kJYtdIK8/printform
Helemaal mee eens
Pagina 1 van 3
b.! RESULTS
APPENDIX VII: MOCK-UP OF 'MIJNPGD' a.! DASHBOARD https://mijnpgd.nl/dashboard Instellingen
mijnPGD
mobiel Dashboard
Afmelden Profiel
html-versie
lees voor
DASHBOARD Accessibility options for users with disabilities
Gezondheid Netwerk
Metingen
KALENDER
GEZONDHEID
Uitslagen
Overig
zoom in
The dashboard is the central homepage of mijnPGD and gives users an overview of key data elements and features, categorized into five large boxes and two smaller boxes.
medicatie
operaties
aandoeningen
consultverslagen
wijzig
MELDINGEN wijzig wijzig
NETWERK mijnPGD lets users engage actively with their information and the outside world (e.g. GPs).
zorgverleners
verwijsbrieven
delen met
e-consult
Users can modify contents and order of boxes by clicking on ‘wijzig’.
wijzig
Easily recognizable icons, respresenting the various data elements and features, allow easy navigation through the website.
UITSLAGEN laboratorium The design of mijnPGD is clean and simple, facilitating access on mobile devices.
wijzig
METINGEN apps en apparaten wijzig
Users can access instructions on use of this page by clicking on this button. Further assistence is available under Help.
OVERIG verzekeringen
dagboek wijzig
A transparant privacy policy helps to communicate trust
Privacy
Over ons
Contact
Sitemap
Help
b.! DASHBOARD/wijzig https://mijnpgd.nl/netwerk/dashboard/wijzig Instellingen
mijnPGD
mobiel
Afmelden Profiel
html-versie
lees voor
zoom in
DASHBOARD/wijzig
Dashboard Gezondheid Netwerk Uitslagen
KALENDER
sla op
GEZONDHEID
Metingen
medicatie
Overig
aandoeningen
behandelingen
verberg
MELDINGEN
consultverslagen verberg
verberg
On this page users can add or remove data elements and features from their homepage, change the order of the boxes, and choose to hide them, in case they do not use them.
allergieën / contra-indicaties
familiegeschiedenis
zorgplan
inentingen
sociale geschiedenis
samenvatting
hulpmiddelen
donorcodicil / wilsverklaring
sleep om onderdelen te verwijderen of toe te voegen aan blok Changing the contents or the order of the boxes is accomplished by simple dragging. The html-version of this page provides accessible alternatives for interacting with the content.
sla op
NETWERK zorgverleners
verwijsbrieven
delen met
e-consult verberg
in geval van nood
forum
sleep om volgorde van blokken te veranderen
afspraken
sla op
UITSLAGEN laboratorium
Boxes can be hidden from view.
verberg
beeldmateriaal
sla op
METINGEN apps en apparaten
verberg
eten en drinken
bloeddruk
hartslag
gewicht
glucose
ademfrequentie
sla op
OVERIG verzekeringen
financiën
dagboek
Users can cancel or save changes by clicking on either of these buttons.
verberg
kalender
encyclopedie
annuleer
Privacy
Over ons
sla op
Contact
Sitemap
Help
c.! MEDICIJNEN https://mijnpgd.nl/netwerk/medicijnen Instellingen
mijnPGD mobiel Dashboard Gezondheid
Afmelden Profiel
toon html-versie
lees voor
zoom in
MEDICIJNEN Op deze pagina ziet u een overzicht van uw medicijnen.
medicijnen Netwerk Uitslagen Metingen Overig
Onder het kopje ACTUEEL ziet u de medicijnen die u nu gebruikt. De medicijnen die u in het verleden gebruikte, staan onder het kopje GESCHIEDENIS. U kunt ervoor kiezen om het medicatie-overzicht rechtstreeks te koppelen aan uw elektronisch dossier bij uw huisarts of apotheek. Zie de pagina ‘koppel aan EPD’ voor uitleg hoe dit in zijn werk gaat. Wilt u dat niet, of is een rechtstreekse koppeling niet mogelijk, voeg dan zelf uw medicijnen toe. Klik daarvoor op voeg toe. U krijgt dan een lijst te zien van alle erkende medicijnen waaruit u kunt kiezen. U kunt ook zelfzorgmedicijnen toevoegen. Als u een bepaald medicijn beter niet kunt gebruiken, omdat u er allergisch voor bent, of omdat u het niet mag combineren met andere medicijnen, krijgt u een waarschuwing. Klik op het -teken voor meer informatie.
