It is not the EMR that sucks it is your lack of a information governance strategy

Hospitals are drowning is technological deficits; aging equipment, poor information security, unusable electronic health records and importantly no way to effective share patient records with patients or partners. A recent study shows that two out of three hospitals are not meeting HITECH standards for Health Information Exchanges. The authors note that even though there are fines (see here for HITECH fines), it is unlikely that these will spur adoption of health information exchanges (HIE).

Bernie Monegain (Editor Healthcare IT News) does a great job summarizing the article. From a software vendor perspective this seems like a perfect storm; a gap in capabilities, upcoming deadlines and a change in revenue models. In any other industry there would be lines of vendors at every hospital's CFO's door trumpeting their ability to help them meet their deadlines. Unfortunately the usual suspect vendors in HealthIT have not seized the opportunity (see here).

As I have mention before this is where ECM, WEM, etc vendors should be stepping in to fill the gap.Hospitals of all sizes will need to be able to confidently exchange patient information and make it available to patients once Meaningful use 2 standards for patient accessibility come into affect. Providibng a mechanism to share patient information in a standardized, secure manner is not a nice to have item, it is a required item to meet obligations-it should be on every hospital CIO, CFO and CEO's radar.

It also speaks to the larger problem of what electronic health records are strategically versus the narrow software characterization. Healthcare providers and thought leaders need to acknowledge the software sucks, and is not the best place to share and view information. It is just a dumb database designed to HOUSE patient information in a safe manner- as the name suggests a EHR is part of a records management strategy.

Electronic Patient information has the potential to increase the efficiency and cost effectiveness of healthcare delivery. The problem is the variety of solutions deployed by individual healthcare practices makes integration at the regional and national level difficult. As a rule they have been bought as point solutions to a immediate problem rather than as part of a healthcare information governance strategy.

It is time to look past a single solution that has a single set of technical specifications and build a system that manages data access.

As with any application rationalization process, it is important to define the costs, benefits and integration needs for any new enterprise application. Make no mistake; Health IT can no longer be a single application portfolio, they have to move to an ecosystem approach based on both clinical and administrative needs.

The failure of the single point solution of EHR/EMR has cause many IT professionals to take a negative view of information technology itself. As I have mentioned before, the problem is not the storage of the information it is how to access the information- it is a content management issue-be it ECM, WCM or -gasp-(SharePoint). EHR.EMR systems are horrible at providing access. For meaningful use 3 compliance and for your external marketing you need some kind of content serving system.

For organizations in a position to move to the newest EHR/EMR products, there may be no reason to have an additional system.For everyone who doesn't see a rip and replace in their next five years, consider how all the devices and partnerships that you have (and will have to grow to stay in compliance with Meaningful use).

You have a variety of regulatory items to think about as you develop your information governance strategy:

HIPAA 5010 covers Electronic data exchange(EDI[X12]) compliance standards as mandated for 1/1/2012: It covers exchange of all data transmitted by FTP, HTTPs, etc. Also encompasses the letter and number codes used for identifying file types during transactions. 5010 is largely an attempt to standardize the file codes in a way that increases security through in-flight encryption with de-crypt at each end. This is only possible if there is a standard metadata set.

ICD-10 is completely different it is the International Classification of Diseases (Rev. 10). This is used mainly for e-billing purposes as part of the diagnostic reference. It is not the official standard in the US until 10/1/2013, HIPAA 5010 EDI standards is a prerequisite for use of ICD-10.

Device access Smartphones and tablet computers represent the next wave of technological innovation in healthcare not to mention medical devices and consumer health apps (see here for more thoughts).

Mobile is a key aspect of your long term success. Hospitals have a variety of high earning "part-time" and ad hoc employees with their own businesses to run. You need a way to integrate their independent process and access into your secure information systems.

As with any access decision the type of information that can be accesses has to be balanced against the need for audit and security. The key is to remember the needs of end-users:
Doctors need access to all data, so restricting parts of the records is not an option.
Nurses need to update records on the fly.

IoT devices- There has been a lot of new devices for use in healthcare- patient owned health apps, mobile phones and wireless medical devices (see here for more on this). One of the key short comings of today's EMR/EHR products is their lack of abilities on the user experience front. Hospitals need to move away from single point solution planning for applications to a information management strategy that includes integration of outside data- whether it comes from patients, partner clinics or device vendors.

IT managers need to take the initiative and do these three things:

1. Ensure that the process involves care providers and administration in the same room. These meetings cannot be for show. All decision makers must be involved. 
2. Get to know who the key decision-making doctors are in each department and develop a relationship. Some doctors are in favor of EHR find out who these are in your hospital/clinic and involve them in building a strategy for how to attack the implementation. 
3. Get care providers on-board during the demonstration phase. Take your key decision makers through the products ask questions about the mundane parts of the software (first impressions of the GUI, how to access the records) not just the big picture items.

Information Security and medical devices

Lately I've been thinking about consumer focused medical devices. I am a Fitbit user and only every access the information on my cell. I do not actively share my information in their communities but I assume that Fitbit uses my information, in aggregate, to make money.

I get it, they are an for-profit company and I am receiving a ultra cheap service, Fitbit needs to make money on that service somehow.

Now that I've got the niceties out of the way the rest of this blog is angry and rant-y. In terms of full disclosure some of my anger comes from the recent kerfuffle over General Mills' plan to treat social media as a binding contract to protect itself from litigation. My fright over the new internet of things and the push for an exponential growth in apps and developers by 2020 -which BTW is not that long from now.

Anytime we expand something gets left out....and usually in software development it is security and customer privacy (see here for a good summary of where we are at with App security). We already know that many vendors do not take information privacy and governance seriously. Look at the recent Anthem disclosure...and they know they are subject to HIPAA.

The Market potential is enormous

The potential market for technologically enhanced medical devices is huge. (The market breakdown and total value are Espicom numbers. All analysis of the potential of technology to replace or enhance each category is mine. The Canadian market numbers are easily available-and could be verified, most estimates put the US market at 10-100 times the size)

I estimate at a $2 Billion dollar market in Canada based on current trends and the potential for technology to enhance the current medical devices when broken down by category. If we assume that some of the devices will collect information this puts the potential software market at $1.2B in Canada alone. The opportunity is enormous...for both commercial adventures and the rampant loss of patient privacy.

A lack of responsibility on the part of software companies

The other part comes from my attempts at conversations with a couple of consumer focused but information sharing applications. One company provides a cloud based service that allows doctors and medical students to share patient information, including pictures, with other doctors. It is a great premise BUT......what protection is there for patients? I contacted the company and basically their protections are focused on their own bottom line, the have a "policy in place that meets all legal obligations in their local jurisdictions".....THEY ONLY HAVE POLICY......they also would not disclose and had no plans to be proactive about applying any technical protections to block the sharing of patient data.

Am I the only person that has a problem with this?!? This is a product designed for medical personnel to SHARE patient information and they have no plans to protect the data!@!

As we move forward into the wearables and internet of things era, what are the obligations to these companies that hold personal information? We, as consumers, need to hold customer facing companies responsible for protecting customer information. Doctors and people within the software industry in particular should be absolutely ashamed of the state of the medical device and health app security. Both groups have actively undermined efforts to enact better regulations by complaining that it will kill the industry. Here is a note if you lose private health information- it will kill your company. Shouldn't a company that provides a service that enables the sharing of medical information as accountable? Should they be allowed to merely point to a piece of "paper" and say "not our problem?!?" If your policy says that the user must comply with hospital regulations on patient data sharing, you should provide the hospital a method to enforce policy. As a patient I need to know that the med student is not sharing pictures of my serious and potentially embarrassing problem just to have a laugh with their friends. It is the reason that Box is such a fast growing product! It gives end users what they need and it gives the business the protections it may need. In this age of PRISM and companies selling your data (see here for stats), wouldn't it be a marketing advantage to tell customers you go beyond the minimal standards that were set for a paper based age?

Here is my POV on this: If you are enabling sharing of a person's medical information-whether they are your customer or the patient of a customer's- you are obligated to protect that data from the stupidity or laziness of your users. How many busy residents are really going to take the time to ask their patients if they can share the x-ray? Especially if they can control capture and share from a personally owned device? Should I as a patient be forced to spell out the conditions under which I will allow students and doctors to share my information? Is that really a winning strategy in an age of user experience? There should be no such things as Facebook, Dropbox or Google drive for doctors! At a minimum you should provide hospitals the option of enabling controls based on their policy and not just weasel out of it by throwing your hands up and saying hey we did our job, they told us that it was alright.