In a recent article in the American Journal of Medicine (AJM), the problems found as a result of the copy and paste functions in electronic health record (EHR) applications resulted in loss of new input, repeated errors, and loss of narrative function. Subsequent responses by healthcare professionals concurred with the analysis stating specific incidents of recorded error as a direct result of providers copying and pasting the notes of previous reports.

If copy and paste is a problem, then the built-in intelligence of some of the newer EHR applications creates an even larger problem to the medical community. In several of the EHR applications I have reviewed, the application will attempt to auto-populate a physicians notes and response to diagnosis based upon common notations or even based upon past notes. For example, as the physician begins to type in a diagnosis of a sinus infection, the application will begin to suggest or auto-populate observations and notes based upon the diagnosis into the patients electronic health record. If physicians become used to the application attempting to suggest content for a medical record then the AJM article is correct in assuming the medical records will lose accurate diagnostic records and the importance of a narrative health record trending the patient’s trajectory.

In an effort to make the EHR applications easier to use, save time and attractive to use in an industry where paper documentation has been the norm for so long, the technology may actually be harming the industry and therefore harming the effectiveness of healthcare. The AJM article suggests corrective action by disabling the copy and past features which may solve the problem but may also set back the usefulness and efficiency touted by the EHR movement. Selective copy and paste functionality for personal patient record information such as social security, name, address and non-health related information has bee suggested as permissible to maintain the efficiency of an EHR.

Once question not yet addressed is the potential for malpractice. If a record is recorded improperly as a result of copy and paste, does that constitute malpractice? If an incorrect or inaccurate diagnosis is perpetuated in the EHR as a result of copy and paste even though the patient’s trajectory has changed and an improper treatment is issued resulting in permanent injury or death then does this constitute gross negligence? EHR has the potential to transform the healthcare industry and improve the effectiveness of healthcare providers but only if the technology progresses in response to the needs and unique requirements of the healthcare profession.

A provisional rule announced by Congress will only force health care providers to notify patients of breaches to customer data only if the breach “poses a significant risk of financial, reputational, or other harm to the individual.”  How will the risk factors be determined?  Will existing state laws on data breaches provide protection where the federal government falls short?  Who is the real threat to your electronic health record?

In a poll sponsored by RSA of 400 top level executives, 52% described the majority of their data losses as accidental.  Many of the reported data losses were due to inappropriate access by the wrong people.  This data supports a problem that internal controls of access and control of data is the largest  issue facing our healthcare providers in protecting our patient data.    According to the Data Loss Open Security Foundation, 12% of all data losses are medical related.  With the push to a national electronic healthcare technology infrastructure, that number is surely to increase over the next five years.  Most consumers appreciate notification of these negligent data breaches.  Perhaps even assign a healthcare provider rating based on the breaches to better inform consumers of the most secure and trustworthy healthcare providers.

Hospital and insurance representatives argue that notification costs would be too high if every breach was reported.  Examples for routine breaches of handling data include statements sent to wrong addresses and improper employee access but when your health information is part of this routine error in handling would you want to know?  Consumers should be asking “why is my health information mishandled so often?”  Proper investment in security and access controls should limit risk and subsequently the cost of data breaches.  The arguments provided by hospital and insurance representatives seem best used as evidence of gross negligence not an argument limiting notifications to patients.

But do you have any legal protection?  Many states have already passed laws that would include a breach of patient health data in the state mandated reporting requirements of an improper access or loss of data but new federal rulings could preempt those state laws where your medical record is concerned.  Negligent security requirements mandated for protection of electronic health records at the federal level will not sufficiently protect your records with the current requirements and restrictions.  With federal laws regarding reporting on health care data breaches most likely winning out over state mandated reporting requirements, it appears the corporate lobbyists are exposing the nation to public electronic health records rather than private electronic health records and you may never even know when your record is breached.

Write your state and federal Congressmen and let them know your concerns for the protection and privacy of your health records.  While network security should never be overlooked, the majority of data breaches occur inside an organization.  Increased controls and requirements for handling patient health records is needed to sufficiently protect your private and personal information.  As with too many points of privacy and security with the electronic health records, there are too many unanswered questions and undefined points of protection.

Leyden, John. Incompetence a bigger IT security threat than malign insiders.

(2009) : Internet. http://www.theregister.co.uk/2009/08/25/rsa_accidental_security_breach_survey/

November 15, 2009.

Schwartz, Emma. Health Industry Winning Round On Privacy of Digital Health

Records. (2009) : Internet. http://www.huffingtonpost.com/2009/11/13/health-industry-winning-r_n_357476.html

November 15, 2009.

State-by-State Listing of Data Loss and Freedom of Information Legislation

(2005-2009) : Internet. http://datalossdb.org/us_states

November 14, 2009.

Data Loss Statistics.

(2005-2009) : Internet. http://datalossdb.org/statistics

November 14, 2009.

As part of research for an upcoming article I’d like to get some response to the following short survey.  Physical access to health care IT resources by patients could greatly impact the security of your organization with the new EHR requirements.

