BBI Contributing Editor

DALLAS The Healthcare Information and Management Systems Society (HIMSS; Chicago) annual conference here in March was certainly a more exciting show than the previous year's edition in Orlando. The venue, the Dallas Convention Center, was a bit too small to hold this sprawling conference, with HIMSS turning away more than 100 vendors because the facility could not accommodate them. But the dramatic upturn in interest in electronic health record (EHR) systems drew many physicians and other potential new users for the first time, as well as the usual hospital chief information officers and other administrators to the show.

Exhibiting vendors of all sizes commented that they were seeing new prospects and that the number of sales leads was up. It is clear that the initiatives made by HIMSS have established it as the conference to attend to see what is happening in the emergence of the EHR. HIMSS also was able to attract David Brailer, MD, the Bush administration healthcare czar, who in turn attracted much media and vendor interest.

Standards & interoperability news

Integrating the Healthcare Enterprise (IHE) is the project to promote interoperability among different vendors that produce imaging and cardiology related products and is highlighted at HIMSS in the form of an annual demonstration. The IHE group of vendors emphasize that they are not a "standards organization" in the conventional sense, but rather use standards (such as DICOM and HL7) to allow different vendor systems to interoperate. IHE began in 1997 with the mutual realization by HIMSS and the Radiological Society of North America (RSNA; Oak Brook, Illinois) that through cooperative efforts they could promote a higher level of interoperability among imaging and information systems. The American College of Cardiology (ACC; Bethesda, Maryland) has since come on board as a participating organization.

IHE was an outgrowth of imaging vendors seeking to have their various radiology-related systems exchange DICOM-standard images. However, since these early beginnings interoperability has expanded to include all things radiological, and more recently all things cardiologic as well.

This year's demonstration started with a diagnostic ECG that was passed on through various systems one might find in the cardiology department and ultimately on to diagnostic imaging tests that the mock patient required. Ultimately, the intention is for a hospital to select best-of-breed solutions, rather than having to standardize large purchases around one vendor. IHE interoperability is "thinner" than is apparent from the HIMSS demonstrations. The IHE process being demonstrated had four steps: The first was identifying interoperability opportunities; next came writing integration profile specifications. Then came "connect-a-thon" testing, which was the most interesting step as engineers from dozens of companies descended in one big environment to connect, troubleshoot and test interconnectivity. Connect-a-thon was like a shootout at the OK Coral. Finally came integration statements and requests for proposals (RFPs). Vendors interested in learning more can browse www.ihe.net, the organization's web site.

HL7 progress

Also at HIMSS, interoperability was discussed and demonstrated by the Health Level 7 (HL7; Ann Arbor, Michigan) organization, which is a "standards" group. The latest version of HL7 is version 3.0 (interoperability based on its embedded Reference Information Model (RIM)), which is what was discussed in Dallas. As this new version of the standard is still being ratified, it has not yet been adopted by any large number of vendors. Rather, most vendors offer systems that implement much earlier versions (2.2 2.5 Messaging) of the standard. With these earlier versions, implementation doesn't assure interoperability a problem that has frustrated hospitals, whose goal is not what the standard says, but assuring that when purchasing from two vendors who support the same version of the standard, they will be able to exchange data. But a decade into the development of this standard, that elusive goal has never been fully realized.

One of the questions that HL7 has struggled to answer is, "why can two systems that both comply with the HL7 standard fail to be interoperable with each other?" The answer is not simple, but the solution HL7 now promotes is "compliance profiles," which is a list that a vendor publishes, showing what functions of the HL7 standard are implemented in any of its particular systems/applications. The theory is that if two vendors share a function in their published profile (in version 3 at least), they will interoperate, according to the HL7 organization.

The question is, how long will it be before version 3 is ratified and any reasonable number of vendors support it and how broad will that support be for the family of products that most larger vendors sell (or have already sold)? Will vendors be willing to retrofit version 3 functionality to existing products in the market? Not likely, from what we heard on the floor.

Any hope for true interoperability based on the HL7 version 3 standard is still about five years away for any reasonable number of products. This period might be shortened a bit if hospitals buying systems began to demand version 3 compliance as a prequalification for any systems they are purchasing. In the meantime, interoperability remains a "buyer beware" promise that needs to be carefully and thoroughly researched by any purchaser of healthcare information technology (IT).

EHR erupts everywhere

The 2005 HIMSS conference was a landscape with clear seismic activity, and the EHR focus was threatening to erupt all around the conference. It wasn't only the keynote speech given by Brailer, who essentially told HIMSS attendees that the government is encouraging the adoption, but could at some point mandate it (which wasn't in fact news at all). Brailer pointed out that about 50% of EHR systems installed to date have failed, a point which several HIMSS vendors noted was not the case with their specific systems. Brailer has become a popular speaker at conferences as the push for EHRs continues. But there also is pressure from organizations such as HIMSS, MGMA, the American Association of Family Physicians (Leawood, Kansas) and other stakeholders and industry advocates, all of whom are calling for improvements in outcomes (like reductions in adverse drug events) that can only be achieved by the widespread adoption of such systems.

