Electronic health records in the United States

Federal and state governments, insurance companies and other large medical institutions are heavily promoting the adoption of electronic health records. The US Congress included a formula of both incentives (up to $44,000 per physician under Medicare, or up to $65,000 over six years under Medicaid) and penalties (i.e. decreased Medicare and Medicaid reimbursements to doctors who fail to use EMRs by 2015, for covered patients) for EMR/EHR adoption versus continued use of paper records as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the, American Recovery and Reinvestment Act of 2009.

The 21st Century Cures Act, passed in 2016, prohibited information blocking, which had slowed interoperability. In 2018, the Trump administration announced the MyHealthEData initiative to further allow for patients to receive their health records. The federal Office of the National Coordinator for Health Information Technology leads these efforts.

One VA study estimates its electronic medical record system may improve overall efficiency by 6% per year, and the monthly cost of an EMR may (depending on the cost of the EMR) be offset by the cost of only a few "unnecessary" tests or admissions. Jerome Groopman disputed these results, publicly asking "how such dramatic claims of cost-saving and quality improvement could be true". A 2014 survey of the American College of Physicians member sample, however, found that family practice physicians spent 48 minutes more per day when using EMRs. 90% reported that at least 1 data management function was slower after EMRs were adopted, and 64% reported that note writing took longer. A third (34%) reported that it took longer to find and review medical record data, and 32% reported that it was slower to read other clinicians' notes.

Coverage
In a 2008 survey by DesRoches et al. of 4484 physicians (62% response rate), 83% of all physicians, 80% of primary care physicians, and 86% of non-primary care physicians had no EHRs. "Among the 83% of respondents who did not have electronic health records, 16%" had bought, but not implemented an EHR system yet. The 2009 National Ambulatory Medical Care Survey of 5200 physicians (70% response rate) by the National Center for Health Statistics showed that 51.7% of office-based physicians did not use any EMR/EHR system.

In the United States, the CDC reported that the EMR adoption rate had steadily risen to 48.3 percent at the end of 2009. This is an increase over 2008 when only 38.4% of office-based physicians reported using fully or partially electronic medical record systems (EMR) in 2008. However, the same study found that only 20.4% of all physicians reported using a system described as minimally functional and including the following features: orders for prescriptions, orders for tests, viewing laboratory or imaging results, and clinical progress notes. As of 2013, 78 percent of office physicians are using basic electronic medical records. As of 2014, more than 80 percent of hospitals in the U.S.have adopted some type of EHR. Though within a hospital, the type of EHR data and mix varies significantly. Types of EHR data used in hospitals include structured data (e.g., medication information) and unstructured data (e.g., clinical notes).

The healthcare industry spends only 2% of gross revenues on Health Information Technology (HIT), which is low compared to other information intensive industries such as finance, which spend upwards of 10%.

The usage of electronic medical records can vary depending on who the user is and how they are using it. Electronic medical records can help improve the quality of medical care given to patients. Many doctors and office-based physicians refuse to get rid of traditional paper records. Harvard University has conducted an experiment in which they tested how doctors and nurses use electronic medical records to keep their patients' information up to date. The studies found that electronic medical records were very useful; a doctor or a nurse was able to find a patient's information fast and easy just by typing their name; even if it was misspelled. The usage of electronic medical records increases in some workplaces due to the ease of use of the system; whereas the president of the Canadian Family Practice Nurses Association says that using electronic medical records can be time-consuming, and it isn't very helpful due to the complexity of the system. Beth Israel Deaconess Medical Center reported that doctors and nurses prefer to use a much more friendly user software due to the difficulty and time it takes for medical staff to input the information as well as to find a patient's information. A study was done and the amount of information that was recorded in the EMRs was recorded; about 44% of the patient's information was recorded in the EMRs. This shows that EMRs are not very efficient most of the time.

The cost of implementing an EMR system for smaller practices has also been criticized; data produced by the Robert Wood Johnson Foundation demonstrates that the first-year investment for an average five-person practice is $162,000 followed by about $85,000 in maintenance fees. Despite this, tighter regulations regarding meaningful use criteria and national laws (Health Information Technology for Economic and Clinical Health Act and the Affordable Care Act) have resulted in more physicians and facilities adopting EMR systems:


 * Software, hardware and other services for EMR system implementation are provided for cost by various companies including Dell.
 * Open source EMR systems exist but have not seen widespread adoption of open-source EMR system software.

Beyond financial concerns there are a number of legal and ethical dilemmas created by increasing EMR use, including the risk of medical malpractice due to user error, server glitches that result in the EMR not being accessible, and increased vulnerability to hackers.

Legal status
Electronic medical records, like other medical records, must be kept in unaltered form and authenticated by the creator. Under data protection legislation, the responsibility for patient records (irrespective of the form they are kept in) is always on the creator and custodian of the record, usually a health care practice or facility. This role has been said to require changes such that the sole medico-legal record should be held elsewhere. The physical medical records are the property of the medical provider (or facility) that prepares them. This includes films and tracings from diagnostic imaging procedures such as X-ray, CT, PET, MRI, ultrasound, etc. The patient, however, according to HIPAA, has a right to view the originals, and to obtain copies under law.

The Health Information Technology for Economic and Clinical Health Act (HITECH) (,§2.A.III & B.4) (a part of the 2009 stimulus package) set meaningful use of interoperable EHR adoption in the health care system as a critical national goal and incentivized EHR adoption. The "goal is not adoption alone but 'meaningful use' of EHRs—that is, their use by providers to achieve significant improvements in care."

Title IV of the act promises maximum incentive payments for Medicaid to those who adopt and use "certified EHRs" of $63,750 over 6 years beginning in 2011. Eligible professionals must begin receiving payments by 2016 to qualify for the program. For Medicare the maximum payments are $44,000 over 5 years. Doctors who do not adopt an EHR by 2015 will be penalized 1% of Medicare payments, increasing to 3% over 3 years. In order to receive the EHR stimulus money, the HITECH Act requires doctors to show "meaningful use" of an EHR system. As of June 2010, there were no penalty provisions for Medicaid.

In 2017 the government announced its first False Claims Act settlement with an electronic health records vendor for misrepresenting its ability to meet “meaningful use” standards and therefore receive incentive payments. eClinicalWorks paid $155 million to settle charges that it had failed to meet all government requirements, failed to adequately test its software, failed to fix certain bugs, failed to ensure data portability, and failed to reliably record laboratory and diagnostic imaging orders. The government also alleged that eClinicalWorks paid kickbacks to influential customers who recommended its products. The case marks the first time the government applied the federal Anti-Kickback Statute law to the promotion and sale of an electronic health records system. The False Claims Act lawsuit was brought by a whistleblower who was a New York City employee implementing eClinicalWorks’ system at Rikers Island Correctional Facility when he became aware of the software flaws. His “qui tam” case was later joined by the government. Notably, CMS has said it will not punish eClinicalWorks clients that "in good faith" attested to using the software.

Health information exchange (HIE) has emerged as a core capability for hospitals and physicians to achieve "meaningful use" and receive stimulus funding. Healthcare vendors are pushing HIE as a way to allow EHR systems to pull disparate data and function on a more interoperable level.

Starting in 2015, hospitals and doctors will be subject to financial penalties under Medicare if they are not using electronic health records.

Goals and objectives

 * Improve care quality, safety, efficiency, and reduce health disparities
 * Quality and safety measurement
 * Clinical decision support (automated advice) for providers
 * Patient registries (e.g., "a directory of patients with diabetes")


 * Improve care coordination
 * Engage patients and families in their care
 * Improve population and public health
 * Electronic laboratory reporting for reportable conditions (hospitals)
 * Immunization reporting to immunization registries
 * Syndromic surveillance (health event awareness)


 * Ensure adequate privacy and security protections
 * Predict future health conditions through machine learning before diagnoses

Quality
Studies call into question whether, in real life, EMRs improve the quality of care. 2009 produced several articles raising doubts about EMR benefits. A major concern is the reduction of physician-patient interaction due to formatting constraints. For example, some doctors have reported that the use of check-boxes has led to fewer open-ended questions.

