Wednesday, February 28, 2007

What is the federal approach to privacy and HIT?

While I was away on vacation last week, HealthcareITNews published the following: "Federal privacy panel leader resigns, raps standards". It describes how privacy expert and advocate, Paul Feldman, has resigned his position as co-chair of the Confidentiality, Privacy, and Security Workgroup of the American Health Information Community (AHIC).

For those of you who don't know, AHIC is an advisory group -- chaired by HHS Secretary Mike Leavitt -- that is supposed to make recommendations to the federal government on how to accelerate HIT adoption. Since 9 out of its 18 members are federal or state government employees, I'm not sure how much of a "community" it really is, but that aside, it's chaired by the Secretary himself so it's clearly important. (Then again, since the government is responsible for 2/3 of all health care spending in the US, maybe the government is under-represented on this panel. And maybe we should more seriously consider a single-payer model since we're almost there anyway. But I digress.....)

It's hard to know from the outside what's really behind public resignations of this type, but the very fact that it's happened is not good. Feldman's letter of resignation cites the following:

We have determined we are unable to continue given that the workgroup has not made substantial progress towards the development of comprehensive privacy and security policies that must be at the core of a nationwide health information network (NHIN)...We support the development of an NHIN with strong and enforceable privacy and security rules in place and believe that the failure to achieve a privacy framework acts as a significant barrier to a robust and secure environment for e-health.

It would be one thing if this was an isolated incident. Unfortunately, it comes on the heels of a GAO report whose title says it all: "Health Information Technology: Early Efforts Initiated but Comprehensive Privacy Approach Needed for National Strategy". And last summer, the National Committee on Vital Health Statistics issued a report with similar findings.

While I wouldn't say this is much ado about nothing, I do think it's much ado about the wrong thing. Both Feldman and the GAO focus on the need for standards for a national network, citing President Bush's goal of having this in place by 2014.

As interesting as that discussion might be, I don't think an interoperable national network is going to happen by 2024, let alone 2014. Indeed, we don't even know what we should argue about because we don't know what such a network would look like, let alone when it would be created. For example, if the only justification for a national network is to aggregate deidentified data for population health measurement, there are a whole host of issues that we don't have to argue about. Worrying about too many of these details now is like fretting over relocation policies for coastal communities displaced by rising seas from global warming -- let's worry about it if the time comes.

Where we should focus attention is on where the action is: state- and local-networks. Many such networks will be up and running in the next few years (including three MAeHC networks before the end of this year). Yet, there is tremendous variation in state privacy policies at present. For many states, HIPAA is the binding constraint. For others, like Massachusetts, state privacy standards are much higher.

Anyone putting systems in place right now is basically making up a whole bunch of stuff as they go (with varying degrees of diligence). They're doing this because they have to. Federal and state laws aren't nearly clear or detailed or coherent enough, lessons learned in one state don't always translate to other states, and the urgency to get systems in place won't wait for the law to catch up.

Yet, the question remains, shouldn't a citizen of Louisiana or Ohio expect to have the same basic privacy protections as a citizen of New York or Massachusetts? That question won't be answered by setting policies for a national network that may never be built -- rather, it requires discussion of how to regulate state- and local-networks that are already being built, and in particular, on whether HIPAA and other federal privacy statutes and regulations provide an adequate floor of privacy protections for such networks.

The federally-sponsored Health Information Security and Privacy Collaborative (HISPC) is currently doing an inventory of state-level privacy policies, which is a necessary step in the right direction. (The MA-HISPC project is doing this work for Massachusetts.) The first results from this work are going to be presented in Washington on March 5-6. Whether this work is progressing nearly fast enough to address what's already happening on the ground remains to be seen.......

Monday, February 26, 2007

A sober discussion on the state of health care

The March 2007 issue of Boston magazine ("Here's to your health") has a fascinating roundtable discussion on health care delivery in Massachusetts led by Jerome Groopman (local physician and writer for the New Yorker), and including:

  • Paul Levy (Beth Israel Deaconness Medical Center)
  • JudyAnn Bigby (MA Secretary of HHS)
  • Paula Griswold (MA Coalition for the Prevention of Medical Errors)
  • Charlie Baker (Harvard Pilgrim Healthcare)
  • Kathleen Davidson (formerly of Boston Medical Center)
  • Victoria McEvoy (MA General West Medical Group)
  • Teresa Schraeder (New England Journal of Medicine)
  • John Wong (Tufts-New England Medical Center)

(It looks like Boston delays on-line availability of its current issue, so if you want to read this in the near future you'll have to either buy it or speed-read it while you're in line at the grocery store).

