This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

 Thanks for joining us on this week in Health IT Influence. My name is Bill Russell, former Healthcare CIO for 16 hospital system and creator of this week in Health. IT a channel dedicated to keeping health IT staff current and engaged. Today we are joined by Jim St. Clair. He is the Chief Trust Officer for lume, which is a patient-centric data exchange platform.

Special thanks to our influence show sponsors Sirius Healthcare and Health lyrics for choosing to invest in our mission to develop the next generation of health IT leaders. If you wanna be a part of our mission, you can become a show sponsor as well. The first step is to send an email to partner at this week in health it.com.

I wanna take a quick minute to remind everyone of our social media presence. We have a lot of stuff going on. You can follow me personally, bill j Russell, on LinkedIn. I engage almost every day in a conversation with the community around some health IT topic. You can also follow the show at this week in health IT on LinkedIn.

You can follow us on Twitter, bill Russell, HIT. You can follow the show. . This week in, in HIT, on Twitter as well. Each one of those channels has different content that's coming out through it. We don't do the same thing across all of our channels. We don't blanket posts. We're actually pretty active in trying to really take a conversation.

I. In a direction that's appropriate for those specific channels. We really want to engage with you guys through this. We are trying to build a more broad community, so invite your friends to follow us as well. We want to make this a dynamic conversation between us so that we can move and advance healthcare forward.

Today we are joined by Jim Sinclair. He is the Chief Trust Officer for lume, which is a patient-centric, uh, data exchange platform. Jim, welcome to the show. Thank you very much, bill. It's a pleasure to be here today. Is it a pleasure? 'cause if people aren't watching this, if they're listening in the, uh, podcast, you gotta get this picture of this zoom meeting.

The first ride when? When Disney World opened, when Magic Kingdom opened. Wow. My, uh, my daughter's a huge fan. I'm. I mean, that's a Christmas gift idea starting to float around in my head. Of course, it's only in the middle of June, but that's how much lead time I need for Christmas ideas, by the way. Oh, there you go.

We, that's perfectly fair. I have my wife's birthday's next week, and so I'm starting to panic as to what I have to get slid in. So I need, I need six months lead time. You're working on one week ? Yeah, right? Yeah, yeah. I do. Better under pressure. Golly. Patient-centric data exchange platform. Let's talk about patient-centered, uh, I mean, we're gonna talk about patient-centric interoperability.

What is patient-centric interoperability and why should providers really want to pursue that? Absolutely. And the first thing is, I want to give you credit. So in our first conversation, I. We were talking around an exchange on LinkedIn and you had mentioned the fact that 49 outta 50 states still own patient information in the EHR, and I have brought that up now in conversation four or five times and it's been kind of a philosophical game changer in there.

So putting things in the context of patient control of data. And where we stand between a combination of globally with things like the General Data Protection Act, or regulation, excuse me, GDPR and the Pan-Canadian Trust Framework and the new EU guidance on On Data Governance Act. And then here in the US the history of HIPAA and now of course the 21st Century Cures Act.

I, I think it's been a little mixed, but we are getting. More of what I see is, uh, a resurgence of the concept of being in control of your information and the rights and access that you have to that information and how the patient should be at the center of it. And I think it's also really cool that we're getting into the world of wearables and Apple Health Kit and other technologies to allow you to collect information about yourself.

What Matic is really concerned about is enabling that with technology and standards and architecture. That, that empower you as the patient to be able to better manage your information, make you a better consumer, and hopefully, ultimately ex exclude. I, I improve the caregiving experience. Yeah. And I just wanna let people know this is not a paid spot.

So you and I, I, I have you on just because I want to talk about patient-centric interoperability. It happens to be what TIC does. And so from time to time you'll hit on and appreciate that I us in a DIFFERENTION conference. It was announcement. Apple has ramped up their sharing capabilities, and now with their Apple Health record, you can now choose to share that.

With family members, with other family members to who might be a part of your care circle or, or some entity like that. You could also choose to share it with other doctors or a healthcare fiduciary, if you will. I mean, is this just a sign of what's going on in the policy and regulatory world and in, in the technology architecture world that's enabling this, that, that all this happening now?

I, I think it is, and for me, my personal concern, belonging to several foundations and consortia and ISO and IEEE, where we're looking at standards for that, it's admirable and it's applaudable to be able to start sharing. I. Your health information with family members to assign health information, access to family members to get them involved.

I think that there have been historical complaints about caregivers and how family members as caregivers in conjunction with care teams had limitations under HIPAA and others for access to information. So it's exciting to see that be realized, whether it's compelled by regulation like the 21st Century Cures Act.

Or just good marketplace things. What, what I and the sort of international consortia that I participate in represents are saying, Hey, that's all great, but there should be frameworks and standards for that sort of information exchange and that ability to extend. Access and authorization to that data using available tools and architectures and standards and policy that that not only fulfill that idea that I can get access to my aging mother's medical records to assist with their caregiver and their care teams, but, but that there is a process and, and standards in place for being able to authorize that and have a security framework, quite frankly.

We're gonna about use cases because I, I think there are some powerful use cases, but what's, what's the problem? You talk about the standards bodies, you talk about security, you talk about privacy. But I mean, to be honest, I mean this is a pretty heavy lift for Apple, I would think, because a lot of the data in the medical record is.

Standardized. It's put in by people who did not study to be data entry clerks. They actually studied a lot longer to not be data entry clerks, and they're really not that great at it, to be honest with you. It ends up all, all ends up in the notes, or it all ends up in, in different types of formats.

There's not a lot of standards per se. I mean, there are SNOMED and other.

Getting to where we wanna get to with patient, uh, driven interoperability. A absolutely, and I am blessed to be able to offer perspectives from my work around other physicians and folks in the industry to kind of comment on this concept of identity. And I think so much. We've historically looked at identity in the context of privacy and security and what I have access to in terms of my information.

They may be willing to share with a provider, but they're not gonna share in a telehealth engagement at home because no one else in the family knows about it. And so. Problems with data entry, just as an example that's come up in the last 24 hours. 17 states in the US have driver's license that allow you to put X to identify your gender beyond male or female.

On the other hand, you go into an epic dropdown menu and there's no x, and then you have to get more specific into how you identify gender and how that information is shared. . Either between you and your provider, how that provider shares it with somebody else who comes back and says how it's okay to share that and whether or not you've authorized that kind of sharing, so, so just the concepts of the patient identity and what they wish to share about their identity and information not only is hard, I.

In, in most traditional encounters. Capturing that information in electronic records is difficult, and I think you've also spoken the fact that these are people that are not designed to be nor set out their career to be data entry clerks. And then add to that challenges around the data entry platform that they may have.

There's rooms for error, there's rooms for requirements for correction. There's rooms for having to determine if authorization and sharing information is good or bad as part of the engagement. That that paints a very challenging picture as to how identity factors into the care coordination and caregiving for an individual.

I'm looking at this, this Apple announcement that clearly Apple is concerned about privacy. They say the data is encrypted in transit and at rest. Users have granular control over which types of data to share and with whom, whom, and then they spend an awful lot of time on making sure the person who is holding the phone is and, and accessing the phone is the person who owns the phone as well.

Those are some of the key elements, aren't they? They're standard standpoint. Yeah, absolutely. Those are all applaudable. I mean, unfortunately in my work in some of the international standards bodies, I don't see Apple representatives, so I can't always say to how they derived some of their architectural approaches, but certainly the concept around

Ensuring that the right person has the device that that person has access to the right data. Those, those are all headed in the right direction for, for what we're trying to do conceptually. There's a whole bunch of use cases that people don't take into account when you think about this and in certain industry luminaries who have spoken out.

Maybe in caution, again, I wouldn't say against this, but caution about this, that, hey, when we put the medical record in the hands, the, the of the individual, they're gonna have a lots. And they're gonna be ill equipped to answer those questions. And maybe this is beyond the scope of this conversation, but that is part of the challenge, right?

We've just given them a, a deluge of information about them. They're gonna find some things that are correct, some are incorrect. They have five addresses listed, and they really live with this one and whatnot. You could, you could end up creating an awful lot of traffic back to the clinician, the clinician's office, the front, the IM department, and all that as.

I mean, is that one of the things that slows them down in the adoption of this? I think it does, and I, I realize that you said it may be outside the scope of this conversation, but I also think it's heading that way inevitably, which is to really begin to examine. I. How much a person is in charge of their health information now, and how much tools, like what we have or what Apple have, give the ability to be in charge of their information going forward.