Meaningful use
The main components of meaningful use are: In other words, providers need to show they're using certified EHR technology in ways that can be measured significantly in quality and in quantity.
 * The use of a certified EHR in a meaningful manner, such as e-prescribing.
 * The use of certified EHR technology for the electronic exchange of health information to improve the quality of health care.
 * The use of certified EHR technology to submit clinical quality and other measures.

The meaningful use of EHRs intended by the US government incentives is categorized as follows:


 * Improve care coordination
 * Reduce healthcare disparities
 * Engage patients and their families
 * Improve population and public health
 * Ensure adequate privacy and security

The Obama Administration's Health IT program intends to use federal investments to stimulate the market of electronic health records:


 * Incentives: to providers who use IT
 * Strict and open standards: To ensure users and sellers of EHRs work towards the same goal
 * Certification of software: To provide assurance that the EHRs meet basic quality, safety, and efficiency standards

The detailed definition of "meaningful use" is to be rolled out in 3 stages over a period of time until 2017. Details of each stage are hotly debated by various groups.

Meaningful use Stage 1
The first steps in achieving meaningful use are to have a certified electronic health record (EHR) and to be able to demonstrate that it is being used to meet the requirements. Stage 1 contains 25 objectives/measures for Eligible Providers (EPs) and 24 objectives/measures for eligible hospitals. The objectives/measures have been divided into a core set and menu set. EPs and eligible hospitals must meet all objectives/measures in the core set (15 for EPs and 14 for eligible hospitals). EPs must meet 5 of the 10 menu-set items during Stage 1, one of which must be a public health objective.

Full list of the Core Requirements and a full list of the Menu Requirements.

Core Requirements:


 * 1) Use computerized order entry for medication orders.
 * 2) Implement drug-drug, drug-allergy checks.
 * 3) Generate and transmit permissible prescriptions electronically.
 * 4) Record demographics.
 * 5) Maintain an up-to-date problem list of current and active diagnoses.
 * 6) Maintain active medication list.
 * 7) Maintain active medication allergy list.
 * 8) Record and chart changes in vital signs.
 * 9) Record smoking status for patients 13 years old or older.
 * 10) Implement one clinical decision support rule.
 * 11) Report ambulatory quality measures to CMS or the States.
 * 12) Provide patients with an electronic copy of their health information upon request.
 * 13) Provide clinical summaries to patients for each office visit.
 * 14) Capability to exchange key clinical information electronically among providers and patient authorized entities.
 * 15) Protect electronic health information (privacy & security)

Menu Requirements:


 * 1) Implement drug-formulary checks.
 * 2) Incorporate clinical lab-test results into certified EHR as structured data.
 * 3) Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research, and outreach.
 * 4) Send reminders to patients per patient preference for preventive/ follow-up care
 * 5) Provide patients with timely electronic access to their health information (including lab results, problem list, medication lists, allergies)
 * 6) Use certified EHR to identify patient-specific education resources and provide to the patient if appropriate.
 * 7) Perform medication reconciliation as relevant
 * 8) Provide a summary care record for transitions in care or referrals.
 * 9) Capability to submit electronic data to immunization registries and actual submission.
 * 10) Capability to provide electronic syndromic surveillance data to public health agencies and actual transmission.

To receive federal incentive money, CMS requires participants in the Medicare EHR Incentive Program to "attest" that during a 90-day reporting period, they used a certified EHR and met Stage 1 criteria for meaningful use objectives and clinical quality measures. For the Medicaid EHR Incentive Program, providers follow a similar process using their state's attestation system.

Meaningful use Stage 2
The government released its final ruling on achieving Stage 2 of meaningful use in August 2012. Eligible providers will need to meet 17 of 20 core objectives in Stage 2, and fulfill three out of six menu objectives. The required percentage of patient encounters that meet each objective has generally increased over the Stage 1 objectives.

While Stage 2 focuses more on information exchange and patient engagement, many large EHR systems have this type of functionality built into their software, making it easier to achieve compliance. Also, for those eligible providers who have successfully attested to Stage 1, meeting Stage 2 should not be as difficult, as it builds incrementally on the requirements for the first stage.

Meaningful use Stage 3
On March 20, 2015 CMS released its proposed rule for Stage 3 meaningful use. These new rules focus on some of the tougher aspects of Stage 2 and require healthcare providers to vastly improve their EHR adoption and care delivery by 2018.

