
William A. McComas: Health records go digital

Chances are, before or during your visit to a doctor’s office, the first thing you must do is fill out forms with pen and paper. During your visit, the doctor may very well still take notes on paper, too, and the records of your visit will be stored in files destined for an archive, where they will be nearly impossible to transfer to other healthcare providers.

This antiquated system of record-keeping is gradually changing. One of the more consequential aspects of the healthcare reform effort now underway is the drive to digitize medical and personal records.

On the federal level, this effort is codified not in the controversial Affordable Care Act, but in the earlier stimulus bill, the American Recovery and Reinvestment Act of 2009. Under this law, the Obama Administration launched a $19-billion attempt to incentivize Medicare and Medicaid providers to use electronic health records by 2015. The aim has been to create a record-keeping system that allows for the efficient sharing and analyzing of patient data nationwide. Thanks in part to these funds, we are well on our way to the widespread use of electronic health records.

There are strong arguments for instituting this change. Physicians could provide more informed care to patients if they had swift, seamless access to all relevant health records. And public policy makers could conceivably make smarter decisions by analyzing the population data generated by digital record systems. The science of analytics has grown remarkably sophisticated in our “big data” culture; it is time for those advances to benefit public health policy.

But if nothing else, the troubled rollout of the online health insurance exchanges last year has taught us to be wary of government-led IT solutions. The federal website and state sites like Maryland’s were plagued by major technical problems and failures that prevented people from enrolling for months, led to significant cost overruns, and created security flaws.

Just imagine when such technical failures and security flaws appear in databases containing our health records. A hacking scandal in which our private medical histories fall into the hands of bad actors could lead to a backlash against digitized health records and to an increase in Medicaid and Medicare fraud.

Some might argue in favor of outsourcing the heavy lifting to private companies. The government may not be able to run a website, but Amazon sure can. But even as we were reading news about the troubled rollout of, we also were learning of IT failures in the private sector. The retailers Target and Neiman Marcus, to name a few, announced large-scale security breaches. And don’t forget this spring’s “Heartbleed” bug that broke down encryption protections on websites around the world.

Such incidents have become almost commonplace. We cope with them and move on. They should teach us, however, that even respected private sector companies can suffer cyber attacks. And the bigger the target and the richer the data, the more tempting it is for hackers. That’s why the dream of engineering gargantuan IT systems storing citizens’ health records is a dangerous one. The public benefits of such policy must be weighed against the individual’s interest in privacy.

We should first recognize that each patient owns his or her health records and should control them. We should then adopt (through industry or government efforts) a standardized protocol that facilitates the easy transmission of records to patients, and from patients to other healthcare providers.

A model for a workable protocol can be found in the Health Insurance Portability and Accountability Act. That legislation instituted the use of Electronic Data Interchange (EDI) message sets to exchange electronic information between partners. EDI message sets have been around in other industries for decades and are simply a way to standardize how data is transmitted from one party to another, regardless of the storage container holding the information. Reliance on EDI message sets enables various applications to communicate reliably by applying a dictionary or index to the raw data being transmitted. According to HIPAA, EDI message sets are used to transmit eligibility, coverage, or benefit inquiries, among other correspondence, and have led to significant savings.

The same method could apply to a national health record system. The government’s role should be to set the requisite standards if industry is unable to do so. This method offers the attractions of centralized efficiencies while unleashing the power of the market to create smart, adoptable solutions that empower the patients.

This approach would more likely lead to a system in which patients take control of their data. Government-created platforms will serve first and foremost the administrative needs of providers, insurers, and other parties — but not patients. A platform relying on EDI message sets would allow patients to access and store their information on personal computers and transmit it to doctors directly. Having decentralized data will in itself also act as a major deterrent to hackers.

Ultimately, patients should control access to medical information, not governments. We don’t need more IT debacles like the online insurance exchanges setting back much-needed reforms, and we don’t need monolithic and vulnerable data warehouses.

William A. McComas is a partner at Bowie & Jensen and a member of the transactional and technology law departments. He can be reached at