Guest post by Steven Chau, CTO and co-founder, Doctor Quickly.
Healthcare is one of the last industries to be disrupted by technology. Although unprecedented levels of biomedical knowledge, surgical procedures, and condition management have been amassed, we are not using them to their potential to create the tools to improve healthcare experiences. A balance of privacy and policy regulations with technology is the key to creating a secure yet efficient healthcare system.
The State of Healthcare
A staggering portion of healthcare spending is wasted. According to the Institute of Medicine (IOM), $765 billion, or 30 percent of total U.S. healthcare spending in 2009, was wasted. Key areas that were tracked include unnecessary services, services inefficiently delivered, prices that are too high, excess administrative costs, missed prevention opportunities and medical fraud.
- Overused services, defensive medicine and higher-cost services total $210 billion in excess cost;
- Medical errors, care fragmentation and preventable complications total $130 billion in excess cost;
- Duplicative costs to administer insurance and insurances’ administrative inefficiencies drive $190 billion in excess cost;
- Product prices beyond competitive levels total $105 billion in excess cost;
- Missed prevention opportunities like primary, secondary and tertiary prevention total $55 billion in excess cost;
- Fraudulent claims total $75 billion in excess cost.
Additionally, there will not be enough physicians in the next few years to meet the growing demand. The Association of American Medical Colleges (AAMC) projects a shortage of 62,000 physicians by 2015. This shortage is expected to increase to 91,000 by 2020. This physician deficit is due to an aging Baby Boomer population, the insuring of millions of new patients through the Affordable Care Act, and the retirement of a large number of doctors in the coming decade.
Technology can curb inefficient health management, increase knowledge sharing, and improve access to a shrinking physician pool. However, proper precautions must be taken to safeguard patient information privacy while empowering healthcare providers to provide more efficient care.
Healthcare technology is largely regulated by the Health Insurance Portability and Accountability Act (HIPAA). It was created in 1996 to protect the privacy of electronic patient data, known as protected health information (PHI), and to restrict access to PHI. The HIPAA rules, which predate the iPhone by 10 years, were strengthened in 2013 to increase rigor on de-identifying PHI, to broaden HIPAA’s reach to include all entities that touch PHI directly and indirectly, and to require notification of affected parties if a PHI breach has occurred.
Before patient data can be used for research, it must be de-identified to prevent a patient’s identity from being connected with the information. This is commonly done by removing 18 identifiers, including name, contact, face photo, and health record ID. Ideally, de-identified health data would strike the proper balance between patient privacy and statistically accurate data for scientific and health research. Sadly, the current de-identification rules, which are interpreted inconsistently, yield limited security advantages to patients while impeding the pace and scope of insights from health research and care improvement.
According to a recent HIPAA study on effectiveness:
- Perfect HIPAA de-identification provides important privacy protections (0.04 percent risk of re-identification);
- But perfect HIPAA de-identification is not possible because of the nature of population data;
- There is no guarantee de-identified data will remain so;
- Errors, inconsistencies and uncertainty plague research accuracy when linking data from sample sizes to the population.
This problem is well understood by statisticians, but not as well recognized and integrated within public policy.
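The gap between removing identifiers and actually preventing re-identification can be measured before a data set is released. The following is an added example, not part of the original post: it strips the four identifiers named above, then counts how many records remain unique on the fields that are left. The field names, the choice of quasi-identifiers (birth year, 3-digit ZIP, sex) and the sample rows are assumptions constructed for illustration.

```python
from collections import Counter

# Direct identifiers named in the text (4 of the 18); field names are assumed.
DIRECT_IDENTIFIERS = {"name", "contact", "face_photo", "health_record_id"}
# Assumed fields that survive de-identification but can be linked to outside data.
QUASI_IDENTIFIERS = ("birth_year", "zip3", "sex")

# Constructed sample rows (birth_year, zip3, sex, diagnosis); not real patient data.
_ROWS = [
    (1950, "941", "F", "asthma"), (1952, "941", "F", "diabetes"),
    (1957, "941", "F", "asthma"), (1981, "100", "M", "migraine"),
    (1984, "100", "M", "asthma"), (1988, "100", "M", "diabetes"),
    (1931, "941", "M", "migraine"),
]
RECORDS = [
    {"name": f"Patient {i}", "contact": f"555-01{i:02d}", "face_photo": f"{i}.jpg",
     "health_record_id": f"MRN-{i:03d}", "birth_year": y, "zip3": z, "sex": s,
     "diagnosis": d}
    for i, (y, z, s, d) in enumerate(_ROWS, start=1)
]

def deidentify(record):
    """Drop the direct identifiers and keep every other field."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

def generalize_birth_year(record, width=10):
    """Coarsen birth year to a bucket (default: decade), trading accuracy for privacy."""
    out = dict(record)
    out["birth_year"] = record["birth_year"] // width * width
    return out

def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[k] for k in keys) for r in records)

def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Smallest class size; k == 1 means at least one person is unique."""
    return min(equivalence_classes(records, keys).values())

def unique_fraction(records, keys=QUASI_IDENTIFIERS):
    """Share of records that are the only member of their class."""
    classes = equivalence_classes(records, keys)
    singles = sum(1 for r in records if classes[tuple(r[k] for k in keys)] == 1)
    return singles / len(records)

if __name__ == "__main__":
    released = [deidentify(r) for r in RECORDS]
    coarse = [generalize_birth_year(r) for r in released]
    for label, data in (("exact birth year", released), ("decade bucket", coarse)):
        print(f"{label}: k={k_anonymity(data)}, unique={unique_fraction(data):.0%}")
```

With exact birth years every record is unique even though all direct identifiers are gone; bucketing by decade groups most records but still leaves one outlier exposed, at the cost of less precise data for research.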
Additionally, any entity touching PHI directly or indirectly needs to handle the administrative, physical, and technical safeguard requirements of HIPAA. This includes “covered entities” like health plans, health providers and health clearinghouses, as well as “business associates” like data centers such as Amazon AWS and Box. If a patient loses her phone and a stranger accesses her PHI from an open mobile app, then the company that created the mobile app is held accountable. This risk forces healthcare technology companies to err on the side of caution and introduce a lot of barriers, reducing convenience and efficiency.
Finally, a breach of PHI is devastating to the patient-provider relationship since the patients and the media must be notified. Not disclosing the security breach yields harsher penalties.
Examples of PHI breaches include:
- Untrained staff who accidentally disclose protected information;
- Patient records piled on the receptionist’s desk and seen by other patients making co-pays;
- Physician staff calling in prescriptions or scheduling patient appointments for tests within earshot of other patients or visitors;
- Protected information transferred electronically (like through email) without encryption;
- A laptop containing protected information stolen from your outsourced collection agency (the provider is held responsible);
- A breach of confidentiality that unintentionally occurs but goes unreported;
- Computers accessible to non-essential users or monitor screens visible to patients and visitors;
- Extra photocopies of patient records your staff disposes of without shredding.
Finding a balance between safeguarding patient data and providing convenient and meaningful solutions remains a challenge.
Likewise, in 2013, the FDA issued guidelines to define mobile apps that collect vital signs as medical devices. The FDA regulates medical devices for fraudulent behavior. Fitness, wellness and medical references do not fall under its scope. Last October, the FDA and the Center for Internet Security (CIS) released additional guidance on cybersecurity procedures for medical devices and their technology partners.
The area that is mired in a labyrinth of complex policy is telemedicine. Telemedicine has been around for decades, but innovation is being stifled by antiquated and confusing rules where no two states’ telemedicine policies are alike. Last September, the American Telemedicine Association (ATA) published two reports to identify gaps in coverage, reimbursement, physician practice standards and licensure for all 50 states. Key areas that were compared include reimbursement, patient settings, eligible technologies, distance restrictions, eligible providers, services, consent, licensure and out-of-state practice.
- 15 states authorize state-wide coverage with private insurance without any provider or technology restriction;
- 47 state Medicaid programs have some type of coverage for telemedicine;
- Coverage for specialty services varies by specialty and by state, with no two states having the same coverage;
- 23 states require informed consent;
- 27 states do not allow telemedicine in lieu of an initial in-person examination or to establish a physician-patient relationship in most cases;
- Most states require a telepresenter or a healthcare provider on the premises during a telemedicine encounter;
- Every state imposes a licensure policy that makes practicing medicine across state lines difficult.
These state-by-state approaches prevent patients from getting convenient and quality care that may be available to neighbors across state lines. Telemedicine providers and technology healthcare companies risk punitive action by their state boards if they attempt to navigate the patchwork of rules and regulations in order to take advantage of new tools and services to lower costs and save time. Fortunately, there are a number of bills that state lawmakers are proposing to modernize their telemedicine laws.
Emerging mobile health technology
Mobile healthcare technology is emerging. Studies have shown that 500 million people will be using healthcare apps in 2015. By 2018, half of the 3.4 billion smart phone and tablet users will have downloaded mobile health apps. The proliferation of smart phones with incredible technology has allowed patients to monitor and track simple health metrics, and capture high-resolution images, sound, and videos.
As mentioned earlier, technology can curb inefficient health management, increase knowledge sharing, and improve access to a shrinking physician pool. For example, studies have shown that 70 percent of patient visits to the physician are for informational purposes only and could have been done over the phone or online. However, most patients still schedule an appointment, take a half day off of work, commute, and wait in the lobby just to speak to a doctor for 15 minutes. This wastes patients’ time and causes unnecessary overhead costs to healthcare facilities. Research shows nearly 70 percent of individuals would be willing to have a telehealth appointment with their provider.
While technology alone cannot solve all of U.S. healthcare’s systemic problems, it can improve patient-physician communication, expand the reach of knowledge, and increase access to clinical information when needed. The challenge will be effectively following privacy and policy rules to safeguard patient information while creating efficient tools to improve healthcare experiences.