The push to create a nationalized electronic medical records system has been stepped up with a massive influx of another $20 billion in government funding and new mandates. Independent studies estimate the real costs to taxpayers will run at least $75 billion to $100 billion over the next ten years, as CNN Money just reported. The goal is to put the health records of all citizens into a government computer network within the next five years. The medical records from every doctor office, clinic, hospital, laboratory, pharmacy and diagnostic facility in the country would be interconnected “to ensure the uninhibited flow of health data” among all stakeholders and federal agencies, according to the Department of Health and Human Services Department.
The accelerated adoption of a national health information technology (IT) has been led by a partnership of stakeholders and government officials. State governments have successfully enacted more than 130 health IT bills in the past 18 months, according to the National Conference of State Legislatures.
What is being envisioned, as we’ve seen*, is distinctly different from traditional health department disease registries. National health IT would put government officials in the position of overseeing the healthcare decisions made by consumers and their care providers, tracking chronic disease management, and monitoring compliance with public health performance measures. We’ve been told, though, that national electronic medical records (EMRs) under the direction of the HHS National Coordinator, will improve “quality” of health care, increase efficiency and cut healthcare costs, and reduce medical errors.
Once our personal heath information is in digital form and in a centralized government network, there will be no turning back, which makes going in with both eyes open so important. We continue our ongoing series* examining the evidence behind these promoted benefits and the various concerns being raised about EMRs, with a look at two documents few in the public have ever seen. Written by stakeholders, these reveal the real costs, risks and feasibility for hospitals and healthcare providers when instituting health IT. Most troubling, were the legal arguments being made to overcome issues of invasions of privacy and the inability of consumers to opt-out or give their consent for their personal health information to be accessed or used.
VA scandal
While the evidence to date has failed to provide credible support for claims that EMRs improve health outcomes for patients, save lives, reduce medical errors, or can yet protect privacy and security, problems were put in the national spotlight last week when the VA story broke.
The Veterans Administration has taken the lead on computerizing its entire medical record system throughout its 155 hospitals, 881 clinics, 135 nursing homes and 45 rehabilitation centers. Its universal medical records network is one of the few health systems in the country to go nearly paperless, and it’s been held up as an example of the benefits possible with health IT.
But, as we learned last week, continuing software glitches since August 2008 had not been disclosed to the public until the Associated Press obtained internal documents under the Freedom of Information Act. These revealed that VA patients around the country have been being given the wrong doses of medications and exposed to medical errors, some of which might have been life-threatening. As AP reported:
The VA's recent glitches involved medical data—vital signs, laboratory results and active medications—that sometimes popped up under another patient's name on the computer screen. Records also failed to clearly display a doctor's stop order for a treatment, leading to reported cases of unnecessary doses of intravenous drugs such as blood-thinning heparin.
As the AP uncovered: “VA medical centers reported that automated dispensing machines sometimes printed out the wrong patient name when filling prescriptions for outpatients, according to an internal VA memo dated Nov. 5.”
The chairman of the House Veterans Affairs Committee launched an investigation of the computer glitches last Thursday, calling the problems a sign of a “dangerous lack of accountability.” The problems had been kept quiet and then downplayed as inconsequential and nonthreatening, said Rep. Bob Filner. “VA bureaucrats consistently refuse to provide necessary information regarding the serious problems that affect veterans and this pattern of secrecy is disconcerting and does enormous harm,” he said.
If the VA’s electronic medical records, that are supposed to be the nation’s best example of how well they work, are having these major and ongoing problems surface, many called for caution before rushing forward to fund or mandate them throughout our entire nationwide healthcare system. As we’ve seen, doctors and hospitals are not adopting EMR to a notable degree and are voicing a wide range of problems in the reality of EMRs — from impractical costs of implementation, nonfunctionality in work flows especially in acute care and emergency settings, increasing inefficiencies and inaccuracies in charting, reducing productivity, failure of the performance measures to improve patient outcomes, and safety issues.
Even the Joint Commission, which accredits health care organizations and programs in the United States, has issued several Sentinel Event Alerts about adverse events due to “computerized provider order entry, automated dispensing cabinets, electronic medical records, clinical decision support, bar coding or RFID, virus threats to information security, CT scanning technology, and the loss of patient data.” Its December 11th report said “there is a dearth of data on the incidence of adverse events directly caused by HIT overall,” but the United States Pharmacopeia MEDMARX database includes 176,409 medication error records for 2006, of which about 25% involved computer errors.
Finding healthcare systems reticent to institute EMRs, government agencies are taking increasingly heavy-handed tactics. Last month, New York state began requiring hospitals to invest in EMR systems that are connected to, and are interoperable with, the State Health Information Network to enable the information to be shared, as part of its hospital certification of need process. This certification process is required before a hospital can expand, engage in any new construction or other capital improvements. The new mandate will cost Mount Sinai Hospital more than $34 million for a new EMR system, according to GovHealthIT.com.
