Doctors Office so low tech

I apologize if this sounds disrespectful, but a statement like this, along with some of your other posts, shows a lack of understanding of EHR software and the medical landscape. Claiming that a problem of this complexity and magnitude is solved is the kind of talk I would expect to hear from salesmen or even some executives who are in a position to tell their subject matter experts, project managers, and programmers to “just get it done” without ever having to wade into the nuts and bolts of making it happen. :slightly_smiling_face:

@Lars, you have switched from writing in your post about “countries” to all of Europe. I was speaking of individual countries. Some European countries have historically been much more homogeneous than the United States.

1 Like

OK that makes a lot more sense

So the government maintains a centralized medical record which all providers can access and contribute to. There is no interoperability/exchange needed except that outside providers can contribute to the database.

That is a good solution in a country which has one dominant (government) provider but I do not see how it could/would work in USA. I suppose in theory the US govt could create a “National EHR” and invite all doctors/health systems to abandon their systems and use this instead. The public at large in USA would never accept that; the public would interpret that as the government having access to all of their private information. And private doctors/hospitals would not like it because inevitably they would be upset about certain features not available in whatever EHR system is chosen.

1 Like

I don’t need to deeply understand it. I am just pointing out that “electronic patient records” are in place and working here. For years. That’s a fact and not a question of more or less understanding. Solved by people with probably a high understanding of EHR and the medical landscape. Which maybe is more advanced here.

That’s how the EU works. Common legal framework to overcome those issues. Same with “digital signature”. My national signature (country) is valid across the whole EU (Europe).

1 Like

Enough said…

There is nothing more (nor less) advanced in medicine/EHRs in Europe vs USA.

There are however vast cultural and economic differences regarding private vs public ownership of healthcare facilities. Without offering comment on whether one system is “better” than the other, it has a big impact on the feasibility of sharing electronic health records.

There are about 230,000 private medical practices in USA, each of which maintains its own medical record system. That creates a challenge to integrating the information while maintaining patient privacy.

1 Like

Good heavens, yes. I’ve seen that happen way too many times, as people have assumed that the Gmail address of someone with my first initial and family name is firstinitiallastname@gmail.com. Nope. That address belongs to me, and has pretty much since Gmail was a thing.

More than once I’ve had to email or call someone to say no, I don’t have a child who receives care at your pediatric practice. I don’t have a child. I don’t even live in your state.

Once I was even sent log in information for the parental cams at a daycare. :astonished: It’s a good thing I’m not someone who’d misuse that info.

I’d have a hard time saying a fax was less secure than email. Email has to travel through a minimum of four computers (Sender to SMTP Server → IMAP/POP Server to recipient). Add in relays, firewalls, spam filters, backup servers, archivers, etc. and my message may travel through as many as a dozen devices before it (hopefully) gets to its intended destination. And even if it does it may not be secure or private.

OTOH an old-fashioned fax machine connected to a POTS line (plain old telephone system) is far less likely to be intercepted. But cloud faxing is fast replacing those.

Email can be used to send protected health information under certain conditions. And while faxing is still technically HIPAA compliant the rules covering that are evolving.

https://www.hipaajournal.com/hipaa-compliance-for-email/

IMO, it’s not so much technology as it is business practices:

1 Like

No idea. Having national health insurance helped a lot. You have a very fragmented landscape.

For the tin-foil weirdos, there’s an opt-out option. If they want paper, they can have it. :smiley:

What certainly helps is the high trust the population has in the national health care system. While we complain a lot about GDPR, it also creates a very robust legal framework for privacy. Which, in fact, is a constitutional right in Europe.

From an “information” perspective, not much changes. Every visit, treatment, prescription always went to the central health care system, now it’s electronic. With the same exceptions. But it makes life a lot easier. Back in the day, you had to send a stack of papers to their offices for some things. Now I can use my digital signature to upload everything. And it’s more transparent, since I can review my stuff.

Wrong word. “Effective” or “simpler”.

Why fax (an explanation, not a defence of fax):

A fax is completely (electronically) ephemeral while an email can (and almost certainly will) result in data coming to rest in places unsuitable as secure repositories of medical data.

Why you can’t send the email anyway because you’re sending your own data:

Even if you’re okay with sending your data via email, once the data is in the possession of the health care provider, they are responsible (and accountable) for managing it according to the relevant regulations, something which an email system almost certainly doesn’t comply with.

