Sunday, December 31, 2006

Confidential data -- an eye for an eye?

Sorry for the blog silence -- I've been on holiday.

While I was away, I saw this interesting poll in USA Today (12/28/06). Over 100 security professionals were asked "How should companies that expose confidential data be penalized?".

Here are the results:
  • 48% -- Make the CEO's private information public
  • 26% -- Criminal fines
  • 24% -- Civil fines
  • 2% -- No penalty necessary

Half (!) of the respondents supported an "eye-for-an-eye" type of justice. This has interesting implications in the medical world ("Doctor, you released my colonscopy results so we're now going to publish yours on the web...").

Finally, remember this was a poll of security professionals -- just imagine what a poll of patients might find.......


Tuesday, December 26, 2006

Money alone won't solve the EHR problem

The amednews recently published an article detailing the saga of a practice that had a failed EHR implementation. The article notes that something like 1 out of 3 EHR implementations ends up in failure, which the article defines as a de-install. If you include the EHR implementations that are permanently stuck -- meaning that the practice implements basic scheduling and billing, but nothing else -- that could mean that 1 out of every 2 EHR implementations are effectively failures.

I don't want to get into whether the EHR system or vendor itself contributed to the failure described in the article; both of the vendors mentioned in the article are supported by MAeHC (the practice left NextGen and is now buying eClinicalWorks) . To me, the most important point raised in the article is that lack of money is not the only issue hampering greater EHR penetration -- it's not even clear that it's the most important obstacle.

Factors that contributed to the failure cited in the article are:
  • Insufficient upfront attention to workflow or process changes required to maximize the EHR's potential
  • Inadequate project management experience and resoures at the practice-level
  • Inexperience with contracts -- writing, negotiating, and managing

This confirms for me that EHR investments are probably not worth it (particularly for small practices) unless they're done under the umbrella of an effectively-managed, community-based program (whether driven by a hospital, IPA, PHO, or RHIO/HIE).

Community-based because there's scale in project management, vendor selection, and contract management, and because patients and physicians will get much more value from EHRs that are coordinated with their medical trading partners (other physicians, hospitals, diagnostic centers in their communities).

Effectively-managed because too many of these programs give scant attention to the project and change management piece of the implementation -- they're usually driven by whiz-bang technology plans (with the requisite clouds and lightning bolts) laid out by IT specialists, and assume that templates and worksheets handed to the practice by EHR vendors and others will take care of the rest. In most cases, they can't and they won't.

I wouldn't recommend that the government or anyone else dump money into EHR programs unless they're managed under a community-focused program umbrella, laying out clear goals and timelines, coordinated interoperability with key trading partners, funding keyed to execution and adoption milestones, and implementation approaches that force behavior change, and maximize and monitor success.

Programs that fund EHRs on a "retail" model -- meaning that they just make money available to physician practices through grants or tax breaks or other practice-focused incentives -- are destined for high rates of failure and could very well cause more harm than good.

Saturday, December 23, 2006

All health care is local

The Archdiocese of Boston is considering selling the Caritas Christi hospital network, according to a story in the Globe a couple of weeks ago. I hope they don't sell it to a national healthcare chain, because I think that would be a setback to the ongoing effort to create a sustainable regional connectivity infrastructure in the Commonwealth.

What's the connection between the two? The business case for HIEs relies on vertical synergies -- hospitals, physicians, and insurers who share the same patients and collaborate locally to make the handoffs of care coordination as smooth as possible. The value driver here is economies of scope -- getting value by better coordination across the different layers of healthcare services.

This runs at odds with the horizontal synergies that drive national healthcare chains -- hospitals across the country, for example, who share the same management and suppliers, but NOT the same patients. These chains focus on economies of scale -- getting value by better production coordination in a single layer of healthcare service (such as hospitals or insurers). Think Starbucks. Think Walmart.

Vertical strategies are inherently patient-centric, whereas horizontal strategies are provider- centric (or insurer-centric) . Problem is, the quality of care in the US already suffers from being too provider-centric. Horizontal strategies make sense in many industries -- in healthcare, they will make a very bad situation even worse.

In practical terms, a national chain entity will be much less likely to participate in a local HIE, because their IT strategy will be driven by the goals of their national parent, not their local partners. And while their national goals aren't necessarily contrary to local goals, they usually are. And even when corporate and local goals are aligned, it's usually coincidental, it takes a lot of effort to convince corporate management that they're aligned, and it's nearly impossible to coordinate project plans even when the goals are aligned.

Massachusetts is a national leader in regional collaboration in health IT. The biggest reason for this is that the leading players in health care in the Commonwealth are non-profit, Massachusetts-based, Massachusetts-focused companies. This is true on the supply side, where the biggest players are Partners, Caritas Christi, CareGroup, Baystate, Fallon, Berkshire, and Hallmark Health, among others. It's also true on the (commercial) demand side, which is dominated by Blue Cross Blue Shield of Massachusetts, Harvard Pilgrim, Tufts, and Fallon.

Of course it's not all roses and sunshine here, and we still have a long way to go, but the strength of these local players -- who have the incentives and discretion to make local decisions -- creates a fertile (though still fragile) environment for HIEs. We need more local leadership, not less, and I'm thus nervous that the HIE movement will take a step backward if the second biggest hospital system in the state becomes an outpost of a national behemoth.

An analyst quoted in the Globe article stated that Caritas would benefit from a national chain merger because it would "help them coordinate the installation of new information systems...".

The question is, coordinate with whom?


Full disclosure: Caritas Christi and many of the other healthcare entities mentioned in this blog are members of my Board of Directors, and one of the the Caritas Christi hospitals is a participant in our pilot projects. I have not discussed or consulted with any of these entities regarding the issues that I've written about here.

Saturday, December 16, 2006

We don't know what we don't know

Two friends recently sent me emails alerting me to security breaches in the health care industry. Since MAeHC is launching health information exchanges in 3 communities beginning in early 2007, we're very interested in such news.

One breach was a theft of back-up tapes containing medical claims of 130,000 Aetna subscribers (my health insurer!). The other breach came from the theft of a laptop with medical information of 38,000 Kaiser Permanente members in Denver.

I found out about these within the same week (they actually occurred about 1 month apart), and it got me wondering about the incidence of such events generally, and whether it might be getting worse as more data becomes electronic.

There's been a steady drumbeat of news on such breaches since the infamous ChoicePoint blunder in 2005, and the US recently crossed the dubious milestone of 100 million security breach victims since the counting began with Choicepoint.

The best (and most accessible) data I'm aware of is maintained by the Privacy Rights Clearinghouse, which tracks breaches on its website. My quick-and-dirty assessment of the data on the website suggests the following:

The frequency of all reported breaches is increasing. 413 reported breaches in the last 2 years -- 106 in 2005 and 307 in 2006.

Health care providers are a very small part of the problem. Sources of breaches breaks down as follows -- non-clinical commercial enterprises (37%), federal/state/local government (29%), universities (25%), hospitals and ambulatory providers (9%).

Breaches involving medical data may be increasing. 16% (69) of these breaches involved health data, but this share almost doubled over time, from 11% of breaches in 2005 to 19% in 2006.

Most medical breaches are committed by hospitals and the government. Hospitals accounted for most medical breaches (39%), followed by government (20%), health insurers (13%), physician offices (10%), and universities and ancillary services (9% each).

Big breaches involve institutions that have a lot of data. The biggest breaches by far in terms of number individuals affected have been by banks and by the government, which one would expect since they are the institutions that have a lot of data.

Most reported breaches do not seem to involve theft of data for the data itself, but rather, they involve theft or improper destruction of files, tapes, and computers that happen to have private data in them. Not to dismiss the importance of breaches, but the actual damages resulting from these breaches are likely much much smaller than the gross numbers suggest.

There are all sorts of cautions with making too much of this data: is this better reporting or higher frequency of actual breaches? what other types of breaches never get reported? is it higher incidence as well as higher frequency? is the reporting consistent across sectors and over time? are the differences statistically significant (both across sectors and over time)?

Assuming the data are somewhat representative of reality, they seem to highlight some important points for EHRs and health information exchange.

First, the world is full of data repositories. Financial institutions, the government, universities, hospitals, health insurers -- all hold huge stores of our personal information already. The discussion of whether to have a repository in an HIE needs to be had in that context.

Second, what's not reported is at least as important as what is. MAeHC's experience with health care providers is that bigger organizations like insurers and hospitals have a very small frequency of big data spills, which get reported, and small organizations such as physician offices have a high frequency of tiny data spills, which never get reported. Also, it's pretty well known that one of the biggest sources of breaches are insiders, who are often found out but are not publicly reported (for example, this week's Information Week article, the ongoing problem of medical staff trying to peep at VIP's medical records, and the now well-known story of the Diva of Disgruntled who posted confidential information of Kaiser Permanente patients on-line).

Third, breaches seem to be committed by organizations of all sizes and levels of sophistication. Physician offices -- as they become more interconnected with each other and with existing repositories of data -- could add many more chinks to the health data security armor. This isn't because they're irresponsible, it's because they don't have the staff or experience to even know how to address it.

For example, how many physician offices have already gone to Staples, bought a $30 Linksys box, and set up a wireless network that they don't realize is akin to leaving their medical charts in the parking lot in front of their office? How many are remotely accessing their computers using retail products and services that don't have industry-standard authentication and encryption? They haven't really had to worry about all of this up until now, because they're protected by the high friction of exchanging paper records -- the very same friction, by the way, that prevents huge improvements in quality, safety, and cost of care.

We need to get rid of this friction, of course, because the benefits are so huge, but it has to be done under some type of policy and management umbrella that doesn't undermine security. HIEs can play a very beneficial role in this regard, because they can provide the policies, processes, staffing, experience, and technology to bring physicians "onto the grid" in a way that protects everyone's interests.

