
Monday 30 March 2015

It is not the EMR that sucks, it is your lack of an information governance strategy

Hospitals are drowning in technological deficits: aging equipment, poor information security, unusable electronic health records and, importantly, no way to effectively share patient records with patients or partners. A recent study shows that two out of three hospitals are not meeting HITECH standards for Health Information Exchanges. The authors note that even though there are fines (see here for HITECH fines), it is unlikely that these will spur adoption of health information exchanges (HIE).

Bernie Monegain (Editor Healthcare IT News) does a great job summarizing the article. From a software vendor perspective this seems like a perfect storm; a gap in capabilities, upcoming deadlines and a change in revenue models. In any other industry there would be lines of vendors at every hospital's CFO's door trumpeting their ability to help them meet their deadlines. Unfortunately the usual suspect vendors in HealthIT have not seized the opportunity (see here).

As I have mentioned before, this is where ECM, WEM, etc. vendors should be stepping in to fill the gap. Hospitals of all sizes will need to be able to confidently exchange patient information and make it available to patients once Meaningful Use 2 standards for patient accessibility come into effect. Providing a mechanism to share patient information in a standardized, secure manner is not a nice-to-have item, it is a required item to meet obligations; it should be on every hospital CIO, CFO and CEO's radar.

It also speaks to the larger problem of what electronic health records are strategically versus the narrow software characterization. Healthcare providers and thought leaders need to acknowledge that the software sucks and is not the best place to share and view information. It is just a dumb database designed to HOUSE patient information in a safe manner; as the name suggests, an EHR is part of a records management strategy.

Electronic patient information has the potential to increase the efficiency and cost effectiveness of healthcare delivery. The problem is that the variety of solutions deployed by individual healthcare practices makes integration at the regional and national level difficult. As a rule they have been bought as point solutions to an immediate problem rather than as part of a healthcare information governance strategy.

It is time to look past a single solution that has a single set of technical specifications and build a system that manages data access.

As with any application rationalization process, it is important to define the costs, benefits and integration needs for any new enterprise application. Make no mistake: Health IT can no longer be a single application portfolio, it has to move to an ecosystem approach based on both clinical and administrative needs.

The failure of the single point solution of EHR/EMR has caused many IT professionals to take a negative view of information technology itself. As I have mentioned before, the problem is not the storage of the information, it is how to access the information. It is a content management issue, be it ECM, WCM or (gasp) SharePoint. EHR/EMR systems are horrible at providing access. For meaningful use 3 compliance and for your external marketing you need some kind of content serving system.

For organizations in a position to move to the newest EHR/EMR products, there may be no reason to have an additional system. For everyone who doesn't see a rip and replace in their next five years, consider how all the devices and partnerships that you have (and will have to grow to stay in compliance with Meaningful use).

You have a variety of regulatory items to think about as you develop your information governance strategy:

HIPAA 5010 covers electronic data exchange (EDI [X12]) compliance standards as mandated for 1/1/2012. It covers exchange of all data transmitted by FTP, HTTPS, etc. It also encompasses the letter and number codes used for identifying file types during transactions. 5010 is largely an attempt to standardize the file codes in a way that increases security through in-flight encryption with decryption at each end. This is only possible if there is a standard metadata set.

ICD-10 is completely different: it is the International Classification of Diseases (Rev. 10). This is used mainly for e-billing purposes as part of the diagnostic reference. It is not the official standard in the US until 10/1/2013; the HIPAA 5010 EDI standard is a prerequisite for use of ICD-10.

Device access: Smartphones and tablet computers represent the next wave of technological innovation in healthcare, not to mention medical devices and consumer health apps (see here for more thoughts).

Mobile is a key aspect of your long term success. Hospitals have a variety of high earning "part-time" and ad hoc employees with their own businesses to run. You need a way to integrate their independent process and access into your secure information systems.

As with any access decision, the type of information that can be accessed has to be balanced against the need for audit and security. The key is to remember the needs of end-users:
Doctors need access to all data, so restricting parts of the records is not an option.
Nurses need to update records on the fly.

IoT devices: There have been a lot of new devices for use in healthcare: patient-owned health apps, mobile phones and wireless medical devices (see here for more on this). One of the key shortcomings of today's EMR/EHR products is their lack of abilities on the user experience front. Hospitals need to move away from single point solution planning for applications to an information management strategy that includes integration of outside data, whether it comes from patients, partner clinics or device vendors.

IT managers need to take the initiative and do these three things:

  1. Ensure that the process involves care providers and administration in the same room. These meetings cannot be for show. All decision makers must be involved. 
  2. Get to know who the key decision-making doctors are in each department and develop a relationship. Some doctors are in favor of EHR; find out who these are in your hospital/clinic and involve them in building a strategy for how to attack the implementation. 
  3. Get care providers on-board during the demonstration phase. Take your key decision makers through the products and ask questions about the mundane parts of the software (first impressions of the GUI, how to access the records), not just the big picture items.

Tuesday 17 March 2015

Information Security and medical devices

Lately I've been thinking about consumer focused medical devices. I am a Fitbit user and only ever access the information on my cell. I do not actively share my information in their communities but I assume that Fitbit uses my information, in aggregate, to make money.
I get it, they are a for-profit company and I am receiving an ultra cheap service; Fitbit needs to make money on that service somehow.
Now that I've got the niceties out of the way the rest of this blog is angry and rant-y. In terms of full disclosure some of my anger comes from the recent kerfuffle over General Mills' plan to treat social media as a binding contract to protect itself from litigation. My fright over the new internet of things and the push for an exponential growth in apps and developers by 2020 -which BTW is not that long from now.
Anytime we expand something gets left out....and usually in software development it is security and customer privacy (see here for a good summary of where we are at with App security). We already know that many vendors do not take information privacy and governance seriously. Look at the recent Anthem disclosure...and they know they are subject to HIPAA.
The Market potential is enormous
The potential market for technologically enhanced medical devices is huge. (The market breakdown and total value are Espicom numbers. All analysis of the potential of technology to replace or enhance each category is mine. The Canadian market numbers are easily available-and could be verified, most estimates put the US market at 10-100 times the size)
I estimate a $2 billion market in Canada based on current trends and the potential for technology to enhance the current medical devices when broken down by category. If we assume that some of the devices will collect information this puts the potential software market at $1.2B in Canada alone. The opportunity is enormous...for both commercial adventures and the rampant loss of patient privacy.
A lack of responsibility on the part of software companies
The other part comes from my attempts at conversations with a couple of consumer focused but information sharing applications. One company provides a cloud based service that allows doctors and medical students to share patient information, including pictures, with other doctors. It is a great premise BUT......what protection is there for patients? I contacted the company and basically their protections are focused on their own bottom line, they have a "policy in place that meets all legal obligations in their local jurisdictions".....THEY ONLY HAVE POLICY......they also would not disclose and had no plans to be proactive about applying any technical protections to block the sharing of patient data.
Am I the only person that has a problem with this?!? This is a product designed for medical personnel to SHARE patient information and they have no plans to protect the data!@!
As we move forward into the wearables and internet of things era, what are the obligations to these companies that hold personal information? We, as consumers, need to hold customer facing companies responsible for protecting customer information. Doctors and people within the software industry in particular should be absolutely ashamed of the state of medical device and health app security. Both groups have actively undermined efforts to enact better regulations by complaining that it will kill the industry. Here is a note: if you lose private health information, it will kill your company. Shouldn't a company that provides a service that enables the sharing of medical information be as accountable? Should they be allowed to merely point to a piece of "paper" and say "not our problem?!?" If your policy says that the user must comply with hospital regulations on patient data sharing, you should provide the hospital a method to enforce policy. As a patient I need to know that the med student is not sharing pictures of my serious and potentially embarrassing problem just to have a laugh with their friends. It is the reason that Box is such a fast growing product! It gives end users what they need and it gives the business the protections it may need. In this age of PRISM and companies selling your data (see here for stats), wouldn't it be a marketing advantage to tell customers you go beyond the minimal standards that were set for a paper based age?
Here is my POV on this: If you are enabling sharing of a person's medical information-whether they are your customer or the patient of a customer's- you are obligated to protect that data from the stupidity or laziness of your users. How many busy residents are really going to take the time to ask their patients if they can share the x-ray? Especially if they can control capture and share from a personally owned device? Should I as a patient be forced to spell out the conditions under which I will allow students and doctors to share my information? Is that really a winning strategy in an age of user experience? There should be no such things as Facebook, Dropbox or Google drive for doctors! At a minimum you should provide hospitals the option of enabling controls based on their policy and not just weasel out of it by throwing your hands up and saying hey we did our job, they told us that it was alright.

Thursday 1 May 2014

The obligation of mHealth vendors to protect patient information

Lately I've been thinking about consumer focused medical devices. I am a Fitbit user and only ever access the information on my cell. I do not actively share the information in their communities but I assume that Fitbit uses my information, in aggregate, to make money. I get it, they are a for-profit company and I am receiving an ultra cheap service; Fitbit needs to make money on that service somehow.

Now that I've got the niceties out of the way the rest of this blog is angry and rant-y. In terms of full disclosure some of my anger comes from the recent kerfuffle over General Mills' plan to treat social media as a binding contract to protect itself from litigation. The other part comes from my interactions with a couple of consumer focused but information sharing applications. One company provides a cloud based service that allows doctors and medical students to share patient information, including pictures, with other doctors. It is a great premise BUT......what protection is there for patients? 

I contacted the company and basically their protections are focused on their bottom line, they have a "policy in place that meets all legal obligations in their local jurisdictions"......they also would not disclose and had no plans to be proactive about applying any technical protections to block the sharing of patient data.

Am I the only person that has a problem with this?!? 

As we move forward into the wearables and internet of things era, what are the obligations to these companies? 

We hold customer facing companies responsible for protecting customer information. Shouldn't a company that provides a service that enables the sharing of medical information be as accountable? Should they be allowed to merely point to a piece of "paper" and say "not our problem?!?" 

If your policy says that the user must comply with hospital regulations on patient data sharing, you should provide the hospital a method to enforce policy. As a patient I need to know that the med student is not sharing pictures of my serious and potentially embarrassing problem just to have a laugh with their friends. It is the reason that Box is such a fast growing product! It gives end users what they need and it gives the business the protections it may need. 

In this age of PRISM and companies selling your data (see here for stats), wouldn't it be a marketing advantage to tell customers you go beyond the minimal?

Here is my POV on this: If you are enabling sharing of a person's medical information, you are obligated to protect that data from the stupidity or laziness of your users. 

How many busy residents are really going to take the time to ask their patients if they can share the x-ray? Especially if they can control capture and share from a personally owned device? Should I as a patient be forced to spell out the conditions under which I will allow students and doctors to share my information? 

There should be no such things as Facebook, Dropbox or Google drive for doctors! At a minimum you should provide hospitals the option of enabling controls based on their policy and not just weasel out of it by throwing your hands up and saying hey we did our job, they told us that it was alright.

Tuesday 8 April 2014

Clinical data random information

I've become an information hoarder. As I spend more time thinking about Information Management and speeding the move to better technical systems, I am amazed how general the principles of design are between the different industries.

Here is a noob's (i.e. my) "plain spoken" understanding of a key term in managing patient data across hospitals and for predictive analytics and personal health decision making.

Level setting (i.e. in general the definition of clinical data warehousing): Clinical data warehousing is a patient-identifier-organized, integrated, historically archived collection of data.

For the most part the purpose of a CDW is as a database for hospitals and healthcare workers to analyze and make informed decisions on both individual patient care and forecasting where a hospital’s patient population is going to need greater care (i.e. patients are showing up as obese; therefore specific hospital programs to fight diabetes are a good idea).

Data warehousing in healthcare also has use in preparing for both full ICD-10 and meaningful use implementation. For example; McKesson through its Enterprise intelligence module probably has plenty of CDW management capabilities the only interested in meeting the upcoming ICD-10 and meaningful use deadlines. These kinds of worries are only for US hospitals. However since Canada requires ICD-10 compliance for all EMR systems this does present a benefit to Canadian healthcare.

In principle, since data warehousing at its core is about building a relational database, it should be EMR-supplier agnostic. Since McKesson is an ICD-10 and meaningful use-ready supplier, the database itself should conform to standards that would allow general solutions to be used. This article goes through some of the potential benefits and pain points. It is tailored to clinical trials but the underlying message, that building a CDW is an ongoing procedure, is the same for other uses.

One example of how this may be done is Stanford’s STRIDE; they used HL7 reference information model to combine their Cerner and Epic databases. This is part of a larger opensource project that may be an option if an organization has some development expertise.

Since the main users of CDWs tend to be the people doing the analysis (current buzzwords to search for analytics include: BI, predictive analytics, enterprise planning, etc.), it is probably useful for Health IT professionals to understand WHO and WHAT the CDW is for within the organization, i.e. have a full-blown Information Governance plan that places a value on information, not just a risk assessment. 

Friday 28 March 2014

Security without usability isn't better healthcare

I spend a lot of my time understanding how information is stored, accessed and protected as part of my role as an IT analyst. I am always astounded at how little of what is standard practice in many industries has filtered over to health care and/or life sciences (Pharma+Biotech+academia).

The recent hub-bub about ACA (AKA Obamacare) has completely yelled over the real transformation opportunity in healthcare. Up until the recent deadlines and political fights regarding ACA "everyone" was really concerned about meaningful use. The TL;DR version of the MU legislation is this: make information available to care providers and patients.

So what are we really talking about here? It is really pretty simple; it is information management and the processes that guard against mis-use while enabling productivity.

Let's be honest: the EHR/EMR solutions implemented at most organizations do not enable productivity or protect information. Doctors hate them because they do not fit their work patterns (see here), hospitals have significant issues with data protection (see here) and, importantly, it is not mitigating the biggest risk to patient outcomes (and hospital liability) (see here).  

It is time to re-think the information silos in healthcare.

So if a single poorly accessed EHR is not the answer, what is?

I would argue that we need to think about this based on information flow and how we expect the value to be delivered. In this case patient care.

An interesting model to think about is the Canadian delivery model. For example; Ontario E-health has determined it is neither cost effective nor timely to build a single system for every hospital.  At the moment, 70% of all physician practices and hospitals already have some sort of EHR system in place. So rip and replace is not an option, the reality is we need to make lemonade.

Since Ontario funds the hospitals through direct allocation of tax revenue, it is loath to flush that money down the drain. 

Therefore the best approach is to control the data itself (including digital images, prescription history, surgery, etc.) and let the individual hospitals control how they view and use the data. 

In other words- Make it easier to access information based on who you are and what you need the information for!

Focus on the Information exchange layer

Consolidated Information Management layout for Patient care focus. 
So how do we do this without moving to brand new systems and shiny new toys?

The same way every other industry is doing it, especially low margin, high risk industries such as oil and gas, insurance and manufacturing. Keep the clunky but very secure system and take advantage of the new technologies that enable information sharing. Instead of an all-in-one solution, add an ECM or portal to manage rights, search and presentation. It will be more cost-effective than doing nothing or rip and replace.

This structure controls movement and access to patient data, allowing for quick access to the appropriate information based on job and location.  It provides a structure that takes advantage of the current investment in a secure database yet provides a flexible layer that is designed to convey information in context for end users. 
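
One way the layer described above could decide access by job and location while auditing every request, as an added example that is not from the original post or from any vendor's product. The roles, locations, record sections and the list of patients who have consented to sharing are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed hospital policy: (role, action) -> locations where it is allowed.
# "*" means any location. Roles, actions and locations are assumptions.
POLICY = {
    ("doctor", "read"): {"*"},
    ("doctor", "update"): {"ward", "clinic"},
    ("doctor", "share"): {"ward", "clinic"},
    ("nurse", "read"): {"ward", "clinic"},
    ("nurse", "update"): {"ward", "clinic"},
    ("billing", "read"): {"office"},
}
# Record sections visible per role; None means the whole record (doctors).
SECTIONS = {
    "doctor": None,
    "nurse": {"vitals", "medications", "notes"},
    "billing": {"diagnosis_codes"},
}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    location: str
    action: str  # "read", "update" or "share"
    patient_id: str
    section: str


class ExchangeLayer:
    """Decides access in front of the record store and audits every decision."""

    def __init__(self, policy, sections, share_consents):
        self.policy = policy
        self.sections = sections
        self.share_consents = share_consents  # patient ids with recorded consent
        self.audit = []

    def _evaluate(self, req):
        locations = self.policy.get((req.role, req.action))
        if locations is None:
            return False, "role may not perform this action"
        if "*" not in locations and req.location not in locations:
            return False, "action not permitted from this location"
        visible = self.sections.get(req.role, set())
        if visible is not None and req.section not in visible:
            return False, "section outside this role's view"
        if req.action == "share" and req.patient_id not in self.share_consents:
            return False, "no recorded patient consent to share"
        return True, "permitted by policy"

    def decide(self, req):
        allowed, reason = self._evaluate(req)
        # Denials are logged too: they are what a privacy officer reviews.
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": req.user, "role": req.role, "location": req.location,
            "action": req.action, "patient": req.patient_id,
            "section": req.section, "allowed": allowed, "reason": reason,
        })
        return allowed
```

The existing EHR stays the system of record; only the policy table and consent list change when the hospital's rules change.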

This may not be the best system or the system that you would design from scratch with an unlimited budget, but it gives a long term flexibility AND doesn't require a rip and replace of your current EMR/EHR. It should provide very good, highly usable healthcare at a reasonable cost.

The way they are going about the change may not be splashy but it will work for both patients and doctors- that’s a great thing. The one thing it won’t fix is the doctors who refuse to use it-and that is a bad thing.

There is additional cost involved in this model but if the doctors and nurses do not use what you have now.....would salvaging that investment be better?

Love any comments or critique of the model.