1 Like

You could be less offensive, you know…

2 Likes

The whole email question is an interesting one. If Patient A sends us an email, we treat it as their choosing to risk their privacy. We have a BAA signed with MS for our Exchange Server so once the email hits our servers MS has acknowledged that they could be in possession of PHI and will protect the data. We also add Azure encryption to our email accounts. But in accordance with HIPAA we could be in violation just for receiving the email.

I was at a conference once and learned that the Fed Gov’t has written all of the privacy and technology rules and laws intentionally vague so that it makes enforcement easier. This way an investigator from the OIG or DHS can show up and decide on the fly if we broke any rules, but the rules are up to their judgement. So, they could say that we did not take reasonable measures to prevent a patient from sending us PHI and fine us for receiving PHI sent by the patient’s choosing.

Imagine this scenario. You are driving 70 on a highway and there are NO speed limit signs. Only signs that indicate “Drive safely for the conditions, at a speed you consider reasonable” and you get pulled over and the officer decides that because it was dark and windy 70 was unreasonably fast. Then writes you a ticket. That is one reason some offices are so nervous about tech.

I would think they could come up with some sort of gateway that would accept email and toss it into the “secure” system, couldn’t they?

I’m not suggesting my local clinic have Outlook on their front desk computer with giant unencrypted inboxes. I’m saying that if I wanted to send them an email, at my own risk of deliverability, I would think we have the method of getting it into the system.

ESPECIALLY since many providers have that exact setup for incoming faxes. :slight_smile:

I don’t think there is a big history of over-enforcement of HIPAA.

There is a benefit to the flexible way HIPAA is written. It says that security needs to be appropriate for the facility in question.

So if I am a solo practitioner with a small practice, basically the HIPAA standard is that my electronic records need to be at least as secure as my prior paper filing cabinet solution. If I am a huge medical system with hundreds of thousands of patients/employees then a lot more is expected from a security perspective - as it should.

Also remember that the whole point of HIPAA is to facilitate communication among health providers - not to inhibit it. It is not true that a signed HIPAA release is needed every time PHI is released. If I call a doctor across town who is known to me and I am known to him and I ask to discuss a patient who just came to me who he previously treated, then that is a routine physician communication which is specifically permitted by HIPAA - no paper forms needed.

There is much paranoia and generalization about many aspects of HIPAA - this largely originated with attorneys who put the fear of God into providers at the time HIPAA was first enacted.

2 Likes

“Invite”. Nice euphemism. :slight_smile:

I’m respectfully suggesting that if you think opposition to such a system in the United States would be limited to fringe groups of conspiracy theorists, you don’t understand the political environment in the USA very well. :slight_smile:

The “not really very useful” is definitely what we experienced. In our case, we didn’t need to move records from one practice to another on a one-time basis. My GF visited her PCP who treated an issue, ordered tests, imaging, etc. Then at a time that PCP wasn’t available, she had an emergency issue related to the same treatment - so she headed to the ER.

On some level, the hospital and the PCP were plugged into the same broad “network” - but their computers somehow couldn’t exchange information because of internal silo-ing. The ER, therefore, proceeded to re-do much of the PCP’s work because they couldn’t get access to the records in a timely manner to handle her treatment.

Never claimed to. Just talking about my regional situation. Very low opt-out rates. 3% of the population actually.

@rkaplan talked about “the public at large” not accepting it in the USA, and you directly replied by talking about “tin-foil weirdos”. If that’s not the brush you were hoping to paint with, just realize that’s how it sounds. :slight_smile:

1 Like

The disadvantage of writing in a forum, which is not a good replacement for a conversation. Any statement: my experience, my region, my surroundings, our system, our population.

My expertise on US society is very limited. While I have relatives there and visit once in a while and am on the board of a US organization, so I frequently travel to meetings (Covid-interrupted), that doesn’t add to broader societal knowledge, only limited to those two cases.

1 Like

Your flag is EU - what country are you in?

I don’t think so (but I could be wrong).

One other consideration is that while you may have a good understanding of the risks involved when using email, the same cannot be said for most (or at least many) people. Many people probably don’t understand that their email resides on (let’s say) Google’s servers and that Google can and does scan it. Without that kind of understanding, they can’t give informed consent to accept the risk of using a non-compliant communication method to transmit their data.

By far, the easiest way to provide electronic communication that meets regulatory requirements is with a secure portal of some sort, which is why that’s the solution most providers go with if they choose to permit electronic communication. It’s also why so many smaller providers don’t do it.