PHRs, EHRs, privacy, functionality, and what the future might hold

I had the opportunity to give an informal talk at a NEHIMSS gathering earlier this week. 

It was a perfect storm: Google Health finally went live on Monday (and now I am the last blogger to blog about it), and a local institution has been involved as one of the first cohort of providers and others that can deliver patient records to Google Health should a patient choose to make that happen.  The patient privacy advocacy community is all fired up about the potential privacy issues brought to the fore not only by PHRs, but also by EHRs and by components of those systems, and related systems, that are being further defined these days at various levels — consider, for example, the e-prescribing regs issued recently by CMS (see related press release and e-prescribing page), as well as the overarching Wired for Health Care Quality Act.  Letters have been written, reports issued.  Senate sponsors have apparently agreed to make some changes to the Wired Act, though some observers wonder if Ted Kennedy's health issues will derail action on the bill.  Not all advocates are satistfied, and there is another bill (known by its clever acronym, TRUST) wending its way through Congress as well.  Other observers believe that the privacy issues are so significant, and the opportunity to share EHR data with those who need it (i.e., other clinicians) is just around the corner, that the consumer-facing PHR business model is in serious trouble.  The Commonwealth Fund got into the act, too, releasing a report on a number of EHR implementations and the measurable benefits that accrue from their use.

We had an interesting discussion about the benefits and burdens associated with PHR and EHR systems — from evidence-based medicine built on appropriately-blinded secondary use of data, to better patient management through tracking of the filling of e-prescriptions.  While there are a lot of regulatory initiatives out there to promote EHRs and e-prescribing, the government is not mandating their use. Instead, it seems to be in the business of establishing standards (if you adopt such a system it must have certain features and be interoperable with other systems.  It is ceding the field to payors, who are likely to continue to mandate being wired as a condition of provider network participation.

Back to the question of regulation:  HIPAA seems to have left some gaping holes through which Microsoft's HealthVault and Google Health may pass.  Those companies say that their privacy policies are more stringent than HIPAA and Google has said recently that serving ads on Google Health is not in the cards.  The problem with relying on these statementsis simply that they are voluntary policies adopted by businesses that may change them over time.  Other related parts of the health care information economy are similarly untouched by HIPAA. 

This raises the perennial issue of the regulator: how do we regulate what is not covered by law?  This, in turn, raises a philosophical question about the nature of regulation, and the degree of specificity that is needed in a statutory or regulatory scheme.  (The more specific, the shorter the shelf life.)  Check out a fascinating discussion of rules-based regulation vs. principles-based regulation in a recent issue of The New Yorker.  While the magazine column is focused on US Treasury regulations (do we prevent another Enron or Bear Stearns debacle only by writing rules that would have limited specifically what Enron and Bear Stearns did, after the fact?), its points are generalizable to other regulated industries:  Why not establish broad principles (as many EU countries do) that allow for broad discretion on the part of regulators?  For example, financial statement disclosure need not be one-size-fits all.  Let's give regulators the tools to prevent the next debacle before we even know exactly what it will look like, instead of always fighting the last war.  One argument against the principles-based approach: if one believes an Administration to be unprincipled (or to have the wrong principles), then one cannot blithely grant broader discretion to the regulators.  It will be interesting to see whether the principles-based approach to rulemaking gains traction in other federal agencies.

— David Harlow