Electronic health records

Small-scale breaches of patients' medical privacy are going unpunished because officials at the federal office for Civil Rights focus on voluntary compliance as the remedy, ProPublica's Charles Ornstein reports. Many people also cannot turn to their own lawsuits for redress. The Health Insurance Portability and Accountability Act doesn't allow for a private cause of action, and states vary on how much protection tort law provides for medical privacy.

Indiana courts have ruled that healthcare providers are liable for employees who snoop in medical records, but courts in Ohio, Minnesota and New York, as well as other states, have rejected those types of claims, Ornstein reports.

Small-scale breaches of medical privacy can cause the most harm, Ornstein reports. For example, an employee at a New Jersey hospital disclosed that an 11-year-old boy had attempted suicde. The revelation caused him to be bullied at his school, Ornstein reports. In another example, a dental assistant had a former friend post on Facebook that she had the STD human papillomavirus.

The Obama administration's Office of the National Coordinator for Health Information Technology has taken vendors of electronic health records "to task for making it costly and cumbersome to share patient information and frustrating a $30 billion push to use digital records to improve quality and cut costs," The Wall Street Journal's Melinda Beck reports.

For example, vendors are requiring customers to use proprietary platforms and making it too expensive to switch systems. Even though nearly 80 percent of doctors and 60 percent of hospitals have converted from paper files to EHRs, only 20 to 30 percent of providers are able to share records with other providers, Beck reports.

ONC could decertify EHR systems that block data-sharing, but the report says that would unduly penalize customers, Beck reports.

ProPublica's Charles Ornstein reports that federal regulators are rarely fining health care organizations for data breaches. There have been more than 1,140 large breaches affecting more than 41 million people in the last 5.5 years. But there have been fines levied just 22 times, even though the Health Information Technology for Economic and Clinical Health Act, known as the HITECH Act, has required healthcare providers to report breaches involving at least 500 patients since 2009.

Peter Suderman, writing on Reason's blog, piggybacks off the concerns that Dr. Jeffrey Singer made about the government mandate for electronic health records in the Wall Street Journal's op-ed section. Singer pointed to research that found that physicians think that electronic health records drive up healthcare costs because, among other reasons, of high implementation costs, which is particularly burdensome for small private practices. A bigger concern is that current health IT systems are not interoperable and don't operate across multiple provider networks, Suderman also notes.

According to a report in iHealthBeat, the Food and Drug Administration is going to expand a pilot that is using electronic health records, as well as claims data, to monitor the safety of medical devices the agency regulates: "Specifically, FDA said the [Mini-Sentinel] system can examine: More than 350 million person years of observation; Four billion pharmaceutical dispensings; and 4.1 billion patient meetings." Now, the pilot is being rolled out on a full scale.

Ruth Reader, writing for VentureBeat, reports that, in 2014, healthcare providers made up nearly one-third of all data breaches: "Hot medical identities can sell for as little as $50, according to a report issued earlier this year by the FBI. With more and more hospitals moving to electronic health records and healthcare breaches on the rise, its hard to see how this problem won’t become more widespread in the coming year." Reader also points out that, unlike for financial breaches, it is much harder to prove that a consumer didn't receive medical services on their records.

U.S. Senators Michael Bennett and Orrin Hatch are circulating a draft bill to exempt some electronic health records, including medical charts and health histories, from the FDA's oversight, Reuters' Christina Farr reported last week. Medical technology that is classified as posing a low risk to patient safety would be exempt from FDA regulation. Bradley Merrill Thompson, an FDA-specialist with the Washington D.C.-based legal firm Epstein Becker & Green, told Reuters the bill would have unintended consequences.

According to Medscape Medical News' Ken Terry, several experts says that electronic health records need to be verified before being admitted into evidence. Terry, reporting on a law review article in Ave Maria Law Review, writes that "the central contention of the authors, Barbara Drury, Reed Gelzer, MD, MPH, and Patricia Trites, MPA, is that EHRs are designed to maximize payments to providers and therefore do not necessarily reflect the care that was actually provided to patients." Without verification, electronic health records are hearsay, the authors said. One takeaway is that there should be an audit function in all EHRs and healthcare providers shouldn't be able to turn that function off or erase audit logs.

The New York Times' Julie Creswell reports on how doctors are finding barriers to sharing electronic health records because computer programs made by different companies don't share records with each other: "Doctors and hospital executives across the country say they are distressed that the expensive electronic health record systems they installed in the hopes of reducing costs and improving the coordination of patient care — a major goal of the Affordable Care Act — simply do not share information with competing systems." Doctors who are getting federal funds in support of their electronic health records must show that they can share patient data or face cuts in their Medicare reimbursements, Creswell further reports. 

One of those companies is Epic Systems, which charges a fee to send data to some non-Epic systems, Creswell notes. Epic's founder, in a rare interview, "offered muted criticism of regulators for, essentially, failing to create what she did — a contract to help providers connect to one another and a way to authenticate that only the correct person could view the patient information." Regulators are in the process of developing a standard to make health information technology interoperable.