What if an EHR fails?

Well...that escalated quickly.

The life of Silicon Valley Bank went into roller coaster mode last week as the bank announced a share offering to offset nearly $2 billion in losses. Depositors, many of whom are startups or are connected to venture capital, promptly fled to the tune of $42 billion in a single day, and the fallout has pulled Signature Bank down with it and hammered plenty of regional financial institutions.

All this begs the question of whether we can draw any lessons for healthcare and interoperability. I'll concede that the comparisons can't be exact, but if we suspend some disbelief, what would happen in the extreme case of an EHR suddenly becoming unavailable to patients and providers? What harm could that do and is there anything we can do to prepare?

Long odds

Let's be clear that there are no signs that any major EHR companies are imminently threatened, nor would a collapse play out in the same way. At the most basic level, banks operate by accepting your deposits and making money on them through loans and investments. If a large number of account holders suddenly want to yank out their cash, a bank may have to sell securities (potentially at a loss) or borrow money to meet the demand.

EHRs are much different. While they will gladly take in more of your data and repurpose it for analytics, algorithms, and automation, wiping it out is a harder process. For one, data retention regulations obligate healthcare providers to hold on to your information for years, and in the US there is no right to be forgotten. Nor is there any practical risk of a "run" that threatens an EHR's solvency. Revenue for an EHR company is typically dependent on factors like the number of concurrent users or the number of licensed modules, rather than the raw quantity of data on a hard drive.

A better bet

Instead, the more likely parallel to what we see in the financial world is the issue of access to your data. Suppose you woke up to the news that all patient records at your primary source of healthcare were inaccessible. Such a scenario isn't far-fetched; it could occur if a health system that hosts the EHR itself suddenly closes its doors, or a ransomware attack forces IT systems offline, or a provider simply doesn't pay its bills.

Thankfully such instances are rare and usually temporary, but that isn't guaranteed. Healthcare lacks a mechanism like the FDIC to serve as a backstop and restore faith and availability in times of crisis. If your data were permanently locked away, treatment would be disrupted, digital health apps that rely on connections to your patient record would be rendered ineffective, and transitioning to a new care provider would be very difficult. Patients would need to rebuild their clinical history from scratch, and the government won't be coming to the rescue.

Coming out ahead

What can we do to address this challenge? On a personal level, we should treat our health information like any other irreplaceable asset and back it up on a regular basis. Federal rules require certified EHRs to facilitate exporting your clinical information and exchanging it via APIs, so much like you might save important family photos on a flash drive, you can leverage these mandatory features to create a copy of your data for safekeeping. Perhaps downloading and archiving a copy of your medical information becomes an annual household ritual, like checking your credit report or getting an eye exam.

This is admittedly only a partial solution, however, and revised policies are warranted. The current regulations simply require that the APIs support USCDI v1, so not all EHRs will allow retrieving things like diagnostic reports, encounter information, and detailed problems and medications. Policymakers should raise the bar for EHR developers and push them to support the latest version of USCDI, so that patients can safely archive a larger subset of their data.

CMS should also press forward with the Patient API and Provider API requirements in its proposed prior authorization rule. While probably not CMS' primary intent of the proposal, these APIs open new options for patients and providers to retrieve valuable clinical data directly from payers, which could be a lifesaver if EHR data is inaccessible. The rule wouldn't help the uninsured population or Medicare Fee-for-Service members, but it would nonetheless help a significant majority of patients lower the risk of permanent loss of their medical history.