For the past decade or so, Electronic Health Records have seen a significant rise in adoption in the US and – to a lesser extent – abroad. One of the often-cited barriers to faster adoption is a reluctance on the part of the clinical staff to use such systems, embrace them, and do many of the tasks previously completed by an army of helpers themselves. Reviewing a few notes and flow sheets on a readily accessible computer is one thing – entering and signing orders, sifting through selection lists and dealing with many pop-up warnings and electronic signatures are perceived to be a hassle and constitute barriers to adoption.
Recently, Apple released the iPad in the US and much has been written about its promise in the clinical space. For the first time in a while, the community is excited about a new form factor tablet. While the tablet concept is not new, the iPad offers lighter weight, a long enough battery life, and an easy-to-use multi-touch user interface, and presumably fits into a lab coat pocket – not to mention the cool factor that comes with Apple.
Clinicians all over the place are giving it a try – running web-based EMR applications on it, using the Citrix Receiver to run full Windows-based clients or entire Windows desktops on it, and so on. EMR vendors are using the APIs to write iPad-friendly versions of their software. So, what stands in the way of wider and faster EMR adoption? Well, it’s not that easy.
Fellow bloggers on these pages have written about the consumerization of IT and Bring Your Own Computer (BYOC) programs, in which end users de-couple themselves from rigid corporate IT standards and are therefore happier and more productive at work.
CMIOs these days have to worry about regulatory compliance: HIPAA, and the recently introduced HITECH provisions, which require them to notify patients and the government of privacy breaches concerning unsecured personal health information.
The majority of disclosed privacy breaches today actually fall into the category of security breaches. Under HIPAA/HITECH, the organization is exempt from the reporting requirement if the security breach concerns devices or networks on which the data is encrypted in a FIPS 140-2 and NIST 800-111 compliant manner.
Trouble is, while many systems in the chain between the data center and the end-user can be configured to be compliant with such standards, many of the very popular end points are not. The iPad (to the best of my knowledge) is inherently not FIPS 140-2 compliant and I am not sure if Apple is aware that this consumer-targeted device is already making major inroads into the corporate IT market. (Note that the lack of FIPS compliance does not constitute a barrier towards HIPAA or HITECH compliance – it just means that the loss of a device very likely leads to having to report such a loss to patients and the Secretary of HHS.)
It’s a real dilemma, as CMIOs must decide whether they would like to increase adoption by adopting a liberal policy towards user-managed devices or insist on the use of issued, IT-managed devices with which a reasonable effort towards achieving the HITECH safe harbor can be made. It’s a bit of a catch-22 situation, which re-emphasizes my previous points about carefully assessing user requirements, end-point, application delivery and other factors while planning for an EMR rollout. Which way do you sway? What has been your experience?

twitter: @florianbecker
Ask the Architect – Everything Healthcare
Tech Target – Virtualization Pulse