1

Electronic Records & Electronic Records & ConfidentialityConfidentiality

(Focus on Research)(Focus on Research)Lawrence H. Muhlbaier, PhDLawrence H. Muhlbaier, PhD

Assistant ProfessorAssistant ProfessorBiostatistics & BioinformaticsBiostatistics & Bioinformatics

Duke University School of MedicineDuke University School of Medicine24 March 200724 March 2007

2

This talk is NOT specifically about:This talk is NOT specifically about:

21 CFR 11 Compliance21 CFR 11 Compliance

Genetics Data BasesGenetics Data Bases

Specimen RepositoriesSpecimen Repositories

Technology of DatabasesTechnology of Databases

3

Possible Electronic Records:Possible Electronic Records:

Primary Data CollectionPrimary Data Collection

Clinical Systems (LIS, CPOE, …)Clinical Systems (LIS, CPOE, …)

Billing Systems/Admin DataBilling Systems/Admin Data

Electronic Medical Record, NHIN, RHIOElectronic Medical Record, NHIN, RHIO

Outside Systems (PHIN, Tumor Registry,…) Outside Systems (PHIN, Tumor Registry,…)

"Old" Research Data"Old" Research Data

Physician "personal" logsPhysician "personal" logs

4

Possible Electronic Records:Possible Electronic Records: Clinical Systems Clinical Systems

LISLIS Laboratory Information SystemsLaboratory Information Systems HL7 Export (2 Flavors)HL7 Export (2 Flavors) Coding differs by Institutions/VendorsCoding differs by Institutions/Vendors

CPOECPOE Computerized Physician Order EntryComputerized Physician Order Entry PrescriptionsPrescriptions MedsMeds

5

Possible Electronic Records: Possible Electronic Records: Billing Systems/Admin Data Billing Systems/Admin Data

Coarse measures of consumptionCoarse measures of consumption DemographicsDemographics ICD coded Dx & ProceduresICD coded Dx & Procedures CPT coded ProceduresCPT coded Procedures Meds billed (not administered)Meds billed (not administered) Resource useResource use

Vent hours, blood, room use, OR useVent hours, blood, room use, OR use

6

Do you use and Electronic Health Do you use and Electronic Health Record at your Hospital:Record at your Hospital:

1.1. No No

2.2. YesYes

3.3. MaybeMaybe

4.4. Don't work with HospitalDon't work with Hospital

7

Do you use and Electronic Health Do you use and Electronic Health Record at your Hospital:Record at your Hospital:

1.1. No No

2.2. YesYes

3.3. MaybeMaybe

4.4. Don't work with HospitalDon't work with Hospital

1 2 3 4

22.2%

69.4%

2.8% 5.6%

1 2 3 4

22.2%

69.4%

2.8% 5.6%

8

Possible Electronic Records: Possible Electronic Records: Electronic Medical Record Electronic Medical Record

Rich data sourceRich data source

Often text basedOften text based

Difficult to extract dataDifficult to extract data

Extends to Extends to RHIO (Regional Health Information RHIO (Regional Health Information

Organizations)Organizations) NHIN (National Health Information Network)NHIN (National Health Information Network)

9

Possible Electronic Records:Possible Electronic Records: Outside Systems Outside Systems

PHIN (CDC)PHIN (CDC) Public Health Information NetworkPublic Health Information Network Bioterrorism, ED usage, …Bioterrorism, ED usage, …

Tumor Registry (State)Tumor Registry (State)

Compliance/QA RegistriesCompliance/QA Registries JCAHO (Premier)JCAHO (Premier) Specialty (ACC, STS, MI, Ortho)Specialty (ACC, STS, MI, Ortho)

10

ConfidentialityConfidentiality

confidentiality /con·fi·den·ti·al·i·ty/ (kon?fi-confidentiality /con·fi·den·ti·al·i·ty/ (kon?fi-den?she-al´i-te) the principle in medical den?she-al´i-te) the principle in medical ethics that the information a patient reveals ethics that the information a patient reveals to a health care provider is private and has to a health care provider is private and has limits on how and when it can be disclosed limits on how and when it can be disclosed to a third party. to a third party.

11

SecuritySecurity

Implements ConfidentialityImplements Confidentiality

Cannot do it itselfCannot do it itself

Currently not very integratedCurrently not very integrated

12

Pessimists ViewPessimists View

"You have no privacy anyway. Get over it.""You have no privacy anyway. Get over it."

