Healthcare providers are establishing electronic health record (EHR) systems at an astonishing rate, due in part to the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act was created as a part of the American Recovery and Reinvestment Act of 2009.
i The $27 billion dollar piece of legislation offers eligible providers incentives for expanding the use of healthcare information technology (HIT).
ii This includes promoting the “meaningful use” of EHRs. The “meaningful use” standard was designed to use HIT to improve quality of care and health outcomes for patients, as well as to lower costs by eliminating repeat medical tests and reducing preventable medical errors that pervade the health-care system today. This legislation has been extremely effective in persuading healthcare providers to use of electronic health records. In fact, the incentives outlined in the HITECH Act are estimated to increase EHR adoption rates to 90% of all physicians by 2019.
iii Despite healthcare technology’s vast potential to improve patient health in the medical arena, there exists a host of complex legal, technical, and ethical concerns surrounding the use of HIT as incentivized in the HITECH Act, namely issues of privacy, confidentiality, autonomy, and the preservation of the physician-patient relationship.
The HITECH Act and “Meaningful Use”
The Health Information Technology for Economic and Clinical Health (HITECH) Act offers hospitals and eligible healthcare professionals incentives for expanding the use of healthcare information technology, including the “meaningful use” of EHRs.
iv Incentive payments are made available through the Medicaid and Medicare programs. The Centers for Medicare & Medicaid Services (CMS) judges whether a health care provide has satisfied the meaningful use core objectives through the use certified health technologies.
The Department of Health and Human Services defines meaningful use as using certified EHR technology to: (1) improve quality, safety, efficiency, and reduce health disparities; (2) engage patients and families; improve care coordination, and population and public health; and (3) maintain privacy and security of patient health information.
v The “meaningful use” framework incentivizes improvement to clinical care and quality by encouraging healthcare professionals to take advantage of instantaneous and patient-specific information. There are three stages of “meaningful use.” The first stage is the use of HIT for basic data collection, including demographic and medication history. The second stage is the use of EHR data to improve clinical processes including patient controlled data, clinical decision support, health information exchange (HIE), and quality measurement and research. The third stage is the use of EHR data to improve health outcomes, quality, safety, efficiency, and population health at the national level.
vi Hospitals and providers eligible for the EHR Incentive Program do not need to attest to meaningful use in their first year of participation. Rather, they must simply implement an EHR to receive an incentive payment from their State.
The incentive payments under HITECH are quite substantial. To receive payments, eligible professionals and hospitals must meet at least 5 of the “meaningful use” criteria defined, consisting of 15 core data points and 10 menu options.
vii These criteria include the entry of patient demographic and insurance information,
e-prescribing, and the use of drug interaction software to ensure patient safety.
viii Eligible professionals and hospitals that meet the criteria can be rewarded up to $44,000 in Medicare and $63,750 in Medicaid payments over 5 years. After 2015, physicians who fail to meaningfully use EHRs will be subject to reductions in Medicare and Medicaid reimbursement.
ix
Health Information Exchanges
The HITECH Act is a step towards the eventual goal of a national, interoperable, private, and secure electronic system to allow information to be shared among all the sites where patients receive care.
x While still in its infancy, Health Information Exchanges (HIEs) are being established at the community, state, and national level to facilitate the electronic exchange between systems. The State Health Information Exchange Cooperative Agreement and the Nationwide Health Information Network (NHIN) received $600 million in federal funding to create a platform for health information exchange across the United States.
xi At the state level, governments are creating statewide health information networks (HINs). At the national level, the Office of the National Coordinator (ONC), which oversees deployment of the HITECH Act, is executing plan to create a National Health Information Network (NHIN). Provider organizations participating in NHIN include Kaiser Permanente, the Cleveland Clinic, and the Veterans Administration.
These networks can lead to the development of data repositories filled with rich sets of health data for millions of individuals. Such data repositories can provide researchers with information necessary to improve quality of care and make significant discoveries in medicine that they may not otherwise have access to. Despite their great potential, progress in developing HIEs and repositories has been gradual. Many hospitals and clinics are hesitant to implement the systems because they do not have the finances or infrastructure necessary to do so. Moreover, there are also significant concerns over patient privacy and autonomy, which is to be discussed “Ethical Implications” sections below.
