Innovations in Technology: Storing Patient Information

The old saying, “Out with the old and in with the new,” couldn’t be more apropos as innovations in healthcare policies and procedures abound. The U.S. government, with the help of leaders in the medical community, is working diligently to improve patient care while reducing costs, and one of its main areas of focus is the storage of patient information.

Out with paper files and in with electronic storage. Out with misread and mistranscribed notes and in with tablets that allow physicians to quickly and accurately make notations into patient electronic health records (EHRs). Out with illegible paper prescriptions and in with e-scripts. The list and possibilities are endless for physicians to better store, retrieve and utilize information, as well as for patients to take a more active role in their healthcare.

Why the Need?

There are many reasons why change in the way healthcare information is stored is important today. According to 2008 Census Bureau estimates, more than 304 million people reside in the U.S. If each person went to the doctor just once each year, that’s a lot of paper. Multiply that by those who have multiple visits in a year (most people) and by the age of each person, and we are talking about countless pieces of paper, storage costs, manpower and security concerns. Add lab tests, visits to various specialists, etc., and the storage requirements grow exponentially. Factor in the likelihood that many of these patients will need access to their records at a time when the records are unavailable — during emergencies or vacations, or their records are forgotten, misplaced or destroyed — and the requirements for maintaining paper files are huge.

EHRs will also prevent the possibility of another situation like Hurricane Katrina, where thousands of paper records were destroyed. “Katrina taught us all that you can lose data in a day,” says Harry Rhodes, MBA, RHIA, CHPS, CPHIMS, FAHIMA, director of practice leadership with the American Health Information Management Association (AHIMA). “Those who had EHRs and the foresight to back up their data [either on the Internet or in a location away from New Orleans] could be back up and running in days.”

While paper records had been the only way to track patients for hundreds of years, they are slowly becoming obsolete. The Markle Foundation found in a 2005 public opinion survey that 60 percent of adults responding would support the creation of an online personal health record (PHR) “that would allow them to check and refill prescriptions, get results over the Internet, check for mistakes in their medical record, and conduct secure and private email communication with their doctors.”¹ Physicians, as well, are open to the possibilities this technology provides in improving patient care, though the medical community has indicated that security and cost concerns (starting price can be several millions) must be answered before it will fully embrace it.

The costs of not adopting an EHR system, however, will soon outweigh the current concerns, as the government has approved a bill that will begin penalizing providers that have not gone digital by the year 2014. These penalties could be as much as $3.2 million in reduced Medicare funding annually for a 500-bed hospital.² To avoid these penalties, providers will need to ensure that their EHR software provider is certified by the Certification Commission for Health Information Technology (CCHIT) and that the system operates in a “meaningful” way to avoid errors and improve outcomes. The term “meaningful” is at the center of debate as planners — from Congress to health information technology companies to physicians — come together to determine specifically what “meaningful use” means. It is anticipated that electronic prescribing, laboratory reporting, clinical summaries for care coordination and quality data will be covered in the definition.³ Yet, the term “meaningful” will morph over time to meet more stringent guidelines as the technology and adoption of EHRs increase.

What Are the Options?

Options for upgrading to an electronic storage system include EHRs using proprietary software or open source software, as well as PHRs provided through vendors such as Google, the patient’s insurance company and even software developed by a hospital’s EHR.

Of course, it is possible that some healthcare providers will opt to stick with the old paper record system and just pay the penalties. However, even the smallest practice can see improvements by adopting some technology. But just scanning those old paper records into electronic storage will create a flat EHR, not one that offers the ability to create reports and easily retrieve specific data a physician might need.

At their maximum capability, EHRs provide more than just an electronic vessel in which to store papers. An EHR puts patient information into readable and accessible templates so that when providers access a patient’s chart, they see the important information they need right away to make informed decisions. It lists most pressing health concerns, allergies, medications, etc., with just the click of a mouse. And, EHRs provide walls so that not every person who pulls up the file can see all of the patient’s information — only those who require legal access for that specific case.