Among a lot of interesting threads in the discussion was the following:

  • Quality measurement is difficult in part because physicians currently resist measurement, rightly (Bigby), wrongly (Levy), or innately (Baker);
  • Financial incentives that differentiate among physicians using quality measures are problematic because they are too crude (McEvoy), or they measure the wrong things (Groopman, Bigby);
  • One of the biggest problems in health care is that we don't devote enough resources to primary care (Groopman, McEvoy, Baker, Levy), but we're not going to get new money into the system, and reallocating funding from specialties to primary care is pretty much impossible unless Medicare does it first (Baker);

The biggest disconnect (I couldn't tell if it was a real difference of opinion) was on the issue of whether the system is in crisis because of too much change or too little change.

Making the case for too much change, Schraeder argues that the intrusion of "industry" into what has traditionally been been a "non-profit public service" has taken control away from physicians, which presumably has hurt the quality, safety, and efficiency of care. (Schraeder's assertion is only true if you think of independent physicians as being "non-profit" which, of course, they're not.) McEvoy argues that current quality measures imposed by insurers are distorting care away from higher quality, by forcing physicians to spend too much time on the wrong things (and collect data on the wrong things), and not enough time listening to and managing patients.

On the other hand, others argued that the problem is that we've had too little change. Groopman notes that physicians misdiagnose patients perhaps 20-25 percent of the time in the traditional model. Though the Boston article doesn't elaborate on this point, Groopman's article (What's the trouble?) in the January 29 issue of the New Yorker does. In it he describes how snap diagnoses that often turn out to be wrong are the result of traditional and long-standing physician training and decision-making approaches. Not, as McEvoy suggests, from being forced to see too many patients or from the need to fill out templates. Furthering the argument that we need more change, not less, Wong points to the now well-known results from "How good is the quality of healthcare in the United States?" that we only get good care 50 percent of the time.

At one point in the discussion, Charlie Baker noted that the problems of health care are "profoundly more difficult than most people realize." After reading the various viewpoints in this discussion, I think that Baker is a wild-eyed optimist....

Thursday, February 15, 2007

Keeping my fingers crossed for Kaiser

There was a depressing story in today's Los Angeles Times about Kaiser's $4 billion EHR implementation project. Apparently, technical problems with the project have dramatically increased costs (by about $1 billion) and are also threatening patient safety. Not suprisingly, morale seems to be dropping faster than George Bush's credibility (okay, maybe not that fast), and it's not clear that management has fully grasped the seriousness of the situation, as reflected in the following pair of quotes:

"This is the worst [technology] project I have seen in my 25 years in the business," said Andrew Brewer, a systems analyst for Kaiser who worked on the project for two years before voluntarily leaving the HMO last week.

"This is one of the largest and most ambitious efforts anywhere in the world to modernize our healthcare system," Kaiser Chief Executive George Halverson said. Considering that, he said, "it couldn't be going better."

As one who's also on the front lines of EHR implementations, I feel Kaiser's pain. Large-scale EHR implementation is extremely challenging, and the end-users are usually not nearly as flexible and forgiving as they should be given the immaturity of the technology.

Though they're a continent away, I'm worried about Kaiser's implementation, because a failure at Kaiser will reverberate throughout the healthcare industry. Why is that? It's because when you tick off the key success factors for effective EHR implementation, Kaiser seems to have it all.

As an HMO, they are both insurer and health care provider, which means that they stand to capture all of the benefits of their EHR. They can order their physicians to use the systems in ways that offer the greatest value, and they can fully capture all of the gains that accrue from better outcomes, higher safety, and cost efficiency. They've got world-class researchers who can use the EHR data to not only better measure their own progress, but to also generate tons of interesting and ground-breaking research. Finally, they've got an extremely capable staff, and they're using one of the best EHR products from one of the most highly regarded EHR companies in the industry (Epic).

In short, if Kaiser can't get this done, and also show that they're getting real value after it's up and running, there'll be a lot of disillusionment about the prospects of getting it done among the 80% of physicians who don't have an EHR today -- physicians who don't have anywhere near the sophistication, resources, and incentive that Kaiser has.

