
Intranets can help clinicians share patient information

Tech Talk

Logistical problems are abundant; one early experience is reviewed

By John D Halamka, MD, MS

The American Heritage dictionary defines web as "something intricately contrived, especially something that ensnares or entangles."

Such a definition seems fitting to the World Wide Web, since the medical resources on the Internet are extensive, disorganized, and generally unmonitored. The technologies that send Web pages from one site to another on the public Internet can shape a private medical intranet that assembles a "virtual" emergency medical record which draws on sources of heterogeneous information.

However, barriers to creating virtual medical records on intranets abound. Some are technical: correctly identifying patients, guaranteeing data integrity, and protecting confidentiality. Some are organizational: standardizing the types of information exchange, providing appropriate sanctions for violation of security policies, and obtaining patient consent for transmitting information among multiple institutions.

Several groups have proposed solutions for such technical and organizational challenges and have implemented systems that use intranets to provide clinical information to healthcare providers.1 This holds special impact for emergency departments that constantly struggle with providing care based on incomplete information about medical histories.

An early experience

To illustrate both the challenges and some early solutions, I will describe the early experiences with a live implementation, CareWeb, that shares emergency medical information between two inpatient delivery systems on a corporate intranet in an academic health center.

The Beth Israel Hospital, the Deaconess Hospital, three Boston area community hospitals, and several satellite outpatient clinics have joined forces to create a delivery system that required the integration of existing electronic medical records. Each site has different clinical computing systems, different institutional vocabularies and varying completeness of clinical information.

The former Beth Israel Hospital stores clinical data and several related practices in a comprehensive, custom-built computing system2 while clinical data at the former Deaconess Hospital resides in an industry-standard database.

Our goal was to consolidate medical records "virtually" at these heterogeneous institutions, using the corporate intranet to make that information available to emergency practitioners at the point of care.

CareWeb operates in response to an emergency care provider who, using a standard Web browser, creates a query for information by specifying patient identification. This information is submitted over the intranet to CareWeb, which, in turn, generates a request for information to both the Beth Israel and Deaconess hospital systems.

The systems respond with demographics, problems, medications, records of allergies, notes and visits. CareWeb interprets the incoming messages and creates a single, unified presentation that it returns to the health-care provider as a series of Web pages.

Tool bars enable full navigational control, allowing the medical record to be scanned using a tab folder-like paradigm.

Barriers, both technical and organizational, preclude a uniform infrastructure for exchange of medical records on an intranet. To exchange patient information among hospitals, even apparently simple tasks, such as identifying the correct patient, can be a challenge.

Identifying the patient

In the United States, there is no universal healthcare identifier assigned to patients. A logical approach is to use a combination of demographic identifiers such as name/date of birth/gender or Social Security number.

However, demographic identifiers are often misentered or misreported, making patient identification a difficult problem. Teich and colleagues at Partners Healthcare in Boston3 found a 3% discrepancy in birth month for known matched patients, and a 39% discrepancy in last name. Another study4 found a 2.4% discrepancy in gender for known matched patients.

The Health Insurance Portability and Accountability Act of 1996 Human Services devise a strategy for universal patient identification, which is still pending. Suggestions span the gamut from the Social Security number to the use of long random numbers, unique to each individual.

CareWeb uses a best match of name, gender and date of birth to identify patients. It looks up patients phonetically by name to be tolerant of misspellings. It refines the search by looking at birthday, plus or minus 6 months, allowing inexact birthday matching. Finally, gender is not used if name and birthday are sufficiently closely matched, allowing misentry of gender information. If such a combination yields more than one patient, a list of patients with additional demographic information, including address and Social Security number, is presented to the clinician, requesting clarification.
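The matching steps described above can be sketched as follows. This is an added example, not CareWeb's code: Soundex stands in for the unspecified phonetic lookup, the 183-day window approximates six months, and the rule that gender is ignored only on an exact name and birthday match is an assumption, as is the constructed registry.

```python
from datetime import date

# Constructed sample registry (not real patients, not data from the article).
REGISTRY = [
    {"id": "A1", "last": "Halloran", "first": "Mary", "sex": "F", "dob": date(1950, 3, 14)},
    {"id": "A2", "last": "Holloran", "first": "Mary", "sex": "F", "dob": date(1950, 7, 2)},
    {"id": "B1", "last": "Tymczak", "first": "Peter", "sex": "M", "dob": date(1962, 11, 30)},
]

_CODES = {ch: d for letters, d in (("BFPV", "1"), ("CGJKQSXZ", "2"), ("DT", "3"),
                                   ("L", "4"), ("MN", "5"), ("R", "6")) for ch in letters}

def soundex(name):
    """American Soundex: first letter plus three digits, e.g. Tymczak -> T522."""
    letters = [c for c in name.upper() if "A" <= c <= "Z"]
    if not letters:
        return ""
    out, prev = letters[0], _CODES.get(letters[0], "")
    for ch in letters[1:]:
        if ch in "HW":
            continue  # H and W do not break a run of identical codes
        digit = _CODES.get(ch, "")
        if digit and digit != prev:
            out += digit
        prev = digit
    return (out + "000")[:4]

def find_patients(last, first, sex, dob, registry=REGISTRY, window_days=183):
    """Return ("none" | "unique" | "ambiguous", records ordered by birthday gap)."""
    hits = []
    for rec in registry:
        # Step 1: phonetic name match tolerates misspellings.
        if (soundex(rec["last"]), soundex(rec["first"])) != (soundex(last), soundex(first)):
            continue
        # Step 2: birthday within roughly six months either way.
        gap = abs((rec["dob"] - dob).days)
        if gap > window_days:
            continue
        # Step 3: gender is ignored only when name and birthday agree exactly
        # (this threshold for "sufficiently close" is an assumption).
        exact = gap == 0 and rec["last"].lower() == last.lower()
        if not exact and rec["sex"] != sex:
            continue
        hits.append((gap, rec))
    hits.sort(key=lambda h: h[0])
    records = [rec for _, rec in hits]
    status = "none" if not records else "unique" if len(records) == 1 else "ambiguous"
    return status, records
```

An "ambiguous" result corresponds to the case where the clinician is shown the candidate list and asked to choose.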

A consistent vocabulary

The International Systemized Nomenclature for Medical and Veterinary Medicine provides a comprehensive set of more than 150,000 terms that can be useful when creating intranets.

The terms fall into these categories:

  • Anatomy
  • Morphology
  • Normal/abnormal functions
  • Symptoms and signs
  • Chemicals
  • Drugs
  • Enzymes
  • Organisms
  • Physical agents
  • Spatial relationships
  • Occupations
  • Social contexts
  • Procedures

Data format and vocabulary

Medical records contain data elements that vary widely among hospital systems, both in definition and in the amount of data available.

To exchange electronic medical records successfully, all partners must define the uses for the data and elect a consistent set of elements most relevant to the intended use. For example, a clinical emergency department application requires a set of data far different from an application assaying managed care eligibility. Data elements also must address potential legal and social sensitivities. A patient may agree to share insurance authorization information, but not HIV status.

Several standardized data sets have been suggested for emergency clinical use, including the Center for Disease Control's Data Elements for Emergency Department Systems (DEEDS),6 the Boston Collaborative data set7 and the National Information Infrastructure Health Information Network Emergency Medicine data set.8

But even if partners agree on data elements to exchange and a consistent way to request information, the data exchanged may not be easily comparable. Hospital systems are heterogeneous, and most lack uniform vocabulary. One hospital may list a diagnosis as "hypertension," while another may code the same diagnosis as "high blood pressure." Similarly, medication lists assembled from multiple hospitals might feature a mixture of brand and generic names.

Vocabulary standards solve the problem of data comparability. ICD9CM coding is one of those most familiar. By coding all medical records with ICD9CM codes instead of physician generated English descriptions, hospital discharge records become comparable.

The International Systemized Nomenclature for Medical and Veterinary Medicine (SNOMED) provides a comprehensive set of more than 150,000 terms organized into 12 categories (see Figure 1).9

The National Library of Medicine's Unified Medical Language System (UMLS) has concept identifiers that group these ICD9 and SNOMED terms into a single nomenclature.10 The Logical Observation Identifier Names and Codes (LOINC) provides a library of more than 6,500 clinical test names or identifiers.11

Finally, the National Drug Code (NDC) provides a standard dictionary of medications. Although most institutions do not use all of these vocabularies, it is possible to translate institution-specific data into standard terminologies during the presentation of medical information to clinicians.12

At each of our hospitals, a site-specific CareWeb program intercepts incoming requests for information. These programs have knowledge of the computer systems at each site and translate hospital-specific information into standard vocabularies: ICD9CM for diagnoses, NDC for drug information and LOINC for laboratory. Once translated into standard vocabularies, messages are sent between CareWeb sites using Health Level 7,13 a standard data format for medical information interchange.


In his 1997 State of the Union address, President Clinton noted that "we should connect every hospital to the Internet, so that doctors can share data about their patients instantly with the best specialists in the field."

However, the security and confidentiality implications of Web-connecting the nation's clinical data are a major impediment to realizing this goal.14,15

In 1995, the National Research Council (NRC) of the National Academy of Sciences was charged with evaluating practical measures that can reduce the risk of improper disclosure of confidential information, while providing appropriate access to those interested in improving quality and reducing the cost of care.

Its March 1997 report, "For the Record: Protecting Electronic Health Information," presents the findings of 2 years of collaborative investigations that delineate best technical and organizational practices to protect patient confidentiality.16

Intranet medical record systems should incorporate these recommendations. Existing legislation emphasizes the need to implement strong security measures. For each unauthorized disclosure, the Health Insurance Portability and Accountability Act of 1996 imposes a fine of up to $250,000 per incident, and up to 5 days of imprisonment. In addition, failure to protect patient information and patient privacy can result in loss of accreditation.

CareWeb incorporates all NRC guidelines for protecting health care information, and the techniques for this are discussed elsewhere.17


The authenticity of each CareWeb user is guaranteed with Security Dynamics' SecurID hardware tokens. These handheld devices contain microprocessors that calculate and display unpredictable codes.

These codes change at a regular interval, typically 60 seconds. To access CareWeb, each user must enter a username, a memorized personal identification number (PIN), and the currently displayed password from the SecurID device. CareWeb transmits this information to a security server that authenticates the user and verifies that the correct password was entered.

The security server compares the user-entered password with its knowledge of what password should have been entered for that 60 second period. If the password does not match, it also checks the password from the previous 60 second period to account for delays in typing and transmission. If a user loses a SecurID, the token can be deactivated immediately at the security server.
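The server-side check described above, as an added example that is not CareWeb's or the token vendor's code. The SecurID algorithm is not given in the article, so an HMAC-SHA1 time-step code in the style of RFC 6238 is swapped in; the class and function names, the seed and the PIN are constructed, and the refusal of an already used window is an addition the article does not mention.

```python
import hashlib
import hmac
import os
import struct

STEP = 60  # seconds each displayed code stays valid, as in the article

def code_at(seed, t, digits=6):
    """Code for the 60-second window containing time t (HMAC stand-in, RFC 6238 style)."""
    counter = int(t) // STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _pin_hash(pin, salt):
    # The PIN is stored only as a salted, slow hash.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class SecurityServer:
    def __init__(self):
        self.users = {}

    def enroll(self, username, pin, seed):
        salt = os.urandom(16)
        self.users[username] = {"seed": seed, "salt": salt, "pin": _pin_hash(pin, salt),
                                "active": True, "last_counter": -1}

    def deactivate(self, username):
        """Lost token: refuse all further logins for this user at once."""
        self.users[username]["active"] = False

    def verify(self, username, pin, code, now):
        user = self.users.get(username)
        if user is None or not user["active"]:
            return False
        pin_ok = hmac.compare_digest(_pin_hash(pin, user["salt"]), user["pin"])
        current = int(now) // STEP
        # Try the current window first, then the previous one to absorb
        # typing and transmission delay.
        for counter in (current, current - 1):
            expected = code_at(user["seed"], counter * STEP)
            code_ok = hmac.compare_digest(expected.encode(), code.encode())
            # Addition beyond the article: a window that has already been
            # used is refused, so a captured code cannot be replayed.
            if code_ok and pin_ok and counter > user["last_counter"]:
                user["last_counter"] = counter
                return True
        return False
```

Accepting the previous window widens the lifetime of a code to as much as two minutes, which is why the single-use check matters.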

Once users are authorized, CareWeb uses a database to determine how much access they are permitted. Clinicians are allowed to examine the full record, while registration clerks are limited to demographic information.

Audit trails

The security policy of the Beth Israel Deaconess Medical Center is to provide auditing at the level of the specific patient queried and the individual menu selections used. CareWeb implements a complete multi-organizational audit trail.

In any multi-institutional reporting system, there are two places to capture the audit: at the institutional level where the information is stored (the sites) or at the point where the information is delivered. CareWeb audit information is captured at the site level. By storing audit trails at each site, each hospital can control and audit the information that leaves its site, regardless of where it is delivered.

Each hospital site server captures patient identification information, the requester, the requester's location, date, time, and information requested. Although information is stored at the site level, a multi-institutional auditing system that provides patients with the details of the movement of their medical information throughout the healthcare enterprise is available. The auditing query system has the same hardware token authentication and access controls required for any CareWeb healthcare data request.

Once authenticated, an auditor enters patient identification information and submits it to the CareWeb auditing system. It produces a consolidated report showing all flows of information about the patient for all institutions.


The existing hospital computing systems at the Beth Israel and Deaconess hospitals employ a complex series of hardware controls that limit connectivity from outside the institution.

Using these "firewalls," network administrators limit system access to users physically located within the campus.

For communications between data sources and CareWeb users, we implemented a cryptographic system that incorporates industry standard components for digital signature and encoding of messages, using the most secure keys available.

Record authentication

CareWeb uses digital signature cryptography methods for all network transmissions, ensuring the integrity of all health data delivered. The NRC recommends an implementation of digital signature to ensure that medical records are not changed on the individual systems where they are stored.

The CareWeb architecture provides a secure mechanism to transport each institution's data and can guarantee that the data were not changed during the retrieval process. Security policies of each institution providing data dictate the reputability of the data.

Disaster recovery

Multi-institutional architecture provides significant physical protection for health data. Instead of physically locating all patient records in a central data source vulnerable to physical disasters, the CareWeb architecture creates a virtual record that is assembled on demand and not stored in a central repository.

Currently, all hospital computers linked by CareWeb are geographically dispersed and are locked in secure computer rooms accessed by electronic keycode. The CareWeb architecture depends upon the physical security and disaster recovery practices of the individual sites that provide data. However, if any sites sustain a disaster and cease to provide data, CareWeb notes that a site is unavailable and provides a virtual medical record made up of all functioning sites.

Not storable

Web pages returned by CareWeb cannot be stored on local hard disks by the browser. Three specific techniques are used to prevent such behavior:

  • Pages are given an expiration date of Jan. 1, 1970, and arrive "out of date."

  • Pages are sent with a special message instructing the browser not to store them.

  • Pages are sent in a secure mode (secure sockets), which most browsers use as an indicator not to store pages.
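A check for the three techniques listed above, as an added example rather than CareWeb's code. The article does not name the "special message"; `Pragma: no-cache` (HTTP/1.0) and `Cache-Control: no-store` (HTTP/1.1) are assumed here, and the host name in the sample URLs is constructed.

```python
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def no_store_headers():
    """Response headers that mark a page as expired and not to be stored."""
    return {
        "Expires": format_datetime(EPOCH, usegmt=True),  # Thu, 01 Jan 1970 00:00:00 GMT
        "Pragma": "no-cache",         # legacy HTTP/1.0 clients and proxies (assumed)
        "Cache-Control": "no-store",  # the directive that forbids storage (assumed)
    }

def audit_response(url, headers, now=None):
    """Return a list of findings; an empty list means all three protections are present."""
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # Technique 3: the page must travel over a secure channel.
    if not url.lower().startswith("https://"):
        findings.append("page is not sent over TLS")

    # Technique 2: an explicit instruction not to store the page.
    directives = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store")

    # Technique 1: the page must arrive already out of date.
    expires = h.get("expires")
    if expires is None:
        findings.append("no Expires header")
    else:
        try:
            when = parsedate_to_datetime(expires)
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            stale = when <= now
        except (TypeError, ValueError):
            stale = True  # an unparseable date is treated as already expired
        if not stale:
            findings.append("Expires is in the future")
    return findings
```

Run against captured response headers from each page type, this gives a quick regression test that record pages never become cacheable after a server change.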


Intranets help enhance the quality and value of medical care by increasing the information flow among patients and clinicians.

The political sensitivity of using Internet technologies for transmission of confidential data was emphasized in March 1997, when the Social Security Administration created a publicly accessible Web page for display of Social Security benefits information. The page was discontinued after 1 month because of outcry from privacy and citizen's rights groups.19

Reports of flaws in Internet security give a public impression that Internet technologies are not suitable for transmission of sensitive information, which creates difficulty in obtaining institutional support. Consensus for deploying such a system must include information systems personnel, hospital administrators, patients and clinicians.

Several groups are working to define data and security standards to encourage the development of a national infrastructure for medical data exchange.

The Three-State Initiative funded by the Robert Wood Johnson Foundation is a consortium of three nonprofit health-data organizations -- the Massachusetts Health Data Consortium, the Seattle-based Foundation for Health Care Quality and the Minnesota Health Data Institute -- intended to create security standards for exchange of medical information. The final report delineates seven Health Security Levels that represent gradations of confidentiality protection.20

The combination of federal legislation mandating universal patient identification and penalties for breaches of confidentiality,21 combined with the efforts of researchers, public interest groups, and industry, fuels a rapid evolution of the infrastructure required to exchange medical records using intranets.

With an appropriate balance between confidentiality and the need for clinical information, an intranet-based system will benefit patients and physicians and, ultimately, lead to better care.

This article was funded in part by a cooperative agreement with the Agency for Health Care Policy and Research and the National Library of Medicine Sharing Paperless Records Among Networks of Providers Grant (UO1 08749).


1. Frasier H, Kohane I, Long W. Using the technology of the World Wide Web to manage clinical information. British Medical Journal 1997;314:1600-1604.
2. Bleich HL, Beckley RF, Horowitz GL, et al. Clinical computing in a teaching hospital. N Engl J Med 1985;312:756-764.
3. Teich J. Personal communication.
4. Goldberg J, et al. A strategy for assembling samples of adult twin pairs in the United States. 12:1693-1702.
5. Szolovits P, Kohane I. Against simple universal health identifiers. Journal of the American Medical Informatics Association 1994;1:316-319.
6. Pollack D. Data elements for emergency department systems (DEEDS). Annals of Emergency Medicine 1998;31:264-273.
7. Kohane IS, Greenspun P, Fackler J, Cimino C, Szolovits P. Building national electronic medical record systems via the World Wide Web. Journal of the American Medical Informatics Association 1996;3:191-207.
8. Barthell EN, Kulick SK, Felton CW, et al. The National Information Infrastructure-Health Information Network. Top Emerg Med 1995;17:17-23.
9. Humphreys BL, Lindberg DA, Schoolman HM, Barnett GO. The Unified Medical Language System: an informatics research collaboration. J Am Med Inform Assoc 1998;5:1-11.
10. Cote RA, Rothwell DJ, Palotay JL, Beckett RS, Broch L, eds. The Systematized Nomenclature of Human and Veterinary Medicine: SNOMED International. Northfield, IL: College of American Pathologists, 1993.
11. Forrey AW, McDonald CJ, DeMoor G, et al. Logical observation identifier names and codes (LOINC) database: A public set of codes and names for electronic reporting of clinical laboratory test results. Clinical Chem 1996;42:81-90.
12. Law V, Goldberg HS, Jones P, Safran C. A component-based problem list subsystem for the HOLON testbed. Submitted to the Fall Symposium of the American Medical Informatics Association.
13. Health Level Seven: An application protocol for electronic data exchange in healthcare environments. Version 2.2. Chicago: Illinois Health Level Seven, 1990.
14. Woodward B. The computer-based patient record and confidentiality. N Engl J Med 1995;333:1419-1422.
15. Rind D, Kohane I, Szolovits P, Safran S, Chueh H, Barnett G. Maintaining the confidentiality of medical records shared over the Internet and World Wide Web. Ann Intern Med July 1997.
16. For the record: Protecting electronic health information. Computer Science and Telecommunications Board, Commission on Physical Sciences, Mathematics and Applications, National Research Council, National Academy Press, 1997.
17. Halamka JD, Szolovits P, Safran C. A WWW implementation of national recommendations for protecting electronic health information. Journal of the American Medical Informatics Association 1997;4.
18. Safran C, Rind D, Citroen M, Bakker AR, Slack WV, Bleich HL. Protection of confidentiality in the computer-based patient record. MD Computing 1995;12:187-192.
19. Schwartz J, Saffir BJ. Privacy concerns short-circuit social security's online service. Washington Post April 10, 1997.
20. Baker DB, Barnhart R, Buss T. PCASSO: Applying and extending state-of-the-art security in the healthcare domain. Proceedings of the Annual Computer Security Applications Conference, San Diego, CA, December 1997.
21. Health Insurance Portability and Accountability Act of 1996.
