CLEVELAND -- Cost and security concerns about bringing health care record keeping into the 21st century through electronic health records (EHR) have led to a call for an effective regulatory and oversight system from a pair of Case Western Reserve University professors.
"Electronic information can be illicitly accessed from anywhere and transmitted across the globe quickly, cheaply, and with little risk of detection," said Sharona Hoffman, professor of law and bioethics at the School of Law. "EHR systems could transform health care in the U.S., but their potential will be realized only with careful oversight."
Hoffman, along with her husband, professor Andy Podgurski from the Case School of Engineering, is responsible for one of the first scholarly studies to assess the need for federal regulation of electronic health record systems. "Finding a Cure: The Case for Regulation and Oversight of Electronic Health Record Systems" (Harvard Journal of Law and Technology, forthcoming 2009) comes on the heels of two previous publications by the two on security and privacy issues of EHRs and critiques of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
Most Americans would argue against an increase in government regulation, but Hoffman believes that some regulation in an area like health care record systems is needed.
"We regulate drugs, transportation, communication, food, and many other goods and services," she said. "A safe and effective transition to computerized medical records cannot be achieved without federal regulation."
The pair realized the dramatic implications of EHR systems for both law and computer science and the need for further study in a discussion over dinner. Additional conversations led to their joint research agenda and regulatory framework. They hope their work will reach policy-makers and be influential as the country continues to transition to EHR systems.
"Electronic health records systems offer great promise for significantly improving health care in the U.S. and around the world," said Hoffman. "However, their complexities generate many risks of software and hardware failures and adverse patient outcomes, and thus they require rigorous regulation. This is an exciting time for health information technology, but it must be approached cautiously and thoughtfully."
Currently the Certification Commission for Healthcare Information Technology (CCHIT), a private organization, conducts one-day testing of EHR systems. Hoffman and Podgurski, however, believe that CCHIT's certification process is not sufficiently thorough and has several important shortcomings.
The professors suggest that CCHIT oversight be replaced by governmental oversight and that an extensive testing and approval process be established. Without this testing, new EHR systems should not be marketed, just as drugs and devices cannot be sold if they have not been approved by the Food and Drug Administration (FDA). In addition, EHR systems must be subject to monitoring throughout their operational lifetimes to ensure that technical problems are detected and resolved.
When asked who should be responsible for this regulation, Hoffman replied, "Some may think the FDA is the natural choice. However, the FDA is currently a beleaguered agency, which is heavily criticized and plagued by insufficient resources. In addition, the clinical trial model that is used for drug and device approval is not a good fit for EHR systems."
Instead, the researchers suggest regulation by the Centers for Medicare & Medicaid Services, which already enforce the HIPAA Security Rule, or a newly created agency with jurisdiction over health information technology.
Financial support and incentives are also critical to the success of the transition to EHR systems.
Hoffman and Podgurski explain that many of these problems can be solved through careful attention to system usability and user interface design. They suggest that federal regulations include a "best practices" standard and guidance as to how optimal usability is to be achieved. They also emphasize the importance of interoperability, which will allow EHRs to be transmitted electronically from one provider to another so that work does not have to be duplicated each time a patient sees a new clinician.
Their previous publications, "Securing the HIPAA Security Rule," (Journal of Internet Law, February 2007) and "In Sickness, Health and Cyberspace: Protecting the Security of Electronic Private Health Information," (Boston College Law Review, March 2007) were the first to provide an extensive critique of the HIPAA Security Rule, which governs the security of electronic health information. The two found major flaws in the rule that, if unchanged, could prevent health records from remaining confidential. The HIPAA Security Rule covers only health plans, health care clearinghouses, and health care providers who transmit health information electronically for particular purposes, generally claims or benefits activities. It does not regulate others who might possess personal health information, including employers, marketers, or website operators.
The Security Rule does not allow aggrieved individuals to sue in court and thus its deterrence and remedial capacities are limited. It also does not provide clear guidance regarding which security technologies to employ in order to address security vulnerabilities, which hinders compliance with the Rule. Hoffman and Podgurski recommend expanding the definition of "covered entities," adding a private cause of action and establishing a "best practices" standard for security safeguards.
After publishing their HIPAA Security Rule critique and recommendations, they realized that many issues beyond privacy and security remained unaddressed, leading to the development of this most recent study.
Contact: Jason Tirotta
Case Western Reserve University