CHAPTER 8

Right Time, Right Place

Improving Quality at the Point of Treatment

This chapter is about health information exchanges (HIEs) and the intention of the Office of the National Coordinator for Health Information Technology (ONC)’s to create a network of HIEs that would allow an individual’s information to be shared and accessible by providers across the country. The right treatment at the right time wherever the patient happens to be is expected as part of high-quality healthcare. No matter where the patient is receiving care, it is important that all the information that is important to her care is available to the treating clinicians when they are providing care. The right place may be another doctor or the ER of a hospital. Requesting and receiving the information electronically is possible with digital electronic health records (EHRs). However, as seen in Chapter 2, interoperability of healthcare systems is still a barrier to easy exchange of healthcare data.

Since the passing of the HITECH Act in 2010, the broad adoption of health information technology (HIT) is generating vast amounts of clinical data that present an enormous potential for improving the quality of healthcare. Yet these data are vastly underutilized. At the same time, the availability of new, consumer-grade health and wellness-related technologies has exploded. Equipped with smartphones and the choice of millions of healthcare apps, consumers are now able to assess their health and wellness, such as counting their steps completed in a day, measuring their heart rate, or diagnosing an ear infection with an attached device. The result is a plethora of data.

Healthcare is fast becoming a hyperdata world. But the average consumer and provider don’t merge all of the available data that are generated to present an overall synopsis of health and fitness. On the contrary, each source of consumer-generated nonmedical data must be looked at separately, used as feedback, and stored electronically to provide data points for simple charts and graphs. This silo type of data is useful on a daily basis, but without integration with other health factors, the information lacks richness in terms of correlations with other activities, nutrition, and medicines.

Hyperdata is a driver in healthcare consumer’s behavior, as seen in the study of people who had data on their activity in Chapter 5. But what good is it unless it is being used? EHRs might partially hold the answer even though most do not contain patient generated data. EHRs are the key to providing the ability to share health information among health professionals. Although EHR adoption has improved quickly with the HITECH Act, electronic HIE, promoted through HITECH, was intended to improve patient access to their own health information, allow public health surveillance with multiple sources of clinical data, research, and population health management.

The main benefits for exchanging health data are:

• All the information about a patient is available to providers when they need it and where they need it, regardless of the originating source.

• Aggregated data that are properly de-identified contributes to population health.

The major obstacles to exchanging health information include:

• Interoperability

• Privacy and security

• Ownership of the data

Although EHR adoption improved after the HITECH Act, it became readily apparent that implementing an EHR did not equal sharing these records with other healthcare professionals. The fact that EHRs were not developed with inherent interoperability, as seen in Chapter 2, has made EHRs islands to themselves. Sending information between them is difficult because there is no landing dock at either island. Each EHR has a different boat that requires its own special dock or it cannot land at another EHR’s dock. The dock is data’s entryway into another physician or hospital’s EHR. So far, there is no universal dock for all EHRs. This makes it costly to connect and share data with another health professional.

Two issues prevent the flow of information between providers—lack of interoperability and data blocking. The public good benefits with data exchange, but healthcare organizations see information exchange with a competitor as a threat that the competitor will take their consumers. This threat is considered a reason not to participate in exchanging data, and some critics accuse providers and software vendors of practicing information blocking and greed. Whatever the reason, the lack of shared data has the ability to seriously reduce the national efforts to improve the quality of care. With $28 billion invested in EHRs that are limited in their ability to send and receive patient information, it would be a huge setback in advancing the healthcare system if no universal solution is provided. It is in the hands of the ONC and federal government to make data exchange happen.

Health Information Exchange—Is There Enough Exchange?

