To help with this problem, many states have implemented their own electronic immunization repositories (no national database exists.) For example, in Utah, for the past five years or so, every newborn child has been automatically enrolled into USIIS (“Utah Statewide Immunization Information System”, pronounced “you sis.”) Qualified health care providers and educational organizations alike are granted access to the system. Now, after a visit to the doctor, a child’s immunization record is updated in the state database (running Oracle, by the way), which can then be accessed in report form by the school nurse.

Though I applaud the Utah Department of Health for their efforts to gather and store medical information electronically, the USIIS system falls short in a couple of aspects. For one, there is no facility for direct parent access to the system (no “parent portal.”) As well, having a separate database for immunization data apart from the rest of a persons’ medical information seems divergent from the goal of a universal personal health record. Finally, there is no access/permissions model controllable by the parent. Once data is entered into the system, it is viewable and editable by *all* of the users on the system.

On the up side, USIIS does have a web interface and an HL7 interface and USIIS can be configured to work with EHR systems. As well, it has the ability to connect to other states’ immunization record systems (recently it was coupled with Louisiana’s when Hurricane Katrina refugees came here.)

Does your EHR system have the ability to interface to your state’s immunization system?

* Source: National Vaccine Advisory Committee (NVAC)Report, Centers for Disease Control and Prevention (CDC).

• EMR (Electronic Medical Record): a medical record in digital format. If you’re still using paper records in your hospital, you need to change. now. seriously. NOW.
• EHR (Electronic Health Record): a health record in digital format. (Though there might be technical differences for some, but the words EHR and EMR are used interchangeably by many.)
• HIPAA (Health Insurance Portability and Accountability Act): provides national healthcare privacy standards. It’s another reason why outsouring your EMR system is a good idea.
• PHR (Personal Health Record): a health record maintained by an individual. All good EMR systems include a patient portal which allows patients to access their PHRs.
• PI (Predictive Informatics): healthcare predictive analytics. When data mining is applied to healthcare data, useful trends can be found to modify outcomes.
• HL7 (Health Level Seven): A way of encoding medical data so it can be transmitted between different systems without losing meaning. Particularly for large hospitals, interoperability between disparate systems is a must, so a common interchange format is required.
• ICD-9 (International Classification of Diseases): a classification system for diseases, symptoms, complaints, etc, used to correctly document a medical encounter and for insurance billing purposes. “Every health condition can be assigned to a unique category and given a code, up to six characters long.”
• DICOM (Digital Imaging and Communications in Medicine): a standard for storing medical imaging data. Another aspect of a full-fledged EMR system is the ability to view, annotate and manipulate DICOM images.

HIPAA Overview:

• Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
• Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
• Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.
• Ensure compliance by the workforce

What does this all mean to you? Well, before signing up, you should ask some tough questions to your hosted EHR provider, such as:

1. Are their backups encrypted?
2. What sort of physical access security do they have?
3. Do they maintain both read and write access logs at the database level?
4. Is credit card information encrypted?
5. Are passwords one-way hashed?
6. Is SSL used to encrypt data traffic?
7. Do user passwords expire?
8. When they have employees leave, what measures are in place for revocation of access?
9. Is data ever stored on non-company computers?
10. If data is transported physically, is it encrypted?
11. Do workstations auto-lock when employees step away?
12. How is media properly disposed of?
13. What server operating system is used? (if it’s Windows, you should look for a better vendor…)

Also, be sure to see their Data Backup Plan, Disaster Recovery Plan and Business Continuity plan.

Here’s a sample HIPAA Security Checklist and here’s yet another HIPAA Security Checklist