The Electronic Medical Record

Promises and Threats

Lincoln D. Stein

Abstract

Starting with three fictitious scenarios that illustrate the promises and risks of the electronic medical record (EMR), this article describes the pros and cons of EMRs, the role that the Web will soon play in this arena, and the technological, social, and political challenges to controlling how one's personal medical information should be used.

Scenario 1: The Good

The middle-aged male patient is admitted to the emergency room of a Phoenix hospital at 10:32 AM, unconscious and unresponsive, after passersby saw him collapse on the street. Respirations are light and rapid, the pulse thready, and his blood pressure low.

In cases like this one, where someone experiences a sudden loss of consciousness, the range of possible diagnoses is vast. Among the possibilities are heart disease, drug overdose, infection, stroke, and various metabolic diseases. The treatment for each disease is vastly different. Some conditions, like an intracranial bleed, must receive appropriate treatment immediately. Others, like an epileptic seizure, will resolve by themselves if left untreated. Often the key to making the right diagnosis in a timely fashion is the patient's medical history, but an unconscious patient is in no position to answer questions.

In this case, the patient's wallet reveals only his name and an address in Boston; there are no medications to hint at the existence of a medical condition, and no contact information for family members, doctor, or medical facility. He appears to be on a business trip and is not known to anyone in Phoenix.

The traditional medical response to this situation would be to try a little bit of everything: a dose of an opiate-inhibitor to treat potential heroin overdose, an intravenous line of 50% glucose to cover insulin shock in a diabetic, a broad-spectrum antibiotic to treat possible shock from an overwhelming bacterial infection, and an EKG and blood samples to rule out a heart attack. However, the emergency room has just installed a state-of-the-art Internet-based medical record system. While the intern on duty is evaluating the patient in the traditional way, the resident strolls up to one of the ER computers, fires up Internet Explorer 7.0, and connects to the central search service, "MedCrawler." She enters the appropriate authorization codes, types in the patient's name and address, and within a few seconds is browsing the patient's full medical record. There at the top of the patient's "problem list" is the answer: a severe bee-sting allergy. The patient has somehow contrived to get himself stung by a bee. His sudden physical collapse is the result of anaphylactic shock. She and the intern immediately begin the standard treatment for allergic anaphylaxis with epinephrine and antihistamines. Half an hour later the patient is up, alert, and very, very grateful.

Scenario 2: The Bad

A professor at a top-tier school for international affairs is nominated for Secretary of State after the former Secretary was forced to resign for employing an illegal alien as a nanny. The nominee's record is faultless: she is the author of over 200 papers in the field of international relations, and has extensive practical experience in the Pacific rim as a former chief negotiator for the semiconductor industry. Her nomination is widely hailed by the press as a breakthrough, a case in which the nominee's manifest qualifications clearly supersede questions of partisan politics.

This idyllic situation does not last long. A member of the opposition party, a declared enemy of the reigning administration, quietly hires a hacker to break into the nominee's medical records. Within a day, and without leaving the comfort of his vacation home in the south of France, the hacker has bypassed the security measures on the nominee's records by exploiting an implementation hole in the authentication stack. He downloads the nominee's records, burns them into a CD-ROM, and sends the CD-ROM off by FedEx.

Over the next few days, tantalizing tidbits of information about the nominee are leaked to the press. It's found out, for example, that years ago she had an abortion. This angers abortion-rights opponents. She was briefly treated for depression, raising doubts about her mental stability. A recent uterine biopsy shows hyperplasia, a precancerous condition, but one that raises doubts about her health. Then the stunner. The National Enquirer headline screams from the grocery store racks: "State Department Pick Cheats on Hubby." Sure enough, a portion of the nominee's psychiatric records has just been leaked. In them, she talks with her therapist frankly about an extramarital affair. Washington's pro-family forces rally against the nomination, forcing the nominee to beat a humiliating withdrawal.

Scenario 3: The Ugly

A West Coast psychotherapist is finishing up work at the end of a long day when she gets a call from a clerk in the "quality assurance" division of one of the health plans the psychotherapist has recently joined forces with. The clerk is processing some of the electronic paperwork generated by one of the psychotherapist's patients and just needs a few clarifications in order to put the forms through.

"I see that you've coded this guy's diagnosis as DSM-IIIR 300.02: Generalized Anxiety Disorder," says the clerk, referring to one of the diagnostic codes in the Diagnostic and Statistical Manual of Mental Disorders, Third Edition (revised).

"Yes, that's right," answers the psychotherapist.

"The plan won't accept that one. You need a more specific diagnosis," says the clerk. "Well, I was wondering . . . I see here that this guy was sexually abused as a kid, so how about if we change this to a 309.81, Post-traumatic Stress Disorder. We use that one a lot here."

The psychotherapist is taken aback. Apparently the full text of her therapy notes, filed with the patient's electronic medical record, is available to the health plan's clerks, accountants, and insurance adjusters. Who else in the plan has access to this information?

A Mixed Blessing

These three scenarios, none of which is intended to resemble true people or events, illustrate the promises and risks of the electronic medical record. Scenario 1 illustrates the best use of a distributed, Internet-accessible medical record. In this scenario the availability of the electronic medical record went a long way to alleviating the frequent traveler's worst nightmare: getting sick in a strange city far away from one's doctor and friends. Scenario 2 illustrates the worst use: the full, unauthorized disclosure of someone's most intensely personal affairs to the general public. Though dramatic, in some ways this scenario is not so troublesome as the last one, Scenario 3, which portrays medical information percolating gradually through a large and ill-defined group of doctors, therapists, bureaucrats, and other members of the health care community.

The electronic medical record (EMR) is an inevitability. Already every major hospital in this country has some form of EMR, whether a simple system for storing and retrieving laboratory test results, or a comprehensive system for recording the full text of the patient's medical history, medications, progress notes, and test results. As managed care becomes increasingly pervasive and the health care system coalesces into a set of large regional "alliances," the EMR will become essential for coordinating a patient's care among a network of affiliated hospitals, clinics, HMOs, and medical offices.

A Brief History of the Medical Record

Traditionally, all medical records are maintained on paper in large manila binders called "charts." Typically, a patient has several charts, each maintained at a different location. His primary doctor or health clinic maintains one file, each of the patient's specialists (ophthalmologist, allergist, orthopedist) has theirs, and any hospital that the patient has ever visited has a chart of its own. When a patient is admitted to the hospital, whether on a scheduled visit or an unscheduled trip to the emergency room, a chart request is sent to the medical records department via courier or pneumatic tube. Minutes to hours later, the patient's chart arrives.

During the patient's stay, the chart is his constant companion. Every interview, test, order, or medication that the patient receives is entered into the chart, dated, and signed by the responsible physician, nurse, or therapist. As a patient is moved about the hospital, from ward to X-ray to operating room, the chart accompanies him, often dangling from a specially-designed bracket on the gurney. When the patient leaves the hospital, a "discharge note" is entered into the chart. The chart is then returned to medical records for filing.

The paper system has never been much good. Charts are misfiled, pages fall out, notes are entered in the wrong order, and a poorly-placed cup of coffee (or urine specimen) can wipe out a patient's entire medical history. Another chronic problem of the paper record is the well-known illegibility of doctors' handwriting, which can obscure important medical information. Inevitably, mistakes occur during transcription which are propagated throughout the written record. Sometimes consequences of such mistakes are disastrous: a diabetic patient has the wrong leg amputated; a misunderstanding of the pathology report causes the surgeon to remove a benign portion of colon rather than the portion containing the cancer; a patient is nearly given a lethal dose of the anti-cancer drug chlorambucil rather than the antibiotic chloramphenicol.

Over the past twenty years, medical institutions have increasingly turned to computerization for help managing patient information. Inevitably, the first department to be computerized is Accounts Receivable. After that, the next departments to get computer systems are Radiology, whose task involves keeping track of ten thousand or more X-ray, CT, and ultrasound studies per year, and the Clinical Laboratory, which processes hundreds of blood and fluid specimens each day.

When I was in medical school in the mid 80s, the hospitals I worked in had an amusingly inefficient system for incorporating the computerized data from the laboratory systems into the paper chart. One of the medical student's chief duties was to run down to the clinical laboratory at regular intervals, use the computer system to look up patients' test results, run back to the ward, and transcribe the results into the paper record. Really advanced hospitals had dumb terminals at the end of each patient ward. Medical students could log into the lab system and retrieve the results without traveling any great distance. Unfortunately, the terminals were often down and we ended up making the trip anyway.

By and large these early medical information systems weren't integrated. To get a radiology report you had to find a terminal connected to the radiology system. To get the report on a biopsy you had to log into the pathology system. One emergency room that I worked with had two terminals sitting side by side. One was used to retrieve blood gas chemistry results (the concentration of oxygen and carbon dioxide in patients' blood). The other was used to retrieve all other blood analyses!

During the late 80s health care institutions made a concerted effort to weld the individual laboratory computers into integrated "clinical information systems." From a single terminal or PC located in the office or hospital ward, health care workers could retrieve all the patients' test results, including blood chemistry, microbiology, radiology, and biopsy reports. By employing transcription services, hospitals and clinics also began to incorporate important parts of the clinical narrative as well. Surgical operative notes and discharge notes started appearing in the clinical information system, as well as capsule summaries of patients' medical problems ("problem lists") and lists of their current medications.

When managed care changed the face of medicine in the 90s, the face of the medical record changed as well. The spread of multi-institution "partnerships," "plans," and "alliances" across the countryside made it impractical to shuttle paper charts around. Doctors now had many more patients to see, and less time to do it in. Interviews and physical exams had to be efficient, expedient, and to the point. Leafing through a new patient's chart and trying to figure out the person's current medical issues just wouldn't cut it in this new world. Further, in order to keep costs under control, the medical plans needed to closely monitor doctors to ensure that every patient was receiving only the diagnostic tests and therapeutic interventions appropriate for his medical condition.

The computerization of the medical record has accelerated rapidly in recent years. In many centers, essential medical history such as clinic visits, hospital admission notes, problem lists, allergies, discharge orders, diagnostic tests, labor and delivery records, medications, and even dietary notes are kept in electronic form. When a doctor goes to see a patient, all the most important information is now instantly available on the computer or terminal in neatly organized, legible, and searchable form. A few health care providers have even taken the next step--abolishing the written record entirely for a system in which doctors and nurses enter notes into the computer directly and sign them with a digital signature. The notes are crunched into a record-oriented format and stored into a large database.

It's important to emphasize, however, that the traditional written chart is far from dead. Most health care systems still use some combination of electronic medical records and paper charts. It may be a decade or more before the written record is gone for good.

What's the Electronic Medical Record Good For?

In addition to fixing some of the obvious shortcomings of the traditional paper chart, the electronic medical record offers features that written records simply can't match.

Consistency

The electronic medical record enforces consistency. Every laboratory result, every radiology report, every progress note follows a standard format. When formats are standardized, incomplete or anomalous information stands out. Health care providers can spend less time figuring out what the report says and more time thinking about its meaning.

Flexibility

The written medical record is strictly a linear affair. Clinic visit notes, lab results, and progress reports are entered in strict chronological order, like the log book of a seagoing vessel. But medicine is anything but linear. Patients often have multiple, unrelated medical conditions. By forcing everything into a linear narrative the traditional paper chart mixes everything up. The story of the patient's fight with heart disease is interrupted by notes from the podiatrist, the dietician, and the dentist.

In reality, the medical record is more like a hypertext document (Figure 1); only in electronic form can it be expressed with the clarity and flexibility that it requires. If a clinician is interested in following the patient's heart disease, she can rearrange the information so that all the cardiologist's notes are together. She can move all the patient's electrocardiograms together to see how they've changed over the past year. She can even extract a single laboratory value, such as the patient's blood potassium level, and have the computer chart it over time.


Figure 1: The medical record consists of many interrelated parts, just some of which are shown here. Paper records force the parts to follow an artificial chronological order, but the electronic medical record allows their true hyperlinked relationships to be represented.

Problem Oriented Approach

At a time when the electronic medical record was just a distant dream, progressive medical and nursing schools were preaching a type of record keeping called the "problem oriented medical record." In this approach, the patient's medical condition is divided into a list of discrete problems, listed in order from most severe to least. For example, a typical problem list might look like this:

In this scheme, each entry in the medical record is explicitly organized around the problem list, indicating which problem(s) the note addresses, and summarizing the medical plan in regard to the others. As problems are resolved they're removed from the list. As new problems appear they're added.

Because of the flexibility of the electronic medical record, the problem oriented approach really comes into its own. Health care providers can instantly focus in on the problem they're interested in. Quality assurance personnel can quickly determine whether each problem is receiving the attention that the standard of care requires.

Machine-Assisted Decision Making

With the medical record organized in a standard way, the computer can begin to help in a limited way with the medical decision making process itself. The most important aspect of this is the ability of the computer to catch and flag human errors. For example, there are over 3,000 medications in common usage. Most patients take several drugs simultaneously, and quite a few drugs have known adverse interactions with others. It's impossible for the average physician to keep track of all the drug interactions; many are rare, and some have come to light only recently. Here's where the computer system can help. It knows all the patient's meds and has an up-to-date database of adverse interactions. When the doctor prescribes a new medication, the computer scans its database for interactions with any of the patient's existing pharmaceuticals. If an interaction is found, the computer flags the problem and notifies the doctor, emphasizing its point with a capsule review and bibliographic references. The computer can catch misplaced decimal points and other errors that could result in a patient receiving a drug overdose.

Similarly, the computer system can be on the lookout for life-threatening results in the patient's laboratory test data. If routine blood chemistries detect a dangerously low potassium level, the system can raise an alert immediately rather than waiting for someone to notice the problem. Things can also be wired so that the computer will notice problems that arise from interactions between different parts of the medical record. For example, some medications are dangerous when used on patients with certain underlying medical conditions. The antibiotic gentamicin, for instance, should not be used in a patient with kidney disease, as it can damage the kidneys even further. If the computer sees "kidney disease" listed on the patient's problem list, or detects anomalous laboratory values that are indicative of kidney disease, it will complain and ask for confirmation if a physician tries to prescribe the antibiotic.

Quality Assurance

"Quality assurance" is managed care's euphemism for cost control. Quality assurance means that patients shouldn't receive expensive tests and medical procedures that they don't need. Since unnecessary tests and procedures don't improve the patient's life (and sometimes make it much worse) quality assurance is good for everyone. The electronic medical record makes quality assurance practical. The computer system audits the patient's problem list, diagnoses, laboratory tests, medications, and procedure notes. If it sees a test, medication, or procedure that doesn't seem to be justified by the patient's medical condition, it can request further information from the physician or alert someone in the quality assurance department to investigate. The system can also detect physicians who order an unusually high number of lab tests or whose patients have an abnormally high rate of hospitalization.

This may sound big-brotherish, but it's far better than the way quality assurance is now done in institutions that rely on paper records. Here, armies of clerks prowl the wards, reading through patients' charts in minute detail, searching for anomalies.

There's also a more positive side to quality assurance. The computer can help ensure that the medical system applies a uniform and consistently high standard of care. For example, the standard of care at one institution might be that women with an abnormal pap smear are scheduled for a repeat pap smear after six months. If it is still abnormal they are scheduled for a cervical biopsy to investigate the possibility of a cancerous or precancerous condition. The electronic medical record allows the computer system to detect when a woman's pap smear results are abnormal and to set the wheels in motion. It notifies the clinician of the abnormal result and generates the standard letter to the patient. It schedules the repeat appointment, and makes sure that the pap smear actually happens. If the pap is again abnormal, the computer system makes sure that the biopsy is scheduled and performed.

Online Health Care

Health care is not, and never has been, delivered at a single geographic site. Patients go to one office to see their gynecologists, to another for dental work. If they get sick enough to require hospitalization they'll likely end up in a hospital affiliated with their health plan. Increasingly, many routine lab tests and radiological procedures are now performed and interpreted by outside commercial enterprises rather than by labs located within the hospital walls. By taking advantage of the network infrastructure, electronic medical records allow patient information to be shared among these sites efficiently and rapidly.

An integrated medical record has other potential benefits. With paper records, the patient's medical history is never complete. Little bits and pieces of it are stashed away in file cabinets of all the hospitals and clinics the patient has ever visited. The electronic medical record offers the possibility of a centralized database that can hold the patient's entire medical history, from childhood pediatric visits to geriatric records.

Electronic medical records give health care providers remote access to the chart. Doctors can check up on their patients from home, ask for the advice of outside consultants in distant parts of the country, or follow their patients when they've been transferred to remote locations. This is a major boon to primary care doctors, who have long suffered the experience of being "cut out of the loop" when their patients were admitted to hospitals. Now personal physicians can actively participate in their patients' hospital management, reviewing the daily notes and treatment plan, and adding suggestions of their own to the chart. When radiologists are presented with particularly difficult cases, they can call in specialists for advice, transmitting the relevant X-rays and CT scan images across the Internet (there's even a name for this, teleradiology).

Travelers need not fear that they will take sick in a distant locale and be treated by doctors who don't understand their medical needs. With their medical record accessible online, the local doctors can come up to speed rapidly.

How Does the Web Fit In?

In the preceding discussion I have deliberately soft-pedaled one of the biggest problems of the evolving electronic medical records system: There is no standard for the EMR. Each hospital, HMO, health plan, and clinic has built its own system, sometimes from commercial systems, and sometimes from scratch. As the health care sector contracts, institutions have been seized by merger mania. As they merge, they discover the disconcerting fact that their EMR systems are incompatible. This makes it difficult to effectively share patient information within an institution, let alone distribute it remotely. At first glance, fixing this problem appears to involve massive database conversion, reengineering of existing systems, and the installation of custom software and hardware throughout the consolidated institution.

The Web offers a way out of this mess. With simple standards-based communications protocols (TCP/IP and HTTP), well-understood data conversion techniques (CGI scripts at the server side, Java and ActiveX at the client side), and a widely available, easy-to-use client (the browser), the World Wide Web is the natural platform for the electronic medical record of the future. It provides nonproprietary data encryption and authentication techniques (SSL), [A] allowing confidential information to remain that way, and a rich array of multimedia formats allowing X-ray images, microscopic images, and even digitized heart sounds to be distributed.

If you do a Lycos or AltaVista search for "electronic medical record," you'll find a dozen or so Web-based EMR systems that are in various phases of research, development, and deployment. One of the nicest online demos is the EMRS project, jointly developed by the Laboratory of Computer Science at Massachusetts Institute of Technology and Boston's Beth Israel, Children's, and Massachusetts General hospitals. It implements CGI gateways to the medical records databases maintained by these three hospitals, translating URL requests into database accesses on the fly, and converting the results into HTML pages, graphs, and other Web documents. You can try it out for yourself on a fictionalized database from this URL:

http://www.emrs.org/

Figure 2 gives you an idea of what the EMRS system looks like. Each patient's complete demographic data is online, as well as the record of all visits, procedures, lab tests, and medications. The data can be viewed chronologically, or organized functionally according to the patient's current problem list. Hyperlinks connect relevant parts of the record: you can jump from a progress report on the patient's thyroid disease to the series of lab values showing how the patient's thyroid function has changed over time.


Figure 2: An experimental EMR produced by MIT's Laboratory of Computer Science in conjunction with a number of medical hospitals converts the information in the clinical information system mainframe into a set of HTML pages. Hyperlinks lead to the patient's notes, demographic information, medications, and lab results.

Progress and visit notes are not available at this time because all three of the hospitals that participate in this project still keep these notes in written charts. However, the full text of discharge summaries and letters to the patient's personal physician are available.

Another example of a Web-based medical record system is available at:

http://vemr.virginia.edu/demo/homepg.htm

This system, run by the Neurosurgical department at the University of Virginia Health Sciences Center, is a fictionalized demo of an actual system this institution uses to manage patients. Figure 3 shows a page from this system. An interesting feature of its user interface is that it lists items from the patient's problem list in small tabs on a frame at the top of the window. When you click on the tab, all entries relating to the problem are displayed. Hyperlinks take you back and forth between different parts of the record, allowing you to view the patient's history in chronologic order, or to focus in on the aspect of the history that you're most interested in.


Figure 3: A Web-based EMR system in use at the University of Virginia Health Sciences Center department of Neurosurgery incorporates images as well as text. The tabs at the top and bottom of the main frame include components of the problem list (in this example 'Parkinsonism') as well as links to other parts of the medical record.

The Dark Side of the EMR

As the scenarios at the beginning of this article suggested, the electronic medical record has its problems too. The main issues are reliability, accountability, and patient privacy.

Reliability

Despite their many shortcomings, paper charts are still very reliable. They will withstand power outages, electrical storms, air conditioning failures, electromagnetic pulses, and, yes, even the Millennium Bomb. They are also completely impervious to programming errors--public enemy number one of the software world. When I visited a devastated hospital in Uganda soon after their civil war, I found that nearly everything was broken: there was no electricity, no running water, no autoclaves, no medication, no clean syringes. However, the paper-based medical records system, miraculously, was still running smoothly despite the chaos.

An electronic medical record system needs to be at least as reliable as a paper system. The system cannot crash, it cannot hang, it cannot behave capriciously without having potentially life-threatening consequences. This has obvious implications for Internet-based EMR systems. There is no room for network blackouts or slowdowns.

Accountability

When a physician signs a progress note, a medical order, or a prescription, her signature is a legal statement of responsibility. On the basis of this signature, the pharmacy will fill the prescription, the therapist will begin a round of radiation therapy, or the patient will be led off to surgery. In a world where the only record kept of life and death decisions is in a malleable, easily forgeable medium, it's critical to have a reliable substitute for the signature. Some institutions have addressed this issue by claiming that the secret login key assigned to their employees constitutes a legally binding signature. When a health care worker enters an order, note or diagnostic report, she "signs" it by entering her secret key.

This is an inadequate solution. A typical case is exemplified by one of the hospitals that I have worked at. Although this hospital hasn't abandoned the paper chart yet, it's fairly advanced along that path. Diagnostic reports, medical orders for tests, and inpatient prescriptions are all handled via the clinical information system. To access the system, you must type in your secret key (key only--a user name isn't required), consisting of five uppercase alphanumeric characters. For example, one of my previous passwords was HQ7BB. The user doesn't choose these keys; the system generates them automatically and changes them every six months.

What's wrong with this system? For one thing, by assigning random keys to the users, the system effectively forces users to write their passwords down. My wallet contains various slips of paper containing my current password and several of my previous ones. Written passwords are easily lost, stolen, or read over someone's shoulder. They're also vulnerable to sharing among friends and associates.

For another thing, this password system is prone to guessing. You'd think that the password space for this key system would be 36 (26 letters plus ten numerals) raised to the fifth power, or somewhat more than sixty million possible passwords. However, inspection of a handful of valid passwords suggests that the random number generator always generates a key that contains exactly four alphabetic characters and one numeral. The password space is really more like this:


26^4 + 10^4 = 1.04E6

or somewhat more than a million possible keys. This might still seem like a lot, but consider that the hospital--plus its various affiliates and outpatient clinics--employs somewhere between 5,000 and 10,000 employees, a substantial proportion of whom have access to the computer system. This means that if you were to guess at keys randomly, you need only try a hundred or so guesses before you hit someone's key. In fact, the odds may be better than this. Nearly everyone who has used this system has had the experience of "breaking in" to someone else's account just by accidentally mistyping their key!
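The arithmetic behind the "hundred or so guesses" estimate, as an added Go example that is not part of the original article: it takes the article's own figures (36^5, 1.04E6, and 5,000 to 10,000 keys) as inputs and compares key-only login with a login that also requires a user name. The function names, the daily login count, and the typo rate are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"math"
)

// Figures stated in the article.
const (
	FullKeyspace   = 36 * 36 * 36 * 36 * 36 // 36^5 = 60,466,176
	StatedKeyspace = 1.04e6                 // the article's estimate of the effective space
)

// PHitKeyOnly is the chance that one uniformly random guess matches some valid
// key when login takes a key and no user name: every active key is a target.
func PHitKeyOnly(keyspace float64, activeKeys int) float64 {
	return float64(activeKeys) / keyspace
}

// PHitWithUserName is the same chance when the key is checked against one
// named account only, which is what requiring a user name achieves.
func PHitWithUserName(keyspace float64) float64 {
	return 1 / keyspace
}

// ExpectedGuesses is the mean number of independent guesses until the first hit.
func ExpectedGuesses(p float64) float64 {
	return 1 / p
}

// PWithin is the chance that at least one of n independent guesses hits.
func PWithin(p float64, n int) float64 {
	return 1 - math.Pow(1-p, float64(n))
}

// AccidentalHitsPerDay estimates how often a mistyped key opens a colleague's
// account. Assumption: a typo lands uniformly in the effective key space.
func AccidentalHitsPerDay(keyspace float64, activeKeys int, loginsPerDay, typoRate float64) float64 {
	return loginsPerDay * typoRate * float64(activeKeys-1) / keyspace
}

func main() {
	for _, n := range []int{5000, 10000} {
		p := PHitKeyOnly(StatedKeyspace, n)
		fmt.Printf("%5d keys, key only: %.0f guesses expected, P(hit within 100) = %.2f\n",
			n, ExpectedGuesses(p), PWithin(p, 100))
	}
	fmt.Printf("full 36^5 space, 10000 keys, key only: %.0f guesses expected\n",
		ExpectedGuesses(PHitKeyOnly(FullKeyspace, 10000)))
	fmt.Printf("user name + key, one account: %.0f guesses expected\n",
		ExpectedGuesses(PHitWithUserName(StatedKeyspace)))
	// Assumed load: 50,000 logins a day, 2% of them mistyped.
	fmt.Printf("accidental cross-logins per day: %.1f\n",
		AccidentalHitsPerDay(StatedKeyspace, 10000, 50000, 0.02))
}
```

Because a failed key-only login is not tied to any account, per-account lockout has nothing to count against; requiring a user name both shrinks the per-guess odds and makes lockout possible.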

With a system like this in place, how can a patient hold a doctor legally responsible for any order placed in the medical record system? The doctor can simply protest that he lost his key or that someone must have guessed it. How can we guard the system against malicious individuals who plant embarrassing or even health-threatening information in the system using a valid, but stolen key? Conversely, how can we be sure that the health care institution itself doesn't tamper with the medical record in order to delete information that might be legally damaging to it?

EMR systems need to use a secure, verifiable, and untamperable form of digital signature, coupled with a message integrity check to ensure that the record itself isn't tampered with. The software industry already has more than enough technical solutions for this particular problem, but makers of electronic medical record systems have been slow to adopt them. At some point, however, I'm confident that some combination of smart card, public key cryptography, secure hash algorithm, and/or digitally signed certificate will ensure that we can trust the electronic medical record to tell the truth. [B]
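The combination this paragraph calls for, as an added example that is not from the article or from any EMR product: each chart entry carries its author's Ed25519 signature and the SHA-256 digest of the previous entry, so a silently edited order or a deleted entry shows up on verification. The entry fields, clinician ids and the use of Node.js's built-in crypto module are assumptions of the example.

```javascript
// Added example: signed, hash-chained chart entries. All names are hypothetical.
const nodeCrypto = require('node:crypto');
const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest('hex');
// Canonical text that is hashed and signed; the field order is fixed here.
const canonical = (e) => JSON.stringify([e.seq, e.prev, e.author, e.time, e.text]);

// Append an entry signed with the author's private key (assumed to live on a
// smart card in practice; generated in memory for this example).
function appendEntry(chart, author, privateKey, time, text) {
  const prev = chart.length ? chart[chart.length - 1].digest : '0'.repeat(64);
  const entry = { seq: chart.length, prev, author, time, text };
  const body = canonical(entry);
  entry.digest = sha256(body);
  entry.sig = nodeCrypto.sign(null, Buffer.from(body), privateKey).toString('base64');
  chart.push(entry);
}

// Returns [] for an intact chart, otherwise one finding per failed check.
function verifyChart(chart, publicKeys) {
  const findings = [];
  let prev = '0'.repeat(64);
  chart.forEach((e, i) => {
    const body = canonical(e);
    if (e.seq !== i || e.prev !== prev) findings.push(`entry ${i}: chain broken`);
    if (sha256(body) !== e.digest) findings.push(`entry ${i}: digest mismatch`);
    const key = publicKeys[e.author];
    const sig = Buffer.from(e.sig, 'base64');
    if (!key || !nodeCrypto.verify(null, Buffer.from(body), key, sig)) {
      findings.push(`entry ${i}: bad signature for ${e.author}`);
    }
    prev = e.digest;
  });
  return findings;
}

// Constructed sample data: two clinicians, three entries, two kinds of tampering.
function demoChart() {
  const a = nodeCrypto.generateKeyPairSync('ed25519');
  const b = nodeCrypto.generateKeyPairSync('ed25519');
  const keys = { 'dr-a': a.publicKey, 'dr-b': b.publicKey };
  const chart = [];
  appendEntry(chart, 'dr-a', a.privateKey, '10:32', 'Allergy: bee sting');
  appendEntry(chart, 'dr-b', b.privateKey, '10:40', 'Order: epinephrine');
  appendEntry(chart, 'dr-a', a.privateKey, '11:10', 'Patient alert');
  const edited = chart.map((e) => ({ ...e }));
  edited[1].text = 'Order: none';        // silent edit of a signed order
  const removed = [chart[0], chart[2]];  // entry deleted from the middle
  return { intact: verifyChart(chart, keys), edited: verifyChart(edited, keys),
    removed: verifyChart(removed, keys) };
}
```

A hash chain cannot reveal entries dropped from the end, so the newest digest also has to be recorded somewhere the record keeper cannot rewrite.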

Patient Privacy

This is the most troubling issue for the electronic medical record. Our medical records hold some of our most intimate and private information. Medical records can reveal a history of drug abuse, a venereal disease, or a life-threatening illness. Psychiatric notes reveal inner fantasies, sexual peccadilloes, crimes, or the crimes and abuses of family members. The information from genetic tests can reveal not only that a patient is susceptible to some disease, but that her children and other family members are susceptible as well. If medical records are disclosed, you can lose your insurance, your job, or even your marriage. Is the price we pay for making our medical records easily accessible to health care providers the complete loss of our privacy?

These concerns, which have been simmering for years, were brought forcefully into the public eye about a year ago, in a well-publicized case in Florida. A worker in a Florida state agency that conducts "anonymous and confidential" testing for the AIDS virus decided that it was his duty to protect the public from infection. He downloaded the list of HIV positive patients to a floppy disk and distributed it to his friends, encouraging them to use the list to avoid picking up the wrong date. Without even the Internet to help out, thousands of people had their medical confidentiality violated in one blow.

If medical records are distributed via the World Wide Web, how are we to ensure that only authorized medical practitioners have access to them? I submit that the Web itself won't present the major problem. The cryptographic protocols, digital signatures, and certificate infrastructure that are being built to protect financial transactions will be more than adequate to protect medical data while it flows across the Internet. To the extent that computer systems can be protected with a combination of firewalls, strong authentication, and hardened operating systems, the databases that store medical records will be made safe from crackers, vandals, and idle thrill seekers.

The problem is to define "authorized medical practitioner." Health care institutions have become vast, and every employee in those institutions is potentially an authorized practitioner. In addition to the doctor and nursing staff, there are medical students, nursing students, physical therapists, occupational therapists, dieticians, social workers, radiation therapists, nuclear medicine techs, EKG techs, and a host of other medical and paramedical positions. On top of the caregivers is the bureaucracy entrusted with quality assurance, billing, and insurance coding. The insurance companies themselves feel they have a legitimate right to review the medical record, or at least to know what diagnoses and diagnostic tests are in it. Some people are nosy, some gossip. Others can be bought. When thousands of people have access to the juicy information contained within medical records from the comfort and safety of their own homes, you can be sure that some accesses will not be legitimate. In my own experience I have encountered several cases in which hospital employees have used the clinical information system inappropriately to look up data on recently admitted celebrities, friends, relatives, relatives of friends, and friends of relatives.

Obviously not everyone should have the right to peruse all parts of the medical record. Dieticians should only have the right to see those parts of the record that are relevant to the patient's diet. Physical therapists shouldn't be browsing the psychiatric notes. A doctor shouldn't have access to the records of a patient she hasn't any responsibility for. You would think that you could segment the medical record on a "need to know" basis, the way the military does with classified information. However, this has turned out to be surprisingly difficult to do. In order to do his work properly, the dietician needs to know the patient's allergies, medications, and any relevant medical conditions, such as heart disease, diabetes or renal failure. In a hospital environment doctors frequently cover for one another, and in an emergency no one should be denied access to the patient's record just because the system doesn't recognize one's need to know. A large number of medical ethicists, committees, and congressional panels have wrestled with this problem, and as yet no one has arrived at a satisfactory solution.
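One way to write down the constraints in this paragraph, as an added example rather than a system the article describes: role-to-section rules, a care-team check, and an emergency override that is granted but always logged for later review. The role names, section names, care-team source and review threshold are assumptions.

```javascript
// Added example; roles, sections and the review threshold are hypothetical.
const SECTIONS_BY_ROLE = {
  physician: ['problems', 'medications', 'allergies', 'labs', 'psychiatric'],
  dietician: ['problems', 'medications', 'allergies'],
  physical_therapist: ['problems', 'medications'],
};

// careTeam maps patient id -> Set of user ids currently responsible for the
// patient (assumed to be fed by admissions and the cover schedule).
function decide(log, user, patientId, section, careTeam, emergencyReason) {
  const sections = SECTIONS_BY_ROLE[user.role] || [];
  const onTeam = (careTeam[patientId] || new Set()).has(user.id);
  let outcome = 'deny';
  if (sections.includes(section) && onTeam) {
    outcome = 'allow';
  } else if (emergencyReason && sections.length) {
    // Emergency access is not refused to a known role, but it must carry a
    // reason and is always recorded as an override.
    outcome = 'override';
  }
  log.push({ user: user.id, patientId, section, outcome, reason: emergencyReason || null });
  return outcome;
}

// Entries a privacy officer should look at: every override, plus denials from
// any user who was refused more than once (a pattern that suggests browsing).
function reviewQueue(log) {
  const denials = {};
  for (const e of log) {
    if (e.outcome === 'deny') denials[e.user] = (denials[e.user] || 0) + 1;
  }
  return log.filter((e) => e.outcome === 'override' ||
    (e.outcome === 'deny' && denials[e.user] > 1));
}

// Constructed sample data.
function demoAccess() {
  const log = [];
  const careTeam = { p1: new Set(['d1', 't3']) };
  const d1 = { id: 'd1', role: 'dietician' };
  const t3 = { id: 't3', role: 'physical_therapist' };
  const m2 = { id: 'm2', role: 'physician' };  // not on p1's care team
  const outcomes = [
    decide(log, d1, 'p1', 'allergies', careTeam),
    decide(log, d1, 'p1', 'psychiatric', careTeam),
    decide(log, t3, 'p1', 'psychiatric', careTeam),
    decide(log, m2, 'p1', 'problems', careTeam),
    decide(log, m2, 'p1', 'problems', careTeam, 'covering; patient unresponsive'),
    decide(log, m2, 'p9', 'labs', careTeam),
  ];
  return { outcomes, review: reviewQueue(log) };
}
```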

Recently, a panel appointed by the U.S. National Research Council met to discuss the privacy threats posed by distributing medical records on the Internet. They concluded that the Internet isn't the problem: the same technical solutions used to protect corporate and financial data can be used to protect patient privacy against interception by people outside the health care system. The real threat, they concluded, is the widespread and unregulated sharing of medical information among the many public and private arms of the medical system, including insurance companies, health care administrators, and government agencies. [C]

In the absence of a clear solution to this problem, some health care providers have reined back their plans to convert to a completely digital medical record. Recently, the Plymouth Health Plan of Massachusetts, on the eve of unveiling a new electronic medical record system that would completely replace their paper system, had second thoughts. Putting the new system on hold, they held an intensive series of meetings with patient groups, ethicists, and physicians. Eventually, they arrived at a compromise solution. Certain parts of the medical record that everyone felt were important for providing quality care--current medications, allergies, and problem lists--would be incorporated into the electronic system. Sensitive parts, such as psychiatric notes, would be kept in written form only and maintained in the traditional way.

The privacy risks posed by the electronic medical record are not primarily technological ones, but social and political ones. What we need most is well-considered legislation that lays down guidelines on how medical information should be used, who should have access to it, and what parts should be made available. Only when these issues are resolved to everyone's satisfaction can the electronic medical record assume its rightful place on the Web.

About the Author

Lincoln Stein
CuraGen Corporation
555 Long Wharf Drive
New Haven, CT 06511
lstein@genome.wi.mit.edu

Lincoln Stein is a part-time pathologist, part-time Director of Information Systems at CuraGen Corporation, and a full-time Perl hacker.


[A] For more information on SSL, see the article entitled "Introducing SSL and Certificates Using SSLeay" by Frederick Hirsch, in this issue.
[B] These techniques are described in Simson Garfinkel and Gene Spafford's article, "Cryptography and the Web." For more detail on digital signatures, see the DSig 1.0 Signature Label specification in the "W3C Reports" section of this issue.
[C] For details on the report, see http://www2.nas.edu/cstbweb/ .