January 25, 2012
Would National Patient Identifiers Work?
Written by: Anne Zieger
Right now, healthcare organizations have to go through some pretty tricky maneuvers to link patient data across varied systems and settings. It’s possible to connect patient info electronically through database hacks, but more often than not, matching patients to clinical data gets done by hand.
Given the insane complexity of the existing system, would it make sense to create a national patient identification number for every U.S. patient? The question is worth revisiting, given the immense level of error and wasted time generated by the existing system. After all, not only would putting an NPI in place make it easier to track patients within a hospital or health system, it would simplify the rollout of HIEs dramatically, wouldn’t it?
Dr. Robert Rowley of EMR vendor Practice Fusion notes that the biggest enemies of establishing a National Patient Identifier are privacy advocates who feel that an NPI would expose patients to greater risk of breaches or misuse of data.
But is that a realistic concern? Probably not. I agree with Dr. Rowley, who asserts that it’s hard to imagine that PHI would be at greater risk simply because of how it’s indexed. As he notes, PHI breaches are nearly always haphazard affairs in which a laptop is stolen rather than Big Government or corporate conspiracies. (If you’re afraid the government is covertly siphoning your health data off to study it, not having an NPI won’t protect you, anyway.)
No, the real barrier to this kind of administrative simplification measure is time, money and resources, the same barriers that hold back any other proposed HIT project. It’s hard to imagine the resources that would be involved in instituting such a system — the idea makes my head hurt — and I have to assume it’d be several years before it was anything like mature.
Still, it’s good to bear in mind that at least some members of the public are afraid that creating an NPI would compromise their privacy. If the only barrier to improving patient matching in our EMRs is technical, that’s one thing — but if it’s patient fears, that’s another thing entirely. Sometimes, it’s good to remember that most of the world doesn’t think like a health IT exec.
Tags: EHR • Electronic Health Records • Electronic Medical Records • EMR • Health Information Exchange • HIE • National Patient Identifier • Practice Fusion • Robert Rowley
January 9, 2012
HIPAA Compliance Audits Underway
Written by: Priya Ramachandran
So the first round of the HIPAA compliance audit program is underway. Howard Anderson, writing in HealthcareInfoSecurity.com, has a great post on what’s going on:
- 20 organizations will be hosting auditors from KPMG in the next few weeks, followed by another 130 organizations in the second phase of the audits later this year.
- The focus this year is on covered entities, not on their business associates.
- OCR is not just going after the big fish. OCR is auditing “eight health plans, two claims clearinghouses plus 10 provider organizations, including three hospitals, three physicians’ offices, and a laboratory, a dental office, a nursing/custodial facility and a pharmacy.”
- Adam Greene, the blogger who broke this news first on his blog, has some interesting details about the organizations. It seems as if 6 of the 20 organizations chosen for the first audit are Level 4 entities, meaning “Small providers and community pharmacies with less than $50 million in revenue and/or assets.” This translates to 30% of the initial list.
- Notifications were sent to organizations on the 1st of December. Auditors are going out for field visits expected to last between 3-10 business days.
Having been in charge of Sarbanes Oxley audits at my last place of work, I know first hand what a flurry external audits can cause in any organization. I can only empathize with the first few organizations chosen. However, I also find OCR’s approach to the audit process to be quite wise – the post at HealthcareInfoSecurity quotes Leon Rodriguez, OCR head honcho as saying “Our first objective is not to go out there and start banging [organizations] with penalties; it’s really to take a good look at them, find out where their opportunities for improvement are and help them improve… Having said that, I think we know that there are cases where we’re going to find some significant vulnerabilities and weaknesses. And in those cases, we may be pursuing significant corrective action. And in some of those cases, we may be actually pursuing civil monetary penalties. But that’s really not the primary goal of the audit program.”
Which probably is some solace for the organizations that are currently being audited. Hopefully at the end of this exercise, OCR will have a good idea of where the major weaknesses are, where it wants organizations to be at, and help them get there.
Tags: Adam Greene • Healthcare Info Security • HIPAA Compliance • HIPAA Compliance Audits • Howard Anderson • KPMG • OCR • Office of Civil Rights • Sarbanes Oxley
October 10, 2011
Healthcare Data Security, Healthcare Breaches, and EMRs
Written by: Priya Ramachandran
We’ve posted about it earlier on this blog as well, and it’s a point worth reiterating – most data breaches are not the result of hordes of internet hackers out to get your computer system, they’re due to human errors or negligence.
