Finding a Cure: The Case for Regulation and Oversight of Electronic Health Record Systems

In the foreseeable future, it is likely that the familiar, paper-based patient medical files will become a thing of the past. On April 26, 24, President George W. Bush announced a plan to ensure that all Americans\u27 health records are computerized within ten years and to establish a National Health Information Network. Many advocates are enthusiastically promoting the adoption of health information technology (HIT) and electronic health record (HER) systems as a means to improve U.S. health care. HER systems often not only serve as record-keeping systems, but also have multiple capabilities, including drug ordering, decision support, alerts concerning patient allergies and potential drug interactions, reminders concerning routine tests, and various treatment management and data analysis tools. Because these capabilities require sophisticated software, significant risks of software failure exist, which can lead to life-threatening medical errors. Thus far, scholars have not provided a comprehensive assessment of the benefits and risks of this complex technology and evaluated the need for careful regulatory oversight akin to that required, in principle, by the FDA for life-critical medical devices. This paper begins to fill that gap. It analyzes HER systems from both legal and technical perspectives and focuses on how the law can be used as a tool to promote HIT. It is the first law journal article to provide an extensive proposal for regulations to maximize the technology\u27s benefits and reliability. We argue that the advantages of HER systems will outweigh their risks only if these systems are developed and maintained with rigorous adherence to best software engineering and medical informatics practices. To ensure that these goals are achieved, regulatory intervention is needed. The paper carefully delineates recommendations that address the questions of who should regulate HER systems and how they should be regulated, including their approval and continual monitoring. It also proposes requirements for several significant features, including decision support mechanisms, audit trails, and interoperability. Because HER systems are safety-critical, the public\u27s health and welfare will depend upon their effective oversight

In Sickness, Health, and Cyberspace: Protecting the Security of Electronic Private Health Information

The electronic processing of health information provides considerable benefits to patients and health care providers at the same time that it creates serious risks to the confidentiality, integrity, and availability of the data. The Internet provides a conduit for rapid and uncontrolled dispersion and trafficking of illicitly-obtained private health information, with far-reaching consequences to the unsuspecting victims. In order to address such threats to electronic private health information, the U.S. Department of Health and Human Services enacted the HIPAA Security Rule, which thus far has received little attention in the legal literature. This article presents a critique of the Security Rule from both legal and technical perspectives. We argue that the Rule suffers from several defects relating to its narrow definition of “covered entities,” to the limited scope of information it allows data subjects to obtain about their health information, to the vagueness and incompleteness of the Rule’s standards and implementation specifications, and to the lack of a private cause of action. The article explores the difficult problem of crafting static regulations to adequately address rapidly changing computer and communications technologies and associated security threats to private health information. In addition, it develops detailed recommendations for improving safeguards for electronically processed health records

Artificial Intelligence and Discrimination in Health Care

Artificial intelligence (AI) holds great promise for improved health-care outcomes. It has been used to analyze tumor images, to help doctors choose among different treatment options, and to combat the COVID-19 pandemic. But AI also poses substantial new hazards. This Article focuses on a particular type of healthcare harm that has thus far evaded significant legal scrutiny. The harm is algorithmic discrimination. Algorithmic discrimination in health care occurs with surprising frequency. A well-known example is an algorithm used to identify candidates for “high risk care management” programs that routinely failed to refer racial minorities for these beneficial services. Furthermore, some algorithms deliberately adjust for race in ways that hurt minority patients. For example, according to a 2020 New England Journal of Medicine article, algorithms have regularly underestimated African Americans’ risks of kidney stones, death from heart failure, and other medical problems

Drug-Drug Interaction Alerts: Emphasizing the Evidence

Many analysts and users of contemporary clinical decision support ( CDS ) systems have expressed grave concerns about the technology’s efficacy and functionality. Alerts generated by CDS systems are often inaccurate, and an excess of alerts leads some physicians to experience alert fatigue and to turn off CDS altogether. This article formulates recommendations to improve drug-drug interaction (DDI) alerts. The paper comments upon a proposal by Susan Ridgely and Michael Greenberg, who call for the development of a consensus-based clinically significant drug-drug interaction list that could generate limited liability protection for users. We argue that instead of creating a list of always-contraindicated DDIs, experts should develop DDI alerts that offer essential information about DDI risks, supporting evidence, mitigating factors, and appropriate courses of action. Thus, DDI warnings should provide users with concise but comprehensive information. They should not deprive clinicians of discretion, but rather, enable them to make more knowledgeable and effective prescribing decisions. In addition, the article analyzes several other DDI-related issues. It details a process for determining which DDIs should generate alerts in CDS systems. It also examines the extent to which DDI alerts should serve as a basis for liability protection and suggests how data about DDI alert accuracy could be used as evidence in malpractice litigation

In Sickness, Health, and Cyberspace: Protecting the Security of Electronic Private Health Information

The electronic processing of health information provides considerable benefits to patients and health care providers while at the same time creating serious risks to the confidentiality, integrity, and availability of the data. The Internet provides a conduit for rapid and uncontrolled dispersion and trafficking of illicitly obtained private health information, with far-reaching consequences to unsuspecting victims. To address such threats to electronic private health information, the U.S. Department of Health and Human Services enacted the Health Insurance Portability and Accountability Act Security Rule, which thus far has received little attention in legal literature. This Article presents a critique of the Security Rule. It argues that the Rule suffers from several defects relating to its narrow definition of covered entities, the limited scope of information it allows data subjects to obtain about their health information, the vagueness and incompleteness of the Rule\u27s standards and implementation specifications, and the lack of a private cause of action. This Article explores the difficult problem of crafting static regulations to adequately address rapidly changing computer and communications technologies and associated security threats to private health information. In addition, it develops detailed recommendations for improving safeguards for electronically processed health records

