THE ELECTRONIC PATIENT RECORD: USER NEEDS VERSUS PRIVACY AND SECURITY CONCERNS
By HTT, MD
The patient record, whether it is paper-based or computer-based, serves different users for different functions:
It records all medical processes in a patient-doctor encounter (clinicians);
It is a valuable document for teaching (educators);
It constitutes a database for research (researchers);
It is invaluable for third parties (insurers, government, etc …)
It provides acute-term and long-term information for in-house quality management (CEO, hospital administrator).
The electronic form of the patient record brings these functions to a higher level of functionality. In addition, the electronic patient record (EPR) raises concern about privacy, confidentiality and security. In this paper, I will discuss the database needs and functional components of the EPR in terms of different users and the state of the art of health care delivery. I also will include a discussion of potential conflicts between information access and confidentiality.
Before describing user needs of the EPR in details, a quick look at the design criteria of an ideal EPR is helpful. These prerequisites are drawn from the experience of clinical applications developers at the Brigham and Women’s Hospital in Boston over the last 20 years:
Patient care information systems must be available whenever users need them to manage patient care.
Patient care information systems must be available wherever decisions about care are made.
Patient care information systems must provide quick and value-added access to information.
Patient care information systems must be designed to fit actual patient care processes and work situations.
Patient care information systems must be so easy to use that they require little (or no) learning.
Involving physicians with direct entry requires minimizing time and maximizing incentives.
USER NEEDS
Clinicians, whose job is to take care of patients, require from the EPR the same data elements that appear in the paper-based patient record. These include such items as:
A format to register the encounter, such as SOAP;
A problem list, acute and chronic;
A list of major procedures and events;
A list of health maintenance routines;
A list of family history;
A list of social history;
A list of current medications with allergy and side effects notes;
In addition, they also want easy access to results of laboratory tests and imaging studies and consultation reports. A reminder of incoming medical activities (immunization schedule, for example) is a must. Clinicians greatly appreciate the presence of an expert system for diagnosis and treatment and the access to Medline for evidence-based medicine practice. Physicians, when asked which characteristics they expect from the EPR, almost always answer: speed, ease of use and performance.
The role of the CEO has been vastly expanded in this new era of electronic health information (Adapted from Tan):
obtain accurate, timely, and relevant health data that are needed for effective decision making
view management of health information resources as part of their managerial goals
To position and advance his institution in a very competitive market, the CEO must have strategic information about his/her own institution, his/her competitors and the industry itself. This strategic information is not derived from the OLTP (online transaction processing) system of daily activities, but is drawn from the clinical data repository. This kind of data warehouse is the pool of long-term data which is "data filtered" and "data mined." The CEO needs to have access to these decision-support systems (DSS) (Table 1. Adapted from DeLuca).
| Application | Functions | Type of Data Required | Data Uses |
| Budgeting | v Revenue/Expense v Volume-adjusted projections | v Historical revenue/expense data v Case-mix data | v Budgeting |
| Cost Accounting | v Produce data for cost per procedure, case DRG, AVG v Determine per procedure, case, DRG profit | v Labor hours v Supply costs v Number, types of procedures performed by departments | v Cost identification v Measure variable cost-control technique effectiveness |
| Reimbursement Modeling | v Project revenue/expenses (by facility, service, payer) v Compare actual/expected reimbursement v Predict financial impact of changes | v Revenue v Expense (cost per case, service line) v Case mix v Economic modeling assumptions | v Establish appropriate pricing strategies v Contract negotiation and management |
| Market Analysis | v Identify market share by case mix or product line v Identify areas of unmet demand | v Diagnosis and procedures codes from all departments/points of service v External third party databases | v Service planning v Facility planning |
| Productivity Management | v Management of labor hours | v Labor hours v Labor costs v Patient acuity data | v Staffing requirements and projections v Labor cost management |
According to Sennet, the business of health insurance comprises three separate, core activities:
The EPR can be used either as a transaction document or a verification document, for claims processing. At the present time, data include ICD-10 and CPT 4 codes, the provider’s name and the patient’s name. Third party payers have been longing for data for health care management and risk pooling. How deep the insurance company can dig into the patient record depends on legal issues regarding privacy and confidentiality. A claims and reimbursement management application, with electronic claims submission and reimbursement will facilitate the process.
