By Matt Skoufalos
Since the 2010 passage of the Affordable Care Act and its 26 different mandates, which have specific implications for every business obligated to meet them, electronic medical records (EMR) and electronic health records (EHR) have become far more sophisticated mechanisms for providers, patients, and health care in general.
James Metzger, Vice President of Marketing and HIPAA Compliance Officer for the San Jose, California-based EHR provider, PrognoCIS, was on the Affordable Care Act task force of Blue Shield California when the statutes were released. Metzger was a subject matter expert on only three of those 26 mandates, and handling any one of them “was completely enough work for a team of people,” he said. One of the things the legislation did was expand the incentives (and eventual disincentives) initially offered in the Health Information Technology for Economic and Clinical Health (HITECH) Act for EMR systems that had a “meaningful use” component feeding aggregate population health reporting. In 2006, maybe a quarter of provider clinical locations were Internet-connected and fully digitized in terms of a paperless workflow; in today’s landscape, where that number is probably closer to 95 percent, “there’s a scale of differences,” Metzger said.
“The different systems that are out there today were forced by the market to grow in order to achieve an economy of scale in order to help them meet these regulatory issues that weren’t part of the landscape before,” he said. “We’ve gone from the medical record, which is the medical detail pertaining to specifically everything related to the patient, to the health record, which is the additional metadata that surrounds the medical data.”
According to a May 2016 report from the Office of the National Coordinator for Health Information Technology (ONC), the EHR space has seen a number of interoperability milestones in the past few years. National rates of electronic data sending, receiving and retrieval have increased significantly between 2014 and 2015, with 96 percent of non-federal acute care hospitals having a certified EHR system, and at least eight of 10 small, rural, and critical access hospitals having adopted a basic EHR.
“A substantial majority of hospitals were electronically sending and receiving summary of care records, and a little over half of hospitals were electronically finding information from outside sources,” the ONC noted. “More hospitals reported that they had health information available electronically from outside sources at the point of care. About half of non-federal acute care hospitals nationwide had the necessary clinical information available electronically from outside providers or sources when treating their patients.”
Down in the same data brief was the percentage of U.S. hospitals that reported the absence of technical capability “to electronically send or receive information,” yet the report noted that “a high proportion of hospitals’ exchange partners continue to lack the technical capabilities to receive data electronically.” Hospitals also continue to face difficulties matching patient data across systems and patient sites.
Finding the ways to integrate, secure, and share the information contained within those diverse data sets is a challenge for EHR vendors that has emerged in the decade since the market first distinguished itself as a niche within the health care IT space. Bruce Carlson, publisher of market-watcher Kalorama, says the space is still seeing double-digit growth in spending and vendor sales, but has settled down a bit since government stimulus funding for meaningful use has been withdrawn. In the post-incentive landscape, EHR is proving to be “a market on its own, like any kind of software market,” he said; one in which, absent of federal incentive dollars, products must sell themselves.
“It’s now a market based on vendors proving to customers that they’re offering value, saving money, leading to more efficient health care transactions and the like,” Carlson said.
According to Carlson, the market includes more than 150 companies “of any significance at all in EMR,” with the bulk of the revenue going to about 10 top vendors. The most significant EMR vendors include larger Health care IT companies like McKesson, Cerner, Allscripts, Epic Systems, eMDs, Athena Health, Next Gen, eClinicalWorks, and Greenway Health. The remainder of the market, some 44 percent, is shared among multiple smaller vendors. The universal meaningful-use requirements for U.S. health care providers to provide digitally accessible and secure patient health data leaves the space open to lots of competition among developers. Like any software market, companies can sell EMR and EHR products with very little physical overhead; in fact, “There’s a market for companies that can just sell over the web,” Carlson said.
“There’s no one EMR that you as a physician have to get,” he said. “You have to meet certain requirements that CMS has set up in order to get incentives or not to be penalized.”
In such a broad field, vendors distinguish themselves either in terms of the quality of product they provide or the level of support they offer. Some target physician clients, and others provide institutional-level service; because of this, there’s the opportunity for a lot of mobility within the space. Carlson cites the example of Epic Systems, which in the past half-decade has grown from being a minor EMR player into one of the three largest in the market. That ascension has a lot to do with the ability of a vendor to provide a high level of client service.
“When you’re operating in a market where everybody was a little bit behind the curve in IT, there’s this overarching incentive to purchase,” Carlson said. “That negates a lot of your traditional market mechanics – build demand, find customers, market, grow sales. Epic put more resources into support than marketing.”
As the EMR and EHR market matures, product offerings will continue to improve in terms of programming upgrades, vendor realignments, and customer service through added consulting, client training, or software development features, Carlson said. Now that many hospitals have an EMR system, increasing its compatibility with other technologies is another way to derive greater value from their investments, whether at the user level or the administrator level. As those technological improvements increase in a marketplace where there’s less and less growth in the field for new installations, the space will head toward vertical integration. Carlson said he already sees movement in that direction, spurred by a vendor interoperability push at HIMSS. Some vendors have already consolidated, and others have quit the space, he said.
