This discussion paper was produced by the Patient Held Medical Records sub-committee of HIANSW, consisting of John Lambert (Chair), Sid Antflick, Michael Crampton and Josephine Holman with the assistance of submissions from Patrick Bolton, Roderick Neame and Gray Southon.
HIANSW is concerned that there be rational discussion and considered debate about health informatics issues. The proposal to establish a Health Communications Network in Australia, and the possibility of using new commu-nications and information technology to sup-port existing clinical and patient management activities, deserve serious and detailed consid-eration. Hence, HIANSW wishes to encourage balanced discussion in the Australian health care community, and among the public, about patient records. Specifically, HIANSW wishes to review what effect new technology can and should have on patient record management and the management of the health require-ments of the Australian population.
This discussion paper aims to focus on Patient Held Medical Records (PHMRs). As part of the discussion, the paper will review:
Medical records have different forms and functions, when seen from the perspective of individuals and from the perspective of instit-utions or individual health care practices.
Medical records are usually considered to be physical collections of patient-related medical information, mostly in written format, but in-cluding images, graphs and other data types. They are usually considered to be static and time sequenced, and to be associated with one institution or practice. The physical entity (media) that contains medical records is usually considered to be owned by the institution or practice where it is stored, although the con-tent of the record is not owned in the same way.
However, an individual patient's Medical Record can be considered as that logical coll-ection of relevant patient clinical information which extends across ALL physical records which pertain to the individual patient. This view of what defines a medical record seems to be more sensible from the patient's per-spective, and indeed is the view most health care practitioners 'expect' patients to have when they are interviewed at first contact with some new aspect of the health care system. Usually an individual patient's Medical Record is based on his/her memory, summarised and filtered, both by the patient's understanding of the clinical events that have occurred, and by the patient's recall of the details.
Patients retain ownership and some degree of control over the information within any physi-cal entity that forms a part of that patient's medical record. This ownership and control is symbolised by the requirement for a health care provider to have a patient's authority and consent prior to the release of identified patient clinical information to a third party, ex-cept where that disclosure is required by law.
Why are medical records created and retained?
Practitioners, through practices and institutions, maintain medical records to record details of individual contacts, to monitor patients' health status, to monitor the practitioner's health behaviours, and to support legal requirements. Extracts of medical records are used to transfer information between health care providers.
Individuals maintain a knowledge of their own health record to optimise their own health care and transfer information between health care providers, usually verbally. In some cases, information that forms part of an individual's medical record may be used for teaching or research purposes. These different require-ments place divergent demands upon 'Medical Records'.
What are 'Patient Held Medical Records'?
PHMRs are conceived to be physical collections of clinical information in the possession of the patient. Amongst other features, PHMRs must be:
A paper-based list of major health problems and treatments, retained by the patient, and updated by each treating health care provider, forms a simple example of a PHMR. Given the improvements in information processing and communication inherent in modern computing and information systems, there are potentially more powerful versions of such 'paper-based lists'.
The development of better versions of PHMRs requires justification from both cost and benefit perspectives, technical feasibility, and the resolution of issues such as ownership, access and control of the clinical information con-tained within such PHMRs. The potential benefits that may arise from increased access to more detailed patient clinical information, both in the treatment of individuals and in medical research, demand close consideration of all options for PHMRs.
How do PHMRs fit into current information pathways?
Patient information is generated, retained and required in many different situations and at many different places. Two questions are cru-cial in deciding whether a PHMR can facilitate the storage and transfer of this information; who are we providing information to, and for what purpose?
In the first instance there is the knowledge patients have about themselves or about some-one they care for, such as a child or mentally- impaired adult. Bits and pieces of this information are brought forth as needed in particular situations.
Patients rarely receive detailed information in written form about their treatment in hospital or specialist clinic, so they must rely on their own understanding of what has happened to them and their own memories to retain it. A tall order!
A PHMR can assist the patient in recalling relevant information when needed. It may con-tain information not fully understood by the patient but useful to health care practitioners.
The relationship between local doctor and pat-ient may be close and long term but, increas-ingly, patient information at the general practitioner level is fragmented as people move between suburbs, states, and even countries.
In terms of providing optimal patient care it could be argued that the local practitioner has the greatest need to know the broad picture of a patient's medical history. What appears a rel-atively innocent complaint on its own may have wider implications when considered along with information from other sources. A PHMR has great potential for the local doctor as diagnostician. Tests performed elsewhere and their results could be accessible in detail, and promptly. Of course, the PHMR is only useful if systems are developed to ensure the PHMR is updated with new information and results as they become available.