Secondary Use of Health Data
Until recently, collecting data for “secondary use” was an arduous task. “Secondary use” in healthcare is defined as the use of information collected from health records, electronic or manual, outside of direct patient care delivery. This includes data collection for the purpose of “research, quality and safety measurement, public health, payment, provider certification or accreditation, marketing, and other business applications.”
xii Such use of healthcare data in biomedical research has the potential to drastically improve the quality and affordability of healthcare services in the United States. EHRs contain structured information about patients, which is extremely valuable in research because now information can be retrieved in a much quicker and more efficient fashion than more traditional methods of record keeping. Researchers can develop algorithms to search through EHRs, including free-text clinician notes, to find data valuable to a specific study.
xiii
The effective secondary use of health data for research has great potential to improve health outcomes, reduce medical errors, predict health trends, and demonstrate the comparative value of drugs and other treatments.
xivOther benefits include the increased ability to analyze the efficacy of treatment options and identify evidence-based best practices. Furthermore, predictive modeling techniques may be applied to electronic health data to identify medical conditions before the onset of symptoms and promote earlier interventions. While experimental studies, such as randomized controlled clinical trials, are likely to continue to be the gold standard of clinical research compared to observational studies, they more expensive and time consuming. As such, electronic health data serves as a rich resource for the conduction of observational studies.
Nevertheless, the unprecedented surge in the amount of healthcare data, as well as the relative ease with which that data can be aggregated and exchanged between providers and researcher will raise ethical questions about its use in research, specifically concerning patient privacy and autonomy. The Health Insurance Portability and Accountability Act (HIPAA) requires patient health information (PHI) to be de-identified or authorized by the patient for release. However, de-identified data would omit significant clinical, demographic, and time-related data that would render the data sets much less useful for many research purposes. While de-identified data is invalid and leads to incomplete data sets, it seems like is a small price to pay for protected the privacy of patients, especially those with stigmatized conditions.
Accordingly, researchers are forced to walk a fine line between ensuring patient privacy and maximizing the descriptive power of their data sets. Before the value of secondary use can be fully realized, ethical considerations surrounding the mining of electronic health data must be explored, namely infringements on an individual's privacy, confidentiality, and autonomy. It is necessary to establish a national framework of policies for the secondary use electronic health data to allow stakeholders to harness valuable information to improve the U.S. health care systems while maintaining patient autonomy and privacy protections.
xv
Ethical Implications of EHRs and Meaningful Use: Data Quality Concerns
The mass of recent electronic health data makes it possible to assess the overall burden of disease and evaluate the impact of interventions on a national scale. Despite its promise, research through electronic health data mining and “secondary use” is not without flaws. Data quality concerns are inherent in data that is being used for any purpose other than what it was originally intended, especially considering the fragmented nature of the healthcare industry and the numerous platforms on which data is being collected.
xvi First, there are hundreds of different EHR systems, each with a distinct representation of data that makes it difficult to aggregate. Second, even within the same EHR system, information incompleteness, inaccuracy, and inconsistency are common challenges, as different healthcare professionals tend to use the same system differently.
xvii Third, clinicians tend to prefer using free text compared to structured data entry because it is more easily adapted to their individual practice styles and work flows, although it may make it more difficult to compile and analyze.
xviii While there are established clinical coding standards such as SNOMED and ICD-9 to facilitate easier data aggregation, consistency has still proved to be a challenge in clinical research. Fourth, incomplete and duplicate records threaten the quality of research using data mined from EHRs.
Furthermore, some critics may argue that EHRs make it more possible for clinician to falsify charts and reports, which would lead to both data quality and trust issues with patients. However, the falsification of records would not only violate the moral imperative against lying, but also infringe on the fiduciary relationship between the physician and patient. Furthermore, there are methods to protect against such acts, include audits, fraud charges, and reclamation of funds under the False Claims Act and the Deficit Reduction Act.
xix These measures act as valid disincentives to data falsification when it comes to patient records. Lastly, while the incentives and mandates of HITECH and “meaningful use” have led to an enormous amount of data being stored and generated by the U.S. healthcare system, there is an extreme lack of interoperability. The electronic data exists in different formats on hundreds of different systems.
Aggregating this sizeable amount of this data for research purposes will prove difficult, if not impossible, without a national regulatory framework to reduce intersystem variation and improve data quality. The federal government must determine national data standards or guidelines and clinicians to decrease data variation between systems. By implementing legislation to address these issues, the federal government can alleviate many ethical concerns and while allowing the United States healthcare system to benefits from more effective and larger scale use of secondary data.
Ethical Implications of EHRs and Meaningful Use: HIPAA and Privacy Concerns
With improved access to data comes increased risk of wrongful disclosure of patient health information. EHR data is at risk of human error, hacking, IT glitches, and theft of hardware than contains such information. HITECH challenges certain the notions of privacy and security found in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), yet enhances others. HIPAA prohibits the disclosure of protected health information (PHI) without the consent of the patient except for the purposes treatment, payment, or healthcare operations. Under HIPAA, “business associates” of covered entities with access to PHI are not directly regulated.
xx Rather, they are obliged to comply with HIPAA pursuant to mandatory written agreements within the covered entities for which they work. The HITECH Act, on the other hand, provides for regulation of business associates and stipulates that HIPAA’s privacy and security rules directly apply to them.