EHRs. A number of EHR vendor options for hospitals and small offices exist, including those that have developed their own proprietary software and others that utilize open source software adapted for their specific needs. Proprietary software is developed by contracting with a software developer. Open source software, on the other hand, is authored by small communities of developers that are committed to advancing healthcare information technology but are not directly compensated financially for their efforts. The software can be viewed, modified and distributed, although the software creator retains the copyright, and users obtain a license, which is typically free. A good example of open source healthcare software is OpenVista, a healthcare information system distributed with a license that allows unlimited use at any number of facilities. (See Open Source Electronic Health Record (EHR) Software on page 19 for a listing of some current software.) Each has its pros and cons.

Proprietary software can include bells and whistles that a vendor using open source software would need to add. However, in some cases, proprietary software cannot communicate with software created by another vendor, making it more difficult for doctors to treat patients outside of their system. In addition, proprietary software vendors eventually will stop supporting older versions of the software, requiring the purchase of an upgrade or an entirely new system. “Some say the proprietary software can’t match the features of open source software as quickly,” says Rhodes. However, when you need support for the software, it is there. You don’t have to hunt for support as you do with open source software.

Open source software has already matured and developed, and some argue it is less expensive for a vendor to adapt to a customer’s specific needs. The software is free, as are a lot of the innovations. However, others say open source software vendors tease you with freebies and the software becomes more costly when features are added. Open source software speaks freely with other open source software, allowing doctors treating patients on vacation to quickly access their records from their primary care provider in another location — assuming both systems speak the same language. Typically, open source software allows healthcare providers to keep current technologies within their office system, rather than purchasing an all-new system. One downside to open source software, though, is that it has not been widely proven for smaller venues and locations with more significant financial constraints.⁴ Healthcare providers will likely need to hire a consultant to help piece together the system, which can be costly. There also may be integration challenges as new components are added.

An important component between the different systems is the way in which data will be transported from system to system. Clearly, the information will be encrypted so that data will not be legible between points A and B. However, no matter what the two end points are, both need to be compatible with the mode of transportation. The hypertext transfer protocol secure (HTTPS) standard allows many different systems to speak to each other without the added coordination between systems.

In addition, the CCHIT certification and technology advances will help improve the interoperability between different systems. “It’s like the Good Housekeeping Seal of Approval,” says Rhodes of the certification. Likewise, Health Level 7 (HL7), an accredited standards development organization (SDO), is working with other SDOs to ensure interoperability and the preservation of the meaning of patient data. HL7 has seven layers of protocol implementations, hence the name of the organization.

PHRs. Many patients are now opting to keep their own medical records through various software programs, as well as web-based PHRs. (See Web-Based Personal Health Records (PHRs) on this page for a listing of many free and fee-based sites.) Because a PHR is initiated by the patient, permission must be provided to providers, pharmacists, insurance companies, etc., for the retrieval and storage of information from PHRs, which can sometimes be problematic. However, because patients are encouraged and expected to add their own information to the record, it is more effective for patients to manage their own or a dependent’s care.

Concerns in the Electronic Age

One of the main concerns for physicians and patients alike is the security of electronic records. “Actively protecting a patient’s data is part of patient care,” says Lisa A. Gallagher, BSEE, CISM, CPHIMS, senior director of privacy and security at Healthcare Information and Management Systems Society (HIMSS). The security of that data is the responsibility of the physician, the third party vendor who holds the patient records (if there is one) and the staff who have access to the records. “Security is an ongoing process and physicians need to manage it. It isn’t just something you do just once and are finished with it,” adds Gallagher.

How does a provider know if a patient’s records are truly secure? They don’t unless they actively strive to know. It is the physician’s responsibility to initiate controls at the office level to control who has access to the information. It is also the physician’s responsibility to manage risk at the IT level and continually look for the potential for security breaches. “If physicians view the patient’s data, it is because they are trying to help them,” says Gallagher. Likewise, staff should not have access unless they need it. Conducting security audits of basic vulnerabilities with behavior in the workplace is key. The Department of Health and Human Services (HHS) will be providing guidance for technical safeguards for Health Insurance Portability and Accountability Act (HIPAA) by February 2010.

