Law in the Internet Society
Ready for review.

Establishing a Private, Workable Online Medical Database

-- By BrendanMulligan?

In its 1999 report, “To Err is Human: Building a Safer Health System”, the Institute of Medicine claimed that preventable medical errors cause as many as 98,000 deaths per year in the United States and upwards of $29 billion annually in lost income, lost production, disability, and additional health care costs. According to the report, decentralization and fragmentation of the health care system are major causes of these errors. Providers lack access to complete patient data at the point of care. Fewer than 2% of the nation's 5,000 non-VA hospitals have what could be considered a full-fledged system.

Proprietary Contribution to a Broken System

Vendors’ commercial systems are proprietary and designed to not talk to other vendors' systems. Further, the Healthcare Information and Management Systems Society (HIMSS), which is a powerful healthcare organization focused on fostering the optimal use of information technology (IT) and management systems for the betterment of healthcare, is ostensibly independent, but acts as a lobby for proprietary owners. HIMSS hosts the largest and most well-publicized health IT conferences in the country. They charge large sums of money to buy space at conferences and limit the electronic health record vendor association to companies which “design, develop and market their own proprietary electronic health record (EHR) software application.”

People are dying because we lack proper IT infrastructure. The government should take steps to catalyze conversion to a functioning EHR system by (1) incentivizing the use of VistA? public domain software to improve functionality and streamline formatting and (2) amending HIPAA to safeguard privacy.

Bungled EHR Policy Solutions

To promote the conversion to accessible EHRs, the government initiated two major changes via the stimulus package. First, it commissioned a study on the availability of open source health IT systems to be completed by Oct. 1, 2010. This includes comparing the total cost of ownership of open source to existing proprietary commercial products, ideally providing open source systems with the opportunity to demonstrate much superior value to price ratios. Second, the government earmarked $20B for doctors and hospitals that switch to "functional online databases". The provisions dictate that hospitals must only perform “one test of certified EHR technology's capacity to electronically exchange key clinical information.” See Table 2. This standard does not meet the hospitals' own bar for internal use of electronic systems.

Perplexingly, the government already developed the most well-used, cost-effective, and comprehensive health IT system, VistA, and did nothing to promote its use. The VistA? successfully integrates databases throughout the Veteran's Health Administration, the largest hospital system in the US. Its interface, and all updates (500–600 patches per year) are provided as public domain software and used by many private hospitals. The stimulus dollars might have incented hospitals to integrate onto VistA? —which has been established for as little as “1/10th the price” of proprietary software. Instead, perhaps to ward off well-rehearsed critiques of socialism, the government threw money into a proprietary black hole that promises lower standards than the government demands of itself.

Lost, Stolen, and Mislaid Private Health Information

A health database must also address concerns over medical privacy. Much of the debate surrounding health care information centers on safeguarding data from being “lost, stolen or mishandled.” See also, Robert A. Gerberry, Legal Ramifications of the Formation of Digital Hospitals, 14 Health Law 27, June, 2002. “Faced with stories of confidential medical records being accidentally posted on a web site, and being emailed to all members of a computer network, patients continue to fear the misuse of confidential medical information. Online providers need to protect against the electronic misappropriation of health information by complying with confidentiality laws that seek to protect patient information.” These concerns are legitimate. In a recent survey of IT professionals, “seventy percent said senior management does not view privacy and data security as a priority. Eighty percent of respondent organizations had experienced at least one incident of lost or stolen electronic health information in the past year.” Over the last few years, the personal health information of “hundreds of thousands of people” has been compromised because of security lapses at hospitals, insurance companies and government agencies.

The government responded to these concerns with changes to Health Insurance Portability and Accountability Act of 1996 (HIPAA). Any time private health information is “accessed, acquired, or disclosed” by or to an unauthorized person,” the Department of Health and Human must be notified. If the breach affects more than 500 residents of the same state, major media outlets must be notified. This will be enforced by penalties of $50,000 for actions of willful neglect, undefined, but presumably the failure to adopt safeguards required by law.

Problems of HIPAA-Acceptable Private Health Information Sharing

The above change may increase hospital vigilance in protecting medical privacy (e.g.), but it fails to stop the easiest breach of private health information. HIPAA permits patients’ personal health information to be shared among more than 600,000 organizations without patients’ consent. 45 C.F.R. § 164.506 states that with limited exceptions “a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section.” Health care operations are defined extremely broadly, including activities such as business planning, management and administration, the sale or transfer of a covered entity, fundraising, and data analysis for plan holders or other sponsors. There are almost no discernible restrictions.

This rule is indefensible even with paper files but increased, easy, and remote access to personal health data make it particularly dangerous. As we move towards integrated EHR system, this provision must be changed. Congress could start by revisiting the House’s 2004 STOHP Act, which makes consent the core of disclosure. In effect, the change would require individuals to give or withhold consent before their personal health information is used or disclosed before each routine purposes, instead of a one-time consent as in effect now.


You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" on the next line:

# * Set ALLOWTOPICVIEW = TWikiAdminGroup, BrendanMulligan

Note: TWiki has strict formatting rules. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of that line. If you wish to give access to any other users simply add them to the comma separated list

Navigation

Webs Webs

r5 - 25 Mar 2010 - 01:48:40 - BrendanMulligan
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM