Drchrono iPad app for Doctors drives EHR adoption (healthcareitnews.com)
9 points by Skeletor on Dec 9, 2011 | 9 comments


I honestly fear EHRs. Chances are they will offer me greatly-reduced access to my own medical records, while offering my insurance company (or prospective insurers) greatly increased access. I am open to hearing that some regulation ensures this will not be the case.


Your fear is understandable, but I feel you would have less doubt if you knew more about the EHR space.

The government is laying out strict regulations on how EHRs should work and what data can be used (and by whom).

Access by patients to their own records is mandated as part of the certification and we already see widespread use of patients accessing their data from EHR systems via our patient portal and iPad app for patients.


Can I get my data in a portable format I can take with me to another provider, as easily as paper records? Or can I _only_ get my own data through your proprietary portal / application?


Patient records can be given to patients in .pdf format (human readable) and also one of two government-specified HL7 formats (CCR and CCD). The MU certification makes all vendors give patients/doctors the ability to download one of the formats (CCR or CCD), but all vendors have to be able to read both formats.

The MU guidelines did a great job of forcing all of the vendors to adopt one of these two standards and to understand them both.


Ok, that's exciting then. Thanks for the info. :-)


Great job getting that certification. Keep at it!


The article naysayers correctly point out:

Mobile technology presents providers "with a very long list of legal concerns," they point out. "Privacy and security of patient data, compliance with state and federal laws (including Stark and anti-kickback statutes), assumption of risk and liability, along with many other critical issues, should be addressed in the contract between the healthcare provider and vendor of such software."

Unless I'm missing something, this "certification" from Infogard doesn't appear to speak much to these concerns, if at all, which are the overwhelming concerns of physicians with this kind of non-hospital cloud-based system.

The "certification" that the application meets "meaningful use" just means that app use may allow physicians to qualify for the government incentive money for adopting an EHR.

http://www.infogard.com/resources/healthcare_it/meaningful_u...

Security, security, security is the real issue. The drchrono CEO says that a "security audit" was done, but the article gives no details. Who did it, at what level, and where are the results?

Does drchrono assume all risk and liability for patient confidentiality? Is that spelled out contractually? Unfortunately, the problem is that even with such verbiage in a contract, individual physicians would likely not escape the rightful wrath of patients and regulatory bodies if a data breach occurred. Frankly, even if physicians did adopt a system like this, they'd have to provide disclosure and go through an informed consent process with their individual patients about the use of drchrono, and get written approval from individual patients to store their info this way. What happens when many (if not all) patients opt-out? Maintain two systems?

"Tell the court, Dr. Incentive, what drove your use of drchrono? Were you convinced that the system provided any benefits whatsoever to the patients who now have their HIV status, mental health diagnoses, and street drug use information plastered all over the net... or were you more interested in the $44,000 benefit you got from adopting the software?"

But, he [CEO of drchrono] says, with the iPad connected to drchrono's cloud-based platform, "there's no information stored on the iPad except a temporary cache ... it's more secure than locally stored laptops and servers."

This statement makes no sense. We've seen countless breaches and releases of protected health information from cloud-based systems. How is highly sensitive information transmitted to and stored on drchrono and/or third-party servers possibly more secure than leaving patients' data on local systems which are locally controlled, physically fenced (easily quarantined from the net), easily whole-disk encrypted, locally backed-up, locally audited, with locally set retention policies, and locally destroyed when needed?


The legal FUD you bring up would have some basis in fact if the government weren't mandating that all US physicians use EHR systems and passed laws/regulations defining their use and liability under HIPAA and the security rule.

The #1 source of patient data theft has occurred from stolen laptops which contained locally stored records. A cloud-based solution with mobile access is much more secure since even if an iPad is stolen there is no loss of data.


drchrono, like any other EMR system here in the States, meets HIPAA requirements: https://drchrono.com/security/

If you don't understand what HIPAA entails, have a look at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/



