Making IT Useful

Standardized EHR Systems Introduce New Worries

The words private and privacy have really evolved during my lifetime. When I was young these words were used to describe someone’s personality or the culture in which they lived. Privacy meant having a lot of trees on your property or a sign on your office door. It meant storing your personal effects in a safe place in your home, perhaps in a shoebox under the bed. Privacy was somewhat simple to achieve and for the most part up to you to protect. You just kept what you didn’t want to shared either in your head or out of the view of friends, family and the general public. If you didn’t what people to know your thoughts on a particular issue, you kept it to yourself... you were a private person.

From the beginning of time people have been very private about common everyday things like financial information, health history, love and marriage. Until recently, those areas of our lives have always been conducted on paper or by telephone. The phone calls were made behind closed doors and the paper was either hand delivered or sealed tightly in an envelope. The information coming and going could be safely exchanged with little worry about the contents being shared outside the relationship unless you wanted to share it. And if your privacy was compromised, you had a better than average chance of determining who may have been responsible and how far the information traveled. Privacy was also easier to maintain years ago because of the company we kept, or the “network” as we now call it. My families had twenty or so close friend and neighbors; we had classmates, one family doctor, a dentist and several aunt and uncles. These people were basically all the people we frequently interacted with. Our bills were delivered to our creditors using the U.S. Postal Service and garbage was stored in plastic bags and picked up on Wednesday by a guy named Al. We had a very simple network and if it was privacy we were looking for, it was easy to find.
Today, the word “privacy” has taken on a whole new meaning. The treed lot has been replaced by a firewall, the shoebox under the bed now takes the shape of a database stored on a server in an unknown location, our thoughts on personal issues are being shared and argued on social media sites with people we may not know and paper correspondences and phone calls have been replace with email and texting. Even the way we dispose of our garbage is starting to change; a portion is now shredded out of fear that Al might open the plastic bags in search of credit card account information. Our society’s obsessive need to communicate and share information using today’s technology has developed faster than our understanding of the technology.

Today in the United States new technologies in the form of smart phones and computer tablets have made it faster and more convenient for people to manage their interests with the help of the Internet. People are using the Internet as part of their daily lives to fulfill their social, financial and entertainment needs. And with each need there is a different username and password to manage, and the sharing of personal data with the faith that the information will be considered private. That’s not always the case and now Internet users of all ages are struggling to evolve a bit further as humans and develop a new type of street smarts to help them determine how to react to what they find and share on the Internet.

When people share data online today they do so to satisfy a personal needs. Whether they are ordering a pair of shoes or registering for a training seminar or paying their monthly mortgage. They understand the outcome of their online transactions, however most people don’t have any idea of the path that their personal information travels once they hit the submit button. They simply hope that the vendor that they are conducting business with has taken every step to secure the data that they provided. They basically use their instincts to determine whether their need for the product or service they are exchanging their personal information for is worth the risk of their personal information being shared. People are starting to gather a greater understanding of the good and the bad that is offered on the Internet. But there is still a gap between the experienced users who can sense unsafe waters to surf and the folks who are in the process of rescuing yet another Nigerian princess.

One of the bigger questions that have evolved from our ever-growing Internet “street smarts” over the last decade is, how private is our personal health care information? Medical professionals, both caregivers and insurers in the United States have been collecting a variety of patient data online and they have been converting even more information from paper records to electronic format with hopes of creating a complete set of Electronic Health Records (EHR) aimed at improving their level of service. Here in the United States we feel a sence of protection which is provided by our government in the form of the Health Insurance Portability and Accountability Act (HIPAA). (e.g.,Embi, Peter, J., et al. “Impacts of Computerized Physician Documentation in a Teaching Hospital: Perceptions of Faculty and Resident Physicians.” Journal of the American Medical Informatics Association 11, no. 4 (2004): 300–309.)
But privacy is only one of the issues that challenge the development of a complete system that meets the needs of the medical industry. Privacy issues clearly headline the list of potential issues that face the three parties involved; the patient, the care providers and the financial institutions that provide funding.

