OH Magazine

 
Electronic Medical Records and Your Practice
What to Watch For, Where to Invest
by Jesse Jayne Rutherford

After nearly a decade of concerns over patient privacy rights, the question regarding electronic medical records (EMR) hosting is no longer if but how. Systems software for electronic records, stored on computers and servers at medical practices and hospitals, is nothing new (relatively speaking, anyway). Even more recently, many medical practices have converted from systems software to web applications, in which their patients' records are accessed over the internet, making them portable from one office to another. In 1998, Indivo, a personal health record that is made available to patients by medical providers and employers, underwent development, and has since grown in use. And in the last year, Google and Microsoft, two of the biggest names in technology, have launched Google Health and Microsoft HealthVault, EMR web applications that are patient-managed. How do online EMRs affect your practice in the broad scope? And what does the development of patient-managed health records mean for the future of bariatrics?

Addressing Privacy

EMR access via the internet, whether those records are managed by the patient or the physician's office, will primarily mean that health practitioners from all fields will need to address patient privacy concerns. Google and Microsoft, while loved by the public for their contributions to IT (information technology), are currently branded in the mind of the American public as companies that make information available, the opposite of what patients want with regard to their health records.

Loi Tran, Chief Technology Officer of ObesityHelp, acknowledges that keeping private data private is a big concern for companies in the IT business. "Security is the number-one enemy," he affirms, and patients know it. HIPAA applies to health plans, health care clearinghouses, and health care providers, but not to EMR hosting companies like Google and Microsoft, or even the smaller companies that develop products for private practice, like bariMD, Exemplo, Raintree, and Misys.

With concerns about privacy so widespread, companies in the EMR hosting business are naturally quick to address the issue on their websites. If you've shopped around for a web application for your practice, or to recommend to your patients, chances are you have come across terms like "encrypted data," "de-identified data," and "Secure Sockets Layer" (SSL), but even some surgeons, arguably among the most elite and highly educated professionals in the modern world, would be hard pressed to define these terms. How do you know what SSL is, and how do you know you get it when you pay for it? Most web applications, especially the patient-managed ones, respond to security concerns by pointing to their password systems. On its own, "Having password protection is almost totally worthless," says Dr. Deborah Peel, a practicing psychiatrist and founder of Patient Privacy Rights, a consumer-led advocacy group based in Austin, Texas. Even when a company says that data has been de-identified, without security standards and a way of keeping the company honest, it doesn't mean much. "It's too easy, with computer algorithms, to re-identify data," Dr. Peel explains.
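The re-identification concern raised above can be measured before a data set is released. The following is an added example, not part of the original article: a k-anonymity check over constructed records, where the field names, the sample values and the choice of ZIP code, birth year and sex as quasi-identifiers are all assumptions.

```python
from collections import Counter

# Constructed sample: records with names removed ("de-identified") that still
# carry quasi-identifiers. Every value here is invented for illustration.
RECORDS = [
    {"zip": "78701", "birth_year": 1962, "sex": "F", "procedure": "gastric bypass"},
    {"zip": "78701", "birth_year": 1962, "sex": "F", "procedure": "gastric banding"},
    {"zip": "78701", "birth_year": 1975, "sex": "M", "procedure": "gastric bypass"},
    {"zip": "78704", "birth_year": 1980, "sex": "F", "procedure": "gastric bypass"},
    {"zip": "78704", "birth_year": 1981, "sex": "F", "procedure": "sleeve gastrectomy"},
]
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")  # assumed linkable to public data


def _key(record, fields):
    return tuple(record[f] for f in fields)


def group_sizes(records, fields=QUASI_IDENTIFIERS):
    """Count how many records share each quasi-identifier combination."""
    return Counter(_key(r, fields) for r in records)


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Smallest group size; k == 1 means someone is unique in the release."""
    sizes = group_sizes(records, fields)
    return min(sizes.values()) if sizes else 0


def unique_records(records, fields=QUASI_IDENTIFIERS):
    """Records whose quasi-identifiers match nobody else's."""
    sizes = group_sizes(records, fields)
    return [r for r in records if sizes[_key(r, fields)] == 1]


def generalize(record):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and decade of birth."""
    return {**record, "zip": record["zip"][:3] + "**",
            "birth_year": record["birth_year"] // 10 * 10}


def suppress(records, k, fields=QUASI_IDENTIFIERS):
    """Withhold records that still sit in a group smaller than k."""
    sizes = group_sizes(records, fields)
    return [r for r in records if sizes[_key(r, fields)] >= k]


if __name__ == "__main__":
    coarse = [generalize(r) for r in RECORDS]
    print("raw k:", k_anonymity(RECORDS), "unique:", len(unique_records(RECORDS)))
    print("generalized k:", k_anonymity(coarse))
    print("after suppression k:", k_anonymity(suppress(coarse, 2)))
```

In this sample, removing names leaves three of five records unique. Coarsening alone still leaves one unique record, which has to be withheld before every remaining patient shares their attributes with at least one other.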

Rather than require everybody in the world to get a degree in IT, Dr. Peel has devised another method. Together with a coalition that includes a wide range of bipartisan groups, from the American Civil Liberties Union to Gun Owners of America and including Microsoft Corporation, Patient Privacy Rights has designed a two-part privacy certification system to set and enforce privacy standards. Dr. Peel describes the certification system: "One, they have to agree to adhere to the patient privacy principles . . . and two, they have to have external audits . . . You have to promise that the FTC can bust you [if you fail your audit]." The audits are being constructed by PricewaterhouseCoopers, and they are predicted to gain public recognition and trust over the coming years. As William Crawford of the Informatics Program at Children's Hospital Boston, which developed Indivo, says, "Privacy requires organizational support, not just technology."

Is this really necessary? Don't patients see how much money and time EMR saves, and how they, the patients, ultimately will benefit from having up-to-date and accurate health records, even if they are on vacation in another state, move frequently, or forget if they've had an allergic reaction to a medication they can't even pronounce?

In truth, according to a 2007 poll by Harris Interactive, most Americans do think the benefits of EMR make sense and are ready to accept the technology "if solid security and privacy rules are applied" . . . but that's a massive caveat. In addition, the same poll showed that one in six American adults already report withholding information from health care providers out of fear the information will be used against them to deny employment or health insurance coverage, or to deny the same to their descendants based on genetics. These are real concerns for patients, raising issues that could impact every aspect of their lives. Moreover, there is a strong correlation between privacy concerns and health conditions: patients who describe their health as only fair or poor, and who would probably seek out more medical services, report greater concerns about privacy.

As a bariatric surgeon, you may see this manifested in a prospective patient who has a high distrust of the medical profession and who wants her information kept strictly confidential (think of a gastric bypass patient who wants to keep her surgery a secret from a future employer who she'll bargain with for health insurance coverage, and who hasn't been happy with her medical care for years because she feels doctors can't see past her weight to treat any other condition she may have) and who will ask you for some proof of how you and your practice will protect her information. A privacy certification seal from Patient Privacy Rights on the web application your office uses could gain that patient's trust. In the future, Dr. Peel has plans for a certification system of individual practices so that patients can see the same stamp of approval on the doctor's office that they do on the IT vendors.

There are other concerns about privacy, cases that will be less visible to you, and this fear has to do with data mining on a broad scale. Who's searching what and how often is valuable information to other corporations. If you read the fine print on most websites you enter information into, "your" information is no longer yours. "That's the case with Facebook and MySpace," Dr. Peel says, and she says Google will do this with Google Health. "They assert that they own that information and can do what they want with it." What they usually want to do with it is sell it, and it's worth billions of dollars to parties that don't engage in patient services, leaving patients wondering who took the "care" out of "health care."

In contrast, a non-profit like MedicAlert, which has gained public trust with more than fifty years of patient services, does more legwork for patients. Though it keeps its data electronically, it's not advertised that way, mostly because the patients don't handle their own information . . . which might not be such a terrible thing, if you consider the implications of lay people interpreting specialized information. Says Ramesh Srinivasan, Vice President of Business Development at MedicAlert: "One of the things we do at MedicAlert is, the patient may not be savvy enough to understand the differences and nuances in medical terminology. We have a data distillation process . . . [information submitted by members] is reviewed by trained medical professionals for completeness, then prioritized and summarized for first responders." Indivo, which is also a not-for-profit enterprise, may be more trustworthy to consumers: it was developed by Children's Hospital Boston, and funded in part by the NIH and the CDC. Crawford of Children's says that privacy depends on the deployment of the application: Children's, which can deploy Indivo, is bound by HIPAA, but other deployments might not be.

On the other hand, when a company's goal is other than providing direct patient services, patients are wary. That's when a stamp of approval from Patient Privacy Rights carries great weight, and the nice surprise is that some IT companies are on board, namely Microsoft and its HealthVault product. "In early 2007, you could've knocked me over with a feather when Microsoft said they wanted to join our coalition," Dr. Peel recalls. "We actually met with them, and they built HealthVault to meet our standards." She asks her colleagues, "What kind of system do you want? Because there's going to be one. Do you want a wild west superhighway [where information is up for grabs], or do you want a system that really does guarantee privacy?"

That system will incorporate not just the big conglomerates, but their partners and partner applications. And that's the next frontier on the horizon in IT land.

Partner Applications and the Future

The possibilities that are opened up in the world of IT by web applications like Indivo, Google Health, and Microsoft HealthVault are mind-boggling. Not only would a large amount of information become available for use (whether it's used for patient services or to sell them products), but their interfaces, called APIs, create a new ecosystem for standardized applications.

Tran, the Chief Technology Officer at ObesityHelp, explains that this allows for new creations based on the original applications. "A third party can build a program on top," he says, "This is new, this is the first time that electronic medical records are connectable." So a medical group or a patient networking site could have an application custom-made that interfaces smoothly with HealthVault or Google Health, one that could include details specific to a particular practice or field of medicine. More than a possibility, that's a likelihood.

Regardless of how IT companies develop EMRs, the most crucial aspect to success will still be patient care; privacy has now become part of that, so much so that it will be a marketing point for any medical practice. Tran predicts that the company that addresses public concern over privacy most effectively will be the one to come out on top.

Can you define the following terms?

1. IT
2. Systems software
3. Web application
4. API
5. Clouding
6. Data mining
7. SSL
8. Encryption

(Answers)

1. IT is Information Technology, which refers to managing and processing large volumes of information.
2. Systems software is a utility that gives your computer a specific set of instructions. PowerPoint and Photoshop are systems software, as is Bariatric Office Products.
3. A web application is a utility to give your computer specific instructions that is accessed via the internet. HealthVault, Raintree, and bariMD are web applications.
4. API is the abbreviation of Application Program Interface, which provides the building blocks and interface for creating applications.
5. Clouding, or cloud computing, is the sharing of data processing chores between networks of computers and servers in order to process higher volumes of data at faster speeds as they handle applications.
6. Data mining is the use of applications to search for patterns in data. This data can be used in marketing research to predict consumer behavior.
7. Secure Sockets Layer is a protocol for encrypting data using two keys, a public one and a secret one, so that only the person with the secret key can access the information.
8. Encryption is translation of data into a secret code.

 