This information box is visible if user clicks on question mark next to first box.
U kunt per medicijn aangeven of u het gebruik wil stoppen of wijzigen. Als u het gebruikt stopt, komt het medicijn in uw geschiedenis te staan. Ook kunt u het medicijn helemaal verwijderen. Voor de volledigheid van uw dossier is het aan te raden zo weinig mogelijk gegevens te verwijderen. Deze informatie kan belangrijk zijn voor uw zorgverlener! Klik op de naam van het medicijn voor meer informatie. Daar kunt u ook een herhaalrecept aanvragen, en bijhouden of u last heeft van bijwerkingen. U bepaalt zelf wie toegang heeft tot uw medicijngegevens. U kunt ervoor kiezen om alles te delen, of alleen uw actuele overzicht. Klik daarvoor op het
-teken. Ook kunt per medicijn aangeven of het privé moet blijven. Klik daarvoor op het
- teken.
Voor het delen van de medicijngegevens in uw samenvatting, gelden andere regels. Ga daarvoor naar de pagina ‘Samenvatting’.
verberg
HUIDIGE MEDICIJNEN This alert warns user that this medicine may be incompatible with other drugs they use, Clicking on it provides more information.
medicijn oogdruppels bloeddrukverlager
voorgeschreven door Paul van der Veen Peter Jansen
dosering
eerste gebruik
min. 3 druppels per dag
01/05/2015
stop
wijzig
verwijder
3 x per dag 1 dragee
15/06/2015
stop
wijzig
verwijder
voeg toe
GESCHIEDENIS medicijn cholesterolverlager
voorgeschreven door
dosering
gestopt
Paul van der Veen
2 x per dag drie tabletten
01/10/2014
verwijder verberg
User can hide history box by clicking on ‘verberg’.
Privacy
Over ons
Contact
Sitemap
Help
d.! MEDICIJNEN/details
https://mijnpgd.nl/netwerk/medicijnen/oogdruppels Instellingen
mijnPGD Dashboard
mobiel
MEDICIJNEN/details
Gezondheid medicijnen
Afmelden Profiel
toon html-versie
lees voor
zoom in
Op deze pagina vindt u meer informatie over uw medicijn en kunt u een herhaalrecept aanvragen. Ook kunt u hier bijhouden hoe en wanneer u het medicijn gebruikt, en of er bijwerkingen zijn.
Netwerk De informatie op deze pagina kan belangrijk zijn voor uw zorgverlener. Als u uw medicatielijst hebt gedeeld met uw zorgverlener, heeft hij of zij ook toegang tot deze pagina. Wilt u dat niet, klik dan op het - icoontje.
Uitslagen
verberg
Metingen Overig
On this page users get detailed information about a specific drug they use. They can also record drug intake and adverse effects.
This information is visible for everyone who has access to the medicine list, unless the specific drug is hidden from view. Users can hide information on use by clicking on the eyebutton.
Users can renew prescriptions by clicking on ‘vraag aan’.
MEDICIJN
GEBRUIK
Soort
oogdruppels
Generieke naam
dextran 70
RVG
10187
Sterkte
1/3 mg/ml
Leverancier
Alcon
Verpakking
flacon van 15 mm
Reden van gebruik
Droge ogen
Eerste gebruik
01/05/2015
Voorgeschreven gebruik
Minimaal drie druppels per dag
Werkelijk gebruik
OVER DIT MEDICIJN Lorem ipsum dolor sit amet, consectetur adipiscing elit. Integer nec odio. Praesent libero. Sed cursus ante dapibus diam. Sed nisi. Nulla quis sem at nibh elementum imperdiet. Duis sagittis ipsum. Praesent mauris. Fusce nec tellus sed augue semper porta.
Reden voor afwijkend gebruik
HERHAALRECEPT
Bijwerkingen
Vraag om een herhaalrecept bij uw arts of apotheek vraag aan
E-CONSULT Users can contact their GP or pharmacist through an e-consult to ask questions about their medication.
Stel een vraag aan uw huisarts of apotheek mail
chat
telefoon
videochat
Opmerkingen
Privacy
Over ons
Contact
Sitemap
Help
e.! DELEN MET https://mijnpgd.nl/netwerk/delenmet
mijnPGD
Instellingen
mobiel
toon html-versie
Afmelden Profiel
lees voor
zoom in
NETWERK / delen met
Dashboard Gezondheid
Op deze pagina ziet u een overzicht van mensen die toegang hebben tot uw informatie. Staat er nog niemand in dit overzicht, en wilt u uw gegevens graag delen, klik dan op ‘voeg toe’. Ook kunt u naar de pagina gaan waar de informatie staat. Klik daar
Netwerk
op het
delen met
-icoontje.
