A Measured Approach to De-Identified Patient Data

The first part of this series appeared on July 29.

Benefits of De-Identified Patient Data
For decades, de-identified patient data has been used to support clinical research.

As mentioned previously, the VA intends to extract de-identified patient data from its EHR to improve our understanding of care processes for cancer and PTSD. The research might show that certain treatment plans are more effective in certain patient subpopulations like the elderly or females, or that some approaches are more cost-effective than others.

Similarly, scientists in fields such as diabetes, cardiovascular disease and oncology use de-identified patient data on a regular basis to conduct trials of drugs and medical devices.

Post-marketing research also relies on such data. This is how scientists discovered that Vioxx posed an increased cardiovascular risk. De-identified patient data will undoubtedly be used to assess the safety of the Swine Flu vaccine once it becomes available, and comparative effectiveness research of the sort contemplated by the Obama administration will rely heavily on de-identified patient data as well.

Risks of De-Identified Patient Data
Jay Cline, a prominent expert on patient privacy recently conducted an exhaustive multi-data base review of the matter and was unable to turn up even one case in which a de-identified patient data set had been breached and re-identified with criminal intent.

Why? Cline hypothesizes that for those who seek to profit from the theft of private information, de-identified patient data is far less valuable than say, credit card information. “It's harder to monetize the fact that I know Judy Smith of Peoria has heart disease -- by filing false claims in her name, for example -- than to have Judy's credit card number and expiration date,” he says.

“If I'm a criminal with advanced data skills and I have a day to spend, I'm going to go after financial data and not health data.”

To be sure, there have been cases in which White Hat hackers have succeeded in re-identifying patient data, including Carnegie Mellon computer scientist LaTanya Sweeney’s famously successful effort to identify then Massachusetts governor William Weld’s health information by combing a $20 list of demographic information she obtained off the Internet with a de-identified set of health-insurance information…and that’s what has privacy advocates worried.

What Should HHS Do?

Despite these concerns, HHS should not to wield too heavy a sword in deciding whether to overturn current HITECH legislation, which does not require that patients be notified when their de-identified data is breached.

Why do some physicians abandon their EHR?

With significant stimulus moneys earmarked for physician adoption and “meaningful use” of Electronic Health Records (EHRs) as part of the HITECH (Health Information and Technology for Economic and Clinical Health) act, a component of the ARRA (American Recovery and Reinvestment Act), it is surprising to read that many physicians are actual de-installing their EHRs once they’ve installed it and used it for a while. Why might this be the case?

The recently described trend of de-installation seen in the Phoenix area mirrors an observation reported previously that failure and de-installation of EHRs abound. This is especially seen in solo and small practices, where the decision-making process is more individual and direct (larger groups and staff-model integrated delivery systems function more slowly, by committee). The reasons? Cost and usability, mainly.

Traditional, legacy EHRs have been very expensive, with significant server-end and IT support burdens (often an unexpectedly-large hidden cost). Even with subsidies (e.g. from local hospitals), the cost is significant, and the benefits are not immediately felt. It has been reported that only about 11% of the savings from EHRs go to the physicians – the bulk of the benefit goes to private and public insurers who end up paying for fewer unnecessary tests and the like. So the financial proposition to physicians has largely been one of significant risk – smaller practices, with very tight margins (especially in primary care), are seldom in a position to take on this degree of risk.

The other burden is the issue of usability. Clumsy, antiquated user interfaces (UIs) implemented by some of the larger, older, legacy systems simply get in the way of workflows that have been honed over the years. It is not uncommon to hear anecdotes from physicians who claim a dip in their productivity for a few months while their office got used to a new system, and some never fully recover their previous level of productivity (until they make the decision to abandon their EHR). Usability of EHRs has been the focus of significant study, but this element of EHR design remains problematic.

