Electronic Medical Records - Health Care's Next Challenge in Cyberspace

The quest for health care reform and the dynamic growth of integrated delivery systems have led to significant developments in the application of information technology to the health care industry. Multiprovider organizations now link computers on different floors, at different offices, and in different states to share patient information throughout an integrated network.

Successful managed care demands advanced information technology that can manage the patient's care. Electronic medical records can streamline patient management, provide instant access to data by multiple users, promote preventive medicine, facilitate research, improve billings, and minimize professional liability. But they also pose far more serious and unique legal challenges to health care professionals than traditional, paper-based patient records.

The computerized medical record relies on a series of products and software packages considered only an emerging technology a few years ago. In a recent survey of information systems trends in healthcare organizations conducted by Coopers & Lybrand for Modern Healthcare, seven in 10 respondents indicated that systems which make patient information and histories accessible throughout their organizations are operational or under implementation. The average annual projected spending on information systems during the next three years is $8 million.

Major Changes in the Delivery of Care

This move to a digital medium changes fundamentally how providers deliver care and which data are essential to them. For example, one health maintenance organization in Philadelphia plans to launch a new medical management system in May that allows a patient's electronic record to travel with him or her throughout the health maintenance organization's delivery network.

Rather than make an appointment with a primary-care gatekeeper, a subscriber seeking medical care will contact a 24-hour call center staffed by case managers who are registered nurses. The case managers will have immediate electronic access to every available piece of information on that patient from a computerized medical record stored at a regional data repository. The nurses will reach conclusions about possible care based on "triage algorithms" and the patient's responses, and then direct the patient in self-care or to a primary care physician, specialist, or emergency room.

Physicians can access the patient's medical records, review best practice protocols, schedule specialist appointments, obtain treatment authorizations, order laboratory tests, and compare their performance with their peers.

The health maintenance organization claims that the new system will improve both medical decision-making and preventive care. The call centers can also remind subscribers to take medications or make appointments for periodic tests.

Under evaluation at one cancer center is a system that will link the terms and conditions of managed care contracts to physicians at the point of care. The system will identify the most appropriate treatments, determine whether the treatments are covered, and obtain preauthorization for procedures.

Risks for Computerized Records

From the perspective of professional liability, the computerized medical record poses less risk than multiple medical histories in different locations, all with different, or contradictory, information. A physician in an emergency room can access vital data, and check a patient's allergies or prescription medication, even if the patient is unable to describe or recall his or her medical history. The electronic record improves patient care by ensuring that the correct information, such as the proper medication or dosage, is retrievable and legible.

However, the advantages that attend the electronic medical record in a multiprovider network, including the final link which connects the institution with the office-based physician, increase the risk that its confidentiality cannot be adequately maintained. In hospitals, nursing homes, physicians' offices, home health agencies, and health maintenance organizations or other managed care plans, billing clerks, data entry operators, nurses, secretaries, and other personnel may have easy access to vast amounts of centralized medical information.

The increased volume and sophistication of computerized patient information also make that information more valuable to users who wish to sell, exploit, or abuse it. A single breach of a patient record system's security can result in almost instantaneous transmissions of thousands of confidential records. In information systems which are not well monitored, remote access may pass without notice. Integrated delivery systems and multiprovider networks must secure that information from access by electronic trespassers while at the same time allowing routine access by qualified users.

New Security Threats

The laws which govern the confidentiality of health care information require proper system and data security. If a system lacks reasonable security in design, operation, or maintenance, a court could determine that the records stored on that system are not sufficiently reliable to be admissible in a legal proceeding. As a result, a health care provider might not be able to defend itself properly in a malpractice case, or a patient might not be able to substantiate the right to custody in a domestic relations proceeding. Other breaches of system security, such as computer sabotage (viruses, worms, bombs, and Trojan horses), can compromise the accuracy of patient records and potentially harm the patients. The patient's providers may be liable for that harm.

If a patient record system slows down or crashes, whether through a deliberate or an inadvertent breach, users may be unable to access records. Inaccessibility of patient records not only poses potential harm to the patient but may delay or preclude proper reimbursement and result in peer review actions as well. Health care providers should consider separate back-up systems for their medical records repositories.

One approach to limiting access to electronic records is to maintain two levels of information -- one with easy access for basic information, and another with limited access for more sensitive information. Another approach requires the entry of a special code or password. Advanced technology now also permits biometrics-based authentication, which relies on some physical characteristic of the user, such as fingerprints or voice patterns. Other good security methods, such as data encryption and compression techniques, raise the question of whether a record that has been compressed or encrypted -- or retranslated from its compressed or encrypted form -- is the "original" record for evidentiary or regulatory purposes.

Facilities which contract with outside computer service firms for automated record storage should require that their service agreements include provisions governing confidentiality of patient data, storage security, and indemnification for wrongful disclosure.

Other Risks

Records subject to access throughout an integrated network may lead to claims that providers who review a record must act on the information in it, even though a particular provider would not ordinarily pursue an unrelated medical problem. For example, if an orthopedic surgeon notes that a patient has complained consistently about chest pain, he or she must consider whether to instruct the patient about coronary artery disease. If a managed care organization collects sufficient data to indicate a case of child abuse, a reportable infectious disease, or an impaired professional, it may be obligated to report that information to the proper authorities.

Another concern relates to the verification of patient records. Computerization may facilitate the improper addition of notes. A user may wish to make the record appear as if information was timely added, or may wish to alter incorrect information to make it appear that it was originally correct. Also, verification of a valid signature of a computerized record or entry is problematic. An increasing number of states are now requiring certain standards for electronic authentication of medical record entries and electronic signatures or computer-generated signature codes. Electronic records also raise special concerns regarding their durability.
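The verification problem described above can be made concrete with an append-only chart in which every entry is hash-chained to its predecessor and carries a per-author signature code, so that corrections are added as new entries and an in-place alteration is detectable. This is an added example, not part of the original article; the user names, keys, field names, and the use of HMAC-SHA-256 as the "signature code" are assumptions for illustration.

```python
import hashlib, hmac, json

# Constructed per-user keys (assumption: issued and held by the records system).
USER_KEYS = {"dr_lee": b"constructed-key-1", "rn_ortiz": b"constructed-key-2"}
GENESIS = "0" * 64
FIELDS = ("seq", "author", "recorded_at", "text", "amends", "prev")

def entry_digest(entry):
    """Hash every field that defines the entry, including the previous entry's hash."""
    body = {k: entry[k] for k in FIELDS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def signature_code(author, digest):
    """Computer-generated signature code binding an author to an entry digest."""
    return hmac.new(USER_KEYS.get(author, b""), digest.encode(), hashlib.sha256).hexdigest()

def append_entry(chart, author, recorded_at, text, amends=None):
    """Add a note; a correction references the entry it amends instead of overwriting it."""
    entry = {"seq": len(chart), "author": author, "recorded_at": recorded_at,
             "text": text, "amends": amends,
             "prev": chart[-1]["hash"] if chart else GENESIS}
    entry["hash"] = entry_digest(entry)
    entry["sig"] = signature_code(author, entry["hash"])
    chart.append(entry)
    return entry

def verify_chart(chart):
    """Return (seq, problem) findings; an empty list means the chart is intact."""
    findings, prev = [], GENESIS
    for i, e in enumerate(chart):
        if e["seq"] != i or e["prev"] != prev:
            findings.append((i, "chain broken: entry inserted, removed or reordered"))
        if entry_digest(e) != e["hash"]:
            findings.append((i, "content altered after signing"))
        if not hmac.compare_digest(signature_code(e["author"], e["hash"]), e["sig"]):
            findings.append((i, "signature code does not match author"))
        prev = e["hash"]
    return findings

def build_sample_chart():
    """Constructed sample chart: two notes and one amendment to the first note."""
    chart = []
    append_entry(chart, "rn_ortiz", "1996-03-01T09:15", "Patient reports chest pain.")
    append_entry(chart, "dr_lee", "1996-03-01T10:02", "Ordered ECG.")
    append_entry(chart, "rn_ortiz", "1996-03-02T08:30", "Correction: pain began 2 days ago.", amends=0)
    return chart
```

Because each hash covers the recorded time and the previous entry's hash, rewriting an old note or slipping in a backdated one changes a digest that later entries and the author's signature code already depend on.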

Finally, if a network uses teleradiology -- the electronic transmission of digitized images -- the "reading" physician may not be licensed in the state where the patient is located, or may not have privileges at the patient's hospital. Teleradiology raises issues of licensure and jurisdiction by the local board or courts.

Inadequate security of confidential health care information can result in severe emotional, financial, or adverse physical consequences for the patient, which, in turn, could lead to costly litigation and damages. Excessive restrictions, however, may prevent a health care provider from retrieving essential information when the patient needs it. Any provider that maintains or accesses electronic medical records, therefore, must adopt and implement appropriate policies, rules and regulations to govern their access and use, and to ensure their availability and integrity over time.
