Wednesday, April 13, 2011

Health Information System as Data Conduit

A health information exchange is a device that moves medical information from one authorized entity to another. Ultimately, these "authorized entities" are people who need to examine medical records, but an authorized entity may also refer to a device, for example a computer you use to manipulate and work with medical records. Anything that holds a copy for a period of time falls under this category and must therefore follow the rules. Secure transmission is essentially a solved problem, and may be treated in a separate data transmission layer. While consent and authorization rules may get complicated, at any given time an entity may or may not have authorization to view a piece of medical information. When you request protected health information (PHI) it is delivered from a repository to you, across a network. While you are working with the PHI, you keep a copy in your sphere of control. The data exists in its secure repositories, and in your immediate control, and nowhere in between.

Anywhere PHI may be stored and used must be secure. Yes, it's great to have all that important information zipping around everywhere, but first, do no harm.

This is a diagram of the basic information flow.

When you want to work with a patient's medical record, you request a copy from a repository (maybe more than one) and it is delivered from the repository to you without leaving a trace anywhere in between. No copies, no caching, nothing. When you're done, all that PHI disappears completely from you local system, leaving only those copies stored in secure repositories within the health care system.

A health care professional (provider) is authorized to view a particular piece of PHI for a period of time. When a device or person becomes "de-authorized" to view a record, for example when a provider "logs out," then that PHI should be gone, leaving nothing of itself anywhere in the system. If a patient changes providers, then the consent rules change accordingly. Most commonly, consent is given for a finite period of time and will expire unless explicitly renewed. (This medical record will self-destruct on July 13, 2011.) PHI always exists in the secure repository and the patient, that is to say the person whose medical record it is (the "owner" of that medical record), is permanently authorized to handle the PHI and give or take away consent.

An ideal medical record, therefore, knows who is and isn’t authorized to see it at any given time, and is kind enough to politely decline to be transmitted or remove itself from an unauthorized system.


John Moehrke said...

I think this is a nice vision, and I would totally agree that any EHR client should operate this way. I know that quite a few EHR products work this way including those form my company.

But I struggle how in the current Medical Legal Records environment this can be done when the custodian of the data is not the same as the user of the data. Care givers have a Legal responsibility to maintain copies of any evidence they used to come to a medical decision. This drives the need to keep a 'secured' copy.

asdf said...

You're right, that's how it should work. I find it interesting, the trust relationship between doctor and patient has a finite time period, after which it goes into a "vault" of sorts, so a provider can maintain historical records.