The term HIE is new from the HITECH Act, but the concept of exchanging health information has been around for decades. One of the nation’s first regional attempts to share data locally was the Santa Barbara Care Data Exchange³ (SBCDE). Funded by the California Healthcare Foundation (CHCF), the organization brought together public and private health organizations in Santa Barbara County and built the exchange’s custom software for the stakeholders—physicians, hospitals, and laboratories. Some of the hurdles that SBCDE encountered are still present today—data security and integrity, interoperability, data sensitivity, incremental approach, and a long-term sustainable business model. The exchange was in existence for nine years and closed at the end of 2009. The key lesson learned from the project: Take an incremental approach toward delivering the clinical information most needed. Stakeholder buy-in is not achieved through a theoretical construct, but through value delivered. Despite its closure, it helped focus attention on the value of health information exchange, which led to the federal government’s plans to establish regional health information organizations (RHIOs) across the United States.

Since then, there have been Community Health Information Networks (CHINs), Regional Health Information Organizations (RHIOs), Health Information Exchange Organizations (HIOs),⁴ and State HIE Cooperative Agreement Programs. CHINs and RHIOs, like SBCDE, were local and regional, and came together where stakeholders (e.g., payers, hospitals, physicians, and government) wanted to pursue information sharing.

Adoption of EHRs by hospitals and office-based physicians provides the foundation for sharing health information, but alone it is not sufficient. In addition to adoption, there has to be a critical mass of providers within a community who want to share patient data. When office-based physicians and clinics send referrals to specialists, they need information back from the referrals and hospitals on any diagnosis made and treatments received by the patient in order to provide follow-up care. Too often, primary care physicians don’t even know that their patient was in a hospital or ER until the patient contacts him for follow-up care. Some patients may not contact their doctor for follow-up because of cost, inconvenience, or other reasons. In these cases, the patient’s doctor cannot reach out to the patient because he was unaware that another doctor treated the patient. That results in overall poorer quality of care.

In a survey of 106 operational HIEs,⁵ 89 percent exchanged patient care summary records, 78 percent discharge summaries, and 67 percent ambulatory clinical summaries. For individual data types, test results (88.7 percent) were the most exchanged followed by admission-discharge-transfer (ADT) alerts and 68 percent sent problems lists.

There are two technical models for exchanging health information. The query model is the most common, and requires users to search for data on a specific patient. The provider can conduct the search at the time the information is needed and receive the search results immediately. The second most common model is the push approach. Pushing the data is when unidirectional electronic messages are sent to one of two places—directly into an EHR or to an inbox outside of an EHR. Most existing HIEs use a master patient index, offer consent management, and have a clinical data repository and health professional directory.

Meaningful Use and Health Information Exchange

HIEs have the ability to assist healthcare professionals in meeting the meaningful use criteria of Stage 2. However, only 9.4 percent of the 106 operational HIEs supported all eight core Stage 2 measures according to the 2015 annual report on Health Information Technology.⁶ Providers who wanted to use their HIE to submit Stage 2 required measures would likely not to have found that as an option.

HIE support for meaningful use

Source: Adapted from Health Information Technology in the United States, (2015): Transition to a Post-HITECH World.

Implementation Assessment of State HIEs

An assessment of six state HIEs completed in June 2015 by NORC at the University of Chicago found the following:

• Providers like the idea that HIEs improve care delivery and coordination by providing doctors with information at the point of care. Providers’ exchange priorities are ADT alerts, services that facilitate care coordination, and interstate exchange.

• Providers expect that the new requirement for HIE services will grow due to meaningful use incentives and payment reform. They will look to vendors to supply HIE services and infrastructure.

• Providers noted a need for interoperable systems to meet exchange and health system reform goals.

• Provider challenges include competing priorities, lack of qualified provider staff, managing multiple funding sources, and inadequate support from EHR and HIE vendors.

• State HIEs contributed to building awareness and the benefits of exchanging information. Providers felt that HIEs have an important role as a neutral entity to convene stakeholders. The HIEs also engaged long-term care and behavioral health providers, even though there were no incentives for these providers.