Uh, especially again in reference to the 21st Century Cures Act. Uh, you can walk in to see your doctor right now, look over their shoulder at your medical record, and demand that certain things be corrected are just plain taken out. I think it was an article in Medscape I was reading last week about the challenges this is creating where someone has a substance use disorder that has been diagnosed and is medically diagnosable under ACPT code or others and, and they've said, I just want to take it outta my record.

The difficulty that the provider has legally as well as ethically to say, well, how do I address this? How do I balance my liability as a provider with the legal right that this individual has to. Correct their information. And that's getting off the reservation a little bit, but I just want to tug on that thread that I think as a society, as an information society, we are more and more being enabled and empowered with information at our device or on our laptop, et cetera.

And how we handle that is gonna be . Become an individual responsibility. That individual responsibility has probably been something that's been abstracted out from a lot of our healthcare practices for social cultural reasons, as well as for business and process reasons. And I think just tools from Apple and from ourselves and others are beginning to point back to what to do about that.

Alright, so Lume, let's, let's talk about use cases. Why is this a good thing? What use cases are we going to enable with patient-centric interoperability? So at a high level, I think that certainly myself, the team at Mimetic and the standards and consortia bodies, we participate in believe at a global level that people should have a right to their privacy and to their data access and control and protection over their data.

As we talk about this right now, there's a, there's a headline out that the commissioner in the EU is reexamining more cases for Facebook and Google, and how they're using individual . EU citizens data and whether that fits within the regulatory framework, we don't really have a lot of parallels for that within the us.

Some examples like with the CCPA in California and some work, the Commonwealth of Virginia, some other laws that have come around, but just considering the fact that people should be in charge of their own data or have protection of their data and consent to how their data is used. It is kind of a, a fundamental belief we have that we share with lots of folks on a global basis.

Add to that, within the, the US healthcare industry specifically, as we have talked about so far, this concept that patients can now face or, or now have access to their records and be directly involved with sharing their records, sharing their information to other family members, how you put the individual at the center of that.

And in charge of that conversation and, and facilitating that sort of information exchange, we think is, uh, is, is kind of a fundamental right. I, I can care for my father and my mother who live in another state because they bring me into their care circle. I can now participate in looking at that information, seeing the feedback, seeing potentially some notes.

The doctor is given. 'cause sometimes we're calling our parents, not my parents specifically in this case, but we're calling our parents and they're battling with dementia. They live across the country. Mm-Hmm. . And we, we, we struggle with that. We can't be at the visit, of course, today with telehealth we might be able to be at the visit, but Right.

If we're not there, we we're, we're able to get at least some feedback when they said, well, prescribed me some new medications. And it's like, well, which medications do you know dad? No, I don't. I don't

itt. Or figure out or, or hire a caregiver or, I mean, there's a lot of challenges in doing that. This is one of those use cases where the individual does know the best, I don't know, care circle. They want, because it's not only family members, they might want somebody across the street or a, a friend who's gonna gonna help them with their health, be a part of their care service.

That's well said. And I think what you've seen so far in some of the changing models is that that person may or may not be related, just like you said, someone across the street, someone they trust within a social media circle. Someone that to them represents a trusted element for part of their data exchange and how they facilitate their care and, and so what we're looking at now, and I think

The mechanisms behind Apple's platform. Certainly the mechanisms behind our platform is there's what we call cryptographic trust mechanisms, which is. I, I may or may not know this person, or maybe they're a family member, maybe they're not, but I'm going to grant them a verifiable way that you, as the provider can share information with them that is auditable, that is trusted that.

It helps address the issue of liability because I consider them important as part of my care plan. And I think when you get into certain aspects of, uh, social determinants of health when it comes to the community, other sources of housing, security, et cetera, I. That may involve people that, again, are, are friends, uh, may not be friends, acquaintances, folks that factor in to how a care plan is delivered.

And there needs to be a way that that person can be trusted, both in terms of, of who is receiving the information and how the information's being shared. Social determinants, I think is one of the biggest arguments for, we need a system above the EHRA system that, that collects more information than just the, uh, medical episodes that we have.