Tuesday, December 12, 2006

Happy Holidays from AHRQ

The Agency for Health Research and Quality will award almost $26 million in grants to support various approaches to improving quality and safety of care through health IT. The Ambulatory Safety and Quality Program is looking at 4 angles on how health IT can be used to improve quality:

Crank through the numbers and you get an average grant size of between $300K-$400K for 70-100 grants. The applications are due Feb 15.

These grants can be tricky because they can be money-losing if you're not careful -- you typically need to have considerable infrastructure in place already just to break-even. That said, AHRQ is the only real source of federal funds for many health IT initiatives across the country. The woefully under-funded Office of the National Coordinator typically gets only $100 million or so per year, none of which goes to local iniatives.

So even though the economics are questionable at best for many if not most potential applicants, they don't have anywhere else to go. With 165 health initiatives across the country scrambling for funding (according to the last count by eHI), competition for these AHRQ grants is expected to be especially fierce this round. If you have a family member involved in health IT and/or health quality research (and the Boston area has more of these folks than any other part of the country), you'll now understand why they might seem a little distracted over the holidays.

Monday, December 11, 2006

All in a day's work

I recently visited two of the practices that we’ve outfitted with electronic health records.

The first was a surgery practice whose head physician “greeted” me with a limp handshake and an icy stare and said: “So, you’re the CEO of the MA eHealth Collaborative? Well, that’s not anything to be very proud of, is it?” And before I could say a word, he turned and walked away. His office manager was mortified.

MAeHC has invested about $120,000 in this practice.

At the next practice, I walked in and standing there behind the front desk was a physician in a white coat, talking with the receptionist. “Are you Micky?” he asked. Still smarting from my first visit, I nodded, but hesitantly. He whipped around the front desk, arms stretched as wide as his grin, and hugged me. Yes, hugged me. “Thank you,” he said.

We’ve invested about $30,000 in this practice. Go figure………

Saturday, December 09, 2006

A PHR from my health insurer? No, thanks.

The buzz continues on personal health records. I got a call yesterday from a reporter asking for my views on PHRs. The Markle Foundation's Connecting for Health initiative just released a new report on PHRs (full disclosure: I'm on their Steering Committee). Paul Levy has recently written about Aetna's PHR on his blog.

I saw Aetna's October press release launching their PHR. I'm an Aetna subscriber, and unfortunately, the press release is all I've seen of their PHR. Actually, that's not really true -- they also have a video tour of their PHR on their website. What they don't seem to have is a place for me to actually create a PHR.

Until I can create one I won't know for sure, but I'm kind of hard-pressed to see what Aetna (or any health insurer) could offer in a PHR that would interest me anyway. I'm already able to access all of my claims on their website through their Aetna Navigator tool -- a great tool which has been there for years. I don't use it very often, but I like knowing it's there.

Through claims, Aetna knows a lot about what they've paid people to do to me -- give me a physical, a colonoscopy, some meds, a cholestrol check. What they don't know is the results of these activities. Was my colonoscopy normal? Do I have high cholestrol? That information is contained in my physician's record, which happens to be in a paper chart in Wellesley MA (I can't access it, but I know where it is!). If I had an Aetna PHR, it wouldn't have much more than my claims information, unless I typed it in........which means it wouldn't have much more than my claims information.

I pay thousands of dollars per year in premiums to Aetna. I'm just one customer, but I wish that my health insurer would devote much more money, PR, and imagination to getting an EHR into the hands of my doctor, and stop wasting my premium dollars on a PHR that I can't create and probably wouldn't use even if I could.......

Thursday, December 07, 2006

You can't get blood (or data) out of a stone

More details are now out on the Wal-Mart/Intel health records project. Turns out that it's a personal health records project called Dossia sponsored by the Omnimedix Institute. The project has gotten a lot of attention in the last couple of days. From what I can tell, the effort is, at best, a harmless sideshow. I just hope that it doesn't suck the wind from the sails of the many health IT efforts across the country today.

The reason I think this is a sideshow is that it is based on a faulty presumption, namely, that we can spur EHR penetration by giving PHRs to droves of individual patients. Those patients will want data to fill those PHRs, so the theory goes, and they will, in turn, pressure their physicians to purchase EHRs. Think of millions of patients, with their health-version of Quicken, pushing the "Download" button to get data from pharmacies, hospitals, labs, and physician offices.

The main problem with this approach is that it assumes that there's enough health data out there to make it worth my time as a patient to push the "Download" button. I don't think there is. Furthermore, I think it's a stretch to think that this approach will give enough push to the demand-side to affect HIT penetration.

First, on the availability of data. You have to get data into computers before you can get it out of them. Only 9% of physicians have a good EHR according to the CDC. Hospital use is higher but still not great. According to the American Hospital Association, 37% of hospitals have moderate to high IT implementation, and only 30% have implemented such functions as "access to medical records" and "access to medical history". Perhaps even more telling, a whopping 65% of hospitals say that fewer than 50% of their physicians use the IT that they've implemented.

