JOE WILSON, a thirty-eight-year-old software engineer from Pittsburgh on his first trip to Las Vegas, is feeling out of sorts as he walks into the casino. The free drinks help his mood, and he discovers after his third that he has a serious gambling problem. At the casino’s cage, where cash, credit card capacity, and creditworthiness are turned into chips, Joe liquidates the $6,324 in his checking and savings accounts and another $8,121 from his credit cards. Twenty hours and ten drinks later, this money runs out on the craps table, but Joe secures another $24,983 in cash, which represents 40 percent of his retirement account and 30 percent of the equity in his home. The casino was able to find out this information about him—as well as his marital status, the names of his last three employers, the number of years he has lived at his current address and worked for his current employer, the lapsed status of an earlier life insurance policy and the paid status of another, and the absence of liens against his assets—in less than five minutes, based on his name and Social Security number. In twelve more hours, Joe has burned through the last of his cash. Then the chest pain starts.
Leaving Las Vegas. Joe is rushed to a community hospital a few blocks from the casino. He is drunk, dizzy, and disoriented and cannot give the emergency room (ER) doctors any information about his medical history. But he is able to produce a tattered insurance card from his wallet, which includes his Social Security number, listed as his “Member ID.” The hospital’s admissions clerk spends twenty minutes on the phone to confirm that Joe is indeed covered by the health insurer in Pittsburgh and that she should collect up to $500 from Joe for his visit; but the insurer’s “information specialist” cannot say exactly how much, because he cannot tell from “the computer” if Joe has met his deductible yet that year. He can tell the hospital nothing else about Joe—not his medical history, the names of his physicians, or any medications he might be on—because “the computer” has no other information about him. That information is “in the other computers.”
Joe’s condition worsens; the ER physician diagnoses a heart attack and prescribes intravenous metoprolol, a generic beta blocker. What she does not know is that until a month earlier, Joe had been taking 20 milligrams per day of Paxil (paroxetine) for depression. But a month before Joe’s trip to Vegas, his employer’s health plan had switched to a new pharmacy benefit management (PBM) company, which required Joe and his coworkers to fill their medications for chronic conditions via mail order. One of Joe’s doctor’s three medical assistants had faxed the doctor’s usual handwritten prescription for Paxil to the mail-order pharmacy.
The mail-order pharmacist misread the prescription as “Plendil,” a calcium channel blocker often used for the same purposes as beta blockers and commonly dosed at 10 milligrams per day but occasionally at 20 milligrams for patients with congestive heart failure.1 Joe had been dutifully taking the medication for the past few weeks, walking around with dangerously low blood pressure caused by high levels of the unneeded medicine. Joe’s depression had also been slowly, imperceptibly returning—hence his unusual appetite for alcohol, which lowered his low blood pressure even further, resulting in wooziness and cognition problems severe enough to render Joe vulnerable to the casino’s temptations.
In the ER, the metoprolol does the trick within minutes of entering Joe’s bloodstream: His blood pressure plummets, he goes into cardiac arrest, and he dies.
___
HIT market failure. The underlying cause of Joe’s death is health information technology (HIT) market failure. If the state of U.S. medical technology is one of our great national treasures, then the state of U.S. HIT is one of our great national disgraces. We spend $1.6 trillion a year on health care—far more than we do on personal financial services—and yet we have a twenty-first-century financial information infrastructure and a nineteenth-century health information infrastructure. Given what is at stake, health care should be the most IT-enabled of all our industries, not one of the least. Nonetheless, the “technologies” used to collect, manage, and distribute most of our medical information remain the pen, paper, telephone, fax, and Post-It note.
Meanwhile, thousands of small organizations chew around the edges of the problem, spending hundreds of millions of dollars per year on proprietary clinical IT products that barely work and do not talk to each other. Health care organizations do not relish the problem, most vilify it, many are spending vast sums on proprietary products that do not coalesce into a systemwide solution, and the investment community has poured nearly a half-trillion dollars into failed HIT ventures that once claimed to be that solution. Nonetheless, no single health care organization or HIT venture has attained anything close to the critical mass necessary to effect such a fix.
