Electronic Health Records

From SI410
Jump to: navigation, search
A cartoon depiction of a doctor merging health records of patients

Electronic Health Records (EHR) are a digitized form of a health record, used in health systems to collect, store, edit, and transfer patient information. EHRs provide a universal location of all information and history of a patient regardless of region or facility. EHRs are owned by the patient and allow patients to access and edit his or her information. In the coming years, healthcare systems hope to overtake or work in addition to its paper counterpart by providing a universal location for “virtually every facet of clinical information pertinent to patient care.” EHRs provide a comprehensive medical history intended to help medical professionals more accurately diagnose illnesses and prescribe medications based on previous reactions or medical conditions. It also prevents patients from deliberately omitting information that may be medically relevant in situations. During an emergency situation, EHRs enable doctors to immediately obtain necessary information about a patient or previous treatment plans if patients are incapacitated. EHRs have benefits that could potentially save lives, but they still carry a set of ethical problems that must be addressed in order for EHRs to reach their potential in today's medical society. One such problem is the correct procedure for sharing medical records between care providers and patients and, related to that, what happens when that procedure is not followed and private health records become public.

EHRs should not be confused with Electronic Medical Records (EMR) or Patient Care Records (PCR), which are a computerized record from a single facility. They are not universally shared and may not allow the patient access to his or her information. However, the EHR relies heavily on EMRs in order to attain patient information and must seek permission from the healthcare facilities.


EHRs were developed from Patient Care Record systems. PCR systems began to emerge in the 1960s under the John F. Kennedy presidency. The Lockheed Corporation received a large amount of government grant money for the NASA space program at the beginning of the sixties. The money was to be used for space technology under the stipulation that it be extended to the common good of society. Lockheed had the idea to develop a computer program that managed patient care. Lockheed presented their idea to El Camino Hospital in Mountain View, CA in 1968, who agreed to pursue the project. Lockheed industrial engineers spent the next two to three years analyzing the patient data flow in the hospital in order to understand how to build an effective infrastructure for the patient care application[1]. El Camino Hospital began using the program in 1973 on IBM computers.

Similar programs began to spread to other hospitals during the 1970s. Some of these projects included IFAS and Medpeo, PCS/ADS, and SMS. These PCR programs were very limited. They were able to send orders and share and gather results. During the 1980s other companies began to develop additional PCR systems, but many of them went out of business. By the end of the decade the Lockheed program was the only functioning system[2].

Computer network technology emerged and computing costs started to decline in the 1990s, which facilitated the expansion and further development of CPR systems. By the mid 1990s many out patient clinics and physician practices were using EHR technologies. Leading companies during this period were Compaq, Hewlett Packard, Data General, Cerner, HBOC, Meditech, TDS, IBX, and EPIC. Many of these companies created these technologies to fulfill specific needs of particular facilities, which in turn made it difficult to commercialize their systems[2]. Today many EHR systems exist and are used in many medical facilities. However, many facilities are only just beginning to utilize these systems or have very rudimentary forms of EHR.


EHRs can be updated easily. All additions to the EHRs are constantly being updated over the Internet, and therefore doctors do not need to spend time filling out new forms repeatedly by hand. The use of EHRs intends to help health professionals coordinate to deliver better quality care to patients. Additionally, EHRs make health records more secure as EHRs cannot be misfiled or lost like paper records can. Similarly, many EHR platforms require a username and password, which also adds to the security of the health records. EHRs are also more easily moved and accessed by medical professionals. This means that people will be able to have their medical records accessed whenever and whoever needs them. This will be able to help prevent accidental deaths due to problems such as allergies. This is because doctors treating new patients will be able to pull up any relevant data from another doctor, whereas before they had to work without any previous knowledge of that patient. This is potentially dangerous and can be life-threatening.

