Across the country, groups of CIOs, healthcare IT experts, and attorneys are sitting in committee rooms and holding conference calls trying to solve vexing policy and governance issues raised by the prospect of interoperable electronic health records (EHRs). With a focus on making the most of short-term federal incentives, these policymakers are wrestling with a host of thorny issues that they have never had to tackle before or ones that have previously seemed intractable. Some of these are central to the current debate about spurring health IT adoption; others await resolution once more health information exchanges get off the ground.
A review of the draft plans for state-level health information exchange (HIE) organizations reveals that some of the issues deal with authentication, trust, cooperation among competitors and sustained financing; other contentious issues about privacy, consent and sensitive data seem to hinge on a debate between an established “enterprise-centric” view of data vs. an emerging model built around the patient or consumer.
What follows is a status report on six challenging health IT policy issues and some comments from experts about why they are tough to solve.
1. Sustainable funding. High on the to-do lists for newly formed state-level HIE groups is developing a business model that provides sustainable funding. Some integrated delivery networks and multi-stakeholder HIEs are working toward sustainability, but very little progress has been made yet on state-level models. Although it provides more than $400 million in startup funding, the HITECH Act does not ensure long-term sustainability of any HIE effort, and requires states to raise matching funds.
John Moore, an analyst with the Cambridge, Mass.-based Chilmark Research, which is preparing a study of state HIE development, notes that many failed RHIOs and HIEs have developed sustainable business plans in writing, but very few have actually been able to make them work. He adds that the HITECH matching fund requirements rise from $1 for every 10 federal dollars in 2011 to $1 for every three federal dollars in 2013. “Some states are going to have a hell of a time raising enough money to make it to self-sufficiency by the fourth year,” Moore says.
Jeff Bauer, the futures practice leader of ACS Healthcare Solutions, agrees. He notes that many states are facing huge financial problems from unfunded pension bills coming due as people retire in the next few years. “In every state capital, as health IT is competing with so many other vital interests, will funding for HIE survive?” he asks.
While states will consider subscription or access fees for providers, another possible model is emerging in Vermont, which in 2008 passed a law a imposing a fee of two-tenths of 1 percent on all medical claims to fund health IT efforts. It is expected to raise $32 million over seven years to help fund EHR adoption and HIE development. Moore notes that the Wisconsin HIE is seeing strong early results with 40 percent of physicians surveyed saying access to patient data is changing how they order prescriptions and the number of diagnostic tests ordered. “Those savings are largely going to the payer, so it is not unreasonable to have some type of fee on transactions,” he says. “It's not clear which model will emerge,” Moore says. “There will be experimentation on things like taxes on transactions, but it is going to be a tough sell.”
2. Privacy and consent. Having each state work through the same series of difficult privacy and consent issues might be inefficient, but it may also be necessary, because so many state laws already on the books relate to these topics and must be complied with or amended. To take just one example, the state of California's long-running and contentious effort to develop consensus around how patients should consent to have their data shared as well as the treatment of sensitive data such as substance use and HIV/AIDS information, highlights the complexity of the issues.
“There is no question that there are two issues we are absolutely stuck on: consent and sensitive data,” says Pam Dixon, executive director of the World Privacy Forum and co-chair of the California Privacy and Security Advisory Board (CalPSAB). She says the group is having trouble finding middle ground between consumer group representatives like herself and those who represent large healthcare organizations.
Industry representatives have labeled “unworkable” a proposed hybrid model that would require consumers to specifically opt out of sharing most information but opt in before sensitive information could be shared, she says.
“We are having a tug of war between a traditional HIPAA-centric approach and a new approach that needs to emerge,” she says. Although the discussion has been going on for two years, Dixon is optimistic that a compromise will be reached. “We have 20 people in the room who are very knowledgeable about this topic,” she stresses. “If we can't come to a consensus, nobody will. Consent and sensitive data issues are the first two buttons on the vest. We have to do those first, and if we don't get them right, it doesn't matter what else we do on other issues.”
3. HIE and federal confidentiality laws. At the national level, some organizations would like to see changes to the federal confidentiality regulations which state that without written authorization from the patient, physicians cannot access patients' substance use history and current treatment regimen, except in cases of emergency. Getting those written authorizations each time data is accessed may prove antithetical to the way HIEs are set up to work.
In February, the Patient Protection Coalition, a group of attorneys who work in the field, issued a 10-page proposal suggesting how to amend the federal confidentiality law to ease participation of substance use treatment providers in health information exchange. “All this would do is to allow exceptions that facilitate electronic health exchange among providers with a focus on care, limited to five data elements,” explains Renee Popovits, an attorney with Frankfort, Ill.-based Popovits & Robinson. “Keeping substance use records out of HIEs will only prolong the stigma attached to addiction, rather than treating it as an illness.”
But the proposal has drawn a cool response from some advocacy groups concerned about the misuse of the information to discriminate against people seeking help for alcohol and other drug problems. And because it is such a divisive issue, Popovits says it is unlikely to be taken up by Congress. But the Substance Abuse and Mental Health Services Administration could possibly make changes from a regulatory standpoint, she adds.
