Sunday, February 21, 2016

The Indian National EHR Standards and some interpretations in the context of an 'anonymized online case-records system'

The National EHR Standards have addressed the issues of privacy, ownership, secrecy, anonymisation and de-identification since Nov 2013: http://www.mohfw.nic.in/showfile.php?lid=1672

At that time we took a look at the document and made some interpretations in the context of an 'anonymized online case-records system' (non-standardized, but thriving in an open, online, low-resource environment to serve the purpose of shared decision making, an alternative to replacing all humans).


Below are some of the thoughts shared as soon as the National EHR Standards were released at that time (Nov 2013).


(Page 38) DATA OWNERSHIP OF EMR

The Ethical, Legal, Social Issues (ELSI) guidelines for Electronic Medical Record (EMR) are recommended as follows.

For the purposes of these recommendations, the term “privacy” shall mean that only those person or person(s) including organisations duly authorized by the patient may view the recorded data or part thereof. 

Privacy would refer to authorization by the owner of the data (the patient).

Page 39
For data ownership, a distinction is to be made between
a. The physical or electronic records, which are owned by the healthcare provider. These are held in trust on behalf of the patient, and
b. The contained data which are the sensitive personal data of the patient is owned by the patient itself.

Interpretation in the context of the anonymized online case-records system: We are not touching or recording the "sensitive personal data of the patient" right at the stage of 'data capture' by the patient/caregiver-social worker/health professional. However, we do have some of the patient/relative emails at the moment, and these will have to be protected as per “security”, defined on Page 38 to mean that all recorded personally identifiable data will at all times be protected from any unauthorized access.

Page 41:

Disclosures can be performed without individual authorization in the following situations.
With Identifiers, on production of court order
However, as far as possible, and where appropriate, the data so provided should be anonymised to remove information that will allow identification of the patient. (Removing identifiers as indicated in Table 1 below)


Interpretation in the context of an 'anonymized online case-records system': This means we can by no means release data without 'authorization' by our individual patient user.

Can these digital signature guidelines improve an 'anonymized online case-records system' workflow?

Digital signatures are to be used to prevent non-repudiation (establishing authenticity of author of the document) and trust by the recipient.

Follow e-Pramaan National e-Authentication service offered by DeitY, Govt. of India: http://epramaan.gov.in/
Reference Framework for e-authentication–ePramaan
document-for-e-authentication-epramaan

Reference Guidelines for Digital Signatures, available at
http://egovstandards.gov.in/guidelines/Guidelines%20for%20Digital-signature/view

(Page 48) informed-consent-form/authorization form:


Authorization: Any document designating any permission. Authorization or waiver of authorization for the use or disclosure of identifiable health information for research (among other activities) is required. The authorization must indicate if the health information used or disclosed is existing information and/or new information that will be created.

The authorization form may be combined with the informed consent form, so that a patient need sign only one form.
An authorization must include the following specific elements:
1) a description of what information will be used and disclosed and for what purposes; a description of any information that will not be disclosed,

2) if applicable; a list of who will disclose the information and to whom it will be disclosed; an expiration date for the disclosure; a statement that the authorization can be revoked; a statement that disclosed information may be re-disclosed and no longer protected; a statement that if the individual does not provide an authorization, she/he may not be able to receive the intended treatment; the subject’s signature and date.

Of some relevance to anonymized online case-records systems:

Alternate UHID

As per institution/vendor's specifications / Mandatory if no other concomitant ID is used in the system, else optional
Wherever Aadhaar Number is unavailable and the healthcare provider wishes to use their own ID system, this field should be used; this ID may be used in addition to the UHID above

Sensitive Data: (Page 39)

Interpretation in the context of an anonymized online case-records system: the information below means that Medical Case History is also sensitive information. So in effect we are requesting 'authorization' from the patient (this fact needs to be added to the consent form) to allow the anonymized-online-records manager to share PART (marked in bold, see numbers iii and v below) of their 'sensitive information', which is defined below.

As per the Information Technology Act 2000, Data Privacy Rules, refer to ‘sensitive personal data or information’ (Sensitive Data) as the subject of protection, but also refer, with respect to certain obligations, to ‘personal information’. Sensitive Data is defined as a subset of ‘personal information’. Sensitive Data is defined as personal information that relates to:
i. Passwords;
ii. Financial information such as bank account or credit card or debit card or other payment instrument details;
iii. Physical, psychological and mental health condition;
iv. Sexual orientation;
v. Medical records and history;
vi. Biometric information;
vii. Any detail relating to (1)–(6) above received by the body corporate for provision of services; or
viii. Any information relating to (1)–(7) that is received, stored or processed by the body corporate under a lawful contract

Is the online-patient-record a very useful communication tool?

Once most doctors realize that the online-patient-record is potentially a very useful asynchronous communication tool with ample opportunities for patient-follow-up (informational continuity) they are likely to warm up to it. 

It took time for a majority of people to warm up to asynchronous SMS over synchronous telephone calls but once they realized the benefits (minimal intrusion on one's personal time space) people lapped it up and when WhatsApp arrived with more value addition to the SMS it touched the skies?

In their day to day workflow much time is lost by doctors communicating on telephones and most of these conversations are not even recorded but some of it is later distilled onto paper based records. 

On the other hand EHRs can considerably reduce this telephonic time taken for each patient. 

Even in non-standardized online-patient-records that are connected to closed-social-media (part of our hospital and community patient-workflow), when the senior consultant wants to know the follow up of any patient (at any time from his/her residence) all s/he needs to do is enter 'update' and tag whichever on-duty-resident/nursing-staff is present in the hospital at that time. S/he's sure to have the answer within a short-while from the duty-person who types the necessary patient-information below the same comment thread (and the entire information exchange is later saved in the online-record in a space that is not a part of the main record but can be accessed at one click if/when needed). For example: http://globaludhc07.blogspot.in/2016/02/conversational-clinical-decision.html (scroll to bottom for today's update).

Same goes for the patient who is currently in the community (where this response comes from the community health worker who creates and manages the patient's non-standardized online-health-record). 

An important point that needs to be addressed for scaling such models is 'training' to create efficient health-user-ecosystems and one of the biggest stumbling blocks to these is our current medical education curricula which encourages lecture-classes and rote memorization over patient-centered-learning?