Introduction

Information technology (IT) has so pervaded our lives that we often take it for granted. Tens of billions of emails pass through cyberspace every day. Anyone with a credit card or an ATM card has access to cash 24 hours a day, seven days a week, in most countries. Thirty million U.S. workers now telecommute. These developments have made our lives more productive and more convenient.

One glaring exception, however, is the health care sector. There, IT is used only in a piecemeal fashion -- for limited tasks like scheduling appointments and accounting -- not as a means of streamlining all health care processes. Rather than sending prescriptions to pharmacists electronically, for example, most doctors continue to scribble them on paper, sometimes illegibly. Similarly, most doctors use paper medical charts instead of electronic records. Most hospitals do not mine data to find patterns of poor quality care. And health insurance plans and government programs like Medicare generate a massive flow of paper back to patients for processing routine medical claims instead of authorizing payments automatically.

Although some pioneering health care providers have launched comprehensive IT systems, patients are becoming impatient. Four of every 10 Americans have sought answers to their health care questions online instead of contacting a doctor, despite knowing that such information may not be reliable. Patients would do much more online if they could. Surveys show that most patients would like to check and refill prescriptions online, get test results, and email their doctors. As any patient who has carried X-rays from doctor to doctor knows, there has got to be a better way.

President Bush's proposed solution is a 10-year project, launched in 2004, that urges all doctors to keep their patient records electronically rather than on paper. So far, however, less than one-quarter of the country's doctors have begun doing so. In fact, only 9 percent have computer systems with the features that health care experts recommend. And none of the nation's doctors are connected to a network for sharing patients' records with other health care professionals providing care to the same patients.

Doctors are not connected to a national health information network, because no such network exists in the United States. What is more, the administration has dropped the ball in creating one, according to the U.S. General Accountability Office. That is unconscionable. A national health information network would provide the essential foundation for modernizing the U.S. health care system at a time when the system's soaring costs and retrograde inefficiencies constitute a dangerous drag on the country's economy and a glaring flaw in its social contract.

Merely asking doctors and other medical service providers to begin digitizing the records they keep on patients is insufficient because that will only create a series of disconnected electronic silos of patient information in doctors' offices, hospitals, medical testing labs, pharmacies, and elsewhere. Fragments of an individual patient's medical history will be spread far and wide: X-rays and MRI films in a medical lab here, a primary care physician's diagnostic notes in an office there, a specialist's notes in another office somewhere else, and so on. What is needed instead is a networked system that allows medical service providers to securely feed those disparate pieces of information into a single electronic history that is owned and controlled by the individual patient, and that represents the patient's complete medical record.

When a patient sees a doctor, she should be able to give the doctor an access code and a password to her private medical history. The doctor should then be able to view all of the key information contained in that history, ideally on a single computer screen. In the course of providing treatment, the doctor should be able to feed new information into the system to keep the patient's medical history up to date. Eventually, these patient-controlled electronic medical histories could become hubs at the center of a national health information network that seamlessly connects not just doctors and patients, but also hospitals, pharmacies, medical labs, and health insurance companies -- that is, all entities that offer medical services of any kind to American consumers. Such a network would give doctors more comprehensive patient information that they could use to improve the quality of care they provide. It could increase efficiency by expediting billing processes, cut costs by eliminating the need for redundant tests, and reduce medical errors by making it easier to flag dangerous drug interactions, for example. More generally, it would allow people to take greater control of their own health care.

Experts have been calling for such a system of secure, patient-controlled electronic health record (EHR) accounts for several years. In fact, a pilot EHR system, administered by the nonprofit organization Patient Safety Institute, is already up and running in three Seattle-area hospitals. Similar EHR systems are operating in Indianapolis, Kansas City, and Spokane, Washington. Under the leadership of Gov. Chris Gregoire (D), Washington state is expanding such pilots as part of a statewide health IT strategy.

It is noteworthy that these pilot EHR systems have been undertaken by organizations that are not medical service providers themselves. One reason President Bush's electronic health records plan is not likely to lay the groundwork for a national health information network is that it relies on doctors to take the initiative in going digital. But doctors do not have enough financial incentive to make the substantial IT investments necessary to create patient-controlled electronic health record accounts, because entities other than themselves -- especially the insurance companies and government programs that pay most of the country's medical bills -- will be the chief beneficiaries of the resulting efficiency gains.

