Post on 26-Jan-2016
Electronic Medical Records
Topics
• Introduction
• A medical record
• HIPAA
• Security and Privacy
• Accountability, Confidentiality, and Ethics
• Workplace considerations
A medical record
• Everything about you performed by a care provider
– Doctor, nurse, phlebotomist, radiology technician
• Every activity
– Exams, meds, lab tests, x-rays
• Paper form
• Electronic
It’s about data and knowledge
• Aggregation of data about the consumer from all points of care in order to provide a complete, dependable, accurate, and timely view of the person and health-related events
• Continued extraction of knowledge from data and immediate and direct application of that knowledge in the process of care
• A comprehensive EHR system with embedded decision support is the enabler.
Example
• Vital Signs tracked and graphed
• Chief Complaint/History of Present Illness with clinically-defined templates for a variety of medical and surgical specialties
• Exam with clinically-defined templates
• Diagnosis with ICD-9-CM database and billing
• Prescriptions with a database
• Plan with customizable point-and-click templates with appropriate findings
• Progress Notes that automatically generate notes
• E / M Level recommendations
• Images, imported digital pictures, scanned images, anatomical drawings
• Labs and results with HL7 interfacing that can be electronically transferred
• Allergy Assessment
• Referrals
• Immunization
HIPAA
• What is HIPAA?
– Health Insurance Portability and Accountability Act
• Primary goal – to assist in the portability of health insurance and to reduce the administrative cost of healthcare
• What does this have to do with medical record security?
HIPAA Regulates
• ensuring portability of health insurance
• standards for electronic data interchange and code sets
• health care identifiers
• protecting against fraud in government funded health programs
• protecting patient privacy and securing of health data
HIPAA
• Standards of electronic data interchange
– Aha! Electronic Medical Record
• Protect patient confidentiality interests
– Aha! System security
Security, Privacy, Confidentiality
• Privacy – The Right
– Right of the individual to have anonymity
• Confidentiality – The Expectation
– Obligation of the user of an individual’s information to respect and uphold that individual’s privacy
• Security – The Mechanism
– Policies, procedures, mechanisms, tools, technologies, and accountability methods to support Privacy
Privacy
• Consent is required
• Minimum Necessary
• Patient Rights
– Inspection, Proposing Amendment, Disclosure Accounting
• Exceptions
– Public Health, Legal Obligations for Disclosure
Privacy
• Consent + Minimum Necessary
– Your data will not be presented in a way where you can be identified
– If we mask your name, but leave your address, age, and gender, you can be identified
– Example of privacy abuse
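The re-identification point above can be measured before a data set is released. The following is an added example, not part of the original slides: it counts how many records share each combination of address, age and gender, first with only the name masked and then after coarsening those fields. The sample rows, field names and the coarsening rule are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample rows: names are masked, other fields are left as entered.
RECORDS = [
    {"name": "***", "address": "12 Elm St, 64105", "age": 47, "gender": "F", "dx": "724.2"},
    {"name": "***", "address": "90 Oak Ave, 64105", "age": 44, "gender": "F", "dx": "724.3"},
    {"name": "***", "address": "7 Pine Rd, 64108", "age": 31, "gender": "M", "dx": "724.5"},
    {"name": "***", "address": "3 Ash Ct, 64108", "age": 38, "gender": "M", "dx": "724.2"},
]

QUASI_IDS = ("address", "age", "gender")

def smallest_group(records, quasi_ids):
    """Size of the smallest set of records sharing the same quasi-identifier
    values. A result of 1 means at least one person is uniquely identifiable."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values())

def generalize(record):
    """Coarsen the quasi-identifiers (assumed rule): keep only a postal-code
    prefix and a 10-year age band. The clinical field (dx) is untouched."""
    out = dict(record)
    out["address"] = record["address"].rsplit(" ", 1)[-1][:3] + "**"
    decade = record["age"] // 10 * 10
    out["age"] = f"{decade}-{decade + 9}"
    return out

# Name masked only: every row is still unique on address + age + gender.
k_masked_name_only = smallest_group(RECORDS, QUASI_IDS)
# After coarsening: each row is indistinguishable from at least one other.
k_generalized = smallest_group([generalize(r) for r in RECORDS], QUASI_IDS)
print(k_masked_name_only, k_generalized)
```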
Security – The Three “A”s
• Authentication
– You are who you say you are
• Authorization
– You can see and do what you are permitted by policy to see and do
• Accountability
– You are held responsible for what you see and do
Authentication
• Passwords – simplest form of authentication
• Can be very secure, but one breach can spread rapidly
• Can be too secure – if you forget your password
Authorization
• I’m a valid user of the system, and I’ve been authenticated. I want to see EVERYTHING on EVERYONE!!!
• The system can define who is authorized to see and do what
Authorization Models
• User Based
– I have certain authorization rights based on who I am as an individual
• Role Based
– I have authority based on my role e.g. doctor vs. nurse vs. lab technologist
• Context Based
– Who you are + Where you are + What you are + When you are What you are
Authorization Challenge
• We do not want to prevent anyone from providing care
• Authorization in many cases is based on relationship to the patient
– Providers declare a relationship when a patient is accessed
• person_provider_relationship
– All patient data access is logged!!!
• person_provider_activity
Accountability
• You are held responsible for what you see and do
• Difficult to develop systems-based ways of ensuring accountability
• An ethics problem
• Security can help ensure accountability
– Audit Logging – “We know where you’ve been”
– Password policies
– Alert capabilities
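The relationship-based authorization and audit logging described in the two slides above can be sketched as follows. This is an added example, not code from the slides or from any vendor system: the two table names appear on the slide, but every column, function name, identifier and timestamp is an assumption. Any provider may declare a relationship, so care is not blocked, but the declaration and every access attempt become reviewable records.

```python
import sqlite3

# Table names come from the slide; every column name is an assumption.
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE person_provider_relationship (
    provider_id TEXT, person_id TEXT, relationship TEXT, declared_at TEXT,
    PRIMARY KEY (provider_id, person_id));
CREATE TABLE person_provider_activity (
    provider_id TEXT, person_id TEXT, action TEXT, allowed INTEGER, at TEXT);
""")

def declare_relationship(provider_id, person_id, relationship, at):
    """A provider states why they need the chart; the statement is stored."""
    db.execute("INSERT OR REPLACE INTO person_provider_relationship "
               "VALUES (?, ?, ?, ?)", (provider_id, person_id, relationship, at))

def access_chart(provider_id, person_id, action, at):
    """Allow access only under a declared relationship; log every attempt."""
    declared = db.execute(
        "SELECT 1 FROM person_provider_relationship "
        "WHERE provider_id = ? AND person_id = ?",
        (provider_id, person_id)).fetchone() is not None
    db.execute("INSERT INTO person_provider_activity VALUES (?, ?, ?, ?, ?)",
               (provider_id, person_id, action, int(declared), at))
    return declared

def audit_patient(person_id):
    """Per provider: declared relationship, allowed count, refused count."""
    return db.execute("""
        SELECT a.provider_id, COALESCE(r.relationship, 'none declared'),
               SUM(a.allowed), SUM(1 - a.allowed)
        FROM person_provider_activity a
        LEFT JOIN person_provider_relationship r
          ON r.provider_id = a.provider_id AND r.person_id = a.person_id
        WHERE a.person_id = ?
        GROUP BY a.provider_id, r.relationship
        ORDER BY a.provider_id""", (person_id,)).fetchall()

# Constructed identifiers and timestamps.
declare_relationship("dr_lee", "pt_100", "attending", "2016-01-26T08:00")
first = access_chart("dr_lee", "pt_100", "view_labs", "2016-01-26T08:05")
curious = access_chart("clerk_7", "pt_100", "view_labs", "2016-01-26T09:30")
declare_relationship("rn_ortiz", "pt_100", "covering nurse", "2016-01-26T10:00")
covered = access_chart("rn_ortiz", "pt_100", "view_meds", "2016-01-26T10:01")
report = audit_patient("pt_100")
```

The audit report lists the refused attempt alongside the permitted ones, which is what lets a reviewer question an access that has no declared relationship behind it.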
Ethics and Morals
• One definition
– Morals – choice between right and wrong
– Ethics – choice between right and right
– Example 1
• Famous person in hospital, and you’re curious about their lab results
– Example 2
• Back to the banker example
Workplace Ethics
• Many people may have access to patient data
• Trust
• Knowledge of Rules
• Awareness of Consequences
A Problem
• FAXing a document to a remote location
– Anyone in the office can potentially see patient data
– The office assumes all responsibility if they are a trusted business partner
Other Means of Security
• Physical Access
– Secured Areas – locked rooms
• Technology Solutions
– An ORACLE instance can be locked out
– Users of other ORACLE instances on the same machine cannot gain access
Technology Solutions
• Data Encryption
• Data Aging – remove data after a certain time
• Data Transmission Security – can’t move what isn’t authorized
• Local Authentication
– Includes time-out function
Who is responsible?
• Healthcare provider is ultimately responsible
• But, the IT supplier that has a systems solution will have a competitive advantage
• So, at Cerner we have enhanced our systems to be “HIPAA compliant”
– Authentication
– Authorization
– Access logging
Workplace Ethics II
• Access to over 1500 clients from my desk
– High-privilege accounts, required for troubleshooting
– Back-end data access – we can see most anything
• Client-specific security measures
– We MUST follow ALL policies
– Who we are, what are we doing, what did we do
– My own client security anecdote….
• Can we look up data on celebrities? Family members?
The Medical (Patient) Record
• A historical record of patient care
• A communication tool among care providers
• A research and knowledge-gaining tool
• A teaching tool
• An operational tool (e.g., order entry)
• A business tool (e.g. to support billing)
• An administration record (e.g., to manage resources)
• A legal record with considerable longevity
Electronic Medical Record
• Provides multiple advantages vs. manual records:
– Record can be used by multiple personnel at the same time
– Record is accessible from anywhere (even from home)
– Clear, well-organized, legible documentation
– Data can be reused for other purposes
– Data can be integrated from multiple sources transparently
– Data can be validated automatically
– Enables multiple automated research and decision-support functions (analysis, machine learning and data mining, automated diagnosis, reminders, guideline-based care)
– Decision support can be integrated with use of the patient record
EMR: Costs
• Large initial set-up investments
– Hardware, software, training, support, maintenance
• Significant workflow changes
• Significant organizational changes
• Difficult data entry relative to handwriting
• Potential catastrophic failure
– Note: paper records also have “down” times
What must be in place
• Data standards
– Reference Information Model
– Common data elements
– Common data types
– Common terminology
– Clinical templates
• Ability to share data and knowledge
– Data interchange standards
– Common content architecture standards
– Common minimum set of functions for the EHR
– Infrastructure to support required connectivity
– Common methods of knowledge representation
Integration of EMR and Decision Support Modules
• Decision support is most effective when integrated with an EMR
– The most likely opportunity for providing decision support is when the physician is assessing the patient record or entering an order
– All or most relevant patient data can be accessible to the DSS and do not require separate entry
– Physician should always be able to override the recommendation and, if relevant, provide feedback
Order Entry
• A major function of an EMR system, allowing care providers to enter clear, legible orders for patient care anytime, anywhere
• Supports validation of order, issuing of alerts, suggestion of relevant information and knowledge, and even actions
• Quick effect on physician ordering behavior
EMR and Knowledge Sources
• The most effective time to provide access to knowledge is when the care provider is browsing the patient record
• A query can be formulated in a context-sensitive manner with respect to the patient record, thus anticipating the physician’s needs
– Note: Queries often have relatively expected structure and content (e.g., which drug is useful for condition X in context Y; What are side effects of drug Z when used in manner W; What clinical guidelines are most relevant for disease D in patients of type P)
EMRs: Major Issues
• Data Entry
– Data capture: the scope of the data that is or can be represented in the EMR
– Data input: coded data are difficult to input by physicians; text is less useful for processing
– Errors can be reduced by multiple validity checks
Validity Checks During Data Entry in an EMR
• Range checks (Hemoglobin in [0..30] Gr/Dl)
• Pattern checks (a telephone number pattern)
• Numeric and other inter-data constraint checks (total of WBC differential is 100%)
• Consistency checks (pregnant male??)
• Temporal-abstraction checks (weight cannot change by 50 Kgs in 2 days)
• Spelling checks
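The checks listed above, applied to one data-entry record, as an added example that is not part of the original slides. The thresholds are the ones on the slide; the field names, the US-style phone pattern, the 0.5-point rounding tolerance on the differential and the sample entries are assumptions. Spelling checks are left out.

```python
import re
from datetime import date

# Assumed US-style pattern; the slide only says "a telephone number pattern".
PHONE = re.compile(r"^\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}$")

def validate_entry(entry, previous=None):
    """Run the slide's checks on one entry and return the list of failures.
    `previous` is the patient's prior entry, needed for the temporal check."""
    problems = []
    if not 0 <= entry["hemoglobin"] <= 30:                  # range check
        problems.append("range: hemoglobin")
    if not PHONE.match(entry["phone"]):                     # pattern check
        problems.append("pattern: phone")
    if abs(sum(entry["wbc_diff"].values()) - 100) > 0.5:    # inter-data check
        problems.append("constraint: WBC differential total")
    if entry["sex"] == "M" and entry["pregnant"]:           # consistency check
        problems.append("consistency: pregnant male")
    if previous is not None:                                # temporal check
        days = abs((entry["date"] - previous["date"]).days)
        change = abs(entry["weight_kg"] - previous["weight_kg"])
        if days <= 2 and change >= 50:
            problems.append("temporal: weight change")
    return problems

# Constructed entries for one patient, two days apart.
DIFF_OK = {"neut": 60, "lymph": 30, "mono": 6, "eos": 3, "baso": 1}
PRIOR = {"date": date(2016, 1, 24), "weight_kg": 72.0, "hemoglobin": 13.4,
         "phone": "816-555-0100", "wbc_diff": DIFF_OK, "sex": "M",
         "pregnant": False}
GOOD = dict(PRIOR, date=date(2016, 1, 26), weight_kg=71.5, hemoglobin=13.5)
# Typical keying slips: misplaced decimal points, truncated phone number,
# a differential that adds up to 110, and a wrongly ticked box.
BAD = dict(GOOD, hemoglobin=135, weight_kg=7.2, phone="555-12",
           wbc_diff=dict(DIFF_OK, neut=70), pregnant=True)

good_result = validate_entry(GOOD, PRIOR)
bad_result = validate_entry(BAD, PRIOR)
print(good_result, bad_result)
```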
Physician-Entered Data
• The main challenge to EMR developers!
– Patient histories, physical findings, interpretations, diagnostic and treatment plans
• Several very different entry methods
– Transcription of dictated or written notes
– Structured encounter forms from which notes are transcribed and even encoded
– Direct entry of data by physician via computer
• Speech recognition might alleviate some of the difficulties
The Need for Standards
• EMRs and almost any other information-oriented system in a clinical environment cannot be used without well-defined standards for representing and communicating information
• Data need to be exchanged between multiple, heterogeneous systems and might be used by very different applications
• Standards are needed for several different uses:
– Identifying patients, providers, health-care plans, employers
– Transferring patient data across different systems
– Representing medical knowledge that can be reused
How are Standards Developed?
• Ad hoc
– A group of interested people and organizations agree on an informal specification (ACR/NEMA DICOM)
• De facto
– A single vendor creates standard through monopoly (Microsoft Windows)
• Government mandate
– Agency creates a standard and legislates it (HCFA UB92 claim form)
• Consensus
– A group of volunteers work openly to create standard (HL7).
International Classification of Diseases (ICD)
– Intended mostly for talking about dead people (reporting mortality statistics to the WHO)
– Strict hierarchy with core 3-digit codes, possibly 4th digit
– ICD-9 (1977) common; inadequate for clinical reporting
– ICD-9-CM (Clinical Modifications) adds extra levels of details by 4th and 5th digits, popular in USA
– ICD-10 (1992) exists, but no clinical modifications yet
Codes in The International Classification of Diseases (ICD-9-CM)
724 Unspecified disorders of the back
  724.0 Spinal stenosis, other than cervical
    724.00 Spinal stenosis, unspecified region
    724.01 Spinal stenosis, thoracic region
    724.02 Spinal stenosis, lumbar region
    724.09 Spinal stenosis, other
  724.1 Pain in thoracic spine
  724.2 Lumbago
  724.3 Sciatica
  724.4 Thoracic or lumbosacral neuritis
  724.5 Backache, unspecified
  724.6 Disorders of sacrum
  724.7 Disorders of coccyx
    724.70 Unspecified disorder of coccyx
    724.71 Hypermobility of coccyx
    724.71 Coccygodynia
  724.8 Other symptoms referable to back
  724.9 Other unspecified back disorders
Diagnosis-Related Groups (DRGs)
• A USA (Yale) abstraction of the ICD-9-CM codes
• A small number of codes grouping multiple diagnosis codes by similar expected costs of hospitalization
• Modifies the major diagnosis by associated conditions, severity, and procedures to determine specific DRG code
Current Procedural Terminology (CPT)
• Encodes diagnostic and therapeutic procedures
• Adopted in the USA for billing and reimbursement
• Similar to DRG, classifies procedures by cost and reasons
• CPT-4: The main code used for reporting physician services to government and private insurance reimbursement
Diagnostic Statistical Manual of Mental Disorders (DSM)
• Published by the American Psychiatric Association
• Provides nomenclature as well as definitions (diagnostic criteria) of psychiatric disorders
• Coordinated with ICD; e.g., DSM-IV is coordinated with ICD-10
Systemized Nomenclature of Medicine (SNOMED)
• Developed by the American College of Pathologists
• Evolved from SNOP, A multi-axial system for describing pathological findings by postcoordination of topographic (anatomic), morphologic, etiologic, and functional terms
• SNOMED III: 11 axes, more than 130,000 terms
• SNOMED-RT (Reference terminology) created to encourage more consistent use of terms
• Main problem: Too expressive—several ways of defining the same term (e.g. acute appendicitis)
Read Clinical Codes
• Developed by James Read during the 1980s
• Adopted by the British National Health Service (NHS) in 1990
• Version 3 is a multiple hierarchy, and version 3.1 added ability for postcoordination of modifiers
• Work is under way to map to SNOMED
The Unified Medical Language System (UMLS)
• A project of the National Library of Medicine (within the National Health Institutes [NIH])
• Main resource: The Metathesaurus
– contains over 330,000 terms
– relates terms from over 40 different sources
• Supports searching the medical literature
• Uses Medical Subject Headings (MeSH) which are used to index medical literature
Logical Observations, Identifiers, Names and Codes (LOINC)
• A naming system developed by McDonald and Huff for tests and observations (now includes also vital signs, ECG, etc)
• Uses six semantic axes to encode the test, such as substance measured (urine) and analysis method used
• Coordinated development with the European Clinical Data Exchange Standard (EUCLIDES) standard
Example Data-Interchange Standards
• ACR/NEMA
– American College of Radiologists with the National Electronic Manufacturers Association
– Current version: DICOM 3.0; uses an object oriented model and supports ISO communications
• ASTM E31
– Published E1238, Standard Specification for Transferring Clinical Observations Between Independent Systems
– E1460: Defining and Sharing Modular Health Knowledge Bases is the Arden Syntax for Medical Logical Modules
Health Level 7 (HL7)
• Today, includes more than 500 industrial and academic organizational members and over 1800 individual members
• Name refers to OSI application layer 7
• A standard for exchange of data among different hospital computer applications
• Built upon ASTM 1238 and other protocols
• Version 3 (1999) is object oriented and uses a Reference Information Model (RIM)
Functions of a Health-Care Information System (HCIS) (I)
• Patient management
– Admission, Discharge, Transfer (ADT)
– Patient tracking
• Departmental management
– Ancillary departmental systems support clinical departments; laboratory, radiology, pharmacy, blood bank and medical records are most commonly automated
• Care delivery and Clinical documentation
– Mostly order entry and results reporting
Functions of a Health-Care Information System (HCIS) (II)
• Clinical decision support
– Built upon other HCIS components and need to be integrated with them (e.g. during order entry)
• Financial and resource management
– Typically the first functions to be centralized
• Managed-care support
– Integrated Delivery Networks (IDNs) start focusing more on patient health maintenance rather than cutting costs of treating sick patients
– Thus, provider-profiling systems, contract management systems and more sophisticated modules
Three Classic HCISs (1)
• The HELP system at the University of Utah
– Developed by Warner et al. at LDS Hospital
– Incorporated decision support logic modules from the start; these react to data and issue reminders, alerts, and advice
– Uses the HELP Frame Language
– Eventually led to Medical Logical Modules and the Arden Syntax
Three Classic HCISs (2)
• The Center for Clinical Computing (CCC) system at Beth Israel Deaconess Medical Center
– Developed by Bleich and Slack as a centralized system in Beth Israel Hospital, Boston from 1978
– Intensively used
– Includes knowledge access to MedLine via the PaperChase module, as well as email
– Ambulatory system supports problem lists and clinic notes
– Uses a MUMPS database, used as the clinical-data repository, and the ClinQuery online data warehouse
– Very little decision-support functionality
Three Classic HCISs (3)
• The DIOGENE System at Geneva Canton University Hospital
– Developed by Jean-Raoul Scherer and colleagues from 1971
– Migrated from a centralized to distributed architecture
– Supports all administrative and clinical functions
– Reports are printed; physicians write orders by telephoning an operator who types the order while physician dictates, views typing on computer screen, and gives verbal consent.