I. Introduction
The traditional, paper-based model of patient medical information now lies on its long-awaited death bed. Recognizing the need to expand the use of information technology in health care, both the federal government and health care policy advocates have been actively supporting the adoption of electronic health records (“EHRs”) specifically, and health information technology (“HIT”) generally, to reduce medical errors, measure quality, and coordinate care among all health care providers. Now, with a technological approach to achieving these industry goals firmly established in the health care debate, the question has shifted from whether we should employ electronic health records at all, to what the proper implementation of an EHR system should look like
In solving this primary issue of system design and implementation, this paper will first outline the characteristics and benefits of electronic health records in the United States and then present and address four legal and organizational barriers critical to an effective EHR system. First, consumer privacy and data security protections must exist at all levels, encrypting health information and requiring patient authorization before medical files are used in most circumstances. For the most part, the privacy subtitle of the Health Information Technology for Economic and Clinical Health Act (“HITECH”), or §§ 13400-13411 of the American Recovery and Reinvestment Act of 2009 (“ARRA”), already effectively deals with these privacy concerns. Second, Congress must also establish clear laws on medical professional liability for both providers and software developers when electronic records are used, transmitted, and relied upon. In general, liability should be placed on doctors when they misuse EHRs and on developers when systems unreasonably fail. Third, an effective EHR system must employ open standards and fully support interoperability if the information contained in an electronic record is to be truly usable in our health care environment’s distributed clinical setting. This includes both content and technical standards, requiring all EHRs to use the same language and operate on all platforms and devices. Because interoperability lies in such potential conflict with the patient privacy barrier mentioned above, getting this architecture right the first time is of particular concern. Finally, financial issues such as installation and maintenance costs and structuring incentives for providers of all sizes to proactively adopt EHR systems present a final barrier for electronic health record implementation. Doctors and institutions must recognize a return on their investment in this new system if they are to voluntarily adopt electronic health records, and the “uncertainty gap” between federal incentives for physicians to adopt EHR technology, such as those currently provided by the HITECH Act, and the actual costs to each physician and provider must be closed.
Effectively implemented, a national, networked, and interoperable system of electronic health records will improve health care efficiency and safety, save billions of dollars annually, and lead to the economic and social benefits that come with the resulting improvement in both primary care and in the prevention and management of chronic disease. Across the board improvement in clinical outcomes is the goal; a system of electronic health records is merely an effective and heretofore unutilized tool to achieve that goal. In order to realize these improvements, however, these legal and organizational barriers must be overcome and a necessary shift must take place in the culture and attitude of the health care industry and its care providers—a shift towards the acceptance of technology as a necessary tool and value-adding improvement to health care delivery and communication. In the end, an effective EHR system will protect consumer privacy while remaining fully interoperable—much like the financial and related industries have done —as well as employ open standards that securely store medical data over a distributed, accessible network—much like sensitive information is currently stored on networks like the Internet—creating a permission-based information exchange fully open to innovation, development, and access by patients and authorized providers alike.
II. Electronic Health Records
A. What Are Electronic Health Records and EHR Systems?
1. General Overview
In its most general form, an electronic health record is a “patient’s medical file, which is stored electronically and maintained by a health care provider.” The EHR contains a patient’s complete medical history—just like their assortment of paper charts in most institutions today—and streamlines such tasks as “ordering prescriptions and tests, informing clinical decisions, and developing a longitudinal record of events, decisions, and information pertaining to a patient’s care.” Because of this, electronic records have been described as forming the “central nervous system of the health care system,” seeking to “link or otherwise leverage the patient safety information contained in existing silos such as hospital [medical records].” An EHR system, then, creates standards for the creation, access, and transmission of individual electronic health records. With a secure, distributed network of medical records, it allows for such capabilities as viewing, ordering, and messaging records; documenting and managing care; and analyzing, reporting, and researching medical treatments and administration.
Creating a system of electronic health records requires much more than simply “computerizing the current setup,” however. Though merely digitizing the current system of paper records would go a long way in facilitating access to patients’ medical records, an EHR system that will achieve the goals of improved clinical care and a more efficient overall health care system must take advantage of the underlying efficiencies and breadth of medical information processing that Internet-era technologies provide. Computerizing an inefficient system will simply make it inefficient, faster; to be truly effective, then, EHRs must combine wide ranging health information and data into an accessible format, facilitating electronic communication and connectivity and transforming the underlying system processes themselves.
2. Core Functionalities of an EHR System
With this in mind, most institutions and commentators understand that EHRs do much more than keep records. Also, while there is no universally accepted definition for an electronic health record or an EHR system, there is significant agreement as to just what the essential components are, with the Institute of Medicine identifying a comprehensive list of eight such “core functionalities” that electronic health records and effective EHR systems must employ.
First, at a basic level an electronic record must contain certain data about patients, including past laboratory test results, allergies and other medications that the patient is taking, medical and nursing diagnoses, patient demographics, and clinical narratives. Second, EHRs should display and organize the results of all types of patient procedures—such as laboratory test results and radiology procedure results—to allow for quicker access by providers when this information is needed, reduce unnecessary testing, and increase patient safety by enabling quicker recognition and treatment of medical problems. Third, computerizing the entry and management of medical orders or other patient instructions within an EHR system eliminates a number of existing administrative hurdles. For instance, computerized provider order entry (“CPOE”) necessarily follows from the digitization of medical records, reducing lost orders, eliminating mistakes based on illegible handwriting, generating related orders automatically, and reducing the time to fill orders and prescriptions.
A fourth essential element to an effective EHR system lies in decision support; computer-based reminders and notifications—part of the broader category of clinical decision support systems (“CDSS”)—can detect adverse consequences to human-prescribed medications or treatments based on the patient’s medical history or list of currently prescribed drugs, allergies, or conditions stored in the EHR itself, or even automatically push unsolicited recommendations to providers when certain conditions are met. Moreover, EHR systems should fully leverage their electronic connectivity and facilitate online communication among health care team members, other care partners like laboratories and pharmacies, and patients. Types of online communication include email, website private messaging, Internet messaging programs like Google Chat, “integrated health records” within and across institutions, telemedicine, and home telemonitoring. Additionally, this later service—patient home monitoring—and other forms of patient education and the electronic provision of care by doctors can allow for more constant, controlled care by doctors and self-help remedies for patients who are often unaware of such solutions.
Finally, two other administrative categories round out the Institute of Medicine’s list of essential characteristics. For one, administrative tasks such as electronic scheduling systems for hospital admissions and inpatient and outpatient procedures and visits, billing and claims management, and immediate insurance validation are obvious administrative components to an EHR system. Computerized tools and software could also be used to “identify individuals who are potentially eligible for clinical trials, those who should be informed about drug recall, or candidates for chronic disease management programs” or organ transplants as well. Second, interoperable and standard-formatted records would reduce the time and money currently spent on abstracting clinical data from charts for resource-consuming public and private reporting requirements at the federal, state, and local levels for patient safety, quality, and public health.
