A new report to Congress recommends steps to ease the secure sharing of patient information, paving the way for better coordination of care and improved patient outcomes. For example, the report recommends the creation of incentives to help overcome the "blocking" of data exchange or reluctance to participate.
Although the federal government has spent $31 billion so far on HITECH Act incentives for hospitals and physicians to "meaningfully use" electronic health records systems, Congress has been scrutinizing whether the investment has paid off in enabling the sharing of health information.
Some security and privacy experts say that while the report spotlights some of the key barriers to secure health information exchange, some of the concerns may be overstated.
For instance, Micky Tripathi, CEO of the Massachusetts eHealth Collaborative, says intentional information blocking among healthcare providers is generally not a widespread problem.
"There are bad apples in every group of humans, and healthcare providers are no exception," he says. "In my experience, malicious information blocking for competitive purposes is very, very rare, and is certainly not a big factor or even a major factor impeding health information exchange. The biggest impediment to information exchange up until now has been lack of demand. That has changed, and now that we have strong demand, we're seeing the market respond and I expect interoperability to grow dramatically over the next couple of years."Report Findings
The Health IT Policy Committee, which advises the Office of the National Coordinator of Health IT, recently submitted its Report to Congress: Challenges and Barriers to Interoperabilityas mandated by Congress.
The report delves into the various technical, operational and financial challenges that the healthcare sector faces in achieving health information exchange. Among the issues related to privacy and security listed in the report are:
- Misunderstanding about HIPAA and other privacy laws has led some to refrain from sharing information.
- Applying privacy laws that were originally designed to address paper-based processes to today's electronic transactions has been problematic.
- Designing electronic systems and rules to accommodate varying state privacy and security laws has been challenging.
The advisory panel makes four key recommendations to accelerate health information exchange:
- Develop and enhance incentives that drive interoperability and data exchange, such as by focusing on delivery of coordinated care. For example, payers could decline to reimburse for medically unnecessary duplicate testing that could have been avoided if information was shared.
- Develop and implement health information exchange vendor performance measures for certification and public reporting;
- Set payment incentives to encourage health information exchange. Include specific performance measurement criteria and create a timeline for implementation.
- Convene a summit of major stakeholders co-led by the federal government and the private sector to act on ONC's recently unveiled 10-year interoperability roadmap.
Drilling down on the report's recommendations pertaining to payment incentives to help accelerate interoperability, the HIT Policy Committee specifically addresses the problem of information blocking, which involves healthcare providers refusing to share of clinical information.
Sometimes information blocking is related to misinterpretations and misunderstandings about HIPAA and other privacy laws, the report notes.
"There are many examples where misinterpretations of complex privacy laws inhibit providers from exchanging information that is permitted under HIPAA," the report notes. "Also, many providers do not fully appreciate that the HITECH Act gives patients the right of electronic access to their EHR-stored information. As the Centers for Medicare and Medicaid Services defines new payment incentives ... it should incorporate mechanisms that identify and discourage information blocking activities that interfere with providers who rely on information exchange to deliver high-quality, coordinated care."Other Recommendations
The document also outlines some previous recommendations made by the HIT Policy Committee to ONC, including:
- Explore regulatory options and other mechanisms to encourage appropriate sharing of certain sensitive information, including substance abuse and mental health data;
- Provide guidance about best practices on the privacy considerations associated with sharing of individuals' data among HIPAA covered entities and other community organizations;
- Guide efforts to establish "dependable rules of the road" and to ensure their enforceability in order to build trust in the use of healthcare big data.
David Whitlinger, executive director of the Statewide Health Information Network of New York - the state's health information exchange - says privacy and security issues clearly represent some of the biggest hurdles to overcome before achieving nationwide data exchange.
"Privacy and security regulations vary across different states, and those difficulties are exacerbated even more in sharing sensitive health data, such as mental health, substance abuse, HIV, reproductive health, and information about minors," he says. EHR platforms don't easily support compliance with varying laws when data is exchanged, he notes.
But he points out that industry players are discussing the use of various technologies that "tag" sensitive information so that patients have more control over what part of their health records can be shared among healthcare providers. Also under discussion are policy issues such as "giving patients complete control over their data, so that they ultimately make the decisions about what subsets of data they'll share," he notes.
Tripathi says the biggest barrier to health information exchange, from a privacy and security perspective, "is the heterogeneity of privacy rules that any particular provider faces, which has a paralyzing effect on electronic information exchange."
For instance, in Massachusetts, HIV and genetic test results require consent from patients for each disclosure, he notes. "So even though a Direct [secure email] transaction doesn't require any special consent, certain types of payloads may trigger other consent requirements. So ... as a healthcare provider ... I will hesitate to send out anything until I understand which laws pertain and whether that data my EHR sends triggers any of those other laws."What's Next?
Members of Congress now must decide whether to act on the HIT Policy Committee's various recommendations.
An aide to Sen. Lamar Alexander, R-Tenn., chair of the Senate Committee on Health, Education, Labor and Pensions, says in a statement provided to Information Security Media Group: "Sen. Alexander is focused on making electronic health records something that physicians and hospitals look forward to instead of something they endure, and he looks forward to hearing what recommendations [the HIT Policy Committee] outlined in [the] report."
While the report notes that steps could be taken to begin implementing various recommendations within the next six months, some healthcare IT experts say it could take years for comprehensive health information to be securely and readily exchanged among healthcare providers by using health information exchange organizations and EHR systems.