Sunday, December 31, 2006

Confidential data -- an eye for an eye?

Sorry for the blog silence -- I've been on holiday.

While I was away, I saw this interesting poll in USA Today (12/28/06). Over 100 security professionals were asked "How should companies that expose confidential data be penalized?".

Here are the results:
  • 48% -- Make the CEO's private information public
  • 26% -- Criminal fines
  • 24% -- Civil fines
  • 2% -- No penalty necessary

Half (!) of the respondents supported an "eye-for-an-eye" type of justice. This has interesting implications in the medical world ("Doctor, you released my colonoscopy results so we're now going to publish yours on the web...").

Finally, remember this was a poll of security professionals -- just imagine what a poll of patients might find.......


Tuesday, December 26, 2006

Money alone won't solve the EHR problem

The amednews recently published an article detailing the saga of a practice that had a failed EHR implementation. The article notes that something like 1 out of 3 EHR implementations ends up in failure, which the article defines as a de-install. If you include the EHR implementations that are permanently stuck -- meaning that the practice implements basic scheduling and billing, but nothing else -- that could mean that 1 out of every 2 EHR implementations are effectively failures.

I don't want to get into whether the EHR system or vendor itself contributed to the failure described in the article; both of the vendors mentioned in the article are supported by MAeHC (the practice left NextGen and is now buying eClinicalWorks). To me, the most important point raised in the article is that lack of money is not the only issue hampering greater EHR penetration -- it's not even clear that it's the most important obstacle.

Factors that contributed to the failure cited in the article are:
  • Insufficient upfront attention to workflow or process changes required to maximize the EHR's potential
  • Inadequate project management experience and resources at the practice level
  • Inexperience with contracts -- writing, negotiating, and managing

This confirms for me that EHR investments are probably not worth it (particularly for small practices) unless they're done under the umbrella of an effectively-managed, community-based program (whether driven by a hospital, IPA, PHO, or RHIO/HIE).

Community-based because there's scale in project management, vendor selection, and contract management, and because patients and physicians will get much more value from EHRs that are coordinated with their medical trading partners (other physicians, hospitals, diagnostic centers in their communities).

Effectively-managed because too many of these programs give scant attention to the project and change management piece of the implementation -- they're usually driven by whiz-bang technology plans (with the requisite clouds and lightning bolts) laid out by IT specialists, and assume that templates and worksheets handed to the practice by EHR vendors and others will take care of the rest. In most cases, they can't and they won't.

I wouldn't recommend that the government or anyone else dump money into EHR programs unless they're managed under a community-focused program umbrella, laying out clear goals and timelines, coordinated interoperability with key trading partners, funding keyed to execution and adoption milestones, and implementation approaches that force behavior change, and maximize and monitor success.

Programs that fund EHRs on a "retail" model -- meaning that they just make money available to physician practices through grants or tax breaks or other practice-focused incentives -- are destined for high rates of failure and could very well cause more harm than good.

Saturday, December 23, 2006

All health care is local

The Archdiocese of Boston is considering selling the Caritas Christi hospital network, according to a story in the Globe a couple of weeks ago. I hope they don't sell it to a national healthcare chain, because I think that would be a setback to the ongoing effort to create a sustainable regional connectivity infrastructure in the Commonwealth.

What's the connection between the two? The business case for HIEs relies on vertical synergies -- hospitals, physicians, and insurers who share the same patients and collaborate locally to make the handoffs of care coordination as smooth as possible. The value driver here is economies of scope -- getting value by better coordination across the different layers of healthcare services.

This runs at odds with the horizontal synergies that drive national healthcare chains -- hospitals across the country, for example, who share the same management and suppliers, but NOT the same patients. These chains focus on economies of scale -- getting value by better production coordination in a single layer of healthcare service (such as hospitals or insurers). Think Starbucks. Think Walmart.

Vertical strategies are inherently patient-centric, whereas horizontal strategies are provider-centric (or insurer-centric). Problem is, the quality of care in the US already suffers from being too provider-centric. Horizontal strategies make sense in many industries -- in healthcare, they will make a very bad situation even worse.

In practical terms, a national chain entity will be much less likely to participate in a local HIE, because their IT strategy will be driven by the goals of their national parent, not their local partners. And while their national goals aren't necessarily contrary to local goals, they usually are. And even when corporate and local goals are aligned, it's usually coincidental, it takes a lot of effort to convince corporate management that they're aligned, and it's nearly impossible to coordinate project plans even when the goals are aligned.

Massachusetts is a national leader in regional collaboration in health IT. The biggest reason for this is that the leading players in health care in the Commonwealth are non-profit, Massachusetts-based, Massachusetts-focused companies. This is true on the supply side, where the biggest players are Partners, Caritas Christi, CareGroup, Baystate, Fallon, Berkshire, and Hallmark Health, among others. It's also true on the (commercial) demand side, which is dominated by Blue Cross Blue Shield of Massachusetts, Harvard Pilgrim, Tufts, and Fallon.

Of course it's not all roses and sunshine here, and we still have a long way to go, but the strength of these local players -- who have the incentives and discretion to make local decisions -- creates a fertile (though still fragile) environment for HIEs. We need more local leadership, not less, and I'm thus nervous that the HIE movement will take a step backward if the second biggest hospital system in the state becomes an outpost of a national behemoth.

An analyst quoted in the Globe article stated that Caritas would benefit from a national chain merger because it would "help them coordinate the installation of new information systems...".

The question is, coordinate with whom?


Full disclosure: Caritas Christi and many of the other healthcare entities mentioned in this blog are members of my Board of Directors, and one of the Caritas Christi hospitals is a participant in our pilot projects. I have not discussed or consulted with any of these entities regarding the issues that I've written about here.

Saturday, December 16, 2006

We don't know what we don't know

Two friends recently sent me emails alerting me to security breaches in the health care industry. Since MAeHC is launching health information exchanges in 3 communities beginning in early 2007, we're very interested in such news.

One breach was a theft of back-up tapes containing medical claims of 130,000 Aetna subscribers (my health insurer!). The other breach came from the theft of a laptop with medical information of 38,000 Kaiser Permanente members in Denver.

I found out about these within the same week (they actually occurred about 1 month apart), and it got me wondering about the incidence of such events generally, and whether it might be getting worse as more data becomes electronic.

There's been a steady drumbeat of news on such breaches since the infamous ChoicePoint blunder in 2005, and the US recently crossed the dubious milestone of 100 million security breach victims since the counting began with ChoicePoint.

The best (and most accessible) data I'm aware of is maintained by the Privacy Rights Clearinghouse, which tracks breaches on its website. My quick-and-dirty assessment of the data on the website suggests the following:

The frequency of all reported breaches is increasing. 413 reported breaches in the last 2 years -- 106 in 2005 and 307 in 2006.

Health care providers are a very small part of the problem. Sources of breaches break down as follows -- non-clinical commercial enterprises (37%), federal/state/local government (29%), universities (25%), hospitals and ambulatory providers (9%).

Breaches involving medical data may be increasing. 16% (69) of these breaches involved health data, but this share almost doubled over time, from 11% of breaches in 2005 to 19% in 2006.

Most medical breaches are committed by hospitals and the government. Hospitals accounted for most medical breaches (39%), followed by government (20%), health insurers (13%), physician offices (10%), and universities and ancillary services (9% each).

Big breaches involve institutions that have a lot of data. The biggest breaches by far in terms of number of individuals affected have been by banks and by the government, which one would expect since they are the institutions that have a lot of data.

Most reported breaches do not seem to involve theft of data for the data itself, but rather, they involve theft or improper destruction of files, tapes, and computers that happen to have private data in them. Not to dismiss the importance of breaches, but the actual damages resulting from these breaches are likely much much smaller than the gross numbers suggest.

There are all sorts of cautions with making too much of this data: Is this better reporting or higher frequency of actual breaches? What other types of breaches never get reported? Is it higher incidence as well as higher frequency? Is the reporting consistent across sectors and over time? Are the differences statistically significant (both across sectors and over time)?

Assuming the data are somewhat representative of reality, they seem to highlight some important points for EHRs and health information exchange.

First, the world is full of data repositories. Financial institutions, the government, universities, hospitals, health insurers -- all hold huge stores of our personal information already. The discussion of whether to have a repository in an HIE needs to be had in that context.

Second, what's not reported is at least as important as what is. MAeHC's experience with health care providers is that bigger organizations like insurers and hospitals have a very small frequency of big data spills, which get reported, and small organizations such as physician offices have a high frequency of tiny data spills, which never get reported. Also, it's pretty well known that one of the biggest sources of breaches is insiders, who are often found out but are not publicly reported (for example, this week's Information Week article, the ongoing problem of medical staff trying to peep at VIPs' medical records, and the now well-known story of the Diva of Disgruntled who posted confidential information of Kaiser Permanente patients on-line).

Third, breaches seem to be committed by organizations of all sizes and levels of sophistication. Physician offices -- as they become more interconnected with each other and with existing repositories of data -- could add many more chinks to the health data security armor. This isn't because they're irresponsible, it's because they don't have the staff or experience to even know how to address it.

For example, how many physician offices have already gone to Staples, bought a $30 Linksys box, and set up a wireless network that they don't realize is akin to leaving their medical charts in the parking lot in front of their office? How many are remotely accessing their computers using retail products and services that don't have industry-standard authentication and encryption? They haven't really had to worry about all of this up until now, because they're protected by the high friction of exchanging paper records -- the very same friction, by the way, that prevents huge improvements in quality, safety, and cost of care.

We need to get rid of this friction, of course, because the benefits are so huge, but it has to be done under some type of policy and management umbrella that doesn't undermine security. HIEs can play a very beneficial role in this regard, because they can provide the policies, processes, staffing, experience, and technology to bring physicians "onto the grid" in a way that protects everyone's interests.

Tuesday, December 12, 2006

Happy Holidays from AHRQ

The Agency for Health Research and Quality will award almost $26 million in grants to support various approaches to improving quality and safety of care through health IT. The Ambulatory Safety and Quality Program is looking at 4 angles on how health IT can be used to improve quality:

Crank through the numbers and you get an average grant size of between $300K-$400K for 70-100 grants. The applications are due Feb 15.

These grants can be tricky because they can be money-losing if you're not careful -- you typically need to have considerable infrastructure in place already just to break even. That said, AHRQ is the only real source of federal funds for many health IT initiatives across the country. The woefully under-funded Office of the National Coordinator typically gets only $100 million or so per year, none of which goes to local initiatives.

So even though the economics are questionable at best for many if not most potential applicants, they don't have anywhere else to go. With 165 health initiatives across the country scrambling for funding (according to the last count by eHI), competition for these AHRQ grants is expected to be especially fierce this round. If you have a family member involved in health IT and/or health quality research (and the Boston area has more of these folks than any other part of the country), you'll now understand why they might seem a little distracted over the holidays.

Monday, December 11, 2006

All in a day's work

I recently visited two of the practices that we’ve outfitted with electronic health records.

The first was a surgery practice whose head physician “greeted” me with a limp handshake and an icy stare and said: “So, you’re the CEO of the MA eHealth Collaborative? Well, that’s not anything to be very proud of, is it?” And before I could say a word, he turned and walked away. His office manager was mortified.

MAeHC has invested about $120,000 in this practice.

At the next practice, I walked in and standing there behind the front desk was a physician in a white coat, talking with the receptionist. “Are you Micky?” he asked. Still smarting from my first visit, I nodded, but hesitantly. He whipped around the front desk, arms stretched as wide as his grin, and hugged me. Yes, hugged me. “Thank you,” he said.

We’ve invested about $30,000 in this practice. Go figure………

Saturday, December 09, 2006

A PHR from my health insurer? No, thanks.

The buzz continues on personal health records. I got a call yesterday from a reporter asking for my views on PHRs. The Markle Foundation's Connecting for Health initiative just released a new report on PHRs (full disclosure: I'm on their Steering Committee). Paul Levy has recently written about Aetna's PHR on his blog.

I saw Aetna's October press release launching their PHR. I'm an Aetna subscriber, and unfortunately, the press release is all I've seen of their PHR. Actually, that's not really true -- they also have a video tour of their PHR on their website. What they don't seem to have is a place for me to actually create a PHR.

Until I can create one I won't know for sure, but I'm kind of hard-pressed to see what Aetna (or any health insurer) could offer in a PHR that would interest me anyway. I'm already able to access all of my claims on their website through their Aetna Navigator tool -- a great tool which has been there for years. I don't use it very often, but I like knowing it's there.

Through claims, Aetna knows a lot about what they've paid people to do to me -- give me a physical, a colonoscopy, some meds, a cholesterol check. What they don't know is the results of these activities. Was my colonoscopy normal? Do I have high cholesterol? That information is contained in my physician's record, which happens to be in a paper chart in Wellesley MA (I can't access it, but I know where it is!). If I had an Aetna PHR, it wouldn't have much more than my claims information, unless I typed it in........which means it wouldn't have much more than my claims information.

I pay thousands of dollars per year in premiums to Aetna. I'm just one customer, but I wish that my health insurer would devote much more money, PR, and imagination to getting an EHR into the hands of my doctor, and stop wasting my premium dollars on a PHR that I can't create and probably wouldn't use even if I could.......

Thursday, December 07, 2006

You can't get blood (or data) out of a stone

More details are now out on the Wal-Mart/Intel health records project. Turns out that it's a personal health records project called Dossia sponsored by the Omnimedix Institute. The project has gotten a lot of attention in the last couple of days. From what I can tell, the effort is, at best, a harmless sideshow. I just hope that it doesn't suck the wind from the sails of the many health IT efforts across the country today.

The reason I think this is a sideshow is that it is based on a faulty presumption, namely, that we can spur EHR penetration by giving PHRs to droves of individual patients. Those patients will want data to fill those PHRs, so the theory goes, and they will, in turn, pressure their physicians to purchase EHRs. Think of millions of patients, with their health-version of Quicken, pushing the "Download" button to get data from pharmacies, hospitals, labs, and physician offices.

The main problem with this approach is that it assumes that there's enough health data out there to make it worth my time as a patient to push the "Download" button. I don't think there is. Furthermore, I think it's a stretch to think that this approach will give enough push to the demand-side to affect HIT penetration.

First, on the availability of data. You have to get data into computers before you can get it out of them. Only 9% of physicians have a good EHR according to the CDC. Hospital use is higher but still not great. According to the American Hospital Association, 37% of hospitals have moderate to high IT implementation, and only 30% have implemented such functions as "access to medical records" and "access to medical history". Perhaps even more telling, a whopping 65% of hospitals say that fewer than 50% of their physicians use the IT that they've implemented.

So, the vast majority of data is still on paper. And even for the data that is electronic, no current systems that I know of have the ability to respond to an outside "query" (like a "Download" request from a PHR). With no physician data and no hospital data readily accessible, Dossia could prove to be a very thin record indeed for quite awhile. There are no healthcare analogues to financial behemoths like Fidelity and Vanguard who can deliver a lot of data to a lot of people with a push of a button.

The structure of health care delivery will also make it difficult for even a Wal-Mart to have the leverage to drive higher IT adoption among physicians in this way. Walmart may have 1.3 million employees nationally, but most of them are distributed store-by-store in different health care markets across the country. With about 4,000 retail units in the US, each store employs about 325 people. So they're spread pretty thin geographically.

On the supply-side, health care delivery is probably the most fragmented sector of our economy -- it's very local, among both physicians and hospitals. With fragmentation on the demand- and supply-side of the equation, it's hard to see how a national player like Wal-Mart can exert influence on any given locality. For example, if I'm a doctor or hospital in a community with a Wal-Mart, I'm not going to have that many Wal-Mart employees as patients. So how much influence can their individual "Download" requests really have on my decision to purchase an EHR? In Bentonville, Arkansas, they can probably exert a lot of influence. I'm not sure they can in any other local markets. Sure, there are other employers involved, but it's hard to imagine that their employees' collective demand for PHR data will trickle through to the supply-side.

It's clear that Wal-Mart and many many other purchasers are absolutely fed up with spiraling costs and the seeming inability of the health care sector to modernize itself, and I think their frustration is absolutely justified. I just wish they'd channel their energy in more productive, collaborative ways.......

Wednesday, December 06, 2006

Privacy Request: Denied.

Yesterday's Guardian had a startling article on the British National Health Service's approach to patient privacy. The NHS is spending 24 billion pounds (i.e., really really serious money) on wiring health care nationwide. They're providing EHRs to all physicians, linking them all up over a national network, and creating a national repository of patient-identified clinical data.

Back to the article. Patients have requested to opt out of the national network and repository, and the Government has rejected their requests!

Polls show that 53% of patients are opposed to having their data on the system, and as a result, 52% of general practitioners are opposed to providing their patients' data to the system without their patients' specific consent. Despite this overwhelming display of distrust, according to the article:

[T]he Department of Health said nobody could have genuine grounds for claiming "substantial and unwarranted distress" as a result of having their intimate medical details included on a national computer system, known as the Spine. For that reason, "it will not agree to their request to stop the process of adding their information to the new NHS database".

Yikes!! On top of the increasingly shrill reports of the technical problems the NHS project is suffering, it's hard to imagine that this project is going to get back on track anytime soon.

Back here in the colonies, we at MAeHC are also setting up data exchanges and repositories in our three pilot communities, but we're going with an opt-in approach, meaning that we won't exchange any patient's data without his/her specific, written consent.

This approach certainly takes longer and is definitely more logistically challenging than an opt-out (or the NHS approach of no-choice), but it appropriately puts the burden on us to get the trust of patients and physicians before we start letting their data fly. The very early returns on our experiment are that patients are overwhelmingly opting in -- still early, still small sample, but encouraging nonetheless. In the long run, I think this will build a deeper foundation for the whole enterprise going forward. When problems arise -- and they will arise -- patients will be more forgiving than if we hadn't asked their permission in the first place.....

Tuesday, December 05, 2006

Privacy rules

Sunday's NYT article touched on so many issues it was hard to address them at one sitting. The article asserts that concerns about privacy and security are the major obstacle blocking passage of pending bills on health IT. I wish that was true because it would mean that privacy concerns had become a higher priority than they have been up until now, and that there was agreement on all of the other vexing issues in this area. Alas, I don't think either is true.

Privacy and security are clearly important considerations on lawmakers’ minds, but equally if not more important barriers are:
  1. lack of budget
  2. blurry policy options, stemming from the complexity of health care delivery and little to no understanding at the federal level of the complexity of these issues
  3. disagreement (mostly ideological) on the role of government generally, and the divvying up of power between federal- and state-levels specifically
  4. lack of awareness among the public (or more specifically, voters) of the urgency of taking steps to improve the quality and efficiency of our care
The following commentary from iHealthBeat is indicative:

"Prospects look pretty good" for the 110th Congress to pass health IT legislation in 2007, Michael Zamore, a policy adviser for Rep. Patrick Kennedy (D-R.I.), said in an interview for an iHealthBeat special audio report. According to Zamore, health IT is a "great candidate" for bipartisan efforts because "it's teed up, it's kind of ripe, it's been kicked around, it's had a false start or two," and the "ideas have been percolating and vetted.

"David Merritt, project director at the Center for Health Transformation, said the opportunity still exists to pass a bipartisan conference bill during the 109th Congress' lame-duck session codifying the Office of the National Coordinator for Health IT and allowing hospitals anti-kickback exemptions to provide physicians with health IT equipment.

"Let's not throw away all the progress we've made up to this point simply because of the change in power," Merritt said. However, Zamore and Merritt agree that identifying funding for health IT initiatives with current budget deficits will be a challenge (Rebillot, iHealthBeat, 11/15).

The Democrats on the Hill (especially Ed Markey) do place a greater emphasis on privacy concerns than do the Republicans (outgoing Connecticut Republican Congresswoman Nancy Johnson's bill was silent on the issue, for example), so maybe this will rise in importance in the new Congress. In this environment though, I think cash (or lack thereof) will still be king......

Monday, December 04, 2006

Do the right thing

Yesterday’s New York Times article on privacy and security of electronic health records, coupled with an article in the Wall Street Journal last week on WalMart’s foray into electronic health records, points to what could be an ominous twist in the movement to expand the use of EHRs and health information exchange in health care delivery. Large businesses -- burdened by spiraling health premium costs -- are increasingly investing in technologies to gather health information on their employees to try to more directly manage (and, they hope, stanch) the growth of these costs.

I completely sympathize with the plight of these businesses -- MAeHC is a small business, after all. I also applaud their recognition of the key role that EHRs and clinical IT can play in improving health care delivery. Yet, their whole approach raises serious concerns for patient privacy. By creating proprietary systems to gather and control the health data of their employees, these companies are, perhaps unwittingly, stumbling into the most important and fragile issue in the health IT debate.

There is an irony in all of this. Some existing privacy laws, which were designed for paper-based records, don't make sense in an electronic world, and indeed, are in some cases presenting obstacles to better management of electronic data in ways that no one could have anticipated at the time. Many of those laws were designed to prevent employers from getting access to sensitive information that could affect a person's employment status. Employers need to be hyper-sensitive to those concerns. If they appear to be violating the spirit (even if not the letter) of those laws, it will sow seeds of patient distrust and perhaps draconian laws that will undermine not only their own efforts but also the many community-based efforts around the country that are working hard to do this the right way, namely, using IT to empower physicians and patients to improve the cost-effectiveness of care.

While there is a crying need to bring modern IT systems to health care delivery, this effort won’t be economically or morally sustainable if it’s not based on trust. Patients and physicians have to trust the systems being created. Otherwise, patients won’t agree to having their data in these systems, and physicians won’t agree to using them because they’re concerned about their patients’ privacy and about the legal liability associated with breaches of confidentiality. But neither patients nor physicians will trust these systems if they aren’t set up with privacy as a fundamental design consideration, rather than a bolt-on afterthought.

The reason that employer- and insurer-based schemes are problematic is that they undermine what I think of as a core principle of health information exchange – the need to create the healthcare equivalent of a Chinese Wall between those who collect and aggregate the data on behalf of providers to facilitate direct care delivery, and non-providers who would use the data for any purpose other than direct treatment of patients. Just because electronic data is more easily available for treatment purposes doesn’t mean that we permit it to be more easily available for other purposes. Data collection and aggregation may happen in a new way (i.e., using EHRs and secure networks), but access has to happen the old way (i.e., explicitly negotiated among the owners and key stakeholders). This is the principle behind such leading community-based efforts as MA-SHARE, RIQI, IHIE, HealthBridge, THINC, and MAeHC.

So how do you do that? Create, operate, and govern these systems by building on the trust engendered in today’s physician-patient relationship. Patients have a well-placed trust in their physicians. Physicians will only use the systems if they’re valuable from a user design perspective and they promote their patients’ welfare. Rather than setting these systems up as proprietary company systems, they need to be set up more like public utilities. Put hospitals, physicians, and patients in joint control of these systems so that they are designed, managed, and governed by those who are going to be using the systems. These key stakeholders will get behind investments in “wiring” the care delivery system to improve quality, safety, and efficiency; what they won’t get behind is investments whose primary aim is surveillance.

I suggest that employers should get out of the business of trying to electronically capture their employees’ detailed health information, and into the business of getting health care providers to embrace information technology that improves the quality, safety, and efficiency of care. It's fair for them to want better data to measure performance, but they can get that without demanding access to detailed patient information. They can create urgency for better system performance using basic supply chain management principles that they're very familiar with: Invest in their healthcare delivery supply chain by setting basic technology and interoperability requirements for their suppliers (ie, providers), and facilitate their providers’ ability to meet these standards.

So, the program would run as follows. First, require physicians to use EHRs, help physicians pay for the upfront costs of getting outfitted with solid EHR systems, and train them and their staff to use the systems effectively. Second, require them to participate in data exchange networks that facilitate the effective coordination of care and the efficient transmission of clinical information. Third, put in place a new funding model that redirects reimbursement toward paying physicians for improving peoples’ health and away from paying them for the volume of care delivered and/or complexities that arise with their patients due to poor physician performance.

All of this is, of course, easier said than done, and no one knows that better than those of us slogging away in the trenches. But if Walmart and Pitney Bowes and IBM and UPS spent more time working with existing community-based efforts, and less time building their own proprietary data warehouses, it would happen faster than they might think, and it would be lasting and sustainable. There are many community-based efforts out there trying to do just this, and they could benefit enormously from the resources (financial, technical, and managerial), encouragement, and old-fashioned kick-in-the-pants that only the business community can provide.

I think the message employers should send to their employees is: “We don’t want your personal health data, but it's in everyone's interest to better monitor the overall performance of our insurer/provider network because the quality, safety, and cost of health care affects all of us.” That would reinforce the message that they’re not trying to undermine the sanctity of the doctor-patient relationship, but rather, trying to improve the performance of the overall system to better serve physicians, patients, and purchasers alike.