“There aren’t new hospitals or new physician offices in the United States,” Carlson said. “Most hospitals have some kind of system now, even very small community hospitals; there’s such a disincentive to not have EMR. It’s a matter of upgrading them, upselling existing customers, acquiring new customers at the expense of another vendor, and holding onto your own.”
Carlson foresees new points of entry in the EMR/EHR marketplace as being based on technological advancements, like mobile computing, workflow, and analytics. Supports for revenue cycle, fraud management, and inventory control are areas of integration where Kalorama foresees future growth potential.
“[Hospitals are] experts at hiring clinical practice personnel; when it comes to tech, this is not their specialty,” Carlson said. “Implementing EMR is a big job, and the more the vendors can do, the more they’ll succeed. On the institutional side, it’ll knock off small firms that cannot handle the volume.
“Health care is one of the last regional markets [but] even that separation between physicians and hospitals will be eroded too,” he said.
One of the most significant changes in the past decade is how much the EMR and EHR business has migrated even beyond just paperless systems to cloud-based storage and delivery networks. Metzger recollects the change as particularly transformative not only from the perspective of simply digitizing paper forms, but into rethinking how information is gathered, disseminated, and analyzed altogether.
“If you’re just digitizing forms, are you taking advantage of the quantum leaps in workflow that a digital workflow can provide?” he asks.
One of those quantum leaps is the push for greater interoperability of health care systems and the standardization of the data they share, which poses “an inherent conflict with the needs of the market and the needs of a manufacturer of anything to provide a uniform solution,” Metzger said.
“In order to have a business plan succeed in the medical marketplace, at what point do some companies decide to become market leaders by extending functionality?” he said.
These questions even stem as far back as 1996, when the Health Insurance Portability and Accountability Act (HIPAA) contained provisions for the development of a National Patient Identifier (NPI), which was philosophically intended to be “the cornerstone of all interoperability” in the health care space, Metzger said. After the Social Security number “has gone through its own trajectory of mass adoption for purposes other than what it was originally intended for,” from bookkeeping to inter-practice communication, he said, it’s no longer as viable an option for that purpose.
“During the landscape of identity theft, it’s rare that you would find a provider or clinical location that was still using a Social Security number as an identifier in a required sense,” Metzger said. “Now there’s more of a clamor for the development of the NPI because there’s a void there.”
One such possibility to resolving the questions of NPI, however potentially remote, is the emergence of biometric identifiers. Although the landscape is largely undeveloped for such a product in conjunction with patient records, the notion creates “a paradox of interoperable communication in an environment of patient-controlled, secure authorization and validation,” Metzger said.
“I can build you a very secure room, but you have to allow me to build you a room with no windows and no doors,” he said. “Who’s got access? Who controls that access? I don’t even think the courts have come down with a firm position on who owns the data.”
“The current understanding is that the patient owns the data and anyone else is just a steward of the data,” Metzger said. “Then there is medical data byproduct, which is population health – aggregate data, aggregate anonymized data. At what point can someone control their personal data?”
The most common reason given for hospitals not using information generated within their systems related to an inability to access the information from within their EHR, the ONC noted “whether that was due to clinical workflow or inability to integrate data from outside sources into their EHR.”
“Continued increases in the interoperable exchange and use of health information from outside sources, along with the availability of information are important to the success of care transformation efforts nationwide,” the agency said.
The push for interoperability has even become a Congressionally mandated national health care objective with a July 2016 deadline to establish metrics for the same. In 2015, the Medicare Access & CHIP Reauthorization Act (MACRA) defines interoperability as hinging on the exchange of “clinical and other information” and common standards for the use of that information “to provide access to longitudinal information for health care providers to facilitate coordinated care and improve patient outcomes.”
Part of the issue comes in sourcing the data from things like health care insurance claims, program performance data, health care system surveys, and EHR-generated data, as well as capturing a broad enough spectrum of data to effectively illustrate the scope of patients nationwide. Capturing specialized patient data may be another hurdle; for example, the ONC notes that “basic EHR adoption among children’s and psychiatric hospitals is significantly lower than [among] general medicine hospitals.”
Finally, the office also describes the paradox Metzger noted of the “shared responsibility” of cybersecurity among the institutions that gather and share patient data, patients themselves, and the clinicians who treat them. HIPAA established penalties for individual and institutional data breaches, and tasked the HHS Office for Civil Rights (OCR) with enforcement of its statutes; ONC works in conjunction with OCR to develop resources that can help providers establish better in-house policies and procedures for the implementation and enforcement of patient data privacy and security. Its two-year-old Security Risk Assessment (SRA) tool is one such mechanism for organizing risk mitigation; the Cybersecurity Framework published by the National Institute of Standards and Technology (NIST) is another.
As the marketplace for EHR continues to evolve, the regulatory statutes that govern its development provide another critical set of contributing factors.
“The end goal is a growing culture of privacy and security, where patient health information is protected and secure, and cybersecurity is realized,” ONC noted in a 2014 story published on HealthITBuzz. “If providers have this mindset, we are headed in a secure direction.”