Will you entrust the US government or a private entity with your electronic medical records?

The ARRA stimulus bill provides incentives for medical providers to use Electronic Medical Records for storing patient healthcare information. (To read more about Meaningful Use and certified Electronic Medical Records, which are beyond the scope of this posting, please refer to CCHIT.) The overarching goal is to allow medical records to be exchanged between health-care providers. A simple example: an employee changes jobs and receives new health insurance, which requires him to use a different health-care provider. How does he transfer his medical records to that new health-care provider? Or a soldier is treated in a military hospital, then transferred to the VA and finally to a public/private hospital. How does his/her electronic medical record transfer between the three distinct institutions?

In transferring electronic patient data between institutions:

  • How does American law protect the privacy and security of patient health-care data?
  • Why are Americans hesitant to share medical information electronically?

On Monday, January 25th, 2010, a study by the Ponemon Institute revealed that Americans do not trust either the Federal Government or private enterprise to store their health-care data electronically.

Of the 868 Americans surveyed about their views on digitizing and storing health records, only 27% said they would trust a federal agency to store or access the data–the same percentage as those who would trust a technology firm like Google, Microsoft or General Electric.

Let’s examine how US Federal law protects electronic medical records.

Health Insurers and Providers who are covered entities must comply with your right to:

  • Ask to see and get a copy of your health records
  • Have corrections added to your health information
  • Receive a notice that tells you how your health information may be used and shared
  • Decide if you want to give your permission before your health information can be used or shared for certain purposes, such as for marketing
  • Get a report on when and why your health information was shared for certain purposes

Nothing is implied about electronic medical records, the exchange of electronic data or, most importantly, authenticating the individual who is requesting access to the records. In an electronic medical record system, how can I be certain that Joe Smith is who he claims to be when he logs into the system? Is a user name and password sufficient security?

  • In light of the ARRA stimulus bill, the US Department of Health and Human Services (HHS) revised the privacy rule in December 2008. (11 page PDF here). In summary:
  1. Access: Individuals must be provided timely access to their medical data
  2. Disputation/Correction: Individuals must be able to dispute and correct information in their health record, whether it stems from a simple typo, corruption of digital information in transit between entities or even medical identity theft.
  3. Openness/Transparency: Individuals must have access to their record and know what is in there and how it is disclosed.
  4. Individual choice: Individuals must be able to choose how data is shared, for example which doctor is allowed to view their record, or delegating access to another person in case the patient is incapacitated and cannot access their record.
  5. Collection/Use: Individuals have the right to know how their medical data is distributed/used; that data is only used for their care and not distributed beyond the patient’s consent.
  6. Data quality/integrity: Data is secure and not compromised.
  7. Accountability/Auditing: An audit trail and legal accountability exists to know who was authenticated and authorized to access an individual’s data.

The word “trust” appears 13 times in the 11-page document, and the phrase “trust in electronic exchange of information” appears six times. Clearly the HHS is attempting to gain the public trust in an electronic exchange of health data.

  • The Federal Trade Commission proposed a breach notification rule (50 page PDF) “requiring vendors of personal health records and related entities to notify individuals when the security of their individually identifiable health information is breached.”

So, given the above laws, why does the Ponemon study find Americans so distrustful of storing their health data electronically? The study revealed that users rated health records as far more sensitive than other information they typically share with Web companies. On a scale from one to seven, medical data received an average rating of 6.64, while credit card information received only a 4.27 and online search records just a 1.86.

I posit that:

  • Internet searches can be reasonably anonymous. I can search for information from a public computer, such as one at the library, or a firewall can transform my computer’s identity (IP address).
  • If my credit card information is compromised, I am protected by the credit card company; so much so that credit card companies have sophisticated software that tracks errant spending patterns and forewarns me. Am I in an obscure overseas country attempting to purchase a $3000 airline ticket?
  • Americans, historically, have distrusted their government. The Bill of Rights, dating back to 1791, protects the individual (for example, against unreasonable searches). So why should the government be trusted with personal health information?

The problem is that health information potentially reveals personal and important details about an individual: their weight, medications, illnesses, addictions, allergies, perhaps even sexual preferences. (Interestingly, under US law, patients do not have access to their psychotherapy notes. See the HIPAA rule: “You do not have the right to access a provider’s psychotherapy notes.”)

The real problem, I believe, is what options an individual has if their electronic medical record has been compromised. Witness two recent incidents in California where electronic patient information was stolen: UCSF (600 patients) and Kaiser (15000 patients).

Is the FTC breach rule sufficient?

I think the rule is sufficient, but the ubiquity and ease of electronic data duplication make it difficult to gain the trust of users. If my medical records are stolen, what comfort is the rule? The answer individuals require from electronic medical record vendors is “we will encrypt your data, at rest and in transit.” At rest means that data in a database is encrypted; in transit means that the data is encrypted as it is transmitted across computer networks. Today, encryption in transit is easily achieved with SSL. Encryption at rest is rare because it is practically difficult to implement. If I encrypt “Joe Smith” as “aS@Pn!”, then how do I search for his record, as I cannot search for “Smith”? How does another application, say a reporting application, access and present the encrypted data? How do I index a database (group all the “Smith”s together) if the data is encrypted? How can a receiving party in another institution (sharing electronic medical records) decrypt the data? As the UCSF and Kaiser incidents show, unencrypted data was stored on detachable disks and subsequently stolen.
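One common answer to the search and indexing questions above is a blind index: a keyed HMAC of the normalized surname stored next to the ciphertext. This is an added example, not code from the original post or from any EMR vendor; the table layout, key and sample rows are constructed, and the ciphertext blobs are opaque stand-ins for the output of a real field encryption.

```python
import hashlib
import hmac
import sqlite3
import unicodedata

# Constructed demo key (assumption). In practice the index key is held in a
# key-management system and is separate from the field-encryption key.
INDEX_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def normalize(surname: str) -> bytes:
    """Canonical form so 'Smith', 'smith ' and 'SMITH' map to one tag."""
    return unicodedata.normalize("NFKC", surname).strip().casefold().encode("utf-8")


def blind_index(surname: str, key: bytes = INDEX_KEY) -> bytes:
    """Keyed, deterministic tag: equal surnames give equal tags."""
    return hmac.new(key, normalize(surname), hashlib.sha256).digest()


def build_db(patients):
    """patients: iterable of (record_id, surname, ciphertext_blob)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE patient (id INTEGER PRIMARY KEY, surname_ct BLOB, surname_bidx BLOB)"
    )
    # An ordinary B-tree index on the tag groups all the "Smith" rows together.
    db.execute("CREATE INDEX idx_surname ON patient (surname_bidx)")
    db.executemany(
        "INSERT INTO patient VALUES (?, ?, ?)",
        [(rid, ct, blind_index(name)) for rid, name, ct in patients],
    )
    return db


def find_by_surname(db, surname: str):
    """Exact-match lookup that never decrypts a row or stores plaintext."""
    rows = db.execute(
        "SELECT id FROM patient WHERE surname_bidx = ? ORDER BY id",
        (blind_index(surname),),
    )
    return [r[0] for r in rows]


# Constructed sample rows; the blobs stand in for randomized ciphertext.
SAMPLE = [(1, "Smith", b"\x8a\x01"), (2, "Jones", b"\x13\x77"), (3, "smith ", b"\xe4\x5c")]

if __name__ == "__main__":
    print(find_by_surname(build_db(SAMPLE), "SMITH"))
```

The tag supports exact-match lookup and grouping only, not substring search, and it reveals which rows share a surname, so the index key needs the same protection as the encryption key.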

Electronic medical record vendors and the US government have a long way to go to gain public trust.

(This posting is an assignment from my UC Davis Informatics class on telemedicine)


Should Doctors answer email (from patients)?

When I attended a HIMSS conference on PHRs last month (see my writeup, in particular item 3), one of the panelists, Dr Chan, discussed their tethered PHR, in particular the ability of patients to email their physician. (I am fortunate to be able to email my doctor.) So I asked Dr Chan whether email did not consume a lot of a Doctor’s time outside of their paid hours at a clinic or even their own practice. In a similar vein, an author known only as “Amy” commented on an entry in kevinmd.com that Doctors are not paid to answer email and some patients are loath to pay for the functionality of emailing their doctor.

How does it change a physician’s job, if they establish an email relationship with their patients?

I suggest the following:

  1. The Doctor is not encumbered to answer email immediately. Though we may lead hyperconnected lives with smartphones and wifi, email replies can wait.
  2. Email is not a substitute for an office visit; doctors should not diagnose by email.
  3. Use email for follow-up, answering simple questions such as: “Do I take the medication recently prescribed on a full stomach or before eating?”

Some responses to the KevinMD blog post questioned why Doctors should work outside of their normal office hours by answering email. I wonder which professions today are limited to “office hours”? Email does offer a Doctor the opportunity to answer patient questions asynchronously, meaning when the Doctor wants to, versus a phone call that requires the Doctor to answer immediately.

The D’s of Telemedicine: Denmark and Davis

This week I start the second course in my informatics certificate program from University of California, Davis, a class on Telemedicine taught by Dr Peter Yellowlees. Coincidentally, an article in the New York Times today describes how Denmark embraces Telemedicine and Electronic Health Records.

Telemedicine offers many benefits to patients who are unable to visit a doctor on a regular basis. Using rapidly emerging technology, the patient can transmit medical data to their doctor using the Internet. A virtual medical visit. Watch this space for more on telemedicine as I plow through the class material.

Transferring 30 printed pages of medical records to my doctor

In January 2000, I was hospitalized at Stanford Hospital following a vehicle accident.

In December 2009, I visited a Urologist and when I mentioned my medical history, he said it would be useful to get a copy of my medical records from Stanford Hospital. His nurse began a request for medical records from Stanford, estimated to take six weeks. My doctor’s office is three miles from Stanford hospital so one could walk there and back in an hour to get records, in theory. In practice, it requires a search of off-site archives to retrieve medical records.

I returned home and remembered that subsequent to my hospitalization 10 years ago, I had requested copies of my Stanford medical records for myself.  I dug up the large envelope of 30 single sided printouts.

Now to get the 30 page medical record to my Urologist. My doctor’s office uses EPIC for electronic medical records and as a patient I have a tethered PHR – meaning I can view my EPIC medical record from any computer on the Internet using a web browser. I can also send an email to the doctor and view/create appointments.

I attempted the following, without success, to get the medical records to my Doctor:

  • I scanned the pages at home and created a PDF, but the EPIC patient email software does not allow attachments.
  • I uploaded the PDF to my personal website and then sent an email to the Doctor with the URL for him to download the scanned medical records. I received a response that the download could not be performed. I suspect that the old/pre-web EPIC email interface does not produce clickable links, but could the doctor not execute a copy/paste from EPIC to a browser?
  • I phoned my doctor and was told to fax the documents. Sorry, I don’t have a fax machine at home.
  • I logged into GoogleHealth, hoping that I could link my clinic’s EPIC system to my Google medical record, but GoogleHealth offers no functionality to upload medical records from one’s own computer, only to import medical records from a variety of vendors. I did not try Microsoft HealthVault, though I suspect the same result. Anyway, it was a long shot. I am sure that linking medical records between Google/Microsoft and medical providers is a long way off.

I ended up driving to the doctor’s office and hand-delivering the medical records to his nurse.

Wishing a year of good health to you all!