Consumer as the HIE

Ideally, the individual possesses all their own health information, including current and historical data, and can freely and thoughtfully give that data to whomever he chooses and using agreements to satisfy his desired privacy for non-Health Insurance Portability and Accountability Act (HIPAA) covered parties. As long as each provider can view and update the record immediately, and lab results and images are stored or linked to the personal record, the patient will always have an up-to-date copy of his health record. This personal health record would be readable by any health provider and emergency personnel. It’s preferable that the record is portable, so that access to the Internet is not required. A ubiquitous identification card, such as a driver’s license, would allow each person to store the most pertinent information on an embedded chip or mag stripe that can be read by providers. Nonessential emergency information could be stored in the cloud, and data generated from the patient’s personal devices would have the option of being included on the license. A patient’s primary care doctor would decide what personal device data should be included for emergency care.

The key to the example mentioned is that the patient holds all her data. Privacy is intact because the patient does not need to give permission, since she is performing the role of HIEs. Interoperability does not interfere with data sharing, because EHR systems are not involved. If hospitals and doctors want to upload the recent pertinent emergency patient information to their EHRs, their EHR need only support the interface from the standard chip format.

We are not there yet. Some of the challenges will be to determine the data that should be included, a standard format to download data from different sources, what is required to read the information by a provider, and securing the data. This is a futuristic scenario, but a simple version like this may work adequately for many consumers.

Many organizations are working to getting closer to this future vision. The Consumer Partnership for eHealth’s “Vision for Ensuring that Health Information Technology Enables and Promotes Patient-Centered Healthcare” states that widespread consumer engagement and empowerment would be a direct result of technology being used in ways that really matter to consumers, such as:

• Anytime, anywhere access to health information, including diagnoses, medication lists, lab test results, and immunization records.

• Immediate and convenient connections with the clinical care team.

• Online appointment scheduling.

• Access to information, such as after-visit summaries, care plans, and supporting information, which helps prepare for encounters with clinicians and later recall key information.

• Online prescription refills and access to electronic prescription information, such as dosing, frequency, side effects, benefits of adherence, drug to drug interaction, and cost comparisons.

• Access to detailed procedure information regarding what to expect, how to help ensure safety, and potential long- and short-term impact and outcomes.

• Customized, evidence-based decision support that considers the particular needs and preferences of the patient.

When the consumer can access her information and save it in a secure personal data space, she has the ability to control its dissemination without relying on providers. An alternative route for the consumer is to securely send the data to the providers she chooses from a provider’s system. The ultimate goal is that the consumer is her own HIE and can join public or private HIEs by contributing her data from other systems.

HIE Survivability and Sustainability

One of the biggest challenges to HIEs is the financial sustainability of their organizations, HIOs, and state programs. While the ACA funded the start-ups of these entities as well as the continuation of others, it was the responsibility of each organization to put in place a framework for long-term sustainability. Given the startup issues⁷ of an HIE organization, including the ability to hire/retain staff, lack of agreement on what HIE includes, stakeholder concerns of privacy and confidentiality, governance, competition, stakeholder concerns about competitive position, accurately linking patient data/patient matching, and managing complexity of consent models, it is not a surprise that only 46 percent of the operational HIE organizations were able to cover operating costs with revenue from participants.

The stakeholders most commonly reported⁸ as paying to participate in 106 national operational HIE efforts were:

• Private medical/surgical acute care hospital—58 percent

• Independent physician practice—55 percent

• Hospital-owned or health system-owned physician practice—52 percent

• Publicly owned hospital—42 percent

The least common stakeholders were:

• Independent pharmacy—7 percent

• Vendor—6 percent

• Employer—3 percent

• Consumer—1 percent

Operational HIE organizations whose participants covered 100 percent of operating costs reported an average of 2.6 years from the time they began exchanging information to achieving financial sustainability.

The following story illustrates the difficulty that new HIEs that organized with funding from HITECH faced. The Hawai‘i Beacon⁹ project engaged in multiple initiatives to improve healthcare delivery on the rural island of Hawai‘i.