Research is a main activity at large health care institutions. Different uses of patient data can be categorized as follows:
Most of these uses employ detailed data from the EPR. Desired data elements include identifiers, characteristics, dates, codes, clinical indicators, process of care, disposition, outcomes, and more. Two most important characteristics of data for research are standardization and accuracy. Standards are needed if one has to compare data across different institutions. Data accuracy is difficult to achieve, although it can be increased by direct data entry, avoidance of double data entry.
Managed care has become important in the everyday business of health care organizations: eligibility verification, authorization, contract management. Governmental agencies monitor morbidity and mortality, compliance with regulations, population health. They need data for Medicare, Medicaid patients. These database elements and functional activities in term of managed care administrators and governmental agencies are presented in Table 2 (Adapted from DeLuca3).
| Application | Functions | Type of Data Required | Data Uses |
| Eligibility and Authorization | v Member status verification v Support for multiple contract, health plans v Authorization requirements and status v Referral tracking | v Patient membership contract terms, dates v Patient demographics v Capitation rosters v Payer procedures and requirements for verification | v Initiate care v Reimbursement v Case-mix analysis |
| Claims and Reimbursement Management | v Electronic claims submission v Electronic reimbursement v Claim auditing v Payment status tracking and verification | v Clinical data (diagnosis, complications and comorbidities, services performed v Patient insurance coverage v Contract terms v Paper-specific claim submission procedure format | v Contract negotiation support v Reimbursement verification v Financial analysis |
| Reporting | v Aggregate information for Medicare/ Medicaid, managed care payer reporting v Electronic report submission v Revenue streams from multiple reimbursement models v Reimbursement history and patterns by health plan and payer | v Patient clinical data v Reimbursement data by payer/patient type v Contract terms | v Management reporting v Contract management and negotiation support |
| Contract Management | v Support for multiple contract "carve-out" terms and limits v Automated reimbursement/contract calculations v Contract auditing v Negotiation support | v Contract terms and limitations v Claim audit v Patient/member clinical data, by contract | v Determine profitability by contract v Support future negotiations v Enforce current contract provisions |
| Outcome Management | v Severity of illness classification v Health status evaluation v Aggregate data grouping for quality "report cards" | v Patient financial, clinical, and administrative data v Internally or externally defined quality indicators | v Quality evaluation and maintenance v Clinical protocol development v Regulatory, state reporting |
| UR and Case management | v Actual vs. expected/contracted utilization | v Case mix by provider/contract v Contract terms/fee schedules/authorizations v Initial and final patient diagnoses; procedures performed v Patient demographic and historical data | v Monitor ongoing compliance with contract terms v Provider profiling v Utilization control v Contract profitability analysis |
PRIVACY AND SECURITY CONCERNS REGARDING EPR
The changes in the health care delivery system-integrated delivery systems, managed care and new users of electronic health information-has made the public concern about privacy, confidentiality and security. The paradox between easy access and confidentiality can only be solved by trade-off. Privacy itself is relative. Privacy and public interest have always been at odds. Let look at airport security measures, for example. Airline passengers must relinquish some of their privacy in order to feel safe against sabotage by terrorists. This phenomenon was unacceptable three decades ago. Another example is the need of the public to know about the health of their leader. Some public figures hold their health status (Boris Yelsin of Russia for example) to their advantage. Another concern of data integration is also raised as transmission over networks is commonplace nowadays.
A threat model is helpful in planning and implementing countermeasures to breaches of confidentiality and security. Most of the time, the culprit is the authorized user within the organization, who voluntarily or involuntarily divulges a patient’s data, compromising his/her privacy and confidentiality. The outsider, who is interested in a particular patient’s data usually acquires them through traditional means (bribery, extortion). As the price of hardware falls down every day, interested parties can set up a dedicated computer to intercept transmission of data.
All the above being said, the EPR cannot move along until the public has been reassured of the capability and reliability of those measures destined to protect privacy and confidentiality of patients’ data. Two kinds of measures are needed: organizational approaches and technical approaches. Organizational policies must lead the technical measures and not vice versa.
