May 8, 2016 § 2 Comments
There are few more potent touchstones for the public than the protection of their privacy, and this is especially true with our health records. Within these documents lies information that may affect your loved ones, your social standing, employability, and the way insurance companies rate your risk.
We now live in a world where our medical records are digitised. In many nations that information is also moving away from the clinician who captured the record to regional repositories, or even government run national repositories.
The more widely accessible our records are the more likely it is that someone who needs to care for us can access them – which is good. It is also more likely that the information might be seen by individuals whom we do not know, and for purposes we would not agree with – which is the bad side of the story.
It appears that there is no easy way to balance privacy with access – any record system represents a series of compromises in design and operation that leave the privacy wishes of some unmet, and the clinical needs of others ignored.
Core to this trade-off is the choice of consent model. Patients typically need to provide their consent for their health records to be seen by others, and this legal obligation continues in the digital world.
Patient consent for others to access their digital clinical records, or e-consent, can take a number of forms. Back 2004, working with colleagues who had expertise in privacy and security, we first described the continuum of choices between patients opting in or out of consent to view their health records, as well as the trade-offs that were associated with either choice .
Three broad approaches to e-consent are employed.
- “Opt Out” systems; in which a population is informed that unless individuals request otherwise, their records will be made available to be shared.
- “Opt in” systems; in which patients are asked to confirm that they are happy for their records to be made available when clinicians wish to view them.
- Hybrid consent models that combine an implied consent for records to be made available and an explicit consent to view.
Opt in models assume that only those who specifically give consent will allow their health records to be visible to others, and opt out models assume that record accessibility is the default, and will only be removed if a patient actively opts-out of the process. The opt-out models maximises ease of access to, and benefit from, electronic records for clinical decision making, at the possible expense of patient privacy protections. Opt-in models have the reverse benefit, maximising consumer choice and privacy, but at the possible expense of record availability and usefulness in support of making decisions (Figure 1).
Figure 1 – Different forms of consent balance clinical access and patient privacy in different proportions (from Coiera and Clarke, 2004)
All of the United Kingdom’s shared records systems now emply hybrid consent models of one form or another. Clinicians can also ‘break the glass’ and access records if the patient is too ill or unable to consent. In the US a variety of consent models are used and privacy legislation varies from state to state. Patients belonging to a Health Maintenance Organisation (HMO) are typically deemed to have opted in by subscribing to an HMO.
How do we evaluate the risk of one consent model over others?
The last decade has made it very clear that, at least for national systems, there are two conflicting drivers in the selection between consent models. Those that worry about patient privacy and the risks of privacy breeches favour opt-in models. Governments that worry about the political consequences of being seen to invade the privacy of their citizens thus gravitate to this model. Those that worry about having a ‘critical mass’ of consumers enrolled in their record systems, and who do not feel that they are at political risk on the privacy front (perhaps because as citizens our privacy is being so rapidly eroded on so many fronts we no longer care) seem comfortable to go the opt-out route.
The risk profiles for opt in and opt out systems are thus quite different (Figure 2). Opt-out models risk making health records available for patient’s who, in principle, would object to such access but have not opted out. This may because they were either not capable of opting-out, or were not informed of their ability to opt-out.
For opt-in models, the greatest risk to a system operator is that important clinical records are unavailable at the time of decision-making, because patients who should have elected to opt-in were neither informed that they should have a record, or were not easily capable of making that choice.
Other groups, such as those who are informed and do opt-out, may be at greater clinical risk because of that choice, but are making a decision aware of the risks.
Figure 2: The risk profiles for opt-in and opt-out patient record systems are different. Opt-out models risk making records available for patients who in principle would object to such access, but were not either capable or informed of their ability to opt-out. For opt-in models, the risk is that important clinical records are unavailable at the time of decision making, because patients who should have elected to opt-in were neither informed nor capable of making that choice.
Choosing a consent model is only half of the story
In our 2004 paper, we also made it clear that choosing between opt-in or out was not the end of the matter. There are many different ways in which we can grant access to records to clinicians and others. One can have an opt-in system which gives clinicians free access to all records with minimal auditing – a very risky approach. Alternatively you can have an opt-out system that places stringent gatekeeper demands on clinicians to prove who they are, that they have the right to access a document, that audits their access, and allows patients to specify which sections of their record are in or out – a very secure system.
Figure 3 – The different possible functions of consent balance clinical access or patient privacy in different proportions. The diagram is illustrative of the balances only – thus there is no intention to portray the balance between access and privacy as equal in the middle model of e-Consent as an audit trail. (From Coiera and Clarke, 2004)
So, whilst we need to be clear about the risks of opt in versus opt out, we should also recognise that it is only half of the debate. It is the mechanism of governance around the consent model that counts at least as much.
For consumer advocates, “winning the war” to go opt-in is actually just the first part of the battle. Indeed, it might even be the wrong battle to be fighting. It might be even more important to ensure that there is stringent governance around record access, and that it is very clear who is reading a record, and why.
- Coiera E and Clarke R, e-Consent: The design and implementation of consumer consent mechanisms in an electroninc environment. J Am Med Inform Assoc, 2004. 11(2): p. 129-140.
May 1, 2016 § Leave a comment
What is the role of government in contributing to the nation digital health infrastructure? That is not an easy question to answer. Every nation has its own specific variant of a health system, with different emphases on the public or private, on central government intervention or laissez-faire commerce. I have in earlier blogs made the point that, despite these differences in national systems, we now collectively have enough experience that we cannot ignore the evidence when crafting national strategies.
Back in 2009, when I explored the implications of these structural differences for government, I came to the conclusion that digital health needed a ‘middle out’ governance model, rather than top-down or bottom-up approaches to strategy. One consequence of the thinking in that paper was that I formed a view that we did not need a centralised national summary care record – a view which left me with fewer friends in government than I used to have! I was only trying to be helpful …
With a new Australian Digital Health Agency, it is now a good time to revisit these questions, to learn from the past, and to come together as an informatics and e-health community, and give ourselves the best possible shot at getting digital health right.
Digging through my papers recently, I came across this briefing paper I wrote for the Secretary of Health in 2008 – well before the middle out and summary care record papers. It was a time when Facebook was in the ascendancy, so I used the term ‘Healthbook’ to portray my ideas for a distributed, federated digital information system. Maybe now is a good time to revisit its spirit, if not the technical details?
‘Healthbook’ – the consumer as catalyst for the creation of a national ehealth infrastructure
E. Coiera, 2 May 2008
Briefing paper to DOHA
Australia like many nations is struggling to identify a strategic approach to creating a health information infrastructure that is technically feasible, low risk, and affordable.
The current proposal for a national shared electronic health record (SEHR), presumes a centralised, potentially monolithic, structure, where every Australian has a health record summary stored for them, to facilitate health care provision. The mental model is similar to English NHS’ system, which has cost billions of pounds to implement, and has experienced significant technical and implementation challenges on the way. If Australia were to take a similar centralised approach to the SEHR, then it too would cost several billion dollars, presuming our cost structures are similar to the English NHS, and face its own technical risks. And after investing that money we are locked into ageing technologies that require continued significant investment. Implementation starts, but it never ends.
A second disadvantage of beginning with a centralised SEHR is that it demands ‘delayed gratification’. There is massive up front investment, substantial pain within the health jurisdictions during implementation, with benefits only arriving after many years, and little for consumers to see or appreciate despite the large sums of money being invested. It also draws resources away from other cheaper, but potentially higher value, elements of the eHealth infrastructure, specifically decision support technologies, which have great capability to reduce harm, improve safety, and deliver efficiency gains through more evidence-based use of investigations and therapeutics.
A different way
An alternative approach has emerged. Imagine that, rather than waiting 5-10 years for a ‘centrally planned’ SEHR (that is what it may take) we achieve many of the same goals in less than 5 years, at significantly less cost to government, in a market-driven and industry lead way, growing organically and flexibly, rapidly adopting technological innovation, and potentially building up new export industries for Australia’s IT industry. Imagine also if this new way had strong support from consumers, because it was all about them and their health care, and not about putting in expensive ‘backroom’ technologies they will never see.
There are three elements to this approach:
1 – The shareable record can be consumer rather than health service focussed: Utilising the resources of private industry, consumer demand for access to their record, personal health records are emerging as a major new business sector. The strongest evidence for this is the move by two of the largest IT companies into this space. Microsoft has made its first major step into healthcare with its HealthVault product, and Google Health is emerging as their main competitor. Both offer consumers a service to store their personal health information, and to make it accessible to health providers with consumer consent.
In the US many large health service organizations have many millions of their patients using locally developed personal health records, for example the VA hospitals, and Partners. Similar activities are underway here with smaller start-up companies e.g. myvitals.com. Expect a flurry of such companies to appear locally, or arrive from overseas, over the next 12 months.
There is much to be commended about personal health records, but there are also some major limitations, including – the potential for the consumer created record to be of poor quality or perceive to be so by clinicians, the lack of interoperability between different systems, the consequent locking in of one’s records to a single vendor, the poor connectivity between health service provider records and personal health records, the significant risk that personal health information may be used for secondary and commercial purposes, and for Australian’s, the very real risk that core national IP – the health records of all Australians, is stored overseas – resulting in a massive transfer of information and wealth overseas.
2 – The rise of social computing. While there has been talk of the internet being an online community since the mid ‘90s, only in the last 2 years has this really taken off, with Facebook, My space and others providing a sophisticated social networking experience that has caught the imagination of the average consumer, trained consumers in sophisticated information sharing strategies, and developed software to support this. Consumers are now comfortable to carry out many of their most personal transactions on the web, from banking, to finding partners and socializing. Blogging has created a generation that is far more comfortable in sharing their personal information than any before.
3 – The continuing rise of search. Google and its competitors continue to prosper. Health information is amongst the top two categories of information searched for. Consumers want information about their health, and continue to turn more to the Internet for that information.
Putting these three together it may now be possible for private industry to create information services that challenge the centralized monolithic SEHR model, and create a rich and flexible ehealth infrastructure on the way.
