Medical Data Held For Ransom


Picture the scene: a reasonably sized medical practice in the United States — 150 doctors and their staff at 50 clinic sites — all using the same electronic health record system. Given the size of the practice, this group has its own IT staff. It houses huge amounts of clinical record data for its many thousands of patients. As part of the regulatory system in the United States, this group, like most others, is required to submit various clinical quality measures to the federal government (CMS) — measures derived from their clinical data.

The practice finds a vendor to perform the task, only to find out that when they go to query the data there is an elaborate extortion mechanism preventing them from doing so. To get their own data out of their own system, they’re going to have to pay $45,000.

This is now happening across the country to more and more physician practices, and with the onset of MACRA/MIPS (a data-driven Medicare payment system that will reward physician practices for quality of care) more and more practices are scrambling to get their clinical data extracted, measured, and submitted.

So who’s holding the physicians and their data to ransom? Russian hackers? Romanian script kiddies? Nigerian princes?

It’s the company that sold them their Electronic Health Record system.

The Goal

I got into health care quality improvement in 2001. Coming from a technology background, I quickly saw that there was ample opportunity to disrupt the industry. Since then, I and my team of statisticians and software engineers have supported hundreds of government-funded quality measurement, improvement and reporting activities with various technologies and tools, and published millions of rows of health care transparency data in the form of comparison Web sites and health care profiles. We’ve worked with national philanthropies and state governments to better direct the money available for quality measurement and reporting, along the way supporting folks like the Leapfrog Group, the Commonwealth Fund, and others who are in the business of making the cost and quality of health care more transparent.

This entire time, I’ve harboured a desire to create a way to report the quality of care provided yesterday, last week, this month. Currently, health care quality reporting is mired in the pursuit of perfection. The data must be perfect, the measurements unassailable, the findings scientifically reliable. This may sound like common sense, but this has led to a world where although we have health care quality reports freely available to all, they usually represent care delivered more than a year ago. In some cases, several years ago. We routinely sacrifice good at the altar of perfect. Worse, the data we do have is often pilloried by the establishment as it is based in large part on administrative billing data instead of clinical data.

To which, I reply, “so give me the clinical data”.

To which, for the most part, they say “no”.

The Problem

The Health Information Technology for Economic and Clinical Health Act, abbreviated “HITECH”, was part of the American Recovery and Reinvestment Act of 2009. Under HITECH, the US Department of Health and Human Services spent billions of dollars to stimulate the adoption of health information technology, primarily in the form of shelling out cash to health care providers and facilities to go out and buy electronic medical record systems. HITECH also gave the five-year-old Office of the National Coordinator a mandate to stimulate “Meaningful Use” of health information technology by tying incentive payments to meaningful use as they defined it.

Around the country, companies such as mine were then contracted to help these health care providers figure out which system worked best for them, and how much it would cost in relation to the money that was about to be showered on them by the federal or, in some cases, state government. Oddly enough, most EHRs seemed to cost roughly what the per-physician grant was, something in the vicinity of $45,000 over the adoption period.

Thus began the great EHR boom. Company after company started regurgitating and updating old EHR systems or building new ones, flooding the market with a plethora of closed-source, standards-free, proprietary systems that laid the groundwork for the complete lack of interoperability we have today. Despite several excellent standards-making organisations being in the arena, no real method for communicating medical data was ever baked into any of these systems. And none was ever enforced by the people paying for it, neither HHS nor the states, which were simultaneously loading Medicaid dollars on the EHR bandwagon.

There are now over 600 EHR vendors supplying certified EHR products. And, of course, there are now over 600 data standards. And not one of them talks to another in any meaningful way.

So here I am, working at a non-profit quality improvement organisation that has secured funds to implement a field-tested clinical data registry for a group practice. The practice has agreed; we know the data, we know the system, we know the measures. All we need to do is send a query to the database.

But we can’t.

The EHR vendor in question has demanded a recurring fee for access to the data. For us to get the data we need read-only credentials, and to get those someone has to ask the vendor. And the vendor has decreed that “supporting” this query will cost $300.

Per physician.

Per year.

That’s right: database connectivity pricing based not on the amount of data, not the IO, not the storage… but on the number of customers. And it applies whether the data is self-hosted or vendor-managed.

This is not uncommon. Information blocking of this type is becoming more and more widespread, perhaps because the taxpayer dollar fountain is starting to peter out and the EHR vendors need new sources of revenue.

I believe that public money should provide public benefit. I believe that government-procured technology should wherever possible be the shining light of standards and openness. I believe that if we the taxpayer bought billions of dollars’ worth of software, it should be able to produce meaningful, interoperable data in the spirit of the law under which it was funded.

The Status Quo

Six US Senators pointed out the very same issues in 2013. Five of them pointed out that nothing had changed two years later.

In April of 2015, the ONC report to Congress on Information Blocking found that:

Most complaints of information blocking are directed at health IT developers. Many of these complaints allege that developers charge fees that make it cost-prohibitive for most customers to send, receive, or export electronic health information stored in EHRs, or to establish interfaces that enable such information to be exchanged with other providers, persons, or entities. Some EHR developers allegedly charge a substantial per-transaction fee each time a user sends, receives, or searches for (or “queries”) a patient’s electronic health information. EHR developers may also charge comparatively high prices to establish certain common types of interfaces — such as connections to local labs and hospitals. Many providers also complain about the costs of extracting data from their EHR systems for their own use or to move to a different EHR technology.

As I write this, we are in the opening weeks of 2017. Little has changed.

And all this despite the fact that just a few weeks ago, Congress finally put some teeth into interoperability, in the form of new law.

The Cure

On December 16th, 2016, Congress passed the 21st Century Cures Act. This bill constitutes nearly a thousand pages of new health care regulation, mostly aimed at rebooting the way the US approves new medicines, but buried in section 4003 is the following:

It defines interoperability as health IT that:

“Enables the secure exchange of electronic health information with, and use of electronic health information from, other health information technology without special effort on the part of the user”

“Allows for complete access, exchange, and use of all electronically accessible health information for authorized use under applicable State or Federal law”

Section 3022 defines “information blocking” as a practice that “is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information; and if conducted by a health information technology developer, exchange, or network, such developer, exchange, or network knows, or should know, that such practice is likely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information”.

There are just under a million active physicians in the United States. At $300 per physician, the fees being imposed by the EHR vendor community could add over $277,000,000 for each registry or system that needs to connect to the nation’s EHR databases. Does this “materially discourage the access, exchange or use of electronic health information”? It does for me.

For the current project referenced above this would cost an additional $750,000 per year in EHR vendor fees, and that’s $750,000 that was neither expected nor budgeted. Therefore, it’s not there to be spent. The planned overall technology connection budget worked out to roughly $200 per physician, so the EHR vendor fees more than double the cost!

Yes, there are costs to running database queries. If data is tied up in a hosted SaaS solution, by all means charge me a few thousand to connect up and make sure we’re not hurting anything. But let me have the data. And if it’s not a SaaS implementation, then keep your nose out. I work for a HIPAA-compliant organisation that has transacted in paper-based medical record data since 1984. We would love to join the march of progress and get rid of the boxes and boxes of paper. To do so, we need to be able to transact in the same data using the new medium with these new players.

The gold rush is over, and now these folks have to figure out sustainable revenue models. Which, apparently, includes holding their customers’ data for ransom.

I just think it’s a crying shame.

Disclaimer: The views and opinions expressed are my own and do not necessarily represent the views and opinions of my employer.