Lori Evans, deputy commissioner of the New York State Department of Health in charge of its Office of Health IT Transformation, said the certificate of need process will help to rectify compliance with EMRs.
Before heading the NY health IT initiative, Ms Evans was Senior Advisor at the Office of the National Coordinator for Health Information Technology at the HHS, responsible for EMR adoption. Prior to that she was Vice-President of the eHealth Initiative and Director of the Connecting Communities for Better Health Program. Connecting for Health is a New York-based public-private collaboration of more than 100 stakeholders in health IT. It is operated by the Markle Foundation and supported by the Robert Wood Johnson Foundation. Its steering group, established in 2002, has taken the leadership role in developing the policy and technical frameworks to “clear the way for an interoperable health information infrastructure.”
Inside report: HIE (health information exchange)
This brings us to the first paper to share with you. It was written for health information exchange collaboratives, of stakeholders (RHIOs) working to implement EMRs to enable the sharing of electronic health information. In 2006, Ms Evans, along with co-authors at Manatt Health Solutions (which provides legal and consulting services in health IT) and the American Hospital Association, wrote an Executive Brief, “What Hospitals and Health Systems Need to Know.” It offered business and legal advice, based on the lessons learned from over 150 projects tried across the country.
Costs.The first revelation came in the exorbitant costs involved in the planning, development and implementation, and operating of EMRs. We never hear the full story of just how much healthcare resources must be diverted to implement these systems.
In the planning phase, alone, it revealed, the costs for a hospital “generally range from $300,000 to $1,000,000 and involve intensive educational sessions, meetings, business planning, readiness assessments, vendor selection, and legal and organizational costs.”
During the development and implementation phase, the costs “will depend on the scope of the project, including the technical and business approaches, as well as decisions about how different project costs are shared among the parties.” It explained:
Costs can range from $3 million to $10 million, depending on the technology platform selected, the vendor, and the number and complexity of the interfaces that need to be built, among other considerations. Costs will be considerably higher if they include implementing e-prescribing, EHRs or other information systems in provider settings, and/or population health improvement applications, such as disease management initiatives or public health surveillance and reporting.
Then, to keep the systems operational, it reported: “Generally speaking, operational budgets range between $2 million and $5 million annually.”
What’s in it for hospitals? The extent to which a hospital will benefit from information exchange will depend, the paper reported. “Hospitals show variable health IT adoption, depending on their size.”
[S]mall hospitals, especially those serving the safety net and rural areas, exhibit very low technology adoption rates, and nearly all small providers face economic hurdles to EHR adoption. For these hospitals, participation… is likely to impose significant economic hardship.
While not saving costs for most providers and hospitals, the Manett paper said, however, that hospitals are critical to making EMR work. “If you can’t get hospitals on board, you can’t do it.” But with healthcare providers operating in a competitive marketplace with thin margins, “competitive issues often pose the largest barrier in the early planning stages… and it is not uncommon for early meetings to include a number of cautious skeptics around the table.” Hospitals also have “practical concerns about the forces driving the initiative and how the information could be used.” State and federal funds were said to be necessary in order to build and support EMRs in hospitals.
While this paper said federal expenditures in supporting the institution of health IT have been limited, the amount of taxpayer dollars it described that had been spent just back in 2005 were not trifling. The Agency for Healthcare Research and Quality, for instance, had authorized $139 million in grants to drive the adoption of health IT, it reported. These grants were spread across 38 states to a number of health care stakeholders; five grants of $1 million annually for five years were awarded to states to specifically develop health information exchange networks.
Congress has also focused considerable attention on federal policy and funding for health IT, it said.
Federal agencies are also employing more heavy-handed techniques to compel compliance, as with the latest regulation in New York. The Centers for Medicare and Medicaid Services has a number of initiatives designed to encourage HIE, it reported, “including a pay-for-performance demonstration program for doctors who treat Medicare patients.”
New York state, where Connections for Health is based, has put special emphasis on EMRs and spent considerable amounts of state moneys, the report revealed. The $1 billion capital financing program, New York Health Care Efficiency and Affordability Law for New Yorkers Capital Grant Program, was created by the state in 2004. At the time of this Executive Brief, it revealed:
“The state is currently considering applications for the first phase of the health IT initiative in which it is anticipated that a total of $53 million in grants will be distributed. Grants will likely be between $50,000 and $10 million and will support the development of clinical information exchange projects, the creation of e-prescribing capabilities and the use of EHRs.
As the Executive Brief explained, the NYSDOH had created a high-level, multi-stakeholder committee to develop a plan for the stakeholder group by June 2006. The New York State Department of Health’s health IT implementation program then came under the direction of the paper’s co-author, Ms Evans.
