Electronic Medical/Health Records Utilizing Electronic

¶ … Electronic Medical/Health Records

Utilizing Electronic Medical Records Increase Patient Safety?

A large majority of the American public expresses deep anxiety about their private health information, and over half of them are concerned that data they provide to insurance companies might be seen by an employer and used against them to reduce job opportunities. This is an upsurge from 1999, when only one-third of the public expressed concern. More precisely, in light of the fact consumers already have agreed to share such information, their concerns are about confidentiality, or the ability to control access to information (Ball, Smith and Bakalar).

In addition, the American public wants to have its own electronic medical/health records. In late 2005, almost two-thirds of Americans said they preferred the establishment of a secure online Electronic Health Record service for their own use. They believed this could improve safety and offer convenience.

Two-thirds of those responding indicated they would use it to check for errors in their health/medical records, and about the same number said they would use the records to check and fill prescriptions. Another 58% said they would use these "Personal Health Records" (PHRs) to get results online, and over half would turn to PHRs to conduct private e-mail correspondence with their doctors (Ball, et al.).

PHR systems are more than just information files for patients; they combine data, knowledge, and software that help people become actively involved in their own care. When PHRs are combined with electronic health record (EHR) systems, they provide greater benefits than would separate systems for consumers (Tang, Ash and Bates).

PHRs are patient-centered records that engage individuals in organizing their own health and healthcare through a composite, all-inclusive view of their health data, including medical history, medications, immunizations, allergies and other personal health information (Kaiser Permanente).

Since the purpose of this paper is not to differentiate between the two types of files and define them, but rather to discuss their safety factor in regards to the patient, we will deal with them under these circumstances as if they are, for the most part, the same. We will use the term "EHR" to serve as all-inclusive, except in those instances that it is necessary to differentiate for reasons of clarity.

Problem Statement

December 23, 2008...This morning, the Los Angeles Times reported that more than 1,000 patients at Cedars-Sinai had their personal information stolen by a former employee in the hospital's billing department. This problem is not unique to Cedars-Sinai.

Similar problems have surfaced at one of the hospital's major competitors, UCLA Medical

Center, where at least 165 staff members have been disciplined for improperly accessing the files of more than 1,000 patients, including California First Lady Maria Shriver, actress Farah

Fawcett and singer Britney Spears (Szwarc).

When a patient's medical records are compromised, it can hurt more than their wallets, experts warn. Victims of this kind of fraud face a greater risk of injury if doctors make treatment decisions based on incorrect information contained in their records. Many employers also demand access to medical records when making hiring, promotion or benefits decisions, according to the nonprofit Patient Privacy Rights Foundation (Szwarc).

And, on the other hand we have the case of Hurricane Katrina which has been the loudest wake-up call so far for the need for electronic health records (EHRs), according to some prominent policy figures. Floods from the storm erased the medical records of about one million people in the central Gulf Coast because they were written on paper and stored in boxes in hospitals and physicians' offices (Byers).

Feeling insecure about your health data security? If so, it is no wonder, considering the frequent security breach headlines and the eHealth Vulnerability Reporting Program's declaration in September that many electronic health record (EHR) systems are at risk for security threats. How worried should providers be, and what should they do to bolster security against would-be hackers (Take extra precautions...)?

"Hackers look for vulnerabilities in it infrastructure," says Norm Martel, president of Medical Technology Research Corp. In East Kingston, NH. "Whether you're a hospital or a high-tech company, the infrastructure is what ties everything together. All of your computers, all of your software, all of your equipment -- and for a hospital that might include x-ray equipment -- is connected to the organization's it infrastructure, which means you need to be concerned about it from a security point-of-view," he says (Take extra precautions...).

"Good security is a fine balancing act between accessibility and privacy. You have to decide how secure you want to be vs. how complex you want to be. You need to think about the ability to access and use your systems," Martel says (Take extra precautions).

Is online security for patient electronic health records adequate to protect the data and individual privacy? And how does online safety compare to physical security for paper files?

