Protecting the Electronic Health Record - Our Centerpiece
The character of healthcare today intensifies the need to protect patient data from unforeseen disasters and destruction. In recent times, providers of care have increasingly expanded their computerized technology portfolios and increased contributions to Electronic Health Record (EHR) repositories as a replacement for the patient chart. Developing a business continuity plan for the EHR must integrate all components of application, data, and technology in one place. Usually spread across diverse environments, today's EHR is an ideal candidate for disaster. Many healthcare providers use an EHR that is not dependent on a single piece of hardware. Rather, the EHR is often splintered into many components that are assembled in an interoperable fashion, sometimes in back rooms or in data centers miles away. Radiology and cardiology images are stored on one device, patient lab results may be stored on a separate storage subsystem, the patient's history and physical examination data are transcribed onto an optical disk, and the Web tool for viewing may be on yet another server. Approaching disaster planning from an "avoidance of disaster" perspective offers huge advantages in limiting loss.
The strategy outlined in the current national strategic framework for providing consumer-centric health information moves the focus away from paper to a robust digital patient record that is viewable, portable, and accessible, any time and any place. This translates into computer servers, complex network switches, routers, and many sophisticated components and peripherals. Whether in a single clinic using one computer or a large integrated health delivery system using complex instrumentation interfaced together on many servers to create a combined digital patient record, the consumer's perception of quality is proportionate to the provider's level of technological sophistication. Once a care provider crosses the chasm to a digital electronic patient chart, any disruption in the technology link jeopardizes patient care. Nowhere is this more evident than when providers use technology tools such as digital imagery, e-prescribing, and automated electronic records interfaced with remote lab results. Computer technology now allows for medication administration and formulary management utilizing up-to-date, rules-based practice, helping to avoid errors involving prescribing the wrong drug at the wrong time.
Using technology for medication administration has been shown to significantly reduce adverse reactions. Critical paths for diagnostic care and clinical outcomes management have become difficult to manage manually. Errors in patient diagnosis affect patient safety and have repeatedly been shown to increase healthcare costs. The larger the scope of care (e.g., hospitals, larger group practices), the more reliant the providers become on automated computer technology. Some hospitals, for example, have begun to use a technological imprint of patients through the use of portable Radio Frequency Identification Devices (RFIDs), using a bar-coded wrist bracelet to track the patient from admission through each and every procedure, lab test, dose of medication, dietary plan, and discharge. The interoperability required for this technology to work seamlessly is complicated and presents tremendous risks if it fails. An eight-hour interruption in access to clinical information systems would create a serious problem, not to mention discourage use of the technology.
The healthcare industry has begun to evolve to using electronic healthcare records, and it is unlikely to return to paper once the paper chart is fully automated. Investment in computer technology will continue to grow over the next 10 years as greater efficiencies are recognized, and protecting the security of EHRs will become commensurately more important. Investment is necessary in both areas to achieve true reliability, save lives, and reduce healthcare costs. We must guarantee that records are adequately protected. The foundation of the EHR, specifically identified in the Strategic Electronic Health Record Initiative, will have long and far-reaching effects over the next 10 years. The goal of the initiative is to have and maintain an electronic health record for every individual in the United States by 2014. The strategic framework falls into several categories:
- Informing clinicians: Technology is shown to improve efficiency of clinicians and patient care and can offer a higher quality of patient care.
- Interconnecting clinicians: The EHR will be more portable and will offer a more longitudinal view of the patient across the continuum of care. Delivering a dependable EHR to care providers can increase efficiency and enhance patient care.
- Personalizing care: An informed patient means that a patient may participate more in the care process. Access to their patient information electronically will allow patients to receive more timely care and allow greater involvement, making healthcare more patient focused.
- Improving population health: The creation of health surveillance systems that alert of bio-terrorism and food alerts, offering protection of the health of the public in general and acting on major events that impact the public good, will require a timely response.
Technology will be required to accomplish this and must be dependable. The availability of clinical research information and decision support to create new opportunities will ultimately improve healthcare. The Certification Commission of Health Information Technology (CCHIT), formed in September 2004, recently chartered the accelerated adoption of a robust, interoperable health information technology by creating a mechanism for sustainable certification for IT products purchased by patient care providers. This means that the EHR will have standards and will interconnect. Guiding principles include interoperability, functionality, and security standards that would govern product certification, exclude platforms, create environmental factors, and develop baselines for "essential" security fundamentals. Uptime, performance response time, and version control will be included under reliability standards. The amount of patient data that will be stored will be immense. Terabytes of data will be housed separately in many corners of healthcare. In a program that compounds data perpetually, a plan for the management, protection, and restoration of these huge stores of patient data will be paramount.
How can health providers (hospitals, medical practices, home care agencies, etc.) meet these requirements and, at the same time, reduce costs? First, the passage of time is a significant factor, which has proven to solve some of the interoperability issues we faced in the past. EHR technology has become more efficient. Technologies will continue to improve, resolving many current limitations and risks. However, even the most reliable technologies sometimes fail, and a care provider may have to pull out the reference manual to see how to correct a problem. Purchasing technologies and tools that meet reasonably open standards for interoperability, security, and reliability will provide a stronger foundation for the health IT system. Unfortunately, interoperability and reliability are not always guaranteed with today's available technologies. Having a documented, sustainable disaster recovery plan should be included as a part of any EHR. A disaster recovery plan should not have to compete for costs, resources, and demands for investments. It is simply the right thing to do.
Strategy for Reinforcing the Electronic Health Record
It cannot be overemphasized that developing a plan to protect EHRs following a disaster or outage is critical. However, the uncertainties involved force providers to make choices and live with the amount of risk that they decide to take. Healthcare Information Portability and Accountability Act (HIPAA) legislation mandates that disaster recovery planning be part of the protection of patient data; however, the law does little to provide guidance on how to accomplish that task. Creating an industry standard and applying it to EHR applications purchased (or developed) will help. Industry disaster recovery planning methodologies exist that are commonly used in a prospectively developed plan. Performing a retrospective assessment after a catastrophe occurs is simply irresponsible business planning. Business interruption insurance allows financial losses to be recouped after a disaster, but is of little help when patient care is affected and negative patient outcomes occur. This type of casualty cannot easily be measured, but the long-reaching negative effects to the provider may not be recoverable. Following are critical strategic elements for healthcare providers to include to achieve an acceptable level of protection:
- Ensure that both technology and disaster recovery are considered as equal foundational elements. Like the basic components of each piece of hardware that houses and makes the EHR work for patient care, the DR plan represents the sum of all recovery components required, including hardware, software, operating system, databases, and the application. These usually are separate components but are all foundation blocks of the EHR.
- Determine your priority technologies, data, and applications. An assessment of critical technologies and applications and their use can help prioritize the order in which critical technology elements should be recovered. The real measure may be valued in lost revenue or in terms of potential medication errors, potential morbidity, or mortality rankings. Whatever the priority is, it should be easily documented and understandable. This prioritization will also help determine the gap between the recovery time and recovery time objectives for the EHR system.
- Determine the gaps and assess your risk. Whatever plan is developed for DR, there will be scenarios that have not been foreseen. However, the process to assess risks will shake out some of the pain points. Having a third party develop a plan also reduces some of the risk. The highest level of management must decide the amount of risk that can be tolerated by the organization, because the responsibility is usually held at that level. No EHR can operate at a peak performance level without management knowing it can function if and when a disaster would create a less than ideal situation.
- Commit to a documented plan. Many times, an EHR comes pre-assembled and ready for use by the care provider. Doing more than just system backup may not seem to be of utmost importance. In a disaster, however, anything might fail. A DR plan will provide the assurance to know that recovery is possible in a specified time frame.
- Maintain and test your plan. A mistaken belief that backroom technologies have been "bulletproofed," mounting pressures to cut costs, and ever-increasing time constraints place a significant burden on any healthcare provider and are dilemmas to be addressed when making EHR decisions. It is important to the success of an EHR that recovery plans are updated and tested on a routine basis. Demand it! Typically, a larger provider in the community is able to leverage more resources to apply to this endeavor.
Providers of care that use technology must see the value of a sustainable disaster avoidance plan. Once we no longer have paper or film records, we will be dependent upon digital technology to treat patients. Disaster avoidance is often not addressed unless it is brought to attention through an IT strategic plan or third-party audit.
