The trusted source for
healthcare information and
Privacy, confidentiality a challenge in using EHR
'This information isn't easy to lock behind a door'
Once federal grants make their way to health care systems for the purpose of transitioning to electronic health records (EHRs), it might be years or even a decade before these systems are complete.
Research and health care institutions will need to resolve several ethical and technological challenges during this long process. And one of the major ones will be to ensure the data can be accessed and transferred safely, maintaining patient confidentiality, experts say.
"This is a really hot topic now," says Philip A. Cola, MA, vice president of research and technology at the University Hospitals Case Medical Center in Cleveland, OH.
The University Hospitals Case Medical Center began implementing an EHR in 2005 and now is about three-quarters of the way through with the process, Cola says.
"Our goal is to have it fully implemented by 2010," Cola adds.
When health care organizations implement EHR they likely will need to replace several older electronic systems, says Valerie Wiesbrock, MA, manager of the IRB administration office at the University Hospitals Case Medical Center.
"An institution might have electronic pharmacy records, different clinical records, and different portals," she adds.
Also, investigators will need to be sensitive to transporting electronic information in a way that risks its security, Wiesbrock says.
"We are constantly surprised to hear of investigators keeping thousands of records on their [USB] drives and then carrying them back and forth to their cars," she explains. "We look at that as the same as if you held records in a milk crate and left them on the seat of your car."
The health care system has a large information technology team managing the process, and there also is a research focus group.
"We have investigators, research study coordinators, and research administrators from across the organization get together to talk about what issues there will be to using EHR in terms of research," Cola explains.
"It's very easy for investigators and study coordinators to understand that if you're given an investigational drug treatment you have to protect the subject from any risks related to the investigational drug," Cola says. "But it's very difficult to understand the protections you have to put in place around privacy and confidentiality."
It helps if a research institution has existing protocols and informed consent templates that include privacy and confidentiality language, he notes.
"In the old days, we'd say the records were kept in locked filing cabinets in a locked room with only limited access to investigators and study coordinators," Cola says. "But when we're undertaking a huge electronic health record project, this information isn't easy to lock behind a door."
So sites have to update their policies and procedures, outlining specific details about who might have access to the information and for what type of reasons, he advises.
"You don't want a physician investigator to think he has access to these records for clinical purposes and so he can just go in there with his clinical credentials to mine the data for research purposes," Cola explains. "They can't do that without the IRB giving them protection and advice."
Policies regarding data security need to be strong enough to protect EHRs from unauthorized access, but flexible enough to build bridges between the clinical and research sides.
"We want to make sure we have built the right stopping points or different approaches or methods of access to those records," Cola says.
For example, access to the records for research purposes cannot be made until the researcher has obtained IRB approval and this is verified by Wiesbrock.
Tips to protect electronic records
Cola and Wiesbrock offer these suggestions for improving security and confidentiality with electronic health records:
• Don't carry around any electronic data with identifiers: "Don't put health records or personal, identifiable health information on a [USB] drive and carry it around with you," Cola advises.
"That's what happened in February, 2008, with a laptop at the National Institutes of Health," he says. "A few months later they issued reminders and tips on how to handle these things."
"Even if it's your personal computer in the office have it password protected in a number of different ways," Cola says.
• Apply random codes and de-identify individual medical records:
"We understand that identifiers are needed," Wiesbrock says. "But do we want to keep identifiers for long-term follow-up purposes?"
Investigators could de-identify data and keep a code list so if they carry their laptop to a conference they won't have identifiable data on it, Wiesbrock suggests.
"If your laptop is lost or exposed and if you had removed identifiers and used a code, then you will minimize risk and exposure," she says.
One way to minimize risk is create a random code to replace identifying information with numbers, Wiesbrock says.
"You keep the code number and cut out the identifiers," she adds."This is a manual process in the sense that you have a dataset that's identifiable and you've added a creative random number column to the dataset at the very beginning."
Then you add that column to a complete dataset with identifiable information that is kept in a password-protected file, she explains.
"You hide all the columns with identifiers in separate passwords, and this blocks people from getting any of the identifier data," Cola says.
The de-identified spreadsheet contains the random numbers, so an investigator could have a research assistant look up any one of those random numbers to find a particular subject for follow-up or other purposes, Wiesbrock says.
"It's not a time-consuming process," she adds. "It can be done within five minutes."
• Outline your data security plan to IRB: "It's simple, easy," Cola says. "You can describe what you did to the IRB in a protocol."
At the University Hospitals Case Medical Center, every time people write a protocol and has access to electronic health information, they're asked to add a section to their protocol and, perhaps, informed consent document, for the IRB review and consider as part of their approval process, Cola says.
They're asked to address several main points, he adds:
— "Please justify the use of and access to electronic information," Cola says. "Do you really need it electronically? Or can you get the information in hard copy?"
And if an investigator does really need the information, does he need it with identifiers, and can he justify its use? "It can't be just for convenience and ease of PI, Cola says.
— "Once you have that access, how will you protect that information? What are you going to do with it, and how will you protect it?" Cola says.
"Our office of research compliance is responsible for a lot of this," Wiesbrock says. "They ensure that what the IRB said is being done, and they report back that they're maintaining that list de-identified."
If investigators don't understand how to de-identify information, they're scheduled for one-on-one or group educational sessions where they can learn the basics on maintaining a spreadsheet and de-identifying data, Wiesbrock adds.
— Who has access to electronic information and for how long will they have that access, Cola says.
Access could be provided to research coordinators, statisticians, in addition to principal investigators, he adds.
The rules of The Health Insurance Portability and Accountability Act of 1996
(HIPAA) Privacy Rule apply, and so it's very important to outline who has access to the information, Wiesbrock says.
"Under HIPAA regulations, there is a business association agreement that allows for that access by Case people, and UH employees are part of the covered entity under HIPAA," Cola explains.
"There are items we make everyone put in a protocol and consent form so the patient knows what's applicable," Cola adds. "We won't give access to electronic systems for research until those things have been reviewed and approved by the IRB."