This is the textbook definition of a market failure. All but the most zealous free-market ideologues recognize that some markets simply do not work. Indeed, reasoned free-market champions often deconstruct specific market failures to elucidate normal market functioning. The most obvious examples of such failures (such as public transit and the arts) are subsidized by society at large because such subsidies yield benefits to the public that outweigh their costs. Economists refer to these net benefits as “positive externalities,” defined as effects that cannot be captured through the economic equation of direct cost and benefit.
The positive externalities of an HIT system approaching the functionality of our consumer finance IT system include reduction of medical errors like the one that killed Joe Wilson; elimination of tens of thousands of redundant and expensive tests, procedures, and medications, many of which are not only wasteful but harmful; and the coordination and consistency of medical care in ways only promised by the theoretical version of managed care. These public health benefits are well beyond the reach of a health care system characterized by the complexities of medicine and conflicts of multiple parties working at economic cross-purposes. They are trapped outside the economic equation, positive externalities of a stubbornly fee-for-service health care system that inadvertently rewards inefficiency, redundancy, excessive treatment, and rework...
Health Care’s Blue Screen Of Death: Reboot Or Reform?
The compulsion today is to find the elusive “business case” for health care IT. Legions of IT vendors and consulting companies have struggled to cobble together “the ROI” (consultantspeak for “return on investment”) to prove that an individual health care organization would benefit by investing in better IT and that the failure to date has been merely a cultural problem on the demand side (“the doctors won’t use computers”) or a sales problem on the supply side (“it’s all vaporware”). These objections are hardly sufficient to stop a force as revolutionary as IT. The practical reality is that the typical ROI is modest at best, ephemeral for most, and attainable only well past its investment horizon—a dressed-up way of saying that it exceeds the political capital of its current CEO and CIO. If there were a strong business case for a health care organization to break from the pack and build out a twenty-first-century IT system, we would have no need for this paper—or, for that matter, this entire issue of Health Affairs. If the health care IT market worked, it would have worked by now.
The ability of the gambling industry to liquidate Joe Wilson’s assets within minutes is an example of IT market success; the inability of the health care industry to catch a simple medical error during his half-day in the ER is an example of IT market failure. All parties involved in consumer financial transactions have an economic interest in seeing that those transactions work as smoothly as possible. Not so all parties involved in health care’s myriad transactions.
The business case for no HIT. The first step in understanding the real intractability of the problem is ignoring the rhetoric. There is a veritable cottage industry involving the articulation of moral outrage over the health care quality “crisis,” much of it public relations spadework for someone’s political or commercial ambition and most of it culminating in the naïve insistence that the system is on the verge of collapse and cannot go on like this. Actually, it can and will go on like this forever, absent any major intervention by the nation’s largest health care purchaser—the U.S. government.
Why? Because in the crude fee-for-service (FFS) reimbursement system inherited by that purchaser in the 1960s and fundamentally unchanged since then, the Las Vegas hospital has little real interest in knowing Joe’s medical history. In most cases, access to such information would represent a reduction in billable services. In an industry rife with dirty little secrets, this is health care’s dirtiest: Bad quality is good for business. And the surest road to bad quality is bad or no information. The various IT systems out there are expensive to buy, implement, and train staff to use, but this expense pales in comparison to all of the pricey and billable complications those systems would prevent...
This article was published in the fall of 2005. Change a few NHE numbers and then-leading wonk names, it could have been written yesterday. Read it closely, all of it. It is excellent.
Now, we might also consider some thoughts stemming from "Property, Privacy and the Pursuit of Integrated Electronic Medical Records" (Hall, Turnage, and Turnage, PDF), another incisive piece.
...Even though e-health is growing steadily and will soon exist in some form just about everywhere, the electronic systems that are in place rarely interconnect -- a problem that is getting worse rather than better. The RAND Corporation summarizes that “the ability to share information from system to system is poor.” This is because there “is no market pressure to develop HIT systems that can talk to each other.” Instead, the “piecemeal implementation currently under way may actually create additional barriers to the development of a future standardized system because of the high costs of replacing or converting today’s non-standard systems.”
The challenge is how to move an enterprise representing one-sixth of US GDP, with 13 million employees and potentially almost 300 million patients, from a decentralized, fragmented, paper based world, to an integrated, automated, networked world where information follows the patient, information-based tools can aid in decision making and quality, and population health data can be mined to improve the quality and outcome of care for all...
