

Drchrono iPad app for Doctors drives EHR adoption - Skeletor
http://www.healthcareitnews.com/news/ipad-ehr-gets-certifiedwhat-next-0

======
gwillen
I honestly fear EHRs. Chances are they will offer me greatly-reduced
access to my own medical records, while offering my insurance company (or
prospective insurers) greatly increased access. I am open to hearing that some
regulation ensures this will not be the case.

~~~
Skeletor
Your fear is understandable, but I feel you would have less doubt if you knew
more about the EHR space.

The government is laying out strict regulations on how EHRs should work and
what data can be used (and by whom).

Access by patients to their own records is mandated as part of the
certification and we already see widespread use of patients accessing their
data from EHR systems via our patient portal and iPad app for patients.

~~~
gwillen
Can I get my data in a portable format I can take with me to another provider,
as easily as paper records? Or can I _only_ get my own data through your
proprietary portal / application?

~~~
Skeletor
Patient records can be given to patients in .pdf format (human readable) and
also one of two government specified HL7 formats (CCR and CCD.) The MU
certification makes all vendors give patients/doctors the ability to download
one of the formats (CCR or CCD), but all vendors have to be able to read both
formats.

The MU guidelines did a great job of forcing all of the vendors to adopt one
of these two standards and to understand them both.

~~~
gwillen
Ok, that's exciting then. Thanks for the info. :-)

------
jcarden
Great job getting that certification. Keep at it!

------
keithflower
The article naysayers correctly point out:

 _Mobile technology presents providers "with a very long list of legal
concerns," they point out. "Privacy and security of patient data, compliance
with state and federal laws (including Stark and anti-kickback statutes),
assumption of risk and liability, along with many other critical issues,
should be addressed in the contract between the healthcare provider and vendor
of such software."_

Unless I'm missing something, this "certification" from Infogard doesn't
appear to speak much to these concerns, if at all, which are the overwhelming
concerns of physicians with these kinds of non-hospital cloud-based systems.

The "certification" that the application meets "meaningful use" just means
that app use may allow physicians to qualify for the government incentive
money for adopting an EHR.

http://www.infogard.com/resources/healthcare_it/meaningful_use_requirements

Security, security, security is the real issue. The drchrono CEO says that a
"security audit" was done, but the article gives no details. Who did it, at
what level, and where are the results?

Does drchrono assume _all_ risk and liability for patient confidentiality? Is
that spelled out contractually? Unfortunately, the problem is that even with
such verbiage in a contract, individual physicians would likely not escape the
rightful wrath of patients and regulatory bodies if a data breach occurred.
Frankly, even if physicians did adopt a system like this, they'd have to
provide disclosure and go through an informed consent process with their
individual patients about the use of drchrono, and get written approval from
individual patients to store their info this way. What happens when many (if
not all) patients opt-out? Maintain two systems?

"Tell the court, Dr. Incentive, what drove your use of drchrono? Were you
convinced that the system provided any benefits whatsoever to the patients who
now have their HIV status, mental health diagnoses, and street drug use
information plastered all over the net....or were you more interested in the
$44,000 benefit _you got_ from adopting the software?"

 _But, he [CEO of drchrono] says, with the iPad connected to drchrono's cloud-
based platform, "there's no information stored on the iPad except a temporary
cache ... it's more secure than locally stored laptops and servers."_

This statement makes no sense. We've seen countless breaches and releases of
protected health information from cloud-based systems. How is highly sensitive
information transmitted to and stored on drchrono and/or third-party servers
possibly more secure than leaving patients' data on local systems which are
locally controlled, physically fenced (easily quarantined from the net),
easily whole-disk encrypted, locally backed-up, locally audited, with locally
set retention policies, and locally destroyed when needed?

~~~
Skeletor
The legal FUD you bring up would have some basis in fact if the government
weren't mandating that all US physicians use EHR systems and passed
laws/regulations defining their use and liability under HIPAA and the security
rule.

The #1 source of patient data theft has occurred from stolen laptops which
contained locally stored records. A cloud based solution with mobile access is
much more secure since even if an iPad is stolen there is no loss of data.