Literature Review

There has been much written about the efficiency advantages of systems that electronically provide an individual's health/medical information. There has also been a lot of statements provided regarding the disadvantages of such a system in terms of security and safety of patient records.

There is not an abundance of verifiable, empirical data available testifying to the fact that electronically-delivered health data is safe and secure either while it is being stored or utilized and transferred between physicians and medical facilities.

The Wall Street Journal / Harris Interactive poll quoted in this paper, (Beckey, 2007) also gives some inclination of how Americans feel about the security of their personal health records online. A majority believes electronic data is less likely to keep their personal information private.

Most of the research concentrates on the benefits of the processes of an electronic system and how efficient they are -- (Byers, 2008), (Denmark, 2008), (Tang, 2005). but, it is evident that these sources don't want to discuss the safety issue. They tend to treat it as a given -- which, of course, it is not. I believe that is the one big gap in the research I found -- the lack of the safety discussion in those articles that speak positively of other aspects of electronic records.

This area is open for more study by those whose research reflects these positive benefits of such a system. If not, their conclusions seem unbalanced, and, therefore, rather specious. This is reinforced by the fact that, in this day of serious hacking online, almost nothing can possibly be guaranteed safe. To skip the argument, is to admit that it merits review.

It would seem also that the same argument could be held in reverse for those who claim, and rightfully so, that electronic records bear some vulnerability to discovery and exposure. The gap in their research is that there seems only one consideration==that of safety -- and other benefits are briefly addressed or ignored (Szwarc, 2008), (Hoholik, 2008).

Future research in this subject, particularly in light of President Obama's push for nationwide electronic medical records, should use more empirical data as opposed to opinion. In the past this has been impossible due to the lack of long-term studies of electronic health and medical records' systems, such as the North Bay Healthcare Group case study (Denmark, 2008). It must be noted that this particular study did not discuss the results of electronic record security, yet empirically reported the successful usage of the many capabilities of the system.

I believe the contribution that existing research makes to the field is to reveal the lack of balanced studies to include long-term surveys and empirical data which can prove the safety and security of electronic health and medical studies, one way or another.

Trends, Factors, and Influences in Medical Record Security

The Health Insurance Portability and Accountability Act (HIPAA) is an extension of this age-old concern, consisting largely of common-sense requirements to ensure the continuing confidentiality of patients' medical information in all of its forms. The regulations stemmed from growing concerns about the security of electronically stored and transmitted data. Since its inception, though, the rule has expanded to include not only electronic medical records, but also oral communications and paper medical records (Fiske).

For years, a debate has been waged over the safety and security of paper vs. electronic records in the medical community. On one side is the argument that paper records are easier to manage and control because access is necessarily limited. By their nature, paper records are impervious to computer hackers, and, unless they are manually converted to electronic form, there is far less potential for the errors that occur during the transcription process. Electronic records, others say, are more efficient because most billing, including Medicare and Medicaid, is done electronically. Electronic records are less likely to be misplaced or lost and allow for safety precautions, such as computerized monitoring of prescriptions to prevent allergic reactions or undesirable drug interactions (Fiske).

In the end, most believe that there is, and may always be, a place for both electronic and paper records in the medical industry. The records of many smaller practices and rural hospitals continue to be paper-based. However, because they make billing more efficient, the majority of large urban practice groups and hospitals have already made the switch to electronic records, according to Michael R. Costa, attorney and associate at Greenberg Traurig, LLP, in Boston, Mass. However, he adds, most of these organizations maintain warehouses where they store paper records that have been transcribed to electronic form. "There is resistance from some about going to a completely electronic format because there are still some questions about privacy," Costa says. "There is definitely still a place for paper-based medical records, but the focus from now on will be on making sure that information can be adequately secured" (Fiske).

Frederick Geilfuss, partner in the health law department of Foley & Lardner, in Milwaukee, Wis. says that while many larger providers have already begun the shift, he has not encountered any institutions that have made a complete transition -- an event that he believes is still in the distant future. "There are quite a few doctors out there who are not technologically minded and who prefer paper records," he explains. Changing from paper to electronic records requires organization, as well as technology, because a switch made on a going-forward basis would result in two sets of medical records -- paper and electronic -- with an increased potential for confusion (Fiske).

