In an interesting turn, the Commerce Department’s National Institute for Standards and Technology (NIST) says it is looking to develop standards for evaluating ease-of-use of health IT systems. This raises some questions about the appropriate federal role in guiding the evolution of Electronic Health Records (EHR) systems – should the feds be specifying “usability standards” in the first place?
The NIST notice is currently very preliminary – they are simply looking for companies with expertise in quantifying and measuring Usability in health IT systems. However, the NIST has been charged with developing the specific testing and process documents that will be used (by organizations yet to be selected) to certify EHR systems. The overall policy and specification about Meaningful Use of a Certified EHR, which is needed to access ARRA stimulus moneys available beginning in 2011, have been published for open commentary. However, the specific nuts-and-bolts of certification is being hammered out by the NIST. They have already contracted with Booz Allen Hamilton to help with this process.Continue reading…
The concepts of “security” and “privacy” of medical information (Protected Health Information, or PHI) are closely intertwined. “Security,” as described in the second part of this series, has to do with breaking into medical data (either data at rest, or data in transit) and committing an act of theft. “Privacy,” on the other hand, has to do with permissions, and making sure that only the intended people can have access to PHI.
So, who actually “owns” the medical record? The legal status of medical records “ownership” is that they are the property of those who prepare them, rather than about whom they are concerned. These records are the medico-legal documentation of advice given. Such documentation, created by physicians about patients, is governed by doctor-patient confidentiality, and cannot be discovered by any outside party without consent. HIPAA Privacy Rules govern the steps needed to ensure that this level of confidentiality is protected against theft (security) and against unauthorized viewing (privacy). HIPAA-covered entities (medical professionals and hospitals) are held accountable for ensuring such confidentiality, and can be penalized for violation.
The question of privacy, then, revolves around sharing PHI between professionals in order to coordinate health care – after all, health care is delivered by networks (formal or informal), and data sharing is necessary to deliver best-practices levels of care. In the traditional world of paper charts, record-sharing is accomplished by obtaining consent from the patient (usually a signed document placed in the chart), and then faxing the appropriate pages from the chart to the intended recipient. Hopefully the recipient’s fax number is dialed correctly, since faxing to mistaken parties is a vulnerability for unintended privacy violation using this technology.
When medical data moves from a paper chart to a locally-installed EHR, the organization of medical data across the landscape is not really changed – each practice keeps its own database (the equivalent of its own paper chart rack), and imports/exports copies of clinical data to others according to patient permission (just like with traditional paper records). Such clinical data sharing is often done by printout-and-fax, or by export/import of Continuity of Care Documents (CCDs) if the EHR systems on each end support such functionality.
As technology evolves, new layers of medical data sharing emerge, which challenge the simple traditional “give permission and send a copy” method of ensuring privacy. Health Information Exchanges (HIEs) are emerging regionally and nationally, and are supported by the Office of the National Coordinator (ONC) for health IT. HIEs are intended to be data-exchange platforms between practitioners who might be using different EHR systems (that do not natively “talk” to each other). Only certain types of data are uploaded by an EHR into an HIE – patient demographic information, medication lists, allergies, immunization histories. HIEs, then, function as a sort of evolving “library” of protected health data, where local EHRs feed their data on a patient-permission-granted basis, and can download data (if granted the permission to do so) as needed. The potential impact on quality of care is dramatic.
In addition to being a “library” of shared data, HIEs can serve to assist in public health surveillance. This can range from CDC-based surveillance of the emergence or prevalence of specific diseases, to FDA-based post-market surveys of the use of new medications (and shortening the timeline for identifying problems should they arise). This sort of use of HIE data is de-identified, so that permissions around using PHI are not violated – patient-specific data in HIEs is only used with permission, and used for direct patient care (e.g. downloading into your own EHR your patient’s immunization history).
HIEs, however, are essentially a “bridge technology” that tries to connect a landscape where health data remains segregated into “data silos.” A newer frontier of technology can be seen arising from web-hosted, Internet “cloud”-based EHRs, such as Practice Fusion. In this setting, a single data structure serves all practices everywhere, and local user-permissions determine which subset of that data are delivered as a particular practice’s “charts.” This technology raises the potential to actually share a common chart among multiple non-affiliated practitioners – based upon one physician referring a patient to another for consultation (with the patient’s permission to make the referral), both practices are then allowed access to the shared chart, see each other’s chart notes, view the patient medications, review labs already done (reducing duplication of services), see what imaging has already been accomplished, securely message one another, and even create their own chart-note entries into the common, shared chart.
This “new frontier” of technology, where clinical chart sharing between practices (based on patient permission) occurs across all boundaries of care, makes the Practice Fusion vision an “EHR with a built-in HIE.” Extending this even further – shared EHRs and linkage with Personal Health Records (PHRs) – is beyond the scope of this particular article, and will be addressed subsequently. With good design, as pioneered here, the balance between ensuring security and privacy of PHI on the one hand, and permission-based sharing of clinical information for the betterment of overall health care delivery on the other hand, a truly remarkable technology is being built. The impact on transforming health care is profound.
Dr. Rowley is a family practice physician and Practice Fusion’s Chief Medical Officer. Dr. Rowley has a first-hand perspective on the technology needs and challenges faced by healthcare practitioners from his 30 year career in the sector, including experience as a Medical Director with Hill Physicians Medical Group and as a developer of the early EMR system Medical ChartWizard. His family practice in Hayward, CA has functioned without paper charts since 2002. You can find more of his writing at the Practice Fusion Blog, where this post first appeared.
If you liked this post you might be interested in these related posts:
The announcement of Salesforce.com investing and coordinating development efforts with Practice Fusion has brought talk of “cloud computing” to the fore. Salesforce has been known as a leader in cloud computing, and moving healthcare IT to that “cloud” has raised questions by a number of observers. What, exactly, is “cloud computing?” Is it appropriate for health IT? What are the security issues and risks?
“Cloud computing” is a term described as a style of computing in which on-demand resources are provided as a service over the Internet. Software-as-a-service (SaaS) is a type of cloud computing, where users do not need to install or maintain any software themselves – simple Internet access and a browser are all that is needed. Users do not need to have knowledge of, expertise in, or control over the technology infrastructure in the “cloud” that supports them – the Internet site (e.g. Practice Fusion) provides a unified dashboard to the user, and works out the technical issues of presenting that data in the background.Continue reading…