Here are some recent cases of patient data that has emerged from EMRs in unexpected places:
Lost in Break-In: By now, we’ve all probably already shaken our collective heads over the Tricare data breach involving data for 4.9 million military patients. Scientific Applications International Corp. (SAIC), one of the Pentagon’s principal contractors, was the outfit responsible for the loss of the data, which was stolen in a break-in into a SAIC employee’s car. The data was contained in backup tapes, and contained information such as SSN, addresses and phone numbers of patients, and personal health data.
There are several perplexing things about this story – a) the statement on Tricare’s website claiming nothing important was really lost: “The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure” per this story.
b) SAIC’s success with HHS contracts – SAIC was awarded a lucrative $15 million contract by HHS, despite the breach.
Posted on a Homework Help forum: According to this NYT story and its follow-up, patient records (names, diagnosis codes, account numbers, admission codes) from emergency visits for a six month period at Stanford Hospital, CA, were posted online. Supposedly, a Stanford vendor sent the data to a prospective contractor as part of a testing exercise. The contractor posted it all online, on a website offering tutoring help no less, without realizing it was actual patient data. The story says Stanford had the data removed from the website, and reported the breach to federal and state authorities, as well as the patients. Stanford is arguing that none of its staff has done anything wrong, and that it severed its relationship with the contractor. To me, this is the proverbial buck being passed.
Lost in the Subway: The first NYT story mentions how the paper records of 192 patients were left on a subway by an employee of Massachusetts General Hospital in Boston. The hospital has agreed to pay a $1 million federal fine for HIPAA violations.
So to summarize some lessons learned from these data breaches:
Loss of paper records is worse than the loss of electronic records: This should be obvious to anyone who’s not a schoolgirl with a fancy diary guarded by a lock.
Your data is only as safe as your weakest link: If you’re farming out your data to vendors, then you have to know what policies your vendor has in place. If your vendor subcontracts further, then you have to keep going down the line till you are reasonably assured of data safety. When the hammer falls, it is *you* who will be coughing up the fines.
Prep with Data-handling Policies and Procedures that you and your staff religiously follow: The data was lost in very human ways – data left inside a car, posted by an untrained contractor. This just means you need to have robust, and enforced, policies in place for how patient data is handled by your employees. Maybe in your company this means that your employees can’t take work home, or that they must clear their workspaces of any patient data before they leave. Decide what makes sense in the context of your business, and maybe hire someone to enforce these rules.
Give kickbacks to HHS: If you’re in the business of contracting with the government, seriously figure out how SAIC has managed to stay in HHS’ good books. I wish I were kidding with this one.
Tags: Data Breach • data theft • EMR and HIPAA • HIPAA Breaches • HIPAA Violation • Massachusetts General Hospital • SAIC • Scientific Applications International Corp • Stanford Hospital • Tricare data breach
August 29, 2011
Valuable Healthcare Data or TMI? The Quantified Self
Written by: Priya Ramachandran
Maybe two years ago, I saw this interview on TV with this Silicon Valley yuppie who had a camera attached to a cap on his head (or maybe it was a backpack. I digress.) Every 10 seconds, the camera would kick into action and take a snapshot. This way, the yuppie surmised, he would have a repository of pretty much everything he had ever done, even the parts he didn’t like or want to share.
Fascinating as the interview was, to me the $64,000 question was Why? Why, I wondered, would someone want this much detail about his life?
Turns out, there are a whole lot of people who are into this kind of minutiae logging. And they may very well be changing the way medical records are used and stored. At Quantified Self, people believe that self-logged data holds the key to a better understanding of oneself. And some Quantified Selfers are on a mission to make it easier and cheaper to save one’s personal data.
I can think of a myriad things about my health that I might want to log and analyze – blood pressure, weight, mood swings, food intake and (ew! even) bowel movements. Such data might serve to show me the cause and effect, or at least correlations, between my daily choices and the end result of these choices. Such feedback loops apparently work. Last month’s Wired story on this topic shows how innocuous and ineffective seeming reporting can be used for positive behavior change. (There’s an interesting section on how one inventor helps non-compliant patients take their pills as directed.)
This is still a newish area of experimentation. We still don’t know if, and when, and how this trend will play out in the healthcare field. To me, there are several questions that need to be answered:
- How is data going to be stored and transmitted to the EMR?
- Who takes charge of interpreting all this data we will gather? Will my already overworked primary care physician for example want to look through graphs of my self-reported B.P. and weight changes?
- How will this data interface with EMR systems already in place?
- How safe is it to maintain a personal health data journal? What are the HIPAA implications?
