In a recent article in the American Journal of Medicine (AJM), the problems found as a result of the copy and paste functions in electronic health record (EHR) applications resulted in loss of new input, repeated errors, and loss of narrative function. Subsequent responses by healthcare professionals concurred with the analysis stating specific incidents of recorded error as a direct result of providers copying and pasting the notes of previous reports.
If copy and paste is a problem, then the built-in intelligence of some of the newer EHR applications creates an even larger problem to the medical community. In several of the EHR applications I have reviewed, the application will attempt to auto-populate a physicians notes and response to diagnosis based upon common notations or even based upon past notes. For example, as the physician begins to type in a diagnosis of a sinus infection, the application will begin to suggest or auto-populate observations and notes based upon the diagnosis into the patients electronic health record. If physicians become used to the application attempting to suggest content for a medical record then the AJM article is correct in assuming the medical records will lose accurate diagnostic records and the importance of a narrative health record trending the patient’s trajectory.
In an effort to make the EHR applications easier to use, save time and attractive to use in an industry where paper documentation has been the norm for so long, the technology may actually be harming the industry and therefore harming the effectiveness of healthcare. The AJM article suggests corrective action by disabling the copy and past features which may solve the problem but may also set back the usefulness and efficiency touted by the EHR movement. Selective copy and paste functionality for personal patient record information such as social security, name, address and non-health related information has bee suggested as permissible to maintain the efficiency of an EHR.
Once question not yet addressed is the potential for malpractice. If a record is recorded improperly as a result of copy and paste, does that constitute malpractice? If an incorrect or inaccurate diagnosis is perpetuated in the EHR as a result of copy and paste even though the patient’s trajectory has changed and an improper treatment is issued resulting in permanent injury or death then does this constitute gross negligence? EHR has the potential to transform the healthcare industry and improve the effectiveness of healthcare providers but only if the technology progresses in response to the needs and unique requirements of the healthcare profession.
A provisional rule announced by Congress will only force health care providers to notify patients of breaches to customer data only if the breach “poses a significant risk of financial, reputational, or other harm to the individual.” How will the risk factors be determined? Will existing state laws on data breaches provide protection where the federal government falls short? Who is the real threat to your electronic health record?
In a poll sponsored by RSA of 400 top level executives, 52% described the majority of their data losses as accidental. Many of the reported data losses were due to inappropriate access by the wrong people. This data supports a problem that internal controls of access and control of data is the largest issue facing our healthcare providers in protecting our patient data. According to the Data Loss Open Security Foundation, 12% of all data losses are medical related. With the push to a national electronic healthcare technology infrastructure, that number is surely to increase over the next five years. Most consumers appreciate notification of these negligent data breaches. Perhaps even assign a healthcare provider rating based on the breaches to better inform consumers of the most secure and trustworthy healthcare providers.
Hospital and insurance representatives argue that notification costs would be too high if every breach was reported. Examples for routine breaches of handling data include statements sent to wrong addresses and improper employee access but when your health information is part of this routine error in handling would you want to know? Consumers should be asking “why is my health information mishandled so often?” Proper investment in security and access controls should limit risk and subsequently the cost of data breaches. The arguments provided by hospital and insurance representatives seem best used as evidence of gross negligence not an argument limiting notifications to patients.
But do you have any legal protection? Many states have already passed laws that would include a breach of patient health data in the state mandated reporting requirements of an improper access or loss of data but new federal rulings could preempt those state laws where your medical record is concerned. Negligent security requirements mandated for protection of electronic health records at the federal level will not sufficiently protect your records with the current requirements and restrictions. With federal laws regarding reporting on health care data breaches most likely winning out over state mandated reporting requirements, it appears the corporate lobbyists are exposing the nation to public electronic health records rather than private electronic health records and you may never even know when your record is breached.
Write your state and federal Congressmen and let them know your concerns for the protection and privacy of your health records. While network security should never be overlooked, the majority of data breaches occur inside an organization. Increased controls and requirements for handling patient health records is needed to sufficiently protect your private and personal information. As with too many points of privacy and security with the electronic health records, there are too many unanswered questions and undefined points of protection.
Leyden, John. Incompetence a bigger IT security threat than malign insiders.
As part of the 2009 HITECH Act, a national health information technology infrastructure (NHITI) is required for access and use of electronic health records resulting in a more “effective marketplace, greater competition…[and] increased consumer choice (HITECH Act, Section 3001(b)).” Such a system is not only necessary, but it is cardinal to improving delivery and reducing costs of health care in the United States. Properly executed, a NHITI with appropriate controls and security protocols will have the means to protect individual electronic health records (EHR), prevent provider mistakes, report errors and audit abuses of the health system.
A letter from Dr. David Blumenthal, National Coordinator for Health Information Technology, restated the requirements of the HITECH Act and the reasons for a NHITI. Blumenthal stresses the key premise of the technology infrastructure should allow information to follow patients while removing any technical, business and bureaucratic obstacles from the process of sharing an EHR. He also states that “Americans must also be assured that the most advanced technology and proven business practices will be employed to secure the privacy and security of their personal health information.”
The best process for defining the operation of a NHITI should start with a working group focused on national standards for interoperability and security of a health information exchange. Working groups should be comprised of an interdisciplinary group of industry experts tasked to create a national open protocol for the secure and private transfer of electronic health information. Ideally, such an exchange would occur over a private and secure network limited to health care providers and required users with limited and monitored access. Public access to personal healthcare records should utilize secure gateways similar to architecture utilized on Department of Defense (DoD) classified networks.
