Part I – Quality Measure Reporting
Why you should read all of this long post
Just to make you quickly aware of why you should read on, the Federal Department of Health and Human Services (HHS) is collecting, among other things, names, dates of birth and addresses of adults and children who are overweight, smoke, abuse alcohol and drugs or may be depressed as well as other diagnoses, and the amount and variety of what is collected is slated to grow. This information is being collected from health care providers using Electronic Health Records (EHRs). The information will be stored in a massive HHS database that is already receiving millions of personally identified reports from EHRs on patients in the name of improving the quality of healthcare as part of Meaningful Use and Quality Reporting for Medicare and Medicaid. You cannot prevent your doctor from submitting this information to HHS without stopping HHS from requiring it as things stand now.
Detailed Background:
Why is this happening?
As part of the HITECH Act which is part of the The American Recovery and Reinvestment Act of 2009 (ARRA) (Pub.L. 111-5), eligible healthcare providers and hospitals receive incentive payments to adopt Electronic Health Records and to use them “Meaningfully”. Eventually, most providers will be penalized if they don’t use EHRs “Meaningfully.” The regulations written by HHS that were created to enforce this legislation, require that electronic EHRs have to undergo testing to be sure they are what is called “Meaningful Use Certified” and healthcare providers have to prove they are using them “Meaningfully” in a way that is regulated by the Office of the National Coordinator for Health IT (ONC). ONC is a division of HHS. Part of requirements for Meaningful Use of EHRs is the collecting and reporting of data about patients that is used to calculate the providers performance on clinical quality measures. If doctors and hospitals don’t report and achieve the standards necessary, they will lose the incentive payments that help pay for the EHRs they installed, and they will be financially penalized by cuts in Medicare payments. Medicare is administered by the Center for Medicare and Medicaid Services (CMS) which is part of HHS.
How is it happening?
Quality measure data is reported to HHS using QRDA reports (Quality Reporting Documentation Architecture). There are three types of QRDA reports reports, two of which, the QRDA I and the QRDA III (said Q-R-D-A One and Q-R-D-A Three), are required to be produced by Meaningful Use Stage 2 Certified EHRs. QRDA I reports provide detailed information about patients including names, dates of birth, addresses, race and ethnicity and conditions such as diabetes, drug and alcohol abuse, obesity, depression, etc. QRDA III reports are summary reports which do not contain personal information about patients.
Some of this detailed personal information about patients has already been submitted by many health care providers for a few years through another incentive program called PQRS, or Physicians Quality Reporting System which also uses the QRDA I report format for submitting this information. The PQRS program is administered by CMS. PQRS is a program for Medicare and Medicaid, i.e., the personal information submitted is only about patients over 65, disabled or poor. HHS is planning to require all data to be submitted in a personally identifiable manner with QRDA I reports in the near future for both PQRS and Meaningful Use. Unless HHS is stopped from going ahead with the plans. This year there are approximately 100 measures that may be chosen for reporting. Some are required and some are optional.
What is reported?
This year’s quality measures are enumerated for private physicians and hospitals in the links below. Please review them all and consider whether or not the Federal Government should be collecting this information about anyone individually. You will see a description of numerator and denominator information for these measures. An example would be that all of the patients
that HHS considers as likely to have diabetes in a doctors practice being reported in the denominator and all of those who have a blood test showing poor control of their diabetes being in the numerator. Both numerator and denominator patients would be reported to HHS with fully identified information about who they are.
Outpatient Quality Measures:
Ctrl-Click to open the link
http://tinyurl.com/htke4ye
Hospital Quality Measures:
Ctrl-Click to open the link
https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/eCQM_2016EH_MeasuresTable.pdf
http://tinyurl.com/grjcd3t
How do you know this data will be personally identified?
As published in the Federal Register, Volume 80 No. 158 August 17, 2015 page 49759 , https://www.gpo.gov/fdsys/pkg/FR-2015-08-17/pdf/2015-19049.pdf (Ctrl-click to follow – begin midway, page 49759 second column) http://tinyurl.com/hrae3az HHS contends that if it keeps a database that holds personal information secure, that is the same a protecting privacy. SECURITY is not the same as PRIVACY. If they hold private information, they have already invaded privacy, whether or not it is secure. In the document on that same page, at the bottom of the third column, they state they intend to collect all quality data personally identified. The number of quality measures they are collecting now has gone down because of the protests about the great difficulty for health care providers collecting all of this data and the adverse effects it has on the usability of electronic health records. However, in other proposed rules, it is clear that the intent is to have more quality measures each year, all automatically loaded into electronic health records. all automatically reported and all personally identified. This would affect virtually all people who see healthcare providers in the United States.
Why should we be concerned?
We already know that health care information is prized by criminals and that the Federal Government cannot keep data in its databases secure. We already have examples of breaches of security clearance data from he Office of Personnel Management (https://www.lawfareblog.com/why-opm-hack-far-worse-you-imagine Ctrl-Click to access the link) to IRS http://www.usatoday.com/story/money/2016/02/26/cyber-hack-gained-access-more-than-700000-irs-accounts/80992822/) and possible NSA hacks ( https://www.forbes.com/sites/thomasbrewster/2016/08/15/nsa-hacked-shadow-brokers-equation-group-leak/#169eaad0759e). In fairness, the only completely safe database at this time is one that does not exist, which should be the case for this database. (Added 3-1-2017) Here is a link about persistent security gaps at HHS. http://www.fiercehealthcare.com/privacy-security/despite-small-improvements-hhs-plagued-by-persistent-cybersecurity-gaps
In addition, we know that the HHS itself often makes the decision to distribute information about its citizens’ health and other matters without their express consent ( https://www.resdac.org/cms-data/request/innovator-research https://www.cms.gov/Research-Statistics-Data-and-Systems/Monitoring-Programs/QEMedicareData/index.html?redirect=/qemedicaredata/) . There are numerous web sites already detailing how information about Medicare and Mediaid recipients can be received without the consent of the recipients. Many times this data is supposedly de-identified, but we know now that the de-identification methods approved under HIPAA http://www.hopkinsmedicine.org/institutional_review_board/hipaa_research/de_identified_data.html are woefully inadequate in this day of Big Data ( https://tcf.org/content/report/strengthening-protection-patient-medical-data/).
