In cases like this one, where someone experiences a sudden loss of consciousness, the range of possible diagnoses is vast. Among the possibilities are heart disease, drug overdose, infection, stroke, and various metabolic diseases. The treatment for each disease is vastly different. Some conditions, like an intracranial bleed, must receive appropriate treatment immediately. Others, like an epileptic seizure, will resolve by themselves if left untreated. Often the key to making the right diagnosis in a timely fashion is the patient's medical history, but an unconscious patient is in no position to answer questions.
In this case, the patient's wallet reveal only his name and an address in Boston; there are no medications to hint at the existence of a medical condition, and no contact information for family members, doctor, or medical facility. He appears to be on a business trip and is not known to anyone in Phoenix.
The traditional medical response to this situation would be to try a little bit of everything: a dose of an opiate-inhibitor to treat potential heroin overdose, an intravenous line of 50% glucose to cover insulin shock in a diabetic, a broad-spectrum antibiotic to treat possible shock from an overwhelming bacterial infection, and an EKG and blood samples to rule out a heart attack. However, the emergency room has just installed a state-of-the-art Internet-based medical record system. While the intern on duty is evaluating the patient in the traditional way, the resident strolls up to one of the ER computers, fires up Internet Explorer 7.0, and connects to the central search service, "MedCrawler." She enters the appropriate authorization codes, types in the patient's name and address, and within a few seconds is browsing the patient's full medical record. There at the top of the patient's "problem list" is the answer: a severe bee-sting allergy. The patient has somehow contrived to get himself stung by a bee. His sudden physical collapse is the result of anaphylactic shock. She and the intern immediately begin the standard treatment for allergic anaphylaxis with epinephrine and antihistamines. Half an hour later the patient is up, alert, and very, very grateful.
This idyllic situation does not last long. A member of the opposition party, a declared enemy of the reigning administration, quietly hires a hacker to break into the nominee's medical records. Within a day, and without leaving the comfort of his vacation home in the south of France, the hacker has bypassed the security measures on the nominee's records by exploiting an implementation hole in the authentication stack. He downloads the nominee's records, burns them into a CD-ROM, and sends the CD-ROM off by FedEx.
Over the next few days, tantalizing tidbits of information about the nominee are leaked to the press. It's found out, for example, that years ago she had an abortion. This angers abortion-rights opponents. She was briefly treated for depression, raising doubts about her mental stability. A recent uterine biopsy shows hyperplasia, a precancerous condition, but one that raises doubts about her health. Then the stunner. The National Enquirer headlines screams from the grocery store racks: "State Department Pick Cheats on Hubby." Sure enough, a portion of the nominee's psychiatric records has just been leaked. In them, she talks with her therapist frankly about an extramarital affair. Washington's pro-family forces rally against the nomination, forcing the nominee to beat a humiliating withdrawal.
"I see that you've coded this guy's diagnosis as DSM-IIIR 300.02: Generalized Anxiety Disorder," says the clerk, referring to one of the diagnostic codes in the Diagnostic and Statistical Manual of Mental Disorers, Third Edition (revised).
"Yes, that's right," answers the psychotherapist.
"The plan won't accept that one. You need a more specific diagnosis" says the clerk. "Well, I was wondering . . . I see here that this guy was sexually abused as a kid, so how about if we change this to a 309.81, Post-traumatic Stress Disorder. We use that one a lot here."
The psychotherapist is taken aback. Apparently the full text of her therapy notes, filed with the patient's electronic medical record, is available to the health plan's clerks, accountants, and insurance adjusters. Who else in the plan has access to this information?
The electronic medical record (EMR) is an inevitability. Already every major hospital in this country has some form of EMR, whether a simple system for storing and retrieving laboratory test results, or a comprehensive system for recording the full text of the patient's medical history, medications, progress notes, and test results. As managed care becomes increasingly pervasive and the health care system coalesces into a set of large regional "alliances," the EMR will become essential for coordinating a patient's care among a network of affiliated hospitals, clinics, HMO's, and medical offices.
During the patient's stay, the chart is his constant companion. Every interview, test, order, or medication that the patient receives is entered into the chart, dated, and signed by the responsible physician, nurse, or therapist. As a patient is moved about the hospital, from ward to X-ray to operating room, the chart accompanies him, often dangling from a specially-designed bracket on the gurney. When the patient leaves the hospital, a "discharge note" is entered into the chart. The chart is then returned to medical records for filing.