So, best of luck, Kaiser, in your efforts to turn this around. I'm rooting for you!

Wednesday, February 14, 2007

Is CCHIT becoming the Good Housekeeping Seal of Approval?

The Certification Commission on Health IT recently announced that, in 9 short months, it has certified 55 EHRs. This means that 25% of the EHR market is now certified.

Maybe it's just me, but I wonder if this is an indication that we've set the bar too low. Don't get me wrong -- the CCHIT is driven by people who are way smarter than me on this stuff, and they're doing excellent work. And clearly, the market has suffered from a lack of standardization.

Yet, I had expected (perhaps naively) that CCHIT certification would help drive an industry shakeout. But as I see the numbers and scan the list of vendors who've made the grade, that's looking less likely (go here to judge for yourself). Rather, this is looking more and more like the type of ubiquitous certification - UL and Good Housekeeping come to mind -- that provides a broad level of comfort around very basic criteria that define minimum capability, but don't do much to separate the wheat from the chaff.

There is an argument that the UL-type of very basic standardization is market-expanding (and therefore, good). In markets where consumers have a hard time distinguishing among products on their own (due to product complexity, for example), strong brands will dominate unless other sources of trusted information or assurance are available. For example, I can't tell whether the wiring in my toaster is safe, but the UL label assures me that it's been built according to standards that minimize safety risks -- a valuable assurance that we've come to take for granted in the US and Europe. (I lived in India for awhile where, after a few good electric shocks, I learned to appreciate the safety that this type of certification provides.)

A recent Business Week article argues that CCHIT's approach to this type of market-expanding certification is changing the EHR industry:

EHRs require hardware, software, databases, networks, and, at their most advanced, picture archives of radiology and pathology images. Specialized health-care IT vendors such as Cerner, McKesson, Eclipsys, and Allscripts previously sought to establish widespread EHR networks, with limited success. The new federal government initiatives are reinvigorating the field.

Even as these companies renew their efforts to tap the market, they face increasing competition from deep-pocketed first-time entrants. These include the world's top three diagnostic imaging companies, Siemens , General Electric, and Philips Medical Systems, a unit of Philips Electronics.

It's a tempting argument -- but I think it's wrong. The BW article doesn't recognize that the ambulatory EHR market is different than the hospital market, in part because BW has the usual biz pub bias toward reporting on publicly-traded companies. (I especially like their claim that GE is new to the EHR field.)

Of course, there is value in ubiquitous, trusted certification. However, when it goes too far it undermines its own raison d'etre. Neighborhood Watch signs are a good example. These signs are everywhere, which suggests that they have no effect whatsoever. I'm guessing that once every neighborhood got "certified", it just brought everyone back to square one on crime, because the signs were no longer effective tools for distinguishing one neighborhood from another.

In my view the biggest problem in the EHR market isn't that there are too few entrants, but rather, it's that there are too many. There are over 200 EHR companies in the country today, most of them privately-held; pruning, not fertilizing, is what the market needs to grow. A certification process that gives everyone a seal of approval won't solve that problem.

Saturday, February 10, 2007

Massachusetts among 16 states that don't require notification of data breaches

A new survey published in the Journal of the American Health Information Management Association made me aware of something that hadn't caught my eye before. Massachusetts, my home state, is one of a minority of states that DOES NOT have a data security breach notification law. California, which enacted its law in 2003, has the strongest such law in the country and was the inspiration for many other states' laws. In 2006, 27 states had such laws; beginning on January 1, 2007, 7 more state laws went into effect. But not in Massachusetts.

I'm not sure how much such laws do -- in Massachusetts, for example, TJX recently reported a huge data spill despite the fact that we have no such law, and according to a recent survey by PricewaterouseCoopers, as many as 1 out 6 companies required to comply with the California law do not do so.

Ironically, the market may be taking care of this in ways that it hasn't been able to before. TJX stock plummeted after the Massachusetts Bankers Association directly linked cases of fraud to the data spilled by the company (click here for an interesting description of this).

There is much talk about the need for more transparency in the healthcare market. Most healthcare organizations aren't publicly traded, of course, but the idea is that patients will vote with their feet if they see meaningful differences in health care quality among providers. If data breaches start becoming more widely reported, data security could become another factor that patients use to decide where they get their care.