It would seem evident that the way out of this mess, in order to reverse the trend of frustration and de-installation of EHRs despite federal moneys intended to incentivize it, is to look to newer technologies. Web-based, hosted, SaaS (software-as-a-service)-based EHRs are now emerging, which eliminate the server-end burden and the attendant costs. Many hosted web-based EHRs offer a per-month subscription; Practice Fusion is a web-based EHR that is offered free to physician end-users (subsidized by alternative revenue streams, including advertising).

In addition, Practice Fusion is built with detailed attention to usability. As a web-based product, it can improve and roll-out new enhancements easily without needing any local “upgrades.” The hope is that, as such newer technologies become more widely implemented, practices (especially smaller ones) will find the EHRs tools to be helpful (rather than a hindrance), and will experience the full benefit that sophisticated EHR tools promise to deliver.

Robert Rowley, MD – Chief Medical Officer, Practice Fusion, Inc.

FTC Delays Enforcement of Red Flags Rule

Just 2 weeks after announcing plans to roll-out its Red Flags Rule on August 1, the Federal Trade Commission has decided to punt on the implementation date until November 1.

The regulation requires creditors and financial institutions to develop identity theft prevention programs.

As described in an earlier post on this blog, physicians that accept health insurance or permit patients to pay in installment plans are going to have to implement written policies and procedures that protect against identity theft in accordance with the Rule, or risk incurring a $2,500 penalty for each “knowing violation.”

Vigorous objections by the Medical Group Management Association and the American Medical Association have been instrumental in delaying the initiation of the FTC program.

Hat tip: Douglas Arnold, Middlesex Professional Services, Middletown, CT.

Glenn Laffel, MD, PhD, Sr. VP, Clinical Affairs

The De-Identification of Patient Data (Part I)

This article is based on a July 24 Computerworld piece by Jay Cline, a former chief privacy officer at a Fortune 500 company who is now president of Minnesota Privacy Consultants.

Many organizations use de-identified patient data—that is, data in which all information that could be used to identify individuals has been removed—to support clinical research and development. The Veteran's Administration for example, has recently announced it will use such data to improve the care for medical conditions ranging from cancer to PTSD. Similarly, private-sector organizations such as IMS Health and SDI Health use de-identified prescriber-level data to create reports that inform the CDC, the US Department of Public Health and most major pharmaceutical companies.

At the moment, the HITECH provisions contained within the American Recovery and Reinvestment Act (also known as the stimulus plan) do not require patient notification when de-identified data are breached.

However, at the request of privacy advocates, the US Department of Health and Human Services has decided to review this policy.

A reversal of the status quo would force health care organizations to notify patients if their de-identified data has been breached.

The consequences of such a reversal are enormous, as the California experience has shown. California recently mandated that patients should be notified when their de-identified data has been breached. This year alone, more than 800 breaches have been reported to the beleaguered state, which has managed to investigate 122 of them.

The state has yet to detect a case in involving criminal mischief, or an intent to use the information for personal financial gain.

How is Patient Data De-Identified?
The Health Insurance Portability and Accountability Act says that health information can be linked with particular individuals if it is associated with any of the following “Direct Identifiers.”
 
1. Names
2. Geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of a ZIP code
3. All elements of dates (except year) for dates directly related to an individual (e.g., date of birth, admission)
4. Telephone numbers
5. Fax numbers
6. E-mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers

EHRs, PHRs and Patient Portals – how are they connected?

An increasing amount of attention is being focused on Personal Health Records (PHRs), and how these relate to Electronic Health Records (EHRs). Australia, for example, has set a goal for every citizen to have a PHR by 2012. With a myriad of terms being used in the press around elements of health IT, it might be useful to review what they are, and how they are related.