The paper system has never been much good. Charts are misfiled, pages fall out, notes are entered in the wrong order, and a poorly-placed cup of coffee (or urine specimen) can wipe out a patient's entire medical history. Another chronic problem of the paper record is the well-known illegibility of doctors' handwriting, which can obscure important medical information. Inevitably, mistakes occur during transcription which are propagated throughout the written record. Sometimes consequences of such mistakes are disastrous: a diabetic patient has the wrong leg amputated; a misunderstanding of the pathology report causes the surgeon to remove a benign portion of colon rather than the portion containing the cancer; a patient is nearly given a lethal dose of the anti-cancer drug chlorambucil rather than the antibiotic chloramphenicol.
Over the past twenty years, medical institutions have increasingly turned to computerization for help managing patient information. Inevitably, the first department to be computerized is Accounts Receivable. After that, the next departments to get computer systems are Radiology, whose task involves keeping track of ten thousand or more X-ray, CT, and ultrasound studies per year, and the Clinical Laboratory, which processes hundreds of blood and fluid specimens each day.
When I was in medical school in the mid 80s, the hospitals I worked in had an amusingly inefficient system for incorporating the computerized data from the laboratory systems into the paper chart. One of the medical student's chief duties was to run down to the clinical laboratory at regular intervals, use the computer system to look up patients' test results, run back to the ward, and transcribe the results into the paper record. Really advanced hospitals had dumb terminals at the end of each patient ward. Medical students could log into the lab system and retrieve the results without traveling any great distance. Unfortunately, the terminals were often down and we ended up making the trip anyway.
By and large these early medical information systems weren't integrated. To get a radiology report you had to find a terminal connected to the radiology system. To get the report on a biopsy you had to log into the pathology system. One emergency room that I worked with had two terminals sitting side by side. One was used to retrieve blood gas chemistry results (the concentration of oxygen and carbon dioxide in patients' blood). The other was used to retrieve all other blood analyses!
During the late 80s health care institutions made a concerted effort to weld the individual laboratory computers into integrated "clinical information systems." From a single terminal or PC located in the office or hospital ward, health care workers could retrieve all the patients' test results, including blood chemistry, microbiology, radiology, and biopsy reports. By employing transcription services, hospitals and clinics also began to incorporate important parts of the clinical narrative as well. Surgical operative notes and discharge notes started appearing in the clinical information system, as well as capsule summaries of patient's medical problems ("problem lists") and lists of their current medications.
When managed care changed the face of medicine in the 90s, the face of the medical record changed as well. The spread of multi-institution "partnerships," "plans," and "alliances" across the countryside made it impractical to shuttle paper charts around. Doctors now had many more patients to see, and less time to do it in. Interviews and physical exams had to be efficient, expedient, and to the point. Leafing through a new patient's chart and trying to figure out the person's current medical issues just wouldn't cut it in this new world. Further, in order to keep costs under control, the medical plans needed to closely monitor doctors to ensure that every patient was receiving only the diagnostic tests and therapeutic interventions appropriate for his medical condition.
The computerization of the medical record has accelerated rapidly in recent years. In many centers, essential medical history such as clinic visits, hospital admission notes, problem lists, allergies, discharge orders, diagnostic tests, labor and delivery records, medications, and even dietary notes are kept in electronic form. When a doctor goes to see a patient, all the most important information is now instantly available on the computer or terminal in neatly organized, legible, and searchable form. A few health care providers have even taken the next step--abolishing the written record entirely for a system in which doctors and nurses enter notes into the computer directly and sign them with a digital signature. The notes are crunched into a record-oriented format and stored into a large database.
It's important to emphasize, however, that the traditional written chart is far from dead. Most health care systems still use some combination of electronic medical records and paper charts. It may be a decade or more before the written record is gone for good.
In reality, the medical record is more like a hypertext document (Figure 1); only in electronic form can it be expressed with the clarity and flexibility that it requires. If a clinician is interested in following the patient's heart disease, she can rearrange the information so that all the cardiologist's notes are together. She can move all the patient's electrocardiograms together to see how they've changed over the past year. She can even extract a single laboratory value, such as the patient's blood potassium level, and have the computer chart it over time.
