Under Trump’s administration, no other sector will undergo as many fundamental changes as healthcare. President-elect Trump’s healthcare policies have been particularly vague; although he is intent on repealing the Affordable Care Act, we are not certain about his solutions for replacing it, other than the proposal to allow health insurers to compete in multiple states.
While the exact outcomes of such a proposal remain to be carefully analyzed, the idea behind it – fostering competition and relying on the invisible hand of the free market – may be a sound solution to our nation’s health information technology challenges. Over the past decade, despite spending billions of dollars, government interference in the health IT market has only resulted in small victories and big failures. Although every medical provider is now using an Electronic Health Records (EHR) system, physicians are frustrated with their EHR systems, exchanging medical data remains a major challenge, and cyber-security attacks undermine the privacy of patients more than ever. Many of these challenges could have been addressed in the recently announced rules of Medicare and CHIP Reauthorizations Act (MACRA). However, CMS lost this golden opportunity by making a set of extremely complicated rules that ignore both medical practice and basic economics.
In the following, I lay out a set of recommendations for fostering interoperability and protecting patient privacy as the two most important challenges in the health IT domain over the next four years.
More than a decade ago, President Bush established the Office of the National Coordinator for Health IT (ONC) and tasked it with spearheading the efforts to create a nationwide system in which the medical data of all Americans are securely stored and privately exchanged between those physicians who need to access such data to provide better medical care at lower cost. Achieving these goals could have resulted in over $78 billion of annual savings. Despite significant support from the Obama administration, we are still very far from achieving those goals. While the entire US health care system is now digitized, most electronic health records (EHR) systems fail to interoperate. That is, they archive medical data electronically but cannot exchange such data with EHRs used by other providers. The situation is akin to a system of disconnected computers that work independently but cannot send and receive data to and from other computers.
The lack of interoperability is purely an economic problem
Health information will not be exchanged unless all of the involved parties have a clear financial incentive to do so. The reason that information exchange in the health care system has lagged behind other industries is that anti-kickback laws prevent the healthcare industry from treating information as a commodity and therefore eliminate the incentive to trade information.
Consider the financial industry as an example. Credit card holders can swipe their card at almost any location in the world and exchange a part of their financial information with a vendor. Two parties exchange information as long as they both benefit from doing so. For instance, if the vendor charges extra for credit card payments, some users may prefer to pay in cash rather than exchanging information via their credit cards. More importantly, since banks are legally allowed to charge the vendor and the card holder a service fee, they also have a clear financial incentive for enabling and fostering the exchange of information.
Anti-kickback laws largely limit similar business models in the health care industry. Although ownership of medical data belongs to providers, they are not allowed to charge others for allowing access to such data. This lack of incentives creates an imbalance in the information market. While there is a large demand for medical data, supply is limited because there is no incentive for physicians and hospitals who have these data to provide data to those who need them. More importantly, the intermediaries such as electronic health record vendors have disincentives to remove the technical barriers of exchange simply because they are not paid to do so.
Data blocking is not the reason for the lack of interoperability
ONC has coined the term “data blocking” to describe the technical obstacles that EHR vendors intentionally create to limit information exchange. ONC’s solution to data-blocking is to conduct in-the-field surveillance and check EHRs at the location of hospitals and physicians’ offices to make sure that they are interoperable and are not limiting data exchange. This solution is impractical, extremely expensive and seriously threatens patients’ privacy.
ONC ignores the fact that exchanging information is not in the best interests of many medical providers. The “inability to exchange” is actually a preferred feature of an EHR system for many providers as it enables providers to keep their patients and prevent them from migrating to other providers. Recent studies show that in the states where it is easier and cheaper for patients to obtain their medical records, the proportion of patients who switch their primary care physicians and specialists increases by 11% and 13%, respectively. Prior research also identifies competition among medical providers as a barrier to their engagement in exchanging health information and shows that providers who are more competitive, such as for-profit hospitals and those with smaller market shares, are much less likely to exchange health information with others. In many instances where data flows smoothly and providers can access data if they choose to, access to information barely happens. For example, while research shows that looking up patients’ information can significantly lower the number of test orders, clinicians do so in less than 10% of the ED encounters, even when there is no technical barrier to block the data exchange.
To enable interoperability, anti-kickback laws should be repealed
To create interoperability and enable data exchange, we should follow the solutions that have been proven to be successful in every other industry. In the current system, providers have very little incentive to receive data and absolutely no incentive to send data. The current safe harbors of anti-kickback laws result in information silos with even thicker walls and lead smaller practices and individual physicians to adopt an EHR system which is subsidized by a larger hospital. Such laws, coupled with the ill-designed payment systems, have turned medical data into a property that serves the interests of its owners only if kept private and not shared. I have previously discussed how to solve this problem by designing business models that encourage the exchange of information through both patient-mediated solutions and centralized health information exchange platforms. These market-based proposals would eliminate the most important barriers to interoperability and significantly enhance health information exchange. However, to implement these solutions, the government should allow medical providers to meet the demand for information by charging a fee for supplying it.
Cyber-security & Privacy
Privacy breaches are more likely to happen in the health care industry than any other sector. According to the data provided by the Office for Civil Rights (OCR), since late 2009, the medical information of more than 155 million American citizens has been exposed without their permission through about 1,500 breach incidents. Heavy reliance of US hospitals on EHR systems and their weak cyber-security practices have turned them into lucrative and easy targets for ransomware attacks in which hackers lock down the computer systems of hospitals and ask for a ransom to allow hospitals to have access to their own computers.
To prevent these breaches and protect patient privacy, OCR should allow the healthcare industry to learn from its failures and create larger incentives for medical providers and their business associates to protect patient privacy. In the long run, a cyber-insurance market will ensure the privacy of patients by creating incentives for different entities of the healthcare sector to prioritize security practices and privacy policies. In a previous post, I discussed the following solutions in detail.
Increase penalties of data breaches
Protecting customer privacy is among the most important activities of businesses in every industry, except the health care industry. For most companies, spending on digital security is considered a strategic investment. It is a necessity without which many of the current businesses will immediately vanish. Due to limited competition and the nature of their services, medical providers and their business associates have little financial incentive to safeguard their patients’ privacy. The only major consequences of breaches are the subsequent OCR audits and the possible penalties. It is therefore necessary for OCR to create a strong incentive for the healthcare industry to invest in digital security and protect patient privacy by increasing the penalties of data breaches.
Allow the healthcare industry to learn from its failures
After a breach happens, OCR conducts a thorough investigation to identify its causes. Through these audits, OCR also ensures that the victim organization has put corrective and preventive policies in place to avoid future incidents. Although the lessons learned from each breach can prevent other similar incidents, OCR does not share the details of its investigations. OCR should provide detailed reports on how each breach happened, and how other health care organizations can avoid similar occurrences.
Promote cyber-insurance in the healthcare industry
In the long run, the cyber-insurance market can fundamentally improve how patient privacy is viewed and managed in the health care sector. To underwrite the privacy risk of health care organizations, cyber insurance companies will be willing and able to conduct timely and efficient audits and proactively manage their clients’ privacy protection efforts. Health care organizations will also have a direct economic incentive to reduce their cyber insurance premiums by addressing their security weaknesses and preventing privacy breaches.