Risk and Regulation - Learning from the EHR Experience
I spent last week in Las Vegas, attending and presenting at the BSidesLV information security conference. My topic? System dynamics for information security! I think my presentation was a success in sparking interest, which makes me happy. Onward to this week(end)’s essay….
I’m thinking this week of effective versus misapplied risk management. Effective risk management doesn’t just mean, “We reduced risk.” It means, “We reduced risk without weighing down the process so much that we introduced worse risks or simply shifted risk elsewhere.” Shifted risk is not reduced risk, but it can easily become hidden risk, hard to measure and therefore difficult to address.
For example, how does a company know who never applied because they didn’t want to deal with all the compliance paperwork a particular job entails? Where did all those people who didn’t apply go, and what did they do instead? Did those people go on to add more risk to the system through their choices, either by commission or by omission?
These types of questions are almost impossible to answer with any level of accuracy, yet where the best and brightest choose to work (or don’t) plays a huge role in the success of companies, economies, and countries. These are important dynamics!
On shifting risk
So, we need to do risk management, but we don’t want to make it so onerous that we chase potential A-players away from important roles.
Let’s talk about electronic health records (EHR) systems, which were incentivized by the American Recovery and Reinvestment Act of 2009. The intent of pushing for electronic health records was good, but the implementation was, in my view, a disaster.
Here’s the intent (legalese ahead!): among other provisions, the law says a medical professional should be, “using certified EHR technology in a meaningful manner, which shall include the use of electronic prescribing as determined to be appropriate,” and, “such certified EHR technology is connected in a manner that provides, in accordance with law and standards applicable to the exchange of information, for the electronic exchange of health information to improve the quality of health care, such as promoting care coordination.”1
What does this mean? In plain English, the law envisions that a patient’s medical history could be synced across doctors’ offices, hospitals, labs, and urgent cares, so duplicate tests—and, especially, duplicate prescriptions—could be eliminated.
Implementation and fragmentation
In many cases, that’s not what happened in practice. As of 2022, there were several EHR system vendors in the United States, such as Epic, Oracle Cerner, Meditech, CPSI, Altera Digital Health, and Medhost, and interoperability among them remains imperfect despite consolidation in recent years.
As a personal anecdote, when I visit a new medical office, I usually have to fill out my health information from scratch, including medical history, contact information, and insurance numbers. Only rarely have I encountered a system that knew anything about me in advance. So, if the goal was, “Link patients’ medical records across providers,” that outcome has largely not manifested for me.2 (Patients who see doctors mostly within a single healthcare system are likely having a different experience.)
Raising hard questions
Even worse, though, EHRs have by many accounts made the practice of medicine worse for doctors. This 2019 New York Times op-ed offers a doctor’s take on downsides of EHR, this 2020 series of letters to the editor shares a few more views of pluses and minuses, and this December 2019 article states eloquently that doctors and nurses spend about half their time “treating the screen, not the patient.”3
Potentially making things worse, compliance requirements are a fact of life in a litigious society, and as new requirements inevitably pop up, an obvious and easy way to address them might be, “Add a field to our EHR system.” Over time, that could tally to a heap of added work that may not benefit the core practice of medicine.
If increases in paperwork are boosting burnout or even deterring future doctors from pursuing the field, that’s a terrible second-order effect—and I’d argue it wasn’t worth whatever risk reduction EHRs wrought.
A financial example
Shifting focus to the financial industry, the Payment Card Industry (PCI) standards had noble goals (protecting credit card data), but implementation initially turned out to be a checklist nightmare for many small businesses. Their response was, in some cases, to outsource payments to PCI-certified vendors like Shopify and Stripe, so the regulation likely increased centralization around large vendors.
This shifting of risk largely worked because small businesses could keep focusing on their core businesses (after some painful adaptation and possibly fines). For whatever reason, the healthcare industry doesn’t seem to have achieved as reasonable a result with EHRs.
Why rehash sub-optimal outcomes of regulation?
I mention EHRs and PCI as cautionary tales because regulation is a hot topic in technology right now, and rightly so. Regulation is a necessary (though not on its own sufficient) component of ensuring AI controls catch up to, begin to keep pace with, and ultimately outpace AI capabilities as technology advances and risks increase.
It will be vital to get AI regulation right. An EHR-like outcome would be disastrous and likely would increase risk in the system overall, either by shifting activity into less regulated jurisdictions or by incentivizing sub-optimal implementation of controls.
In my March essay on System Dynamics and AI Regulation, I included this causal loop diagram on the dynamics of well-crafted versus poorly crafted regulation:
In this diagram, “failures of regulation” describes a situation where a poorly crafted or outdated regulation actually increases risk in the system. Fortunately, that path isn’t a foregone conclusion; well-crafted regulation is feasible and easily identifiable by experienced regulators during the crafting process.
As we move forward, it bears keeping in mind how the paths we follow can shape likely outcomes—and spending the time and effort needed to choose the right road.
“H.R. 1: American Recovery and Reinvestment Act of 2009.” https://www.congress.gov/bill/111th-congress/house-bill/1/text
However, one of the main reasons I chose my doctors is that they spend most of each visit talking with and examining me, not typing into a computer. I don’t think I’m alone in this choice, and I believe the rise of concierge and no-insurance-accepted medical offices is an unintended consequence of vastly increased insurance and EHR paperwork, which in turn has vastly increased inequity of access in the healthcare system. That’s a really important shifting of risks that hasn’t received enough acknowledgment.
Brown, Theresa, and Stephen Bergman. “Doctors, Nurses and the Paperwork Crisis That Could Unite Them.” The New York Times, December 31, 2019. https://www.nytimes.com/2019/12/31/opinion/doctors-nurses-and-the-paperwork-crisis-that-could-unite-them.html
Congratulations on the Conference -- hope you enjoyed presenting and learning. Solutions to inter-operability and compliance are challenging. I would imagine healthcare is so fragmented, it is not easy. Years ago I worked at a startup. We were contracted by a major hospital system in Boston (Brigham Women's) to implement a system for them. It's function does not matter. What was clear at the time was it was the wild west and Hospital systems could do whatever they please. Great for us. We did our best. We made money. We resold the solution to others. Utterly ridiculous when I think about the consequences of our design. When I contemplate what we built, it seems inevitable our product, operating in isolation could easily kill people.
The larger vendors (Epic, Oracle, etal) take advantage of this fragmentation to get lock-in. Successful regulation and compliance exists and it seems to me it always follows from compliance. The Underwriters Laboratory (UL) listing process, the National Electric Code (NEC) and Request for Comment (RFC) systems are all great examples. None of my examples are mysterious. They are SIMPLY mandated cooperation at the lowest level. All of my examples happen to be thanks to the Institute of Electrical and Electronic Engineers (IEEE). Regulations and standards should be the price of entry into markets which can impact us directly. Standards are a sensible means to endear trust.
Excellent article Stephanie. We are watching this play out in real time in the medical device industry. The new medical device regulation in the EU (EU-MDR) is creating a lot more chaos than necessary in the name of safety.