
There are two interesting trends going on in healthcare at this time (no, I am not talking about the current debate in Congress). One is that we will see more and more healthcare providers use electronic medical records – a trend that is fueled by financial incentives through “stimulus money”. The other is the consumerization of IT – specifically healthcare IT.
We see this trend in other areas as well – like employees using their personal cell phones of choice to access corporate email, or even bringing their personal laptops to work.
In healthcare, doctors are already heavy users of mobile technology – cell phones, smart phones, the ubiquitous pager etc. But today we’re at a point where the consumer technology is good enough to be used for clinical purposes and can actually contribute to giving doctors a little bit of their free time and their personal life back.
Case in point: The patient calls their on-call doctor after hours with a rash or burn. In the old days, it would have required the physician to drive a possibly long distance to see the patient in order to recommend treatment. Today, she can ask the patient to take a picture of the ailment with a smart phone and email it over. In many cases, the image quality is good enough to recommend treatment and help the patient immediately.

This trend is obviously troublesome for healthcare administrators. Many actually recommend against their physicians employing “unapproved” avenues to make remote diagnoses out of fear of litigation and legal compliance violations. The dilemma is that both patients and doctors use technology out of convenience where it makes sense. It is against a doctor’s nature to hold back care if it is obvious how the patient can be helped right then and there.
However, I stipulate that this is actually nothing new.

  • For a long time, doctors have consulted their patients over the phone and gathered enough information to diagnose and make a recommendation for treatment, so the digital information exchange actually reduces risk in many cases.
  • Patients are the only rightful owners (note that I am not saying the only legal owners, this would be a different discussion) of their medical data. If they choose to share some of it over less-than-secure connections with their physician, it’s their choice. In the age of social media and Internet-based commerce, people have become accustomed to giving up some privacy and security in exchange for faster and better service online.

So, can both groups – doctors and their patients on one side and privacy advocates, regulators, and lawyers on the other side – be happy? Yes.
Some electronic medical record system vendors incorporate an internal, secure messaging feature that allows patients to communicate with their doctors and nurses directly, but through the established channels of an existing EMR implementation. In addition to (or in lieu of) this capability, healthcare providers can use their smart phones, netbooks, tablets, home computers etc. to securely connect to their employer’s system to upload data, annotate patient notes in real time, check for potentially harmful allergies, etc. If the EMR implementation does not expose a fully functional web-based user interface, both desktop and application virtualization technologies can make it so.
Instead of getting into the cold car and driving 50 miles through snow and ice to see a patient, the doctor on call can simply pause the movie on the living room TV, switch the set to the connected PC and securely connect to the patient’s medical record, review pertinent information, write a prescription electronically (a must-have under the proposed “meaningful use” criteria) and finally go back to being a private person. More personal life for caregivers, faster service for patients – enabled through technology.

Follow me on twitter: @florianbecker

The American Recovery and Reinvestment Act of 2009 (ARRA) contains a whole chapter called HITECH. This catchy acronym stands for Health Information Technology for Economic and Clinical Health and makes you wonder if “they” construct the acronym before deciding on what information to convey. It basically mandates a number of fairly stringent disclosure requirements for HIPAA covered entities and their business associates in the case of privacy breaches leading to the disclosure of patient data. The act is intentionally aggressive in order to entice health care providers and insurance companies to be really cautious about patient privacy and record security.
I am at HIMSS in Atlanta this week and I notice that ARRA, HITECH, HIPAA and other related topics are front and center in many sessions and for many vendors on the floor.
Under HITECH, the burden of proof is on the side of the covered entity to prevent a breach, discover the breach, and then disclose the breach to the patients and – in some cases – to the Secretary of Health and Human Services. If the breach affects 500 or more patients in a state or region, the covered entity must notify the patients via public media and notify HHS immediately.
So, let’s define what a breach really is, and then what you can do to never have to call your local newspaper for the disclosure ad.

Under HITECH, a breach is an “unauthorized acquisition, use, or disclosure that compromises the security or privacy of the health record”. There’s also something in the language that this must pose a significant risk of financial, reputational, or other harm to the individual. Note that I am not a lawyer, but I did stay in a holiday….. tonight. Kidding aside, I did listen to Gerry Hinkley and Deven McGraw during their HIMSS session this week – both are legal experts in this field.

So, having a laptop with unencrypted and personally identifiable patient information stolen would be a breach. If, however, the data is secured with federally accepted levels of encryption (and the security of the key is not compromised), OR the data does not include certain items such as DOB or the patient’s ZIP code, it’s not a breach.
As you can see, the devil is in the detail. So, how can you take steps to avoid that painful disclosure? For one, ensure that the patient information never leaves your data center. Leverage desktop or application virtualization and disable clipboard and local disk access on the client device. Many electronic health applications can print only through the server, so client-connected printers are not needed and can also be turned off without compromising functionality. If mobile access to the data is needed, consider the Citrix Receiver for the iPhone or mobile access platform of your choice to deliver the information without delivering the data.
Even without HITECH, these are important considerations for any Electronic Medical Records (EMR) rollout. When done correctly, you could allow your doctors, nurses, and staffers to use the laptop, netbook, tablet, iPad of their choice without having to worry about IT managing the myriad of devices or any of them leaving the premises.

Now, unfortunately, this is only one aspect of HITECH. The other aspect involves the unauthorized access of patient records by employees who have legitimate access to the systems, but are basically snooping around. HITECH covers privacy breaches, not just security breaches. Looking up your own lab results, or the chart of your friend’s sick kid is an example of a well-intentioned, but illegal breach. Looking up the local football player’s records to determine if that hamstring injury has healed before Sunday’s game is also an illegal breach, but not an innocent one. Identifying those scenarios actually requires intelligent data mining to assess whether access was justified for a person to do their job or constitutes a breach. While you can’t fix the latter category through application or desktop virtualization, you can confidently use virtualization technology to prevent breaches through the loss of devices or data without restricting mobility. One less thing to worry about in the complex world of healthcare regulation.
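As an added illustration (not part of the original post), here is a minimal sketch of the kind of audit-log review described above: it flags record accesses that have no treatment relationship behind them, and separately labels self-access and high-profile records. All user names, patient IDs, the log layout and the lookup tables are hypothetical, and matching home addresses is only an assumed proxy for a family or household link.

```python
import csv
import io

# Constructed sample data; every name, ID and field here is hypothetical.
AUDIT_LOG = """\
time,user,patient_id,action
2010-03-02T09:14,nurse_kim,P100,view_chart
2010-03-02T09:20,nurse_kim,P200,view_labs
2010-03-02T10:05,clerk_lee,P300,view_chart
2010-03-02T10:30,dr_patel,P300,view_chart
2010-03-02T11:00,clerk_lee,P400,view_chart
"""
# Users assigned to each patient's care (e.g. taken from scheduling data).
CARE_TEAM = {"P100": {"nurse_kim", "dr_patel"}, "P300": {"dr_patel"},
             "P400": {"dr_patel"}}
# Employees who are also patients: user -> their own patient record.
OWN_RECORD = {"nurse_kim": "P200"}
# Records marked high-profile by the privacy office.
VIP = {"P300"}
# Home addresses, used as a rough proxy for a household relationship.
USER_ADDR = {"clerk_lee": "12 Elm St"}
PATIENT_ADDR = {"P400": "12 Elm St"}

def classify(user, patient_id):
    """Return a reason string if the access needs review, else None."""
    if OWN_RECORD.get(user) == patient_id:
        return "self-access"
    if user in CARE_TEAM.get(patient_id, set()):
        return None  # a treatment relationship justifies the access
    if patient_id in VIP:
        return "vip-no-care-relationship"
    addr = USER_ADDR.get(user)
    if addr and addr == PATIENT_ADDR.get(patient_id):
        return "household-no-care-relationship"
    return "no-care-relationship"

def flag_accesses(log_text):
    """Parse the audit log and return (time, user, patient, reason) tuples."""
    flagged = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reason = classify(row["user"], row["patient_id"])
        if reason:
            flagged.append((row["time"], row["user"], row["patient_id"], reason))
    return flagged

if __name__ == "__main__":
    for hit in flag_accesses(AUDIT_LOG):
        print(*hit)
```

Flagged rows are candidates for a privacy officer to review, not verdicts; whether an access was justified still depends on the person's job.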

Questions? Comments?

While most discussions on successful Electronic Medical Record (EMR) implementation and adoption circle around the proper implementation of clinical workflows, standard order sets, diagnostic codes, and the all-important CPOE (Computerized Provider Order Entry), little time is spent on thinking about how the applications actually make it to the users. I have talked to CMIOs this week at HIMSS who mentioned that improper application delivery actually constituted a significant roadblock or bottleneck towards adoption.
Healthcare organizations have tried anything from Computers on Wheels (COWs) to tablets to smart phones and iPhones. Each modality has its own merits and risks. Let’s have a look:

COWs: With large screens and full keyboards, using the system is as easy as using a desktop computer in the office. However, there are some distinct challenges associated with COWs: They are used by many different people. Although the carts are adjustable, users don’t adjust them in the interest of time on the floor and are therefore experiencing ergonomic problems. COWs are wireless, so the 802.11x infrastructure must be 100% reliable with good signal strength. Map out every patient room using the all-familiar “Can you hear me now?” method of assessing signal strength in every place the COW might be used. Check with your facilities manager whether the COWs in the hallways would violate any fire safety regulations.

Tablets: Overcome some of the bulkiness of COWs. Same challenges with wireless networks though. Check with your users first. Doctors carrying the tablet in one hand and the stylus in the other hand don’t have a hand left to touch the patient. The success of tablets also depends on the specific EMR application you are running. Entering data via the virtual keyboard of the tablet is very time consuming and therefore prone to error. Applications that let users click through selection lists are much more tablet friendly. Consider specialized tablets for the healthcare industry that include scanners and interfaces to diagnostic equipment while maintaining the mobility.

iPhones, SmartPhones: Awesome. Barely larger than a pager with a user interface made for the device. Can’t replace a full application though as many apps are just for vitals, bedside monitor virtualization, results review etc. Smart phones are complementary to other access modalities – not a full replacement.

iPad: It’s coming. I talked to several EMR vendors at HIMSS 2010 in Atlanta this year, who are already working on their user interfaces to make them friendly for user interaction sans keyboard. Of course, the Citrix Receiver will be able to deliver any Windows app or desktop directly to the iPad.

Finally, there are the good old thin clients. These units combine the best of all worlds: Large screen, yet small form factor. They don’t require wireless networks and several incorporate a smart card reader to facilitate two-factor authentication. Have one in each patient room, nursing station and several in the hallways (neatly wall mounted and tucked away while not in use) and you have a solution that allows doctors to use both hands on the patient and use a familiar keyboard for data entry. Use desktop and/or application virtualization so that you can eliminate the end point support team. Depending on the EMR application, consider generic Windows logon and light or no profiles to speed up logon times to the Windows environment. Authentication happens on the application itself in this case. Smooth Roaming capabilities are essential to cut logon time down to a few seconds and provide full mobility on the floor without carrying a device.

Some of the access modalities in your healthcare facility depend on provider preference (yes, doctors do prefer some devices over others and yes, please make your doctors and nurses happy). Use application or desktop virtualization wherever possible to avoid end-point support. Citrix XenDesktop can deliver remarkably high quality application fidelity and image resolution even over longer distances thanks to the bundle of HDX technologies.

What is your experience with EMR implementations and application delivery?
