The Allscripts Enterprise EHR is a wonderful example of the healthcare industry utilizing technology to improve the overall quality of the care provided to its patients, who are ultimately its customers. While many arguments can be made in favor of the electronic health record, perhaps none is more prevalent than the ability to have a patient’s chart only a few clicks away. The EHR stores an incredible amount of information about patients – from general information that helps identify them, such as name and mailing address, to more personal and medically relevant information such as diagnoses and allergies. Let us examine the Allscripts Enterprise EHR, and the various resources that help it work, in the context of Protected Health Information security and privacy.
HIPAA, the Health Insurance Portability and Accountability Act of 1996, is legislation that protects health insurance coverage when workers change or lose their jobs, while also limiting restriction of benefits for preexisting conditions. It also created several programs to control fraud and abuse within the healthcare industry. These initiatives are contemplated by HIPAA’s Administrative Simplification Rules, two of which are summarized below:
– The Privacy Rule
“The Privacy Rule standards address the use and disclosure of individuals’ health information—called “protected health information” by organizations subject to the Privacy Rule — called “covered entities,” as well as standards for individuals’ privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.” (www.hhs.gov/ocr/privacy/hipaa)
– The Security Rule
“The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.” (www.hhs.gov/ocr/privacy/hipaa)
Protected Health Information (PHI) is generally defined as follows:
“Any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.”
ePHI, or electronic PHI, is described the same way, except that it refers only to information in electronic form. If you’re using Allscripts Enterprise EHR to look at a patient’s chart on a computer screen, smartphone, iPad, etc., it’s considered ePHI, but if you utilize the application’s print function and then are physically holding a piece of paper in your hand, it’s PHI. PHI encompasses ePHI, and the differentiation only serves to indicate whether or not the information was in electronic form.
HIPAA specifically lists 18 types of information that qualify as PHI. That list can be found here.
Where do we find PHI within an Allscripts Enterprise EHR implementation?
There are three major ways to encounter PHI within Allscripts:
– Allscripts Enterprise EHR – the application itself.
– Works database – the back end database that houses most information filed into and out of the EHR.
– ConnectR interface engine – this software processes messages, primarily in the HL7 format, to get information in and out of the EHR.
In the screenshot below we see the Clinical Desktop for patient Kelly Test within the EHR. In this single screenshot we see pertinent information in the patient banner that is used to uniquely identify Kelly Test – her first and last name, date of birth, and phone number. We also see a current health problem of Emphysema, laboratory orders and results, and the fact that she is allergic to Morphine/Morphine Derivatives. All of this is Protected Health Information.
In the next example we’ll look at the Works database, the SQL Server database that houses most of the data found in the EHR.
The SQL in the example queries several tables within the database, including the Person table and the Problem table. Several other tables and specific columns are brought into the query, which produces a listing of all of the patients that have electronic health records within this (test) hospital or clinic, along with the corresponding problems and specific ICD-9 codes for those patients. This query illustrates the nature of the information inside the Works database and emphasizes the PHI it contains.
Lastly, let’s examine an HL7 message being used to communicate a laboratory result for Kelly Test.
Most HL7 messages will contain a PID (Patient Identification) segment. This message segment alone is full of protected health information, as it is designed to communicate a patient’s full name, date of birth, address, phone number, and MRN, among other types of information. From this single message we learn that there is a patient named Kelly Test, born on January 1, 1981, currently living at 101 Tremont St. in Boston, MA. Also contained in this example HL7 message is a DG1 segment, which contains information pertinent to Kelly’s diagnosis. In this specific example we find the value ‘1540’ in DG1-3. The value ‘1540’ is an ICD-9 code, so this HL7 message tells us that Kelly Test has been diagnosed with a type of cancerous tumor.
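The PID and DG1 fields described above can be inventoried and masked before an interface message is written to a log or shared for troubleshooting. The following is an added example, not code from Allscripts or ConnectR; the field map, the `redact_hl7` name and the sample message (including its MRN, ZIP code and phone number) are constructed for illustration, and the `|` field separator is assumed.

```python
# Added example: inventory and mask the PHI-bearing HL7 v2 fields named in the article.
# PHI_FIELDS is an assumption limited to those fields; it is not a complete PHI map
# (lab values in OBX, for instance, pass through untouched and are also PHI).
PHI_FIELDS = {
    "PID": {3: "mrn", 5: "name", 7: "date_of_birth", 11: "address", 13: "phone"},
    "DG1": {3: "diagnosis_code"},
}

# Constructed sample message. Name, DOB, street and ICD-9 code follow the article;
# the MRN, ZIP code, phone number and all other values are made up.
SAMPLE = "\r".join([
    r"MSH|^~\&|LAB|HOSP|EHR|HOSP|20120101120000||ORU^R01|MSG0001|P|2.3",
    "PID|1||123456^^^HOSP^MR||TEST^KELLY||19810101|F|||101 TREMONT ST^^BOSTON^MA^02108||6175550100",
    "DG1|1|I9|1540",
    "OBX|1|NM|GLU^Glucose||95|mg/dL",
])


def redact_hl7(message, mask="[REDACTED]"):
    """Return (redacted_message, findings) for one HL7 v2 message.

    findings maps "SEG-n" (for example "PID-5") to (label, original_value).
    Assumes "|" as the field separator and one occurrence of each segment.
    """
    findings = {}
    out = []
    # HL7 v2 segments end with a carriage return; tolerate \n and \r\n from file exports.
    for segment in message.replace("\r\n", "\r").replace("\n", "\r").split("\r"):
        if not segment:
            continue
        fields = segment.split("|")
        # For non-MSH segments, list index n is field n (index 0 is the segment ID).
        for idx, label in PHI_FIELDS.get(fields[0], {}).items():
            if idx < len(fields) and fields[idx]:
                findings[f"{fields[0]}-{idx}"] = (label, fields[idx])
                fields[idx] = mask
        out.append("|".join(fields))
    return "\r".join(out), findings


if __name__ == "__main__":
    redacted, found = redact_hl7(SAMPLE)
    for key, (label, _) in sorted(found.items()):
        print(f"{key}: {label} masked")
    print(redacted.replace("\r", "\n"))
```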
The Allscripts EHR and the components of its implementation, such as the Works database and interface engine, store, utilize, and make available an incredible amount of information. Much of this data is Protected Health Information (PHI) and should be secured and protected in accordance with HIPAA and other legislation such as the HITECH Act. We want you to be aware of the most common ways to access PHI while using Allscripts Enterprise EHR, and encourage you to contact us with any questions or concerns.