The social uses of data stored in EHRs and the privacy protections needed

EHRs either make sense clinically or economically on an individual patient or practice basis, or they don't, depending on which study you read. 

Let's assume that implementation does not make economic sense, or that implementation is cost-neutral, at the individual practice level.  Should the EHR implementation agenda be advanced nevertheless?

The argument goes like this: aggregate data will point to new findings regarding safety, efficacy and efficiency of different treatment modalities for patients with the same or similar diagnoses.  Providers can then be incentivized (through P4P, or its subset, value-based purchasing) to follow the preferred approach. 

This has the potential to help all of us, but of course there is also the potential for inappropriate sharing of personal health information.  HIPAA doesn't quite help in these circumstances (there are some aspects of EDI, RHIOs, etc. not contemplated when the HIPAA rules were being written, not all that long ago) though some fixes may be in the works.  See news regarding NCVHS letter to HHS promoting expansion of HIPAA (and a copy of the NCVHS letter, too), though it's worth noting that's been in the works for about a year).

"Secondary" use of health data -- i.e., use of data "for non-direct care, including analysis, quality, research, payment, provider certification, marketing and commercial activities" -- is the subject of ongoing review and consideration by an AHIC workgroup and by AHRQ.

Update 7/20/07:  The Washington Post reports on concerns about holes in HIPAA and proposed legislation to tighten it up; Jeff Drummond, at the HIPAA Blog is dismissive of what he sees as folks getting all hot and bothered about not all that much.

Here's hoping that the potential for using all this data we're collecting for the collective good isn't mucked up by the federales and -- dare I say it -- the lawyers.

-- David Harlow

New study: EHRs really do save money over time

OK, so there's a study to back up any statement you may want to make about EHRs. 

Last week, it was: EHRs don't improve outcomes.  This week, it's: EHRs save money over time.  This week's study was based on a much smaller sample size, and the major cost savings was on staff time spent pulling charts.  Both studies were limited to ambulatory care settings.

-- David Harlow 

Spin on the study that says ambulatory EHRs don't improve health care

Here's the scoop, from Archives of Internal Medicine, via Reuters/Yahoo, via iHealthbeat:

The study found that EHRs did not affect 14 of 17 quality measurements evaluated. In two of the areas, better quality was associated with EHRs, while in one area, worse quality was associated with EHRs, according to researchers at Stanford University and Harvard University.

The study was based on a survey of 1.8 billion physician visits in 2003 and 2004, 18% of which used EHRs.

"Our findings were a bit of a surprise. We did expect practices [with EHRs] would have better quality of care," Randall Stafford of Stanford, said, adding, "They really performed about the same."

The story ends there for most folks.

However, the WSJ Health Blog guys, being either more thorough or more easily duped (I'd guess the former), conclude with the study's authors' observations that correlation doesn't equal causality, more study is needed, the data is old, EHR systems implemented since the time the studied data was collected are oh-so-better, there's room for improvement, etc.

The value of system-wide implementation of EHRs may ultimately be at the system level, not at the patient level -- the ability to identify and implement best practices based on massive quantities of data seems likely to "lift all boats," as it were.  The study focused on indicators physicians already knew aboout; perhaps the key value in EHRs in improving population-wide health will be the ability to identify new indicators. The question remains: how does this technological imperative get funded at the individual practice level if the benefit is at the system level? 

(See past HealthBlawg posts on EHRs.)

-- David Harlow

News of first HIPAA security audit trickles out

While neither the federales nor the hospital in question has confirmed the story, an Atlanta hospital has reportedly been the target of a HIPAA security rule audit.  This month, Computerworld reproduced the laundry list of inquiries and document requests presented by the feds.  An instructive list, and worth the attention of other covered entitites.

HIPAA enforcement continues to gather steam.

Based on a recent government-funded study, it appears that many covered entities have been experiencing some confusion about the precise nature of their obligations under HIPAA.  In the face of heightened scrutiny and enforcement, compliance becomes an even more important priority.

The Harlow Group LLC, together with its affiliated experts in complementary disciplines, stands ready to assist covered entities with compliance audits, planning and implementation of their HIPAA compliance strategies.

-- David Harlow 

IRS offers further clarification of EHR safe harbors

The IRS recently issued a Q&A document clarifying a handful of questions raised by the memorandum on the EHR safe harbors issued last month. 