The idea of a facebook for health (or ‘healthbook’) is fairly straightforward – it is a web space where you manage your health information and access health information services, in the same way that your internet banking account is the place you manage your wealth e.g. looking at account balances, paying bills, transferring funds. There will be many competing ‘healthbook’ systems provided by industry, and we can expect companies to be offering consumers at least some or all of the following services:
- A personal health record, where you enter your own health information;
- Access to health information e.g. search engines, local guidelines, drug information, health leaflets;
- A social computing environment in which a personal health record and information can be shared amongst family, friends, clinicians, and groups;
- Links to a selected subset of health providers, allowing them to see personal health records, exchange messages (reminders, appointments, results, health messages), and maybe allow you to see some of their records about you e.g. a division of GPs might offer this service, or a private health insurer may negotiate with health service providers to offer this to their clients.
It is important to emphasise that we are not saying that the personal record now becomes the shared health record – it cannot and should not – but that the links to different clinical record systems we might find in a ‘healthbook’ effectively provides the first stage in shared access to clinical records. While such systems will grow organically, and possibly quite quickly, there are several missing pieces and some concerns that need to be addressed, including:
- Message exchange and access to your records stored by the public hospital system
- Message exchange and access to your records stored by other health services not part of the particular online consortium you join.
- Interoperability between systems, allowing consumers to take their personal health information, and linked messages and records, to a different provider.
- Protections for Australian health information going overseas and being exploited for secondary commercial purposes.
- Accreditation of healthbook providers to ensure clinical service providers and patients are comfortable in making their clinical records available via them.
If issues such as these were addressed quickly, we may in Australia be creating business conditions not yet operating anywhere else in the world, and create an opportunity for our local IT industry to corner or at least become highly competitive in a new business clearly destined to become the single largest information technology market.
It thus seems entirely feasible for government to choose not to invest in a monolithic national e-health infrastructure, but foster competition and rapid expansion of a web and business driven infrastructure. Government creates appropriate protections for the community and their personal information while supporting high quality and safe clinical care. Government is a key enabler, working with the professions and individuals to identify incentives and provides critical missing elements needed to fast track this world, including regulation, legislation, investment in making jurisdictional systems interoperable, provision of public knowledge and information sources, and investment in evaluation and research to drive evidence-based innovation.
What might happen next
If government steps in to address some of these barriers to fully interconnecting consumer-based personal health records, we could imagine three stages in the evolution of our national eHealth infrastructure:
Stage 1 (next 2 years) – Personal health record systems available and taken up by a few Australian. Some offer access to knowledge services e.g. Healthinsite; some service providers band together to allow their records to be linked to these systems and for messages to be exchanged between providers and consumers within this system. Records might be shareable within these restricted health service organizations. Standards are being developed by NEHTA, ISO and Standards Australia, and industry and the jurisdictions are moving to comply with these as they install eHealth systems.
Stage 2 (2-3 years) – Messaging standards and unique and secure IDs for every Australian (the UPI) are in place and allow communication between providers and any standards compliant ‘healthbook’. Record portability legislation encourages innovation and competition and avoids monopoly outcomes (similar to mobile telephone number portability, where a consumer can take their phone number and address book from one Telco handset and swap them to a different one). Some state jurisdictions and primary care divisions provide standard secure web interfaces to any accredited private system, and consumers chose to link to their records in these systems, if they are aware that they are able to. When viewing linked records they appear in non-standard ways, dependent on the structure of the local system the record sits on. 10% of Australians have a ‘healthbook’ page, with international IT companies amongst the major players, but Australians may end up trusting their health providers and government with their private information, so the biggest user base may be found with Divisions of general practice, or private health insurance companies. Many other players jockey for dominance.
Stage 3 (3-5 years) – Interoperability standards have allowed any accredited record provider to provide a discoverable web service, so that any healthbook can access these records, with consumer permission. This means when you create your new healthbook account and put in your UHI, the system will find all the records associated with your care that are on the web, and ask you if you want to link them in. When records are browsed from within a consumer space, they have a uniform appearance. So, irrespective of which company’s ‘Healthbook’ you use, a clinician can always find the information they want in the same place, by selecting the ‘common user interface’ option. It is possible to extract elements of provider records into a personal health record manually or automatically. For example, you can extract medication lists, test results, or allergies from your GP system into your personal health record.
For those who choose it, their treating clinician may decide which data gets extracted from the clinical record into the personal summary record. For Australians who are not interested in using a private system, or are unable to do so, a ‘vanilla’ personal health record is made available, possibly via the jurisdictions, that allows a provider to see other linked records for a given patient, with a patient’s consent. Local Australian companies provide the back end service to consumer health sites, with the front end run by large health delivery organizations e.g. public hospital systems, and private insurers. International IT companies provide some of the core technologies underpinning these systems but the data is stored in Australia, protected by legislation from going offshore, or even analyses of the data going offshore.
The Role of government
Government has a role to:
- Facilitate – through standards activities (NEHTA) and early investment for industry development and research. For example COAG may wish to provide seed funding for 2-4 large-scale implementations e.g. requiring each consortium to include a public hospital system, a primary care organization, and for some % of the industry membership to be locally based. This attracts industry to invest, and creates a competitive climate in which innovation is focussed on delivering to the consumer as the main customer. It should be clear investment is for start up and that all programs need to be self-funding at the end of the projects. There may be incentives for meeting subscription and transaction rate milestones, and for health services incentives for meeting outcome targets e.g. preventative health activities. There may be penalties for failure to deliver, including withholding of payments should benchmarks not be met. There should be some key deliverables that we expect of out any such consortia, including:
- Working with standards organizations like NEHTA, they should agree on a working record portability standard and mechanism, that allows a consumer to extract their personal health record, provider messages, links to clinical records, and any other information such as a future shared health record, and transfer it to another provider;
- Consortia should demonstrate interoperability between each other for record mobility between consortia, and for messaging between providers and different consortia.
- Working with standards organizations, the consortia should agree on a default ‘common user interface’, which provides a uniform way of accessing linked records, messages, and patient data for clinicians and consumers. There is no obligation to use this interface as different systems will want to ‘value add’ and provide better user experiences for their customers. We want to ensure that clinicians will only need to learn how to access healthbook records once, and always find the information they need in the same place every time – for safety as well as efficiency reasons.
- Demonstrated use of a unique personal identifier like the UHI, ensuring secure and safe creation of new accounts, protection of personal information, and ease of access in clinical situations.
- Demonstrated security and consent mechanisms so that consumers feel safe using these systems.
- Protect – the privacy of individuals, and the national IP – through legislation, and where appropriate accreditation. Consumers will need record portability and not be locked into one vendor, so legislation should allow for consumers to extract their digital records from any one vendor and move to another. Consumers and providers will want to know that healthbook systems are accredited before records are linked into them, and that accreditation ensures that records made available this way are not used for any purpose other than clinical care, and only with the consent of consumers.
- Evaluate – We need benchmarks for this program, both in terms of uptake by citizens, as well as adoption rates, usage and benefits. Evaluation programs for benefits are best run by independent organizations, and this is a clear role for academic institutions.
- Ensure Access – Ensuring all citizens and health service providers have access via a decent broadband system, and for those citizens who choose not to actively be engaged, or are unable e.g. infirm, elderly, then create an option of clinician or health service managed e-services where the consumer gives permission for their ‘healthbook’ to be created for them. Facilitate early adoption by service providers with an incentives program (e.g. to make practice records linkable to commercial systems).
- Innovate – We want Australian industry to have access to new ideas and IP to make them competitive with the US industry in particular, and there is a clear opportunity to support Australian R&D and innovation with targeted support for eHealth innovation programs.
- Participate – where jurisdictions control medical content such as records or knowledge resources (Healthinsite, service or provider directories), make these available and interoperable with private sector systems. Where government has a specific duty to individuals such as military personnel, provide or auspice services available to citizens e.g. military personnel may have records that cannot be linked for security reasons to commercial systems, so a military system might be needed, which links to all public records, but remains secure.
Appendix – Some benefits and ideas worth capturing at this stage
Benefits of this approach
- A better informed, better engaged population
- A transition plan to implementing SHER functions, not a ‘big bang’ centralised SHER, which is a single point of failure if things go wrong.
- Technical and investment risks are lower, as the elements government may want to invest in e.g. standards, making jurisdictional records compliant, and messaging are all required under the monolithic SEHR model too. So, if the consumer-drive model does not work, government can in the future elect to step in and can complete the ‘last mile’ e.g. with health information exchanges.
- Most of the implementation risk is borne by private enterprise
- A shift to preventative healthcare, as consumers build for possibly the first time a place where they actively manage their healthcare, and receive targeted messages and support.
- Safer care – driven by consumer benchmarking and rating, the use of consumer decision support systems, easier interaction with clinicians via messaging, a shareable record that allows clinicians to see the bigger clinical picture.
- Support for the Australia it industry and research community to become a world leader in a market that is highly lucrative – if there is to be a new company that becomes the Google of healthcare, why could it not be an Australian company?
- Use the healthbook to send reminders for vaccinations, screening tests, routine check ups.
- Support for healthy journeys e.g. parents with young children accessing information at crucial child development stages, and possibly linking up with the community 1-stop shop proposal by government.
- If every high school student has a computer why can’t they use ‘healthbook’ applications to manage their exercise and eating regimes, by providing a online social environment where quality information is shared, groups can form e.g. how to cope with anorexia or obesity, providing information and social support?
- Support for more targeted, efficient access to services e.g. by providing consumers health service directories, similar to ‘choose and book’ in the NHS, with the ability to identify providers, and make appointments. Especially valuable for rural and remote citizens to identify services that might be available to them outside of local area.
- Consumer based benchmarking of services – similar to Amazon star rating for books (this will happen anyway – best to support it being as informative and balanced as possible).
October 7, 2015 § 2 Comments
Learning health systems are the next big thing. Through the use of information technology, the hope is that we can analyse all the data captured in electronic health records to speed both the process of scientific discovery and the translation of these discoveries into routine practice1,2. Every patient’s data, their response to treatment, and final outcome, will no longer be filed away, but feed the care of future patients3. It’s an exciting vision, and if we can achieve it, there is no doubt healthcare delivery would be transformed.
If we were to step back, we might conclude that although this is an admirable vision, for all its failings, the machinery of science is already working faster than we can handle it. The arena where organizational learning most needs to take hold is in the way we deliver health services. It is clear that we could do so much better in this arena. There is too much variation in patient care, too much waste and harm in the system.
So, if what we have today is not yet a learning health system, then by definition we must have the opposite – a forgetting health system. If that is the case, then here are two working definitions to contrast the two ideas:
- Learning system: The past shapes the future. Today’s mistake is tomorrow’s wisdom.
- Forgetting system: The past is the future. Today’s mistakes are forgotten quickly and are repeated tomorrow.
With this perspective it is easy to see examples everywhere of such ‘forgetting’. The history of large-scale e-health is a litany of the same case study being repeated. A large health IT project is started (usually by a government and usually as a technology innovation project rather than to fix a defined health problem). It quickly runs over time, over budget, and is treated with dismay as its users find it doesn’t do what they were promised. The end result is new problems, workarounds to circumvent the intruder technology, and in some cases, the eventual removal of the system.
The solution to this mess is of course seems to be to start a new large-scale e-health system, run by different people. Yet, like moths to a flame, these new protagonists seem to make the same set of strategic mistakes, but in new ways. Today’s large-scale health IT projects seem to be in a perpetual state of Groundhog Day, and must be a classic example of a forgetting system. This may be because there is no learning, because we convince ourselves that this time is ‘different’ and the past has nothing to teach us, or because when we look at past failures, we are unable to drawn any conclusions because of a lack of ability or imagination.
Information is lost
If a system ‘forgets’ then by implication that means that information that existed in the system has been lost, preventing its reuse to guide future events. If you think about it for one moment, the health system loses information every moment of every day, in unimaginable amounts. We only record a fraction of the events that occur. Most of these are not directly captured but rather are reconstructed from the memory of the individual making the record.
If we were to transform our forgetting system into a learning system, so that health system improvements are driven by experience, what do we need to do? For a system to ‘remember’ an event, a teachable moment, it firstly needs to be detected. You can’t remember what you never saw. Next, after detection, it needs to be recorded. Finally, this recording needs to be somehow aggregated with other events, for discovery of new knowledge to occur.
When it comes to treatment and diagnosis, we have built very precise mechanisms to detect important events or processes through a variety of diagnostic methods. The data captured are increasingly being recorded in electronic systems, and analysed. That’s the ‘big data’ movement in healthcare in a nutshell.
When it comes to health services, we still don’t know what events we should detect, what processes of service delivery should be instrumented, and there is still little thought to pooling system measurements in a way to allow across organizational analysis and learning. So, if we are to make our health services become learning ones, the task is much bigger than installing patient records.
One of the challenges to learning in health services is that, whilst it is easy to imagine that organizational memories can be stored in bits on a database, more often they will sit in the heads of those who work within them4. So, a good indicator that you are working in a forgetting system is that your organization has a high staff turnover – because it is very likely that when staff walk out the door they also walk with everything they know about the system that they are leaving, and no one has tried to capture that rich web of knowledge (if it could so easily be captured).
When learning also requires forgetting
Memories however also exist in other ways in an organisation. Crucially, they persist in the processes, protocols and built structures of the organisation, and in the workarounds and annotations that happen to physical spaces5. These structural memories are not inert or idly awaiting someone’s analysis. They sit there every moment shaping work, and altering human perceptions, actions and intent.
With time, accreted structural memories can lead to inertia, to an immovable status quo6. These kinds of memories therefore need to be managed. Some need to be revisited and revised, others are the jewels of the past that we should never forget and some, some are impeding the emerging purpose of an organization, and need to be actively forgotten. The need for organizational apoptosis, or active forgetting, is something I’ve written about before6.
From learning to adaptive systems
So, learning clearly is not nearly enough. Recording and analysing, at least as far as organisations are concerned, can only take you so far. The living walls and praxis of an organisation are already busy recording, even learning, but may not make it possible to do anything about what has been learned. For organisational inertia to be broken, and for repeated failures to be avoided, we not only need to learn, we need to actively, wisely, carefully, forget.
That will be a true learning system, because learning systems also need the capacity to change.
- Etheredge LM. A rapid-learning health system. Health affairs. 2007;26(2):w107-w118.
- Friedman CP, Wong AK, Blumenthal D. Achieving a nationwide learning health system. Science translational medicine. 2010;2(57):57cm29-57cm29.
- Gallego B, Walter SR, Day RO, et al. Bringing cohort studies to the bedside: framework for a ‘green button’ to support clinical decision-making. Journal of Comparative Effectiveness Research. 2015(0):1-7.
- Coiera E. When conversation is better than computation. Journal of the American Medical Informatics Association. 2000;7(3):277-286.
- Coiera E. Communication spaces. Journal of the American Medical Informatics Association. May 1, 2014 2014;21(3):414-422.
- Coiera E. Why system inertia makes health reform so hard. British Medical Journal. 2011;343:27-29.