Who owns medical information? Patients, providers, both of the above, or no one? The law provides incomplete, unclear, and somewhat inconsistent answers ... property rights must be clearly established so that the respective parties know their legal default positions ... The relevant parties are in a quandary over who owns or controls what and so they do not know for sure what needs to be done to construct any particular information network model ... Accordingly, it matters a great deal to real-world actors who has exactly what rights in different aspects of medical record information.
Medical information has considerable commercial value. “[A] well-established multimillion-dollar business exists that utilizes secondary health data as its primary resource,” for purposes such as marketing to physicians or conducting medical research. Legal uncertainty or agnosticism over valuable property rights can spark a land grab that hoards rather than develops these productive assets. Once one party stakes its ownership claim, then so must all the other competing parties, for fear of being trumped. But, fencing off the terrain of medical information destroys the commons that might have supported valuable public goods. Witness the A.M.A.’s proclamation quoted above that physicians own the medical information they collect. Likewise, the Center for Studying Health System Change observed that hospitals’ greatest concern with I-EMRs is “losing competitive advantage by relinquishing control of ‘their’ data. They view[] clinical data as a key strategic asset, tying physicians and patients to their organization.”
Legal logjams also arise from privacy protections. Medical privacy is important, but we may be protecting it to a fault...
...From the economic perspective of investing in medical information, the lack of clear property rights plus the presence of strong privacy protections is the worst of both worlds. Privacy protections increase the costs of developing I-EMRs and uncertain property rights decrease the returns. How these barriers and uncertainties are resolved could determine the kinds of networks that will emerge and how efficiently they can form...
The authors note that ongoing legal uncertainties regarding "ownership" of patient-identifiable medical data (is it "property"? whose "property"?), coupled with strict federal and state-level privacy regulation of PHI (Protected Health Information) comprise significant potential barriers to effective, nationally seamless HIE (Health Information Exchange).
Hall et al point out that "facts" cannot be "owned." In a general, mundane sense, that is indeed the case -- not that it has ever stopped various commercial interests from trying to lay exclusive claim to all manner of public domain information. And, then, there's the complicating factor of myriad "facts" that go to "proprietary information" and "intellectual property," which are indeed "owned" and jealously guarded by their proprietors (not to mention the marketable "likenesses" of celebrities).
I have blue eyes. Who cares? I am 5'10" tall. Who cares? No one -- including me -- can really profit from knowing those facts. I weigh 170 lbs -- which makes my BMI (Body Mass Index) 24.4. Suddenly, things are a bit different, and if I weighed 50 lbs more (220) my BMI would be 31.6 (officially "high"), which would perhaps be of commercial partisan interest to [1] people trying to sell me weight loss products and services, [2] employers wanting to minimize their health care benefits cost risks, and, relatedly, [3] insurance companies (life or health) looking for an excuse to raise my rates or exclude me from coverage.
We pretty much all understand the potential adverse implications of trafficking in people's personal data, ranging all the way from targeted marketing to all other manner of gumshoeing and discrimination (regarding which your EHR/HIE clinical information comprises a potential treasure trove) to financial and identity theft.
GUMSHOEING "USE CASE"
(Courthouse News, June 20, 2011)
(CN) - Federal medical-privacy laws do not preempt California's own rules against doctors disclosing patient information to debt collectors, the state Supreme Court ruled.
The unanimous court revived Robert Brown's longtime crusade to hold dentist Rolf Reinholds accountable under California's Confidentiality of Medical Information Act.
Way back in 2000, Reinholds billed Brown $600 for a permanent dental crown that Brown claimed he never received. Brown refused to pay the bill, and Reinholds sent the matter to a bill collector and a credit agency, along with a copy of Brown's dental charts and the charts of Brown's minor children.
Debt-collector Stewart Mortensen in turn disclosed the Browns' confidential medical information to the consumer-reporting agencies Experian, Equifax and Trans Union, and also sent along the family's Social Security numbers, dates of birth, addresses, telephone numbers and entire dental histories.
After two years of repeated, unsuccessful demands that Mortensen stop the unauthorized disclosures, Brown sued Reinholds and Mortensen, alleging violations of the Confidentiality Act, which generally prohibits the unauthorized dissemination of medical information.