Broad-based HIE was the intent of the HITECH Act and the development of the State HIE Cooperative Agreement Program. The goal was that HIE would enable patient information to follow the patient from provider to provider and across various care settings. With the end of this funding, sustainability of HIE entities is a big question.

Almost Health Information Exchange

There are two types of HIEs that are growing that compete with state- and community-level HIEs.

1. EHR vendors offering to connect customers who are on the same vendor platform.

2. A specific set of healthcare delivery organizations who partner and share information (enterprise HIE).

Both of these are more aptly called intranetwork data sharing; they aren’t true HIEs because neither shares data outside of their defined enterprise or with another vendor. These vendors and enterprise partnerships want to keep patients and consumers in their private worlds. Is it ethical to withhold a patient’s health information because she wants to go to a doctor who has a different EHR? What if the patient wants a provider outside the enterprise partnership? The patient doesn’t care about the interest of the vendor or the enterprise partnership, she just wants to go the provider of her choice. Trapping providers and their patients by bribing them with the ability to have HIE is wrong, and hampers the efforts of state and local HIE organizations to connect and flow patient data across vendors and organizations that do not have the same business interest. Unfortunately, this practice¹⁰ is becoming increasingly common. This kind of poor behavior should not be allowed, since it does not serve the interest of the patient in the transition to a patient-centered health system.

Privacy

All data collected and stored electronically by providers, including EHRs, are covered by the privacy rule of the HIPAA. Individually identifiable health information, referred to as personal health information (PHI), held by covered entities and their business associates is protected by HIPAA. The rule permits the disclosure of health information needed for patient care and other important purposes without necessarily obtaining patient permission first. An important point is that HIPAA gives patients the right to access and receive copies of their health data.

Among one of the perhaps lesser-known changes to HIPAA is that providers must send a patient’s medical record to a patient’s e-mail address if asked. The provider is allowed to warn them of the privacy risks and have them sign a form. However, they are not allowed to deny the patient’s request. A patient access HIPAA violation can be a serious offense: One of the largest fines ever for a HIPAA violation, $4.3 million, was levied against Cignet¹¹ for not providing patients access to their own data.

Many people think digital records are less secure, but the reality is the opposite. The digitization of health records and other health information has allowed data to be more secure. Paper records can be locked up, but they can also be faxed to a wrong number, or copies may be left unshredded in a trash bin, or left in a taxi. Data breaches do happen, of course, but these breaches aren’t just with health data. Notably, some of the largest cyberattacks were on eBay, Heartland Payment Systems (one of the largest payment processing companies), T.J. Maxx, Anthem, and Sony.

Sharing Involves Risk

Sharing data and personal information is inherently risky. You don’t know if the person or company you gave the information to will give it to someone else and if that person will pass it on to another person or company. If that data is the type of car you own, you might not care. If that data also include your address and phone number, your eyebrows may rise but it’s not a big worry. If that data also included your social security number or bank account number, you would be picking up the phone and calling someone to find out what’s going on.

But look at Facebook, where millions of members share some very private information about their lives and personal details, including illnesses, every day. What’s the difference? The Facebook users make a conscious¹² choice to share their own personal information.

Choice Is the Right Choice

Consumers want to control their health information. In a survey¹³ of California residents, 70 percent agreed that an individual’s right to control their health information trumps the potential benefits of medical research. Consumers want to choose where their electronic health data goes and they want to know how the data are going to be used. Consumers need to feel safe that their health data are secure and privacy is intact.

De-identification of data is the default method of making patient records anonymous. However, with the many nonhealth sources available, re-identification can be done more easily than once believed. Re-identification could happen if enough of the consumer-generated data are merged into a database with other large data sources. A highly publicized example of this was a contest that Netflix held to improve the predictability of their software to make movie recommendations. A pair of researchers at the University of Texas showed that the supposedly anonymized data released for the contest, which included movie recommendations and choices made by hundreds of thousands of customers, could in fact be used to identify them. But the big public data sets also carry the potential to inadvertently reveal a person’s identity, even without a name attached. Data about online personal behavior can increasingly be sifted, correlated, and analyzed for patterns that often point to an individual.