- How much is too much?
It will be interesting to see how this form of health-logging will play out.
Tags: Health Data Journal • Health Logging • Healthcare Data • HIPAA • Mobile Health • Non-compliant Patients • Quantified Self
July 24, 2011
Social Media and EMRs: Worlds Apart?
Written by: Katherine Rourke


Over the last year or two, a growing number of healthcare providers and organizations have gotten involved with social media. There’s a great deal of discussion underway in social media networks on how these new tools can improve patient care, foster better communication between clinicians and even help patients manage their own care more effectively. (If these topics interest you, do a search on the Twitter hashtag #hcsm, and you’ll find lots of interesting content.)
As this discussion grows richer, a small number of healthcare social media innovators are beginning to discuss how to blend the strengths of social media with the power of EMRs. At first blush, the two might seem worlds apart — one a database with a nifty UI (we hope!) and the other a set of disarticulated, freewheeling communication channels.
One of the neatest visions I’ve seen of how this might work comes from pediatric gastroenterologist Dr. Bryan Vartabedian, who blogs on social media and medicine at 33 Charts.
Late last year, Dr. Vartabedian offered a detailed vision of an EMR-based “digital dashboard” which would allow doctors to slip easily between social discussion, content and clinical data. The key seems to be that the EMR would handle everything: it would incorporate social media tools, securely log communications, trigger related content and more.
But how long will it be until EMRs include functions like these? Well, the general consensus seems to be “I wouldn’t hold my breath.” Consider these comments from Josh Herigon, MPH, writing for the social media/medical blog KevinMD.com.
Although I dream of the day when we have a system like Dr. Vartabedian’s vision, I am not very optimistic such a system will come to fruition anytime soon…I would be satisfied with truly interconnected EMR systems (i.e.–I can pull up any patient’s chart from any hospital or clinic and see their entire recorded medical history), the elimination of pagers and subsequent replacement with secure smartphone communication systems, widespread use of tablets at the bedside that update the record in real-time so I can finish notes at a workstation, and some level of integration of Facebook/Twitter-like communication within care teams.
I’m not surprised that people are skeptical about linking EMRs and social media together. While creating the interfaces Dr. Vartabedian describes in his article wouldn’t be a big deal technically, it would represent a big change in how vendors thought about their product. After all, a comprehensive system which juggles both social media and patient data is a much different deal than a patient database with some templates and analytical tools layered on top. The idea of making this kind of shift could give both programmers and vendors a bad case of the vapors.
On the other hand, Dr. Vartabedian is far from the only physician who’s passionate about making better use of social media. If healthcare social media fans can bring more colleagues on board — and slowly but surely, they’re clearly succeeding — EMR vendors will be forced to respond. Having sat in on many “health 2.0” chats, I can tell you first-hand that there’s a lot of excitement about social media in medicine out there. I wouldn’t be surprised if evangelists defy critics’ expectations and turn social media into an everyday clinical tool.
Tags: #hcsm • EHR • Electronic Health Record • Electronic Medical Record • EMR • Healthcare Social Media • KevinMD.com
July 17, 2011
Mayo Developing Tools To Extract Medical Data From All EMRs
Written by: Katherine Rourke
Here’s some interesting and potentially important news. According to some recent news items, it seems that Mayo Clinic investigators are putting the finishing touches on a suite of tools which can identify and sort medical data contained in any electronic medical record.
Mayo investigators are working under a federal grant, the $60 million Strategic Health IT Advanced Research Projects (SHARP) program, which is funded by the ONC.
According to a piece in Government HealthIT, the researchers have used natural language processing tools to isolate health data from about 30 digital medical records of patients with diabetes. So far, so good. When the extracted data is run through specialized systems developed with IBM’s Watson Research Center, the 30 patient records “explode” into 134 *billion* individual pieces of information, Government HealthIT reports.
Unfortunately, none of the sources I have explain what specific data pieces make up this total, which sounds extremely high to me. If we’re talking about just 30 patients, it’s hard for me to imagine that mundane details of care represent even multiple thousands of data points, unless you’re dealing with decades of care. (Perhaps the information involved includes the coding needed to extract the data — readers, can you clarify this for me perhaps?)
While I can’t testify as to how realistic the Mayo researchers’ claims are, I have to think that if they’re on target, something very big is in the works. After all, to date I’ve heard little of tools that can effectively, fluidly extract clinical data from an entire EMR-based patient chart regardless of format or data organization. Concepts like natural language processing are far from new, but it seems they haven’t been up to the job.
