Electronic Health Records Today

Page 2 of 4

Standard Terms and Definitions for Data Sharing
Among the key building blocks for the reforms in the HITECH act are data standards and security. In 2004 the ONC had already begun to lay the foundations for medical terms data to provide nomenclature standards and was required to meet an aggressive deadline of Dec. 31, 2009, the culmination of several years of effort defining common medical terms.

Amy Leopard, a technology expert and head of the healthcare and bioscience practices and a partner at the law firm Walter & Haverfield in Cleveland points out that "Common industry standards and definitions are significant, so we can have hard-coded data fields." She says that large portions of electronic medical records today include descriptive text fields or scanned documents, which are not really available for deep search or data analysis.

When asked where the best progress on behalf of the patient is being made, Leopard cites the regional HIEs. These health information exchanges provide the medical history of a person being treated in an emergency room to the hospital. One top-rated HIE known as HealthBridge, located in Leopard's home base of Cincinnati, is powered by Axolotl Corp. This is part of an orchestrated statewide effort that has pharmacies and hospitals reporting in to the Ohio Board of Pharmacy, a central data repository.

Standard terms will be a boon to the HIEs, according to Leopard, explaining that the more data that hospitals have hard coded in standard terms, the better it is for the patient. A 2009 eHealth Initiative study found that there were 193 HIEs in the U.S. There are at least two HIEs in every state-some are state health department initiatives and some come out of hospitals.

Security and Storage
Cloakware's chief technologist, Robert Grapes, says that there is a primary difference between medical data and other company data. Grapes points out, "Medical data travels across domains, whereas banking data resides within a single domain." He elaborates, "Data may go from the insurance group to [the] wealth management group, but it's all within the same domain."

Data in the medical sphere has an elaborate "value chain" that includes practitioners who also travel, Grape points out, so now records need to be made available overseas. Hence, Grapes views this kind of security as more of a digital rights management problem. He sees his role in performing medical systems security as "providing rights and permissions for each piece of data," much like that of a piece of music. In addition to the rights management concept, Grape points out that the best encryption is a moving target: "The more data that is under the same key, the greater the exposure if that key is breached. It is quite common on big systems. So if I am storing all that data under the same key and someone gets it, I am in trouble."

Therefore, the best systems for security assign nearly as many keys as there are data items, so that an attacker would need all the keys to assemble a single patient report.

The Story of the Snowbird and His MRI
Venkatachalam's favorite example of the current conundrum in electronic medical files is this story of a snowbird and his MRI. Venkatachalam, who lives in Florida, notes the example of a fictitious everyman named "Mr. Jones" who comes to Florida from Ohio for the winter, only to find he needs to get a copy of an MRI he had done back home.

This is a great example because there are few areas with as long an information technology history in hospitals than today's MRI imaging technology. PACS (picture archiving and communications systems) are the most pervasive data management systems found in hospitals today. Penetration of PACS from large to medium-sized hospitals is essentially at 100% and is driven primarily by equipment replacement and upgrades. So, problem solved; hospitals in the area certainly have PACS. Mr. Jones can get his MRI file now, right?

No. There is a missing link, which has to do with access to the file. This is partly a technology issue and partly an issue of permissions and security. Despite the pervasiveness of high-speed internet access, PACS, and the rest, our patient is still not able to get his file because one hospital's system cannot talk to the other hospital's systems, and they do not both subscribe to a service that allows them to grant permission to access the file. So his file remains in the hospital in Ohio. A regional HIE would solve the problem, but the hospitals are not in the same region. Thus far, points out Venkatachalam, HIEs cannot communicate with each other.

So in all likelihood, "An MRI costing $1,500 has to be repeated in Florida. You would not believe how common this is," sums up Venkatachalam with a sigh, pointing out that, in his view, "80% of the costs in healthcare come from what he sees as avoidable waste like redundant lab test results and time spent chasing down reports and data by doctors and their staff."

Page 2 of 4