HIPAA Security

How not to get lost in the Big Ocean of Portable Electronic Health Records: Riding the Wave of Digital Health Information. Spring Conference, April 4, 2008. Gary Beatty, President, EC Integrity, Inc; Vice-Chair, ASC X12.

Description

HIPAA Security. How not to get lost in the Big Ocean of Portable Electronic Health Records: Riding the Wave of Digital Health Information. Gary Beatty, President, EC Integrity, Inc; Vice-Chair, ASC X12. Spring Conference, April 4, 2008. Influencing the move to eHealthcare.

Transcript of HIPAA Security

Page 1: HIPAA Security

How not to get lost in the Big Ocean of Portable Electronic Health Records: Riding the Wave of Digital Health Information

Spring Conference
April 4, 2008

Gary Beatty
President, EC Integrity, Inc
Vice-Chair, ASC X12

Page 2: HIPAA Security

• Need to reduce the cost of health care
• Increase quality of health care
• Consumer driven health care
• Online health records
• Payer support for community health records
• Transparency in health care
• Pay for performance programs
• Governmental

Page 3: HIPAA Security

HR, PHR, EMR, PHI, Hybrids, CCR, EHR

Page 4: HIPAA Security

Health Records (AHIMA)
• The legal business record for a healthcare organization.
• Individually identifiable information
• Any medium
• Collected, processed, stored, displayed

Page 5: HIPAA Security

Health Records contain
• Diagnosis
• Medications
• Procedures
• Problems
• Clinical Notes
• Diagnostic Results
• Images
• Graphs
• Other items deemed necessary

Page 6: HIPAA Security

Health Records
• Support continuity of care
• Planning patient care
• Provides planning information
  • Resource allocation
  • Trend analysis
  • Forecasting
  • Workload management
• Justification for billing information

Page 7: HIPAA Security

Electronic Medical Record (EMR) (HIMSS)
• An application environment composed of:
  • Clinical Data Repository (CDR)
  • Clinical Decision Support (CDS)
  • Controlled medical terminology
  • Order entry
  • Computerized provider order entry
  • Pharmacy
  • Clinical document applications
• Enterprise support
• Inpatient and Outpatient
• Used to document, monitor and manage delivery of health care

Electronic Medical Record (EMR) (HIMSS)
• The EMR is the legal record
• Owned by the Care Delivery Organization (CDO)

Page 8: HIPAA Security

Electronic Health Record (EHR) (HIMSS)
• Longitudinal electronic medical record across encounters in any care delivery setting.
• Resource for clinicians
  • Secure
  • Real-time
  • Point-of-care
  • Patient centric information source
• Aids collection of data for other uses
  • Billing
  • Quality management
  • Outcomes reporting
  • Resource planning
  • Public health disease surveillance
  • Reporting

Page 9: HIPAA Security

Electronic Health Record (EHR) (HIMSS)
• Includes:
  • Patient demographics
  • Progress notes
  • Problems
  • Medications
  • Vital signs
  • Past medical history
  • Immunizations
  • Laboratory data
  • Radiology reports

Page 10: HIPAA Security

Electronic Health Record (EHR) (HIMSS)
• Automates / streamlines clinicians' workflow
• Complete record of clinical encounter
• Supports other care-related activities
  • Evidence-based decision support
  • Quality management
  • Outcome reporting

Page 11: HIPAA Security

Personal Health Record (PHR)
• Created by the individual
• Summarizes health and medical history
• Gathered from many sources
• Format of PHR
  • Paper
  • Personal computer
  • Internet based
  • Portable storage

Page 12: HIPAA Security

Continuity of Care Record (CCR)
• Patient Health Summary Standard
  • ASTM / MMS / HIMSS / AAFP / AAP co-development
• Core health care components
• Sent from one provider to another
• Includes
  • Patient demographics
  • Insurance information
  • Diagnosis and problem
  • Medications
  • Allergies
  • Care plan

Page 13: HIPAA Security

Hybrid Health Record
• Both
  • Paper health records
  • Electronic health records

Page 14: HIPAA Security

Protected Health Information (PHI)
• Any health care information linked to a person
  • Health Status
  • Provision of Health Care
  • Payment of Health Care

Includes
• Names
• Geographic subdivision smaller than a state
• Dates related to an individual
• Phone Numbers
• Fax Numbers
• Email Addresses
• SSN
• Medical Record Numbers
• Beneficiary Numbers
• Account Numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers
  • license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers
  • Finger
  • voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code

Page 15: HIPAA Security

• Privacy
  • Can anyone else read it?
• Authentication
  • How do I know who sent it?
• Data Integrity
  • Did it arrive exactly as sent?
• Non-repudiation of receipt
  • Can the receiver deny receipt?
  • How do I know it got there?
• How do I track these activities?

Page 16: HIPAA Security

• Internet / Intranet
• Wired
• Wireless
  • Wifi (802.11a, b, g, i, n)
  • Bluetooth (Personal Area Network - PAN)
• VoIP
• Dial-up
• Mobile Devices
  • Smart Phones
    • Mobile Standards (GSM, GPRS, etc.)
  • PDA
  • Tablet PCs
• Physical Media
  • Magnetic, optical, flash (thumb drives), others

Page 17: HIPAA Security

• RC4 (ARC4 / ARCFOUR) – Stream Cypher (easily broken)
• Secure Sockets Layer (SSL)
• WEP – Wired Equivalent Privacy
• WPA – WiFi Protected Access
  • WPA2 (based upon 802.11i)
• Data Encryption Standards (DES)
• Advanced Encryption Standards (AES)
  • Government strength encryption

Page 18: HIPAA Security

• Firewall machines
• IP address selection
• ID + Passwords
• Security techniques
  • Encryption
  • Digital Signatures
  • Data Integrity Verification
  • Non-repudiation
• Trading Partner Agreements (TPA)

Page 19: HIPAA Security

[Diagram: PROVIDER → PAYER. PLAINTEXT DOCUMENT → ENCRYPT → CYPHERTEXT → DECRYPT → PLAINTEXT DOCUMENT. Key shown: PRIVATE KEY]

Page 20: HIPAA Security

• n * (n-1) / 2 keys to manage
  • 100 users would require 4950 keys
• Key size 128 bits
• Generally considered fast

[Diagram of users: Gary, Frank, Erin, Dale, Alice, Karen, Julie, Mary]

Page 21: HIPAA Security

[Diagram: PROVIDER → PAYER. PLAINTEXT DOCUMENT → ENCRYPT (PAYER'S PUBLIC KEY) → CYPHERTEXT → DECRYPT (PAYER'S PRIVATE KEY) → PLAINTEXT DOCUMENT]

Page 22: HIPAA Security

• n key pairs needed for n partners
• key size (128, 768, 1024, 2048 bits)
• Generally considered slower
• What happens if you lose your key?

[Diagram of users: Gary, Frank, Erin, Dale, Alice, Karen, Julie, Mary]

Public Key Directory: Gary, Mary E, Alice, Dale F, Frank, Karen G, Erin, Julie H

Page 23: HIPAA Security

• A digitized signature is a scanned image
• A digital signature is a numeric value that is created by performing a cryptographic transformation of the hash of the data using the “signer’s” private key.


Page 24: HIPAA Security

• Part of the digital signature process
• A secure one way hashing algorithm used to create a hash of the data

[Diagram: PROVIDER A → Provider B. EHR → Encoded → Cypher → Cypher → Encoded → EHR. Keys shown: PROVIDER A PRIVATE KEY, Provider B PUBLIC KEY, Provider B PRIVATE KEY, PROVIDER A PUBLIC KEY]
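
The flow on Pages 23 and 24 (hash the record, transform the hash with the signer's private key, encrypt for the recipient), as an added Python example that is not part of the original presentation. It assumes the usual sign-then-encrypt reading of the diagram and uses textbook RSA on fixed, constructed primes with SHA-256 only to show which key is used at which step; the function names and sample record are hypothetical, and real exchanges use a vetted library with padding (RSA-PSS, OAEP).

```python
import hashlib

E = 65537  # public exponent shared by both constructed key pairs

def make_keypair(p, q):
    """Return (public, private) textbook-RSA keys built from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

# Constructed demo keys from well-known Mersenne primes. Fixed, public
# primes give no security; they only keep the demo offline and repeatable.
A_PUB, A_PRIV = make_keypair(2**521 - 1, 2**127 - 1)   # Provider A
B_PUB, B_PRIV = make_keypair(2**607 - 1, 2**107 - 1)   # Provider B
RECORD = b"MRN=TEST-0001;DX=asthma;RX=albuterol"       # constructed sample

def digest(data):
    """One-way hash of the record (SHA-256), as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, signer_priv):
    """Transform the hash of the data with the signer's private key."""
    n, d = signer_priv
    return pow(digest(data), d, n)

def verify(data, signature, signer_pub):
    """Undo the transformation with the public key and compare hashes."""
    n, e = signer_pub
    return pow(signature, e, n) == digest(data)

def encrypt(data, recipient_pub):
    n, e = recipient_pub
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("record too long for this demo key")
    return pow(m, e, n)

def decrypt(cipher, recipient_priv):
    n, d = recipient_priv
    m = pow(cipher, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def send(record):
    """Provider A: sign with A's private key, encrypt with B's public key."""
    return encrypt(record, B_PUB), sign(record, A_PRIV)

def receive(cipher, signature):
    """Provider B: decrypt with B's private key, verify with A's public key."""
    record = decrypt(cipher, B_PRIV)
    return record, verify(record, signature, A_PUB)
```

`receive(*send(RECORD))` returns the record and `True`; changing a byte of the record, or signing with a key other than Provider A's, makes verification return `False`.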

Page 25: HIPAA Security

AS1 – Applicability Statement 1
• Email exchange of electronic transactions
• S/MIME – Secure Multi-Purpose Internet Mail Extensions
• Uses SMTP (Simple Mail Transfer Protocol)
• Satisfies Security Requirements
  • Encryption
  • Authentication
  • Integrity
  • Non-repudiation
• What’s needed
  • Email capability
  • Electronic Transaction
  • Digital Certificate

Page 26: HIPAA Security

AS2 – Applicability Statement 2
• HTTP exchange of electronic transactions
• S/MIME – Secure Multi-Purpose Internet Mail Extensions
• Uses HTTPS
  • Hypertext Transfer Protocol over Secure Socket Layer
• Allows for REAL TIME delivery
• Satisfies Security Requirements
  • Encryption
  • Authentication
  • Integrity
  • Non-repudiation
• What’s needed
  • Web Server (static IP address)
  • Electronic Transaction
  • Digital Certificate

Page 27: HIPAA Security

AS3 – Applicability Statement 3
• FTP exchange of electronic transactions
• S/MIME – Secure Multi-Purpose Internet Mail Extensions
• Uses FTP – File Transfer Protocol
• Allows for REAL TIME delivery
• Satisfies Security Requirements
  • Encryption
  • Authentication
  • Integrity
  • Non-repudiation
• What’s needed
  • FTP Server
  • Electronic Transaction
  • Digital Certificate

Page 28: HIPAA Security

• Electronic Credit Card
• Establishes “Credentials” for electronic transactions
• Issued by Credential Authority
  • Name
  • Serial Number
  • Expiration Dates
  • Certificate Holder’s Public Key
  • Digital Certificate of Certification Authority
• Verified by Registration Authority
• X.509 Standards
• Registry of Digital Certificates
  • Access with HIPAA Identifiers

Page 29: HIPAA Security

Page 30: HIPAA Security

Spring Conference
April 4, 2008

Gary Beatty
President, EC Integrity, Inc
Vice-Chair, ASC X12