By Jeff Kabachinski, MS-T, BS-ETE, MCNE JeffKabachinski

In this installment of the “Networking” column, electronic health record (EHR) systems are considered from the perspective of general costs versus benefits. Additionally, we will look at one of the ancillary devices often needed in EHR systems. Finally, there will be some discussion on security issues.

Most of the time, electronic medical record (EMR) and EHR are used interchangeably, but they do have somewhat varying definitions. For example, the EMR is the medical information of a patient record that feeds an EHR. The EHR is the overall medical record that gets shared among physicians, the patient, hospitals, and hospitals’ departments. EHRs are generated and maintained by the institution and can contain a lot of information, including the medical history, medications and allergies, flu shot history, lab test results, pictures from radiology, everything you can think of down to billing and insurance information. Part of this might be the PHR, or personal health record, a portion of the EHR that the patient maintains.


The need for integrated devices across the enterprise is more necessary than ever before, especially for patients that are admitted to the hospital—since they are sicker, on the average, than in the past—and we have more biomedical devices that can be used in their care. Medical data information systems (MDIS) are the interfaces between biomedical devices and a clinical information system using EMRs or EHRs. Obtaining the device’s report of its standing, as well as the patient’s physiological data, is the target or purpose of an MDIS. Each EHR system installation is essentially a custom job very dependent on the make/model and the nature of the biomedical device’s output. If not already in the right format, it is the job of the MDIS to translate or convert the data to a common language, such as Health Level Seven (HL7), that the EHR system will understand and be able to use. An MDIS may also be a physical device that converts, for example, RS-232 serial data to Ethernet datagrams. Often, since the MDIS is making physical and logical translations for many devices, it also aggregates its output to send to the clinical EHR system. In July, the FDA announced a proposal for a unique device identifier (UDI). This is an effort to improve the quality of information of medical devices. The proposal includes a UDI specific to the make/model with a production number pointing to current production information for the device. Among the benefits the FDA says this will have is a way to reduce medical errors by more precisely identifying the device and to provide a consistent way to enter information about a device in the EHR system. It also provides a better way to track devices in event management, such as a device failure, of particular interest to the FDA.

The EHR is the overall medical record that gets shared among physicians, the patient, hospitals, and hospitals’ departments.

Again, the institution generates and maintains the EHR, but the institution could be just about any health care organization from an integrated delivery network through hospitals and clinics to a physician’s office with the idea that the EHR can be shared among facilities and payors, insurers, and employers, which in turn can challenge security.

Security Breaches

The Los Angeles Times estimates that 150 people can view an individual EHR during hospitalization, or have access to at least a portion of it. From physicians and nurses to billing clerks and insurance agencies, all get a chance to access an EHR. The Los Angeles Times also stated that there are more than 600,000 payors, providers, and “others” that handle a provider’s billing data that can get at least some access. This protected health information (PHI) is covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and maybe some local laws as well. However, that did not affect the 767 security breaches that compromised the PHI of more than 23 million patients in the time span of 2006 through 2012.

Security is no small issue. Consider that, according to the US Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA, in 2011 alone, 380 breaches led to compromising more that 18 million individual records. And they only track breaches that affect more than 500 people! Therefore, this report is only a portion of the true total of security breaches.
Like any database, threats to security of EHRs can be internal, external, intentional, or unintentional, and are classified as human threats (ie, employees or hackers), natural threats (tornadoes, wildfires), or technological threats (like system crashes).


Consider the pharmacist from Alaska who checked on the urine toxicology report of his daughter’s fiancé in Florida. Was this breach reported to the fiancé? Or consider the lawyer from San Francisco whose therapist’s reports were examined by her insurance company, and through a misunderstanding of the therapist’s notes denied her insurance claim for disability benefits. Sometimes it seems as though the insurance company’s use of this data is to search for information that will allow it to wiggle out from paying insurance claims.

There is no clear mandate or strategy to protect PHI. In 2007, the Government Accountability Office said that there was “a jumble of studies and vague policy statements but no overall strategy …” Security strategies that financial institutions must follow might be a good model for the health care industry to consider. The bottom line is that health care workers should be security conscious and HIPAA compliant, especially when making such information available to third parties.

Luddites Must Progress

The number of health care providers that are getting on the EHR/EMR bandwagon is increasing. However paper-based systems are still around in a big way as the most common record keeping system by far. It is easy to enter data and it is a low-cost method, as long as you have the storage space for all that paper. I know at my primary care provider my paper-based record looks like half of a set of the Encyclopedia Britannica—but it has even stopped printing and has gone to electronic delivery only. Or for me, maybe I should have said a set of Funk and Wagnalls. There is still cost pushback even though there are the incentives from the government (see sidebar, page 22) and savings to be felt once the system is in place. Those slow to join the EHR/EMR bandwagon complain that not only is there the implementation cost of the system software and hardware (~$32,000 per physician in a five-physician practice), but also maintenance costs (~$8,500 per employee per year in a health care facility), and training costs for every user, especially continuing the training for the newly hired. Keep in mind that training costs include the cost of backfilling the “students” during their training.

System Benefits

The eventual benefits of an EHR/EMR system include the saving of nursing time, which allows the nurse more time to spend with patients. It has also been shown to reduce transcription errors. On the positive side, in addition to the government incentives, hospitals are reporting substantial savings due to EHRs. I have read where Brigham and Women’s Hospital in Boston estimated it saved between $5M and $10M per year from its implementation of the computerized physician order entry, or CPOE, which is just one portion of the EHR system. It has also reduced medication errors by 55%! Another large hospital saved $8.6M by going paperless for outpatients and nearly $3M annually by providing electronic access to lab reports. I have yet to see a total savings or cost-avoidance figure for a large institution. However, based on these focused reports, it could be a substantial number! One study of EMRs reports that a savings of 6% per year will be felt in overall improved efficiency. Smaller providers like physician’s offices may not experience these kinds of savings in that they do not have the same cost-avoidance opportunity, but mainly because they are already efficient in their current system. They may thereby experience more costs than the benefits will bring due to implementation and maintenance costs. There is also the cost of possible new inefficiencies that the new system/user interface might bring.

Meaningful Use and EHR Systems
In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH), as part of the American Recovery and Reinvestment Act of 2009 stimulus package, incentivized the adoption of EHRs via demonstration of their “meaningful use.” Meaningful Use is demonstrated by being able to comply with a list of objectives such as using computerized physician order entry, or CPOE. The adoption and use of such a certified EHR system can garner $63,750 from Medicaid and another $44,000 from Medicare over time.
If you do not adopt an EHR system, Medicare will penalize you 1% of its reimbursements beginning in 2015 and up to 3% in the following 3 years. Looking at the situation from another angle, consider that a health care provider typically spends about 2% of revenues on IT, where a typical information intensive industry company spends closer to 10%. It appears that the health care industry is not used to spending for IT! —JK

EHR systems are here to stay. There will always be a need to get patient information into the record. To be most efficient and effective, the EHR system should be customizable and configurable to the health care provider’s network and list of medical devices. There will always be a need for those that understand the input side to an MDIS—or the output format of the biomedical devices. There will also be a need for those that understand the output of the MDIS, ensuring that the output is configured and managed in such a way to get the right information into the right patient’s record. A big sandbox with room enough for everyone to join in! 24×7 November 2012 Networking column

Jeff Kabachinski, MS-T, BS-ETE, MCNE, has more than 20 years of experience as an organizational development and training professional. He is the director of technical development for Aramark Healthcare Technologies in Charlotte, NC. For more information, contact the editor via e-mail.