Figure 1: The medical record consists of many interrelated parts, just some of which are shown here. Paper records force the parts to follow an artificial chronological order, but the electronic medical record allows their true hyperlinked relationships to be represented.
Because of the flexibility of the electronic medical record, the problem oriented approach really comes into its own. Health care providers can instantly focus in on the problem they're interested in. Quality assurance personnel can quickly determine whether each problem is receiving the attention that the standard of care requires.
Similarly, the computer system can be on the lookout for life-threatening results in the patient's laboratory test data. If routine blood chemistries detect a dangerously low potassium level, the system can raise an alert immediately rather than waiting for someone to notice the problem. Things can also be wired so that the computer will notice problems that arise from interactions between different parts of the medical record. For example, some medications are dangerous when used on patients with certain underlying medical conditions. The antibiotic gentamicin , for instance, should not be used in a patient with kidney disease, as it can damage the kidneys even further. If the computer sees "kidney disease" listed on the patient's problem list, or detects anomalous laboratory values that are indicative of kidney disease, it will complain and ask for confirmation if a physician tries to prescribe the antibiotic.
This may sound big-brotherish, but it's far better than the way quality assurance is now done in institutions that rely on paper records. Here, armies of clerks prowl the wards, reading through patients' charts in minute detail, searching for anomalies.
There's also a more positive side to quality assurance. The computer can help ensure that the medical system applies a uniform and consistently high standard of care. For example, the standard of care at one institution might be that women with an abnormal pap smear are scheduled for a repeat pap smear after six months. If it is still abnormal they are scheduled for a cervical biopsy to investigate the possibility of a cancerous or precancerous condition. The electronic medical record allows the computer system to detect when a woman's pap smear results are abnormal and to set the wheels in motion. It notifies the clinician of the abnormal result and generates the standard letter to the patient. It schedules the repeat appointment, and makes sure that the pap smear actually happens. If the pap is again abnormal, the computer system makes sure that the biopsy is scheduled and performed.
An integrated medical record has other potential benefits. With paper records, the patient's medical history is never complete. Little bits and pieces of it are stashed away in file cabinets of all the hospitals and clinics the patient has ever visited. The electronic medical record offers the possibility of a centralized database that can hold the patient's entire medical history, from childhood pediatric visits to geriatric records.
Electronic medical records give health care providers remote access to the chart. Doctors can check up on their patients from home, ask for the advice of outside consultants in distant parts of the country, or follow their patients when they've been transferred to remote locations. This is a major boon to primary care doctors, who have
long suffered the experience of being "cut out of the loop" when their patients were admitted to hospitals. Now personal physicians can actively participate in their patients' hospital management, reviewing the daily notes and treatment plan, and adding suggestions of their own to the chart. When radiologists are presented with particularly difficult cases, they can call in specialists for advice, transmitting the relevant X-rays and CT scan images across the Internet (there's even a name for this, teleradiology ).
Travelers need not fear that they will take sick in a distant locale and be treated by doctors who don't understand their medical needs. With their medical record accessible online, the local doctors can come up to speed rapidly.
The Web offers a way out of this mess. With simple standards-based communications protocols (TCP/IP and HTTP), well-understood data conversion techniques (CGI scripts at the server side, Java and ActiveX at the client side), and a widely available, easy-to-use client (the browser), the World Wide Web is the natural platform for the electronic medical record of the future. It provides nonproprietary data encryption and authentication techniques (SSL), [A] allowing confidential information to remain that way, and a rich array of multimedia formats allowing X-ray images, microscopic images, and even digitized heart sounds to be distributed.
If you do a Lycos or AltaVista search for "electronic medical record," you'll find a dozen or so Web-based EMR systems that are in various phases of research, development, and deployment. One of the nicest online demos is the EMRS project, jointly developed by Laboratory of Computer Science at Massachusetts Institute of Technology and Boston's Beth Israel, Children's, and Massachusetts General hospitals. It implements CGI gateways to the medical records databases maintained by these three hospitals, translating URL requests into database accesses on the fly, and converting the results into HTML pages, graphs, and other Web documents. You can try it out for yourself on a fictionalized database from this URL:
Figure 2 gives you an idea of what the EMRS system looks like. Each patient's complete demo graphic data is online, as well as the record of all visits, procedures, lab tests, and medications. The data can be viewed chronologically, or organized functionally according to the patient's current problem list. Hyperlinks connect relevant parts of the record: you can jump from a progress report on the patient's thyroid disease to the series of lab values showing how the patient's thyroid function has changed over time.
Figure 2: An experimental EMR produced by MIT's Laboratory of Computer Science in conjunction with a number of medical hospitals converts the information in the clinical information system mainframe into a set of HTML pages. Hyperlinks lead to the patient's notes, demographic information, medications, and lab results.
Progress and visit notes are not available at this time because all three of the hospitals that participate in this project still keep these notes in written charts. However the full text of discharge summaries and letters to the patient's personal physician are available.
Another example of a Web-based medical record system is available at:
This system, run by the Neurosurgical department at the University of Virginia Health Sciences Center, is a fictionalized demo of an actual system this institution uses to manage patients. Figure 3 shows a page from this system. An interesting feature of its user interface is that it lists items from the patient's problem list in small tabs on a frame at the top of the window. When you click on the tab, all entries relating to the problem are displayed. Hyperlinks take you back and forth between different parts of the record, allowing you to view the patient's history in chronologic order, or to focus in on the aspect of the history that you're most interested in.
Figure 3: A Web-based EMR system in use at the University of Virginia Health Sciences Center department of Neurosurgery incorporates images as well as text. The tabs at the top and bottom of the main frame include components of the problem list (in this example 'Parkinsonism') as well as links to other parts of the medical record.
An electronic medical record system needs to be at least as reliable as a paper system. The system cannot crash, it cannot hang, it cannot behave capriciously without having potentially life-threatening consequences. This has obvious implications for Internet-based EMR systems. There is no room for network blackouts or slowdowns.
This is an indequate solution. A typical case is exemplified by one of the hospitals that I have worked at. Although this hospital hasn't abandoned the paper chart yet, it's fairly advanced along that path. Diagnostic reports, medical orders for tests, and inpatient prescriptions are all handled via the clinical information system. To access the system, you must type in your secret key (key only--a user name isn't required), consisting of five uppercase alphanumeric characters. For example, one of my previous passwords was HQ7BB . The user doesn't choose these keys; the system generates them automatically and changes them every six months.
What's wrong with this system? For one thing, by assigning random keys to the users, the system effectively forces users to write their passwords down. My wallet contains various slips of paper containing my current password and several of my previous ones. Written passwords are easily lost, stolen, or read over someone's shoulder. They're also vulnerable to sharing among friends and associates.
For another thing, this password system is prone to guessing. You'd think that the password space for this key system would be 36 (26 letters plus ten numerals) raised to the fifth power, or somewhat more than sixty million possible passwords. However, inspection of a handful of valid passwords suggests that the random number generator always generates a key that contains exactly four alphabetic characters and one numeral. The password space is really more like this:
26^4 + 10^4 = 1.04E6or somewhat more than a million possible keys. This might still seem like a lot, but consider that the hospital--plus its various affiliates and outpatient clinics--employ somewhere between 5,000 and 10,000 employees, a substantial proportion of whom have access to the computer system. This means that if you were to guess at keys randomly, you need only try a hundred or so guesses before you hit someone's key. In fact, the odds may be better than this. Nearly everyone who has used this system has had the experience of "breaking in" to someone else's account just by accidentally mistyping their key!
With a system like this in place, how can a patient hold a doctor legally responsible for any order placed in the medical record system? The doctor can simply protest that he lost his key or that someone must have guessed it. How can we guard the system against malicious individuals who plant embarassing or even health-threatening information in the system using a valid, but stolen key? Conversely, how can we be sure that the health care institution itself doesn't tamper with the medical record in order to delete information that might be legally damaging to it?
