Medical Data Held For Ransom

Picture the scene: a reasonably-sized medical practice in the United States — 150 doctors and their staff at 50 clinic sites — all using the same electronic health record system. Given the size of the practice this group has its own IT staff. It houses huge amounts of clinical record data for its many thousands of patients. As part of the regulatory system in the United States this group, like most others, is required to submit various clinical quality measures to the federal government (CMS) — measures derived from their clinical data.

The practice finds a vendor to perform the task, only to find out that when they go to query the data there is an elaborate extortion mechanism preventing them from doing so. To get their own data out of their own system, they’re going to have to pay $45,000.

This is now happening across the country to more and more physician practices, and with the onset of MACRA/MIPS (a data-driven Medicare payment system that will reward physician practices for quality of care) more and more practices are scrambling to get their clinical data extracted, measured, and submitted.

So who’s holding the physicians and their data to ransom? Russian hackers? Romanian script kiddies? Nigerian princes?

It’s the company that sold them their Electronic Health Record system.

The Goal

This entire time, I’ve harboured a desire to create a way to report the quality of care provided yesterday, last week, this month. Currently, health care quality reporting is mired in the pursuit of perfection. The data must be perfect, the measurements unassailable, the findings scientifically reliable. This may sound like common sense, but it has led to a world where, although we have health care quality reports freely available to all, they usually represent care delivered more than a year ago. In some cases, several years ago. We routinely sacrifice good at the altar of perfect. Worse, the data we do have is often pilloried by the establishment because it is based in large part on administrative billing data instead of clinical data.

To which, I reply, “so give me the clinical data”.

To which, for the most part, they say “no”.

The Problem

Around the country companies such as mine were then contracted to help these health care providers figure out which system worked the best for them, and how much it would cost in relation to the available money that was about to be showered on them by either the federal or in some cases state government. Oddly enough, most EHRs seemed to cost roughly what the per physician grant was, something in the vicinity of $45,000 over the adoption period.

Thus began the great EHR boom. Company after company started regurgitating and updating old EHR systems or building new ones, flooding the market with a plethora of closed source, standards-free, proprietary systems that lay the groundwork for the complete lack of interoperability we have today. Despite several excellent standards-making organisations being in the arena, no real method for communicating medical data was ever baked into any of these systems. And none was ever enforced by the people paying for it, neither HHS nor the states which were simultaneously loading Medicaid dollars on the EHR bandwagon.

There are now over 600 EHR vendors supplying certified EHR products. And, of course, there are now over 600 data standards. And not one of them talks to another in any meaningful way.

So here I am, working at a non-profit quality improvement organisation that has secured funds to implement a field-tested clinical data registry for a group practice. The practice has agreed, we know the data, we know the system, we know the measures. All we need to do is send a query to the database.

But we can’t.

The EHR vendor in question has demanded a recurring fee for access to the data. For us to get the data we need read-only credentials, and to get those someone has to ask the vendor. And the vendor has decreed that “supporting” this query will cost $300.

Per physician.

Per year.

That’s right, database connectivity pricing based not on the amount of data, not the IO, not the storage… but on the number of customers. This could be for self-hosted or managed data.

This is not uncommon. Information blocking of this type is becoming more and more widespread, perhaps because the taxpayer dollar fountain is starting to peter out and the EHR vendors need new sources of revenue.

I believe that public money should provide public benefit. I believe that government-procured technology should wherever possible be the shining light of standards and openness. I believe that if we the taxpayer bought billions of dollars’ worth of software, it should be able to produce meaningful, interoperable data in the spirit of the law under which it was funded.

The Status Quo

In April of 2015, the ONC report to Congress on Information Blocking found that:

Most complaints of information blocking are directed at health IT developers. Many of these complaints allege that developers charge fees that make it cost-prohibitive for most customers to send, receive, or export electronic health information stored in EHRs, or to establish interfaces that enable such information to be exchanged with other providers, persons, or entities. Some EHR developers allegedly charge a substantial per-transaction fee each time a user sends, receives, or searches for (or “queries”) a patient’s electronic health information. EHR developers may also charge comparatively high prices to establish certain common types of interfaces — such as connections to local labs and hospitals. Many providers also complain about the costs of extracting data from their EHR systems for their own use or to move to a different EHR technology.

As I write this, we are in the opening weeks of 2017. Little has changed.

And all this despite the fact that just a few weeks ago, Congress finally put some teeth into interoperability, in the form of new law.

The Cure

The new law defines interoperability as health IT (HIT) that:

“Enables the secure exchange of electronic health information with, and use of electronic health information from, other health information technology without special effort on the part of the user”

“Allows for complete access, exchange, and use of all electronically accessible health information for authorized use under applicable State or Federal law”

Section 3022 defines “information blocking” as a practice that “is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information; and if conducted by a health information technology developer, exchange, or network, such developer, exchange, or network knows, or should know, that such practice is likely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information”.

There are just under a million active physicians in the United States. At $300 per physician, the fees being imposed by the EHR vendor community could add over $277,000,000 for each registry or system that needs to connect to the nation’s EHR databases. Does this “materially discourage the access, exchange or use of electronic health information”? It does for me.

For the current project referenced above this would cost an additional $750,000 per year in additional EHR vendor fees, and that’s $750,000 that was neither expected nor budgeted. Therefore, it’s not there to be spent. The planned overall technology connection budget worked out to roughly $200 per physician, so the EHR vendor fees more than double the cost!

Yes, there are costs to running database queries. If data is tied up in a hosted SaaS solution, by all means charge me a few thousand to connect up and make sure we’re not hurting anything. But let me have the data. And if it’s not a SaaS implementation, then keep your nose out. I work for a HIPAA-compliant organisation that has transacted in paper-based medical record data since 1984. We would love to join the march of progress and get rid of the boxes and boxes of paper. To do so, we need to be able to transact in the same data using the new medium with these new players.

The gold rush is over; now these folks have to figure out sustainable revenue models. Which, apparently, includes holding their customers’ data for ransom.

I just think it’s a crying shame.

Disclaimer: The views and opinions expressed are my own and do not necessarily represent the views and opinions of my employer.