So, the vast majority of data is still on paper. And even for the data that is electronic, no current systems that I know of have the ability to respond to an outside "query" (like a "Download" request from a PHR). With no physician data and no hospital data readily accessible, Dossia could prove to be very thin record indeed for quite awhile. There are no healthcare analogues to financial behemoths like Fidelity and Vanguard who can deliver a lot of data to a lot of people with a push of a button.

The structure of health care delivery will also make it difficult for even a Wal-Mart to have the leverage to drive higher IT adoption among physicians in this way. Walmart may have 1.3 million employees nationally, but most of them are distributed store-by-store in different health care markets across the country. With about 4,000 retail units in the US, each store employees about 325 employees. So they're spread pretty thin geographically.

On the supply-side, health care delivery is probably the most fragmented sector of our company -- it's very local, among both physicians and hospitals. With fragmentation on the demand- and supply-side of the equation, it's hard to see how a national player like Wal-Mart can exert influence on any given locality. For example, if I'm a doctor or hospital in a community with a Wal-Mart, I'm not going to have that many Wal-Mart employees as patients. So how much influence can their individual "Download" requests really have on my decision to purchase an EHR? In Bentonville, Arkansas, they can probably exert a lot of influence. I'm not sure they can in any other local markets. Sure, there are other employers involved, but it's hard to imagine that their employees' collective demand for PHR data will trickle through to the supply-side.

It's clear that Wal-Mart and many many other purchasers are absolutely fed up with spiralling costs and the seeming inability of the health care sector to modernize itself, and I think their frustration is absolutely justified. I just wish they'd channel their energy in more productive, collaborative ways.......

Wednesday, December 06, 2006

Privacy Request: Denied.

Yesterday's Guardian had a startling article on the British National Health Service's approach to patient privacy. The NHS is spending 24 billion pounds (ie, really really serious money) on wiring health care nationwide. They're providing EHRs to all physicians, linking them all up over a national network, and creating a national repository of patient-identified clinical data.

Back to the article. Patients have requested to opt out of the national network and repository, and the Government has rejected their requests!

Polls show that 53% of patients are opposed to having their data on the system, and as a result, 52% of general practitioners are opposed to providing their patient's data to the system without their patients' specific consent. Despite this overwhelming display of distrust, according to the article:

[T]he Department of Health said nobody could have genuine grounds for claiming "substantial and unwarranted distress" as a result of having their intimate medical details included on a national computer system, known as the Spine. For that reason, "it will not agree to their request to stop the process of adding their information to the new NHS database".

Yikes!! On top of the increasingly shrill reports of the technical problems the NHS project is suffering, it's hard to imagine that this project is going to get back on track anytime soon.

Back here in the colonies, we at MAeHC are also setting up data exchanges and repositories in our three pilot communities, but we're going with an opt-in approach, meaning that we won't exchange any patient's data without his/her specific, written consent.

This approach certainly takes longer and is definitely more logistically challenging than an opt-out (or the NHS approach of no-choice), but it appropriately puts the burden on us to get the trust of patients and physicians before we start letting their data fly. The very early returns on our experiment are that patients are overwhelmingly opting in -- still early, still small sample, but encouraging nonetheless. In the long run, I think this will build a deeper foundation for the whole enterprise going forward. When problems arise -- and they will arise -- patients will be more forgiving than if we hadn't asked their permission in the first place.....

Tuesday, December 05, 2006

Privacy rules

Sunday's NYT article touched on so many issues it was hard to address them at one sitting. The article asserts that concerns about privacy and security are the major obstacle blocking passage of pending bills on health IT. I wish that was true because it would mean that privacy concerns had become a higher priority than they have been up until now, and that there was agreement on all of other vexing issues in this area. Alas, I don’t think either is true.

Privacy and security are clearly important considerations on lawmakers’ minds, but equally if not more important barriers are:
  1. lack of budget
  2. blurry policy options, stemming from the complexity of health care delivery and little to no understanding at the federal level of the complexity of these issues
  3. disagreement (mostly ideological) on the role of government generally, and the divvying up of power between federal- and state-levels specifically
  4. lack of awareness among the public (or more specifically, voters) of the urgency of taking steps to improve the quality and efficiency of our care
The following commentary from iHealthBeat is indicative:

"Prospects look pretty good" for the 110th Congress to pass health IT legislation in 2007, Michael Zamore, a policy adviser for Rep. Patrick Kennedy (D-R.I.), said in an interview for an iHealthBeat special audio report. According to Zamore, health IT is a "great candidate" for bipartisan efforts because "it's teed up, it's kind of ripe, it's been kicked around, it's had a false start or two," and the "ideas have been percolating and vetted.

