Recent Comparative Studies of Health Systems

As America continues to wrestle with the thorny thicket of health care reform, there are a number of recent reports chronicling and comparing approaches to health care and health reform in different countries that are worth a read.  For example:

• The Organisation for Economic Co-operation and Development recently released Health at a Glance 2011: OECD Indicators, which provides “comparable data on different aspects of the performance of health systems in OECD countries.” The U.S. spends 2 ½ times more than the OECD average health expenditure per capita (which amounted to 17.4% of GDP in 2009). (OECD explores why in a separate addendum, “Why is Health Spending in the United States So High”.) Yet, with the exception of cancer care and acute care in hospitals, it is not clear Americans are getting improved quality for the greater expenditures. As reported by CQ HealthBeat and by the Commonwealth Fund, “hospital services cost much more in the United States and pharmaceutical prices are much higher compared to other countries;” “there are fewer practicing physicians per 1,000 population, fewer doctor consultations and shorter hospital stays;” “more CT scans, knee replacements, and Caesarean sections;” and “comparatively high hospital admission rates for preventable conditions like asthma, diabetes and hypertension.”

• Strengthening Primary Care: Recent Reforms and Achievements in Australia, England, and the Netherlands, a recent report by Sharon Willcox, Geraint Lewis, and Jako Burgers of the Commonwealth Fund, evaluates efforts to improve access to, and the quality of, primary care in these countries– and suggests what the U.S. can learn from these initiatives. These countries have been focusing on three primary care reform strategies: promoting coordination of care, reforming primary care payment, and improving quality and access. As the abstract summarizes, “[q]uality improvement strategies include postgraduate training programs for family physicians, accreditation of general practitioner (GP) practices, and efforts to modify professional behaviors–for example, through clinical guideline development. Strategies for improving access include national performance targets, greater use of practice nurses, assured after-hours care, and medical advice telephone lines. All three countries have established midlevel primary care organizations both to coordinate primary care health services and to serve other functions, such as purchasing and population health planning. Better coordination of primary health care services is also the objective driving the use of patient enrollment in a single general practice. Payment reform is also a key element of English and Australian reforms, with both countries having introduced payment-for-quality initiatives. Dutch payment reform has stressed financial incentives for better management of chronic disease.”

• Bradford H. Gray, Thomas Bowden, Ib Johansen, and Sabine Koch, also of the Commonwealth Fund, review the extent of adoption of “meaningful use” (as defined in federal regulations) in three countries with extensive experience with electronic health records, Denmark, New Zealand, and Sweden in Electronic Health Records: An International Perspective on “Meaningful Use.” Although these European countries have high levels of EHR adoption, they have not reached 100% meaningful use, with the greatest weakness being in information provided to patients. The authors suggest that the U.S. could learn from these experiences the value of “providing economic incentives to encourage adoption and designating an organization to take responsibility for standardization and interoperability.”

• International Profiles of Health Care Systems: Australia, Canada, Denmark, England, France, Germany, Italy, Japan, the Netherlands, New Zealand, Norway, Sweden, Switzerland, and the United States, edited by Sarah Thomson, Robin Osborn, David Squires, and Sarah Jane Reed and published by the Commonwealth Fund, provides an overview of the health systems in these countries– including “health insurance, public and private financing, health system organization, quality of care, health disparities, efficiency and integration, use of health information technology, use of evidence-based practice, cost containment, and recent reforms and innovations.”

• The Commonwealth Fund also recently released results of an international study of patients with complex care needs in eleven countries: Australia, Canada, France, Germany, the Netherlands, New Zealand, Norway, Sweden, Switzerland, the United Kingdom, and the U.S. Although it identified significant care coordination issues, it found that “patients who have a medical home reported better coordination of care, fewer medical errors, and greater satisfaction with care than those without one.” In addition, the study also found “that patients in the United States are much more likely than those in 10 other high-income countries to forgo needed care because of costs and to struggle with medical debt.” 27% “were unable to pay or encountered serious problems paying medical bills in the past year, compared with between 1 percent and 14 percent of adults in the other countries,” and 42% did not see a doctor, fill a prescription, or receive recommended care. The authors conclude that “[t]he United States in particular has opportunities to learn from abroad-including the use of purchasing power to lower prices, payment innovations, and the use of information systems and care system redesign efforts that are under way in several countries.”

Of course, there are a variety of reasons the experiences in other countries may not take root in the United States.  But we still should be aware of these efforts and critically evaluate whether we might transplant any of them as seeds of reform here.

Beyond Innovation and Competition, Health IT Edition

Last year I published a piece called “Beyond Innovation and Competition,” questioning the dominance of those values. Economists celebrate innovation and competition as the main source of future growth. Innovation has become the central focus of Internet law and policy. While leading commentators sharply divide on the best way to promote innovation, they routinely elevate its importance. Business writers have celebrated search engines, social networks, and tech startups as model corporations, bringing creative destruction and “disruptive innovation” in their wake. Maximum innovation is the goal, and competition is billed as the best way of achieving it. Players in the vast and dynamic tech marketplace are supposed to constantly strive to innovate in order to attract consumers away from rivals.

In the piece, I explain how both competition and innovation can be as destructive as they are constructive. There are many social values (including privacy, transparency, predictability, and stability), and companies can compete for profits in ways that erode those values. In an era of inequality and hall-of-mirrors stock market valuations, innovations of marginal or negative impact on society at large can be vastly overvalued by a stampede of fickle investors.

The shortcomings of the innovation and competition story also play out in health information technology. Stimulus legislation in 2009 provided many carrots and sticks for doctors to digitize their recordkeeping systems, ranging from bonuses now to reimbursement haircuts later this decade if they fail to implement the technology. Congress structured the incentives to encourage a competitive and innovative marketplace in health information technology. But many doctors are shying away from implementation, in part because they fear that the fast and loose ethics of the market can’t mesh with a medical culture of constant commitment to quality care.

Susan Jaffe’s article for the Center for Public Integrity examines doctors’ fears about adopting any given software suite. According to Jaffe, “570 different electronic health systems certified by private organizations for non-hospital settings may be used to qualify for the” stimulus funds. The long-term consequences of the choice make the jam-shopping examples in Barry Schwartz’s book The Paradox of Choice seem quaint:

The systems can vary in appearance, content, organization and special features. Some can be customized by users in different ways, at no cost or some cost, or not at all. Some are compatible with other systems now, eventually or, some critics say, maybe never. . . . The costs of the systems remain daunting, despite the bonuses, particularly in areas that have been hit hard by an ailing economy.

The pricetag varies widely depending on the type and size of the medical practice, whether new computers are purchased and the extent of customization, among other things. Software alone can cost from $2,000 to $10,000 per doctor. All told, the cost jumps to about roughly $20,000 per doctor, according to a regional extension center consultant who advises physicians in northeast Ohio. On top of that, manufacturers charge hefty annual fees for technical support and periodic upgrades that together can amount to about 35 percent of the upfront costs. The systems are priced in a way that does not make comparison shopping “easy or necessarily valid,” said Dottie Howe, a spokeswoman for the Ohio regional extension center. There is no basic price because each company offers different components, features, options, and level of technical support. . . .

Most manufacturers will also charge the doctors to move the information in their current system to the new one. There could be extra [ongoing, monthly] charges to connect to other systems too.

Doctors have also been burned by sharp operators that emphasize slick salesmanship over solid service:

[T]he Southwest Family Physicians group is worried . . . They bought an electronic health record system five years ago that is now nearly obsolete. The manufacturer was taken over by another company that provides minimal technical support . . . “The salesman said ‘you’re buying a Cadillac, this is going to be the greatest thing,’ ” [one doctor] recalled. But that system can’t display an X-Ray image or send a prescription electronically to a pharmacy. “We’ve got the Model T Ford,” he said.

It does appear that regional extension centers are doing some work to keep pricing reasonable. Jaffe’s article focuses on Ohio, where five “preferred vendors” “agreed to charge prices ‘as good as or better than’ prices offered to other regional extension centers, to provide onsite assistance when a practice turns on its electronic health record system for the first time, offer technical support for at least six years, and limit annual cost increases for continuing technical support, among other things.” But consider the bizarrely proprietary nature of pricing data:

Whether the five preferred vendors offer a better deal than their non-preferred competitors is not known because the state regional extension center doesn’t have pricing information from non-preferred vendors, said Howe, the spokeswoman for the state’s regional extension center. Pricing from the preferred vendors are confidential, she said. And despite their preferred status, the five companies do not guarantee that eligible health care providers who purchase their systems will receive the government’s bonus payments.

I discussed the troubling degree of secrecy in health care before, and I’m very sad to see it persist here. The doctors in Jaffe’s story are making reasonable demands: to be able to understand the nature of the commitment they are making, to avoid big financial losses, and not to be burned by fly-by-night operators attracted only by the government subsidy money. They want to assure that the basic health care values of access, cost-control, and quality are reflected in the software they use.

We are seeing the opening stages of a battle between a medical sector committed to maintaining its own autonomy and traditions, and a tech sector that wants to commoditize health data in as standardized a form as futures markets homogenized corn grades, or credit scores tranched residential mortgage backed securities. Commenting on the demise of Google Health, an informatics expert said that “Google is unwilling, for perfectly good business reasons, to engage in block-by-block market solutions to health-care institutions one by one, and expecting patients to actually do data entry is not a scalable and workable solution.” To be sure, the company can’t expect to make the same profit margins in the health sector as it does in the online ad business. But the “instant millions” ethos of Silicon Valley doesn’t fit well with a sector where we are in principle committed to serving everyone, regardless of ability to pay.

Economist John Van Reenen has observed that the US has a particularly innovative economy in part because our markets are so good at crushing badly run firms. It’s probably good that garden equipment suppliers, toothpaste makers, and pie bakers know they can be out of business in a month or two if they’re “off their game” for a short time. But if I just entrusted three years of medical records to a vendor who suddenly went out of business, I’d take little comfort in the idea that a marginally better competitor had knocked it out of the market. The transition to a new vendor can be slow and costly—doctors in Jaffe’s story speak of seeing 1/3 to 1/2 less patients over weeks or months as they learn a new system.

At a Yale SOM Health Care conference in 2009, the Chief Medical Officer of a major player in the field once remarked to me that choosing an HIT vendor is “like a marriage—you don’t end the relationship lightly.” I first thought that remark was self-serving. But the more one examines the HIT field, the more important it appears to get standard recordkeeping, support capabilities, and interoperability right at the outset, rather than leaving doctors to negotiate the wreckage of several generations of battling systems. Think about how chaotic online music sales seemed before iTunes. Perhaps Apple (whose iPads are already beloved by many docs) is going to bring a swift and highly profitable order to this field, too. I hope the ONC and other decisionmakers will well-regulate whatever behemoth eventually emerges, vindicating the public values that competition and innovation are unlikely to promote.

Photo credits to  Aleksandar Šušnjar, Jakub Halun and loki11.

The Right to Life, Liberty… and the Internet?

This month, the United Nations (UN) Human Rights Council recognized access to the Internet as a human right. The report was written by UN Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, Frank La Rue, and it separately considers access to Internet content and access to the infrastructure required for Internet access. The report cites over 2 billion Internet users worldwide and notes that the Internet has becomes a key means through which individuals can exercise their right to freedom of opinion and expression. La Rue concludes that “there should be as little restriction as possible to the flow of information via the Internet, except in few, exceptional, and limited circumstances prescribed by international human rights law.”

The report seems motivated by recent episodes of political unrest such as the Arab Spring uprisings. La Rue states that the Internet is “one of the most powerful instruments of the 21st century for increasing transparency in the conduct of the powerful, access to information, and for facilitating active citizen participation in building democratic societies.” He notes that countries have been increasingly censoring online information through 1) arbitrary blocking or filtering of content, 2) criminalization of legitimate expression, 3) imposition of intermediary liability, 4) disconnecting users from Internet access, and 5) inadequate protection of the right to privacy and data protection. La Rue recognizes some legitimate reasons to restrict Internet access, like in the case of cyber- attacks, but focuses on how countries often abuse their power and infringe on the rights of their citizens:

In many instances, States restrict, control, manipulate and censor content disseminated via the Internet without any legal basis, or on the basis of broad and ambiguous laws, without justifying the purpose of such actions… Such actions are clearly incompatible with States’ obligations under international human rights law, and often create a broader “chilling effect” on the right to freedom of opinion and expression.

La Rue specifically notes his concern with the “three- strikes-law” in France and the UK’s Digital Economy Act of 2010. Both of these proposals are anti-piracy measures that would impose penalties against Internet users for illegal file sharing and violation of intellectual property rights. The end result could be suspension of Internet service if copyright infringers disregard warnings. La Rue considers that

Cutting off users from Internet access, regardless of the justification provided, including on the grounds of violating intellectual property rights law, to be disproportionate and thus a violation of article 19, paragraph 3, of the International Covenant on Civil and Political Rights.

Article 19 of the ICCPR concerns the right to freedom of expression.

The fundamental human rights doctrine, the Universal Declaration of Human Rights (UDHR), was penned in 1948 just after the end of WWII. In part based on Franklin Delano Roosevelt’s Four Freedoms, the document was largely a response to the atrocities seen in the war. Article 19 of the UDHR states that

“Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.”

The drafters left the definition of ‘media’ open in anticipation of new technologies, and the Internet and its extraordinary proliferation in recent years is the most relevant form of media in our time.

La Rue, however, does not just depend on this as a basis for his claim that removing Internet access is a deprivation of the basic human right of freedom of expression. He elaborates on how the Internet facilitates the realization of other human rights-

The right to freedom of opinion and expression is as much a fundamental right on its own accord as it is an “enabler” of other rights, including economic, social and cultural rights, such as the right to education and the right to take part in cultural life and to enjoy the benefits of scientific progress and its applications, as well as civil and political rights, such as the rights to freedom of association and assembly. Thus, by acting as a catalyst for individuals to exercise their right to freedom of opinion and expression, the Internet also facilitates the realization of a range of other human rights.

But even if Internet access constitutes a human right, many countries lack access to basic commodities such as electricity, let alone the necessary infrastructure and technologies to access the Internet. La Rue rests on the positive obligation of countries to work towards promoting or facilitating freedom of expression. He encourages countries to develop a “concrete and effective policy… to make the Internet widely available, accessible and affordable to all segments of population.”

La Rue’s report remains the first recommendation in a series of negotiations on how to adopt access to the Internet as a fundamental right. As La Rue concludes, “given that the Internet has become an indispensable tool for realizing a range of human rights, combating inequality, and accelerating development and human progress, ensuring universal access to the Internet should be a priority for all States.”

La Rue is right to understand the internet as a means to effectuate development. The implications for healthcare can, of course, be staggering. An internet connection is no substitute for bread or medicine but that connection  makes widely available medical techniques and public health information and makes “remoteness” a somewhat antiquated concept. If global health is to substantially  improve, internet access will ultimately be key.

Personal Health Records: Is Unraveling Inevitable?

I look forward to reconnecting with everyone who is attending the health law professors conference in Chicago.  My presentation will be applying some of the ideas of Scott Peppet (on self-quantification and unraveling) to personal health records.  I found these ideas from Peppet’s post on biometric identification particularly interesting:

The biometric technologies firm Hoyos (previously Global Rainmakers Inc.) recently announced plans to test massive deployment of iris scanners in Leon, Mexico, a city of over a million people. . . . [T]he company’s roll-out strategy is explicitly premised on the unraveling of privacy created by the negative inferences & stigma that will attach to those who choose not to participate. Criminals will automatically be scanned and entered into the database upon conviction. Jeff Carter, Chief Development Officer at Hoyos, expects law abiding citizens to participate as well, however. Some will do so for convenience, he says, and then he expects everyone to follow: “When you get masses of people opting-in, opting out does not help. Opting out actually puts more of a flag on you than just being part of the system. We believe everyone will opt-in.” (For the full interview, see Fast Company’s post on the project.)

I’ve previously looked at the limits of individualist accounts of autonomy in work on pharmaceuticals (here and here), and scholars like Robert Ahdieh are questioning individualism in law & economics generally.  As Nic Terry has argued, many of the critiques of CDHC apply to PHRs, and vice versa.

As of a few years ago, “it wasn’t illegal to hire and fire people based on their smoking habits” in 21 states. I think there will be many difficult questions raised in coming years by the growth of medical records of all types, and how many secondary uses of them are permitted.  For example, some dating sites will now verify the income and assets of their users.  How soon before they (and other certification and evaluation intermediaries) start vouching for health profiles?  Does law have a role in these situations?  I’ll try to explore these questions, and I’ll post more details about the presentation after getting some feedback.

The Normative Meets the Practical: Who Should Can Lead ACOs

One of the many $64,000 questions in the accountable care organization (ACO) debate has been who should lead these organizations.  In a policy adopted in November 2010, the American Medical Association (AMA) made clear its view that ACOs must be physician-led.  The American Hospital Association (AHA) refrained (at least in its public letter to CMS) from asserting its entitlement to the ACO helm, based, for example, on its management experience and pools of capital.  Instead, it simply urged CMS to “defer details of the organization, such as leadership and management structure, to each ACO.”

CMS seems to have heeded the AHA’s advice because its recently released proposed rule does not directly take on this normative debate.  (See Summary of CMS Proposed Rule on Accountable Care Organizations recently posted by Jordan T. Cohen for an overview of the proposed rule.)  While “ACO participants must have at least 75 percent control of the ACO’s governing body” to be eligible for participation in the Shared Savings Program (proposed Section 425.5(d)(8)), the definition of “ACO participant” in the proposed rule includes physicians and hospitals, among others (proposed Section 425.4).

Similarly, the proposed rule simply requires that the “ACO’s operations must be managed by an executive, officer, manager, or general partner whose appointment and removal are under the control of the organization’s governing body and whose leadership team has demonstrated the ability to influence or direct clinical practice to improve efficiency processes and outcomes” (proposed Section 425.5(9)(ii)). The proposed rule does not address who or what would make the best such leader.

The proposed rule, however, clearly preserves a role for physicians to form and lead ACOs. For example, it recognizes that ACOs may be comprised of professionals in group practice arrangements and networks of individual practices, independent of hospitals (proposed Section 425.5(b)).

In addition, “[c]linical management and oversight [of the ACO] must be managed by a full-time senior-level medical director . . . who is a board-certified physician . . .,” and “[a] physician-directed quality assurance and process improvement committee must oversee an ongoing action-oriented quality assurance and improvement program” (proposed Sections 425.5(9)(iii) and (iv)).

The proposed rule also builds in a preference for ACOs comprised of all physicians or physician groups with fewer than 10,000 assigned beneficiaries by proposing to exempt them from the 2 percent net savings threshold adjustment under the one-sided model (proposed Section 425.9(c)(4)(i)).  It also proposes to vary confidence intervals, which affect the minimum savings rate, by the size of the ACO in the one-sided model “to improve the opportunity for groups of solo and small practices to participate in the Shared Savings Program” (Preamble to proposed rule at Section II.F.10).

But on a practical level, the specifics of CMS’ proposal may — unintentionally, perhaps — give hospitals the greater chance to take the reins, at least initially.  An apparently leaked CMS internal discussion document reflects some level of concern that physicians may have a hard time taking the lead with ACOs.

The proposed rule’s regulatory impact analysis estimates that the average start-up investment and first year operating expenditures for an ACO in the Shared Savings Program will be $1,755,251.  In addition, the proposed rule uses a 6-months claims run-out (proposed Section 425.7(a)).  Presumably, that means ACOs — assuming they satisfy all program requirements — will not see a dime of shared savings for more than eighteen months.  CMS also proposes to withhold 25 percent of any earned shared savings accrued in a given year to ensure repayment of any losses to the Medicare program in subsequent years of the three-year ACO agreement (proposed Section 425.5(d)(6)(iii)).

Even if private physicians can amass the capital to make these upfront investments, there of course is no guarantee they will regain their outlays. A recent study published online by the New England Journal of Medicine, as reported by the American Medical Association, found that participants in CMS’ Physician Group Practice Demonstration did not recoup, at least in the initial years of the demonstration, all of the money they invested to establish ACOs.  As the AMA summarized:

Early adopters, for the most part, did not recoup their set-up costs in the first three years of operation.  The 10 integrated health systems that were studied spent an average of $1.7 million to take part in the demonstration project.  Eight received no shared savings payments in the first year of the project.  Six got a payment in the second year, and five received a bonus in the third year.

The Everett Clinic in Washington, for example, reportedly spent approximately $1 million on infrastructure for its ACO but recouped only $129,268 in shared savings during the first four years of the demonstration project.

According to a 2007 report from the National Center for Health Statistics (NCHS), in 2003-04, 80.6 percent of office-based medical practices in the United States consisted of one or two practitioners and 94.8 percent had five or fewer practitioners.  The risks associated with forming an ACO are considerable for these smaller practices to absorb, especially when, at best, the ACO will see 75 percent of its portion of any shared savings upwards of eighteen months down the road and could instead be responsible for its share of losses.  It is not clear how many small practices are willing and able to assume these risks without some substantial financial or management support.  Not surprisingly, the AMA’s statement on the proposed ACO rule specifically identifies “the large capital requirements to fund an ACO” as a significant barrier that must be addressed if physicians in all practice sizes and settings will be able to successfully lead and participate in ACOs.

Another aspect of the proposed rule that may present a particular challenge to independent physicians is proposed Section 425.11(b)’s requirement that “[a]t least 50 percent of an ACO’s primary care physicians must be meaningful [Electronic Health Records (EHR)] users, using certified EHR technology as defined in §495.4, in the [Health Information Technology for Economic and Clinical Health (HITECH)] Act and subsequent Medicare regulations by the start of the second performance year in order to continue participating in the Shared Savings Program.”

Physician practices indisputably have increased their use of EHR systems in recent years.  According to the National Ambulatory Medical Care Survey conducted by NCHS (reported here), only 17 percent of physicians in 2008 reported that they had a “basic” EHR system (which is defined as having electronic patient demographic information, patient problem lists, patient medication lists, clinical notes, orders for prescriptions, and laboratory and imaging results).  Recent NCHS data (reported here) show that that number has climbed nearly 50 percent to 24.9 percent of office-based physicians.

But basic use of EHRs is not sufficient under the proposed rule, which requires “meaningful use.”  Survey data from the Office of the National Coordinator for Health Information Technology, as reported here, show that only 41.1 percent of office-based physicians plan to apply for billions of federal dollars in EHR incentive payments that are available to Medicare and Medicaid providers under the HITECH Act, compared with 80.8 percent of acute care non-federal hospitals.  Additionally, as reported here, a recent survey from the Medical Group Management Association (MGMA) found that only 13.6 percent of medical practices that have adopted EHRs and plan to apply for the EHR Meaningful Use incentives currently are able to satisfy the fifteen core criteria necessary to establish that they are meaningful users.   Medical practices have a long row to hoe.

But the news is not all bad for physicians.  The MGMA survey also found something that suggests this issue is far from resolved on a theoretical or practical level.  As reported here, “almost 20 percent of responding independent medical practices that owned EHRs said that they had optimized their uses of EHRs” whereas “[o]nly 8.8 percent of responding hospitals — or [integrated delivery system (IDS)] — owned practices with EHRs said they had optimized their EHR use.”

Almost certainly, it is not just a coincidence that physicians are devoting their energy to becoming meaningful EHR users just as the first EHR Meaningful Use incentive payments are available. If CMS or private foundations develop additional incentive programs to help smaller practices cover the start-up costs associated with forming an ACO, the individual physician could still be in this game.  Notably, the AMA’s brief statement on the proposed ACO rule reiterates its recommendation to CMS to increase access to loans and grants for small practices as part of this puzzle.  It remains to be seen if any such programs are viable in this fiscal climate.

As promised, future posts will address the normative question of who should lead ACOs.

Doctors Wary of New Health IT

The Washington Post recently featured Lena Sun’s reporting on why many physicians are wary of adopting an electronic medical records system.  As noted in the piece,

Many are aware that beginning this year, health-care professionals who effectively use electronic records can each receive up to $44,000 over five years through Medicare or up to $63,750 over six years through Medicaid.  But to qualify, doctors must meet a host of strict criteria, including regularly using computerized records to log diagnoses and visits, ordering prescriptions and monitoring for drug interactions. And starting in 2015, those who aren’t digital risk having their Medicare reimbursements cut.

Deven McGraw, director of the health privacy project at the Center for Democracy & Technology, complains that, despite all these requirements, patient confidentiality concerns are being neglected:

But no federal regulations clearly require that doctors turn the data encryption on or prevent those who don’t do so from getting paid. . . . “This is a point of frustration,” said McGraw, who sits on an advisory group that sought unsuccessfully to prevent those who violate privacy regulations of the federal Health Insurance Portability and Accountability Act, or HIPAA, from getting incentive money.

Some older doctors may find it easier to retire than to get on board with new EMR systems.  We frequently hear complaints about Luddite doctors resisting technology that has long been adopted by other sectors.   But, as one commentator recently insisted, a doctor is not a bank.  To get a sense of how frustrated doctors can become because of the new health IT (and the legal contracts that accompany it), check out this parody website for the faux firm Extormity.  It announces a memorable experience for doctor clients/conscripts:

At the confluence of extortion and conformity lies Extormity, the electronic health records mega-corporation dedicated to offering highly proprietary, difficult to customize and prohibitively expensive healthcare IT solutions. Our flagship product, the Extormity EMR Software Suite, was recently voted “Most Complex” by readers of a leading healthcare industry publication.

I loved this description of a firm committed to maximizing the value of it’s intellectual property:

The Extormity EMR Software Suite is built on a proprietary software model renowned for its complexity. This proprietary platform and all of its components must be procured and implemented as a complete package we call the Extormity BundleTM (which describes both our comprehensive package and its associated cost).

Operating the Extormity Bundle requires a phalanx of servers, which of course need to be replicated for redundancy. Fortunately, Extormity acts as a value-added reseller of these servers, which we pre-load with operating software. This allows us to mark-up the cost of the servers and charge for server configuration. In addition, the server software carries with it steep annual license fees.

Let’s hope the ONC’s ongoing regulatory process can help reduce the risk of Extormity-style raw deals for doctors. Given the recent flap over the FDA’s effective imprimatur for an extreme drug price increase, no DC agency should set in motion a process that could lead to prohibitively expensive fees for an essential aspect of health care.

X-Posted: Health Law Prof Blog.