Additionally, several new health-providing solutions have been implemented (using EHRs) around the globe such as web-based digital health coaching solutions. These health-coaching opportunities simulate a live health coaching or counseling session over the web. These opportunities were not possible before the invention of computing technologies and EHR in healthcare. Not only is the possibility of live solutions an option for improvement in overall health quality, but in digital health coaching practices, computing technologies and their electronic components can draw on experience and expertise of hundreds of healthcare professionals, applying best practices and the most current scientific research and evidence to create a unique and personalized action plan for each individual. Individualized healthcare solutions that are now available through implementation of such technologies like EHRs and can thus also lead to overall improved quality in healthcare procedures. [3]


EHRs are expensive to set-up, making it difficult for private physicians and public clinics to adopt the system. Also, EHRs make it is easy to incorrectly record patient information. Furthermore, any EHR information has the potential to be accessed by non-medical professionals through a security breach. Lastly, if medical professionals are not comfortable with the system, they may be distracted by attempting to configure the system. The time spent trying to configure the system would then detract from a patient's treatment.


The logo on the Campdoc.com website

CampDoc.com is a website that acts as a platform for EHRs for summer camps specifically. The purpose of Campdoc.com is to solidify the complexities of paper health records by putting them all online in a centralized location. Additionally, an online location with a user login required, makes the site also more secure than a paper filing system. CampDoc.com has three aspects to it: health forms, health log, and medications/allergies.

CampDoc.com allows parents or guardians to submit their child's camp health forms electronically. Camp staff are then able to access these health forms online.

The health log section of CampDoc.com serves as an online location for camp staff to log all times that a camper visits the camp health service and record all information regarding this visit. For instance, the reason for visiting, the medicine, if any, that was given to the camper, the time and day that the camper visited.

The medications/allergies section allows parents to list all medications that the camper must take, as well as the schedule of when to take them. Additionally, a list of all allergies that the camper has, as well as any consequences that may occur if the allergy is violated, is available in this section.[4] [5]

Ethical Issues

EHRs allow healthcare providers access to a comprehensive medical history of their patients in order to provide them with better and more efficient care. EHRs are meant to improve healthcare through improved flow of patient information to medical professionals. Ethical issues arise when non-health care providers gain access to patient information. These large databases of patients' medical history are prone to outside access and in turn can cause the unethical exposure of personal health information to unauthorized viewers. [6]. As a result, patients' privacy is susceptible to violation, which raises the question if the benefits of EHRs are worth this potential violation. A few examples of how medical records may be accessed by third-party members are when computers or laptops are stolen, a lapse of security in online billing programs or the EHR network, or when medical facilities accidentally post EHR information online for public access.[7]. Laws have been passed in order to ensure efficiency and confidentiality of electronic health records.

Meaningful Use

"Meaningful use" is a term used to define the set of standards of adoption and use of certified EHR systems within a healthcare organization. The criteria are set by the Centers for Medicare & Medicaid Services (CMS). Healthcare organizations receive financial incentives for meeting the criteria according to the five-year, three phase plan. The goal of implementing the meaningful use incentive system is to increase and spread the use of EHR technology to improve healthcare around the United States. [8]

However, the idea of "meaningful use" is laced with controversy due to its flat standards. For healthcare organizations in rural areas where patients and healthcare institutions have limited internet access, "meaningful use" widens the gap in the Digital Divide. One of the original twenty-five performance measures states that the institution must provide at least 10% of their patients with electronic access to their record within 96 hours of the clinic receiving the data. [9] In areas where fewer than 10% of patients have access to a computer or to the internet, this measure is impossible to attain. These institutions do not receive the bonus and continue to be disadvantaged in comparison to institutions with more affluent and technologically advanced cliental. In this way, not only the healthcare institution is disadvantaged, but the patient is also deprived of reaping the care benefits of the bonus that will not be granted to the institution because it did not meet the "meaningful use" requirement.


An issue arising is the increased risk of a patient's private medical history and information being exposed to more and more users with access to their EHRs. An increasing number of providers and healthcare staff have access to these EHRs, and there is always a potential risk that some of these people will view and use patient information that is not currently relevant to them. For example, providers may look up personal information on a patient that they are not treating or involved with simply out of curiosity or for selfish reasons.