"David Merritt, project director at the Center for Health Transformation, said the opportunity still exists to pass a bipartisan conference bill during the 109th Congress' lame-duck session codifying the Office of the National Coordinator for Health IT and allowing hospitals anti-kickback exemptions to provide physicians with health IT equipment.

"Let's not throw away all the progress we've made up to this point simply because of the change in power," Merritt said. However, Zamore and Merritt agree that identifying funding for health IT initiatives with current budget deficits will be a challenge (Rebillot, iHealthBeat, 11/15).

The Democrats on the Hill (especially Ed Markey) do place a greater emphasis on privacy concerns than do the Republicans (outgoing Connecticut Republican Congresswoman Nancy Johnson's bill was silent on the issue, for example), so maybe this will rise in importance in the new Congress. In this environment though, I think cash (or lack thereof) will still be king......

Monday, December 04, 2006

Do the right thing

Yesterday’s New York Times article on privacy and security of electronic health records, coupled with an article in the Wall Street Journal last week on WalMart’s foray into electronic health records, points to what could be an ominous twist in the movement to expand the use of EHRs and health information exchange in health care delivery. Large businesses -- burdened by spiraling costs of health cost premiums -- are increasingly investing in technologies to gather health information on their employees to try to more directly manage (and, they hope, stanch) the growth of these costs.

I completely sympathize with the plight of these businesses -- MAeHC is a small business, after all. I also applaud their recognition of the key role that EHRs and clinical IT can play in improving health care delivery. Yet, their whole approach raises serious concerns for patient privacy. By creating proprietary systems to gather and control the health data of their employees, these companies are, perhaps unwittingly, stumbling into the most important and fragile issue in the health IT debate.

There is an irony in all of this. Some existing privacy laws, which were designed for paper-based records, don't make sense in an electronic world, and indeed, are in some cases presenting obstacles to better management of electronic data in ways that no one could have anticipated at the time. Many of those laws were designed to prevent employers from getting access to sensitive information that could affect a person's employment status. Employers need to be hyper-sensitive to those concerns. If they appear to be violating the spirit (even if not the letter) of those laws, it will sow seeds of patient distrust and perhaps draconian laws that will undermine not only their own efforts but also the many community-based efforts around the country that are working hard to do this the right way, namely, using IT to empower physicians and patients to improve the cost-effectiveness of care.

While there is a crying need to bring modern IT systems to health care delivery, this effort won’t be economically or morally sustainable if it’s not based on trust. Patients and physicians have to trust the systems being created. Otherwise, patients won’t agree to having their data in these systems, and physicians won’t agree to using them because they’re concerned about their patients’ privacy and about the legal liability associated with breaches of confidentiality. But neither patients nor physicians will trust these systems if they aren’t set up with privacy as a fundamental design consideration, rather than a bolt-on afterthought.

The reason that employer- and insurer-based schemes are problematic is that they undermine what I think of as a core principle of health information exchange – the need to create the healthcare equivalent of a Chinese Wall between those who collect and aggregate the data on behalf of providers to facilitate direct care delivery, and non-providers who would use the data for any purpose other than direct treatment of patients. Just because electronic data is more easily available for treatment purposes doesn’t mean that we permit it to be more easily available for other purposes. Data collection and aggregation may happen in a new way (ie, using EHRs and secure networks), but access has to happen the old way (ie, explicitly negotiated among the owners and key stakeholders). This is the principle behind such leading community-based efforts as the MA-SHARE, RIQI, IHIE, HealthBridge, THINC, and MAeHC.

So how do you do that? Create, operate, and govern these systems by building on the trust engendered in today’s physician-patient relationship. Patients have a well-placed trust in their physicians. Physicians will only use the systems if they’re valuable from a user design perspective and they promote their patients’ welfare. Rather than setting these systems up as proprietary company systems, they need to be set up more like public utilities. Put hospitals, physicians, and patients in joint control of these systems so that they are designed, managed, and governed by those who are going to be using the systems. These key stakeholders will get behind investments in “wiring” the care delivery system to improve quality, safety, and efficiency; what they won’t get behind is investments whose primary aim is surveillance.

I suggest that employers should get out of the business of trying to electronically capture their employees’ detailed health information, and into the business of getting health care providers to embrace information technology that improves the quality, safety, and efficiency of care. It's fair for them to want better data to measure performance, but they can get that without demanding access to detailed patient information. They can create urgency for better system performance using basic supply chain management principles that they're very familiar with: Invest in their healthcare delivery supply chain by setting basic technology and interoperability requirements for their suppliers (ie, providers), and facilitate their providers’ ability to meet these standards.

So, the program would run as follows. First, require physicians to use EHRs, help physicians pay for the upfront costs of getting outfitted with solid EHR systems, and train them and their staff to use the systems effectively. Second, require them to participate in data exchange networks that facilitate the effective coordination of care and the efficient transmission of clinical information. Third, put in place a new funding model that redirects reimbursement toward paying physicians for improving peoples’ health and away from paying them for the volume of care delivered and/or complexities that arise with their patients due to poor physician performance.

