Providers are obsessed with the issue of protected health information (PHI) and this obsession comes at a very direct cost in terms of efficacious patient care and improved outcomes. All worst-case scenarios revolve around the negative public relations, cost, and legal implications of an inadvertent or criminal breach of patient health data. An absolute prejudice against the interoperability of patient data and access to patient data for the purposes of health care improvement is the result.
Much of this is driven by misunderstandings of the Federal Health Insurance Portability and Accountability Act (HIPAA). HIPAA was designed to facilitate the interoperability and interchange of patient health data between providers, payers, and patients themselves. Towards that goal, HIPAA contains directives designed to help ensure the security of patient data with the understanding that once security could be reasonably assured, portability would be naturally enabled.
Unfortunately, most of the medical industry has never been able to get past the security part of HIPAA. There is little understanding of why the security mandate exists (to promote portability and use) and even less understanding of HIPAA’s other two mandates, namely: (a) that patient health records belong to the patient, not the provider or payer; and (b) that patient health records must be used to help improve the state of patient care and health outcomes.
Instead what is happening is that providers hide behind the security mandate in order to deny the other two mandates (use of patient records and ownership of patient records). The reasons they do this are complex but include the fear of career risk among health care professionals as well as a general fear of the negative business impacts that portability implies. After all, if a patient can easily take their business across the street from one provider to another, why wouldn’t they?
Patient records today are primarily stored within so-called Electronic Health Record (EHR) systems, also sometimes known as EMR (Electronic Medical Record) and PMS (Practice Management Systems). The vendors of these systems see an existential threat to their business model should they enable easy and efficient interoperability with and access to the patient records stored in their systems. They too relentlessly work against any enablement of easy patient record access.
Discussions regarding the consequence of a patient record breach inevitably revolve around a hypothetical headline in, say, the Wall Street Journal. Health care boards of directors, CIOs, and CEOs lie awake fearing that any day now their institution will be the subject of a headline detailing that they leaked confidential patient information. And that millions of health records are now out there on the open (black) market.
These fears drive the aforementioned career implication. Healthcare CIOs, in particular, are relentless in their obsession with keeping a lid on the use and dissemination of patient health data. For them, there is only downside — a breach would certainly mean the end of their career. Likewise, there is no upside — CIOs do not share in the success stories that accrue from the open and easy interchange of patient records. As a result, healthcare CIOs become relentless defenders of the status quo. For the rest of us, the salient features of that status quo in the United States are rising health care costs and declining health care outcomes.
And that is the headline to which we need to pivot people’s attention, starting with the boards of directors of the major hospitals. We need to move them away from a fear of a headline announcing a breach and towards a fear of a headline heralding that their institution failed, or was failing badly, in its charge of patient care. Failed because their institution chose a reactionary default of restricting access to patients’ own records for the purpose of protecting individual careers, institutional reputations, and corporate bottom lines.
Choosing that default because that was the course of action that best covered their collective asses, irrespective of how badly it hurt the cause of patient care.
As always, the Federal Government is providing some guidance here. HIPAA violations levied against institutions for arbitrarily withholding access to and interoperability of patient records in the service of patient care are now the third most prevalent type of violation. But there needs to be more. The media, in particular, needs to use its bully pulpit to root out instances of arbitrary withholding, it needs to identify the institutions and individuals responsible, and it needs to detail qualitatively how that has negatively impacted patient care.
At the same time, hospital boards of directors need to find ways to reward visionaries in health care. They need to find ways to reward those CIOs, those CTOs (Chief Transition Officers), and especially those CMOs (Chief Marketing Officers) in their efforts not to restrict access to and availability of patient records but in their efforts to expand that access, even with the small risk premium that improvement carries.
Those are the headlines we need to see, and once we see them, we will see health care costs go down and patient outcomes go up. Plain and simple.