U bepaalt altijd zelf welke informatie u met wie deelt, en voor hoe lang. Voor alle toestemmingen geldt een maximale termijn. Daarna kunt u de toestemming zelf verlengen.
Uitslagen Metingen Overig This page functions as the privacy dashboard where users control access rights to their data. Access rights can also be controlled from individual pages.
Als u iemand machtigt om uw informatie in te zien, dan krijgt die persoon een mail met daarin een link die eenmalig toegang geeft tot uw PGD. Daarmee kan hij of zij dan een account aanmaken en inloggen. Let op: u kunt alleen informatie delen met zorgverleners die erkend zijn volgens het BIG-register. De toestemming geldt alleen voor dat deel dat u openstelt. Wilt u bepaalde delen in uw gedeelde dossier afschermen, dan kan dat door te klikken op het - icoontje. Wilt u zien wie uw gegevens heeft geraadpleegd, ga dan naar de pagina ‘geschiedenis’. Als u wilt, kunt u iemand aanwijzen als vertrouwenspersoon. Dat kan uw partner zijn, of een mantelzorger, of iemand anders die u vertrouwt. Deze persoon heeft dan toegang tot al uw gegevens (leesrechten). Eventueel kunt u hem of haar ook machtigen om uw dossier bij te houden (schrijfrechten) of informatie namens u met anderen te delen (deelrechten). U kunt maximaal twee vertrouwenspersonen aanwijzen.
verberg
Voor het delen van uw samenvatting gelden andere regels. Ga daarvoor naar de pagina ‘Samenvatting’.
Users can decide to share their complete PHR with one or two trusted persons. These persons can also be given the right to change, add and remove information (‘schrijfrechten’) or share information (‘deelrechten’).
This information box is visible if user clicks on question mark above. It can be hidden by clicking on ‘verberg’.
VERTROUWENSPERSOON naam
relatie
schrijfrechten
deelrechten
vervalt op
Gerben Jansen
partner
ja
ja
01/10/2015
verleng
voeg toe
trek in
Permissions can be revoked at all times.
verberg
ZORGVERLENERS Users can give BIGregistered health care professionals access to their data. Access is only ‘reading’ and allowed on a case- tocase basis.
naam Paul van der Veen
relatie
toegang tot
vervalt op
huisarts
medicijnen
01/08/2015
verleng
trek in
aandoeningen
01/09/2015
verleng
trek in
bloeddruk
01/09/2015
verleng
trek in
voeg toe
All permissions are timelimited. An alert warns users that permissions are about to expire.
verberg
OVERIGEN
Users can give other private persons access to their data. Access is only ‘reading’ and allowed on a case-to-case basis.
naam Hans van Appeven
relatie
toegang tot
vervalt op
broer
medicijnen / actueel
01/10/2015
verleng
voeg toe
trek in
verberg
Privacy
Over ons
Contact
Sitemap
Boxes can be hidden from view.
Help
f.! SAMENVATTING https://mijnpgd.nl/gezondheid/samenvatting Instellingen
mijnPGD
toon html-versie
mobiel
lees voor
zoom in
SAMENVATTING
Dashboard Gezondheid samenvatting Netwerk
Op deze pagina ziet u een samenvatting van uw persoonlijke gezondheidsdossier. Deze gegevens kunt u delen met zorgverleners, bijvoorbeeld in noodgevallen. De gegevens op deze pagina kunt u op een handige manier delen. Klik daarvoor op de button met het printen op een handzaam pasje, zodat u ze altijd bij u heeft in uw portemonnee.
Uitslagen
-teken. Ook kunt u uw gegevens
Als u wil, kunt u hulpverleners in noodgevallen toegang geven tot deze samenvatting. Maak daarvoor een speciale toegangscode aan, die u altijd bij u draagt. Na activering door de hulpverlener is de code 24 uur geldig.
Metingen Overig
Afmelden Profiel
This page contains a summary of the PHR, which can be shared with HCPs, for instance in emergency situations..
U bepaalt zelf welke gegevens u bewaart in uw samenvatting. Wilt u weten welke gegevens relevant zijn in noodgevallen, praat daar dan over met uw huisarts. Wilt u uw gegevens aanpassen, klik dan op wijzig.
verberg
PROFIEL
Geslacht
[email protected]
E-mail
26-09-1963
In geval van nood/In case of emergency
O pos.