Costs
The price of EMR and provider uncertainty regarding the value they will derive from adoption in the form of return on investment have a significant influence on EMR adoption. In a project initiated by the Office of the National Coordinator for Health Information, surveyors found that hospital administrators and physicians who had adopted EMR noted that any gains in efficiency were offset by reduced productivity as the technology was implemented, as well as the need to increase information technology staff to maintain the system.

The U.S. Congressional Budget Office concluded that the cost savings may occur only in large integrated institutions like Kaiser Permanente, and not in small physician offices. They challenged the Rand Corporation's estimates of savings.

"Office-based physicians in particular may see no benefit if they purchase such a product—and may even suffer financial harm. Even though the use of health IT could generate cost savings for the health system at large that might offset the EMR's cost, many physicians might not be able to reduce their office expenses or increase their revenue sufficiently to pay for it. For example. the use of health IT could reduce the number of duplicated diagnostic tests. However, that improvement in efficiency would be unlikely to increase the income of many physicians. ...Given the ease at which information can be exchanged between health IT systems, patients whose physicians use them may feel that their privacy is more at risk than if paper records were used."

Doubts have been raised about cost saving from EMRs by researchers at Harvard University, the Wharton School of the University of Pennsylvania, Stanford University, and others.

Start-up costs
In a survey by DesRoches et al. (2008), 66% of physicians without EHRs cited capital costs as a barrier to adoption, while 50% were uncertain about the investment. Around 56% of physicians without EHRs stated that financial incentives to purchase and/or use EHRs would facilitate adoption. In 2002, initial costs were estimated to be $50,000–70,000 per physician in a 3-physician practice. Since then, costs have decreased with increasing adoption. A 2011 survey estimated a cost of $32,000 per physician in a 5-physician practice during the first 60 days of implementation.

One case study by Miller et al. (2005) of 14 small primary-care practices found that the average practice paid for the initial and ongoing costs within 2.5 years. A 2003 cost-benefit analysis found that using EMRs for 5 years created a net benefit of $86,000 per provider.

Some physicians are skeptical of the positive claims and believe the data is skewed by vendors and others with an interest in EHR implementation.

Brigham and Women's Hospital in Boston, Massachusetts, estimated it achieved net savings of $5 million to $10 million per year following installation of a computerized physician order entry system that reduced serious medication errors by 55 percent. Another large hospital generated about $8.6 million in annual savings by replacing paper medical charts with EHRs for outpatients and about $2.8 million annually by establishing electronic access to laboratory results and reports.

Maintenance costs
Maintenance costs can be high. Miller et al. found the average estimated maintenance cost was $8500 per FTE health-care provider per year.

Furthermore, software technology advances at a rapid pace. Most software systems require frequent updates, sometimes even server upgrades, and often at a significant ongoing cost. Some types of software and operating systems require full-scale re-implementation periodically, which disrupts not only the budget but also workflow. Costs for upgrades and associated regression testing can be particularly high where the applications are governed by FDA regulations (e.g. Clinical Laboratory systems). Physicians desire modular upgrades and ability to continually customize, without large-scale reimplementation.

Training costs
Training of employees to use an EHR system is costly, just as for training in the use of any other hospital system. New employees, permanent or temporary, will also require training as they are hired.

In the United States, a substantial majority of healthcare providers train at a VA facility sometime during their career. With the widespread adoption of the Veterans Health Information Systems and Technology Architecture (VistA) electronic health record system at all VA facilities, fewer recently-trained medical professionals will be inexperienced in electronic health record systems. Older practitioners who are less experienced in the use of electronic health record systems will retire over time.

Software quality and usability deficiencies
The Healthcare Information and Management Systems Society, a very large U.S. health care IT industry trade group, observed that EMR adoption rates "have been slower than expected in the United States, especially in comparison to other industry sectors and other developed countries. A key reason, aside from initial costs and lost productivity during EMR implementation, is lack of efficiency and usability of EMRs currently available." The U.S. National Institute of Standards and Technology of the Department of Commerce studied usability in 2011 and lists a number of specific issues that have been reported by health care workers. The U.S. military's EMR "AHLTA" was reported to have significant usability issues.