When it comes to a security breaches involving PHI, HITECH mandates public notification when unsecure, unencrypted PHI is disclosed or used for an unauthorized purpose, similar to many state and federal financial data breach laws. The HITECH Act also requires that patients be notified of both internal and external breach of their data security. If a breach affects over 500 patients, the Department of Health and Human Services (HHS) must also be notified and the name of the breaching institution will be posted on the HHS web site. There are also certain circumstances where local media will need to be notified to inform the public of breaches than effect many people within a given area.
xxi
While HITECH is a federal law, it the Department of Health and Human Services and state attorneys general are granted with the authority to enforce the law. Subtitle D of the HITECH Act addresses the privacy and security concerns of EHRS by strengthening both the civil and criminal enforcement of the HIPAA rules.
xxii Section 13410(d) of the HITECH Act revised the Social Security Act by establishing significant penalties for violation of security policy of the HITECH Act.
xxiii If an institution or individual is unaware of a violation despite due diligence, the minimum penalty is $100 per violation, with a cap of $25,000 for violations of an identical requirement within the same year.
xxiv If the security violation is due to “willful neglect,” the minimum penalty is $10,000 per violation, with a cap of $250,000.
xxv The maximum penalty is $50,000 per violation, with a cap of $1.5 million.
xxviThese are clear examples of the HITECH’s acts attempts to deter data breaches and mitigate security concerns.
The healthcare industry continues to tread carefully when it comes pursuing “meaningful use” of HIT while protecting patient privacy under HIPAA regulations. Critics current HIPAA does not accommodate the powerful research opportunities that may become possible as HIT and HIEs become more commonplace. The public health benefits of secondary use merit judicious consideration of how such data can be optimized while protecting patient autonomy.
Ethical Concerns of EHRs and Meaningful Use:Confidentiality & Physician-Patient Relationship
Patients often express concerns about keeping their PHI is kept confidential and secure. Moreover, patients may fear re-identification of their de-identified health information. Furthermore, understanding that EHRs provide a rich source of data that is highly desirable to pharmaceutical companies, insurance firms, and researchers, it seems valid to be concerned that these entities may try to purchase, use, and resell this data. There must be high security standards and regulations set to ensure that patient information is secure and not vulnerable to such misuse. Such concerns by the patient are harmful to the vital physician-patient relationship. The physician-patient relationship is a unique and complex status in which confidentiality is key; Privacy of a patient’s health information is considered sacred in the medical field. Any perceived infringement on patient privacy will severely damage this unique physician-patient relationship.
If a patient does not feel confident about the security of his or her health information, he or she may feel the need to conceal sensitive information. For example, a patient might fear that sensitive health matters such as those relating to sexual health and mental health could be accessed by others and refrain from sharing information about those issues. This is particularly true pertaining to sensitive health issues, such as sexually transmitted infections or mental health disorders. As a result, the patient’s health and treatment may be compromised. This may result in patients not fully disclosing important facts or, worse, avoiding medical care entirely, which would clearly result in negative health outcomes.
Accordingly, it is essential for physicians to ensure doctor-patient confidentiality by openly discussing these concerns with patients and explaining the security attempts detailed above that are in place to mitigate them. Furthermore, it is important that patients be able to access their EHRs with relative ease. It would be wise to allow patients to have a degree of control over the records’ content by allowing them to write notes or amendments to the record. Lastly, a new informed consent system must be established to enable patients to play a role in the decisions about how much of their EHRs they wish to make public to researchers and other stakeholders. A system must established to enable patients to play a role in the decisions about how much of their EHRs they wish to make public to researchers. Allowing patients to set the level if access they choose to share with certain health care providers and researchers will maintain respect for their autonomy and right to confidentiality. While variation in data due to informed consent redactions may result in significant differences in the completeness of individual datasets, making them less powerful tools for research, it is a risk that we must face to protect patient autonomy while optimizing the research potential of electronic health data.
xxvii Patient ownership of their health data, in terms of both privacy and content, is critical to the ethical to use EHR data.
Ethical Concerns of EHRs & Meaningful Use: Autonomy, Informed Consent, and Syndromic Surveillance
While the secondary use of electronic health data has the potential to improve the quality of care in the United States, there are several ethical considerations that must be addressed before a national framework is implemented to address issues of autonomy and informed consent. Patient autonomy is threatened when an individual’s personal health information is shared without that person’s knowledge or consent. When data mining electronic health data, it is unlikely that patients are told that their data is being accessed. It is even less likely that they are contacted for their consent. This is concerning, as champions of patient autonomy would argue that informed consent is necessary for the secondary use of health data. Patients often believe they have a right to know who is viewing their medical information, why it’s being accessed, and how it is being used. Additionally, those who champion patient autonomy believe that patients have a right to take an active part in decisions about the access, content, and ownership of EHR data. It would appear to be a violation of autonomy to aggregate and generate new information about a patient’s health without their knowledge or permission. Patients provide information to healthcare professionals in confidence with the specific goal of advancing their own personal health outcome. If the principle of autonomy is intrinsically linked to advancing an individuals own personal health outcome, then any form of secondary use (by definition as the use of PHI outside of direct patient care delivery) appears to be a violation of the principle of “respect for persons.” The real question here is whether or not you can turn a patient into a research subject without their knowledge or consent.
To overcome these issues of autonomy, patients should be able to access their EMRs with relative ease. Moreover, patients should maintain the right to have a degree of control over the records’ content. While it seems unreasonable to allows patients to modify or delete any of the content entered by health care professionals per se, it seems judicious to allow autonomous patients to review, annotate, or challenge their own electronic medical record. Furthermore, federal regulations must be reassessed to determine considered valid informed consent for research using electronic health data specifically. Some HIEs are attempting to develop new consent processes to overcome HIPAA compliance issues. Some are calling for a blanket “opt-in” or “opt-out” policy, while others suggest the independent ability to exclude certain types of sensitive data in one’s own health record. Ideally, to maintain the highest level of patient autonomy, the patient would have full say as to what specific information may be shared and with whom it may be shared.
That being said, there are certain public health situations where it is necessary and desirable to use electronic health data without informed consent. This is particularly true in public health emergencies. In the interest of population health, the HITECH framework allows for syndromic surveillance to notify public health officials of reportable conditions. Syndromic surveillance systems seek to use existing health data in real time to provide immediate analysis for early detection of disease outbreaks, and to monitor disease trends.
xxviii It has been well established the government has the authority to do so under their police power authority to regulate for the safety and welfare for the population. However, it is important to consider from a bioethical perspective where the line ends between public health surveillance and an intrusion on one’s own individual liberty and autonomy. On the other hand, it could be argued that it would be a “tragedy of the commons” if individuals independently acted according to each one's self-interest and refused to be surveilled. To take a communitarian perspective, aggregation of public health data is an essential resource to public health officials and necessary for the welfare and beneficence of the population as a whole.
It is also necessary to note the point of “electronic exceptionalism.” There is a longstanding history of manual disease surveillance. However it seem more ethically unsettling when this process is done with high technology tools that can quickly aggregate and share data in unprecedented ways. While critics may look at syndromic surveillance through EHR data as exceptional because of its electronic nature, its use may not be so different than traditional methods after all. There has been mandatory reporting of certain conditions to public health officials at the local and national level for decades before EHRs existed, including the reporting of drug-resistant tuberculosis, certain cancers, and HIV. EHRs will make reporting of these conditions and others deemed necessary to protect public health easier, and may actually do a better job at protected patient health data by encrypting and preventing unauthorized access through password protection.
Ethical Implications of EHRs and Meaningful Use: Meaningful for Whom?
It is clear that the “meaningful use” of EHRs is on the rise, but is important to question for whom is it meaningful, and how meaningful is it? Let us consider one of the primary goals of “meaningful use,” which is to provide patients with electronic resources to increase participation in their own care. This involves providing patients with an electronic copy of their health information within three business days if requested, including diagnostic test results, medication lists, allergies, discharge summary, and procedures.
xxix Accordingly, providers often offer patients access to online personal health record (PHR). PHRs are largely secure as they are encrypted and password-protected. However, it is important to note that patients need more than just Internet access and a very basic understanding of health information to fully benefit from PHRs.
xxx Rather, they need access to the basic resources required to
act on the information provided through this technology. Not only must patients be able to read and interpret lab results; they must be willing and capable to act on the information he or she receives. This point has been largely neglected in discussions surrounding the HITECH Act. For those without access the Internet, those with very limited health literacy, and those unable to act on that information for financial or other reasons, EHRs have limited to no directed benefit. It is important to note this limitation and ethical concern of the HITECH Act, as well as to acknowledge the justice and access issues it presents.