Technology. The Executive Brief then addressed whether the technology was actually ready:
The short answer is that there is no one commercial technology product for RHIOs, and the suite of technology components for HIE is emerging but lacks standardization or commercial maturity. Stakeholders involved in RHIO projects today must be comfortable with being pioneers and navigating new terrain.
Privacy and Security. The most disturbing section was the one answering the question of whether privacy and security could actually be achieved. Instead of answering that, however, its focus was on whether HIPAA (Health Insurance Portability and Accountability Act of 1996) would in any way put up roadblocks to the free exchange of electronic health information among this collaboration of stakeholders. Regular JFS readers will already know the answer:
Fortunately, in most HIE projects, HIPAA creates parameters but not roadblocks. HIPAA permits hospitals to share protected health information for treatment, payment and health care operations (such as quality improvement) without patient authorization Given the fact that most HIE projects are focused on using data for these purposes, they generally can be implemented under HIPAA without establishing a patient authorization process.
State privacy laws, however, pose more formidable challenges. Many states have laws that are more stringent than HIPAA and require patient consent for the disclosure of health care information, particularly for highly sensitive information, such as mental health, HIV/AIDS and genetic testing data…
Collaborations may want to go beyond the letter of the law to build public trust, or for business or risk management purposes.
Which brings us to the second report you have to read to believe — just in case anyone still believes protecting privacy is a concern.
Outmaneuvering the law
In 2005, an important Policy Brief was produced by lawyers at The George Washington University School of Public Health and Health Services, Department of health Policy, funded by the Robert Wood Johnson Foundation. Titled “Charting the Legal Environment of Health Information,” it outlined the legal issues surrounding the gathering, sharing and disclosing of people’s health information, especially with the development of EMRs. While stakeholders read this, few consumers did.
Law has a profound impact on health care, since it offers a means of assuring that major advances in care are implemented in a manner consistent with equally important economic and social goals…. Notwithstanding the reluctance and slowness with which physicians have embraced the use of electronic health information… a major driver of this change has been the federal government itself.
What few consumers know is that HIPAA requires covered health care providers to comply with the electronic exchange of health information for claims payment and eligibility purposes for all federally subsidized health care, as this legal policy brief explained:
HIPAA requires covered entities, including health plans and most health care providers, to comply with electronic data interchange standards as well as transmit health data electronically for claims payment and eligibility purposes. More recently, the Medicare Prescription Drug, Improvement and Modernization Act (commonly known as the Medicare Modernization Act or MMA) authorizes the Centers for Medicare and Medicaid Services (CMS) to develop and administer electronic data systems to facilitate provider quality measurement activities in connection with Medicare program administration. The law also directs the Secretary to condition hospital payment on the electronic reporting of quality indicators and to tie the level of payment to quality measurement (i.e., “pay for performance”).
Under the Rule, covered entities are permitted to use or disclose personal health information (PHI) without specific individual authorization for treatment, payment and health care operations… Although the legal experts with whom we consulted believed that HIPAA poses some challenges to the establishment and use of electronic health data systems, the experts agreed that although the HIPAA issues needed to be addressed and carefully analyzed, rather than ignored, ultimately HIPAA was not likely to be a substantial legal barrier.
This report also explained to policy makers that the key motivations for creating a national electronic medical records system is to enable stakeholders to monitor and compel compliance of healthcare providers to their most profitable performance measures. While they are couched as being clinical “guidelines” for improving “quality” of care, by making them compulsory for accreditation and pay-for-performance measures, in reality they have the force and effect of law. Wavering from these “professional practice standards” could put doctors and hospitals at risk for being personally liable and vulnerable to claims of malpractice.
One of the most significant new drivers of modern health information systems is the incorporation of health information measurement and reporting capabilities into national industry accreditation standards. For instance, the National Committee on Quality Assurance (NCQA), an industry-based quality measurement and accreditation organization, measures the performance of health care organizations, health care institutions, and health professionals against quality metrics. Another example of quality measurement from a large purchaser perspective is the Leapfrog Group for Patient Safety, which has developed guidelines for hospital care and which is now focused on physician care. Even more significantly perhaps from a legal standpoint, the Joint Commission on the Accreditation of Healthcare Organizations (JCAHO) has now proposed to make the collection of data on patient race, ethnicity, and primary language spoken a basic aspect of organizational accreditation for managed care organizations and integrated systems, and in both ambulatory and institutional settings.
By themselves, industry accreditation standards do not have the force and effect of law, but standards such as practice guidelines prepared by NCQA, The National Quality Forum, The Leapfrog Group, and other measurement systems, as well as formal accreditation standards themselves, signal the increasing importance of quality benchmarking in practice and the need for effective information to support practice improvements. As government payers, private insurers, and industry-self monitoring enterprises all come to embrace information competency, these expectations become part of the standard of professional performance…
Far from making people’s private health information more secure and protected from breaches of privacy, this policy paper acknowledged that EMRs would increase those risks. But it doesn’t take close reading to see that the ability of government officials to gain access to private health information without people’s knowledge or consent could also be viewed as a benefit to the government:
In the “pre-electronic” world of health information, breaches of privacy required overt physical acts of some sort. A health provider might impermissibly divulge information either orally or in writing, carelessly throw out medical records in unsecured trash receptacles, or leave files lying around. If the government wanted to seize private health information, authorities had to make a physical demand for it, thereby placing individuals or information custodians on notice that the information was being sought.
But electronic information increases both the ramifications that can flow from a privacy breach (i.e., the number of persons injured through a single unauthorized disclosure), as well as the potential for government officials (and others) to obtain access to information without individual knowledge or consent (i.e., by culling the data from health data warehouses or central repositories). As the diagrams set forth in Appendix A suggest, the very existence of data warehouses could be perceived as creating unprecedented opportunities for privacy breaches.
A lot of legal loopholes and unaddressed questions exist for which the public has no legal protections in place. Yet, government is moving forward with EMRs before protections to protect consumers’ privacy and rights on how their private health information is used are enacted. The paper listed eight such questions:
1. Whether patients own their own medical records and how their information could be accessed
2. The appropriate use and disclosure of personal health information to third parties (such as “releasing prescription drug practices or psychiatric treatment notes”)
3. The power of government to compel the collection and disclosure of personal health information as part of public health oversight or law enforcement (such as “federal requirements related to the provision of treatment data for purposes of quality measurement”)
4. The power of third-party payers to force the collection and disclosure of information (such as compliance with treatments) as a condition of payment or for purposes of “performance measurement”
5. How data could be accessed as for privately-mounted civil litigation claims based on one or more theories of liability (such as “demands for data as part of legal discovery requests, in order to aid an injured party in fashioning and proving a civil claim of medical negligence, breach of a legal duty, or violation of law”)
6. Questions regarding data access by government law enforcement agencies to support civil or criminal investigations (such as abortions performed)
7. When and how personal health information could be accessed for research, how the data is de-identified, and whether the publication of information is restricted
8. And finally, “the legality of race and ethnicity data collection by the government or private industry for ‘quality’ improvement purposes.”
The most disturbing section of this legal Policy Brief was when it brought out the Constitutional arguments and pointed out that people have no constitutional rights to informational privacy and that by centralizing the data into a national interoperational system, opportunities for breaches of confidentiality increase:
The Constitution itself does not expressly provide for a right to informational privacy. Outside of the Fourth Amendment, the Supreme Court has not articulated a strong standard for a constitutional right to informational privacy. However, the Supreme Court has recognized a limited right to informational privacy as a liberty interest within the Fifth and Fourteenth Amendments in the case of Whalen v. Roe. Specifically, Whalen stands for a narrow right to informational privacy with regard to the disclosure and security of data held in governmental databases – a right that must be protected through adequate safeguards in the governmental system. Yet attempts to interpret the breadth of the constitutional privacy protections articulated in Whalen have been inconsistent at best, leaving us with a right in progress. Thus Whalen has failed to create a powerful constitutional right to medical information privacy.
As a practical matter, how can individual requests for confidentiality regarding certain medical data be honored? This issue is related to the potential interaction of state law protections for patients regarding sensitive medical information, such as diagnoses and treatment for medical conditions, such as mental health, substance abuse, HIV-AIDS, and family planning services. However, breaches of confidentiality become less likely in decentralized system since the requested data is only aggregated for a moment in time to respond to a particular query and then reverts to its original source.
We live in a doublespeak world. Few words and phrases mean what we think they do. Nothing illustrates that better than: "A crisis is said to need immediate government action to modernize our healthcare system and make sure every doctor’s office and hospital in the country is using electronic medical records, because it can cut red tape, prevent medical errors, improve quality of care, and help save billions of dollars each year." Do you see what they are creating? Do you want the government to know everything about you, while it also controls what healthcare you can receive and what care your doctor can provide? Do you see how much control over your body, lifestyle and health decisions the government will have?
If we let evidence rather than rhetoric guide us, then up has become down, bad has become good, wrong has become right… Will enough people know to turn back around?
© 2009 Sandy Szwarc
* Electronic medical records
Health benefits:
Separating myth and evidence about electronic medical records
Security issues:
Electronic medical records — different perspectives sharing the same news pages
The hospital was unaware any medical records had been stolen…
Meaning of “quality of care”:
What doctors are talking about with healthcare reform
Patient lives and medical errors:
Costs don’t just mean financial — EMRs and patient lives
Privacy issues:
Electronic health records — we have ways of making you...