EHRs And The Law: When Interoperability Isn’t a Choice
First off, I’m no legal expert, but recently I had an interesting conversation with the director of HIT at Texas Medical Association, which represents more than 47,000 physicians in the state. I scheduled the call because we wanted to learn more about (and hopefully help them with) the hurdles smaller, clinic-based physicians are encountering when trying to switch EHR vendors, be it to meet Meaningful Use Stage 2 data exchange requirements or to simply move to a vendor that delivers a better product.
Aside from the typical implementation and “Go Live” process, these physicians are facing unplanned fees of another sort in the form of data conversion from the old EHR to the new EHR. One doctor was quoted $12,000 to migrate nine months’ of EHR data – a hefty price to pay for making a bad EHR choice nine months ago. That cost, combined with the price of the new EHR, is simply too expensive for primary care physicians who already invested in an over-hyped and poorly-developed EHR product. If not for Meaningful Use requirements, these costs would have me skeptical of the report in Black Book Rankings that claims 2013 may be the “year of the great EHR vendor switch.”
EHR databases contain much more information than what can be contained in a CCD or Consolidated CDA document, they contain everything such as patient notes, email exchanges, dictation audio files, images, etc., so using an HL7 interface feed wouldn’t suffice to transmit or migrate this amount of data.
Why doesn’t the physician simply point the new EHR implementation team to the server where all the data is stored? Aside from the data mapping complexity of moving data from one database to another, there is the problem of actually getting ones’ hands on the data. In most of these cases, the EHR vendors are more affordable cloud/SaaS hosted solutions. So, the data is wherever the vendor put it.
But, there’s more.
(Note: This is not intended to be an indictment of hosted EHRs. Many operate with an honest, customer-centered approach.)
The “other” issue that came up during the call added an unexpected twist: the law. According to state law, which I’m told can vary between states, most physicians must keep or have access to patient data for seven years after their last encounter with the patient. Requirements for pediatricians are even stricter — they must keep patient data until the patient turns 21.
What happens when a physician quits paying their monthly EHR subscription fees and are locked out of the system? Through these laws, is the government forcing these physicians to either continue paying shoddy EHR vendors and/or pay exorbitant data migration fees? What if the cloud-based EHR vendor goes out of business?
Like I said above, I’m no legal expert so I asked health care attorney David Harlow about this issue. In addition to his legal work, David writes for and manages HealthBlawg, which I read regularly and highly recommend. This is his response:
“If a physician practice is ‘locked out’ of an EHR system, it doesn’t have HIPAA problems, it has bigger problems: inability to provide or coordinate care, inability to deal with audit requests from payors (which might lead to recoupment of payments), inability to defend malpractice suits, etc.
“Therefore, it is critical to negotiate the initial contract with an EHR provider with all of these nightmare scenarios in mind: the agreement should specify the cost of exporting data to a new system if the practice elects to move on; there should be a pre-negotiated transition services and payment section; there should be some external backups that the practice has access to, just in case; etc. We can’t predict the future, but we can be careful about ensuring that when we are surprised by something in the future, there is a mechanism in place for dealing with it. We lawyers are professional worriers — so that’s why there is value to having such an agreement reviewed and negotiated by a lawyer.”
In other words, hire an expert and read the fine print prior to signing an agreement. But many physicians do not take the necessary precautionary steps, which leaves them with few options than spending more money or staying put.
This calls into question the issue of data ownership. Does it belong to the patient? To the physician? From the perspective of these Texas physicians, it apparently belongs to the EHR vendor. But to most readers of this blog, the data really belongs to the patient. It is their body, after all, that produced the data and patients do pay for the medical services in one way or another.
So, assuming the data belongs to the patient, what access will we have to our records if they are locked in a cloud-based system our caregiver can no longer access? According to the HIPAA Privacy Rule, patients have the right to access their protected PHI. Caregivers, rightfully so, must provide the data to their patients, but current conditions may prevent them from following the law.
It is time for EHR vendors to change their tactics by opening access to the hosted databases, let go of the data migration revenue stream and begin backing up their highly skilled sales representatives’ claims of improving patient care.
Kudos to the Texas Medical Association, and others like them, for acting on the physicians’ behalf to try and find a solution to this problem.