The trial court found Brown's claims too vague and dismissed them. The Court of Appeal affirmed, though for different reasons. It ruled that Brown's state law claims were preempted by the federal Fair Credit Reporting Act (FCRA).
Not so, the state's high court said Thursday.
Congress chose not to address "the scope of a medical provider's duties when furnishing information to a consumer reporting agency" in the FCRA, the court found. And while Congress did address the issue somewhat in the Health Insurance Portability and Accountability Act (HIPAA), it simultaneously allowed "states to continue to regulate to the extent they desired to enact more stringent, privacy-favoring legislation," according to the ruling...
HIPAA is unique in that it reverses the otherwise default legal custom of "federal preemption" -- i.e., where state law and regulation conflict with their explicit federal counterparts, the latter typically prevail. With respect to HIPAA, state law/regulation found to be "more stringent" in the protection of PHI trumps HIPAA regulation.
A recent example from Ohio:
Privacy & Information Security Law Blog
Posted at 8:47 AM on May 7, 2010 by Hunton & Williams LLP
State Law Trumps HIPAA in Suit Over Disclosure of Medical Records
Rejecting a defense based on compliance with the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), a federal court in Ohio denied a medical clinic’s motion to dismiss invasion of privacy claims following the clinic’s disclosure of medical records to a grand jury. In Turk v. Oiler, No. 09-CV-381 (N.D. Ohio Feb. 1, 2010), plaintiff Turk had been under investigation for illegally carrying a concealed weapon and for having a weapon while under disability in violation of an Ohio law which provides that “no person shall knowingly acquire, have, carry, or use any firearm” if “[t]he person is drug dependent, in danger of drug dependence, or a chronic alcoholic.” Defendant Cleveland Clinic, where Turk was a patient, received a grand jury subpoena requesting “medical records to include but not be limited to drug and alcohol counseling and mental issues regarding James G. Turk.” When the Cleveland Clinic disclosed Turk’s medical records in response to this subpoena, Turk sued the clinic for violating his privacy rights.
In its defense, the clinic argued that a specific exemption in HIPAA permits such disclosure of medical records in response to a grand jury subpoena. Ohio’s physician-patient privilege, however, provides that a physician cannot testify as to “a communication made to the physician . . . by a patient in that relation or the physician’s . . . advice to a patient.” The court found that the term “communication,” as used in the statute, includes hospital records “and is sufficiently broad to cover any confidential information gathered or recorded within them during the treatment of a patient at the hospital.” Because the HIPAA provision exempting the disclosure would not preempt this more restrictive state law, the court denied the clinic’s motion and refused to dismiss Turk’s privacy claim. That decision may have prompted a settlement, as this week, the court granted a request by Turk to dismiss all of his claims against the clinic.
I could go on. The more I look, the more I find.
Lately I've been skulking around down in the bowels of various state laws and regulations pertaining to health information privacy. One good launch pad has been the Georgetown University Center on Medical Rights and Privacy.
A few random snips from their in-depth publications on state laws (Volume 1, Alabama-Montana, PDF; Volume 2, Nebraska-Wyoming, PDF):
New Hampshire: The medical information contained in the medical records in the possession of any health care provider is the property of the patient. [N.H. Rev. Stat. § 332-I:1.]
Medical information contained in the client’s record of a home health care provider is deemed to be the client’s property and the client has the right to a copy of these records upon request and at a reasonable cost. [N.H. Rev. Stat. § 151:21-b(II)(i).]
The medical information contained in the medical records at any licensed health care facility is the property of the patient. [N.H. Rev. Stat. § 151.21(X).]
Virginia: Although patient records are the property of the provider maintaining them, Virginia recognizes a patient’s right of privacy in the content of his medical records. [See Va. Code Ann. § 32.1-127.1:03(A).]
Medical records maintained by health care providers are the property of the provider, or the employer if the health care provider is employed by another health care provider. [Va. Code Ann. § 54.1-2403.3.] Patient records may not be transferred with the sale of a professional practice until an attempt is first made to notify patients of the pending transfer, by mail, at the patient’s last known address, and by publishing prior notice in a newspaper of general circulation within the provider’s practice area. The notice must inform patients that at their written request, within a reasonable time, records or copies can be sent to another like-regulated provider of the patient’s choice or destroyed. [Va. Code Ann. § 54.1-2405.]