From Viral Marketing to Medical Profile Contagion

As ACA implementation lumbers ahead, and challenges to it slouch toward the Supremes, the U.S. health care system’s arbitrary old ways continue to mystify and frustrate. Consider this story on one person’s quest to obtain insurance:

Most employees assume that if they lose their job and the health coverage that comes along with it, they’ll be able to purchase insurance somewhere. . . .My husband, teenage daughter and I were all active and healthy, and I naïvely thought getting health insurance would be simple. . . .

Then the first letter arrived — denied. . . .What were these pre-existing conditions that put us into high-risk categories? For me, it was a corn on my toe for which my podiatrist had recommended an in-office procedure. My daughter was denied because she takes regular medication for a common teenage issue. My husband was denied because his ophthalmologist had identified a slow-growing cataract. Basically, if there is any possible procedure in your future, insurers will deny you. . . .

As I filled out more applications, I discovered a critical error in my strategy. The first question was “Have you ever been denied health insurance”? Now my answer was yes, giving the new companies reason to be wary of my application. I learned too late that the best tactic is to apply simultaneously to as many companies as possible, so that you don’t have to admit to a denial.

As was recently reported, “50 to 129 million (19 to 50 percent of) non-elderly Americans have some type of pre-existing health condition.” The “health care market” is sending a strong signal: don’t step out of the system if you have any continuing need for even minor care.

But what’s more worrisome are the types of information circulating about you that you aren’t even aware of. Consider this story from Businessweek about the profiling of insurance applicants by third-party intermediaries:

Most consumers and even many insurance agents are unaware that Humana, UnitedHealth Group , Aetna (AET), Blue Cross plans, and other insurance giants have ready access to applicants’ prescription histories. These online reports, available in seconds from a pair of little-known intermediary companies at a cost of only about $15 per search, typically include voluminous information going back five years on dosage, refills, and possible medical conditions. The reports also provide a numerical score predicting what a person may cost an insurer in the future. . . .

[A] 57-year-old safety consultant in the oil and gas industry, says he tried to explain that the medications weren’t for serious ailments. The blood-pressure prescription related to a minor problem his wife, Paula, had with swelling of her ankles. The antidepressant was prescribed to help her sleep—a common “off-label” treatment doctors advise for some menopausal women. But drugs for depression and other mental health conditions are often red flags to insurers. Despite his efforts to reassure Humana, the phone interview with the company representative “just went south,” Walter recounts. He and his wife remain uninsured [as of 2008].

Health-related data from a wild west of unregulated intermediaries may spread to employers and other decisionmakers, just as credit scores have migrated from the bank context to influencing insurance pricing, and credit histories now influence employers. Sharona Hoffman has observed that “It is not uncommon for employers to obtain applicants’ and employees’ medical records. According to one source, every year, over ten million authorizations for release of medical information are signed by workers prior to the commencement of employment.” She has predicted disturbing possibilities arising out of that access to data:

Existing laws, including the ADA, GINA, HIPAA, and their state counterparts, provide important assurances to applicants and employees but are insufficient to guarantee that they will suffer no ill consequences as a result of EHR disclosure to employers. Employees may be especially concerned in times of recession, knowing that financial pressures make workers with health problems particularly unattractive to employers. Employers or their hired experts may develop complex scoring algorithms based on EHRs to determine which individuals are likely to be high-risk and high-cost workers. In addition, in times of financial difficulty, limited resources may be available to implement technology and policies that will secure EHR confidentiality.

Secondary uses of health data could be a very lucrative niche for profilers of the future.

Given these possibilities, individuals should at least have the right to access and correct the health data that intermediaries have compiled about them. The FTC recognized this right, and “forced the [insurance] industry to begin disclosing the use of prescription information under . . . the Fair Credit Reporting Act. . . . Copies of prescription reports are supposed to be available to consumers at no charge under federal law.” This is a small step forward. But if the “scores” assessing individual risk are compiled according to proprietary algorithms, the consumer may still feel “in the dark,” unable to adequately influence the presentation of herself to the insurer.

As Esther Dyson has stated in another context, mysterious data flows can jeopardize individual autonomy:

The comforting thing about the kind of data that Facebook primarily deals with is that it’s public. If your friends and other people can see it, so can you.

More troubling is the data you don’t even know about – the kind of data about your online activities collected by ad networks and shared with advertisers and other marketers, and sometimes correlated with offline data from other vendors. By and large, that’s information you can’t see – what you clicked on, what you searched for, which pages you came from and went to – and neither can your friends, for the most part. But that information is sold and traded, manipulated with algorithms to classify you and to determine what ads you see, what e-mails you receive, and often what offers are made to you. Of course, some of that information could go astray.

Online advertisers already slice and dice population segments (and distribute opportunities & exposure to ads) via marketing discrimination. Will the “e-health revolution” bring their methods out of cyberspace, and into the deadly serious business of offering employment and insurance based on estimates of health status that applicants can’t understand or challenge?

Linnaean Regulation in Health Insurance and Information Technology, Part II

[Ed. note: This is the second part (perhaps evident from the title) of a two part post. Though each could well stand on its own, the first part can be found here.]

Insurance Reporting and Classification

Reporting requirements may not seem like a notable accomplishment. Nevertheless, the trend toward monitoring the products and services offered by insurance companies is an important step toward accountability. HHS needs to impose some order, some translatable logic, on fields that have threatened to become enormously parasitic and unproductive by or masking the true nature of their commitments.

Consider the practical illegibility of the average insurance plan. A vanishingly small number of subscribers actually read such plans. A plan may have complex cost-sharing requirements that vary among in-network and out-of-network primary care doctors, specialists, surgeons, hospitals, and procedures. While a “great risk shift” makes consumers all the more responsible for their choices in health care, it’s hard to imagine anyone accurately mapping the true fiscal consequences of given disease episodes in an aggressively complex plan.

By setting “a minimum level of health benefits, called the essential health benefits, that must be offered by certain health plans.” As Jessica Mantel explains, the term “‘essential health benefits package’ means coverage that not only provides for the essential health benefits defined by the secretary, but also limits cost-sharing for coverage of the essential health benefits in accordance with the parameters specified in the statute.” The Cancer Action Network has applauded the ACA for promoting “more standardization in the scope and value of private health insurance coverage available.”

Similarly, setting a “medical loss ratio” involves a careful delineation of insurer payments and functions that actually contribute to care. As Tim Jost explained in Health Affairs:

Medical loss ratios have long been of interest primarily to investors. An insurer that could achieve a low MLR by holding down expenditures on health care for its enrollees was a good investment. . . . On November 22, 2010, the Department of Health and Human Services released its interim final rule implementing the requirements of the new section 2718 of the Public Health Services Act (added by section 10101 of the Affordable Care Act), entitled, “Bringing Down the Cost of Health Care Coverage.” This provision is usually referred to as the “medical loss ratio” (or MLR) requirement . . .

Section 2718 requires health insurers (including grandfathered but not self-insured plans) to report to HHS each year, the percentage of their premium revenue that the insurer spends on 1) clinical services for enrollees, 2) “activities that improve health care quality,” and 3) all other non-claims costs, excluding federal and state taxes and licensing or regulatory fees. . . .

Jost describes in details how the classification works, and how it is designed to encourage more responsible insurer behavior.

Setting a Standard for Electronic Medical Records

Electronic health records systems will also need to develop shared data management standards. EMR vendors long argued that they needed flexibility to innovate in order to best reflect doctors’ practices and improve the capture of medical information. However, there is a tension between untrammeled innovation by vendors at any given time and later, predictable needs of patients, doctors, insurers, and hospitals to compare their records and to transport information from one filing system to another.

One system may be able to understand “C,” “cgh,” or “koff” as “cough,” and may well code it in any way it chooses. But to integrate and to port data, all systems need to be able to translate a symptom into a commonly recognized code. Health care providers can only avoid getting “locked into” a system if they can transport their records from one vendor to another. Patients want their providers to seamlessly integrate records.

HHS rulemaking has lain a groundwork for this type of common language of medical recordkeeping. As Sharona Hoffman and Andy Podgurski explain,

To address this problem, it is necessary for all vendors to support what we will call a “common exchange representation” (“CER”) for EHRs. A CER is an artificial language for representing the information in EHRs, which has well defined syntax and semantics and is capable of unambiguously representing the information in any EHR from a typical EHR system. EHRs using the CER should be readily transmittable between EHR systems of different vendors. The CER should make it easy for vendors of EHR systems to implement a mechanism for translating accurately and efficiently between the CER and the system’s internal EHR format.

There are also important opportunities for standardization in the security field:

As is true for a common exchange format, standardized security policies and mechanisms are unlikely to be adopted by vendors and providers without a regulatory mandate. In order to facilitate compliance and provide vendors with clear guidance, the regulatory mandate might incorporate, by explicit reference, some established and emerging security standards, such as the Internet Engineering Task Force’s Transport Layer Security (“TLS”) standard or its Public-Key Infrastructure (X.509) standard.

The discussion can quickly become technical, and it is difficult to explore all the ins and outs of the process. But the underlying purpose is clear: to develop some standard forms of interacting in a realm where “spontaneous order” is unlikely to arise and “network power” could lead to lock-in.

Of course, there are important differences between the EHR and health insurance landscapes. Symptoms refer to conditions that are, by and large, objective. (One can even imagine ubiquitous video cameras and sensors creating something like a complete patient record (or medical life log) for patients who consent to that type of monitoring.) Insurance contracts, by contrast, do not have the same “ontological firmness.” They must contemplate vague and open-ended spells of illness.

Nevertheless, a process similar to common exchange representation is now going on in the consumer affairs office of HHS. As the Office of Consumer Information and Insurance Oversight lays ground rules for ACA implementation, it must decide on some basic questions: what counts as insurance? What is a deductible? The ultimate goal is to require insurers to convey with far more precision what services they truly cover. The health insurance and health IT landscapes will only become governable when practices are nameable, classifiable, and comparable.

X-Posted: Concurring Opinions.

Linnaean Regulation in Health Insurance and Information Technology, Part I

I was recently listening to Health Affairs’s “Newsmaker Breakfast with Karen Pollitz.” She gave a fascinating presentation on the challenges she faces as she develops HealthCare.Gov as a portal for information about health insurance. As I noted a few years ago, health insurers can easily mislead consumers about the nature of their coverage, and disclosure charts can be very helpful.

But even disclosure charts run up against the slipperiness of language. Pollitz noted that for some plans, a “deductible” was not really a deductible; you could easily spend much more out-of-pocket on health care than the stated “deductible level” before coverage kicked in.

How can an individual make an informed choice when words lose their meaning in a tangle of qualifications and conditions? At what point does a deductible cease being a deductible? While this might seem like a relatively technical question of insurance regulation, it is reflects a more general information-gathering problem that will confront regulators in coming years. Scientists could only predict and control aspects of the natural world when they could be named and classified. Any successful regime of healthcare reform will depend, at a bare minimum, on a flexible yet standardized classification system that can map what health insurers are doing. Like Linnaeus patiently organizing a welter of living forms, regulators will need to taxonomize pullulating permutations of insurer practices.

The Rise of Health Care’s Middlemen

The United States leads the world in payments to private insurance providers. The industry has extraordinary power over access to health care. In 2010, long-standing dissatisfaction with the sector culminated in the Patient Protection and Affordable Care Act (ACA). Congress rejected changes like a public option in healthcare, in favor of a complex and reticulated statutory scheme to better regulate insurers. There have not been dramatic changes in the way that health insurance companies are run, and their stock prices tended to rise as reform became more certain.

The ACA has set in motion dozens of regulatory proceedings. The government also allocated $20 billion toward equipping all medical offices with electronic health records in the 2009 stimulus bill, the American Reinvestment and Recovery Act. Health regulators must now try to catch up with technologically advanced intermediaries in insurance and IT fields.

Immediately after the ACA passed, naysayers on both left and right complained that divisions like OCCIO were unprepared for their new regulatory roles. Perhaps the most compelling case for repealing the ACA is a belief that regulatory agencies will inevitably be captured, or overwhelmed with information from far far better funded attorneys and lobbyists representing insurance and IT firms.*

Nevertheless, the ACA has catalyzed one very important process: the development of an infrastructure of monitoring and reporting that will be necessary for any future informed regulation. It’s shocking to consider how inadequate past reviews were here. As of 1997, the “US Department of Labor had resources to review each employer-sponsored group health plan under its jurisdiction once every 300 years.” The Bush years did not significantly address that shortage. Moreover, “state insurance department staff levels declined 11% in 2007 while premium volume increased 12%.” The personnel simply haven’t been around.

Starting essentially from scratch, Pollitz and her fellow regulators are engaging in a painstaking rebuilding of the foundations necessary for substantial regulation. Having long neglected even to closely monitor the sharp practices of health insurers, federal regulators are now beginning new programs of surveillance.**

*The latter point does appear to be valid with respect to the public record now being compiled in dozens of rulemaking processes. In rule after rule, industry comments overwhelmingly dominate public interest or academic contributions. It’s sad to think that groups like Campaign for America’s Future, or labor unions, having spent so much time getting the ACA passed, are now ceding much of the regulatory field to insurers. On the other hand, given the Administration’s recent appointments, and recent McSurance waivers, who knows whether good comments would have an impact.

**For more on the importance of ongoing surveillance in complex business environments, see Larry Cata Backer on SarBox, and the last part of my earlier post on high finance.

Part II

X-Posted: Concurring Opinions.

Reform Rodeo

1. ProPublica details the incessant problem that medical schools face in preventing their faculty from accepting money in exchange for speaking on behalf of pharmaceutical companies. As previously noted on this blog, these conflicts of interests are in addition to those conflicts found in spinal surgery and cardiac stenting.

2. For the New England Journal of Medicine, Michael E. Porter introduces two recently published papers that explore the concept of value in health care.

3. The Commonwealth Fund provides a summary of a briefing on the ACA’s initiatives to reform primary care. A full video of the briefing (which was co-hosted with the Alliance for Health Reform), as well as a podcast of the audio, can be found here.

4. The Health Care Blog has a nice bulleted Year in Review for Health Information Technology (HIT), including topics such as the HITECH Act, E-prescribing, EHRs, and Health Information Exchanges.

5. The  New York Times discusses a new Medicare rule that will cover the costs of voluntary end-of-life treatment planning.

Can Suspicious Activity Reports Trigger Health Data Gathering?

In an article entitled “Monitoring America,” Dana Priest and William Arkin describe an extraordinary pattern of governmental surveillance. To be sure, in the wake of the attacks of 9/11, there are important reasons to increase the government’s ability to understand threats to order. However, the persistence, replicability, and searchability of the databases now being compiled for intelligence purposes raise very difficult questions about the use and abuse of profiles, particularly in cases where health data informs the classification of individuals as threats.

First, a little background. We traditionally think of law enforcement as needing some kind of probable cause to ground or justify the pursuit of an investigation. However, with the rise of the new Information Sharing Environment (often enacted by fusion centers, which provide one-stop shopping for access to data), a much broader set of law enforcement prerogatives is emerging. Fusion centers have promoted a domestic intelligence apparatus, which is designed not merely to solve crimes but also to generate a wide range of knowledge which could lead to the deterrence and detection of “all threats, all crimes, all hazards.”

The Department of Homeland Security has taken a number of innovative steps to deputize monitoring of individuals, asking personnel ranging from local law enforcement to cable repairmen to hotel cleaners to be on the alert for suspicious activity. Once such activity is detected, the detector can in some cases file a persistent Suspicious Activity Report. These SARs are entered into an FBI database, and quite possibly inform many other counterterror, intelligence, and even private sector initiatives. Arkin & Priest’s story gives a sample Suspicious Activity Report, and speculates about how its creation may affect the object of the profile:

The FBI is building a vast repository controlled by people who work in a top-secret vault on the fourth floor of the J. Edgar Hoover FBI Building in Washington. This one stores the profiles of tens of thousands of Americans and legal residents who are not accused of any crime. What they have done is appear to be acting suspiciously to a town sheriff, a traffic cop or even a neighbor.

[For an example of what might go in the database, consider] Suspicious Activity Report N03821 says a local law enforcement officer observed “a suspicious subject . . . taking photographs of the Orange County Sheriff Department Fire Boat and the Balboa Ferry with a cellular phone camera.” The confidential report, marked “For Official Use Only,” noted that the subject next made a phone call, walked to his car and returned five minutes later to take more pictures. He was then met by another person, both of whom stood and “observed the boat traffic in the harbor.” Next another adult with two small children joined them, and then they all boarded the ferry and crossed the channel.

All of this information was forwarded to the Los Angeles fusion center for further investigation after the local officer ran information about the vehicle and its owner through several crime databases and found nothing. Authorities would not say what happened to it from there, but there are several paths a suspicious activity report can take:

At the fusion center, an officer would decide to either dismiss the suspicious activity as harmless or forward the report to the nearest FBI terrorism unit for further investigation. At that unit, it would immediately be entered into the Guardian database, at which point one of three things could happen:

The FBI could collect more information, find no connection to terrorism and mark the file closed, though leaving it in the database. It could find a possible connection and turn it into a full-fledged case. Or, as most often happens, it could make no specific determination, which would mean that Suspicious Activity Report N03821 would sit in limbo for as long as five years, during which time many other pieces of information about the man photographing a boat on a Sunday morning could be added to his file[.]

[That data includes] employment, financial and residential histories; multiple phone numbers; audio files; video from the dashboard-mounted camera in the police cruiser at the harbor where he took pictures; and anything else in government or commercial databases “that adds value,” as the FBI agent in charge of the database described it. That could soon include biometric data, if it existed; the FBI is working on a way to attach such information to files. Meanwhile, the bureau will also soon have software that allows local agencies to map all suspicious incidents in their jurisdiction.

