Electronic Health Records: Finding the Perfect Lock and Key

October 1, 2007
MDNG Primary Care, October 2007, Volume 9, Issue 10

Despite evidence that implementing an EHR brings many benefits to a medical practice, cost and privacy concerns slow widespread EHR adoption by physicians. Even if they don't go completely...

Question: if you had a winning lottery ticket in your hands, a jackpot to change the course of your life—how much would you invest to keep it safe until you turned it in? Would an old shoebox do? A sock drawer? A state-of-the-art, armor-plated vault under 24-hour armed surveillance? A similar question faces US physicians today as they work to keep their patients’ healthcare information safe yet accessible. Secure electronic healthcare records (EHRs) were once a nice thing to have—the hallmark of a practice ahead of the technology curve.

The potential benefits to be derived from electronic records convinced a small percentage of practices to become early adopters, with larger group practices, hospitals, and other institutions better equipped to absorb the costs of development and implementation leading the charge. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other oversight legislation included provisions governing the collection, use, and dissemination of electronic data. As adoption rates increased and new technologies were developed, every substantive healthcare proposal and legislation (such as the Medicare Modernization Act of 2003) was crafted with an increasingly computerized and automated healthcare landscape in mind. So much progress has been made that what was once a nice thing to have is now viewed as a virtual necessity by many healthcare stakeholders and opinion leaders. Even policy makers have jumped on the bandwagon, culminating with President Bush’s 2005 State of the Union Address calling for all US citizens to have access to EHRs by 2014.

The impetus behind the great push toward EHRs has been, according to HHS Secretary Mike Leavitt, “to make medical clipboards and prescription pads a thing of the past” and, as a result, increase the safety and efficiency of healthcare delivery in the United States. Rising healthcare costs mean greater-than-ever demand for uniform healthcare data with which to evaluate alternative coverage and treatment approaches and reduce the administrative costs of delivering care.

Paper or PDA?

Reducing the administrative costs of delivering care, curiously enough, has not been a compelling reason for the vast majority of the country’s doctors to trade in their clipboards and prescription pads for computer screens and PDAs. That’s in part because single-physician and small-group practices are having a difficult time justifying the current cost and disruption to workflow of converting from traditional paper-based health records and files to EHRs. At the most basic level, many physicians simply don’t know where to start when it comes to EHRs. To help physicians choose from among the flood of hardware and software providers who were rushing to market in the hopes of serving them, the Certification Commission for Healthcare Information Technology (CCHIT) was formed in 2004 by the American Health Information Management Association (AHIMA), Healthcare Information and Management Systems Society (HIMSS), and The National Alliance for Health Information Technology (Alliance). As of this writing, dozens of ambulatory EHR products had achieved CCHIT Certified status.

“Eight to ten percent of our 93,000 members were using EHRs in their practices by 2003,” says Dr. Steven Waldren, director of the Center for Health Information Technology (CHiT) for the AAFP and one of the leading experts in the field. “Now we’re seeing about 50 percent: 37 percent of our member practices are fully implemented with EHR and another 13 percent are starting the process” [Figure 1]. Still, Dr. Waldren cautions that these percentages shouldn’t be used to draw a conclusion about all US physicians. The EHR usage rate for all physicians nationwide, he says, hovers somewhere around 15-25%.

Who’s Going to Pay for All This?

“The main reason for the lag is the cost of these systems,” Waldren readily admits. “The average cost of adopting EHRs is somewhere between $35,000 and $40,000 per physician, and this can easily go as high as $80,000.” The cost varies widely because of tangible and not-so-tangible factors [see Figure 2]. The purchase of the hardware and software alone needed to convert what may be decades of patients’ paper health records is certainly a big part of the cost, as well as annual licensing fees to use the vendor’s software (if it’s not a proprietary system), system maintenance, and record updating. Time lost due to training office staff on the new system is another, less directly measurable expense many doctors are loath to incur.

Proponents of widespread EHR adoption, from government and the medical community alike, say the upfront monetary and time investment of migrating over to EHRs will eventually pay for itself. One early HHS report suggested ambulatory practices could save up to $70,000 during a nine-year period with EHRs, mostly by eliminating duplicate record entries and streamlining electronic billing. Even so, the incentive to invest in an EHR is low for a doctor just out of medical school facing enormous student loans or, on the other end of the scale, a doctor who’s about to retire. Combine this with the almost total lack of government or insurance industry reimbursement for doctors who do invest in EHR, and the appeal all but disappears.