Life. We know that 80% social determinants, you know, education, socioeconomic, all the decisions that we make in the grocery store, et cetera, that attributes to health even more than our medical visits in a lot of cases. Mm-Hmm. , absolutely. You almost need a more comprehensive record that tells the whole story of who I am.

What a wonderful example. And in having a comprehensive record as to who I am that's gonna contain a range of sensitive aspects or, or data points that in, in certain combinations you'd be willing to share with one party, but not with another party. Right. Obviously the housing a. Your local housing agency that's managing your housing doesn't need to know your whole clinical record.

Conversely, there may be aspects of your housing security and where you live that you're very hesitant to share with your provider except under certain circumstances. So enabling that ability for you to be selective in sharing that information or information enabling a family member to share that information are kind of paramount to your holistic care plan.

Jim, I was thinking of one more use case and this. Sort of an, uh, an odd one, but it is with all the malware, with all the, uh, ransomware that's going on right now, I sort of want a copy of my medical record digitally, just in case my health system happens to get ransom and doesn't pay the ransom, and my medical record goes away.

So it's a very different model than we have in the us but some of the consortia that I'm involved with, such as my data, global inventions, a world where you have a trusted data vault that your information resides, and then from there you share that as necessary depending on the interactions. And I think to your, your example about, uh, ransomware, where fundamentally it's getting into sensitive data.

Either preventing an organization from access to that sensitive data or to threaten them with releasing that sensitive data that they control, be it health or be it electronic records for colonial's pipeline, et cetera, and being able to take that under your control in some way or before, before ransomware takes it out from a central location, you have access to that information.

Or moreover, . Are able to have that information move to your control are, are probably great strategies going forward. I'm involved with some groups that are, that are working on the NIST standards or, or looking to implement the NIST standards for zero trust architecture and zero trust Architecture is a principle that I.

No one device on the network trusts another device on the network. Well, how do I enable that framework of trust where two devices are able to communicate, but recognize when a threat or ransomware is coming in? And the principle, I think, applies here as well when you're trying to share your own personal data.

All right. So Jim, you've mentioned these groups. Give us an idea of some of the groups that are, are working on this and where they fit, because they're not all working on the same things, they all have sort of their area of specialty. What are some of the groups you're working with? Sure. Absolutely. Um, I'm sure everyone's familiar with ISO and and IEEE as standards bodies on a parallel effort.

I'm involved in a couple groups from HL seven that look to be able to adopt some of the concepts that we're working on from an identity standpoint. The Linux Foundation includes, uh, such organizations as the Hyperledger Foundation, the Linux Foundation for Public Health. And both of those have software development consortia for things like decentralized identity platforms, cryptographic exchange overseas, or activities such as, uh, the Sovereign Foundation, which is a global, global foundation that enables that exchange what we call self-sovereign identity, um, and self-sovereign identity architecture.

My Data Global, a Human Colossus Foundation, uh, a new organization called ID Union, which is specifically in Germany and expanding to the rest of the rest of Europe over time in the eu. All of these are involved in either similar technological efforts or standards development or consortia around principles and enabling new policy.

You, you, you said Hyperledger. Nothing like more than blockchain has gone through the complete hype cycle. I mean, it ran straight up and then straight down in terms of people don't wanna talk about it in healthcare, but it really does have some, if you think about the immutable record and the concepts and the architecture around blockchain, it really does lend itself well to, again, the protection of the identity.

Just the whole mechanism for it was almost designed for this. Exchange. Why hasn't it really taken off? Absolutely. Well, one more organization I would plug within the Linux Foundation is the trust over IP Foundation of which we are a steering committee member. Trust over IP takes the attitude that while there's lots of talk about blockchain and healthcare, specifically, blockchain is what we call a utility within the layer and and much like the OSI model, there is a layer one for that utility around blockchain.

Layer two for certain other communications protocols. Layer three is the W three C worldwide, uh, web consortium verifiable credential model. And I think it hasn't taken off because in some cases it's a square peg round hole. I've been involved in blockchain and healthcare for about four years, and if you address a conversation in healthcare around how Bitcoin or Ethereum is gonna solve a problem, it, it tends to turn the audience off.

That that's different than applying architectural standards into a layered approach that shows how they align to the way NIST recommends you do something the way that, uh, an ISO standard recommends you do something. And the trust over IP Foundation to me, is one of the first attempts to build an architectural framework that makes sense to everybody.