Health Information Management (HIM) professionals using paper-based systems are confronted by many of the same challenges regarding HIPAA compliance as their colleagues who have switched to electronic records. Although the legislation was originally intended to ensure security and privacy of electronically stored and transmitted information, it has evolved to include all types of communications. "HIPAA extends to any manifestation of patient confidentiality, including what people do in medical offices and what they say about confidential information," explains Henry E. Schwartz, partner in the business and corporate department in the Baltimore, Md., office of Blank, Rome, Comisky, and McCauley, LLP (Fiske).

The HIPAA security requirements for paper-based records are the same as those that apply to oral communications and electronic information, Costa explains. It will be necessary to ensure that the minimal amount of information is disclosed at any time, and providers will need to adhere to restrictions about uses of patient information for medical research and quality assurance purposes. Monetary penalties for noncompliance can range from $10,000 to $250,000, depending upon whether disclosure of information is accidental or for commercial profit, he says. There are also criminal penalties ranging from five to ten years in prison for willful release of patient information without patient consent (Fiske).

While securing paper medical records in either an office or at an off-site facility is often lock-and-key simple, it is always important to monitor and limit employee access to vital and confidential information. "There is really nothing new under the sun, as far as security measures, for paper medical records," says Schwartz. "Medical information has always been confidential, and, in the larger sense, HIPAA didn't change that." Although HIPAA does not specify the means by which requirements must be met, most security measures are simply based on common sense, beginning with an assessment of office practices in order to determine the current state of security for written and oral information, he says (Fiske).

Among the measures that Schwartz recommends are locking medical records files and restricting physical access to them; implementing a policy to ensure that no one enters medical files without authorization and reason to do so; developing a fax policy to ensure that faxed medical information is received by the person for whom it was intended; and, perhaps most simply, not leaving medical files on desks or tables around the office. "It's great that medical records are protected when they are in a storage cabinet," Schwartz comments, "but what happens when someone takes them out to look at them? Does the person leave them lying around while he or she leaves to get a cup of coffee" (Fiske).

As bulky paper records accrue, many healthcare organizations opt to store them in off-site warehouses or storage facilities. Historically, this has not presented any problems of which Schwartz is aware, but he cautions administrators to include security policies in contracts with off-site storage providers. He adds that, when disposed of, paper medical records should always be shredded. "If anyone gets a hold of them," he advises, "they should be unreadable and unrecognizable" (Fiske)

Discussion -- Perhaps EHR's aren't Safe Enough for a National Roll-out?

Will EHR's eventually make patient records safer? The answer, as we will see, is, most likely, yes. However, how do we get there? If we want and need a safer system, we also need a usable, economic system for all types and sizes of medical facilities. And this country will need solid, well-designed health information technology (HIT) networks to store, distribute, and keep safe all of that private medical information.

As mentioned previously, when President-elect Obama outlined his economic stimulus package earlier this month, he emphasized the need to invest in the healthcare system's infrastructure by pushing for electronic health records (EHR), nationwide: "We will make sure that every doctor's office and hospital in this country is using cutting edge technology and electronic medical records so that we can cut red tape, prevent medical mistakes, and help save billions of dollars each year" (Mahar).

The problem is that the physicians and hospitals who the government expected to invest in electronic health records are least likely to benefit financially. For example, if electronic medical records reduce the number of redundant tests, the insurer and/or the patient enjoy the financial benefit: the physician does not. In fact, if the physician does the tests in his own office, he loses money every time he doesn't need to repeat a test. Over time, health care providers might realize savings from EHRs, but experience suggests that it would take at least ten years (Mahar).

Since insurers would be the first to enjoy savings from more efficient care, it would make sense for them to provide the initial funding for Health Information Technology (it). But so far, relatively few for-profit insurers have stepped up to the plate.

