Who "owns" patient data?

One of the first hurdles that we had to clear as a SaaS company was the objection of providers who were accustomed to keeping their data within their offices. We called it "storing data in the broom closet", since in many offices the actual physical location of their server was no more secure than a utility closet. While the data was certainly NOT secure, it was accessible, or at least perceived as such.



In fact, there are many problems with that arrangement, among them:

• Dismal disaster recovery (DR) options. I once heard that 60% of magnetic tape backups are unusable, although that number may be high. More conservative estimates vary between 10% and 50%. Within medical offices, where there generally is no dedicated IT staff, I would lean toward the higher estimates.


• Lack of security. It would be easy for a disgruntled employee to unplug a few cables and carry the whole server out the door, or just bring in a laptop and wirelessly copy data from the server.


• Risk of physical damage. Hundreds of medical offices were devastated by Hurricane Katrina, for example, and permanently lost huge amounts of irreplaceable patient information.

So, over time, our customers have accepted the fact that they are better off letting AdvancedMD keep their data for them, as long as we provide methods (standard data exports, ODBC access, etc.) for them to get access to it.

Now doctors are being faced with more dispersal of patient information, in the form of electronic prescribing systems, RHIOs, HIEs, PHRs, etc. I'm not a doctor (obviously), but I have to believe that this new sharing of data is a little disconcerting for some.

In the Summer 2008 issue of JHIM, Richard D. Lang, EdD, writes in "Blurring the Lines: Who Owns the Medical Data Home?" (HIMSS membership required) about the very objection that we used to face, but applied in a slightly different way.

Dr. Lang says:

Healthcare IT is evolving from a physician-centric model to
a collection of disparate patient-centric applications where
all constituents contribute to a mélange of databases that
serve people and processes in many different ways. By electronically
diffusing the traditional patient record, this new model blurs
the long-established medical data home.

As a true SaaS company, AdvancedMD assumes ownership of the provider's physical data, even though conceptually the data remains the property of the provider. Similarly, if a practice contracts with a billing service, the lines of ownership become further blurred, as the billing service assumes ownership of whatever data it needs to effectively bill for the practice's services. In that scenario, the billing service contracts with AdvancedMD, not the providers, so we are an additional level removed from the actual healthcare practitioner.

For eight years, we've proven that this data model can work, and, in fact, it works extremely well. It almost seems natural that, over time, patient information will continue to be further dispersed among interested parties that play a role in the patient's care.

As a patient, I kind of like the idea of spreading my information around, as long as it's secure. The next time I need to see a PCP and can't even remember who I saw last, wouldn't it be great if my new doctor could access my medical history without me having to remember it?

I have to believe that AdvancedMD's customers are better prepared for this "brave new world" than those who are still stuck in their broom closets.

NAHIT "Defining Key Health Information Technology Terms"

NAHIT recently released a document called (get this):

The National Alliance for Health Information Technology Report to the Office of the National Coordinator for Health Information Technology on Defining Key Health Information Technology Terms

Basically, it has some interesting definitions for some common healthcare terminology. The location of the original document (along with the rest of the NAHIT site) appears to be down at the moment, but John Mertz at NeoTools has conveniently listed the terms for us, so I'll repeat them here:

• Electronic Medical Record: An electronic record of health-related information on an individual that can be created, gathered, managed, and consulted by authorized clinicians and staff within one healthcare organization.
• Electronic Health Record: An electronic record of health-related information on an individual that conforms to nationally recognized standards and that can be created, managed, and consulted by authorized clinicians and staff across more than one healthcare organization.
• Personal Health Record: An electronic record of health-related information on an individual that conforms to nationally recognized interoperability standards and that can be drawn from multiple sources while being managed, shared, and controlled by the individual.
• Health Information Exchange: The electronic movement of health-related information among organizations according to nationally recognized standards.
• Health Information Organization: An organization that oversees and governs the exchange of health-related information among organizations according to nationally recognized standards.
• Regional Health Information Organization: A health information organization that brings together health care stakeholders within a defined geographic area and governs health information exchange among them for the purpose of improving health and care in that community.

I don't know whether there is industry-wide agreement on these definitions, but they're an interesting start for the uninitiated.