More on Blue Button Plus and MU2

My last post, based on comments from Frost & Sullivan health IT analyst Nancy Fabozzi at last week’s Healthcare Unbound conference, has generated a bit of controversy. Fabozzi said that “Blue Button Plus is totally disruptive,” possibly eliminating the need for some providers to get full-fledged patient portals in order to meet Meaningful Use Stage 2 standards.

In the comments under that post, David Smith of, a health improvement consortium in three Western states, correctly pointed out that MU2 requires not just that providers give 50 percent of patients electronic access to their records, but also that 5 percent of patients actually view, download and/or transmit information back to their doctors or hospitals. I also got an e-mail from a GE Healthcare executive reminding me that of the view/download requirement as well as the fact that EHR technology had to be certified by an ONC-approved certification and testing body.

The viewing and downloading certainly can be accomplished with Blue Button Plus apps or widgets. In fact, ONC’s Lygeia Ricciardi has said Blue Button Plus could be part of the Stage 3 rules.

Transmitting would seem to necessitate a portal since HIPAA demands — and patients should expect — security when sending protected health information over the Internet. Standard e-mail doesn’t cut it, but e-mail following Direct Project protocols does. MU2 already sanctions Direct Project for health information exchange between healthcare entities. There is no reason why it can’t work for individuals as well, as Dr. Deborah Peel’s Patient Privacy Rights Foundation is trying to facilitate.

This might be a bit unwieldy, asking each patient to set up a Direct e-mail address, but remember, providers only need 5 percent to do so in Stage 2. I see it as perfectly feasible that some small physician practices could bypass the portal and just make do with freely available resources like Blue Button Plus — though Blue Button Plus app developers likely will charge fees — and open-source Direct standards.

UPDATE, July 18, 12:40 a.m. CDT:

HHS itself says Blue Button Plus meets MU2 standards.


Blue Button Plus is a blueprint for the structured and secure transmission of personal health data. It meets and builds on the view, download, and transmit requirements in Meaningful Use Stage 2 for certified EHR technology in the following ways —

Structure: The recommended standard for clinical health data is the HL7 Consolidated Clinical Document Architecture or Consolidated CDA. The C-CDA is a XML-based standard that specifies the encoding, structure, and semantics of a clinical document. Blue Button Plus adopts the requirements for sections and fields from Meaningful Use Stage 2.

Transmit: In alignment with Meaningful Use Stage 2 standards, Blue Button Plus uses Direct protocols to securely transport health information from providers to third party applications. Direct uses SMTP, S/MIME, and X.509 certificates to achieve security, privacy, data integrity, and authentication of sender and receiver.

It sounds to me like compliance is just a matter of making sure that a Blue Button Plus app is certified as an EHR module.