Legislation has urged many health care providers to adopt electronic health record systems.[10]

Health Insurance Portability and Accountability Act (HIPAA)

The United States passed the Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191, in 1996. It consists of two key components:

  • Title I of HIPAA protects health insurance coverage of employees and their families when their employment changes or they become unemployed.
  • Title II or Administrative Simplification (AS) Rules of HIPAA required the Department of Health and Human Services (HHS) to adopt national standards for electronic healthcare transactions that improve the efficiency and effectiveness of the healthcare system. It encourages the use of electronic data interchange to exchange information within the U.S. healthcare system. The AS Rules also address Privacy and Security. HIPAA Administrative Simplification Rules are located at 45 Code of Federal Regulations (CFR) Parts 160, 162, and 164.

The Administrative Simplification Rules consist of the Privacy Rule, the Security Rule, standards for transactions, and standards for national provider identifiers of covered entities (healthcare providers, health plans, and healthcare clearinghouses), and the Enforcement Rule. The Office for Civil Rights (OCR) in HHS enforces both the Privacy Rule and the Security Rule. The Centers for Medicare & Medicaid Services (CMS) administer and enforce other HIPAA AS Rules including:

  • Transactions and Code Sets Standards
  • Employer Identifier Standard
  • National Provider Identifier Standard

The Privacy Rule was published in December 2000 and modified in August 2002. It applies to all forms of protected health information (PHI), either printed or electronic records, and is enforced by the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS). The goal of the Privacy Rule is to secure PHIs as it moves through the system by implementing disclosure and uses regulations. Covered entities are required to comply with the Privacy Rule as of April 14, 2003 (April 14, 2004, for small health plans).

A covered entity is permitted to disclose and use PHI without individual authorization in the following circumstances:

  1. To the individual-A covered entity is permitted to disclose an individual’s protected health information to that particular individual within 30 days of the request. Also individuals may request to have any mistakes in their PHI to be corrected.
  2. Treatment, Payment, and Health Care Operations- A covered entity is permitted to disclose PHI in its own treatment, payment and health care operation activities. It may disclose this information to another covered entity given that the individual has a relationship with the other covered entity and the information is relevant to the relationship.
  3. Opportunity to Agree or Reject- A covered entity is permitted to disclose protected health information by informally asking the individual’s consent. If the individual is incapacitated, the covered entity may decide to disclose and use protected health information based on the individual’s best interest.
  4. Incident to an Otherwise Permitted Use and Disclosures- The privacy rule does not require that covered entities eliminate all risks of incidental use or disclosure or protected health information, as long as they follow the Security Rules.
  5. Limited Data Set for the Purposes of Research, Public Health, or Health Care Operation- A limited data set is individuals’ protected health information from which they cannot be identified. A limited data set may be used and disclosed for research, health care operations, and public health purposes, provided the recipient enters into a data use agreement promising specified safeguards for the protected health information within the limited data set.
  6. Public Interest and Benefit Activities- Permits the use and disclosure of protected health information without an individual’s permission or authorization for twelve national priority purposes.The twelve national priority purposes are:
    1. Required by Law
    2. Public Health Activities
    3. Victims of Abuse, Neglect, or Domestic Violence
    4. Health Oversight Activities
    5. Judicial and Administrative Proceedings
    6. Law Enforcement Purposes
    7. Decendents
    8. Cadaveric, Organ, Eye, or Tissue Donation
    9. Research
    10. Serious Threat to Health or Safety
    11. Essential Government Functions
    12. Worker’s Compensation

The Privacy Rule also states the the protected health information used or disclosed must be the minimal amount of information necessary for its purpose. It also states that covered entities must keep track of all disclosures and uses of PHIs and covered entities must notify the individual when their PHI is used or disclosed. [11].

