How to 'Unblock' Secure Info ExchangeSenate Panel Hears Ideas for Improving Health Data Sharing
The federal government, healthcare providers and electronic health records software vendors all could take several steps to help ensure the secure exchange of patient information to improve treatment is not blocked. That was the message offered at a July 23 Senate hearing called to examine obstacles to health information exchange.
For example, those testifying suggested that the federal government could better align Medicare payment models to incentivize healthcare providers to securely exchange health data. They said healthcare providers could stop using HIPAA as an excuse for not sharing data. And they suggested EHR vendors could embrace technology standards and business practices that support easier, secure data exchange.
"Interoperability - this communication between systems that is so critical to the success of electronic health records - has been difficult to achieve. Information blocking is one obstacle to interoperability," Lamar Alexander, chair of the Senate Committee on Health, Education, Labor and Pensions, said at the hearing.
Even though the federal government has spent $30 billion on HITECH Act financial incentives to promote widespread adoption of EHRS, system interoperability issues are still impeding data exchange, he said.
In April, the Office of the National Coordinator for Health IT issued a "Report to Congress on Health Information Blocking." (See Overcoming Health Info Exchange Blocking.)
An unwillingness to securely share patient information "originates in the current business models of some healthcare provider organizations, and the healthcare industry in general, wherein fee-for-service payment creates disincentives for sharing of health information and rewards information hoarding, or at least the delay of timely information exchanges," testified David Kibbe, M.D., senior adviser to the American Academy of Family Physicians. He's also president and CEO of DirectTrust - a nonprofit alliance that created and maintains the security and trust framework for using the Direct Project for secure e-mail in the healthcare sector.
Testimony by Kibbe and other witnesses also suggested that some EHR vendors inhibit - sometimes intentionally - the exchange of patient data in a number of ways. Some products lack interoperability functionality. Some fail to take advantage of standards for facilitating secure exchange. And some EHR vendors charge healthcare providers hefty extra fees for interfaces that can facilitate secure data exchange and insert "gag orders" in contracts that prohibit healthcare organizations from publicly disclosing technical issues with EHR products.
"There's a lot of intimidation about reporting vendors" whose EHR systems lack interoperability, testified David Kendrick, M.D., chair of the department of medical informatics at the University of Oklahoma. He's also CEO of MyHealth Access Network, a health information exchange organization based in Tulsa, Okla.
"Should we outlaw gag orders?" asked committee member, Sen. Bill Cassidy, M.D, R-La. "Yes," several witnesses answered in unison.
The exchange of patient information by using secure, encrypted email that takes advantage of the "Direct" standard has grown rapidly since becoming a required feature in 2014 of EHR technology certified by the Office of the National Coordinator for Health IT under the HITECH Act program, Kibbe testified. Healthcare providers, however, are still facing obstacles in using Direct to share patient information, he said.
"Information blocking by healthcare provider organizations and their EHRs, whether intentional or not, is still a problem for some providers wishing to use Direct exchange, as well as for these providers' clinical partners who want to be able to exchange Direct messages and attachments with them," he testified.
For example, some EHR software lacks in-boxes to receive Direct messages, he said. Other EHRs restrict the various kinds of attachments - such as Word documents - that can be securely sent via Direct, he added.
In addition to vendor issues impeding secure health information exchange, some healthcare providers also contribute to the problem by using HIPAA compliance as an inappropriate excuse for not sharing or disclosing patient data to authorized individuals, some of the witnesses testified.
The Department of Health and Human Services needs "to help improve stakeholder understanding of the HIPAA provisions related to information sharing," Michael Mirro, M.D., past chair of the Medical Informatics Committee of the American College of Cardiology, testified.
Federal Action Needed
The federal government could also help fuel better interoperability of health IT and collaboration among healthcare providers by aligning financial incentives, witnesses told the Senate panel.
For instance, HHS needs to better align "value-based payment models" for Medicare that reward healthcare providers based on patient quality care measures with the requirements for the HITECH meaningful use EHR incentive program, including those aimed at secure patient exchange, Kendrick of MyHealth Access Network, testified. "Value-based payment models need to incentivize providers to make patient information available," he said.
In addition, ONC needs to develop a national governance strategy for health information exchange, he testified.
Under HITECH, "ONC was called upon to establish the governance for the nationwide health information network," Kendrick said. "Now, more than six years later, that governance still does not exist, due in part to interpretations of limitations on ONC's authority. Thus, there is a vacuum in governance for this critical component of America's infrastructure."
Patients are also concerned about secure health information sharing, testified Mirro, who is chief academic and research officer of Parkview Mirro Center for Research and Innovation. "A lot of my work is focused on delivering content to patients in a secure fashion," he says. "Encryption and secure file transfer protocol seems to adequately protect patient information in the transmission to personal health records. Today we have adequate privacy and security, but we could do better."