Data from Community and Specialised Health Services
There are numerous types of community health services such as baby health centres, family planning clinics, social work agencies and home nursing, all of which maintain records of their own. In addition there are specialist agencies providing pathology, radiology and allied health services.
While in many cases the information generated, at least in summary form, will be sent to the local doctor, it is rarely available across ag-encies. It is assumed that what needs to be known in each situation will be gleaned from referral letters or the patients themselves.
A PHMR could undoubtably assist in the dissemination of information to all those in-volved with a patient's care but the borderlines between what a health professional wants to know and needs to know are unclear and patient control of what information is available to whom is a major consideration.
Public and private hospitals generate both inpatient and outpatient information.
The storage of information in hospitals is still largely on paper or microfilm although islands of information in electronic form exist on pathology and radiology PC and mainframe systems and on specialised departmental PC databases. Only in a few situations do these systems, even within one institution, 'talk' to each other.
Surprisingly, the paper Medical Record, even within an institution, is often not one entity, as Accident and Emergency visits may be stored separately and individual departments often maintain separate and/or more detailed patient data than is in the central record. A PHMR could contain the essential data from all encounters within an institution. It may also encourage specialists to be more conscious of other health issues surrounding a patient but not directly related to their speciality.
When a patient is delivered unconscious to the hospital emergency room, it may be critical to that patient's management to obtain some idea of current illnesses, medications and allergies at the very least.
In a hospital emergency room very little information may be available without signifi-cant delays. At best, the record of the treatment the patient has previously received at that hospital may be available via their medical record and test results may be accessible online as well as in hard copy in the record. If the patient is conscious and able to convey where else they may have been treated a few phone calls may assist in gathering more background information.
PHMRs can store the required information, but what is the best way to allow patients to retain control of access to their personal medical history and yet have vital information made available at a time of crisis?
There has long been interest in achieving portability of the patient record. The goals of the various systems are flexibility of data movement, without compromise to the privacy and confidentiality of the care provider- patient relationship. Given a system of this general arrangement, the problem is now one of en-suring that the patient can authorise a care pro-vider to assemble the relevant information quickly and easily. This requires that there be an 'index' of the elements of the patient record, which can be made available to the care provider: however that index is itself a con-fidential document and it must be rendered secure, but transportable.
PHMRs in this form already exist. Generally, they consist of a pre- formatted sheet of paper, upon which abbreviated medical information is typed or written and appended to as necessary. The patient keeps this sheet and presents it when necessary for updating or to provide in-formation to a new health care provider. The main problems with this form of PHMR are size and durability, being limited to storing one page of information, with limited options for erasure of obsolete information, short of re-typing the whole record.
Plastic cards are made computer- readable by a magnetic stripe which has been applied to one surface: the position of the magnetic stripe is a 'standard' so that any make/model of machine can be used to read the card. This stripe is just like a piece of cassette tape stuck to the card, and is read as the card is 'swiped' by a head not unlike that in a tape cassette player. It is a relatively simple task to read the magnetic stripe data, to copy it onto another card, to alter or to erase it: it is not in any way a secure data store, and therefore the data it stores must not be confidential or useful for any purpose other than accessing your personal 'account'. The card itself can hold very little data (about 200 characters).
The card can be used for little more than an identifier with a PIN (Personal Identification Number), which can provide access to personalised data held locally on the provider system, as well as elsewhere. For access to data not held on- site, the PIN must be checked against a central master index for validity: this can then provide user access to basic bio-demographic data from the central data store, as well as an index of data held elsewhere on individual provider systems. All off- site data would have to be moved across the data network, and could be encrypted, if required, for added security.
The advantages are that magnetic stripe swipe systems are widely installed, cheap and simple to use, and the technology is very familiar to users. The disadvantages are the small amount of data storage, the absolute requirement of a high- speed, high- capacity data network avail-able to all health care providers, the time that would be taken to access even basic data from off- site sources and the risk of hacking into the central master index system.
Optical technology has been around for years, primarily in the form of 'read only memory' (ROM) which is the technology used to pro-duce audio compact disks, although more recently, WORM (Write Once, Read Many times) and re- writable technologies have been developed. WORM has the advantage that alte-ations to the data on the card are permanently recorded, whereas re- writable cards allow card space to be re- used. Data is recorded on the card with a low- powered laser device connected to a computer. The optical card is not electromagnetically sensitive and, therefore, has the advantage of not having data erased accidentally if the card is near magnets, such as an MRI scanner.
