Good morning Mr. Chairman, Ranking Member Murray and distinguished committee members. I’m delighted to be with you today to talk about driving progress toward quality and value through health information exchange.
The notion of “health information exchange” has been around for decades, and we have tried many approaches. Yet our health care system is struggling to foster the kind of exchange that will truly drive better care and smarter spending. Entrenched payment policies that do not reward better health outcomes or coordinated care continue to hold us back. We are making progress, but many health care organizations today still treat health data as a close-hold business asset, when it should be treated as a public good.
I’m here to talk about how consumers can be a force for change.
We know that consumers want health information technology (IT). According to a nationwide survey released by the National Partnership in December, patients overwhelmingly believe that electronic health records (EHRs) are essential to making sure providers have timely access to information that can help avoid medical errors and repeat tests.1 Consumers also want and use online access to their own health information, largely through patient portals. Almost nine in 10 patients who have such access use it, and it has a significantly positive impact on patient engagement, better care and improved outcomes. Notably, individuals who use patient portals with some frequency are dramatically more likely to say it motivates them to improve their health.
We also know that the role of consumers in health care is changing rapidly, facilitated in part by these emerging technologies, along with evolving economic incentives and rising consumer expectations.
These forces are converging, positioning consumers as a potentially potent force for change that can dramatically reshape the way we share and use information in health care — if we can make the process of downloading, managing and sharing health information easy, private and secure.
What does it take to unleash this consumer potential? Let’s look at how our system works today. In my case, I have a primary care physician (PCP) who uses an EHR. I also have a high-deductible health plan, which means that I often seek out care from places that have published price lists and are convenient — like a web-based service that, earlier this year, allowed me to “see” a doctor online on a Sunday morning for just $49. As a result, health care data about me exists in several different places — with my doctors, my health insurer, MinuteClinic, my web-based doctor service, and more. This is not usual for most Americans — all of us have data spread across a patchwork of providers and systems.
But few if any of these systems talk to each other, which means that no single provider can see a complete picture of my care. So how can I, and the millions of consumers like me, become a force for change that drives health information exchange in the marketplace?
If I could gather my data electronically from all of the health care entities that hold it, and use a safe and secure app to store it, then I could share it with any one of my health care providers, giving them a much better view of my health and my care.
The fact is, as the patient, I am the only one present at all of my health care encounters — so I can potentially amass more data, more quickly and more comprehensively than any single health care entity can today, because I know where it all is. And, in theory, I know how to get it. If I have the data, I can spot errors, avoid repeat tests, detect fraud, help facilitate coordinated care, and much more. I can be the curator of my own health record, sharing it where and when it is needed to improve my care, and for other important purposes like research into precision medicine.
We are close to achieving this vision; both the policies and the technologies exist. But we aren’t there yet. I learned this the hard way when I requested my data from my PCP eight weeks ago. Because the practice participates in Meaningful Use, I should have been able to download my data directly from the patient portal. That is due to an important federal requirement that stipulates patients must be offered online access to view, download or transmit their health information to a third party. Unfortunately, the patient portal was broken and the practice had no plan to fix it.
So I decided on another approach that few consumers — and it turns out, few providers — know about. Under the HIPAA amendments made by the HITECH law, I now have a legal right to an electronic copy of my health information. I can exercise this right with any covered entity that holds data about me, as long as they can produce the data electronically. And if they have a Meaningful Use-certified EHR, they can. So I asked my PCP’s office for an electronic copy of my health record.
After convincing them that I wasn’t trying to change doctors and just wanted my record electronically, they told me they “don’t do that;” they only offer paper copies. I told them about my legal right to an electronic copy since they have a certified EHR, and they again simply said they don’t do that.
So I returned a few days later with a copy of the Federal Register, demonstrating my legal right under HIPAA to an electronic copy. Over the course the following week, and many phone calls back and forth, the practice staff figured out how to meet my request. They created a text file, and a second file in a format called CCR, which stands for Continuity of Care Record, and placed both files on a CD-ROM that they left at the front desk for me to pick up.
I quickly learned that having my record on a CD-ROM wasn’t very useful. I could read the text file (once I bought an external CD-ROM drive), but text files aren’t very actionable. So I did what anyone would when faced with a problem — I downloaded an app. The app used the CCR file to summarize and display my medical record in an organized way that I can understand.
This simple medical records request was a big hassle — it caused a lot of friction even though I was simply requesting information to which I am legally entitled — information that is an essential part of my health and care. It required multiple trips to the doctor, several aggravating phone calls, legal and technical knowledge, and persistence. Most consumers won’t have the resources to persist and eventually succeed.
My case is not unique, and it illustrates the many challenges of our current system:
- Many providers and their staff members don’t know we have a right to an electronic version of our records.
- They don’t have workflows to accommodate it — for example, their medical records request forms don’t ask if the patient wants paper or an electronic copy.
- Consumers don’t know about this right. And if we do, we don’t know the best ways to ask for the data — that we should avoid PDFs in favor of structured data, and what our options are to get structured data. Many also don’t know about their ability to download data via their portals.