All of this is, of course, easier said than done, and no one knows that better than those of us slogging away in the trenches. But if Walmart and Pitney Bowes and IBM and UPS spent more time working with existing community-based efforts, and less time building their own proprietary data warehouses, it would happen faster than they might think, and it would be lasting and sustainable. There are many community-based efforts out there trying to do just this, and they could benefit enormously from the resources (financial, technical, and managerial), encouragement, and old-fashioned kick-in-the-pants that only the business community can provide.

I think the message employers should send to their employees is: “We don’t want your personal health data, but it's in everyone's interest to better monitor the overall performance of our insurer/provider network because the quality, safety, and cost of health care affects all of us.” That would reinforce the message that they’re not trying to undermine the sanctity of the doctor-patient relationship, but rather, trying to improve the performance of the overall system to better serve physicians, patients, and purchasers alike.

Thursday, November 30, 2006

Hi, I'm from WalMart and I'm here to help.....

Yesterday’s WSJ reported on a WalMart/Intel collaboration in digital health records. I don’t have a well-formed opinion yet on whether this is good news or bad news for the HIT adoption effort that many of us are engaged in, partly because the article didn’t provide a whole of detail on what this collaboration is actually doing. So let me proceed, but with caution. John McDonough asks whether this might be a “disruptive technology”. I don’t think so. He also asks whether this will complement the work of MAeHC and others involved in promoting HIT adoption. I do think so.

On the technology question, it’s not obvious what’s meant by “digital records for employees” and “portable electronic records.” Patients don’t document medical care, physicians do. And only 10-15% of physicians have EHRs, and most of the country’s 7600 hospitals don’t have accessible data either, so unless this is really a program giving digital records to physicians – and then giving patients access to those records – I don’t see how patients will benefit much.

Perhaps the WalMart model will be based on models that are already out there for the two types of data that are already electronic: claims and prescriptions. Health insurers are well down the road toward providing claims-based PHRs for patients, and AHIP has even brokered a deal for portability of the data across health plans. Revolution Health is going to build a portal that allows patient access to health financial information and health education information. KatrinaHealth is a patient-centric digital record of prescription information. None of these incorporate any hospital or physician information (ie, what we typically think of as our medical records) for the same reason noted earlier, namely, the data isn’t accessible electronically.

So, I don’t think this is a “disruptive technology” from a technical or innovation perspective – I personally don’t believe that there’s a technology magic bullet out there (though we all keep wishing for one!). The main obstacles, as always, are structural (our health care delivery and financing system is broken) and cultural (providers are notoriously independent and resistant to change, and patients think they get the best care in the world, even though there’s tons of evidence that they don’t).

I also don’t think it’s a “shift left” a la Andy Grove. You can’t get data out until someone puts it in, so I don’t think there are any good shortcuts here. It also has to be good data -- you can’t aggregate data that isn’t structured, so having physicians use word processors rather than real EHRs won’t facilitate data warehouses and will actually set them back 10-15 years. I agree that we don’t want to have complex technology be a barrier to adoption, but it needs to be sophisticated enough to deliver value.

That said, I do think this WalMart effort might exert “disruptive pressure” which could push the agenda forward and be very helpful to efforts such as MAeHC. The problem in HIT is that there’s no compelling reason for physicians to adopt EHRs or for providers to link up their systems once they have them. Most efforts to date have focused on the supply-side (ie, providers) because there’s been no real pressure from the demand-side (patients and employers, and their proxies, the insurers). Pay-for-performance may be an indirect means of forcing technological transformation, but it’s indirect. By contrast, when working with their other supply chains, WalMart, GM, Intel, and others insist that their vendors set up electronic data interchange systems that allow real-time inventory management, order management, delivery tracking, etc. If employers start thinking of their health care supply chain in the same way – and require that providers have EHRs and interoperability – they will fundamentally alter the pace of change by creating urgency, where none really exists today. Patients will be the main beneficiaries in the end.

I think it’s fair for all of us to be concerned about anything related to healthcare that WalMart is involved in, because their business success is based on cost-reduction, not on maintaining high quality products or service, and they apply this approach to their suppliers and to their employees alike.

I also worry that there could be an element of coercion in their model as described. Will they derive revenue from selling the de-identified data from the warehouse? Will they ask patient permission to sell this data (HIPAA doesn’t require it)? Will they share the revenues with their employees? My fear is that the answers to these questions aren’t on the side of their employees. WalMart of course would argue that the data is theirs since they’re holding it, paying for it, and de-identifying it (I guess possession is 9/10 of the law, or something like that). Yet another reason that we should move away from our system of employer-sponsored health benefits, but I’ll wait for John McDonough to open up that can of worms……

Tuesday, November 28, 2006

Promising data on clinical performance measurement

A lot of us hold the faith that pay-for-performance will be key to getting wider adoption of health IT systems in physician offices. This faith rests on the assumption that we can get doctors to use EHRs to record clinical data in ways that are meaningful, easy to gather, and comparable across physicians and over time. An article in the most recent issue of the Archives of Internal Medicine highlights the opportunities and challenges here and I think will be just the beginning of a much richer and more realistic discussion of these issues.