In most developed countries, the government (i.e. taxpayers) has played a major role in developing and funding EHRs. The U.S. decided to wait for market competition to do the job. So far, that hasn't worked out very well, and the new administration seems ready to take a more proactive role. But before making an enormous investment, someone should ask about the state of the art: are EHRs ready for a national roll-out (Mahar)?

The answer, says Dr. Scot Silverstein, the director of Drexel University's Institute for Healthcare Informatics, is No! Over at Dr. Roy Poses' Health Care Renewal, Silverstein has posted an open letter to President Obama, applauding him for the it initiative, but warning that at this point in time "Health Information Technology (HIT) is an experiment" -- at least in the U.S. It is, yet, unproven on a large scale. There have been many warning signs that it is an experiment that could go awry" (Mahar)

Silverstein notes that "after years of effort and billions of dollars spent," the use of HIT in this country remains limited. And where electronic health records are used, "Clinicians (physicians, nurses and others) are struggling to use awkwardly designed HIT, designed as if for quiet, solitary business offices yet costing millions of dollars per hospital."

Silverstein blames information technology experts who do not recognize the difference between healthcare and other industries. They design systems that might work well in a bank but will not cut it in a hectic ER. Silverstein stresses that clinicians must be involved in the design of healthcare it (Mahar).

A 2005 article in the Journal of Biomedical Informatics expands on this point: "Designers of healthcare information technology (HIT) must be exquisitely sensitive to the non-linear, context dependent, fast communication-dependent, interruption-filled, uncertain, and collaborative nature of hospital clinical practice," writes the University of Pennsylvania's Dr. Ross Koppel. The piece concludes: "That some HIT development has occurred without this disciplinary input and wisdom is deeply regrettable (Mahar).

Three years later, little has improved, says Silverstein. Rather than becoming more sensitive to the needs of a hospital, "the healthcare industry and the HIT sector have been reliably tone deaf on these issues, which results in the very low diffusion of HIT. Platitudes, excuses, and blame placed solely on end users (i.e., the clinicians) are the norm" (Mahar).

Yes, a large investment in health it would create jobs but, as Silverstein points out, given the state of vendor-designed EHRs, and the trouble healthcare workers and hospitals are having with them, "While HIT problems may be good for the it and management consulting businesses, they are not good for the healthcare business, already struggling under great financial duress."

If phrases like "HIT hell" and "irrational exuberance" don't give you pause, consider another open letter to the Obama Healthcare Team on TheHealthCareBlog.com (THCB). This missive was penned by David C. Kibbe MD MBA, a Family Physician and Senior Advisor to the American Academy of Family Physicians who consults on healthcare professional and consumer technologies, and Brian Klepper PhD, a health care market analyst and a Founding Principal of Health 2.0 Advisors, Inc. (Mahar).

They acknowledge that "the easy solution would be" for the administration "to spend most of its health it funds on electronic health records (EHRs). The EHR industry has made it easy by establishing a mechanism to 'certify" EHR products if they incorporate certain features and functions.

"But the easy solution would not be the right one," they explain. "EHRs still are notoriously expensive." Moreover "often, practicing physicians do not consider many of the ["certified'] features and functions to be useful or important." Meanwhile, "It can cost as much as $40,000 per physician in a medium size medical practice at the beginning of an EHR implementation. Even that regal sum may not completely cover the hardware and technical support necessary."

Russell Pierce, CISO at CVS Caremark, said the push to digitize medical records is fraught with potential security problems, making it crucial that health organizations get behind a more specific set of security guidelines (Mahar).

"We've seen a lot of difficulty in the health sector in terms of how one evaluates the security of third parties, especially when it comes to what third parties are doing to satisfy the Health Insurance Portability and Accountability Act (HIPAA) security requirements," Pierce said in a phone interview. "There have been some significant inconsistencies on that front" (Brenner).

One problem is HIPAA itself, which many security practitioners see as more a list of suggestions than a specific set of requirements. The law has been open to interpretation, and the Health Information Trust Alliance (HITRUST) hopes its Common Security Framework (CSF) will put more organizations on the same page in terms of what must be done to improve security. The move is especially timely, Pierce said, because the healthcare sector is going to see a new burst of activity in response to Obama's call for more digitized records (Brenner).

