A critical mass of computer innovation is poised to produce an explosion of information in healthcare, vastly improving clinicians' access to valuable medical details on patients and their ills.
For healthcare systems struggling to manage a fragmented collection of facilities and work processes, these technological advances carry the potential to finally free caregivers from the limitations of paper records and provide them with broad access to information on patient history, past medical encounters and treatment decisions.
In locations as diverse as eastern Wisconsin, metropolitan Chicago, rural Indiana and New York City, healthcare organizations have turned their attention to strategies for making productive use of comprehensive information.
"We believe that information access within our care system is really key to improving the way healthcare is delivered and (in) coordinating care," says Jack Steinman, vice president of information services at Aurora Health Care, a Milwaukee-based system of 13 hospitals and 106 clinics in a 17-county area. "You can't execute coordination of care unless information can be shared freely."
Yet these leading-edge initiatives are loaded with risk. By their very nature, attempts to greatly broaden access to clinical data can have serious security consequences. Technology that facilitates data sharing also presents thousands of opportunities for inappropriate disclosure of personal information, a peril that did not exist when those details were closely held in paper charts or accessible only from computer systems in one facility or department.
It doesn't take many breaches of a patient's privacy to jeopardize the whole project, says Jay McCutcheon, a prime mover in the building of a regional electronic medical record in a 35-county expanse of northern Indiana and southern Michigan. The project, called Michiana Health Information Network, is organizing clinical data by patient record number on behalf of several cooperating healthcare systems and ancillary facilities serving a largely rural area.
From the time discussions began more than five years ago, "a key success factor was going to be a demonstration of privacy and security to the patient," says Robert King, vice president of marketing for the South Bend (Ind.) Medical Foundation. The foundation is the area's dominant laboratory service and a founding member of the Michiana network.
If only one patient made a case that the clinical database compromised sensitive information, "it would fail miserably," King says.
In addition, the network's prospects for success have hinged heavily on its ability to inspire the confidence of facilities such as hospitals and labs that receive medical orders from doctors and report transactions to the database, McCutcheon says.
That's why Michiana officials spent much of their advance planning on policies governing the security of information. "It's the heart of our business," McCutcheon says.
Other healthcare organizations are reaching the same conclusion: Security and privacy safeguards are essential prerequisites to gain acceptance for the broad data-access goals that will set them apart.
A need for security regardless of HIPAA
The issues of security and privacy are now being addressed by the entire healthcare industry, courtesy of the Health Insurance Portability and Accountability Act of 1996. But the prevalent attitudes, at least in the public arena, focus on the costs and upheaval involved in complying with the letter of the law and its voluminous regulations.
Health plans and healthcare providers will have until April 2003 to comply with 1,500 pages of regulations covering the privacy of personal health information and the rights of patients to exercise control over their medical records. The regulations became final early this year amid outcries from healthcare lobbying forces that they were unreasonably burdensome and costly.
HHS is reportedly close to unleashing final rules defining a set of practices and technical safeguards for computer systems that contain or transmit personal health information.
Industry observers don't expect much change from the proposed regulations issued three years ago, which described an "A-list" of technical requirements-access control, audit control, authorization control and authentication of data-to guard against unauthorized access and conclusively identify those receiving information protected by HIPAA.
Those requirements may be news to many providers, but they're familiar concepts to healthcare systems with a head start on designing accessibility and availability into their computer networks.
At Advocate Health Care, a system of nine hospitals and 4,600 physicians in the Chicago area, information professionals began four years ago to program access privileges according to the role people play in care delivery, says Dan Weegar, director of technology services.
For example, a physician who signs onto Advocate's Web-style secure network sees only his patient census along with posted test results, the status of orders and other information he's entitled to access. A nurse working on a certain inpatient-care unit sees only the information about patients in that unit.
Computer techniques for providing selective access to information based on a user profile or job role have matured in the past few years, providing not only security but also a simple way for users to tap into the information sources available to them instead of continually signing in and out of applications and searching for the bits of data they need.
Having already based their access strategy on such controls, Advocate managers aren't fazed by the data-protection aspect of HIPAA. "It's heading in the same direction that we're already going," says Judith Miller, director of decision support and regulatory compliance at the Oak Brook, Ill.-based healthcare system.
If anything, HIPAA "puts a little added muscle behind it and helps us move quicker" to build a potent information-delivery structure, says Bruce Smith, Advocate's vice president and chief information officer. He compares the HIPAA dynamic to that of the Y2K crisis in the late 1990s, a situation that forced Advocate to consolidate and streamline an information systems hodgepodge more swiftly than might have occurred otherwise.
