A couple years ago, we reported on hackers who stole and encrypted consumer medical records and demanded payment to “release” the records (see A New Twist: EHR Extortion). This is clearly a criminal act – along with the very significant hacking of health care recordkeeping systems that has appeared in the popular press over the past few months – Premera Blue Cross Healthcare Breach Affects 11 Million, Highmark: 51,000 Pennsylvania Customers Affected By Anthem Data Breach, and 30,000 Rhode Islanders Hit By Health Data Breaches.
But there is another controversy over access to consumer health records where the issues are not quite so clear. With consumer health records “in the cloud”, access to those records is gained through the electronic health record (EHR) vendor. But can EHR vendors cut off access to consumer records for any reason? An example is the reported dispute (originating from a rate increase that raised maintenance fees from $300 to $2000 a month) between CompuGroup and Full Circle Health Care (see Billing Dispute Leads To Blocked Patient Data In Maine). CompuGroup has decided to take an uncommon step and block access to the medical histories on 4,000 patients in response to the billing dispute. The perspective of the provider organization managers is that the decision poses a potential threat to patient safety, as “clinicians have lost access to view diabetes records that include blood pressure logs, medication histories, allergy reports, and lab results” (see EHR Vendor Holding Patient Data “Hostage”).
I assumed these types of contract disputes – and this isn’t the first such incident with consumer data access as a bargaining chip – were rare and not consequential. But, just two weeks ago, I was surprised to sit in a presentation by the leader of a large accountable care organization (ACO), who said they had made the decision to move from cloud-based data storage to their own servers because of concerns about the vendor fees and access to consumer data. A little research on the subject found some different perspectives on this issue – one being that vendors are charging extraordinary fees for facilitating interoperability. One such perspective is in the blog post, Electronic Health Record Vendors Take Patient Data Hostage: What Should We Do?, from Niam Yaraghi, Ph.D., a fellow at the Brookings Institution Center for Technology Innovation, who writes:
EHR vendors have taken patient data hostage and are not willing to release it unless they receive a big ransom. They typically claim that technical problems limit the interoperability of their products. This prevents physicians from sharing their patient records with other doctors. This is like T-Mobile claiming that its users cannot make calls to AT&T customers. The claimed interoperability limitation does not end here. The vendors are proposing hefty charges to allow data sharing between their own customers. Because the market for new EHR products is now saturated, the only revenue source for EHR vendors are charges for data exchange. Currently, they can get away with outlandish charges because they know the incentives from the federal government allow doctors to cover their costs. But if the free money from the government were to stop, then EHR vendors would have to persuade the physicians to pay for the exchange fees.
The question for managers of provider organizations is how to protect your organization from these kinds of situations. My colleague, Joe Naughton-Travers, has this advice:
While we all like the benefits of cloud-based data systems, there are reasons for concern. There are some issues that can be addressed contractually with your cloud-based EHR vendor – making sure it is clear that you own the data, that you get your data if you end the contract, and exactly in what format you will get that data. But that still doesn’t address the fact you don’t have a copy of the data itself. More and more providers I work with request a periodic copy of the consumer dataset – sometimes just to facilitate off-line reporting and analysis — and more often to have a back-up for emergencies or other contingencies like this.
For more resources on EHR contracting, check out these resources in the OPEN MINDS Industry Library:
- Choosing An EHR Software System: Best Practices In Vendor Selection & Contracting
- Choosing The Right EHR For You: Best Practices In Vendor Selection & Contracting (Executive Web Briefing Recording)
- EHR From Plan To Reality: Best Practices In Vendor Selection, Contracting, & Implementation
- EHR ‘Square One’
- EHR Contracts: Key Contract Terms For Users To Understand
- Doctors’ Office Quality – Information Technology (DOQ-IT) Project Contracting Guidelines With EHR Vendors
Access to consumer health data and participation in health insurance exchange activities are key to specialist organizations’ strategies for future sustainability. This is an issue that needs attention – with best practice contracting models.