Lack of semantic interoperability
In the United States, there are no standards for semantic interoperability of health care data; there are only syntactic standards. This means that while data may be packaged in a standard format (using the pipe notation of HL7, or the bracket notation of XML), it lacks definition, or linkage to a common shared dictionary. The addition of layers of complex information models (such as the HL7 v3 RIM) does not resolve this fundamental issue.

As of 2018, Fast Healthcare Interoperability Resources was a leading interoperability standard, and the Argonaut Project is a privately sponsored interoperability initiative.

In 2017, Epic Systems announced Share Everywhere, which lets providers access medical information through a portal; their platform was described as "closed" in 2014, with competitors sponsoring the CommonWell Health Alliance.

The economics of sharing have been blamed for the lack of interoperability, as limited data sharing can help providers retain customers.

Implementations
In the United States, the Department of Veterans Affairs (VA) has the largest enterprise-wide health information system that includes an electronic medical record, known as the Veterans Health Information Systems and Technology Architecture (VistA). A key component in VistA is their VistA imaging System which provides a comprehensive multimedia data from many specialties, including cardiology, radiology, and orthopedics. A graphical user interface known as the Computerized Patient Record System (CPRS) allows health care providers to review and update a patient's electronic medical record at any of the VA's over 1,000 healthcare facilities. CPRS includes the ability for Licensed Practitioners to place orders, including medications, special procedures, X-rays, patient care nursing orders, diets, and laboratory tests.

The 2003 National Defense Authorization Act (NDAA) ensured that the VA and DoD would work together to establish a bidirectional exchange of reference quality medical images. Initially, demonstrations were only worked in El Paso, Texas, but capabilities have been expanded to six different locations of VA and DoD facilities. These facilities include VA polytrauma centers in Tampa and Richmond, Denver, North Chicago, Biloxi, and the National Capitol Area medical facilities. Radiological images such as CT scans, MRIs, and x-rays are being shared using the BHIE. Goals of the VA and DoD in the near future are to use several image sharing solutions (VistA Imaging and DoD Picture Archiving & Communications System (PACS) solutions).



Clinical Data Repository/Health Data Repository (CDHR) is a database that allows for the sharing of patient records, especially allergy and pharmaceutical information, between the Department of Veteran Affairs (VA) and the Department of Defense (DoD) in the United States. The program shares data by translating the various vocabularies of the information being transmitted, allowing all of the VA facilities to access and interpret the patient records. The Laboratory Data Sharing and Interoperability (LDSI) application is a new program being implemented to allow sharing at certain sites between the VA and DoD of "chemistry and hematology laboratory tests". Unlike the CHDR, the LDSI is currently limited in its scope.

One attribute for the start of implementing EHRs in the States is the development of the Nationwide Health Information Network which is a work in progress and still being developed. This started with the North Carolina Healthcare Information and Communication Alliance founded in 1994 and who received funding from Department of Health and Human Services.

The Department of Veterans Affairs and Kaiser Permanente has a pilot program to share health records between their systems VistA and HealthConnect, respectively. This software called 'CONNECT' uses Nationwide Health Information Network standards and governance to make sure that health information exchanges are compatible with other exchanges being set up throughout the country. CONNECT is an open-source software solution that supports electronic health information exchange. The CONNECT initiative is a Federal Health Architecture project that was conceived in 2007 and initially built by 20 various federal agencies and now comprises more than 500 organizations including federal agencies, states, healthcare providers, insurers, and health IT vendors.

The US Indian Health Service uses an EHR similar to Vista called RPMS. VistA Imaging is also being used to integrate images and co-ordinate PACS into the EHR system. In Alaska, use of the EHR by the Kodiak Area Native Association has improved screening services and helped the organization reach all 21 clinical performance measures defined by the Indian Health Service as required by the Government Performance and Results Act.

Privacy and confidentiality
In the United States in 2011 there were 380 major data breaches involving 500 or more patients' records listed on the website kept by the United States Department of Health and Human Services (HHS) Office for Civil Rights. So far, from the first wall postings in September 2009 through the latest on 8 December 2012, there have been 18,059,831 "individuals affected," and even that massive number is an undercount of the breach problem. The civil rights office has not released all of the records of tens of thousands of breaches in the United States, it has received under a federal reporting mandate on breaches affecting fewer than 500 patients per incident.