That, that isn't just, Hey, let's throw some blockchain at the problem, takes a, a interoperable architectural approach to doing things and, and. That being a new effort. We're celebrating our first birthday this month is why I think there is still some maturity and standards that haven't caught up with perhaps the maturity and technology in the industry.

I think the closing question that, and I, I apologize, not having more time. Clearly I can, I can generate another 15 questions that you and I can talk about for the next hour. I think the question is, okay, I'm a provider. I believe in this, I have a couple of approaches that I can go, I can say our portal is enough that's patient-centric something and it's patient engagement of some kind.

That's, that's one level of sort of engagement. On the other side, I could say, all right, no, I'm, I'm willing to go all in here, and I want to get a platform for patient-centric interoperability. What's the path that a healthcare system could take? Really to, to enable this for their community. I've been in the game for a long time in terms of technology and consulting, whether public sector, healthcare and others, and I've never been one just to say, Hey, just buy the software.

That's, that's always an ultimate outcome. But the first thing is really taking a look at the process flows and how you want to be able to use it. Being all in is great. I would still recommend, say, uh, a framework or, uh, an approach around, say, 21st Century Cures Act compliance, or I want to make sure my population's SDOH information is included, and then look to how do we incorporate standards with that.

And then finally a software solution and, and I could offer more details privately and separately about how our approach is to doing that, but it has to be, I think, built on a framework of standards and mature technologies that at the end of the day will meet security compliance needs that will meet illegal and regulatory requirements, et cetera.

Who's driving that kind of conversation within, within the health system? Is it on a clinical level? Is it ACEO? Is it ACIO? Because when I think about that, I agree a thousand percent. You don't start with technology. You always start with what's the problem set? What are we trying to solve? What's the measure for having solved that problem?

And then let's put it, put an architecture and a plan together for solving that problem. I agree with that. That makes perfect sense. But who kicks that conversation off? Great question. I think it varies a bit from organization to organization, and I don't have a perfect answer. I can say within lumme we created what's known as the lulum Metic Exchange, which is a free membership model open consortium that has participation from Providence Health Systems, healthcare professionals, some of the IT and revenue cycle professionals, as well as organ

Organizations outside of healthcare such as MasterCard, HireRight, and others, where we meet and discuss these as process flows and use cases to adopt a, a consortium driven approach to how to approach these problems. So it's no one particular opinion or one particular office or an IT centric approach or a clinical centric approach, but try and get all of those participants at the table and come up with joint use cases together.

Is, is there, and I said my last question, two questions ago. Yeah. Is, is there a problem if my local health system in a medium market has a patient-centric interoperability approach, but I've traveled in my lifetime and gone to different places, is there a, a challenge where, you know, if we don't adopt this nationally, that it, it's gonna have limited impact or, or limited use cases for the individual?

I think that we're both aware of not just interoperability challenges, but the ability for getting your information in Topeka, Kansas when you've just moved from New Orleans, and how that, how that data exchange takes place. I would like to think that I. Certainly post covid and and post pandemic. We seem to have a lot more folks relocating and resettling in different ways that will lend itself towards the demand of saying, I want to get all of my data from wherever it was into a central place, or I want to be able to

Pull my information from Topeka now that I live in New Orleans. So whatever that case is a, and I think that's going to result in some market demand for information we haven't had before, and hopefully work out what some of those problems might be. Whether or not a solution is adopted locally or national.

Jim, thanks for coming on the show. I reserve the right to call you back whenever I wanna really go in depth at any time into some of these architectures. You bet. I'll be watching for the interoperability bat signal, the flash . Sounds good. Thanks. Take care. Thank you, bill. Have a great day, sir. Thank you.

What a great discussion. If you know of someone that might benefit from our channel, from these kinds of discussions, please forward them a note. Perhaps your team, your staff. I know if I were ACIO today, I would have every one of my team members listening to this show. It's, it's conference level value every week.

They can subscribe on our website this week, health.com, or they can go wherever you listen to podcasts. Apple, Google, overcast, which is what I use, uh, Spotify, Stitcher, you name it. We're out there. They can find us. Go ahead, subscribe today, send a note to someone and have them subscribe as well. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders.

Those are VMware, Hillrom, Starbridge advisors, Aruba and McAfee. Thanks for listening. That's all for now.