Ultimately, then, what these eight core characteristics of an EHR system represent are the technical requirements and application-layer features that, as many advocates have agreed, will maximize the advantages of the impending digitization of how patient medical information is stored and accessed. The method of achieving this functionality lies in a fully interoperable system of electronic records—one where complete patient data, the basic building blocks of an EHR system, is securely available for the types of functionality the Institute of Medicine and other commentators envisage. After the benefits of electronic health records are presented below, the suggested methods of employing such an interoperable system will be discussed in Part III, infra.
B. The Benefits of Electronic Health Records and an EHR System
Expounding on the above-mentioned EHR characteristics, there are a number of potential industry-wide benefits to employing an EHR system that may only be realized—or fully realized—through an integrated, interoperable setup. In fact, electronic medical technologies like EHRs are perceived by some leaders as the only feasible means to markedly improve the health care system in the United States in the near future. In general, then, benefits occur at all levels: individuals would get more continuous care and better coordinated decisions from providers sharing ubiquitous access to the patient’s complete medical profile; payers would pay for fewer duplicated or unnecessary tests and procedures; doctors would face less risk of error when making decisions; researchers would provide better feedback on certain populations of patients (such as those with diabetes, for instance) to improve care and care processes; and “the whole of society would benefit from a real-time, steadily enhanced knowledge database about what works to promote wellness, health, and to lower health care costs.” While this list goes on, there are essentially two major categorical benefits to implementing an interoperable EHR system: cost and efficiency savings for all participants throughout the health care industry and improvements to the health and safety of patients.
1. Cost and Efficiency Savings
The United States health care industry, absorbing a projected $2.5 trillion in 2009 and 17.6% of the nation’s gross domestic product, is arguably the “world’s largest, most inefficient information enterprise.” While the U.S. devotes significantly more of its economy to health care as compared to other developed and developing countries, its share of GDP has been considerably higher than every other Organization for Economic Cooperation and Development country, including Canada (10%), France (11%), Germany (10.6%), Japan (8.1%), the United Kingdom (8.4%), and even Switzerland (11.3%). It is with these suffocating costs in mind that many commentators on health care reform promote EHR systems as a significant cost saving device — promising reductions in waste, gains in communication and efficiencies, and new accountabilities and checks — despite the projected expenses of purchasing, implementing, and operating this significant change to the industry’s technological infrastructure.
Most of these cost savings result from a combination of effects that take place along the entire health care value chain: “fewer duplicated tests; reduction in administrative expenditures; a decrease in medical errors and adverse drug events linked to ignorance about the patient’s allergies, medical history, and other prescription drugs; and, from the provider’s perspective, from improved mechanisms for calculating and recording charges.” More specifically, with a fully interoperable system, all of a patient’s doctors and care providers would have access to his electronic health records, no matter where they are stored and regardless of which facility the patient is being treated, removing any possibility of unnecessary diagnostic tests that have either already been performed or do not need to be administered. This type of error prevention— resulting in less lengthy hospitalization, surgeries, or unnecessary care—combined with reductions in administrative costs—like data entry, communication delays, and time—serve to lower total costs for care providers.
There exist, however, a number of limiting factors in the assessment of EHR systems as a cost-reducing and efficiency-increasing measure. First, while it is easy to assert that such IT upgrades will cut costs, EHR adoption rates within U.S. health institutions and by care providers still remain far too low to support solid conclusions. Though roughly 24% of physicians used some form of an electronic health record in ambulatory settings in 2006, that number falls to just 9% when requiring at least four of the above-mentioned Institute of Medicine core functions, such as electronic prescribing.
Adoption rates also vary considerably by practice size and type of electronic functionality: solo or small physician practices have much lower rates than larger practices have, and only 5% of hospitals use some form of computerized physician order entry. One possible explanation for this disparity lies in the fact that most of the benefits that result from EHR systems affect “the entire health care system through improvements in quality of care and reduction of costly errors and duplication in the system with the benefit coming over a long period of time.” Many of these benefits do not directly impact physicians in their office, at least in the short term where “there is a large upfront investment in hardware, software, maintenance, and retraining of employees with no guarantee of any near-term return on that investment.” With so much uncertainty, no immediate gains for most doctors, and the principal share of benefits going to larger entities like hospitals, insurers, and pharmacies, a shift in incentives is necessary to achieve the level of voluntary adoption needed to realize the fullest benefits of an EHR system (or to install one at all). Furthermore, “studies examining the impact of these technologies” on the limited number of providers using them “are not easily generalized; most studies are limited to single-site evaluations, often academic hospitals that have developed their systems internally and incrementally, sometimes for decades.” Most U.S. hospitals are not like this and must consider purchasing commercially developed information systems.
Acknowledging these constraints, many commentators and analysts have still estimated considerable cost savings for providers who employ EHR systems. A 2007 study projected net economic benefits of EHR implementation to range from $8,400 to $140,100 per physician, over five years. Others have found savings estimates of $77.8 billion per year after the institution of a “standardized, interoperable national system” of electronic health records, an estimated range of $142-$371 billion in net potential savings over fifteen years after projecting efficiency savings and savings from health benefits that would come from an EHR system, and an actual $16.7 million in savings over ten years for hospitals operating a CPOE system.
Perhaps most significant, however, is a recent landmark study synthesizing and assessing data on the relationship between HIT and both costs and clinical outcomes in Texas hospitals. The Texas study “evaluated whether increased automation of hospital information was associated with decreased mortality, complication rates, and costs and length of stay,” incorporating the means and extent to which doctors used information technology in their treatment as opposed to blindly indicating whether EHR systems or some other form of HIT was present. The researchers studied the effects of automation on four medical conditions commonly believed to be sensitive to clinical guidelines: myocardial infarction, congestive heart failure, coronary artery bypass grafting, and pneumonia. While certain technologies had more pronounced effects on certain medical conditions—for instance, a higher score for decision support systems was associated with much lower costs for coronary artery bypass grafting—and although the use of electronic notes and records was individually correlated with a very slight increase in the costs of all patients, the study concluded that for nearly all clinical conditions, higher CITAT scores for the use of electronic decision support systems, order entry, and test results were overwhelmingly associated with statistically significant lower mean hospital costs. “Of the 15 associations tested in these categories, 14 demonstrated an inverse relationship between the information technology score and total costs, and 10 of these were statistically significant.”
Of course, correlation does not mean causation, and “merely demonstrating that associations were present does not mean that the associations were causal;” hospitals with more and better HIT probably have better resources and performance with regard to quality and costs to begin with. Perfectly randomized, controlled trials of information technology usage in clinical settings are nearly impossible to conduct, however, and Amarasingham controlled for potential cofounders as well as is allowable under current industry conditions, providing a number of significant conclusions nevertheless. For one, “across a large number of hospitals with mostly commercial implementations of HIT, there [are] important relationships between better quality and safety and lower costs,” further supporting and advancing data from single-institution studies. Moreover, “the use of the CITAT instrument to measure how information technology was actually being used in the hospitals is likely pivotal.” Simply digitizing an existing inefficient system does not lower costs or make it more efficient; it is important to study and determine how that technology is being used and whether it is being used effectively—like with the CITAT usage index—to truly determine whether implementing an electronic health records system actually lowers overall costs. This Texas study is significant for taking precisely this approach, and along with the various other recent studies concluding the same cost and efficiency savings from EHR system adoption, it indicates the kinds of cognizable long-term returns on investment that care providers must see if they are to voluntarily adopt such a system.
2. Improvements in Patient Health and Safety
The potential health benefits that follow from an interoperable system of electronic health records can be broken down into two main categories: improvements in patient safety stemming from CPOE, decision support systems, and the ubiquitous access to medical records; and improvements in patient health that come from better disease prevention measures and chronic disease management. Broadly, EHRs can improve both patient health and safety “by supplying information when and where it is needed to help people make better decisions, by eliminating communication and process errors, and by analyzing information about the patient in combination with biomedical knowledge to make patient-specific recommendations.”
With regard to safety, in general, EHR systems can help prevent the roughly 10% medical error rate that occurs each year, primarily by incorporating CPOE and decision support systems, or “reminders, prompts, and links to medical literature to promote accurate, timely, and responsible care.” A number of studies support this conclusion, showing that computerized reminder systems can improve immunization rates for hospitalized patients, reduce prescribing errors, assist physicians in adhering to practice guidelines, and promote more thorough patient medical histories, and the above-mentioned Texas study concludes that decision support systems have been significantly associated with decreased odds for patient complications as well as patient mortality in all of the causes it studied. Additionally, a more recent synthesis of controlled trials assessing decision support systems found improved provider performance and a reduction of errors in 62 of 97 such studies, with the most improvements coming from automatic prompts rather than user-initiated activity. Though these studies suffer from the same aforementioned issues of limited sample sizes, they are nevertheless indicative of real-world benefits to patient safety brought about by EHR systems and the types of electronic order entry and decision support they employ. Other, more specific safety benefits abound.
For one, an EHR system will warn doctors, pharmacists, and other providers about potentially dangerous interactions between a patient’s other drugs and a new prescription or order. Though the current paper-based prescription process is one that has been significantly prone to errors, they are fortunately of a type particularly suited to an EHR system’s electronic solutions. For instance, in making recommendations on an electronic prescription program, the National Committee on Vital and Health Statistics found a laundry list of complaints, including prescribers’ limited access to the latest drug knowledge; an often incomplete and inaccurate medication list or even medical history for their patients; ignorance of potential drug-drug or drug-disease interactions or duplicate therapies; pharmacists’ difficulty reading handwritten prescriptions and their lack of information about the patient’s condition for which the prescription is written; and the frequent need by pharmacists to contact the prescriber by phone to clarify what is ordered and to make changes, a reality that often results in delays for the patient and is time consuming for both the prescriber and the pharmacist. Each of these issues can be corrected by an electronic order entry and alert system that provides all of a patient’s medical information at each point of the prescription process, eliminating both communication and medical errors.
Second, EHR systems might dissuade care providers from practicing and authorizing wasteful “defensive medicine,” unnecessary treatments, and other remedies whose sole motivation is to simply limit medical malpractice liability. Though this will be expounded on below, EHRs and decision support systems would collect and present valuable data on whether particular procedures are warranted and could even create defenses to liability by providing doctors with an easily accessible database of widely accepted medical practices on which to rely. Closely related to this is the overuse and misuse of certain procedures, a reality often based on the current unavailability of data and doctors’ affinity for the status quo in their own individual practice. A major example lies in the unnecessary use of antibiotics; one study, for instance, found that “seventy-three percent of adults who visit primary care physicians for sore throats are treated with antibiotics, even though only five to seventeen percent of adults’ sore throats require antibiotic therapy.” Such excessive use as led to the dangerous emergence of antibiotic-resistant bacteria —a phenomenon that might become much less common if decision support systems could provide guidance to doctors concerning prescription drugs and one of many potential future issues that could be prevented if doctors have readier access to new discoveries and treatments.
With regard to patient health, EHR systems can leverage these same technologies and functionalities to keep people healthier through short-term preventative care, near-term chronic disease management, and long-term disease prevention and management. For instance, with the CPOE and reminder systems discussed concerning patient safety, EMR systems can “integrate evidence-based recommendations for preventative services (such as screening exams) with patient data (such as age, sec, and family history) to identify patients needing specific services” and “remind providers to offer the service during routine visits.” Studies show that EHR reminder systems have increased patients’ compliance with preventative care recommendations made by their doctors.
Electronic Health Record technologies used to manage near-term chronic diseases can be aimed at minimizing costly acute care interventions by monitoring patients with diseases more thoroughly and adjusting therapies and treatments accordingly. More specifically, interoperable EMR systems employing IOM functionalities can be instrumental throughout the disease management process in a number of ways:
Predictive-modeling algorithms can identify patients in need of services. EMR systems can track the frequency of preventative services and remind physicians to offer needed tests during patients’ visits. Condition-specific encounter templates implemented in an EMR system can ensure consistent recording of disease-specific clinical results, leading to better clinical decisions and outcomes. Connection to national disease registries allows practices to compare their performance with that of others. Electronic messaging offers a low-cost, efficient means of distributing reminders to patients and responding to patient inquiries. Web-based patient education can increase the patient’s knowledge of a disease and compliance with protocols.
One study estimated that the savings from these programs would amount to tens of billions of dollars annually, mostly by controlling acute care episodes and reducing hospital use at the cost of increased physician office visits and use of prescription drugs. Additionally, Amarasingham’s much more thorough Texas hospital study also found a modest reduction in hospital lengths of stay for patients (though relationships were less clear than for other sub-domains studied), which is, in itself, an additional health benefit.
Finally, EMR-enhanced preventative programs and disease management will increase patient health through long-term chronic disease prevention. With the same kinds of technologies, screening mechanisms, and relationships between medical data and patient health records, EMR systems have been projected to save nearly $147 billion annually by helping doctors recommend the types of lifestyle changes and medications that reduce the incidence of the biggest, most costly chronic diseases like cardiovascular conditions, diabetes and its complications, and the cancers most strongly associated with smoking and other preventable sources.
Overall, then, by increasing administrative and medical efficiencies, a system of electronic health records can both lower costs and improve patient health and safety. Though implementation costs are a major initial hurdle for most of the small and mid-sized care providers, the benefits are both immediate and long-term throughout the entire industry. Dealing with these costs and incentives, however, is the last step; effective EHR system design must first address the issues of data privacy, provider liability, and system-wide interoperability if EHRs are going to have the industry-changing impact that they are capable of, and if their benefits are to be fully maximized for patients, doctors, and institutions alike.
III. Implementing an Interoperable System of Electronic Health Records
A. Barriers to an Effective System
There are two categories of barriers to the design and adoption of electronic health records: legal barriers and organizational barriers. While the legal barriers include an array of important issues like physician anti-referral and anti-kickback laws, intellectual property rights to patient data and potentially proprietary medical information, federal income taxes, and antitrust possibilities, this paper will focus on the two overarching and most critical obstacles: patients’ privacy rights in their personal medical information and the overall security of the EHR system, and medical professional liability for both care providers and those entities creating, installing, and maintaining the technologies behind EHRs. Additionally, the two biggest organizational barriers that EHRs must overcome include funding and minimizing the financial risks of EHR adoption, and creating a fully interoperable and compatible framework for providers and patients to use and transmit electronic records. Getting these issues right the first time is critical to establishing a long-term EHR system that will allow every participant to realize all of the benefits outlined above.
B. Consumer Privacy and Data Security
Patients understandably cite “privacy, together with security, as their issues of greatest concern about electronic records.” Not only is patient privacy universally referenced as a core ethical principle throughout medicine—the International Medical Informatics Association states as its first “principle of information ethics” that “[a]ll persons have a fundamental right to privacy, and hence to control over the collection, storage, access, use, communication, manipulation and disposition of data about themselves” —but numerous recent surveys indicate that privacy and confidentiality are of increasing significance as well, especially as technology becomes more pervasive throughout the health care industry. For instance, 67% of Americans responding to 2005 California HealthCare Foundation survey expressed concern over the privacy of their health records. Perhaps most alarmingly, one in eight respondents of a recent Pew Internet survey actually “engaged in actions to protect their privacy that might have compromised their healthcare, including avoiding seeing a physician, asking a physician to fudge a diagnosis, paying to keep information out of insurance records, or avoiding medical testing altogether.”
Such concerns are certainly not without merit, especially considering the “multitude of uses and users of this technology,” both currently and as technology becomes more fully and universally adopted. For instance, “approximately ‘150 people (from doctors and nurses to technicians and billing clerks) have access to at least part of a patient’s records during a hospitalization,’” and “over 600,000 payors, providers, and other entities in charge of healthcare providers’ billing data have at least partial access to these records as well.” Considering that “[f]ew controls are currently in place to ensure that information obtained through EHRs is used only for authorized purposes” and that the “implementation of EHR technology will place a vast amount of additional information about the health care of identifiable individuals in the hands of various agencies which have not previously had access to such data,” there is a very real threat of the misuse of sensitive medical information perceived by patients, and any kind of security complication would have far-reaching effects on both quality of care and overall trust in the health care industry on all levels.
In addition to the privacy issues created by those who may be granted access to electronic medical data, security breaches from malicious outsiders pose an added threat for EHR systems. A fully interoperable system like the one that this paper promotes—one that is accessible by anyone, anywhere in the country—could present a large target for anyone trying to illicitly access and transmit private medical data “quickly, cheaply, and with little risk of detection.” For instance, the “security of health information is, in fact, compromised with alarming frequency as a result of computer theft, sale of used computers without removal of data from hard drives, hacking, inadvertent disclosures, and deliberate misuse of information by those with access to it.” Georgetown University Hospital’s attempt to install an electronic prescription test program in 2006 is one recent, practical example of the privacy risks involved in EHRs and the extreme attention to security considerations that an interoperable system requires. Though the hospital securely transmitted its patients’ prescription data electronically, a flawed security control in the software they licensed allowed one consultant in a different state to “stumble upon the online files while installing medical software for a client.”
With so much importance placed on privacy and confidentiality by patients and providers alike, ensuring such protections is the primary goal for an EHR system. Doing so, however, requires two fundamental steps. First, the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule, HIPAA Security Rule, and the HITECH Act—the primary statutes governing the security of medical information and certain electronic health information—must be clarified, their enforcement strengthened so that patient privacy and EHR confidentiality are meaningfully protected under the technological realities that exist, and their language amended to recognize the significant dichotomy between “personal care” uses and “other uses” of medical data that exists in patients’ understanding of their privacy. Second, the technology underlying the electronic records and the system used to store and transmit them must actually and adequately protect patient medical information, emphasizing encryption and a preference for patient authorization before their information is accessed.
1. Regulatory Efforts: Furthering the HITECH Privacy Provisions
To address the many privacy and security concerns regarding patient medical information, the U.S. Department of Health and Human Services (“HHS”) promulgated the HIPAA Privacy and Security Rules in 2000 and 2003, respectively. Because Congress did not enact privacy legislation within three years after HIPAA was passed, as required by the act in 1996, HHS developed these rules to assure individuals that their “health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being . . . , strik[ing] a balance that permits important uses of information, while protecting the privacy of people who seek care and healing.” In general, while the rules did create “standards for the security of electronic health information to be implemented by health plans, health care clearinghouses, and certain health care providers,” they did not go far enough to effectively deal with the issues presented by interoperable EHR systems and numerous limitations exist:
The Privacy Rule covers only a narrow range of entities, namely health plans, health care clearinghouses, and health care providers who transmit health information electronically for claims, billing, or health plan purposes. It does not cover employers, marketers, life insurers, or many others who might handle personal health information. The Privacy Rule also does not feature a private cause of action, so its deterrent and remedial effects are limited. In addition, The Security Rule’s standards are extremely vague, leaving a vacuum of guidance that makes meaningful compliance unlikely. A 2007 assessment of HIPAA compliance in fact found widespread confusion and mistakes.
These rules are simply too limited to effectively deal with the complicated security issues that can and will arise when many different types of health care providers and entities interact with an open, interoperable EHR system.
To deal with these shortcomings and “address new threats and opportunities presented by new technologies such an interoperable electronic health records [], personal health records (PHRs), health information exchanges (HIEs), and state and national health information networks (HINs),” Congress enacted an updated set of privacy provisions in the HITECH Act as part of the American Recovery and Reinvestment Act earlier this year. For the most part, HITECH corrects many of HIPAA’s failures, such as the covered entities problem in § 13401, subjecting all “business associates” to HIPPA rules and “making it clear that pretty much any entity that owns or operates any of the components of the emerging health information network in which individually identifiable health information is house is a business associate.” Moreover, § 13402 mitigates the increased risk of malicious security breaches that come with digitization, first requiring “notification of each individual whose [unsecured] protected health information has been, or is reasonably believed to have been, illegally accessed, acquired, or disclosed so the individuals can take whatever steps they can to protect themselves,” and second, because this only applies to unsecured data, it encourages technologies that secure such information.
Finally, HITECH forces providers to account for many of the disclosures of patient information that providers authorize—such as “out of the ordinary” treatment, payment, and health care operations—that they were previously not required to account for under HIPAA. Accounting for these transmissions of patient information would no longer be administratively expensive under an automated electronic system, and §§ 13405(c) and 13403(b) remove many of these previous HIPAA exceptions to patient disclosure requirements, informing them of who has or had access to their medical information and for what purposes.
On their face, then, these new privacy and security provisions appear to address most of the gaping holes that HIPAA previously left, providing “increased protections to sensitive health care information, giv[ing] individuals better tools for accessing and using their own records, and provid[ing] them with more control over how their personal health information is used by others.” Whether or not this is true depends in large part on how these provisions are applied in practice, however, and two fundamental changes to the HITECH provisions are necessary if an interoperable, cost-reducing EHR system is to be fully implemented. The first of these deals with the “breach notification” provision, § 13402, mentioned above. Simply, notification of any internal or external breach of privacy by any provider or entity should not be limited to breaches of unsecured data; even secured, encrypted medical information that has been subject to unauthorized access should be disclosed to patients and any other related entity that is affected. Such transparency is necessary for all types of EHRs and medical data, developing true patient trust and allowing patients to respond accordingly and plan immediately for any potential resulting issues.
Second, and more fundamentally, HITECH’s patient consent provisions must understand the dichotomy that patients have drawn between the use of their EHRs and medical information for their own personal care, and the use of that information for “other” functions like public health, research, and medical practitioner training. While HITECH importantly allows for reasonable patient restrictions—i.e., when the disclosure is related to payment or health care operations and not treatment, and when the provider has been paid in full—this does not address the growing number of information uses available when all medical data is in an easily searchable and exchangeable format and patients’ increasingly protective view of their information in these “other use” contexts.
In a recent National Forum on HIT privacy, experts and consumers together discussed how to balance the goals of an exhaustive, interoperable EHR system with this “personal use–other use” dichotomy. Though these seem to conflict, the key was the Forum’s recognition that trade-offs exist, and that “one size does not fit all in the health data world.” For instance, health data can easily be categorized into “different tranches that require varying levels of security and privacy [to] provide the opportunity to treat health data in an optimal way” —such as use by providers in emergency patient treatment or for the personal use of patients at the top of this hierarchy, and insurance purposes and evidence-based research at the bottom —each with its own level of required patient consent. Under this framework, then, and in evaluating the dialogue between patients and industry experts, a consensus emerges on how HITECH and future regulation can handle the issue of privacy and patient control.
First, the patient is at the center of the health system, and should accordingly know that a large amount of his information is being collected with full unfettered access to it. He should know at all times the purpose and use of this information, with the default rule allocating ultimate control over personal information to the patient. Second, patient consent should not be required when disclosure is required by law, such as in public health reporting, or when the information has been “de-identified” for non-direct uses like medical research, quality monitoring, threat surveillance, or marketing and advertising. Consent should be required for “other,” non-direct uses that incorporate personal, identifiable information. Finally, with regard to providing direct care to patients, open transmission of EHRs is necessary to maximize administrative and health-promoting value from an electronic system. While patients should be allowed to share their information with whomever they want, opting out should also be available but difficult—patients should not only be advised that this will limit any health care provider’s ability to provide the best care but encouraged not to opt out as well. As an additional trade-off, in the “very limited emergency cases when consent cannot adequately be given and has not been given previously, a ‘break-the-glass’ option that does not contradict the person’s expressed consent limitations may be necessary to serve the best interests of the . . . patient.” In general, then, the right for patients to access and control their information must be balanced with goals and benefits of an open EHR system, and patient medical information is sufficiently granular to allow for these types of trade-offs.
2. Technological Efforts: Encryption Protections to Maintain EHR Privacy
Alongside the fundamental rights aspect to EHR privacy issues lies the technological protections that actually secure the electronic records. Plainly, two characteristics of electronic records and the system that manages them are essential to maintaining patient privacy and allowing for the types of protections, consent, and trust outlined above: data encryption and audit trails to record how the records are being used.
To ensure both the integrity of the medical data stored in electronic records and the securitization of access to those records, the EHRs must be encrypted under established security standards and algorithms. Using the language from the breach notification provisions of the HITECH Act, as mentioned above, this can broadly be read to require medical data to be “unusable, unreadable, or indecipherable to unauthorized individuals.” Though this isn’t expounded on in the Act itself, the Department of Health and Human Services has recently issued guidance on how to encrypt such records, offering a number of practical requirements. Initially, the “successful use of encryption depends upon two main features: The strength of the encryption algorithm and the security of the decryption key or process.” More specifically, EHRs are encrypted according to HITECH and the HIPAA Security Rule by “the ‘use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key’ and such confidential process or key that might enable decryption has not been breached.” Though the National Institute of Standards and Technology documents cited by the HHS detailing the scientific and cryptographic elements of an acceptable encryption algorithm are highly technical, general principles can be extracted.
First, authentication is essential to storage encryption, and must allow both administrators to authenticate “so that they can perform storage encryption management functions, including reconfiguring and updating,” and users to authenticate so that they can access encrypted information.” At a basic level, then, access to electronic health records should be password protected, with an emergency function to allow responders to access a subset of medical information without a password. Second, storage encryption technologies used to secure all EHR data must use advanced cryptographic keys to encrypt and decrypt the data that they protect. The security industry is sufficiently established to provide existing solutions to this issue, and the cryptographic element to data security can be solved by employing some “established and emerging security standards, such as the Internet Engineering Task Force’s Transport Layer Security (‘TLS’) standard or its Public-Key Infrastructure (X.509) standard.” Finally, with regard to management and review of security systems put into place, “audit trails” that record “who did what to whom, when, and in what sequence” are essential to discern certain system malfunctions and determine whether to implement appropriate interventions.
C. Professional Liability
While interoperable electronic health records have the extraordinary potential to provide nearly instantaneous medical updates to all of a patient’s physicians and care providers as that information is created, they raise numerous legal issues regarding medical professional liability and responsibilities for responding to that information. Indeed, though such a “web of physicians has enormous potential to improve the quality of health care as well as increase efficiencies; it also has the potential to alter what the physician-patient relationship means.” Three important implications arise as EHR systems affect professional medical liability: the legal standard of care for physician accountability will evolve, manufacturers of EHR technologies must absorb some of that liability in certain circumstances, and discovery of the truth in litigation can be significantly facilitated.