The final HIPAA regulations also will provide some certainty for those out in front on planning for privacy and security, says Steinman of Aurora. "It will define, we hope, what is good enough," he says. "We're hoping it gives us a good target to focus on."
Regulatory impact aside, healthcare organizations should embrace the basic philosophy of privacy and security regardless of federal dictates, says Richard Bagby, CIO of four-hospital PinnacleHealth System, based in Harrisburg, Pa. "Whether it's HIPAA or not HIPAA, it's the right thing to do, and it needs to get done as we move into a digital age," he says.
Problems pulling information together
The digital age finally would make some sense of the reams and megabytes of data created in healthcare but not put to the most productive use. There hasn't been a way to sort through, organize and deliver clinical information wherever it's needed, especially in healthcare organizations with dozens of facilities and hundreds of separate sources of information.
Efforts in healthcare to digitally capture information have centered on accomplishing a particular process: registering a patient for treatment, automating lab tests and their outcomes, managing medication orders in the pharmacy, and computerizing radiology reports and images.
Often those processes used software acquired from a variety of different vendors, which made it difficult or impossible to merge information on a particular patient in a practical way. The situation was complicated by consolidation of hospitals and other care sites into healthcare systems during the past decade, which multiplied the number of incompatible systems brought together in the same organization.
In addition to the problems of integrating information from different types of software applications, healthcare systems sometimes had to cobble together several disparate applications handling the same work process at different hospitals.
Much of today's clinical documentation is still gathered and recorded on paper and then crammed into traditional medical-record folders. The information that does come from a computer typically is printed out for the paper chart instead of being available from the digital source in an easily accessible way.
A combination of new technologies, however, has shown promise in resolving the longstanding problems with capturing, aggregating and selectively presenting the data healthcare providers need to make better medical decisions.
Improved clinical information applications are committing more information to electronic form instead of paper, and Web-browser technology is being deployed to pluck and present patient-specific details from a range of previously incompatible information systems.
Advocate Health Care, for example, is implementing a series of clinical applications from Cerner Corp. that capture progress notes, medication administration and other data electronically instead of on clipboards and note pads. That follows initiatives during the past several years to standardize applications for financial, patient-accounting and lab operations at the nine hospitals, Smith says.
The result is a substantial increase in the amount of healthcare information kept in electronic form instead of paper, but it's only half the battle for information accessibility. "It's not only how we capture it but how we push it out to people," he says.
In the past 18 months, Advocate has tested and implemented a home-grown Web-based network that integrates clinical information captured from multiple applications and makes it available from a single electronic entry point to authorized users. "This is where the physician goes to get information," Smith says. "It pulls it all together for them."
About 2,000 physicians and another 1,000 healthcare professionals use the network, and managers expect to double the number of users within a year or so. Depending on who signs on, the network is programmed to present a particular cut of data on a subset of patients, including the status of orders and the results of tests from various departments as soon as they're available. A clinician can graph lab results over a span of time to spot a trend or link into libraries for research and medical information.
Committees of physician "informaticists"-doctors skilled in applying information-technology capabilities to patient care-play a role in deciding what to add, and they've compiled a backlog of about 35 functions waiting for implementation, Smith says. Information professionals can work on only four to five at a time, but because the network is Web-browser-based, improvements are available immediately throughout the system instead of having to be installed one site at a time, he says.
That availability also heightens the concern among doctors for security and privacy assurance as they push the limits of the network. "It comes up at almost every session," Smith says. The doctor-patient relationship is built on trust that can be greatly served or suddenly compromised by what the network is allowing clinicians to do, he says. "If we violate that trust, we're in danger of losing" the gains in information access.
Projects to aggregate access to clinical data
Other healthcare systems are hard at work on a variety of projects focused on reaching into their information troves and making pertinent data routinely available to doctors and support staff across a wide geographic area.
* At Aurora Health Care, four hospitals out of 13 are set up for access to a central clinical data repository, and eventually all facilities and physicians in the system will be able to access information in the database based on the need to know, says Michael Gorczynski, an osteopathic physician and director of medical informatics. One of the wired hospitals is a new facility in Two Rivers, which is served entirely through a remote link from Milwaukee, 85 miles away, instead of having the applications installed locally.
The clinical network, also from Kansas City, Mo.-based Cerner, will promote continuity of care by making a patient's record universally available across the healthcare organization, Gorczynski says. For example, he says, a doctor in rural Hustisford, Wis., population 1,070, now can enter a patient's vital signs and chief complaints from an Aurora clinic or from home. If the patient requires hospital care, an attending physician at nearby Hartford (Wis.) Memorial Hospital can look up the record online and see all that was done at the clinic.
The Hartford physician also can refer the patient if necessary to Sinai Samaritan Medical Center in Milwaukee for a cardiac procedure, where all previous records will be available. And when the patient returns home, the original primary-care doctor can quickly bring himself up to date on the results of recent tests and treatments done elsewhere.
* Mount Sinai-NYU Health, a New York-based system with five hospitals spanning the length of Manhattan and a sixth facility in Queens, called upon a vendor of wide-area communications last fall-Seattle-based Aventail.Net-to establish a secure way for physicians and nurses to access information from Mount Sinai's information systems through the Internet. The "virtual private network," which was integrated into the healthcare system's applications and ready for use in seven weeks, provides about 700 physicians with access to patient records, lab results and administrative applications, says Fred Eisenberg, director of information security. He anticipates that 1,000 doctors will be using the network by year-end, and the aim is to eventually have all 4,000 affiliated physicians registered to use it.
The outsourced network cost only $135,000 to implement, and the ongoing cost amounts to about $12 per active user per month, Eisenberg says. "A lot of people register, but a lot of them don't use it on a regular basis," he says. If only 200 of the 700 registered physicians use the network in a given month, for example, Mount Sinai-NYU gets billed only for those users.
* At PinnacleHealth System, physicians have remote access through a Web browser to the information on their patients contained in a central data repository. For now the database has radiology, laboratory and transcription results, but gradually more types of results will be added, says Greg Baugh, director of information systems. Of the 1,006 active physicians on staff, 330 have registered to use the remote access since it was introduced nearly a year ago.
* At Marshfield (Wis.) Clinic, a multispecialty physician organization of more than 600 specialists, an internally developed information network connects 39 care sites throughout northern and western Wisconsin as well as to Saint Joseph's Hospital in Marshfield and Flambeau Hospital in Park Falls. All three organizations use the same identifiers for patients and for providers. Developed during the past 30 years with a focus on system integration, Marshfield's database acts as the lifetime repository of lab and radiology results and event documentation for office visits, problem lists, procedures, diagnoses, operative reports and discharge summaries. During the past several years it has updated its technology to provide faster performance and easier access, and it's developing secure Internet communication with physicians.
* In one of the most ambitious projects involving clinical information access, Michiana Health is developing a secure clinical database that reports tests results and manages the medical encounter history of patients independent of provider organization. A foundation of privacy policies and access protocols allows doctors to see information on their patients from all participating providers and diagnostic facilities, McCutcheon says. The business model is based on a monthly subscription fee according to an organization's size and the services supplied. The single-source approach to clinical records is aimed at putting patients in ultimate control of their medical information, he says.
A question of balance
Competing concerns create a tricky balancing act between timely access and adequate protection of patient data. On one hand, information initiatives have great potential to improve medical decisionmaking. But on the other hand, the risks of exposing sensitive clinical facts about people are ever-present. "As we clamp down on security, we have a razor-thin edge of (latitude) trying to deal with access vs. confidentiality," says Bagby of PinnacleHealth.
But managers in the middle of the balancing act can't lose sight of the basic reason for compiling information, which is patient care, says Smith of Advocate Health Care. "Sometimes that gets a little lost in the discussions about security," he says.
Marshfield Clinic has assembled a comprehensive lode of clinical detail accessible to more than 1,750 healthcare professionals systemwide-some records going back more than 10 years-and the organization has a responsibility to its patients to use all the knowledge it can when making treatment decisions, says Carl Christensen, the clinic's CIO.
"Our view is no patient should suffer due to lack of available information," he says.
That concern has spawned intensive use of pinpoint access controls without any prodding from the proposed HIPAA regulations on security measures. Access controls can immediately grant authorization to the information a user is entitled to see but deny access to records or certain elements of records on patients outside the purview of a particular healthcare professional (See related article, p. 24).
Recent guidance from HHS on interpretation of the HIPAA privacy regulations has acknowledged the importance of unfettered information sharing among clinicians involved in a patient's care, which Christensen says reflects the general wishes of people being cared for.
"Patients are very concerned about privacy of their medical information, but they're not concerned about privacy in their medical care," he says. "They're more concerned about that information getting outside."
The statutory force behind HIPAA's privacy and security requirements, however, can be used to the advantage of security-conscious organizations trying to get business partners on the same page, including other providers, Christensen says.
When Marshfield began sharing information with affiliated hospitals, differences over the types of precautions to take on patient information almost became a roadblock to agreement on data-access issues, he says. "Now we've got something with teeth in it, and it's changing the discussion. We can say it's not just Marshfield Clinic saying this, it's the federal government."