The terms EMR (Electronic Medical Records) and EHR are often used synonymously, but many define EMR as just the physician interface, and EHR includes both a physician and a patient interface. The main idea here is that EMRs/EHRs serve as tools designed for physicians, and attempts to replace the use of traditional paper charts in a medical office. A well-designed EMR system will work harmoniously with workflows in a physician office, and will ease the time and burden involved in medico-legal documentation of patient encounters. An EMR may interface with a Practice Management (PM) system, which carries out billing. PM systems, sometimes housed in-house and sometimes housed in outsourced billing agencies, are responsible for packaging billing information, sending out bills to insurers (via paper or electronically), posting payments, and sending out patient bills. Often, PM systems are stand-alone, and sometimes are part of an EMR-PM integrated system.

As EMRs have matured, many have offered Patient Portals – web-based ways in which patients can view some of the information contained in their physician’s EMR. When a Patient Portal is added to an EMR, it is often then called an EHR. Patient Portals are populated by EMR data, and not updatable by the patient directly. Kaiser’s KP Online is an example of such an offering. Such Patient Portals may contain ways by which patients can communicate via secure email/messaging with their physicians, receive lab results, request appointments or pay their bills.

Patient-centered documentation has grown in parallel to EMRs. Though the precise definition has undergone evolution, a PHR has come to imply a computerized application that stores an individual’s personal health information (like allergies and adverse drug reactions, medications, illnesses and hospitalizations, surgeries and other procedures, vaccinations, lab test results, and family history). The idea is that a PHR is portable, controlled by the patient, and serves as a repository of data that can be referred to when encountering the healthcare system in a variety of settings (like going to a new doctor, or a hospital, or an emergency department).

Traditionally, PHRs began as simple, empty shells, and relied on patients to enter all their information themselves. Not surprisingly, such efforts were only taken up by a few “early adopter” enthusiasts, and failed to gain widespread usage. More recently, a newer generation of PHRs have emerged (Google Health and Microsoft Health Vault), which offer the ability to fill PHR data from outside data-source feeds, such as lab results. Unfortunately, much of the available data imported by these PHRs had come from health-plan data, based on billing (not clinical) information, which was found to be significantly inaccurate.

What is the future of these trends? PHRs and EHRs have been converging, and this will continue to evolve. EHR Patient Portals have the limitation of being only about what is contained in a given practitioner’s system (what happens to your Kaiser Patient Portal when you leave the Kaiser system?), though they have the advantage of being pre-populated by the clinicians’ EMR data. PHRs, more portable and centered around the patient (regardless of where healthcare is sought), have tried to be more connected, and filled by EHR data where possible. The ideal is to create a PHR that is filled by data drawn from each EHR system used by the various clinicians involved, allowing patient feedback and involvement – and done in a way that is secure and protects privacy.

The federal government is building a Nationwide Health Information Network with this goal in mind. Some traditional EHR vendors are building their own infrastructure to help in this effort around Health Information Exchange (HIE). Practice Fusion is moving in that direction as well – by building the ability for clinicians to share charts across different practices, the Patient Portal under construction will in fact be a PHR pre-populated by the EHR data from all the clinicians involved in care, and available securely via a web connection – and, importantly, available as a free service facilitated by the underlying Practice Fusion business model.
 
Robert Rowley, MD – Chief Medical Officer, Practice Fusion Inc.

Comparative Effectiveness Roadmap

Just weeks after the IOM released its“Top 100” list of agenda items it hopes will drive the Feds’ $1.1 billion comparative effectiveness program, Stanford scientists have weighed in on the matter as well.

In a JAMA editorial, Randall Stafford and colleagues suggest that if comparative effectiveness research is to realize its potential to improve the quality and cost-effectiveness of care, it must focus not just on drugs and devices, but on health-delivery processes and lifestyle practices as well.

Examples of the latter are various diets and exercise programs, as well as alternative therapies that have become popular in the US, according to Stafford’s group.

The group also recommended that comparative effectiveness studies be undertaken earlier on in the life of new drugs and devices. Had such analyses been done regarding the ill-fated pain-killer Vioxx, millions would not have been exposed to its cardiotoxic effects, they say.
 