Finding a Cure: The Case for Regulation and Oversight of Electronic Health Record Systems

In the foreseeable future, it is likely that the familiar, paper-based patient medical files will become a thing of the past. On April 26, 24, President George W. Bush announced a plan to ensure that all Americans\u27 health records are computerized within ten years and to establish a National Health Information Network. Many advocates are enthusiastically promoting the adoption of health information technology (HIT) and electronic health record (HER) systems as a means to improve U.S. health care. HER systems often not only serve as record-keeping systems, but also have multiple capabilities, including drug ordering, decision support, alerts concerning patient allergies and potential drug interactions, reminders concerning routine tests, and various treatment management and data analysis tools. Because these capabilities require sophisticated software, significant risks of software failure exist, which can lead to life-threatening medical errors. Thus far, scholars have not provided a comprehensive assessment of the benefits and risks of this complex technology and evaluated the need for careful regulatory oversight akin to that required, in principle, by the FDA for life-critical medical devices. This paper begins to fill that gap. It analyzes HER systems from both legal and technical perspectives and focuses on how the law can be used as a tool to promote HIT. It is the first law journal article to provide an extensive proposal for regulations to maximize the technology\u27s benefits and reliability. We argue that the advantages of HER systems will outweigh their risks only if these systems are developed and maintained with rigorous adherence to best software engineering and medical informatics practices. To ensure that these goals are achieved, regulatory intervention is needed. The paper carefully delineates recommendations that address the questions of who should regulate HER systems and how they should be regulated, including their approval and continual monitoring. It also proposes requirements for several significant features, including decision support mechanisms, audit trails, and interoperability. Because HER systems are safety-critical, the public\u27s health and welfare will depend upon their effective oversight

E-Health Hazards: Provider Liability and Electronic Health Record Systems

In the foreseeable future, electronic health record (EHR) systems are likely to become a fixture in medical settings. The potential benefits of computerization could be substantial, but EHR systems also give rise to new liability risks for health care providers that have received little attention in the legal literature. This Article features a first of its kind, comprehensive analysis of the liability risks associated with use of this complex and important technology. In addition, it develops recommendations to address these liability concerns. Appropriate measures include federal regulations designed to ensure the quality and safety of EHR systems along with agency guidance and well crafted clinical practice guidelines for EHR system users. In formulating its recommendations, the Article proposes a novel, uniform process for developing authoritative clinical practice guidelines and explores how EHR technology itself can enable experts to gather evidence of best practices. The authors argue that without thoughtful interventions and sound guidance from government and medical organizations, this promising technology may encumber rather than support clinicians and may hinder rather than promote health outcome improvements

The Patient\u27s Voice: Legal Implications of Patient-Reported Outcome Measures

In recent years, the medical community has paid increasing attention to patients\u27 own assessments of their health status. Even regulatory agencies, such as the Food and Drug Administration and the Centers for Medicare and Medicaid Services, are now interested in patient self-reports. The legal implications of this shift, however, have received little attention. This Article begins to fill that gap. It introduces to the legal literature a discussion that has been ongoing in the health care field.Patient-reported outcome measures (PROMs) are reports of patients’ symptoms, treatment outcomes, and health status that are documented directly by patients, typically through electronic questionnaires. In this era of growing efforts to control health care costs, improve care delivery, and combat physician burnout, patients’ own input can be invaluable for clinicians as well as researchers, regulators, and insurers. At the same time, however, PROMs have a number of pitfalls, and the implementation of PROM programs is challenging and complex.The Article argues that health care providers should be keenly aware of potential medical malpractice risks associated with PROMs. In addition, because PROMs collect a plethora of sensitive information about pain, sexual function, anxiety, and other matters, the HIPAA Privacy Rule should be revised to address PROMs specifically. The Article further posits that it would be premature for regulatory agencies or private insurers to require PROM submission at this time. It also details strategies, such as use of artificial intelligence, to strengthen PROMs and facilitate their integration into clinical practice and other arenas

The Use and Misuse of Biomedical Data: Is Bigger Really Better?”

Very large biomedical research databases, containing electronic health records (HER) and genomic data from millions of patients, have been heralded recently for their potential to accelerate scientific discovery and produce dramatic improvements in medical treatments. Research enabled by these databases may also lead to profound changes in law, regulation, social policy, and even litigation strategies. Yet, is “big data” necessarily better data? This paper makes an original contribution to the legal literature by focusing on what can go wrong in the process of biomedical database research and what precautions are necessary to avoid critical mistakes. We address three main reasons for a cautious approach to such research and to relying on its outcomes for purposes of public policy or litigation. First, the data contained in databases is surprisingly likely to be incorrect or incomplete. Second, systematic biases, arising from both the nature of the data and the preconceptions of investigators, are serious threats to the validity of biomedical database research, especially in answering causal questions. Third, data mining of biomedical databases makes it easier for individuals with political, social, or economic agendas to generate ostensibly scientific but misleading research findings for the purpose of manipulating public opinion and swaying policy makers. In short, this paper sheds much-needed light on the problems of credulous and uninformed uses of biomedical databases. An understanding of the pitfalls of big data analysis is of critical importance to anyone who will rely on or dispute its outcomes, including lawyers, policy makers, and the public at large. The article also recommends technical, methodological, and educational interventions to combat the dangers of database errors and abuses