Is Privacy Even Possible?

You might expect health-care providers and insurance companies to use the best security measures to keep your medical information private. But a national expert on patient privacy said it's naive to think that your health record is secure. And with the federal government pushing for more electronic records, security will only get worse.

"Because of the primitive state of health technology, there are a lot of risks with electronic records, frankly far more than paper," said Dr. Deborah Peel, founder of Patient Privacy Rights, a nonprofit organization based in Austin, Texas (Hoholik).

Peel, who recently spoke at a health-policy conference in Columbus, said most people don't know about all of the nonmedical staff people who have access to their electronic health information. And she questions providers who promise privacy.

"The public is not aware that hospital systems allow anyone who's a staff member to see your records," she said. "They can limit employees to certain parts of your record, but most hospital-based systems don't even have that" (Hoholik).

Hospital and insurance officials don't agree.

"They actually are more secure than paper records," said Tiffany Himmelreich, spokeswoman for the Ohio Hospital Association. "The data is encrypted so Joe off the street doesn't have access to it." She said most hospitals can audit records to see who opens them.

Only physicians and medical assistants have access to patients' electronic records at Dr. Michael Waluzak's office in Westerville. The Central Ohio Primary Care office switched completely to electronic records in June 2006 (Hoholik).

"If someone breaks into your office and you have paper charts, you have no security,"

Waluzak said. "Nobody can tell you any system is 100%, but I think it's more secure than paper" (Hoholik).

The Institute of Medicine Speaks Out

The Institute of Medicine issued a report on privacy of medical records in early February that fuels this concern. The IOM started with the premise that protections for electronic medical records are a must, because the benefit of health it is so great. The records will speed up access to a patient's health information, cut down on redundant care, and reduce medical errors. Access to the online digital record by researchers also means massive medical databases can be searched, shared, analyzed, and drawn upon. Epidemiological research would be carried out on a scale never before imagined, to improve care, develop better practice guidelines, and determine cost-effectiveness (Healy).

Recognizing the importance of the public's confidence in the sanctity and confidentiality of medical records, the IOM came down hard on the current privacy protections that are supposed to ensure this. The group concluded that government rules to protect patients' medical records are simply inadequate. At best, they should be scrapped -- or overhauled, at the very least. The report also points to the many security breaches of medical record databases, covering tens of thousands of patients that have occurred in the past two years and cites this as a growing problem (Healy).

Lack of confidentiality protections for a far more extensive national online record system would surely cause major unrest among most Americans. Despite its shortcomings, the paper record distributed across hospitals and doctors' offices has a limited ability for wide dissemination. A centralized, integrated, electronic record with access to all Americans' files would not only contain more information, but its potential distribution could be measured in the millions, not just the few who could lay their hands on a chart. Would most of those unauthorized eyeballs be gazing for the patient's benefit? I don't think so (Healy).

One thing that the IOM calls for is an audit trail of just who accesses online records. In fact, there is no reason that patients themselves should not know who's seen their records, rightly or wrongly, here or elsewhere in the world, where records are now outsourced for insurance review. it's also unseemly that marketers can buy pharmacy information about patients, so they can send them illness-specific advertising, and questionable that insurance companies should send patients mailings that suggest they take a medicine other than the one their doctor has ordered (Healy).

Discussion -- the Positive Side of EHR/EMR Security...maybe?

Finding advantages listed for EHR systems is easy. Finding information that tells one how much safer an EHR is than a paper file is not so easy. My research discovered that there is a lot of "hedging" and "iffy" statements about the safety of "online" records of any sort. It seems that very few are willing to commit to a black and white statement of support that, if you trust your health records to the electronic age, someone (unnamed) will guarantee you they will be safe. I found this quite disconcerting, as my assumption going in was that, of course the EHR is safer than a paper folder sticking out of a shelf in a doctor's office.