In addition, the group said more work needs to be done on translating the results of comparative effectiveness studies to the bedside. “Unfortunately, we still want to believe that information alone will change physician practice,” Stafford told BurrillReport. “There are more potent influences on physicians, including their local culture of practice.”
 
The scientists also recommend that early-stage drug and device trials feature head-to-head comparisons against already-approved drugs in the same category rather than placebo-controlled trials. This strategy would assure a flow of improved products to the marketplace while driving innovation among drug and device makers.

Lastly, the Stanford group suggests a greater focus on the cost-effectiveness of new therapies, despite methodological problems associated with such evaluations. “What good is comparative effectiveness if it cannot be used to discern anything about value to clinicians, insurers, patients, and society?” they ask.

Glenn Laffel MD, PhD, Sr. VP Clinical Affairs

"Medical records are an area where IT could make us healthier"

Robert X. Cringley - author, former InfoWorld columnist and tech guru - has an excellent post about medical data up on his blog. He covers the opportunities and concerns surrounding the future of electronic health records. I recommend reading the whole thing, but here's a quick excerpt:

There are lots of advantages to computerizing health records.  A couple of years ago I visited the Mayo Clinic in Rochester, Minnesota, to discuss this very issue.  Mayo has been in the forefront of digitizing all of its six million patient records.  This is a bigger job than most of us realize since it involves not just blood tests and doctor’s notes but also X-Rays and CAT scans.

Mayo, which was a century ago the first clinic in America to standardize the way it kept records in the first place, is also at the forefront in creative ways to use those records once they are in the system.  You see Mayo doesn’t have six million patients, they have six million patient records — many of those being records of people long dead.  But keeping extensive records of dead people creates a powerful database for statistical testing of possible treatments and even drug interactions.  “Surely in those six million records there is something similar to this medical mystery we are trying to solve today.” And often there is.

Figuring out from an analysis of records that combining drugs A, B, and G sometimes kills people can be good to know.

Mayo is taking the process even further to include DNA data for many patients with the goal of being able to statistically identify genetic trends within the population through records analysis.

Click here to read the full text of Cringley's post. His commentary has already sparked another interesting post from an anthropologist, John Hawks on the specific genetic data aspects of electronic health records. Hawks mentions Practice Fusion's recent case study in Chris Anderson's book.

What do you think of Cringley's take on EHR? Share your comments below.

Does a free EHR level the playing field on quality?

As the measurement of clinical quality has evolved, an observation has emerged that practice size matters. In an article published by the AMA in November, 2007, the multiple pros and cons of large group practice vs. smaller or solo practice are discussed. However, according to a study reported in the Annals of Internal Medicine in 2006, larger groups outperformed smaller practices on a number of clinical quality metrics.

 Why is this the case? Looking into the details of these reports, the key seems to be access to electronic tools (EHRs) which are able to present prompting for wellness and disease management to the clinician. Such systems historically have been more available to larger groups – mainly due to cost, the adoption of EHRs has been higher among larger practices than among smaller ones.

So what would be the outcome if small practices had equivalent access to sophisticated EHR tools with prompting and decision-support at the point of care? If the cost barrier were eliminated – which is what Practice Fusion offers – and physician practices (regardless of practice size) were able to move along the adoption curve toward true meaningful use, it is quite conceivable that the differences in quality metrics seen historically will disappear.

Certainly, one can argue that there is more to clinical quality performance than simply having enabling technology. Having the tools and using the tools effectively are not the same thing. It may be that the team approach to care will be better able to carry out the recommendations offered-up by the EHR technology. Such a team approach is more feasible in (though not intrinsic to) larger groups – and certainly the emergence of Patient-Centered Medical Home models of care implies teams working collaboratively. Only time and experience will tell. But, at the very least, making sophisticated next-generation low-cost (or free) EHR tools available to every clinician – regardless of practice size or setting – will tremendously enable improvement in health care. It will “level the playing field” and allow smaller practices to “move up the quality ladder” and achieve outcomes previously out of reach.