Given the expansive reservoirs of data already accessible to fusion centers, I would not be surprised if they took the position that health records “add value” to the data gathering. Civil libertarians can object to many types of data gathering, but for purposes of this post, I would like to focus on healthcare data. First, to what extent can a health condition itself give rise to a Suspicious Activity Report? Secondly, are there any concerted efforts to deputize medical personnel to report on suspicious activity? Finally, and I believe most importantly, how is the vast store of healthcare data presently associated with individuals utilized by the data mining programs of the surveillance state?

We daily learn of troubling data gathering practices online. For example, Arvind Narayanan has described rather indiscriminate data gathering by third parties:

The Facebook “like” button is a prominent . . . example[] of third-party tracking not directly related to behavioral advertising. . . . Facebook can keep track of all the pages you visit that incorporate the button, whether or not you click it. Did you know, for example, that the UK National Health Services website has the like button, among other trackers, on all their disease pages?

One need only visit the Wall Street Journal’s recent series on privacy to realize that all manner of health-related data can be generated about an individual with little to no restrictions imposed by HIPAA or effectively enforced by the FTC. To take one example, consider the scraping (copying) of data at a site called PatientsLikeMe:

At 1 a.m. on May 7, the website PatientsLikeMe.com noticed suspicious activity on its “Mood” discussion board. There, people exchange highly personal stories about their emotional disorders, ranging from bipolar disease to a desire to cut themselves. It was a break-in. A new member of the site, using sophisticated software, was “scraping,” or copying, every single message off PatientsLikeMe’s private online forums.

Who knows how many incidents like this go unreported each year? Finally, the government itself is keeping a record of prescription drug use, which apparently was used after the Virginia Tech shooting. Law enforcement exceptions to HIPAA (and, presumably, HITECH) may give an official imprimatur for similar activities even if they involve “covered entities.”

The clash of intelligence prerogatives and health privacy always raises difficult issues. For now, I would just like to make one claim about the need for the government to be forthright about whether it is collecting health care data while profiling citizens. Such data gathering should not be what David Pozen calls a “deep secret;” that is, citizens should not be “in the dark about the fact that they are being kept in the dark.” Rather, we need to understand whether this very personal and important data is being commandeered to fight an “enemy within.”

There are broader principles for fair disclosure of the workings of the surveillance state. First, people are all too eager to sign up for new health “apps” and affinity groups without having any sense of how these activities and affiliations can affect their future. There is still a lazy public/private distinction affecting far too much of consumer conduct; I hear so-called internet experts wondering why anyone would worry about data stored by a private company because “they’re not the government.” Arkin & Priest have consistently shown that the public/private distinction is evanescent at best, a confounding development in social affairs that leaves libertarians sounding like communists.

Julie Cohen’s recent article in Social Research observes that there is a much larger political economy of surveillance that has accelerated both data gathering and profiling:

Devaluation of privacy is bound up with our political economy and with our public discourse about information policy in important ways that have little or nothing to do with official conduct. . . . Flows of data are facilitated by corporate data brokers like ChoicePoint, Experian, and Axciom. To help companies (and governments) make the most of the information they purchase, an industry devoted to “data mining” and “behavioral advertising” has arisen; firms in this industry compete with one another to develop more profitable methods of sorting and classifying individual consumers.

In the United States, a number of federal agencies have awarded multimillion dollar contracts to corporate data brokers to supply them with personal information about both citizens and foreign nationals. Privacy restrictions that limit the extent to which the government can itself collect personal information generally do not apply to such purchases at all. The government has deployed secrecy to great effect where these initiatives are concerned, with the result that we still understand too little about many of them. Legal regimes purporting to guarantee official transparency are in fact indeterminate on how much openness to require.

These processes let important decisionmakers in both the private and public sectors exist behind a “one way mirror.” Even if full transparency would compromise data gathering, citizens must know whether certain critical information (including health data) is being commandeered by the domestic intelligence apparatus.

Patient Autonomy and Personal Health Records

I recently gave remarks as part of a panel at the roundtable “Personal Health Records: Understanding the Evolving Landscape,” sponsored by the Office of the National Coordinator for Health Information Technology (ONC). There were many interesting speakers, including some of the leading businesses in the PHR space and regulators from FTC, HHS, and the California state Office of Privacy Protection. The roundtable exposed the promise–and limits–of a personalized health record model. Databases may help both public health and patient care, but the many stakeholders in PHR’s may have very different views about how much control patients should have over the presentation of their medical selves in everyday life.

Discussions about health records can get forbiddingly abstract and technical, but a real-world dilemma can help concretize the problem. As Lisa Wangsness’s Boston Globe article shows, at least one individual feels “burned” by his effort to quickly port past data into a PHR:

When Dave deBronkart, a tech-savvy kidney cancer survivor, tried to transfer his medical records from Beth Israel Deaconess Medical Center to Google Health, a new free service that lets patients keep all their health records in one place and easily share them with new doctors, he was stunned at what he found. Google said his cancer had spread to either his brain or spine — a frightening diagnosis deBronkart had never gotten from his doctors — and listed an array of other conditions that he never had, as far as he knew, like chronic lung disease and aortic aneurysm. A warning announced his blood pressure medication required “immediate attention.” “I wondered, ‘What are they talking about?’ ” said deBronkart . . .[He] eventually discovered the problem: Some of the information in his Google Health record was drawn from billing records, which sometimes reflect imprecise information plugged into codes required by insurers.

According to one doctor consulted by the Globe, “an inaccurate diagnosis of gastrointestinal bleeding on a heart attack patient’s personal health record could stop an emergency room doctor from administering a life-saving drug.” For the critically or chronically ill, the record is literally a life-or-death matter.

Admittedly, the level of personal control an individual has over a PHR also offers a solution to this problem. If we follow the same model as credit reporting, patients should be able to review their reports without charge, and make corrections. The Markle Foundation has done a superb job highlighting the importance of accountable health technology. But, as the Center for Democracy and Technology argues, rulemaking on EHRs will need to build in a number of consumer safeguards to assure that other stakeholder interests do not trump patients’ interests.

The CDT recommends that HHS require “PHR providers to provide opportunities for consumers to amend, correct or annotate information in a PHR,” and “to have policies for handling disputes concerning information in the PHR.” CDT expands on the obligation in these paragraphs:

Many PHRs contain data from two categories of sources: copies of information obtained from members of the traditional health system (including health care providers, insurers, etc.) and data generated or acquired by consumers themselves, whether directly entered by them, or fed into the PHR by devices or
other sources that are not part of the traditional health care system (including data from a monitoring device that the consumer operates, from a commercial Web site, or from a consumerʼs own health-related observations).

Policies governing disputes about the validity of data should draw a distinction between these different categories of data. With respect to copies of data that users might not be permitted to change directly (including but not limited to data that originates with members of the traditional health system), users should be given a way to attach notes or complaints to the PHR disputing the validity of the data – and the note should remain appended to the data any time it is disclosed from the PHR. (This is similar to how the HIPAA Privacy Rule treats patient amendment of data in covered entity records.) PHR vendors also should consider mechanisms for communicating patient disputes about data back to the original source for consideration.

Even in a world where PHR’s are ubiquitous, there’s almost certainly going to be some “objective health record” in the medical system about any individual. (And, if key software engineers get their way, there will be a unique “personal health identifier” for everyone once health records systems are up and running.) So why should the integrity of PHRs matter to anyone other than the person recording them?

First, the more legible, portable, and useful PHRs are, the more they may displace other records of patient information. Emergency rooms may only have a chance to look at one HR–the one given to them by the patient they are treating.

Second, we can assume that as PHR’s become a bigger part of larger employers’ cost-control programs, they are going to want to make sure that “quantified selves” are accurately reporting their health efforts and achievements. Health reform has taken a “preventive turn,” and the ACA gives employers new latitude to reward and punish employees:

Although it prohibits insurers from charging higher premiums based on an individual’s health risks, it allows them to charge a smoker as much as 50 percent more than a nonsmoker. It also permits employers to increase rewards for participation in wellness and disease-prevention programs from 20 percent to 30 percent of the costs of insurance premiums.

To verify participation, an employer may want access to an employee’s PHR, particularly if it is much easier for its own computer systems to read and understand than the “objective health record” existing in the health care system itself. Yet the employer may also want to ensure that the PHR is populated by materials validated by third parties (such as doctors’ offices, fitness clubs, scales, or blood sugar monitors). Presently, this is not a major issue; as Nicolas Terry warns, “sharing or exchange of data between PHRs and providers or their EMRs is as speculative as it is controversial.” However, technological advances could promote PHRs with inputs from providers, apps, and even RFID chips. What happens if the employer tries to condition participation in a wellness program on an employee’s agreement not to try to change whatever is reported by those “trusted” third parties?