There are several concerns for patients that range from protecting electronic health records with tight encryption and other security technologies to making information technology outsourcing arrangements more trusted and secure. Ensuring that information transmitted among the many participants in the emerging health information exchanges remain private, and ensuring telemedicine applications, such as implantable medical devices and in-home monitoring systems, adequately address security risks. These concerns are well understood and widely documented because they affect the larger fraction of the participants involved in the overall process... the patient.

Our collective “street smarts’ now needs to understand that there is data in these systems that we have no control over. Beyond the normal name, address and insurance provider information we provided our physician during our first visit, we are left to wonder about the information that the physician added to the file. You know that messy file folder that the doctor brings into the examination room during your routine checkup, I never really asked what was in that folder because I trusted it was being kept between the two of us. Now those records are going to be made digital and their location and potential audience is not necessarily known.

The design and development of EHRs’ is happening at the same time as many doctors’ offices are attempting to move their traditional paper-based patient records and artifacts to an electronic format, weather they be digital or just scanned documentation. Traditional paper-based records are often office-based and accessible by a particular doctor and his or her staff. Moving those paper-based records may cause several unintentional issues. For example, a computerized filing system may be used as the medical record system for a large health clinic with several medical disciples, the records might than be shared between several physicians and their staffs. This introduces several issues such as ownership and accountability from a user role or permissions perspective. Physicians involved in converting to electronic health records face several areas of uncertainty. Who is responsible for the management and quality of data? What are patients’ rights and expectations with respect to the privacy of their personal health information? What are the physician’s obligations with respect to obtaining patient consent for the use and disclosure of information in the EHR? With multiple health care providers contributing to the EHR, how will access to the data be managed so that information is not accessible for unauthorized purposes? Can a physician rely on the information provided by other health care providers? What is the consequence of relying on this information? And what are the medical liability issues? (e.g., AHIMA e-HIM Work Group on Maintaining the Legal EHR. “Update: Maintaining a Legally Sound Health Record—Paper and Electronic.&rdquoWinking
These questions are largely unanswered and make great fuel for many debates between physicians, insurers, patients and their respective lawyers. I just want to make sure that when I do visit my doctor that the old trusted paper file was converted correctly, and because the information is available in a sharable format, I would like access in order to confirm my own medical history.

Just as patients are concerned over the protection of their personal health data, health care and insurance providers are also worried. EHRs’ offer considerable opportunities, but they also raise many legal issues that must be ironed out. As I mentioned earlier, our need to use the technology we have today has surpassed our understanding of it. The result of this uneven progression of our technical experiences, physicians and other health care agencies may be unknowingly exposed to medical liability risks. Physicians will be challenged to meet the expectation of patients and their right to maintain their privacy of personal health information, to assure it will not be compromised, shared or misused.

A recent article published in the New England Journal of Medicine discusses how the age of electronic health records is affecting malpractice liability and the impact that access to this information has on both doctors and patients. The government sponsored Health Information Technology for Economic and Clinical Health Act of 2009 authorized grants and monetary incentives of billions of dollars to promote the “meaningful use” (e.g., A Definition” Recommendations from the Meaningful Use Workgroup to the Health IT Policy Committee June 16, 2009) of electronic health records by providers. In order to be provided a reimbursement incentive a physician or hospital provider will need to meet the standard of becoming a “meaningful user” of an EHR. Incentive payments began in 2011 and will gradually phase down as work is completed. Starting in 2015, providers are expected to have adopted and be actively utilizing an EHR in compliance with the “meaningful use” definition or they will be subject to financial penalties under Medicare. Roughly translated, there will be billions of dollars handed out to health care providers to help get their health records into an EMR’s before 2015. That’s a lot of work in a short period of time. Let’s hope that proper quality assurance steps are used to validate the conversion of my health records so that my next trip to the doctor are within my expectations, and I’m not associated with a different set of patient records.

Although there is much support by health care providers, policymakers, and patients for a health care system that takes advantage of new information technology solutions, there are some possible effects of this technology on medical malpractice liability. The areas of risk can be separated into four different categories: the documentation of clinical findings, the recording of medical test and imaging results, the computerized provider-order entry phase, and clinical-decisions. The risks of malpractice vary during the different phases of implementation of EMRs’. For example, during the initial implementation of an electronic system in a medical facility, a provider’s malpractice risk is actually increased. Several studies performed by accredited medical organizations have documented increases in computer-related errors during the conversion stage that can result in an increased risk for malpractice. (e.g., Embi, Peter J., et al. “Impacts of Computerized Physician Documentation in a Teaching Hospital; Perceptions of Faculty and Resident Physicians.”

This is mainly due to the challenges presented when a facility moves from an old familiar method of entering data into a new computerized method. It is unclear whether the use of electronic systems is likely to increase or decrease malpractice liability overall after the initial implementation. Some malpractice insurers offer discounts to providers who make the switch from paper records to electronic systems in an effort to lower the number of paid malpractice claims.

Privacy and liability issues will always be a challenge during the life cycle of every record management system. Patients will always want to be assured their personal information is kept private and providers will always what to use some of the information to better serve their customers. Legislations and guidelines will be drawn and crossed and moved around in an attempt to provide both a sense of trust and understanding.

Now the polar opposite of trust and understanding is fraud. Fraud in the healthcare industry has long been a large and every expanding problem, and with the expanded use of electronic data for healthcare records, the pace at which the problem is increasing, it may well pick up substantially. Years ago, you would never hear of a burglar breaking into a doctor’s office to steal medical records from a locked filing cabinet. With those records now in digital format they are far more valuable to outside interest. Drug companies looking to use the data for marketing research and sales trends, hackers looking for easy access to credit card information or personal health information shared with the public or online.

Faced with this growing problem and the rapid application development of EHR systems, healthcare organizations are likely to proactively seek solutions. It is possible that when used properly, EHR solutions should actually serve as a layer of protection against fraudulent activity. But if the systems are created without proper controls, such as privacy, liability and fraud administrative modules, EHR systems could make it easier for the unorganized, unknowing and criminals to perpetrate problems in a healthcare organization's name. EHR systems could be used to conduct several fraudulent actions through misuse of data captured in the EHR to prepare false claims. Such actions could be committed by anyone within the provider organization who has access to the system. On the other hand, the power of the EHR can be harnessed to prevent fraud through implementation of control mechanisms that protect data that could otherwise be used to perpetrate fraud, and that validate data used for legitimate provider reimbursement. (e.g., AHIMA e-HIM Work Group on Maintaining the Legal EHR. “Update: Maintaining a Legally Sound Health Record—Paper and Electronic.&rdquoWinking

If healthcare systems providers do not create appropriate security controls for their EHR software they may me asking for trouble. They could be opening the door for fraudulent billing activities. By creating strong controls, a healthcare provider can show it customers that they have a secure system that can be trusted.

In conclusion, the last twenty-five years have offered many new ways to communicate, not only with each other, but also with everyone we know or could know. We have a whole new way of conducting our day-to-day interests and business dealings. Where we once had a standard set of “street smarts” to guide us through the bureaucratic paper processes that glued the way we interacted with entities outside our homes, we now have an invisible network that is at times, intangible, unpredictable, unforgiving and leaves us very little room for error.

As a society we are beginning to develop sort of a “web smarts” that coexists with our repository of old school “street smart” skills. As we move forward the terms fraud, liability and privacy will still have the same meaning in the dictionary, however the methods in which they are applied will broaden considerably. As we each grow older and become more experienced with the tool, the culture and the ups and downs of the Internet we will all be developing and sharping our “web smart” skills to better protect ourselves as we try to take advantage of the of the new technology.

When I was ten years old my grandfather took me to New York City to visit Time Square. I got up that morning and placed a crisp ten-dollar bill in my hardly used wallet to buy a souvenir once we got to the city. As soon as we got off the train in Grand Central Station my Grandfather noticed the stiff wallet in my back pocket and told me “if you want to keep that wallet, you should place it your front pocket… the city is filled with pick-pockets looking for rubes from upstate” I began to develop my street smarts that day on the platform, and to this day, when in the city my wallets in my front pocket.

We are going to use the same principles in the future to measure the risk of sharing personal information, when to share it, when not to share it, and who to share it with.