New Texas Privacy Law Increases Employee Training Requirements in Physician Practices

As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012. I am concerned that there may be low levels of awareness at this time among Texas physicians regarding the new privacy provisions. For example, one of the new requirements affects employee privacy training policies for the physician practice. As an illustration, consider this case history:

A laptop computer was stolen or lost from the reception desk area possibly after a cleaning crew had left the main door to the building open.   An employee had previously used the laptop to download information that included protected health information (PHI) on 67 patients seen that week.   Following the breach the practice notified all affected individuals, added technical safeguards of encryption for PHI stored on mobile computers, added physical safeguards by keeping all portable devices locked in a cabinet of a locked storage room when not in use and required re-training of all employees on privacy and security policies including immediate training for the cleaning staff.

Many breaches of PHI are avoidable if employees are trained on privacy/security and remain vigilant when managing PHI. In Texas HB 300 protects not only PHI as defined by HIPAA, but also “sensitive personal information (SPI)” as defined by the Texas Identity Theft Protection Act. HB 300 requires all employees who will encounter PHI or SPI to undergo privacy training that is tailored to the employee’s specific responsibilities and types of contact with PHI. New employees must be trained within 60 days of hiring, and training must be repeated at least once every two years. A log must be maintained with employee signatures verifying their attendance. Physicians can prepare by updating employee training policies and materials.

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

More on other HB 300 provisions next week...


New Texas Privacy Law Places More Accountability on Business Associates of Physician Practices

As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012. I am writing a series of weekly blog posts to illustrate some of the new protections. I think that the most important change imposed by HB 300 is the increased accountability placed on business associates of a physician practice to adhere to the state privacy laws. Consider this case history:

A physician practice was notified by one of their business associates (BA), a medical transcription service, that dictated patient reports were viewable on the Internet by anyone after the BA’s server was compromised.  The breach involved PHI of 1.085 individuals.  In response, the practice immediately terminated the business associate agreement (BAA) with this company and engaged another medical transcription service.  The practice contracted with forensic consultants to ensure that the cause of the compromise was found and all online traces of breached reports were removed.

HB 300 holds accountable any business in Texas that comes into contact with PHI.   This means that BAs of physician practices are accountable to HB 300 protections and HIPAA unless they have no contact with PHI.   Physicians should revise their BAAs to include language compelling BAs to comply with state and federal privacy laws.  Matters to address in a BAA include:   

  • Immediate notification to practice when BA discovers breach
  • Who notifies affected individuals?  Who bears the cost?
  • Contract termination for failure to comply with law or take "reasonable" steps to fix breach
  • BA’s compliance with performing security risk analysis at least annually
  • BA’s compliance with employee privacy training
  • Encryption of PHI on BA’s mobile devices or exchanged online; and other circumstances where PHI is at high risk

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

More on other HB 300 provisions next week...


New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks

Privacy protection is getting bigger in Texas. Last year the Texas Legislature passed House Bill 300 (HB 300) heavily amending the state's Texas Medical Records Privacy Act. These amendments increase protection of electronic personal health information (PHI) and become effective on September 1, 2012. HB 300, along with other state privacy laws such as the Texas Identity Theft Protection Act, is more protective of patients' privacy than HIPAA. Stronger protections translate to increased physician cyber liability risks.

I support strong protection of patients' electronic PHI through state and federal privacy laws including the imposition of fair penalties, disciplinary actions and audits that are strong enough to deter breaches of PHI. But I am concerned that there may be low levels of awareness among physicians regarding the new state privacy requirements which increase the physician's cyber liability risks. I know of two physician-oriented publications that will discuss the issue in the next month, and I will present on the topic at the Texas Medical Association's TexMed 2012 Conference in Dallas, Texas, on May 18th. Hopefully we can stimulate more conversations and actions across the state.

I suggest that physicians at least consult with their lawyer to ensure their practice is aligned with HB 300.   Specific actions a physician practice may need to take to be compliant with HB 300 include revising employee privacy training policies and materials; revising policies on patient access to their EHR; updating the Privacy Notice; revising business associate agreements; encrypting protected health information (PHI) stored on mobile devices; and encrypting PHI transported online.    Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

Stay tuned for more blogs on HB 300...   


Health Information Exchanges and Physicians Share Accountability for Safe Patient Care

The $800 billion 2009 American Recovery and Reinvestment Act (ARRA) set aside $36 billion toward health information technology (health IT) initiatives, including over $500 million for the State HIE Cooperative Program.  This federal program provides funds to each state for the successful planning and development of infrastructure that supports the exchange of electronic health data between physician electronic health records (EHRs), hospital EHRs, lab systems, radiology centers and other clinical IT systems.    For example, in Texas we are using these funds to support the development of local health information exchange entities, called HIEs, across the state and to concurrently develop the policies, standards and infrastructure needed to safely/securely connect these HIEs to each other.     The statewide HIE network will also be built to be compatible with national standards and efforts.      

Each state's effort to develop a network of community HIEs and/or a statewide HIE will be more successful with physicians involved upfront with governance and policy development.   When working with local HIEs most physicians will generally understand and appreciate the importance of protecting the privacy and security of electronic patient health information.  Their inherent knowledge on this issue will help guide policies in the right direction.   A more complex issue for physicians to understand is the relationship between HIEs and patient care.   A heightened awareness of this issue will allow physicians to properly inform HIE policymakers about the need to establish an environment where local HIEs, HIE networks and physicians share accountability for safe patient care.   

To deepen physicians' understanding of this issue I encourage them and others to think about an HIE as a tool physicians use as a part of patient care, similar to a surgical tool. If a patient is harmed by a surgical tool that broke because the physician used it incorrectly, the physician is negligent. If the physician used the tool correctly and it still broke, but it has only broken 8 times in over 10,000 surgeries and the patient consent explains this remote risk of breakage, then no one is negligent. However, if it broke and the issue had been reported to the vendor by many physicians on a repetitive basis, but the vendor failed to investigate the issue and fix the problem, or failed to inform physicians and patients of the increased risk in the meantime, then the vendor is negligent.

This perspective will help physicians advocate for policies that lead to an environment where HIEs and physicians share accountability for safe patient care. Effective policies will lead to contracts and agreements which acknowledge that:

  1. HIEs and HIE infrastructure are tools used by physicians during the course of patient care
  2. HIEs are responsible for informing patients and doctors about the inherent risks of the electronic health information exchange including changes in risks when issues are identified
  3. HIEs have a responsibility to continually monitor for and mitigate risks associated with their services that may impact quality of care provided by physicians


Community HIE decisions are best made in collaboration with local physicians who use EHRs

Physicians who use electronic health records (EHRs) in their offices are increasingly being called upon in their communities to participate in the development of local health information exchanges (HIEs).    During the early stages of HIE planning there are important decisions that are best made in collaboration with local physicians.   As with any health information technology usage, the anticipated benefits of exchanging electronic health data must be balanced against the inherent risks of the technology.   Physicians who use EHRs already have valuable experience with some of the inherent risks associated with electronic health data usage, but may not have experience with the clinical risks associated with the exchange of electronic health data.    The following case scenarios are intended to raise awareness and understanding of key patient safety risks associated with the clinical use of electronic personal health information (PHI) that could be obtained through a community-wide HIE.  

Conflicting data scenario:  A nurse records a penicillin allergy in the hospital EHR when a patient experiences GI symptoms after receiving a penicillin injection.   The next day, the patient is seen by her primary care physician (PCP).   After reviewing the history, the PCP is convinced that the reported symptoms were unrelated to the penicillin injection.   She records “No Known Allergies” in her office EHR.   The local HIE retrieves “allergies” from both EHRs and displays this patient’s allergies as both “no known allergies” and “penicillin.”  

In such cases, the physician will have to reconcile the data by considering the sources, dates, and times of each and decide whether additional investigation is necessary.   

Segmented data scenario (this applies only if the HIE will allow patients to exclude some or all of their data as a part of the consent process): For privacy reasons an HIV patient decides to exclude his diagnoses from the HIE, so that the problem list does not disclose his HIV status. He also excludes data from two sources: his psychiatrist and a psychiatric hospital. This patient had suffered an episode of neuroleptic malignant syndrome secondary to an antipsychotic medication a year ago while under the care of the psychiatrist at that hospital. Since records from the psychiatrist and hospital are excluded, the HIE will not contain this information. A physician viewing the patient’s information through the HIE will see no record of the patient’s susceptibility to a life-threatening event from a certain class of medications.

Informing the viewing physician that the patient has excluded some data from the Problem List and some data from both a physician and a hospital may prompt important additional questions and dialogue with the patient that could prevent an avoidable adverse event.  

Clinical Risk Management

Community-wide HIE initiatives are increasingly turning to local physicians who use EHRs to assist with assessments of both the benefits and risks associated with the clinical use of electronic health data shared across their community.  The clinical risks outlined in these scenarios can be managed through the following principles: 

  1. An HIE must provide physicians access to the source, date and time for all displayed data
  2. An HIE must alert clinicians when data or data sources are excluded
     • The alert should specify the type of data (“lab results”) or type of source (“hospitals”) that have been excluded from the HIE through the patient consent process
  3. An HIE must inform physicians about:
     • The patient consent policy used by the HIE (and of policy changes when they occur)
     • A list of the specific types of data they are generally able to access through the HIE
     • A list of the specific sources of data that the HIE exchanges with
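The two scenarios above and the three principles can be made concrete in a small model of how an HIE view is assembled. The following is an added example, not code from the post or from any real HIE product: it filters contributed observations by a patient's consent record, keeps source/date/time on every displayed datum (principle 1), derives alerts about excluded data types and source types from the consent record itself without naming the withheld source (principle 2), and flags categories where sources disagree (the conflicting allergy case). The organisation names, categories and values are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed directory of contributing organisations and their type.
# Names and clinical data below are invented for this example.
SOURCE_DIRECTORY = {
    "Community Hospital": "hospital",
    "Dr. Adams (PCP)": "physician",
    "Dr. Baker (psychiatry)": "physician",
    "Lakeside Psychiatric Hospital": "hospital",
    "Regional Lab": "lab",
}


@dataclass(frozen=True)
class Observation:
    category: str        # "allergy", "problem", "lab_result", ...
    value: str
    source: str          # key into SOURCE_DIRECTORY
    recorded_at: datetime


@dataclass(frozen=True)
class Consent:
    excluded_categories: frozenset = frozenset()
    excluded_sources: frozenset = frozenset()


@dataclass
class HieView:
    records: list                 # observations shown, newest first
    conflicts: list               # categories whose sources disagree
    excluded_categories: list     # types of data the patient withheld
    excluded_source_types: list   # types of source the patient withheld
    alerts: list                  # text alerts for the viewing clinician


def build_view(observations, consent):
    """Apply the consent filter, keep provenance, and raise the alerts."""
    shown = [
        o for o in observations
        if o.category not in consent.excluded_categories
        and o.source not in consent.excluded_sources
    ]
    shown.sort(key=lambda o: o.recorded_at, reverse=True)

    # Principle 2: report *what kind* of data or source was excluded, taken
    # from the consent record itself, never the withheld content or source name.
    excl_cats = sorted(consent.excluded_categories)
    excl_types = sorted({SOURCE_DIRECTORY[s] for s in consent.excluded_sources})
    alerts = [f"Patient consent excludes data of type '{c}' from this view" for c in excl_cats]
    alerts += [f"Patient consent excludes one or more sources of type '{t}'" for t in excl_types]

    # Conflicting data: same category, different values, across sources.
    by_category = {}
    for o in shown:
        by_category.setdefault(o.category, set()).add(o.value)
    conflicts = sorted(c for c, values in by_category.items() if len(values) > 1)
    alerts += [f"Conflicting '{c}' entries; reconcile using source, date and time" for c in conflicts]

    return HieView(shown, conflicts, excl_cats, excl_types, alerts)


def render(view):
    """Principle 1: every displayed datum carries its source, date and time."""
    lines = [f"ALERT: {a}" for a in view.alerts]
    for o in view.records:
        lines.append(
            f"{o.category}: {o.value}  "
            f"[source={o.source} ({SOURCE_DIRECTORY[o.source]}), "
            f"recorded={o.recorded_at:%Y-%m-%d %H:%M}]"
        )
    return lines


# Conflicting data scenario: two allergy entries, no consent exclusions.
CONFLICT_CASE = [
    Observation("allergy", "penicillin", "Community Hospital", datetime(2011, 5, 1, 15, 30)),
    Observation("allergy", "No Known Allergies", "Dr. Adams (PCP)", datetime(2011, 5, 2, 9, 10)),
]

# Segmented data scenario: diagnoses and two psychiatric sources withheld.
SEGMENTED_CASE = [
    Observation("problem", "HIV infection", "Dr. Adams (PCP)", datetime(2010, 3, 4, 10, 0)),
    Observation("problem", "neuroleptic malignant syndrome", "Lakeside Psychiatric Hospital", datetime(2010, 6, 12, 2, 0)),
    Observation("medication", "haloperidol (discontinued)", "Dr. Baker (psychiatry)", datetime(2010, 6, 20, 11, 0)),
    Observation("lab_result", "HbA1c 6.1%", "Regional Lab", datetime(2011, 4, 1, 8, 0)),
]
SEGMENTED_CONSENT = Consent(
    excluded_categories=frozenset({"problem"}),
    excluded_sources=frozenset({"Dr. Baker (psychiatry)", "Lakeside Psychiatric Hospital"}),
)

if __name__ == "__main__":
    for case, consent in ((CONFLICT_CASE, Consent()), (SEGMENTED_CASE, SEGMENTED_CONSENT)):
        print("\n".join(render(build_view(case, consent))), end="\n\n")
```

In the segmented case the viewing physician sees only the lab result, but also three alerts: one that a data type ("problem") is withheld and two that a physician-type and a hospital-type source are withheld. That is exactly the prompt for the additional questions the post describes, and it is produced without leaking which psychiatrist or hospital the patient excluded.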

Modifications to the HIPAA Privacy Rules Under HITECH Will Burden Small Physician Practices

The HITECH Act requires HHS to revise the HIPAA Privacy Rule to remove the exclusion for Accounting of Disclosures for treatment, payment and health care operations to the extent that the disclosures are made through an EHR. In addition, it requires HHS to determine what information is to be collected and then included in these disclosures. In 2010 HHS published a Request For Information (RFI) to seek comments on individuals’ interests in learning of disclosures, the burdens on Covered Entities in accounting for these disclosures and the capabilities of current technologies to facilitate disclosures. The resulting proposed rule is an attempt by HHS to balance the individual’s privacy rights against the burdens on Covered Entities. HHS is accepting comments on this proposed rule up until August 1, 2011.

At a high level, it appears that the proposed rule primarily does two things:

  1. Provides individuals a right to request a new "Access Report" that lists who has accessed their PHI in an electronic designated record set (which is basically medical records, billing records, or other electronic information that is used for payment or treatment decisions) for any purpose including for treatment, payment and health care operations.    The proposed rule limits the information in an Access Report to content which is already required by the Privacy Rule to be collected.    The assumption is that limiting content in this manner will enable a more automated process by which Covered Entities could produce an Access Report and that this would therefore ease their burden.
  2. Makes changes to "streamline" the Privacy Rule's current Accounting of Disclosures provision, such as limiting the types of disclosures that must be accounted for.     As with the Access Report, HHS showed consideration to the burden placed on Covered Entities by making a number of changes to the individual's existing right to an Accounting of Disclosures that would make it easier for Covered Entities to comply with the requirements.   

Despite these positive changes, the proposed rule significantly underestimates the burden on small physician practices.    Although I agree that these changes do, in general, ease some of the burden on Covered Entities, it is primarily the large healthcare systems that will be able to leverage these changes to their advantage.    I do not believe that these changes sufficiently ease the excessive burden on providers in small practices who do not have the resources to leverage the changes to their advantage.    

HHS uses the assumption that limiting content in the Access Report to that which is already required to be collected [i.e. in an EHR] will enable a more automated report and therefore ease the burden on Covered Entities when an individual requests a report.  This assumption is misleading because it assumes that all Covered Entities have the resources necessary to produce a report that meets all the requirements.   According to the proposed rule, the Access Report must meet certain specifications as defined in the rule, must consolidate content from multiple systems if they exist, must allow individuals to limit their requests to specific time periods or persons, and must be made available in an electronic format as requested by the individual if possible.    Although the information in the Access Report is limited to content already required to be collected, EHR vendor products are not required to provide an automated process to produce an electronic report that meets the proposed rule’s requirements.     Therefore, it will not typically be a simple automated process to produce the report.     Instead, the Covered Entities will have to produce the report through a manual process in which some technical skills are needed to design and configure the report to meet the proposed rule’s specifications, to consolidate content from multiple systems, to customize the report to meet requested limitations and/or to re-format the report.   

For example, programming skills will be needed to create an Access Report from a typical EHR that produces an automated audit log that only shows the User’s ID when a record is accessed, but not the individual’s name as required for the Access Report.    In that case the report must be re-configured to map the actual name of the individual in place of the recorded User ID.    As we know, when one change is made in an electronic report, other changes may be needed to accommodate the change.    In this example, mapping content from the NAME field to the USER ID field might also require the report writer to increase a character limit in the USER ID field so as to not cut off long names.    This second change could cause the report to extend beyond the set margins of the report’s design, therefore requiring the report writer to change the design of the report.    A small practice will not typically have someone with the expertise to program such a report and will therefore have to hire an IT consultant.
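What this "manual process" amounts to is shown below as an added example, not code from the post or from any EHR vendor: two constructed audit-log exports with different column names and timestamp formats are consolidated into one record layout, user ids are mapped to names through a staff directory (with unknown ids kept visible rather than silently dropped), the report can be limited to a time period or a person as the proposed rule requires, and the text layout is sized to the longest name so nothing is cut off. System names, column names, user ids and patient ids are all invented.

```python
import csv
import io
from datetime import datetime

# Constructed audit-log exports from two systems holding PHI (an EHR and a
# billing system). Column names, user ids and patient ids are invented here.
EHR_AUDIT_LOG = """\
timestamp,user_id,patient_id,action
2011-06-01T09:14:00,jsmith,P1001,VIEW
2011-06-01T09:20:00,rlee,P1002,VIEW
2011-06-03T14:02:00,jsmith,P1001,UPDATE
2011-07-15T08:45:00,agarcia,P1001,VIEW
"""

BILLING_AUDIT_LOG = """\
event_time,login,mrn,what
2011-06-02 11:00:00,rlee,P1001,CLAIM_VIEW
2011-06-20 16:30:00,jsmith,P1003,CLAIM_VIEW
2011-06-21 10:05:00,tmp_contractor,P1001,CLAIM_VIEW
"""

# The mapping step the post describes: the log stores only a user id, the
# Access Report needs a person's name. An id missing from the directory
# (a departed contractor, say) must stay visible in the report.
USER_DIRECTORY = {
    "jsmith": "Jane Smith, RN",
    "rlee": "Robert Lee (billing office)",
    "agarcia": "Dr. Ana Garcia",
}

# Per-system column mapping and timestamp format, so both exports can be
# consolidated into one record layout.
SYSTEMS = {
    "EHR": (EHR_AUDIT_LOG,
            {"when": "timestamp", "user": "user_id", "patient": "patient_id", "action": "action"},
            "%Y-%m-%dT%H:%M:%S"),
    "Billing": (BILLING_AUDIT_LOG,
                {"when": "event_time", "user": "login", "patient": "mrn", "action": "what"},
                "%Y-%m-%d %H:%M:%S"),
}


def load_events():
    """Normalise every system's export into one chronological list of events."""
    events = []
    for system, (text, cols, fmt) in SYSTEMS.items():
        for row in csv.DictReader(io.StringIO(text)):
            uid = row[cols["user"]]
            events.append({
                "system": system,
                "when": datetime.strptime(row[cols["when"]], fmt),
                "user_id": uid,
                "user_name": USER_DIRECTORY.get(uid, f"UNKNOWN USER ({uid})"),
                "patient_id": row[cols["patient"]],
                "action": row[cols["action"]],
            })
    return sorted(events, key=lambda e: e["when"])


def _as_datetime(value):
    # Accept ISO 8601 strings ("2011-06-01" or "2011-06-30T23:59:59") or datetimes.
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def access_report(events, patient_id, start=None, end=None, person=None):
    """Rows for one patient, optionally limited to a date range and/or a person."""
    start, end = _as_datetime(start), _as_datetime(end)
    rows = []
    for e in events:
        if e["patient_id"] != patient_id:
            continue
        if start and e["when"] < start:
            continue
        if end and e["when"] > end:
            continue
        if person and person.lower() not in (e["user_name"].lower(), e["user_id"].lower()):
            continue
        rows.append(e)
    return rows


def format_report(rows):
    """Plain-text layout sized to the longest name, so no name is truncated."""
    width = max((len(r["user_name"]) for r in rows), default=11)
    lines = [f"{'DATE/TIME':<19} {'SYSTEM':<8} {'ACCESSED BY':<{width}} ACTION"]
    for r in rows:
        lines.append(f"{r['when']:%Y-%m-%d %H:%M:%S} {r['system']:<8} {r['user_name']:<{width}} {r['action']}")
    return "\n".join(lines)


if __name__ == "__main__":
    events = load_events()
    print(format_report(access_report(events, "P1001")))
    print()
    print(format_report(access_report(events, "P1001", start="2011-06-01", end="2011-06-30T23:59:59")))
```

Even in this small form, every piece of the post's argument is visible: the column mapping per system is the consolidation work, USER_DIRECTORY is the id-to-name mapping, and the width calculation is the "character limit" change that ripples into the report design. Each of those is a decision someone with technical skills has to make and maintain for the practice's particular systems.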

Covered Entities must utilize the time and effort of people who have the needed technical skills to meet the proposed rule’s reporting requirements. The difference between small practices and large providers is the availability of technical expertise to do this manual work. Most large healthcare systems and some large physician practices have an IT Department or employ IT personnel who have the expertise and skills needed to design, configure and format reports. For large entities, the Access Report does not create a significant new burden because they already have the expertise to produce their reports. But very few small physician practices have the resources necessary to do this. So in order to produce an Access Report, a small practice will have to hire outside resources to design, configure and format the reports at variable costs. The actual cost will be dependent on the complexity of each report and the IT consultant’s hourly rates ($100-$250/hour). As the proposed rule is currently written, a small practice will typically have to hire external resources, at their own expense, to write the report and then be required to provide the report at no cost to the requesting individual.

As acknowledged in the proposed rule, the Accounting of Disclosure is recognized by HHS to be more complex and will require a “manual, expensive, and time consuming process for Covered Entities and Business Associates.”   One purpose of the new Access Report is to be an alternative to Accounting of Disclosures in order to mitigate this known burden of disclosures.    Nevertheless, the Access Reports will still require “manual” work that involves technical skills and will be a significant burden on small practices.    Also, since the Accounting of Disclosure reports are more complex they will require more manual work and technical skill than Access Reports.    The burden of disclosures on small practices will therefore be much greater than for large systems that already employ the technical expertise to design, configure and format the reports.

In summary:

  1. The proposed rule requires small practices to provide requesting individuals with a new Access Report which places excessive burden on small practices at an unreasonable cost.    The burden of producing an Access Report should be on the vendor’s EHR product and not on the physician.     The proposed rule should be modified to require small practices to provide the system’s automated audit log, as configured by the vendor, if available, from any of their systems that store PHI.    The burden should be placed on the vendors to configure their products to produce automated reports that meet the specifications and requirements.    If a small practice has to hire IT consultants to design and configure or modify an Access Report, they should be allowed to charge the individual for the actual costs incurred.
  2. This proposed rule also requires small practices to provide requesting individuals with an Accounting of Disclosure which also places excessive burden on small practices at an unreasonable cost.    The burden of producing Disclosure reports should be on the vendor’s EHR product and not on the physician.    The burden should be placed on the vendors to configure their products to produce automated reports that meet the specifications and requirements.    If a small practice has to hire IT consultants to design and configure or modify an Accounting of Disclosure report, they should be allowed to charge the individual for the actual costs incurred.

Private E-mail Communications Between Physicians and Patients—Identity proofing, Authentication and Encryption

Case study:   A plaintiff claims that his physician sent him an e-mail with poor medical advice that led to an adverse medical event.  The defendant physician agrees that the e-mail in question provides grossly negligent advice, but claims that she never sent such an e-mail.   Unfortunately, the physician had been using her own, personal home e-mail program to communicate with patients without using encryption or authentication software.  A costly investigation eventually proved that the e-mail had originated from an unknown third-party spammer who used a technique called “spoofing” to insert the physician’s e-mail address into the "From" field in the e-mail that was sent to the patient.

Although this physician avoided a malpractice suit, she bore the financial burden of a technical investigation to prove the e-mail was not from her. This is only one example of a number of privacy and security issues with physician-patient e-mail. But these problems are avoidable and e-mail can be safely used if the physician can be sure of four things:

  1. They are using the authentic e-mail address of the patient
  2. A message received from the patient has actually been sent from their authentic e-mail address
  3. Each message (sent or received) has not been changed while traversing across the Internet
  4. Only the physician and the patient are able to read each other’s e-mail messages

E-mail encryption programs and secure messaging programs both provide safeguards that ensure this level of privacy and security needed for physician-patient e-mail.   From a legal perspective, these technologies, when combined with appropriate procedures of use, make it very difficult for someone to successfully repudiate (deny sending or receiving) an e-mail in a legal situation.   As noted in this case, regular home and business e-mail programs do not typically include such safeguards.

The Texas Medical Board (TMB) specifically requires physicians to “authenticate” patients prior to initiating e-communications, and to only use e-communications with established patients. Although the TMB does not specify how this is to be accomplished, the procedure typically involves “identity proofing” patients during an office visit. Patients physically present themselves to an office staff member who is authorized to register new “users” into the physician’s secure e-mail system. After being registered in the system, the patients will receive the “credentials” that allow them to receive and send messages through that system. The type of e-mail system used by the physician determines the type of “credentials” the office will provide. The credentials may be a password, a biometric feature (e.g., a fingerprint), or a physical device such as a CD, smart card, or thumb drive that contains a password “key”.

After the patient is identity proofed, secure e-mail systems are able to use built-in “authentication” technologies to ensure:

  • a message received has actually been sent from the credentialed patient’s mailbox
  • a message sent or received has not been changed while it traveled over the Internet
  • a message sent can only be received and decoded by the credentialed patient.
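The first two guarantees in this list, and the spoofing case study above, can be demonstrated with a short model of a secure-messaging system. This is an added example, not code from the post or from any real secure e-mail product: each enrolled user (physician or identity-proofed patient) holds a credential issued at registration, every message is sealed with an HMAC tag over its headers and body, and the recipient's system accepts a message only if the tag verifies under the claimed sender's credential. A spoofer who writes the physician's address into "From" has no credential and cannot produce a valid tag; a message altered in transit fails the same check. The addresses and envelope format are invented. Two caveats the list does not make explicit: a shared-secret tag proves a message came from one of the two key holders, which is what the bullets promise, but non-repudiation toward a third party (the legal point the post raises) needs per-user digital signatures rather than a shared key; and confidentiality (the third bullet) is not shown here because the standard library has no authenticated cipher.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example of a secure-messaging system: every registered user
# holds a credential issued after identity proofing. Addresses and the
# envelope format are invented for this example.


def enroll(credentials, user, key=None):
    """Register a user and issue a credential (the step after identity proofing)."""
    credentials[user] = key or secrets.token_bytes(32)
    return credentials[user]


def _canonical(headers, body):
    # A fixed serialisation so sender and recipient tag exactly the same bytes,
    # headers included: changing "From" or "Subject" also breaks the tag.
    return json.dumps({"headers": headers, "body": body}, sort_keys=True,
                      separators=(",", ":")).encode("utf-8")


def seal(credentials, sender, recipient, subject, body):
    """Produce a message whose tag binds headers and body to the sender's credential."""
    headers = {"from": sender, "to": recipient, "subject": subject}
    tag = hmac.new(credentials[sender], _canonical(headers, body), hashlib.sha256).hexdigest()
    return {"headers": headers, "body": body, "tag": tag}


def verify(credentials, message):
    """Return (ok, reason). Rejects unknown senders, forged and altered mail."""
    sender = message["headers"].get("from")
    key = credentials.get(sender)
    if key is None:
        return False, f"sender {sender!r} is not a registered user"
    expected = hmac.new(key, _canonical(message["headers"], message["body"]),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so tag checking does not leak timing information.
    if not hmac.compare_digest(expected, message.get("tag", "")):
        return False, "tag mismatch: not sealed with this sender's credential, or altered in transit"
    return True, "authentic and unaltered"


def demo():
    """Walk through the legitimate case and the failure modes the post describes."""
    creds = {}
    enroll(creds, "dr.lee@clinic.example")
    enroll(creds, "patient42@mail.example")

    genuine = seal(creds, "dr.lee@clinic.example", "patient42@mail.example",
                   "Lab results", "Your potassium is normal; no change in medication.")

    # Spoofing: a third party writes the physician's address into "From"
    # but holds no credential, so any tag it supplies is wrong.
    spoofed = {"headers": {"from": "dr.lee@clinic.example", "to": "patient42@mail.example",
                           "subject": "Lab results"},
               "body": "Double your dose immediately.", "tag": "0" * 64}

    # Tampering in transit: the body changes after sealing, the tag does not.
    tampered = dict(genuine, body=genuine["body"].replace("no change", "double the dose"))

    # Unknown sender: an address that was never enrolled.
    unknown = dict(genuine, headers={**genuine["headers"], "from": "nobody@elsewhere.example"})

    return {
        "genuine": verify(creds, genuine),
        "spoofed": verify(creds, spoofed),
        "tampered": verify(creds, tampered),
        "unknown_sender": verify(creds, unknown),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:15} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The point of the case study is that an ordinary mail client performs none of these checks, so the "From" field is just text the sender typed. With the check in place the spoofed message is rejected on receipt, and the investigation the physician had to pay for becomes a one-line log entry.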

Taking care to set up authentic e-mail accounts with identified patients and using an e-mail program (encrypted e-mail or secure messaging) that includes "authentication" technologies are necessary to establish the trust needed when engaging in private medical conversations.   In addition, these work flow procedures and technologies will help the physician stay within HIPAA regulations that require encryption when PHI is sent over the Internet.

Physicians Use E-mail With Patients Safely By Avoiding Misuse, Mishandling and Medicolegal Issues

Effective communication is a hallmark of patient satisfaction with their physician as well as with quality outcomes.  It is not surprising that surveys reveal more than 90% of patients desire to e-mail their doctors.  Physicians, however, are tentative about moving forward. In a 2009 survey by the Texas Medical Association, only about 20% of physicians reported the use of e-mail with their patients.

Those of us who do successfully use e-mail with patients know that we must be attentive to the risks involved to use e-mail safely. We also recognize that in order to use this technology efficiently we have to think about our work flow and be smart about redesigning it.  The risks of using e-mail with patients can be categorized into misuse, mishandling and medicolegal issues.

Misuses of physician-patient e-mail include:

  • seeking or providing new diagnoses/treatments
  • using e-mail with new patients with no previous face-to-face encounter
  • communicating on sensitive matters such as HIV, sexually transmitted infections, genetics and mental health
  • using e-mail for urgent or emergent issues
  • writing long, complex messages
  • using e-mail attachments with formats that patients’ computers may not be able to open and read
  • forwarding e-mails from patients without their consent
  • advertising or promoting goods and products through e-mail

Mishandling issues with physician-patient e-mail include:

  • problems with e-mail triage or distribution within the office such as failure to adhere to established protocols or meet expected turn-around times for actions/replies
  • physicians using their personal e-mail accounts to send e-mail to patients
  • misunderstandings by patients/office staff regarding who actually received, sent or replied to messages (authorship issues)

Medicolegal, privacy and security issues include:

  • failure to properly identify patients and verify e-mail addresses
  • privacy breaches
  • security problems with the e-mail system or related computer systems
  • not getting e-mail communications into the patient’s medical record
  • repudiation issues (e.g., a patient denies sending or receiving an e-mail)
  • accountability issues
  • legal e-discovery issues
  • medical liability associated with diagnoses/treatment
  • failure to follow Texas Medical Board rules, HIPAA regulations or other privacy/security regulations

These issues are certainly not insurmountable.  With an awareness and understanding of the rules, regulations and guidelines published by one’s state medical board, HIPAA, professional societies and other professional organizations such as the AMA, a physician can develop a set of policies and procedures to safely and efficiently use e-mail with their patients.  The procedures should include oversight mechanisms, adequate training of staff, adherence to privacy and security regulations, appropriate identification and authentication of each patient who consents to the use of e-mail and patient education to clarify what the physician will allow e-mail to be used for.  Patients should also be educated on how the office will manage e-mail messages and on what the expected turn-around times for replies will be.

Enhance Safe Use of EHRs By Aligning Implementation To Quality Goals

Safe use of electronic medical records (EMRs) is enhanced when physicians focus their EMR implementation on quality of care improvements.  Effective communication among the staff about these key goals creates a positive environment that serves as a catalyst for successful use of the EMR.  In addition, large healthcare systems and small physician offices are both less likely to encounter patient safety issues when they align their health information technology (IT) strategies to quality of care goals.  

Case Study:  Several years ago the leadership of an Accountable Care Organization (ACO) formed between a local healthcare system and a multi-specialty physician group began working collaboratively on a common vision for patient safety excellence.  System-wide integration and use of medication reconciliation were top priorities.  The EMR used by the hospitals had an ambulatory component that met all of the critical requirements determined by the physician board members.  If implemented, the ambulatory and hospital EMRs could have been integrated to share the same master patient index, drug formulary, medication index, allergy index and set of clinical decision support rules.  However, the physician board, influenced by several leading opinion-makers who favored an alternative EMR, convinced ACO leaders to allow the physicians to purchase their own ambulatory EMR and to use system resources to purchase and develop a data repository that could send, receive and store data bi-directionally between multiple sources.  The vendors involved promised they could provide the infrastructure and tools necessary to capture and manipulate the data.  Two years later a patient suffered a severe anaphylactic reaction after receiving an antibiotic injection in one of the physician offices.  An investigation revealed that although the EMR had properly displayed the allergy, the antibiotic order had not triggered an allergy alert.  Further research revealed multiple ways for an allergy to be entered into their customized, bi-directional medication reconciliation tool that would successfully display the allergy in the ambulatory EMR but not trigger an alert during the ordering process.  Their conclusion was that the use of different EMRs with multiple drug formularies, multiple medication and allergy indices and different clinical decision support rules is more complex than anticipated.  
They suspended use of the medication reconciliation tool until they could determine whether they could execute their current strategy more effectively.
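To make the failure mode in this case study concrete, the following is an added, illustrative Python model; it is not the ACO's or any vendor's code, and every drug code, class, crosswalk entry and allergy record in it is constructed for the example.  It shows why an allergy recorded through one entry path can display correctly on the chart yet never reach the ordering rule when two EMRs keep separate medication and allergy indices, and what a rule that canonicalises every code the same way and fails closed on anything it cannot classify looks like.

```python
"""Added illustration (not the ACO's code): an allergy that *displays* correctly
but does not *alert*, because two EMRs keep separate medication/allergy indices.
Every code, class, crosswalk entry and record below is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed indices. The hospital EMR and the ambulatory EMR each assign their
# own codes; there is no shared master medication/allergy index.
HOSPITAL_DRUG_CLASS = {"H-0017": "penicillin", "H-0018": "penicillin",
                       "H-0042": "macrolide"}
# Crosswalk (ambulatory code -> hospital code) that was only ever built for the
# order/formulary path, not for every allergy entry path.
CROSSWALK = {"A-204": "H-0017", "A-205": "H-0018", "A-310": "H-0042"}


@dataclass(frozen=True)
class Allergy:
    display_name: str   # what the chart shows to the clinician
    code: str           # whatever code the entering system assigned
    entered_via: str    # which of the several entry paths was used


# Constructed sample: the same penicillin allergy recorded through two paths.
VIA_HOSPITAL = Allergy("penicillin G", "H-0017", "hospital EMR, crosswalked by repository")
VIA_AMBULATORY = Allergy("penicillin G", "A-204", "ambulatory EMR direct entry")


def display_allergies(allergies: List[Allergy]) -> List[str]:
    """Chart display path: needs only the human-readable name, so every entry
    path looks identical on screen and the clinician sees nothing wrong."""
    return [a.display_name for a in allergies]


def order_alert_as_built(allergies: List[Allergy], ambulatory_order_code: str) -> bool:
    """Ordering-time rule as the tool behaved in the case study: authored against
    the hospital index, and only the *order* is crosswalked. An allergy coded by
    the ambulatory entry path has no hospital class and silently never matches."""
    order_class = HOSPITAL_DRUG_CLASS.get(CROSSWALK.get(ambulatory_order_code, ""))
    if order_class is None:
        return False                      # unknown order: no rule fires (silent)
    return any(HOSPITAL_DRUG_CLASS.get(a.code) == order_class for a in allergies)


def canonical_class(code: str) -> Optional[str]:
    """Map a code from *either* index to a hospital drug class; None if unknown."""
    return HOSPITAL_DRUG_CLASS.get(CROSSWALK.get(code, code))


def order_alert_canonical(allergies: List[Allergy],
                          ambulatory_order_code: str) -> Tuple[bool, str]:
    """Hardened rule: canonicalise every allergy and the order the same way, and
    fail closed (alert for manual review) when anything cannot be classified."""
    order_class = canonical_class(ambulatory_order_code)
    if order_class is None:
        return True, f"ordered drug {ambulatory_order_code} not in master index; review"
    for a in allergies:
        cls = canonical_class(a.code)
        if cls is None:
            return True, f"allergy '{a.display_name}' ({a.code}) unclassifiable; review"
        if cls == order_class:
            return True, f"{a.display_name} allergy conflicts with class {order_class}"
    return False, "no conflict"


if __name__ == "__main__":
    for allergy in (VIA_HOSPITAL, VIA_AMBULATORY):
        print(allergy.entered_via, "-> chart shows", display_allergies([allergy]),
              "| as built:", order_alert_as_built([allergy], "A-205"),
              "| canonical:", order_alert_canonical([allergy], "A-205"))
```

Both records print the same allergy on the chart, but only the hospital-entered one fires the as-built rule when amoxicillin (constructed code A-205) is ordered.  The canonical rule catches both, and treats an allergy it cannot map as a reason to alert rather than as "no match"; an integration that silently drops what it cannot classify is exactly the kind of gap that an ordering-time safety check must not have.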

Key Points:  Effective organizational characteristics and a focus on quality of care are important catalysts for safe EMR use.

Cultivating a culture of safety, promoting transparent communications and aligning strategic planning with prioritized goals to improve quality of care are examples of organizational characteristics that facilitate safe EMR use.  In this case the organization did well in creating a shared vision with common goals and priorities regarding quality of care.   However, organizational alignment fell apart when the unbalanced interests of one part of the organization created a perceived need for an alternative strategy.   Although the new strategic plan was plausible, the organization did not have the resources or organizational discipline to execute plans that were considerably more complex.   It will be paramount for ACOs to manage such issues effectively in the future.  Similarly, even the small, individual physician practice is more likely to succeed with an EMR implementation when it develops a strategy to improve quality of care through that implementation.  

"Think Simple" When Developing Order Sets and Clinical Content Screens for EMRs

Physicians would prefer that an EMR computer screen emulate a tri-fold flow sheet that inspires a "gestalt feel" for the whole clinical situation.   Instead, data split among multiple screens, with numerous mouse clicks and excessive scrolling needed to see all the information, tends to frustrate clinicians.  The frustration results from the fragmentation of thought processes and patterns that have developed over time.    In addition, user interface issues can become a patient safety risk.  The following case study provides an example of such an issue.   

Case Study:   A small practice had their EMR vendor develop a custom report called the Patient Summary that "pulls in" EMR data including lab and radiology results.  This report is useful while on call because physicians can access it remotely from home over the Internet.   One weekend the on-call physician discovered that some of the lab results for one of his patients did not show up on the Patient Summary.    He checked several other patients and found another example of missing results.   He decided that the report was unreliable and that he would not use it until the issue was understood.  The EMR vendor was notified on Monday.   They quickly determined that the report was working normally and that no data was missing.   They suspected the doctor had forgotten that the report displays a small <+> symbol at the bottom of the screen when there are additional lab results that will not fit in the space provided.   At that point the physician realized that he had used his new iPhone for the first time and that the small display had made it very difficult for him to see the small <+> symbol.
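The report in this case study truncated silently: the only sign that results were cut was a lone <+> that a small screen could hide.  The following is an added Python illustration, not the practice's or the vendor's report code, with constructed lab values and an assumed report area of six rows.  It renders the same results two ways, the as-built sentinel and an explicit "showing N of M" header that puts abnormal results first and names any abnormal result that was cut, and shows a consumer-side check that can detect truncation without anyone having to spot a symbol.

```python
"""Added illustration (not the practice's or vendor's code): the same lab
results rendered with a lone '+' sentinel, as in the case study, and with an
explicit count header that survives a small screen and can be checked by code.
All lab values are constructed; MAX_ROWS is an assumed report-area size."""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class LabResult:
    test: str
    value: str
    flag: str = ""      # "H" / "L" for abnormal, "" for normal (constructed)


# Constructed sample: more results than the fixed report area can hold.
SAMPLE_RESULTS = [
    LabResult("Sodium", "138 mmol/L"),        LabResult("Potassium", "5.9 mmol/L", "H"),
    LabResult("Creatinine", "2.1 mg/dL", "H"), LabResult("BUN", "41 mg/dL", "H"),
    LabResult("Glucose", "104 mg/dL"),        LabResult("Hemoglobin", "9.8 g/dL", "L"),
    LabResult("WBC", "14.2 K/uL", "H"),       LabResult("Platelets", "210 K/uL"),
    LabResult("Troponin I", "0.9 ng/mL", "H"), LabResult("INR", "3.4", "H"),
]
MAX_ROWS = 6   # rows that fit in the Patient Summary's lab area (assumed)


def _row(r: LabResult) -> str:
    return f"{r.test}: {r.value} {r.flag}".rstrip()


def render_as_built(results: List[LabResult], max_rows: int = MAX_ROWS) -> List[str]:
    """As-built behaviour: show what fits, append a lone '+' if anything was cut.
    Nothing states how many results exist or which ones were dropped."""
    lines = [_row(r) for r in results[:max_rows]]
    if len(results) > max_rows:
        lines.append("+")
    return lines


def render_explicit(results: List[LabResult], max_rows: int = MAX_ROWS) -> List[str]:
    """Hardened rendering: abnormal results first, shown/total counts in the
    header, and the names of any abnormal results that did not fit, so
    truncation cannot be missed on any screen size."""
    ordered = sorted(results, key=lambda r: not r.flag)    # stable: abnormal first
    shown, hidden = ordered[:max_rows], ordered[max_rows:]
    header = f"LAB RESULTS: showing {len(shown)} of {len(results)}"
    if hidden:
        header += f"; {len(hidden)} NOT SHOWN"
    lines = [header] + [_row(r) for r in shown]
    hidden_abnormal = [r.test for r in hidden if r.flag]
    if hidden_abnormal:
        lines.append("NOT SHOWN, ABNORMAL: " + ", ".join(hidden_abnormal))
    return lines


def is_complete(rendered: List[str]) -> bool:
    """Consumer-side check on the explicit format: parse the header and confirm
    nothing was truncated. A phone client or a nightly report check can use it."""
    m = re.match(r"LAB RESULTS: showing (\d+) of (\d+)", rendered[0] if rendered else "")
    return bool(m) and m.group(1) == m.group(2)


if __name__ == "__main__":
    print("\n".join(render_as_built(SAMPLE_RESULTS)), end="\n\n")
    out = render_explicit(SAMPLE_RESULTS)
    print("\n".join(out))
    print("complete:", is_complete(out))
```

With ten constructed results and a six-row area, the as-built report ends in a single "+" after six rows, while the explicit report leads with "showing 6 of 10; 4 NOT SHOWN" and closes by naming the abnormal INR that was cut.  The same header is what lets a new smart-phone report, or a monitoring job, refuse to present a summary as complete when it is not.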


Key Points:

  • Displaying medical data on a computer screen in a manner that meets the cognitive challenge at hand is difficult and can fragment a physician’s thought processes

 Since tri-fold computer screens are not a practical solution today, physicians need to involve themselves in the development of the EMR content screens that they will be using on a day-to-day basis.  For most EMR products these screens can be configured and used in various ways.  In this case the small display inherent to smart phones was inadequate when viewing the report.   But this is because it was not designed with the small viewing area and resolution of a smart phone in mind.  If presenting this data on a smart phone is a requirement for this physician, a new report will have to be developed in order to meet that new need.  

  • “Think simple” when developing EMR screens that clinicians interact with

Complexity makes EMR use more difficult and less safe.   Most EMRs allow modifications to some of the screens that physicians interact with, such as documentation templates, reports, orders and order sets.   Good advice to those who develop these screens is to "think simple".   For example, if six gastroenterologists each create their own list of 25 order sets to accommodate personal preferences, their EMR order set screen will display 150 order sets.   A screen that presents physicians with 150 choices is destined to be misused or ignored.  They would be better served by collaborating on 25 evidence-based order sets to share.   The result will be less frustration, less variation from evidence-based medicine and less work when annually reviewing the content of the order sets.