The Final Security Rule was published in February 2003 and provides guidelines for covered entities in securing electronic protected health information (ePHI) when they are created, sent, or received and provides standards for the electronic system to ensure overall system security.

The standards for transactions for electronic data interchange (EDI) of health care information include the use of ASC X12N or National Council for Prescription Drug Programs (NCPDP) standard formats and implementing the proper content and formatting requirements with each transactions. Claims and encounter information, payment and remittance advice, claims status, eligibility, enrollment and disenrollment, referrals and authorizations, coordination of benefits and premium payment are transactions that are subject to the previously stated standards[12].

The national provider identifiers (NPI) of covered entities are ten digit codes made up of numbers and letters used in all of their financial and administrative transactions. NPIs are meant to make transactions more efficient between covered entities. The NPI is intelligence free, meaning it does not provide any additional information on the covered entity it pertains to. Covered entities may have more than one NPI for subparts of their business[13].

The Enforcement Rule was added to HIPAA in 2006. It outlines the procedures for investigating and conducting hearings for HIPAA violations and establishes civil money penalties for such violations[14].

Understanding Patient Safety and Quality Improvement Act (PSQIA)

The Understanding Patient Safety and Quality Improvement Act (PSQIA) was passed in 2005 and implemented in 2008. PSQIA is a voluntary reporting system that individuals can use to report health care errors in hopes of improving patient safety. To encourage the reporting and analysis of medical errors, PSQIA provides Federal privilege and confidentiality protections for patient safety information, called patient safety work product. PSQIA authorizes HHS to impose civil money penalties for violations of patient safety confidentiality. PSQIA also authorizes the Agency for Healthcare Research and Quality (AHRQ) to list patient safety organizations (PSOs). PSOs are the external experts that collect and review patient safety information. [15].

External Links


  1. http://www.springerlink.com/content/u83kt1k4142k6550/
  2. 2.0 2.1 http://vimeo.com/12202874
  3. http://www.jnj.com/connect/caring/patient-stories/focusing-wellness-prevention
  4. http://www.campdoc.com/features.php
  5. http://www.google.com/imgres?q=campdoc&hl=en&client=safari&sa=X&tbo=d&rls=en&biw=1274&bih=581&tbm=isch&tbnid=SEOe_-ySj2W0SM:&imgrefurl=http://pinterest.com/campdoc/&docid=dwIhjRVbcWMztM&imgurl=http://media-cache-ec5.pinterest.com/avatars/campdoc-61_600.jpg&w=600&h=600&ei=vZK_UP-YM6ec2QWCoYCIAw&zoom=1&iact=hc&vpx=318&vpy=122&dur=862&hovh=220&hovw=220&tx=111&ty=107&sig=101362661831469468465&page=1&tbnh=144&tbnw=144&start=0&ndsp=23&ved=1t:429,r:2,s:0,i:92
  6. http://dl2af5jf3e.search.serialssolutions.com/?ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info:sid/summon.serialssolutions.com&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Third+party+access+to+shared+electronic+mental+health+records%3A+ethical+issues&rft.jtitle=Psychiatry%2C+Psychology+and+Law&rft.au=McSherry%2C+Bernadette&rft.date=2004-04-01&rft.pub=Australian+Academic+Press+Pty.+Ltd&rft.issn=1321-8719&rft.volume=11&rft.issue=1&rft.spage=53&rft.externalDBID=n%2Fa&rft.externalDocID=121082132
  7. http://www.privacyrights.org/data-breach/print
  8. http://www.healthit.gov/policy-researchers-implementers/meaningful-use/
  9. http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/index.html?redirect=/ehrincentiveprograms/
  10. http://www.accenture.com/SiteCollectionImages/Outlook_PDF_and_Cover/06-11_Healthcare_Chart-02.jpg
  11. http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf
  12. https://www.cms.gov/TransactionCodeSetsStands/
  13. https://www.cms.gov/nationalprovidentstand/
  14. http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/index.html
  15. http://www.fortherecordmag.com/archives/ftr_10292007p18.shtml

(back to index)