I believe that standards are no longer the rate limiting step.
On November 12, I presented an overview of standards readiness to Secretary Leavitt and AHIC. The video is available online.
My presentation begins at 1 hour and 8 minutes. Anyone wanting to view it can just use RealPlayer to advance to that point.
You'll see that as a country, we have finished:
2006 - Personal Health Records, Laboratories, Biosurveillance
2007 - Medications, Quality, Clinical Summaries
2008 - Medical devices, Referrals, Family History/Genome, Secure messaging, Public Health Reporting, Immunizations
In 2009, we'll complete Newborn screening and Clinical Trials/Research, and close a few minor gaps.
All the stakeholders (vendors, government, academic, pharma, labs, payers, providers, patients) have agreed on the needed standards by consensus. Secretary Leavitt has Recognized all the 2006 and 2007 standards and will be Accepting the 2008 standards on January 8, 2009. Recognition means that the standards are required for use by all Federal agencies. Acceptance means that a year of testing begins and Recognition will follow.
Thus, there is no need to wait for the standards. Vendors are beginning to implement these standards and the Certification Commission on Health Information Technology is beginning to require them.
If standards are not the issue, what about security and privacy? As readers of my blog know, I am passionate about the need to protect confidentiality.
I believe that security is no longer the rate limiting step.
The standards for security were finished in 2007. They are available online and have been fully incorporated into all the HITSP interoperability specifications, including all the needed security standards to support encryption, authentication, authorization, audit trails, non-repudiation, and patient consent.
These security standards can enforce any local privacy policies - from something basic like HIPAA to something complex like the Massachusetts approach to opt-in consent at the institutional level.
It is true that the US has very heterogeneous privacy policies in states and localities that pre-empt HIPAA, but that is not a security or technology issue.
What about architecture?
I think that we've done enough pilots and experiments to know what architecture we need.
The US already has a functional architecture for e-Prescribing including retrieval of comprehensive medication history. The US already has a functional architecture for exchange of lab results among providers, patients and commercial labs.
What's missing is a clinical summary exchange that ensures care coordination among providers of care and patients. I've written about a simple, internet-based, service oriented architecture that can securely exchange structured healthcare data between stakeholders. This approach can be used to:
a. Send / push / route hospital data to appropriate parties
b. Send / push / route visit and other data in support of referral consultation
c. Send / push / route visit and other data for standardized quality reporting
d. Send / push / route data for patient health records (PHRs)
Note that none of these transactions creates new privacy issues. Every one of them is currently required by good medical practice or by law, and is performed on paper today.
Thus, interoperability is implementable today with harmonized standards, appropriate security, and a service oriented architecture using the internet.
Now we need incentives to implement it.
Data exchange is a public good in many ways, so it will be challenging to fund purely based on local stakeholder contributions. There is a need for Federal leadership and funding to mandate very specific transactions on a defined implementation timetable. We should accelerate adoption through the same approach the US is using for e-Prescribing: regulation to create mandates and incentives to create urgency, followed by penalties for late implementation.
Experience has taught me that it's best to automate existing processes rather than trying to simultaneously change process and add technology. The approach I've presented above is a good short term solution. In the long term, let's hope that patients become stewards of their own data via PHRs or establish a "medical home" - a primary care giver who coordinates all their care. The architecture could easily evolve such that every entity which provides care has to push the data into a "medical home" EHR in a standardized fashion.