Yet the approach of these groups is quite diverse. Brailer and some of the largest vendors are promoting RHIOs Regional Health Information Organizations. But just how today's RHIO is anything more than a reheated leftover of last millennium's CHIN Community Health Information Network or why healthcare providers a decade later are going to be any more enthusiastic about creating them is still a mystery. HIMSS is pushing RHIOs and positioning itself to be at the center of their implementation. Whether they are called RHIOs or CHINs, these entities raise enormous patient data privacy issues, in spite of Health Insurance Portability and Accountability Act (HIPAA) regulations, which as presently written are seen by many as an expensive, bad joke perpetrated by the federal government on the entire country.

The darker side of HIMSS & EHRs

Let us cite one example. Quietly, behind the scene, Richard Dick and Associates has created a database of all prescription medications filled during the last five years by more then 200 million Americans. The assembly of this highly personal information, gleaned from the records of pharmacies that filled them, occupies 12 terabytes of data storage. Knowing the meds prescribed indirectly tells one the diseases being treated, with personal identifiers not scrubbed of personal data. Dicks' company was purchased by United Health Care (Minnetonka, Minnesota), which makes this data available to a consortium of healthcare insurers. The insurers in turn use it to underwrite requests for new medical policies made by these same people. The data simplifies and speed the underwriting process from days to about 75 minutes.

Given HIPAA, one might ask how collection of this non-scrubbed, personal information is not a violation of HIPAA, only to be told that each patient waives his or her HIPAA privacy rights when they apply for the policies and when they visit the physicians that prescribed the drugs initially. Without understanding the full implication, patients have signed away their rights to have their data protected, believing that if they refuse to do so, care will be denied to them. So Americans are not voluntarily giving their permission for commercial organizations to collect their entire medication history, but are being coerced to allow this highly personal information to be collected in exchange for receiving medical care. So much for HIPAA safeguards.

At the present, Americans' five-year prescription history is only in the hands of one organization, but many others that know about the existence of this database are anxious to get their hands on it. Now fast forward to when RHIOs all over the country create a mechanism to obtain patient records "in an emergency" and ask what protection individuals have or what means they have of tracing what organizations will ultimately do with this acquired information. Hackers, once they learn of the system, will certainly want to take a crack at obtaining it. How well protected is this highly sensitive data? Who knows? How well documented is access to it? Who knows? If the data was breached, would United Health report this publicly? Who knows? Think the Lexus/Nexus hacking was a problem? It would be nothing in comparison to a successful hacking of this data.

Since corporate America large elements of which are not exactly known for ethical conduct uses outsourced organizations in India, Indonesia and elsewhere to keep their data, what assurances or means of redress are there if these subcontractors violate the confidentiality of the information, all of which is supposed to be "protected" by the HIPAA legislation? One might wonder how Americans would feel about this if they found out about it? Look at how they feel already, knowing nothing of it. In a February poll, between 62% and 70% of adults indicated that they are worried their sensitive health information might leak because of weak data security in healthcare organizations that have adopted electronic health records, that there will be more sharing of patients' medical information without their knowledge. "I am convinced that how the public sees the privacy risks, and responses from EHR managers will be absolutely crucial to the EHR systems' success or will be a major factor in its failure," said Dr. Alan Westin, emeritus professor of public law & government at Columbia University (New York) and director of the program on information technology, health records & privacy at Privacy and American Business. Fully 82% say that offering consumers tools to track their own personal medical information in the new EMR system and to assert their privacy rights is important to implement at the start of any EMR system.

Richard Dick is not through yet. He has created a new company, You Take Control, whose pitch is to empower individuals to control and sell their sensitive private information to whomever they want. To do this, one becomes a member of You Take Control on its web site, at one of four levels of participation ranging from free to $99 a year. Hopefully, one can then decide what of his or her personal information they wish to sell and make back more than the $99 it costs to join, thus turning a "profit" on that sensitive information, which is then essentially put into the public domain.

Why would you voluntarily sell your "sensitive" information? Dick notes that drug companies will want to test new drugs on individuals based on their disease profiles and genetic make-up. His plan is to have the drug companies pay individuals for the rights to match their profile to the study requirements, than add the fees associated into the research costs and pass them on to the patients who use the drugs after they are released on the market. It would also allow for post-approval tracking of drug effects something that is becoming more popular given the recent removal from the market of Vioxx and other drugs.

Unlike our European neighbors, where such things are illegal and would result in prison terms for violators, Americans have thrown caution to the wind and are making sensitive, personally identifiable drug prescription information available for a variety of uses. Indeed, the more automated and electronic healthcare transactions become, the more data is collected by the payers, who already have drug purchase transaction records available from 80% of major U.S. pharmacy firms to mine, thanks to processing by companies that mine such data.