Unlike the more apparent technological aspect of healthcare assets, such as laboratory equipment, beds, or blood pressure cuffs, the digital origin of the patient record is not immediately apparent because the data center can be miles away. HIPAA and Joint Commission on Accreditation for Health Organizations (JCAHO) believe that devoting resources to disaster planning makes good business sense. The effects of an emergency in the data center miles away may not be realized until a patient is in crisis, so developing a plan for identifying the highest risk potential ahead of time is good business practice.
The data center is the epicenter of the EHR. As national and regional efforts unfold to make the EHR universally available, Regional Health Information Organizations (RHIOs) will become linchpins in the longitudinal patient record. RHIOs and peer membership will push existing provider requirements to ensure that controls are in place for disaster avoidance and recovery as the EHR data passes from provider to provider, remaining intact throughout the patient's lifetime.
Business associate and service level agreements that focus on the commitment and relationship that an organization makes with its customers to protect the integrity and availability of EHR are key components of recovery time objectives. Even if a clinician does not immediately see the value, this process is a key to success with clinicians.
It will make little difference to a physician or clinician whether an event that jeopardizes an EHR is a disaster or not. The EHR must always be available, uninterruptible, and sustainable. As clinicians move closer to Computerized Patient Order Entry (CPOE) and care treatments begin through a portal of a digital image, system unavailability may mean life and death or less optimal care of our patient population. Providers of care should begin today to consider the most appropriate ways for protecting every link to their electronic health information and the associated unplanned downtime. Several elements are paramount to understanding what is at the heart of enterprise technology use by clinicians:
- The EHR must always be available, accessible, and reliable to ensure continuity of care for the patient.
- Clinicians are trained in a technological imperative of patient care over cost.
- Clinicians will be discouraged from utilizing the EHR through system unavailability.
- Quality of care has become synonymous with technology.
- No downtime is reasonable when care is to be provided.
- Technology interruptions mean that some facet of care is interrupted.
- Healthcare has become and will remain dependent on digital technology.
Healthcare providers who are currently building and installing Electronic Health Records are still early adopters of the technology. However, that will change quickly as the national healthcare technology czar, Dr. David Brailer, moves the healthcare strategic initiative forward into the next 10 years. Patient care pressures demand digital availability to reduce the time and cost overhead associated with today's patient care. As the 10-year goal of the Strategic Electronic Health Record Initiative intensifies and healthcare savings are realized through the use of technology, EHR will become more widely adopted. As providers see incentives emerge in terms of pay-for-performance, the pace will likely explode, because reimbursement is the way healthcare has always been funded. The technology that supports the application use and the data stored in those back room data centers will almost certainly continue to develop and improve. As the technology to protect data reaches a new height, the demand for availability, rather than the irresponsible effort that can be realized recovering the data, will be the main focus.
Nevertheless, technologies are less than flawless and finding a "no-fail" option to protect data is a worthwhile effort. A disaster recovery plan is a methodology that is easier to achieve. It just takes a little investment. Strategies for a disaster recovery plan need to be universally applied throughout the industry. Standard backup methodologies to protect data and processes to test the integrity of the restored backups must be consistent. The real challenge is to test your own disaster avoidance or disaster recovery plan using the scenarios you believe will give you comfort. Finding a "common practice" tool with documented methodologies to assist in this effort can reduce overhead and allow the adoption of a maintainable plan. Disaster avoidance and disaster recovery plans are the final prescription for good health and the ultimate protection of the EHR.
Victor Fuchs referred to choices in his classic book, Who Shall Live. Many of the health, economic, and social issues associated with healthcare today can now be addressed through technology and the efficiency of an EHR. Although the EHR may not fully exist in your organization, the components that you have built towards that end must be protected so that when the final components are interoperable, a fully protected tool will be in place for the patient care continuum. A plan for protecting the electronic patient record is a matter of choice. Simply, if you can afford to invest in digital technology, you should be able to afford to protect it. Protection in the form of a plan will certainly provide the best opportunity for the patient in the long run to realize reduced costs, make care more efficient, and provide continuity of care.
Mark J. Jacobs, MHA, CPHIMS is director of technology services and data center at Wellspan Health (York, PA). Jacobs is a 24-year veteran in healthcare information technology with experiences in several multi-hospital settings, insurance, and health planning. Jacobs can be reached at (717) 851-5687.