Record locator service a step to health information exchange

By Linda Tucci, Senior News Writer 16 Sep 2009 | SearchCompliance.com

Enterprise IT news roundup Digg This!     StumbleUpon     Del.icio.us

More on healthcare and IT New HIPAA data breach notification rules put health industry on notice How to build a mature information security program: A crisis helps FTC pursuing HIPAA violations as a matter of consumer protection

Around the same time, St Luke's joined other hospitals and clinics in 18 counties, including its bigger city neighbor, St. Mary's/Duluth Clinic Health System, to form the nonprofit Community Health Information Collaborative (CHIC). One of CHIC's first efforts was to help its members secure federal funds to subsidize the cost of installing T1 lines to replace the expensive dial-up modems then used to submit Medicare claims.

In retrospect, said Clark Averill, director of IT at St. Luke's Hospital, CHIC was a precursor to the new regional health information organizations that are designed to facilitate health information exchange in defined geographies and are seen as the lynchpin of the National Health Information Network.

"We took those steps in early 2000 to be a viable health system, and it wasn't to respond to federal legislation. We thought we needed to do it to provide quality and safe care to patients," said Averill, who also serves as board chair for CHIC. "As an organization, we have 10 years under our belt of building an interoperable health care infrastructure."

Next week, CHIC takes another step toward reaching the national goal of seamless access to and exchange of patient health information with the launch of a record locator service (RLS), or patient lookup service, as it's sometimes called. An RLS holds information authorized by a patient about where medical records can be found, but not the actual information contained in the records.

"We think you need to take baby steps. Interoperability and exchange of clinical data is too big to bite off in one chew. We think just getting notification of where people have been, so you can use your own procedures to then get the electronic medical record, will enhance patient care," Averill said.

The RLS will not only potentially save lives, but it will also cut down on waste, said Dennis Dassenko CIO at St. Mary's/Duluth Clinic Health System. "We will not duplicate tests, we will not be relying on faxing, calling around, so it is consistent with what the federal government has in mind about saving healthcare costs," he said.

Centralized database vs. distributed network

CHIC worked with Minneapolis-based MedNetWorld.com to develop the record locator service. Group members were not in favor of using a centralized database to hold the records of where patients received treatment, preferring to keep their electronic health records behind their own firewalls. "It is a bit disconcerting to send 1 million patient records to other entities, allowing them to manage your security. This model keeps it close to home," Dassenko said.

We think you need to take baby steps. Interoperability and exchange of clinical data is too big to bite off in one chew. Clark Averill director of IT, St. Luke's Hospital

The MedNetWorld solution provides a server that stays inside the hospitals and clinics, close to the electronic health record system (St. Luke's uses one from Medical Information Technology Inc.; St. Mary's uses a system from Epic Systems Corp.).

John Fraser, CEO of MedNetWorld.com, explained, "Then we have a central query server that queries the hospitals whenever a question is asked. We can answer questions about where the information is located in an unlimited number of organizations by querying them and without creating a central database. Because of its distributed nature, we believe this provides a vastly higher level of security."

The architecture is based on grid computing, an emerging standard for massively parallel systems -- in this case, to provide patient information. Each of the participating CHIC organizations has agreed to standardize on VMWare. "They download our software from our website, copy it into their VMWare server and select run," Fraser said.

Patient privacy a big issue in record locator services

Instead of a username and password to gain access, security is based on public key infrastructure (PKI), which enables users of a public network such as the Internet to securely and privately exchange data through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The CHIC RLS requires each user to have a PKI credential, or certificate, which MedNetWorld provides.

In addition to security, patient privacy is a big issue. The MedNetWorld protocol for patient consent follows the "gold standard" set by Minnesota record locator service law, which stipulates that a healthcare provider cannot look up a record without getting patient consent, or stating that the situation is an emergency. (Many states have yet to pass legislation on this.) Indeed, the patient can choose to opt out anytime at one facility, and opt in again at another.

"All the servers need to be aware of when a patient opts in or out, so there were a lot of process issues that we worked through," Dassenko said. Patients are still not clear about what they are opting in and opting out of, for instance. "We don't expect anybody to opt out, but you still have to have the workflows and process to deal with that."

Don't 'pave the cow path' with an electronic health record system

The largest hurdle in moving toward an interoperable health network, said Dassenko and Averill, was not so much the technology but using this technology to actually improve on the delivery of healthcare. Unlike in banking or manufacturing, where a technology process like an ATM exchange is integral to the business, the electronic record is adjunct to the experience. Healthcare relies on the doctor understanding what the problem is, a knowledge based on experience. The record locator service, and other electronic record technologies, record the event but rarely make the difference in the event, Averill said.

"We tried to implement the technology in a way that enhances the patient care experience, and doesn't, as I like to say, 'pave the cow path' -- putting an electronic system on top of the way it's always been done," Averill said.

Dassenko added, "It's just a first step in a journey that we don't know the end of. But it is progress."

Tags: HIPAA and other healthcare compliance requirements,  Data retention and compliance software,  Managing governance and compliance,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT HIPAA and other healthcare compliance requirements IT compliance: FAQs about IT operations, regulations and standards Enterprise document management FAQ: IT operations and compliance Google adds Dashboard: Does transparency mean more online privacy? Compliance news quiz: Test your knowledge of FTC, SB 20, PCI and more HIPAA-covered entities' first step should be a quality assurance plan HITECH moves electronic health records forward; standards to come HITECH FAQ: What is the impact of the HITECH Act on IT operations? Discovery of data breach under HITECH raises big compliance questions Healthcare, cybersecurity policy and privacy on legislative agenda FTC pursuing HIPAA violations as a matter of consumer protection Data retention and compliance software Data loss prevention technology matures but is still no cure-all Be ready for electronic discovery with a records retention policy Discovery process puts onus on electronic records management tools Voices from RSA: CA's Dave Hansen on compliance strategy Biometric security data adds layer of privacy compliance risk Podcast: New Massachusetts data protection law mandates IT compliance How State Farm saves millions on electronic data discovery Hacked dental school server compromises 300,000 Data center virtualization: Four steps to compliance Google amends log retention rules, privacy advocates respond Managing governance and compliance A business continuity management standard would offer consistency Business Model for Information Security: Security right the first time Facing uncertainty, IT turns to governance, risk and compliance, ERM Google adds Dashboard: Does transparency mean more online privacy? NERC CSO warns of cybersecurity threats, risk to electric grid Priorities for your sound regulatory compliance management policy Threat management for information systems relies on categorization HITECH FAQ: What is the impact of the HITECH Act on IT operations? Survey shows privacy policy success lies in collaboration with IT U.S. CIO Vivek Kundra on Data.gov, OpenID and government transparency

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Dossia  (SearchCompliance.com) personal health record (PHR)  (SearchCompliance.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary