Ready for review.
Establishing a Private, Workable Online Medical Database
-- By
BrendanMulligan
In its 1999 report,
“To Err is Human: Building a Safer Health System”, the Institute of Medicine claimed that preventable medical errors cause as many as 98,000 deaths per year in the United States and upwards of $29 billion annually in lost income, lost production, disability, and additional health care costs. According to the report, decentralization and fragmentation of the health care system are major causes of these errors. Providers lack access to complete patient data at the point of care. Fewer than 2% of the nation's 5,000 non-VA hospitals have what could be considered a full-fledged system.
Proprietary Contribution to a Broken System
Vendors’ commercial systems are proprietary and designed to not talk to other vendors' systems. Further, the Healthcare Information and Management Systems Society (HIMSS), which is a powerful healthcare organization focused on fostering the optimal use of information technology (IT) and management systems for the betterment of healthcare, is ostensibly independent, but acts as a lobby for proprietary owners.
HIMSS hosts the largest and most well-publicized health IT conferences in the country. They charge large sums of money to buy space at conferences and limit the electronic health record vendor association to companies which “design, develop and market their own proprietary electronic health record (EHR) software application.”
People are dying because we lack proper IT infrastructure. The government should take steps to catalyze conversion to a functioning EHR system by (1) incentivizing the use of
VistA? public domain software to improve functionality and streamline formatting and (2) amending HIPAA to safeguard privacy.
Bungled EHR Policy Solutions
To promote the conversion to accessible EHRs, the government initiated two major changes via the stimulus package. First, it commissioned a study on the availability of open source health IT systems to be completed by Oct. 1, 2010. This includes comparing the total cost of ownership of open source to existing proprietary commercial products, ideally providing open source systems with the opportunity to demonstrate much superior value to price ratios. Second, the government earmarked $20B for doctors and hospitals that switch to "functional online databases". The provisions dictate that hospitals must only perform
“one test of certified EHR technology's capacity to electronically exchange key clinical information.” See Table 2. This standard does not meet the hospitals' own bar for internal use of electronic systems.
Perplexingly, the government already developed the most well-used, cost-effective, and comprehensive health IT system,
VistA, and did
nothing to promote its use. The
VistA? successfully integrates databases throughout the Veteran's Health Administration, the largest hospital system in the US. Its interface, and all updates (500–600 patches per year) are provided as public domain software and used by many private hospitals. The stimulus dollars might have incented hospitals to integrate onto
VistA? —which has been established for as little as
“1/10th the price” of proprietary software. Instead, perhaps to ward off well-rehearsed critiques of socialism, the government threw money into a proprietary black hole that promises lower standards than the government demands of itself.
Lost, Stolen, and Mislaid Private Health Information
A health database must also address concerns over medical privacy. Much of the debate surrounding health care information centers on safeguarding data from being
“lost, stolen or mishandled.” See also, Robert A. Gerberry, Legal Ramifications of the Formation of Digital Hospitals, 14 Health Law 27, June, 2002. “Faced with stories of confidential medical records being accidentally posted on a web site, and being emailed to all members of a computer network, patients continue to fear the misuse of confidential medical information. Online providers need to protect against the electronic misappropriation of health information by complying with confidentiality laws that seek to protect patient information.”
These concerns are legitimate. In a recent survey of IT professionals,
“seventy percent said senior management does not view privacy and data security as a priority. Eighty percent of respondent organizations had experienced at least one incident of lost or stolen electronic health information in the past year.” Over the last few years, the personal health information of
“hundreds of thousands of people” has been compromised because of security lapses at hospitals, insurance companies and government agencies.
The government responded to these concerns with changes to Health Insurance Portability and Accountability Act of 1996 (HIPAA). Any time private health information is
“accessed, acquired, or disclosed” by or to an unauthorized person,” the Department of Health and Human must be notified. If the breach affects more than 500 residents of the same state, major media outlets must be notified. This will be enforced by penalties of $50,000 for actions of willful neglect, undefined, but presumably the failure to adopt safeguards required by law.
Lingering Problems with HIPAA-Acceptable Private Health Information Sharing
The above change may increase hospital vigilance in protecting medical privacy
(e.g.), but it fails to stop the easiest breach of private health information. HIPAA permits patients’ personal health information to be shared among more than 600,000 organizations without patients’ consent. 45 C.F.R. § 164.506 states that with limited exceptions “a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section.” Health care operations are defined extremely broadly, including activities such as business planning, management and administration, the sale or transfer of a covered entity, fundraising, and data analysis for plan holders or other sponsors. There are almost no discernible restrictions.
This rule is indefensible even with paper files but increased, easy, and remote access to personal health data make it particularly dangerous. As we move towards integrated EHR system, this provision must be changed. Congress could start by revisiting the House’s
2004 STOHP Act, which makes consent the core of disclosure. In effect, the change would require individuals to give or withhold consent before their personal health information is used or disclosed before each routine purposes, instead of a one-time consent as in effect now.
There are really two
topics here, and it would be worth the effort of choosing between
them. The HIPAA issue you raise is a matter subject to political
deadlock. Any legislation that tries to move in the area will
immediately be subject to encrustation with all the other conflicting
claims by all the other parties who believe that free market
capitalism means that government should never do anything that hurts
their business, which has generated enough money to put a cousin or a
brother in the Senate. All you can really do is to reprint earnest
staff reports that will never get enacted. VistA? , on the other hand,
can be developed, as you point out, by executive action alone, if the
Administration is prepared to take some heat from people whose
proprietary software businesses would be wiped out by it. There are
technical issues you should have described to some extent, and you
should have discussed OpenVistA? , which is the Free World's attempt to
meet some of those technical problems. You might also have discussed
the possibility of following in the steps of Finland, which now runs
its national system of hospitals on its version of the VistA? we
developed and put into the public domain for them. Obviously I think
this aspect of the situation would make the VistA? portion of the
essay the one to expand, but either way, you will do a far more
effective job if you don't have to give away half the
space.