Law in the Internet Society
Ready for review.

Establishing a Private, Workable Online Medical Database

-- By BrendanMulligan?

In its 1999 report, “To Err is Human: Building a Safer Health System”, the Institute of Medicine claimed that preventable medical errors cause as many as 98,000 deaths per year in the United States and upwards of $29 billion annually in lost income, lost production, disability, and additional health care costs. According to the report, decentralization and fragmentation of the health care system are major causes of these errors. Providers lack access to complete patient data at the point of care. Fewer than 2% of the nation's 5,000 non-VA hospitals have what could be considered a full-fledged system.

Proprietary Contribution to a Broken System

Vendors’ commercial systems are proprietary and designed to not talk to other vendors' systems. Further, the Healthcare Information and Management Systems Society (HIMSS), which is a powerful healthcare organization focused on fostering the optimal use of information technology (IT) and management systems for the betterment of healthcare, is ostensibly independent, but acts as a lobby for proprietary owners. HIMSS hosts the largest and most well-publicized health IT conferences in the country. They charge large sums of money to buy space at conferences and limit the electronic health record vendor association to companies which “design, develop and market their own proprietary Electronic Health Record software application.”

People are dying because we lack proper IT infrastructure and the government should take steps to catalyze this process by (1) incentivizing the use of VistA? public domain software to improve functionality and streamline formatting and (2) safeguarding privacy.

Lip Service to Open Source Acceptance

The open source movement has gained some traction in relation to the government’s policy on health IT. First, the stimulus calls for a study on the availability of open source health IT systems to be completed by Oct. 1, 2010. This includes comparing the total cost of ownership of open source to existing proprietary commercial products, ideally providing open source systems with the opportunity to demonstrate much superior value to price ratios.

Second, the stimulus empowered the support the development and routine updating of qualified EHR technology. The government earmarked $20B to incentivize the switch to functional online databases. The provisions however, dictate that hospitals must only perform “one test of certified EHR technology's capacity to electronically exchange key clinical information.” See Table 2. The government set a much lower bar for interoperability and sharing information, despite the much higher bar for the way docs and hospitals use electronic systems internally.

However, the government already developed the best comprehensive health IT system, VistA? , and did nothing to promote its use. The VistA? system, its interface, and all updates (500–600 patches per year) are provided as public domain software and used by many private hospitals. VistA? successfully integrates the databases throughout the Veteran's Health Administration, which runs the largest medical system in the US. In focusing on internal benchmarks, the government inexplicably misses its chance to create an operational system. The stimulus dollars should instead incent hospitals to integrate onto VistA? —which has been established for as little as “1/10th the price” of proprietary software.

Lost, Stolen, and Mislaid Private Health Information

Secondly, a health database must address concerns over medical privacy. Much of the debate surrounding health care information centers on safeguarding data from being “lost, stolen or mishandled.” See also, Robert A. Gerberry, Legal Ramifications of the Formation of Digital Hospitals, 14 Health Law 27, June, 2002. “Faced with stories of confidential medical records being accidentally posted on a web site, and being emailed to all members of a computer network, patients continue to fear the misuse of confidential medical information. Online providers need to protect against the electronic misappropriation of health information by complying with confidentiality laws that seek to protect patient information.” These concerns are legitimate. In a recent survey of IT professionals, “seventy percent said senior management does not view privacy and data security as a priority. Eighty percent of respondent organizations had experienced at least one incident of lost or stolen electronic health information in the past year.” Over the last few years, the personal health information of “hundreds of thousands of people” has been compromised because of security lapses at hospitals, insurance companies and government agencies.

The government responded to these concerns with changes to Health Insurance Portability and Accountability Act of 1996 (HIPAA). Any time private health information is “accessed, acquired, or disclosed” by or to an unauthorized person,” the Department of Health and Human must be notified. If the breach affects more than 500 residents of the same state, major media outlets must be notified. This will be enforced by penalties of $50,000 for actions of willful neglect, undefined, but presumably the failure to adopt safeguards required by law.

Problems of HIPAA-Acceptable Private Health Information Sharing

The above change may increase hospital vigilance in protecting medical privacy (e.g., http://www.arkhospitals.org/calendar/calendarpdf/july%2030-09hitech%20changes.pdf), but it fails to stop the easiest breach of private health information. HIPAA permits patients’ personal health information to be shared among more than 600,000 organizations without patients’ consent. 45 C.F.R. § 164.506 states that with limited exceptions “a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section.” Health care operations are defined extremely broadly, leaving almost no discernible restrictions. It includes activities such as business planning, management and administration, the sale or transfer of a covered entity, fundraising, and data analysis for plan holders or other sponsors.

This rule is indefensible even with paper files, but increased access to personal health data on an integrated system makes it particularly dangerous. Therefore, any change to HIPAA should alter this provision. Congress could start by revisiting the House’s 2004 STOHP Act, which makes consent the core of disclosure. In effect, the change would require individuals to give or withhold consent before their personal health information is used or disclosed before each routine purposes, instead of a one-time consent as in effect now.


You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" on the next line:

# * Set ALLOWTOPICVIEW = TWikiAdminGroup, BrendanMulligan

Note: TWiki has strict formatting rules. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of that line. If you wish to give access to any other users simply add them to the comma separated list

Navigation

Webs Webs

r4 - 26 Jan 2010 - 05:55:45 - BrendanMulligan
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM