Since Feb 17, 2009 when President Obama signed into legislation the Health Information Technology for Economic and Clinical Health Act (HITECH) as a part of the 2009 stimulus package, the incentives were promised for the adoption in health care practices of Electronic Health Records (EHRs).
The Carrot and the Stick
The incentives payments for “meaningful use” range from $63,750 over 6 years by Medicaid to maximum payments of $44,000 over 5 years for Medicare. The penalty for not adopting by Medicare will be 1% of Medicare payments in 2015, increasing to 3% over 3 years. Stimulus money is granted based on meaningful use of an EHR system.
Stories are rolling in by early adopters now that give cause for a prudent physician to rethink implementation anytime soon of an EHR for his/her practice. Here is a sampling:
- EHRs can be hacked and doctors will be held accountable. A total of 385 breaches of protected health information affecting over 19 million records have been reported since August 2009 (Redspin Breach Report 2011). Redspin also reports that industry estimates have put the value of a stolen health record on the black market at about $50 per record. For me, this is the biggest red flag for implementing an EHR now. Vendors are offering solutions in the form of data “masking”, but this could increase the cost of the systems.
- EHRs have stringent audit requirements under the HITECH Act. Health care organizations are expected to monitor for breaches of PHI. Audit logs must be kept. Audit strategy, process, and implementation tools must be used to meet stage 1 meaningful use criteria. Sanctions to employees for not following protocol. Healthcare facilities leave themselves vulnerable to individual and class action lawsuits when they do not have a strong enforcement and audit program in place for their EHR.
- EHRs are expensive to implement, both in terms of money and in terms of time. Dollar costs range from free (Practicefusion) to tens of thousands for such EHR vendors as Allscriptsor eClinicalWorks + ongoing maintenance costs. But don’t’ forget the time investment. Even small EHR systems can take 2 years to implement. I have just witnessed a client’s large practice literally crippled with the initial time investment required for staff and physicians to learn the system. Half staffing the front desk and other areas so employees can go to training has caused a drain on both patient and employee morale.
- Legal concerns are still unanswered regarding EHRs. Currently the debate is still on about who owns the electronic data. The EHR vendor will tell you that you do. HIPPA gives the patient the right to see their record or chart, and the right to have a physical copy of their record based on a reasonably cost for copying and postage. Typically doctors share medical records with other health care providers as a professional courtesy. Empowered patients think they own their records. According to a referenceregarding an HIMSS white paper, a patient owns the data in a Continuity of Care Document and has the ability to input and access that information.
- Obtaining meaningful use stimulus payments is not a given. I met with a physician owner client a few months ago in Arizona that has implemented an EHR for their specialty practice and was hoping to receive the stimulus payment for stage one by completing the 20 criteria needed. After plowing through the 31-page “Arizona Medicaid EHR Incentive Program”guide provided by The Arizona Health Care Cost Containment System Administration or AHCCCS, which is the Arizona arm of Medicaid he turned in his application, which was denied. His initial reaction was that the program did not have the funding in Arizona, but that seems not to be the case as a number of large payments have been made now in the state. Banner Healthcare, which operates the largest hospital system in the state with thirteen inpatient facilities, reported a total of $12.4 million in Medicaid booty for implementation of its NextGen Healthcare EMR systems in 2011. It appears that there is a learning curve involved here and the smaller practices will catch up while the hospitals currently seem to have better systems in place to capture the stimulus money. An entire MU industry has emerged to help physicians such as my client perfect their stimulus applications.
Risk vs. Reward
In the investment world I am always comparing risk vs. return when managing my client’s portfolios. At times in the marketplace, for various reasons, it just does not make economic sense to make certain investments as the possible risks far outweigh the potential return. An easy example now is the investment in “safe” longer-term treasury bonds. With a near 40-year low in interest rates, the 30-year treasury today yields 3.18 %. Yet if interest rates rise 1% in the marketplace, that 30-year treasury can drop 12%. A 2% rise can result in a fall of 22% in value. It would take 7 years accumulating 3.18% to offset the loss in value caused by a 2% rise in rates. I do not think rates are going up 2% tomorrow, but I just do not like the risk/reward spectrum here. Likewise, the biggest concern currently I have with EHRs is data breeches, as mentioned above, and the stiff penalties involved currently. Paper systems look a whole lot cheaper and safer when considering the ease at which a data breech can occur with electronic data. Fines, criminal sentencing, and disciplinary action by licensing boards are risks that may not worth taking considering current history on data breeches. Consider the following examples from the past few years enforced by the Office for Civil Rights (OCR), the enforcement side of the US Department of Health and Human Services that enforces HIPAA, and by employers and licensing boards:
Incident: A terminated researcher at UCLA School of Medicine retaliated by accessing UCLA patient records (many celebrities) 323 total times over the next four weeks.
Penalty: 4 years in prison for the terminated researcher for violating HIPAA Privacy Rules
Incident: Thirteen staff members at UCLA hospital accessed Britney Spears’ medical records without authorization.
Penalty: UCLA fired the 13 individuals, suspended another six.
Incident: A doctor and two hospital employees accessed the medical records of a slain Arkansas TV reporter. Details were leaked to the press of her attack.
Penalty: All pled guilty to misdemeanors for violating HIPAA privacy rules and were sentenced to one-year probation. The three all were curious about the case and “peeked” at the patient’s record as employees of the hospital, even though she was not their patient. The doctor’s privileges were suspended by the hospital for two weeks; he was fined $5,000 and ordered to perform 50 hours of community service by speaking to medical workers about the importance of patient privacy. The two other employees were terminated.
Incident: Cignet denied 41 patients, on separate occasions, access to their medical records when requested.
Penalty: Initial violation was $1.3 million. OCR concluded that Cignet committed willful neglect to comply with the Privacy Rule and fined an additional $3 million.
Incident: 57 unencrypted computer hard discs containing PHI of more than one million people was stolen from a storage locker leased by Blue Cross Blue Shield of Tennessee (BCBST).
Penalty: OCR fined BCBST $1.5 million in settlement. The fact that BCBST secured the information in a leased data closet that was secured by biometric and keycard scan in a building with additional security was not enough. BCBST also spent $17 million in investigation, notification and protection efforts and had increased future compliance costs.
Incident: Health Net discovered that nine portable hard drives that contained PHI and personal financial information of approximately 1.5 million people were missing. The hard drives in question went missing from an IBM-operated datacenter in Rancho Cordova, California.
Penalty: The complaint alleged violations of HIPAA. Connecticut Insurance Commissioner wins a $375,000 fine for failing to protect member information and not reporting in a timely manner just months after the Connecticut AG won a $250,000 settlement for the breach. Vermont’s AG jumps in and gets a settlement of $55,000 to the State because 525 Vermonters were on the lost drive.
Incident: WellPoint / Anthem Blue Cross became aware that its customers’ health applications and information website, which contained up to 470,000 applicant’s information, was potentially publicly accessible when an applicant alerted the company that altered URLS after an upgraded authentication code could allow access to other people’s information.
Penalty: WellPoint / Anthem agreed to the terms of a class action lawsuit filed in California that will provide $1.5 million in general settlement, with an additional donation of $250,000 to two non-profit organizations aimed at protecting consumer’s rights, $150,000 donated to Consumer Action and $100,000 donated to the Public Law Center in Orange County. WellPoint / Anthem also agree to pay $100,000 to the state of Indiana for the data breach that exposed 32,000 state residents. A 2009 Indiana law requires companies to notify the state of certain data breaches within a certain period that was not met.
These examples point out the risks involved of managing an EHR for your practice. Notice that most cases here were due to careless, innocent lapses of judgment. Also in many cases actual damages either did not occur or were hard to prove. The new HITECH act extends HIPAA to allow the states’ attorney general to also bring actions, which adds more salt to the wound. Also, notice that even when the health care provider regarding storing the data exercised extreme care (BCBST with biometric, keyscan leased lockers and Health Net employing IBM’s “secure” datacenter), the health provider was sued and fined. Smaller medical practices could be more susceptible to EHR data breaches, if bad password management practices occur and website maintenance problems, protocols, and training are not firmly in place.
Establishment of an EHR for all medical practices seems inevitable, but 2015 is still a few years off before the first 1% Medicare penalties hit. Physicians need to exercise caution and understand all the risks before implementing an EHR for their practice.