Not only would such capabilities allow virtually any set of institutions to share data, a giant leap in and of itself, they would also allow providers to do unprecedented levels of clinical analysis and ultimately improve care.
On the other hand, it’s not clear how practical this approach will be. If it only takes 30 records to generate that much data, just imagine how much data a single mid-sized hospital would have to wrangle! If I’m reading things right, this technology may remain stuck at the research stage, as it’s hard to imagine most institutions could manage terabytes of new data.
Still, there’s clearly much to learn here. I’m eager to find out whether Mayo’s SHARP technology turns out to be usable in everyday clinical life.
Tags: EHR • Electronic Health Record • Electronic Medical Record • EMR • Government HealthIT • HHS • Hospitals • ONC • SHARP • Strategic Health IT Advanced Research Projects • Watson Research Center
July 4, 2011
AMA Shines Spotlight On Clinical Data Ownership In HIEs
Written by: Katherine Rourke
Anyone who knows me has probably heard me take a few potshots at the AMA, which isn’t exactly known for its progressive positions on health policy issues. But this time, I must admit, the AMA has done the industry a good turn by shining a spotlight on an issue that deserves a closer look.
The group’s House of Delegates has just adopted a policy asking the AMA to study the issue of who owns — and can use — data sent back and forth across an HIE network.
The author of the policy, a New Mexico-based nephrologist, noted that as health plans acquire HIE technology vendors, it’s become unclear who will control patient data.
For example, UnitedHealth Group’s health IT consulting subsidiary Ingenix bought HIE technology provider Axolotl last year. Another example of such consolidation comes from Aetna, which picked up HIE vendor Medicity last year, notes American Medical News.
At present, the AMA notes, it’s not clear whether payers who buy HIE technology vendors have the right to siphon out data on patients who aren’t members of their own plans. (My guess is that health plans will be all too happy to do so, if they can get away with it, as it would help them screen out high-risk patients before they even consider applying for coverage.)
Now, I’m no legal expert, but I would have assumed that HIPAA regs would cover this situation. But even if HIPAA does spell out what health plans may and may not do in this instance, this won’t be the last time the increasing consolidation of patient records will raise important privacy questions.
The truth is, as health data begins to become a public commodity — something that’s hard to avoid as it’s aggregated and shared with more parties — the notion of health data privacy will need to evolve.
Do we need a “son of HIPAA” law to protect consumers in this new era? Not being an attorney, I’m not qualified to say.
But as HIEs begin to play a more important role in healthcare delivery, I do think we should pay close attention to what data ends up in whose hands. Otherwise, we’re looking at loopholes you could drive a truck through.
Tags: EHR • Electronic Health Record • Electronic Medical Record • EMR • Health Information Exchange • HIE • HIPAA
June 19, 2011
Who’s Seen My Medical Record? Better Be Able To Answer
Written by: Katherine Rourke


Right now, HHS is considering a new rule which would demand that hospitals, medical practices and health plans provide anyone who asks with a list of who has accessed their electronic medical records.
The proposed rule, which will go into effect January 2013 if approved, shouldn’t be a big deal in theory. After all, since 2005 healthcare companies directly involved in patient care have had to keep their own log of who accesses patient records electronically. But apparently, the industry is arguing that providing a report on who saw your EMR file would be a massive hassle. (Even the rule’s author told USA Today that “the burden could be significant.”)
OK, I’m beginning to get a bit of a headache. Correct me if I’m wrong, but isn’t such monitoring — a detailed record of who looked at what record — a completely standard security measure for any organization with its act together?
I’m also wondering why the heck the article suggests that it would be difficult to get such access logs across departments. Again, I’m not an IT executive and I don’t play one on TV, but how much would EMR security be worth if you could only track access department by department?
I’ll admit that the more paper that remains in the process, the trickier things get. If a consumer wanted a complete list of who’d accessed their files, and the healthcare organization still conducted some major processes on paper, things could get pretty time-consuming. (Though even in that case, healthcare organizations better be aware of who’s peeked at what patient’s data.)
Still, I detect a smokescreen here. While there are probably entities — notably smaller practices with lower-end EMRs in place — that would be burdened by this requirement, many more would probably find it no trouble to handle if they tried. In fact, if a provider has spent big bucks on an EMR that can’t dig up access records easily, they should get their multi-million-dollar investment back.
I understand health plans’ and hospitals’ reluctance to turn over such information, which could drag them into lawsuits, divorces (“Did my wife really have the right to see my records?”) and medical ID theft prosecutions, to name just a few possibilities. Once targeted, the entity would have to prove, sometimes laboriously, why a given person actually did have good reason to access a certain patient record, and sometimes they’d look bad even if they were in the right.