Florida: The results of the DNA analysis, whether held by a public or private entity, are the exclusive property of the person tested, are confidential, and may not be disclosed without the consent of the person tested. [Fla. Stat. Ann. § 760.40.]
All “records owners,” i.e., any health care practitioner who generates a medical record, receives medical records from a previous record owner, or the practitioner’s employer, if the employer is designated as the records owner, [Fla. Stat. Ann. § 456.057(1) (defining “records owner.”)] are required to develop and implement policies, standards and procedures to protect the confidentiality and security of medical records.
Louisiana: Medical records of a patient maintained in a health care provider’s office are the property and business records of the health care provider. [La. Rev. Stat. Ann. § 40:1299.96(A)(2)(b).]
An insured’s or enrollee’s genetic information is the property of the insured or enrollee.**
Mississippi: Hospital records are the property of the hospitals. [Miss. Code Ann. § 41-9-65.]
Indiana: Providers are the owners of original health care records and they may use these records without the specific written authorization of the patient for legitimate business purposes, including submission of claims for payment from third parties; collection of accounts; litigation defense; quality assurance; peer review; and scientific, statistical and educational purposes. [Ind. Code Ann. § 16-39-5-3.]
The provider is the owner of the mental health record and is entitled to retain possession of it. [Ind. Code Ann. § 16-39-2-2.]
South Carolina: Under the Physicians’ Patient Records Act the physician is the owner of the medical record. [S.C. Code Ann. §§ 44-115-20.]
According to this resource, only New Hampshire unequivocally confers full data "ownership" on patients, though, I find the thus far couple of "genetic information" property entitlements interesting as well (e.g., FL and LA).
___
REPORT FROM RTI (PDF)
Privacy and Security Solutions for Interoperable Health Information Exchange
Report on State Medical Record Access Laws
(August 2009)
A brief excerpt...
State Laws
States use varying terms to describe the health information encompassed by individuals’ right of access, including, for example, patient records, health records, medical records, hospital records, and patient information. In many states, these terms are undefined [see, e.g., W. VA. Code § 16-29-1 (2008) (where state law gives individuals the right of access to all or a portion of the “patient’s record,” a term which is not defined in the statute or regulations)]. However, provisions in several states expressly define the relevant term in detail, specifically including in some instances medical records or information created by others [see, e.g., N.H. Code Admin. R. Ann. Med 501.02(f)(2) (2008)].
Challenges for an Electronic Environment
The fact that states use varying terms (or fail) to define health information that is subject to a right of access may prove problematic. One issue is whether the medical records or health information subject to the individual’s right of access includes material in the record that came from another source. Some health care providers apparently interpret access to medical records or health information as encompassing only information that was generated within their office or facility. In responding to an individual’s request for copies of medical records, some health care providers exclude any information in their possession that was obtained from other health care providers. While some state law provisions clearly define medical record access as including information furnished by other health care providers, most state laws governing doctors and hospitals do not expressly address this issue. The ambiguity in law on this issue, i.e., whether these health care providers must provide access to health information regardless of the originating source, may continue to prove problematic in an electronic environment where any particular health care provider likely will maintain data that originated from myriad sources.
Lots of potential digital PHI jurisdictional issues remain with respect to medical data "ownership," access, and disclosures. All of the state statutes and regulations I have examined thus far simply refer to the rights of "patients." Nothing about in-state vs out-of-state legal "residents" (indeed, the term "resident" only appears in reference to patients in long-term care settings or psych facilities). So, for example, say you are a legal resident of a state whose PHI law is "more stringent" than HIPAA (and thus nominally trumps HIPAA) and are treated in a facility in another state where HIPAA is the default, which law governs access to (and release of) your PHI? One might reflexively think it'd be the jurisdiction wherein the medical encounter occurred, but it might in fact not be all that clear.
More work for lawyers, 'eh? To wit...
