Sep 15, 2000

We've Been Hacked

Eventually, every time a doctor's office wants to check on a new patient's history or a parent wants to sign up a kid for summer camp, money will flow into HealthRadius. What companies like Healtheon/WebMD Corp. have become for the Web-based administrative side of health care, Rosmann's company will be for the patient-records side of it, he says.

Rosmann, 56, who formerly worked as a health-care consultant, has had to make his pitch many, many times, to venture capitalists, state health officials, doctors, and health-care administrators. Though they may expect the caricature of an Internet-start-up entrepreneur with plans as big as the sky -- a young, brash, fast-talking braggadocio -- what they get instead is the calm assurance of Joe Rosmann, with his mellifluous voice that never rises or rushes. Like a family doctor explaining your test results, he provides instant reassurance with his smile and bearing.

Reassurance is an important element of Rosmann's plan. To make it work, he must collect and distribute the type of information that everyone agrees should be held in utmost privacy: medical records. Without strict assurance of the data's security, Rosmann says, his company could never meet the requirements of health-care privacy laws -- newly tightened in the wake of consumer outrage over privacy violations. And just as important, without that security, Rosmann could never sell anyone on the idea.

And these days it's a Herculean task to ensure that Web-based transactions are private and secure. Still, for cost, speed, and simplicity, Rosmann wants to do it all -- including data collection and access -- over the Web.

His approach seems to be working. HealthRadius, based in Bellevue, Wash., will expand its immunization-records service to four new states this fall and expects to have more than half a million physicians involved within two years. Although the company took in just $100,000 in revenues last year, venture capitalists value the company at about $20 million. Rosmann expects revenues of close to $5 million this year.

Four years ago, when Rosmann launched HealthRadius, doctors and health-care administrators were just beginning to eye the potential of the Internet. Washington state health officials brought Rosmann in to study how to salvage a failed medical-records-exchange initiative, the Community Health Information Network. Their request, he says, was straightforward: "Get something simple started to prove that you can safely exchange medical-health records and automate the transactions between doctors, health plans, and hospitals."

Out of that effort came two companies: Rosmann's and a payment-exchange provider called Pointshare. Rosmann's response to the state's request was to break into the potentially enormous health-care-records field through the single entry point of children's immunization data. That category is a good testing ground for the broader health-records field, he believes. For one thing, parents must frequently provide immunization records to new schools, new summer camps, and new doctors. A child typically has seen three doctors and had 23 immunizations by age six, according to HealthRadius's research. Who wouldn't want to make managing and exchanging all that data easier? Rosmann believed it was a market waiting to be served.

One of Rosmann's key early contacts was information-law specialist John R. Christiansen of the Seattle office of law firm Stoel Rives LLP. Christiansen began consulting for HealthRadius in the fall of 1996. "There is no standard-setting organization out there" for electronic medical records, Christiansen says. "You can't just go out there and say, 'What are the steps I need to take?'" He advised Rosmann to draft his contracts with clients in a way that holds HealthRadius to an unusually high level of liability for the privacy and security of the data it collects. Only by doing so could Rosmann hope to reassure the doctors, health insurers, and parents who were HealthRadius's targeted customers.

If you're going to put your business on the line like that, you'd better make sure you can live up to your promises. So the first person Rosmann brought on board was not a health-care adviser, but information-security veteran Gene Shook, now vice-president of the company's operations and development. Rosmann and Shook, working together in their quiet offices on the outskirts of Seattle, laid out a long list of steps they would take to keep medical data both secure and private.

First, they needed to be able to verify the identity of any client trying to access their records over the Web. Then they had to encrypt the data sent to and from HealthRadius servers so that only people holding the keys to unscramble it could read it. In addition, since participating doctors' offices would submit information directly to the HealthRadius database when they performed immunizations, the company had to guarantee an even greater level of security for those transactions. Different employees at doctors' offices -- even those using the same computer -- would need to have varying levels of access; for instance, some workers would be able to read but not edit patient records.

The first employee Rosmann brought on board was Gene Shook, who took charge of security.

Shook will soon install a VPN, which will offer a high degree of security. In the meantime, he turned to the encryption built into standard versions of Netscape Navigator and Microsoft Internet Explorer (called Secure Sockets Layer, or SSL, encryption) and other Microsoft tools. For authentication, Shook currently uses the access-control system built into the Microsoft Windows NT operating system as well as the company's own custom-developed access-control system.

To ensure that changes made to HealthRadius's database are verifiable and legally valid, Shook decided to use a method that should soon become more widespread: digital signatures backed by a public key infrastructure (PKI). Those digital signatures, vouched for by an authorized third party, let each party verify the other's identity, like a secret handshake. Washington state has recently authorized a Utah company called Digital Signature Trust to act as the licensed certificate authority for supplying digital PKI signatures. Anyone in the state can sign up with Digital Signature Trust and receive the hardware or software to generate digital IDs. Two parties that are both using those digital IDs -- for instance, HealthRadius and a physician's office -- can be certain that the information that was sent exactly matches what the other party receives, and that it came from the party whose ID signed it. In Washington, such electronic documents can now legally take the place of paper.