The CDT suggests some principles that should guide this situation as well. They recommend that:

Employers, health plans, and others should be explicitly prohibited from requiring individuals to open PHR accounts as a condition of employment, membership, or for any other reason. PHR accounts should also not be routinely opened for consumers who do not explicitly activate them, as this can expose personal data to uses not necessarily anticipated by the consumer. Similarly, consumers should not be compelled to disclose the information held within the PHR, or whether they are using a PHR, without due process of law.

I believe these “compulsion” points should go beyond the decision to open a PHR, to the more granular rights and responsibilities associated with the maintenance of one. However many times employers sing the praises of contract law, the truth remains that employees in this tight labor market have very little bargaining power. That’s one reason why Nicholas P. Terry’s recommendation of inalienable rights to control data in the PHR context was one of the most provocative and compelling comments at the roundtable.

I am not here advocating for complete autonomy of the patient over records in all contexts. As Sharona Hoffman has argued, in the realm of treatment, there are important rationales for prioritizing the independent medical judgment of professionals whose first obligation is to maintain health:

If patients are empowered to opt out of EHR use or to disallow treating physicians’ access to their records, they may lose much of the benefit of computerization. Many clinicians would continue to care for patients in ignorance of essential facts that could make the difference between appropriate and inappropriate treatment decisions. For example, it might seem at first blush that most physicians would not need access to a patient’s psychiatric records. However, a psychiatric diagnosis may help other specialists better understand the patient’s symptoms, and the patient’s complete drug list, including psychiatric drugs, is vital for purposes of safely prescribing additional medications.

Some commentators at the roundtable also offered creative solutions for the “sensitive health data” conundrum raised by Hoffman; for example, a patient could include an “envelope” in their EHR or PHR that would only be opened in case of emergency, or when authorized directly by the patient. Regardless of how one feels about this issue, outside the treatment context, it is critical for consumers to have reasonable opportunities to review, correct, and withhold their personal health records.

When all is said and done, people have to “buy in” to EHR for it to work effectively, and rational individuals are going to avoid any system where medical history can be as effective as credit history at denying them opportunities. One commentator at the roundtable said that her patients “didn’t care” about health data or security; they just wanted some quick and dirty method of digitizing their records. However compelling this perspective may seem for those “on the front lines,” the perils of “wikileaked world” should end any complacency about the use and misuse of computer records. We should avoid the temptation of letting cut-rate or subpar EHR and PHR systems develop, especially since they are likely to target the most vulnerable patients. Robust regulatory requirements can spark a race to the top for data privacy and security.

In the film Sleep Dealer, a laborer encounters a “memory recorder,” a computerized transcription machine that translates past experiences into video re-enactments. The machine occasionally blanks out as the laborer narrates his story, and its operator chides him to “be more truthful,” to hew closer to the actual truth of the matter. The film is ambiguous as to whether the machine, its operator, or the laborer himself have real access to what actually happened. In the treatment context, best practices may inevitably consign us to a messy, multi-stakeholder effort to set forth the “real truth” of a health record. However, the personal health record should be primarily a project of the person it describes, with no undue influence from the growing number of reputation raters and shapers with a pecuniary interest in particular representations of that person.

Online Health Data in Employers’ and Insurers’ Predictive Analytics

Did you know that buying generics instead of brands could hurt your credit? Or that a subscription to Hang Gliding Monthly could scare off life insurers? Or that certain employers’ access to electronic health records could lead them to classify you as “high-risk” or “high-cost”?

In all these cases, firms use “predictive analytics” to maximize profits. Consumers are the guinea pigs for these new “sciences” of the human. As Scott Peppet argues, it becomes more difficult to opt out of analytics systems as more people use them. What type of world are they leading us to?

Credit Analytics: Should Frugality be Punished?

One credit analytics company determined that buyers of cheap automotive oil were “much more likely to miss a credit-card payment” than those who paid for a brand-name oil. Spending on therapy sessions may also be a red flag. Appearing too frugal, too anxious, too spendthrift—all might lead to higher interest rates or lower credit limits. One R&D head at a credit analytics firm bragged that they consider over 300 characteristics to discover delinquency risk. He was not nearly as forthcoming about how the data is aggregated. Analyzing millions of transactions, the companies observe customers as a gardener might observe a rose garden: weeding out unpromising specimens, and giving a boost to incipient flourishers.

Many have complained about inaccuracy in these new forms of profiling, and consumers’ inability to review and correct digital dossiers collected about them. But let’s just assume that this profiling is correct, and choosing a generic really does correlate with increased credit risk. What’s the social value of this discovery? Maybe credit card companies can reduce rates infinitesimally (and increase profits) by burdening the generic buyers. But I’d be willing to bet that, for every few people whose generic purchases indicate financial trouble, there is another shopper who’s wisely frugal and increasing her chances of successfully repaying all her loans. It seems very odd to penalize the financially responsible merely because they happen to engage in an activity shared by the distressed.

The Dream of the Perfect Profile

Ahh, predictive analysts might reply, you just oversimplify our process. We would never reduce the credit line of someone who purchases generics if that person also, say, has a subscription to Travel and Leisure, or drives a Nexus, or gives over $1,000 a year to the Republican National Committee. They’re not desperate—they’re just careful shoppers. The more information we have, the more fair and accurate we can be. (I can only propose this response, since the industry is so careful about protecting its trade secrets. But this seems like a plausible counterargument.)

Just as free speech advocates often say that the answer to “bad speech” is more or “counter” speech, predictive analysts may argue that the cure for the mistreatment of any given individual is more information about the person’s true motives or opportunities. If privacy advocates are worried that certain surveillance practices will unfairly tarnish the reputation or profile of an individual, the answer is more, not less, information, on that person. The more comprehensive a picture that firms can develop of the individual, the better they are able to properly target resources.

Whatever the merits of this approach, it appears to me that it only applies to one dimension of the credit analytics example above. Rewarding “brand buyers,” in general, is not that likely to alter behavior in ways that could seriously undermine someone’s quality of life. But effectively punishing those who seek therapy or marriage counseling creates a different set of concerns, showing once again the ways in which health care decisionmaking needs to be distinct from the Procrustean forces of market pressures.

Stressed by Sickness in the Risk Society

A recent article by Sharona Hoffman illuminates some problems with pervasive use of health data in predictive analytics.

Employers may obtain and process EHRs [electronic health records] for a variety of reasons. Many require applicants who have received employment offers to provide authorizations for release of medical records in order to verify the individuals’ fitness for duty. At times, employers require records for purposes of workers’ compensation claims, reasonable accommodation requests by individuals with disabilities, or Family Medical Leave Act (FMLA) requests. Employers who are self-insured also process employees’ medical data in order to pay insurance claims.

EHRs will likely provide employers with unprecedented amounts of data. . . . Employers or their hired experts may develop complex scoring algorithms based on EHRs to determine which individuals are likely to be high-risk and high-cost workers. . . . Employers with access to EHRs containing a wealth of medical information may be sorely tempted to exclude certain individuals from the workforce because of concerns about the employees’ future productivity, absenteeism, or medical costs. To disguise unlawful conduct, employers may not act immediately to withdraw a job offer or terminate an employee, but rather, decide not to promote an individual with a disability or to select her for a layoff at a later time.

In other words, predictive analytics in health can lead to more “death spirals” for the sick: lost employment, lost insurance due to that lost employment, and future inability to find work due to poor health. Hoffman’s concerns about employers sidestepping relevant regulations were reflected in today’s WSJ article on insurance profiling, too:

[G]iant data-collection firms . . . sort details of online and offline purchases to help categorize people as runners or hikers, dieters or couch potatoes. They scoop up public records such as hunting permits, boat registrations and property transfers. They run surveys designed to coax people to describe their lifestyles and health conditions. Increasingly, some gather online information, including from social-networking sites.

For insurers and data-sellers alike, the new techniques could open up a regulatory can of worms. The information sold by marketing-database firms is lightly regulated. But using it in the life-insurance application process would “raise questions” about whether the data would be subject to the federal Fair Credit Reporting Act, says Rebecca Kuehn of the Federal Trade Commission’s division of privacy and identity protection. The law’s provisions kick in when “adverse action” is taken against a person, such as a decision to deny insurance or increase rates. The law requires that people be notified of any adverse action and be allowed to dispute the accuracy or completeness of data, according to the FTC. Deloitte and the life insurers stress the databases wouldn’t be used to make final decisions about applicants. Rather, the process would simply speed up applications from people who look like good risks.

Many aspects of FCRA have been rendered irrelevant by the all-importance of credit scoring—it’s hard to care too much about one’s ability to “correct” one’s credit report if the only thing that really matters is a score whose calculation only contingently depends on any given piece of information in the report. But I had not heard before Deloitte’s assurance that information would “simply speed up” applications, and not “be used to make final decisions.” Quite the creative lawyering behind that distinction.