The card itself can hold enormous quantities of data (up to 2Mb): indeed the entire record, including images, x- rays, ultrasounds, and any-thing that can be digitised may be stored on the card. However, the stored data is not secure against unauthorised access and any reader system can extract data from the card. Encryption systems, even those using a PIN, may be used, but all such systems can be broken. If the card only stores some selected data, the PIN and network issues are the same as for magnetic stripe cards.
The advantages are that all data can be access-ed locally from the card, including images, and thus the system can be network independent, allowing patients to carry their own records from place to place, avoiding duplication. The disadvantages are that the technology today is unfamiliar to the public, it is expensive and slow, requires specialised reader systems, that the stored data cannot easily be adequately secured against privacy invasions, and that copying the data from the card for protection against loss onto every system the card- holder visits would be prohibitive in storage terms.
Integrated circuit (IC) or 'smart' cards differ from the above as access to data is only through an on- card microprocessor controlled by a 'mask' or very restricted and pre-determined set of access and operational routines. It cannot respond to any other commands or attempts to access its data, and no additional commands can be put onto the chip. In its memory, there are different levels of data security, so that even when a user has been cleared for access, that access may be only to some parts of the stored data and not to any others. There is normally one password that enables the card to be accessed, and that is known only to the patient, although multiple passwords are possible, each password con-trolling access to a certain subsection of the data.
Various versions of IC cards are currently available, with differing storage capacities (up to 10,000 characters) with ease of erasure: they can store as much text as is likely to be required, but image files would present a storage problem. The stored data is intrinsically secure, and thus confidential data can be entrusted safely to the card. The enabling PIN is recorded on the card and there is therefore no need for reference to be made to any central database in obtaining permission to access the card. Indeed there is no particular clinical reason for any data to be stored cen-trally for the system to function. All personal data that is likely to be required for routine care (e.g. the last 3 months of health care information) can be stored on the card, whilst older data and picture files can be called up across the network through pointers embedded in the card. In this way, the use of a network is totally optional, although it could enhance an IC card system.
The advantages are that: IC cards are relatively cheap, robust and simple to use; can carry suff-icient data for most care encounter require-ments; carry data and on- card security systems (e.g. PIN) within a very secure environment; and support multiple levels of card access authority. In addition, an IC card has one unique advantage: it can generate a digital 'signature' that can be used as electronic irrefutable proof of attribution (e.g. of a note or entry), of authentication (e.g. of an order for treatment) and of endorsement (e.g. of a medical benefits claim by the patient concerned).
Appropriate selection of data for inclusion on the cards can enable considerable clinical benefit to be derived in the absence of a network. The disadvantages are few, other than the technology is unfamiliar to the public at this time.
Prototypes of hybrid cards are already available. One such card has a magnetic stripe across the back together with an embedded IC chip (in the international standard positions) and has an optical coating covering the front. This combines the high security of the IC chip, the high storage volume of the optical tech-nology, and the ease of use of the magnetic stripe (in view of the large numbers of installed magnetic stripe reader systems). Further developments include fully- functional com-puters on the cards, and a photograph of the card holder embedded on the card.
A multitude of options can be suggested and compared based on these technologies, each with its own special advantages and dis-advantages. Every one of these would be able to make available up- to- date patient data for care providers.
Different PHMRs can support different uses. The magnetic stripe card offers little clinical or administrative benefit, carries a limited amount of data, cannot be a portable record in itself, is simply a token for accessing an electronic file, and has low security. The optical card offers significant clinical benefit, can easily carry full record information, including images, but is expensive to read and write and is difficult to render secure. The IC card can carry sufficient data for significant clinical and administrative benefit, with the benefit of a high level of security and an overall cost that is likely to be little more than a magnetic stripe system. The variables are the amount of data held on a PHMR, the parameters of the data transmission network (if required), the speed of access to data, and the intrinsic capacity of the system to protect privacy.
Who should be allowed to access data on the PHMR?
The various parties involved in patient care have been discussed in the section on Inform-ation Flow, and all need access to at least parts of the PHMR. It may be appropriate to desig-nate sections of the PHMR that are accessible to the different groups of interested parties, e.g. limiting access by Pharmacists to Allergies, Medications and Prescriptions only, or limiting access by Medicare and Health Insurance Companies to a billing section only. Should third parties such as the Department of Health or the judicial system be allowed access to any of the information on the card?
Who should be allowed to alter data on the PHMR?