Bloedgroep
06 12345678
Telefoonnummer
man
Geboortedatum
Damrak 1, Amsterdam
Thuisadres
Henk van Appeven
Naam
Fam. Van Appeven
Telefoonnummer PNO
Verzekeraar
AB 123456710
Polisnummer
wijzig
ALLERGIËEN EN CONTRA-INDICATIES
HUIDIGE MEDICIJNEN medicijn Users can modify the contents of the boxes by clicking on ‘wijzig’. Boxes can also be hidden from view.
eerste gebruik
oogdruppels
01/05/2015
bloeddrukverlager
15/06/2015 verberg
reanimeren bij hartstilstand
omschrijving
ernst
hooikoorts
matig
antihistaminica
zeer
wijzig
WILSVERKLARING EN DONORCODICIL
orgaandonor
020 12345678
verberg
OVERIGE GEGEVENS aandoeningen
nee
medische apparaten
ja
wijzig
Users can share their summary with HCPs in the standard way, or by sharing a timelimited emergency code, which they carry with them on a card. The code is generated by clicking on ‘maak code’. The summary can also be printed.
deel
hartpatiënt
print pas
pacemaker maak code
verberg
wijzig
verberg
Privacy
Over ons
wijzig
Contact
Sitemap
Help
g.! SITEMAP https://mijnpgd.nl/sitemap Instellingen
mijnPGD
mobiel html-versie lees voor
SITEMAP
Dashboard
Afmelden Profiel
zoom in
Gezondheid Netwerk Uitslagen Metingen Overig
This page lists all the pages in mijnPGD, and shows how they fit into the overall structure.
By default, the website contains a number of static pages. Further pages are created dynamically as information is added. The design of these pages follows the design principles illustrated in the mock-up.
Algemeen • registratie • nieuw wachtwoord aanvragen • inlogpagina • dashboard • wijzig dashboard • profiel • instellingen • geschiedenis (logs) • privacy • sitemap • over ons • contact • help • faq • mobiel Gezondheid • aandoeningen • behandelingen • medicijnen • informatie per medicijn • herhaalrecept • allergieën/contra-indicaties • inentingen • hulpmiddelen • consultverslagen • zorgplan • familiegeschiedenis • sociale geschiedenis • donorcodicil/wilsverklaring • samenvatting/noodprofiel Netwerk • zorgverleners • informatie per zorgverlener • delen met • koppel aan EPD • verwijsbrieven • afspraken • e-consult • in geval van nood • forum Uitslagen • laboratorium • beeldmateriaal Metingen • apps en apparaten • beweging • eten en drinken • gewicht • bloeddruk • glucose • hartslag • ademfrequentie Overig • dagboek • encyclopedie • kalender • verzekeringen • financiën
Privacy
Over ons
Contact
Sitemap
Help
APPENDIX VIII: SYSTEM ARCHITECTURE a. BASIC COMPONENTS
b. DATA EXCHANGE
APPENDIX IX: LIST OF INTERVIEWEES
Oscar van Dijk Owner of MedicineMen, an Amsterdam-based company that develops e-health applications. One of their products is Emma, a website and smartphone application that helps patients monitor their drug intake. More info: http://www.medicinemen.eu/ https://play.google.com/store/apps/details?id=eu.medicinemen.emma
Lucien Engelen Director of REshape Center in Nijmegen, a research institute for e-health innovation, connected to the Radboudumc. Also responsible for Here is My Data, a platform for patient health data, and the Dutch implementation of Patients Know Best. More info: http://radboudreshapecenter.com/ http://www.hereismydata.com/ https://twitter.com/lucienengelen
Fatma Karapinar Chief pharmacist at Lucas Andreas Hospital in Amsterdam. Currently doing research on the use of e-health applications, including PHRs, for medicine verification. More info: http://www.sintlucasandreasziekenhuis.nl/teamlid/karapinar-f-chef-de-clinique https://nl.linkedin.com/pub/fatma-karapinar/26/191/280/nl
Jan Kremer Gynaecologist at Radboudumc, professor in patient-oriented health innovation and founder of zorgnet.nl. Also member of the Raad voor Volksgezondheid en Samenleving. More info: https://www.radboudumc.nl/OverhetRadboudumc//Hoogleraren/Pages/JanKremer.aspx https://twitter.com/JKNL
APPENDIX X: INTERVIEW CODING SCHEME
Interview transcripts are available on request.