The authors of "Assessing the Validity of National Quality Measures for Coronary Artery Disease Using an Electronic Health Record" looked at quality measurement at a large internal medicine practice using a "commercial EHR" (they don't say which EHR they're using). They found that the actual performance of the physicians along several measures was better than their estimated performance, which was calculated from data automatically extracted from their EHRs. They conclude that:
"Profiling the quality of outpatient CAD care using data from an EHR has significant limitations. Changes in how data are routinely recorded in an EHR are needed to improve the accuracy of this type of quality measurement."

My reading of their study is that the authors raise legitimate concerns about the difficulty of using such data, but their conclusion overstates their case. They correctly point out that the real issues are not about technology, per se, but about process -- physicians don't routinely enter data in a way that makes it easy to do accurate calculations. For example, if you don't enter blood pressure readings as numeric data in the blood pressure fields of the EHR, you won't get "credit" for having taken the blood pressure.

More generally, they point to four sources of error:

  1. Wrong diagnosis (ie, person diagnosed as having CAD when they didn't);
  2. Data not entered as numeric or structured data (ie, they may have treated a person with aspirin, for example, but they buried that fact in a text note rather than entering it in the medication list)
  3. Exclusion criteria are not standardized (ie, there's no standard way to record the fact that a patient may not qualify for the treatment in question, which shouldn't count against the physician); and
  4. Measures don't account for patient non-adherence (ie, the patient doesn't comply with the physician's treatment decision, for example, doesn't take a lipid-lowering drug even though the physician recommended it and prescribed it).

Frankly, the only one of these problems that I find new and thus troubling is the third one regarding exclusion criteria, because the others are well known and they will become less severe over time as people get used to them. Entering consistent exclusion criteria is very complicated, however, because they are so measure-, condition- and patient-specific, there are no standards out there that I'm aware of, and the EHRs I'm familiar with don't have a good way to record this information systematically anyway. So, we need to figure out a way to address this issue.

That said, it's not clear how big these problems are in the scheme of things, however. It turns out that even with these problems, the automated measures performed pretty well -- the physicians were at 82% success on the measure they did worst on, which improved to 87% once corrections were made for the issues noted above. On the measure they did best on their scores went from 98% success to 99% after adjustment. While we'd obviously like these measures to be as accurate as possible -- particularly when quality and compensation are on the line -- this level of mis-measurement is surprisingly low given that we're really at the beginning of the beginning of clinical performance measurement.

Perhaps a bigger issue that the study doesn't address is what to do about so-called "ceiling effects." How are we going to tell the difference between physicians who are already high-performing? Is there really a difference between physicians performing at 98% vs 99%? And how do we tell the difference between physicians who are both performing at 100%? This suggests that we'll need increasingly granular measures to show variation in performance, if that's what we want to show. Or, do we just care that physicians get to an acceptably high level?

No one has any answers to this yet, of course, but the data from this study suggest that we may have to figure it out long before at least I thought we would. And doing this without having physicians feel that the goalposts are always being moved could be a much bigger issue than the technical arguments about measures that dominate the conversation today.

Tuesday, November 14, 2006

What would Say say?

The French economist Jean Baptiste Say is famous among economists for Say's Law, which essentially states that supply creates its own demand. When I was taught Say's law in school, it was positioned from the start as a discredited theory that was important to a fringe element, but otherwise largely dismissed by John Maynard Keynes and others in the mainstream of neoclassical economists. Today's article in the New York Times about gastroenterologists made me think that Say's Law, while maybe not generally applicable, might be alive and well in certain sectors of the economy. Health care delivery, for example.

The article describes how gastroenterologists might soon face a crisis as technological advances in imaging technology may make virtual colonoscopies preferable over actual colonscopies. Since colonoscopies are performed by gastroenterologists and virtual colonscopies by radiologists, this could represent a signficant shift of patient traffic away from gastroenterologists.

In a well-functioning market, this trend would, over time, foster decreases in the supply of gastroenterologists. The Times article suggests that this won't be the case, however, because gastroenterologists will find something else to do to make up for the lost income, such as performing other types of procedures. Thus, while the number of colonscopies performed may go down, they will be replaced by other types of gastroenterology procedures. As one physician noted in the article, "We have a lot of organs. The esophagus, the stomach, the small bowel, the liver, the pancreas. I think we've got a lot to do."

This phenomenon is not unique to gastroenterologists. Dr. Jack Wennberg and his colleagues at Dartmouth have made a cottage industry of showing how regional variations in medical practice are directly linked to the relative supply of specialists who perform the practice. Certain regions have more C-sections not because they have more high-risk pregnancies, but rather, because there are more ob/gyn's in the area. The ghost of Say lives on.

