Who owns your medical records?
Hint: It's not you. Nor do they belong to taxpayers, who paid for their collection.
Cyber thieves hacked their way into the computer system at Lurie Children’s Hospital in Chicago last week, shutting down the patient portal, email and telephone systems at an institution that serves a quarter of a million children annually. None have returned to normal as of this writing.
Lurie is not the only health care facility victimized by data thieves, who often demand ransom to end their online disruption. There have been nearly 6,000 healthcare data breaches since 2009. In 2023, hackers gained access to a record 133 million patient and employee files. That was 2 ½ times the level of 2022, which was the previous high year, according to the Office for Civil Rights inside the Health and Human Services Department.
Apparently, “known criminal actors” (Lurie’s description of the perpetrator) have easy access to patient and hospital data. I wish the same could be said for physicians at one hospital trying to get records for a patient previously admitted to a different hospital system. Or specialists in one practice trying to get records from a primary care doctor in an unaffiliated practice. Or patients trying to transfer their medical records from one facility to another. Or researchers trying to obtain de-identified records from various hospitals to see how well they compare on safety, outcomes and cost.
Stealing medical records is easy for criminal hackers. But obtaining them legally remains a difficult or even impossible task for patients, even though both hospitals and physicians are required by law to share data if given permission by the people they care for.
The promise of easy health information exchange
It wasn’t supposed to be that way. Shortly after President Barack Obama took office, Congress passed legislation that granted $30 billion to hospital and physician offices to buy computers and digitize their medical records. When the law passed, most of those records resided in manila folders, which put the health care industry about three decades behind the rest of America in joining the information age.
If health care providers took the money, and almost all eventually did, the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act required they and their software vendors meet rigorous standards. First and foremost, they had to protect patient privacy, which was already required by law.
The HITECH Act added a new set of requirements to promote better health care. The new systems had to use standardized data protocols so patient records could be easily exchanged between providers — so-called interoperability. The law’s architects believed health record interoperability was key to overcoming the fragmentation that plagues America’s health care delivery system, where primary care physicians, specialists and hospital clinicians maintain separate medical records for an individual patient.
In addition to enabling better coordination of care, interoperability would eliminate duplicative tests. It would reduce medication and treatment errors. It would relieve patients of the onerous task of filling out the same forms every time they visit a hospital, clinic or physician’s office. Its most fervent proponents hoped it would foster better health outcomes in a country, which, while devoting over 17% of its economy to improving health, achieves middling results in life expectancy, infant and maternal mortality and many other basic indicators of public health.
The law also gave states grants to set up health information exchanges (HIEs), which would serve as clearinghouses where providers could deposit their patient records. This would allow other providers instantaneous access to their patients’ records after the patients had given permission to share.
The HIEs would serve as a research repository where the data, de-identified to protect individual privacy, could be used by public health officials to highlight major societal health challenges; track vaccination rates; and monitor cancer, hypertension and diabetes screenings. It would empower public agencies to spot geographic disease hotspots – those communities hardest hit by the opioid, behavioral health, hypertension and obesity/diabetes epidemics. This would enable public health departments to deploy their scarce resources in the most needy areas.
Health researchers could use the data in HIEs to create what came to be known as a learning health care system. Analyzing the real-world outcomes from the use of drugs, medical devices and surgical procedures would provide valuable information to improve the clinical practice guidelines issued by scores of government agencies, medical professional societies and patient advocacy groups. It could be used to inform clinicians what works best and under what circumstances, especially when there are competing approaches to treating a particular disease.
Provider organizations could use HIEs to get feedback on the quality of care they provided. They could compare their outcomes to rivals; compare resource use; and compare the outcomes obtained by individual clinicians within their own organizations to see if unnecessary variation in clinical choices was harming patients or wasting resources on costly procedures and tests that didn’t lead to better outcomes. States could use the data from HIEs to make hospital and physician performance transparent, thus allowing patients to make better informed choices when choosing hospitals, physicians or other providers.
In short, the dawn of the medical informatics era over a decade ago was greeted with the same fervor that is greeting artificial intelligence in medicine today. It was going to change everything.
Interoperability— the big fail
Things did not turn out as planned. Providers took the money, of course. According to the most recent report issued last March by the Health and Human Services Department’s Office of the National Coordinator (ONC), which was created to oversee the digitization of America’s medical records, nearly all hospitals and four-fifths of physician offices have installed electronic health record systems (EHRs).
Indeed, near universal EHR adoption had been achieved as early as 2014. But what we have seen since is an almost complete failure to achieve the most ambitious goals of information sharing. Progress on every front has been “inconsistent and influenced by different priorities across industry actors,” the ONC report said.
Indeed, flagrant disregard of the interoperability requirements in the original HITECH Act led Congress in 2016 to include a section in the 21st Century Cures Act that imposed up to $1 million in fines on health care providers that refuse to share data. The ONC maintains a portal where patients or providers can report alleged instances of what the regulators called information blocking.
To date, it has received nearly 900 complaints. None has led to fines by the HHS Office of the Inspector General, a spokesman for the agency said via email. The agency also refused to comment on whether any investigations are underway.
What’s behind this systemic refusal to use digitized medical records to reduce fragmentation, lower costs, improve quality, and get better outcomes?
The answer, in short, is the financialization of health care. Every player in the health care ecosystem has a proprietary interest in maintaining a stranglehold over what they consider to be their data. They resist interoperability because it impedes their ability to make money. They say they want to share, but in practice, they act like a bunch of high school bullies stealing lunch money from the nerdy kids.
Hospitals, especially those that belong to large systems that are both horizontally and vertically integrated (they own multiple facilities in multiple markets, each attached to large physician practices with extensive outpatient and surgical centers) are reluctant to share data with other systems in their service territories. They have no interest in making it easy for their patients to switch providers.
These dominant organizations use a variety of illegal and quasi-legal tactics to block information exchange. They include:
Charging excessive fees to create electronic health record interfaces;
Requiring recipients adopt their brand of EHR before sending data;
Imposing unduly restrictive contractual limitations on the use of the data; and
Simply delaying the exchange, which in health care is tantamount to denying the request.
I spoke last week with Dr. David Blumenthal, the first head of the ONC. He recently returned to teaching public health at Harvard University after running the Commonwealth Fund. The original proponents of the law were naïve, he said.
“No one expects a BMW dealer to exchange his client list or his client’s purchasing patterns with the Toyota dealer down the street,” he said. “But somehow, we expected that hospitals would do that out of the goodness of their hearts. It turned out it costs money, aggravation, and there’s no return on investment to them. In fact, there is a potential loss of business.”
But from the patient point of view, there are many reasons for wanting to switch providers. They may want to see a different doctor. They may have a new insurer with a narrower physician or hospital network. They may want lower out-of-pocket costs.
Such switching would be seamless if they could easily move data from one provider to another. Hospital systems and large physician practices, afraid of losing the revenue, have no interest in seeing that happen.
Concentration within the medical-industrial complex has made it easier for big health care systems to resist interoperability. Today, the nation’s 600-plus hospital systems, which own three-quarters of the nation’s 5,000-plus hospitals, employ over half the nation’s physicians and surgeons. Throw insurance- and corporate (often private equity)-owned physician practices into the mix and that number rises to 73% of all doctors, up from just a third two decades ago, according to a recent study by the Physicians Advocacy Institute.
Most metropolitan areas are dominated by a handful of large systems. Patients today no longer switch doctors. They switch systems. And when markets are concentrated, there can be a tacit agreement among those systems to avoid sharing patient data — what in essence is a cartel for pursuing information blocking.
EHR vendor complicity
Providers are aided and abetted by the EHR software vendors. Though there are dozens of companies selling EHR software, the market is dominated by four firms that control over 80% of the hospital market. The physician office EHR market is similarly skewed.
Vendors’ reasons for avoiding interoperability are the same as their customers: They want to limit competition by making it harder to switch. It would also cut off a lucrative sideline business selling the add-on software needed to exchange data between otherwise incompatible EHRs.
Epic Systems, a privately-held company headquartered near Madison, Wis., dominates the market. It set the standard for building firewalls to prevent information sharing between health care systems.
Founded in 1979 by Judith Faulkner, now 80, Epic posted an estimated $4.6 billion in sales in 2022, earning its primary owner third place on Forbes Magazine’s list of richest American women with an estimated net worth of $7.4 billion. That value has grown fourfold since the dawn of the government-funded EHR era.
I interviewed Faulkner at the 2014 HIMSS meeting, the industry’s largest trade show. I asked her if Epic promotes interoperability. She pointed to Care Everywhere, a trademarked service launched in 2008 that allows any Epic user to share data with any other Epic user. In other words, if you want to exchange data with a hospital that uses Epic, all you have to do is buy an Epic product for your health care office or facility.
A few years ago, Epic added Share Everywhere, which allows patients to access their data on a smart phone or computer, which they can then share with other providers. But there’s a catch. It’s only available when the patient is logged in. Epic’s patient information sheet on Share Everywhere makes no mention of allowing that data to be downloaded, much less sent to another provider. However, “the person who views your information can also write a note back to your health system to help keep your care team informed of the care they provided.” Ah. Another provider can share its data with Epic, but it is not reciprocal. Epic won’t share its data with them.
The section of the 21st Century Cures Act that aimed to put an end to information blocking set up the Trusted Exchange Framework and Common Agreement (TEFCA) – a common set of standards for information exchange. Shortly after it passed, a survey of state- and regionally-run health information exchanges (HIEs) — there are more than 100 across the country that were set up to facilitate data exchange — reported over half of EHR vendors and nearly a third of health systems engaged in information blocking. The HIEs cited the unreasonably high prices providers and their vendors put on transferring data as the number one cause of information blocking.
In theory, the law had teeth. The final rule set a $1 million maximum penalty for information blocking. Four years later, the OIG has yet to impose a single penalty despite receiving nearly 700 complaints from patients and 100 from providers.
That oversight failure provides a textbook example of agency capture (economist-speak for when regulated companies control or successfully limit regulators’ actions). The final rule identified eight “exceptions” when regulators would allow information blocking.
You do not have to be a legal genius to use those exceptions to deny requests for data, especially given how rampant data breaches are today among health care providers. The eight exceptions include: Situations where sharing might harm patients, compromise privacy or risk data theft; if sharing is unfeasible for technological reasons or unforeseen events; if fees for obtaining data (including profits) are “reasonable”; and if providers want to to license the data, which can be used to restrict downstream uses, even if de-identified.
Try, try again?
Since that rule didn’t solve the problem, HHS has come up with another rule. Last month, the agency finished collecting public comment on a rule that creates “disincentives” for information blocking. It would cut bonus payments to hospitals that took government cash to buy computers and EHRs but failed to provide easy data exchange. Physician offices would see their quality bonuses cut by as much as 25%. And accountable care organizations, which share savings with the federal government when they lower costs, would see those bonuses cut.
Reading the comments to the proposed rule gives one a good picture of how seriously the leading trade groups for hospitals and physician practices take the interoperability requirements contained in the original HITECH law. The Federation of American Hospitals, the trade group for the for-profit section of the industry, wants CMS to take “an educational and not a punitive approach, at least initially, until agencies and providers have much greater experience in investigating claims and working with providers to remedy any potential information blocking.”
America’s Essential Hospitals, which represents 200 mostly urban hospitals that provide a high proportion of their care to the poor and uninsured, said the group was “firmly on board with the need to seamlessly share information.” However, it called the rule excessively punitive and premature. “There is still significant confusion about the types of conduct that would constitute information blocking,” CEO Bruce Siegel wrote.
Meanwhile, America’s Physician Groups, which represents the nation’s 360 largest physician practices with over 200,000 doctors, complained that lowering both quality bonuses and shared savings at physician practices that participate in ACOs represents “double jeopardy.”
Even the Sequoia Project, an industry-wide consortium set up in 2012 to promote interoperability, suggested the proposed “disincentives” went too far, even though the proposed cuts to bonus payments and shared savings are minuscule, a tiny fraction of annual revenue. “We recommend that investigations be limited to egregious acts and persistent, bad behavior,” wrote CEO Marianne Yaeger. Moreover, “providers should always have the right to appeal the decision that information blocking occurred.”
Only Families U.S.A., which represents health care consumers, voiced unconditional support for the penalties in the proposed rule. “Access to interoperable and transparent data enables hospitals, clinicians, and payers to provide higher quality, less costly care,” wrote Sophia Tripoli, the senior policy director for the group. “It is vital that data be made more broadly available and interoperable across the payment and delivery system.”
With that alignment of forces — all providers, payers and vendors lined up against a handful of consumer groups — it looks like it is still going to be a long time before patients can walk into a doctor’s office, download their entire medical record onto a thumb drive, and transfer it to another doctor’s office.
(In the next edition of GoozNews, I’ll take a look at the payer side of the health information cartel.)
Merrill, France figured it out 25 years ago, achieving interoperability and eliminating paper medical records with the Carte Vitale. This green plastic credit card with an embedded memory chip is the central administrative tool of French medicine. Issued to all of France’s 66.7 million citizens and legal residents, the encrypted card contains the owner’s complete medical history (a child’s medical record is maintained on the mother’s card until age 15). The Germans followed ten years later.
I have been in practice for over 25 years. Obtaining medical records is much easier than it was when I first started out. I practice medicine in the Kansas City area and frequently require medical records from both sides of the state line. Health information exchanges have made this process much easier. Missouri has Louis and Clark Information Exchange (LACIE) and Kansas has the Konza network among others. My EMR has links to this data. I can upload records to a patient’s chart and review them before their initial visit. There are limitations. If a large health system doesn’t participate in the HIE or if the records are from a small private practice, I don’t have access. In addition, I can’t predict how robust the information is since it varies. Things aren’t perfect but they are much better than they were.