Difference between revisions of "EHR"

From MgmtWiki
Jump to: navigation, search
Line 46: Line 46:
# Follow the wiki page on [[HIPAA Compliance Checklist]]
# Follow the wiki page on [[HIPAA Compliance Checklist]]
# Try to fallow the US Government Regulations
# Try to fallow the US Government Regulations on a Standardized API for patient and population services
  '''Table for Privacy and Security'''
Standardized API for patient and population services
  Table for Privacy and Security
* If choosing Approach 1:
* If choosing Approach 1:
** Authentication, access control, and authorization (§ 170.315(d)(1))
** Authentication, access control, and authorization (§ 170.315(d)(1))
Line 60: Line 58:

Latest revision as of 17:07, 22 December 2021

Full Title

Electronic Health Records (EHR) aka Electronic Medical Records (EMR).


Records that contain Patient Health Information PHI.


Before the Advent of EHR

  • Records were kept on paper and seldom given to the patient. When the doctor left practice, or the patient moved, the history was simply not available.
  • Even with EHR in the doctors office, there is little incentive for the records to be provided to the patient or other health service providers.
  • Centralized data seems to actually increase the risk of permanent loss of data. The referenced article is more than 2 years old![1]

Errors and Omissions with EHR

The advent of EHR has introduced new problems that create new risd of legal liability for the holders of the data.

  • Not all information in the record is valid but entered just to assure that the payment for services will be rendered, or because it is easier to cut and paste or blindly click "OK".[2]
  • Information that is entered by the Physician may not make it to the correct service to assure action. This type of failure has already resulted in patient deaths.[3] The U.S. government claimed that turning American medical charts into electronic records would make health care better, safer and cheaper. Ten years and $36 billion later, the system is an unholy mess. [4]

Conduct Risk with EHR

The push by the US government Health and Human Services(HHS), Office of the National Coordinator (ONC)[5] for Health Information Exchange has created an infrastructure that could disappoint the patients in many new ways.

  • The HIE looks like just another instance of the credit bureaus, and we all know how well that worked out.
  • The Health Information Exchange may wind up being just one (or more) other places that the patient needs to create a sign in account which they can never remember their user name or password. So rather than make it easier for the patient (or the patient's guardian) they my just add to the burden.
  • Sharing information that the patient did not want to share.
  • Avoiding sharing information because of bad choices by the Patient.

Sloppy Security

In the US health records are protected by HIPAA. Some other countries have special protection for health records, but not all. Even the countries where laws exist, security can be suboptimal. The consequences of Sloppy Security in Healthcare can be catastrophic for the patients.

Consider this exploit of Mental Health Records in Finland. (Wired 2021-05-04)
Rather than use an existing system, the company designed its own. It launched in late 2012, around the same time Vastaamo’s first in-­­person clinic opened, in the Malmi district of Helsinki. Tapio wouldn’t go into technical detail about the system, but in court documents he suggests it was browser-based and stored patients’ records on a MySQL server. More important for Vastaamo’s­ purposes, the interface was easy to use. When therapists applied for a job at the company, they heard all about how much it would quicken their work.

But the slick exterior concealed deep vulnerabilities. Mikael Koivukangas, head of R&D at a Finnish medtech firm called Onesys Medical, points out that Vastaamo’s system violated one of the “first principles of cybersecurity”: It didn’t anonymize the records. It didn’t even encrypt them. The only thing protecting patients’ confessions and confidences were a couple of firewalls and a server login screen. Anyone with experience in the field, Koivukangas says, could’ve helped Vastaamo design a safer system.

At the time, though, fears of a breach were far from Tapio’s mind. The summer after Vastaamo’s first clinic opened its doors, he took over as CEO and set the company on a path toward expansion.

In 2014 there was a change in the regulations around Vastaamo’s business. The Finnish Parliament decided to split medical information systems into two categories. Class A systems would connect with Kanta, the national health data repository, so they’d need to meet strict security and interoperability standards. Anyone who planned to keep their patients’ records in long-term electronic storage would have to use a Class A system.

Smaller organizations, the kind that kept vital records in manila envelopes and filing cabinets, would be allowed to use Class B systems. These weren’t as tightly regulated, in part because they wouldn’t make very interesting targets for a hacker. Class B operators would simply self-certify to the government that their setup met certain requirements. “The government” being, in this case, a single man—Antti Härkönen—whose purview includes all 280 Class B systems in Finland.

The new law gave Vastaamo several years to adopt a Class A system. The problem, Tapio says, is that the Finnish government hadn’t specified how psychotherapy practices should format their data. Vastaamo could build a Class A system and plug into Kanta, but there was “no way to stop, for example, general practitioners at health care centers or occupational health physicians from accessing” therapy records, he says.

Outi Lehtokari, Kanta’s head of services, pushes back against this claim. “Tapio might have misunderstood how Kanta works,” she says. Patients can choose to restrict access to their information.

In any event, on June 29, 2017, Vastaamo registered a Class B system. As Tapio tells it, the company was eager to upgrade to Class A as soon as the government released formatting specs for psychotherapy. But that didn’t happen. Instead, when the specs came out, Vastaamo kept on going with its Class B.

Tapio says that Finland’s “supervisory authorities” then signed off on the system “numerous times” in the years ahead. Härkönen, who is one of those authorities, says that to monitor all the Class B systems carefully would be “mission impossible” for him. He adds, however, that there should be more “proactive inspections.”


  1. Follow the wiki page on HIPAA Compliance Checklist
  2. Try to fallow the US Government Regulations on a Standardized API for patient and population services
Table for Privacy and Security
  • If choosing Approach 1:
    • Authentication, access control, and authorization (§ 170.315(d)(1))
    • Trusted connection (§ 170.315(d)(9))
    • Either Auditable events and tamper-resistance (§ 170.315(d)(2)) or Auditing actions on health information (§ 170.315(d)(10)).
    • Encrypt authentication credentials (§ 170.315(d)(12))
    • Multi-factor authentication (MFA) (§ 170.315(d)(13))
  • If choosing Approach 2:
    • For each applicable privacy and security certification criterion not certified for Approach 1, the health IT developer may certify using system documentation which is sufficiently detailed to enable integration such that the Health IT Module has implemented service interfaces to access external services necessary to meet the requirements of the privacy and security certification criterion. Please see the ONC Cures Act Final Rule at 85 FR 25710 for additional clarification



  1. This article is more than 2 years old NHS accused of covering up huge data loss that put thousands at risk (2017-02-26) The Guardian https://www.theguardian.com/society/2017/feb/26/nhs-accused-of-covering-up-huge-data-loss-that-put-thousands-at-risk
  2. Fred N. Pelzman, Just because EMRs can document everything doesn’t mean they should (2019-08-29) https://www.kevinmd.com/blog/2019/08/just-because-emrs-can-document-everything-doesnt-mean-they-should.html
  3. Kaiser Health News Summary, Death By 1,000 Clicks: Where Electronic Health Records Went Wrong. https://khn.org/news/death-by-a-thousand-clicks/
  4. Fred Schulte and Erika Fry, Inside a digital revolution that took a bad turn. Fortune (2019-03-18)
  5. The Sequoia Project Is ONC’s Recognized Coordinating Entity (RCE) https://rce.sequoiaproject.org/

Other Material