EHRs’ laudable openness goals will slam into the reality of a highly proprietary, secretive, and risk-averse health care industry

As the nation continues to fight over the Obamacare mandate that everyone have reasonable health insurance, and both proponents and opponents struggle with its complex policy and technology implementations, a bigger disconnect is looming. The potential snafu centers on the national electronic health records (EHR) system mandated during the Bill Clinton and George W. Bush administrations and now starting to gain meaningful deployment as a key federal deadline of 2015 nears.

There are several contradictions between the EHR mandate and how the medical industry operates, as well as between EHR policies and older laws such as HIPAA (the Health Insurance Portability and Accountability Act). Although many could have been anticipated, the health care industry has largely ignored them, preferring to do things as it always has. Never mind that the federal agency that sets the policies for EHRs — the Office of the National Coordinator (ONC) in the Health and Human Services Dept. — has been increasingly aggressive in crystallizing the rules and showing tangible approaches to foster data sharing and patient access, which often go against the way medical providers operate.

Even where medical providers aren’t clinging to old ways, the federal mandates are proving very difficult to comply with, as privacy, security, integration, sharing, and effectiveness requirements create fundamental conflicts that technologists may not be able to resolve.
In fact, an increasing number of providers are returning federal incentive dollars or accepting federal noncompliance fines because they can’t figure out how to make it all work.

In the next few years, we’ll see a breakdown in the status quo similar to the one that occurred several years ago when the consumerization movement, in the form of BYOD for mobile devices, both changed the relationship between IT and users and created a contradiction between compliance and effectiveness. In health care, I could see several of these collisions becoming visible at the recent HIMSS 2014 conference, which gathers nearly 30,000 health care practitioners, vendors, payers, and policy makers around health IT.

Bill Fera, a principal in Ernst & Young’s advisory practice, sees a split emerging between the haves and have-nots in the health care industry: Organizations that have both the money and the technical talent are clearly more successful in figuring out how to satisfy the mandates than those that lack one or both. He’s also seeing many providers rethink their EHR efforts to be less “best of breed” and to rely on a smaller number of established vendors, similar to how the ERP industry coalesced around SAP, Oracle, and Infor. He also sees an increasing trend toward outright mergers and less formal affiliations that let multiple organizations use the same technology and platforms. Finally, he’s seeing ONC solidify its requirements and model systems, because there’s now enough experience to do that, versus the “theoretical” recommendations of the early days.

I believe the collision will ultimately be a good thing, but it will also be painful. The goals of the health care reforms set out 20 years ago and now being implemented are good ones — the three standing ovations Hillary Clinton, considered the mother of health care reform due to her controversial efforts in 1993, received when she spoke at HIMSS show the health care industry largely agrees.
But achieving them is no sure bet.

Contradiction 1: Proprietary medical systems and the mandate to exchange patient data

EHRs are like ERP deployments: Even though only a handful of vendors’ systems are used to create them, every one is customized to the hilt to reflect the various business and medical processes it records and facilitates. If you remember the first wave of ERP systems in the late 1990s and early 2000s, most delivered negative ROI. Why? Because they were overcustomized, cost gobs of money, delayed deployments for years in many cases, and became too expensive to maintain, much less update. Even today, when two companies merge, the ERP integration effort becomes a big money and time sink. Though they use the same technology platform, they’re implemented too differently to simply move one company to the other’s ERP system as is.

EHRs are much more complex than ERP systems because they have to deal with hundreds or even thousands of medical treatment processes. In addition, they support the hugely complex billing systems for each major insurer and government payer — whose own validation systems are designed to discover reasons not to pay, which means there’s much more accountability and analysis needed in EHRs for billing than you likely realize.

Also, EHRs are supposed to exchange data with other EHRs, whether directly or through what’s called a health information exchange (HIE). The huge differences in EHR data and processes make the already Herculean task of HIE integration even more difficult, because a larger organization might need to interact with multiple HIEs, each with its own custom methods.

There’s no national HIE standard because that’s not how the United States operates: The market gets to decide what works, which is great for meeting local needs but terrible for tasks like integration.
There is an effort under way to create a national HIE standard that the regional HIEs could use, as could individual providers, but it’s still in its early stages — and won’t likely be mandated.

Finally, there’s a government mandate called Meaningful Use, which requires that patients engage with their medical providers and their own medical data, such as by accessing test results online or consulting with physicians over email or phone. In fact, the regulations require that all medical providers make a patient’s medical records available electronically to any patient who wants them.

Such engagement is supposed to empower patients to be partners in their well-being, as well as reduce costs by avoiding in-hospital treatments and reducing relapses. (In fact, cost savings were a key goal of the Clinton and Bush policies that led to the EHR mandate.) The feds have a standard called Blue Button for displaying that patient data, but it’s basically a big ASCII data dump, nothing a normal person can parse. A more useful version of Blue Button is being promoted, but adopting it requires EHRs to format their data in comprehensible, consistent ways, not just dump it out. Few EHRs are designed to do that.

Thus, we have a mess of proprietary EHR systems with highly customized processes, a set of HIEs that use different standards and protocols to connect them, and a mandate to provide human-readable data from these disparate systems. What could possibly go right?

Contradiction 2: HIPAA privacy implementations and the mandate to exchange patient data

Although “privacy” is nowhere in the 1996 HIPAA law’s name, enforcing the confidentiality of patients’ personal health information is a major component of the law. It also formalized some of the major operational goals for EHRs and HIEs, as well as provided assurance that insurers couldn’t deny coverage to people in employer-sponsored plans based on information the insurers could access legitimately.
In an era when insurers used medical data unrelated to claims to deny or cancel coverage, and when some employers sought to avoid or remove employees who might have expensive medical needs, that privacy mandate was a big win for patients.

But HIPAA’s focus on privacy works against the portability of health information that the original Clinton-era policies, HIPAA itself, and the later HITech (Health Information Technology) Act all sought to deliver. Before a provider can release any medical information about you to another provider, it needs your signed consent. Employees of your medical provider are covered, but not contractors such as ambulance services and home aides, specialist referrals, dentists, optometrists, and so on. They each need to get permission to see your medical data.

Most HIPAA forms you sign have a clause that allows the provider to release your medical data to others involved in treating you. But that’s all on paper. If you have an accident in Boston but live in Maine, that Boston ER needs proof from your Maine doctor that you consented to sharing your information. That usually happens by fax, which can delay treatment. (There are some exceptions for emergencies, but the burden of proof is on the provider to show that it was an emergency.) There is no standard release, so many providers need to read what you signed to see if they’re covered — that’s why there are very complicated, labor-intensive systems in place to validate these consents, creating a huge, avoidable burden on the health system.

In the context of EHRs and HIEs, that permission is usually represented by a check box saying you agreed to share personal health data — but other providers don’t know what you actually signed, putting them at risk. The feds are working with several nonprofits to come up with standard permissions that can be reduced to check boxes shared across EHRs, so no one has to fax and read the actual signed permissions. However, that’s years away.
Meanwhile, some EHRs keep a scan of the signed consent, so it can be faxed when needed.

Then there’s the mental health issue: HIPAA and HITech give special protections to mental health conditions, requiring that they not be shared even within a provider’s organization unless extra permission is obtained. The stigma around mental health is one reason for this extra protection, but that separation is technically difficult to enforce: An EHR can automatically mask out mental health treatments based on their treatment codes, but it can’t scrub the doctor’s free-form notes related to mental health, for example. Such separation is also unhealthy: Mental health conditions and treatments interact with physical health conditions and treatments, putting patients and providers alike at risk when this information is obscured. Now that the Affordable Care Act (aka Obamacare) puts mental health on parity with physical health in terms of insurance coverage, maybe we can stop perpetuating the stigma of mental health and treat the patient holistically — and share that critical information among providers without fear. If need be, regulations could be put in place to penalize those who discriminate against patients with such conditions.

Another issue is that the privacy rules could inhibit medical research based on all that electronic patient data. Even when the data is anonymized, it doesn’t take much context to identify who an actual patient was based on a few factors such as age, treatment location, and medical conditions. Right now, that’s a potential privacy breach under HIPAA and HITech. But should it be?

Privacy is important, but the health care system envisioned by those Clinton-era policies is supposed to be a collaborative one where patients are treated as part of the process and providers can’t “own” patients by withholding information from other (competing) providers.
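Two of the technical failure modes described above are easy to demonstrate: code-based masking that leaves protected information behind in free-text notes, and an “anonymized” research extract in which a handful of quasi-identifiers (age, treatment location, condition) still singles out an individual. The following is an added example written for this article, not code from any EHR vendor or from the author; the record layout, the protected code prefix (MH-), the indicator terms, and all sample records are constructed for illustration, and the k-anonymity threshold is an arbitrary choice.

```python
"""
Release-time checks a defender might run before records leave an EHR.

1. mask_by_code() drops entries flagged as protected by their treatment code;
   residual_note_leaks() then scans the notes that survive, because code-based
   masking cannot scrub a clinician's free-form text.
2. k_anonymity() / suppress_small_classes() measure and enforce k-anonymity on
   a research extract, showing why age + site + condition can re-identify.

All data and rule sets below are constructed for this example.
"""
import re
from collections import Counter

# Hypothetical: codes beginning with "MH-" denote mental-health encounters.
PROTECTED_CODE_PREFIXES = ("MH-",)

# Hypothetical indicator terms; they only flag notes for human review, they
# are not a complete vocabulary and should not be treated as one.
NOTE_INDICATORS = re.compile(r"\b(depress\w*|anxiety|psychiatr\w*|sertraline)\b", re.I)

# Constructed sample records: one patient's mental-health medication shows up
# in a note attached to a *general* visit, which code-based masking never sees.
SAMPLE_RECORDS = [
    {"patient_id": "P001", "code": "GEN-101", "note": "Routine physical. BP 128/82."},
    {"patient_id": "P001", "code": "MH-210", "note": "Follow-up for depression; continue sertraline."},
    {"patient_id": "P002", "code": "GEN-145", "note": "Knee pain after fall. X-ray ordered."},
    {"patient_id": "P002", "code": "GEN-101", "note": "Patient reports anxiety about surgery; refilled sertraline."},
    {"patient_id": "P003", "code": "MH-305", "note": "Psychiatric consult."},
]

# Constructed research extract with direct identifiers already removed.
SAMPLE_EXTRACT = [
    {"age_band": "30-39", "site": "Boston", "condition": "asthma"},
    {"age_band": "30-39", "site": "Boston", "condition": "asthma"},
    {"age_band": "30-39", "site": "Boston", "condition": "asthma"},
    {"age_band": "40-49", "site": "Portland", "condition": "asthma"},
    {"age_band": "40-49", "site": "Portland", "condition": "asthma"},
    {"age_band": "40-49", "site": "Portland", "condition": "asthma"},
    {"age_band": "80-89", "site": "Portland", "condition": "asthma"},  # unique combination
]
QUASI_IDENTIFIERS = ("age_band", "site", "condition")


def mask_by_code(records, prefixes=PROTECTED_CODE_PREFIXES):
    """Remove every entry whose treatment code marks it as protected."""
    return [r for r in records if not r["code"].startswith(prefixes)]


def residual_note_leaks(records, pattern=NOTE_INDICATORS):
    """List (patient_id, code, term) for surviving notes that still carry
    protected indicators. A non-empty result means masking was incomplete
    and the record needs manual redaction before release."""
    leaks = []
    for r in records:
        for match in pattern.finditer(r.get("note", "")):
            leaks.append((r["patient_id"], r["code"], match.group(0).lower()))
    return leaks


def _classes(rows, quasi_identifiers):
    return Counter(tuple(row[q] for q in quasi_identifiers) for row in rows)


def k_anonymity(rows, quasi_identifiers):
    """Size of the smallest group of rows sharing the same quasi-identifier
    values; k == 1 means at least one row is unique and re-identifiable."""
    counts = _classes(rows, quasi_identifiers)
    return min(counts.values()) if counts else 0


def suppress_small_classes(rows, quasi_identifiers, k):
    """Drop rows whose quasi-identifier group is smaller than k. This is the
    data-loss side of the trade-off: the unique row is removed, not fixed."""
    counts = _classes(rows, quasi_identifiers)
    return [row for row in rows if counts[tuple(row[q] for q in quasi_identifiers)] >= k]


if __name__ == "__main__":
    released = mask_by_code(SAMPLE_RECORDS)
    print(f"{len(released)} of {len(SAMPLE_RECORDS)} records survive code masking")
    for leak in residual_note_leaks(released):
        print("residual leak in free text:", leak)
    print("k before suppression:", k_anonymity(SAMPLE_EXTRACT, QUASI_IDENTIFIERS))
    safe = suppress_small_classes(SAMPLE_EXTRACT, QUASI_IDENTIFIERS, k=3)
    print("k after suppression:", k_anonymity(safe, QUASI_IDENTIFIERS), "rows kept:", len(safe))
```

The point of the first check is that it reports a leak on a GEN- visit, exactly the case the article describes: the protected encounter was masked, but the clinician’s note on an unrelated visit still names the condition and the medication. The second check shows that with three quasi-identifiers a seven-row extract already contains a unique individual, and that the only generic remedy (suppression) costs data.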
That expanded-network notion requires that privacy be relaxed within that network, while still maintained so that employers, salespeople, and the rest can’t abuse it. Thus, the HIPAA and HITech laws need to be reformed to allow any provider to obtain a patient’s records to treat that person. The Affordable Care Act forbids the kinds of patient-removal schemes practiced by insurance companies in the past; there are now protections in place that should permit a relaxation of the privacy components of HIPAA, at least for data exchange among licensed health care providers. That’ll make the technology easier to implement as well.

Contradiction 3: Empowered patients and liability for ensuring better health care outcomes

The requirements for EHRs and HIEs scare health care providers and their IT staffs in many ways, not just around complexity, integration, data portability, and privacy. There are also mandates around new diagnostics and related billing codes (ICD-10) and information security (HL7), for example.

But my sense is that the mandate that scares them the most is Meaningful Use — engaging patients as participants in their care, not merely as treatment recipients. Some of it is cultural: Doctors and nurses fear that patients will rely on the Web for medical data, subjecting them to all sorts of quackery and hypochondria, though that’s already happened in the era of Google search. Some also fear a patient will argue and question, which of course is one of the goals of the new regulations — doctors are often resistant to considering new or modified treatment methods, for example, and a shift in the power balance is needed to overcome that.

Other concerns are legalistic: Patients are not subject to HIPAA regulations, so they can share their information with anyone. That can put providers at a disadvantage, as their ability to share data is constrained while the patient’s is not.
For example, although a provider must make a patient’s data available for download to wherever the patient wants to store it, that same provider can’t use regular email to communicate any health information to that patient, for fear that others may see it. (That’s why you’re forced to log in to a patient portal to see those messages.) As a result, many providers don’t provide patient data on demand as the law requires — they reason that if email delivery is noncompliant, how can a data dump be compliant?

Then there’s the issue of what to do with personal data from the patient, such as data collected by fitness sensors or from other practitioners (your Chinese herbalist or chiropractor, for example). If a provider lets the patient add that information to the formal health record or even to the patient portal, is the provider liable for reviewing and assessing it? What if it provides a clue as to the patient’s condition that could affect treatment? Providers are damned if they review it and damned if they don’t.

Also, the feds are encouraging the development of wellness apps that would use patient data, such as from Blue Button data dumps, to help patients manage their health, as well as their family’s. Providers fear they’ll be on the legal hook if the data from their EHRs is misused, misunderstood, or outdated. Although the Food and Drug Administration will regulate medical apps — at least the ones that actually treat patients — it’s very murky territory as to what constitutes treatment versus what constitutes information. Who’s responsible when harm comes to a patient in that gray zone?

One of the overarching goals of the national health care policy is to reduce costs while leading to better health “outcomes.” As the network of providers, information sources, and services — some regulated, some not — grows around the empowered patient at the center, we’ll get both smartly proactive users and stupidly acting ones.
Ambulance-chasing lawyers will love the latter ones, at least as long as liability remains an open question.

This article, “Thought Obamacare was messy? Wait until electronic health records come online,” was originally published at InfoWorld.com. Read more of Galen Gruman’s Smart User blog.