Robert Rowley, MD – Chief Medical Officer, Practice Fusion

EMRs Shown to Improve Care

A treatment program in which nephrologists used an EMR to remotely monitor the care of patients with mild to moderate kidney disease has reduced by two-thirds the number of specialist referrals that took place too late in the course of the disease. 

Brian Lee, a Kaiser nephrologist based in Hawaii, published these findings in the British Medical Journal.

Lee and associates used Kaiser’s HealthConnect system to track progress of patients having elevated serum creatinine levels to assure they received care consistent with evidence-based treatment guidelines.

They suggested referral to a specialist or provided treatment plans for implementation by PCPs as they deemed necessary.

"The goal with kidney disease is to detect it early enough to make changes that will slow the disease down,” Lee told BurrillReport. “Patients who consult with a nephrologist before the onset of kidney failure are less likely to be hospitalized and more likely to survive longer.”

In a separate study funded by the National Cancer Institute, Kaiser’s EMR was found to boost mammography screening rates by 17% among women who should receive them.

Participants were female Kaiser Permanente Northwest HMO members aged 42-49 years old that had not received the breast cancer screening test in at least 20 months.

After identifying eligible patients, the Kaiser system mailed out a “mammogram due soon” postcard to them. This was followed by up to 2 automated phone calls and then a live call for nonresponders.

Before the system was instituted, 63.4% of targeted women completed a mammogram. This number increased to 75.4% during the initial implementation phase of the program, and to 80.6% during a maintenance phase.

The write-up appears in the American Journal of Preventive Medicine.

Glenn Laffel, MD, PhD, Sr. VP Clinical Affairs

The conversion from paper to EHR – how much does it REALLY need to cost?

The topic of converting medical practice from paper to electronics seems to appear daily in news, blogs, radio, and seemingly everywhere. Earlier this week, NPR's Marketplace had a segment about the costs of implementing an EHR.

Several factors have brought this question to light: ARRA stimulus money set aside to encourage physicians to take on e-adoption (up to $44,000 cumulatively from 2011 to 2015, as an add-on to Medicare payments): the emergence of a national Health IT policy that defines goals, objectives and “meaningful use;” and the debate around federal health reform – all these factors add juice to adoption of EHRs.

 

One of the presumptions in the discussion has been that EHRs are expensive. Several studies have shown that the biggest barriers to EHR adoption historically have been (1) cost, and (2) usability (or the lack of it). Traditional EHR vendors have offered very large, self-contained, locally-installed client/server systems – and these systems have been very costly. Not only is there the cost of the EHR software itself, but there is the cost and burden of establishing a server, with data backups, security, connectivity and the like. This is something beyond the resources available to smaller practices, and therefore (not surprisingly) such EHRs have been implemented in larger organizations: hospital-based systems, large medical groups, staff-model organization like Kaiser, etc.

 

But how much does an EHR need to cost, really? Firstly, a locally-installed client/server system involves server-end costs. Even if that EHR software were given away free, the server costs remain – and this is considerable. Again, a major challenge to small practices. However, web-based, hosted EHRs completely remove this layer of burden from the practice. No longer are there server-maintenance, data backup, security, and network connectivity issues – all you need is an internet-connected computer and a browser.

 

Even beyond the benefits of a hosted, web-based “software as a service” (SaaS), there is also the question of paying for the service. Some SaaS-based EHR vendors charge a monthly use fee, sometimes per-MD and sometimes per-user. Practice Fusion has developed a unique business model that allows the SaaS service to be offered for free to all end-users. Revenues come from ads, and other alternative revenue sources.

 

By eliminating the cost barrier of EHR adoption, Practice Fusion can focus on the issues that are truly significant – usability, flexibility, portability, connectivity to other data sources, and true establishment of “meaningful use.”

 

Robert Rowley, MD

Chief Medical Officer

Practice Fusion, Inc.