Give Patients Complete Access To Their Data 2

If there's one thing that's going to revolutionize healthcare, whether it's IT, ACOs, or any aspect of health reform, what you're going to see is patients taking back healthcare from their providers." That's the prediction Neil Calman, MD, the CEO and co-founder of the Institute for Family Health, made at InformationWeek Healthcare's IT Leadership Forum in New York City earlier this month.

That transformation will make life a bit painful for CIOs and clinicians alike. Calman went on to say: "You're going to see patients who want complete and unfettered access to their medical records. Forget all this where we're going to keep the data to ourselves for seven days before it's released to patients, or we're going to create models of abstracted data to give to people. They will have total and complete, instant access to their medical information, whenever, in multiple formats, however they want it."

Each of those modifiers--instant, complete, unfettered--would rip away a security blanket healthcare practitioners and IT leaders cling to when they talk about giving patients access to their medical records.

>> Instant: Some providers now give patients access to lab results, but they wait several days so that doctors have time to talk with their patients about the results.

Dr. Neil Calman

>> Complete: Should patients be allowed to read their doctors' notes? To access every lab result? To see images they aren't qualified to assess?

>> Unfettered: Currently, patients can read their health records, but only through the hospital's sanitized portal, not as a raw download they can take with them. And most facilities don't offer a means for the patient to make comments, or correct something they think is wrong.

Calman's fellow panelist, Karen Marhefka, associate CIO for UMass Memorial Healthcare, said that when UMass Memorial considered setting up patient portals, its lawyers advised against mingling other information with the clinical data, even if comments could be identified as coming from the patient.

But Calman predicted that every major EHR system or portal will soon allow patient input. "Everything we do in medicine depends on what the patient told us," he said. "The subjective part of every progress report is [clinicians] writing down what the patient told us. But when the patients write it down themselves, the lawyers can't deal with that? These are the transformations that will have to take place."

Some 15,000 people now use the Institute for Family Health's portal to view records. But he predicted it won't be long until patients expect to get their records in a downloadable form of their choosing--and that HIPAA and other regulations will be amended to give patients that kind of portable access to their records.

Concerns that patients will misinterpret lab results are legitimate. And letting patients add their own comments or data to their health records does raise some new legal liability questions. But health IT leaders and their clinical peers shouldn't waste their time trying to stop this transparency movement and instead must pour their energy and intellects into coming up with workable solutions.

Concerned that a patient will misunderstand a test result? Health providers will need to arm that patient beforehand with information about what the test's looking for and where to get more information about it. They'll need to push EHR system vendors to build more such links into their products--links to reliable data sources, right from an EHR portal.

Giving people access to their medical records is closely related to another phenomenon: people turning to Google or Facebook as soon as they get a diagnosis. Anyone who has done that knows you're likely to read a lot of worst-case scenarios and quackery, and can understand why Debra Wolf, an associate professor of nursing at Slippery Rock University, said that social media "frightens me to death."

People are "going out to find patients like themselves," said Wolf, in an earlier discussion at the InformationWeek Healthcare forum. "What frightens me is they don't know how to safely evaluate a website."

Noteworthy is the fact that Wolf is looking for ways providers are helping patients get better information, not hoping to cut off access. At some hospitals, when nurses are discharging patients, they've been trained to ask, "Are you using a website for health information?" and offer tools to assess a site's quality and suggest reliable sites that people might consider using. People will inevitably look to the Web and social sources for healthcare insights, so "we need to meet them out there," Wolf said.

Same goes for people's digital health records. As patients demand access, health IT leaders will need to focus on making that experience valuable, not getting in the way.

More Pain: Meaningful Use Stages 2 And 3

Unfortunately, the way the healthcare system is set up in the United States, patients' access to their data is often less than user friendly, especially when patients are far from home or have moved recently. That's partly the case because hospitals and medical practices are still hesitant to exchange patient information. That's changing, but once again the transition will be painful.

Under the HITECH Act's upcoming Meaningful Use Stages 2 and 3, health data exchange requirements will become more rigorous. While those regulations are still being hammered out by government committees in Washington, health IT executives speaking at our IT Leadership Forum shed some light on the future of health information exchanges. The promise of HIEs? Help clinicians access more complete and timely information, and ultimately provide better, safer care while reducing costly and unnecessary tests and treatments. The regs for Stages 2 and 3 likely will specify and expand on the types of health data that must be shared.

Large providers like Dallas-based Tenet Healthcare, which has 49 hospitals and 84 outpatient centers in 11 states, will take a multipronged approach to exchanging health data, said Elizabeth Johnson, Tenet's VP of applied clinical informatics and a speaker at the forum.