- Most of us don’t know what to do with the data once we get it. Which app should we use? What are that app’s policies and practices on privacy and security? We also don’t know that once we download data from my doctor, hospital or other covered entity, and upload it into an app like a Personal Health Record (PHR), that data is no longer covered by HIPAA unless the app developer is itself a covered entity. That means the developer could sell my identifiable health information.
- And finally, to drive heath information exchange, EHRs need to be capable of ingesting data from consumers, and making it actionable.
These are challenges, to be sure, but they can be addressed in the very near term. And if we overcome them, the potential of consumers to unravel the knot that binds our health data in silos is enormous. If consumers can make a concentrated tug on the rope and demand their data, starting right now, it can enable systemic change. In my case, just asking for my records electronically produced results – because of my experience, my doctor is now making changes to their records request process to make it easier patients in the future.
To do that, we need to take the friction out of the process for consumers. There are a range of actions we can take in three broad areas over the next 24 months to achieve change. The good news is that none require legislation. They can all be done by administrative action, by the private sector or with public-private collaboration. However, a little nudge from Congress can help:
- Equip consumers with the tools and awareness they need to exercise their rights to their digital health data.
- Better educate consumers about their legal rights, and about the use of patient portals for downloading and using health data. The U.S. Department of Health and Human Services (HHS) has many mechanisms for doing so, one of which is the Office of Civil Rights (OCR). OCR has a webpage to help consumers understand and exercise their privacy rights. Content should be updated to emphasize electronic requests over paper-based ones.
- Develop and disseminate tools to help consumers understand how/where/what and what format to request, what to do with the data, where to securely store it, and how navigate roadblocks along the way.
- Make the process of requesting data easier. How can we automate it? A small group of leading experts, consumer advocates and former policymakers are catalyzing action in this area right now. Developers are working on tools such as the Vocatus tool, which enables consumers to request their health data online. Others are working to fix problems with patient portal download features.
- Give providers the tools and incentives to make consumer use of digital data the norm in health care:
- Work through HHS to educate providers about how to meet the demand for digital health information — through patient portals and through other means of downloading data such as Blue Button (which Medicare and the Veterans Administration already use), or the Direct protocol — a secure email link between patients and providers.
- Use the federal EHR certification program to create the capacity for EHRs to incorporate consumer-generated data and make it easy for providers to analyze and act on.
- Advance federal policies that enable consumers to routinely request, download and use their own health data in private, secure and valuable ways. Focus on two areas:
1. First, support policies that drive more information sharing by:
- Finalizing the proposal to include open Application Programming Interfaces (APIs) in the federal EHR Certification program. APIs will help break down information silos in health care.
- Preserving and strengthening the Meaningful Use view/download/transmit requirement, most commonly met by offering patient portals which deliver functions patients want like secure messaging with their providers, online medication refills and data downloads. We must preserve both the requirement that the technology is in place, and the requirement that a percentage of patients use it at least one time during the reporting period. Regardless of whether the number is five percent or something else, CMS’s recent proposal to drop this threshold to just a single patient will completely undermine efforts by consumers who want to have and use their data. Requiring providers to actively engage with a percentage of patients is an essential mechanism for changing consumer expectations and enabling consumers as a force for change.
- Encourage the Office of the National Coordinator (ONC), the Federal Trade Commission (FTC) and OCR to finalize and widely disseminate best practice guidance on protecting privacy and security for app developers. Under its existing authority, the FTC can enforce voluntary best practices for those who adopt them.
- Ask the public and private sectors to come together and explore how to evaluate apps on a range of aspects, including privacy, security and usability. My own research into the privacy policies and data sharing practices of the apps I considered for my record required hours of reading and the ability to decipher a lot of legalese. We should incentivize more app developers to use ONC’s model PHR notice for consumers. It enables consumers to quickly and easily compare privacy policies across apps, including whether or not the developer sells consumer data for marketing or to employers and/or insurance companies. But it should be promoted much more aggressively by the federal government.
- Shorten the timeframe for meeting records requests under HIPAA from 30 days. Patients should have the data as soon as doctors do, and where digital records make that possible, the law should not provide a basis for delay.
- Require providers to offer an ongoing data feed, at least where it is feasible, so patients don’t have to submit requests again and again. There are technical standards that already enable this.
- Establish that it is willful neglect to deny a patient access (or even claim HIPAA precludes it), unless the provider in good faith is relying on one of HIPAA’s exemptions.
2. Second, privacy protection — there is no question consumers want and support greater online access to their own health information. Consumers also care about privacy. Now that health data is increasingly accessible in digital form, an app market is rapidly emerging, bringing with it both benefits and risks. We need to enable the market and protect consumers who are using apps to manage their data. To do so, we should:
If all that sounds technical, the challenge before us really is quite simple and straightforward. More than that, success is within reach. By taking some of the steps I have outlined, we can make it possible for consumers to finally stop being the “sneaker net” — patients who have to walk our records around to different doctors — and start leveraging the Internet to drive quality, value and patient-centered care.
1 Engaging Patients and Families: How Consumers Value and Use Health IT. National Partnership for Women & Families, December 2014. www.nationalpartnership.org/patientsspeak.
A PDF version of this testimony that includes citations can be found here.