IBM and HIPAAT partner to offer EHR privacy software

By Molly Merrill
12:00 AM

IBM and HIPAAT, Inc., a provider of consent management solutions, have partnered to offer a consent management solution designed to put privacy back into the hands of the patient.

The IBM-HIPAAT collaboration extends patient-driven privacy to Electronic Medical Records, Electronic Health Records, Personal Health Records and Health Information Exchanges.

The companies are integrating HIPAAT's Privacy eSuite software - based on Service Oriented Architecture - with IBM's SOA Foundation for joint projects. The IBM SOA Foundation supports IBM's global healthcare strategy, which is based on the adoption of an asset-based, interoperable SOA approach and the use of open standards and standards-based EHRs to ensure secure and private exchanges of records between authorized healthcare services and benefits organizations.

"IBM is playing an important role in the infrastructure that is needed in order to facilitate the sharing of health information," said Tom Romeo, vice president of federal global business services at IBM. "What HIPAAT brings to the table is privacy - a layer of protection for the patient - which is mandatory in healthcare."

Barry Runyon, vice president of research at Gartner, said using IBM's SOA framework would leverage the company's presence in HIEs and other stand-alone care delivery systems.

"They aren't trying to re-invent the wheel, but are rather integrating, which makes it a lot easier," the analysts said.


IBM and HIPAAT's solution is a privacy-based approach to securely controlling PHI access across diverse healthcare applications and settings. When installed in HIE environments as the "consent engine," Privacy eSuite empowers patients and designated providers to create and record privacy directives. The software then evaluates a provider's authorization to access a patient's PHI based on such directives. A patient can restrict a particular clinician from accessing PHI, even if that clinician, based on a medical role, would typically be granted such access. All access requests are recorded and an audit trail is created.

"The Privacy eSuite is a Web-based SOA service that evaluates the relationship between the patient, the clinician and the PHI. The system checks these relationships, it provides a validation service," said Kel Callahan, head of business development for HIPAAT.

Combined IBM and HIPAAT technologies allow patients to specify who is granted access to their personal health information, what information can be accessed and when. They enable caregivers to implement and enforce patient consent directives, providing "break the glass" access to PHI and EHR data in emergency-care situations, where appropriate.

The break-the-glass functionality occurs at the point-of-care. Callahan says it is up to the implementor whether the "break the glass" scenario should be enacted.

"There is a broad difference in opinion" on how far to turn over the control," he said.


Runyon said consent management is going to be a "hot area" - and not just because of ethical issues like patient privacy vs. patient treatment. There are technical issues as well, he said.

"This is a hard area to get your hands around. It's a tough one and it hasn't been automated up until now. But it's time," he added. "I think it's a good thing, and I don't believe it will hinder patient treatment."

Vendors offering similar solutions include Cambridge, Mass.-based Wellogic, InterSystems and Alpine, Utah-based You Take Control, Inc.

Runyon said HIEs have worked to bring consent management back to the forefront. Other drivers he identified include the crackdown on HIPAA enforcements and the increase in and publicity of identity theft cases.

IBM officials said they are working with partners and clients in the healthcare industry to make information delivery and related business processes more patient-centric.

One initiative benefiting from the IBM-HIPAAT collaboration is the Nationwide Health Information Network trial implementation, now under development by the North Carolina Healthcare Information and Communications Alliance, Inc., or NCHICA. This initiative gives patients and providers transparent access to Privacy eSuite's privacy controls across the broad spectrum of applications enabled by the SOA Foundation.

"We are excited about the IBM-HIPAAT technology and its potential, but we have a lot of interoperability roads to cross," said Holt Anderson, executive director of NCHICA.

There will be a demonstration of the technology in Washington D.C. this September. Holt says they hope to move toward production by 2009-2010.

Holt said policy issues will present the biggest challenge in moving this effort forward "We are excited to try this out and see it in action and for the public to see it in action," he said. "We need the public to weigh in on this."

What are your preferences, priorities and biggest concerns when it comes to personal health information? E-mail me at