Wednesday, February 25, 2009

Information Therapy

The term "information therapy" was new to me, but I think this concept should be at the core of our communication strategy:

An Introduction to Information Therapy


Information Therapy (Ix®) is the timely prescription and availability of evidence-based health information to meet individuals' specific needs and support sound decision making. Ix prescriptions are specifically targeted to an individual's needs at a particular moment in care and are delivered as part of the process of care.

Mission: To advance the practice and science of prescribing and using information to improve people's health.

Vision: A future in which every health decision is informed

Center for Information Therapy

Thursday, February 19, 2009

Convenience vs. Security

You might think that IT folks would be early adopters of this communication medium, but a quick survey of posts will show that they're not flocking to this blog. So recently I posed a question to the IT community by taping it on the wall, just outside my office:
"If you can log in to your banking website and be confident that your money is safe, why can't you log in to the intranet from outside the firewall (i.e., via extranet) and be confident that the data is safe?"

The clever folks in IS responded with a "paper blog", attaching a string of printed responses below the original question. Because the topic is so important, I thought I'd share those responses with you. I hope they will illustrate that our "obsession" with security is not intended to create roadblocks to access but stems from serious concern for our ethical obligations to our patients and our liability under the law.

Based on all of the identity theft and credit card fraud, it's hard to believe that anyone actually thinks their data is safe... If someone gets your banking or credit card information, how much do you lose? Maybe several thousand dollars? In medical ID thefts, the costs are usually tens to hundreds of times greater. People whose medical information was compromised have received bills in excess of $100K for operations and hospital stays that they did not actually receive.... The information that we are talking about here is much more valuable and more sensitive than financial data.

All that being said, we really need to provide a much better Web presence and the ability for patients to access their information and set up their own appointments.

Another poster addressed the complexity of providing secure Web access:
My bank uses a mix of AIX and Solaris to run their webservers and databases. They have partitioned databases. Web application servers do not directly access back end databases. The web applications themselves are written in Java. Finally, they have dedicated security staff that runs regular audits & code reviews and monitors web traffic & application performance.

All of that and I still don't actually trust that the site is truly secure, but they warrant that I will not be financially liable for online fraud. What will we be able to refund or un-release if PHI is stolen?

A third poster addressed PHI directly:
Kaiser Permanente lets you see your Electronic Medical Record on their Website. Are they not as serious about protecting PHI as we are?

A fourth poster thought not, citing the following evidence:
Kaiser fined $200,000 for release of PHI
Kaiser worker data breached, identity fraud reported

We in Information Systems are working diligently to find the appropriate balance between convenience and security. We hope that our customers understand that these concerns are not trivial, and we want to work with you to craft a solution that protects patients, employees, and the County without creating undue hardships for those charged with providing direct patient services.

If you have any comments to add on this topic, I hope you will share them with us.

Monday, February 16, 2009

Getting Ahead of the Curve on Electronic Health Record Mandates

Interesting article in today's Washington Post on the potential impacts of the $19 billion in the stimulus package that is directed towards electronic health records. The article focuses on the need for standards (both legal and technical) as well as the vast amounts of additional money that will be required to make this vision a reality. (Others have concerns over the privacy implications of these measures.)

Some may feel it's best to take a "wait-and-see" attitude -- to see how the legislation actually shapes up before worrying about how we'll deal with it -- but I would hope that we can take a more proactive approach.

I think we can all recognize that some form of electronic health record will become commonplace over the coming years. I hope most of us would agree that there are some health benefits to be gained from a universal, standardized system. And still, many have legitimate concerns about how such a system would be implemented and used. That is why we must begin talking now about what a human-centered electronic health record would look like.

"Human-centered" includes privacy concerns as well as software usability. And software usability matters not only to the patient who owns the record, but also to the medical providers and clerical staff who must help keep it current and accurate, the analysts who rely on the aggregate data, and the technicians who must maintain the system!

I think it's important that IS initiate this conversation about the electronic health record, but it's even more vital that it be a cross-disciplinary discussion. Medical providers and clerical support staff who will maintain these prospective EHRs must be at the table, as must representatives from the business side. Together, we should build our own vision of a humane EHR, and we can give our requirements to our representatives to help shape the policy and secure the funding.