1. New Standards of Care
Normally, in medical malpractice actions, “the standard of care imposed on physicians and other health care providers is defined as the degree of skill and care ordinarily practiced by a reasonably prudent practitioner in the same field of practice and under similar circumstances at the time the case arose.” The first issue that may arise stems from EHR adoption and the resultant predicted reduction in medical errors: as this occurs, “plaintiffs may be emboldened to argue that a health care provider does not meet the standard of care if it does not utilize interoperable records.” As digitization becomes more ubiquitous, late-adopting physicians might expose themselves to liability for not accessing information before or during patient treatment that could have prevented an adverse medication reaction—information that would have been available had that physician employed a decision support system or other feature of electronic health records. Moreover, because interoperable EHR systems “could arguably provide a physician with information that would allow him to take more aggressive diagnostic steps and discover [any] problem[s]” sooner, the “physician who is not prepared to access the most up-to-date information may well find herself accused of ‘causing’ an allegedly foreseeable harm” —harms that become foreseeable because of the technological advancements that EHRs bring.
The standard of care applicable to physicians and medical professionals could expand in other ways as well. For instance, electronic systems bring many additional people into a patient’s treatment—from other physicians and colleagues to the nurses and administrative staff that input patient data. Given that “electronic communication can and does ignore borders, its broader utilization could potentially erode the geographic bounds by which the standard traditionally was, and in some states still is, defined.” Jurisdictional issues would abound, and plaintiff-friendly forums would expose physicians to expanded liability, encouraging them to shy away from using electronic records or promoting their adoption.
As a result of the very likely expansion of the standard of care, physician liability must be balanced against the interests of promoting EHRs and the benefits they bring to patients and providers. It would be a “great irony” if the “tort system, ostensibly designed in part to deter unsafe practices, deters instead the adoption of EHRs based on theories that either using or not using EHRs caused the alleged harm.” The law should therefore promote the growth of EHRs by sheltering physicians and care providers from these potential risks. Specifically, measures should encourage liability in instances where doctors fail to employ significantly adopted EHR technologies—especially those that are the cheapest and quickest to implement; they should discourage liability in borderline negligence cases when technology may be new or where patients have notified of any such risks; and jurisdictional issues will be minimized as electronic health technologies should increase the national standard of care as opposed to a more localized approach that some states still employ. To a large extent, regulations issued by the HHS and Centers for Medicare and Medicaid Services in 2005 establishing “exceptions” and “safe harbors” for certain health care entities who provide financial incentives to spur the adoption of EHR technologies—regulations which led to the adoption of 42 C.F.R. §§ 1001.952(x) and (y) on electronic prescribing and other EHR items and services—addressed this with the correct approach.
2. Manufacturer Liability after Reasonable Reliance by Physicians
A second major liability implication of EHR systems centers on how and to what extent EHR system vendors will be included in lawsuits because their technology or product possibly contributed to the alleged injury. Initially, because such liability “would turn significantly, but not solely, on the nature and details of the vendor’s undertaking,” it is to be expected that vendors, who will most often have to indemnify care providers to some extent to entice them to buy their EHR technology, will attempt to cover their liability exposure through contractual disclaimers and insurance. In a competitive market for EHR services, however, most vendors will make claims about their products and why they are superior and, ordinarily, contractual liability, which occurs when a vendor promises one thing in the contract but does not fully deliver on that promise, would step in to provide some recourse for physicians who use those products. For instance, decision support system vendors, who claim the “best evidence-based sources available” for physicians to base their decisions, could theoretically open themselves up to potential liability if important medical developments were not included in the information base. However, when one “provides information to a health care professional, it can reasonably be assumed that the professional will subject that information to all the usual ‘filters’ and will not rely upon that information to the exclusion of other appropriate source. This is the core premise of the ‘learned intermediary’ doctrine,” which places responsibility on physicians to not blindly trust such products and serves to relieve vendors from liability to a certain extent.
Therefore, “[a]s long as it is reasonable to assume that CDSSs only provide information that is subject to [competent human intervention by physicians], the rationale that underlies the ‘learned intermediary doctrine’ will apply, and the responsibility will continue to rest primarily on the physician.” If an interoperable EHR system is to be fully adopted and utilized, however, this liability framework cannot exist; there must be conditions for vendor liability to a certain extent and some level of justifiable reliance by providers that limits their liability. Conveniently, the Food and Drug Administration’s approach to medical software regulation provides a valuable basis on which to attempt to devise some liability scheme between providers and vendors. Under its comprehensive risk assessment approach, the FDA classifies medical software on the basis of five factors:
- the seriousness of the disease or condition being diagnosed or treated,
- the amount of time available before the practitioner uses the information provided by the software,
- whether the data output departs from customary use or data presentation,
- whether the information is individualized for each patient, and the relative risk to the patients if the software fails, and
- the extent to which the practitioner would be exercising independent judgment in assessing the conclusion reached by the software.
Based on these factors, then, “software applications are classified as high-, moderate-, or low-risk and this classification affects the strictness of the FDA’s scrutiny and the fullness of the regulatory requirements.”
In the EHR liability context, this same framework can be used to classify the relative risks of individual EHR technologies—whether it is a risky decision support system or a more reliable electronic prescription application—such that the riskier the technology (i.e., the greater the potential risk to the patient), the more responsibility the physician would have to doubt that technology’s output and seek independent confirmation, and subsequently, the greater the liability he would potentially face. Likewise, the more reliable the EHR technology is, the less likely a physician would be responsible to invoke his own independent confirmation analysis and, consequently, the greater the potential liability the vendor would face. Under this framework, the question of liability becomes “to what extent a reasonable and prudent physician would have relied on the device’s output under the circumstances,” carving out a “justifiable reliance” exception to a system of medical professional liability otherwise borne entirely by care providers and determining liability between providers and vendors based on the relative risk of that EHR technology.
3. Implications on Discovery
Finally, EHR systems have significant implications in the litigation context, specifically regarding discovery. For instance, patients “may find it very hard to establish that the [EHR] system was responsible for [their] injuries unless the inputs provided to the system, the actions taken by users, and the outputs and actions generated by the system are faithfully recorded in a form that can be understood by an expert.” Other discovery issues abound: “will printouts of EHRs accurately reflect the provider’s activities? Will fragmented screen displays, physician shortcuts, and system inflexibilities impede discovery and distort the medical record? Will EHRs record all of the provider’s activities accurately, comprehensively, and chronologically, or will files be disjointed, confusing, and incomplete?” Effectively solving these discovery issues will hinge primarily on the integrity of the EHR system itself and the reliability of audit reporting discussed in Part III.B.2, supra.
Though these technologies could certainly assist a patient-plaintiff immensely in discovery as well, providing a system of computerized records and chronology of events far more comprehensive than paper files built upon dictation and physician notes could ever be, they are just as likely to extend the scope of discovery against care providers beyond the limits now imposed in paper medical record cases. Again there exists a trade-off between protecting patient rights and safety on the one hand, and encouraging physicians to voluntarily adopt a universal, interoperable system of electronic records on the other. Possible policy solutions to this issue include “immunity against liability under certain circumstances, as well as privileges against disclosure” or sufficiently narrowed “safe harbors against liability if certain forms of prescribed conduct are followed” by physicians and care providers employing EHR services.
D. Interoperability
As mentioned throughout this paper, for doctors and patients to fully extract the benefits of an electronic health record system, the medical data underlying that system must be completely interoperable across the various types of hardware storing that data as well as the applications that access, transmit, and display it. Interoperability touches at the core of the purpose and power of EHR systems—that is, “their ability to access [medical] data from many different sources, subject it to common processing and analysis, and send it back out to various authorized parties in the data network, all seamlessly and transparently” —and the current use of multiple, incompatible systems is fundamentally inconsistent with this.
Interoperability primarily means semantic interoperability, or “the ability of information systems to exchange information on the basis of shared, pre-established, and negotiated meanings of terms and expressions.” For an EHR system, this “implies that all or part of an EHR created or updated on one such system can be transmitted to other vendors’ systems in a way that permits the receiving systems to interpret and utilize the transmitted data as efficiently and effectively as they use their own internally created EHRs.” Further, this means that proprietary data formats and digital locks restricting access to proprietary records must be replaced with universal standards for storing that data, much like Extensible Markup Language (XML) has been used on the Internet to standardize electronic document encoding, creating instead “a system of standards rather than a standard system.” While a number of current obstacles have unfortunately made it such that the health care industry is far from achieving interoperability in the data it creates and collects, the technology to address these obstacles does exist, federal regulatory mandates can be used to effectively overcome them, and a technological framework for interoperability can be outlined as well.
1. Obstacles to Achieving EHR Interoperability
One major obstacle to full EHR interoperability lies in the complex and often variable medical language used by the health care industry itself. For instance, terminology often “varies between medical specialties, locales, and health care facilities, and it also varies with clinical context,” such as the often used abbreviation, “MS,” which stands for “mitral stenosis” in cardiology, “multiple sclerosis” in neurology, “morphine sulfate” in anesthesia, and “magnesium sulfate” in obstetrics. Without some way of reconciling these various definitions, or properly providing a mechanism to translate various conflicting abbreviations or terminologies, EHRs won’t be able to effectively communicate with each other.
Closely related to this issue is the fact that electronic records currently produced by different vendors “employ proprietary internal representations of medical information that are generally incompatible with one another.” More specifically, while many hospitals and care providers use electronic records, “different proprietary information models” used by each individual provider or vendor, as well as “inconsistent data quality,” have made it difficult for the industry as a whole to share and collect patient data. For instance, in Sweden, where one such study of various EHR systems was conducted, there existed more than 50 “national quality registries . . . collecting patient data from health care units for quality control and clinical research.” One of the quality registries there is the National Diabetes Registry (NDR) which recommends the health care units responsible for the care of diabetes patients, to report data back to the central NDR server periodically or at least once per year.” Because the information entry system contains a “list of predefined variables which need to be mapped to the local variables within each hospital or health unit’s EHR system,” partial mapping for some EHRs can lead to doctor’s simply choosing not to enter information out of inconvenience. Moreover, doctors wishing to add new terms or features as their science evolves can find long wait times for vendors to implement them as well as added costs potentially prohibiting such upgrades.
Finally, financial disincentives and other business reasons for both care providers and EHR system vendors constitute a further obstacle to interoperability. For instance, providers may disfavor an interoperable approach “because it makes it easier for patients to change doctors by allowing complete patient files to be shared or transferred electronically to other facilities.” Indeed, without interoperability and a free exchange of medical data, “the health care enterprise hopes to gain a comparative advantage by imposing high costs on consumer switchover and by exercising market leverage over small-niche players such as solo physicians and community hospitals.” Clinicians and providers may also resist facilitating the sharing of patient data out of legal concerns as well. For instance, providers may be concerned that other clinicians scrutinizing their EHRs may accuse them of malpractice, and clinicians may be concerned about their sensitivity to confidentiality issues, as any added openness brought about by an interoperable system—as opposed to a network of proprietary ones—could create more of an opportunity for unauthorized access or inadvertent distribution of private data, for potentially malicious purposes. Finally, EHR system vendors may also find interoperability financially “unappealing because it makes it easier for providers who use one [vendor’s] EHR system to switch to another by enabling patient EHRs to be easily transferred between systems.” With interoperability, vendors no longer have the leverage to discourage providers from switching that comes with the “difficulty of transferring hundreds or thousands of EHRS between different systems.”
2. Designing an Interoperable Framework that Overcomes These Obstacles
While these obstacles present significant threats to an interoperable EHR system, federal legislation mandating current technological solutions provides the best mechanism to achieve true nationwide interoperability. The first such technological solution, or key characteristic in achieving interoperability, lies in storing the electronic records data in an open, standardized file format. Second, the EHR must implementing a common language—or “common exchange representation” (“CER”) as some commentators have used — under which EHRs can communicate to eliminate the above-mentioned compatibility issues inherent to medical scientific terminology and the currently fractured, proprietary EHR setups. These two characteristics are both interrelated and necessary to achieve interoperability.
Generally speaking, a CER is an “artificial language” containing data format specifications to represent the information contained in EHRs, characterized by “well defined syntax and semantics” and “capable of unambiguously representing the information in any EHR.” Though there are many competing CER standards existing with no clear “winner” among them, the Medical Markup Language (“MML”) standard developed since the 1990s provides an excellent example of the types of goals and structural characteristics that a CER should employ. Much like its web-based counterpart, XML, MML’s purpose is “to provide a standardized way to exchange medical documents and other clinical data.” To do so, it provides a uniform file format to store medical data: first, there is a local “header” in each file for metadata and information like patient demographics, the document’s creator, time and place of creation, and diagnostic information; second, Health Level 7’s XML-based document markup standard, Clinical Document Architecture (“CDA”), is used to specify the structure and semantics of the patient data that the file contains, including text, images, and other multimedia.
Moreover, in order to “promote longevity of all [encoded] information,” “minimize the technical barriers to implement the standard,” and “promote [an] exchange that is independent of the underlying transfer or storage mechanisms,” CDA and standards like it not only implement open, simplified, and uniform markup, they addresses the proprietary language problem through the use of “domain knowledge governance,” a process by which the “development and maintenance of a semantically interoperable representation for health information [is] coordinated internationally and across health disciplines.” For instance, the Systemized Nomenclature of Medicine, Clinical Terms (“SNOMED-CT”) that the HHS has adopted provides an open source of clinical terminology, standardizing medical terms across all major disciplines, so that EHR systems can exchange normalized expressions. By providing standardized markup to contain patient medical data as well as employing a central, normalized set of medical terminology like SNOMED-CT, electronic standards like CDA can achieve interoperability for the EHR system that uses them by removing the incompatibilities of existing proprietary formats and those resulting from the health care industry’s own fragmented and incompatible record-keeping.