“Another issue is vendor lock,” Waldren says. “Physicians are concerned they may pick the wrong EHR vendor and be contractually stuck with a system that doesn’t work for them or face having to start from scratch and re-key their records into a new system all over again.”

This has created a chicken-and-egg scenario. “If only 10% of doctors are using EHR in their practices, the vendor’s sale price is going to be relatively high,” says CCHIT chair of security Soloman Appavu. “But as market adoption increases, the cost should either go down or stay the same. Competition may improve the cost of these products.”

What’s the Password?

In addition to cost outlay, ensuring the security and privacy of electronic medical information is another key issue in the current uphill battle to get physicians to warm up to EHRs. It is difficult, if not impossible, to separate the security component out of a larger EHR system—at least according to CCHIT. The CCHIT does not make this distinction when deciding which EHR systems get their stamp of approval—a system is either fully compliant with all CCHIT criteria, including the security component, or it is not. As evidenced by the rather lengthy security criteria with which systems must comply if they hope to become CCHIT-certified, data security is a big part of EHR functionality. HIPAA also placed a premium on ensuring the security and privacy of electronic records, designating four categories of requirements that a covered entity would have to address in order to safeguard the integrity, confidentiality, and availability of its electronic health information pertaining to individuals: administrative procedures, physical safeguards, technical security services, and technical mechanisms. Briefly, these encompass security policies and procedures to be followed by physicians and support staff, data integrity and backup, security measures to guard against unauthorized access to patient information inside or outside of the practice, and the control of individual access to patient information.

Patients’ confidence in the security of their healthcare information is perceived by many to be playing a part in the speed (or lack thereof) with which physicians make EHRs part of their practice. A 2005 survey conducted by the California Healthcare Foundation (CHCF) and Forrester Research revealed that, despite federal protections under HIPAA, two in three patients in the US were concerned about the confidentiality of their personal health information and were largely unaware of their privacy rights. One in eight patients surveyed said they were so concerned about the privacy of their personal health records that they’d omitted or lied about their medical history out of fear that employers may use the information against them when making hiring decisions. “As efforts to develop a nationwide health information network proceed, concerns about personal privacy could have major implications,” the survey said. Yet close to 60% of the same group said they would be willing to share personal health information if they believed it would result in better medical treatment.

Many health IT experts and EHR advocates are of the opinion that current barriers to greater EHR adoption are not insurmountable. They also agree that concerns over data security and privacy are valid and should be taken seriously. Accordingly, there are several minimum security standards all practices should follow. Likening EHR security standards to those used when people withdraw money from an ATM, pay bills online, or make purchases from Internet retailers, Appavu says there is a basic set of security measures any physician practice, large or small, should look for when selecting an EHR system. “Record authentication, authorization, accountability of people who have access to records, access control, audit trails, encryption, data backup and system recovery are the major security components that are critical to any EHR system,” he says.

“Look for a CCHIT-certified product,” says Dr. Kenneth Adler, a longtime EHR supporter who writes and lectures frequently on the topic. Adler spearheaded the implementation process for an EHR system for his own 86-member physician team several years ago (you can read about this experience). “The very minimum requirement you need to have is password protection. Password protection and user IDs should change every two months as part of an automated process.” For physicians who may want to go a step further and communicate with patients through e-mail, Adler says, a secure firewall is a must. “Any Internet-based product needs to be strong, especially if you’re a physician who will be accessing records outside of the office. You need a VPN connection in that case. This is where people can really have problems with security.” Wireless networks should also be secure.

“You probably don’t want to be accessing patient records from your laptop using Starbucks' wireless connection.” Anti-virus software and other protections are also a must. Virus protection will take on even greater importance once EHRs become truly interoperable and the barriers to rapid and reliable data exchange are removed. The potential dangers to data security and privacy are an order of magnitude greater when you’re talking about electronic data exchange between an ambulatory clinic and a hospital or a physician and a pharmacy, rather than having patients walk their own records from one office to another. But with physicians still only dipping their toe into the EHR waters, these more advanced capabilities will likely come into widespread use very, very gradually.

“You really need to make a clinical and business decision to move your practice forward,” Waldren says. “If you make those two decisions, you’re well on your way to getting an EHR. From a security standpoint, yes, there is a risk, but it is fairly small and by remaining diligent, you can keep your records secure. On the other hand, look at the doctors and patients in New Orleans who had paper records only and who now have no medical records because of Hurricane Katrina.” “In the end,” Waldren says, “you have to decide what is right for you and your practice.”

Diane West is a freelance healthcare journalist.