Author: Steve Pincus

Live Less and Falter: A Prognosis for American Health Care As We Approach the Rubicon. Prologue

Oh, look outside the window, there’s a woman bein’ grabbed

They’ve dragged her to the bushes, and now she’s bein’ stabbed

Maybe we should call the cops and try to stop the pain

But Monopoly is so much fun, I’d hate to blow the game

And I’m sure it wouldn’t interest anybody

Outside of a small circle of friends

— from `Outside of a Small Circle of Friends`, by Phil Ochs (1967)

Prologue: Why I Left Electronic Medical Recordkeeping

I was unsure whether to expect the best of times or the worst of times with my introduction to electronic medical records (EMRs). My group practice of obstetrics and gynecology had been considered a premier group in our town for many years, and we were supposed to be excited to have been selected as among the first private offices to join into Yale-New Haven Hospital’s conversion to the Epic Systems Corporation (Epic) EMR. For years, I had heard numerous positive comments from colleagues and residents who used VistA, the EMR of the Veterans Health Administration. By all accounts, VistA was quite user-friendly, easy to learn, well-supported, and an overall plus for both physicians and patients. In contrast, more recently, I had heard lots of negatives about academic hospital-based EMRs, that they were dysfunctional, a huge time sink and a pain to use. The benefits of the EMR, for example, that all of your medical information would be instantaneously accessible to all of your care providers, certainly have been prominently trumpeted. So I approached `opening day` with cautious optimism, yet with eyes wide open.

On the very first day of my orientation, a giant red flag immediately emerged. We had been told that `experts` had tailored systems to a physician’s particular specialty and needs, which I was quite pleased to hear. A technical specialist was showing my group our `specially designed` order set, which was supposed to streamline the ordering of tests that obstetricians and gynecologists would regularly request. My hopes were smashed, alas, when I saw that the second test item listed on the specialized gynecological order set was for `Bence Jones proteins`. This was like seeing a lobster soufflé as the second menu item at the new McDonalds in town. Bence Jones proteins are a test for multiple myeloma, a hematologic disease of the bone marrow. Now indeed, I had ordered that test once, in 1975, when I was an intern in internal medicine. Not only would no gynecologist in the United States ever natively order such a test, but indeed many would never have even heard of these proteins. Clearly, no meaningful ob/gyn input had been implemented — so much for `user-centered design` here. I felt both bemused and betrayed, and my antennae went on high alert.

My next enlightenment was in the realm of patient privacy. One of my patients came in for an examination while I was away at a conference. The patient had a fairly minor problem with a vaginal infection, and she felt perfectly comfortable seeing a partner in my group, who treated and cured the vaginitis. My patient had been consulting with me for years about her lack of libido. Indeed, that was the principal reason for her several most recent visits to my office, and the diagnosis of decreased libido was listed as one of her primary diagnoses. My office staff appropriately entered the details of this current visit, along with other recent visits into the Epic system.

Several weeks later, the patient went to visit her dermatologist for a chronic problem with eczema. The dermatologist is one of the most eminent and respected physicians at the Yale School of Medicine. At the end of the appointment, my patient was given a summary printout of the visit, which is standard protocol in this system. Included on the printout was a listing of all of her primary diagnoses, including the diagnosis of “decreased libido.” She called our office and yelled at my office manager for 15 minutes, “How dare you write that I have decreased libido? It’s none of Dr. So and So’s business, and it’s all over the chart!”

But if that’s your diagnosis, it’s in your chart. All culture results and medications are part of the EMR, too. So if you happen to have a positive chlamydia culture for which you were prescribed azithromycin, it’s right there in your chart, for all with access to Epic to read. Certainly it is appropriate that other physicians who might prescribe medications be made aware of possible drug interactions, to avoid unwanted side effects. But does a patient want to allow a former partner or a potential employer to learn that she has an STD, either directly or through the grapevine?

Physicians have good reason to dislike the implementation of the EMR as well. Although physicians are mandated to switch to the EMR by many hospital and insurance systems, minimal technical support has been provided, particularly to affiliated private practices. When we were slated to start using the Epic EMR, I tried diligently to enter 30+ years of chart information for each patient into the computer forms. As I quickly learned, and had been warned, these forms were hardly designed to be user-friendly to physicians, unlike what I would have expected from VistA. It took me anywhere from 30-60 minutes per chart; I was up all night doing this, and none of this time was reimbursed. So I started having our staff technicians enter this chart information into the computer, as did everyone I know. These technicians are certainly well meaning and earnest, but their medical knowledge is very limited. For example, I would find in a chart that a patient carried the diagnosis of osteoporosis. I knew that she did not have osteoporosis; she had been TESTED for osteoporosis, and the bone density test was normal. However, in the computer she was then listed as carrying the diagnosis of HAVING osteoporosis. Of course this is inadequate, but then what were my alternatives? Was I now expected to pull all-nighters for months on end, again without any payment, to convert all of my charts to a non-intuitive and constricted database?

As I wrote up top, a heavily promoted benefit of EMRs is that having your health care data in a computerized system would be terrific, because your data could be instantaneously accessed from anywhere. For example, what if you have chest pain while you are visiting in San Francisco, and your regular care is in New York? Wouldn’t it be great to be able to retrieve your baseline cardiogram from the computer? It certainly would be grand! Unfortunately, as I was very disappointed to learn, at present this is a major misconception. Currently it is very unlikely that the computer system that your physician or hospital in San Francisco is using could “speak” to your local New York system. A large and growing number of totally different, discordant EMR systems are in use across the U.S., so much likelier than not, your cardiogram would be inaccessible from afar. Even the major hospital systems within the small state of Connecticut cannot communicate with each other — New Haven, Danbury and Hartford are about an hour apart from one another, and are on entirely distinct and incompatible systems.

Along these lines, sometimes even sharing a street address is not necessarily good enough. One of my colleagues recently told me a story about her mother, who had been admitted from the Emergency room of a major metropolitan hospital to the hospital’s intensive care unit (ICU). Unfortunately, the ER and the ICU in THAT hospital used different computer systems.  The ICU folks thought that her mother had been admitted for a kidney stone, rather than a kidney infection, and they started treating her with pain medication instead of antibiotics. Her mother spent a very sick month recovering from sepsis, which had worsened because of the lack of communication. Ultimately and fortunately, my colleague was able to intervene once she realized the breakdown that had occurred.

The importance of interoperability, this ability to electronically share records at a distance or across systems, powerfully hit home with me a few years ago, when I learned of the death of an eminent colleague whom I had known for a very long time. She was at the peak of her career, by all accounts quite healthy, and on vacation 2000 miles from home, when suddenly she became acutely ill, apparently out of the blue. Within 72 hours, she had died. At her Memorial Service, most of us were still stunned, incredibly sad, and wondering `What if?` It is exactly this type of setting when interoperability would be most utterly crucial, when someone is far from home, unknown to anyone local, and suddenly requires emergency care. The development of a highly functional EMR network that could provide essential health information in this scenario would go a long way towards justifying the premise and promise of EMRs. But again, such a network is certainly not here today, and from what I’ve both read and heard, won’t be in place anytime soon. Full interconnectivity of EMRs needs to be established as an indispensable and highest priority requirement, just as it is for telecommunications.

However, what finally clinched my decision to abandon the EMR is that I really like listening to my patients. I like to look at them when they are telling me their problems; it gives me a lot of information, so that I may be of use to them. But if I were required to use Epic, I would be a servant of two masters, with the computer designated as the dominant party. If I were forced to enter data into the computer non-stop, I could not pay my patients nearly the attention that they deserve. And unlike Truffaldino in Goldoni’s play, my role as the servant would then lead to a tragic, not a comic ending, according to my value system.

So I have elected to remain a dinosaur, and have exited from the EMR-business complex. I tell my patients that I am maintaining my office charts. What goes into my record stays only in my records, unless my patients tell me otherwise. I’d rather spend that extra time listening, so that I can be their best doctor possible, at least during the next quarter – quarter-century, that is.

But I could not go gentle into this good night without trying to be of further use. I felt a moral and a personal obligation to dig into matters somewhat more deeply, on two counts. First, I wanted to connect the dots and clarify to myself and to others how and why the practice of medicine is evolving so rapidly now, and identify the most essential pressing issues.  Second, I wanted to foresee how recent systemic changes would more likely than not play out over the longer term if they were left largely unchecked. I am very concerned that a series of short-term directives will lead to many unintended consequences and a badly fissured health care universe within a few years, barring substantial changes in the implementation details of the Affordable Care Act (ACA).

With apologies to Michel de Montaigne, I will try to convey my viewpoints and discoveries as best as possible in a series of essays. The next entry provides very brief mini-Abstracts for each essay. Some of what I discovered was quite illuminating, and in some instances, shocking to me.

As a sidebar, I’ve included a short Cheat Sheet that should help to elucidate some core background and related terminology on the HITECH and Affordable Care Acts that underpin much of the recent flux in health care. Part of this includes the `official` word on the distinction between the terms `electronic medical records` (EMRs) and `electronic health records` (EHRs). Although most physicians whom I know tend to use EMR in a generic sense here, as I do above, the current preferred term for broad context is the electronic health record or EHR, which I adopt in the essays below.

Finally, I do believe that it is still possible to improve the landscape significantly, both for patients and for doctors, without dismantling the core framework and paradigm of the ACA. However, time is very much of the essence, as is substantial political will. So with that optimism in mind, I will also attempt to propose a few suggestions that could potentially be helpful to the cause, or at the very least, kindle or catalyze a couple of new approaches.



Should I be Human, or a Computer?

We discuss the effects of EHR record-keeping on the doctor-patient relationship, especially in the face of severe pressures for physicians to constantly interact with a computer during consultations. The relative diminution of face-to-face contact and of careful and layered listening and observation can significantly hinder effective diagnoses, and lessen mutual trust and openness. A reexamination of several important settings, including treatment of ductal carcinoma in situ and of prostate cancer, and of discussions on how to maintain a healthy diet and exercise balance, illustrate the issues in play.

Franz Kafka, meet Joseph Heller

A byproduct of EHRs has been the loss of patient privacy and the security of personal health data, with little transparency or accountability. We discuss a number of vast scale transactions, involving many millions of EHR records and in some instances, billions of dollars, among industry, the government, insurers and advertisers. Data analytics companies apply advanced techniques to sift through these huge quantities of very detailed medical records, genetic information, and personal information on behalf of their clients. Promises of data anonymization can be and frequently are readily broken. Finally, we truly live in an age of acute cyber vulnerability and require much more data protection, given the numerous, prominent and diverse recent instances of large scale data breaches and theft.

Legal Recourse: Slim and None

Prominent health law experts agree that patients have very limited recourse to protect themselves against violations of privacy.

Cheat Sheet

We clarify the usage of the terms electronic medical record (EMR) and electronic health record (EHR), what the HITECH Act, Affordable Care Act, and Meaningful Use are and how they relate, and where Epic Systems fits into the big picture.

Worse than Russian Roulette

We quantify the likelihood of interoperability between two different EHR systems – it is small.

Life Begins at 60

Even if we achieve full interoperability among major hospital systems, the extent of a patient’s complete medical history that exists within the hospital’s electronic record may be (and typically is) minimal.

Migratory Patterns

The recent drop in the number of independent primary-care physicians is striking, with 35% independent in 2014, down from 62% in 2008. We describe why this has come about, and what might be lost, particularly continuity of care with a single provider, along with associated consequences. This has accelerated patient interest in alternative solutions such as concierge care.

Throw Dr. Kildare from the Train

In the last few years, I have seen a pronounced increase in the number of retirements and planned retirements among local physicians from both the academic and private community. In large part, this is in response to a profound recent change in the balance of power and authority within nearly all hospitals from a medical-centric to an administrative and business-centric environment, accompanied by a remarkable migration towards incessant bureaucracy, and by a hard push to meet `productivity goals` that are little more than a volume measurement to pursue Meaningful Use dollars. The severe, often unseemly collateral damage here is that many esteemed colleagues are being treated as commodities or clerks by the hospital staff.

Commoditization: The Rise of the Clones

It appears that physicians have been reduced to generic commodities in the business model of the Affordable Care Act, e.g., independent of competency level or experience. Along similar lines, it is implicitly presumed that there is no consequence to a patient’s medical care if one switches insurers, and as a result, switches treating physicians on a yearly basis. I argue that this model will most likely lead to greater long-term system costs, in part due to the loss of continuity of care from a familiar doctor.

Turnover – Replacement Parts not Equal

When I was young, medicine was considered to be the top career choice by many, and a significant percentage of our smartest and most driven students became doctors. Who will replace these physicians upon their (often accelerated) retirement? At present, the job of doctor is still generally well regarded, but the profession no longer seems to attract nearly as many star students, particularly compared to finance, consulting or entrepreneurial ventures. Recent data confirm a compelling shift.

EHRs – less Love and more Money

The depth of doctors’ dissatisfaction with EHRs is confirmed by many recent studies. Secondly, we examine a potent 2014 research report by RAND that includes an analysis of the role of EHRs in health care, including a comparison of the VA’s VistA and Epic EHRs. RAND concludes that EHRs’ principal successes to date relate to billing, not to medical care, and that short-term rewards and procedures are increasingly favored over long-term benefits and prevention.

The State of EHR Interconnectivity is `Not Shortly`

We discuss the current and near-term future status of full interconnectivity of EHRs, plus some of the critical behind-the-scenes issues that frame the debate and the politics.

Electronica Britannica

Two histories from EHR experiences in the United Kingdom provide important cautionary tales for the U.S., given parallelism along several essential lines. First is the recent failure of the nationwide NHS IT program to connect patients’ records electronically, Connecting for Health, which was “urgently” dismantled in 2011 at a cost of $20 billion following years of well-publicized problems. Second is the history of how the Cambridge University Hospitals NHS Foundation Trust went from being world-renowned centres of excellence and among the safest hospitals in all Britain to a failing enterprise that was placed on “special measures” in a matter of 8 months in 2014-5. An executive report very recently published by the U.K.’s Care Quality Commission detailed, with many specifics, that this drop was to a large extent due to problems the Trust had in implementing its new Epic Systems EHR.

Solution Proposals

We propose several suggestions to potentially help to resolve some of the identified conflicts and concerns, with a view to the long-term. These address patient histories, patient privacy, treatment of physicians, and regulation of EHRs, and more broadly, systemic reform.

Final Thoughts

We discuss who is winning and who is losing in our rapidly changing health care ecosystem. Unchecked, I foresee an acceleration towards two-tier medicine, which probably was not the preferred outcome of recent reforms. There still is time, if we act decisively within the near future, to significantly change yet preserve the system while creating much better long-term outcomes for patients and doctors.

Should I be Human, or a Computer?


It is hardly news anymore that electronic health records (EHRs) are the bane of many doctor-patient relationships. EHRs are often detested by doctors and viewed at best with mixed feelings by patients, as a necessary evil to achieve the advertised benefits of digitized records. Patients now typically see their physicians spending most of their time interacting with a laptop during consultations, instead of looking at them as they had done previously. Naturally, the patients then often feel like second-class citizens, with the doctor-computer relationship apparently now more important than the doctor-patient relationship. In turn, the doctors are severely pressured to constantly use the EHRs, both to fulfill administrative demands within hospital environments, and to check off scores of boxes on the computer screen to satisfy insurance requirements for payment – moreover, generally at reduced rates. Many of my colleagues tell me that they now spend several extra hours each day on computers, typing while seeing patients, between appointments and late into the evenings. In a recent survey of about 35 interns in several hospitals, Stephen Bergman, Professor of Medicine at N.Y.U. (and author of the novel The House of God under his pen name Samuel Shem) reported that the typical percentage of time spent in front of a computer screen and typing in the data during a shift is 80-90 percent, leaving minimal time for face-to-face doctor-patient contact. This is all part of a broader malaise, in which the business and administrative components of healthcare have come to take clear precedence above other needs of doctors and patients, for instance, quality of life issues. On point, last year the American Medical Association called for a major overhaul of EHRs to make usability and high-quality patient care higher priorities.

The Eyes Have It

From a strictly diagnostic perspective, much may be lost if a doctor spends only a short amount of time actually looking at his or her patients. About 20 years ago, Irwin Braverman, a nationally prominent (now emeritus) Professor of Dermatology at Yale recognized a critical need to improve observational and diagnostic skills in his medical students. Dr. Braverman then took an unusual means to achieve his goal, developing a course to teach first-year medical students to improve these skills by carefully studying paintings (at the Yale Center for British Art) as if they were surrogate patients. This shortly thereafter became a required course at Yale, and subsequently has been much lauded and emulated by many other prominent medical schools. And the greater attention to visual cues certifiably works — according to a study published in JAMA in 2001, students’ abilities to pick up on important medical details significantly improved on the basis of this approach. The students learned that the more time that they spent carefully looking at a patient, the more likely they were to notice something that a cursory glance or tests would have missed.

Indeed, I came to appreciate the importance of careful observation on my very first set of rounds while I was a medical student, a lesson that I never forget. The resident who was leading us diagnosed lupus in a patient who was complaining of severe abdominal pain. What prompted the young doctor to make this remarkable (and correct) diagnosis, which at the time floored me as both miraculous and beyond the reach of any mortal observer? Our resident astutely commented that the beds of the patient’s fingernails showed irregular, twisted, and dilated capillaries, or as he said in his regional twang, `linear cuticular telangiectasia`. I surely would never have proposed lupus as a primary differential (diagnosis) based solely on listening to the patient. As I subsequently came to appreciate, the visual appearance of the fingernails can in fact provide clues to a number of underlying systemic diseases. For example, clubbing (colloquially called `drumstick fingers`), which is often associated with lung or heart disease, was first described by Hippocrates in the fifth century B.C.

What else might be lost in this Brave New World? I am especially concerned about the potential loss of trust and openness, which is paramount in a thriving doctor-patient relationship. As suggested above, EHRs tend to squash any rapport between the doctor and patient, reducing the interaction to pure process. I am sadly reminded of a definition that I learned in college, namely that a lecture is the process by which the notes of the professor become the notes of the student without going through the minds of either. However, there are substantial health care benefits in the human interaction between doctor and patient. Studies have shown that patients with close, personal bonds with their doctors and shared engagement with their care are more likely to follow their prescribed treatments. Even placebo effects can be real and strong. The ability to really listen, to pay full attention to tone and cadence, while reading emotions, facial expressions, and body language, is a skill set that is developed throughout medical school and residency, and allows the attuned doctor remarkable insight into a patient’s hopes, fears, and expectations. Must this all be forfeited in the name of productivity?  What about empathy, compassion, comfort, and counsel? I see my role to be a partner in a quest for a patient’s best health and quality of life, a coordinator of integrative care, as necessary, and a zealous patient advocate, certainly not an automaton. Good medical care is considerably more than data management.

A reexamination of several important settings should amplify my concerns here.

In Sickness

Both ductal carcinoma in situ (D.C.I.S.), often referred to as Stage 0 breast cancer, as well as prostate cancer in men, illustrate the issues at play. Screening to detect either of these diagnoses is very controversial, with ongoing debate amidst a large body of equivocal or conflicting evidence of utility, and frequently shifting guidelines. `Do I ever need to test?`, `At what age should I start?`, `How often do I retest?`, and `What do I do with a positive diagnosis?` are all questions that require a personalized response. More acutely, most patients with a fresh, positive diagnosis will be somewhat confused and scared, and should want guidance that is individualized, incorporating both their history and their personal belief structure. Should a woman just diagnosed with DCIS undergo surgery, and if so, is a lumpectomy or a mastectomy the `right` choice? If lumpectomy is chosen, should it be followed by radiation therapy? Is nonsurgical `watchful waiting` (active surveillance) a better option, and if so, what tests should be taken to monitor disease status, and with what frequency? As Siobhan O’Connor recently wrote in a timely and cogent feature article in Time Magazine on this subject, “doctors are learning that a one-size-fits-all approach isn’t working.” If surgery is elected, most women still have vital concerns regarding body image, sexuality, and attractiveness to their partner, and as always, surgery comes with potential complications, especially if a mastectomy with reconstruction is involved. For men with a recent diagnosis of prostate cancer, the fog of information is particularly problematic because surgery and radiation treatments can have serious side effects like incontinence and erectile dysfunction. Patients receiving either a DCIS or a prostate cancer diagnosis need to explore the options thoroughly before making a decision that depends heavily on the risks that they are willing to take.

Although in the abstract, patients are aware of many of the above issues, let’s now reconsider the patient’s actual decision-making process in the face of a positive diagnosis. Many patients will prefer to defer to their doctor’s recommendations as to how to proceed.  But these are life-changing decisions that we are discussing, and I want this to be a joint (and ongoing) discussion, not a unilateral directive. Most decisions ultimately will be driven by subtle and nuanced personal considerations, balancing programmatic data based on diagnostic findings and medical history with not only my patient’s risk tolerance, but also with familial, social and career demands and future expectations, and possibly as well with financial security.  I hope to provide some context, experience, judgment and empathy here. This shared decision-making generally requires a significant block of time, not a formulaic resolution. But present incentives tend to go counter to such discussions, especially EHR-based ones that are strongly biased toward billable procedures. And most importantly, this discussion is usually much more likely to be productive in the context of a vibrant, longstanding doctor-patient dynamic, compared to either a truncated or to an unfamiliar relationship.

And in Health

On a more upbeat topic, I believe that it is important for all of us to maintain a healthy diet and exercise balance, so I try to incorporate some discussion and positive encouragement on this topic as part of my medical evaluations of patients. However, my approach to motivating patients to come up with a realistic plan that they can and will stick to varies widely from patient to patient. Again, a `one size fits all` glib comment about target weight rarely works, and the best strategies generally spring from a longstanding relationship with the patient. What has worked previously, and what has not? Does my patient prefer solo exercise, or more social workouts, like spinning? Are aerobic exercises best, or ones with less overt sweating, like yoga? Will a Fitbit encourage or frustrate? For joggers with lots of painful wear and tear, what about swimming? Or strength training? Do lifestyle considerations enter into the picture? Is my patient looking to potentially get involved in a new relationship? Have life stressors derailed the balance, and if so, how can I re-motivate my patient to get going again, or to shift strategies? Does a patient do better with a pat on the back or a poke in the tush? All of these are critical factors to consider in attempting to optimize one’s health, among variables that we can control. So I am very concerned that collateral to more commoditized, process-driven care, our patients will be more likely to lapse into and retain a diet-exercise imbalance that will ultimately compromise both their quality of life and their longevity.

Scribes

In his eloquent book The Digital Doctor, Robert Wachter makes a strong case for the use of scribes to facilitate EHR management. To paraphrase several sources, `the solution would be to take the doctors off the computer, put them at the bedside, and let the scribe do the transcription.` Indeed, the large number of doctors who now employ medical scribes to record the medical encounter into the EHR confirms the severity of the issue, and the potential utility of this solution. I agree that the scribe model may be both fine and appropriate for some specialties, but alas, not for mine. I can get at most 50% of my patients to allow a Yale resident in the same room to simply observe how I conduct an office visit, given the oftentimes confidential nature of the doctor-patient discussions, so I would expect that most of my patients would balk at the presence of a scribe. Also, I believe that it would often be very challenging for a scribe to properly identify, let alone extract the critical psychological or social observations that I would routinely make, based on longstanding relationships with my patients, that would determine individualized diagnosis and treatment in many cases. Once again, optimal care involves far more than data management and image analysis.

The Turing Test asks, in an Imitation Game, if a computer is sufficiently advanced so that an astute evaluator can no longer distinguish the machine from a human. I optimistically believe that continued advances in computer hardware and programming will provide ever-increasing complementary and synergistic utility to the practice of medicine. But the profession that I gladly entered, in which the laying on of hands and the heartfelt shared grief of a patient’s tears are vital signs as well, should never strive to pass Turing’s challenge.

Franz Kafka, meet Joseph Heller


Hold your Enemies Close and your Friends Closer

In January 2015, Ricardo Alonso-Zaldivar and Jack Gillum of The Associated Press reported that the health insurance site had been sharing user data with companies like Google, Twitter and Facebook, as well as with a host of online advertising providers. They wrote that the administration said it had prohibited companies “from using the data to further their own business interests” and that “there is no evidence that personal information has been misused.” However, Cooper Quintin at the Electronic Frontier Foundation, a civil liberties group, wrote that “sending such personal information raises significant privacy concerns.” A company that receives the information, he added, “could match up the personal data provided by with an already extensive trove of information” to create an extremely detailed profile of you and your interests. Moreover, he wrote, a company could connect data with users’ real identities.

In March 2015, Elizabeth Dwoskin wrote an article in the Wall Street Journal aptly titled `The Next Marketing Frontier: Your Medical Records.` She disclosed that for physicians who utilize EHR software from Practice Fusion, when the physician views patient charts on his or her computer, a sponsored alert sometimes pops up to indicate when a patient is due for vaccines (or particular treatment) for influenza or for hepatitis B, among other ailments. Practice Fusion, which gives its software free to doctors, is pioneering a new type of data-driven business, and has built a database of 100 million patient records. Practice Fusion has begun to sell sponsorships for alerts to drug companies, labs and insurance companies, matching preprogrammed alerts to patients in real time based on their health indicators and medical history, letting marketers deliver a crucial pitch at the moment when clinical decisions are being made. Some experts worry that the sponsored alerts blur the line between promoting health and marketing medicines. Practice Fusion, which has raised $157.5 million from investors, says about 112,000 health professionals, doctors and nurses are using its system and the software logs about 5.5 million office visits a month.

Just this past December, Rebecca Robbins reported in the Boston Globe on some of the new data mining techniques by insurers, in a bid to figure out when you’re likely to get sick, ostensibly to design interventions to keep you healthy (and to save themselves a lot of money in the process). Insurance companies are now paying data analytics companies such as GNS Healthcare and Predilytics to sift through huge quantities of medical records, genetic information, and personal information on everything from what model car you drive to how many hours you sleep, from which magazines you read to where you shop and what you buy. GNS will also rank patients by how much return on investment the insurer can expect if it targets them with particular interventions, such as sending a text message reminding them to refill a prescription or sending a nurse to their home for a checkup. According to Colin Hill, the chief executive of GNS, the algorithm also can tell the insurer not to waste time and money trying to get certain patients to take their pills — but to spend resources on other patients instead. But using an algorithm to determine how and when to intervene raises troubling risks, said Kirsten Martin, an assistant professor at George Washington University who studies business ethics and Big Data. Such analyses are only as good as the underlying data sources, which in numerous instances have exhibited profound inaccuracies, as well as the algorithm used to mine them. Insurers say they don’t deny care to anyone based on algorithms, but just use the data to customize the approach to each patient. Yet surely there are big vested, commercial incentives by insurers to `monetize` this information, either in rate increases, added constraints or denials. And as always, I worry that insurers are using all this highly personal, often sensitive, possibly inaccurate information without informed consent and with little transparency or accountability.

Finally, IBM just announced the $2.6 billion purchase of Truven Health Analytics, which has data on the cost and treatment of more than 200 million patients. IBM is looking to enhance the growth of its Watson Health business, and to that end, has now purchased four companies since it created the unit last April, at a total expenditure of more than $4 billion. Two other acquisitions, Explorys, a spinoff from the Cleveland Clinic, and Phytel, a maker of software to manage patient care based in Dallas, also brought with them significant data assets, mostly data from patients’ electronic medical records. The Watson Health business, IBM said, now has health-related data on “approximately 300 million patient lives,” mostly in the United States. The goal is to run the patient data through Watson’s artificial intelligence (A.I.) software, so that it works as a specialized digital assistant to physicians and health administrators to improve care and curb costs. The $1 billion purchase of Merge Healthcare, a medical-imaging software company, added expertise in managing health image data. Truven contributes vital payment information on patients, including detailed coding on disease types, diagnosis, drugs prescribed. Now I am optimistic that the vast majority of the IBM researchers are interested in the scientific and A.I. opportunities in this project. But look at the dollar values involved here. More crucially, who has allowed the intermediary companies here to obtain and aggregate our medical and health records in such volumes, with such specificity, and trade them like stocks and bonds? Again, I have very serious concerns about data protection, anonymity, and sales of these data to other companies (such as insurers or marketers) with more mercenary or insidious interests. 
The frank and large-scale activity here is in wanton disregard of our privacy rights, especially given the extent of data hacking, the special value of medical data, and the lack of anonymization described below. I could understand the handing off of records between subsystems strictly within a highly secure, closed network, with no outside commercial forces in play. But the present context just described appears to be light years away from such a place.

Anonymization with Plausible Deniability

Even when real names and other personal information are deleted from large data sets, it is often possible to use just a few pieces of information to identify a specific person, according to a study published last year in the journal Science. A group of data scientists from the M.I.T. Media Lab analyzed credit card transactions made by 1.1 million people over a three-month period. Although the information had been `anonymized` by removing personal details like names and account numbers, knowing just four random pieces of “metadata” information was enough to uniquely re-identify 90 percent of the individuals. The study certainly calls into question the standard methods many companies and systems currently use to anonymize their records. As the authors wrote: “A data set’s lack of names, home addresses, phone numbers or other obvious identifiers does not make it anonymous nor safe to release to the public and to third parties.” In a 2013 study, Latanya Sweeney similarly demonstrated that researchers were able to re-identify patients by name in a supposedly anonymized hospitalization data set. Frank Pasquale, a law professor at the University of Maryland, has written an important book on the dark side of hidden algorithms, automated judgments and one-way mirrors (corporations watching individuals), entitled The Black Box Society: The Secret Algorithms That Control Money and Information, in which he discusses this issue within a larger context. 
As he says, we should not necessarily be reassured: “There’s a big literature out there on broken promises of anonymization, of efforts where users were assured that the information was anonymized, but it wasn’t really anonymized well.” Pasquale is very concerned about “the spillage of data from one context into others,” especially commenting that “there’s high demand for health data out there.” Life insurance companies, for instance, “want to use everything on you to calculate what your life insurance premium should be.” Hmm – I think that this links up rather naturally to Rebecca Robbins’ report in the Boston Globe on data mining by insurers. Should we be concerned?
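The effect described in this section, a handful of known data points singling out one record in a table with no names, can be measured on a data set before it is released. The following is an added example, not code from this essay or from the cited study: it builds constructed pseudonymous traces and computes unicity, the fraction of records that are the only match for p known points. The data sizes, function names and bucket widths are assumptions chosen for illustration.

```python
import random
from collections import defaultdict

def build_constructed_traces(n_people=300, n_days=30, n_places=40, visits=12, seed=7):
    """Constructed sample data: each pseudonym gets `visits` distinct (day, place) points."""
    rng = random.Random(seed)
    traces = {}
    for i in range(n_people):
        points = set()
        while len(points) < visits:
            points.add((rng.randrange(n_days), rng.randrange(n_places)))
        traces[f"anon-{i:04d}"] = frozenset(points)
    return traces

def coarsen(traces, day_bucket, place_bucket):
    """Generalize each point by bucketing days and places before release."""
    return {pid: frozenset((d // day_bucket, s // place_bucket) for d, s in pts)
            for pid, pts in traces.items()}

def unicity(traces, p, seed=1):
    """Fraction of records that are the ONLY match for p points drawn from their own trace."""
    rng = random.Random(seed)
    index = defaultdict(set)              # point -> pseudonyms whose trace contains it
    for pid, pts in traces.items():
        for pt in pts:
            index[pt].add(pid)
    singled_out = 0
    for pid, pts in traces.items():
        known = rng.sample(sorted(pts), min(p, len(pts)))   # short traces: use what exists
        matches = set.intersection(*(index[pt] for pt in known))
        singled_out += (matches == {pid})
    return singled_out / len(traces)

def release_report(traces, p_values=(1, 2, 4)):
    """Unicity per p for the raw table and two coarsened variants."""
    variants = {
        "raw": traces,
        "mild (2-day, 2-place buckets)": coarsen(traces, 2, 2),
        "heavy (10-day, 10-place buckets)": coarsen(traces, 10, 10),
    }
    return {name: {p: unicity(t, p) for p in p_values} for name, t in variants.items()}

if __name__ == "__main__":
    for name, row in release_report(build_constructed_traces()).items():
        print(name, {p: f"{u:.0%}" for p, u in row.items()})
```

On this constructed table, one known point singles out few records, four points single out nearly all of them, and only coarsening heavy enough to destroy most of the detail brings the figure down.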

Vulnerability with a King-size “V”

As we now know, a double-edged byproduct of EHRs has been the loss of patient privacy and the security of personal health information, which of course is in profound contrast to our old-fashioned paper charts that were previously stored in an office or hospital basement. We all appreciate the potentially great advantages that computerization can afford, but much more protection is imperative along this front. Many disclosures within the last couple of years underscore the extent of the concern here, that we truly live in an age of acute cyber vulnerability. The long list of both private companies and government organizations that have been hit includes Target (70 million), Home Depot (50 million), the health insurer Anthem (80 million), Premera Blue Cross (11 million), and the U.S. Office of Personnel Management, or OPM (4 million federal employees). In many of these breaches, particularly those involving health care data, the stolen files include `huge treasure troves of personal data,` to borrow the phrase used by a Washington Post article last year to characterize the OPM breach. It turns out that in many of the breaches, the affected organizations had failed to take even basic steps to secure their computer networks. This has at times been attributed to `a lack of management focus on the potential problems`. This really means that the organizations did not want to budget funds or time to provide proper protection because profit margins would be lowered, and/or the cost of products might have to be raised slightly, placing them at a `competitive disadvantage`.

Some additional numbers worry me even more. Security experts have warned that further attacks on health care organizations were likely because of the especially high value of medical data on the black market. In black market auctions, complete patient medical records tend to sell at much higher prices than credit card numbers. One security expert said that at one auction credit card records were sold for 33 cents, whereas patient medical records sold for $251, a factor of nearly 1000 times higher. In another somewhat more cautious estimate, law-enforcement officials gave estimates of credit card numbers sold at $6 or $7 versus health care records sold at about $50, only a tenfold increase. A study published last year in the Journal of the American Medical Association found that between 2009 and 2013, more than 29 million medical records were hacked, stolen or otherwise compromised. Chillingly, about 90 percent of health care organizations reported they have had at least one data breach over the last two years, according to a survey of health care providers published last year by the Ponemon Institute, a research concern.

These `bobbles` have real consequences, oftentimes in the form of medical identity theft. According to a survey published last February by Ponemon, such theft affected 2.3 million adult patients in 2014. This could lead to loss of health insurance, collection notices from hospitals, and diminished credit scores. In a twist on identity theft, crooks could then use stolen personal data to get their own health care, prescriptions and medical equipment, which could lead to the thief’s health data being folded into the victim’s own medical charts. Confusion or errors could ensue that could lead to dangerous diagnoses or treatments. Finally, adding insult to injury, a victim often could not fully examine or repair his own records because the thief’s health data, now folded into his, would be protected by federal medical-privacy laws.

I know – just lots of big numbers. Until you or a loved one gets hit, that is.

Legal Recourse: Slim and None


A number of prominent health law experts agree that patients have very limited recourse to protect themselves against violations of privacy. They have concluded that more state and federal legislation is necessary, because there are major holes in the way current health care law is written. Some enlightening and relatively nontechnical details are given in a representative 2007 article in the University of Illinois Law Review entitled `Ensuring the Privacy and Confidentiality of Electronic Health Records`, by Nicolas Terry and Leslie Francis. (Very few primary changes have occurred during the intervening years.) In brief, personal health information has been judged to be under threat either by its collection or its disclosure. The law has parsed these threats separately, expressed as the distinct models of privacy and confidentiality. When I read this legal splitting of hairs, my antennae quickly went way up. It turns out that contemporary U.S. confidentiality and privacy models are shaped and constrained by several persistent features. First, the regulation of medical records is primarily a creature of state (not federal) law, has a number of exceptions, and is highly qualified. Moreover, and unsurprisingly, there is remarkable variation by state. Second, the law relating to the privacy of medical information is described as underdeveloped and narrowly circumscribed.  As a result, common law privacy actions have been successful in only a few extreme cases. Gaps in data protection may be especially apparent if data are transferred across regimes, as when health records are made available to insurers or employers. Any EHR system that transcends state boundaries (including virtually all of the major software providers) thus poses the issue that patient protection is only as strong as the weakest state link. Worse, privacy dispute resolution has been in the hands of the Office for Civil Rights, in the Department of Health and Human Services. 
Although this may sound benign or neutral, in practice, from a patient’s perspective, enforcement has been placed in the hands of an `insider` primarily interested in ensuring the efficiency and continuity of the present system. This is the same agency that enforces the HIPAA Privacy, security and breach notification rules.

The conclusions from this paper come with added gravitas, given the stature within the field of the co-authors. Nicolas P. Terry is Professor at the Indiana University McKinney School of Law and Director of the Hall Center for Law and Health, while Professor Francis is the Director of the Center for Law and Biomedical Sciences, Emery Professor of Law and Distinguished Professor of Law and Philosophy at the University of Utah. In particular, Professor Terry is a longstanding authority on the intersection of medicine, law and information technology, and has written extensively on fundamental privacy and confidentiality issues for many years. Remarkably, many of these privacy concerns were already voiced on high more than a decade ago, in expert testimony that Terry was called to give in 2005 before the U.S. Dep’t of Health and Human Services, National Committee on Vital and Health Statistics Subcommittee on Privacy. This testimony can be found at Terry’s overall concerns and conclusions remain spot on today. Given the specific suggestions for privacy policy reform, both in the aforementioned paper and elsewhere, we can only hope that Terry does not persist as Cassandra to the government’s Apollo.