Achieving 100 percent adoption of full-featured EHR systems will require an investment of approximately $115 billion. That is simply too much to ask of doctors and hospitals. Yet researchers at RAND estimate that the potential return on investment in EHR systems for the nation as a whole could be $5 for every dollar invested over a 15-year period -- about $500 billion in total. That creates an enormous opportunity for third parties to step into the breach, put up some investment capital, and make a profit by delivering efficiency gains. Commercial ventures or membership organizations like the AARP could finance the creation and maintenance of EHRs at no cost to patients by charging insurers, the government, and others a small fraction of the large benefits they will accrue as widespread use of EHRs produces new efficiencies and cost savings in the health care system.

But before such a health information market can emerge, PPI believes government must establish a regulatory framework that protects people's medical privacy and requires the players to use interoperable technologies, among other matters. For starters, there must be a highly secure means of administering EHR accounts and authorizing access to the data they contain. An analogy would be to the functions that VISA and MasterCard perform in administering credit card accounts and authorizing payments.

Just as financial institutions compete to offer consumers credit cards with different perks, PPI envisions a number of government-certified health record trusts competing to offer people their electronic health record accounts. The trusts could compete for people's business by offering EHRs with highly personalized features. For example, a trust might offer people with diabetes EHR accounts that automatically notify them when it is time to have check-ups on their eyes, feet, blood pressure, and blood sugar to prevent unnecessary blindness, amputations, heart disease, and other complications that are commonly related to diabetes. In fact, just as computers and the Internet have driven transformation in other sectors of the U.S. economy, the emergence of health record trusts offering EHR accounts will trigger the development of a host of revolutionary new computer applications for patients and health professionals.

The main responsibility for all health record trusts will be to gather patients' medical records into EHR accounts and authorize doctors, hospitals, pharmacies, insurance companies, and other entities in the health care sector to access the data according to patients' specific instructions. That level of patient control over medical data would be substantially stronger than current federal law, which generally does not require health service providers to ask permission before sharing patient records with other organizations. In addition, health record trusts should be required to provide patients with regular reports of who has been accessing their accounts, just as credit card billing statements list all charges to an account every month. Patients should also be able to view their medical records and correct inaccurate information.

The federal government can be a prime catalyst for electronic health records, since it pays for nearly half of the nation's health care bills through Medicare, Medicaid, and other programs, and since it subsidizes most private health care spending through tax breaks.

Congress should take the following steps to give all Americans access to a network of EHR accounts within the next three years:

1. Set federal rules for independent health record trusts. These standards should include privacy and security protections for patients, and interoperable IT standards for health care providers to transmit patient information back and forth with health record trusts. In addition, the government should create a certification process that bestows a regulatory seal of approval upon trusts that are verifiably adhering to these government standards. Just as the banking industry benefits from federal regulation that protects consumers' deposits, trusts will need federal regulations to assure patients that their health records will be permanently available according to their privacy preferences. Federal regulation also needs to assure doctors that they will have easy access to reliable information about their patients. Trusts will be responsible for working collaboratively to develop protocols for the private, confidential, and secure storage and transmission of patients' health records among all the players in the health care system. Reps. Dennis Moore (D-Kan.) and Paul Ryan (R-Wis.) and Sen. Sam Brownback (R-Kan.) have proposed legislation to promote such organizations.

2. Give patients a legal right of access to medical records that are already being stored electronically. Current federal law only gives patients a right to a paper copy of their records. Congress should require doctors, hospitals, health plans and other entities with electronic patient data to give a patient's health record trust access to that patient's information so it can be gathered together in an EHR account. The Moore-Brownback legislation and another bill by Reps. Patrick Kennedy (D-R.I.) and Dave Reichert (R-Wash.) would patients this legal right. In addition, Sen. Tom Carper (D-Del.) and Rep. Jon Porter (R-Nev.) have proposed legislation to require health plans in the Federal Employers Health Benefits program to give federal employees access to records stored in the computers of the health plans.

3. Strengthen patients' privacy rights. Regardless of where or in what form health records are stored, federal law should give patients the right to control who has access to them, review a list of people who see them, and be notified of any security breaches. These EHR accounts would give providers an inexpensive and easy way to protect patients' privacy and to follow their privacy preferences.

This paper examines the obstacles to health IT adoption; the creation of independent health record trusts; the use of patient health information that is "stranded" in the computers of medical testing labs, pharmacy benefit managers, and health insurance plans; and finally, changes in federal law needed to protect patient privacy.