- Providers have to verify that the patient has given consent for the use of that medical data (the HIPAA rules) by others in non-emergency situations, and the so-called consent management process is even more fractured than the system around medical records.
- State laws and requirements differ on medical records (especially around areas such as drug and alcohol treatment, pregnancy, and HIV) and what can be shared, so cross-state sharing is further complicated.
- The organizations that have been set up to facilitate EHR data exchange across providers -- known originally as regional health information organizations (RHIOs), then as health information organizations (HIOs), and now as health information exchanges (HIEs) -- are a motley lot, with highly variable data mapping capabilities that make reliance on them a crapshoot. Worse, many refuse to take legal responsibility for the data they map and transmit -- they tend to be small companies operating on thin margins -- which means many providers refuse to use them.
- That trust issue extends to providers, notes Mac McMillan, CEO of health care security consultancy Cynergistek. EHRs have a standard for information management that includes security, but other medical systems -- inside hospitals, at insurers, and at HIEs -- do not. There's no trusted environment for the data that providers keep, yet they're held responsible if the information is used outside of patient consent rules. McMillan notes that 30 percent of hospitals have no information security officer and overall security spend at hospitals is less than half that of other regulated industries such as finance.
- There's no consensus on how to handle patient-generated data, such as from at-home blood pressure monitoring or from fitness tools like the Fitbit. Including this data in the formal medical record carries legal risks for providers: Is it accurate? Should they monitor it closely? How should they act on it, if at all? Because formal medical records can never be deleted per law, what happens to dubious or bad data? But not having access to it deprives providers of context that could be useful. In any event, such personal health records (PHRs) are today outside any EHR data-sharing plans.
- There's no strong business case for health data interchange. "Hospitals don't want to lose patients or share care -- and thus revenue," says Dr. Wayne Guerra, marketing chief at mobile health app maker iTriage and contributor to the Mobile HIMSS Roadmap, which is meant to help hospitals deliver on patient engagement via wireless and mobile devices. Benefits today mainly accrue to patients. A change to pay-for-performance will shift the balance so that providers benefit too.
Where technology can help today
Some of these barriers are political issues that technology can't solve; at best it can work around them, such as through pattern matching to narrow down potential patient ID matches. But there are technology efforts under way to help.
The two largest medical providers in the United States (the Defense Department and the Veterans Administration) now have a common backbone, EHR interchange format, and connectivity APIs, based on a service-oriented architecture (SOA) services approach -- a once-hot notion well suited for dealing with federated systems. Their populations have a lot of overlap, so the integration makes sense. Dealing with just two providers means the name-matching is easier than in a multiprovider system, such as across a state or across the country.