Security controls such as authenticity, iris scans and fingerprint scans are available. Rhodes says that 80 percent of the security risk is not out there on the Internet; it is within an office’s staff. “We put up firewalls and do all these things, but we tend to be careless internally.” So, as healthcare workers change job functions, they need to make sure that when their access to information needs change, it is. What they no longer need should be cancelled, and any new information they need should be added. In the event of termination or resignation, access should be taken away. In addition, even those with legitimate access should not be viewing records when there is no need. “The challenge is: Do you have the right and authority to be in this record,” says Rhodes.

If the patient’s data are held by an outside vendor, as opposed to a hospital, the physician needs to look for assurances by the vendor, in HIPAA vernacular, that controls are in place for protecting data. Essentially, the physician is allowing the vendor to hold the data on his of her behalf, so the proper procedures must be in place when sending that information through a gateway to the vendor and as the vendor stores the data. An important component in the vendor/health entity relationship is whether the vendor is considered to be a business associate of the provider. The short answer is: If a vendor has access to the patient’s information in the course of doing work or supporting the EHR, the vendor is likely to be considered a business associate. If, however, the vendor has responsibility for maintaining the data without access, it is not.⁵ The question of whether a vendor is a business entity will be an important one, and merely providing support for the maintenance of EHRs will be considered access. This will be an important clarification.

However the data are stored, Rhodes feels a preferred way of doing so is a federated model, where each department keeps its own records on a patient, as opposed to one centralized location where the entire record is kept. When needed, these departments can also access other departments’ data. However, in the federated model, there are better access controls for these “information silos.”

When sending information to a third party such as an insurance company, the days of sending the entire record are going away. Physicians now need to send only what is relevant and necessary to the claim, and the responsibility falls on the sender if too much information is sent. HHS is also providing guidance per the American Recovery and Reinvestment Act of 2009 (ARRA) section “Health Information Technology for Economic and Clinical Health,” commonly referred to as HITECH. This will spell out specifically what healthcare providers need to know about the disclosure of relevant information.

From a liability standpoint, there is concern based on interoperability and the fact that more physicians will have legal access to the EHR when providing patient care. In a perfect world, the more specialists caring for the patient, the better the patient’s care. Concern arises, however, in the implicit liability of secondary physicians’ duty of care should there be an injury. Also, there is a question about who is liable to an injured patient in the event of a software glitch.⁶ These issues will be vetted in both the medical and legal communities.

New and Improved: What Does the Future Hold?

Technology is always advancing, and EHR systems will advance along with it. In the future, according to HIMSS, you’ll find improvements such as:

• Better access to information for emergency responders
• Improved ability to transfer medical records when a patient transfers physician care
• Ability to incorporate family history information into decision making
• Access to remote patient monitoring to save office visits

Capturing Metrics of Patient Care⁷

The important part of the EHR puzzle is understanding what has happened, anticipating and planning for what is going to happen and understanding how it all applies to the business of healthcare. That’s where associations such as AHIMA and HIMSS come in as they pull the information apart and translate it into plain English for their members. They also stay on top of requirement deadlines.

As the use and capability of EHRs grow, adherence to HL7 functionality models for clinical and administrative data will continue to be critical. “This includes what is needed for direct care, what needs to be captured to supplement patient care and support features, functionalities and support criteria,” says Rhodes. “Creating an implementation standard, vocabulary standard, formatting standard… In the near future, you will see a lot more interoperability.”

Remote access to EHRs is also turning into an important feature. Whether a physician is at home or traveling, being able to access and monitor their patients’ progress is important. There is also discussion of creating a first responders database so that emergency medical services personnel will have important data for saving the lives of those who may be unable to communicate their conditions. Vehicle safety and security systems are also looking into ways to link to PHRs to provide information to first responders about their customers.

Other up-and-coming features of record storage are multimedia records capabilities, where physicians can read reports and view video or audio files related to tests, as well as continuous speech recognition for physicians to dictate a report and immediately see it on the screen.

The opportunities for improvements in healthcare and patient data security are vast as EHRs become more commonplace and capable. Soon, the days of the paper record system will be gone, and physicians will wonder how they ever treated patients with them.