Privacy concerns in healthcare apply to both paper and electronic records. According to the Los Angeles Times, roughly 150 people (from doctors and nurses to technicians and billing clerks) have access to at least part of a patient's records during a hospitalization, and 600,000 payers, providers and other entities that handle providers' billing data have some access also. Recent revelations of "secure" data breaches at centralized data repositories, in banking and other financial institutions, in the retail industry, and from government databases, have caused concern about storing electronic medical records in a central location. Records that are exchanged over the Internet are subject to the same security concerns as any other type of data transaction over the Internet.

The Health Insurance Portability and Accountability Act (HIPAA) was passed in the US in 1996 to establish rules for access, authentications, storage and auditing, and transmittal of electronic medical records. This standard made restrictions for electronic records more stringent than those for paper records. However, there are concerns as to the adequacy of these standards.

In the United States, information in electronic medical records is referred to as Protected Health Information (PHI) and its management is addressed under the Health Insurance Portability and Accountability Act (HIPAA) as well as many local laws. The HIPAA protects a patient's information; the information that is protected under this act are: information doctors and nurses input into the electronic medical record, conversations between a doctor and a patient that may have been recorded, as well as billing information. Under this act there is a limit as to how much information can be disclosed, and as well as who can see a patient's information. Patients also get to have a copy of their records if they desire, and get notified if their information is ever to be shared with third parties. Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; or to identify or locate a suspect, fugitive, material witness, or missing person.

Medical and health care providers experienced 767 security breaches resulting in the compromised confidential health information of 23,625,933 patients during the period of 2006–2012.

One major issue that has risen on the privacy of the US network for electronic health records is the strategy to secure the privacy of patients. Former US president George W. Bush called for the creation of networks, but federal investigators report that there is no clear strategy to protect the privacy of patients as the promotions of the electronic medical records expands throughout the United States. In 2007, the Government Accountability Office reports that there is a "jumble of studies and vague policy statements but no overall strategy to ensure that privacy protections would be built into computer networks linking insurers, doctors, hospitals and other health care providers."

The privacy threat posed by the interoperability of a national network is a key concern. One of the most vocal critics of EMRs, New York University Professor Jacob M. Appel, has claimed that the number of people who will need to have access to such a truly interoperable national system, which he estimates to be 12 million, will inevitably lead to breaches of privacy on a massive scale. Appel has written that while "hospitals keep careful tabs on who accesses the charts of VIP patients," they are powerless to act against "a meddlesome pharmacist in Alaska" who "looks up the urine toxicology on his daughter's fiance in Florida, to check if the fellow has a cocaine habit." This is a significant barrier for the adoption of an EHR. Accountability among all the parties that are involved in the processing of electronic transactions including the patient, physician office staff, and insurance companies, is the key to successful advancement of the EHR in the US Supporters of EHRs have argued that there needs to be a fundamental shift in "attitudes, awareness, habits, and capabilities in the areas of privacy and security" of individual's health records if adoption of an EHR is to occur.

According to The Wall Street Journal, the DHHS takes no action on complaints under HIPAA, and medical records are disclosed under court orders in legal actions such as claims arising from automobile accidents. HIPAA has special restrictions on psychotherapy records, but psychotherapy records can also be disclosed without the client's knowledge or permission, according to the Journal. For example, Patricia Galvin, a lawyer in San Francisco, saw a psychologist at Stanford Hospital & Clinics after her fiance committed suicide. Her therapist had assured her that her records would be confidential. But after she applied for disability benefits, Stanford gave the insurer her therapy notes, and the insurer denied her benefits based on what Galvin claims was a misinterpretation of the notes.

Within the private sector, many companies are moving forward in the development, establishment, and implementation of medical record banks and health information exchange. By law, companies are required to follow all HIPAA standards and adopt the same information-handling practices that have been in effect for the federal government for years. This includes two ideas, standardized formatting of data electronically exchanged and federalization of security and privacy practices among the private sector. Private companies have promised to have "stringent privacy policies and procedures." If protection and security are not part of the systems developed, people will not trust the technology nor will they participate in it. There is also debate over ownership of data, where private companies tend to value and protect data rights, but the patients referenced in these records may not have knowledge that their information is being used for commercial purposes.

In 2013, reports based on documents released by Edward Snowden revealed that the NSA had succeeded in breaking the encryption codes protecting electronic health records, among other databases.

In 2015, 4.5 million health records were hacked at UCLA Medical Center.

In 2018, Social Indicators Research published the scientific evidence of 173,398,820 (over 173 million) individuals affected in USA from October 2008 (when the data were collected) to September 2017 (when the data was uploaded for the statistical analysis).

Regulatory compliance

 * Health Level 7

In the United States, reimbursement for many healthcare services is based upon the extent to which specific work by healthcare providers is documented in the patient's medical record. Enforcement authorities in the United States have become concerned that functionality available in many electronic health records, especially copy-and-paste, may enable fraudulent claims for reimbursement. The authorities are concerned that healthcare providers may easily use these systems to create documentation of medical care that did not actually occur. These concerns came to the forefront in 2012, in a joint letter from the U.S. Departments of Justice and Health and Human Services to the American hospital community. The American Hospital Association responded, focusing on the need for clear guidance from the government regarding permissible and prohibited conduct using electronic health records. In a December 2013 audit report, the U.S. HHS Office of the Inspector General (OIG) issued an audit report reiterating that vulnerabilities continue to exist in the operation of electronic health records. The OIG's 2014 Workplan indicates an enhanced focus on providers' use of electronic health records.

Medical data breach
The Security Rule, according to Health and Human Services (HHS), establishes a security framework for small practices as well as large institutions. All covered entities must have a written security plan. The HHS identifies three components as necessary for the security plan: administrative safeguards, physical safeguards, and technical safeguards.

However, medical and healthcare providers have experienced 767 security breaches resulting in the compromised confidential health information of 23,625,933 patients during the period of 2006–2012.

The Health Insurance Portability and Accessibility Act requires safeguards to limit the number of people who have access to personal information. However, given the number of people who may have access to your information as part of the operations and business of the health care provider or plan, there is no realistic way to estimate the number of people who may come across your records. Additionally, law enforcement access is authorized under the act. In some cases, medical information may be disclosed without a warrant or court order.

Breach notification
The Security Rule that was adopted in 2005 did not require breach notification. However, notice might be required by state laws that apply to a variety of industries, including health care providers. In California, a law has been in place since 2003 requiring that a HIPAA covered organization's breach could have triggered a notice even though notice was not required by the HIPAA Security Rule. Since 1 January 2009, California residents are required to receive notice of a health information breach.

Federal law and regulations now provide rights to notice of a breach of health information. The Health Information Technology for Economic and Clinical Health (HITECH) Act requires HHS and the Federal Trade Commission (FTC) to jointly study and report on privacy and data security of personal health information. HITECH also requires the agencies to issue breach notification rules that apply to HIPAA covered entities and Web-based vendors that store health information electronically. The FTC has adopted rules regarding breach notification for internet-based vendors.

Vendors
Vendors often focus on software for specific healthcare providers, including acute hospitals or ambulatory care.

In the hospital market, Epic, Cerner, MEDITECH, and CSPI (Evident Thrive) had the top market share at 28%, 26%, 9%, and 6% in 2018. For large hospitals with over 500 beds, Epic and Cerner had over 85% market share in 2019. In ambulatory care, Practice Fusion had the highest satisfaction, while in acute hospital care Epic scored relatively well.

Interoperability is a focus for systems; in 2018, Epic and athenahealth were rated highly for interoperability. Interoperability has been lacking, but is enhanced by certain compatibility features (e.g., Epic interoperates with itself via CareEverywhere) or in some cases regional or national networks, such as EHealth Exchange, CommonWell Health Alliance, and Carequality.

Vendors may use anonymized data for their own business or research purposes; for example, as of 2019 Cerner and AWS partnered using data for a machine learning tool.

History
As of 2006, systems with a computerized provider order entry (CPOE) had existed for more than 30 years, but by 2006 only 10% of hospitals had a fully integrated system.