Consumers want to control their data, but they must realize that once they have possession, keeping the data secure and out of unwanted hands is their responsibility. For instance, data from a covered entity (provider or payer) is governed by HIPAA. When a patient releases the same information on Facebook or other social media or stores it in a smartphone health/fitness app, it is no longer under HIPAA’s rules. The consumer is subject to the privacy policies of each company.

Such privacy policies have a reputation of being hard to find, harder to understand, and worse—nonexistent. Why is this bad? Because consumers need to trust the companies who track, store, use, and distribute their data. But consumers also need to be aware that there is no free lunch when it comes to using apps or website that collect their personal data and feeds it back to them. Everyone should know that the use of a mobile app or website is either paid for by advertisements or by allowing the company to use the data for their own purposes. That’s where reading and understanding the privacy policies for these “free” tools is important. If the policy says that the data collected and used for marketing purposes AND is de-identified, that policy may not guarantee your identity and data are completely anonymous.

Would a customer ever want to release their data? Yes—it is their choice. They are more likely to say yes when it benefits them. Those situations might be:

• An app on your Apple watch can integrate data from your EHR to tell your cholesterol level, blood pressure, and sugar levels in real time. In order to do that, you need to release data from your EHR to the app company.

• Donating your personal data for research that aggregates it to find a cure or a treatment in the future for a disease that adds years to your life or improves the quality of life for you or a family member.

• Sharing data that could be analyzed to predict health issues before they occur, or identify treatments that would benefit you by lengthening your life or preventing the worse effects of disease.

The right way to respect privacy is to allow the customer to control his information, assess the potential risk of releasing it, and be part of a system that easily allows the customer to choose the recipient and easily approve sharing of their information.

These challenges are new to healthcare, but fortunately, there is much experience in other industries.

References

Health Information Privacy. n.d. “Civil Money Penalty: Cignet Health Fined a $4.3M Civil Money Penalty for HIPAA Privacy Rule Violations.” http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/cignet-health/ www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cignetcmp.html

Health Information Technology in the United States. 2015, September 18, 2015, “Transition to a Post-HITECH World, ” Mathematica Policy Research and Harvard School of Public Health. Robert Wood Johnson Foundation.

¹ ONC reported in May 2016 that 96 percent of non-federal acute care hospitals had adopted at least a Basic EHR at the end of 2015. http://www.healthcareitnews.com/news/ehrs-now-nearly-ubiquitous-hospitals-oncannual-meeting-gets-under-way

² Health Information Technology in the United States (2015).

³ The author worked with the SBCDE in 2004.

⁴ Organizations that exchange health information identify themselves as HIOs partly because some health insurance exchanges use the acronym HIE, which causes confusion.

⁵ Milstein, Gilbert, and Jha (2015).

⁶ Health Information Technology in the United States (2015).

⁷ Health Information Technology in the United States (2015).

⁸ Health Information Technology in the United States (2015).

⁹ The Beacon Communities Cooperative program included 17 regionally based communities that received funding to ensure the representation of a diverse population, unique health professional characteristics and innovative approaches to the use of technology. Collectively, they represented an extremely diverse opulation as demonstrated by high variability in the racial and ethnic mix of their residents as well as socioeconomic circumstances.

¹⁰ Vendors who implement ONC’s three core commitments described in chapter 2 would end this practice.

¹¹ “Health Information Privacy” (n.d.).

¹² The default is to share with friends. The user can change the setting to public or private.

¹³ Journal of the American Medical Informatics Association, Health IT Security reports (Snell, Health IT Security, 4/1/2015).