HIPAA May Provide Basis for State Law Private Cause of Action
[McGuire Woods, LLP, 06/23/11]
The Health Insurance Portability and Accountability Act (HIPAA) imposes requirements on healthcare entities involved in the exchange of health information to protect the confidentiality of such information. It provides both civil and criminal penalties for individuals who improperly handle or disclose individually identifiable health information. HIPAA does not create a private right of action, under federal law. However, a recent decision by a district court in Missouri held that HIPAA may form a basis of a state law “negligence per se” claim.
In I.S. v. Washington University, E.D. Mo., No. 11-235, 6/14/11, the U.S. District Court for the Eastern District of Missouri, refused to dismiss plaintiff’s claim for negligence per se, despite its reliance on HIPAA, and remanded the case to state court. In this case, plaintiff alleged that defendant made an unauthorized release of certain medical records to plaintiff’s employer, which resulted in harm to the patient. Under Missouri law, the elements of a claim for “negligence per se” are: 1) a violation of a statute; 2) the injured plaintiff was a member of the class of persons intended to be protected by the statute; 3) the injury complained of was of the kind the statute was designed to protect; and 4) the violation of the statute was the proximate cause of injury.
In asserting negligence per se, the plaintiff relied solely on HIPAA to meet the required elements of the claim. Defendant moved to dismiss this claim in federal court on the basis that HIPAA does not create a private cause of action. However, plaintiff contended that its reference to HIPAA in its negligence per se action was merely to establish the legal duty of care rather than a means to find a private cause of action under HIPAA, and that the case should be remanded to state court as it is not a matter of federal subject matter jurisdiction. Ultimately, the court agreed and declined to dismiss the negligence per se claim, although it did remand the case to state court.
The Washington University case is not the first case to hold that HIPAA may be referenced as a basis for a state law claim. For example, in Acosta v. Byrum, 638 S.E. 2d. 246, 253 (N.C. Ct. App. 2006), the North Carolina Court of Appeals allowed a plaintiff to make an intentional infliction of emotional distress claim against a psychiatrist by relying on HIPAA. In that case, the psychiatrist allegedly allowed an office manager to have access to medical records that were used to cause harm to the patient. The plaintiff used HIPAA to establish the standard of care element required in a claim for negligence. The trial court dismissed the claim stating that HIPAA does not create a private cause of action. However, the appeals court reversed, not because HIPAA creates a private cause of action, but because the court found it appropriate to use HIPAA as establishing a standard of care in making claims that the defendant violated a standard of care.
The cases above illustrate the interplay between HIPAA and state law and open the doors to future lawsuits where plaintiffs use HIPAA as a basis for private claims. The risks of such private causes of action are only expected to increase, particularly with the expanded duties that will be laid out in the forthcoming final regulations to HIPAA, which are being modified by the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act. These final regulations will contain provisions that update HIPAA and extend yet-to-be-finalized health data privacy and security rules to healthcare entities, including funding for heightened HIPAA enforcement...
CODA
How a Broken Medical System Killed Google Health
Google would have had to fix a balkanized U.S. health-care system to make the service catch on.
WEDNESDAY, JUNE 29, 2011 BY DAVID TALBOT, MIT Technology Review
At the end of this year, Google Health will flatline. The service couldn't encourage many people to import or analyze their health data, and experts say its untimely death is, in many ways, an extension of U.S. health-care providers' failure to share data across institutions, or make it easy for patients to obtain it.
Google's free online service lets people upload, store, analyze, and share their health information. But there are hundreds of different health-care institutions in the U.S. that use different systems to record and store data, and many doctors don't use electronic records at all, making the task of retrieving and updating data extremely difficult for the average person, says Isaac Kohane, who directs the informatics program at Children's Hospital in Boston, and codirects Harvard Medical School's Center for Biomedical Informatics.
For Google to make its service attractive, it would have had to solve this health IT mess, which is in the early stages of being addressed through recent national policy moves. These include 2009 federal stimulus incentives for doctors and hospitals to adopt electronic medical records, and for hospitals to share data with one another.
Kohane says it will be at least five years before data flows smoothly enough to make something like Google Health worthwhile. "Google is unwilling, for perfectly good business reasons, to engage in block-by-block market solutions to health-care institutions one by one," Kohane says, "and expecting patients to actually do data entry is not a scalable and workable solution."...
Interesting.