Scott McNealy, Sun Microsystems (1/25/1999)Scott McNealy, Sun Microsystems (1/25/1999)

13

At work, how many UserID + Passwords At work, how many UserID + Passwords do you have?do you have? 1. 01. 0

2. 12. 1

3. 23. 2

4. 3-54. 3-5

5. 6-105. 6-10

6. 11+6. 11+

14

At work, how many UserID + Passwords At work, how many UserID + Passwords do you have?do you have? 1. 01. 0

2. 12. 1

3. 23. 2

4. 3-54. 3-5

5. 6-105. 6-10

6. 11+6. 11+

1 2 3 4 5 6

4.9%12.2%

46.3%36.6%

1 2 3 4 5 6

4.9%12.2%

46.3%36.6%

15

SecuritySecurity

Moving toward 1 ID/personMoving toward 1 ID/person

Biometric IDsBiometric IDs

HR tie-inHR tie-in

16

Thorny IssuesThorny Issues

Follow-UpFollow-Up

Access to dataAccess to data

QueriesQueries

Access TrackingAccess Tracking

HIPAA/Common Rule InteractionsHIPAA/Common Rule Interactions

17

Thorny Issues:Thorny Issues:Follow-UpFollow-Up

HIPAA vs OHRP (Death)HIPAA vs OHRP (Death)

Permission to FollowPermission to Follow

Passive vs Active Follow-UpPassive vs Active Follow-Up

18

Follow-up when Follow-up when Authorization Revoked Authorization Revoked

OK for FDA Regulated StudiesOK for FDA Regulated Studies

""for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity." 45CFR164.512(b)(1)(iii) Part of Public Health Reporting Requires Disclosure AccountingRequires Disclosure Accounting

19

Thorny Issues:Thorny Issues:Access to DataAccess to Data

Read/Write/ChangeRead/Write/Change

OwnershipOwnership

Gatekeeper/"Trusted Broker"Gatekeeper/"Trusted Broker"

Administration (non-IRB review committees)Administration (non-IRB review committees)

20

Thorny Issues:Thorny Issues:QueriesQueries

Who can queryWho can query

Tools to queryTools to query

Technical ControlsTechnical Controls

Administrative ControlsAdministrative Controls

21

Thorny Issues:Thorny Issues:Access TrackingAccess Tracking

P&P: HIPAA securityP&P: HIPAA security

HIPAA Privacy: Disclosure AccountingHIPAA Privacy: Disclosure Accounting

Technical ControlsTechnical Controls What to trackWhat to track How long to storeHow long to store

Administrative ControlsAdministrative Controls Who does itWho does it

22

Thorny Issues:Thorny Issues:OHRP/HIPAA InteractionsOHRP/HIPAA Interactions

HIPAA largely technicalHIPAA largely technical

Definition differencesDefinition differences

Scope differencesScope differences

23

AdvantagesAdvantages

Records available to all care giversRecords available to all care givers

All meds available (All meds available ( drug interactions) drug interactions)

NHIN and ResearchNHIN and Research Long tem follow-upLong tem follow-up Post marketing surveillancePost marketing surveillance

How much sooner would we have known the How much sooner would we have known the cardiac risks of Vioxx?cardiac risks of Vioxx?

24

Specimen Registries vsSpecimen Registries vsData RegistriesData Registries

HIPAA treats them the sameHIPAA treats them the same

Common Rule/Ethical ConcernsCommon Rule/Ethical Concerns Future RiskFuture Risk OwnershipOwnership Limited ResourceLimited Resource Source (leftover, study specific, …)Source (leftover, study specific, …)

NCI draft guidance on Biorepositorieshttp://a257.g.akamaitech.net/7/257/2422/01jan20061800/

edocket.access.gpo.gov/2006/pdf/06-3997.pdf

25

Public Health & PrivacyPublic Health & Privacy

PHINPHIN How much detail does it really have?How much detail does it really have? (Disclosure Accounting)(Disclosure Accounting) http://www.cdc.gov/phin/http://www.cdc.gov/phin/

26

SummarySummary

Electronic Health Data are EverywhereElectronic Health Data are Everywhere

Confidentiality challenges aboundConfidentiality challenges abound

Security tools still evolvingSecurity tools still evolving

Very large Health Data Systems comingVery large Health Data Systems coming Require strong security toolsRequire strong security tools BUT flexible access!BUT flexible access!

27

Resources on the WebResources on the Web

NCHICA: http://www.nchica.org/NCHICA: http://www.nchica.org/

PHIN: http://www.cdc.gov/phin/PHIN: http://www.cdc.gov/phin/

HIPAA: HIPAA: (Databases under HSR)(Databases under HSR)

http://privacyruleandresearch.nih.gov/http://privacyruleandresearch.nih.gov/

28

Selected AcronymsSelected Acronyms

ACC: ACC: American College of CardiologyAmerican College of Cardiology

STS: STS: Society of Thoracic SurgeonsSociety of Thoracic Surgeons

ED: ED: Emergency DepartmentEmergency Department

HRHR: Human Resources: Human Resources

OHRP: OHRP: Office of Human Research ProtectionsOffice of Human Research Protections

NCHICA: NCHICA: North Carolina Healthcare Information North Carolina Healthcare Information & Communications Alliance& Communications Alliance

29

Contact InformationContact Information

Doc MuhlbaierDoc Muhlbaier

DUMC 3865DUMC 3865

Durham, NC 27710-7510Durham, NC 27710-7510

919-668-8774919-668-8774

lawrence.muhlbaier@duke.edulawrence.muhlbaier@duke.edu