As part of the 2009 HITECH Act, a national health information technology infrastructure (NHITI) is required for access and use of electronic health records resulting in a more “effective marketplace, greater competition…[and] increased consumer choice (HITECH Act, Section 3001(b)).”  Such a system is not only necessary, but it is cardinal to improving delivery and reducing costs of health care in the United States.  Properly executed, a NHITI with appropriate controls and security protocols will have the means to protect individual electronic health records (EHR), prevent provider mistakes, report errors and audit abuses of the health system.

A letter from Dr. David Blumenthal, National Coordinator for Health Information Technology, restated the requirements of the HITECH Act and the reasons for a NHITI.  Blumenthal stresses the key premise of the technology infrastructure should allow information to follow patients while removing any technical, business and bureaucratic obstacles from the process of sharing an EHR.  He also states that “Americans must also be assured that the most advanced technology and proven business practices will be employed to secure the privacy and security of their personal health information.”

The best process for defining the operation of a NHITI should start with a working group focused on national standards for interoperability and security of a health information exchange.  Working groups should be comprised of an interdisciplinary group of industry experts tasked to create a national open protocol for the secure and private transfer of electronic health information.    Ideally, such an exchange would occur over a private and secure network limited to health care providers and required users with limited and monitored access.  Public access to personal healthcare records should utilize secure gateways similar to architecture utilized on Department of Defense (DoD) classified networks.

It is also important to note that most security violations occur internal to an organization.  Internal security, privacy and access controls may be more important to securing the national health information infrastructure although perimeter controls are by no means useless.  Working groups to develop security and privacy policies for internal use of data, perimeter controls of the exchange and interoperability of data exchange should all be formed as soon as possible.

A nationwide health information data exchange will contain extremely private and personal health information.  The public has no reason to fear such a data repository if proper measures are taken to manage security and privacy risks.  Dr. Blumenthal emphasizes the importance of this network and the need for strong security but are we heading in the right direction to satisfy the requirements necessary?

This article was originally published on Healthcare Professional Live

Would you be willing to complete a short survey before your visit to the doctor if it would improve wait time and potentially decrease visit costs?

Here is an interesting survey being driven over at SoftwareAdvice.com. Is Obama’s EHR stimulus creating more buyers or just a lot of providers kicking the tires around? Take their survey here http://www.softwareadvice.com/articles/medical/obamas-emr-stimulus-of-2009-creating-buyers-or-tire-kickers-1102709/

With two large players, Microsoft and Google, entering the health IT marketplace, it would make sense that the two would drive standards for information exchange between applications and their PHR systems.

Microsoft and Google are notorious for innovation and driving development towards their own ends yet neither seems too vocal on electronic health records and the inevitable leap in innovation the industry will experience over the next five years.

Both Microsoft and Google have electronic health portals for use by patients to create and store a patient health record (PHR) yet neither has been very vocal to drive interoperability and consistent formatting. For an industry we literally entrust our lives to, patient records have the least governance for standardization.

It makes sense that the national health exchange would dictate standards for formatting to both share doctor driven EHRs and patient driven PHRs, but with the states gaining control of the backbone of data exchange, it seems unlikely that all 50 states will agree upon a standard format. Where does the industry turn? HITSP? HHS? Industry leaders?

In the past, the health care industry seems happy to invent their own cryptic standards such as HL7, but with the aggressive time table for implementation it seems fruitless to spend time reinventing the wheel. There are many options available, but why not use XML? With XML accelerators available on the market to process large quantities of data, a structure easy to customize and modify as requirements change, and the perfect way for disparate software platforms to communicate to each other. It seems XML would be a perfect solution for vendors to use to export data from practice to national health data exchange and then again to PHR systems for the patient to view their data. XML data exporters can be effectively optimized for speed, security and integrity.

Close to any modifications and upgrades to the health IT infrastructure in use within the United States must always be the security of the patient’s health information. HIPAA security requirements are weak at the best of times, but generally are open for any knowledgeable hacker to obtain from the average health care provider. It is imperative to treat the security of patient health information with the care we treat our financial information.

Summary
If you ask a doctor what is most important to them concerning the ARRA stimulus money, most of them will tell you “meaningful use.” Multiple iterations of what this means have been issued, reviewed and regurgitated, but what does this mean to the recipient of the ARRA funds?  This IT guy does not believe the doctor or health care provider should worry too much unless you already have an EHR implemented.

Transfer of Responsibility
More than likely, if a health care provider is using a CCHIT certified EHR system, they will be in compliance with meaningful use. Most of the requirements that have come out of the definition will be part of the development and implementation of the EHR. Simply implementing and using the appropriate EHR will qualify a provider for stimulus funds.

ONC Definition

Most recently, the ONC recommended a definition of meaningful use that includes seven different electronic exchanges to be required. It is important to note that this is only for the 2011 requirements. Going forward, there will be additional capabilities and exchanges required.

1. ePrescribing
2. Lab Results
3. Clinical Data Summaries from provider to provider
4. Bio-surveillance
5. Immunization Registries
6. Public Health
7. Quality Measurement

What does it all mean?
If you are health care provider waiting for ARRA stimulus funds, it means wait to buy your EHR. Most large companies will be updating their software to fit government requirements, but there is no guarantee the upgrade process will be any less painful than the initial implementation. Start looking at an EHR now and find out which one fits your needs best, but since funding will not be available until 2011, there is still some time.