A Health IT Plan for the Nation

In an op-ed article in Business Week online posted 12/19/08, I describe how health record banks (HRBs) can solve the problem of making complete patient records available at any point of care while providing electronic medical records (EMRs) to all physicians and fully protecting individual privacy. I then outline the policies that the new Obama Administration should adopt to encourage the development of health record banks with only relatively modest new Federal expenditures.

I think these issues are particularly timely and relevant since funding for health information technology is being included in the Economic Recovery bill currently being drafted. Funding alone will not solve this problem; the expenditures must be directed towards a feasible and sustainable system.

In brief, the Federal Government should take four steps to create an effective health IT system that delivers complete patient records at any point of care:

  1. Restore the right to medical information privacy (see my previous post for a detailed explanation about why HIPAA currently does not ensure privacy protection);
  2. Give all patients the right to a no-cost electronic copy of their medical information at least at the time of service (which they could direct to their HRB account);
  3. Make the cost of an HRB account (up to $12/year) a covered benefit for all Federal health beneficiaries (with encouragement to the private sector to do the same). This latter “pay for results” policy would only result in expenditures when consumers opened an HRB account — having the account would ensure health care savings at least 10 times the covered cost.
  4. Establish a regulatory framework for HRBs to provide oversight. Each HRB would be required to demonstrate compliance with privacy protections and other operational rules designed to protect consumers.

    I believe that these policies will lead to an effective, self-sustaining, private-sector health IT system that provides heavily subsidized EMRs to all physicians and fully protects individual privacy.

    There are more details about these and related issues in the new book just published by HIMSS entitled, “Personal Health Records: The Essential Missing Element in 21st Century Healthcare” which I co-authored with Holly Miller, MD, MBA, and Howard Burde, Esq. It provides a comprehensive overview and discussion of the many issues pertaining to the adoption and use of personal health records, with chapters on PHR architecture (including the health record bank model), PHR law, and PHR business sustainability models.

    In this posting, I wanted to respond to a few FAQs about the policies I’ve recommended.

    How much would your plan cost?

    Since there are about 100 million Federal health beneficiaries, the new HRB account benefit of $12/person/year would cost a maximum of $1.2 billion/year (if everyone signed up). This amounts to 0.2% of health care costs. Conservative analyses can easily demonstrate health care cost savings of 2% as a result of HRB accounts through improving chronic disease management and avoiding preventable hospitalizations due to outpatient adverse drug events, duplicative imaging studies, and unnecessary repeat laboratory work. This 2% total savings amounts to ten times the proposed payment for a health record bank account. But even if these estimates are grossly inaccurate, the savings most certainly will be at least as great as the expenditures, not counting additional value from more timely and complete availability of information to medical researchers, public health officials, and policymakers (with consumer consent).

    Won’t a health record bank cost more to operate than your $1/person/month estimate?

    The recent Center for Information Technology Leadership report on Cost and Value of Personal Health Records (PHRs) estimates the cost of an “interoperable PHR system” (i.e., a health record bank) at $8/person/year if there are 500,000+ subscribers. My own data shows that the cost will be about $6/year (50¢/person/month) with 1 million subscribers. So the estimate I use of $1/person/month is, if anything, a bit too high.

    How much will it cost to subsidize electronic medical record systems for physicians?

    To subsidize each physician at the rate of $5,000/yr for an Internet-accessible EMR system (which would cover most of the EMR system cost) would require about $10/person/year. The way I get $10 is that there are about 600,000 physicians and 300 million total population in the U.S. Therefore, there are about 500 people/physician — therefore, to get $5,000/physician, the cost/person is $10.

    What is the business model for a health record bank?

    Revenue would be about $5/year from advertising to consumers (like the advertising you see on Google) and $12/year from reminders and alerts, for a total of $17/year. The reminders and alerts would be services such as: 1) notifying you instantly if the HRB account of any of your loved ones is touched by an emergency room physician; 2) “prevention advisor” giving you reminders of anything you need to do to stay healthy (e.g. colonoscopy, etc.); or 3) medication reminders (for each dose and/or for refills). The first two would be paid by consumers (or perhaps even by health plans), the last one by pharmaceutical firms. In any case, I think $1/person/month (or $12/year) in revenue for all reminders is very conservative, even allowing for the fact that some consumers will not want to pay for any of them.

    Expenses would be $6/year for the basic operation of the bank and $10/year to subsidize each physician in the amount of $5,000/year for an Internet-accessible EMR system.

    With revenue of at least $17/year and expenses of only $16/year, a health record bank is profitable. And this analysis includes not only the cost of the HRB itself, but also subsidies for all the EMRs for physicians. Finally, note that I have not invoked (or tried to capture) a penny of health care cost savings in this business model.

    ***

    In summary, health record banking provides a self-sustaining, private-sector health IT solution that can deliver complete patient records at any point of care, subsidize EMRs for physicians, and fully protect privacy. While it is highly likely that HRBs will result in substantial health care savings, their financial sustainability is based solely on the new value that they create for consumers.


    Some PHRs Already Have Strong Federal Privacy Protection

    In my last posting, I explained why the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule does not really assure our privacy. This time I want to address another widespread myth – namely, that personal health records (PHRs) have no privacy protection. The news here (thankfully) is good – it turns out that publicly-available PHRs are in fact subject to quite stringent privacy protections under Federal law. In view of this, the frequent calls that are heard to extend HIPAA privacy “protections” to PHRs are misguided at best. HIPAA does not protect privacy and, as you will soon see, extending that “non-protection” to PHRs would actually eliminate our existing protections.

    In 1986, the Electronic Communications Privacy Act (ECPA) was enacted (also known as the Stored Communications Act or SCA). The purpose of this law was to protect the privacy of electronic communications (primarily e-mail) and also data stored by a remote computing service. Specifically, ECPA prohibits the operator of a publicly-available remote computing service (such as a PHR) from releasing any information to any private party for any reason without the consent of the subscriber. Unlike HIPAA, there are no exceptions for treatment, payment, health care operations, or anything else. Therefore, at least for publicly-available PHRs, such as Microsoft HealthVault or Google Health, the organization holding the information MUST GET YOUR PERMISSION before releasing any of your data to any private party. The law is not long or complicated – I urge you to read it yourself if you have any doubts.

    While the ECPA law was not expressly directed to PHRs (which were not really contemplated in 1986), or the Internet (which had yet to gain widespread attention and use), Congress did specifically consider the issue of health records in its deliberations. Senate Report No. 99-541, (1986), said “[t]he Committee also recognizes that computers are used extensively today for the storage and processing of information. With the advent of computerized recordkeeping systems, Americans have lost the ability to lock away a great deal of personal and business information. For example, physicians and hospitals maintain medical files in offsite data banks, …” (emphasis added, quoted from page 7013 of this recent Federal Appeals Court decision). Therefore, it was clearly the intent of Congress to protect our electronic medical records with this law.

    Unfortunately, this does NOT mean that all PHRs are protected by Federal law. Only those that are “publicly-available” are included. While this clearly would apply to generally available web-based PHRs, systems provided only to specific individuals by employers, insurers, and even healthcare providers are less likely to be considered “publicly-available.” Therefore, ECPA protection is limited. So you are only covered if you use a PHR that is available to anyone. Clearly, it would be good to extend this strong Federal protection to all PHRs.

    Another reason for concern if you use a PHR that is supplied by a HIPAA “covered entity,” (which would include physicians, hospitals, employers, and health insurers) is that HIPAA, as explained before, does not protect your privacy. The holder of the information is allowed to release your data WITHOUT your consent for “treatment, payment, or health care operations” (TPO) without the necessity of keeping any records of such disclosures to prove their legitimacy after-the-fact. And even if a PHR from a HIPAA covered entity were to somehow be considered “publicly-available” and therefore be subject to ECPA, the legal argument is that HIPAA provides the consent required under ECPA for TPO uses (and therefore your information could still be released without your consent).

    Having read this far, it should now be quite clear to you that extending HIPAA “protections” to PHRs makes no sense and would actually have the effect of making these systems just as unaccountable as everything else covered by HIPAA. On the other hand, extending the ECPA law to all PHRs (not just those that are “publicly-available”) would truly give us all strong Federal privacy protections (at least for our PHRs).


    The HIPAA Privacy Myth: Why HIPAA Does NOT Assure Your Privacy

    It has been widely asserted, and most people believe, that the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) protects the privacy of health information. Unfortunately, this is a myth. Just as the “P” in HIPAA does not stand for “privacy,” it turns out that the HIPAA Privacy Rule, which went into effect in 2002, actually eliminates privacy protection, and does so in a way that prevents privacy violations from being detected, monitored, or audited.

    At this point, I’m sure you are quite skeptical — as you should be. After all, you’ve heard over and over that HIPAA protects your privacy. Furthermore, you’ve signed those long HIPAA forms at every doctor’s office, clinic, and hospital. You’re wondering “How can this be so?” I urge you to read on and find out the real story.

    First, let me describe the basic provisions of the HIPAA Privacy Rule. It says that your health information cannot be disclosed without your consent with three exceptions:

  • Treatment (your medical care)
  • Payment (processing your insurance claims)
  • Operations (business functions of health care, such as monitoring quality of care)

    These so-called “TPO” exceptions (named for the first letter of each) seem quite reasonable. After all, you want your medical information to be used for your treatment — that’s the primary purpose of having it recorded. You also want your information to be used to process your insurance claims — that’s why you have insurance (assuming you’re not one of the tens of millions who don’t have insurance — but that’s another subject). And you also want every health care organization to be able to perform routine operations, such as monitoring the quality of care that is provided. So what’s the problem?

    The problem is this: Who decides whether a particular disclosure of your health information falls under the TPO exceptions, and can be done without your consent? It’s whoever has the information — the hospital, health plan, insurer, etc. And when they make that decision, they do NOT have to inform you that a decision is being made. You have NO input and NO right to appeal or review.

    What’s even more disturbing is that once a decision is made to disclose your information under the TPO exceptions, THERE IS NO REQUIREMENT FOR ANY RECORD OF THE DISCLOSURE. That’s right — incredibly, disclosures of health information under the TPO exceptions do not need to be recorded. Therefore, you cannot find out who has received your health information if it was provided under a TPO exception (as determined solely by the holder of the information). So in addition to not having an opportunity to be involved in the decision about whether a given disclosure qualifies as TPO, you can’t find out afterwards if the organization is really following the TPO definitions appropriately or just disclosing your information to anyone they wish (and justifying it as falling under the TPO exceptions).

    In foreign policy, President Reagan was famous for his “Trust but Verify” approach. In stark contrast, the HIPAA Privacy Rule is a “Trust but Keep no Records That Would Allow Verification” approach. While all of us hope that decisions about disclosing our health information are being made in a reasonable and equitable way, THERE IS NO WAY TO FIND OUT if this is indeed the case.

    I want to make it clear that I am not accusing any health care organizations of disclosing private health information inappropriately. I believe, as I would guess you do, that the overwhelming majority of folks in the health care industry handle our information with the utmost care and integrity. But I also know that there are always some bad apples and that accountability and monitoring are absolutely necessary. HIPAA provides NO accountability — the lack of records of TPO disclosures means there is no way to know (even after the fact) if there are improper or illegal disclosures.

    For those who may still be skeptical of my claim that no records are required for TPO disclosures, here is the actual text of the provision in the Code of Federal Regulations that says that you cannot get an accounting of TPO disclosures of “protected health information” (emphasis added):

    TITLE 45, PART 164 - SECURITY AND PRIVACY
    Subpart E. Privacy of Individually Identifiable Health Information
    Sec. 164.528 Accounting of disclosures of protected health information.
    (a) Standard: Right to an accounting of disclosures of protected health information.
    (1) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures:
    (i) To carry out treatment, payment and health care operations as provided in Sec. 164.506;

    So the forms you’ve been signing in doctor’s offices, clinics, and hospitals, are not, as many believe, “consent forms.” They are your notification about the provisions of HIPAA — essentially, you are being notified that YOUR PRIVACY IS NOT ASSURED. And it doesn’t matter if you sign or not — the HIPAA provisions apply to you regardless.

    Finally, why is this important? First, you should be able to control your health information in the same way that you have the right to decide what treatments you receive. Second, inappropriate disclosure of health information can hurt you by, for example, damaging your ability to get a job. Third, if we are going to convert our mostly paper medical records to electronic form, we need to do a better job protecting privacy because everyone knows that electronic records create more risks because they are more easily accessible.

    Prior to the adoption of the HIPAA privacy rule in 2002, it was a long-established legal principle that you have the right to control all access to your own health records. As we make the transition to electronic health records with health record banks, we need to reinstate this important legal right.


    A Health Record Bank is NOT an Information Technology (IT) Project

    Over the past year, as the majority of communities developing health information exchanges struggle to make progress (with a few failing outright), health record banks (HRBs) have received increasing attention as a model for successful community health information infrastructure (HII). There is a growing realization that other approaches do NOT solve the critical problems of HII that are addressed by HRBs, namely,

  • Making all the health record information electronic
  • Assuring stakeholder cooperation
  • Providing financial sustainability, and
  • Earning public trust.

    In addition to the previously cited independent report endorsing health record banking in October, 2007, from the Information Technology and Innovation Foundation, a new study released last week by the California Health Care Foundation, Gauging the Progress of the National Health Information Technology Initiative, declared that the current approach to HII that envisions a “network of networks” known as the Nationwide Health Information Network (NHIN) is “impractical and cannot be implemented.”

    As a result, more communities are pursuing the development of HRBs. The State of Oregon recently received a $5.5 million Medicaid Transformation Grant from CMS (Centers for Medicare and Medicaid Services) to create the Health Record Bank of Oregon. The State of Arizona, also the recipient of a Medicaid Transformation Grant, is taking a close look at the HRB model. The State of New Jersey just enacted legislation creating the New Jersey Health Information Technology Commission, which is tasked to create “The Health Information Bank of New Jersey.” The State of Mississippi is evaluating the HRB approach. Greater Louisville (KY) and the State of Washington, among the earliest adopters of the health record banking approach, are both continuing their efforts to build effective HRBs. (Comments from readers on additional HRB activity would be welcome!)

    In a further sign of the acceptance of the HRB approach, a recent RFP from the National Governors Association’s State e-Health Alliance requesting bids on a research project to develop recommendations for potential governance and business models for HII specifically included health record banking as one approach to be evaluated.

    So isn’t this all good news for health record banking? Yes … and no. Of course, those of us who have been promoting the advantages of this approach over the past several years are pleased to see more widespread awareness and adoption. The Health Record Banking Alliance, formed in 2006 to bring together folks interested in HRBs, is growing. However, as often happens with new ideas, popularity can lead to misunderstanding as more people embrace the model without fully appreciating all of its implications.

    The fact is that developing HII, even with the HRB approach, remains a complex and difficult problem. Issues of organization, governance, policy, stakeholder cooperation, marketing, financial sustainability, public trust, and technology must all be addressed simultaneously. Furthermore, having a financial strategy for maintaining an HRB does not automatically guarantee an easy financial path for STARTING one. For example, it is relatively easy to envision how a company like Federal Express can be a sustainable, ongoing concern once its infrastructure and customer base is established over a wide geographic area. But building FedEx from a new startup organization to that point remains one of the great business achievements in recent memory.

    The most common mistake now being made by new HRB enthusiasts is to consider a health record bank to be purely an IT project. While the technology is clearly important and non-trivial, existing techniques and methods are more than sufficient to handle the job. Indeed, most of the component technology pieces that constitute an HRB, such as Personal Health Record (PHR) interfaces, consent management systems, and health information repositories, already exist and, in many cases, are in routine production at many sites.

    What do not exist are the organizational, governance, marketing, and financial mechanisms to support the technology — and these are the difficult challenges. This is best illustrated by imagining the scenario of a community that was successful in building the perfect technical infrastructure for an HRB. Let us assume such an HRB functioned ideally in every respect — it could accept deposits of any arbitrary medical data using any reasonable data format or standard, provided easy-to-use interfaces for both consumers and providers enabling consumer control of exactly what is accessible by whom, had state-of-the-art security protections, could automatically generate relevant reminders to consumers and providers, and was implemented in a high-reliability system environment that guaranteed nearly 100% availability around the clock.

    Would such an HRB be useful? Not at all, because it has NO DATA. Furthermore, it has NO USERS. Also, it has NO FINANCIAL SUSTAINABILITY and NO GOVERNANCE. Without addressing the questions of how the data ACTUALLY gets in (as opposed to whether it CAN be deposited), how patients and providers are successfully encouraged to USE the system, and how it will be GOVERNED and PAID FOR, all the fabulous technical capabilities of this “perfect” HRB have no value whatsoever.

    Therefore, the strategy of issuing an RFP to “build a health record bank” is highly unlikely to succeed, particularly if directed to health IT vendors. Building the IT infrastructure for an HRB is essential, and doing it right is extremely important. But it is truly the LEAST difficult problem to be solved on the road to successful HRBs. To succeed in creating a truly effective and sustainable HRB, close attention must be focused on acquiring data and encouraging usage within an organizational framework that provides trusted governance, and developing and deploying a business model that can reliably generate the revenue needed for ongoing operations. Simply building the IT system alone is not nearly enough.


    The Myth of Anonymized Data

    Today’s CNET story, “AOL, Netflix and the end of open access to research data”, describes how two large so-called “anonymized” databases have been re-identified, compromising the privacy of everyone in them. This provides yet another example of why “anonymized” data is a myth — and reinforces the need to avoid the release of large datasets of medical records, even if they are supposedly “de-identified.”

    The first incident described involves the release of 500,000 people’s movie ratings by Netflix in 2006. To protect the privacy of their subscribers, Netflix carefully removed all personal information. They offered $1 million to anyone who could develop an algorithm that would improve their movie recommendation system — a worthy goal. However, this week researchers announced that they successfully re-identified the data using publicly available information.

    A similar scenario occurred when AOL publicly released “de-identified” search data for 500,000 of its users. Some were re-identified within days.

    The lesson in this is simple: THERE IS NO SUCH THING AS ANONYMIZED DATA. To some extent, it can always be re-identified. For those who are interested in more details, computer scientist Dr. Latanya Sweeney’s Data Privacy Lab at Carnegie-Mellon has been studying this issue for years and developing the theory needed to understand it.

    So what are the implications for medical data? As previously described in this space (Protecting Privacy While Searching Health Record Banks), each person’s complete health records need to be stored in a central location with all access under the control of that individual (or whomever they designate). To provide the tremendous research benefits available from searching this data, queries should be submitted to health record banks, but NO DATA SHOULD EVER BE RELEASED. Instead, the result of a query would be a count of the number of matches and a carefully controlled demographic summary. In this way, re-identification is prevented since no actual data is available. This allows all of us to have the fruits of medical research WITHOUT having to give up our privacy.

    Let’s hope Netflix and AOL have learned their lesson and that other organizations — especially health care institutions — are paying close attention.


    First Quantitative Study of Health Information Infrastructure Workforce

    One of the key unanswered questions about health information infrastructure over the past several years has been, “Do we have enough trained people to build it?” Over the past year, I’ve been privileged to have the opportunity to serve as the principal investigator of a research project sponsored by the U.S. Department of Health and Human Services (Office of the Assistant Secretary for Planning and Evaluation) to begin to address this question. This work represents the first attempt to quantify the workforce requirements for building the health information infrastructure in the U.S. A presentation summarizing the final results was given to the American Health Information Community (AHIC) Electronic Health Record work group in late September, and the complete final report has recently been posted. Here is the Executive Summary:

    Nationwide Health Information Network (NHIN) Workforce Study

    Executive Summary

    For the past several years, the nation has been working to improve health care through the widespread implementation of electronic health records. One clear prerequisite for accomplishing this goal is the availability of a trained workforce to implement the developing Nationwide Health Information Network (NHIN). While it is generally acknowledged that the nation does not have a sufficient number of trained specialists for this purpose, no prior studies have produced any quantitative estimates of the workforce requirements. Accordingly, the current research was designed to further our understanding of NHIN workforce issues by collecting, assessing, and analyzing existing knowledge and data in this domain with the objective of producing an initial estimate of the number of people needed.

    This study gathered information through a series of four focus groups, five site visits, and direct communications with health information technology (HIT) vendors. The anticipated NHIN work was divided into three separate categories of activities for the purpose of assessing workforce:

  1) electronic health records (EHRs) in physician offices;
  2) EHRs in hospitals and other health care institutions; and
  3) the health information infrastructure (HII) required in communities to link the various sources of records so that each patient’s complete electronic record could be available.

    Assuming a 5-year time frame for NHIN implementation, results indicated that 7,600 (+/- 3,700) specialists are needed for installation of EHRs for the approximately 400,000 practicing physicians who do not have them already. For the hospitals needing EHRs (about 4,000), approximately 28,600 specialists are needed. Finally, about 420 people are needed to build the HII systems in communities to interconnect all these other systems. These data represent the first ever quantitative estimates of the workforce needed to implement the NHIN.

    These estimates should be considered preliminary and imprecise as they are based on a very small number of reports: eight for physician EHRs, four for hospitals (no data were available for other types of health care institutions), and two for communities. Furthermore, since all reported data was retrospective, the various estimates are based on information collected inconsistently at different times and under varying circumstances. Insufficient information was available to be able to characterize meaningfully the different types of personnel needed, although at least 15 different job titles were identified and defined. There was also inadequate information to allow workforce estimates for different architectures for the three major activities, despite general agreement from the expert panels that differences in architecture may have a significant impact on the personnel needs. Similarly, there was not enough data to assess or categorize the impact of size of practice or institution on workforce. However, there were some indications that the personnel requirements per physician are higher for smaller physician offices (three physicians or less). Also, the workforce data relates only to installation of systems; ongoing support and maintenance were specifically excluded. Finally, it is notable that there is no available data about the current number of specialists working in the three areas, so it is not clear whether these estimates indicate a shortage of personnel.

    Further research is needed to confirm and refine these estimates, as well as overcome the limitations of these results. Nevertheless, these first-ever quantitative estimates of the workforce needed for NHIN implementation will inform such additional studies, lead to an improved understanding of this important domain, and ultimately help ensure that adequate numbers of personnel are available for this critical work.


    Independent Report Endorses Health Record Banking

    Today, the Information Technology & Innovation Foundation released a new report, Improving Health Care: Why a Dose of IT May Be Just What the Doctor Ordered. The report recommends health record banking as the way to develop an effective health information infrastructure. It also recommends four specific actions by the Federal government:

  • Establish interoperability standards
  • Establish the regulatory framework for health record banks (by passing HR 2991)
  • Make health record bank account fees a covered benefit for all Federal health programs
  • Require that all holders of electronic health record information provide it to patients at no charge (for deposit in their health record bank accounts)

    This report is a nice synopsis of the current situation and the rationale for health record banks. My recommendation is that you take a close look at it.


    HealthVault - A Step in the Right Direction

    October 4, 2007 — Today, Microsoft announced their HealthVault(tm), a secure consumer-controlled repository for health and medical records available to all consumers at no charge. It was described as a consumer-centric approach to addressing fragmentation of health information — in other words, a health record bank. Microsoft’s recognition of the need for such a repository is thoughtful and positive, and the release of HealthVault will do much to focus the discussion about health information infrastructure toward the health record banking approach. It may even be important in moving the nation forward in solving the problem of making your complete health records available whenever and wherever you may seek medical care. This posting explores this important new development — what it is, what it isn’t, and how it relates to solving the overall problem.

    Health Record Banking

    As those of you who’ve been following this blog know, health record banking involves establishing consumer-controlled repositories that hold complete copies of each person’s medical record. Like all good ideas, health record banking is fundamentally simple. Each person keeps an up-to-date copy of their lifetime health record in an “account” with a health record bank (HRB). All access to the information in the account is controlled by the account-holder (the consumer), who makes the information available to health care providers whenever necessary. Each consumer may also access their own record as needed.

    HRBs would have exclusive responsibility as the agent of each consumer, and would be required to follow stringent privacy and confidentiality practices to protect the information (either via open and transparent community oversight or legally-mandated government regulation). HRBs would provide everything needed for an effective nationwide health information infrastructure: 1) consumer-controlled access to complete medical records; 2) financial sustainability; 3) incentives for physicians to acquire and use electronic health record (EHR) systems in their offices; 4) privacy protection; 5) stakeholder cooperation; and 6) availability of health data for consumer-authorized secondary uses such as medical research.

    Through consumer-authorized searching, HRBs would promote appropriate secondary use of electronic health care information. When public health authorities or medical researchers query HRB(s), information from all account-holders that have agreed to allow that particular use of their data would be searched. Confidentiality can be assured by limiting the response to the query to only the number of records that meet whatever criteria were submitted (so no actual patient data is released). If needed, a message to be sent to each account-holder matching the query conditions could be included. This would, for example, allow notification of account-holders of their eligibility for a clinical trial (see the previous posting on this topic for more details). If fees are charged, the revenue could be shared with account-holders as an incentive to allow such use.

    HRBs can also provide incentives for physician EHR adoption and use. The HRB would either pay a small fee for each deposit of a standardized electronic report of an outpatient encounter, or provide very low-cost access to an EHR system to physicians via the Internet. This would help ensure that all patient information was electronic — a requirement that is not being addressed in current efforts. These HRB incentives explicitly recognize that the benefits of physician office EHRs primarily accrue to other healthcare stakeholders. Note that this would also allow HRBs to enforce standardization of health care information — payments for deposits would be contingent on following standards and HRBs would only provide EHRs that did so.

    HealthVault in the Context of Health Record Banking

    So what does HealthVault do? Essentially, it can function as the “cubbyhole” server that makes individual complete records available for care (a previous posting describes implementing a health record bank with two servers — a “cubbyhole” server allowing access only to one record at a time for clinical care and a “searching” server for research queries). This of course depends on whether HealthVault is able to directly receive medical information from health care providers across the nation, certify the source of each data item, and ensure (to the satisfaction of physicians) that the information cannot be altered by consumers and therefore can be relied upon for decision-making. This would indeed be a major contribution.

    In order for this to occur, consumers must be convinced that the information in HealthVault is totally under their control, and that its privacy and security is protected. Microsoft has taken major steps to ensure the security of HealthVault, and has also agreed to abide by the Privacy Principles of the Coalition for Patient Privacy, a major bipartisan health privacy advocacy group. They are seeking or have received outside independent security certification (backed by independent audit) and are doing the same in the privacy domain. Clearly, establishing trust with consumers is essential to the success of HealthVault.

    HealthVault Does Not Fully Solve the Health Information Infrastructure Problem

    However, HealthVault does not address at least two important functions required to solve the overall health information infrastructure problem. First, it does not provide for searching consumer health records. Of course, consumers can decide to send their data outside the HealthVault for searching, but then it is no longer in the protected environment. As previously discussed in this space, searching the data is critical not only for public health and medical research, but also for certain clinical functions such as notifying consumers when a drug they are taking has been withdrawn from the market. Therefore, a complete solution requires adding search capability.

    Second, HealthVault does nothing to address the biggest problem of all with respect to electronic health records — that most of the information in doctors’ offices is still recorded on paper. Only about 1 in 5 physicians use an electronic health record (EHR) system today. While adoption of EHRs is continuing, it is slow — primarily because the business case for EHRs in physician offices is not good. Most of the benefits of such systems accrue to others in the health care sector besides the physicians. Therefore, physicians are reluctant to pay for them — and financial incentives for physicians are needed so that physicians will all convert to EHRs.

    As noted above, health record banks can address this problem by either paying physicians for deposits of encounter reports (the eHealthTrust business model) and/or by directly providing low-cost Internet-based EHR systems to physicians funded by the revenue received by the health record bank. In the absence of such financial incentives for physician EHR adoption, most health records will remain paper based and cannot readily be stored or processed electronically.

    HealthVault and Communities

    For those communities working on establishing health record banks, HealthVault is good news even though it is not the solution for the entire problem. Now communities have the option to use HealthVault as their “cubbyhole” server — at no charge. To complete their health information infrastructure, communities still need to establish a trusted multi-stakeholder organization to provide local governance to ensure trust. That organization would then engage a for-profit health record bank service provider to establish and operate a secure searching server and deliver low-cost EHRs to physicians using an effective business model that ensures sustainability. While these are by no means trivial tasks, HealthVault may allow community health record banks to be established more quickly and more easily by supplying part of the needed infrastructure — thereby reducing the upfront investment requirement.

    The real question is whether consumers will have sufficient trust to store their data in Microsoft’s HealthVault. Only time will tell.


    Scrap the national IT plan … and do it right instead!

    by William A. Yasnoff, MD, PhD, and Deborah Peel, MD*

    In a recent editorial, Modern Healthcare argues that the current national health information technology (IT) efforts should be abandoned since they can’t succeed unless “the federal government mandates a single healthcare information technology platform for all healthcare providers and heavily subsidizes its adoption.” While we agree that the current efforts are not progressing well, we are not willing to dismiss health information technology’s potential to improve care, increase efficiency, and reduce costs.

    Health Record Banks and Consent Management Tools Can Overcome Problems with Current Health IT Efforts

    Over the past several years, more than enough time and energy has been spent trying to automate our existing, inadequate system of health information “exchange” between various healthcare stakeholders. Not only have these efforts failed to solve the problem of making complete patient records available, they are also numbingly complex, frighteningly expensive, and a massive threat to privacy. It is time to use ‘smart’ technology and build a system of Health Record Banks that can provide more complete electronic patient information with informed consent whenever and wherever needed. Health record banks with independent consent management tools that automate the process of obtaining permission for each release of information can make the records needed for safe and effective medical care available while fully protecting every individual’s right to health information privacy.

    Health Record Banks (HRBs) would provide everything needed for an effective nationwide health information system: 1) consumer-controlled access to medical records; 2) financial sustainability; 3) incentives for physicians to acquire and use electronic health record (EHR) systems in their offices; 4) ironclad privacy protection; 5) stakeholder cooperation; and 6) access to health data for consumer-authorized secondary uses such as medical research.

    Each person would keep an up-to-date copy of their lifetime health record in an HRB “account.” All access to the information in the account would be controlled by the account-holder (the consumer), who would give permission for the necessary information to be available to health care providers. Each consumer would also have access to their own record, and could add and amend information as desired. All HRB record entries would be marked as to the source of the information. The Health Record Banking Alliance (HRBA) has been established to promote this approach to health information infrastructure.

    Independent consent management tools would allow consumers to exercise control of access to each and every data field of their personal health information by specifying (and changing as needed) who has permission to see each item.

    How Health Record Banks Work

    When seeking care, the account-holder would identify their HRB, having previously granted permission for the caregiver to access his/her records (either all or part) through a secure Internet portal. Confidentiality can be assured when data is sent from the bank to a provider by contractually requiring its use only for the purpose(s) that the patient approved. When the care episode is completed, the caregiver would then transmit any new information generated to that same account in the HRB to be deposited in the account-holder’s lifetime health record.

    HRBs themselves would have exclusive responsibility as the agent of each consumer, and would be required to follow stringent privacy and confidentiality practices to protect the information (either via open and transparent community oversight or legally-mandated government regulation). The Independent Health Record Trust bill recently introduced in Congress by Representatives Moore (D-KS) and Ryan (R-WI) with 48 bipartisan cosponsors (HR 2991) would create such a regulatory framework.

    HRB operations would be inexpensive — less than $1/person/month once the number of customers is large (over 1 million). This small cost could be paid directly by patients or be included in health insurance benefit plans. Even if the health care savings generated from the availability of more complete patient information amounted to just a small fraction of the published estimates of about 8% of health care costs ($40+/person/month), HRBs would pay for themselves many times over.

    How Independent Consent Management Tools Work

    Consent management tools permit consumers to instantly give or rescind permission to access their data electronically, set standing consents for data access in emergencies or any routine situation, and view complete audit trails of all uses and disclosures of their personal health information. Keeping all consents in a single independent location is convenient for consumers and makes it unnecessary to set up or remember to change permissions at every place of treatment and with every health professional or organization that holds, stores, or transmits their personal health information. Instead, all data holders would have to check electronically with each person’s consent management system before transmitting or disclosing any data to anyone. And consumers can easily monitor all access and uses of their health records because they will have audit trails of disclosure of their health records in one place.

    Consent management tools are also inexpensive: consumers or organizations representing consumers can pay nominal fees to obtain them or be given the tools in exchange for transaction payments from data users to independent consent management tool vendors.
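    The consent check described in this section, sketched as an added example (not code from the authors or from any consent management product): a data holder asks the consumer's independent consent store before releasing each data field, the default is deny, and every decision lands in one audit trail. The class names, the purpose labels, and the sample record are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

EMERGENCY = "emergency"  # assumed label for the standing emergency consent


@dataclass(frozen=True)
class AuditEntry:
    when: str
    requester: str
    data_field: str
    purpose: str
    decision: str  # "allow" or "deny"
    reason: str


@dataclass
class ConsentStore:
    """One consumer's consents, held independently of every data holder."""
    consumer: str
    # (requester, data_field) -> set of purposes the consumer permitted
    grants: dict = field(default_factory=dict)
    # data fields released to any requester that declares an emergency
    standing_emergency: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def grant(self, requester, data_field, purpose):
        self.grants.setdefault((requester, data_field), set()).add(purpose)

    def rescind(self, requester, data_field):
        # Takes effect on the very next check; nothing is cached by holders.
        self.grants.pop((requester, data_field), None)

    def check(self, requester, data_field, purpose):
        """Default deny. Allowed and denied requests are both audited."""
        if purpose in self.grants.get((requester, data_field), ()):
            decision, reason = "allow", "explicit grant"
        elif purpose == EMERGENCY and data_field in self.standing_emergency:
            decision, reason = "allow", "standing emergency consent"
        else:
            decision, reason = "deny", "no matching consent"
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(
            AuditEntry(stamp, requester, data_field, purpose, decision, reason))
        return decision == "allow"


def disclose(record, store, requester, purpose):
    """Data-holder side: release only the fields the consent store allows."""
    return {name: value for name, value in record.items()
            if store.check(requester, name, purpose)}


def demo():
    # Constructed sample record and identifiers, for illustration only.
    record = {"allergies": "penicillin",
              "medications": "sertraline",
              "psych_notes": "constructed note text"}
    store = ConsentStore("consumer-001")
    store.standing_emergency.add("allergies")
    store.grant("dr-adams", "allergies", "treatment")
    store.grant("dr-adams", "medications", "treatment")

    first = disclose(record, store, "dr-adams", "treatment")
    store.rescind("dr-adams", "medications")          # consumer changes mind
    second = disclose(record, store, "dr-adams", "treatment")
    er = disclose(record, store, "er-unit-7", EMERGENCY)
    return first, second, er, store.audit


if __name__ == "__main__":
    first, second, er, audit = demo()
    print(sorted(first), sorted(second), sorted(er))
    for entry in audit:
        print(entry.requester, entry.data_field, entry.purpose, entry.decision)
```

    Because denied requests are logged alongside allowed ones, the consumer's audit trail also shows who tried to reach data they had no permission for.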

    Health Record Banks Can Provide Physician EHR Incentives

    HRBs can also provide incentives for physician EHR adoption and use. The HRB would either pay a small fee for each deposit of a standardized electronic report of an outpatient encounter, or provide free access to an EHR system to physicians via the Internet. This would help ensure that all patient information was electronic — a requirement that is not being addressed in current efforts. These HRB incentives explicitly recognize that the benefits of physician office EHRs primarily accrue to other healthcare stakeholders. Note that this would also allow HRBs to enforce standardization of health care information — payments for deposits would be contingent on following standards and HRBs would only provide EHRs that did so.

    Health Record Banks Protect Privacy While Enabling Consumer-approved Secondary Data Access

    Privacy protection would be assured because no HRB would allow access to any information for any purpose without the patient’s permission. In essence, the HRBs would provide “electronic safe deposit boxes” for each consumer’s medical records. Stakeholder cooperation would be assured because it is the patient who requests copies of his/her records for deposit in the HRB. Under HIPAA (the Health Insurance Portability and Accountability Act), patients already have the right to such copies.

    Finally, HRBs promote appropriate secondary access to electronic health care information. When public health authorities or medical researchers query HRB(s), information from all account-holders that have agreed to allow that particular use of their data would be searched. Confidentiality can be assured by limiting the response to a query to the number of records that meet whatever criteria were submitted. The actual data would not be released to any researchers or public officials unless required by federal statute, assuring that consumers can participate without any risk of data or identity theft or loss of privacy. If needed, a message can be sent privately to each account-holder matching the query conditions. This would, for example, allow notification of account-holders of their eligibility for a clinical trial (see the previous posting on this topic for more details). If fees are charged for data access, the revenue could be shared with account-holders as an incentive to allow such use.
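    The count-only secondary query described above (and in the earlier HealthVault post), as an added example that is not code from the authors or from any HRB: only accounts that agreed to the stated use are searched, the requester receives a number and nothing else, and notifications are delivered inside the bank. The account layout, the use labels, and the sample data are constructed; the `min_count` threshold is an added assumption, not something the post proposes, and is off by default.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    record: dict
    allowed_uses: set                  # secondary uses the holder agreed to
    inbox: list = field(default_factory=list)


def takes(drug):
    """Build a criteria function: does the record list this medication?"""
    return lambda record: drug in record.get("medications", [])


def count_query(accounts, use, criteria, message=None, min_count=0):
    """Search consenting accounts and return only an aggregate count.

    accounts : iterable of Account held by the searching server
    use      : the secondary use the requester declares, e.g. "research"
    criteria : function(record) -> bool
    message  : optional text delivered privately to each matching holder
    min_count: added assumption, not from the post. Counts below this
               are reported as 0 so that a very small result cannot
               point at one person. The default 0 disables it.
    """
    matches = [a for a in accounts
               if use in a.allowed_uses and criteria(a.record)]

    # Notification happens inside the bank; the requester never learns
    # which accounts received it.
    if message is not None:
        for account in matches:
            account.inbox.append(message)

    if len(matches) < min_count:
        return {"count": 0, "suppressed": True}
    # No identifiers and no record contents leave this function.
    return {"count": len(matches), "suppressed": False}


def sample_accounts():
    # Constructed data for illustration only.
    return [
        Account("acct-1", {"medications": ["drug-x"]},
                {"research", "public_health"}),
        Account("acct-2", {"medications": ["drug-x", "drug-y"]},
                {"research"}),
        Account("acct-3", {"medications": ["drug-x"]}, set()),  # no consent
        Account("acct-4", {"medications": ["drug-y"]}, {"research"}),
    ]


if __name__ == "__main__":
    accounts = sample_accounts()
    notice = "You may be eligible for a clinical trial."
    print(count_query(accounts, "research", takes("drug-x"), message=notice))
    print([(a.account_id, len(a.inbox)) for a in accounts])
    print(count_query(accounts, "research", takes("drug-x"), min_count=3))
```

    The account that takes the drug but did not agree to research use is neither counted nor notified.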

    Conclusion

    So we agree — let’s scrap the current national health IT efforts … and use smart technology instead. With health record banks and independent consent management tools, we can build an electronic health system that delivers all the benefits we want and ensures that privacy rights are strengthened and preserved—so consumers will actually be willing to participate in electronic health record systems. Communities such as Louisville, KY, Washington State, and Texas are already on the HRB path — why not yours?

    —–

    *Dr. Peel, co-author of this blog posting, is Founder and Chair of the Patient Privacy Rights Foundation, and leads the bipartisan Coalition for Patient Privacy. She is a practicing Board-certified psychiatrist and Freudian psychoanalyst and earned her MD at the University of Texas Medical Branch in Galveston. Modern Healthcare recently named her #4 in their list of the 100 most powerful people in healthcare in 2007.


    Health Record Banks Facilitate Consumer Control and Promote Privacy

    Michael Porter’s Support for Health Record Banks

    Many advocates of health care system reform have been avidly reading Redefining Health Care by Michael E. Porter and Elizabeth Olmsted Teisberg (Boston: Harvard Business School Press, 2006), which advocates moving to a system of value-based competition based on results. In it, the authors clearly recommend the health record banking approach:

    “Today, medical records are scattered. There are separate records at individual physician offices and at various treatment facilities. Specialists usually send summaries to the patient’s primary care provider or family physician, not the full record of their care. Records are not kept in a form that is easy to integrate.

    Current proposals for records management aim to facilitate requests for records, when needed, from the various providers (the so-called pointer system). However, this approach is cumbersome, technologically questionable, and inherently costly. Patients need to have ownership of their own medical records. They need a secure, complete personal medical record that is all in one trusted place (though there is no need for everyone’s records to be in the same place). Electronic availability (with appropriate permission) will enable records access on a timely basis and in emergency settings.

    A trusted third party will be needed to play the role of maintaining, accumulating, and verifying the patient’s records and making them available when, and only when, the patient has given approval.” (page 272)

    As work continues across the U.S. and elsewhere to build health information infrastructure (HII) allowing “anytime anywhere access to complete patient information and decision support,” a consensus appears to be emerging on the closely related issues of consumer control to assure privacy and the need for health record banks that is consistent with Porter and Teisberg’s views.

    Patient Control of Access to Their Electronic Health Information

    With respect to patient control of access to their own health records, a recent report entitled “The Way Forward for NHS Health Informatics” from the British Computer Society reviewed the HII efforts in the U.K. and recommended that “… informed patient consent should be paramount [in the sharing of electronic patient data].” (recommendation 1.12 on page 4)

    At the January, 2007, Nationwide Health Information Network (NHIN) Forum in Washington, DC, all four of the vendors demonstrating prototype architectures and every other speaker who discussed the topic agreed that patients should control all access to their electronic medical information. Interestingly, there was essentially no discussion or questioning with respect to this point — it appears to now be an accepted conclusion.

    The idea of patient control is not new. Mandl et al. suggested this as a key principle in an article in the British Medical Journal in 2001. What makes the recent developments remarkable is that this truly patient-centric view has not been clearly articulated before (at least in the context of an NHIN meeting), much less accepted as a key requirement.

    This is a very positive development, as it seems clear that the general public will not accept electronic health information systems unless individuals control access to their own records. For example, in a 2005 national survey, 79% of respondents indicated access to such information should require their permission. There is good justification for this. As Mandl et al. point out, “If patients feel that they have no control over the fate of their medical information, they might fail to disclose important medical data or even avoid seeking medical care because of concern over denial of insurance, loss of employment or housing, or stigmatisation and embarrassment.”

    Finally, Dr. Robert Kolodner, Interim National Coordinator for Health Information Technology at the U.S. Department of Health and Human Services, announced this past week that the upcoming RFPs for “trial implementations” of community HII systems would require technology implementations that allow patients to control the detailed flow of their own information — deciding how they “view, store, and control access.” In this way, the technology will be able to support consumer control at the data item level. While providing such control in health record systems is not currently required by law or policy, incorporating these capabilities ensures that the “technology will not drive the policy” with respect to privacy. This is a wise and prudent approach to HII technology.

    Need for Health Record Banks for Secondary Data Use

    Another interesting development at the January NHIN Forum was the acknowledgement by all four of the prototype developers that efficient secondary use of electronic health information required the establishment of one or more data repositories to facilitate searching. Activities such as identifying subjects for clinical trials, public health monitoring of disease trends, and assessing potential unexpected outcomes of therapeutic interventions on a population basis, clearly require the availability of searchable databases. As has been pointed out in previous postings here, this creates a need for health record banks where copies of complete patient records can be accumulated under strict patient control.

    The provision of consumer control at the data item level will also require the health record bank approach, since it is extremely difficult to provide consumers with the ability to decide what information they wish to share unless the information itself is available to be directly linked to consumer permissions.

    The Time Has Come for Health Record Bank Implementation

    The State of Washington has recently recognized the advantages of the health record bank approach to HII. After a 16-month process of study and review, the Washington State Health Information Infrastructure Advisory Board (HIIAB) (created by the Legislature) released its final report in December, 2006, recommending the development of multiple health record banks containing consumer-controlled copies of health records from multiple sources. The Governor’s request for $9 million in seed funding for implementation efforts is now being considered by the Legislature.

    As I indicated in a recent editorial, it is time for health record banks to be built and made available to consumers. Hopefully, 2007 will be the year that we begin to build the foundation for a safer, higher quality health care system by creating the health record banks consumers need to make their complete electronic medical records available for their care while fully protecting their privacy.