One of the Q&A's seems to represent significant backpedaling by the IRS from its earlier guidance, which said docs had to provide hospitals access to PHI except as prohibited by law.  Now the IRS recognizes that the physician may have contractual obligations to patients and that the hospital and physician may negotiate terms and conditions of access.  It's the fifth of six points set forth in the latest guidance:

Q5 -- What type of restrictions, if any, may a medical staff physician impose on the hospital’s access to electronic medical records created by the physician using the Health IT Items and Services subsidized by the hospital?

A5 – A physician may deny a hospital access to such records if that access would violate federal and state privacy laws or the physician’s contractual obligations to patients. Also, the hospital and physician may agree on reasonable conditions to the hospital's access. For example, their agreement could allow the hospital to access a patient’s medical records only when that patient becomes a patient of the hospital, and could deny the hospital access to nonmedical information such as billing, insurance eligibility, and referral information.

Works for me.

-- David Harlow

The strange case of the arrogant physician, and related musings on the propriety of physician blogging and other online behavior

Every tragic hero succumbs to a fatal flaw. Consider the hubris on the part of Flea, aka Dr. Robert Lindeman who was, until a couple of weeks ago, the defendant in a med-mal trial who was blogging about his own case (and his take on opposing counsel, the jurors, and his own defense) -- until his lawyer finally must have made him stop.  On cross-examination, he acknowledged his nom de blog, and the case settled the next day -- an outcome presumably preferable to having his blog posts read to the jury.

This takes the questions about propriety of physician blogging to a whole new level.

And while we're on the subject of physicians and their on-line behaviors, let's stop and think for a moment about the epochal AMA-Sermo deal.  Fascinating idea: let physician share notes, including notes about patient drug reactions/side effects (anonymized, of course) in a physician-only online community.  The service is free to physicians, thanks to sponsorship by financial services firms and industry analysts -- who have access to the physician postings, and presumably expect to be able to use the information gleaned from the postings to their benefit.

There's the opportunity for benefits to physicians (particularly those in solo and small practices) and to medical care generally thanks to the communication tools available through Sermo -- including, for example, the world's biggest journal club.

There is also the potential for unintentional release of personally identifiable health information (through a combination of potential physician error, other human error, and hacking), and also the propagation of anecdotal reports on a larger scale and faster speed than has been possible in the past.

A better pathway to sharing of data in a meaningful way for the benefit of patients -- i.e., sharing information so as to develop new or revised protocols for care (evidence-based medicine) -- may be the broad dissemination of EHR systems and the use of data collected through EHRs.  Thomas Goetz presents this point succinctly (and pooh-poohs some of the privacy concerns outlined above) in a recent post on his blog, Epidemix.   

Update 6/13/07: Goetz' related opinion piece in the NY Times (promoting VistA Lite) was pooh-poohed in turn by Micky Tripathi and Matthew Holt.

-- David Harlow

IRS finally green-lights hospital underwriting of physician EHR systems

The safe harbors for hospital funding of physician EHR system acquisition have gone largely unused to date.  That should change -- at least for the tax-exempt hospitals -- now that the IRS has issued its eagerly-awaited memorandum regarding "Hospitals Providing Financial Assistance to Staff Physicians Involving Electronic Health Records."  It's refreshingly short for a government document on such a heavily-chewed-on topic.  I'll quote the operative language in full:

We will not treat the benefits a hospital provides to its medical staff physicians as impermissible private benefit or inurement in violation of section 501(c)(3) of the Code if the benefits fall within the range of Health IT Items and Services that are permissible under the HHS EHR Regulations and the hospital operates in the manner described below.

A hospital that is otherwise described in section 501(c)(3) of the Code enters into Health IT Subsidy agreements with its medical staff physicians for the provision of Health IT Items and Services at a discount (“Health IT Subsidy Arrangements”). These Health IT Subsidy Arrangements require both the hospital and the participating physicians to comply with the HHS EHR Regulations on a continuing basis. The Health IT Subsidy Arrangements provide that, to the extent permitted by law, the hospital may access all of the electronic medical records created by a physician using the Health IT Items and Services subsidized by the hospital. The hospital ensures that the Health IT Items and Services are available to all of its medical staff physicians. The hospital provides the same level of subsidy to all of its medical staff physicians or varies the level of subsidy by applying criteria related to meeting the healthcare needs of the community.

This memorandum does not apply to a hospital that allows its earnings to inure to the benefit of one or more medical staff physicians through arrangements that are other than Health IT Subsidy Arrangements, because the hospital would not be considered to be described in section 501(c)(3) of the Code.

The AHA is happy for its tax-exempt hospital members.  Presumably the AMA will be happy too.

Now, of course, we'll have to wait and see who jumps on the bandwagon, what kind of spending they're prepared to commit to, and how the rollout of new EHR systems will affect health care delivery.

Update 5/17/07:  Not everyone is so thrilled.  Some observers believe that, in an abundance of caution, the IRS may have gone too far by requiring equal access to subsidies for all docs on a hospital's medical staff, and requiring that the docs provide access to patient data that's in the EHR.  Seems to me that while the IRS may be a little heavy-handed here, hospital access to data in the EHR is a good thing, not a bad thing; the data in such a system should be protected by a business associate agreement (BAA).

-- David Harlow

Open source EHR? VistA Lite goes for CCHIT certification with a wiki-based support model. Hmm.

Modern Healthcare reports on the adaptation of VistA for small physician offices:

CCHIT closed applications on Feb. 14 for its fourth batch of testing of electronic health-record systems for the ambulatory-care environment with a record 35 applications received. CCHIT does not reveal the names of system developers seeking certification, but one of them self-disclosed: WorldVistA, the not-for-profit corporation formed in 2004 to develop an open-source version of the VA's VistA system for use outside the VA.

WorldVistA is now the lead developer on the VistA adaptation, which has had the working names VistA Lite and VistA Office EHR, or VOE, and started under a contract initiated in 2004 by the CMS . . . .

The WorldVistA team's credentials are impressive, but will a donation-supported, wiki-based EHR system really be a practical solution for small physician practices?  Physicians would like to get some clinical return on EHR investment (hey, we all know that even a free system isn't really free).  The recent PricewaterhouseCoopers report about clinical returns on hospital IT investment is encouraging (see FierceHealthIT post with link to report), but it seems to me that most small physician practices will be looking for something with more immediate demonstrable benefits, with even lower initial technical and financial hurdles.  (Some might even prefer to start with the AdSense-funded EHR, though that of course raises a host of other problems.)

-- David Harlow

CMS launches DOQ-IT University

From a CMS press release issued today:

The Centers for Medicare & Medicaid Services (CMS) today announced the national launch of DOQ-IT (Doctor’s Office Quality Information Technology) University, or DOQ-IT U, to support health information technology (HIT) in physicians’ offices.

DOQ-IT U is an interactive, Web-based tool designed to provide solo and small-to-medium sized physician practices with the education for successful HIT adoption, including lessons on culture change, vendor selection and operational redesign, along with clinical processes.  The nationally available e-learning system is available at no charge.

"CMS is pleased to launch DOQ-IT University, the first of its kind e-learning platform, to provide assistance to physicians across the United States in the adoption and implementation of electronic health records and care management practices," said CMS Acting Administrator Leslie V. Norwalk, Esq.  "DOQ-IT U’s interactive platform, self-paced curriculum, and associated tools provide physicians with easy access to the resources they need to help ensure that patients receive the highest quality of care at all times."

The elearning website is here (quick free registration required).

See earlier HealthBlawg post on a CMS DOQ-IT-related P4P demonstration project here, and a link to a MA Medical Law Reports article on the subject here.

-- David Harlow

Privacy worries: medical bloggers and, yes, the Google EHR

Physicians have written about patient cases for their peers and for the general public for years and years.  Oliver Sacks, Atul Gawande and the weekly case report from MGH in the New England Journal of Medicine come to mind as current examples of this long tradition.  This thing we call the blogoshere, though, due to its speed and informality, raises the potential of inadvertent breaches of patient confidentiality (and, of course, the potential for liability under HIPAA and state laws).  A recent entry in iHealthBeat notes:

Physicians and other health care workers are attracted to blogs because of the anonymity they provide. While some medical bloggers write on uncontroversial topics, others use the outlet to discuss patients, sometimes in graphic or crude detail, according to the [Detroit] Free Press.

And therein lies the potential problem.  Education, as well as adoption and enforcement of blogging policies by physician organizations and institutions, can help protect medical bloggers from potentially overstepping the bounds of propriety -- and the law.

But who will keep Google in check?  The latest from the Googleplex is news of AdSense-funded free EHRs for physicians.  Google says physicians can nix the ads by paying a $250 monthly fee.  I know Google says they don't read the content of the EHRs (just as they don't read your gmail, etc.), they just analyze it in order to feed you targeted ads.

With a tip of the hat to John Christiansen, one must ask: if a physician who opts for the ad-subsidized version orders a federally-reimbursed service or product whose ad pops up next to a patient's EHR, are we in anti-kickback territory? 

-- David Harlow