
Medical Professionals Aren't Leaping For E-Medicine

Posted by timothy
from the our-menu-options-have-recently-changed dept.
theodp writes "Despite all the stimulus money being directed toward developing electronic medical records, surprisingly few doctors, hospitals and insurers are using Google Health and other sites like it. One reason, Newsweek suggests, may be that Web-based personal-health records like the ones being compiled on Google Health don't appear to be covered under HIPAA, which requires that health care providers and health plans protect patient confidentiality. 'We don't connect that information to other aspects of Google,' explains Dr. Roni Zeiger, product manager for Google Health. Still, the federal government is in the process of drafting privacy recommendations that would apply to Google Health, as well as the makers of consumer apps that perform tasks like monitoring blood pressure."
  • nothing in common (Score:2, Informative)

    by Anonymous Coward on Sunday March 21, 2010 @06:49PM (#31561106)

    Google health and the stimulus money are 2 very different things. They have no relationship.

  • by slackergod (37906) on Sunday March 21, 2010 @07:15PM (#31561288) Homepage Journal

    It occurs to me I used a bunch of industry specific acronyms in the above post; let me define 'em...

    PHR - patient health records

    PHI - protected health information - mostly equivalent to PHR, but sometimes with private doctor-to-doctor discussions (such as a patient's drug seeking habits)

    EMR - electronic medical records - "EMR" software as a class basically is the electronic equivalent of the wall of paper charts in your doctor's office. Most PHR exchange will happen between these types of systems, or be printed out, edited, and faxed (sometimes to another EMR).

    credentialling / credentials management - tracking of doctor licenses, certifications, etc... this stuff is personal information about the doctors (ssn, etc) that's flying around between their office, the govt, and insurance companies.

    NPI / NPIDB - National Practitioner Data Bank - government database of the public parts of a doctor's credentials; that's trying to unify and replace all the others that are out there (UPIN, Medicaid, Medicare, DEA). It's in use, but the information frequently is years out of date, even with the best intent of all involved.

  • by Anonymous Coward on Sunday March 21, 2010 @07:20PM (#31561316)

    You must be incredibly naive if you think existing EMR companies are going through this much trouble to keep data secure. I worked as a contractor for a leading EMR site, and it was an ASP.NET/MSSQL hack-job littered with SQL injection holes and easy-to-guess backdoors (think admin/admin). I don't hold out much hope that we were the exception to the rule.

  • Re:Sketchy. (Score:1, Informative)

    by Anonymous Coward on Sunday March 21, 2010 @07:56PM (#31561560)

    Google health uses a subset of CCR. As much as I hate CCR, you can't fault them for their standards use. The only other standard remotely compatible with what they're doing is HL7, but it is more transactional whereas CCR is an actual record.

    Not that Google Health really does anything. At this point it's sort of like an appstore for your health records with no apps on it.

  • by MMC Monster (602931) on Sunday March 21, 2010 @08:02PM (#31561626)

    Before you complain about number 2:

    There are certain guidelines that, if followed, are supposed to improve mortality. The problem is some patients are just lost to followup, therefore miss out on the procedures that may potentially save their lives (such as colonoscopies).

    If the database is not drilled for these procedures, I can see a lawsuit happen from the family members of someone who got lost to followup and then died of metastatic cancer (due to a missed colonoscopy) or sudden death (due to not getting a defibrillator when they were eligible).

  • by sjbe (173966) on Sunday March 21, 2010 @08:06PM (#31561646)

    There is no such thing as data ownership.

    Pity the law doesn't agree with you. Not on medical records [wikipedia.org] at the very least.

  • by CrashandDie (1114135) on Sunday March 21, 2010 @08:13PM (#31561694)
    Hey sg,

    The thing is that a decentralised system isn't a bad thing at all. PKI was designed, from the start, to be usable as a non-centralised system (non-pyramid). Realistically speaking, using the same example as the one you offered, where a doctor needs to validate medical records provided by the patient to be truthful, you only need to verify the other doctor's credentials and a signed file.

    Now we get back to the old "How do I trust another doctor's certificates?", well, we use a centralised service. Each doctor needs to enroll [nist.gov] (Google cache [google.com] of the same document) to get his certificates, and they are delivered by a central authority, possibly governmental (or whatever authority governs doctors in your country). It's not a very hard thing to do, and can be implemented for roughly a couple million dollars -- the whole system.

    How many doctors are there in the US? A laughable amount if you compare how many certificates are issued for the DoD. Heck, you could even implement it to be fully PIV-C compatible, and get cross-certification from the US government, and would allow doctors' credentials to be easily validated during a crisis.

    Heck, nobody even needs to own the PKI solution in the US. The government can do it for you, if you are a valid organisation, an excellent project provides certificate management [idmanagement.gov] for you. Outside the US it gets a bit more difficult, as interoperability is not quite as great as in the US, however PIV is starting to have quite a lot of traction in Europe as well (I can't remember off the top of my head if it's PIV-I or PIV-C that is being implemented with the UK police forces). A pretty good read [nist.gov] (Google cache [google.com] as it doesn't seem to be loading from here) about how data is provided on a PIV smartcard.

    That being said, maybe the health care professionals ought to have raised their voice at the same time the engineers and scientists did [nist.gov] (Google cache [google.com])?
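
The check described in the comment above (verify the other doctor's credentials and a signed file), as an added example that is not part of the original post. It uses the `openssl` command line; the authority, the doctor, the record and all file names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: every name, subject and record below is constructed.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
cd "$work"

# Central authority: a self-signed root that relying doctors pin as their trust anchor.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Medical Board CA" \
  -keyout ca.key -out ca.pem 2>/dev/null
# Enrollment: the doctor makes a key and CSR; the authority issues the certificate.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Dr. Alice Example" \
  -keyout doc.key -out doc.csr 2>/dev/null
openssl x509 -req -in doc.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -out doc.pem 2>/dev/null
# Same name, but self-signed: a certificate the authority never issued.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Dr. Alice Example" \
  -keyout rogue.key -out rogue.pem 2>/dev/null

# The issuing doctor signs the record; the patient carries record + signature + cert.
printf 'patient: constructed-0001\nallergy: penicillin\n' > record.txt
openssl dgst -sha256 -sign doc.key   -out record.sig record.txt
openssl dgst -sha256 -sign rogue.key -out rogue.sig  record.txt
sed 's/penicillin/none/' record.txt > tampered.txt

# Receiving doctor: accept only if the signer's certificate chains to the
# authority AND the signature over the record verifies under that certificate.
verify_record() {  # $1 = record, $2 = signature, $3 = signer certificate
  openssl verify -CAfile ca.pem "$3" >/dev/null 2>&1 || return 1
  openssl x509 -in "$3" -pubkey -noout > signer.pub 2>/dev/null || return 1
  openssl dgst -sha256 -verify signer.pub -signature "$2" "$1" >/dev/null 2>&1
}
check() { if verify_record "$@"; then echo accept; else echo reject; fi; }

echo "genuine record:      $(check record.txt   record.sig doc.pem)"
echo "edited by patient:   $(check tampered.txt record.sig doc.pem)"
echo "unenrolled signer:   $(check record.txt   rogue.sig  rogue.pem)"
echo "cert/signature swap: $(check record.txt   rogue.sig  doc.pem)"
```

The sketch stops at chain and signature checks; it does not consult revocation data (CRL or OCSP) for the signer's certificate.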
  • by beakerMeep (716990) on Sunday March 21, 2010 @08:25PM (#31561804)
    Seems to me there are some rights you shouldn't be able to waive in any agreements. A bit of (ironic) Googling turned up an article saying that waiving rights to gross negligence is unenforceable in California. [ecnext.com]

    FTA:

    California defines gross negligence as either a "want of even scant care" or "an extreme departure from the ordinary standard of conduct." In contrast, ordinary negligence consists of a "failure to exercise the degree of care in a given situation that a reasonable person under similar circumstances would employ to protect others from harm."

    The "traditional skepticism" concerning agreements to release liability for future torts is expressed, the court said, in a California statute providing that all contracts with the purpose of exempting anyone from their "own fraud, or willful injury to the person or property of another, or violation of law, whether willful or negligent, are against the policy of the law."

    I'd be interested if a lawyer (or other slashdotter) knew of a case where someone was denied remedy in a negligence case because they waived liability.

  • by slackergod (37906) on Sunday March 21, 2010 @09:00PM (#31562106) Homepage Journal

    I agree with you: decentralized is fine; and decentralized + PKI would be even nicer security wise. And as a patient, I'd trust it over a central system for all the reasons mentioned elsewhere in this discussion.

    My main point was that while PKI is optional for decentralized PHR, in order to develop a centralized PHR system like Google Health, you pretty much *have* to have PKI before the doctors will use your system. The lack of trust is a design flaw which, somehow, I don't think any of the centralized PHR developers have even realized that they have, much less that PKI would fix it... otherwise they'd be hawking it at the forefront of their advertisements to doctors. I'm not really sure how they missed the trust issue, because it's the first thing the doctors I work with mentioned after they heard about Google Health.

    BTW, those are some nice links regarding PKI, thanks for them! Going to have to look into how I can put that stuff to use.

  • Re:Googlectomy (Score:5, Informative)

    by demonlapin (527802) on Sunday March 21, 2010 @09:05PM (#31562146) Homepage Journal
    Physicians are not (necessarily) technophobes. Allow me to explain.

    One of the many oddities of medicine in the US is the payment model. There are two ways in which physicians can earn money: by doing procedures, or by applying their learning. Now, procedures are fairly straightforward; if you do it, you can bill for it. But how do you get paid to think? You prove how much thinking went into the process by your documentation. On a paper chart, this is straightforward: you see a patient, talk to them, formulate a plan, and scribble out a note. The paper is easy to pull out and read, or copy, or whatever. You can take it with you on a clipboard into the room. Unless you get laptops with carts, you can't do that with EMR.

    When you're in a hospital with EMR, you have to remember your username and password (and every password system has a different expiry cycle). In the one hospital in which I work, I have SIX systems with different usernames and passwords - the general EMR system (which has labs and dictations), the radiology system, the pharmacy dispensing system, the OR EMR system, the OR scheduling system, and email. Those who admit patients to two or three hospitals have this problem at each and every one.

    In other words, physicians have two jobs - one as a physician, and one as a data-entry clerk. Not surprisingly, we are incredibly averse to spending time and effort on the second of these jobs, and anything that causes that data entry to take more time is costing us money. Not only that - the electronic records are often inferior to the paper ones they replace. In particular, many branches of medicine use drawings or diagrams. It's nice not to have to deal with handwriting, but a heart diagram with coronary blockages marked by location and percentage blocked is superior to a verbal description of those blockages.
