New privacy rules, old technology creating a lot of headaches

What's driving people craziest about the big national push to convert to EMRs? Maybe it's the technology that some people don't like. Maybe it's resistance to change. Perhaps it's the short timeline to implement before the stimulus program starts--Oct. 1 for hospitals, Jan. 1 for physician practices. There's a lot of uncertainty, too, since the rules for "meaningful use" of EMRs aren't final yet and are very much subject to change.

All of those are legitimate concerns, but they pale in comparison to the privacy issue.

The American Recovery and Reinvestment Act tightens HIPAA privacy and security rules, though just like the 1996 HIPAA legislation, it leaves many of the details up to the regulators at HHS. The 2002 "treatment, payment and healthcare operations" exception to the privacy rule is disappearing, meaning that healthcare organizations will have to obtain consent before disclosing personally identifiable health data to third parties.

And that's creating headaches for some IT managers. On Tuesday, I attended a lively panel discussion on privacy at the Institute for Health Technology Transformation's winter health IT summit in Chandler, Ariz. It was lively in part because one of the panelists was Dr. Deborah Peel, founder of the Patient Privacy Rights Foundation and the public face of the battle to get personal health information out of the hands of insurers, pharmaceutical companies and others who might mine and sell data.

Peel, who's passionate about what she does even though she may be Public Enemy No. 1 in the eyes of some EMR vendors, is disappointed that, at least to her coalition of privacy advocates, patients are third on the totem pole in terms of attention to their preferences, after the IT industry and providers. "We were disappointed with the key meaningful use rules and schema because the patient protections were not in there," she said.

This point of view didn't sit well with another panelist, Archie Galbraith, chief technology officer at UCLA Medical Services in Los Angeles. If someone pays cash for a single service during a five-day hospital stay that's otherwise covered by insurance, for example, Galbraith has to find a way to extract the bit of information related to the cash service when reporting the claim to the payer should the patient choose to exclude that data. Then he has to make sure everything gets pulled back together into the EMR so there's a complete clinical record available for clinicians.

Today's EMRs, Galbraith said, are "rubbish" because they are based on old technology and because the industry tends to favor standards over than functionality. And that makes it hard for him to do his job, based on the rules for meaningful use. "I just have to deliver," Galbraith said, "and right now I don't know how to." - Neil