Gulf widens between large, small EHR providers

Another significant story at this year's HIMSS gathering was the growing gulf between the large, multi-segment, multi-product (including EHR) companies such as GE Healthcare, Siemens and others and the smaller companies whose only products are EHR or computerized practice management (CPM) products. As HIMSS forms its EHR vendor groups and other medical organizations cut deals with many of these larger companies, smaller companies rightly are wondering how to level the playing field for them to promote their products will be and what barriers they are likely to encounter as the federal government's vision of automating every physician practice in the U.S. takes shape. Money talks, and multinational companies have many divisions that are cash-flow generators that allow them to influence such organizations resources that smaller companies cannot match. If the EHR market truly emerges over the next five to 10 years, it is likely that 80% of the companies that offered products at HIMSS this year will either not be in business at all or won't be under the same name or ownership.

Brailer, who was at HIMSS to promote the government's consistent commandment to physicians, "Thou shall automate thy practice," is joined by many healthcare philanthropies such as the Robert Wood Johnson Foundation (Princeton, New Jersey) and the Markle Foundation (New York), among others, which are providing money for pilot programs and advice on how to spend it. Various other government and public policy agencies and organizations are leaping on the EHR bandwagon as well, making this the most successful alliance of diverse interests that the Bush administration has ever achieved. Brailer told the audience at HIMSS exactly what they wanted to hear and had been telling each other for years: healthcare IT is a cost-effective form of "therapy" that saves lives and money. He pointed to ePrescribing, preventive reminders and bar code scanning as examples that should be universally adopted to prevent mistakes and reduce waste. Brailer touted President Bush's commitment to fund his office with $50 million in the 2005 budget and $125 million in the 2006 budget; however, to date Brailer has had to dip into contingency funds for money to operate.

All of this publicity about EHR is creating a welcome boom for anyone who resembles a "healthcare IT consultant."

Uncle Sam's first objectives

The heart of Brailer's presentation was the goals he called upon HIMSS and the entire healthcare sector to embrace:

  • Inform clinical practice.
  • Interconnect clinicians.
  • Personalize care.
  • Improve population health.

To underscore the urgency in achieving these goals, Brailer noted that only 13% of small group practices have adopted what they describe loosely as some form of EHR compared to 57% of practices with more than 100 physicians. He offered no insight into how the staff and resources of such practices were fundamentally different, with smaller practices lacking the IT personnel and budget to fund the multi-million-dollar solutions offered to large practices, but essentially not available to smaller ones.

Brailer chided the industry for making data proprietary, which he indicated limited it becoming a strategic asset that could improve public health, without answering the concerns expressed by privacy advocates who already are alarmed by the amount of very private data on individual Americans that exists in commercial databases used for underwriting purposes. He pointed to the statistic that showed that one-third of those surveyed by the Kaiser Family Foundation (Menlo Park, California) under the sponsorship of the Agency for Healthcare Research and Quality (Washington) indicated they had created their own set of medical records a statistic that is highly questionable. We did a small survey of people we know and the number who had their own personal health records stored away was nowhere near one-third. Moreover, those that did indicate they had such records generally did not have them in electronic format or even organized in any way that would be immediately useful to a healthcare provider in an emergency situation. Until there is more widespread acceptance of the "personal health record" as well as standards (such as there is for the continuity of care record that physicians are supposed to exchange with one other), it won't matter much what Americans do in collecting their own health records.

Meanwhile, this year's HIMSS had no less "vaporware" on the exhibit floor than in the past and many of the "working systems" demonstrated by large vendors exhibited the same fundamental flaws that have been ignored for the past five years. For example, many vendors with the largest booths offer "advanced EHR" systems that still don't recognize the transposition of systolic and diastolic blood pressure values input a situation that cannot happen physiologically, but can easily be entered into these systems. Many systems readily accept flawed physiological data without even a warning to the user that the data is nonsense. One key reason that small practices are so cautious and such reluctant adopters of systems is that they are tired of being "burned" or hearing about associates who got burned by systems that didn't work as represented by their vendors. With more than 700 vendors in the marketplace offering something, the question is, who is credible and matches the needs of a physician's practice?

EHR validation by summer

Brailer reaffirmed his office's commitment to produce a national strategic plan in compliance with the president's executive order, which he indicated would build upon the Framework for Strategic Action that has been presented as a trial balloon by Brailer in his talks with groups around the country. The national healthcare IT guru noted that the newly formed Certification Commission for Health IT (CCHIT) is on schedule to deliver a standard for EHR validation by this summer 2005, yet many question whether the standard that will come forth will be specific enough to reduce the vaporware that has characterized the industry for more than two decades. What will it mean that an EHR product is CCHIT-certified? What assurance will it provide to physician groups that products will work as represented by the EHR vendor sales personnel? Unmet vendor promises are the single most common reason for the removal of failed EHR systems.

However, at the pace Brailer is setting, there could be real change and accomplishment, assuming the president continues to fund this endeavor. Watch for progress by groups working on the Federal Health Architecture and the Consolidated Health Information Initiative, which Brailer is pushing to generate standards. While there may be questions about the exact timetable for all of this change, the clear impression is that change is coming, and it's likely to affect the entire system. Small practices will have to shape up with EHR or perhaps fold up sometime in the next three to eight years. Whatever happens in this area is going to affect a lot of small practices and tens of millions of patients.

(Next month: Going beyond scanning, security solutions and vendor surprises at HIMSS.)