Overall, an interoperable EHR system will give clinicians everywhere, for the first time, access to a “longitudinal medical record with full information about each patient.” Interoperability, however, remains a fundamental requirement to ensuring that widespread electronic health record adoption creates this social and economic benefit—“[w]ithout interoperability, EHR adoption will further strengthen the information silos that exist in today’s paper-based medical files, resulting in even greater proprietary control over health information and, with it, control over patients themselves.”
E. Installation Costs and Provider Incentives
Finally, financial barriers, including both the high costs of initial implementation and provider uncertainty regarding short- and long-term returns on investment, continue to present significant disincentives for EHR adoption. Both of these barriers stem in large part from a perceived lack of any business case supporting EHR use by providers, which is in turn based largely on “dysfunctional market dynamics and incentive structures” that do not enable providers to adequately recognize the benefits of electronic health records. For instance, “economic incentives in the health care industry generally do not reward good performance, reducing the motivation of self-interested health care actors” like most providers to adopt EHRs. When inefficient and suboptimal care can be rewarded by more visits, tests, procedures, and revenue, incentives are low for doctors and hospitals to adopt a system that will reduce those income streams, regardless of how inconsistent they are with the profession’s values. Additionally, while the primary purchasers of EHR systems are doctors and hospitals, nearly 80% of the potential economic benefits that these and other HIT systems generate “inure to insurers and health care group purchasers, including the federal government, in the form of lower premiums and enhanced worker productivity.” Both the high costs and misaligned incentives, then, have worked to build a persuasive argument against adopting EHR systems.
1. Monetary, Time, and Administrative Costs to EHR Adoption
Foremost in the minds of many doctors and hospital administrators lie the significant costs and difficulties associated with introducing a new EHR system into medical practice. By one estimate, the purchase of an EHR system is roughly $33,000 per doctor, with an additional $1,500 per month, per doctor, for maintenance. Other estimates cite similar initial outlays, with one survey estimating $120,000 to $175,000 for the total cost of ownership of an EHR system per physician over five years; another reporting an initial $140,000 price tag for an EHR system installed in a four-person medical practice with an additional $40,000 annual maintenance cost; and a Pennsylvania hospital study finding that “the median capital spending per bed for HIT in 2006 was $6,912, while the median HIT operating cost per bed was $14,528.”
In additional to creating capital expenses, transitioning to an EHR system also places significant administrative costs onto health care providers. For instance, “office systems must be redesigned; users must adopt uniform ways of recording data to fit system requirements and must forego their own shorthand and terminology; data from paper records must be entered into the electronic system; all staff members must learn to be proficient with the system, and their training takes time away from patient care; and patients may be concerned about providers spending considerable time inputting data into computers during examinations, leaving less time for human interaction between the clinician and the individual being examined.” Perhaps most significant of these, however, is the potential increase in time and attention that a new EHR system may require of physicians. Though clean and intuitive interface design plays a significant factor in reducing this issue, one study initially found that the use of EHRs during consultation “increased the time that doctors spent on activities other than interacting with patients by as much as [28%] and that this did not change with improved computer proficiency.”
2. Creating Incentivizing Structures to Redress Provider Uncertainty
Finally, and as mentioned above, poor existing incentives for doctors and hospitals have further complicated the issue of high capital expenditures for installing an electronic health record system, creating a cognizable “uncertainty gap” between what providers will be paid to adopt EHR technology, and what the actual costs to each provider will be. To address the inadequate market incentives promoting the use of EHR systems and stimulate adoption, Congress has already offered up to $44,000 through the HITECH Act for the “meaningful use of certified EHR technology” over a five year period beginning in 2011. While Congress may have felt that $10,000 per year, per doctor is enough to induce a critical number of doctor’s to acquire and use EHR technologies by 2015, however, significant and looming uncertainty over Medicare and Medicaid reimbursement rates, combined with the high capital expenses and uncertainty over the actual predicted cost savings of EHR use, have created a gap that must be filled by either increased financial incentives or some other mechanism by which doctors can reasonably expect a return on their investment. Indeed, “[b]eyond the issue of Medicare incentive payments for EHR technology not yet specified, to be used in ways that haven’t yet been defined, doctors are manifestly not confident about the longer term issue of whether short-term incentive payments will be converted to sustainable economic returns.”
To restore this necessary confidence among physicians and health care providers so that they will recognize an adequate return on their investment and voluntarily adopt EHR technology, Congress should build onto the support it started in the HITECH Act, increasing governmental investments in EHR systems to incentivize their adoption. Current uncertainty and high initial costs have proven to be too formidable opponent to the conservative approach that doctors and hospitals have taken in analyzing EHR adoption. To defeat this, not only must Congress provide the financial stimulus through structured incentive payments, it should do so quickly, promoting the broad adoption of an interoperable, standards-based EHR system as soon as possible to realize the compounding savings early. Given the nature of the savings curve—i.e., as some analysts have shown, net savings through EHR use will begin slowly, increasing rapidly after the first five years —and the fact that the health care market has been heretofore totally inadequate in stimulating EHR usage and adoption, there is “substantial rationale for government policy to facilitate widespread diffusion of interoperable HIT” and EHR systems. Indeed, the government is particularly suited to administer such a comprehensive incentive program, as the Agency for Healthcare Research and Quality, the HHS’s “health research services arm,” has served as a “major source of funding and technical assistance for health services research and research training at leading U.S. universities and other institutions” since its inception.
IV. Conclusion
As the costs and inefficiencies of America’s health care industry near insurmountable levels, the administrative, cost-saving, and quality of care benefits that technology can bring have become more critical than ever. Fortunately, with attempts at reform fixed firmly in public discourse, our health care system is well poised for industry-wide change, and a distributed, interoperable system of electronic health records is the first giant step towards achieving that change. While numerous obstacles continue to impede the adoption of such a system—including consumer privacy and the security of patient medical data; medical professional liability in the context of new communicative technologies; establishing nationwide standards on which a system can operate seamlessly and efficiently; financial disincentives for physicians and providers to adopt new EHRs; and, perhaps most importantly, the embedded culture within the medical profession of resisting technological changes in the way doctors deliver care—all of these can be overcome with the adoption of current technological solutions and limited, targeted regulation to promote such adoption. Overall, the adoption of an electronic health record system throughout our health care industry not only represents a fundamental change in the way the medical profession does business, communicates with its patients, and delivers care, but a change that carries significantly reduced costs, an increased role for patients in their health, better care, and a plethora of short- and long-term societal benefits as well.
* * * * *