The maturity and availability of HIE organizations and services vary from place to place, Johnson noted. So depending on the location, Tenet participates in regional, community, or state HIEs, including the Nebraska Health Information Initiative and MidSouth eHealth Alliance in Memphis, she said.

However, in other regions, Tenet leverages HIE products from vendors that allow data exchange for providers in those communities and states. Such products include software from RelayHealth at Tenet's medical center and for other healthcare providers in San Ramon, Calif. Medicity data exchange products are being used by providers in the Atlanta market, Johnson said. Tenet also enables health information sharing among its providers in some other regions using e-medical record and HIE products from NextGen. "We try to utilize regional or state HIEs when we can," she said.

Tenet is moving to HIEs to improve the quality of patient care, attract and retain physicians, and comply with HITECH rules, said Johnson, who's a member of the Health IT Standards Committee, a federal advisory group working with the Office of the National Coordinator for Health IT on the criteria for Meaningful Use Stages 2 and 3. By enabling its healthcare providers to participate in HIEs, Tenet provides a competitive and quality boost in terms of clinicians being able to access more timely and complete patient information at time of care.

Among the recommendations the IT Standards Committee submitted to ONC in June were a reminder to keep the standards simple; proposals about HIE metadata headers, such as privacy flags and patient identifiers; and standards for provider directories, Johnson said.

Also, "patients want to be able to opt in, not opt out" of having their data shared among healthcare providers participating in HIEs, she said. Among the requirements still to be decided, she noted, are those governing HIE privacy and security.

In New York City, the 2-1/2-year-old New York Clinical Information Exchange, or NYCLIX, has been expanding the services it offers members--which include nearly 20 leading local healthcare providers--to help them share and access data on the more than 4 million patients they serve, said NYCLIX technical manager Tom Moore during the IT Leadership Forum.

NYCLIX offers data exchange services, including event notifications. Such notifications refer to primary care doctors receiving electronic alerts when their patients show up in hospital emergency room for care. The federated system provides secure messaging, test results delivery, patient transfers, e-prescriptions, and clinical records such as discharge summaries, allergies, medications, and sometimes continuity of care documents.

NYCLIX plans to expand its services to include clinical decision support and collaboration tools, tighter clinician workflow integration, and public health analytics, i.e., software tools to help identify health trends among patients in a region, Moore said.

Agreements that allow participants in an HIE to share and use patient data are the most important aspect in the early months of a new HIE, "even more so than the technology," said Moore.

As more providers participate nationwide in HIEs, "I expect there will be more blending together of HIEs and EHRs," said Moore, explaining that the aim for HIEs like NYCLIX is to make it easier for clinicians at the point of care to view and use the many pieces of patient data coming from several healthcare providers.

Data Theft: Yet Another Pain Point

As more and more patient data finds its way into EHRs and HIEs, some healthcare providers and hospital systems are looking to cloud computing. Vendors such as Practice Fusion and ClearPractice offer EHR as a service, while Axolotl, Medicity, and others incorporate cloud services into their portfolios of HIE offerings, which include on-premises software and professional services. While adopting such approaches may seem fast and easy, they're fraught with privacy and security issues. Is it really safe to store patient histories and other personal information in far-flung data centers outside your IT team's control?

As of mid-July, the U.S. Department of Health and Human Services had recorded 292 incidents of health data breaches, in which protected health information was used or disclosed without permission. (HHS requires notification of breaches affecting 500 or more individuals.) Hacking was the cause of the breach in 6% of those cases. While that percentage seems low, it's more a reflection of the high incidence of other causes (lost and stolen computer equipment, improper disposal of paper records) than cause for celebration. Nonetheless, the risk is that, as more healthcare providers put data in the cloud, more of that data will fall into the wrong hands.

Dr. Vatsal Thakkar with Susan Clark

Susan Clark, senior project manager with the Colorado Regional Health Information Organization, said it's critical for health IT professionals to evaluate the security practices of the cloud service providers they're considering. When CORHIO signed on with Medicity, it hired IT security consultancy Applied Trust to conduct penetration testing of Medicity's data center. Next, CORHIO plans to contract for an independent security risk assessment to identify security gaps and vulnerabilities. "This is a very high priority," Clark said.

Even with those steps, she worries about the difficulty of securing EHRs in an environment where more people gain access to medical records as CORHIO and other HIEs connect with each other.

The difficulty of protecting EHRs from prying eyes hit home at the Institute for Family Health, where Calman has fired several employees for "inappropriate access" to healthcare records. He offered as an example an employee who called to congratulate a patient and friend on her pregnancy, before the patient had even told her mother. "Those are the real breaches that I worry about," Calman said. "We have to teach people a whole new way of handling information."