As a growing number of patients take an increasingly proactive role in the management of their own health, sales of software programs that give users access to their personal health records are set to explode, experts say.
But the impending proliferation means new responsibilities for CIOs as hospitals experiment with the programs, which can let patients upload their health data from hospitals and doctors.
The IT departments at hospitals using cutting-edge programs such as Google Health and Microsoft HealthVault will have to build interfaces to communicate with those programs, known as electronic personal health records (EPHRs).
EPHRs allow a patient to connect to a hospital and import select records, statistics and other health information to an account. But for that to happen, the hospital needs to verify that the account actually belongs to the patient and, to some extent, automate exactly what information can go out the door. Think of an EPHR as a "patient portal" to the official, doctor-controlled records kept by hospitals, said Dr. John Halamka, CIO at Beth Israel Deaconess Medical Center in Boston.
Microsoft launched HealthVault late last year, offering it as a free service for consumers to store, compile and allow access to their health information, be it blood pressure data, prescription lists or instructions for emergency situations.
Google Health, a cloud computing program like so many of Google Inc.'s offerings, is in a pilot program at The Cleveland Clinic and will soon be offered to patients at other hospitals. It, too, is free and seeks to centralize personal health data and give patients control over management and access, allowing them to import records from one health provider and pass them on to another.
The two programs join a market of about 200 electronic personal health record programs, including a number homegrown at individual hospitals. About 10% of Beth Israel patients use the EPHR built there. Halamka said it's most useful for people living with chronic diseases, adding that he welcomes the advent of non-hospital-specific programs because patients may want to collect and distribute information with doctors elsewhere.
Mary Griskewicz, senior director for ambulatory information systems at the Healthcare Information and Management Systems Society (HIMSS), said, "The CIO and the chief medical officers are going to have to prepare for a couple of things," such as developing plans and policies on how EPHRs will relate to secure electronic medical records controlled by doctors following Health Insurance Portability and Accountability Act (HIPAA) regulations.
EPHRs are not currently classified as HIPAA-regulated documents because they're maintained by individuals and aren't even necessarily viewed as true information in the eyes of some physicians, Griskewicz said.
That isn't to say this will always be the case. Lisa Gallagher, security director of privacy and security at HIMSS, said there has been legislative talk about extending HIPAA in the direction of such record holders. But she said she doesn't expect movement on that until after the presidential election, if at all.
Still, not being covered by HIPAA strips Google Health, HealthVault and similar programs of legal security concerns, leaving the main issue one of trust of Google and Microsoft by patients. But Gallagher said CIOs and other hospital leaders could still have security questions about the programs, such as the location of the servers storing data and how health data sent outside a hospital is encrypted.
"I think at this point it's sort of keep it on the radar and think about the policy-level issues," she said.
Halamka, who is also CIO at Harvard Medical School, said Beth Israel will soon start a pilot program with Google Health. He said hospitals accepting EPHRs will need to verify that the account accessing information actually belongs to the patient. At Beth Israel, patients will log in to Google Health and use a password provided by a doctor to upload hospital records to their account.
Halamka said hospitals will also need to develop a "content standard" or policy outlining what information goes from the hospital to the EPHR. That could include medication lists, allergies and lab results, among other types of information.
Hospitals also must decide on a "transport standard" it will accept in EPHRs, should that be the Continuity of Care Record or another equivalent to be used when moving information from one care provider to another.
Griskewicz urged CIOs and other executives to strive for "readability" when developing policies that dictate what information hospitals will share through an EPHR. Clear, uniform standards will simplify the process and encourage use among doctors, she said.
In a perfect world, Google, Microsoft and other major services -- Dossia and Revolution Health Group LLC are also in the game -- would develop a sort of "plug-and-play" interoperability standard that will simplify the process for both patients and IT staff, Halamka said.
"What happens is Microsoft will publish a set of specifications for talking to HealthVault," said Halamka, who is a member of the Google Health Advisory Council. Google Health will come with a different set of specifications.
"That means my programmers at the hospital have to write two sets of interfaces," Halamka said. And that means more cost and staff time. Until a set of national standards is developed, that could leave smaller health care providers limited in the number of EPHRs they can accept from patients.
"It's my hope that all of these efforts will converge to use one plug-and-play standard for clinical content and transport," Halamka wrote in a February blog entry about Google Health. "Once they do, patients will be able to select the personal health record of their choice based on features, not just data."
Halamka said he expects a move toward that interoperability in the next year or so.
Let us know what you think about the story; email: Zach Church, News Writer
Dig deeper on Data centers and virtualization for Small Business