EHRs Not Yielding Cost Reductions as Predicted: Small Modifications Needed to Reach Further and Quicker than One Major Change

Guest post by: Sarah Armstrong, a consultant at ARRYVE, a strategy consulting firm.

A recent study published by the RAND Corporation indicates that implementation of electronic health records (EHR) has not yielded the cost reduction predicted in 2005[i]. Their study identified process efficiency and patient safety savings as two primary outcomes of EHR implementation, leading to a forecasted $81 billion annual drop in healthcare costs. Instead, costs have risen significantly. RAND cites a number of reasons for this: sluggish adoption of health IT systems, coupled with the choice of systems that are neither interoperable nor easy to use; and the failure of healthcare providers and institutions to reengineer care processes to reap the full benefits of health IT.

While the latter can be attributable to the inability or unwillingness of care providers to change, the former places blames on the institutions’ IT departments and software companies. These parties know that disparate EHRs leave a significant gap, but providers are not empowered to bridge the gap. Furthermore, software companies may struggle to differentiate themselves should they modify their product to be compatible with that of a competitor. Assuming either option presented a real possibility, modified software products and altered care processes lie years down the road at best.

If something breaks, you fix it. Fixing this problem will not be easy, however, and many opinion pieces point to our federal government as the catalyst required to affect change. But instead of a major, time-consuming overhaul by the producers and users of health IT, I propose we consider incremental ways to mitigate some of the effects of the problem. I see great opportunity for 2013 to be a year not of rigorously planned change, but of simple workarounds. Specifically, these workarounds would be performed by the people most affected by 1) poor or nonexistent interoperability of EHRs and 2) their caregiver’s inability to effectively use the technology: patients.

Consider the primary problem that arises from non-interoperable health IT systems: incomplete patient data. This problem manifests itself in many ways. For patients, treatment options may be redundant, medicines prescribed may counteract each other, and they may find themselves repeating information they already gave another provider. For providers, if their patients seek care outside their facility and do not fully report their medical history, the current state of health IT does not afford them a way to see the full picture. Additionally, the quality of a provider’s aggregate patient data diminishes.

I would argue that incomplete patient data has long been a problem associated with paper medical records. So why the recent finger pointing at EHRs? Could the problem be attributed to behavioral changes on the part of both providers and patients? Within the past five years, I have changed primary care physicians twice. I have listed the names of my previous physicians, but neither has asked me to obtain my old records. Because I have not been asked to procure these, I have not troubled myself with the task.

A patient unfamiliar with health IT or health information privacy laws might think that listing their previous physician’s name (or current specialists’ names) automatically transfers their medical record. Unless a patient signs for a record transfer, caregivers must rely on what is optimistically a factual and complete patient history form that is often filled out during the minutes before an initial visit. Years of medical care are rewritten according to one’s ability to recall vaccinations, test results, and allergies, as well as the accuracy of a data analyst inputting the record into the patient’s brand spanking new, and likely abbreviated, EHR.

Patients want the best care and we look to our caregivers to tell us what to do. We may not always listen (e.g., quit smoking, exercise, etc.), but people consistently identify their physician as the person they trust most. A simple but powerful mitigation plan for addressing incomplete patient data could be to involve patients more closely in their care:

Providers would also benefit from involving patients more closely in their care. Not only do they have countless reasons to deliver care based on complete data, but many also want to publicize to prospective patients that they provide quality care. Complete patient data helps legitimize providers’ quality claims. For example, by asking all female patients about recent cancer screenings, they can truthfully state the percentage of patients who are current on these screenings. Without asking this question, a primary care clinic might report a lower percentage of current screenings among its patients than is accurate, since they would not take into account those performed by outside providers (e.g., OB/GYN, dermatology, etc.).

When discussing the ineffectiveness of EHRs, invite all affected parties to the table. I have confidence that behavior modifications aimed at mitigating the side effects of a rapidly evolving landscape, keeping the best interests of everyone at heart, will serve us all well. I dare say that the cumulative effect of millions of small modifications will reach further and quicker than one major change by software manufacturers or Uncle Sam.


Sarah Armstrong is a consultant at ARRYVE, a strategy consulting firm, with a diverse mix of industry experience ranging from healthcare to software. Healthcare engagements have encompassed strategic planning, process design, revenue cycle, compensation planning, market analysis, quality management and regulatory compliance at academic medical centers, children’s hospitals, and both primary care and pediatric practices.

[i] Arthur L. Kellerman and Spencer S. Jones, What It Will Take To Achieve The As-Yet-Unfulfilled Promises of Health Information Technology, Health Affairs, 32, no. 1 (2013):63-68

The Majority of EHR Security Breeches Are Inside Jobs

Looks like my suspicions are correct. Most health data breaches are inside jobs. But, what’s surprising, according to a somewhat recent survey from Veriphyr — an access and identity provider – is that the majority of data breaches of medical records is by practice employees.

According to the survey, most of the data breeches of medical records more than 35 percent were of healthcare employees peeking into the files of their co-workers. Another 27 percent of the breeches reported were of a healthcare employee’s family or friends

Also gleaned from the survey is that of the hospitals and healthcare facilities surveyed, 70 percent reported some form of data breech. Data breeches cost healthcare organizations more than $6 billion a year, according to Veriphyr’s CEO, Alan Norquist, so they really are big business.

Some of the report’s key findings include:

Top breaches by type:

When a breach occurred, it was detected in:

Once a breach was detected, it was resolved in:

According to Health Data Management, there have been more than 31,000 data breeches in the last two-and-a-half years. Most of these breaches are unintentional, though, according to magazine, with “employee transferring records to a flash drive or sending records to a personal e-mail account to work on them from home, or even sending records to a peer for advice.”

Accordingly, some steps to limiting internal data breeches is to continuously educate your employees about the dangers and consequence of handling HIPAA-protected data appropriately, and in some case, it’s may be necessary to adopt new policies to help manage how data is accessed. For example, if personal devices are allowed to be used in the work setting, you need to establish some rules to protect the data the the devices access, and in some cases, you’re going to have to offer support of the devices.

For more details about how to create a BYOD plan, take a look at this recent post: Creating a BYOD Plan Protects Your Practice and Your Employees.

Nevertheless, the information about data breeches is shocking. The number of employees sneaking peeks at patient’s profiles is like the rest of the world surfing the social profiles of complete strangers. Sure, the information is there, but that doesn’t mean we should take advantage of it.