Data is being obtained from many sources and because of weakness in the HIPAA rules for de-identification of data , agencies may not be able to deny FOIA requests for legally de-identified data. This would likely include the data in this HHS database. As an example of data that was released that will almost certainly be re-identified, see http://statinmed.com/en/datasets .
Adam Tanner has contended in his book, Our Bodies, Our Data, that longitudinal records are being constructed of our personal health data by enterprising data brokers. Release of this sort of data being collected will greatly enhance the ability of data brokers and hackers to re-identify data. This is of concern, not only for individual patients, but for those genetically related to them as the assumption will be that if the index person has a particular problem, so may their relative.
There is some protection against using genetic information for determining health insurance premiums and for employment, but it is not air tight and there is no mention of life insurance or long term care insurance. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/genetic/ginaifr.pdf It would likely be very difficult to prove if genetic information was used to deny insurance as there is no requirement to inform patients about why insurance was denied or why premiums were higher than usual or to prove it was used to not hire an individual.
Given this database of information, can we ever be sure the information will not be used against anyone by the federal government? Will the information from the screening measure that someone may be depressed be used to deny a security clearance? Sometimes a screening test for a problem such as dementia, alcohol abuse or depression can be just one question. If providers are being forced to administer these tests, what protection is there for their patients that the results won’t be used against them?
Even if only summary data is allowed, these quality measures are of concern because some require referral for certain conditions or the provider will risk a penalty. Referrals, such as to a nutritionist for obesity or to a psychiatrist or psychologist because a depression screen was positive, will probably generate a line item in a claim to justify the referral and another to pay for the referral if it is completed. It may be a provider would prefer not to refer the patient, but he or she is essentially required to show an intervention that will generate a charge because of the quality measure requirements.
We should be concerned about not only Meaningful Use Reporting but also about reporting for Medicare and Medicaid.
Most providers are not aware that the EHR they are using is submitting sensitive information to HHS nor do they even think to question whether or not the federal government should be collecting this information. If they knew, I think they would be outraged as most physicians do care very deeply about protecting their patients’ privacy. Although the legislation set out the overall plan for this program to promote adoption and use of EHRs, it is HHS that wrote the regulations to enforce the legislation.
HHS should also not be collecting this personal information about the elderly, disabled and poor as part of the PQRS program just because they administer the Medicare and Medicaid program. Administering a Health Insurance Program should not mean that the government has a right to collect such extensive, very personal information about its citizens. It is enough of an invasion of privacy that they have claims data.
What can you do about this?
Please call or write your Representative and Senators and Tom Price, MD, head of HHS, to protest the collection of QRDA I reports by HHS and ask that they only allow QRDA III reports. Here is a link to help you find the address and telephone number of your Representative or Senators
http://www.opencongress.org/people/zipcodelookup
Nancy Anthracite, MD
Addendum: 4/6/2018
The recent uproar over Facebook has shifted some focus to the aggregation of data that has been without much notice for years. This story talks about Facebook planning to take deidentified hospital data and matching it up to Facebook users is one that has apparently be thwarted but is just the sort of thing that is done with supposedly deidentified data that meets the HIPAA standard for deidentification but can be easily reidentified by matching up data bits of data from multiple sources to reidentify it. I am sure these patients would not have any say in whether or not their supposedly deidentified data was shared much as people have no say on what data is sent to HHS about quality measures and what data from those submissions HHS will share, also supposedly deidentified.
https://www.theverge.com/2018/4/5/17203262/facebook-medical-data-sharing-plan-healthcare
Addendum: 9/22/2018
I am very pleased that the MedChi, the state medical society of the state of Maryland, has passed the following resolution in favor of patient privacy. This resolution will be presented at a national meeting of the American Medical Association in an effort to get their support to help protect patient privacy by stopping the submission of personally identified information for quality measure reporting.
Resolved that, to protect patient privacy, MedChi submit a resolution to the American Medical Association to establish regulation and/or legislation that all quality measure data should only be collected in summary format with no personally identified information included.
Addendum: 3/20/2019
An editorial in JAMA pointed out all of the problems with the quality measures for the physicians MIPS program, which is essentially the same as the Meaningful Use quality measure reporting. 54 of 86 quality measures (62.8%) were considered invalid or of uncertain validity. I am convinced that not only is reporting these measures an invasion of patient privacy, it is a major part of the reason so many physicians hate their electronic health records because they are focused on satisfying the quality measure reporting rather than taking care of the issues the patient has.
The article can be viewed free of charge here: https://jamanetwork.com/journals/jama/fullarticle/2727554
Adendum: 6/6/2023
As has been explained in this section, HIPAA deidentification has been inadequate since the date the standard was enacted, but with the advent of the latest AI releases, reidentifying it is likely to be done very easily. Please see this link.
Nancy Anthracite