4. Issues of secondary use. If deciding how patients should consent to have their data shared is a tough issue, even more important may be clarifying how that data will be used. Most people are fairly comfortable with their data moving around for treatment and for public health purposes, says Deven McGraw, director of the Health Privacy Project at the Center for Democracy & Technology in Washington, D.C. “But after that, everything needs to be re-examined, including secondary uses such as medical researchers' access to EHRs,” she says. “There are a lot of gray areas, and it's not clear who's going to decide who gets access and for what purposes.”
For instance, there are policies at the federal and state level about when and how research can be conducted, she explains, but they don't relate to this newly networked environment where data about you can be pulled from a lot of sources. And although there are rules about how data can be accessed, used and disclosed, there are holes in these regulations concerning how much data can be collected about you.
There are also unanswered questions about the use of “de-identified data,” which can be traded, bought and sold pretty freely. “The rules describing what constitutes de-identified data and making sure it is not re-identified are not robust,” McGraw says. “We need a better governance model,” McGraw says. “It may come from legislation, regulations or HIE agreements.”
Another area that will require work is how personal health records are regulated, especially those operated by businesses not covered by HIPAA. The HITECH Act required HHS and the FTC to conduct a study on federal privacy and security requirements for PHR vendors. Currently they are covered by state laws, which vary widely. “We have always said that is not a great way to protect patient privacy,” McGraw says. “But a flat-out application of HIPAA to PHRs isn't great either because it was written for the healthcare setting, not the commercial Internet and consumers. What is needed is a targeted set of rules that spell out consumer controls of PHRs, ones that better target the risks they face.”
5. Sharing of lab data. Health IT leaders have long recognized that developing standards around clinical lab results delivery is among the most difficult and important aspects of interoperability. But one issue that hasn't received as much fanfare is the legal framework around how laboratory data is shared.
HIPAA regulations defer on laboratory testing issues to the federal Clinical Laboratory Improvement Amendments, which in turn say that test results must be released only to persons authorized by state law to order tests, receive tests or both. So by and large state laws determine whether a lab may disclose results to another provider for treatment. The problem is that lab results release is treated differently state by state, according to Kitty Purington, a policy specialist with the National Academy for State Health Policy in Portland, Me. “Some states don't have ‘authorized person’ statutes,” she says. “Others are going back and revising theirs.”
Purington co-authored a recent report for the Oakland-based California HealthCare Foundation entitled “Electronic Release of Clinical Laboratory Results: a Review of State and Federal Policy.” That study found that, where state law limits release only to the ordering physician, care coordination might be inhibited, because the ordering physician's office can become a bottleneck, as others wait for it to release information to other providers. Differing state laws also create confusion for providers in multi-state regions.
On the issue of whether lab results can be released directly to patients, Purington says the states are “all over the map.” Most state laws view lab results as belonging to the provider that ordered the test; others, such as New Hampshire, view those results as belonging to the patient. Her research found that only seven states have licensing laws that allow direct patient access to laboratory test results. Like other issues involving patient access to their own data, policies surrounding this issue are sure to evolve. The CHCF report recommends that states should “consider reviewing their laboratory release laws and regulations in the context of the patients' interests, assuring that appropriate mechanisms and timeframes allow them access to health care information including laboratory results.”
6. Redefining the NHIN. The same policy questions about whether the evolving health IT landscape should be “enterprise-centric” or “consumer-centric” may be reshaping the conceptual framework surrounding the National Health Information Network. The NHIN was initially conceived and described as a backbone physical network connecting smaller, regional networks. But in a shift in emphasis, it is now being described as a set of standards, services and policies, and the NHIN Workgroup of the HIT Policy Committee has launched “NHIN Direct” as a simple way for physicians and consumers to exchange health information using the Internet.
“It is really a cultural issue,” says David Kibbe, M.D., a senior advisor to the American Academy of Family Physicians. Large healthcare organizations have proceeded with the assumption that they own the data and have a right and an obligation to control that data, he says. The NHIN “network of networks” model is beginning to flounder, as a similar model has in Britain, Kibbe believes. “It was not necessarily a bad idea,” he adds, “but it was so retro in terms of the ways individuals use the Internet that it couldn't withstand scrutiny for more than five or six years.”
Chilmark's Moore describes the shift in focus as “a blessed relief.” Policymakers are seeing they should use existing infrastructure and focus on addressing governance issues, and developing the guidelines and policies such as data use agreements, he says. “They also need to change the focus of NHIN to open it up and have it be about the public,” he adds. “It has been focused so far on provider to provider or provider to payer, and the citizenry has been pretty detached from this so far. They need to make it useful so people will get behind it.”
Of course, it may be unrealistic to expect too much progress on so many policy fronts at once. Fran Turisco, a principal researcher in the Waltham, Mass.-based Emerging Practices division at the Falls Church, Va.-based CSC, and who has studied health IT policy developments in Europe, says that the United States may not be ready to tackle some of these issues yet. “At Stage 1 of meaningful use, you only have to demonstrate the ability to share data,” she says. “Once we get there, then these issues will begin to be worked out.”
Turisco says ONC and state HIEs are trying to build the foundation of a house while other people are already talking about what colors the rooms will be. “You can't address every issue at the beginning,” she adds. “You set the overall strategy, know where you are in the timeline, and then you'll know when it's time to address these issues.”
David Raths is Healthcare Informatics' Senior Contributing Editor. Healthcare Informatics 2010 June;27(6):70-73