November 29, 2013 § Leave a comment
Like many nations, Australia has begun to develop nation-scale E-health infrastructure. In our case it currently takes the form of a Personally Controlled Electronic Health Record (PCEHR). It is a Federal government created and operated approach that caches clinical documents including discharge summaries, summary care records that are electively created, uploaded and maintained by a designated general practitioner, and some administrative data including information on medications prescribed and dispensed, as well as claims data from Medicare, our universal public health insurer. It is personally-controlled in that consumers must elect to opt in to the system, and may elect to hide documents or data should they not wish them to be seen – a point that has many clinicians concerned but is equally celebrated by consumer groups.
With ongoing concerns in some sectors about system cost, apparent low levels of adoption and clinical use, as well as a change in government, the PCEHR is now being reviewed to determine its fate. International observers might detect echoes of recent English and Canadian experiences here, and we will all watch with interest to see what unfolds after the Committee reports.
My submission to the PCEHR Review Committee focuses only on the clinical safety of the system, and the governance processes designed to ensure clinical safety. You can read my submission here.
As background to the submission, I have written about clinical safety of IT in health care for several years now, and some of the more relevant papers are collected here:
- J. S. Ash, M. Berg, E. Coiera, Some Unintended Consequences of Information Technology in Health Care: The Nature of Patient Care Information System Related Errors, Journal American Medical Informatics Association, 11(2),104-112, 2004.
- Coiera E, Westbrook J, Should clinical software be regulated? Medical Journal of Australia. 2006:184(12);600-1.
- Coiera E, Westbrook JI, Wyatt J (2006) The safety and quality of decision support systems, Methods Of Information In Medicine 45: 20-25 Suppl. 1, 2006.
- Magrabi F, Coiera E. Quality of prescribing decision support in primary care: still a work in progress. Medical Journal of Australia 2009; 190 (5): 227-228.
- Coiera E, Do we need a national electronic summary care record? Medical Journal of Australia 2011; 194(2), 90-2.
- [Paywall] Coiera E, Kidd M, Haikerwal M, A call to national e-health clinical safety governance, Med J Aust 2012; 196 (7): 430-431.
- Coiera E, Aarts J, Kulikowski K. The Dangerous Decade. Journal of the American Medical Informatics Association, 2012;19(1):2-5.
- [Paywall] Magrabi F, Aarts J, Nohr C, et al. A comparative review of patient safety initiatives for national health information technology. International journal of medical informatics 2012;82(5):e139-48.
- [Paywall] Coiera E, Why E-health is so hard, Medical Journal of Australia, 2013; 198(4),178-9.
Along with research colleagues I have been working on understanding the nature and extent of likely harms, largely through reviews of reported incidents in Australia, the US and England. A selection of our papers can be found here:
- Magrabi F, Ong M, Runciman W, Coiera E. An analysis of computer-related patient safety incidents to inform the development of a classification. Journal of the American Medical Informatics Association 2010;17:663-670.
- Magrabi F, Li SYW, Day RO, Coiera E, Errors and electronic prescribing: a controlled laboratory study to examine task complexity and interruption effects. Journal of the American Medical Informatics Association 2010 17: 575-583.
- Magrabi F, Ong, M, Runciman W, Coiera E, Patient Safety Problems Associated with Healthcare Information Technology: an Analysis of Adverse Events Reported to the US Food and Drug Administration, AMIA 2011 Annual Symposium, Washington DC, October 2011, 853-8.
- Magrabi F, Ong MS, Runciman W, Coiera E. Using FDA reports to inform a classification for health information technology safety problems. Journal of the American Medical Informatics Association 2012;19:45-53.
- Magrabi, F., M. Baker, I. Sinha, M.S. Ong, S. Harrison, M. R. Kidd, W. B. Runciman and E. Coiera. Clinical safety of England’s national programme for IT: A retrospective analysis of all reported safety events 2005 to 2011. International Journal of Medical Informatics 2015;84(3): 198-206.
November 29, 2013 § 4 Comments
Professor Enrico Coiera, Director Centre for Health Informatics, Australian Institute of Health Innovation, UNSW
Date: 21 November 2013
The Clinical Safety of the Personally Controlled Electronic Health Record (PCEHR)
This submission comments on the consultations during PCEHR development, barriers to clinician and patient uptake and utility, and makes suggestions to accelerate adoption. The lens for these comments is patient safety.
The PCEHR like any healthcare technology may do good or harm. Correct information at a crucial moment may improve care. Misleading, missing or incorrect information may lead to mistakes and harm. There is clear evidence nationally and internationally that health IT can cause such harm [1-5].
To mitigate such risks, most industries adopt safety systems and processes at software design, build, implementation and operation. User trust that a system is safe enhances its adoption, and forces system design to be simple, user focused, and well tested.
The current PCEHR has multiple safety risks including:
- Using administrative data (e.g. PBS data and Prescribe/Dispense information) for clinical purposes (ascertaining current medications) – a use never intended;
- Using clinical documents (discharge summaries) instead of fine-grained patient data e.g. allergies. Ensuring data integrity is often not possible within documents (e.g. identifying contradicting, missing or out of date data);
- Together these create an electronic form of a hybrid record with no unitary view of the clinical ‘truth’. Hybrid records can lead to clinical error by impeding data search or by triggering incorrect decisions based on a partial view of the record ;
- Shifting the onus for data integrity to a custodian GP avoids the PCEHR operator taking responsibility for data quality (a barrier to GP engagement and a risk because integrity requires sophisticated, often automated checking).