Of all the people who may be interested in a patient's medical record, a sub- group which also has the ability to alter the record must be defined. Again, this authority may only apply to certain parts of the PHMR, e.g. Pharmacists may only be allowed to read the prescription and alter the dispensing records.
How is restricted access controlled?
If the PHMR is segmented as described above, it is likely that some form of access restriction will be applied for each type of user. The diffi-culty here is that the patient must have some way of authorising the different levels of ac-cess, and the problem of remembering multiple access codes may be significant. Different technologies used for the PHMR have different abilities and deficiencies in this area.
The technology for securing data is well developed, and varies with the type of PHMR considered. Most involve some form of token, which the patient carries, and an access code, which the patient remembers.
What happens if the patient is unable to enter access codes?
The potential benefit of a PHMR in an emer-gency situation when the patient is uncon-scious is such that a means of obtaining information without a security code must be considered. The case for demented or other-wise forgetful patients must be allowed for. One option is to keep a copy of the access code(s) with the primary care practitioner.
Who owns/pays for the PHMR media?
In most current situations, the institution where the records are stored pays for the storage media, and 'owns' the physical medical record. In the case where the patient keeps the medical record, it seems logical therefore that the patient must pay for the cost of the card. This may prove to be a problem if the cost of the media is high.
Who owns the data on the PHMR?
Unlike most existing forms of medical records, the PHMR will not be kept in an institution, but with the patient. This does not cause a problem with the current view that the ultimate control or 'ownership' of the medical information remains with the patient.
How can PHMRs be protected against legislation forcing the release of information from the PHMR?
A perennial problem, and one that causes the most angst amongst privacy workers. One option may be to keep the records away from any centralised or networked record system at all costs, thus placing practical obstacles in the way of legislative intervention. It is important to remember that the patient would have the option of not recording certain information on the card, even if that information is medically relevant. Perhaps the greatest privacy concerns lie in the use of a network to centralise medical records. This would be required if magnetic stripe cards are used as the 'PHMR' media, although strictly speaking the medical record in this instance is not actually held by the patient!
Which 'language' should be used for the data?
There are many levels at which standards of communication must be set, from the format of the data on the card and the methods used to retrieve and decode it, to the language used to present the data to the user. There is unlikely to be much dispute about the use of English as the end- user language, but the lower- level standards have yet to be defined. The decision to store the information as free- form text or in a coded form is probably the most vital of these.
Linkage with other technologies
How can PHMRs assist, or be assisted by other technologies?
The most significant potential here is the linkage of the PHMR with some form of communications network. This can obviously facilitate the transfer of information between practitioners/institutions in the case of data or media loss, or the transfer of information too great in size for storage on the PHMR. The greatest concern is that other parties could use the network as a means to control health care practices or centralise patient records, with subsequent privacy concerns. If computer data-bases are to be linked, the means for doing this must be established. Apart from the problems of linking disparate computer systems, there is the major issue of ensuring that the information linked is in fact for the same person. Current options include supplying everyone with a unique identifier, or continuing to use the current method of probability matching using the name, date of birth and sex of a person. PHMR's, if issued from a centralised register, may be able to help with patient identification, and even with the transfer of information.
Are inducements required to encourage the public to use PHMRs?
For the public to accept the introduction of PHMRs, there must be a clearly perceived benefit. While education of the potential medi-cal benefits may persuade many, financial and legislative inducements may also be required. In particular, using a part of the PHMR to store Medicare billing information may be an effec-tive way to ensure widespread dissemination of PHMR media, although individual patients may not wish to use any of the other facilities of the PHMR. Should PHMRs be introduced if they require such inducements?
How can abuse of PHMRs be prevented?
PHMRs, like any other aspect of the health system, are open to abuse. In some ways it is less likely to be abused, (e.g. as an 'identity' card by drug addicts) because of the very individualised medical and demographic details contained in the PHMR, but an additional level of protection may be necessary, such as a cen-tralised issuing and verification system similar to that used for credit and ATM cards. Should PHMRs be introduced if such a nationalised control system is required? Would such a system differ significantly from existing systems such as Medicare or tax file numbers?
At present, the flow of information within and between institutions and practices is limited and this must inevitably inhibit the provision of efficient and optimal health care. It is possible for Patient Held Medical Records to provide comprehensive and portable patient inform-ation but finding an appropriate means of doing this which is acceptable to all the players is far from simple.
This discussion paper has been produced with the intent that a position paper will be produced by HIANSW in the near future. The four main issues that are raised in this dis-cussion paper, and should be addressed in the position paper, include:
