Dear Secretary Leavitt:

Thank you for this opportunity to voice my opinion. To offer to your readers what I am about to write, took courage.

It is my understanding that the electronic health records you envision are intended to be interoperable between all providers. What if I told you that tomorrow morning, dentists will start running in the other direction? By May, the nation will be too busy with other issues to notice increasing numbers of dentists abandoning computerization altogether. However, you and I and some alert readers will witness dentists nationwide sacrifice efficiency in order to protect their patients from uncontrolled identity theft, as well as to protect their businesses from bankruptcy. It is no longer ethical, or safe for a dentist to be a covered entity.

By now you should already be aware that American dentists are not buying electronic dental records systems. In fact, because of the ever-increasing costs and liabilities of EDRs, the American Dental Association no longer actively promotes “paperless practices” to membership like they once did. Nobody wants to look that foolish in front of colleagues. It gets worse, Secretary Leavitt.

Almost 93% of dentists have computers in their offices (ADA Survey Center, 2007). That means at least 7% of dentists are satisfied using the old-fashioned pegboard and ledger card system of performing clerical work. The pegboard system, with carbon paper, was adequate for decades. Consider this: Dentists cannot take out teeth nor do fillings any faster than they could 50 years ago, no matter how many computers they have. Compared to whole body healthcare, the business of dentistry is incredibly simple even if the work is very intricate and performed in a challenging environment. After all, we only bill for procedures involving the lower 1/3 of the face.

So how big of a liability are office computers? I recently wrote the ADA to ask what a dentist should do if a computer containing patients’ identities is stolen in a burglary from a dentist’s office. Dr. John Findley, President-elect of the ADA, provided me a response. In the letter he sent, he forwarded information he obtained from the ADA legal department:

“It appears that under these circumstances the dentist may wish to notify affected patients that their information may have been compromised so that they can take necessary steps to protect themselves (i.e. cancel credit cards, notify social security about potentially stolen social security numbers…). (This communication is informational and personal consultation between the dentist and his or her attorney is recommended.) They should also check their state breach notification laws to determine if there is anything else that is required.

In this case, the Texas Identity Theft Enforcement and Protection Act (Texas Code Sec. 48 et seq) (the “Act”) covers data breach notification. The Act protects both “Personal Identifying Information,” which is defined as any information that alone, or in conjunction with other information, can be used to identify an individual and an individual’s:
A) name, social security number, date of birth, or government-issued identification number;
B) mother’s maiden name;
C) unique biometric data, including the individual’s fingerprint, voice print, and retina or iris image;
D) unique electronic identification number, address, or routing code; and
E) telecommunication access device.

The Act also protects “Sensitive Personal Information,” which is defined as an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:
i) social security number;
ii) driver’s license number or government-issued identification number; or
iii) account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

Sec. 48.102 of the Act creates a duty for businesses to protect and safeguard information through creating and implementing procedures for such purpose. If there is a breach in the security of information, the Act requires a business that maintains ‘Sensitive Personal Information” to notify the owners of such information as soon as possible that a breach has occurred. The Act specifies one of the following modes of notice to be provided:
1) written notice;
2) electronic notice, if the notice is provided in accordance with 15 U.S.C. Section 7001 (which basically requires that a consumer must consent to receiving such notice in electronic form); or
3) notice as provided by Subsection (f) (see below).

(f) If the person or business demonstrates that the cost of providing notice would exceed $250,000, the number of affected persons exceeds 500,000, or the person does not have sufficient contact information, the notice may be given by:
1) electronic mail, if the person has an electronic mail address for the affected persons;
2) conspicuous posting of the notice on the person’s website; or
3) notice published in or broadcast on major statewide media.

A person who violates the Act is liable to the state for a civil penalty of at least $2,000 but not more than $50,000 for each violation.”

Dr. Findley added that the information was found in the Identity Theft Enforcement and Protection Act, Chapter 48 of the Business and Commerce Act of Texas. (My dental practice is in Fort Worth, Texas).

As anyone can see, a stolen computer can mean bankruptcy, whether the incident is reported or not. Hackers leave no trace anyway. That is a big deterrent, Mr. Leavitt. A solution to this problem must be found quickly, because your EHRs will never interoperate with a steel box of ledger cards.

Sincerely, Darrell Pruitt DDS

cc: spamgroup

Mr. Secretary: Thank you for your visit to Des Moines,Iowa today (January 31, 2008) to discuss electronic health records. I was the Mercy Health Network representative who took a few minutes of your time to share our use of the integrated electronic health record across hospital and clinic sites.

As I mentioned, Mercy Health Network is a state-wide network of public/private partnerships comprised of a not-for-profit health system and county and city-owned rural hospitals across the state. For years we've been working to improve quality and safety for patients through IT implementation,and we've learned when it comes to improving the health of our communities, "we don't have a person to spare" in the effort.

A request for your views: What are the best ways to improve the provider/patient/payer partnership so everyone is pulling in the same direction? What is the role of city, state and federal government in driving change so we can prosper in the future?

Thank you very much for your time.

Dear Mr. Secretary,
I read with great interest what you have written about electronic records, including an article published about a week ago in the Des Moines Register.
I have heard and read that the VA system has a terrific EMR but will not release it for others to use. It seems to me that a great deal of money could be saved and the transition to EMR's would go much smoother if the VA would release their system to private practice doctors and hospitals to use. Do you have any comments on this issue?
We have been using an EMR at our local hospital for about a year now and I feel the benefits are enormous. Americans will be much better off with EMR's in use. Anthing that HHS or the VA could do to make it easier would be wonderful.

Sincerely,
Brian Ford, M.D.
Spirit Lake, IA

Dear Mr. Leavitt,

I had the honor of working with the CDC on the Case Notification and Common Data Store I.T. project over the past year. Great people but the contractors are not interested in building anything in a timely manner. It is a current waste of tax-payers dollars.