Archive for December, 2008

A Health IT Plan for the Nation

Saturday, December 20th, 2008

In an op-ed article in Business Week online posted 12/19/08, I describe how health record banks (HRBs) can solve the problem of making complete patient records available at any point of care while providing electronic medical records (EMRs) to all physicians and fully protecting individual privacy. I then outline the policies that the new Obama Administration should adopt to encourage the development of health record banks with only relatively modest new Federal expenditures.

I think these issues are particularly timely and relevant since funding for health information technology is being included in the Economic Recovery bill currently being drafted. Funding alone will not solve this problem; the expenditures must be directed towards a feasible and sustainable system.

In brief, the Federal Government should take four steps to create an effective health IT system that delivers complete patient records at any point of care:

  1. Restore the right to medical information privacy (see my previous post for a detailed explanation about why HIPAA currently does not ensure privacy protection);
  2. Give all patients the right to a no-cost electronic copy of their medical information at least at the time of service (which they could direct to their HRB account);
  3. Make the cost of an HRB account (up to $12/year) a covered benefit for all Federal health beneficiaries (with encouragement to the private sector to do the same). This latter “pay for results” policy would only result in expenditures when consumers opened an HRB account — having the account would ensure health care savings at least 10 times the covered cost.
  4. Establish a regulatory framework for HRBs to provide oversight. Each HRB would be required to demonstrate compliance with privacy protections and other operational rules designed to protect consumers.

I believe that these policies will lead to an effective, self-sustaining, private-sector health IT system that provides heavily subsidized EMRs to all physicians and fully protects individual privacy.

    There are more details about these and related issues in the new book just published by HIMSS entitled, “Personal Health Records: The Essential Missing Element in 21st Century Healthcare” which I co-authored with Holly Miller, MD, MBA, and Howard Burde, Esq. It provides a comprehensive overview and discussion of the many issues pertaining to the adoption and use of personal health records, with chapters on PHR architecture (including the health record bank model), PHR law, and PHR business sustainability models.

    In this posting, I wanted to respond to a few FAQs about the policies I’ve recommended.

    How much would your plan cost?

    Since there are about 100 million Federal health beneficiaries, the new HRB account benefit of $12/person/year would cost a maximum of $1.2 billion/year (if everyone signed up). This amounts to 0.2% of health care costs. Conservative analyses can easily demonstrate health care cost savings of 2% as a result of HRB accounts through improving chronic disease management and avoiding preventable hospitalizations due to outpatient adverse drug events, duplicative imaging studies, and unnecessary repeat laboratory work. This 2% total savings amounts to ten times the proposed payment for a health record bank account. But even if these estimates are grossly inaccurate, the savings most certainly will be at least as great as the expenditures, not counting additional value from more timely and complete availability of information to medical researchers, public health officials, and policymakers (with consumer consent).

    Won’t a health record bank cost more to operate than your $1/person/month estimate?

    The recent Center for Information Technology Leadership report on Cost and Value of Personal Health Records (PHRs) estimates the cost of an “interoperable PHR system” (i.e., a health record bank) at $8/person/year if there are 500,000+ subscribers. My own data shows that the cost will be about $6/year (50¢/person/month) with 1 million subscribers. So the estimate I use of $1/person/month is, if anything, a bit too high.

    How much will it cost to subsidize electronic medical record systems for physicians?

    To subsidize each physician at the rate of $5,000/yr for an Internet-accessible EMR system (which would cover most of the EMR system cost) would require about $10/person/year. The way I get $10 is that there are about 600,000 physicians and 300 million total population in the U.S. Therefore, there are about 500 people/physician — therefore, to get $5,000/physician, the cost/person is $10.

    What is the business model for a health record bank?

    Revenue would be about $5/year from advertising to consumers (like the advertising you see on Google) and $12/year from reminders and alerts, for a total of $17/year. The reminders and alerts would be services such as: 1) notifying you instantly if the HRB account of any of your loved ones is touched by an emergency room physician; 2) “prevention advisor” giving you reminders of anything you need to do to stay healthy (e.g. colonoscopy, etc.); or 3) medication reminders (for each dose and/or for refills). The first two would be paid by consumers (or perhaps even by health plans), the last one by pharmaceutical firms. In any case, I think $1/person/month (or $12/year) in revenue for all reminders is very conservative, even allowing for the fact that some consumers will not want to pay for any of them.

