Yesterday’s New York Times article on privacy and security of electronic health records, coupled with an article in the Wall Street Journal last week on Walmart’s foray into electronic health records, points to what could be an ominous twist in the movement to expand the use of EHRs and health information exchange in health care delivery. Large businesses -- burdened by the spiraling cost of health premiums -- are increasingly investing in technologies to gather health information on their employees to try to more directly manage (and, they hope, stanch) the growth of these costs.
I completely sympathize with the plight of these businesses -- MAeHC is a small business, after all. I also applaud their recognition of the key role that EHRs and clinical IT can play in improving health care delivery. Yet, their whole approach raises serious concerns for patient privacy. By creating proprietary systems to gather and control the health data of their employees, these companies are, perhaps unwittingly, stumbling into the most important and fragile issue in the health IT debate.
There is an irony in all of this. Some existing privacy laws, which were designed for paper-based records, don't make sense in an electronic world, and indeed, are in some cases presenting obstacles to better management of electronic data in ways that no one could have anticipated at the time. Many of those laws were designed to prevent employers from getting access to sensitive information that could affect a person's employment status. Employers need to be hyper-sensitive to those concerns. If they appear to be violating the spirit (even if not the letter) of those laws, it will sow seeds of patient distrust and perhaps draconian laws that will undermine not only their own efforts but also the many community-based efforts around the country that are working hard to do this the right way, namely, using IT to empower physicians and patients to improve the cost-effectiveness of care.
While there is a crying need to bring modern IT systems to health care delivery, this effort won’t be economically or morally sustainable if it’s not based on trust. Patients and physicians have to trust the systems being created. Otherwise, patients won’t agree to having their data in these systems, and physicians won’t agree to using them because they’re concerned about their patients’ privacy and about the legal liability associated with breaches of confidentiality. But neither patients nor physicians will trust these systems if they aren’t set up with privacy as a fundamental design consideration, rather than a bolt-on afterthought.
The reason that employer- and insurer-based schemes are problematic is that they undermine what I think of as a core principle of health information exchange – the need to create the healthcare equivalent of a Chinese Wall between those who collect and aggregate the data on behalf of providers to facilitate direct care delivery, and non-providers who would use the data for any purpose other than direct treatment of patients. Just because electronic data is more easily available for treatment purposes doesn’t mean that we permit it to be more easily available for other purposes. Data collection and aggregation may happen in a new way (i.e., using EHRs and secure networks), but access has to happen the old way (i.e., explicitly negotiated among the owners and key stakeholders). This is the principle behind such leading community-based efforts as MA-SHARE, RIQI, IHIE, HealthBridge, THINC, and MAeHC.
So how do you do that? Create, operate, and govern these systems by building on the trust engendered in today’s physician-patient relationship. Patients have a well-placed trust in their physicians. Physicians will only use the systems if they’re valuable from a user design perspective and they promote their patients’ welfare. Rather than setting these systems up as proprietary company systems, they need to be set up more like public utilities. Put hospitals, physicians, and patients in joint control of these systems so that they are designed, managed, and governed by those who are going to be using the systems. These key stakeholders will get behind investments in “wiring” the care delivery system to improve quality, safety, and efficiency; what they won’t get behind is investments whose primary aim is surveillance.
I suggest that employers should get out of the business of trying to electronically capture their employees’ detailed health information, and into the business of getting health care providers to embrace information technology that improves the quality, safety, and efficiency of care. It's fair for them to want better data to measure performance, but they can get that without demanding access to detailed patient information. They can create urgency for better system performance using basic supply chain management principles that they're very familiar with: Invest in their healthcare delivery supply chain by setting basic technology and interoperability requirements for their suppliers (i.e., providers), and facilitate their providers’ ability to meet these standards.
So, the program would run as follows. First, require physicians to use EHRs, help physicians pay for the upfront costs of getting outfitted with solid EHR systems, and train them and their staff to use the systems effectively. Second, require them to participate in data exchange networks that facilitate the effective coordination of care and the efficient transmission of clinical information. Third, put in place a new funding model that redirects reimbursement toward paying physicians for improving people’s health and away from paying them for the volume of care delivered and/or complexities that arise with their patients due to poor physician performance.
All of this is, of course, easier said than done, and no one knows that better than those of us slogging away in the trenches. But if Walmart and Pitney Bowes and IBM and UPS spent more time working with existing community-based efforts, and less time building their own proprietary data warehouses, it would happen faster than they might think, and it would be lasting and sustainable. There are many community-based efforts out there trying to do just this, and they could benefit enormously from the resources (financial, technical, and managerial), encouragement, and old-fashioned kick-in-the-pants that only the business community can provide.
I think the message employers should send to their employees is: “We don’t want your personal health data, but it's in everyone's interest to better monitor the overall performance of our insurer/provider network because the quality, safety, and cost of health care affects all of us.” That would reinforce the message that they’re not trying to undermine the sanctity of the doctor-patient relationship, but rather, trying to improve the performance of the overall system to better serve physicians, patients, and purchasers alike.