EHR Bloggers
is a FREE, Web-based EHR.  Go there now »
Health Topics » EMR Research » Health News Highlights from across the Web

EMR privacy and security

by Robert Rowley, MD on August 10, 2010

We are moving toward building a national infrastructure designed to improve the nation’s health care system by enabling health information to follow a patient wherever and whenever it is needed. Critical to such an endeavor is creating trust that the electronic exchange of health information is built on a foundation of privacy and security.

EMR privacy and securityOne of the key areas of focus for the Office of the National Coordinator for health IT (ONC) – besides defining the criteria for Meaningful Use, and for Certification – is around privacy and security. In fact, the ONC has organized a workgroup under the HIT Policy Committee to evaluate a broad range of such issues – this group has been dubbed the Tiger Team, and its work is expected to run through late fall 2010.

Co-chaired by Deven McGraw (director of the Health Privacy Project at the Center for Democracy and Technology), the Tiger Team met August 3rd to begin exploring how current technologies can help patients make decisions on consent and access to their electronic health records when more sensitive patient data is involved. It is also looking at the readiness of current Electronic Health Record products available on the market to be able to support this level of granularity of record sharing.

One of the impacts of the HITECH section of the American Reinvestment and Recovery Act (ARRA) of 2009, which funded the stimulus dollars for encouraging physician adoption of health IT (“meaningful use of certified EHR technology”), has been that personal health information is more available to be shared between healthcare settings. And, although the direct exchange of patient data between providers for treatment purposes does not require patient consent beyond what is covered in existing law and fair information practices, some patients may want to exercise more choice in consultation with their providers about how their sensitive data is handled, the Tiger Team noted. “We want to honor patient preferences from the policy perspective and determine if technology supports it,” stated McGraw.

The work of the Tiger Team coincides with efforts by the Office of Civil Rights (OCR) and the ONC around expanding HIPAA Privacy and Security Rules. The proposed new regulations are currently published as a Notice of Proposed Rulemaking, open for public comments through September 13th. These new regulations will extend the OCR’s enforcement of HIPAA privacy to business associates and covered entities, strengthen an individual’s right to request and receive their own medical information in electronic form (which is a Meaningful Use and Certification criteria already), and set new limits on the use and sale of individuals’ information.

From a regulatory perspective, one of the challenges facing rule-making at the federal level is the fact that different states have differing laws governing the disclosure of health information. A local Health Information Exchange – the network construct needed by legacy EHR vendors in order to exchange data between local installations of their products – might be neatly housed in a region under one such set of laws. However a different HIE in a different locale might function differently. Tying them together into the envisioned Nationwide Health Information Network is therefore a complex task. Hence the work facing the Tiger Team, as they try to develop a regulatory framework that addresses local regulations, honors patient preferences, and at the same time allows for the appropriate quick interchange of health data at the point of care, where it is needed.

Legacy EHR systems might be quite challenged to develop ways in which data exchange is shared in such a granular way. By relying on Continuity of Care Documents (CCDs) as the main method of data exchange, “hiding” some codes while making others visible (or, perhaps, visible only to specific intended recipients) can be difficult. This is particularly true if the CCDs are to be routed through a local HIE “clearinghouse.”

Web-based technologies might be better able to achieve the desired level of permission-based data sharing, and tag each element of information (each diagnosis, each medication, each chart note, each lab result) with the appropriate permission. It is still not an easy task, and requires meticulous attention to detail – but the desired result might be more readily (and quickly) achieved in this new realm, rather than in the legacy, locally-installed, enterprise world of traditional EHRs and the HIEs they must rely upon in order to share information with each other.

Let us not forget that our goal is to enable health information to follow the consumer, be available for clinical decision making, and support the appropriate use of health information beyond direct patient care so as to improve population health. We need products that are able, on the one hand, to address the privacy and security concerns which are necessary in order to establish trust (and hats off to the work of the Tiger Team). At the same time (on the other hand) we need products that are usable, quick and intuitive, and become the indispensable “tools of the trade” for everyone involved in health care.

Robert Rowley, MD
Chief Medical Officer
Practice Fusion EMR

Robert Rowley, MD

Robert Rowley, MD

Dr. Rowley brings together three areas of expertise, and helps shape Practice Fusion in a unique way. He has been a practicing primary care physician for over 30 years, and as an early EHR adopter, has been practicing without paper charts since 2002. He has been involved in governance and directorship of health care delivery in a managed care setting in California for over 20 years. He also has a strong technology background and helped develop the very first version of Practice Fusion based on tools created for his own practice. Formerly Medical Director of Practice Fusion, Dr. Rowley helped guide the development of the EHR as an essential tool for our doctors, and as a valuable resource for healthcare overall. Connect with Dr. Rowley:   

This entry was posted in EHR Adoption, HIPAA Compliance, Understanding EMR and tagged , , . Bookmark the permalink.
Related Articles
prev next