EMR systems need to use a secure, verifiable, and untamperable form of digital signature, coupled with a message integrity check to ensure that the record itself isn't tampered with. The software industry already has more than enough technical solutions for this particular problem, but makers of electronic medical record systems have been slow to adapt them. At some point, however, I'm confident that some combination of smart card, public key cryptography, secure hash algorithm, and/or digitally signed certificate will ensure that we can trust the elecronic medical record to tell the truth. [B]
These concerns, which have been simmering for years, were brought forcefully into the public eye about a year ago, in a well-publicized case in Florida. A worker in a Florida state agency that conducts "anonymous and confidential" testing for the AIDS virus decided that it was his duty to protect the public from infection. He downloaded the list of HIV positive patients to a floppy disk and distributed it to his friends, encouraging them to use the list to avoid picking up the wrong date. Without even the Internet to help out, thousands of people had their medical confidentiality violated in one blow.
If medical records are distributed via the World Wide Web, how are we to ensure that only authorized medical practitioners have access to them? I submit that the Web itself won't present the major problem. The cryptographic protocols, digital signatures, and certificate infrastructure that is being built to protect financial transactions will be more than adequate to protect medical data while it flows across the Internet. To the extent that computer systems can be protected with a combination of firewalls, strong authentication, and hardened operating systems, the databases that store medical records will be made safe from crackers, vandals, and idle thrill seekers.
The problem is to define "authorized medical practitioner." Health care institutions have become vast, and every employee in those institutions is potentially an authorized practitioner. In addition to the doctor and nursing staff, there are medical students, nursing students, physical therapists, occupational therapists, dieticians, social workers, radiation therapists, nuclear medicine techs, EKG techs, and a host of other medical and paramedical positions. On top of the caregivers is the bureaucracy entrusted with quality assurance, billing, and insurance coding. The insurance companies themselves feel they have a legitimate right to review the medical record, or at least to know what diagnoses and diagnostic tests are in it. Some people are nosy, some gossip. Others can be bought. When thousands of people have access to the juicy information contained within medical records from the comfort and safety of their own homes, you can be sure that some accesses will not be legitimate. In my own experience I have encountered several cases in which hospital employees have used the clinical information system inappropriately to look up data on recently admitted celebrities, friends, relatives, relatives of friends, and friends of relatives.
Obviously not everyone should have the right to peruse all parts of the medical record. Dieticians should only have the right to see those parts of the record that are relevant to the patient's diet. Physical therapists shouldn't be browsing the psychiatric notes. A doctor shouldn't have access to the records of a patient she hasn't any responsibility for. You would think that you could segment the medical record on a "need to know" basis, the way the military does with classified information. However, this has turned out to be surprisingly difficult to do. In order to do his work properly, the dietician needs to know the patient's allergies, medications, and any relevant medical conditions, such as heart disease, diabetes or renal failure. In a hospital environment doctors frequently cover for one another, and in an emergency no one should be denied the need to access the patient's record just because the system doesn't recognize one's need to know. A large number of medical ethicists, committees, and congressional panels have wrestled with this problem, and as yet no one has arrived at a satisfactory solution.
Recently, a panel appointed by the U.S. National Research Council met to discuss the privacy threats posed by distributing medical records on the Internet. They concluded that the Internet isn't the problem: the same technical solutions used to protect corporate and financial data can be used to protect patient privacy against interception by people outside the health care system. The real threat, they concluded, is the widespread and unregulated sharing of medical information among the many public and private arms of the medical system, including insurance companies, health care administrators, and government agencies. [C]
In the absence of a clear solution to this problem, some health care providers have reined back their plans to convert to a completely digital medical record. Recently, the Plymouth Health Plan of Massachusetts, on the eve of unveiling a new electronic medical record system that would completely replace their paper system, had second thoughts. Putting the new system on hold, they held an intensive series of meetings with patient groups, ethicists, and physicians. Eventually, they arrived at a compromise solution. Certain parts of the medical record that everyone felt was important for providing quality care--current medications, allergies, and problem lists--would be incorporated into the electronic system. Sensitive parts, such as psychiatric notes, would be kept in written form only and maintained in the traditional way.
The privacy risks posed by the electronic medical record are not primarily technological ones, but social and political ones. What we need most is well-considered legislation that lays down guidelines on how medical information should be used, who should have access to it, and what parts should be made available. Only when these issues are resolved to everyone's satisfaction can the electronic medical record assume its rightful place on the Web.
Lincoln Stein is a part-time pathologist, part-time Director of Information Systems at CuraGen Corporation, and a full-time Perl hacker.