Categories
EHR Standards Knowledge

Indian Electronic Health Records (EHR) Standards – Part 4: Shared clinical information models for semantic interoperability

In our series of posts on Indian Electronic Health Records, the next aspect we analyze is shared clinical information models for semantic interoperability. One of the major purposes that healthcare information systems should serve is the optimum delivery of healthcare services and treatment programs. Since healthcare is not a temporary event but a perpetual affair that covers the entire lifespan of a person, the need for interoperability standards in healthcare information systems becomes paramount.

Interoperability of data in IT systems works on two levels: syntactic and semantic. The former is transactional; it is defined at the interface layer, often as an afterthought, to exchange information between independently designed systems. The latter is achieved at the design stage of the software and ensures a more meaningful data exchange that includes both the information and its context. A true EHR system should not just do the former, but should be designed to deliver the latter.

The Ministry of Health and Family Welfare (MOHFW) has taken a staged approach to enhance large-scale adoption of EHR technology, provide optimum security of health information, implement specifications, consider factors to improve interoperability and ensure semantically interoperable EHR for Indian citizens. The Indian EHR standards include pointers, such as OpenEHR, to the direction in which the country is projected to move.

Since there are many clinical systems already in place, the first phase in pushing for EHR adoption is to define an exchange format and convert the proprietary data into that format as needed. Here the focus is on the applications and interface design, with no thought given to the underlying data. The second phase should be to standardize models for health data first and build new EHR systems on top to avoid interoperability issues completely and achieve semantic information exchange. This entails defining a shared set of clinical data models for newer EHR systems as the starting point.

As the pace of EHR adoption picks up, most healthcare organisations are beginning to realise that their data is more valuable than their applications. Since good data is key to improving outcomes, managing chronic disease and enabling population health management, it is becoming the key asset in their armory of tools. This key asset needs to be managed for the lifetime of the patient, when we all know that applications are not going to last that long. The question all of them are asking is ‘what happens to health data when we switch applications?’

The solution to the above problem is to turn the focus from applications to data. Imagine if the proposed National Health Stack for India built on its common resources to include shared clinical information models that cover varied aspects of healthcare to support an integrative healthcare paradigm. Imagine if, instead of building applications, the government were to standardise models for health data. While it is unrealistic to expect that any application could cover the diverse requirements of healthcare, it would be possible to define a common set of clinical information models to support several different solutions. This would provide different stakeholders with a choice of applications and vendors while at the same time delivering on the goal of making health data interoperable by design. It would also prevent vendor lock-in by making healthcare applications easier to interoperate and replace, while eliminating the high costs of data migration.

Our EHR.Network platform has been designed with this philosophy of shared clinical information models. It is built in line with the OpenEHR Reference Model and works with any OpenEHR Archetypes & Templates. Applications built on EHR.Network will remain future proof, portable and interoperable. We already incorporate a large number of clinical models from the international, community-governed Clinical Knowledge Manager (CKM). Apart from the cloud-hosted public platform, we offer EHR.Network for collaboration and co-creation to build modern healthcare applications. Please contact us to know more.

Indian Electronic Health Records (EHR) Standards – Part 3: Security and Privacy guidelines in designing a Cloud EHR

Discussions about privacy and security of personal data have been holding centre stage recently in light of the many high-profile cases of data theft and misuse of personal data that involve some of the most prominent technology companies in the world. With technology taking centre stage in almost all areas of human endeavour, countries across the world are racing against time to bring out regulations to safeguard personal data. The European GDPR is a case in point.

This is even more important in the case of intensely personal and private data such as EHR. EHR systems require safeguards to ensure that the data is available when needed and that the information is not used, disclosed, accessed, altered, or deleted inappropriately while being stored, retrieved or transmitted. Given the pace at which technology adoption is evolving in healthcare, the only acceptable strategy for an enduring solution is to follow some basic design guidelines while designing EHR systems.

From the beginning, the Indian EHR standards have made it a point to treat data security and privacy as integral to the core of the standards. They attempt to do this through the following strategies:

  • Establish the person as the owner of their health data
  • Provide guidelines on the design of technology systems that manage EHR data to ensure that the data is inherently secure
  • Include administrative and physical access standards to protect the data from falling into the hands of unauthorized users within an organisation

Ownership of EHR

By giving the person ownership of their EHR, the standard renders providers and any other agency holding EHR as only custodians of the data and thus limits their rights on the data. This reduces the chances of such agencies wilfully using anybody’s personal health data for purposes other than to provide care to the person.

The providers are also required to maintain the data in an interoperable format and make it available to the person in a pre-defined electronic form for use in future care situations.

Building security into the design of EHR systems

The standards include a wide range of recommendations to follow while designing EHR systems so that they remain inherently secure over a wide range of use case situations. At a generic level these include all the common security strategies employed by modern technology solutions, including user authentication, authorization, access privileges, access control, automatic log-off, data encryption and transit data integrity. As these involve implementation-specific strategies which are discussed in detail in many easily available articles, we will not be explaining them further in this post.

Apart from the above common, domain-agnostic guidelines, the Indian EHR standards include some guidelines which are very specific to the healthcare domain. These are discussed in more detail below:

Segregation of personal and EHR data

The EHR standards recommend a complete segregation of the demographic and EHR data in any EHR system. A person’s privacy is breached when a compromised EHR is identifiable as belonging to them. Any system where these data are managed separately and brought together as required in a usage context remains inherently secure. For such systems to be compromised, multiple services (a minimum of 3 including EHR, Demographics and Integration service) have to be compromised, making it difficult for an attacker.
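A sketch of this three-service split, added here as an illustration and not taken from the standards or from EHR.Network. All class, method and field names are hypothetical, the stores are in-memory dictionaries, and the final function is an added check for the common failure mode where identifying text leaks into clinical entries.

```python
import secrets

class DemographicsService:
    """Identifying data only, keyed by person_id."""
    def __init__(self):
        self.people = {}
    def register(self, name, dob):
        person_id = "P-" + secrets.token_hex(8)
        self.people[person_id] = {"name": name, "dob": dob}
        return person_id

class EHRService:
    """Clinical data only, keyed by an opaque ehr_id."""
    def __init__(self):
        self.records = {}
    def create_ehr(self):
        ehr_id = "E-" + secrets.token_hex(16)  # random, not derived from identity
        self.records[ehr_id] = []
        return ehr_id
    def add_entry(self, ehr_id, entry):
        self.records[ehr_id].append(dict(entry))

class IntegrationService:
    """The only place where person_id and ehr_id are linked."""
    def __init__(self, demographics, ehr):
        self._demo, self._ehr, self._link = demographics, ehr, {}
    def enrol(self, name, dob):
        person_id = self._demo.register(name, dob)
        self._link[person_id] = self._ehr.create_ehr()
        return person_id
    def record(self, person_id, entry):
        self._ehr.add_entry(self._link[person_id], entry)
    def patient_view(self, person_id):
        # The join happens per request, in the usage context.
        return {"person": dict(self._demo.people[person_id]),
                "entries": list(self._ehr.records[self._link[person_id]])}

def identifying_values_in(ehr_dump, demographics_dump):
    """List person ids and demographic values found in a dump of the EHR store."""
    flat = repr(ehr_dump)
    found = [v for p in demographics_dump.values() for v in p.values() if v in flat]
    return found + [pid for pid in demographics_dump if pid in flat]
```

Running `identifying_values_in` against the EHR store as a regular check catches free-text notes that reintroduce a name or identifier, which would undo the segregation even though the services are separate.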

Versioning of EHR data

Given the critical nature of health data, the standards mandate that health data should never be deleted or destroyed completely. They further require systems to ensure that the older versions of any data that has been modified are always available for review. The recommended strategy to address these requirements is to version all EHR data. Any modification to the data should create a newer version of the data, while all the previous versions are still maintained and available as required. Deletion of any data should create a new version with an empty data set, which co-exists with the previous versions. This ensures that the integrity of data is maintained and verifiable at all times.

Audit log

The Indian EHR standards require systems to maintain a detailed audit trail of all activities that happen. Such audit information should record date, time, record identification, user identification and the particulars of the action, whenever any electronic health information is created, modified, deleted or accessed (view & print). These should in turn be available to be electronically displayed or printed for user/administrative review. Further, EHR information shared between organisations should contain sufficient identity information such that the receiver can make access control decisions and produce detailed and accurate security audit trails.
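The versioning and audit requirements above can be combined in one append-only store. The following is an added example, not code from the standards or from EHR.Network; the class and field names are hypothetical, and the hash chaining of audit entries goes beyond what the standards text asks for, as one way to make the trail tamper-evident.

```python
import hashlib
import json
from datetime import datetime, timezone

class VersionedEHRStore:
    """Append-only store: each change adds a version, nothing is overwritten."""
    def __init__(self):
        self._versions = {}  # record_id -> list of versions, oldest first
        self.audit = []      # audit entries; hash chaining is an added assumption

    @staticmethod
    def _digest(entry):
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def _log(self, user_id, record_id, action):
        entry = {"timestamp": datetime.now(timezone.utc).isoformat(),
                 "record_id": record_id, "user_id": user_id, "action": action,
                 "prev": self.audit[-1]["hash"] if self.audit else "0" * 64}
        entry["hash"] = self._digest(entry)
        self.audit.append(entry)

    def write(self, user_id, record_id, data):
        history = self._versions.setdefault(record_id, [])
        history.append(dict(data))
        self._log(user_id, record_id, "create" if len(history) == 1 else "modify")
        return len(history)  # version number, starting at 1

    def delete(self, user_id, record_id):
        # Deletion adds a version with an empty data set; older versions remain.
        self._versions[record_id].append({})
        self._log(user_id, record_id, "delete")
        return len(self._versions[record_id])

    def read(self, user_id, record_id, version=None):
        history = self._versions[record_id]
        version = len(history) if version is None else version
        if not 1 <= version <= len(history):
            raise KeyError(f"{record_id} has no version {version}")
        self._log(user_id, record_id, f"view v{version}")
        return dict(history[version - 1])

    def audit_intact(self):
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != self._digest(body):
                return False
            prev = e["hash"]
        return True
```

Reads are logged as well as writes, so a review of `audit` shows who viewed which version, and `audit_intact()` returns `False` if any stored entry has been edited after the fact.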

As you can see from the above, privacy and security of health data is one of the cornerstones of the Indian EHR standards and provides a high level of guarantee to the end user regarding cloud-based EHR solutions that are aligned to the standards. Cloud-based solutions now provide a very attractive option owing to their ease of access, lower cost and continuous improvement. Thanks to the Indian EHR standards, you now have a firm set of guidelines to ensure that the systems that you select are designed with security for your customers’ data.

Healthelife’s EHR.Network repository and AyushEHR are designed in line with the EHR standards and will continue to evolve with them. To know more about how we can help you get the best cloud EHR solution for your organisation, please contact us.