- No national process or standards to ensure that clinical software and updates (and indeed the PCEHR) are clinically safe.
The need for clinical safety to be managed within the PCEHR was fed into the PCEHR process formally , via internal NEHTA briefings, at public presentations at which PCEHR leadership were present and was clear from the academic literature. Indeed, a 2010 MJA editorial on the risks and benefits of likely PCEHR architectures highlighted recent evidence suggesting many approaches were problematic. It tongue-in-cheek suggested that perhaps GPs should ‘curate’ the record, only to then point out the risks with that approach .
Yet, at the beginning of 2012, no formal clinical safety governance arrangements existed for the PCEHR program. The notable exception was the Clinical Safety Unit within NEHTA, whose limited role was to examine the safety of standards as designed, but not as implemented. There was no process to ensure software connecting to the PCEHR was safe (in the sense that patients would not be harmed from the way information was entered, stored, retrieved or used), only that it interoperated technically. No ongoing safety incident monitoring or response function existed, beyond any internal processes the system operator might have had.
Concerns that insufficient attention was being paid to clinical safety prompted a 2012 MJA editorial on the need for national clinical safety governance both for the PCEHR as well as E-health more broadly . In response, a clinical governance oversight committee was created within the Australian Commission on Safety and Quality in Health Care, (ACSQHC) to review PCEHR incidents monthly, but with no remit to look at clinical software that connects to the PCEHR. There is however no public record of how clinical incidents are determined, what incidents are reported, their risk levels or resulting harms, nor how they are made safe. A major lesson from patient safety is that open disclosure is essential to ensure patient and clinician trust in a system, and to maximize dissemination of lessons learned. This lack of transparency is likely a major barrier to uptake, especially given the sporadic media reports of errors in PCEHR data (such as incorrect medications) with the potential to lead to harm.
We recently reviewed governance arrangements for health IT safety internationally, and a wide variety of arrangements are possible from self-certification through to regulation . The English NHS has a mature approach that ensures clinical software connecting to the national infrastructure complies with safety standards, closely monitors incidents and has a dedicated team to investigate and make safe any reports of near misses or actual harms.
Our recent awareness of large-scale events across national e-health systems – where potentially many thousands of patient records are affected at once – is another reason PCEHR and national e-health safety should be a priority. We recently completed, with the English NHS, an analysis of 850 of their incidents. 23% (191) of incidents were large-scale involving between 10 and 66,000 patients. Tracing all affected patients becomes difficult when dealing with a complex system composed of loosely interacting components, such as the PCEHR.
- A whole of system safety audit and risk assessment of the PCEHR and feeder systems should be conducted, using all internal data available, and made public. The risks of using administrative data for clinical purposes and the hybrid record structure need immediate assessment.
- A strong safety case for continued use of administrative data needs to be made or it should be withdrawn from the PCEHR.
- We need a whole of system (not just PCEHR) approach to designing and testing software (and updates) that are certifiably safe, to actively monitor for harm events, and a response function to investigate and make safe root causes of any event. Without this it is not possible for example to certify that a GP desktop system that interoperates with the PCEHR is built and operated safely when it uploads or downloads from the PCEHR.
- Existing PCEHR clinical safety governance functions need to be brought together in one place. The nature, size, structure, and degree to which this function is legislated to mandate safety is a discussion that must be had. Such bodies exist in other industries e.g. the civil aviation safety authority (CASA). ACSQHC is a possible home for this but would need to substantially change its mandate, resourcing, remit, and skill set.
- Reports of incidents and their remedies need to be made public in the same way that aviation incidents are reported. This will build trust amongst the public and clinicians, contribute to safer practice and design, and mitigate negative press when incidents invariable become public.
[See parent blog for links to papers that are not linked here]
1. Coiera E, Aarts J, Kulikowski C. The dangerous decade. Journal of the American Medical Informatics Association 2012;19:2-5
2. Patient safety problems associated with heathcare information technology: an analysis of adverse events reported to the US Food and Drug Administration. AMIA Annual Symposium Proceedings; 2011. American Medical Informatics Association.
5. Coiera E, Westbrook J. Should clinical software be regulated? MJA 2006;184(12):600-01
8. Coiera E. Do we need a national electronic summary care record. Med J Aust 2011 (online 9/11/2010);94(2):90-92
9. Coiera E, Kidd M, Haikerwal M. A call for national e-health clinical safety governance. Med J Aust 2012;196(7):430-31.
10. Magrabi F, Aarts J, Nohr C, et al. A comparative review of patient safety initiatives for national health information technology. International journal of medical informatics 2012;82(5):e139-48
November 1, 2013 § 10 Comments
A common strategy for structuring complex human systems is to demand that everything be standards-based. The standards movement has taken hold in education and healthcare, and technical standards are seen as a prerequisite for information technology.
In healthcare, standards are visible in three critical areas, typical of many sectors: 1/ Evidence-based practice, where synthesis of the latest research generates best-practice recommendations; 2/ Safety, where performance indicators flag when processes are sub-optimal; and 3/ Technical standards, especially in information systems, which are designed to ensure different technical systems can interoperate with each other, or comply with minimum standards required for safe operation. There is a belief that ‘standardisation’ will be a forcing function, with compliance ensuring the “system” moves to the desired goal – whether that be safe care, appropriate adoption of recommended practices, or technology that actually works once implemented.
In the world of healthcare information systems, the mantra of standards and intra-operability is near a religion. Standards bodies proclaim them, governments mandate them, and as much as they can without being noticed, industry pays lip service to them, satisficing wherever they can. For such a pervasive technology, and we should see technical standards as exactly that – another technical artifact – it is surprising that there appears to be no evidence base that supports the case for their use. There seem to be no scientific trials to show that working with standards is better than not. Commonsense, communities of practice, vested interests and sunk costs, all along with the weight of belief, sustain the standards enterprise.
For those who advocate standards as a solution to system change, I believe the growing challenge of systems inertia has one a disturbing consequence. The inevitable result of an ever-growing supply of standards meeting scarce human attention and resource should from first principles reasoning lead to a new ‘Malthus’ law of standards – that the fraction of standards produced that are actually complied with, will with time asymptote toward zero. To paraphrase Nobelist Herb Simon’s famous quip on information and attention, a wealth of standards leads to a poverty of their implementation.
It should come as no surprise then that standardisation is widely resisted, except perhaps by standards makers. Even then they tend to aggregate in competing tribes pushing one version of a standard over another. Unsurprisingly, safety goals remain elusive and evidence-based practice to many clinicians seems an academic fantasy. Given that clinical standards are often not evidence-based, such resistance may not be inappropriate[2 3].
In IT, standards committees sit for years arguing over what the ‘right’ standard is, only to find that once published, there are competing standards in the marketplace, and that technology vendors resist because of the cost of upgrading their systems to meet the new standard. Pragmatic experience in healthcare indicates standards can stifle local innovation and expertise. In resource-constrained settings, trying to become standards compliant simply moves crucial resources away from front-line service provision.
There is a growing recognition that standards are a worthy and critical research topic. Most standards research is empirical and case based. An important but small literature examines the ‘standardisation problem’ – the decision to choose amongst a set of standards. Economists have used agent-based modelling in a limited way to study the rate and extent of standards adoption. Crucially, standards adoption is seen as an end in itself with current research, and there seems little work examining the effect of standardisation on system behaviour. Are standards always a good thing? There seems to be no work on the core questions of when to standardise, what to standardise, and how much of any standard one should comply with.
Clearly, some standardisation may be needed to allow the different elements of a complex human system to work together, but it is not clear how much ‘standard’ is enough, or what goes into such a standard. My theoretical work on the continuum between information and communication system design provides some guidance on when formalisation of information processes makes sense, and when things are best left fluid. That framework showed that in dynamic settings where there is task uncertainty, standardisation is not a great idea. Further information system design can be shaped by understanding the dynamics of the ‘conversation’ between IT system and user, and by the task specific costs and benefits associated with technology choice[9 10].
It is remarkable that these questions are not being asked more widely. What is now needed is a rigorous analysis of how system behaviour is shaped and constrained by the act of standardisation, and whether we can develop more adaptive, dynamic approaches to standardisation that avoid system inertia and deliver flexible and sustainable human systems.
This blog is excerpted from my paper “Stasis and Adaptation“, which I gave in Copenhagen earlier this year, to open the Context-Sensitive Healthcare Conference. For an even more polemic paper from the same conference, check out Lars Botin’s paper How Standards will Degrade the Concepts of the Art of Medicine.
1. Coiera E. Why system inertia makes health reform so hard. British Medical Journal 2011;343:27-29 doi: doi:10.1136/bmj.d3693[published Online First: Epub Date]|.
2. Lee DH, Vielemeyer O. Analysis of Overall Level of Evidence Behind Infectious Diseases Society of America Practice Guidelines. Arch Intern Med 2011;171:18-22
3. Tricoci P, Allen JM, Kramer JM, et al. (2009) Scientific Evidence Underlying the ACC/AHA Clinical Practice Guidelines. JAMA 301: 831-841. JAMA 2009;301:831-41
4. Coiera E. Building a National Health IT System from the Middle Out. J Am Med Inform Assoc 2009;16(3):271-73 doi: 10.1197/jamia.M3183[published Online First: Epub Date]|.
5. Lyytinen K, King JL. Standard making: A critical research frontier for information systems research. MIS Quarterly 2006;30:405-11
6. The Standardisation problem – an economic analysis of standards in information systems. Proceedings of the 1st IEEE Conference on standardization and innovation in information technology SIIT ´99 1999.
7. Weitzel T, Beimborn D, Konig W. A unified economic model of standard diffusion: the impact of standardisation cost, network effects and network topology. MIS Quarterly 2006;30:489-514
8. Coiera E. When conversation is better than computation. Journal of the American Medical Informatics Association 2000;7(3):277-86
9. Coiera E. Mediated agent interaction. In: Quaglini BaA, ed. 8th Conference on Artificial Intelligence in Medicine. Berlin: Springer Lecture Notes in Artificial Intelligence No. 2101, 2001:1-15.
10. Coiera E. Interaction design theory. International Journal of Medical Informatics 2003;69:205-22