It is also important to note that most security violations occur internal to an organization. Internal security, privacy and access controls may be more important to securing the national health information infrastructure although perimeter controls are by no means useless. Working groups to develop security and privacy policies for internal use of data, perimeter controls of the exchange and interoperability of data exchange should all be formed as soon as possible.
A nationwide health information data exchange will contain extremely private and personal health information. The public has no reason to fear such a data repository if proper measures are taken to manage security and privacy risks. Dr. Blumenthal emphasizes the importance of this network and the need for strong security but are we heading in the right direction to satisfy the requirements necessary?
This article was originally published on Healthcare Professional Live
Here is an interesting survey being driven over at SoftwareAdvice.com. Is Obama’s EHR stimulus creating more buyers or just a lot of providers kicking the tires around? Take their survey here http://www.softwareadvice.com/articles/medical/obamas-emr-stimulus-of-2009-creating-buyers-or-tire-kickers-1102709/
With two large players, Microsoft and Google, entering the health IT marketplace, it would make sense that the two would drive standards for information exchange between applications and their PHR systems.
Microsoft and Google are notorious for innovation and driving development towards their own ends yet neither seems too vocal on electronic health records and the inevitable leap in innovation the industry will experience over the next five years.
Both Microsoft and Google have electronic health portals for use by patients to create and store a patient health record (PHR) yet neither has been very vocal to drive interoperability and consistent formatting. For an industry we literally entrust our lives to, patient records have the least governance for standardization.
It makes sense that the national health exchange would dictate standards for formatting to both share doctor driven EHRs and patient driven PHRs, but with the states gaining control of the backbone of data exchange, it seems unlikely that all 50 states will agree upon a standard format. Where does the industry turn? HITSP? HHS? Industry leaders?
In the past, the health care industry seems happy to invent their own cryptic standards such as HL7, but with the aggressive time table for implementation it seems fruitless to spend time reinventing the wheel. There are many options available, but why not use XML? With XML accelerators available on the market to process large quantities of data, a structure easy to customize and modify as requirements change, and the perfect way for disparate software platforms to communicate to each other. It seems XML would be a perfect solution for vendors to use to export data from practice to national health data exchange and then again to PHR systems for the patient to view their data. XML data exporters can be effectively optimized for speed, security and integrity.
Close to any modifications and upgrades to the health IT infrastructure in use within the United States must always be the security of the patient’s health information. HIPAA security requirements are weak at the best of times, but generally are open for any knowledgeable hacker to obtain from the average health care provider. It is imperative to treat the security of patient health information with the care we treat our financial information.
One of the main purposes for many of the new regulations in the HITECH Act and the push to increase technology utilization within the health care industry is to save money. If implementation of an EHR increases the amount of time to see a patient, is it saving money? What is the real ROI for the average provider post implementation?
My argument is by no means to stop the push for EHR and other technology improvements to the health care industry. My argument is the current players simply do not have the right EHR system to do the job. The majority of systems do not improve workflow or increase efficiency within an office. These systems definitely improve quality of care and decrease the possibility for human error, but do they actually save time and increase the doctor’s ability to perform timely and cost effective health care.
Technology generally improves a person’s quality of life. User interface design is big business. Other software developers focus on ease of use, number of clicks, user intuitive screen design. Business intelligence, finance, security and other very high tech industries have very efficient and easy to use systems. Health care does not. Health care is 10 years behind the curve.
Where is the EHR system that will anticipate the user’s actions based on previous click and role? Where is the EHR system that reduces the number of clicks compared to a comparable system by half? Where is the EHR that allows a physician to double the number of patients they see?
Why has the health industry historically been so quick to resist movements to jump into the electronic age? Cost barriers? Implementation headaches? Lack of usable solutions? Perhaps all of these items have contributed to the slow adoption of technology within the smaller practices but the software industry has not been helpful in reducing the barriers to entry and educating the end user.
A few weeks ago I was sitting in a seminar hosted by a major health care software development company and listened to a client testimony tell the full room to simply accept that the process of implementing an EHR should be painful and slow for six to eight months. Appalled would be an understatement for my reaction to this testimony but unfortunately it seems to be a consensus for most health care professionals when you start talking about EHR and practice management solutions. This is the fault of the software industry. It is completely unacceptable for a end user to believe that implementation of technology will impede not improve their operations.
My background in software development is not rooted in health care technology but most of my clients would have called security and had me escorted out of the building if I told them my software package was going to be painful to install and not improve business processes post implementation. It is time for the reformation of the health care software industry and impose the standards and requirements the rest of the software development world has apparently been using for years.
More importantly than simply catching up to status quo, I believe that the HITECH stimulus funding will push health care software development to push features and functions beyond the expectations of the end user. Why should the application simply store data? The application should be intuitive and interactive. If ever the software industry had a market for bleeding edge features and functionality, the health care industry is it.
Speech recognition is still very costly for rich functionality. Many EHR systems that offer speech recognition charge $100,000 or more to integrate the module and training the system for each user is yet still another costly burden. Health care IT has an opportunity to push speech recognition to the edge and reduce implementation costs while increasing effectiveness.
Moreover, IT should improve practice management operations and profit margins. Patient evaluations should move more quickly allowing doctors to see more patients without sacrificing care. Systems should automatically notify practice managers when patients are due for checkups or tests based on treatment, diagnosis and lifestyle. Prescription management should have guesswork removed. Systems should auto-interface with other provider records and pharmacy records to aggregate all prescribed medications for a patient so health care providers are better informed.
Providers should remember that anything is possible with software. Be vocal with your requests and ideas and drive development. Write letters to your congressman and women and to HHS. http://www.hhs.gov/feedback.html