Of course, Say's Law doesn't apply everywhere. Purveyors of health IT have implicitly applied Say's Law in the past, but with disasterous consequences. About 20 years ago the CHINs (community health information networks) adopted this Kevin Costner view of economics ("if you build it, they will come") and as a result none of them are still standing. A number of the "RHIOs" out there today may suffer the same fate. We've found in our MAeHC pilot projects that the demand for HIE products and services is actually multi-dimensional and complex. While results delivery and basic electronic data exchange are minimum requirements, applications like electronic referrals tracking, quality data aggregation, and forms routing are also important to physicians. HIEs that launch without deep consideration of what physicians are actually demanding do so at their own peril.

Sunday, November 12, 2006

Every silver lining has a black cloud

Two recent surveys of clinical IT use in the US offer some good news about increased use of clinical IT among physicians. The Center for Studying Health Systems Change, and the National Center for Health Statistics, have both recently issued reports on clinical IT penetration that shows steady growth among physicians over the past five years. Before you get too excited by this trend, however, you may want to take a quick look at some of the underlying data in these reports, because there may be more bad news than good.

I find two things particularly troubling. First, the digital divide is increasing. If you look at which physicians are increasing their use, you find that growth among large practices (especially those with over 50 physicians) is masking pathetically low growth among smaller practices (10 physicians or fewer). The CSHSC study found that while physicians in large practices increased their use of clinical IT systems by 18 percentage points between 2001 and 2005, those in smaller practices increased by only 7 percentage points over the same time. And even after all this growth, the NCHS data show that if you look at all of the physicians who don’t have an EHR, 90 percent of them are in small practices (10 physicians or fewer). Yet, those smaller practices account for the vast majority of the country’s ambulatory doctors (88 percent, according to NCHS), and outpatient visits (87 percent, according to the most recent data from the National Ambulatory Care Survey).

Since most patients go to the doctors who are least likely to have an EHR, less than 1 in 5 office visits (17 percent) are with doctors who use some type of clinical IT. Thus, as bad as the digital divide is among doctors, it's even worse for patients.

The second thing I find troubling is that those physicians who report using clinical IT are using only the most rudimentary types of systems, and those systems, in turn, offer only the most rudimentary types of benefits. The macro data from NCHS makes this abundantly clear. While almost 24 percent of physicians report using an EHR, only 9 percent are using what most of us in the field would really call an EHR (ie, one that has e-prescribing, ambulatory CPOE, electronic results, and electronic documentation). If you asked what fraction are using an EHR that would pass muster by either the CCHIT or the ISO standards, I suspect that we’d have way less than 9 percent.

As another example, take the CSHSC data noted above. While there was general increase in the use of clinical IT systems, most of that change was driven by increased electronic access to guidelines and use of electronic documentation of notes. Guidelines are great, but there isn’t much evidence that access to guidelines by itself does much to improve the quality, safety, or efficiency of care. Similarly, electronic documentation is only valuable when done in a qualified EHR system (for example, one that uses structured data to trigger decision support tools), and I suspect that most of what’s reported here is little more than word processing. Good for eliminating transcription costs, but doesn’t do much for the quality of care.

By contrast, the CSHSC report shows very little growth in the use of functions that have been shown to give value, such as reminders and e-prescribing. Among small physician practices, use of such systems grew at the glacial pace of about 1 percentage point per year between 2001 and 2005. And this growth is on a surprisingly low base of adoption – only 14 percent of physicians in small practices (9 or fewer) reported using e-prescribing in 2005. Reminder generation shows somewhat higher adoption (25 to 28 percent), but similarly slow growth (about 1 percentage point per year).

The bottom line for me on these studies is that growth isn’t happening when we want it to (now), where we want it to (in the practices that see the most patients), or how we want it to (in the functions that offer the greatest value in terms of quality and efficiency). There’s a more insidious aspect to this as well. If we hype clinical IT without guiding how it gets implemented, we run the risk of having large numbers of physicians getting locked into systems that offer relatively little real benefit to patient care. At MAeHC we've found that it's easier to move physicians from paper to a qualified EHR than it is to move them from half-measure electronic systems. If current national trends continue, the tyranny of avoiding “rip and replace” will become a bigger obstacle than it already is today.

Aside from these small quibbles, letting the market take care of this seems to be working out just fine……..

Monday, October 09, 2006

Welcome

I'm going to use this space to communicate some of my perspectives on eHealth. I'll focus on issues where I have the most interest and experience, namely, electronic health records, health information exchange, and the medical, economic, business, legal, sociological, and cultural issues surrounding adoption of information technology in clinical settings.

Please note that the opinions and references expressed in this space are my own. I don't clear my comments with anyone else, so no one else should be held accountable for what I say in this space. In particular, the opinions and references published here do not necessarily represent the views of my employer, the Massachusetts eHealth Collaborative, or its Board members, funders, or any participants in our pilot projects, nor do they necessarily represent the views of any other organization with which I am formally affiliated or advising.