mHealth World Congress

I was in Boston last year for mHealth World Congress. Much of the focus was on new ideas and startups, while this year the emphasis was on the activities and lessons learned of systems, payers, and providers. The event was tiny compared to the mHealth Summit, but it felt bigger than last year.

There were a few things that hit home. These conferences, and some of the lessons learned from them, aren’t totally applicable to most players in healthcare. The presentations from organizations like Cleveland Clinic, while very impressive, are far from what most hospitals and health systems can do today (or ever will.) That’s fine because we need the early adopters that can spend money to test, fail, and share those learnings with the broader industry.

We still don’t really know what patient engagement means or how to achieve it in a sustained way. Some of this relates to the open-endedness of the term "patient engagement," while some of it relates to the challenge of sustaining good response rates from consumers for health-related services (apps, messaging, etc.).

Several people from Cleveland Clinic did a presentation on the internal process the Clinic has created for defining, designing, building, and distributing new technology. It was rather impressive and extensive. Cleveland Clinic has unique problems. It has opened up access to data, it has a capable internal development team, and it quickly realized the need to create a thorough governance process for building technology within the enterprise. They wanted to have some control over the one-off apps that specific departments and services were creating. Additionally, they bring developers to the users — the departments and clinicians — as they are creating technologies.

The best quote was from an IT representative from Cleveland Clinic who said opening up access to clinical data without a properly defined strategy around access is "like giving machine guns to monkeys." He mentioned vendors clamoring to get access to data and the need that quickly arose to control data. This is similar to what Kaiser has done with its opening up of the Interchange API.

Exposing personal health records and protected health information is risky for data owners, or covered entities. It seems to be more of an all-or-nothing approach, which isn’t surprising considering the risk. Cleveland Clinic created its own Web services on top of Epic, which few systems could have done. It maintains these Web services and creates apps that use them.

What was more interesting to me is that Cleveland Clinic has about 1,200 patients that have agreed to provide feedback, testing, and validation of apps that the Clinic is considering or building. It’s a great way to get feedback from real patient users. Cleveland Clinic is also trying to expand MyChart to provide tailored services like scheduling and messaging to providers.

In the patient engagement sessions, the conclusions really boiled down to two things: (a) there is no “one size fits all” solution, and (b) standalone apps are not the answer. All of the strategies presented included some amount of social and gaming to incentivize and keep users coming back. But they were also tailored specifically to different users, based on profiles, so it wasn’t just generic apps and services.

What was particularly interesting was some of the behavioral economics that is being applied to wellness and engagement programs, with regret theory being one that had very strong results for Blue Shield of California. I didn’t catch the name of the behavioral economics company that helped Blue Shield design its program.

Speaking of Blue Shield of California, its internal wellness program has delivered impressive results. I think it was close to half of the 5,500 people that work at Blue Shield participate in the program, and the outcomes are fantastic. Significant reductions — upwards of 50 percent in smoking, BMI, and blood pressure — were cited for those engaged in the program. Blue Shield is starting to see cost data that shows the ROI on its programs.

The really great part about the Blue Shield program, and the part that is going to make it the hardest to repeat, is that it seems to be ingrained in the culture of Blue Shield. It’s not a wellness program you could package and sell to employers off the shelf. Blue Shield has created a culture, and seems to have wellness champions, that help drive engagement in wellness as a part of the organization. This aspect is really hard to repeat, but the results suggest other larger organizations should try to mimic it. This is an employer-based program that doesn’t seem to rely on or even include providers.

Another insight that I tend to forget when I think about engagement is socioeconomic and community factors. I was on a panel with Nebeyou Adebe from the Louisiana Public Health Institute. The panel was sponsored by BettrLife and was also focused on patient engagement strategies. The Institute is incorporating community anchors such as churches and is assisting consumers with challenges such as being able to afford healthy food options. Nebeyou said they tailor the SMS campaigns for different groups of users.

One other random quote I enjoyed related to HIPAA. I think it was a data architect from Partners who said every vendor tells him, "We are HIPAA compliant." His point was that not all vendors need to meet HIPAA, but if they sell to large enterprises they need to understand that HIPAA is not the only relevant standard. Increasingly, consumer and privacy standards are emerging that are broader than HIPAA. Vendors should be aware of why and how these apply to the data collected and stored.

Overall it was a good conference and some really cool projects were represented. Hopefully some of the successful things being done will start to trickle out to other organizations.


Travis Good is an MD/MBA involved with health IT startups.

  • Ann Farrell

    It’s my understanding no vendor or organization or product can be “HIPAA Compliant” – it’s a combination of data security, architecture and people – all working together.
    You can have all the policies in place and automated, MDM, MAM, and MSM and content management software in place – “containerize” your data etc. but if an MD puts patient PHI on a thumb drive (happens every day) and leaves it somewhere, the organization is not “HIPAA Compliant”. The vendor provides one piece of the security puzzle – whatever the standards.

    Re BYOD – this can be HIPAA nightmare. MDs are bargaining with CEOs/CIOs mandating EHR(CPOE/clin doc) adoption for MU incentives, to use their iPads/Android tablets for EHR and now increasingly phones for subset of processes. Currently, there is limited integration. RNs are in worse shape having to do even more than MDs do in EHR, i.e. BCMA and vital sign data collection/often MDI enabled, as well as enter care plans and documentation.

    To date, many EMR vendors shrunk large (14″) EHR screen designs to smaller size screens (at times bumping off right columns of key forms, such as MARs!), as interim “mobile” solution. Or they virtualize systems and MDs lose the UI multi-touch features they love (pinch and swipe). Enterprise EHR vendors designed systems for large screens and not POC use, so are now scrambling to bring out (phased) “native mobile” apps – increasing risk of HIPAA violations regardless of data structures or security systems.

    Till now, MDs mostly viewed data and images on tablets, but needed second device to enter orders or do heavy documentation. Thus BYOD didn’t save money, it doubled number of devices CIO supports and opened HIPAA can of worms. Recent data indicate nearly 89% of workers use their personal smartphones for work purposes. However, 41% of their personal devices are not password protected, and 53% access unsecured WiFi networks with their smartphones. More than 80% of MDs use smartphones or tablets, but very few take basic security precautions, such as using encryption to protect their data from unauthorized users. Studies of out-of-the-box security configurations have found that most mobile phones do not meet more than 40 percent of security requirements, such as the ability to encrypt information.
    So the perfect storm of MU/mobile IT proliferation and HIPAA rules is upon us. To date, PHI security has been by far #1 concern of consumers re EHRs, and very low on organization priorities. We’ll see if upping fines with HIPAA Omnibus gets execs attention with money tight and all trying to do “more with less”.