But if that’s the real issue, and I strongly suspect it is, I’d prefer to see health plans and providers come out and admit that they don’t want to get dragged into fights they may not win. Saying they can’t afford to comply with what should be a simple request just makes them look dishonest. And that can only lead to further headaches down the road.
Tags: EHR • Electronic Health Records • Electronic Medical Records • EMR • HIPAA • Medical Privacy
June 18, 2011
The Top Three Things The Mass Media Does To Delay EMR Adoption
Written by: Katherine Rourke
Now that the government is pushing EMR use, the mainstream press has begun to report on the issue.
True, some astute editors are beginning to dig in to the problems that matter, such as securing patient data and challenges to getting physicians on board.
But most consumer publications, with their penchant for simplifying and condensing issues, are muddying the waters even further. Here are some things they’re doing which, I’d argue, are actually slowing down the EMR adoption process:
* Asking consumers whether they “want” an EMR: Let’s be honest: most consumers have only a vague idea of what an EMR is. You might as well ask them whether they’d like oh, I don’t know, a confoobatron. If they think those confoobatrons are supposed to be the latest thing in medicine, they’ll say sure, I’d want one of those! In other words, you’re not giving doctors and hospitals real feedback as to how EMRs will foster relationships with their patients. It’s easy for clinicians to write off such responses as bogus and avoid adoption for a while longer.
* Focusing on a few spectacular security breaches: Yes, it’s really unfortunate that hospital staffers stole a peek at some Hollywood celeb’s medical data, or that a stolen laptop stocked with unencrypted data exposed patients at Hospital A to medical ID theft. But in playing up spectacular security breaches, mass media players distract everyone from the real issues. As we all know, most hospitals and doctors have far less glamorous problems to worry about, such as encrypting data, controlling access by role and seeing to it that staff are trained in security policies. But playing up a few disasters — such as stolen laptops or celebrity medical record leaks — makes it sound like security is beyond the reach of your average provider.
* Doing little to examine why physician adoption of EMRs is still low: While you will see the likes of USA Today look at abysmal EMR adoption rates, these stories usually collect a few random interviews with association heads or a random private practitioner and cite a few of their random headaches. These stories don’t dig into the really important issues (such as fear of productivity loss, lack of clinician buy-in and techno-phobia) that are stopping the train. While doctors obviously read trade publications like this one, they’re human, and if the USA Today story they skimmed on the train doesn’t address their concerns, it’s easy to stay tuned out on EMRs for a while longer.
OK, maybe I’m being a bit unfair here. Having been an editor for decades, I know the mass media can’t take the place of blogs like this that focus on serious professional issues. But I still wish that my colleagues in the consumer press would give EMR issues as much serious thought as, say, professional football. Wouldn’t that be refreshing?
Tags: EHR • Electronic Health Records • Electronic Medical Records • EMR • EMR Adoption • EMR Data Security • EMR Security • Physician EMR Adoption
April 29, 2011
Good Advice: Three Things Practices Should Do After Buying An EMR
Written by: Katherine Rourke
Here’s a handy little blog item from health IT consulting firm Entegration. While many bloggers focus on big-picture issues, firm president Art Gross has offered three easy-to-understand, concrete suggestions on how medical practices should protect themselves when they’re first rolling out their EMR.
Gross suggests they consider the following steps:
* HIPAA security: Gross recommends hiring HIPAA security services to help train employees and implement protocols which will make sure protected patient information isn’t compromised.
* Off-site data backup: Few medical practices do more than back up their existing files to tape, but as he notes, data gets corrupted, backups are sometimes overwritten by mistake and disasters (fire, floods and more) can destroy on-site archives.
* Disaster recovery: To be prepared for all contingencies, practices must have more than one copy of current data available, methods for accessing that data and detailed procedures in place for accessing the duplicate data.
Sure, companies with big IT staffs would do these things as a matter of course, but many small physician practices don’t even have a single full-time IT employee, relying instead on consultants to do basic maintenance. That drive-by consultant is unlikely to be evaluating the practice’s overall readiness to keep an EMR up and running securely.
Reminding doctors that they must be careful custodians of their new digital data is a good idea. Let’s hope more consultants (and vendors) dealing with small practices are preaching this gospel.
Tags: Data Backup • Disaster Recovery • EHR • Electronic Health Record • Electronic Medical Record • EMR • HIPAA



