Banking on privacy

States and the federal government take contrasting approaches to building large medical record repositories.

As the federal government continues to push for wider adoption of electronic medical records, many organizations are asking how they can efficiently distribute and safeguard all of that electronic medical information once it’s captured.

One strategy is to create banks of records from which authorized doctors and nurses can quickly pull patients’ lab tests and medical histories. Proponents contend that care will improve and medication mistakes will decline when specialists and emergency room physicians have immediate access to the same information that a patient’s primary care physician has.

“There are tangible benefits we could see right away in quality, efficiency and cost savings,” said Dr. David Gifford, director of the Rhode Island Department of Health. “There aren’t many things that both help improve quality and lower costs, so it’s a real win-win situation.”

Although EMR banks are potentially beneficial, some privacy advocates have raised concerns. Public-sector medical groups, private hospitals and payer organizations are trying to tackle such nagging details.

EMR banks could get more funding later this year if Congress votes on a revised version of last year’s Independent Health Records Bank Act, a proposal to create nonprofit organizations to manage health records under the scrutiny of the Commerce Department, which would audit security and privacy activities.

In the meantime, a number of states, including Rhode Island and Washington, are developing their own models.

In addition to improving patient care, records banks could save money. Rhode Island has estimated that a third of the $6 billion it spends on health care each year pays for duplicate diagnostic tests and other wasteful expenses because information wasn’t readily available.

Yet privacy fears continue to dog health care information technology. In February, the co-chairman of the American Health Information Community’s Confidentiality, Privacy and Security Workgroup resigned over what he saw as a lack of progress in developing privacy and security policies for a national health information network. The Government Accountability Office recently issued a report faulting the Health and Human Services Department’s larger privacy efforts, concluding that the agency lacked a well-defined approach to key privacy challenges. Public-sector groups are putting concerns like these at the top of their agendas as they develop EMR banks.

Researchers at the University of Louisville in Kentucky are developing a centralized database known as the Louisville Health Information Exchange. The current design, which could be tested early next year, would permanently store medical information from physicians, hospitals and pharmacies in a central repository as part of a patient’s record. The exchange’s board chose to create a central storehouse, rather than a distributed architecture that pulls information from various sources, primarily for security reasons.

“Electronic information about patients is going to be more secure if it is controlled carefully in one place than if it is flying around through the Internet,” said Judah Thornewill, acting director of the university’s Center for Complexity and Health and a member of the exchange’s board.

He said the board’s research showed that centralized databases cost 10 to 20 times less than distributed models. Central repositories could also potentially deliver more accurate data because network delays and other performance factors wouldn’t jeopardize the delivery of complete records to doctors.

“Even if there’s a 99.5 percent probability that the personal health record being shown to the ER doc is accurate, you’ve got a 0.5 percent probability that a critical piece of medical information is missing, which could kill someone in the ER,” Thornewill said.

Not everyone is sold on centralization. So far, Rhode Island officials believe a more distributed approach to data management can be just as secure. “Our model is not necessarily to merge all the data into a single repository where everyone goes in and looks at it,” Gifford said. “Think of ours as a record locator system that pulls data together.”

Rhode Island officials fear that centralization might result in slower response times. “We’re looking at a more fluid, look-up and viewing mechanism that we hope addresses” performance, Gifford said.

The state’s legislature has committed $6 million for a health information exchange, which would need an estimated $14 million more from federal and private sources. At press time, the state planned to finalize negotiations with a systems integrator to build a prototype that would link to hospital systems, a large independent laboratory and other sources of medical data.

Rhode Island will address privacy concerns in two ways. First, people will have the opportunity to opt out of the exchange. Second, those who do participate can determine who can access the information. For example, a patient might allow care providers to call up records but block insurance companies. Other patients might choose to open their records to any of the groups authorized to use the bank.

“Consumers have an appropriate level of cautious concern about confidentiality and access to the data, but they also understand the obvious benefits of having this information together,” Gifford said. The key is providing patients with flexibility and control over who can see their data, he added. “The beauty of an electronic system over a paper system is that we will have an audit of everyone who has viewed your data. Users can see who has been looking at their records.”

Washington plans to build on existing hospital systems to develop a larger EMR architecture. Richard Onizuka, director of health care policy at the state’s Health Care Authority, pointed out that several organizations already have good infrastructures in place using in-house resources or an application service provider model in which a third party runs the application off-site. He cited the state’s Group Health Cooperative and Inland Northwest Health Services as having strong systems.

“We want to do something that takes advantage of the current infrastructure rather than replicating it all over again,” he added.

Onizuka is part of a 12-member Health Information Infrastructure Advisory Board the legislature created two years ago to develop standards and recommend ways to increase EMR adoption. The board issued a 57-page report last December that proposes a Web-based system Onizuka called an account-locator service. It would allow doctors to access records even if they or the patients didn’t know where the medical information was stored. An initial search might deliver a high-value dataset with the most recent diagnostic, lab, pharmacy and allergy information, he said. The system could also give doctors ways to drill deeper into the patient’s history if they needed a more complete record.

The report recommended that the state allocate $9 million to fund additional design work and a test. Onizuka said the legislature was expected to vote on the funding proposal in April.

Structure and security aren’t the only technology challenges proponents of EMR banks must address. In many states, only a small percentage of medical offices use electronic systems, and the ones that do exist might not easily communicate with hospital systems, Thornewill said.

But adoption rates could grow. Doctors’ offices will have an incentive to install EMR applications as “a critical mass of consumers in a community demand that doctors provide copies of their data” to a communitywide system, he said. “A different kind of a market pressure will encourage doctors and hospitals to find new technologies and better ways to interoperate,” he added.

Rhode Island medical officials are working with hospitals, insurers and others to develop financial incentive programs for doctors to move to electronic systems. In the meantime, the state’s emerging health information exchange will likely enable doctors to view and print records via a secure Web connection. “Initially, we won’t be sharing all the information from electronic medical records in each physician’s office,” Gifford said. “That’s a goal down the road.”

Last year, Washington handed out 24 awards of $20,000 each to help small physicians’ offices adopt e-records. “We do this in collaboration with private partners that are helping us to continue that project,” Onizuka said.

Banking your data

States and the federal government aren’t the only ones interested in medical records databases. Commercial financial banks also want a piece of the action.

A group of six $100 billion-plus banks — including Mellon Financial, PNC Financial Services Group and Wachovia — are part of the Medical Banking Project, a private group pushing a plan to use the existing financial infrastructure to aggregate medical information for patient records.

“The paradigm is changing from payment- and remittance-processing solutions to health data liquidity,” said John Casillas, the project’s executive director. “As long as banks meet the stringent [Health Insurance Portability and Accountability Act] requirements, as well as more stringent banking regulations, they can do that.”

Why should patients trust their medical information to commercial banks?

First, banks have systems in place for protecting sensitive data, and requiring them to comply with HIPAA makes them as trustworthy as any health care group for protecting medical files, Casillas said.

Second, banks are already part of the medical process. “In order to move a payment in this country, you have to be a bank,” he said.

“Much of that trail of paper that follows you every time you leave a hospital is very detailed payment data that goes through the banking networks,” he said.