I am Dr. Lewis Lorton, Executive Director of the Healthcare Open Systems and Trials consortium (HOST). We appreciate your inviting a representative of HOST to address the state of the industry concerning uniform standards and practices for patient medical record information.
I am honored to be here in the company of these other panelists whose experience and specific knowledge shall certainly bring illumination to some of the murky problems associated with electronic patient records.
I have always been intrigued by the complexity of health information systems. There is a greater variety of data, greater numbers of stakeholders, greater numbers of requirements in healthcare than in any other industry. This complexity has generated the enormous problems of identifying and developing a complete set of standards in the face of enormous change in both the electronic infrastructure and the organization of healthcare.
The problems in developing complete set of robust standards for electronic patient records is so great as to have stymied the combined resources of many brilliant and devoted scientists for the last two decades. Much of my career was spent as a bench scientist and, in circumstance such as this, where the problem seems overwhelmingly complex it is wise to attempt to decompose the problems into smaller, more manageable issues. In this testimony I would like to address some of those issues.
HOST is a non-profit organization representing many of the diverse stakeholders in health care. We are committed to increasing access to in health care through the use of information technology. HOST was founded in 1994 to provide, not a forum, but a neutral workplace for the industry to develop and implement technology solutions. We encourage and support the standards development organizations (SDOs); in all of our implementation efforts we use existing standards and we work with these same SDOs to extend and improve these standards
Why is healthcare not just another major information technology application? After all, other huge organizations even industries have successfully standardized very large integrated information systems.
There are a number of reasons why these problems have not yet been solved in healthcare. Healthcare is a unique environment with a huge variety of types of data, many requirements, diverse kinds of stakeholders with unique needs and a culture that prizes individualism. To some degree, implementation could not wait for a system of standards to be produced by under-resourced standards development organizations. Within this hugely complex environment, the development and implementation of standards lagged far behind the actual implementation of systems
The problems were under-appreciated for years because health care was generally delivered at the community level – whatever the size of the community - and, until recently, there was not a compelling argument for healthcare information systems that extended beyond the community. Organizations were limited and the communications infrastructure would not support simple, cost-effective movement of large amounts of data. Thus system developers were comfortable, or rather not-too-uncomfortable, with non-standard approaches, local structures, local systems, even local languages.
Within this environment, literally hundreds of developers sprung up to provide their customers with computer systems. Each medical specialty within a medical center might expect individual interfaces, languages, might even have distinct usage of common words. It is not uncommon for a medical organization to have a variety of clinical and administrative systems that might run on the same network but can not exchange data.
The effects of the Standards Developing Organization just couldn’t keep up with the profusion of development activities and the enormously quickly changing environment.
What has changed to encourage a higher level view at the crucial need for standards? In the last several years, the organizational structure of healthcare changed drastically – new, larger organizations formed and old boundaries disappeared. The need to survive in a chaotic marketplace and the downstream benefits of information systems technology became apparent and many organizations resolved to make the move to implement integrated systems only to face a Gordian knot of technology and system problems.
There is an incredibly complex set of problems, and there can be no simple set of solutions. There are, potentially enormous benefits if these solutions can be realized. All of the healthcare informatics industry and healthcare in general would benefit enormously from clear direction and stable, complete standards.
The Federal Government, as both the largest potential beneficiary and the most powerful single entity, should become the instigator and motivator of government and industry partnerships to make progress. I am not implying that the government provides the answer but only that it becomes the motivating force to direct and support the industry in working towards solutions.
It is my conviction that, in fact, the only player in this game with enough influence and no proprietary interests is the Federal Government. The government has already made one step in developing itself as the directing force. A consortium formed from the Department of Veterans Affairs, the Department of Defense, the Indian Health Service and the Department of Health and Human Services (with the additional involvement of the State of Louisiana through LSUMC) intends to develop a standard government computer patient record. This is probably the largest-ever, non-proprietary effort to bring some degree of uniformity to the computer patient record.
We are certainly immersed in huge, multi-dimensional problems and I find myself, not with solutions, but suggestions as to direction.
I would like to address two separate components: first the targets for standards development and second, how the definition of the security structure is dependent on the ultimate definition of the extent of a medical record.
There are three projects that might serve, in different ways, as exemplars for the development of standards:
In each of these efforts, the stakeholders were motivated by clear-cut requirements and economic interests to define what information could be exchanged and then to decide which of this information actually had enough worth to warrant the exchange. Mechanisms to manage incompatibilities were defined and then formal structure was built which allowed the interchange of the chosen data and allowed future additions.
The crucial content points are:
Crucial operational points are:
Thus the possible process for directing the development of a suite of standards and the milieu in which the EMR should operate would be:
Automated Information systems (AISs) streamline and increase the efficiency of operations by providing access to a multitude of data by a myriad of users. This collection, aggregation, and distribution of various types of information also increases the need for its confidentiality and protection. The medical community is aware of the requirement for implementing technical, administrative, and physical safeguards to protect its information systems and is also aware that successful security emerges from strict and rigorous policy.
Last year the HOST consortium interviewed a series of individuals who had been active as 'privacy advocates.' We asked them to discriminate between data which should be considered strictly limited to specific health care providers and which data could be considered as general health information for use by any health care provider.
Inevitably the discussion involved around privacy and HIV status and, equally inevitably, we ended up with this list of items:
The points then discussed were how to decide which information to censor from records – and from which type of practitioner - and the difficulty of censoring information which reside on systems that are not directly influenced by the clinical privacy policy.
Consequently, because data can be used for many functions, aggregated in many ways, and the associated value of its loss or harm changes with respect to that aggregation, it becomes impossible to consider data as static.
To implement the proper information security controls and restrictions requires, not only an understanding of the types of data that will be processed, how they will be stored, and who will have access to them, but also requires an deep-down awareness of how each specific data element should be treated and under all conditions.
To provide confidentiality and privacy in today's healthcare information technology systems and bridge the gap between policy and implementation of security mechanisms, the development of a structured evaluation and assessment process for the community's information technology products and systems is imperative. This structured evaluation activity must be combined with an overall operational security assessment to provide a framework under which healthcare organizations can make informed decisions.
This approach also benefits the product and system vendors by clearly articulating the security requirements and standards that apply to healthcare systems and products, and provides an objective method for assessing how well their products or systems comply with those requirements. Of course, the entire healthcare community would benefit from standard evaluations, perhaps from third party security evaluation facilities, to buy those products that have successfully achieved the security equivalent of a "Good Housekeeping Seal of Approval".
The basic, underlying requirement for sensible security policy and standards is an understanding of what the medical record is, and how all its parts should be treated. It is this effort that I hope the NCVHS will promote and support.
We appreciate the opportunity to comment on the processes to ensure that health care will be able to reap the benefits of information technology while preserving the confidentiality and data integrity that the American people expect. Healthcare in the United States, if we are to have some EMR that will provide national benefits, can no longer let standards development be the under-resourced effort it has been. We must decide on our goals and commit resources in an organized manner to attain them. The Federal Government, just as it motivates and sponsors public health efforts, should take the lead in government/ industry partnerships to make this happen.