Relating the Real and the Digital Body

Dan Solove has written extensively on the “digital person,” and perhaps we can see predictive health analytics as an effort to create a “digital body.” As the WSJ reports, we are reaching a point where online “data can reveal nearly as much about a person as a lab analysis of their bodily fluids.” The least we can ask is for the purveyors of data-driven decisionmaking to be much clearer about how they profile individuals. Moreover, in the case of employment, we should seriously consider expanding disability discrimination laws to prevent employers from stratifying employees based on health data. Profits are important, but they shouldn’t come at the expense of sick people who already have enough problems to contend with. As HHS implements PPACA’s promotion of “wellness programs” at workplaces, they should also try to avoid the “Orwellness” of data-driven health profiling.

X-Posted: Concurring Opinions.

Medicare, Hospitals, Serious Harm and Death

The Inspector General of the Department of Health and Human Services, Daniel R. Levinson, published an Op-ed in USA Today that is well worth considering.  The column, entitled “Medical mistakes plague Medicare patients,” speaks volumes. Levinson writes:

Today’s hospitals are modern-day marvels of healing, and we expect them to be models of patient safety as well. But a just-released report from my office shows that medical care is falling short for too many hospitalized Medicare patients. A decade after an Institute of Medicine study placed preventable medical errors among the leading causes of death in the United States, our latest study found that a disturbing number of hospitalized patients still endure harmful consequences from medical care, 44% of them preventable. These instances, which the report calls “adverse events,” include infections, surgical complications and medication errors

Such occurrences are not always preventable, particularly since many Medicare patients are elderly and have complicated health problems. But enough patient harm is avoidable to make a strong case for action. Hospitals must improve, but they need the help of lawmakers, medical professionals and patients to do so.

We’ve written about this issue before here on HRW (in the context of various calls for medical malpractice reform as part of health care reform and studies that show hospital staff neither washing their hands regularly nor utilizing the simple but effective surgical checklist). The Institute of Medicine study Inspector General Levinson referred to estimated 98,000 deaths per year. Last year I wrote:

Bloomberg reports that “The U.S. Institute of Medicine found a decade ago that medical errors kill 98,000 Americans a year” according to Les Weisbrod, president of the Washington-based trial lawyers’ group, the American Association of Justice.

According to Medical News Today, the medical error fatality figures above were supported by “Dr. Chunliu Zhan and Dr. Marlene R. Miller in a research study published in the Journal of the American Medical Association (JAMA) in October of 2003. The Zhan and Miller study supported the Institute of Medicine’s (IOM) 1999 report conclusion, which found that medical errors caused up to 98,000 deaths annually and should be considered a national epidemic.

A study by HealthGrades found more than twice that number in “potentially preventable deaths.”

And now this study. Look at the numbers; they aren’t pretty–and they cast some present doubt on the 98,000 number if one considers the rubric, “contributed to their deaths.” Levinson writes:

Errors prolonged hospital stays

This study began in response to a congressional mandate to determine the number of harmful medical events Medicare patients experienced, and the cost to taxpayers. My office arranged for physician reviewers to examine a random sample of 780 Medicare patients discharged from hospitals around the country during the month of October 2008.

Physicians determined that about one in seven patients (13.5%) experienced at least one serious instance of harm from medical care that prolonged their hospital stay, caused permanent harm, required life-sustaining intervention, or contributed to their deaths. Projected to the entire Medicare population, this rate means an estimated 134,000 hospitalized Medicare beneficiaries experienced harm from medical care in one month, with the event contributing to death for 1.5%, or approximately 15,000 patients.

That’s per month. Some quick math will give us the yearly death figure: 15,000 x 12 months = 180,000 per year. And that’s just Medicare patients.

The “seriously harmed” equals 1,608,000 per year. Again, just Medicare.

Levinson continues:

Strikingly, medication errors factored in more than half the patient fatalities in our sample, including use of the wrong drug, giving the wrong dosage, or inadequately treating known side effects. Such events were commonly caused by hospital staff diagnosing patients incorrectly or failing to closely monitor their conditions.

Less serious harm also occurred. An additional one in seven hospitalized Medicare patients experienced temporary problems, such as allergic reactions or injuries from falls. And many experienced multiple events, including an elderly heart patient who had six separate events during a single hospital stay. Obviously, this situation is unacceptable — and expensive, costing taxpayers more than $4 billion a year due to the need for additional treatment or longer hospitalizations (and even more if you add costs for follow-up care).

I’ve said it before and I’ll say it again. “Seemingly, one would define “defensive medicine” as that which a doctor [or hospital] does, which he or she would not do, if solely exercising his or her [or its] discretion without the fear of being sued. Therefore, might I suggest that “defensive medicine” is only excessive if the doctor’s [or hospital's] best estimation of the situation is correct.”

You can read the rest of Inspector General Levinson’s Op-ed here. He offers some direction– much needed direction.

Privacy Paradigms: From Consent to Reciprocal Transparency

Computational innovation may improve health care by creating stores of data vastly superior to those used by traditional medical research. But before patients and providers “buy in,” they need to know that medical privacy will be respected. We’re a long way from assuring that, but new ideas about the proper distribution and control of data might help build confidence in the system.

William Pewen’s post “Breach Notice: The Struggle for Medical Records Security Continues” is an excellent rundown of recent controversies in the field of electronic medical records (EMR) and health information technology (HIT). As he notes,

Many in Washington have the view that the Health Insurance Portability and Accountability Act (HIPAA) functions as a protective regulatory mechanism in medicine, yet its implementation actually opened the door to compromising the principle of research consent, and in fact codified the use of personal medical data in a wide range of business practices under the guise of permitted “health care operations.” Many patients are not presented with a HIPAA notice but instead are asked to sign a combined notice and waiver that adds consents for a variety of business activities designed to benefit the provider, not the patient. In this climate, patients have been outraged to receive solicitations for purchases ranging from drugs to burial plots, while at the same time receiving care which is too often uncoordinated and unsafe. It is no wonder that many Americans take a circumspect view of health IT.

Privacy law’s consent paradigm means that, generally speaking, data dissemination is not deemed an invasion of privacy if it is consented to. The consent paradigm requires individuals to decide whether or not, at any given time, they wish to protect their privacy. Some of the brightest minds in cyberlaw have focused on innovation designed to enable such self-protection. For instance, interdisciplinary research groups have proposed “personal data vaults” to manage the emanations of sensor networks. Jonathan Zittrain’s article on “privication” proposed that the same technologies used by copyrightholders to monitor or stop dissemination of works could be adopted by patients concerned about the unauthorized spread of health information.

If individuals had enough time to manage their personal data the way they manage their checkbooks and gardens, perhaps the consent paradigm would be a good foundation for addressing public concerns about privacy. If applicants could easily bargain with would-be employers over privacy, or patients with hospitals, perhaps we could rely on them to protect their interests. But actual occurrences of such acts of self-assertion and self-protection are rare. Given the frequently abstract benefits that privacy and reputational integrity afford, they are often traded away for competitive economic advantage. This process further erodes societal expectations of privacy.

A collective commitment to privacy is far more valuable than a private, transactional approach that all but guarantees a race to the bottom. If such a collective commitment does not materialize, record systems will only deserve trust if they become as transparent as the patients and research subjects they profile. Given corporate assertion of trade secrecy (and even privacy rights), reciprocal transparency will not be easy to achieve. Nevertheless, repeated breaches, fraud, and data meltdowns in the US should provoke an alliance of socially responsible researchers to lobby the US government to set minimal standards of reciprocal transparency and auditing. Consumers can only trust innovators if they can understand what is being done with data. As we become “transparent citizens” (as Joel Reidenberg puts it), we should demand that the corporate, university, and governmental authors of that trend reciprocate, and become more open about the data they gather.

Fortunately, as a recent presentation by Deborah Peel reminded me, there is significant audit authority built into the recent HITECH act which may curb some abuses. Audits will become increasingly important as a “wild west” of health data is excavated by scrapers, marketers, and other data miners.

Consider, for instance, the following scenario: contributors to the medical website PatientsLikeMe.com found that “Nielsen Co., [a] media-research firm . . . was ‘scraping,’ or copying, every single message off PatientsLikeMe’s private online forums.” Had the virtual break-in not been detected, health attributes connected to usernames (which, in turn, can often be linked to real identities) could have spread into numerous databases. A reciprocal transparency paradigm would require all those harboring health data to have some certified indication of its legitimate provenance. Data would not be allowed to persist without certification of its provenance.

Unforeseen spread of inaccurate or inappropriate health data is not just a problem for those who want to avoid getting solicitations for burial plots after a sensitive appointment. Given law enforcement exceptions to medical privacy laws and regulations, it should come as little surprise that the government claims that “a 2005 law authorizes it to monitor and record all prescription drug use by all citizens via so-called “Prescription Drug Monitoring Programs.” Such programs may just be the tip of an iceberg of new domestic intelligence programs that rely on private companies to act as “big brother’s little helpers.”

Whenever health data is fed into an evaluative profile of an individual, there should be safeguards in place to assure that the data is accurate, and that the resulting profile is, if at all possible, not used to harm or disadvantage the individual. Without assurances like these, we can count on continued resistance to the development of health data infrastructures.

Next Page »