Electronic Health Records

The new e-security worry

It sounds like common sense: Tight regulation and oversight of electronic health records are key to maintaining patient privacy and preventing costly, possibly fatal, mistakes. But with EHR systems still in their infancy in the United States, plans for regulation have seen little progress. Now, with a new bill in Congress that could help move EHRs into the mainstream, two Case Western Reserve University professors are calling for action.

Movement to electronic health records raises flags for security and privacy issues.

"These systems have incredible potential, yet they are completely unregulated," says Andy Podgurski, a professor of computer science at the Case School of Engineering. Podgurski and his wife, Sharona Hoffman, a professor of law and bioethics at Case Western Reserve’s School of Law, are co-authors of the first study to assess the need for comprehensive regulation of EHR systems. "We are trying to argue this lack of regulation is a mistake," he says.

EHR systems, Hoffman says, have the potential to improve the quality and efficiency of patient care by providing a doctor at any hospital or medical practice with immediate access to a patient’s full medical history, including lists of prescribed drugs and allergies, laboratory test results, and even radiology images. Higher-end systems help with diagnoses and treatment plans and include mechanisms for ordering medications electronically.

Worries persist, however, that such records could fall into the wrong hands, leading to massive privacy violations. But that’s not the only fear.

In addition to privacy and security, quality and safety of EHR systems are in need of oversight, say Hoffman and Podgurski, whose study was published in the Harvard Journal of Law and Technology.

Imagine a software malfunction that causes information about patients’ allergies or medication orders to be deleted or incorrectly recorded. Patients could receive the wrong medications or drug dosages and suffer serious harm or death.

The Certification Commission for Healthcare Information Technology has been conducting limited testing of EHR systems, but the commission is run by the EHR industry. Hoffman and Podgurski propose that an unbiased government body should regulate the systems on an ongoing basis to make sure they meet certain standards.

"These software systems are as complex as some of the medical devices that need to be approved for medical use by the FDA," says Podgurski. "And their potential effect on patient health is huge."

Something else they say should be regulated is the ability of different EHR systems to talk to one another, a function known as interoperability in which files are transferred from system to system without glitches.

"Interoperability does not exist generally, yet it is critical," says Hoffman. "Patients die because emergency room doctors cannot access a patient’s record and know that he or she is resistant to a particular antibiotic."

One solution would be for a regulatory agency in charge of EHR systems to set a standard with which all vendors have to comply so that systems can share information.

So far, only 17 percent of physician offices use EHR systems, but EHRs may soon become a routine part of medical care. The Bush administration had set a goal of having EHRs for most Americans by 2014, and the American Recovery and Reinvestment Bill of 2009, being considered by Congress under the new presidential administration, includes an investment of $20 billion to update and computerize the health-care system.

"As a nation we tend to ignore potential problems until there is a catastrophe," says Hoffman. "We are trying to call attention to them before this occurs."