ORGANIZATIONAL APPROACHES TO PROTECT ELECTRONIC HEALTH INFORMATION
Formal policies regarding information uses and flows are needed. They must define first which data are sensitive and which are not, and in what circumstances. Guidelines for releasing health information will protect from secondary dissemination by third parties. Security policies and confidentiality policies are also included.
On the patient part, he/she must know his/her right to privacy and confidentiality. Most recent surveys showed that the patient was not told fully about these rights. No information should be released without the consent of the patient. As the owner of the content of the EPR, the patient is entitled to access his/her EPR, his/her audit logs at anytime, at anywhere and he/she can ask the institution to correct errors or omissions. This total and easy access to his/her EPR will put the patient at the helm of his/her health care, put him/her accountable for his/her lifestyle.
Education and training about privacy, confidentiality and security problems must be organized for every new employee and renewed several times a year for established employees. This campaign must be pursued continuously and is accompanied with penalties and rewards. Most employees will act professionally.
TECHNICAL APPROACHES TO PROTECT ELECTRONIC HEALTH INFORMATION
The essential features of a secure system and network may be categorized as: authentication, authorization, integrity, audit trails, disaster prevention/recovery, and secure data storage and transmission5.
Authentication refers to providing assurance regarding the identity of a subject or object. For example, ensuring that a particular user is who the user claims to be (authentication of user) and corroboration that the source of data is received as is claimed (authentication of data origin).(ASTM E1762)5. Authentication technologies in healthcare industry use either a physical device (smart card) or passwords, or a combination of both. All passwords should be scheduled to expire at routine intervals.
Authorization is the granting of rights, which includes granting of access based on access rights. (ISO 7498-2) 5. Authorization controls allow users to physically access the system and to get the legitimate information needed for patient care. A second layer of passwords can be used.
Integrity is the property that information is changed only in a specified and authorized manner. Data integrity, program integrity, system integrity, and network integrity are all relevant to consideration of computer and system security. (National Research Council, 1991) 5. To ensure the integrity of data, unauthorized deliberate or accidental modification or entry of data must be prevented. Program integrity refers to the stability of the program, free of bugs. System integrity and network integrity are also important because a breakdown of these elements will cause data inaccessible and/or corrupted.
An audit trail is the result of monitoring each operation on information. (National Research Council, 1991) 5. All current healthcare information systems have some sort of audit trail integrated in the design of the systems. An audit trail will record who accesses which patient for what kind of data, at what time and date.
Disaster recovery is the process whereby an enterprise would restore any loss of data in the event of fire, vandalism, natural disaster, or system failure. (CPRI, July 1996) 5. All critical operations must have backup systems. The emergency team must be available 24 hours a day, 7 days a week. Mockup disaster exercises must be practiced on a regular basis.
Data storage refers to the physical location and maintenance of data. (CPRI, September 1996) Transmission of data is the exchange of data between person and program, or program and program, when the sender and receiver are remote from each other. (Longley, 1987) 5. The simplest way to secure data storage is to use physical measures, such as locks with combination keys, curfew hours at the central area. Transmission of data must be secured by encryption.
CONCLUSION
The EPR promises easy access, no duplication of data, more integration of different components of the record. At the same time, it raises concern about confidentiality and privacy. Unless reliable security measures are built in every system and unless the public has total trust in these measures, the implementation of the EPR will still be impeded.
1. Drazen EL, Metzger JB, Ritter JL and Schneider MK: Patient Care Information Systems. Successful Design and Implementation. New York: Springer-Verlag, 1995.
2 Tan JKH: Health Management Information Systems. Theories, Methods, and Applications. Gaithersburg: Aspen, 1995.
3 DeLuca JM and Cagan RE: The CEO’s Guide to Health Care Information Systems. Chicago: AHA Publishing, Inc, 1996.
4. Sennett C: The Computer-based patient Record: The Third Party Payer’s Perspective. In Ball MJ and Cohen MF: Aspects of the Computer-based patient Record. New York: Springer-Verlag, 1992.
5 Computer-based Patient Record Institute: Security Features for Computer-based Patient Records Systems. http://www.cpri.org/docs/features.html.