It is also necessary to consider community outreach and education programs that focus on Internet and health literacy, rather than merely advertising new electronic and personal health record capabilities.
xxxi Many fear that patients will misunderstand or misinterpret information if they read it without a medical professional to interpret it. It is possible that the HITECH Act granted health care providers a new ethical obligation to work with patients to ensure they understand these tools and how to use them. Furthermore, healthcare professionals run the risk of relying solely on PHRs to communicate important health information to their patients. This stands to cause great harm to the doctor-patient relationship. Electronic tools must not replace the face-to-face communication between healthcare provider and patient that is essential to maintaining trust and achieving improved health outcomes.
Beneficence of Electronic Data in Medical Research
Despite the ethical concerns addressed above, the use of electronic health data is critical to ensuring patient health, improving our healthcare system, and making new scientific discoveries in this technological age. Critics may question whether EHRs are truly meaningful or whether it is an “excessive bureaucratic requirement to spend public dollars on doctors’ computer systems.”
xxxii This answer to this question can be discussed through the principle of justice. It is ethical, one could argue, to expend public funds for EHR systems that provides for the greater good and benefits for the public as a whole. Having data that is structured and easily retrievable benefits clinicians, patients, and the greater population. These benefits include safer prescribing, prevention of medication errors, epidemiological tracking to protect population health, and public medical error reporting. Furthermore, there is a clear need to switch from outdated, burdensome, and inefficient clinical charting traditions to electronic format.
EHR adoption aims to reduce cost, which is a primary goal of health reform in the United States. The increase in information available to clinicians can help prevent redundant or unnecessary tests and imaging. Furthermore, EHRs can provide point-of-care clinical decision support (CDS) as doctors prescribe tests, medications, and imaging requests, which can also help reduce costs. Lastly, “shared savings,” or “gain-sharing,” allows hospitals and healthcare providers to collaborate to reach quality metrics.
xxxiii Accordingly, EHRs enable users to measure desired outcomes and report this data more quickly and easily, saving both time and money. With regard to the costs associated with EHRs, studies have documented the strong return on financial investment that may be achieved following EHR implementation.
xxxiv Other financial benefits include increased revenues due to improved care coordination, averted costs of paperwork, chart pulls, and billing errors, and fee-for-service savings including the rate of new procedures and charge capture. Furthermore, the secondary use of health record information is anticipated to become one of the healthcare industry’s greatest assets and the key to greater quality and cost savings over the next five years.
xxxv In fact, a recent report by the McKinsey Global Institute, estimates the potential annual value to the healthcare industry at over 300 billion dollars.
xxxvi These savings in cost benefit both the patient and provider.
There are also several patient-centered benefits that result from the “meaningful use” EHR data. Perhaps one of the most promising results of EHR data mining is the use of predictive modeling techniques to identify medical conditions and promote interventions before the onset of symptoms. Furthermore, retrospective analysis of the health data mined from EHRs could expedite scientific discovery in medicine by providing valuable information for research. In addition, physicians’ access to data and analysis could demonstrate the efficacy of different treatment options across large populations, which could help treat and prevent chronic conditions. Lastly, such data can be used to identify evidence-based best practices, identify potential patients for clinical trials, and monitor patient compliance and drug safety. These measures show beneficence towards the patient by providing better more individualized care.
Conclusion
EHRs can facilitate the efficient delivery of health care in a cost-effective, safe, and patient-centered way. The safety, privacy, and of patients and potential research participants is of utmost concern and can be maintained while capitalizing on technological advances to improve the United States healthcare system. It is possible to reconcile the use electronic health data for research while maintaining respect for patient’s autonomy. Accomplishing this will require collaboration among ethicists, researchers, clinicians, informatics specialists, and policy makers.
xxxvii By reevaluating, clarifying, and enforcing HIPAA guidelines as they pertain specifically to secondary use, the federal government could point the healthcare field in a direction that both protects of patients’ privacy and autonomy while empowering researchers with valuable data sets. Permitting the establishment HIEs and data repositories of EHR data for research purposes has great potential for identifying evidence-based best practices, monitoring patient compliance and drug safety, and showing the efficacy of different treatment options across large populations. However, we must provide patients with the right to dictate which information they choose to share and allow them to opt out of the platform to protect patient autonomy while optimizing the research potential of electronic health data. Moreover, EHRs cannot be considered a cure-all for patient health and we must acknowledge the effect it may have on the physician-patient relationship.
The HITECH Act’s initiatives take us a step closer to President Obama’s stated goal of “an EHR for every American by 2014.”
xxxviii The integration of HIT into our health care system is more than just a technological upgrade; it represents a fundamental change in our approach healthcare practice in the United States. EHRs will continue to evolve as a critical component in the medical field, and can be ethically integrated to deliver the highest quality healthcare to Americans in the 21st century.