    Expenses would be $6/year for the basic operation of the bank and $10/year to subsidize each physician in the amount of $5,000/year for an Internet-accessible EMR system.

    With revenue of at least $17/year and expenses of only $16/year, a health record bank is profitable. And this analysis includes not only the cost of the HRB itself, but also subsidies for all the EMRs for physicians. Finally, note that I have not invoked (or tried to capture) a penny of health care cost savings in this business model.


    In summary, health record banking provides a self-sustaining, private-sector health IT solution that can deliver complete patient records at any point of care, subsidize EMRs for physicians, and fully protect privacy. While it is highly likely that HRBs will result in substantial health care savings, their financial sustainability is based solely on the new value that they create for consumers.

    Some PHRs Already Have Strong Federal Privacy Protection

    Wednesday, December 10th, 2008

    In my last posting, I explained why the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule does not really assure our privacy. This time I want to address another widespread myth – namely, that personal health records (PHRs) have no privacy protection. The news here (thankfully) is good – it turns out that publicly-available PHRs are in fact subject to quite stringent privacy protections under Federal law. In view of this, the frequent calls that are heard to extend HIPAA privacy “protections” to PHRs are misguided at best. HIPAA does not protect privacy and, as you will soon see, extending that “non-protection” to PHRs would actually eliminate our existing protections.

    In 1986, the Electronic Communications Privacy Act (ECPA) was enacted (also known as the Stored Communications Act or SCA). The purpose of this law was to protect the privacy of electronic communications (primarily e-mail) and also data stored by a remote computing service. Specifically, ECPA prohibits the operator of a publicly-available remote computing service (such as a PHR) from releasing any information to any private party for any reason without the consent of the subscriber. Unlike HIPAA, there are no exceptions for treatment, payment, health care operations, or anything else. Therefore, at least for publicly-available PHRs, such as Microsoft HealthVault or Google Health, the organization holding the information MUST GET YOUR PERMISSION before releasing any of your data to any private party. The law is not long or complicated – I urge you to read it yourself if you have any doubts.

    While the ECPA law was not expressly directed to PHRs (which were not really contemplated in 1986), or the Internet (which had yet to gain widespread attention and use), Congress did specifically consider the issue of health records in its deliberations. Senate Report No. 99-541, (1986), said “[t]he Committee also recognizes that computers are used extensively today for the storage and processing of information. With the advent of computerized recordkeeping systems, Americans have lost the ability to lock away a great deal of personal and business information. For example, physicians and hospitals maintain medical files in offsite data banks, …” (emphasis added, quoted from page 7013 of this recent Federal Appeals Court decision). Therefore, it was clearly the intent of Congress to protect our electronic medical records with this law.

    Unfortunately, this does NOT mean that all PHRs are protected by Federal law. Only those that are “publicly-available” are included. While this clearly would apply to generally available web-based PHRs, systems provided only to specific individuals by employers, insurers, and even healthcare providers are less likely to be considered “publicly-available.” Therefore, ECPA protection is limited. So you are only covered if you use a PHR that is available to anyone. Clearly, it would be good to extend this strong Federal protection to all PHRs.

    Another reason for concern if you use a PHR that is supplied by a HIPAA “covered entity,” (which would include physicians, hospitals, employers, and health insurers) is that HIPAA, as explained before, does not protect your privacy. The holder of the information is allowed to release your data WITHOUT your consent for “treatment, payment, or health care operations” (TPO) without the necessity of keeping any records of such disclosures to prove their legitimacy after-the-fact. And even if a PHR from a HIPAA covered entity were to somehow be considered “publicly-available” and therefore be subject to ECPA, the legal argument is that HIPAA provides the consent required under ECPA for TPO uses (and therefore your information could still be released without your consent).

    Having read this far, it should now be quite clear to you that extending HIPAA “protections” to PHRs makes no sense and would actually have the effect of making these systems just as unaccountable as everything else covered by HIPAA. On the other hand, extending the ECPA law to all PHRs (not just those that are “publicly-available”) would truly give us all strong Federal privacy protections (at least for our PHRs).