Data Sharing in the Age of COVID-19: Why EHR Vendors Need a Closer Look

Amid the ongoing COVID-19 pandemic, insufficient health data sharing among electronic health record (EHR) systems in the U.S. has hindered our efforts to track the virus, contain its spread, and treat our most vulnerable patients.

An effective COVID-19 response requires timely and coordinated information sharing across all layers of the health care system. Although medical providers generally collect the patient data needed to order lab tests and assist public health officials, they often fail to communicate this information rapidly and efficiently to testing labs because their EHR systems cannot seamlessly exchange data.iAs a result, testing labs can’t report the information to public health agencies, which slows the COVID-19 response at critical junctures.ii Similarly, successful vaccination efforts require public health authorities to quickly gather and share vaccine information.iii A lack of EHR interoperability has systematically hindered all elements of our COVID-19 response strategy.

The U.S. government has taken steps toward greater digital health data exchange. The Health Information Portability and Accountability Act (HIPAA), enacted in 1996, permits medical providers to share patient health information using EHRs.iv Building on that legislation, the Health Information Technology for Clinical Health (HITECH) Act, passed in 2009, provided over $36 billion in financial incentives for physicians and hospitals to adopt software to keep track of their patients’ medical care through EHRs.v

Despite these efforts, health information exchange has moved slower than that of other industries. As of 2018, only 45 percent of hospitals routinely engaged in four dimensions of interoperability – finding, sending, receiving, and integrating data from outside providers.viBecause they provide the medium for health data exchange, EHR companies have been scrutinized for their role in its slow progression and suspected of engaging in information blocking – refusing to share healthcare data or limiting access to it to gain a competitive advantage.viiviii

In recent years, the EHR market has become more consolidated.ix The two most prominent vendors, Epic and Cerner, have built a combined 85% market share among large U.S. hospitals.xWhile consolidation in the EHR market may facilitate health information exchange across health systems, limited competition can disincentivize vendors from improving system interoperability and usability.xi

Several financial incentives may lead EHR companies to retain data and prevent physician and hospital customers from sharing it outside of business relationships controlled by the EHR company. First, an EHR company paid based on the number of individuals whose records they process has strong disincentives to make it easy for an individual to move their data to a competing provider.xii Second, the data held by an EHR company can be used for analytics, which are more informative and valuable if based on a greater volume of data.xiii Third, a lack of interoperability between EHRs may financially benefit them,xiv because interoperability enables other providers to acquire patient records outside the closed environment of this particular vendor.xvFourth, EHR developers may charge providers high fees for connectivity to other vendor systems to prevent them from using competing systems.xvi

In response to allegations of insufficient information sharing, EHR developers often argue that they need to restrict information sharing to protect their systems’ intellectual property.xviiFor example, Cerner’s terms of use prohibit the Los Angeles County Department of Health Services from disclosing “source code”.xviii When source code cannot be disclosed, competing EHR developers or physicians who hire their own software engineers, cannot develop the tools to engineer appropriate data connections between two vendors’ systems. Additionally, EHR developers cite data security as a barrier to information sharing, while major regulators have voiced concerns that EHR developers may strategically inflate security concerns to impede information exchange by undermining interoperability or inhibiting the sharing of information through competing EHR vendors.xix

As lawmakers became concerned that slow progress on health data interoperability was partly driven by information blocking, Congress requested the Office of the National Coordinator for Health Information Technology (ONC) to investigate.xx In April 2015, ONC published a report on information blocking, which concluded that the practice was occurring and that EHR developers and healthcare providers were engaging in anticompetitive conduct by not exchanging health information outside their closed systems.xxi Following this report, Congress passed the 21st Century Cures Act in 2016, which defines information blocking and authorizes the HHS Office of the Inspector General (OIG) to combat it.xxii

Although policymakers have taken some critical steps toward greater data sharing, additional measures may be taken to improve data flow about the COVID-19 pandemic.

First, the Department of Health and Human Services (HHS) should use its authority under the HITECH Act of 2009 to require that EHRs report data to public health agencies as a condition for certification and set standards for capturing the correct data and making it accessible to public health agencies.xxiii

Second, HHS should require that EHR vendors offer access to application programming interfaces (APIs) for public health reporting at no cost so that governments can obtain the data they need regardless of budget constraints.xxiv Under the Cures Act, HHS provides that patients access APIs and get their health data free of cost.xxv However, EHR vendors charge hospital systems and medical application developers to use APIs.xxvi Just as patients benefit from free access to their health data, society would benefit from free access to public health data.

Finally, the Federal Trade Commission (FTC) should conduct a study surrounding health data exchange to better understand what actions are being taken by EHR systems to limit health data exchange and how these actions affect competition.xxvii The FTC could collect the number of health information exchange transactions between unaffiliated EHRs and the costs incurred in engineering connectivity between two different EHR systems for two providers who want to exchange data.xxviii

Sanjay Reddy is a second year JD/MPP candidate at Georgetown Law and Harvard Kennedy School. Previously, he worked as a legislative aide in the U.S. House of Representatives and as a data analyst for Tempus Labs, a health technology startup in Chicago, IL. Sanjay holds a BS in Cellular and Molecular Biology from the University of Michigan.